[Dovecot] Errors with doveadm when using checkpassword

Timo Sirainen tss at iki.fi
Tue Feb 5 04:39:07 EET 2013


On Mon, 2013-02-04 at 21:16 -0500, Andy Dills wrote:
> On Feb 4, 2013, at 8:56 PM, Timo Sirainen <tss at iki.fi> wrote:
> 
> > On Mon, 2013-02-04 at 12:08 -0500, Andy Dills wrote:
> >> We have a checkpassword authentication with mysql pre-fetch for the 
> >> userdb lookups.
> >> 
> >> When trying to do:
> >> 
> >> doveadm search -u andytest at xecu.net mailbox Trash DELETED
> >> 
> >> I get:
> >> 
> >> doveadm(andytest at xecu.net): Error: user andytest at xecu.net: Auth PASS 
> >> lookup failed
> >> doveadm(andytest at xecu.net): Fatal: /var/run/dovecot/auth-userdb: passdb 
> >> lookup failed (to see if user is proxied, because doveadm_proxy_port is 
> >> set)
> > 
> > Do you have proxying enabled? If not, remove doveadm_proxy_port and this
> > solves itself.
> 
> Yes, I apologize, it appears I edited out the paragraph where I described our setup.
> 
> Cluster of dovecot dual instance servers, one proxy/director, one backend. The backend config lives in dovecot.conf, the proxy config in proxy.conf (let me know if the specific config would help). Version 2.1.12 (current version in FreeBSD ports).
> 
> I should mention, I have to specify the director-admin socket manually when using doveadm director, it's as if doveadm isn't quite aware of the config in the proxy instance.
> 
> However, the authentication happens in the primary "dovecot.conf" instance...that's where checkpassword gets called, and where the prefetch is configured. The proxy is "dumb".

OK, so you are using director, so it is good that doveadm is doing a
proxy lookup, otherwise it might run it on the wrong server and cause
troubles with NFS caching (which is exactly what director is supposed to
prevent).

> >> I'm not surprised the checkpassword lookup is failing; the password 
> >> isn't being supplied. Shouldn't it just be doing the prefetch lookup 
> >> instead, like the lmtp service?
> > 
> > doveadm doesn't care about the password. It cares about the proxy
> > destination host so that it can automatically connect to the correct
> > host to run the command.
> 
> 
> I understand doveadm doesn't care about the password; I was confused why checkpassword was being called when the password is unknown rather than using the mysql prefetch.
> 
> So, I guess what you're saying is doveadm should be talking to the proxy instance rather than the backend instance? I assume I need to move the backend to a differently named config and make my proxy instances live in dovecot.conf, so that doveadm sees the "right" config?

I think you need to remove doveadm_proxy_port from the backend
dovecot.conf. Then it doesn't perform the PASS lookup. But you also
should run doveadm via the proxy instance so that it gets run in the
correct server (doveadm -c /etc/dovecot/proxy.conf or doveadm -i proxy
if you've given it a name).
