I'm getting imap-login: Internal login failure: bob whenever I try to check mail. I'm new to mail server setup, new to IMAP, and I don't know a heck of a lot about authentication schemes.
I've set up Dovecot as an IMAP server on FreeBSD 4.8. I've got OpenLDAP running on the same system. Users will access mail via Eudora on Windows and Macs, so that's how I'm testing. If I try to test Dovecot using IMAP commands via telnet, Dovecot tells me LOGIN BAD Error in IMAP command received by server. I also can't telnet via localhost; I have to specify the host name, so I'm connecting via the host's external interface. I have no problem connecting to localhost on ports not used by Dovecot.
So I have two questions:
- How do I correct my configuration to make login successful?
- How can I test Dovecot without using an MUA? If I have to use an MUA, I can't distinguish between errors in the MUA and errors in the IMAP server.
Thanks for any help with these two. Configuration follows.
Eudora:
Server configuration: IMAP
IMAP Mailbox Location Prefix: /var/mail/bob/Mail
Authentication Style: passwords
dovecot.conf
protocols = imap imaps
imap_listen = *:143
login_user = dovecot
default_mail_env = mbox:/var/mail/%u/Mail
auth_userdb = ldap /usr/local/etc/dovecot-ldap.conf
auth_passdb = ldap /usr/local/etc/dovecot-ldap.conf
auth_user = dovecot
dovecot-ldap.conf
hosts = localhost
dn = cn=dovecot,dc=domain,dc=tld
dnpass = **********
ldap_version = 3
base = ou=accounts,dc=domain,dc=tld
deref = never
scope = subtree
user_attrs = uid
user_filter = (&(objectClass=inetOrgPerson)(uid=%u))
pass_attrs = uid,userPassword
pass_filter = (&(objectClass=inetOrgPerson)(uid=%u))
default_pass_scheme = PLAIN
slapd.conf
password-hash {CLEARTEXT}
If I change this last to CRYPT (comment out the dovecot-ldap default_pass_scheme and change the slapd.conf password-hash to {CRYPT} and re-enter the password into LDAP), I get the same error. I have no problem accessing the LDAP data from the command line.
If I comment out the dovecot-ldap.conf user_filter and pass_filter, I get
dovecot-auth: ldap(bob): unknown user
which I interpret as meaning that the user_filter and pass_filter are necessary.
Bob Hall
On Tuesday, Aug 12, 2003, at 23:40 Europe/Helsinki, Bob Hall wrote:
I'm getting imap-login: Internal login failure: bob whenever I try to check mail. I'm new to mail server setup, new to IMAP, and I don't know a heck of a lot about authentication schemes.
There should be another error message before that line?
If I try to test Dovecot using IMAP commands via telnet, Dovecot tells me LOGIN BAD Error in IMAP command received by server.
How did you try it? It should be:
1 login username password
I also can't telnet via localhost; I have to specify the host name, so I'm connecting via the host's external interface. I have no problem connecting to localhost on ports not used by Dovecot.
I'd guess it's because localhost resolves to IPv6 localhost ::1, and Dovecot doesn't listen in IPv6 interfaces with *BSD for now, since it requires two sockets.
So I have two questions:
- How do I correct my configuration to make login successful?
The real error message should be in the logs, but I'd guess it's got something to do with user ids. What uids have you given to users in LDAP? Are they smaller than 500, which is the default minimum accepted uid? You could change first_valid_uid in config file.
Server configuration: IMAP
IMAP Mailbox Location Prefix: /var/mail/bob/Mail
Authentication Style: passwords
Don't give any IMAP prefix to clients.
login_user = dovecot
auth_user = dovecot
It's better not to use the same user for auth and login. Maybe I should add a check to disallow this entirely..
Wow. Thanks for the rapid and detailed response!
On Wed, Aug 13, 2003 at 12:19:54AM +0300, Timo Sirainen wrote:
On Tuesday, Aug 12, 2003, at 23:40 Europe/Helsinki, Bob Hall wrote:
I'm getting imap-login: Internal login failure: bob whenever I try to check mail. I'm new to mail server setup, new to IMAP, and I don't know a heck of a lot about authentication schemes.
There should be another error message before that line?
No. The complete log entries related to my last attempt to log in are
Aug 12 21:46:31 kongemord imap-login: Internal login failure: bob [192.168.0.2]
Aug 12 21:46:31 kongemord dovecot: child 14690 (auth) killed with signal 11
This is from maillog.
If I try to test Dovecot using IMAP commands via telnet, Dovecot tells me LOGIN BAD Error in IMAP command received by server.
How did you try it? It should be:
1 login username password
That's what I used.
telnet imap 143
Trying xxx.xxx.xxx.xxx...
Connected to imap.domain.tld.
Escape character is '^]'.
* OK dovecot ready.
LOGIN dovecot secret
LOGIN BAD Error in IMAP command received by server.
I also can't telnet via localhost; I have to specify the host name, so I'm connecting via the host's external interface. I have no problem connecting to localhost on ports not used by Dovecot.
I'd guess it's because localhost resolves to IPv6 localhost ::1, and Dovecot doesn't listen in IPv6 interfaces with *BSD for now, since it requires two sockets.
No, localhost resolves to 127.0.0.1. However, compiling Dovecot with the --disable-ipv6 flag fixed that problem. Now I can connect via localhost, but I can't LOGIN. Error is identical to above.
In case it helps, here are my compile flags from the Makefile:
CONFIGURE_ARGS+= --with-shadow --disable-ipv6
--localstatedir=/var --with-ldap --with-rawlog
--without-vpopmail --without-pgsql --without-pam
--with-rawlog doesn't seem to do anything. I've added the dovecot.rawlog directory to both the root home and my home, and nothing is showing up in either location, even though maillog continues to receive error messages.
So I have two questions:
- How do I correct my configuration to make login successful?
The real error message should be in the logs, but I'd guess it's got
The error message I quoted is from the logs.
something to do with user ids. What uids have you given to users in LDAP? Are they smaller than 500, which is the default minimum accepted uid? You could change first_valid_uid in config file.
I'm confused. In the documentation and schemas that come with OpenLDAP, a uid is a login. E.g. my account uid is 'bob'. Unix uses numeric uids, but if I'm using LDAP, I'm not accessing anything with numeric uids. posixAccount uses uidNumber, but I'm not using that class.
Server configuration: IMAP
IMAP Mailbox Location Prefix: /var/mail/bob/Mail
Authentication Style: passwords
Don't give any IMAP prefix to clients.
OK. The Eudora documentation says I need it. This is why I want to be able to test w/out an MUA, so that I don't mix my client errors with my server errors. I've removed it, and I'm still getting the error message.
login_user = dovecot
auth_user = dovecot
It's better not to use the same user for auth and login. Maybe I should add a check to disallow this entirely..
I don't know enough about it to know why that's a bad idea, but I got it from a sample config file online. I've changed auth_user to dovecot-auth and I'm still getting the same error.
Thanks again for the response.
Bob Hall
On Wednesday, Aug 13, 2003, at 10:03 Europe/Helsinki, Bob Hall wrote:
There should be another error message before that line?
No. The complete log entries related to my last attempt to log in are
Aug 12 21:46:31 kongemord imap-login: Internal login failure: bob [192.168.0.2]
Aug 12 21:46:31 kongemord dovecot: child 14690 (auth) killed with signal 11
OK, so the problem is that dovecot-auth process crashes. Maybe it's because you didn't give homeDirectory? It's not really needed, but there was a bug when it wasn't given. Here's a patch to fix it: http://dovecot.procontrol.fi/patches/auth-no-homedir.patch
LOGIN dovecot secret
All IMAP commands start with a "tag", which can be pretty much any text. Add "x" or whatever before the LOGIN command.
I'd guess it's because localhost resolves to IPv6 localhost ::1, and Dovecot doesn't listen in IPv6 interfaces with *BSD for now, since it requires two sockets.
No, localhost resolves to 127.0.0.1. However, compiling Dovecot with the --disable-ipv6 flag fixed that problem. Now I can connect via localhost, but I can't LOGIN. Error is identical to above.
Well, that's a bit strange..
something to do with user ids. What uids have you given to users in LDAP? Are they smaller than 500, which is the default minimum accepted uid? You could change first_valid_uid in config file.
I'm confused. In the documentation and schemas that come with OpenLDAP, a uid is a login. E.g. my account uid is 'bob'. Unix uses numeric uids, but if I'm using LDAP, I'm not accessing anything with numeric uids. posixAccount uses uidNumber, but I'm not using that class.
Dovecot still needs to map usernames to system UID numbers. If you want to use only one system UID, you can set user_global_uid and user_global_gid in dovecot-ldap.conf. Otherwise you'll need to set uidNumber and gidNumber for all users.
login_user = dovecot
auth_user = dovecot
It's better not to use the same user for auth and login. Maybe I should add a check to disallow this entirely..
I don't know enough about it to know why that's a bad idea, but I got it from a sample config file online. I've changed auth_user to dovecot-auth and I'm still getting the same error.
It's mostly just that login process is designed to be "safe" even if it contains some security holes. If other processes are running with same userid, the login process may be able to do some evil things to them.
On Wed, Aug 13, 2003 at 05:42:09PM +0300, Timo Sirainen wrote:
On Wednesday, Aug 13, 2003, at 10:03 Europe/Helsinki, Bob Hall wrote:
There should be another error message before that line?
No. The complete log entries related to my last attempt to log in are
Aug 12 21:46:31 kongemord imap-login: Internal login failure: bob [192.168.0.2]
Aug 12 21:46:31 kongemord dovecot: child 14690 (auth) killed with signal 11
OK, so the problem is that dovecot-auth process crashes. Maybe it's because you didn't give homeDirectory? It's not really needed, but there was a bug when it wasn't given. Here's a patch to fix it: http://dovecot.procontrol.fi/patches/auth-no-homedir.patch
I've never done a patch before, and I looked at the FBSD documentation on it, and couldn't figure out how it was done. So I modified my test entry in the LDAP directory and added posixAccount with homeDirectory and uidNumber and gidNumber. Restart OpenLDAP, retest, and same error message.
LOGIN dovecot secret
All IMAP commands start with a "tag", which can be pretty much any text. Add "x" or whatever before the LOGIN command.
x login dovecot secret
x NO Authentication failed.
The dovecot Unix account and the dovecot LDAP entry have been assigned the same password.
I'd guess it's because localhost resolves to IPv6 localhost ::1, and Dovecot doesn't listen in IPv6 interfaces with *BSD for now, since it requires two sockets.
No, localhost resolves to 127.0.0.1. However, compiling Dovecot with the --disable-ipv6 flag fixed that problem. Now I can connect via localhost, but I can't LOGIN. Error is identical to above.
Well, that's a bit strange..
something to do with user ids. What uids have you given to users in LDAP? Are they smaller than 500, which is the default minimum accepted uid? You could change first_valid_uid in config file.
I'm confused. In the documentation and schemas that come with OpenLDAP, a uid is a login. E.g. my account uid is 'bob'. Unix uses numeric uids, but if I'm using LDAP, I'm not accessing anything with numeric uids. posixAccount uses uidNumber, but I'm not using that class.
Dovecot still needs to map usernames to system UID numbers. If you want to use only one system UID, you can set user_global_uid and user_global_gid in dovecot-ldap.conf. Otherwise you'll need to set uidNumber and gidNumber for all users.
OK. I've added uidNumber and gidNumber for my LDAP test entry, and
user_global_uid = 2000
user_global_gid = 6
6 is the mail group. 2000 is no one in particular. I added dovecot to the mail group, but since Dovecot runs as root, I don't think that's necessary.
login_user = dovecot
auth_user = dovecot
It's better not to use the same user for auth and login. Maybe I should add a check to disallow this entirely..
I don't know enough about it to know why that's a bad idea, but I got it from a sample config file online. I've changed auth_user to dovecot-auth and I'm still getting the same error.
It's mostly just that login process is designed to be "safe" even if it contains some security holes. If other processes are running with same userid, the login process may be able to do some evil things to them.
OK. Dovecot (the app) runs under root. dovecot-auth (the process) runs under dovecot-auth (the user), imap-login runs under dovecot (the user), and nor the twain shall meet. Does that seem right?
Sorry if I seem slow, but I'm really unfamiliar with mail servers and authentication. It takes me hours to think through your replies and apply them to what I've done.
Bob Hall
On Wed, 2003-08-13 at 21:38, Bob Hall wrote:
Aug 12 21:46:31 kongemord dovecot: child 14690 (auth) killed with signal 11
I've never done a patch before, and I looked at the FBSD documentation on it, and couldn't figure out how it was done.
cd src/auth
patch -p0 < auth-no-homedir.patch
(I forgot to make the patch against root dir so the cd command is needed..)
So I modified my test entry in the LDAP directory and added posixAccount with homeDirectory and uidNumber and gidNumber. Restart OpenLDAP, retest, and same error message.
Well, since it's still crashing, check with gdb:
ps ax|grep dovecot-auth -> get PID
gdb /usr/local/libexec/dovecot/dovecot-auth PID
continue
Now try to login, and it should crash. Then type "bt" and copy&paste the output and mail it to me. http://dovecot.procontrol.fi/bugreport.html shows what the gdb output should look like.
x login dovecot secret
x NO Authentication failed.
Yeah. User doesn't get very specific error messages, they're in the log file.
OK. Dovecot (the app) runs under root. dovecot-auth (the process) runs under dovecot-auth (the user), imap-login runs under dovecot (the user), and nor the twain shall meet. Does that seem right?
That's fine.
On Thu, Aug 14, 2003 at 04:40:50AM +0300, Timo Sirainen wrote:
On Wed, 2003-08-13 at 21:38, Bob Hall wrote:
Aug 12 21:46:31 kongemord dovecot: child 14690 (auth) killed with signal 11
I've never done a patch before, and I looked at the FBSD documentation on it, and couldn't figure out how it was done.
cd src/auth
patch -p0 < auth-no-homedir.patch
Hmmm. That must be Linux. I can't find a src/auth on FBSD, and I don't know what the FBSD equivalent would be.
(I forgot to make the patch against root dir so the cd command is needed..)
So I modified my test entry in the LDAP directory and added posixAccount with homeDirectory and uidNumber and gidNumber. Restart OpenLDAP, retest, and same error message.
Well, since it's still crashing, check with gdb:
ps ax|grep dovecot-auth -> get PID
gdb /usr/local/libexec/dovecot/dovecot-auth PID
continue
Now try to login, and it should crash. Then type "bt" and copy&paste the output and mail it to me. http://dovecot.procontrol.fi/bugreport.html shows what the gdb output should look like.
It doesn't crash, it hangs.
1 login bob secret
* OK Waiting for authentication process to respond..
* BYE Disconnected for inactivity.
Connection closed by foreign host.
maillog gives no error message except mentioning that the connection was closed due to inactivity. I've sent the output from gdb, but it's very compassionate; no processes were killed during its production.
x login dovecot secret
x NO Authentication failed.
Yeah. User doesn't get very specific error messages, they're in the log file.
The problem above is caused by the fact that dovecot is not in the same subtree in LDAP registry as the user accounts. I may have to rethink that. If I log in as myself, I duplicate the error I get when I try to connect as myself from an MUA. So at least now I know how to do that.
Maybe someone can tell me; is there ever any reason to log onto dovecot as dovecot? Should I make the dovecot user's LDAP entry available to dovecot?
Bob Hall
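Timo's point that every IMAP command starts with a tag, and Bob's wish to test Dovecot without an MUA, as an added example that is my code, not anything from this thread or from Dovecot: a small Python probe that sends tagged commands, waits for the matching tagged completion, and treats a premature "* BYE" as the hung-auth failure shown above. The users bob/dovecot and the password "secret" are stand-ins copied from the thread; demo_offline() runs against a constructed fake server over a socketpair, so nothing here touches a real host.

```python
import itertools
import socket
import threading

def parse_response(line):
    """Split a server line into (tag, status, text). With no client tag the
    server takes the first word as the tag: "LOGIN dovecot secret" -> "LOGIN BAD"."""
    parts = line.rstrip("\r\n").split(" ", 2)
    if len(parts) < 2:
        raise ValueError("malformed IMAP response: %r" % line)
    return parts[0], parts[1].upper(), parts[2] if len(parts) == 3 else ""

def quote(astring):
    """Quote a LOGIN argument as an IMAP quoted string (RFC 3501)."""
    return '"' + astring.replace("\\", "\\\\").replace('"', '\\"') + '"'

class ImapProbe:
    """Minimal tagged-command client: one command in, its tagged completion out."""

    def __init__(self, sock, timeout=10.0):
        sock.settimeout(timeout)
        self.sock, self.rfile = sock, sock.makefile("rb")
        self._tags = ("a%03d" % n for n in itertools.count(1))
        self.greeting = parse_response(self._readline())   # "* OK dovecot ready."

    def _readline(self):
        raw = self.rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection; check maillog")
        return raw.decode("ascii", "replace")

    def command(self, *words):
        """Send one tagged command; return (status, text, untagged). A "* BYE"
        before the completion (auth process never answered) raises instead."""
        tag = next(self._tags)
        self.sock.sendall(("%s %s\r\n" % (tag, " ".join(words))).encode("ascii"))
        untagged = []
        while True:
            rtag, status, text = parse_response(self._readline())
            if rtag == tag:
                return status, text, untagged
            if rtag == "*" and status == "BYE":
                raise ConnectionError("server said BYE: " + text)
            untagged.append((rtag, status, text))

def probe_login(sock, user, password):
    """LOGIN over an open socket; returns (status, text). Caller closes the socket."""
    status, text, _ = ImapProbe(sock).command("LOGIN", quote(user), quote(password))
    return status, text

def demo_offline():
    """Run probe_login over a socketpair against a constructed stand-in for
    Dovecot that replays the replies quoted in this thread (no network)."""
    scripts = {"dovecot": ["{tag} NO Authentication failed."],     # wrong credentials
               "bob": ["* OK Waiting for authentication process to respond..",
                       "* BYE Disconnected for inactivity."]}       # auth process hung

    def fake_server(sock, replies):
        with sock, sock.makefile("rb") as rfile:
            sock.sendall(b"* OK dovecot ready.\r\n")
            tag = rfile.readline().decode("ascii").split(" ", 1)[0]
            for line in replies:
                sock.sendall((line.replace("{tag}", tag) + "\r\n").encode("ascii"))

    results = {}
    for user, replies in scripts.items():
        client, server = socket.socketpair()
        threading.Thread(target=fake_server, args=(server, replies), daemon=True).start()
        try:
            results[user] = probe_login(client, user, "secret")
        except ConnectionError as err:
            results[user] = ("HUNG", str(err))
        client.close()
    return results
```

Against a live server, open the connection with socket.create_connection(("imap.domain.tld", 143)) and hand the socket to probe_login; the tagged OK, NO or BAD tells you whether the client or the server is at fault, while the real reason stays in maillog, as Timo says.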
On Wed, 13 Aug 2003 23:25:08 -0400 "Bob Hall" rjhjr@cox.net wrote:
cd src/auth
patch -p0 < auth-no-homedir.patch
Hmmm. That must be Linux. I can't find a src/auth on FBSD, and I don't know what the FBSD equivalent would be.
Bob,
assuming you are using the fbsd port of dovecot:
apply the patch:
cd /usr/ports/mail/dovecot/work/dovecot-0.99.10/src/auth
patch -p0 < auth-no-homedir.patch
compile using the port:
cd /usr/ports/mail/dovecot
rm work/.build_done*
make
copy by hand the binary /usr/ports/mail/dovecot/work/dovecot-0.99.10/src/auth/dovecot-auth to /usr/local/libexec/dovecot/
marco
On Thu, Aug 14, 2003 at 09:07:00AM +0200, molter@tin.it wrote:
On Wed, 13 Aug 2003 23:25:08 -0400 "Bob Hall" rjhjr@cox.net wrote:
cd src/auth
patch -p0 < auth-no-homedir.patch
Hmmm. That must be Linux. I can't find a src/auth on FBSD, and I don't know what the FBSD equivalent would be.
Bob,
assuming you are using the fbsd port of dovecot:
apply the patch:
cd /usr/ports/mail/dovecot/work/dovecot-0.99.10/src/auth
patch -p0 < auth-no-homedir.patch
Thanks, Marco.
I saved the patch on the website to auth-no-homedir.patch and cp'ed it to /usr/ports/mail/dovecot/work/dovecot-0.99.10/src/auth. When I ran
patch -p0 < auth-no-homedir.patch
I got
Hunk #1 failed at 55.
1 out of 1 hunks failed--saving rejects to master-connection.c.rej
Hmm...  Ignoring the trailing garbage.
done
I'm guessing that means I did something wrong?
Bob Hall
On Thursday, Aug 14, 2003, at 22:22 Europe/Helsinki, Bob Hall wrote:
I saved the patch on the website to auth-no-homedir.patch and cp'ed it to /usr/ports/mail/dovecot/work/dovecot-0.99.10/src/auth. When I ran patch -p0 < auth-no-homedir.patch
You did it right.
Hunk #1 failed at 55.
1 out of 1 hunks failed--saving rejects to master-connection.c.rej
Hmm...  Ignoring the trailing garbage.
But I don't understand why it says this. Maybe you somehow managed to corrupt the patch file when transferring? Like if you transferred it from windows it might have changed the linefeeds from LF -> CRLF. It goes in just fine with my Linux and FreeBSD 4.8.
On Thursday, Aug 14, 2003, at 06:25 Europe/Helsinki, Bob Hall wrote:
Now try to login, and it should crash. Then type "bt" and copy&paste the output and mail it to me. http://dovecot.procontrol.fi/bugreport.html shows what the gdb output should look like.
It doesn't crash, it hangs.
Your logs before showed that it crashes at least sometimes. The backtrace you sent was done before the crash, so it didn't help.. Did you give the "continue" command to gdb? Without that the process is just stuck in gdb.
Maybe someone can tell me; is there ever any reason to log onto dovecot as dovecot? Should I make the dovecot user's LDAP entry available to dovecot?
There's no need to ever login as dovecot. I'll probably just add extra checks to make sure dovecot user isn't ever used for anything else than executing the login processes :)
On Thu, Aug 14, 2003 at 08:18:56PM +0300, Timo Sirainen wrote:
On Thursday, Aug 14, 2003, at 06:25 Europe/Helsinki, Bob Hall wrote:
Now try to login, and it should crash. Then type "bt" and copy&paste the output and mail it to me. http://dovecot.procontrol.fi/bugreport.html shows what the gdb output should look like.
It doesn't crash, it hangs.
Your logs before showed that it crashes at least sometimes. The backtrace you sent was done before the crash, so it didn't help.. Did you give the "continue" command to gdb? Without that the process is just stuck in gdb.
No, I didn't know about continue. dovecot-auth now bleats appropriately and goes mildly to the slaughter. The new backtrace is on its way to you.
Maybe someone can tell me; is there ever any reason to log onto dovecot as dovecot? Should I make the dovecot user's LDAP entry available to dovecot?
There's no need to ever login as dovecot. I'll probably just add extra checks to make sure dovecot user isn't ever used for anything else than executing the login processes :)
Dang. Every time I try to do something, you add a check to prevent it. Are you trying to save me from myself?
Bob Hall
On Thursday, Aug 14, 2003, at 21:16 Europe/Helsinki, Bob Hall wrote:
There's no need to ever login as dovecot. I'll probably just add extra checks to make sure dovecot user isn't ever used for anything else than executing the login processes :)
Dang. Every time I try to do something, you add a check to prevent it. Are you trying to save me from myself?
Yes :)
But I try to give understandable error messages so you can fix them. Hopefully I'll also get some small easy to read installation document written..
On Thursday, Aug 14, 2003, at 23:20 Europe/Helsinki, Jens Gutzeit wrote:
Hopefully I'll also get some small easy to read installation document written..
Just an idea, why not simply set up a Dovecot documentation wiki?
I haven't really understood why they're so great. I just looked at twiki anyway, it's what most people seem to be using. Looks a bit insecure.. And looks like it takes some work to get it into useful state.
On Thursday 14 August 2003 23:23, Timo Sirainen wrote:
On Thursday, Aug 14, 2003, at 23:20 Europe/Helsinki, Jens Gutzeit wrote:
Just an idea, why not simply set up a Dovecot documentation wiki?
I haven't really understood why they're so great. I just looked at
Hmm, it would be easy to contribute documentation for all of us.
twiki anyway, it's what most people seem to be using. Looks a bit insecure.. And looks like it takes some work to get it into useful state.
I don't like twiki very much, MoinMoin is IMHO a great wiki, it's written in python. http://moin.sourceforge.net/
Jens
Timo Sirainen explained:
I haven't really understood why they're so great. I just looked at twiki anyway, it's what most people seem to be using. Looks a bit insecure.. And looks like it takes some work to get it into useful state.
having used twiki and moinmoin, I think moinmoin is a better system now. I've run twiki as part of IPCop and it's worked rather well. We have had more damage done to us by sourceforge than we have by vandals. I believe moinmoin now keeps track of revisions which means it's easier to recover from a scribbler.
I think part of the reason they are thought of as being "great" is because they make it damned easy for anyone to contribute. They lower the threshold of effort needed to participate, which makes it more accessible to more members of a community. I've submitted a feature request with the abiword people to add a plug-in which will make it even easier (i.e. no markup language knowledge necessary). This plug-in would allow one to import and export pages from the wiki and edit them in WYSIWYG mode inside of abiword.
---eric
Dovecot now works perfectly. In spite of having a homeDirectory value for my test LDAP entry, I still needed the LDAP patch. For any foolish beginners like myself, the procedure for patch-less patching in FBSD is:
# cd /usr/ports/mail/dovecot
If you have dovecot currently installed, then
# make deinstall
If you have a work directory, then
# make distclean
The next step reinstalls the work directory and any and all files that a patch might be applied to.
# make patch
Move to the directory with the file you want to patch.
# cd /usr/ports/mail/dovecot/work/dovecot-0.99.10/src/auth
Copy the patch file to the directory.
# cp /path-to-patch-file/auth-no-homedir.patch .
Do something that allows you to view both the patch file and the file to be patched. In my case, that's
# vim -o master-connection.c auth-no-homedir.patch
Find the line in the file to be patched that matches the line in the patch file marked with a "-". Replace it with the line in the patch file marked with a "+". Make absolutely sure that you have deleted only what should be deleted and have added everything that should be added, and in the correct location. Save and close.
# cd /usr/ports/mail/dovecot
# make install
Thank you Marco, and thank you very very much Timo for your time and effort.
Bob Hall
participants (5): Bob Hall, Eric S. Johansson, Jens Gutzeit, molter@tin.it, Timo Sirainen