Re: [Dovecot] Auth Worker failures

20 Oct 2011


      On 18 October 2011 10:37, Timo Sirainen tss@iki.fi wrote:
...
On Wed, 2011-10-12 at 10:24 -0400, Simon Brereton wrote:
...
Of all the accounts on the box, it's only mine that throws this up.
Since its LIP is localhost, it could really only be for webmail - but
I don't always leave the webmail open, so I'm curious to know how this
gets there and what it is.
Any suggestions?  I find it difficult to believe I have an IMAP
process in a script somewhere (especially with my user account - the
postmaster account, I could believe, but not with my personal one)..
You could enable auth_debug_passwords=yes and see what password it
tries.
The first day I did this, I forgot to restart dovecot.  Doh.  This
morning I had:
Oct 20 06:25:14 mail dovecot: auth(default): client in:
AUTH#0112#011PLAIN#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=50683#011resp=--alsoremoved--==
Oct 20 06:25:14 mail dovecot: auth-worker(default):
sql(simon@example.net,127.0.0.1): query: SELECT EmailAdd AS user,
Password AS password,  concat('/var/spool/mail/virtual/',MailDirLoc)
as userdb_home, 999 as userdb_uid, 115 as userdb_gid FROM MailAccounts
WHERE Username='simon@example.net' AND active = '1';
Oct 20 06:25:14 mail dovecot: auth-worker(default):
sql(simon@example.net,127.0.0.1): Password mismatch
Oct 20 06:25:14 mail dovecot: auth-worker(default):
md5_verify(simon@example.net): Not a valid MD5-CRYPT or PLAIN-MD5
password
Oct 20 06:25:14 mail dovecot: auth-worker(default):
smd5_verify(simon@example.net): SMD5 password too short
Oct 20 06:25:14 mail dovecot: auth-worker(default):
ssha_verify(simon@example.net): SSHA password too short
Oct 20 06:25:14 mail dovecot: auth-worker(default):
ssha256_verify(simon@example.net): SSHA256 password too short
Oct 20 06:25:14 mail dovecot: auth-worker(default): Invalid OTP data in passdb
Oct 20 06:25:14 mail dovecot: auth-worker(default): Invalid OTP data in passdb
Oct 20 06:25:14 mail dovecot: auth-worker(default):
sql(simon@example.net,127.0.0.1): CRYPT() != 'RaNDomsTRinG'
Oct 20 06:25:16 mail dovecot: auth(default): client out:
FAIL#0112#011user=simon@example.net
Oct 20 06:25:26 mail dovecot: auth(default): client in:
AUTH#0113#011PLAIN#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=50683#011resp=--truncated--
Oct 20 06:25:26 mail dovecot: auth-worker(default):
sql(simon@example.net,127.0.0.1): query: SELECT EmailAdd AS user,
Password AS password,  concat('/var/spool/mail/virtual/',MailDirLoc)
as userdb_home, 999 as userdb_uid, 115 as userdb_gid FROM MailAccounts
WHERE Username='simon@example.net' AND active = '1';
Oct 20 06:25:26 mail dovecot: auth-worker(default):
sql(simon@example.net,127.0.0.1): Password mismatch
Oct 20 06:25:26 mail dovecot: auth-worker(default):
md5_verify(simon@example.net): Not a valid MD5-CRYPT or PLAIN-MD5
password
Oct 20 06:25:26 mail dovecot: auth-worker(default):
smd5_verify(simon@example.net): SMD5 password too short
Oct 20 06:25:26 mail dovecot: auth-worker(default):
ssha_verify(simon@example.net): SSHA password too short
Oct 20 06:25:26 mail dovecot: auth-worker(default):
ssha256_verify(simon@example.net): SSHA256 password too short
Oct 20 06:25:26 mail dovecot: auth-worker(default): Invalid OTP data in passdb
Oct 20 06:25:26 mail dovecot: auth-worker(default): Invalid OTP data in passdb
Oct 20 06:25:26 mail dovecot: auth-worker(default):
sql(simon@example.net,127.0.0.1): CRYPT() != 'RaNDomsTRinG'
Oct 20 06:25:28 mail dovecot: auth(default): client out:
FAIL#0113#011user=simon@example.net
Oct 20 06:25:43 mail dovecot: auth(default): client in:
AUTH#0114#011PLAIN#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=50683#011resp=--alsoremoved--==
Oct 20 06:25:43 mail dovecot: auth-worker(default):
sql(simon@example.net,127.0.0.1): query: SELECT EmailAdd AS user,
Password AS password,  concat('/var/spool/mail/virtual/',MailDirLoc)
as userdb_home, 999 as userdb_uid, 115 as userdb_gid FROM MailAccounts
WHERE Username='simon@example.net' AND active = '1';
Oct 20 06:25:43 mail dovecot: auth-worker(default):
sql(simon@example.net,127.0.0.1): Password mismatch
Oct 20 06:25:43 mail dovecot: auth-worker(default):
md5_verify(simon@example.net): Not a valid MD5-CRYPT or PLAIN-MD5
password
Oct 20 06:25:43 mail dovecot: auth-worker(default):
smd5_verify(simon@example.net): SMD5 password too short
Oct 20 06:25:43 mail dovecot: auth-worker(default):
ssha_verify(simon@example.net): SSHA password too short
Oct 20 06:25:43 mail dovecot: auth-worker(default):
ssha256_verify(simon@example.net): SSHA256 password too short
Oct 20 06:25:43 mail dovecot: auth-worker(default): Invalid OTP data in passdb
Oct 20 06:25:43 mail dovecot: auth-worker(default): Invalid OTP data in passdb
Oct 20 06:25:43 mail dovecot: auth-worker(default):
sql(simon@example.net,127.0.0.1): CRYPT() != 'RaNDomsTRinG'
Oct 20 06:25:45 mail dovecot: auth(default): client out:
FAIL#0114#011user=simon@example.net
Oct 20 06:26:05 mail dovecot: imap-login: Disconnected (auth failed, 4
attempts): user=simon@example.net, method=PLAIN, rip=127.0.0.1,
lip=127.0.0.1, secured
Oct 20 06:26:15 mail dovecot: IMAP(simon@example.net): Disconnected:
Logged out bytes=8/334
Oct 20 06:26:15 mail dovecot: IMAP(simon@example.net): Disconnected:
Logged out bytes=21/393
Oct 20 06:26:16 mail dovecot: auth(default): client in:
AUTH#0111#011PLAIN#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=50696#011resp=--removed--==
Oct 20 06:26:16 mail dovecot: auth-worker(default):
sql(simon@example.net,127.0.0.1): query: SELECT EmailAdd AS user,
Password AS password,  concat('/var/spool/mail/virtual/',MailDirLoc)
as userdb_home, 999 as userdb_uid, 115 as userdb_gid FROM MailAccounts
WHERE Username='simon@example.net' AND active = '1';
Oct 20 06:26:16 mail dovecot: auth(default): client out:
OK#0111#011user=simon@example.net
Oct 20 06:26:16 mail dovecot: auth(default): master in:
REQUEST#0111712#01119179#0111
Oct 20 06:26:16 mail dovecot: auth(default):
prefetch(simon@example.net,127.0.0.1): success
Oct 20 06:26:16 mail dovecot: auth(default): master out:
USER#0111712#011simon@example.net#011home=/var/spool/mail/virtual/example.net/simon/#011uid=999#011gid=115
Oct 20 06:26:16 mail dovecot: imap-login: Login:
user=simon@example.net, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1,
secured
Oct 20 06:26:16 mail dovecot: auth(default): client in:
AUTH#0111#011PLAIN#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=50697#011resp=--removed--==
Oct 20 06:26:16 mail dovecot: auth-worker(default):
sql(simon@example.net,127.0.0.1): query: SELECT EmailAdd AS user,
Password AS password,  concat('/var/spool/mail/virtual/',MailDirLoc)
as userdb_home, 999 as userdb_uid, 115 as userdb_gid FROM MailAccounts
WHERE Username='simon@example.net' AND active = '1';
Oct 20 06:26:16 mail dovecot: auth(default): client out:
OK#0111#011user=simon@example.net
Oct 20 06:26:16 mail dovecot: auth(default): master in:
REQUEST#0111713#01119228#0111
Oct 20 06:26:16 mail dovecot: auth(default):
prefetch(simon@example.net,127.0.0.1): success
Oct 20 06:26:16 mail dovecot: auth(default): master out:
USER#0111713#011simon@example.net#011home=/var/spool/mail/virtual/example.net/simon/#011uid=999#011gid=115
Oct 20 06:26:16 mail dovecot: imap-login: Login:
user=simon@example.net, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1,
secured
Note, the RaNDomsTRinG is what I believe is my encrypted password.
the other strings (removed, alsoremoved and truncated) were all
variations on a string (which looks like an MD5 hash string to me).
I'm still sure this is the webmail trying to log in though..
...
From the Horde log:
mail:~# grep "2011-10-20T06:" /var/log/horde/horde4.log
2011-10-20T06:25:16+00:00 ERR: HORDE4 [imp] IMAP server denied
authentication. [pid 19222 on line 340 of
"/usr/share/horde4/imp/lib/Imap.php"]
2011-10-20T06:25:16+00:00 INFO: HORDE4 [imp] FAILED LOGIN for
simon@lydiard.net (Horde user simon@lydiard.net) [] to {localhost:143
[imap]} [pid 19222 on line 176 of
"/usr/share/horde4/imp/lib/Auth.php"]
But that only shows one attempt.  Dovecot is complaining about 4.
I'm not overly concerned, but I'm concerned that this will impact as
we scale up on users.
Simon