[Dovecot] passwd authentication issues (ATTN: Petar)
Hi, Petar,
For whatever reason, I didn't see your most recent reply until I checked the web archives.
To answer your questions...
Is my dovecot running chrooted? Not that I know of. However, the option to (apparently) decide this is confusing at best. Here is what I have entered.
# chroot login process to the login_dir. Only reason not to do this is if you
# wish to run the whole Dovecot without roots.
# http://wiki.dovecot.org/Rootless
login_chroot = yes
Now, my guts tell me that this WILL make it run chrooted. However, reading the material at this link...
http://wiki.dovecot.org/Rootless
...says otherwise, and that setting this to 'no' would be making it run chrooted.
For reference, this is the process line from ps -aux|grep dovecot
root 3182 0.0 1.4 256 876 ? Ss Sun08PM 10:10.06 /usr/local/sbin/dovecot
Also, something else just turned up in the process list that I'm not sure I understand. Specifically...
root 1817 0.0 1.6 324 1056 ? S 8:53PM 0:00.19 dovecot-auth
dovecot 2191 0.0 3.0 256 1940 ? S 8:53PM 0:00.97 imap-login
root 3182 0.0 1.4 256 876 ? Ss Sun08PM 10:11.78 /usr/local/sbin/dovecot
dovecot 6333 0.0 3.0 256 1940 ? S 8:53PM 0:00.93 imap-login
dovecot 8133 0.0 3.0 256 1940 ? S 8:53PM 0:00.97 imap-login
dovecot 8397 0.0 3.0 256 1940 ? S 8:53PM 0:00.96 imap-login
dovecot 16144 0.0 3.0 256 1940 ? S 8:53PM 0:00.92 imap-login
This has me deeply confused. I'm not running IMAP, I'm not interested in running IMAP, I don't want anything to do with IMAP. However, there's five processes for imap-login. What gives?
On to your second question: Are /etc/pwd.db and /etc/spwd.db available? Yes, both are listed in the directory of /etc as follows.
-rw-r--r-- 1 root wheel 40960 Jul 9 09:56 /etc/pwd.db
-rw------- 1 root wheel 40960 Jul 9 09:56 /etc/spwd.db
featherweb: {41}
How "available" this makes them (I don't know what context you were asking in), I'm not sure. Just for giggles, I tried changing the permissions on spwd.db so that it was world-readable. Doing so had no effect. I still get password failure errors when I try to authenticate a pop3s connection from the client program.
One other question: Pegasus (the mail client) has two options for secure POP connections besides apop (which I've shelved for the moment): STLS and direct SSL connection. I've got it set to direct SSL at the moment. Does this sound right?
Looking forward to the next set of replies.
Thanks much.
-=-=-=-=-=-=-=-=-=-=-=-
Bruce Lane, Owner & Head Hardware Heavy,
Blue Feather Technologies -- http://www.bluefeathertech.com
kyrrin (at) bluefeathertech do/t c=o=m
"If Salvador Dali had owned a computer, would it have been equipped with surreal ports?"
Bruce Lane wrote:
> Hi, Petar,
Hi!
> Is my dovecot running chrooted? Not that I know of. However, the option to (apparently) decide this is confusing at best. Here is what I have entered.
> # chroot login process to the login_dir. Only reason not to do this is if you
> # wish to run the whole Dovecot without roots.
> # http://wiki.dovecot.org/Rootless
> login_chroot = yes
Hmm, I had chroot(8) on my mind, but AFAIK, this option and chroot(8) have both something to do with chroot(2).
I don't fully understand what `login_chroot' is actually doing. However, it's not activated in my dovecot.conf.
$ grep login_chroot dovecot.conf.ssl
#login_chroot = yes
The wiki says that this just makes sense if you want to _start_ dovecot as non-root, so you better ignore my `login_chroot' and stick to the default (if that really is the default).
> This has me deeply confused. I'm not running IMAP, I'm not interested in running IMAP, I don't want anything to do with IMAP. However, there's five processes for imap-login. What gives?
What does `protocols' from your dovecot.conf say?
> On to your second question: Are /etc/pwd.db and /etc/spwd.db available? Yes, both are listed in the directory of /etc as follows.
> How "available" this makes them (I don't know what context you were asking in), I'm not sure.
That question was related to chroot(8). If you chroot things and if you want to authenticate `passwd'-users in this new chroot-ed environment.. then you need at least pwd.db.
> One other question: Pegasus (the mail client) has two options for secure POP connections besides apop (which I've shelved for the moment): STLS and direct SSL connection. I've got it set to direct SSL at the moment. Does this sound right?
How about trying plain-pop3 / plain-imap? Maybe your problem has something to do with ssl..
Kind regards,
Petar
Hi, Petar,
*********** REPLY SEPARATOR ***********
On 12-Jul-06 at 08:49 Petar Bogdanovic wrote:
> > # wish to run the whole Dovecot without roots.
> > # http://wiki.dovecot.org/Rootless
> > login_chroot = yes
> Hmm, I had chroot(8) on my mind, but AFAIK, this option and chroot(8) have both something to do with chroot(2).
> I don't fully understand what `login_chroot' is actually doing. However, it's not activated in my dovecot.conf.
> $ grep login_chroot dovecot.conf.ssl
> #login_chroot = yes
I changed my own file to reflect this. Didn't make any difference.
> What does `protocols' from your dovecot.conf say?
Just pop3 and pop3s. That's it.
> That question was related to chroot(8). If you chroot things and if you want to authenticate `passwd'-users in this new chroot-ed environment.. then you need at least pwd.db.
In the same directory as Dovecot's configuration file, I'd wager? I've not tried copying them into there just yet. Perhaps I should...
> > One other question: Pegasus (the mail client) has two options for secure POP connections besides apop (which I've shelved for the moment): STLS and direct SSL connection. I've got it set to direct SSL at the moment. Does this sound right?
> How about trying plain-pop3 / plain-imap? Maybe your problem has something to do with ssl..
Well, I'm not set up at all for IMAP, and plain pop3 doesn't work either when Dovecot is enabled (it insists on getting authentication).
I'm going to experiment a little more, but I'm kind of losing faith. I'd looked upon Dovecot to be an all-in-one solution for both TLS and pop3s, but the configuration is turning out to be something of a nightmare. It's too bad qpopper wouldn't compile on my system...
Thanks much.
-=-=-=-=-=-=-=-=-=-=-=-
Bruce Lane, Owner & Head Hardware Heavy,
Blue Feather Technologies -- http://www.bluefeathertech.com
kyrrin (at) bluefeathertech do/t c=o=m
"If Salvador Dali had owned a computer, would it have been equipped with surreal ports?"
On Wed, Jul 12, 2006 at 12:29:42AM -0700, Bruce Lane wrote:
> > That question was related to chroot(8). If you chroot things and if you want to authenticate `passwd'-users in this new chroot-ed environment.. then you need at least pwd.db.
> In the same directory as Dovecot's configuration file, I'd wager? I've not tried copying them into there just yet. Perhaps I should...
Don't! If you never used chroot(8), please forget everything I've ever written about pwd.db.
Kind regards,
Petar
From the problems you're seeing and the fact that you have only specified pop3 and pop3s under protocols but are still seeing the imap-login process, it sounds like your dovecot install isn't reading the proper configuration file (or at least the one you're editing). Maybe that's why these changes don't seem to do anything?
-- Jeff Graves, MCSA Image Source, Inc. 508.966.5200 x31 www.image-src.com
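Added example, not part of the original thread: a shell check for the mismatch Jeff describes, comparing the protocols line of the dovecot.conf being edited with the login processes that show up in ps output. The function names, the sample file and the sample ps lines are constructed for illustration; the check relies on imap-login serving imap/imaps and pop3-login serving pop3/pop3s.

```sh
#!/bin/sh
# Added example (not from the thread): does the running Dovecot match the
# dovecot.conf you are editing? Function names are hypothetical.

# Print the value of the last uncommented "protocols = ..." line in file $1.
configured_protocols() {
    sed -n 's/^[[:space:]]*protocols[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Read `ps` output on stdin; print each distinct imap-login/pop3-login name.
running_login_procs() {
    awk '{ n = $NF; sub(/.*\//, "", n) } n ~ /^(imap|pop3)-login$/ { print n }' | sort -u
}

# Print login processes (ps output on stdin) whose protocol is not enabled
# in config file $1.
unexpected_login_procs() {
    protos=" $(configured_protocols "$1") "
    running_login_procs | while read -r proc; do
        base=${proc%-login}                  # imap-login -> imap
        case "$protos" in
            *" $base "*|*" ${base}s "*) ;;   # enabled in this file
            *) echo "$proc" ;;               # running, but not configured here
        esac
    done
}

# Constructed sample input modelled on the thread: the edited file enables
# only pop3 and pop3s, yet ps shows imap-login.
SAMPLE_CONF=$(mktemp)
printf '%s\n' '#protocols = imap imaps' 'protocols = pop3 pop3s' > "$SAMPLE_CONF"
SAMPLE_PS='root 1817 0.0 1.6 324 1056 ? S 8:53PM 0:00.19 dovecot-auth
dovecot 2191 0.0 3.0 256 1940 ? S 8:53PM 0:00.97 imap-login
root 3182 0.0 1.4 256 876 ? Ss Sun08PM 10:11.78 /usr/local/sbin/dovecot
dovecot 6333 0.0 3.0 256 1940 ? S 8:53PM 0:00.93 imap-login'

mismatch=$(printf '%s\n' "$SAMPLE_PS" | unexpected_login_procs "$SAMPLE_CONF")
if [ -n "$mismatch" ]; then
    echo "running but not enabled in this file: $mismatch"
    echo "the daemon is probably reading a different configuration file"
fi
rm -f "$SAMPLE_CONF"
```

On a live system, feed it the real output of ps and the path of the file being edited; an empty result means the running login processes are consistent with that file.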
participants (3)
- Bruce Lane
- Jeff Graves
- Petar Bogdanovic