pam(foobar@example.com,192.0.1.1,<9zMTUUCGNfHZzMpL>): unknown user (SHA1 of given password: ff75068c2f4d700a49dae204d56477a5ffa5d23d)
The password is correct, i.e. 'echo -n 'passed' | openssl dgst -sha1' matches.
The user is set up correctly in /etc/dovecot/users (the /etc/dovecot/users was copied from another known-good server, so the syntax is correct and appropriate adjustments have been made for chmod and directory).
doveconf -N follows:
# 2.3.3 (dcead646b): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.3 (f018bbab)
# OS: Linux 4.12.14-lp150.12.48-default x86_64
# Hostname: foobar
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = sha1
doveadm_password = # hidden, use -P to show it
first_valid_uid = 471
imapc_features = rfc822.size fetch-headers
imapc_host = foobar.example.com
imapc_password = # hidden, use -P to show it
imapc_port = 993
imapc_ssl = imaps
imapc_user = %u
mail_location = maildir:~/Maildir
mail_plugin_dir = /usr/lib64/dovecot/modules
mail_prefetch_count = 20
mailbox_list_index = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body environment mailbox date ihave enotify
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
  name =
}
plugin {
  sieve = file:~/.dovecot.sieve
}
protocols = imap lmtp
service auth {
  unix_listener /var/spool/postfix/private/dovecot-auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  process_min_avail = 3
}
service lmtp {
  process_min_avail = 5
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = my_virtmailuser
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  inet_listener sieves {
    address =
    port = 5190
    ssl = yes
  }
}
ssl = required
ssl_ca = </etc/dovecot/ssl/certbot_ca.pem
ssl_cert = </etc/dovecot/ssl/certbot.pem
ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
ssl_options = no_compression
ssl_prefer_server_ciphers = yes
userdb {
  driver = passwd
  name =
}
userdb {
  args = scheme=ARGON2ID username_format=%u /etc/dovecot/users
  auth_verbose = yes
  driver = passwd-file
  name =
}
protocol lmtp {
  mail_plugins = sieve
  postmaster_address = foobar@example.com
}
protocol lda {
  deliver_log_format = msgid=%m: %$
  mail_plugins = sieve
  postmaster_address = postmaster
  quota_full_tempfail = yes
  rejection_reason = Your message to <%t> was automatically rejected:%n%r
}
protocol imap {
  mail_max_userip_connections = 20
}
On Thursday, April 11, 2019 2:02 PM, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
PAM is trying to lookup user@domain while you probably only have user. PAM driver does not yet support username_format.
Aki
But /etc/dovecot/users file isn't pam ? I don't need pam if I'm using /etc/dovecot/users ? Or am I understanding you wrong?
On Thursday, April 11, 2019 3:07 PM, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
you have passdb block using pam. it is involved in the lookup process.
Well, I didn't but it seems to be the default example config (i.e. it's in auth-system.conf.ext, not my local.cf).
I commented it out, but now I get "auth: Fatal: No passdbs specified in configuration file. LOGIN mechanism needs one"
What am I missing to make it look in /etc/dovecot/users ? My local.cf came from a known-good server so I don't understand why it hasn't implemented the changes that need to be done on this new one ? What parameters am I missing ? I'm lost and exhausted by struggling with dovecot these last few days.
On Thursday, April 11, 2019 3:07 PM, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
you have passdb block using pam. it is involved in the lookup process.
Aki Tuomi
doveconf -n passdb userdb
passdb {
  args = scheme=ARGON2ID username_format=%u /etc/dovecot/users
  auth_verbose = yes
  driver = passwd-file
}
userdb {
  args = scheme=ARGON2ID username_format=%u /etc/dovecot/users
  auth_verbose = yes
  driver = passwd-file
}
On 11 April 2019 17:56 Laura Smith via dovecot <dovecot@dovecot.org> wrote:
doveconf -n passdb userdb
passdb {
  args = scheme=ARGON2ID username_format=%u /etc/dovecot/users
  auth_verbose = yes
  driver = passwd-file
}
userdb {
  args = scheme=ARGON2ID username_format=%u /etc/dovecot/users
  auth_verbose = yes
  driver = passwd-file
}
Looks OK now. PAM is quite often the culprit as it's part of the default shipped config and can be often missed when setting things up.
Aki
On Thursday, April 11, 2019 5:49 PM, Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
Looks OK now. PAM is quite often the culprit as it's part of the default shipped config and can be often missed when setting things up.
Aki
I guess for the future it might be nice to have an option in the params to enable overrides for shipped configs (e.g. something similar to '!important' in CSS land).
It would be nice to be able to make local.conf the source of truth instead of having to say 97.5% local.conf and then these few hacks of shipped configs (which may or may not get overwritten by package updates from the distros)
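Added example, not part of the thread and not Dovecot's own code: a Python check over `doveconf -n` output that lists the drivers of the effective top-level passdb and userdb blocks and flags the mismatch diagnosed above, where users live in a passwd-file userdb but passwords are checked by a different passdb. The two sample inputs are constructed from the settings quoted in the thread; the function names are illustrative.

```python
import re

# Constructed samples: auth-related lines from the two doveconf outputs in the thread.
BROKEN = """\
passdb {
  driver = pam
}
service auth {
  unix_listener /var/spool/postfix/private/dovecot-auth {
    mode = 0660
  }
}
userdb {
  driver = passwd
}
userdb {
  args = scheme=ARGON2ID username_format=%u /etc/dovecot/users
  driver = passwd-file
}
"""
FIXED = """\
passdb {
  args = scheme=ARGON2ID username_format=%u /etc/dovecot/users
  driver = passwd-file
}
userdb {
  args = scheme=ARGON2ID username_format=%u /etc/dovecot/users
  driver = passwd-file
}
"""

def auth_drivers(text):
    """Drivers of the top-level passdb/userdb blocks, in lookup order."""
    found, stack = {"passdb": [], "userdb": []}, []
    for line in map(str.strip, text.splitlines()):
        if line.endswith("{"):
            stack.append(line.split()[0])      # block type: passdb, service, ...
        elif line == "}":
            if stack:
                stack.pop()
        elif len(stack) == 1 and stack[0] in found:
            m = re.fullmatch(r"driver\s*=\s*(\S+)", line)
            if m:
                found[stack[0]].append(m.group(1))
    return found

def findings(text):
    """Flag the mismatch from the thread: users in a file, passwords checked elsewhere."""
    d, out = auth_drivers(text), []
    if not d["passdb"]:
        out.append("no passdb configured")
    elif "passwd-file" in d["userdb"] and "passwd-file" not in d["passdb"]:
        out.append("passwd-file userdb but passdb is " + ",".join(d["passdb"]))
    return out
```

Feeding it the merged output of `doveconf -n` rather than a single file catches blocks that come from shipped includes such as auth-system.conf.ext.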