master-users problem
I am trying to activate master-users as usual but seems in this case I am doing something wrong and I can't have it working. It is a Rocky Linux 9.x (in Proxmox CT), installed with virtualmin and using system users:
# doveconf -n # 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf # OS: Linux 6.5.11-4-pve x86_64 Rocky Linux release 9.3 (Blue Onyx) auth_master_user_separator = * auth_mechanisms = plain login disable_plaintext_auth = no first_valid_uid = 1000 mail_location = maildir:~/Maildir mbox_write_locks = fcntl namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = } passdb { args = /etc/dovecot/master-users driver = passwd-file master = yes result_success = continue } passdb { driver = pam } protocols = imap pop3 ssl = required ssl_cert =
Any hints on what I am doing wrong and/or how to debug it?
Thanks, B.
Hi Barbara,
On 14/12/2023 00:08, Barbara M. wrote:
passdb { args = /etc/dovecot/master-users driver = passwd-file master = yes result_success = continue }
try replacing result_success with pass = yes
-- Regards, Noel Butler
Hi Barbara, On 14/12/2023 00:08, Barbara M. wrote:
passdb {
args = /etc/dovecot/master-users
driver = passwd-file
master = yes
result_success = continue
}
try replacing result_success with pass = yes
Regards, Noel Butler
On Sat, 23 Dec 2023, Noel Butler via dovecot wrote:
Hi Barbara, On 14/12/2023 00:08, Barbara M. wrote:
passdb { args = /etc/dovecot/master-users driver = passwd-file master = yes result_success = continue }try replacing result_success with pass = yes
Thanks for replay. Already tried without success.
passdb { driver = passwd-file master = yes args = /etc/dovecot/master-users # result_success = continue pass = yes }
Anyway, tried again using a test user box3 and next with master user aa33:
]# telnet 0 110 Trying 0.0.0.0... Connected to 0. Escape character is '^]'. +OK Dovecot ready. user box3 +OK pass ************* +OK Logged in. quit +OK Logging out. Connection closed by foreign host. # telnet 0 110 Trying 0.0.0.0... Connected to 0. Escape character is '^]'. +OK Dovecot ready. user box3*aa33 +OK pass XXXXXXXXXXXXXXXX -ERR [AUTH] Authorization failed quit +OK Logging out Connection closed by foreign host.
In the enabled log I have:
Dec 24 15:54:15 pop3-login: Info: Login: user=<box3>, method=PLAIN,
rip=127.0.0.1, lip=127.0.0.1, mpid=1282414, secured, session=<59mCn0INEIh/AAAB>
Dec 24 15:54:19 pop3(box3)<1282414><59mCn0INEIh/AAAB>: Info: Disconnected:
Logged out top=0/0, retr=0/0, del=0/774, size=328796462
Dec 24 15:54:44 auth: Info: Master user logging in as box3
Dec 24 15:54:46 auth-worker(1282411): Info: conn unix:auth-worker
(pid=1282053,uid=97): auth-worker<4>: pam(box3,127.0.0.1,
The master user was copied from the old server and also created with the syntax: htpasswd -b -c -s passwd.masterusers aa33 XXXXXXXXXXXX
And I have a row like:
aa33:{SHA}jWMl8Ye1yJr+5Y5........bo=
in the file /etc/dovecot/master-users
If useful (hoping I have extraced valuable info), I report below the debug log:
Dec 24 15:54:15 auth: Debug: client in: AUTH 1 PLAIN
service=pop3 secured session=59mCn0INEIh/AAAB lip=127.0.0.1 rip=127.0.0.1 lport=110 rport=34832
resp=AGJveDMAMS1DYXNpbm80NS5hcGY= (previous base64 data may contain sensitive data)
Dec 24 15:54:15 auth: Debug: pam(box3,127.0.0.1,<59mCn0INEIh/AAAB>): Performing passdb lookup
Dec 24 15:54:15 auth-worker(1282411): Debug: conn unix:auth-worker (pid=1282053,uid=97): auth-worker<2>: Handling PASSV request
Dec 24 15:54:15 auth-worker(1282411): Debug: conn unix:auth-worker (pid=1282053,uid=97): auth-worker<2>: pam(box3,127.0.0.1,<59mCn0INEIh/AAAB>): Performing passdb lookup
Dec 24 15:54:15 auth-worker(1282411): Debug: conn unix:auth-worker
(pid=1282053,uid=97): auth-worker<2>: pam(box3,127.0.0.1,<59mCn0INEIh/AAAB>): lookup service=dovecot
Dec 24 15:54:15 auth-worker(1282411): Debug: conn unix:auth-worker
(pid=1282053,uid=97): auth-worker<2>: pam(box3,127.0.0.1,<59mCn0INEIh/AAAB>): #1/1 style=1 msg=Password:
Dec 24 15:54:15 auth-worker(1282411): Debug: conn unix:auth-worker
(pid=1282053,uid=97): auth-worker<2>: pam(box3,127.0.0.1,<59mCn0INEIh/AAAB>): Finished passdb lookup
Dec 24 15:54:15 auth-worker(1282411): Debug: conn unix:auth-worker
(pid=1282053,uid=97): auth-worker<2>: Finished
Dec 24 15:54:15 auth: Debug: pam(box3,127.0.0.1,<59mCn0INEIh/AAAB>): Finished passdb lookup
Dec 24 15:54:15 auth: Debug: auth(box3,127.0.0.1,<59mCn0INEIh/AAAB>): Auth request finished
Dec 24 15:54:15 auth: Debug: client passdb out: OK 1 user=box3
Dec 24 15:54:15 auth: Debug: master in: REQUEST 2573860865 1282408 1
a3c5e0293a186740512d8f0033e971a1 session_pid=1282414
Dec 24 15:54:15 auth: Debug: passwd(box3,127.0.0.1,<59mCn0INEIh/AAAB>): Performing userdb lookup
Dec 24 15:54:15 auth-worker(1282411): Debug: conn unix:auth-worker (pid=1282053,uid=97): auth-worker<3>: Handling USER request
Dec 24 15:54:15 auth-worker(1282411): Debug: conn unix:auth-worker (pid=1282053,uid=97): auth-worker<3>: passwd(box3,127.0.0.1,<
59mCn0INEIh/AAAB>): Performing userdb lookup
Dec 24 15:54:15 auth-worker(1282411): Debug: conn unix:auth-worker
(pid=1282053,uid=97): auth-worker<3>: passwd(box3,127.0.0.1,<59mCn0INEIh/AAAB>): lookup
Dec 24 15:54:15 auth-worker(1282411): Debug: conn unix:auth-worker
(pid=1282053,uid=97): auth-worker<3>: passwd(box3,127.0.0.1,<59mCn0INEIh/AAAB>): Finished userdb lookup
Dec 24 15:54:15 auth-worker(1282411): Debug: conn unix:auth-worker
(pid=1282053,uid=97): auth-worker<3>: Finished
Dec 24 15:54:15 auth: Debug: passwd(box3,127.0.0.1,<59mCn0INEIh/AAAB>): Finished userdb lookup
Dec 24 15:54:15 auth: Debug: master userdb out: USER 2573860865 box3 system_groups_user=box3 uid=50613 gid=100
home=/home/Users/box3 auth_mech=PLAIN
Dec 24 15:54:22 auth: Debug: auth client connected (pid=1282416)
Dec 24 15:54:44 auth: Debug: client in: AUTH 1 PLAIN
service=pop3 secured session=Ppk6oUINxMh/AAAB lip=127.0.0.1 rip=127.0.0.1 lport=110 rport=51396
resp=AGJveDMqYWEzMwBBUEYtLS1kaS0tLUFuZHJldHRBUGFvbE8= (previous base64 data may contain sensitive data)
Dec 24 15:54:44 auth: Debug:
passwd-file(aa33,127.0.0.1,master,
Hi Barbara,
On 13.12.23 15:08, Barbara M. wrote:
passdb { args = /etc/dovecot/master-users
Correct me if I am wrong, but IIRC, these files are read after privileges are dropped... so quick guess: is the file readable by the service user itself?
If your service runs with "dovecot" as user, try the following:
sudo -u "dovecot" test -r "/etc/dovecot/master-users"; echo $?
where 1 == error and 0 == success.
On many installations and setups, the /etc/dovecot/ directory is owned by root with 750 permission. So it might make sense to place the file somewhere else, e.g. beside instead of inside the /etc/dovecot/ dir, so you do not need to soften the permissions of the more important config files:
# ls -lah /etc/ | grep dovecot drwxr-x--- 4 root root 4.0K Jan 17 22:06 dovecot -rw-r----- 1 dovecot dovecot 76 Jan 8 00:06 dovecot-masterusers-passwd
-- Regards Andreas Haerter
foundata GmbH Steinhäuserstr. 20 76135 Karlsruhe
Sitz der Gesellschaft: Karlsruhe Registergericht: Amtsgericht Mannheim, HRB 714807 Geschäftsführer: Andreas Haerter USt-IdNr.: DE284122682
On Sat, 20 Jan 2024, Andreas Haerter wrote:
Hi Barbara,
On 13.12.23 15:08, Barbara M. wrote:
passdb { args = /etc/dovecot/master-users
Correct me if I am wrong, but IIRC, these files are read after privileges are dropped... so quick guess: is the file readable by the service user itself?
Default config from the distro rpm (RL9), was:
passdb { driver = passwd-file master = yes args = /etc/dovecot/master-users pass = yes }
I solved my problem with this config:
auth_master_user_separator = * passdb { driver = passwd-file args = /etc/dovecot/master-users master = yes result_success = continue } passdb { driver = shadow } userdb { driver = passwd }
that I get from the dovecot doc.
I'm not a dovecot configuration expert, so I don't understand exactly how the added sections interact in the config, but this solved my problem (hoping that I haven't created other problems that I don't see at the moment ... ;-) ).
Thanks, B.
participants (3)
-
Andreas Haerter
-
Barbara M.
-
Noel Butler