[Dovecot] dovecot imap permission denied
Daminto Lie
dlie76 at yahoo.com.au
Thu Sep 1 09:07:57 EEST 2011
Thanks Timo for your reply.
It now works fine with Passdb LDAP with password lookups. Users can now login with no problem.
However, when trying to do LDAP authentication with authentication binds, I received the following errors in mail.log:
Sep 1 15:34:22 server1 dovecot: auth(default): client in: AUTH#0111#011PLAIN#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=34719#011resp=AG1pa2VfbGVlAGRsaWUzMjA1
Sep 1 15:34:22 server1 dovecot: auth-worker(default): pam(mike_lee,127.0.0.1): lookup service=dovecot
Sep 1 15:34:22 server1 dovecot: auth-worker(default): pam(mike_lee,127.0.0.1): #1/1 style=1 msg=Password:
Sep 1 15:34:22 server1 dovecot: auth(default): new auth connection: pid=1947
Sep 1 15:34:24 server1 dovecot: auth-worker(default): pam(mike_lee,127.0.0.1): pam_authenticate() failed: Authentication failure (password mismatch?) (given password: secrets)
Sep 1 15:34:24 server1 dovecot: auth(default): passwd(mike_lee,127.0.0.1): lookup
Sep 1 15:34:24 server1 dovecot: auth(default): passwd(mike_lee,127.0.0.1): unknown user
Sep 1 15:34:24 server1 dovecot: auth(default): ldap(mike_lee,127.0.0.1): invalid credentials (given password: secrets)
Sep 1 15:34:26 server1 dovecot: auth(default): client out: FAIL#0111#011user=mike_lee
Sep 1 15:34:31 server1 dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<mike_lee>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
I do not understand why I am getting a pam() authentication failure when I deliberately chose not to use it.
The following are the settings I have in dovecot-ldap.conf:
# dovecot-ldap.conf as posted: a simple bind as a service DN for the lookups,
# plus auth_bind so the user's own password is verified by the directory.
hosts = localhost
#uris =
dn = uid=dovecot,ou=accounts,dc=companyexample,dc=com,dc=au
# Bind password of the lookup DN. It is stored here in clear text and has been
# posted to a public list, so treat it as disclosed and change it.
dnpass = helloworld
#sasl_bind = no
#sasl_mech =
#sasl_realm =
#sasl_authz_id =
# TLS to the directory is off; acceptable only while hosts stays "localhost".
#tls = no
#tls_ca_cert_file =
#tls_ca_cert_dir =
#tls_cert_file =
#tls_key_file =
#tls_cipher_suite =
#tls_require_cert =
#ldaprc_path =
#debug_level = 0
# With auth_bind = yes the password is checked by binding to LDAP as the DN
# below, so the "ldap(...): invalid credentials" line in the log is the
# directory rejecting that bind, not a Dovecot-side password comparison.
auth_bind = yes
# NOTE(review): this DN is built from cn=%u, while user_filter and pass_filter
# below select the entry by uid=%u. If the entries' RDN is uid=<user> rather
# than cn=<user>, the bind DN names a non-existent entry and every bind fails
# with "invalid credentials" — confirm the RDN against the directory.
auth_bind_userdn = cn=%u,ou=accounts,dc=companyexample,dc=com,dc=au
ldap_version = 3
base = ou=accounts,dc=companyexample,dc=com,dc=au
deref = never
scope = subtree
# Only the home directory is taken from LDAP; uid/gid come from dovecot.conf
# (mail_uid / mail_gid there).
user_attrs = homeDirectory=home
user_filter = (&(objectClass=posixAccount)(uid=%u))
#pass_attrs = uid=user,userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%u))
# Applies only when a password is fetched via pass_attrs (commented out above);
# with auth_bind the LDAP server does the comparison — presumably unused here.
default_pass_scheme = PLAIN
This is what I have in dovecot.conf:
# dovecot.conf as posted (1.x-style configuration with an "auth default" block).
base_dir = /var/run/dovecot
protocols = imap
protocol imap {
listen = *:143
}
# protocol pop3 {
# listen = *:10100
# ..
# }
# protocol managesieve {
# listen = *:12000
# ..
# }
#listen = *
# Plain-text mechanisms are accepted and SSL is disabled (ssl = no below). The
# "secured" flag in the log belongs to a 127.0.0.1 test connection; a client
# connecting over the network would send its PLAIN credentials unencrypted.
disable_plaintext_auth = no
log_timestamp = "%Y-%m-%d %H:%M:%S "
#ssl_listen =
ssl = no
#ssl_cert_file = /etc/ssl/certs/dovecot.pem
#ssl_key_file = /etc/ssl/private/dovecot.pem
#ssl_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
#ssl_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
#ssl_key_password =
#ssl_ca_file =
#ssl_verify_client_cert = no
#ssl_cert_username_field = commonName
#ssl_parameters_regenerate = 168
#ssl_cipher_list = ALL:!LOW:!SSLv2
#verbose_ssl = no
login_dir = /var/run/dovecot/login
login_chroot = yes
login_user = dovecot
#login_process_size = 64
#login_process_per_connection = yes
#login_processes_count = 3
#login_max_processes_count = 128
#login_max_connections = 256
#login_greeting = Dovecot ready.
#login_trusted_networks =
#login_log_format_elements = user=<%u> method=%m rip=%r lip=%l %c
#login_log_format = %$: %s
# Every mailbox is accessed as uid 3000 / gid 8 (mail_uid, mail_gid and the
# *_valid_uid/gid ranges below), yet the Maildir lives under each user's own
# /home/%u. That uid must be able to create and write /home/%u/Maildir, which
# is the permission problem discussed earlier in this thread; a dedicated mail
# root owned by uid 3000 avoids the world-writable /home workaround.
mail_location = maildir:/home/%u/Maildir
mail_uid = 3000
mail_gid = 8
mail_privileged_group = mail
#mail_access_groups =
#mail_full_filesystem_access = no
#mail_debug = no
#mail_log_max_lines_per_sec = 10
#mmap_disable = no
#dotlock_use_excl = yes
#fsync_disable = no
#mail_nfs_index = no
#lock_method = fcntl
#mail_drop_priv_before_exec = no
verbose_proctitle = yes
first_valid_uid = 3000
last_valid_uid = 3000
first_valid_gid = 8
last_valid_gid = 8
#max_mail_processes = 512
#mail_process_size = 256
#mail_max_keyword_length = 50
#valid_chroot_dirs =
#mail_chroot =
#mail_cache_min_mail_count = 0
#mailbox_idle_check_interval = 30
mail_save_crlf = no
#maildir_stat_dirs = no
maildir_copy_with_hardlinks = yes
#maildir_copy_preserve_filename = no
#maildir_very_dirty_syncs = no
protocol imap {
#login_executable = /usr/lib/dovecot/imap-login
#mail_executable = /usr/lib/dovecot/imap
#imap_max_line_length = 65536
#mail_max_userip_connections = 10
#mail_plugin_dir = /usr/lib/dovecot/modules/imap
#imap_logout_format = bytes=%i/%o
#imap_capability =
#imap_idle_notify_interval = 120
#imap_id_send =
#imap_id_log =
imap_client_workarounds = outlook-idle delay-newmail netscape-eoh tb-extra-mailbox-sep oe6-fetch-no-newmail
}
protocol pop3 {
pop3_uidl_format = %08Xu%08Xv
}
protocol managesieve {
}
#auth_executable = /usr/lib/dovecot/dovecot-auth
#auth_process_size = 256
#auth_cache_size = 0
#auth_cache_ttl = 3600
#auth_cache_negative_ttl = 3600
#auth_realms =
#auth_default_realm =
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
#auth_username_translation =
#auth_username_format =
#auth_master_user_separator =
#auth_anonymous_username = anonymous
auth_verbose = yes
auth_debug = yes
# Writes the clear-text password of every failed attempt to the log (the
# "given password:" text in the excerpt above). The "client in: ... resp="
# line also carries the base64-encoded PLAIN response. Turn this off once
# debugging is done and scrub the log before sharing it.
auth_debug_passwords = yes
#auth_worker_max_count = 30
#auth_gssapi_hostname =
#auth_krb5_keytab =
#auth_use_winbind = no
#auth_winbind_helper_path = /usr/bin/ntlm_auth
#auth_failure_delay = 2
auth default {
mechanisms = plain
# passdbs are consulted in the order listed: pam, then passwd, then ldap.
# That is exactly the sequence in the log (pam lookup -> passwd "unknown
# user" -> ldap "invalid credentials"), so the pam line is a side effect of
# this ordering, not a misconfiguration of PAM itself; the login is finally
# refused because the ldap bind failed. Drop the pam and passwd blocks if
# LDAP is meant to be the only password backend.
passdb pam {
}
passdb passwd {
}
passdb ldap {
args = /etc/dovecot/dovecot-ldap.conf
}
# NOTE(review): userdb passwd is the system passwd lookup; pointing its args
# at an LDAP config file looks like it was meant to be a second "userdb ldap".
# Confirm whether this entry is needed at all, since the ldap userdb below
# already supplies the home directory.
userdb passwd {
args = /etc/dovecot/dovecot-ldap-userdb.conf
}
userdb ldap {
args = /etc/dovecot/dovecot-ldap.conf
}
# The auth process runs as root instead of the unprivileged default kept
# below. Root is normally needed only for the pam/passwd (shadow) lookups;
# once those passdbs are removed, revert to dovecot-auth.
user = root
#user = dovecot-auth
#chroot =
#count = 1
#ssl_require_client_cert = no
#ssl_username_from_cert = no
# Auth socket for Postfix SASL; restricted to the postfix user/group.
socket listen {
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
}
# Any *.auth file in this directory may add further passdb/userdb entries;
# check it when tracing which backends are actually consulted.
!include_try /etc/dovecot/auth.d/*.auth
}
plugin {
}
# Config files can also be included. deliver doesn't support them currently.
#!include /etc/dovecot/conf.d/*.conf
# Optional configurations, don't give an error if it's not found:
!include_try /etc/dovecot/conf.d/*.conf
#!include_try /etc/dovecot/extra.conf
I wonder where I went wrong. I did not set up PAM authentication.
Any help would be appreciated. Thank you.
________________________________
From: Timo Sirainen <tss at iki.fi>
To: Daminto Lie <dlie76 at yahoo.com.au>
Cc: "dovecot at dovecot.org" <dovecot at dovecot.org>
Sent: Wednesday, 31 August 2011 4:52 PM
Subject: Re: [Dovecot] dovecot imap permission denied
On 31.8.2011, at 9.47, Daminto Lie wrote:
> Thanks a lot Timo,
>
> Creating directories for new users is not an issue. It's the permissions that give me a headache.
The error message you showed said that the user's home directory didn't exist, and the permission problem came only because it didn't exist and Dovecot tried to create it.
> I tried the following
>
> sudo chmod o-r /home/$USER
> sudo chmod g+rw /home/$USER
>
> It did not work until I did chmod 777 /home.
Right, because only then did it have enough permissions to create the home dir.
> Is it safe to make home directory with permission 777?
No.