after upgrade to 2.4 I get passwd-file: Password mismatch
I upgraded dovecot from 2.3 to 2.4 today and all of a sudden I get an authentication error: passwd-file: Password mismatch
My config looks like this:
passdb pam {
  driver = pam
}
passdb passwd-file {
  driver = passwd-file
  auth_username_format = %{user | username}
  passwd_file_path = /etc/dovecot/alternate/passwd
  skip = authenticated
}
I haven't changed the /etc/dovecot/alternate/passwd in ages and its contents look similar to:
user:$6$blablablagfsgfsgfsgsbfssfslongbase64stringhere
Just earlier today (on 2.3) I was able to log in just fine with the alternate password for my user.
Did I misconfigure dovecot or are $6$ type passwords no longer supported? Here's the debug output:
2025-11-10 05:44:58 +0100 auth(userhere,server-ip-here,sasl:plain)<VrJZMTZD7rtcKosF>: Debug: pam: Finished passdb lookup
2025-11-10 05:44:58 +0100 auth(userhere,server-ip-here,sasl:plain)<VrJZMTZD7rtcKosF>: Debug: passwd-file: Performing passdb lookup
2025-11-10 05:44:58 +0100 auth(userhere,server-ip-here,sasl:plain)<VrJZMTZD7rtcKosF>: Debug: passwd-file: lookup: user=userhere file=/etc/dovecot/alternate/passwd
2025-11-10 05:44:58 +0100 auth(userhere,server-ip-here,sasl:plain)<VrJZMTZD7rtcKosF>: Debug: passwd-file: Finished passdb lookup
2025-11-10 05:44:58 +0100 auth(userhere,server-ip-here,sasl:plain)<VrJZMTZD7rtcKosF>: Debug: Auth request finished
2025-11-10 05:44:58 +0100 auth(userhere,server-ip-here,sasl:plain)<VrJZMTZD7rtcKosF>: Debug: delaying auth failure
Any idea what might be going on?
Cheers, K. C.
On 10/11/2025 07:14 EET Helmut K. C. Tessarek via dovecot <dovecot@dovecot.org> wrote:
I upgraded dovecot from 2.3 to 2.4 today and all of a sudden I get an authentication error: passwd-file: Password mismatch
My config looks like this:
passdb pam {
  driver = pam
}
passdb passwd-file {
  driver = passwd-file
  auth_username_format = %{user | username}
  passwd_file_path = /etc/dovecot/alternate/passwd
  skip = authenticated
}
I haven't changed the /etc/dovecot/alternate/passwd in ages and its contents look similar to:
user:$6$blablablagfsgfsgfsgsbfssfslongbase64stringhere
Just earlier today (on 2.3) I was able to log in just fine with the alternate password for my user.
Did I misconfigure dovecot or are $6$ type passwords no longer supported? Here's the debug output:
2025-11-10 05:44:58 +0100 auth(userhere,server-ip-here,sasl:plain)<VrJZMTZD7rtcKosF>: Debug: pam: Finished passdb lookup
2025-11-10 05:44:58 +0100 auth(userhere,server-ip-here,sasl:plain)<VrJZMTZD7rtcKosF>: Debug: passwd-file: Performing passdb lookup
2025-11-10 05:44:58 +0100 auth(userhere,server-ip-here,sasl:plain)<VrJZMTZD7rtcKosF>: Debug: passwd-file: lookup: user=userhere file=/etc/dovecot/alternate/passwd
2025-11-10 05:44:58 +0100 auth(userhere,server-ip-here,sasl:plain)<VrJZMTZD7rtcKosF>: Debug: passwd-file: Finished passdb lookup
2025-11-10 05:44:58 +0100 auth(userhere,server-ip-here,sasl:plain)<VrJZMTZD7rtcKosF>: Debug: Auth request finished
2025-11-10 05:44:58 +0100 auth(userhere,server-ip-here,sasl:plain)<VrJZMTZD7rtcKosF>: Debug: delaying auth failure
Any idea what might be going on?
Cheers, K. C.
Try adding to the passwd-file
default_password_scheme = crypt
Aki
On 2025-11-10 06:58, Aki Tuomi via dovecot wrote:
Try adding to the passwd-file
default_password_scheme = crypt
Thanks, this worked, even though I have no idea why.
The documentation states:
https://doc.dovecot.org/2.4.2/core/config/auth/schemes.html#crypt Traditional DES-crypted password
However, my file uses SHA512-CRYPT ($6$), and sha256crypt, and yescrypt. Not sure if DES-crypted passwords are still in use these days. The last 10 years I have only seen sha512crypt, sha256crypt, bcrypt, and yescrypt. Either way, even though the password is not crypt (56-bit DES crypt), authentication still seems to work. Very mysterious.
Somehow the documentation is very confusing. And why for the love of security is PLAIN the default? Nobody in their right mind chooses to store passwords in clear text. In fact, when using PLAIN one should have to set a separate parameter:
i_know_what_i_am_doing = yes or i_know_how_stupid_that_is = yes
Yet, PLAIN is the default? This is also a breaking change and should have been mentioned in BIG FAT LETTERS. As I have pointed out, in 2.3 the file worked without setting any password scheme parameter.
I am genuinely puzzled.
Cheers, K. C.
On 10/11/2025 16:04 EET Helmut K. C. Tessarek via dovecot <dovecot@dovecot.org> wrote:
On 2025-11-10 06:58, Aki Tuomi via dovecot wrote:
Try adding to the passwd-file
default_password_scheme = crypt
Thanks, this worked, even though I have no idea why.
The documentation states:
https://doc.dovecot.org/2.4.2/core/config/auth/schemes.html#crypt Traditional DES-crypted password
Also the very next line in the very same documentation says:
Dovecot uses libc's crypt() function, which means that CRYPT is usually able to recognize MD5-CRYPT and possibly also other password schemes. See all of the *-CRYPT schemes at the top of this page.
Somehow the documentation is very confusing. And why for the love of security is PLAIN the default? Nobody in their right mind chooses to store passwords in clear text.
Actually the default for passwd-file is CRYPT.
passdb_passwd_file { passdb_default_password_scheme = CRYPT }
but not sure why it's not working correctly, so this is a bug.
Aki
On 2025-11-10 09:15, Aki Tuomi via dovecot wrote:
Also the very next line in the very same documentation says:
Dovecot uses libc's crypt() function, which means that CRYPT is usually able to recognize MD5-CRYPT and possibly also other password schemes. See all of the *-CRYPT schemes at the top of this page.
This is true. I still found it confusing. Why mention DES crypt at all? There is a separate DES-CRYPT entry/scheme anyway.
I'd change it like so:
CRYPT
Password is encrypted.
Dovecot uses libc's crypt() function, which means that it is able to recognize
all password schemes available on your system (e.g. the ones used in /etc/passwd)
The second part should be moved to the DES-CRYPT section:
DES-CRYPT
Traditional DES based hash.
The DES-crypt scheme only uses the first 8 characters of the password, the rest is ignored. Other schemes may have other password length limitations (if they limit the password length at all).
Changed: 2.4.0
Disabled by default.
Do you accept a PR? I'd love to propose above changes to the documentation.
Actually the default for passwd-file is CRYPT.
passdb_passwd_file { passdb_default_password_scheme = CRYPT }
but not sure why it's not working correctly, so this is a bug.
Thanks for the info. I am not happy with a bug, but with the fact that PLAIN is not the default. ;-)
Cheers, K. C.
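An added example, not from this thread or the Dovecot project: a small Python audit that rewrites each passwd-file entry with an explicit {SCHEME} prefix, so authentication no longer depends on the passdb's default scheme and a cleartext-looking entry is flagged instead of silently compared as PLAIN. It assumes Dovecot's {SCHEME} prefix convention for the password field and the usual crypt(3) magic prefixes; the sample file is constructed.

```python
"""Make the hash scheme explicit in every Dovecot passwd-file entry."""
import re

# crypt(3) magic prefix -> Dovecot scheme name (assumed mapping; yescrypt and
# scrypt have no dedicated Dovecot scheme and are reached via generic CRYPT)
CRYPT_MAGIC = {
    "$1$": "MD5-CRYPT",
    "$5$": "SHA256-CRYPT",
    "$6$": "SHA512-CRYPT",
    "$2a$": "BLF-CRYPT",
    "$2b$": "BLF-CRYPT",
    "$2y$": "BLF-CRYPT",
    "$y$": "CRYPT",
    "$7$": "CRYPT",
}
# An entry that already carries "{SCHEME}" or "{SCHEME.b64}" / "{SCHEME.hex}"
EXPLICIT = re.compile(r"^\{([A-Za-z0-9-]+)(?:\.(?:b64|base64|hex))?\}")


def classify(password_field):
    """Return (scheme, hash, explicit) for one password field."""
    m = EXPLICIT.match(password_field)
    if m:
        return m.group(1).upper(), password_field[m.end():], True
    for magic, scheme in CRYPT_MAGIC.items():
        if password_field.startswith(magic):
            return scheme, password_field, False
    return None, password_field, False  # nothing recognisable: would be PLAIN


def normalize_line(line):
    """Rewrite one line (user:password[:uid:gid:...]); return (line, note)."""
    line = line.rstrip("\n")
    if not line or line.startswith("#"):
        return line, None
    fields = line.split(":")
    scheme, pw_hash, explicit = classify(fields[1] if len(fields) > 1 else "")
    if explicit:
        return line, None
    if scheme is None:
        return line, "%s: no recognisable scheme, relies on the passdb default" % fields[0]
    fields[1] = "{%s}%s" % (scheme, pw_hash)
    return ":".join(fields), "%s: made %s explicit" % (fields[0], scheme)


def normalize_file(text):
    """Process a whole file; return (rewritten text, list of notes)."""
    out, notes = [], []
    for line in text.splitlines():
        new, note = normalize_line(line)
        out.append(new)
        if note:
            notes.append(note)
    return "\n".join(out), notes


SAMPLE = """# constructed sample, not a real passwd-file
alice:$6$saltsalt$hashhashhash
bob:{SHA512-CRYPT}$6$saltsalt$hashhashhash
carol:$y$j9T$saltsalt$hashhashhash::::
dave:hunter2
"""

if __name__ == "__main__":
    rewritten, findings = normalize_file(SAMPLE)
    print(rewritten)
    print("\n".join(findings))
```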