[Dovecot] (no subject)
On an Ubuntu Server 12.04 system with Dovecot 2.0.19 I am having some trouble with the Dovecot passwords. I am finding this in the logs when I unsuccessfully try to log in:
Jul 07 08:13:25 auth-worker: Debug: pam(user@someDomain.com,212.179.241.14): lookup service=dovecot
Jul 07 08:13:25 auth-worker: Debug: pam(user@someDomain.com,212.179.241.14): #1/1 style=1 msg=Password:
Jul 07 08:13:27 auth-worker: Info: pam(user@someDomain.com,212.179.241.14): pam_authenticate() failed: Authentication failure (password mismatch?) (given password: 12345)
Jul 07 08:13:29 auth: Debug: client out: FAIL 2 user=user@someDomain.com
Jul 07 08:13:29 pop3-login: Info: Disconnected (auth failed, 2 attempts): user=<user@someDomain.com>, method=PLAIN, rip=212.179.241.14, lip=10.138.11.251
This is not the real password, but an example to show that I think that there is an issue:
$ /usr/bin/doveadm pw -u user@someDomain.com -s DIGEST-MD5
Enter new password:    # Here I have typed "12345"
Retype new password:   # Here I have typed "12345"
{DIGEST-MD5}f4e442b0dec5009eaa8b9b4104923edc
$ printf "12345" | md5sum
827ccb0eea8a706c4c34a16891f84e7b  -
$
Shouldn't that password match the md5sum check? Also, might I have the file formats wrong?
$ cat passwd
user@someDomain.com::5000:5000::/var/mail/vhosts/someDomain.com/user
$ cat shadow
user@someDomain.com:{DIGEST-MD5}f4e442b0dec5009eaa8b9b4104923edc
$
Note that testing in Telnet fails the password as well, both when specifying the user without a domain and with a domain:
$ telnet mail.someDomain.com 143
Trying x.x.x.x...
Connected to mail.someDomain.com.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.
a login user 12345
a NO [AUTHENTICATIONFAILED] Authentication failed.
e logout
* BYE Logging out
e OK Logout completed.
Connection closed by foreign host.
$ telnet mail.someDomain.com 143
Trying x.x.x.x...
Connected to mail.someDomain.com.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.
a login user@someDomain.com 12345
a NO [AUTHENTICATIONFAILED] Authentication failed.
* BAD Error in IMAP command received by server.
e logout
* BYE Logging out
e OK Logout completed.
Connection closed by foreign host.
Thanks!
-- Dotan Cohen
On 7 Jul 2013, at 11:47, Dotan Cohen wrote:
[...]
$ /usr/bin/doveadm pw -u user@someDomain.com -s DIGEST-MD5
Enter new password:    # Here I have typed "12345"
Retype new password:   # Here I have typed "12345"
{DIGEST-MD5}f4e442b0dec5009eaa8b9b4104923edc
$ printf "12345" | md5sum
827ccb0eea8a706c4c34a16891f84e7b  -
$
Hello Dotan,
Note that md5sum calculates a hash similar to the one used by dovecot's MD5-PLAIN scheme:
$ doveadm pw -s PLAIN-MD5 -p 12345
{PLAIN-MD5}827ccb0eea8a706c4c34a16891f84e7b
Shouldn't that password match the md5sum check?
As a result: no... ;-)
[...]
$ telnet mail.someDomain.com 143
Trying x.x.x.x...
Connected to mail.someDomain.com.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.
a login user 12345
[...]
I doubt this is a valid attempt:
- unless I'm wrong, the command should be authenticate (not login)
- the server doesn't seem to be configured for making use of digest-md5
You may find an example of such an authentication near the end of http://tools.ietf.org/html/rfc2831. You might also have a look at http://wiki2.dovecot.org/Authentication/Mechanisms/DigestMD5.
HTH, Axel
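Added example, not part of the original messages and not Dovecot's own code: a Python illustration of why the two hashes in the thread differ. It assumes, following the DigestMD5 wiki page linked above, that the DIGEST-MD5 scheme stores the MD5 of "user:realm:password" while PLAIN-MD5 is the MD5 of the password alone; the function names and sample entries are constructed for this example.

```python
import hashlib
import hmac


def plain_md5(password: str) -> str:
    """PLAIN-MD5: hex MD5 of the password alone, same as `printf 12345 | md5sum`."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def digest_md5(user: str, password: str) -> str:
    """DIGEST-MD5: hex MD5 of "user:realm:password".

    The realm is taken from the part after '@'; an empty realm for a user
    name without '@' is an assumption of this example.
    """
    name, _, realm = user.partition("@")
    return hashlib.md5(f"{name}:{realm}:{password}".encode("utf-8")).hexdigest()


def verify(entry: str, password: str) -> bool:
    """Check a password against one 'user:{SCHEME}hash' line."""
    fields = entry.strip().split(":")
    if len(fields) < 2 or not fields[1].startswith("{") or "}" not in fields[1]:
        raise ValueError("expected user:{SCHEME}hash")
    user = fields[0]
    scheme, _, stored = fields[1][1:].partition("}")
    if scheme.upper() == "PLAIN-MD5":
        candidate = plain_md5(password)
    elif scheme.upper() == "DIGEST-MD5":
        candidate = digest_md5(user, password)
    else:
        raise ValueError(f"scheme not handled here: {scheme}")
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(candidate, stored.lower())


# Constructed sample entries in the thread's shadow-file layout.
USER = "user@someDomain.com"
PLAIN_ENTRY = USER + ":{PLAIN-MD5}827ccb0eea8a706c4c34a16891f84e7b"  # hash quoted in the thread
DIGEST_ENTRY = USER + ":{DIGEST-MD5}" + digest_md5(USER, "12345")    # computed here, not from the thread

if __name__ == "__main__":
    print("md5sum-style hash :", plain_md5("12345"))
    print("DIGEST-MD5 hash   :", digest_md5(USER, "12345"))
    print("PLAIN-MD5 verify  :", verify(PLAIN_ENTRY, "12345"))
    print("DIGEST-MD5 verify :", verify(DIGEST_ENTRY, "12345"))
    print("wrong password    :", verify(DIGEST_ENTRY, "123456"))
```

Because the user name and realm are part of the DIGEST-MD5 input, a stored value generated for one account does not verify for another account with the same password.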
On Sun, Jul 7, 2013 at 4:10 PM, Axel Luttgens <AxelLuttgens@swing.be> wrote:
Hello Dotan,
Note that md5sum calculates a hash similar to the one used by dovecot's MD5-PLAIN scheme:
$ doveadm pw -s PLAIN-MD5 -p 12345
{PLAIN-MD5}827ccb0eea8a706c4c34a16891f84e7b
Shouldn't that password match the md5sum check?
As a result: no... ;-)
I see! I've tried a few formats to verify the MD5 hash, but none produced the expected results. In any case, I've gotten that part of Dovecot working now that I've discovered that most of the information online is for Dovecot 1. However the Dovecot 2 wiki is terrific and it pulled me through.
[...]
$ telnet mail.someDomain.com 143
Trying x.x.x.x...
Connected to mail.someDomain.com.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.
a login user 12345
[...]
I doubt this is a valid attempt:
- unless I'm wrong, the command should be authenticate (not login)
No, it does seem that 'login' is the right command. I've got it working now.
- the server doesn't seem to be configured for making use of digest-md5
You may find an example of such an authentication near the end of http://tools.ietf.org/html/rfc2831. You might also have a look at http://wiki2.dovecot.org/Authentication/Mechanisms/DigestMD5.
Thank you, that was indeed part of the issue!
-- Dotan Cohen