no such user but Thunderbird okeys it ?
Hi guys.
I'm having quite a bizarre situation where Dovecot logs:
...
pam_unix(dovecot:auth): check pass; user unknown
pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=dupa rhost=AA.BB.CC.DD
imap-login: Login: user=<dupa>, method=PLAIN, rip=AA.BB.CC.DD, lip=AA.BB.CC.DD, mpid=1756629, TLS, session=<uV7OwIIEWsJdviSg>:
...
but Thunderbird allows, is okay with such user & creates an account for it. I must be having my setup misconfigured - I'm hoping it's something obvious somebody could point me towards.
many thanks, L.

On 04/09/2023 09:47 EEST lejeczek via dovecot <dovecot@dovecot.org> wrote:
> Hi guys.
> I'm having quite a bizarre situation where Dovecot logs:
> ...
> pam_unix(dovecot:auth): check pass; user unknown
> pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=dupa rhost=AA.BB.CC.DD
> imap-login: Login: user=<dupa>, method=PLAIN, rip=AA.BB.CC.DD, lip=AA.BB.CC.DD, mpid=1756629, TLS, session=<uV7OwIIEWsJdviSg>:
> ...
> but Thunderbird allows, is okay with such user & creates an account for it. I must be having my setup misconfigured - I'm hoping it's something obvious somebody could point me towards.
> many thanks, L.

Enable auth_debug=yes and check logs again.
Aki

On 04/09/2023 08:54, Aki Tuomi via dovecot wrote:
> Enable auth_debug=yes and check logs again.
> Aki
> dovecot mailing list -- dovecot@dovecot.org
> To unsubscribe send an email to dovecot-leave@dovecot.org

Just to clarify - the user who does not exist should be denied, is what I want - as general idea is: deny non-existent users. I wonder if this below is the culprit (I copy lots of configs from my very old Dovecot which laid dormant long time, I confess)
...
passdb {
  driver = static
  args = password=myPass
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/home/vmail/%d/%n
}
Logs with debug:
...
auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
auth: Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
auth: Debug: Read auth token secret from /run/dovecot/auth-token-secret.dat
auth: Debug: auth client connected (pid=1997362)
auth: Debug: client in: AUTH 1 PLAIN service=imap secured=tls session=rcUXJIMELrFdviSg lip=AA.BB.CC.DD rip=AA.BB.CC.DD lport=143 rport=45358 local_name=mail.lemko.xyz
auth: Debug: client passdb out: CONT 1
auth: Debug: client in: CONT<hidden>
auth: Debug: pam(dupa,AA.BB.CC.DD,<rcUXJIMELrFdviSg>): Performing passdb lookup
auth-worker(1997367): Debug: Loading modules from directory: /usr/lib64/dovecot/auth
auth-worker(1997367): Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
auth-worker(1997367): Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
auth-worker(1997367): Debug: conn unix:auth-worker (pid=1997363,uid=97): Server accepted connection (fd=13)
auth-worker(1997367): Debug: conn unix:auth-worker (pid=1997363,uid=97): Sending version handshake
auth-worker(1997367): Debug: conn unix:auth-worker (pid=1997363,uid=97): auth-worker<1>: Handling PASSV request
auth-worker(1997367): Debug: conn unix:auth-worker (pid=1997363,uid=97): auth-worker<1>: pam(dupa,AA.BB.CC.DD,<rcUXJIMELrFdviSg>): Performing passdb lookup
auth-worker(1997367): Debug: conn unix:auth-worker (pid=1997363,uid=97): auth-worker<1>: pam(dupa,AA.BB.CC.DD,<rcUXJIMELrFdviSg>): lookup service=dovecot
auth-worker(1997367): Debug: conn unix:auth-worker (pid=1997363,uid=97): auth-worker<1>: pam(dupa,AA.BB.CC.DD,<rcUXJIMELrFdviSg>): #1/1 style=1 msg=Password:
pam_unix(dovecot:auth): check pass; user unknown
pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=dupa rhost=AA.BB.CC.DD
auth-worker(1997367): conn unix:auth-worker (pid=1997363,uid=97): auth-worker<1>: pam(dupa,AA.BB.CC.DD,<rcUXJIMELrFdviSg>): pam_authenticate() failed: Authentication failure (Password mismatch?)
auth-worker(1997367): Debug: conn unix:auth-worker (pid=1997363,uid=97): auth-worker<1>: pam(dupa,AA.BB.CC.DD,<rcUXJIMELrFdviSg>): Finished passdb lookup
auth-worker(1997367): Debug: conn unix:auth-worker (pid=1997363,uid=97): auth-worker<1>: Finished: password_mismatch
auth: Debug: pam(dupa,AA.BB.CC.DD,<rcUXJIMELrFdviSg>): Finished passdb lookup
auth: Debug: static(dupa,AA.BB.CC.DD,<rcUXJIMELrFdviSg>): Performing passdb lookup
auth: Debug: static(dupa,AA.BB.CC.DD,<rcUXJIMELrFdviSg>): lookup
auth: Debug: static(dupa,AA.BB.CC.DD,<rcUXJIMELrFdviSg>): Finished passdb lookup
auth: Debug: auth(dupa,AA.BB.CC.DD,<rcUXJIMELrFdviSg>): Auth request finished
auth: Debug: client passdb out: OK 1 user=dupa
auth: Debug: master in: REQUEST 1194328065 1997362 1 b0439c930d76eeaced56a333d60e4964 session_pid=1997688 request_auth_token
auth: Debug: passwd(dupa,AA.BB.CC.DD,<rcUXJIMELrFdviSg>): Performing userdb lookup
auth-worker(1997367): Debug: conn unix:auth-worker (pid=1997363,uid=97): auth-worker<2>: Handling USER request
auth-worker(1997367): Debug: conn unix:auth-worker (pid=1997363,uid=97): auth-worker<2>: passwd(dupa,AA.BB.CC.DD,<rcUXJIMELrFdviSg>): Performing userdb lookup
auth-worker(1997367): Debug: conn unix:auth-worker (pid=1997363,uid=97): auth-worker<2>: passwd(dupa,AA.BB.CC.DD,<rcUXJIMELrFdviSg>): lookup
auth-worker(1997367): conn unix:auth-worker (pid=1997363,uid=97): auth-worker<2>: passwd(dupa,AA.BB.CC.DD,<rcUXJIMELrFdviSg>): unknown user
auth-worker(1997367): Debug: conn unix:auth-worker (pid=1997363,uid=97): auth-worker<2>: passwd(dupa,AA.BB.CC.DD,<rcUXJIMELrFdviSg>): Finished userdb lookup
auth-worker(1997367): Debug: conn unix:auth-worker (pid=1997363,uid=97): auth-worker<2>: Finished: user_unknown
auth: Debug: passwd(dupa,AA.BB.CC.DD,<rcUXJIMELrFdviSg>): Finished userdb lookup
auth: Debug: static(dupa,AA.BB.CC.DD,<rcUXJIMELrFdviSg>): Performing userdb lookup
auth: Debug: static(dupa,AA.BB.CC.DD,<rcUXJIMELrFdviSg>): Finished userdb lookup
auth: Debug: master userdb out: USER 1194328065 dupa uid=2000 gid=2000 home=/home/vmail//dupa auth_mech=PLAIN auth_token=3742534e57e271d27bd1306379906403a40205bf
imap-login: Login: user=<dupa>, method=PLAIN, rip=AA.BB.CC.DD, lip=AA.BB.CC.DD, mpid=1997688, TLS, session=<rcUXJIMELrFdviSg>
auth: Debug: auth client connected (pid=1998311)
auth: Debug: client in: AUTH 1 PLAIN service=imap secured=tls session=aMWCJIME8uNdviSg lip=AA.BB.CC.DD rip=AA.BB.CC.DD lport=143 rport=58354 local_name=mail.lemko.xyz
auth: Debug: client passdb out: CONT 1
auth: Debug: client in: CONT<hidden>
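
Added example, not part of the original thread: a Python sketch that scans auth_debug output for the pattern in the log above, a login that is accepted after an earlier passdb rejected it. The sample lines, addresses and session ids are constructed; treating the last passdb consulted before the OK as the accepting one is a heuristic assumption.

```python
import re

# Constructed sample, modelled on the auth_debug lines quoted in the thread
# (192.0.2.x addresses and session ids S1/S2 are placeholders).
SAMPLE_LOG = """\
auth: Debug: client in: AUTH 1 PLAIN service=imap secured=tls session=S1 lip=192.0.2.1 rip=192.0.2.9
auth: Debug: pam(dupa,192.0.2.9,<S1>): Performing passdb lookup
auth-worker(10): conn unix:auth-worker (pid=9,uid=97): auth-worker<1>: pam(dupa,192.0.2.9,<S1>): pam_authenticate() failed: Authentication failure (Password mismatch?)
auth: Debug: pam(dupa,192.0.2.9,<S1>): Finished passdb lookup
auth: Debug: static(dupa,192.0.2.9,<S1>): Performing passdb lookup
auth: Debug: static(dupa,192.0.2.9,<S1>): Finished passdb lookup
auth: Debug: client passdb out: OK 1 user=dupa
auth: Debug: client in: AUTH 1 PLAIN service=imap secured=tls session=S2 lip=192.0.2.1 rip=192.0.2.7
auth: Debug: pam(alice,192.0.2.7,<S2>): Performing passdb lookup
auth: Debug: pam(alice,192.0.2.7,<S2>): Finished passdb lookup
auth: Debug: client passdb out: OK 1 user=alice
"""

AUTH = re.compile(r"client in: AUTH (\d+) .*?session=(\S+)")
OK = re.compile(r"client passdb out: OK (\d+) user=(\S+)")
DB = re.compile(r"(\w+)\(([^,]+),[^,]*,<([^>]+)>\): (.*)")

def fallthrough_logins(log):
    """Return logins accepted after an earlier passdb in the chain rejected them."""
    session_of, tried, rejected, hits = {}, {}, {}, []
    for line in log.splitlines():
        if m := AUTH.search(line):
            # Request ids repeat per client connection; the latest AUTH wins.
            session_of[m[1]] = m[2]
        elif m := OK.search(line):
            sess = session_of.get(m[1])
            if sess and rejected.get(sess):
                hits.append({"user": m[2], "session": sess,
                             "rejected_by": sorted(rejected[sess]),
                             # heuristic: last passdb consulted before the OK
                             "accepted_after": tried.get(sess, [None])[-1]})
        elif m := DB.search(line):
            driver, _user, sess, msg = m.groups()
            if msg == "Performing passdb lookup":
                seen = tried.setdefault(sess, [])
                if driver not in seen:
                    seen.append(driver)
            elif "failed:" in msg:
                rejected.setdefault(sess, set()).add(driver)
    return hits

if __name__ == "__main__":
    for hit in fallthrough_logins(SAMPLE_LOG):
        print(hit)
```
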
On 04/09/2023 10:19 EEST lejeczek via dovecot <dovecot@dovecot.org> wrote:
> passdb {
>   driver = static
>   args = password=myPass
> }
> userdb {
>   driver = static
>   args = uid=vmail gid=vmail home=/home/vmail/%d/%n
> }

So do you intend to use just static driver or also pam?
I'm guessing you are using Debian with split config, so go into /etc/dovecot/conf.d and comment out pam and passwd passdb and userdb, restart dovecot and check with doveconf -n that you only have the passdbs and userdbs you expect to have.
Aki
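
Added example, not part of the original thread: one way to run the check suggested above over doveconf -n output, listing the passdb and userdb blocks in order and flagging a static passdb that carries a fixed password. The excerpt is constructed from the configuration and drivers seen in this thread, and the function names are hypothetical.

```python
import re

# Constructed `doveconf -n` excerpt: two passdbs and two userdbs, matching the
# drivers seen in the thread's debug log (pam, static, passwd, static).
SAMPLE_DOVECONF_N = """\
auth_debug = yes
passdb {
  driver = pam
}
passdb {
  args = password=myPass
  driver = static
}
userdb {
  driver = passwd
}
userdb {
  args = uid=vmail gid=vmail home=/home/vmail/%d/%n
  driver = static
}
"""

def auth_databases(conf):
    """Return the passdb/userdb blocks of `doveconf -n` output, in file order."""
    dbs, cur = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"(passdb|userdb)\s*\{", line):
            cur = {"kind": m[1], "driver": "", "args": ""}
        elif line == "}" and cur is not None:
            dbs.append(cur)
            cur = None
        elif cur is not None:
            key, sep, val = line.partition("=")
            if sep and key.strip() in ("driver", "args"):
                cur[key.strip()] = val.strip()
    return dbs

def findings(conf):
    """Flag a passdb chain that can accept usernames no real backend knows."""
    passdbs = [d for d in auth_databases(conf) if d["kind"] == "passdb"]
    out = []
    for pos, db in enumerate(passdbs, 1):
        fixed = any(a.startswith("password=") for a in db["args"].split())
        if db["driver"] == "static" and fixed:
            out.append(f"passdb {pos} (static): one fixed password valid for any username")
    if len(passdbs) > 1:
        out.append("passdb chain: " + " -> ".join(d["driver"] for d in passdbs))
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_DOVECONF_N)))
```
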
On 04/09/2023 09:32, Aki Tuomi via dovecot wrote:
> So do you intend to use just static driver or also pam?
> I'm guessing you are using Debian with split config, so go into /etc/dovecot/conf.d and comment out pam and passwd passdb and userdb, restart dovecot and check with doveconf -n that you only have the passdbs and userdbs you expect to have.
> Aki

My goal is - what many's goal is I imagine - to have virtual users (& perhaps system-pam users)
What I think is happening - looking at Dovecot's behavior & above config - puzzles & worries me. Does Dovecot (partially) allow any user, existing or not, as long as the client supplied a valid password ??
When I try the following config:
passdb {
  driver = passwd-file
  args = scheme=sha256 username_format=%n /etc/dovecot/passwd.file
}
userdb {
  driver = passwd-file
  args = username_format=%n /etc/dovecot/passwd.file
  default_fields = uid=vmail gid=vmail home=/home/vmail/%d/%n
}
which I hope will now specifically allow only existing users, dovecot logs:
...
auth: Error: passwd-file /etc/dovecot/passwd.file:User systems is missing userdb info
...
and in '/etc/dovecot/passwd.file' :
...
systems:{SHA256}2s5EZJYS..............
-> $ doveadm user systems
userdb lookup: user systems doesn't exist
field value
I've also set:
auth_username_format = %n

On 04/09/2023 15:23 EEST lejeczek via dovecot <dovecot@dovecot.org> wrote:
> When I try the following config:
> passdb {
>   driver = passwd-file
>   args = scheme=sha256 username_format=%n /etc/dovecot/passwd.file
> }
> userdb {
>   driver = passwd-file
>   args = username_format=%n /etc/dovecot/passwd.file
>   default_fields = uid=vmail gid=vmail home=/home/vmail/%d/%n
> }
> which I hope will now specifically allow only existing users, dovecot logs:
> ...
> auth: Error: passwd-file /etc/dovecot/passwd.file:User systems is missing userdb info
> ...
> and in '/etc/dovecot/passwd.file' :
> ...
> systems:{SHA256}2s5EZJYS..............
> -> $ doveadm user systems
> userdb lookup: user systems doesn't exist
> field value
> I've also set:
> auth_username_format = %n

A userdb file is more strict about the contents, see https://doc.dovecot.org/configuration_manual/authentication/passwd_file/#aut...
so basically you need to add :::::: for the missing values, as you don't need to supply them necessarily, but the fields must be there, even as empty.
Aki