Dovecot auth-worker error after cram-md5 auth

Aki Tuomi aki.tuomi at dovecot.fi
Wed Feb 1 07:36:09 UTC 2017


Because cram-md5 needs the user's password for calculating responses, it
cannot work with hashed passwords (one-way encrypted). The only
supported password schemes are PLAIN and CRAM-MD5.

Aki

On 01.02.2017 09:33, Poliman - Serwis wrote:
> I always restart dovecot after changing the config. ;) Sure, I commented out
> the two lines I added, restarted dovecot and here it is:
>
> # 2.2.9: /etc/dovecot/dovecot.conf
> # OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS
> auth_mechanisms = plain login cram-md5
> listen = *,[::]
> log_timestamp = "%Y-%m-%d %H:%M:%S "
> mail_max_userip_connections = 100
> mail_plugins = " quota"
> mail_privileged_group = vmail
> passdb {
>   args = /etc/dovecot/dovecot-sql.conf
>   driver = sql
> }
> plugin {
>   quota = dict:user::file:/var/vmail/%d/%n/.quotausage
>   sieve = /var/vmail/%d/%n/.sieve
>   sieve_max_redirects = 25
> }
> postmaster_address = postmaster at example.com
> protocols = imap pop3
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     group = postfix
>     mode = 0660
>     user = postfix
>   }
>   unix_listener auth-userdb {
>     group = vmail
>     mode = 0600
>     user = vmail
>   }
>   user = root
> }
> service imap-login {
>   client_limit = 1000
>   process_limit = 512
> }
> service lmtp {
>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>     group = postfix
>     mode = 0600
>     user = postfix
>   }
> }
> ssl = required
> ssl_cert = </etc/postfix/smtpd.cert
> ssl_cipher_list =
> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> ssl_dh_parameters_length = 2048
> ssl_key = </etc/postfix/smtpd.key
> ssl_prefer_server_ciphers = yes
> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
> userdb {
>   driver = prefetch
> }
> userdb {
>   args = /etc/dovecot/dovecot-sql.conf
>   driver = sql
> }
> protocol imap {
>   mail_plugins = quota imap_quota
> }
> protocol pop3 {
>   mail_plugins = quota
>   pop3_uidl_format = %08Xu%08Xv
> }
> protocol lda {
>   mail_plugins = sieve quota
>   postmaster_address = webmaster at localhost
> }
> protocol lmtp {
>   mail_plugins = quota sieve
>   postmaster_address = webmaster at localhost
> }
>
>
> 2017-02-01 8:27 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
>
>>
>> On 01.02.2017 08:18, Poliman - Serwis wrote:
>>> This is the debug log from syslog:
>>> Feb  1 07:10:25 vps342401 dovecot: auth: Debug: client passdb out:
>>> CONT#0112#011PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoL
>> m5ldD4=
>>> Feb  1 07:10:26 vps342401 dovecot: auth: Debug: client in: CONT<hidden>
>>> Feb  1 07:10:26 vps342401 dovecot: auth-worker(27069): Debug: sql(
>>> do_not_reply at example.com,12.173.211.32): query: SELECT email as user,
>>> password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir,
>>> '/', IF(maildir_format='maildir','Maildir',maildir_format)) as
>> userdb_mail,
>>> uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS
>>> userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM
>>> mail_user WHERE (login = 'do_not_reply at example.com' OR email = '
>>> do_not_reply at example.com') AND `disablesmtp` = 'n' AND server_id = '1'
>>> Feb  1 07:10:26 vps342401 dovecot: auth-worker(27069): password(
>>> do_not_reply at example.com, 12.173.211.32): Requested CRAM-MD5 scheme,
>> but we
>>> have only CRYPT
>>> Feb  1 07:10:28 vps342401 dovecot: auth: Debug: client passdb out:
>>> FAIL#0112#011user=do_not_reply at example.com
>>> Feb  1 07:10:28 vps342401 postfix/smtps/smtpd[27067]: warning:
>>> host23131.internet.3s.com[12.173.211.32]: SASL CRAM-MD5 authentication
>>> failed: PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4=
>>> Feb  1 07:11:02 vps342401 CRON[27074]: (root) CMD
>>> (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo
>>> `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
>>> Feb  1 07:11:02 vps342401 CRON[27075]: (root) CMD
>>> (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo
>>> `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
>>> Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client in:
>>> AUTH#0113#011CRAM-MD5#011service=smtp#011nologin#
>> 011lip=173.72.31.7#011rip=12.173.211.32#011secured
>>> Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client passdb out:
>>> CONT#0113#011PDE3NDg1NjE4MTgxNTk2OTAuMTQ4NTkyOTQ3MUB2cHMzNDI0MDEub3ZoL
>> m5ldD4=
>>> Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client in: CONT<hidden>
>>> Feb  1 07:11:11 vps342401 dovecot: auth-worker(27069): Debug: sql(
>>> do_not_reply at example.com,12.173.211.32): query: SELECT email as user,
>>> password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir,
>>> '/', IF(maildir_format='maildir','Maildir',maildir_format)) as
>> userdb_mail,
>>> uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS
>>> userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM
>>> mail_user WHERE (login = 'do_not_reply at example.com' OR email = '
>>> do_not_reply at example.com') AND `disablesmtp` = 'n' AND server_id = '1'
>>> Feb  1 07:11:11 vps342401 dovecot: auth-worker(27069): password(
>>> do_not_reply at example.com,12.173.211.32): Requested CRAM-MD5 scheme, but
>> we
>>> have only CRYPT
>>> Feb  1 07:11:13 vps342401 dovecot: auth: Debug: client passdb out:
>>> FAIL#0113#011user=do_not_reply at example.com
>>>
>>>
>>>
>>> #####################
>>> I added these lines to the passdb block in dovecot.conf:
>>>    driver = passwd-file
>>>    args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
>>> and commented out the default lines
>>>   #args = /etc/dovecot/dovecot-sql.conf
>>>   #driver = sql
>>> When I try to set the default lines again I get the above error
>> Can you run doveconf -n with the configuration that causes the above
>> error? Also it clearly does SQL lookup, so that error is happening with
>> SQL passdb. You need to remember to restart dovecot between
>> configuration changes.
>>
>> Aki
>>
>>> 2017-01-31 8:08 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
>>>
>>>> On 31.01.2017 09:06, Poliman - Serwis wrote:
>>>>> I set up cram-md5 using this tutorial
>>>>> https://wiki2.dovecot.org/HowTo/CRAM-MD5 in /etc/dovecot/dovecot.conf in the
>>>>> passdb code block:
>>>>> listen = *,[::]
>>>>> protocols = imap pop3
>>>>> #auth_mechanisms = plain login cram-md5
>>>>> auth_mechanisms = cram-md5 plain login
>>>>> #line added below
>>>>> ssl = required
>>>>> disable_plaintext_auth = yes
>>>>> log_timestamp = "%Y-%m-%d %H:%M:%S "
>>>>> mail_privileged_group = vmail
>>>>> postmaster_address = postmaster at vps342401.ovh.net
>>>>> ssl_cert = </etc/postfix/smtpd.cert
>>>>> ssl_key = </etc/postfix/smtpd.key
>>>>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
>>>>> ssl_cipher_list =
>>>>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
>>>>> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES$
>>>>> ssl_prefer_server_ciphers = yes
>>>>> ssl_dh_parameters_length = 2048
>>>>>
>>>>>
>>>>> mail_max_userip_connections = 100
>>>>> passdb {
>>>>> # args = /etc/dovecot/dovecot-sql.conf
>>>>> # driver = sql
>>>>> driver = passwd-file
>>>>> args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
>>>>> }
>>>>> userdb {
>>>>> driver = prefetch
>>>>> }
>>>>> userdb {
>>>>> args = /etc/dovecot/dovecot-sql.conf
>>>>> driver = sql
>>>>> }
>>>>> Of course I created the cram-md5.pwd file. All mails go out and come in nicely.
>>>>> But when I want to restore the default settings by commenting out these two lines:
>>>>> driver = passwd-file
>>>>> args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
>>>>> and uncomment
>>>>> # args = /etc/dovecot/dovecot-sql.conf
>>>>> # driver = sql
>>>>> I can't send emails - I use Thunderbird - and get the error "logging on server
>>>>> mail.example.com not work out". Error in logs:
>>>>> dovecot: auth-worker(22698): Error: Auth worker sees different
>>>>> passdbs/userdbs than auth server.
>>>>> dovecot: auth: Error: read(anvil-auth-penalty) failed: EOF
>>>>>
>>>>> Is it possible that the hashed password from the cram-md5.pwd file was written to
>>>>> the database (if yes, then where - I have ISPconfig)? I didn't change any userdb
>>>>> {} block, and this second userdb block has the same lines as the default
>>>>> settings in the passdb block.
>>>>>
>>>> Try
>>>>
>>>> auth_debug=yes
>>>> auth_verbose=yes
>>>>
>>>> and see if it gives any more reasonable messages.
>>>>
>>>> Aki
>>>>
>>>
>
>
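
Added example, not part of the original thread: a minimal Python model of the CRAM-MD5 exchange showing why the passdb must return the plaintext password, as the reply at the top explains. The challenge is the one from the quoted syslog lines; the user name, password, salt and the SHA-256 stand-in for a CRYPT hash are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Challenge as logged in the thread ("SASL CRAM-MD5 authentication failed: ...").
CHALLENGE_B64 = "PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4="


def decode_challenge(challenge_b64=CHALLENGE_B64):
    """Return the server challenge: a <nonce.timestamp@host> message-id string."""
    return base64.b64decode(challenge_b64).decode("ascii")


def client_response(user, password, challenge_b64):
    """Client side: base64 of 'user hex(HMAC-MD5(key=password, msg=challenge))'."""
    mac = hmac.new(password.encode(), base64.b64decode(challenge_b64), hashlib.md5)
    return base64.b64encode(f"{user} {mac.hexdigest()}".encode()).decode()


def server_verify(stored_secret, challenge_b64, response_b64):
    """Server side: recompute the HMAC keyed with whatever the passdb returned."""
    _user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    mac = hmac.new(stored_secret, base64.b64decode(challenge_b64), hashlib.md5)
    return hmac.compare_digest(mac.hexdigest(), digest)


def demo():
    # Constructed credentials, for illustration only.
    user, password = "user@example.com", "constructed-password"
    response = client_response(user, password, CHALLENGE_B64)

    # passdb holds the plaintext: the server can key the HMAC and the check passes.
    plain_ok = server_verify(password.encode(), CHALLENGE_B64, response)

    # passdb holds a one-way hash (SHA-256 here as a stand-in for CRYPT): the
    # server cannot recover the HMAC key, so the same valid response is rejected.
    one_way = hashlib.sha256(b"constructed-salt" + password.encode()).hexdigest()
    hashed_ok = server_verify(one_way.encode(), CHALLENGE_B64, response)
    return plain_ok, hashed_ok


if __name__ == "__main__":
    print(decode_challenge())
    print(demo())
```

The rejected case corresponds to the "Requested CRAM-MD5 scheme, but we have only CRYPT" line in the log: the SQL passdb returns a value that cannot serve as the HMAC key.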


