I have dovecot version 2.2.10 dovecot -n output below
I am seeing connection errors being written to my dovecot error log: Mar 1 19:51:15 mail dovecot: auth-worker(2224): Error: mysql(localhost): Connect failed to database (servermail): Access denied for user 'usermail'@'localhost' (using password: YES) - waiting for 5 seconds before retry
My connection script located at /etc/dovecot/dovecot-sql.conf.ext is like (password edited):
driver = mysql
connect = host=localhost dbname=servermail user='usermail' password='MY_SUPER_SECRET_PASSWORD'
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';
I have verified that I can gain access to the SQL database with # mysql -u usermail -p
I can make select statements on the 'servermail' database and all of its tables.
I've searched for similar errors from users, but most of the questions are unanswered, or answered incorrectly. I did follow one thread's suggestion of setting the MYSQL password for the 'usermail' with OLD_PASSWORD instead of PASSWORD. I did that. I could still log in from the shell using mysql -u usermail -p
But dovecot still wrote the same error. (I did a flush privileges, and restarted mysql, and dovecot) I then set the password in SQL back using PASSWORD. (flushed privileges and restarted mysql and dovecot). Still Errors.
Looking for leads.
Thanks,
Dan LaSota Instructional Designer, UAF eLearning (907) 451-4067 dan.lasota@alaska.edu http://elearning.uaf.edu
dovecot -n
# 2.2.10: /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-123.20.1.el7.x86_64 x86_64 CentOS Linux release 7.0.1406 (Core) xfs
auth_debug = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
mail_debug = yes
mail_location = maildir:/var/mail/vhosts/%d/%n
mail_privileged_group = mail
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocols = imap lmtp
service auth-worker {
  user = vmail
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = dovecot
}
service imap-login {
  inet_listener imap {
    port = 0
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl = required
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
  driver = static
}
verbose_ssl = yes
On 02.03.2015 at 06:03, Dan LaSota wrote:
I have dovecot version 2.2.10 dovecot -n output below
I am seeing connection errors being written to my dovecot error log: Mar 1 19:51:15 mail dovecot: auth-worker(2224): Error: mysql(localhost): Connect failed to database (servermail): Access denied for user 'usermail'@'localhost' (using password: YES) - waiting for 5 seconds before retry
Just some quick ideas
- check if the mysql socket file has rw permissions for the dovecot user
- Try to run the mysql query as user dovecot (su dovecot)
- Try to set the local ip instead of localhost (mysql makes a difference in the ACL checks if you come from localhost)
Oliver
-- Protect your environment - close windows and adopt a penguin!
On Mon, 2 Mar 2015, Oliver Welter wrote:
On 02.03.2015 at 06:03, Dan LaSota wrote:
I have dovecot version 2.2.10 dovecot -n output below
I am seeing connection errors being written to my dovecot error log: Mar 1 19:51:15 mail dovecot: auth-worker(2224): Error: mysql(localhost): Connect failed to database (servermail): Access denied for user 'usermail'@'localhost' (using password: YES) - waiting for 5 seconds before retry
Just some quick ideas
- check if the mysql socket file has rw permissions for the dovecot user
- Try to run the mysql query as user dovecot (su dovecot)
- Try to set the local ip instead of localhost (mysql makes a difference in the ACL checks if you come from localhost)
(Y) in addition:
- Did mysql log something useful?
Steffen Kaiser
Just some quick ideas
* check if the mysql socket file has rw permissions for the dovecot user
# ls -l /var/lib/mysql/mysql.sock
srwxrwxrwx. 1 mysql mysql 0 Mar 1 19:33 /var/lib/mysql/mysql.sock
* Try to run the mysql query as user dovecot (su dovecot)
The dovecot user I set up is a non-interactive user /sbin/nologin
I studied different setup guides, and all of them suggested setting up dovecot with a non-interactive shell. However the mysql client is world executable:
# ls -l /bin/mysql
-rwxr-xr-x. 1 root root 3533008 Feb 5 05:47 /bin/mysql
* Try to set the local ip instead of localhost (mysql makes a difference in the ACL checks if you come from localhost)
I have tried with
connect = host=localhost dbname=servermail user='usermail' password='gjwslegosoghjshloehg$_jsdgh'
and
connect = host=127.0.0.1 dbname=servermail user='usermail' password='gjwslegosoghjshloehg$_jsdgh'
still doesn't work:
Mar 2 04:58:48 mail dovecot: auth-worker(5745): Error: mysql(127.0.0.1): Connect failed to database (servermail): Access denied for user 'usermail'@'localhost' (using password: YES) - waiting for 1 seconds before retry
* Did mysql log something useful?
I have turned on general-log in MySQL (actually mariadb):
A few things to note: connection 221 is me manually logging into the server from the command line. The other numbers are dovecot. I'm using the same credentials as the dovecot config files. (not sure if this is useful or not)
               221 Connect mailuser@localhost as anonymous on
               221 Query select @@version_comment limit 1
150302 9:18:33 221 Query show databases
150302 9:18:38 221 Query SELECT DATABASE()
               221 Init DB servermail
               221 Query show databases
               221 Query show tables
               221 Field List virtual_aliases
               221 Field List virtual_domains
               221 Field List virtual_users
150302 9:18:43 221 Query show tables
150302 9:18:50 222 Connect usermail@localhost as anonymous on servermail
               222 Connect Access denied for user 'usermail'@'localhost' (using password: YES)
               223 Connect usermail@localhost as anonymous on servermail
               223 Connect Access denied for user 'usermail'@'localhost' (using password: YES)
150302 9:18:56 221 Query select * from virtual_users
150302 9:19:19 224 Connect usermail@localhost as anonymous on servermail
               224 Connect Access denied for user 'usermail'@'localhost' (using password: YES)
               213 Quit
               214 Quit
               215 Quit
150302 9:19:20 225 Connect usermail@localhost as anonymous on servermail
               225 Connect Access denied for user 'usermail'@'localhost' (using password: YES)
150302 9:19:24 221 Quit
150302 9:19:25 226 Connect usermail@localhost as anonymous on servermail
               226 Connect Access denied for user 'usermail'@'localhost' (using password: YES)
150302 9:19:50 227 Connect usermail@localhost as anonymous on servermail
               227 Connect Access denied for user 'usermail'@'localhost' (using password: YES)
Dan LaSota Instructional Designer, UAF eLearning (907) 451-4067 dan.lasota@alaska.edu http://elearning.uaf.edu
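Added example (not part of the original message, and not Dovecot or MariaDB code): a Python script that reads a general-log excerpt in the layout quoted above and counts, per account, how many connection ids were accepted or denied. The function names and regular expressions are this example's own assumptions about that layout; the sample lines are a subset of the excerpt.

```python
import re
from collections import defaultdict

# Subset of the general-log excerpt quoted in the message above.
SAMPLE_LOG = """\
               221 Connect mailuser@localhost as anonymous on
               221 Query select @@version_comment limit 1
150302 9:18:38 221 Query SELECT DATABASE()
               221 Init DB servermail
150302 9:18:50 222 Connect usermail@localhost as anonymous on servermail
               222 Connect Access denied for user 'usermail'@'localhost' (using password: YES)
               223 Connect usermail@localhost as anonymous on servermail
               223 Connect Access denied for user 'usermail'@'localhost' (using password: YES)
150302 9:18:56 221 Query select * from virtual_users
150302 9:19:24 221 Quit
"""

# Optional "YYMMDD H:MM:SS" stamp, connection id, then the Connect argument.
CONNECT = re.compile(r"^\s*(?:\d{6}\s+\d{1,2}:\d{2}:\d{2}\s+)?(\d+)\s+Connect\s+(.*)$")
ATTEMPT = re.compile(r"^(\S+@\S+) as \S+ on\b")
DENIED = re.compile(r"^Access denied for user '([^']*)'@'([^']*)'")

def summarize(log_text):
    """Return {"user@host": {"ok": n, "denied": n}}, one count per connection id."""
    account_of = {}      # connection id -> account it presented
    denied_ids = set()   # connection ids the server rejected
    for line in log_text.splitlines():
        m = CONNECT.match(line)
        if not m:
            continue
        conn_id, rest = m.group(1), m.group(2).strip()
        denied = DENIED.match(rest)
        attempt = ATTEMPT.match(rest)
        if denied:
            denied_ids.add(conn_id)
            account_of.setdefault(conn_id, f"{denied.group(1)}@{denied.group(2)}")
        elif attempt:
            account_of[conn_id] = attempt.group(1)
    counts = defaultdict(lambda: {"ok": 0, "denied": 0})
    for conn_id, account in account_of.items():
        counts[account]["denied" if conn_id in denied_ids else "ok"] += 1
    return dict(counts)

def never_accepted(summary):
    """Accounts with denials and no accepted login anywhere in the log."""
    return sorted(a for a, c in summary.items() if c["denied"] and not c["ok"])
```

On these lines the only accepted login is mailuser@localhost (connection 221), while every denied attempt presents usermail@localhost, so the manual session recorded in the log exercised a different account name from the one Dovecot sends.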
On 02.03.2015 at 19:30, Dan LaSota wrote:
Just some quick ideas
- check if the mysql socket file has rw permissions for the dovecot user
# ls -l /var/lib/mysql/mysql.sock
srwxrwxrwx. 1 mysql mysql 0 Mar 1 19:33 /var/lib/mysql/mysql.sock
that's not the problem
I have tried with
connect = host=localhost dbname=servermail user='usermail' password='gjwslegosoghjshloehg$_jsdgh'
and
connect = host=127.0.0.1 dbname=servermail user='usermail' password='gjwslegosoghjshloehg$_jsdgh'
still doesn't work: Mar 2 04:58:48 mail dovecot: auth-worker(5745): Error: mysql(127.0.0.1): Connect failed to database (servermail): Access denied for user 'usermail'@'localhost' (using password: YES) - waiting for 1 seconds before retry
that is a pretty clear message
the username / password / host is wrong, fix your mysql permissions and keep in mind that localhost != 127.0.0.1 in that context
the user with that password from that host is not allowed - period
still doesn't work: Mar 2 04:58:48 mail dovecot: auth-worker(5745): Error: mysql(127.0.0.1): Connect failed to database (servermail): Access denied for user 'usermail'@'localhost' (using password: YES) - waiting for 1 seconds before retry
that is a pretty clear message
the username / password / host is wrong, fix your mysql permissions and keep in mind that localhost != 127.0.0.1 in that context
which is the preferred address: localhost or 127.0.0.1 ?
the user with that password from that host is not allowed - period
Then why can I use the same credentials to log into mysql from the command line? Like so:
# mysql -u mailuser -h localhost -p
Dan LaSota Instructional Designer, UAF eLearning (907) 451-4067 dan.lasota@alaska.edu http://elearning.uaf.edu
On 02.03.2015 at 19:53, Dan LaSota wrote:
still doesn't work: Mar 2 04:58:48 mail dovecot: auth-worker(5745): Error: mysql(127.0.0.1): Connect failed to database (servermail): Access denied for user 'usermail'@'localhost' (using password: YES) - waiting for 1 seconds before retry
that is a pretty clear message
the username / password / host is wrong, fix your mysql permissions and keep in mind that localhost != 127.0.0.1 in that context
which is the preferred address: localhost or 127.0.0.1 ?
depends
if you prefer unix sockets: localhost
if you prefer TCP: 127.0.0.1
the user with that password from that host is not allowed - period
Then why can I use the same credentials to log into mysql from the command line? Like so:
# mysql -u mailuser -h localhost -p
that is unix-socket, -h 127.0.0.1 would be TCP
just use "host=/var/lib/mysql/mysql.sock" or wherever your socket lives or give the 127.0.0.1 user the same permissions - these are mysql basics
On 02.03.2015 at 19:30, Dan LaSota wrote:
Just some quick ideas
- check if the mysql socket file has rw permissions for the dovecot user
# ls -l /var/lib/mysql/mysql.sock
srwxrwxrwx. 1 mysql mysql 0 Mar 1 19:33 /var/lib/mysql/mysql.sock
- Try to run the mysql query as user dovecot (su dovecot)
The dovecot user I set up is a non-interactive user /sbin/nologin
You can use "su dovecot -s /bin/bash" to override the configured shell (or temporarily set the user's shell using "usermod").
However the mysql client is world executable:
dovecot should not need the client (it's built in)
- Try to set the local ip instead of localhost (mysql makes a difference in the ACL checks if you come from localhost)
I have tried with
connect = host=localhost dbname=servermail user='usermail' password='gjwslegosoghjshloehg$_jsdgh'
and
connect = host=127.0.0.1 dbname=servermail user='usermail' password='gjwslegosoghjshloehg$_jsdgh'
Do you really have a dollar sign in the password? This is always a suspicious candidate - try a password without the dollar sign (I don't know if/what dovecot requires escaping)
Oliver
-- Protect your environment - close windows and adopt a penguin!
Thanks for the suggestion. I did indeed have a dollar sign in there. No longer the case. I also changed 'localhost' to the pathname to the unix socket file as well.
I'm now onto the next misconfiguration!
Dan LaSota Instructional Designer, UAF eLearning (907) 451-4067 dan.lasota@alaska.edu http://elearning.uaf.edu
On Mon, 2 Mar 2015, Dan LaSota wrote:
connect = host=localhost dbname=servermail user='usermail' password='gjwslegosoghjshloehg$_jsdgh'
Honestly, I do not know whether and how you have / can quote strings, but try:
- to not quote at all
- use "
- use a password without $
Steffen Kaiser
participants (4)
- Dan LaSota
- Oliver Welter
- Reindl Harald
- Steffen Kaiser