please help this newbie get started
Hi, everyone,

I'm trying to get email working on a server. Web servers I have some experience with, but this is new for me. On FreeBSD, with dovecot2 (2.2.27), when I try to check email, Thunderbird says:

Sending of password for user xxx did not succeed. Mail server xxx responded: Authentication failed.

And on the server, in the mail log, there's a message:

dovecot: pop3-login: Disconnected (user disabled)

Any idea what I'm doing wrong? I didn't mean to disable any users.

Thanks!
Bob
Hi again,

I see now it's possible to restrict IMAP/POP3 access, but that shouldn't be enabled. In conf.d/10-auth.conf that's commented out:

#!include auth-deny.conf.ext

Thanks,
Bob
On 4 February 2017 00:16:01 CET, drbobllc@yahoo.com wrote:
> Hi again, I see now it's possible to restrict IMAP/POP3 access, but that shouldn't be enabled. In conf.d/10-auth.conf that's commented out:
> #!include auth-deny.conf.ext

Please provide doveconf -n output together with a description of your problem.

The wiki also has a page about troubleshooting a dovecot installation. http://wiki2.dovecot.org/FrontPage?action=show&redirect=StartSeite#Troubleshooting

> Thanks, Bob

-- Christian Kivalo
Thanks for replying.

A. configuration:

% dovecot -n
# 2.2.27 (c0f36b0): /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 10.3-RELEASE amd64 ufs
disable_plaintext_auth = no
mail_location = mbox:/var/empty:INBOX=/var/mail/%u:INDEX=MEMORY
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = blocking=no
  driver = passwd
}
ssl = no
userdb {
  args = blocking=no
  driver = passwd
  override_fields = home=/var/empty
}

B. description of problem:

When I try to check email, Thunderbird says:

Sending of password for user www did not succeed. Mail server xxx responded: Authentication failed.

And on the server, in the mail log, there's a message:

dovecot: pop3-login: Disconnected (user disabled):user=<www>, method=PLAIN

And thanks for the link to that Troubleshooting section. I didn't know that was there and will take a look at it now.
Bob
Hi, everyone,
As advised in Debugging Authentication, I turned on auth_debug and auth_debug_passwords, and now in the mail log I get an additional message:

dovecot: auth: passwd(xxx,xxx,<40AjQMFHSLVLGJAC>): invalid password field '*'

Of course neither the password I tried nor the actual password was '*'. That's what's in /etc/passwd, but dovecot isn't just using that, is it?

In the new debug log, I get:

dovecot: auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
dovecot: auth: Debug: auth client connected (pid=3183)
dovecot: auth: Debug: client in: AUTH 1 PLAIN service=pop3 session=RFp0lMFHHotLGJAC lip=xxx rip=xxx lport=110 rport=35614
dovecot: auth: Debug: client passdb out: CONT 1
dovecot: auth: Debug: client in: CONT<hidden>
dovecot: auth: Debug: passwd(xxx,xxx,<RFp0lMFHHotLGJAC>): lookup
dovecot: auth: Debug: client passdb out: FAIL 1 user=xxx user_disabled
So it's something with passdb?
- In TestPop3Installation I can't get past the "Check that it's allowing remote logins" section. telnet gives me an error:
-ERR [AUTH] Authentication failed.
which I expect, because I have telnet turned off. Does that mean I can't use plaintext authentication?
Thanks, Bob
On 5 February 2017 06:55:34 CET, drbobllc@yahoo.com wrote:
> Hi, everyone,
> - As advised in Debugging Authentication, I turned on auth_debug and auth_debug_passwords, and now in the mail log I get an additional message:
> dovecot: auth: passwd(xxx,xxx,<40AjQMFHSLVLGJAC>): invalid password field '*'
> Of course neither the password I tried nor the actual password was '*'. That's what's in /etc/passwd, but dovecot isn't just using that, is it?

The '*' in passwd password field stands for login disabled. See man 5 passwd or http://www.manpages.info/freebsd/passwd.5.html

> - In the new debug log, I get:
> dovecot: auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
> dovecot: auth: Debug: auth client connected (pid=3183)
> dovecot: auth: Debug: client in: AUTH 1 PLAIN service=pop3 session=RFp0lMFHHotLGJAC lip=xxx rip=xxx lport=110 rport=35614
> dovecot: auth: Debug: client passdb out: CONT 1
> dovecot: auth: Debug: client in: CONT<hidden>
> dovecot: auth: Debug: passwd(xxx,xxx,<RFp0lMFHHotLGJAC>): lookup
> dovecot: auth: Debug: client passdb out: FAIL 1 user=xxx user_disabled
> So it's something with passdb?
> - In TestPop3Installation I can't get past the "Check that it's allowing remote logins" section. telnet gives me an error:
> -ERR [AUTH] Authentication failed.
> which I expect, because I have telnet turned off. Does that mean I can't use plaintext authentication?

This is probably because the user's login is disabled.

In one of your provided log outputs you are trying to login as user 'www'. Why? The webserver user has the login normally disabled.

-- Christian Kivalo
- The man page I get is slightly different:

% man 5 passwd
PASSWD(5) FreeBSD File Formats Manual PASSWD(5)

NAME
passwd, master.passwd -- format of the password file

DESCRIPTION
The passwd files are the local source of password information. They can be used in conjunction with the Hesiod domains `passwd' and `uid', and the NIS maps `passwd.byname', `passwd.byuid', `master.passwd.byname', and `master.passwd.byuid', as controlled by nsswitch.conf(5).

For consistency, none of these files should ever be modified manually.

The master.passwd file is readable only by root, and consists of newline separated records, one per user, containing ten colon (`:') separated fields. These fields are as follows:

[...]

The passwd file is generated from the master.passwd file by pwd_mkdb(8), has the class, change, and expire fields removed, and the password field replaced by a `*' character.

[...]

In the master.passwd file, the password field is the encrypted form of the password, see crypt(3). If the password field is empty, no password will be required to gain access to the machine. This is almost invariably a mistake, so authentication components such as PAM can forcibly disallow remote access to passwordless accounts. Because this file contains the encrypted user passwords, it should not be readable by anyone without appropriate privileges.

A password of `*' indicates that password authentication is disabled for that account (logins through other forms of authentication, e.g., using ssh(1) keys, will still work). The field only contains encrypted passwords, and `*' can never be the result of encrypting a password.

Do I need to tell dovecot to check master.passwd instead of passwd?

2. Is my (simple) passdb OK?

passdb {
  args = blocking=no
  driver = passwd
}

I guess it would be easy to try it without the "args" line.

4. Sometimes I log in as www to do web page stuff, so files are owned by www. www has a shell, and a password, and can ssh fine.

Thanks for your help!
Bob
Hi, everyone,

Got through for the first time! In fact the trick was to switch to:

passdb {
  driver = passwd-file
  args = path-to-file-with-encrypted-passwords
}

Thanks for steering me in the right direction. Next I guess is SSL for more security.

Bob

On Sunday, February 5, 2017 8:14 AM, "drbobllc@yahoo.com" drbobllc@yahoo.com wrote:
> Do I need to tell dovecot to check master.passwd instead of passwd?
> 2. Is my (simple) passdb OK?
> passdb { args = blocking=no driver = passwd }
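The failure diagnosed in this thread, as an added example (not code from any poster or from the Dovecot project): it reads passwd(5)-format records the way the quoted man page describes them and reports what each source offers for every user whose login failed in the auth log. The sample records, log lines and function names are constructed for illustration, and the script models the file format only, not Dovecot's own lookup code.

```python
import re

# Constructed samples. Per passwd(5) as quoted in this thread, pwd_mkdb(8) writes
# passwd with every password field replaced by '*'; master.passwd keeps the hash.
PASSWD = "www:*:80:80:World Wide Web Owner:/nonexistent:/bin/sh\n"
MASTER_PASSWD = (
    "www:$6$CONSTRUCTED$notarealhash:80:80::0:0:World Wide Web Owner:/nonexistent:/bin/sh\n"
    "guest::1002:1002::0:0:Guest:/home/guest:/bin/sh\n"
)
# Constructed log lines in the format posted in this thread.
LOG = """\
dovecot: auth: passwd(www,192.0.2.7,<CONSTRUCTEDSESSION>): invalid password field '*'
dovecot: auth: Debug: client passdb out: FAIL 1 user=www user_disabled
dovecot: pop3-login: Disconnected (user disabled): user=<www>, method=PLAIN
"""

INVALID_FIELD = re.compile(r"passwd\(([^,]+),.*\): invalid password field")
USER_DISABLED = re.compile(r"passdb out: FAIL \d+ user=(\S+).*\buser_disabled\b")


def classify_field(pw):
    """Interpret one password field the way passwd(5) describes it."""
    if pw == "":
        return "empty"      # no password required; almost invariably a mistake
    if pw == "*":
        return "disabled"   # '*' can never be the result of encrypting a password
    return "hash"


def password_fields(text):
    """Map each user in colon-separated passwd(5) records to its field class."""
    fields = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            user, pw = line.split(":")[:2]
            fields[user] = classify_field(pw)
    return fields


def diagnose(log, passwd_text):
    """For each user with a logged auth failure, report what the source holds."""
    fields = password_fields(passwd_text)
    findings = {}
    for line in log.splitlines():
        m = INVALID_FIELD.search(line) or USER_DISABLED.search(line)
        if m:
            findings[m.group(1)] = fields.get(m.group(1), "unknown")
    return findings


if __name__ == "__main__":
    print(diagnose(LOG, PASSWD))          # what the generated passwd file offers
    print(diagnose(LOG, MASTER_PASSWD))   # what a hash-bearing source offers
```

A "disabled" verdict from the generated passwd file next to "hash" from a hash-bearing source is the situation that switching the passdb to passwd-file resolved here.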
Hi again, everyone, Adding SSL seemed to go smoothly, I can check my email now with Thunderbird with "connection security" set to STARTTLS. My next issue is receiving emails. Can you help me with that, too? It works to use "mail" on the command line to send email from one account to another. But email from this yahoo account never appears. How should I start to try to figure this out? Thanks! Bob
I appreciated the help I received here. To try to give back a little, I contributed something I learned to the wiki:

Passwd as a password database
Passwd as a password database on FreeBSD

Thanks again,
Bob
On 5 February 2017 15:14:51 CET, drbobllc@yahoo.com wrote:
> - The man page I get is slightly different:
> % man 5 passwd
> PASSWD(5) FreeBSD File Formats Manual PASSWD(5)
>
> NAME
> passwd, master.passwd -- format of the password file
>
> DESCRIPTION
> The passwd files are the local source of password information. They can be used in conjunction with the Hesiod domains `passwd' and `uid', and the NIS maps `passwd.byname', `passwd.byuid', `master.passwd.byname', and `master.passwd.byuid', as controlled by nsswitch.conf(5).
>
> For consistency, none of these files should ever be modified manually.
>
> The master.passwd file is readable only by root, and consists of newline separated records, one per user, containing ten colon (`:') separated fields. These fields are as follows:
>
> [...]
>
> The passwd file is generated from the master.passwd file by pwd_mkdb(8), has the class, change, and expire fields removed, and the password field replaced by a `*' character.
>
> [...]
>
> In the master.passwd file, the password field is the encrypted form of the password, see crypt(3). If the password field is empty, no password will be required to gain access to the machine. This is almost invariably a mistake, so authentication components such as PAM can forcibly disallow remote access to passwordless accounts. Because this file contains the encrypted user passwords, it should not be readable by anyone without appropriate privileges.
>
> A password of `*' indicates that password authentication is disabled for that account (logins through other forms of authentication, e.g., using ssh(1) keys, will still work). The field only contains encrypted passwords, and `*' can never be the result of encrypting a password.
>
> Do I need to tell dovecot to check master.passwd instead of passwd?

You could try using passwd-file as passdb but I have never used anything else than pam and sql.

> - Is my (simple) passdb OK?
> passdb { args = blocking=no driver = passwd }
> I guess it would be easy to try it without the "args" line.
> 4. Sometimes I log in as www to do web page stuff, so files are owned by www. www has a shell, and a password, and can ssh fine.

What's the uid of 'www'? See http://wiki2.dovecot.org/UserIds the part about uids. It could be that the www user has a uid below 500 and therefore login is disabled with the default settings.

Christian
If you want things done as a disabled user use su with the -c switch. For example to simulate a cgi request from outside I do:
su www-data -c /cgi-bin/getnewimages.cgi
the www-data user is the user that runs scripts. ..
participants (3)
- Christian Kivalo
- drbobllc@yahoo.com
- Shawn Pringle