Greetings,
I'm running dovecot 2.3.21.1 (Plesk says up-to-date) on AlmaLinux 8.10, Plesk Obsidian 18.0.67 #3.
I'm getting this repeated error in /var/log/messages...
"SELinux is preventing /usr/libexec/dovecot/auth from write access on the file passwd.db."
(I think passwd.db is the one in /var/lib/plesk/mail/auth/)
This causes...
"Activating via systemd: service name='org.fedoraproject.Setroubleshootd'"
which is taking a lot of CPU.
This error is happening continuously, about 1-3 times per minute.
Am I correct in thinking that an email client or webmail client is trying to change an email account password via IMAP?
If so, I would like to know how to disable this ability in dovecot. (I would like to change email account passwords only via Plesk.)
If not, why is dovecot trying to write to the passwd.db file? The fact that SELinux is blocking this is concerning.
thanks, JC
On 01-03-2025 13:38, jcalvert--- via dovecot wrote:
Greetings,
I'm running dovecot 2.3.21.1 (Plesk says up-to-date) on AlmaLinux 8.10, Plesk Obsidian 18.0.67 #3.
I'm getting this repeated error in /var/log/messages...
"SELinux is preventing /usr/libexec/dovecot/auth from write access on the file passwd.db."
(I think passwd.db is the one in /var/lib/plesk/mail/auth/)
This causes...
"Activating via systemd: service name='org.fedoraproject.Setroubleshootd'"
which is taking a lot of CPU.
This error is happening continuously, about 1-3 times per minute.
Am I correct in thinking that an email client or webmail client is trying to change an email account password via IMAP?
If so, I would like to know how to disable this ability in dovecot. (I would like to change email account passwords only via Plesk.)
If not, why is dovecot trying to write to the passwd.db file? The fact that SELinux is blocking this is concerning.
Hi,
Maybe the problem gets clearer when you can show the passwd configuration in dovecot that Plesk has added.
Normally the passdb should be okay being read-only (see: https://doc.dovecot.org/2.3/configuration_manual/authentication/sql/ where SELECT queries are used).
Password changes can't be done through IMAP iirc, but maybe the lookup query does something weird.
Kind regards,
Tom
Thanks, Tom.
Here's an update to the sequence of the issue...
For some reason dovecot/auth is repeatedly trying to write to /var/lib/plesk/mail/auth/passwd.db I have confirmed that passwd.db is indeed the database that holds the email account passwords. Dovecot is doing this about 1-3 times per minute.
SELinux blocks these attempts and the denials are stored in /var/log/audit/audit.log as type AVC.
The Fedora Project's SETroubleshoot process runs twice per minute, and detects the new denial(s) in the audit.log.
SETroubleshoot reports "SELinux is preventing /usr/libexec/dovecot/auth from write access on the file passwd.db." to the /var/log/messages file.
The question remains, what is causing dovecot/auth to repeatedly try to write to /var/lib/plesk/mail/auth/passwd.db?
The IMAP protocol does allow a client to change the account password, so this is a possible reason why dovecot is attempting to write. Is there any other reason? Can dovecot be configured to disallow this? If these are password change attempts, how can I determine for which email account(s)? Can I find associated IPs?
The constant repeated nature of this issue has me baffled. Is there something cached in dovecot that needs to be cleared out? If so, how? I have of course tried restarting dovecot and also rebooting, but the issue persists.
I am seeing no problems with any of my clients' email accounts, including the clients who are using IMAP.
I see now that I can turn on debugging output for dovecot... I'll try that.
On 3/3/25 11:54 AM, Tom Hendrikx via dovecot wrote:
Hi,
Maybe the problem gets clearer when you can show the passwd configuration in dovecot that Plesk has added.
Normally the passdb should be okay being read-only (see: https://doc.dovecot.org/2.3/configuration_manual/authentication/sql/ where SELECT queries are used).
Password changes can't be done through IMAP iirc, but maybe the lookup query does something weird.
Kind regards,
Tom
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
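An added example (not from the thread or from Dovecot/Plesk): a POSIX shell snippet that pulls the AVC denials for Dovecot's auth process on passwd.db out of an audit.log excerpt, counts them and lists their epoch timestamps and the gaps between them, which is the data needed to line the denials up against dovecot's own auth log (auth_verbose = yes) and see which logins coincide with the write attempts. The audit lines are constructed for illustration; on a real AlmaLinux host the same records come from `ausearch -m AVC -c auth`.

```shell
#!/bin/sh
# Constructed audit.log excerpt: two write denials for dovecot's auth process on
# passwd.db, 30 seconds apart, plus one unrelated httpd denial as noise.
# The SELinux types are illustrative, not copied from the poster's system.
SAMPLE_AUDIT=$(cat <<'EOF'
type=AVC msg=audit(1741030800.123:4567): avc:  denied  { write } for  pid=12345 comm="auth" name="passwd.db" dev="dm-0" ino=1234 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1741030830.456:4568): avc:  denied  { write } for  pid=12345 comm="auth" name="passwd.db" dev="dm-0" ino=1234 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1741030845.789:4569): avc:  denied  { read } for  pid=999 comm="httpd" name="index.html" dev="dm-0" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
EOF
)
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_AUDIT" > "$SAMPLE_FILE"

# Pattern for "dovecot auth denied write on passwd.db"; the double spaces
# around "denied" are how auditd actually prints AVC records.
PASSWD_DB_WRITE='type=AVC.*denied[[:space:]]*{ write }.*comm="auth".*name="passwd.db"'

# count_passwd_db_write_denials FILE: how many such denials the log holds.
count_passwd_db_write_denials() {
  grep -c "$PASSWD_DB_WRITE" "$1"
}

# denial_epochs FILE: epoch seconds of each matching denial, one per line.
# Compare these against the timestamps of dovecot's auth log lines to find
# which user's login (and client IP) each write attempt belongs to.
denial_epochs() {
  grep "$PASSWD_DB_WRITE" "$1" |
    sed -n 's/.*msg=audit(\([0-9]*\)\.[0-9]*:[0-9]*).*/\1/p'
}

# gap_seconds FILE: seconds between consecutive denials, to confirm the
# "1-3 times per minute" cadence rather than guessing from /var/log/messages.
gap_seconds() {
  denial_epochs "$1" | awk 'NR > 1 { print $1 - prev } { prev = $1 }'
}

echo "passwd.db write denials: $(count_passwd_db_write_denials "$SAMPLE_FILE")"
echo "seconds between denials: $(gap_seconds "$SAMPLE_FILE" | tr '\n' ' ')"
```

On the live system, `date -d @EPOCH` turns each epoch into a wall-clock time to match against the dovecot auth log; setroubleshoot's CPU use goes away once the underlying denials stop, not by muting the reports.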
On 03/03/2025 3:41 PM MST John Calvert via dovecot <dovecot@dovecot.org> wrote:
The IMAP protocol does allow a client to change the account password, so this is a possible reason why dovecot is attempting to write.
No, there is no IMAP standard (or any other mail protocol, for that matter) that allows for user credential modification.
For some reason dovecot/auth is repeatedly trying to write to /var/lib/plesk/mail/auth/passwd.db
As mentioned by a previous poster, what is your actual authentication config? That looks to be a Plesk-specific authentication file and you haven't told us what driver is being used to access it.
michael
Thanks.
AlmaLinux% doveconf -n | sed -n '/passdb/,/}/p'
passdb {
  driver = plesk
}
Re: user credential modification... thanks... looks like I was misled by AI (!) One thing though, Roundcube webmail does allow this, and I think Roundcube is using IMAP.
On 3/3/25 01:04 PM, Michael Slusarz via dovecot wrote:
On 03/03/2025 3:41 PM MST John Calvert via dovecot <dovecot@dovecot.org> wrote:
The IMAP protocol does allow a client to change the account password, so this is a possible reason why dovecot is attempting to write.
No, there is no IMAP standard (or any other mail protocol, for that matter) that allows for user credential modification.
For some reason dovecot/auth is repeatedly trying to write to /var/lib/plesk/mail/auth/passwd.db
As mentioned by a previous poster, what is your actual authentication config? That looks to be a Plesk-specific authentication file and you haven't told us what driver is being used to access it.
michael
Hi John,
Note that I'm not a Plesk user or expert, so can't say anything about that, but I do think you're chasing up the wrong tree.
IMAP does NOT allow password changes through the protocol AFAIK. If you think otherwise, please add a link to some documentation.
Dovecot configuration requires *you* (or the plesk setup template) to configure SQL statements for retrieving the password. However, no configuration setting exists for a SQL statement to update a password in the database. There simply is no such thing in Dovecot, as it doesn't support password changes.
If all of this still would be possible, it would only be allowed after a successful authentication from a known user on your system. I.e. there should be nothing to block on the outside (IP addresses or whatnot) as it would be acceptable traffic.
Please show us your dovecot config including SQL configuration, otherwise it's hard to tell whether dovecot is doing something strange.
Or maybe just file a report at your Plesk provider, and explain them that their Dovecot setup is conflicting with the SELinux rules.
Kind regards,
Tom
On 03-03-2025 23:41, John Calvert via dovecot wrote:
Thanks, Tom.
Here's an update to the sequence of the issue...
For some reason dovecot/auth is repeatedly trying to write to /var/lib/plesk/mail/auth/passwd.db I have confirmed that passwd.db is indeed the database that holds the email account passwords. Dovecot is doing this about 1-3 times per minute.
SELinux blocks these attempts and the denials are stored in /var/log/audit/audit.log as type AVC.
The Fedora Project's SETroubleshoot process runs twice per minute, and detects the new denial(s) in the audit.log.
SETroubleshoot reports "SELinux is preventing /usr/libexec/dovecot/auth from write access on the file passwd.db." to the /var/log/messages file.
The question remains, what is causing dovecot/auth to repeatedly try to write to /var/lib/plesk/mail/auth/passwd.db?
The IMAP protocol does allow a client to change the account password, so this is a possible reason why dovecot is attempting to write. Is there any other reason? Can dovecot be configured to disallow this? If these are password change attempts, how can I determine for which email account(s)? Can I find associated IPs?
The constant repeated nature of this issue has me baffled. Is there something cached in dovecot that needs to be cleared out? If so, how? I have of course tried restarting dovecot and also rebooting, but the issue persists.
I am seeing no problems with any of my clients' email accounts, including the clients who are using IMAP.
I see now that I can turn on debugging output for dovecot... I'll try that.
participants (4): jcalvert@crystal3.com, John Calvert, Michael Slusarz, Tom Hendrikx