[Dovecot] dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): method=PLAIN
First, my problem. Settings are below that...
Everything works fine - I can login to webmail (users are tied to LDAP). I can send and receive email via my Thunderbird Client.
However in my mail.err log I see lots of messages that say:
dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): method=PLAIN
1.) What does that mean, and how can I solve it?
2.) With regards to pop3s I am not altogether sure that I am using the right config in my dovecot.conf file (also below). Can someone let me know?
Version:
dovecot --version = 1.2.12
System:
Ubuntu Server 10.10 (64bit)
dovecot -n
# 1.2.12: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.35.4-rscloud x86_64 Ubuntu 10.10
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: pop3 pop3s imap imaps
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
mail_privileged_group: mail
mail_location: mbox:~/mail:INBOX=/var/mail/%u
mbox_write_locks: fcntl dotlock
mail_executable(default): /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/imap
mail_executable(pop3): /usr/lib/dovecot/pop3
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
auth default:
  passdb:
    driver: pam
  userdb:
    driver: passwd
Dovecot.conf
egrep -v "^[[:space:]]*#|^$" /etc/dovecot/dovecot.conf
protocols = pop3 pop3s imap imaps
log_timestamp = "%Y-%m-%d %H:%M:%S "
ssl = yes
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
login_dir = /var/run/dovecot/login
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
protocol imap {
  login_executable = /usr/lib/dovecot/imap-login
  mail_executable = /usr/lib/dovecot/imap
}
protocol pop3 {
  login_executable = /usr/lib/dovecot/pop3-login
  mail_executable = /usr/lib/dovecot/pop3
  pop3_uidl_format = %08Xu%08Xv
}
protocol managesieve {
}
auth default {
  mechanisms = plain
  passdb pam {
  }
  userdb passwd {
  }
  user = root
  !include_try /etc/dovecot/auth.d/*.auth
}
dict {
}
plugin {
}
!include_try /etc/dovecot/conf.d/*.conf
On 01/27/11 05:57 AM, John Espiro wrote:
First, my problem. Settings are below that...
Everything works fine - I can login to webmail (users are tied to LDAP). I can send and receive email via my Thunderbird Client.
However in my mail.err log I see lots of messages that say:
dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): method=PLAIN
1.) What does that mean, and how can I solve it?
This looks like you are trying to connect to pop3 without SSL or TLS. If you really want to allow plaintext over a non-secure connection then you need to use the following.
disable_plaintext_auth = no
Paul
Hi Paul -
Well, I want to use STARTTLS... my Thunderbird settings are:
In Thunderbird, I have the following settings:
Port 110
Username: <user>
Connection security: STARTTLS
Authentication: Normal password
Which should be correct, right?
John
On 1/27/2011 2:28 PM, Paul Griffith wrote:
This looks like you are trying to connect to pop3 without SSL or TLS. If you really want to allow plaintext over a non-secure connection then you need to use the following.
disable_plaintext_auth = no
Paul
On 01/27/11 09:42 AM, John Espiro wrote:
Hi Paul -
Well, I want to use STARTTLS... my Thunderbird settings are:
In Thunderbird, I have the following settings:
Port 110
Username: <user>
Connection security: STARTTLS
Authentication: Normal password
Which should be correct, right?
John
What if you change STARTTLS to SSL?
Did you try setting disable_plaintext_auth = no ?
On 1/27/2011 2:28 PM, Paul Griffith wrote:
This looks like you are trying to connect to pop3 without SSL or TLS. If you really want to allow plaintext over a non-secure connection then you need to use the following.
disable_plaintext_auth = no
Paul
OK... so one thing is that I see 4 dovecot.conf files:
/usr/share/dovecot/dovecot.conf
/etc/dovecot/dovecot.conf
/etc/init/dovecot.conf
/var/run/dovecot/dovecot.conf
It's not altogether clear which one is being used by the service... why would there be four of them?
John
On 1/27/2011 6:03 PM, Paul Griffith wrote:
On 01/27/11 09:42 AM, John Espiro wrote:
Hi Paul -
Well, I want to use STARTTLS... my Thunderbird settings are:
In Thunderbird, I have the following settings:
Port 110
Username: <user>
Connection security: STARTTLS
Authentication: Normal password
Which should be correct, right?
John
What if you change STARTTLS to SSL?
Did you try setting disable_plaintext_auth = no ?
On 1/27/2011 2:28 PM, Paul Griffith wrote:
This looks like you are trying to connect to pop3 without SSL or TLS. If you really want to allow plaintext over a non-secure connection then you need to use the following.
disable_plaintext_auth = no
Paul
I set the auth to SSL and STARTTLS. I also set disable_plaintext_auth to both yes and no, and the result is the same... it uses pop3/plain. I viewed the running process to see which of the 4 conf files it was using, so I know I have the right file.
Thoughts?
On 1/27/2011 6:03 PM, Paul Griffith wrote:
What if you change STARTTLS to SSL?
Did you try setting disable_plaintext_auth = no ?
On 1/27/2011 2:28 PM, Paul Griffith wrote:
This looks like you are trying to connect to pop3 without SSL or TLS. If you really want to allow plaintext over a non-secure connection then you need to use the following.
disable_plaintext_auth = no
Paul
On 11:59 AM, John Espiro wrote:
I set the auth to SSL and STARTTLS. I also set disable_plaintext_auth to both yes and no, and the result is the same... it uses pop3/plain. I viewed the running process to see which of the 4 conf files it was using, so I know I have the right file.
Thoughts?
Are you able to get your mail via your pop client?
If so, the log messages are from other attempts (probably by crackers trying to guess passwords on your system) to log in. Is there a "rip=" in the log messages giving the IP of the originator? If so, is it yours?
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
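Mark's question is the right triage step: whether the rejected plaintext attempts come from your own client or from strangers decides whether this is a client misconfiguration or password guessing. The script below is an added example, not code from the thread or from Dovecot: it pulls the "tried to use disabled plaintext auth" lines out of a syslog extract, reads the rip= field, and splits the counts between addresses inside the networks you own and everything else. The log lines, hostnames and addresses are constructed for the example (RFC 5737 documentation ranges), and the own_networks list is an assumed input you would replace with your own.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not taken from the thread); they follow the
# shape of the Dovecot 1.2 pop3-login messages quoted above. The addresses are
# from the RFC 5737 documentation ranges, so none belongs to a real host.
SAMPLE_LOG = """\
Jan 27 05:50:01 mail dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): method=PLAIN, rip=192.0.2.10, lip=192.0.2.1
Jan 27 05:50:03 mail dovecot: pop3-login: Login: user=<john>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS
Jan 27 05:51:44 mail dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): method=PLAIN, rip=198.51.100.77, lip=192.0.2.1
Jan 27 05:51:45 mail dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): method=PLAIN, rip=198.51.100.77, lip=192.0.2.1
Jan 27 05:52:10 mail dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): method=PLAIN, rip=203.0.113.5, lip=192.0.2.1
"""

# One rejected-plaintext-auth line: which login service, which SASL method,
# and the remote address (rip=) that Mark asked about.
REJECT_RE = re.compile(
    r"dovecot: (?P<service>\w+-login): "
    r"Disconnected \(tried to use disabled plaintext auth\)"
    r"(?:: method=(?P<method>\w+))?"
    r".*?\brip=(?P<rip>[0-9a-fA-F.:]+)"
)


def parse_rejections(log_text):
    """Return one dict per 'disabled plaintext auth' disconnect in log_text."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            events.append({"service": m["service"],
                           "method": m["method"] or "?",
                           "rip": m["rip"]})
    return events


def classify_by_source(events, own_networks):
    """Split per-address counts into sources inside own_networks (your own
    clients, i.e. a client that tries PLAIN before STARTTLS) and everything
    else (unknown hosts that may be guessing passwords)."""
    nets = [ip_network(n) for n in own_networks]
    counts = Counter(e["rip"] for e in events)
    own, foreign = {}, {}
    for ip, n in counts.items():
        addr = ip_address(ip)
        bucket = own if any(addr in net for net in nets) else foreign
        bucket[ip] = n
    return {"own": own, "foreign": foreign}


if __name__ == "__main__":
    found = parse_rejections(SAMPLE_LOG)
    # own_networks is an assumed value; use the ranges your clients connect from.
    report = classify_by_source(found, own_networks=["192.0.2.0/24"])
    for ip, n in report["own"].items():
        print(f"{ip}: {n} rejected plaintext attempt(s) from your own network (client misconfiguration)")
    for ip, n in report["foreign"].items():
        print(f"{ip}: {n} rejected plaintext attempt(s) from elsewhere (candidate for fail2ban)")
```

Run it against `grep pop3-login /var/log/mail.err` output instead of SAMPLE_LOG: a single rejection from your own address immediately followed by a TLS login is the "client tries PLAIN first" pattern; repeated rejections from addresses you do not recognise are the password-guessing case, which fail2ban can act on.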
On 1/27/2011 7:56 PM, Mark Sapiro wrote:
Are you able to get your mail via your pop client?
Yes.
If so, the log messages are from other attempts (probably by crackers trying to guess passwords on your system) to log in. Is there a "rip=" in the log messages giving the IP of the originator? If so, is it yours?
There is a "rip" and it's my IP address. I've got fail2ban and denyhosts running very tightly, and so far, no one has even attempted to log in to my mail accounts (ssh is a whole other story :)
On 11:59 AM, John Espiro wrote:
On 1/27/2011 7:56 PM, Mark Sapiro wrote:
Are you able to get your mail via your pop client?
Yes.
If so, the log messages are from other attempts (probably by crackers trying to guess passwords on your system) to log in. Is there a "rip=" in the log messages giving the IP of the originator? If so, is it yours?
There is a "rip" and it's my IP address. I've got fail2ban and denyhosts running very tightly, and so far, no one has even attempted to log in to my mail accounts (ssh is a whole other story :)
So you successfully get mail via your pop client in spite of the above.
My guess is somehow the client first tries plain authentication without STARTTLS before trying STARTTLS.
In my case with pop3 and T'bird I use
Port 995
Connection security: SSL/TLS
Authentication: Normal password
I haven't tried port 110 and STARTTLS (mostly I use IMAP anyway).
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
On Thu, 27 Jan 2011 17:48:13 -0800 Mark Sapiro <mark@msapiro.net> articulated:
On 11:59 AM, John Espiro wrote:
On 1/27/2011 7:56 PM, Mark Sapiro wrote:
Are you able to get your mail via your pop client?
Yes.
If so, the log messages are from other attempts (probably by crackers trying to guess passwords on your system) to log in. Is there a "rip=" in the log messages giving the IP of the originator? If so, is it yours?
There is a "rip" and it's my IP address. I've got fail2ban and denyhosts running very tightly, and so far, no one has even attempted to log in to my mail accounts (ssh is a whole other story :)
So you successfully get mail via your pop client in spite of the above.
My guess is somehow the client first tries plain authentication without STARTTLS before trying STARTTLS.
In my case with pop3 and T'bird I use
Port 995
Connection security: SSL/TLS
Authentication: Normal password
I haven't tried port 110 and STARTTLS (mostly I use IMAP anyway).
I honestly don't know why you would use port 995 as opposed to 110 if employing STARTTLS. Switch to port 110, I don't know if a restart is required, and try again.
-- Jerry ✌ Dovecot.user@seibercom.net
Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
Fortune favors the lucky.
Yep - despite the above, I still get mail. And from my conf files, plain auth is disabled. Should I re-post my conf file in case I missed something?
John
On 1/28/2011 2:48 AM, Mark Sapiro wrote:
So you successfully get mail via your pop client in spite of the above.
My guess is somehow the client first tries plain authentication without STARTTLS before trying STARTTLS.
In my case with pop3 and T'bird I use
Port 995
Connection security: SSL/TLS
Authentication: Normal password
I haven't tried port 110 and STARTTLS (mostly I use IMAP anyway).
After reading this: http://wiki2.dovecot.org/Authentication/Mechanisms It seems that PLAIN is OK, if I am using STARTTLS, which I believe I am. I mean, I've set it up, and it _seems_ to work. So the question I have, to the list, is... how can I verify that the passwords are being sent over STARTTLS?
Quoting:
The simplest authentication mechanism is PLAIN. The client simply sends the password unencrypted to Dovecot. All clients support the PLAIN mechanism, but obviously there's the problem that anyone listening on the network can steal the password. For that reason (and some others) other mechanisms were implemented.
Today however many people use SSL/TLS, and there's no problem with sending unencrypted password inside SSL secured connections. So if you're using SSL, you probably don't need to bother worrying about anything else than the PLAIN mechanism.
On 1/28/2011 2:48 AM, Mark Sapiro wrote:
So you successfully get mail via your pop client in spite of the above.
My guess is somehow the client first tries plain authentication without STARTTLS before trying STARTTLS.
In my case with pop3 and T'bird I use
Port 995
Connection security: SSL/TLS
Authentication: Normal password
I haven't tried port 110 and STARTTLS (mostly I use IMAP anyway).
On 11:59 AM, John Espiro wrote:
After reading this: http://wiki2.dovecot.org/Authentication/Mechanisms It seems that PLAIN is OK, if I am using STARTTLS, which I believe I am. I mean, I've set it up, and it _seems_ to work. So the question I have, to the list, is... how can I verify that the passwords are being sent over STARTTLS?
Your client is ultimately logging in after STARTTLS because Dovecot is not allowing it to login before, but it apparently is trying and possibly sending a cleartext password or there would be no 'disconnected' log message.
Sniff the port 110 packets during a login from your client and see what's going on.
One other thought - Is there more than one account on this server configured in your client and if so, are they all using STARTTLS?
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
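Sniffing port 110 answers the question from the client's side; the same thing can be checked from the server's side without any credentials, because a POP3 server tells you what it will accept. The probe below is an added example, not code from the thread or from the Dovecot project. It sends CAPA on the cleartext connection, upgrades with STLS, and sends CAPA again. On a Dovecot configured as John's (ssl = yes, disable_plaintext_auth left at its default of yes) the expectation, which is the assumption the verdict rests on, is that USER and SASL PLAIN appear in CAPA only after STLS; if they are advertised before it, the server would accept a password in the clear and the log entries are not merely a client quirk. The function names, the probe_pop3_starttls host argument and the sample capability lists are mine, not Dovecot's.

```python
import socket
import ssl

CRLF = b"\r\n"


def recv_line(sock):
    """Read one CRLF-terminated POP3 line one byte at a time, so nothing past
    the line is buffered when the TLS handshake takes over the socket."""
    buf = bytearray()
    while not buf.endswith(CRLF):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return bytes(buf[:-2]).decode("ascii", "replace")


def recv_multiline(sock):
    """Read a multi-line POP3 response: status line, then lines up to '.'."""
    status = recv_line(sock)
    lines = []
    if status.startswith("+OK"):
        while True:
            line = recv_line(sock)
            if line == ".":
                break
            lines.append(line[1:] if line.startswith("..") else line)
    return status, lines


def parse_capa(lines):
    """Normalise CAPA response lines to a set of upper-cased capabilities."""
    return {line.strip().upper() for line in lines if line.strip()}


def offers_plaintext_auth(capa):
    """True if the server would take a password on the connection as it
    stands: USER/PASS or any SASL mechanism is advertised."""
    return "USER" in capa or any(c.startswith("SASL") for c in capa)


def assess(capa_before_tls, capa_after_tls):
    """Compare capabilities seen before and after STLS and return a verdict.
    'ok' means: STARTTLS is offered, no password is accepted before it, and
    authentication is available once the session is encrypted."""
    verdict = {
        "stls_offered": "STLS" in capa_before_tls,
        "plaintext_before_tls": offers_plaintext_auth(capa_before_tls),
        "auth_after_tls": offers_plaintext_auth(capa_after_tls),
    }
    verdict["ok"] = (verdict["stls_offered"]
                     and not verdict["plaintext_before_tls"]
                     and verdict["auth_after_tls"])
    return verdict


def probe_pop3_starttls(host, port=110, timeout=10):
    """Live check against a server you administer: CAPA in the clear, STLS,
    CAPA again inside TLS, then QUIT. No credentials are ever sent."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if not recv_line(sock).startswith("+OK"):
            raise RuntimeError("unexpected POP3 greeting")
        sock.sendall(b"CAPA" + CRLF)
        _, before = recv_multiline(sock)
        sock.sendall(b"STLS" + CRLF)
        if not recv_line(sock).startswith("+OK"):
            # STLS refused: no encrypted path on this port at all.
            return assess(parse_capa(before), set())
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(b"CAPA" + CRLF)
            _, after = recv_multiline(tls)
            tls.sendall(b"QUIT" + CRLF)
        return assess(parse_capa(before), parse_capa(after))


if __name__ == "__main__":
    import sys
    # Host is an assumed argument; point it at your own Dovecot.
    print(probe_pop3_starttls(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```

The default SSL context verifies the certificate chain and hostname, so a self-signed dovecot.pem as in John's configuration will make the handshake fail until you load that certificate with ctx.load_verify_locations or point the client at a properly issued one; that failure is itself a useful finding, since Thunderbird must be trusting the same certificate somehow.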