[Dovecot] Differences between IPv4 and IPv6 authentication
Hi,
I have Dovecot listening on both IPv4 and IPv6, and can connect on both interfaces, but cannot authenticate over IPv6, using exactly the same credentials as IPv4. I assumed that the same authentication mechanisms would be used, regardless of the protocol being used - are there differences somewhere?
For example:
~$ telnet server1.teststable.simplyspamfree.com 143
Trying 2a01:4f8:100:12c1:bc:28:b2:34...
Connected to server1.teststable.simplyspamfree.com.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS AUTH=PLAIN] Training System v2.8.30038 ready.
0 login training XXXXXXXX
0 NO [AUTHENTICATIONFAILED] Authentication failed.
0 logout
* BYE Logging out
0 OK Logout completed.
~$ telnet -4 server1.teststable.simplyspamfree.com 143
Trying 188.40.178.56...
Connected to server1.teststable.simplyspamfree.com.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS AUTH=PLAIN] Training System v2.8.30038 ready.
0 login training XXXXXXXX
0 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS QUOTA] Logged in
0 logout
* BYE Logging out
0 OK Logout completed.
Any insight would be appreciated, thanks!
Cheers, Tony
~$ dovecot -n
# 1.2.15: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-bpo.3-amd64 x86_64 Debian 5.0.6
log_path: /var/log/spamexperts/dovecot.log
log_timestamp: %Y-%m-%d %H:%M:%S
listen: *, [::]
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/imap-login
verbose_proctitle: yes
first_valid_uid: 100
mail_privileged_group: mail
fsync_disable: yes
mbox_write_locks: fcntl dotlock
mail_executable: /home/spamexperts/post-login.sh
mail_plugins: acl quota imap_quota expire
imap_client_workarounds: delay-newmail
auth default:
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-mysql-maint.conf
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-mysql.conf
  userdb:
    driver: sql
    args: /etc/dovecot/dovecot-mysql-maint.conf
  userdb:
    driver: sql
    args: /etc/dovecot/dovecot-mysql.conf
plugin:
  quota: maildir
  acl: vfile:/etc/dovecot/dovecot-acls
  expire: Caught 30
  expire_dict: proxy::expire
dict:
  expire: mysql:/etc/dovecot/dovecot-expire-mysql.conf
On 31.10.2010, at 19.49, Tony Meyer wrote:
> I have Dovecot listening on both IPv4 and IPv6, and can connect on both interfaces, but cannot authenticate over IPv6, using exactly the same credentials as IPv4. I assumed that the same authentication mechanisms would be used, regardless of the protocol being used - are there differences somewhere?
No.
> ~$ telnet server1.teststable.simplyspamfree.com 143
Try 127.0.0.1 vs ::1
> Any insight would be appreciated, thanks!
Proxy/firewall/antivirus/etc in the middle?
If none of that is helpful, set auth_debug_passwords=yes and see the logs.
Thanks for the suggestions!
>> ~$ telnet server1.teststable.simplyspamfree.com 143
> Try 127.0.0.1 vs ::1
I should have thought of that :) Indeed, ::1 works fine, so it is not IPv6, it is external IPv6.
> Proxy/firewall/antivirus/etc in the middle?
I don't think so.
> If none of that is helpful, set auth_debug_passwords=yes and see the logs.
With the successful connection to ::1 I get:
"""
2010-11-02 02:43:29 auth(default): Info: new auth connection: pid=28423
2010-11-02 02:43:35 auth(default): Info: client in: AUTH 1 PLAIN service=imap secured lip=::1 rip=::1 lport=143 rport=42445 resp=AHRyYWluaW5nAGZsaXRrWGw3bHgyQWdQemc=
2010-11-02 02:43:35 auth-worker(default): Info: sql(training,::1): query: SELECT DISTINCT "training" AS user, password FROM dovecot WHERE account="testing override";
2010-11-02 02:43:35 auth-worker(default): Info: sql(training,::1): Password mismatch
2010-11-02 02:43:35 auth-worker(default): Error: ssha256_verify(training): SSHA256 password too short
2010-11-02 02:43:35 auth-worker(default): Warning: Invalid OTP data in passdb
2010-11-02 02:43:35 auth-worker(default): Warning: Invalid OTP data in passdb
2010-11-02 02:43:35 auth-worker(default): Info: sql(training,::1): PLAIN-MD5(XXXXXXXX) != '6e202e30677971ea4ebe5e562ae5c195'
2010-11-02 02:43:35 auth-worker(default): Info: sql(training,::1): query: SELECT DISTINCT "training" AS user, password FROM dovecot WHERE account=LOWER("training");
2010-11-02 02:43:35 auth(default): Info: client out: OK 1 user=training
2010-11-02 02:43:35 auth(default): Info: master in: REQUEST 2 28374 1
2010-11-02 02:43:35 auth-worker(default): Info: sql(training,::1): SELECT DISTINCT CONCAT_WS("/", "/var/mail", LEFT(account, 1), LEFT(account, 2), LOWER(account)) AS home, CONCAT_WS("/", "maildir:/var/mail", LEFT(account, 1),LEFT(account, 2), LOWER(account)) AS mail, 1001 AS uid, 8 AS gid, CONCAT("*:storage=", FLOOR(quota)) AS quota_rule FROM dovecot WHERE account=LOWER("training")
2010-11-02 02:43:35 auth(default): Info: master out: USER 2 training home=/var/mail/t/tr/training mail=maildir:/var/mail/t/tr/training uid=1001 gid=8 quota_rule=*:storage=10245120
2010-11-02 02:43:35 imap-login: Info: Login: user=<training>, method=PLAIN, rip=::1, lip=::1, secured
2010-11-02 02:43:38 IMAP(training): Info: Disconnected: Logged out bytes=8/334
"""
With the external connection to IPv6 nothing at all gets written to the Dovecot log. (External IPv4 works fine). If I do an SSL connection I get only this for external IPv6:
"""
2010-11-02 02:51:38 imap-login: Info: Disconnected (no auth attempts): rip=178.63.10.79, lip=188.40.178.56
2010-11-02 02:51:38 auth(default): Info: new auth connection: pid=28726
"""
I'm afraid that still leaves me stumped. Any further suggestions?
Thanks, Tony
On Tue, 2010-11-02 at 15:02 +1300, Tony Meyer wrote:
> With the external connection to IPv6 nothing at all gets written to the Dovecot log. (External IPv4 works fine). If I do an SSL connection I get only this for external IPv6:
> """ 2010-11-02 02:51:38 imap-login: Info: Disconnected (no auth attempts): rip=178.63.10.79, lip=188.40.178.56
Those are IPv4 addresses, so if you really were connecting with IPv6 something changed it to IPv4 in the middle.
> I'm afraid that still leaves me stumped. Any further suggestions?
Are you sure IPv6 works at all in the server? Or maybe it has firewall settings to disallow imap port for IPv6.
Anyway, the problem clearly isn't with Dovecot.
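Added example (not part of the thread and not Dovecot code): the check made by eye above, that the logged rip/lip are IPv4 although the client dialled IPv6, done mechanically over log lines. The function names are hypothetical; the first two sample lines are quoted from the thread and the third (an IPv4-mapped address) is constructed.

```python
import ipaddress
import re

# Lines 1-2 are quoted from the thread; line 3 is constructed for illustration.
SAMPLE_LOG = """\
2010-11-02 02:43:35 imap-login: Info: Login: user=<training>, method=PLAIN, rip=::1, lip=::1, secured
2010-11-02 02:51:38 imap-login: Info: Disconnected (no auth attempts): rip=178.63.10.79, lip=188.40.178.56
2010-11-02 02:55:00 imap-login: Info: Disconnected (no auth attempts): rip=::ffff:178.63.10.79, lip=::ffff:188.40.178.56
"""

# rip = remote (client) address, lip = local (server) address as the daemon saw them.
FIELD = re.compile(r"\b(rip|lip)=([0-9A-Fa-f:.]+)")


def family(text):
    """Return 4 or 6 for an address; an IPv4-mapped IPv6 address counts as 4."""
    addr = ipaddress.ip_address(text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return 4
    return addr.version


def sessions_not_over(expected, log_text):
    """Return (line_no, rip, lip) for lines whose rip or lip is not IP version `expected`.

    Run this over the log window of a test made with a client forced to one
    address family: any hit means the connection reached the daemon over the
    other family, i.e. something in the path translated or redirected it.
    """
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        fields = dict(FIELD.findall(line))
        if "rip" not in fields or "lip" not in fields:
            continue  # not a connection-level line
        try:
            seen = {family(fields["rip"]), family(fields["lip"])}
        except ValueError:
            continue  # field did not hold a parseable address
        if seen != {expected}:
            hits.append((line_no, fields["rip"], fields["lip"]))
    return hits


if __name__ == "__main__":
    for line_no, rip, lip in sessions_not_over(6, SAMPLE_LOG):
        print(f"line {line_no}: expected IPv6, daemon saw rip={rip} lip={lip}")
```
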