[Dovecot] multiple authentication mechanisms, many problems
dovecot: Jun 11 23:57:56 Info: auth(default): pam(testi@irkkaa.net,83.145.196.129): pam_authenticate() failed: Authentication failure
Tried also debugging what's wrong with it, it queries ok, the password in the query is ok and everything, but it never replies +OK. That connection just halts after PASS command. Tried IMAP, same result.
config: (dovecot.conf, PLAIN etc all enabled)
passdb pam {
  args = *
}
passdb sql {
  args = /usr/local/etc/dovecot-mysql.conf
}
userdb passwd {
}
userdb sql {
  args = /usr/local/etc/dovecot-mysql.conf
}
default_pass_scheme = PLAIN
password_query = SELECT username as user, password FROM mailbox WHERE username = '%u'
user_query = SELECT concat('/usr/local/virtual/',maildir) as home, 207 AS uid,208 AS gid FROM mailbox WHERE username = '%u'
postfixadmin-format mysql-DB, mails in /usr/local/virtual/user@domain/Maildir
Any ideas where stuff could go wrong? Passwords in the MySQL are cleartext and checked that query returns right values. Yet authentication-phase just gets stuck. System is hardened Gentoo-Linux (2.6.11r13-grsec)
On Sun, 2005-06-12 at 00:06 +0300, Jani Karlsson wrote:
dovecot: Jun 11 23:57:56 Info: auth(default): pam(testi@irkkaa.net,83.145.196.129): pam_authenticate() failed: Authentication failure
..
passdb pam {
  args = *
}
passdb sql {
  args = /usr/local/etc/dovecot-mysql.conf
}
userdb passwd {
}
userdb sql {
  args = /usr/local/etc/dovecot-mysql.conf
}
Did you try that it works with just SQL, or with just PAM? The problem happens only if these both are defined? When it gets stuck, does it matter if the user is in PAM or SQL?
Is this with 1.0-stable or 1.0-test?
Timo Sirainen wrote:
On Sun, 2005-06-12 at 00:06 +0300, Jani Karlsson wrote:
dovecot: Jun 11 23:57:56 Info: auth(default): pam(testi@irkkaa.net,83.145.196.129): pam_authenticate() failed: Authentication failure
..
passdb pam {
  args = *
}
passdb sql {
  args = /usr/local/etc/dovecot-mysql.conf
}
userdb passwd {
}
userdb sql {
  args = /usr/local/etc/dovecot-mysql.conf
}
Did you try that it works with just SQL, or with just PAM? The problem happens only if these both are defined? When it gets stuck, does it matter if the user is in PAM or SQL?
Is this with 1.0-stable or 1.0-test?
1.0-test, I found the error it had... authentication was successful, but it was trying to request /Maildir, although I had %h:%h/Maildir. I was wanting /Maildir for shell (unix) users and homedir/[cur,new,tmp] for SQL-users. It tried to access /usr/local/virtual/test@test.net//Maildir/ and was stuck in some loop until that connection timed out. After I fixed this error, I found another, already posted on the list:
http://dovecot.org/pipermail/dovecot/2005-May/007421.html
Similar problems with Gentoo on AMD64, 1.0-test72.. cannot create/move/such IMAP folders.
Error: denied resource overstep by requesting 17189568512 for RLIMIT_AS against limit 536870912 for /usr/local/libexec/dovecot/imap[imap:23732] uid/euid:1156/1156 gid/egid:1156/1156, parent /usr/local/sbin/dovecot[dovecot:13204] uid/euid:0/0 gid/egid:0/0
Yet there are no limits, checked that twice.
Also, dovecot starts only random, if it has to do something (like correct /var/run/dovecot permissions, it will always start), somehow it races too fast too many connections to MySQL, resulting:
dovecot: Jun 14 12:46:45 Error: Auth process died too early - shutting down
dovecot: Jun 14 12:46:45 Info: auth(default): mysql: Connected to (null) (postfix)
dovecot: Jun 14 12:46:45 Error: auth(default): net_connect_unix(/var/run/dovecot/auth-worker.11918) failed: No such file or directory
dovecot: Jun 14 12:46:45 Error: child 11918 (auth) returned error 89
I find it yet not quite suitable for production use, as I can duplicate these exact same errors on another 64-bit (AMD64) Debian system. I am wondering if this is something related to 64-bit CPUs. Anyway, patches etc are welcome. Especially the dovecot starting randomly only is nasty, need to kill all processes manually and try again.
On Tue, 14 Jun 2005, Jani Karlsson wrote:
http://dovecot.org/pipermail/dovecot/2005-May/007421.html
Similar problems with Gentoo on AMD64, 1.0-test72.. cannot create/move/such IMAP folders.
Error: denied resource overstep by requesting 17189568512 for RLIMIT_AS against limit 536870912 for /usr/local/libexec/dovecot/imap[imap:23732] uid/euid:1156/1156 gid/egid:1156/1156, parent /usr/local/sbin/dovecot[dovecot:13204] uid/euid:0/0 gid/egid:0/0
Yet there are no limits, checked that twice.
that message comes from grsecurity. i guess gentoo uses that.
anyway, RLIMIT_AS is the address space limit. dovecot's imap is trying to increase the limit from 512mb to 16gb for inexplicable reason.
looks like a bug to me (any legitimate reason imap would ever need 16gb, let alone 512mb?)
-Dan
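As an added example (not code from this thread or from the Dovecot project), a small Python parser for the grsecurity "denied resource overstep" message quoted above, which puts the requested size and the limit into readable units for log triage. The pattern is derived only from the single line quoted in the thread, and the function names are made up for the illustration.

```python
import re

# Pattern derived from the one grsecurity line quoted in this thread (assumption:
# other grsecurity versions keep the same wording).
OVERSTEP = re.compile(
    r"denied resource overstep by requesting (?P<requested>\d+) "
    r"for (?P<resource>RLIMIT_\w+) against limit (?P<limit>\d+) "
    r"for (?P<binary>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+)"
)
# Limits whose values are byte counts; others (e.g. RLIMIT_NOFILE) are plain counts.
BYTE_LIMITS = {"RLIMIT_AS", "RLIMIT_DATA", "RLIMIT_STACK", "RLIMIT_CORE",
               "RLIMIT_FSIZE", "RLIMIT_MEMLOCK", "RLIMIT_RSS"}

# Log lines copied from the thread: one overstep report, one unrelated PAM line.
SAMPLE_LINES = [
    "Error: denied resource overstep by requesting 17189568512 for RLIMIT_AS "
    "against limit 536870912 for /usr/local/libexec/dovecot/imap[imap:23732] "
    "uid/euid:1156/1156 gid/egid:1156/1156, parent "
    "/usr/local/sbin/dovecot[dovecot:13204] uid/euid:0/0 gid/egid:0/0",
    "dovecot: Jun 11 23:57:56 Info: auth(default): "
    "pam(testi@irkkaa.net,83.145.196.129): pam_authenticate() failed: "
    "Authentication failure",
]

def human(n):
    """Render a byte count in binary units."""
    for unit in ("B", "KiB", "MiB", "GiB"):
        if n < 1024:
            return f"{n:.2f} {unit}"
        n /= 1024
    return f"{n:.2f} TiB"

def parse_overstep(line):
    """Return the fields of one overstep report, or None for any other line."""
    m = OVERSTEP.search(line)
    if m is None:
        return None
    hit = {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}
    in_bytes = hit["resource"] in BYTE_LIMITS
    hit["requested_h"] = human(hit["requested"]) if in_bytes else str(hit["requested"])
    hit["limit_h"] = human(hit["limit"]) if in_bytes else str(hit["limit"])
    hit["ratio"] = hit["requested"] / hit["limit"] if hit["limit"] else float("inf")
    return hit

def triage(lines):
    """Keep only the lines that are overstep reports, parsed."""
    return [h for h in map(parse_overstep, lines) if h]

if __name__ == "__main__":
    for h in triage(SAMPLE_LINES):
        print(f'{h["binary"]} pid {h["pid"]} uid {h["uid"]}: {h["resource"]} '
              f'requested {h["requested_h"]} vs limit {h["limit_h"]} ({h["ratio"]:.1f}x)')
```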
Dan Hollis wrote:
that message comes from grsecurity. i guess gentoo uses that.
Gentoo hardened-kernel (grsecurity+pax+selinux), the Debian 64-bit is running vanilla. It doesn't show the error, it just kills that process.
anyway, RLIMIT_AS is the address space limit. dovecot's imap is trying to increase the limit from 512mb to 16gb for inexplicable reason.
looks like a bug to me (any legitimate reason imap would ever need 16gb, let alone 512mb?)
Yeah, I wondered why transferring small IMAP folders require nearly 16 gigabytes of RAM. Too bad those servers only have 2. Again dovecot gets stuck until connection will timeout itself.
512MB is the limit in the dovecot-config so that it doesn't get on rampage. Yet it apparently tries to do that.
On Tue, 2005-06-14 at 13:24 +0300, Jani Karlsson wrote:
1.0-test, I found the error it had... authentication was successful, but it was trying to request /Maildir, although I had %h:%h/Maildir. I was wanting /Maildir for shell (unix) users and homedir/[cur,new,tmp] for SQL-users. It tried to access /usr/local/virtual/test@test.net//Maildir/ and was stuck in some loop until that connection timed out.
How could I reproduce this? Dovecot shouldn't ever get stuck. Was it dovecot-auth, dovecot master or imap process that got stuck?
Error: denied resource overstep by requesting 17189568512 for RLIMIT_AS against
So it's trying to allocate 17GB of memory. Shouldn't really happen :)
Also, dovecot starts only random, if it has to do something (like correct /var/run/dovecot permissions, it will always start), somehow it races too fast too many connections to MySQL, resulting:
dovecot: Jun 14 12:46:45 Error: Auth process died too early - shutting down
dovecot: Jun 14 12:46:45 Info: auth(default): mysql: Connected to (null) (postfix)
dovecot: Jun 14 12:46:45 Error: auth(default): net_connect_unix(/var/run/dovecot/auth-worker.11918) failed: No such file or directory
This I've heard before. Should look into it..
I find it yet not quite suitable for production use, as I can duplicate these exact same errors on another 64-bit (AMD64) Debian system. I am wondering if this is something related to 64-bit CPUs.
Yes, must be somehow related to 64bit systems. I just can't test them myself currently..
On Tue, 2005-06-14 at 13:24 +0300, Jani Karlsson wrote:
Similar problems with Gentoo on AMD64, 1.0-test72.. cannot create/move/such IMAP folders.
Error: denied resource overstep by requesting 17189568512 for RLIMIT_AS against limit 536870912 for /usr/local/libexec/dovecot/imap[imap:23732] uid/euid:1156/1156 gid/egid:1156/1156, parent /usr/local/sbin/dovecot[dovecot:13204] uid/euid:0/0 gid/egid:0/0
Could you attach gdb into the imap process before starting the move, and when the process gets killed it should be possible to get backtrace of it? i.e.:
gdb attach `pidof imap`
cont
<make it crash here>
bt
participants (3): Dan Hollis, Jani Karlsson, Timo Sirainen