[Dovecot] Improvements to "Authentication failed" error
Probably one of the most commonly asked questions is "Why does Dovecot just say authentication failed?" It would be nice to be able to get rid of these questions by having Dovecot itself point out the http://wiki.dovecot.org/WhyDoesItNotWork link. But how to do this? There are two groups of people here:
People who look at logs after seeing the "Authentication failed" from a client/telnet session.
People who don't even think about looking at logs.
I'm thinking that the group 1 could be handled by having Dovecot log the link once as informational message if the first authentication attempt fails and it's from localhost. This shouldn't cause problems I think.
Group 2 is more difficult though, and I fear they're also the ones asking this question more often than group 1.. I think the only solution would be to change the IMAP/POP3 error message for them. So instead of:
NO Authentication failed.
they'd get something more usable. So:
2a) NO Authentication failed. See http://wiki.dovecot.org/WhyDoesItNotWork.
2b) NO Authentication failed. Refer to server log for more information.
2c) NO Authentication failed. Enable auth_debug in server for more information.
But there are some problems I think:
If it's done only for connections from localhost, the error messages would be different from localhost vs. elsewhere, which might confuse some log parser scripts.
Some people are running stunnel or some other proxies, causing all connections to appear from localhost. Also webmails often run in localhost. So it can't be assumed that only admins will see the error message. I think this rules out 2a) message. I'm certain I don't want end users emailing me and asking why they can't connect to their server because they saw that link.
Sending 2b) for all connections could be a solution, but it might be confusing for end users. They of course can't refer to the server log. Also, unless the wiki link is logged for every failure or auth_debug is enabled, there's nothing useful in the server log.
Sending 2c) for all connections when auth_debug isn't enabled (and plain "Authentication failed" when it is) might also work, but it's again confusing to end users since they can't do that.
Any thoughts?
On Mon, 2008-10-06 at 00:51 +0300, Timo Sirainen wrote:
- People who don't even think about looking at logs.
Oh, one more alternative to this I thought of:
Even though these people don't read logs, they probably restart Dovecot manually at some point (if they don't give up immediately). Dovecot could track if all auth attempts in its existence have failed (e.g. /var/lib/dovecot/auth-fails exists) and if so, when starting up it'd write something like:
If you have trouble with authentication failures, enable auth_debug_passwords setting. http://wiki.dovecot.org/WhyDoesItNotWork
On Mon, Oct 06, 2008 at 12:58:35AM +0300, Timo Sirainen wrote:
On Mon, 2008-10-06 at 00:51 +0300, Timo Sirainen wrote:
- People who don't even think about looking at logs.
Oh, one more alternative to this I thought of:
I think still 2b is best ("refer to server log"). You might add "or system administrator", but I'd think even this is overkill.
I bet there will be people not reading even this[1]. They'll have to do the first step sometime.
[1] and no, I don't think it's bad intentions or laziness -- it's just lack of habit in debugging.
Regards
-- tomás
tomas@tuxteam.de wrote:
I have a problem and I have not been able to figure out how to get it to log any useful information. I would like to see what is happening between the client and the server. I was thinking that I might use strace.
-Don
On Mon, Oct 06, 2008 at 12:58:35AM +0300, Timo Sirainen wrote:
On Mon, 2008-10-06 at 00:51 +0300, Timo Sirainen wrote:
- People who don't even think about looking at logs. Oh, one more alternative to this I thought of:
I think still 2b is best ("refer to server log"). You might add "or system administrator", but I'd think even this is overkill.
I bet there will be people not reading even this[1]. They'll have to do the first step sometime.
[1] and no, I don't think it's bad intentions or laziness -- it's just lack of habit in debugging.
Regards -- tomás
On Sun, Oct 05, 2008 at 11:04:18PM -0700, Don Steiny wrote:
Please, don't top-quote. Pretty please. You see what happens:
tomas@tuxteam.de wrote:
I have a problem and I have not been able to figure out how to get it to log any useful information. I would like to see what is happening between the client and the server. I was thinking that I might use strace.
(I didn't write that. You wrote it!).
Anyway -- back to your question. If the debugging options of Dovecot aren't enough for you, just give Wireshark a try. Especially its "follow TCP stream" feature is very recommended. You can just spy on any TCP conversation.
Regards
-- tomás
Timo Sirainen wrote:
Probably one of the most commonly asked questions is "Why does Dovecot just say authentication failed?" It would be nice to be able to get rid of these questions by having Dovecot itself point out the http://wiki.dovecot.org/WhyDoesItNotWork link. But how to do this? There are two groups of people here:
People who look at logs after seeing the "Authentication failed" from a client/telnet session.
People who don't even think about looking at logs.
Any thoughts?
Honestly - and no offense to anyone on this list who's new - people need to learn how to help themselves to a certain point. "My password doesn't work and I know it's right" without ever bothering to 1) look at the documentation or 2) look at a log is hopeless. At the very least *everyone* should be able to read the documentation. The documentation which will tell them #2. I mean, is it really that hard? Reading the docs and asking "I don't understand blah blah on page blah" is understandable, but someone not reading and expecting the same answer to the same question over and over (hence docs or a FAQ) is not your problem.
There's no point in trying to program in fancy conditions for errors like this. It's just silly. Even if you make these changes I'll bet you it doesn't make a difference. The same group you're trying to help will see the long, wordy error message, glaze over it, and go straight to "my password doesn't work and I know it's right".
~Seth
On Oct 6, 2008, at 3:47 AM, Seth Mattinen wrote:
Timo Sirainen wrote:
Probably one of the most commonly asked questions is "Why does Dovecot just say authentication failed?" It would be nice to be able to get rid of these questions by having Dovecot itself point out the http://wiki.dovecot.org/WhyDoesItNotWork link. But how to do this? There are two groups of people here:
..
There's no point in trying to program in fancy conditions for errors like this. It's just silly. Even if you make these changes I'll bet you it doesn't make a difference. The same group you're trying to help will see the long, wordy error message, glaze over it, and go straight to "my password doesn't work and I know it's right".
It doesn't help for everyone, but I think it could reduce the number of these questions. I think I'm going to do this:
If /var/lib/dovecot/auth-success file doesn't exist at startup and protocols != none, print at startup:
If you have trouble with authentication failures, enable auth_debug setting. http://wiki.dovecot.org/WhyDoesItNotWork
If the process printed that and a successful login comes in (master process sees it easily internally), create the auth-success file.
This should be only about 10-20 extra lines of code, doesn't change behavior for end users and shouldn't annoy sysadmins since it stops after the first successful authentication.
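The first-success marker sketched in the message above, written out as an added example. This is not Dovecot's code and not Timo's patch; the function names, the marker path under /tmp and the use of stat()/open() with O_EXCL are my own choices for illustration. It shows the two halves of the mechanism: a startup check that prints the hint only while no login has ever succeeded and at least one protocol is served, and a record step that creates the marker without racing another creator.

```c
/* Added example (not Dovecot's code): a "print the hint until the first
 * successful login" marker file. Paths and function names are hypothetical. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 1 if the startup hint should be printed: no login has succeeded
 * yet (marker absent) and at least one protocol is actually being served. */
int should_print_auth_hint(const char *marker_path, const char *protocols)
{
    struct stat st;

    if (protocols == NULL || strcmp(protocols, "none") == 0)
        return 0;                       /* nothing to authenticate against */
    if (stat(marker_path, &st) == 0)
        return 0;                       /* a login has succeeded before */
    if (errno != ENOENT)
        return 0;                       /* unreadable state dir: stay quiet */
    return 1;
}

/* Create the marker after the first successful authentication. O_EXCL means
 * two processes creating it at once cannot clobber each other, and an already
 * existing marker is not an error. Returns 0 on success, -1 on failure. */
int record_auth_success(const char *marker_path)
{
    int fd = open(marker_path, O_WRONLY | O_CREAT | O_EXCL, 0644);

    if (fd < 0)
        return errno == EEXIST ? 0 : -1;
    close(fd);
    return 0;
}

void print_auth_hint_if_needed(const char *marker_path, const char *protocols)
{
    if (should_print_auth_hint(marker_path, protocols)) {
        printf("If you have trouble with authentication failures, enable "
               "auth_debug setting. http://wiki.dovecot.org/WhyDoesItNotWork\n");
    }
}

int main(void)
{
    /* Hypothetical location; Dovecot's proposal used /var/lib/dovecot. */
    const char *marker = "/tmp/dovecot-example-auth-success";

    unlink(marker);                               /* start from a clean slate */
    print_auth_hint_if_needed(marker, "imap pop3");   /* prints the hint */
    /* ... later, the master process observes a successful login ... */
    record_auth_success(marker);
    print_auth_hint_if_needed(marker, "imap pop3");   /* now silent */
    unlink(marker);
    return 0;
}
```

The marker file must live somewhere the master process can write and that survives restarts, otherwise the hint reappears on every start; a read-only or missing state directory makes should_print_auth_hint() fall back to silence rather than nagging forever.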
- Timo Sirainen dovecot@dovecot.org:
Probably one of the most commonly asked questions is "Why does Dovecot just say authentication failed?" It would be nice to be able to get rid of these questions by having Dovecot itself point out the http://wiki.dovecot.org/WhyDoesItNotWork link. But how to do this? There are two groups of people here:
People who look at logs after seeing the "Authentication failed" from a client/telnet session.
People who don't even think about looking at logs.
I'm thinking that the group 1 could be handled by having Dovecot log the link once as informational message if the first authentication attempt fails and it's from localhost. This shouldn't cause problems I think.
Group 2 is more difficult though, and I fear they're also the ones asking this question more often than group 1.. I think the only solution would be to change the IMAP/POP3 error message for them. So instead of:
NO Authentication failed.
I don't agree. To me the problem is a role conflict (user vs. sysadmin) and a failure to follow standard sysadmin procedures.
The "NO Authentication failed." message is a message sent to the user. It's meant to be simple, and the message we are talking about says exactly what happened. All the options you are thinking of make it more complicated, and this would irritate any user (role).
I would not send a mixture of user and sysadm notes in the failure message. Pointing people to the log points to a starting point only, but it's not a debugging procedure. I don't think this will solve the problem. People will have a look at the log and then they will show up on the list and yell "Authentication failed and I took a look at the log, but it didn't tell what's wrong."
Instead I'd leave the message as simple as it is and - if you haven't done so yet - I would prepare documentation that describes debugging procedures, and I would send that link to anybody who refuses to show up prepared. This gives them what they need: instructions to debug authentication problems.
p@rick
-- state of mind Agentur für Kommunikation, Design und Softwareentwicklung
Patrick Koetter Tel: 089 45227227 Echinger Strasse 3 Fax: 089 45227226 85386 Eching Web: http://www.state-of-mind.de
Amtsgericht München Partnerschaftsregister PR 563