[Dovecot] Errors with doveadm when using checkpassword
We have a checkpassword authentication with mysql pre-fetch for the userdb lookups.
When trying to do:
doveadm search -u andytest@xecu.net mailbox Trash DELETED
I get:
doveadm(andytest@xecu.net): Error: user andytest@xecu.net: Auth PASS lookup failed
doveadm(andytest@xecu.net): Fatal: /var/run/dovecot/auth-userdb: passdb lookup failed (to see if user is proxied, because doveadm_proxy_port is set)
And I see this in the logs:
Feb 4 12:02:04 mail-out01 dovecot: auth: Error: userdb-checkpassword(andytest@xecu.net): Child 12591 exited with status 1
I'm not surprised the checkpassword lookup is failing; the password isn't being supplied. Shouldn't it just be doing the prefetch lookup instead, like the lmtp service?
Andy
Andy Dills Xecunet, Inc. www.xecu.net 301-682-9972
On Mon, 2013-02-04 at 12:08 -0500, Andy Dills wrote:
> We have a checkpassword authentication with mysql pre-fetch for the userdb lookups.
> When trying to do:
> doveadm search -u andytest@xecu.net mailbox Trash DELETED
> I get:
> doveadm(andytest@xecu.net): Error: user andytest@xecu.net: Auth PASS lookup failed
> doveadm(andytest@xecu.net): Fatal: /var/run/dovecot/auth-userdb: passdb lookup failed (to see if user is proxied, because doveadm_proxy_port is set)
Do you have proxying enabled? If not, remove doveadm_proxy_port and this solves itself.
> I'm not surprised the checkpassword lookup is failing; the password isn't being supplied. Shouldn't it just be doing the prefetch lookup instead, like the lmtp service?
doveadm doesn't care about the password. It cares about the proxy destination host so that it can automatically connect to the correct host to run the command.
On Feb 4, 2013, at 8:56 PM, Timo Sirainen <tss@iki.fi> wrote:
> On Mon, 2013-02-04 at 12:08 -0500, Andy Dills wrote:
>> We have a checkpassword authentication with mysql pre-fetch for the userdb lookups.
>> When trying to do:
>> doveadm search -u andytest@xecu.net mailbox Trash DELETED
>> I get:
>> doveadm(andytest@xecu.net): Error: user andytest@xecu.net: Auth PASS lookup failed
>> doveadm(andytest@xecu.net): Fatal: /var/run/dovecot/auth-userdb: passdb lookup failed (to see if user is proxied, because doveadm_proxy_port is set)
> Do you have proxying enabled? If not, remove doveadm_proxy_port and this solves itself
Yes, I apologize, it appears I edited out the paragraph where I described our setup.
Cluster of dovecot dual instance servers, one proxy/director, one backend. The backend config lives in dovecot.conf, the proxy config in proxy.conf (let me know if the specific config would help). Version 2.1.12 (current version in FreeBSD ports).
I should mention, I have to specify the director-admin socket manually when using doveadm director, it's as if doveadm isn't quite aware of the config in the proxy instance.
However, the authentication happens in the primary "dovecot.conf" instance...that's where checkpassword gets called, and where the prefetch is configured. The proxy is "dumb".
>> I'm not surprised the checkpassword lookup is failing; the password isn't being supplied. Shouldn't it just be doing the prefetch lookup instead, like the lmtp service?
> doveadm doesn't care about the password. It cares about the proxy destination host so that it can automatically connect to the correct host to run the command.
I understand doveadm doesn't care about the password; I was confused why checkpassword was being called when the password is unknown rather than using the mysql prefetch.
So, I guess what you're saying is doveadm should be talking to the proxy instance rather than the backend instance? I assume I need to move the backend to a differently named config and make my proxy instances live in dovecot.conf, so that doveadm sees the "right" config?
Thanks, Andy
On Mon, 2013-02-04 at 21:16 -0500, Andy Dills wrote:
> On Feb 4, 2013, at 8:56 PM, Timo Sirainen <tss@iki.fi> wrote:
>> On Mon, 2013-02-04 at 12:08 -0500, Andy Dills wrote:
>>> We have a checkpassword authentication with mysql pre-fetch for the userdb lookups.
>>> When trying to do:
>>> doveadm search -u andytest@xecu.net mailbox Trash DELETED
>>> I get:
>>> doveadm(andytest@xecu.net): Error: user andytest@xecu.net: Auth PASS lookup failed
>>> doveadm(andytest@xecu.net): Fatal: /var/run/dovecot/auth-userdb: passdb lookup failed (to see if user is proxied, because doveadm_proxy_port is set)
>> Do you have proxying enabled? If not, remove doveadm_proxy_port and this solves itself
> Yes, I apologize, it appears I edited out the paragraph where I described our setup.
> Cluster of dovecot dual instance servers, one proxy/director, one backend. The backend config lives in dovecot.conf, the proxy config in proxy.conf (let me know if the specific config would help). Version 2.1.12 (current version in FreeBSD ports).
> I should mention, I have to specify the director-admin socket manually when using doveadm director, it's as if doveadm isn't quite aware of the config in the proxy instance.
> However, the authentication happens in the primary "dovecot.conf" instance...that's where checkpassword gets called, and where the prefetch is configured. The proxy is "dumb".
OK, so you are using director, so it is good that doveadm is doing a proxy lookup, otherwise it might run it on the wrong server and cause troubles with NFS caching (which is exactly what director is supposed to prevent).
>>> I'm not surprised the checkpassword lookup is failing; the password isn't being supplied. Shouldn't it just be doing the prefetch lookup instead, like the lmtp service?
>> doveadm doesn't care about the password. It cares about the proxy destination host so that it can automatically connect to the correct host to run the command.
> I understand doveadm doesn't care about the password; I was confused why checkpassword was being called when the password is unknown rather than using the mysql prefetch.
> So, I guess what you're saying is doveadm should be talking to the proxy instance rather than the backend instance? I assume I need to move the backend to a differently named config and make my proxy instances live in dovecot.conf, so that doveadm sees the "right" config?
I think you need to remove doveadm_proxy_port from the backend dovecot.conf. Then it doesn't perform the PASS lookup. But you also should run doveadm via the proxy instance so that it gets run in the correct server (doveadm -c /etc/dovecot/proxy.conf or doveadm -i proxy if you've given it a name).
On Tue, 5 Feb 2013, Timo Sirainen wrote:
>> So, I guess what you're saying is doveadm should be talking to the proxy instance rather than the backend instance? I assume I need to move the backend to a differently named config and make my proxy instances live in dovecot.conf, so that doveadm sees the "right" config?
> I think you need to remove doveadm_proxy_port from the backend dovecot.conf.
Thanks Timo.
That gave me:
doveadm -c /usr/local/etc/dovecot/proxy.conf search -u andynew@xecu.net mailbox Trash DELETED
doveadm(andytest@xecu.net): Error: doveadm_password not set, can't authenticate to remote server
doveadm(andytest@xecu.net): Error: 10.0.0.47:30003: Internal failure for andytest@xecu.net
So, on a whim, I moved the doveadm_password out from the local {} sections into the main level, and then things started to work as expected.
Is that how it should be set up now?
Thanks again for help getting me straightened out! This all started because I want to start purging the trash with doveadm instead of 'find' with -delete.
Andy
Andy Dills Xecunet, Inc. www.xecu.net 301-682-9972
On Tue, 5 Feb 2013, Timo Sirainen wrote:
> I think you need to remove doveadm_proxy_port from the backend dovecot.conf. Then it doesn't perform the PASS lookup. But you also should run doveadm via the proxy instance so that it gets run in the correct server (doveadm -c /etc/dovecot/proxy.conf or doveadm -i proxy if you've given it a name).
On a separate note I'm sure a lot of people would benefit from -c/-i being mentioned on http://wiki2.dovecot.org/Tools/Doveadm.
You are one man with only so much time so I tried registering on the wiki to propose an edit for you, but I'm not allowed. I think all we need is to know that -c and -i exist, and a note about how people in proxy/director configurations need to make sure to tell doveadm to communicate with the instance that is running director.
For some reason, my intuition would be that since doveadm is aware of both instances, that it should be aware of which one's config to use for connecting to director for proxy information.
Thanks, Andy
Andy Dills Xecunet, Inc. www.xecu.net 301-682-9972
On 5.2.2013, at 14.53, Andy Dills <andy@xecu.net> wrote:
> On Tue, 5 Feb 2013, Timo Sirainen wrote:
>> I think you need to remove doveadm_proxy_port from the backend dovecot.conf. Then it doesn't perform the PASS lookup. But you also should run doveadm via the proxy instance so that it gets run in the correct server (doveadm -c /etc/dovecot/proxy.conf or doveadm -i proxy if you've given it a name).
> On a separate note I'm sure a lot of people would benefit from -c/-i being mentioned on http://wiki2.dovecot.org/Tools/Doveadm.
> You are one man with only so much time so I tried registering on the wiki to propose an edit for you, but I'm not allowed. I think all we need is to know that -c and -i exist, and a note about how people in proxy/director configurations need to make sure to tell doveadm to communicate with the instance that is running director.
The Doveadm wiki pages are generated from man pages that exist in Dovecot source code. Feel free to send patches for them. :)
> For some reason, my intuition would be that since doveadm is aware of both instances, that it should be aware of which one's config to use for connecting to director for proxy information.
Too dangerous to do that kind of guessing. You could write your own doveadm script/alias though.
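Added example, not part of the thread and not Dovecot code: a small shell check for the two configuration points the thread arrives at, namely doveadm_proxy_port left in the backend config and doveadm_password sitting inside a local {} section of the proxy config, which is where Andy reports it was not picked up. The function names and the "backend"/"proxy" role labels are assumptions made for the example, and !include lines are not followed.

```shell
#!/bin/sh
# Added example (not from the thread or from Dovecot). Static check of one
# Dovecot config file; assumption: !include lines are not followed.

# Print "<setting> <depth>" for each place the setting is assigned.
# Depth 0 is the top level, depth 1 is inside one section such as local {}.
setting_depths() {  # usage: setting_depths FILE SETTING
    awk -v want="$2" '
        { sub(/#.*/, "") }                    # drop comments
        /^[ \t]*[}]/ { depth--; next }        # section closes
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, kv, /[ \t]*=/)        # kv[1] is the setting name
            if (index(line, "=") && kv[1] == want) print want, depth + 0
        }
        /[{][ \t]*$/ { depth++ }              # section opens
    ' "$1"
}

# audit_doveadm ROLE FILE, ROLE being "backend" or "proxy" (hypothetical
# labels for the two instances in the thread). Returns 0 when clean.
audit_doveadm() {
    role=$1; file=$2; rc=0
    if [ "$role" = backend ] &&
       [ -n "$(setting_depths "$file" doveadm_proxy_port)" ]; then
        echo "$file: doveadm_proxy_port is set; doveadm will do a passdb PASS lookup"
        rc=1
    fi
    if [ "$role" = proxy ] &&
       ! setting_depths "$file" doveadm_password | grep -q ' 0$'; then
        echo "$file: doveadm_password is not set at the top level"
        rc=1
    fi
    return "$rc"
}
```

Run it as `audit_doveadm backend /usr/local/etc/dovecot/dovecot.conf` and `audit_doveadm proxy /usr/local/etc/dovecot/proxy.conf`, adjusting the paths to the local layout.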