Re: MySQL Auth Troubles during Migration to 2.4.1

6 May 2025

      On Tue, May 6, 2025 at 10:53 AM Timo Sirainen <timo@sirainen.com> wrote:
...
On 4. May 2025, at 14.24, Odhiambo Washington via dovecot <
dovecot@dovecot.org> wrote:
...
passdb sql {
default_password_scheme = SHA512
query = SELECT crypt AS password FROM users,domains WHERE
users.username = '%
...
{user}' AND users.enabled = '1' AND users.type='local' and
domains.enabled='1'
and domains.domain_id = users.domain_id
}
userdb sql {
query = SELECT pop as home, uid, gid FROM users WHERE username =
'%{user}'
iterate_query = SELECT username AS user FROM users
Not a reason for your troubles, but should you be checking the enabled=1
here also? So LMTP deliveries won't succeed for disabled users/domains.
...
May 04 13:09:12 auth-worker(9138): Debug:
mysql(/var/run/mysqld/mysqld.sock):
Finished query 'SELECT crypt AS password FROM users,domains WHERE
users.username = 'joh@doe.com' AND users.enabled = '1' AND
users.type='local'
and domains.enabled='1' and domains.domain_id = users.domain_id' in 0
msecs
May 04 13:09:12 auth-worker(joh@doe.com
,127.0.0.1)<9138><0sexkUw07I1/AAAB>:
request [1]: Debug: sql: Finished passdb lookup
Okay..
...
May 04 13:09:12 auth-worker(9138): Debug: conn unix:auth-worker
(pid=9063,uid=116): auth-worker<1>: Finished: internal_failure
There's an internal failure, but no reason for it in these logs. I'd have
expected an error to be logged. Are the errors logged to a different file
that you're not looking at? Check with "doveadm log find" and/or "doveadm
log errors" if there's a reason for the internal failure.
I was relying on the sample configs provided at
https://github.com/dovecot/tools/blob/main/dovecot-2.4.0-example-config.tar....
.
BTW, tar -zxvf
https://github.com/dovecot/tools/blob/main/dovecot-2.4.0-example-config.tar....
(on Debian 12) does not work for me with this file. Why.
Anyway, so when I extracted the above, I started by only changing the
10-auth.conf which contains:
auth_mechanisms = plain login
!include auth-sql.conf.ext
Then I created my auth-sql.conf.ext shown above.
What I realized then is that the dovecot/auth service doesn't seem to be
running. Not sure why.
May 06 12:02:20 pop3-login: Info: Login aborted: Logged out (auth service
reported temporary failure

doveadm log errors gives no output.
Looking at https://doc.dovecot.org/2.4.1/core/admin/running.html, and
comparing with a system where I have installed Dovecot 2.4.1:
root@mail:/etc/dovecot/conf.d# ps auxw|grep "dovecot"
root        9739  0.0  0.0   8872  4816 ?        Ss   14:47   0:00
/usr/sbin/dovecot -F
root        9741  0.0  0.0   5324  3280 ?        S    14:47   0:00
dovecot/anvil
root        9742  0.0  0.0   5428  3256 ?        S    14:47   0:00
dovecot/log
root        9743  0.0  0.1  51976 10248 ?        S    14:47   0:00
dovecot/config
Why are my other services not running? For example, the dovecot/auth
service is not running.
On an system running 2.3.21, I get:
wash@eu:~$ ps auxw|grep "dovecot"
root      181404  0.0  0.0   8240  4408 ?        Ss   14:33   0:00
/usr/sbin/dovecot -F
dovecot   181408  0.0  0.0  10668  6936 ?        S    14:33   0:00
dovecot/managesieve-login
Debian-+  181409  0.0  0.0  12192  8880 ?        S    14:33   0:00
dovecot/lmtp -L
dovecot   181410  0.0  0.0   4760  1436 ?        S    14:33   0:00
dovecot/anvil
root      181411  0.0  0.0   5028  2960 ?        S    14:33   0:00
dovecot/log
Debian-+  181412  0.0  0.0  12192  8848 ?        S    14:33   0:00
dovecot/lmtp -L
Debian-+  181413  0.0  0.0  12192  9040 ?        S    14:33   0:00
dovecot/lmtp -L
Debian-+  181414  0.0  0.0  12192  8908 ?        S    14:33   0:00
dovecot/lmtp -L
Debian-+  181415  0.0  0.0  12192  8876 ?        S    14:33   0:00
dovecot/lmtp -L
root      181416  0.0  0.0   8096  5444 ?        S    14:33   0:00
dovecot/config
dovecot   181418  0.0  0.0   5964  3496 ?        S    14:33   0:00
dovecot/stats
dovecot   181419  0.0  0.0  12216  8456 ?        S    14:33   0:00
dovecot/auth
Is it normal that the dovecot/auth is not listed as a running service for
2.4.1?
I think that is one of my problems, besides also not getting any output
from doveadm log errors.
I wiped dovecot and reinstalled. My current config is minimal and I am not
using the sample configs referred to above, but I still have the same
problem:
root@mail:/var/www/html/exim4u/vexim2-master/setup# doveconf -n
2.4.1-4+debian12 (7d8c0e5759): /etc/dovecot/dovecot.conf
Pigeonhole version 2.4.1-4+debian12 (0a86619f)
OS: Linux 6.1.0-34-amd64 x86_64 Debian 12.10
Hostname: mail.mara.cloud
dovecot_config_version = 2.4.1
dovecot_storage_version = 2.4.1
info_log_path = /var/log/dovecot.log
mail_driver = maildir
mail_home = /home/%{user | username}/mail
mail_inbox_path = /var/mail/%{user | username}
mail_path = ~/mail
mailbox_list_utf8 = yes
protocols = imap lmtp sieve pop3 submission
sql_driver = mysql
passdb pam {
}
userdb passwd {
}
mysql /var/run/mysqld/mysqld.sock {
dbname = exim4u
password = # hidden, use -P to show it
user = exim4u
}
passdb sql {
default_password_scheme = SHA512
query = SELECT crypt AS password FROM users,domains WHERE users.username
= '%{user}' AND users.enabled = '1' AND users.type='local' and
domains.enabled='1' and domains.domain_id = users.domain_id
}
userdb sql {
iterate_query = SELECT username AS user FROM users
query = SELECT pop as home, uid, gid FROM users WHERE username = '%{user}'
}
namespace inbox {
inbox = yes
separator = /
}
ssl_server {
cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
key_file = /etc/ssl/private/ssl-cert-snakeoil.key
}
--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
In an Internet failure case, the #1 suspect is a constant: DNS.
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
[How to ask smart questions:
http://www.catb.org/~esr/faqs/smart-questions.html]
On Tue, May 6, 2025 at 10:53 AM Timo Sirainen <timo@sirainen.com> wrote:
On 4. May 2025, at 14.24, Odhiambo Washington via dovecot
<dovecot@dovecot.org> wrote:
>
> passdb sql {
>   default_password_scheme = SHA512
>   query = SELECT crypt AS password FROM users,domains WHERE
users.username = '%
> {user}' AND users.enabled = '1' AND users.type='local' and
domains.enabled='1'
> and domains.domain_id = users.domain_id
> }
>
> userdb sql {
>   query = SELECT pop as home, uid, gid FROM users WHERE username =
'%{user}'
>   iterate_query = SELECT username AS user FROM users
 Not a reason for your troubles, but should you be checking the
 enabled=1 here also? So LMTP deliveries won't succeed for disabled
 users/domains.

 > May 04 13:09:12 auth-worker(9138): Debug: mysql(/var/run/mysqld/
 mysqld.sock):
 > Finished query 'SELECT crypt AS password FROM users,domains WHERE
 > users.username = 'joh@doe.com' AND users.enabled = '1' AND
 users.type='local'
 > and domains.enabled='1' and domains.domain_id = users.domain_id' in
 0 msecs
 > May 04 13:09:12 auth-worker
 (joh@doe.com,127.0.0.1)&lt;9138>&lt;0sexkUw07I1/AAAB>:
 > request [1]: Debug: sql: Finished passdb lookup

 Okay..

 > May 04 13:09:12 auth-worker(9138): Debug: conn unix:auth-worker
 > (pid=9063,uid=116): auth-worker&lt;1>: Finished: internal_failure

 There's an internal failure, but no reason for it in these logs. I'd
 have expected an error to be logged. Are the errors logged to a
 different file that you're not looking at? Check with "doveadm log
 find" and/or "doveadm log errors" if there's a reason for the
 internal failure.
I was relying on the sample configs provided at https://github.com/dovecot/
tools/blob/main/dovecot-2.4.0-example-config.tar.gz.
BTW, tar -zxvf https://github.com/dovecot/tools/blob/main/dovecot-2.4.0-
example-config.tar.gz (on Debian 12) does not work for me with this file. Why.
Anyway, so when I extracted the above, I started by only changing the 10-
auth.conf which contains:
auth_mechanisms = plain login
!include auth-sql.conf.ext
Then I created my auth-sql.conf.ext shown above.
What I realized then is that the dovecot/auth service doesn't seem to be
running. Not sure why.
May 06 12:02:20 pop3-login: Info: Login aborted: Logged out (auth service
reported temporary failure

doveadm log errors gives no output.
Looking at https://doc.dovecot.org/2.4.1/core/admin/running.html, and comparing
with a system where I have installed Dovecot 2.4.1:
root@mail:/etc/dovecot/conf.d# ps auxw|grep "dovecot"
root        9739  0.0  0.0   8872  4816 ?        Ss   14:47   0:00 /usr/sbin/
dovecot -F
root        9741  0.0  0.0   5324  3280 ?        S    14:47   0:00 dovecot/
anvil
root        9742  0.0  0.0   5428  3256 ?        S    14:47   0:00 dovecot/log
root        9743  0.0  0.1  51976 10248 ?        S    14:47   0:00 dovecot/
config
Why are my other services not running? For example, the dovecot/auth service is
not running.
On an system running 2.3.21, I get:
wash@eu:~$ ps auxw|grep "dovecot"
root      181404  0.0  0.0   8240  4408 ?        Ss   14:33   0:00 /usr/sbin/
dovecot -F
dovecot   181408  0.0  0.0  10668  6936 ?        S    14:33   0:00 dovecot/
managesieve-login
Debian-+  181409  0.0  0.0  12192  8880 ?        S    14:33   0:00 dovecot/lmtp
-L
dovecot   181410  0.0  0.0   4760  1436 ?        S    14:33   0:00 dovecot/
anvil
root      181411  0.0  0.0   5028  2960 ?        S    14:33   0:00 dovecot/log
Debian-+  181412  0.0  0.0  12192  8848 ?        S    14:33   0:00 dovecot/lmtp
-L
Debian-+  181413  0.0  0.0  12192  9040 ?        S    14:33   0:00 dovecot/lmtp
-L
Debian-+  181414  0.0  0.0  12192  8908 ?        S    14:33   0:00 dovecot/lmtp
-L
Debian-+  181415  0.0  0.0  12192  8876 ?        S    14:33   0:00 dovecot/lmtp
-L
root      181416  0.0  0.0   8096  5444 ?        S    14:33   0:00 dovecot/
config
dovecot   181418  0.0  0.0   5964  3496 ?        S    14:33   0:00 dovecot/
stats
dovecot   181419  0.0  0.0  12216  8456 ?        S    14:33   0:00 dovecot/auth
Is it normal that the dovecot/auth is not listed as a running service for
2.4.1?
I think that is one of my problems, besides also not getting any output from
doveadm log errors.
I wiped dovecot and reinstalled. My current config is minimal and I am not
using the sample configs referred to above, but I still have the same problem:
root@mail:/var/www/html/exim4u/vexim2-master/setup# doveconf -n
2.4.1-4+debian12 (7d8c0e5759): /etc/dovecot/dovecot.conf
Pigeonhole version 2.4.1-4+debian12 (0a86619f)
OS: Linux 6.1.0-34-amd64 x86_64 Debian 12.10
Hostname: mail.mara.cloud
dovecot_config_version = 2.4.1
dovecot_storage_version = 2.4.1
info_log_path = /var/log/dovecot.log
mail_driver = maildir
mail_home = /home/%{user | username}/mail
mail_inbox_path = /var/mail/%{user | username}
mail_path = ~/mail
mailbox_list_utf8 = yes
protocols = imap lmtp sieve pop3 submission
sql_driver = mysql
passdb pam {
}
userdb passwd {
}
mysql /var/run/mysqld/mysqld.sock {
dbname = exim4u
password = # hidden, use -P to show it
user = exim4u
}
passdb sql {
default_password_scheme = SHA512
query = SELECT crypt AS password FROM users,domains WHERE users.username = '%
{user}' AND users.enabled = '1' AND users.type='local' and domains.enabled='1'
and domains.domain_id = users.domain_id
}
userdb sql {
iterate_query = SELECT username AS user FROM users
query = SELECT pop as home, uid, gid FROM users WHERE username = '%{user}'
}
namespace inbox {
inbox = yes
separator = /
}
ssl_server {
cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
key_file = /etc/ssl/private/ssl-cert-snakeoil.key
}
--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
In an Internet failure case, the #1 suspect is a constant: DNS.
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
[How to ask smart questions: http://www.catb.org/~esr/faqs/smart-
questions.html]