Configuring master password when using pam/openldap [was: "running alternate dovecot instances on the same server"]
Chris Hoogendyk
hoogendyk at bio.umass.edu
Tue Jun 21 21:59:37 UTC 2022
So this is resolved.
Turns out that getting rid of the "result_success = continue" fixed it. Which is odd, because I
thought from the documentation that that was required.
Anyway. Fixed.
On 6/20/22 2:53 PM, Chris Hoogendyk wrote:
> Hoping that someone can help with this. It's a critical project that requires getting the master
> password to work.
>
> I've managed to get the logging at maximum level and what I'm seeing is the following. Testing with:
>
> chrisho at marlin:~$ telnet localhost 143
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN]
> Dovecot ready.
> a login chrisho+<masteruser> <masterpassword>
> a NO [AUTHORIZATIONFAILED] Authorization failed
> * BYE Disconnected for inactivity.
> Connection closed by foreign host.
> chrisho at marlin:~$
>
> And what I see in the log files is:
>
> Jun 17 12:16:10 marlin dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011session=<stuffhere>#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=60150#011resp<stuffhere> (previous base64 data may contain sensitive data)
> Jun 17 12:16:10 marlin dovecot: auth: Debug: passwd-file(<masteruser>,127.0.0.1,master,<hash>): Master user lookup for login: chrisho
> Jun 17 12:16:10 marlin dovecot: auth: Debug: passwd-file(<masteruser>,127.0.0.1,master,<hash>): lookup: user=<masteruser> file=/etc/dovecot/passwd.masterusers
> Jun 17 12:16:10 marlin dovecot: auth: passwd-file(<masteruser>,127.0.0.1,master,<hash>): Master user logging in as chrisho
> Jun 17 12:16:10 marlin dovecot: auth-worker(9763): Debug: pam(chrisho,127.0.0.1): lookup service=imap
> Jun 17 12:16:10 marlin dovecot: auth-worker(9763): Debug: pam(chrisho,127.0.0.1): #1/1 style=1 msg=Password:
> Jun 17 12:16:12 marlin dovecot: auth-worker(9763): pam(chrisho,127.0.0.1): pam_authenticate() failed: Authentication failure (password mismatch?) (given password: <masterpassword>)
> Jun 17 12:18:53 marlin dovecot: imap-login: Disconnected: Inactivity (auth failed, 1 attempts in 163 secs): user=<chrisho>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured,
>
> I've replaced sensitive content with <masteruser>, <masterpassword>, <stuffhere>, and <hash>. BUT,
> note that in the next to the last line, dovecot is attempting to authenticate the user via pam
> using the master password!! Why?? 1st, it shouldn't be trying to authenticate, it already has
> the master user authenticated. 2nd, why would it try to use what it should know is the master
> password to authenticate the regular user?
>
> Irrespective of those two questions, which are given primarily as what I would see as significant
> clues, what do I need to do to get it to work? Is this an issue with my dovecot configuration? An
> issue with my pam configuration? Or a bug in dovecot? Note also that I am using ldap as a user
> database. One of the criteria set up in pam is that the user must also exist in the local
> /etc/passwd, but the authentication goes to ldap.
>
> Any help very much appreciated.
>
> My doveconf output is already included in this thread, so I won't repeat it. The only thing I've
> changed is the debug levels. If there is anything else that would be useful to know, please let me
> know.
>
>
> ---------------
>
> Chris Hoogendyk
>
> -
> O__ ---- Systems Administrator, Retired
> c/ /'_ --- Biology & Geosciences Departments
> (*) \(*) -- 315 Morrill Science Center III
> ~~~~~~~~~~ - University of Massachusetts, Amherst
>
> <hoogendyk at bio.umass.edu>
>
> ---------------
>
> Erdös 4
>
>
> On 6/5/22 2:40 PM, Chris Hoogendyk wrote:
>> I've changed the subject line on this email to more closely address the current issue.
>>
>> I'm hoping that with the most recent release out the door for a while there might be time to
>> answer this.
>>
>> I believe I have the configuration done correctly to use a master password, but for some reason
>> Dovecot seems to be going to ldap rather than just transferring to the requested user account.
>> Since I don't really know what Dovecot is doing, it's hard to know what to try or whether it will
>> actually work. In my mind it seems like Dovecot could do something similar to a `sudo su
>> user`, bypassing the usual authentication since it was given the master password.
>>
>> Details below and already on the dovecot mailing list.
>>
>> I've got a limited time to get this running, because central IT wants to transfer these accounts
>> from our department server to the central IT servers this month. We have hundreds of accounts, so
>> it doesn't scale to try to copy over individual accounts using individual's passwords.
>>
>> Thank you,
>>
>>
>>
>>
>> On 5/1/22 4:59 PM, Chris Hoogendyk wrote:
>>> Progress???
>>>
>>> I realized that the error might indicate I had an empty conf paragraph or whatever you call it
>>> when dovecot failed to start. That is I commented out the driver = pam, but left the enclosing
>>> passdb { } with no contents. That was the error. So I commented out everything in
>>> /etc/dovecot/conf.d/auth-system.conf.ext. That worked and doveconf -n gave me the right
>>> precedence for masteruser and regular logins.
>>>
>>> Then my login from telnet still failed. So I had two terminal windows, one with `sudo journalctl
>>> -u dovecot.service -f` to follow the journal entries from dovecot, and another to do my telnet
>>> localhost 143. Now, when I tried to login with the masteruser, I got an error in the journal
>>> that said:
>>>
>>> May 01 16:15:50 marlin dovecot[31944]: auth-worker(32577): Error: pam(chrisho,127.0.0.1): pam_authenticate() failed: Authentication failure (/etc/pam.d/imap missing?)
>>>
>>> hmm. No idea what to put there. /etc/pam.d/ contains a bunch of entries, including dovecot. Then
>>> there are some entries that start with common and include common-auth, common-session,
>>> common-password, etc. The dovecot entry simply includes those. So, I tried just setting up a
>>> symlink from imap pointing at the dovecot file. Then I tried logging in again via telnet. Now I
>>> simply get:
>>>
>>> May 01 16:26:40 marlin dovecot[31944]: imap-login: Aborted login (auth failed, 2 attempts in 112 secs): user=<chrisho>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<2BspEfndKMN/AAAB>
>>>
>>> The entry of that line in the journal seemed to be slightly delayed. It showed up when I entered
>>> `2 logout`.
>>>
>>> At this point, my dovecot -n output is as follows:
>>>
>>> chrisho at marlin:/etc/dovecot$ sudo doveconf -n
>>> # 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
>>> # Pigeonhole version 0.4.13 (7b14904)
>>> # OS: Linux 4.4.0-223-generic x86_64 Ubuntu 16.04.7 LTS
>>> auth_master_user_separator = *
>>> default_process_limit = 200
>>> first_valid_gid = 98
>>> first_valid_uid = 1000
>>> login_access_sockets = tcpwrap
>>> mail_location = mbox:~/mail:INBOX=/var/mail/%u
>>> mail_max_userip_connections = 8
>>> mail_privileged_group = mail
>>> mbox_write_locks = dotlock fcntl
>>> namespace inbox {
>>>   inbox = yes
>>>   location =
>>>   mailbox Drafts {
>>>     special_use = \Drafts
>>>   }
>>>   mailbox Junk {
>>>     special_use = \Junk
>>>   }
>>>   mailbox Sent {
>>>     special_use = \Sent
>>>   }
>>>   mailbox "Sent Messages" {
>>>     special_use = \Sent
>>>   }
>>>   mailbox Trash {
>>>     special_use = \Trash
>>>   }
>>>   prefix =
>>> }
>>> passdb {
>>>   args = /etc/dovecot/passwd.masterusers
>>>   driver = passwd-file
>>>   master = yes
>>>   result_success = continue
>>> }
>>> passdb {
>>>   args = session=yes %Ls
>>>   driver = pam
>>> }
>>> pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
>>> pop3_reuse_xuidl = yes
>>> pop3_uidl_format = %08Xv%08Xu
>>> protocols = " imap pop3"
>>> service imap-login {
>>>   inet_listener imap {
>>>     address = localhost
>>>     port = 143
>>>   }
>>>   inet_listener imaps {
>>>     port = 993
>>>     ssl = yes
>>>   }
>>> }
>>> service pop3-login {
>>>   inet_listener pop3 {
>>>     port = 0
>>>   }
>>>   inet_listener pop3s {
>>>     port = 995
>>>     ssl = yes
>>>   }
>>> }
>>> service tcpwrap {
>>>   unix_listener login/tcpwrap {
>>>     group = $default_login_user
>>>     mode = 0600
>>>     user = $default_login_user
>>>   }
>>> }
>>> ssl = required
>>> ssl_ca = </etc/mail/tls/marlin/InCommonBundle.crt
>>> ssl_cert = </etc/mail/tls/marlin/sendmail.pem
>>> ssl_key = </etc/mail/tls/marlin/sendmail.pem
>>> ssl_protocols = !SSLv2 !SSLv3
>>> syslog_facility = local2
>>> userdb {
>>>   driver = passwd
>>> }
>>>
>>>
>>> On 4/30/22 8:00 PM, Chris Hoogendyk wrote:
>>>> Aki,
>>>>
>>>> Thank you for your advice. I finally got around to this. I'm retired, working part time, and
>>>> have more to do than fits the time. Anyway . . .
>>>>
>>>> I did the configuration in /etc/dovecot/local.conf, which is included in the
>>>> /etc/dovecot/dovecot.conf. However, the dovecot.conf includes the /etc/dovecot/conf.d/* before
>>>> the local.conf. I believe that means that the entries in the conf.d come first and have
>>>> precedence. I was getting authorization failures. The section of my local.conf is as follows:
>>>>
>>>> #
>>>> # master passwd added 4/30/2022 based on email from Aki Tuomi on Dovecot support list 3/21/2022,
>>>> # modified based on example from https://doc.dovecot.org/configuration_manual/authentication/master_users/
>>>> # also added userdb at bottom of this and removed lines from conf.d/auth-system.conf.ext to resolve precedence.
>>>> # CGH
>>>> #
>>>> auth_master_user_separator = *
>>>> passdb {
>>>>   driver = passwd-file
>>>>   args = /etc/dovecot/passwd.masterusers
>>>>   master = yes
>>>>   result_success = continue
>>>> }
>>>> passdb {
>>>>   driver = pam
>>>>   args = session=yes %Ls
>>>> }
>>>> userdb {
>>>>   driver = passwd
>>>> }
>>>>
>>>> I had found entries in the /etc/dovecot/conf.d/auth-system.conf.ext that set drivers to pam for
>>>> passdb and passwd for userdb. I commented those two lines out since I had them covered in my
>>>> local.conf. That failed with the control process exiting with an error code. I quickly
>>>> uncommented those two lines in auth-system.conf.ext and it started just fine (I have a lot of
>>>> users dependent on this, although it is Saturday afternoon and a bit slow). Dovecot starts up
>>>> alright with the above local.conf, but master user doesn't seem to work.
>>>>
>>>> I'm testing with the following (master username and password replaced):
>>>>
>>>> chrisho at marlin:/etc/dovecot$ telnet localhost 143
>>>> Trying 127.0.0.1...
>>>> Connected to localhost.
>>>> Escape character is '^]'.
>>>> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN]
>>>> Dovecot ready.
>>>> 1 login chrisho*masteruser masterpassword
>>>> 1 NO [AUTHORIZATIONFAILED] Authorization failed
>>>> 2 exit
>>>> Connection closed by foreign host.
>>>>
>>>> What I'm seeing in the logs is:
>>>>
>>>> Apr 30 19:32:29 marlin auth[20859]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=chrisho rhost=127.0.0.1
>>>> Apr 30 19:32:29 marlin auth[20859]: pam_ldap: error trying to bind as user "uid=chrisho,ou=People,dc=bio,dc=nsm" (Invalid credentials)
>>>> Apr 30 19:32:31 marlin auth[20859]: pam_unix(imap:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=chrisho rhost=127.0.0.1
>>>> Apr 30 19:32:31 marlin auth[20859]: pam_ldap: error trying to bind as user "uid=chrisho,ou=People,dc=bio,dc=nsm" (Invalid credentials)
>>>>
>>>> The output of doveconf -n is as follows:
>>>>
>>>> # 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
>>>> # Pigeonhole version 0.4.13 (7b14904)
>>>> # OS: Linux 4.4.0-223-generic x86_64 Ubuntu 16.04.7 LTS
>>>> auth_master_user_separator = *
>>>> default_process_limit = 200
>>>> first_valid_gid = 98
>>>> first_valid_uid = 1000
>>>> login_access_sockets = tcpwrap
>>>> mail_location = mbox:~/mail:INBOX=/var/mail/%u
>>>> mail_max_userip_connections = 8
>>>> mail_privileged_group = mail
>>>> mbox_write_locks = dotlock fcntl
>>>> namespace inbox {
>>>>   inbox = yes
>>>>   location =
>>>>   mailbox Drafts {
>>>>     special_use = \Drafts
>>>>   }
>>>>   mailbox Junk {
>>>>     special_use = \Junk
>>>>   }
>>>>   mailbox Sent {
>>>>     special_use = \Sent
>>>>   }
>>>>   mailbox "Sent Messages" {
>>>>     special_use = \Sent
>>>>   }
>>>>   mailbox Trash {
>>>>     special_use = \Trash
>>>>   }
>>>>   prefix =
>>>> }
>>>> passdb {
>>>>   driver = pam
>>>> }
>>>> passdb {
>>>>   args = /etc/dovecot/passwd.masterusers
>>>>   driver = passwd-file
>>>>   master = yes
>>>>   result_success = continue
>>>> }
>>>> passdb {
>>>>   args = session=yes %Ls
>>>>   driver = pam
>>>> }
>>>> pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
>>>> pop3_reuse_xuidl = yes
>>>> pop3_uidl_format = %08Xv%08Xu
>>>> protocols = " imap pop3"
>>>> service imap-login {
>>>>   inet_listener imap {
>>>>     address = localhost
>>>>     port = 143
>>>>   }
>>>>   inet_listener imaps {
>>>>     port = 993
>>>>     ssl = yes
>>>>   }
>>>> }
>>>> service pop3-login {
>>>>   inet_listener pop3 {
>>>>     port = 0
>>>>   }
>>>>   inet_listener pop3s {
>>>>     port = 995
>>>>     ssl = yes
>>>>   }
>>>> }
>>>> service tcpwrap {
>>>>   unix_listener login/tcpwrap {
>>>>     group = $default_login_user
>>>>     mode = 0600
>>>>     user = $default_login_user
>>>>   }
>>>> }
>>>> ssl = required
>>>> ssl_ca = </etc/mail/tls/marlin/InCommonBundle.crt
>>>> ssl_cert = </etc/mail/tls/marlin/sendmail.pem
>>>> ssl_key = </etc/mail/tls/marlin/sendmail.pem
>>>> ssl_protocols = !SSLv2 !SSLv3
>>>> syslog_facility = local2
>>>> userdb {
>>>>   driver = passwd
>>>> }
>>>> userdb {
>>>>   driver = passwd
>>>> }
>>>>
>>>> And, yes, Ubuntu 16.04 is EOL; however, we do have an Ubuntu Advantage account for this server.
>>>> So we do get security patches and the hope is that we can do a release upgrade this summer.
>>>>
>>>> Any further guidance would be much appreciated. If any further information is needed, I can
>>>> provide it.
>>>>
>>>>
>>>> On 3/21/22 1:57 AM, Aki Tuomi wrote:
>>>>>> On 20/03/2022 22:36 Chris Hoogendyk <hoogendyk at bio.umass.edu> wrote:
>>>>>>
>>>>>> I'm posting to the list, but not on the list. I presume that means a reply-all to get to me
>>>>>> as well as the list?
>>>>>>
>>>>>> We have two servers (dovecot --version: 2.2.22 (fe789d2)) that handle email for two different
>>>>>> departments.
>>>>>>
>>>>>> We are transitioning mail service to the University central IT. They need to move accounts in an
>>>>>> automated fashion and therefore need a master password to our dovecot servers. However, we are
>>>>>> running with LDAP authentication, and I understand that a master password is not possible in
>>>>>> that configuration.
>>>>>>
>>>>> Hi!
>>>>>
>>>>> It is totally possible to use LDAP with master password, using configuration like this:
>>>>>
>>>>> # this must be first
>>>>> passdb {
>>>>>   driver = static
>>>>>   args = password=masterpass
>>>>> }
>>>>>
>>>>> # current passdb config
>>>>>
>>>>> # you probably already have this
>>>>> userdb {
>>>>>   driver = ldap
>>>>>   args = /path/to/ldap/userdb
>>>>> }
>>>>>
>>>>> If this does not work, please send your `doveconf -n` as well.
>>>>>
>>>>> Aki
>>>>
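An added example, not from the thread or from Dovecot, that runs the defender's checks this thread points at over auth log lines like those quoted above: it lists every master-user login for audit (a master password is a credential for every mailbox, so its use should be reviewed), flags a pam lookup for the login user right after the master passdb accepted (the symptom Chris saw with `result_success = continue`), and counts lines where debug logging wrote the submitted password into the log. The sample log is constructed from the lines in the mail, with `<masteruser>`, `<hash>` and `<masterpassword>` kept as the mail's own placeholders; the second login (alice from 10.0.0.5) is made up to show a clean case.

```python
import re

# Constructed sample log, modelled on the auth debug lines quoted in this thread.
# <masteruser>, <hash> and <masterpassword> are the mail's placeholders; the
# "alice" login from 10.0.0.5 is made up to show a master login with no fall-through.
SAMPLE_LOG = """\
Jun 17 12:16:10 marlin dovecot: auth: Debug: passwd-file(<masteruser>,127.0.0.1,master,<hash>): Master user lookup for login: chrisho
Jun 17 12:16:10 marlin dovecot: auth: passwd-file(<masteruser>,127.0.0.1,master,<hash>): Master user logging in as chrisho
Jun 17 12:16:10 marlin dovecot: auth-worker(9763): Debug: pam(chrisho,127.0.0.1): lookup service=imap
Jun 17 12:16:12 marlin dovecot: auth-worker(9763): pam(chrisho,127.0.0.1): pam_authenticate() failed: Authentication failure (password mismatch?) (given password: <masterpassword>)
Jun 17 12:20:01 marlin dovecot: auth: passwd-file(<masteruser>,10.0.0.5,master,<hash>): Master user logging in as alice
"""

# Logged once the master passdb has accepted the master credentials; the login
# user is the name the client put before the auth_master_user_separator.
MASTER_RE = re.compile(
    r"passwd-file\((?P<master>[^,]+),(?P<rip>[^,]+),master,[^)]*\): "
    r"Master user logging in as (?P<user>\S+)")
# A pam lookup for that login user afterwards means the auth chain did not stop
# at the master passdb, so the next passdb is being fed the master password.
PAM_RE = re.compile(r"pam\((?P<user>[^,]+),(?P<rip>[^,]+)\): ")


def analyze(log_text):
    """Return master-user logins, fall-through users and password-leaking line count."""
    master_logins, fallthrough, leaks = [], [], 0
    pending = {}  # (login user, remote ip) -> master user, awaiting the next passdb
    for line in log_text.splitlines():
        if "(given password:" in line:
            leaks += 1  # debug logging has written the submitted password to the log
        m = MASTER_RE.search(line)
        if m:
            master_logins.append((m["master"], m["user"], m["rip"]))
            pending[(m["user"], m["rip"])] = m["master"]
            continue
        p = PAM_RE.search(line)
        if p and (p["user"], p["rip"]) in pending and p["user"] not in fallthrough:
            fallthrough.append(p["user"])
    return {"master_logins": master_logins, "fallthrough": fallthrough, "leaks": leaks}


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    for master, user, rip in r["master_logins"]:
        print(f"master user {master} opened mailbox of {user} from {rip}")
    for user in r["fallthrough"]:
        print(f"WARNING: pam consulted for {user} after master login; check result_success")
    if r["leaks"]:
        print(f"WARNING: {r['leaks']} log line(s) contain a submitted password")
```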