Progress???
I realized that the error might indicate I had an empty conf paragraph or whatever you call it when dovecot failed to start. That is, I commented out the driver = pam, but left the enclosing passdb { } with no contents. That was the error. So I commented out everything in /etc/dovecot/conf.d/auth-system.conf.ext. That worked and doveconf -n gave me the right precedence for masteruser and regular logins.
Then my login from telnet still failed. So I had two terminal windows, one with

sudo journalctl -u dovecot.service -f

to follow the journal entries from dovecot, and another to do my

telnet localhost 143

Now, when I tried to login with the masteruser, I got an error in the journal that said:
May 01 16:15:50 marlin dovecot[31944]: auth-worker(32577): Error: pam(chrisho,127.0.0.1):
pam_authenticate() failed: Authentication failure (/etc/pam.d/imap missing?)
hmm. No idea what to put there. /etc/pam.d/ contains a bunch of entries, including dovecot. Then there are some entries that start with common and include common-auth, common-session, common-password, etc. The dovecot entry simply includes those. So, I tried just setting up a symlink from imap pointing at the dovecot file. Then I tried logging in again via telnet. Now I simply get:
May 01 16:26:40 marlin dovecot[31944]: imap-login: Aborted login (auth failed, 2 attempts in 112 secs): user=<chrisho>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<2BspEfndKMN/AAAB>
The entry of that line in the journal seemed to be slightly delayed. It showed up when I entered "2 logout".
At this point, my dovecot -n output is as follows:
chrisho@marlin:/etc/dovecot$ sudo doveconf -n
# 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.13 (7b14904)
# OS: Linux 4.4.0-223-generic x86_64 Ubuntu 16.04.7 LTS
auth_master_user_separator = *
default_process_limit = 200
first_valid_gid = 98
first_valid_uid = 1000
login_access_sockets = tcpwrap
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_max_userip_connections = 8
mail_privileged_group = mail
mbox_write_locks = dotlock fcntl
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
args = /etc/dovecot/passwd.masterusers
driver = passwd-file
master = yes
result_success = continue
}
passdb {
args = session=yes %Ls
driver = pam
}
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
pop3_reuse_xuidl = yes
pop3_uidl_format = %08Xv%08Xu
protocols = " imap pop3"
service imap-login {
inet_listener imap {
address = localhost
port = 143
}
inet_listener imaps {
port = 993
ssl = yes
}
}
service pop3-login {
inet_listener pop3 {
port = 0
}
inet_listener pop3s {
port = 995
ssl = yes
}
}
service tcpwrap {
unix_listener login/tcpwrap {
group = $default_login_user
mode = 0600
user = $default_login_user
}
}
ssl = required
ssl_ca = </etc/mail/tls/marlin/InCommonBundle.crt
ssl_cert = </etc/mail/tls/marlin/sendmail.pem
ssl_key = </etc/mail/tls/marlin/sendmail.pem
ssl_protocols = !SSLv2 !SSLv3
syslog_facility = local2
userdb {
driver = passwd
}
On 4/30/22 8:00 PM, Chris Hoogendyk wrote:
Aki,
Thank you for your advice. I finally got around to this. I'm retired, working part time, and have more to do than fits the time. Anyway . . .
I did the configuration in /etc/dovecot/local.conf, which is included in the /etc/dovecot/dovecot.conf. However, the dovecot.conf includes the /etc/dovecot/conf.d/* before the local.conf. I believe that means that the entries in the conf.d come first and have precedence. I was getting authorization failures. The section of my local.conf is as follows:
#
# master passwd added 4/30/2022 based on email from Aki Tuomi on Dovecot support list 3/21/2022,
# modified based on example from https://doc.dovecot.org/configuration_manual/authentication/master_users/
# also added userdb at bottom of this and removed lines from conf.d/auth-system.conf.ext to resolve precedence.
# CGH
#
auth_master_user_separator = *
passdb {
driver = passwd-file
args = /etc/dovecot/passwd.masterusers
master = yes
result_success = continue
}
passdb {
driver = pam
args = session=yes %Ls
}
userdb {
driver = passwd
}
I had found entries in the /etc/dovecot/conf.d/auth-system.conf.ext that set drivers to pam for passdb and passwd for userdb. I commented those two lines out since I had them covered in my local.conf. That failed with the control process exiting with an error code. I quickly uncommented those two lines in auth-system.conf.ext and it started just fine (I have a lot of users dependent on this, although it is Saturday afternoon and a bit slow). Dovecot starts up alright with the above local.conf, but master user doesn't seem to work.
I'm testing with the following (master username and password replaced):
chrisho@marlin:/etc/dovecot$ telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
1 login chrisho*masteruser masterpassword
1 NO [AUTHORIZATIONFAILED] Authorization failed
2 exit
Connection closed by foreign host.
What I'm seeing in the logs is:
Apr 30 19:32:29 marlin auth[20859]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=chrisho rhost=127.0.0.1
Apr 30 19:32:29 marlin auth[20859]: pam_ldap: error trying to bind as user "uid=chrisho,ou=People,dc=bio,dc=nsm" (Invalid credentials)
Apr 30 19:32:31 marlin auth[20859]: pam_unix(imap:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=chrisho rhost=127.0.0.1
Apr 30 19:32:31 marlin auth[20859]: pam_ldap: error trying to bind as user "uid=chrisho,ou=People,dc=bio,dc=nsm" (Invalid credentials)
The output of doveconf -n is as follows:
# 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.13 (7b14904)
# OS: Linux 4.4.0-223-generic x86_64 Ubuntu 16.04.7 LTS
auth_master_user_separator = *
default_process_limit = 200
first_valid_gid = 98
first_valid_uid = 1000
login_access_sockets = tcpwrap
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_max_userip_connections = 8
mail_privileged_group = mail
mbox_write_locks = dotlock fcntl
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
driver = pam
}
passdb {
args = /etc/dovecot/passwd.masterusers
driver = passwd-file
master = yes
result_success = continue
}
passdb {
args = session=yes %Ls
driver = pam
}
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
pop3_reuse_xuidl = yes
pop3_uidl_format = %08Xv%08Xu
protocols = " imap pop3"
service imap-login {
inet_listener imap {
address = localhost
port = 143
}
inet_listener imaps {
port = 993
ssl = yes
}
}
service pop3-login {
inet_listener pop3 {
port = 0
}
inet_listener pop3s {
port = 995
ssl = yes
}
}
service tcpwrap {
unix_listener login/tcpwrap {
group = $default_login_user
mode = 0600
user = $default_login_user
}
}
ssl = required
ssl_ca = </etc/mail/tls/marlin/InCommonBundle.crt
ssl_cert = </etc/mail/tls/marlin/sendmail.pem
ssl_key = </etc/mail/tls/marlin/sendmail.pem
ssl_protocols = !SSLv2 !SSLv3
syslog_facility = local2
userdb {
driver = passwd
}
userdb {
driver = passwd
}
And, yes, Ubuntu 16.04 is EOL; however, we do have an Ubuntu Advantage account for this server. So we do get security patches and the hope is that we can do a release upgrade this summer.
Any further guidance would be much appreciated. If any further information is needed, I can provide it.
On 3/21/22 1:57 AM, Aki Tuomi wrote:
On 20/03/2022 22:36 Chris Hoogendyk <hoogendyk@bio.umass.edu> wrote:
I'm posting to the list, but not on the list. I presume that means a reply-all to get to me as well as the list?
We have two servers (dovecot --version: 2.2.22 (fe789d2)) that handle email for two different departments.
We are transitioning mail service to the University central IT. They need to move accounts in an automated fashion and therefore need a master password to our dovecot servers. However, we are running with LDAP authentication, and I understand that a master password is not possible in that configuration.
Hi!
It is totally possible to use LDAP with master password, using configuration like this:
# this must be first
passdb {
driver = static
args = password=masterpass
}

# current passdb config

# you probably already have this
userdb {
driver = ldap
args = /path/to/ldap/userdb
}

If this does not work, please send your

doveconf -n

as well.

Aki
--
Chris Hoogendyk
Systems Administrator, Retired
Biology & Geosciences Departments
315 Morrill Science Center III
<hoogendyk@bio.umass.edu>
---------------
Erdös 4
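Two things in this thread are easy to miss by eye in a long doveconf -n dump: the order in which passdb blocks end up after conf.d/* and local.conf are merged (Aki's "this must be first", and the duplicate passdb/userdb blocks in the first dump), and which /etc/pam.d/ service file a pam passdb will actually open (the "/etc/pam.d/imap missing?" error comes from args = session=yes %Ls, where %Ls expands to the lowercase protocol name). The script below is an added example, not code from the thread or from the Dovecot project. It parses a doveconf -n dump, reports non-master passdbs listed ahead of the master passdb, flags repeated passdb/userdb blocks, and predicts the PAM service file for each pam passdb. The sample dump is constructed from the first doveconf -n posted above; the PAM service-name rule (last bare argument is the service name, default "dovecot", %Ls replaced by the protocol) is my reading of the Dovecot PAM passdb documentation and is an assumption of this example.

```python
"""Audit a `doveconf -n` dump for passdb ordering, duplicate blocks and PAM service files."""

# Constructed sample, trimmed from the first doveconf -n in the thread (the one
# where conf.d/auth-system.conf.ext still added its own passdb and userdb).
SAMPLE_DOVECONF = """\
auth_master_user_separator = *
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/passwd.masterusers
  driver = passwd-file
  master = yes
  result_success = continue
}
passdb {
  args = session=yes %Ls
  driver = pam
}
userdb {
  driver = passwd
}
userdb {
  driver = passwd
}
"""


def parse_blocks(text):
    """Return [(kind, {key: value}), ...] for top-level passdb/userdb blocks, in file order."""
    blocks, depth, current = [], 0, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            name = line[:-1].strip()
            if depth == 0 and name in ("passdb", "userdb"):
                current = (name, {})
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0 and current is not None:
                blocks.append(current)
                current = None
        elif current is not None and depth == 1 and "=" in line:
            key, _, value = line.partition("=")
            current[1][key.strip()] = value.strip()
    return blocks


def pam_service_file(args, protocol):
    """Predict the /etc/pam.d/ file a pam passdb consults (assumed rule, see lead-in)."""
    service = "dovecot"                      # Dovecot's default PAM service name
    for token in args.split():
        if "=" not in token:                 # key=value tokens are options, not the service
            service = token
    service = service.replace("%Ls", protocol.lower())
    return f"/etc/pam.d/{service}"


def audit(text, protocol="imap"):
    """Return {'ordering': [...], 'duplicates': [...], 'pam_files': [...]}."""
    blocks = parse_blocks(text)
    passdbs = [b for kind, b in blocks if kind == "passdb"]
    userdbs = [b for kind, b in blocks if kind == "userdb"]
    report = {"ordering": [], "duplicates": [], "pam_files": []}

    # Non-master passdbs that are tried before the first master passdb.
    first_master = next((i for i, p in enumerate(passdbs) if p.get("master") == "yes"), None)
    if first_master is not None:
        for i in range(first_master):
            report["ordering"].append(
                f"passdb #{i + 1} (driver={passdbs[i].get('driver')}) is tried before "
                f"the master passdb (#{first_master + 1})")

    # Identical blocks repeated, typically one from conf.d and one from local.conf.
    for kind, blist in (("passdb", passdbs), ("userdb", userdbs)):
        seen = {}
        for j, b in enumerate(blist):
            sig = tuple(sorted(b.items()))
            if sig in seen:
                report["duplicates"].append(f"{kind} #{j + 1} repeats {kind} #{seen[sig] + 1}")
            else:
                seen[sig] = j

    # Which PAM service file each pam passdb will open for this protocol.
    for p in passdbs:
        if p.get("driver") == "pam":
            report["pam_files"].append(pam_service_file(p.get("args", ""), protocol))
    return report


if __name__ == "__main__":
    for section, lines in audit(SAMPLE_DOVECONF).items():
        print(section)
        for line in lines:
            print("  ", line)
```

Run it against a real dump with `sudo doveconf -n | python3 audit_doveconf.py` after replacing SAMPLE_DOVECONF with sys.stdin.read(); on the constructed sample it reports the pam passdb from auth-system.conf.ext ahead of the master passdb, the repeated userdb, and that the second pam passdb will look for /etc/pam.d/imap while the first uses /etc/pam.d/dovecot.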