Can’t authenticate any users after upgrade.
I’m in the process of upgrading an old server from Fedora 21 to something more modern. Now, Dovecot won’t let any client login to get their email.
PAM audit_log_acct_message() failed: Operation not permitted imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs): user=<username>, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS, session=<sessionid>
# 2.3.1 (8e2f634): /etc/dovecot/dovecot.conf
# OS: Linux 4.4.14-200.fc22.x86_64 x86_64 Fedora release 22 (Twenty Two)
# Hostname: kjchome.homeip.net
mbox_write_locks = fcntl
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
driver = pam
}
ssl = required
ssl_cert =
-- Kevin J. Cummings cummings@kjchome.homeip.net cummings@kjc386.framingham.ma.us kjchome@icloud.com Registered Linux User #1232 (http://www.linuxcounter.net/)
On 2018-04-04 23:10, Kevin Cummings wrote:
PAM audit_log_acct_message() failed: Operation not permitted imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs): user=<username>, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS, session=<sessionid>
Please look at my pull request at: https://github.com/dovecot/core/pull/71
Or, if it's any easier:
- Stop dovecot
- Replace /usr/lib/systemd/system/dovecot.service with the attached file
- systemctl daemon-reload
- systemctl start dovecot
Done.
Cheers, K. C.
-- regards Helmut K. C. Tessarek KeyID 0x172380A011EF4944 Key fingerprint = 8A55 70C1 BD85 D34E ADBC 386C 1723 80A0 11EF 4944
/* Thou shalt not follow the NULL pointer for chaos and madness await thee at its end. */
On 2018-04-05 06:33, Helmut K. C. Tessarek wrote:
On 2018-04-04 23:10, Kevin Cummings wrote:
PAM audit_log_acct_message() failed: Operation not permitted imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs): user=<username>, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS, session=<sessionid>
Please look at my pull request at: https://github.com/dovecot/core/pull/71
Or, if it's any easier:
- Stop dovecot
- Replace /usr/lib/systemd/system/dovecot.service with the attached file
I'd recommend to just override the necessary options by creating /etc/systemd/system/dovecot.service.d/NoNewPrivileges.conf with the following content:
[Service]
NoNewPrivileges=false
This way the fix survives any updates and you don't have to mess with package-provided files.
- systemctl daemon-reload
- systemctl start dovecot
On 2018-04-05 02:34, B. Reino wrote:
This way the fix survives any updates and you don't have to mess with package-provided files.
You'd also have to add the following:
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_KILL CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_AUDIT_WRITE
It won't work without CAP_AUDIT_WRITE, even if NoNewPrivileges is set to false, at least not on my server.
But as I've mentioned this _could_ be counterproductive if in the future the systemd file that comes with dovecot is changed and you forget to delete /etc/systemd/system/dovecot.service.d/NoNewPrivileges.conf again.
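How the drop-in settings from this message combine with a packaged unit, as an added example that is not code from the thread or from Dovecot: the unit text is constructed, and the merge rules are assumed from systemd's documented semantics (the last NoNewPrivileges= assignment wins; CapabilityBoundingSet= lines are unioned, and an empty assignment resets the set). PAM's audit_log_acct_message() call from the error needs CAP_AUDIT_WRITE to send audit records.

```shell
#!/bin/sh
# Added example, not from the thread. Models systemd's merging of a packaged unit
# with a drop-in and reports whether PAM's audit call can succeed under the result.

# Constructed, restrictive packaged unit (hypothetical, not Fedora's real file).
SAMPLE_UNIT='[Service]
NoNewPrivileges=true
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT'

# The drop-in this thread arrives at: NoNewPrivileges off plus CAP_AUDIT_WRITE.
FIXED_DROPIN='[Service]
NoNewPrivileges=false
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_KILL CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_AUDIT_WRITE'

# no_new_privs TEXT: effective NoNewPrivileges ("yes"/"no"); last assignment wins, absent means no.
no_new_privs() {
    v=$(printf '%s\n' "$1" | sed -n 's/^NoNewPrivileges=//p' | tail -n 1)
    case "$v" in
        1|[Yy]es|[Tt]rue|[Oo]n) echo yes ;;
        *) echo no ;;
    esac
}

# bounding_set TEXT: union of all CapabilityBoundingSet= lines (duplicates are harmless),
# reset by an empty assignment; prints UNRESTRICTED when the option never appears.
bounding_set() {
    lines=$(printf '%s\n' "$1" | sed -n 's/^CapabilityBoundingSet=$/@RESET@/p; s/^CapabilityBoundingSet=//p')
    [ -n "$lines" ] || { echo UNRESTRICTED; return; }
    caps=""
    old_ifs=$IFS; IFS='
'
    for line in $lines; do
        if [ "$line" = "@RESET@" ]; then caps=""; else caps="$caps $line"; fi
    done
    IFS=$old_ifs
    echo "${caps# }"
}

# audit_ok TEXT: exit 0 when PAM audit logging can work under TEXT, 1 with a reason.
audit_ok() {
    caps=$(bounding_set "$1")
    case " $caps " in
        *" UNRESTRICTED "*|*" CAP_AUDIT_WRITE "*) ;;
        *) echo "CapabilityBoundingSet lacks CAP_AUDIT_WRITE: audit_log_acct_message() gets EPERM"; return 1 ;;
    esac
    if [ "$(no_new_privs "$1")" = yes ]; then
        echo "NoNewPrivileges=true is still in effect"; return 1
    fi
    echo "ok: CAP_AUDIT_WRITE present and NoNewPrivileges off"
}

audit_ok "$SAMPLE_UNIT" || :
audit_ok "$SAMPLE_UNIT
$FIXED_DROPIN" || :
```

Run it against the concatenation of the real unit and your drop-in to see which of the two settings is still blocking before touching the package-provided file.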
On 04/05/18 02:34, B. Reino wrote:
On 2018-04-05 06:33, Helmut K. C. Tessarek wrote:
On 2018-04-04 23:10, Kevin Cummings wrote:
PAM audit_log_acct_message() failed: Operation not permitted imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs): user=<username>, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS, session=<sessionid>
Please look at my pull request at: https://github.com/dovecot/core/pull/71
Or, if it's any easier:
- Stop dovecot
- Replace /usr/lib/systemd/system/dovecot.service with the attached file
I'd recommend to just override the necessary options by creating /etc/systemd/system/dovecot.service.d/NoNewPrivileges.conf with the following content:
[Service]
NoNewPrivileges=false
This way the fix survives any updates and you don't have to mess with package-provided files.
- systemctl daemon-reload
- systemctl start dovecot
OK, so I went this route, added the new file, stopped dovecot, did the daemon-reload, then started it up again. It did not work for me. As I continued to read the other emails in this thread, I came to the conclusion that the Fedora configuration, as packaged by City-Fan.org is what is broken. Luckily for me, there was still a 2.2.35 version of dovecot in the repository, so I ended up doing the "dnf downgrade dovecot" and now I can read my emails again. I'm assuming that the packager for Fedora will ensure that this gets fixed in the current releases. I checked, and F26
On 2018-04-05 22:14, Kevin Cummings wrote:
OK, so I went this route, added the new file, stopped dovecot, did the daemon-reload, then started it up again. It did not work for me. As I continued to read the other emails in this thread, I came to the conclusion that the Fedora configuration, as packaged by City-Fan.org is what is broken. Luckily for me, there was still a 2.2.35 version of dovecot in the repository, so I ended up doing the "dnf downgrade dovecot" and now I can read my emails again. I'm assuming that the packager for Fedora will ensure that this gets fixed in the current releases. I checked, and F26
Interesting, I'm still on an older Fedora release, but I used the original Fedora spec file, which I adjusted a bit (so that it uses my own openssl version instead of the system's, and a few other minor tweaks), and created my own dovecot 2.3.1 package.
In any case, the changes I described fixed it for me.
I don't think the Fedora packager even knows about the PAM configuration issue, otherwise he would have written a patch, but there's nothing in git master of the dovecot package repo.
I've opened a bug with Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1564348
Cheers, K. C.
On 05.04.2018 07:33, Helmut K. C. Tessarek wrote:
On 2018-04-04 23:10, Kevin Cummings wrote:
PAM audit_log_acct_message() failed: Operation not permitted imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs): user=<username>, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS, session=<sessionid>
Please look at my pull request at: https://github.com/dovecot/core/pull/71
Or, if it's any easier:
- Stop dovecot
- Replace /usr/lib/systemd/system/dovecot.service with the attached file
- systemctl daemon-reload
- systemctl start dovecot
Done.
Cheers, K. C.
Hi!
Never replace /lib or /usr/lib systemd unit files; if you want to replace the whole unit file, please put it under the /etc/systemd/system/ directory. If a unit file with the same name is found there, it is used instead.
Aki
On 2018-04-05 03:01, Aki Tuomi wrote:
Never replace /lib or /usr/lib systemd unit files; if you want to replace the whole unit file, please put it under the /etc/systemd/system/ directory. If a unit file with the same name is found there, it is used instead.
Usually I'd agree, but let's assume you change something in the file that comes with dovecot in the future: systemd will still use the one in /etc/systemd/system and you'd never know that the original file has ever even changed.
On the other side, if with the next version of dovecot this NoNewPrivileges issue will not have been resolved, you just change the file again. If it has been fixed, all is good anyway.
Anyhow, both concepts are valid in this instance in my opinion.
On 04/04/18 23:10, Kevin Cummings wrote:
I’m in the process of upgrading an old server from Fedora 21 to something more modern. Now, Dovecot won’t let any client login to get their email.
PAM audit_log_acct_message() failed: Operation not permitted imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs): user=<username>, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS, session=<sessionid>
# 2.3.1 (8e2f634): /etc/dovecot/dovecot.conf
# OS: Linux 4.4.14-200.fc22.x86_64 x86_64 Fedora release 22 (Twenty Two)
# Hostname: kjchome.homeip.net
mbox_write_locks = fcntl
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
driver = pam
}
ssl = required
ssl_cert =
ssl_cipher_list = PROFILE=SYSTEM
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
driver = passwd
}
What ended up working for me.
I ended up downgrading to version 2.2.25 as packaged by city-fan.org
That worked.
Then, at the urging of the packager, I re-installed 2.3.1 (from the same repository), but replaced the dovecot.service file with the one from 2.2.35.
[Always did a systemctl daemon-reload; systemctl restart dovecot between attempts]
That worked.
Next he had me comment out the line that starts:
CapabilityBoundingSet=
That also worked