Dovecot auth-worker error after cram-md5 auth

Aki Tuomi aki.tuomi at dovecot.fi
Wed Feb 1 08:04:26 UTC 2017


Can you check your logs?

Aki


On 01.02.2017 10:02, Poliman - Serwis wrote:
> When I used backup copy of the dovecot.conf file I have this same error. So
> I think that maybe something was written to database? I really would point
> out that I only added
> passdb {
>   driver = passwd-file
>   args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> }
>
> and comment out from above block default lines
>   #args = /etc/dovecot/dovecot-sql.conf
>   #driver = sql
>
> And in auth_mechanisms add line cram-md5. Nothing more in any other file.
>
> I don't want to use cram-md5. I need to move back to default settings.
> Cram-md5 was only for testing purposes. :) But I supposed that I can move
> back to default by commenting out added lines. But unfortunately it isn't
> that simple.
>
> 2017-02-01 8:59 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
>
>> Are you still trying to authenticate using cram-md5?
>>
>> Aki
>>
>>
>> On 01.02.2017 09:51, Poliman - Serwis wrote:
>>> It still uses:
>>> passdb {
>>>   driver = passwd-file
>>>   args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
>>> }
>>>
>>> When I delete the above and delete "cram-md5" in auth_mechanisms it is still
>>> not working.
>>>
>>> 2017-02-01 8:45 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
>>>
>>>> You are probably wanting to do
>>>> passdb {
>>>>   driver = passwd-file
>>>>   args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
>>>> }
>>>>
>>>> passdb {
>>>>   driver = sql
>>>>   args = /etc/dovecot/dovecot-sql.conf
>>>> }
>>>>
>>>> Why you want to use cram-md5 is beyond me, because using SSL is much
>>>> safer.
>>>>
>>>> Aki
>>>>
>>>> On 01.02.2017 09:41, Poliman - Serwis wrote:
>>>>> Default it was: "auth_mechanisms = plain login"  and I added cram-md5.
>>>>> After restart all work perfectly. But after I added:
>>>>>    driver = passwd-file
>>>>>    args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
>>>>> I can't set default lines because I got an error. Please tell me which lines
>>>>> should be changed to resolve this issue. Should I remove "login" from
>>>>> auth_mechanism ("login" was the default setting and I would like to move back
>>>>> to default settings)?
>>>>>
>>>>> 2017-02-01 8:36 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
>>>>>
>>>>>> Because cram-md5 needs the user's password for calculating responses, it
>>>>>> cannot work with hashed passwords (one-way encrypted). The only
>>>>>> supported password schemes are PLAIN and CRAM-MD5.
>>>>>>
>>>>>> Aki
>>>>>>
>>>>>> On 01.02.2017 09:33, Poliman - Serwis wrote:
>>>>>>> I always restart dovecot after changing the config. ;) Sure, I commented out
>>>>>>> the two lines I added, restarted dovecot and here it is:
>>>>>>>
>>>>>>> # 2.2.9: /etc/dovecot/dovecot.conf
>>>>>>> # OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS
>>>>>>> auth_mechanisms = plain login cram-md5
>>>>>>> listen = *,[::]
>>>>>>> log_timestamp = "%Y-%m-%d %H:%M:%S "
>>>>>>> mail_max_userip_connections = 100
>>>>>>> mail_plugins = " quota"
>>>>>>> mail_privileged_group = vmail
>>>>>>> passdb {
>>>>>>>   args = /etc/dovecot/dovecot-sql.conf
>>>>>>>   driver = sql
>>>>>>> }
>>>>>>> plugin {
>>>>>>>   quota = dict:user::file:/var/vmail/%d/%n/.quotausage
>>>>>>>   sieve = /var/vmail/%d/%n/.sieve
>>>>>>>   sieve_max_redirects = 25
>>>>>>> }
>>>>>>> postmaster_address = postmaster at example.com
>>>>>>> protocols = imap pop3
>>>>>>> service auth {
>>>>>>>   unix_listener /var/spool/postfix/private/auth {
>>>>>>>     group = postfix
>>>>>>>     mode = 0660
>>>>>>>     user = postfix
>>>>>>>   }
>>>>>>>   unix_listener auth-userdb {
>>>>>>>     group = vmail
>>>>>>>     mode = 0600
>>>>>>>     user = vmail
>>>>>>>   }
>>>>>>>   user = root
>>>>>>> }
>>>>>>> service imap-login {
>>>>>>>   client_limit = 1000
>>>>>>>   process_limit = 512
>>>>>>> }
>>>>>>> service lmtp {
>>>>>>>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>>>>>>>     group = postfix
>>>>>>>     mode = 0600
>>>>>>>     user = postfix
>>>>>>>   }
>>>>>>> }
>>>>>>> ssl = required
>>>>>>> ssl_cert = </etc/postfix/smtpd.cert
>>>>>>> ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
>>>>>>> ssl_dh_parameters_length = 2048
>>>>>>> ssl_key = </etc/postfix/smtpd.key
>>>>>>> ssl_prefer_server_ciphers = yes
>>>>>>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
>>>>>>> userdb {
>>>>>>>   driver = prefetch
>>>>>>> }
>>>>>>> userdb {
>>>>>>>   args = /etc/dovecot/dovecot-sql.conf
>>>>>>>   driver = sql
>>>>>>> }
>>>>>>> protocol imap {
>>>>>>>   mail_plugins = quota imap_quota
>>>>>>> }
>>>>>>> protocol pop3 {
>>>>>>>   mail_plugins = quota
>>>>>>>   pop3_uidl_format = %08Xu%08Xv
>>>>>>> }
>>>>>>> protocol lda {
>>>>>>>   mail_plugins = sieve quota
>>>>>>>   postmaster_address = webmaster at localhost
>>>>>>> }
>>>>>>> protocol lmtp {
>>>>>>>   mail_plugins = quota sieve
>>>>>>>   postmaster_address = webmaster at localhost
>>>>>>> }
>>>>>>>
>>>>>>>
>>>>>>> 2017-02-01 8:27 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
>>>>>>>
>>>>>>>> On 01.02.2017 08:18, Poliman - Serwis wrote:
>>>>>>>>> This is debug log files in syslog:
>>>>>>>>> Feb  1 07:10:25 vps342401 dovecot: auth: Debug: client passdb out: CONT#0112#011PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4=
>>>>>>>>> Feb  1 07:10:26 vps342401 dovecot: auth: Debug: client in: CONT<hidden>
>>>>>>>>> Feb  1 07:10:26 vps342401 dovecot: auth-worker(27069): Debug: sql(do_not_reply at example.com,12.173.211.32): query: SELECT email as user, password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir, '/', IF(maildir_format='maildir','Maildir',maildir_format)) as userdb_mail, uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM mail_user WHERE (login = 'do_not_reply at example.com' OR email = 'do_not_reply at example.com') AND `disablesmtp` = 'n' AND server_id = '1'
>>>>>>>>> Feb  1 07:10:26 vps342401 dovecot: auth-worker(27069): password(do_not_reply at example.com, 12.173.211.32): Requested CRAM-MD5 scheme, but we have only CRYPT
>>>>>>>>> Feb  1 07:10:28 vps342401 dovecot: auth: Debug: client passdb out: FAIL#0112#011user=do_not_reply at example.com
>>>>>>>>> Feb  1 07:10:28 vps342401 postfix/smtps/smtpd[27067]: warning: host23131.internet.3s.com[12.173.211.32]: SASL CRAM-MD5 authentication failed: PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4=
>>>>>>>>> Feb  1 07:11:02 vps342401 CRON[27074]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
>>>>>>>>> Feb  1 07:11:02 vps342401 CRON[27075]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
>>>>>>>>> Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client in: AUTH#0113#011CRAM-MD5#011service=smtp#011nologin#011lip=173.72.31.7#011rip=12.173.211.32#011secured
>>>>>>>>> Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client passdb out: CONT#0113#011PDE3NDg1NjE4MTgxNTk2OTAuMTQ4NTkyOTQ3MUB2cHMzNDI0MDEub3ZoLm5ldD4=
>>>>>>>>> Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client in: CONT<hidden>
>>>>>>>>> Feb  1 07:11:11 vps342401 dovecot: auth-worker(27069): Debug: sql(do_not_reply at example.com,12.173.211.32): query: SELECT email as user, password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir, '/', IF(maildir_format='maildir','Maildir',maildir_format)) as userdb_mail, uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM mail_user WHERE (login = 'do_not_reply at example.com' OR email = 'do_not_reply at example.com') AND `disablesmtp` = 'n' AND server_id = '1'
>>>>>>>>> Feb  1 07:11:11 vps342401 dovecot: auth-worker(27069): password(do_not_reply at example.com,12.173.211.32): Requested CRAM-MD5 scheme, but we have only CRYPT
>>>>>>>>> Feb  1 07:11:13 vps342401 dovecot: auth: Debug: client passdb out: FAIL#0113#011user=do_not_reply at example.com
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> #####################
>>>>>>>>> I added in dovecot.conf lines in passdb block:
>>>>>>>>>    driver = passwd-file
>>>>>>>>>    args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
>>>>>>>>> and commented out default lines
>>>>>>>>>   #args = /etc/dovecot/dovecot-sql.conf
>>>>>>>>>   #driver = sql
>>>>>>>>> When I try set again default lines I got above error
>>>>>>>> Can you run doveconf -n with the configuration that causes the above
>>>>>>>> error? Also it clearly does SQL lookup, so that error is happening with
>>>>>>>> SQL passdb. You need to remember to restart dovecot between
>>>>>>>> configuration changes.
>>>>>>>>
>>>>>>>> Aki
>>>>>>>>
>>>>>>>>> 2017-01-31 8:08 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
>>>>>>>>>
>>>>>>>>>> On 31.01.2017 09:06, Poliman - Serwis wrote:
>>>>>>>>>>> I set up cram-md5 using this tutorial
>>>>>>>>>>> https://wiki2.dovecot.org/HowTo/CRAM-MD5 in /etc/dovecot/dovecot.conf in
>>>>>>>>>>> passdb code block:
>>>>>>>>>>> listen = *,[::]
>>>>>>>>>>> protocols = imap pop3
>>>>>>>>>>> #auth_mechanisms = plain login cram-md5
>>>>>>>>>>> auth_mechanisms = cram-md5 plain login
>>>>>>>>>>> #line added below
>>>>>>>>>>> ssl = required
>>>>>>>>>>> disable_plaintext_auth = yes
>>>>>>>>>>> log_timestamp = "%Y-%m-%d %H:%M:%S "
>>>>>>>>>>> mail_privileged_group = vmail
>>>>>>>>>>> postmaster_address = postmaster at vps342401.ovh.net
>>>>>>>>>>> ssl_cert = </etc/postfix/smtpd.cert
>>>>>>>>>>> ssl_key = </etc/postfix/smtpd.key
>>>>>>>>>>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
>>>>>>>>>>> ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES$
>>>>>>>>>>> ssl_prefer_server_ciphers = yes
>>>>>>>>>>> ssl_dh_parameters_length = 2048
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> mail_max_userip_connections = 100
>>>>>>>>>>> passdb {
>>>>>>>>>>> # args = /etc/dovecot/dovecot-sql.conf
>>>>>>>>>>> # driver = sql
>>>>>>>>>>> driver = passwd-file
>>>>>>>>>>> args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
>>>>>>>>>>> }
>>>>>>>>>>> userdb {
>>>>>>>>>>> driver = prefetch
>>>>>>>>>>> }
>>>>>>>>>>> userdb {
>>>>>>>>>>> args = /etc/dovecot/dovecot-sql.conf
>>>>>>>>>>> driver = sql
>>>>>>>>>>> }
>>>>>>>>>>> Of course I created the cram-md5.pwd file. All mails go out and come in nicely.
>>>>>>>>>>> But after I want to do default settings by commenting out these two lines:
>>>>>>>>>>> driver = passwd-file
>>>>>>>>>>> args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
>>>>>>>>>>> and uncomment
>>>>>>>>>>> # args = /etc/dovecot/dovecot-sql.conf
>>>>>>>>>>> # driver = sql
>>>>>>>>>>> I can't send emails - I use Thunderbird - I get the error "logging on server
>>>>>>>>>>> mail.example.com not work out". Error in logs:
>>>>>>>>>>> dovecot: auth-worker(22698): Error: Auth worker sees different
>>>>>>>>>>> passdbs/userdbs than auth server.
>>>>>>>>>>> dovecot: auth: Error: read(anvil-auth-penalty) failed: EOF
>>>>>>>>>>>
>>>>>>>>>>> Is it possible that the hashed password from the cram-md5.pwd file was written to
>>>>>>>>>>> the database (if yes then where - I have ISPconfig)? I didn't change any userdb
>>>>>>>>>>> {} block and this second userdb block has the same lines as the default
>>>>>>>>>>> settings in the passdb block.
>>>>>>>>>>>
>>>>>>>>>> Try
>>>>>>>>>>
>>>>>>>>>> auth_debug=yes
>>>>>>>>>> auth_verbose=yes
>>>>>>>>>>
>>>>>>>>>> and see if it gives any more reasonable messages.
>>>>>>>>>>
>>>>>>>>>> Aki
>>>>>>>>>>
>>>
>
>
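
Added example, not part of the original thread or of Dovecot's code: a minimal model of the CRAM-MD5 exchange (RFC 2195) showing why the auth worker logs "Requested CRAM-MD5 scheme, but we have only CRYPT". The challenge is the one from the quoted debug log; the password and the SHA-512 stand-in for the CRYPT value held in the SQL passdb are constructed, and only the plaintext-secret case is modelled.

```python
import base64
import hashlib
import hmac

# Challenge copied from the "client passdb out: CONT" debug line in the thread.
CHALLENGE_B64 = "PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4="
USER = "do_not_reply@example.com"        # account name as it appears in the log
PASSWORD = b"constructed-sample-secret"  # constructed; not from the thread


def decode_challenge(challenge_b64: str) -> str:
    """The server's challenge is a base64-wrapped <nonce.timestamp@host> string."""
    return base64.b64decode(challenge_b64).decode("ascii")


def client_response(user: str, password: bytes, challenge_b64: str) -> str:
    """Client reply: base64("user " + hex(HMAC-MD5(key=password, msg=challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password, challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode("ascii")


def server_verify(stored_secret: bytes, challenge_b64: str, response_b64: str) -> bool:
    """Server recomputes the HMAC keyed with whatever the passdb returned."""
    _user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(stored_secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def demo() -> dict:
    response = client_response(USER, PASSWORD, CHALLENGE_B64)
    # Stand-in for a one-way value such as the CRYPT hash in the SQL passdb.
    one_way = hashlib.sha512(PASSWORD).hexdigest().encode()
    return {
        "challenge": decode_challenge(CHALLENGE_B64),
        "passdb_has_plaintext": server_verify(PASSWORD, CHALLENGE_B64, response),
        "passdb_has_one_way_hash": server_verify(one_way, CHALLENGE_B64, response),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The client keys the HMAC with the password itself, so a passdb that returns only a one-way hash gives the server nothing it can recompute the response from, even when the client typed the right password.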


