Red Hat 8.0 stock dovecot 99.10
for a variety of reasons, I decided to cut over to dovecot this morning. I extracted all of my mailboxes from mbx purgatory back to mbox purgatory, set up dovecot and proceeded to get authentication failures. (am using simple password based authentication either direct or through pam)
I turned authentication verbosity on and got:
Aug 14 11:51:38 harvee dovecot: Dovecot starting up
Aug 14 11:51:46 harvee dovecot-auth: PAM: pam_authenticate(esj) failed: Authentication failure
Aug 14 11:51:49 harvee dovecot-auth: PAM: pam_authenticate(esj) failed: Authentication failure
Aug 14 11:51:52 harvee imap-login: Aborted login [192.168.0.10]
not very informative. I already know that I can't login. So I fire up ethereal and capture the following transaction:
* OK dovecot ready.
1 authenticate login
1 NO Unsupported authentication mechanism.
2 login "esj" "no peeking"
2 NO Authentication failed.
3 authenticate login
3 NO Unsupported authentication mechanism.
4 login "esj" "no peeking"
4 NO Authentication failed.
5 logout
* BYE Logging out
5 OK Logout completed.
hmm no unsupported authentication mechanism. So that means all authentication methods work right? ;-)
looking a little further into the configuration, I see instructions to change auth_methods to add plain in front of digest-md5 (or is it digest_md5, both forms are present in the configuration file). No luck. Doing so gives me the following error message:
Fatal: Error in configuration file /usr/local/etc/dovecot.conf line 430: Unknown setting: methods
so, I'm not sure what to look for. It's probably something simple but googling didn't reveal anything pertinent although it turned up something amusing[1] and dovecot does apply.
Suggestions or clues would be welcome.
FYI, you probably could use a little bit more detail in the install instructions. For example instructing user to create a dovecot user and group name would be useful as would be a startup/shutdown script for init.d. I also find the SSL configuration lacking. On the other hand, I have enough scar tissue from certificates and mini-CA setups to hate them till the end of time. If I get them working better, I'll document and send it to the list.
---eric
On Thursday, Aug 14, 2003, at 19:31 Europe/Helsinki, Eric S. Johansson wrote:
> Aug 14 11:51:46 harvee dovecot-auth: PAM: pam_authenticate(esj) failed: Authentication failure
> not very informative. I already know that I can't login. So I fire up ethereal and capture the following transaction:
Well, that's as informative as you can get from PAM :) It means that PAM decided the password was wrong. Do you have /etc/pam.d/imap file set up correctly?
> 3 authenticate login
> 3 NO Unsupported authentication mechanism.
> hmm no unsupported authentication mechanism. So that means all authentication methods work right? ;-)
Either your client is stupid or it tries to work around stupid servers. LOGIN command should be accepted by all servers and "login" SASL mechanism is some old not-really-standard.
> looking a little further into the configuration, I see instructions to change auth_methods to add plain in front of digest-md5 (or is it digest_md5, both forms are present in the configuration file). No luck. Doing so gives me the following error message:
> Fatal: Error in configuration file /usr/local/etc/dovecot.conf line 430: Unknown setting: methods
Um.. You must have had at least one auth_methods line before or it wouldn't have worked.. And the default dovecot-example.conf contained only plain there.
> FYI, you probably could use a little bit more detail in the install instructions.
Yes, I have plans to write them .. before 1.0 :)
> For example instructing user to create a dovecot user and group name would be useful as would be a startup/shutdown script for init.d. I also find the SSL configuration lacking. On the other hand, I have enough scar tissue from certificates and mini-CA setups to hate them till the end of time. If I get them working better, I'll document and send it to the list.
Yea, there really should be some easier ways to manage your own CAs. I found some certificate manager written with Qt (can't remember name), but something web based could be nice too.
Timo Sirainen explained:
> Well, that's as informative as you can get from PAM :) It means that PAM decided the password was wrong. Do you have /etc/pam.d/imap file set up correctly?
don't know if it is correct but it is stock Red Hat. one more item for the install instructions.
[root@harvee doc]# more /etc/pam.d/imap
#%PAM-1.0
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
[root@harvee doc]#
> Either your client is stupid or it tries to work around stupid servers. LOGIN command should be accepted by all servers and "login" SASL mechanism is some old not-really-standard.
I think I would choose the "stupid" option. I am using Mozilla 1.4 (the imap client on windows that sucks the least).
>> Fatal: Error in configuration file /usr/local/etc/dovecot.conf line 430: Unknown setting: methods
> Um.. You must have had at least one auth_methods line before or it wouldn't have worked.. And the default dovecot-example.conf contained only plain there.
I think I understand. I screwed up my authentication definition because it wasn't clear. On a stock Red Hat system using password authentication, what works is:
auth_userdb = passwd
auth_passdb = shadow
and leave the digest_md5 stuff alone (which I turned on in my confusion). But *yay* dovecot is working for me! Now all I need to do is turn on my inbox properly (and reclaim my 3300 messages from the old inbox) and I will be a happy camper.
> Yes, I have plans to write them .. before 1.0 :)
ya right... just like my intention to rewrite the camram antispam system documentation/web site. It's at least a year out of date but at least I have working code for sender pays antispam with some other nice features accommodating the real world.
> Yea, there really should be some easier ways to manage your own CAs. I found some certificate manager written with Qt (can't remember name), but something web based could be nice too.
I've been very happy with TinyCA. It's written in perl and uses tk for the GUI. It's not full featured but I found it hard to do things wrong. On the other hand, that might be a side effect of the scar tissue. ;-)
anyway, as I said above, I now have things working (more or less) and I will find out how well the indexing works as I gradually open different mailboxes on demand. I may play with maildir mailboxes if I can mix and match mbox and maildir in the same directory. playing the fire?
---eric
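The capture in this thread mixes two different failures: AUTHENTICATE LOGIN is refused as a mechanism, while the LOGIN command reaches the password check and fails there. The following is an added example, not code from the thread or from Dovecot, that pairs each tagged command with its reply and reports which attempts actually put credentials on the wire; the "C:"/"S:" direction prefixes are an assumption of the example.

```python
import re

# Constructed input: the exchange posted in the thread. The "C:"/"S:" direction
# prefixes are an assumption of this example; the posted capture has none.
CAPTURE = '''\
S: * OK dovecot ready.
C: 1 authenticate login
S: 1 NO Unsupported authentication mechanism.
C: 2 login "esj" "no peeking"
S: 2 NO Authentication failed.
C: 3 authenticate login
S: 3 NO Unsupported authentication mechanism.
C: 4 login "esj" "no peeking"
S: 4 NO Authentication failed.
C: 5 logout
S: * BYE Logging out
S: 5 OK Logout completed.
'''

FIRST_ARG = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')  # quoted string or atom

def classify(capture):
    """Pair each tagged auth command with its reply and explain the outcome."""
    pending, challenged, last_tag, out = {}, set(), None, []
    for raw in capture.splitlines():
        side, _, line = raw.partition(": ")
        tag, _, rest = line.partition(" ")
        if side == "C":
            if rest:  # a client line with no space is SASL continuation data
                cmd, _, args = rest.partition(" ")
                pending[tag], last_tag = (cmd.upper(), args), tag
        elif tag == "+":  # server challenge: the mechanism itself was accepted
            challenged.add(last_tag)
        elif tag in pending:
            cmd, args = pending.pop(tag)
            if cmd not in ("LOGIN", "AUTHENTICATE"):
                continue
            # LOGIN carries the password inline; AUTHENTICATE sends it only after "+".
            creds_sent = cmd == "LOGIN" or tag in challenged
            m = FIRST_ARG.match(args)
            arg = (m.group(1) if m.group(1) is not None else m.group(2)) if m else "?"
            status = rest.split(" ", 1)[0].upper()
            verdict = ("authenticated" if status == "OK" else
                       "credentials rejected by the password backend" if creds_sent else
                       "mechanism refused, no credentials were sent")
            out.append((tag, cmd, arg, status, creds_sent, verdict))
    return out

if __name__ == "__main__": print(*classify(CAPTURE), sep="\n")
```

Only commands 2 and 4 sent credentials, which is consistent with the two pam_authenticate failures in the posted syslog lines. Because the capture was readable in ethereal, those two LOGIN commands also exposed the password to anyone able to sniff the connection; the reported rows keep the user name and drop the password.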