Dovecot auth-worker error after cram-md5 auth

Aki Tuomi aki.tuomi at dovecot.fi
Wed Feb 1 07:45:09 UTC 2017


You probably want to do:
passdb {
  driver = passwd-file
  args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
}

passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf
}

Why you want to use cram-md5 is beyond me, because using SSL is much
safer.

Aki

On 01.02.2017 09:41, Poliman - Serwis wrote:
> By default it was: "auth_mechanisms = plain login" and I added cram-md5.
> After the restart everything worked perfectly. But after I added:
>    driver = passwd-file
>    args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> I can't set the default lines because I got an error. Please tell me which lines
> should be changed to resolve this issue. Should I remove "login" from
> auth_mechanism ("login" was default setting and I would like to move back
> to default settings)?
>
> 2017-02-01 8:36 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
>
>> Because cram-md5 needs the user's password for calculating responses, it
>> cannot work with hashed passwords (one-way encrypted). The only
>> supported password schemes are PLAIN and CRAM-MD5.
>>
>> Aki
>>
>> On 01.02.2017 09:33, Poliman - Serwis wrote:
>>> I always restart dovecot after changing the config. ;) Sure, I commented out
>>> the two lines I added, restarted dovecot and here it is:
>>>
>>> # 2.2.9: /etc/dovecot/dovecot.conf
>>> # OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS
>>> auth_mechanisms = plain login cram-md5
>>> listen = *,[::]
>>> log_timestamp = "%Y-%m-%d %H:%M:%S "
>>> mail_max_userip_connections = 100
>>> mail_plugins = " quota"
>>> mail_privileged_group = vmail
>>> passdb {
>>>   args = /etc/dovecot/dovecot-sql.conf
>>>   driver = sql
>>> }
>>> plugin {
>>>   quota = dict:user::file:/var/vmail/%d/%n/.quotausage
>>>   sieve = /var/vmail/%d/%n/.sieve
>>>   sieve_max_redirects = 25
>>> }
>>> postmaster_address = postmaster at example.com
>>> protocols = imap pop3
>>> service auth {
>>>   unix_listener /var/spool/postfix/private/auth {
>>>     group = postfix
>>>     mode = 0660
>>>     user = postfix
>>>   }
>>>   unix_listener auth-userdb {
>>>     group = vmail
>>>     mode = 0600
>>>     user = vmail
>>>   }
>>>   user = root
>>> }
>>> service imap-login {
>>>   client_limit = 1000
>>>   process_limit = 512
>>> }
>>> service lmtp {
>>>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>>>     group = postfix
>>>     mode = 0600
>>>     user = postfix
>>>   }
>>> }
>>> ssl = required
>>> ssl_cert = </etc/postfix/smtpd.cert
>>> ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
>>> ssl_dh_parameters_length = 2048
>>> ssl_key = </etc/postfix/smtpd.key
>>> ssl_prefer_server_ciphers = yes
>>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
>>> userdb {
>>>   driver = prefetch
>>> }
>>> userdb {
>>>   args = /etc/dovecot/dovecot-sql.conf
>>>   driver = sql
>>> }
>>> protocol imap {
>>>   mail_plugins = quota imap_quota
>>> }
>>> protocol pop3 {
>>>   mail_plugins = quota
>>>   pop3_uidl_format = %08Xu%08Xv
>>> }
>>> protocol lda {
>>>   mail_plugins = sieve quota
>>>   postmaster_address = webmaster at localhost
>>> }
>>> protocol lmtp {
>>>   mail_plugins = quota sieve
>>>   postmaster_address = webmaster at localhost
>>> }
>>>
>>>
>>> 2017-02-01 8:27 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
>>>
>>>> On 01.02.2017 08:18, Poliman - Serwis wrote:
>>>>> This is debug log files in syslog:
>>>>> Feb  1 07:10:25 vps342401 dovecot: auth: Debug: client passdb out: CONT#0112#011PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4=
>>>>> Feb  1 07:10:26 vps342401 dovecot: auth: Debug: client in: CONT<hidden>
>>>>> Feb  1 07:10:26 vps342401 dovecot: auth-worker(27069): Debug: sql(do_not_reply at example.com,12.173.211.32): query: SELECT email as user, password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir, '/', IF(maildir_format='maildir','Maildir',maildir_format)) as userdb_mail, uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM mail_user WHERE (login = 'do_not_reply at example.com' OR email = 'do_not_reply at example.com') AND `disablesmtp` = 'n' AND server_id = '1'
>>>>> Feb  1 07:10:26 vps342401 dovecot: auth-worker(27069): password(do_not_reply at example.com, 12.173.211.32): Requested CRAM-MD5 scheme, but we have only CRYPT
>>>>> Feb  1 07:10:28 vps342401 dovecot: auth: Debug: client passdb out: FAIL#0112#011user=do_not_reply at example.com
>>>>> Feb  1 07:10:28 vps342401 postfix/smtps/smtpd[27067]: warning: host23131.internet.3s.com[12.173.211.32]: SASL CRAM-MD5 authentication failed: PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4=
>>>>> Feb  1 07:11:02 vps342401 CRON[27074]: (root) CMD
>>>>> (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo
>>>>> `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
>>>>> Feb  1 07:11:02 vps342401 CRON[27075]: (root) CMD
>>>>> (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo
>>>>> `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
>>>>> Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client in: AUTH#0113#011CRAM-MD5#011service=smtp#011nologin#011lip=173.72.31.7#011rip=12.173.211.32#011secured
>>>>> Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client passdb out: CONT#0113#011PDE3NDg1NjE4MTgxNTk2OTAuMTQ4NTkyOTQ3MUB2cHMzNDI0MDEub3ZoLm5ldD4=
>>>>> Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client in: CONT<hidden>
>>>>> Feb  1 07:11:11 vps342401 dovecot: auth-worker(27069): Debug: sql(do_not_reply at example.com,12.173.211.32): query: SELECT email as user, password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir, '/', IF(maildir_format='maildir','Maildir',maildir_format)) as userdb_mail, uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM mail_user WHERE (login = 'do_not_reply at example.com' OR email = 'do_not_reply at example.com') AND `disablesmtp` = 'n' AND server_id = '1'
>>>>> Feb  1 07:11:11 vps342401 dovecot: auth-worker(27069): password(do_not_reply at example.com,12.173.211.32): Requested CRAM-MD5 scheme, but we have only CRYPT
>>>>> Feb  1 07:11:13 vps342401 dovecot: auth: Debug: client passdb out: FAIL#0113#011user=do_not_reply at example.com
>>>>>
>>>>>
>>>>>
>>>>> #####################
>>>>> I added in dovecot.conf lines in passdb block:
>>>>>    driver = passwd-file
>>>>>    args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
>>>>> and commented out default lines
>>>>>   #args = /etc/dovecot/dovecot-sql.conf
>>>>>   #driver = sql
>>>>> When I try to set the default lines again I get the above error
>>>> Can you run doveconf -n with the configuration that causes the above
>>>> error? Also it clearly does SQL lookup, so that error is happening with
>>>> SQL passdb. You need to remember to restart dovecot between
>>>> configuration changes.
>>>>
>>>> Aki
>>>>
>>>>> 2017-01-31 8:08 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
>>>>>
>>>>>> On 31.01.2017 09:06, Poliman - Serwis wrote:
>>>>>>> I set up cram-md5 using this tutorial
>>>>>>> https://wiki2.dovecot.org/HowTo/CRAM-MD5 in /etc/dovecot/dovecot.conf in
>>>>>>> passdb code block:
>>>>>>> listen = *,[::]
>>>>>>> protocols = imap pop3
>>>>>>> #auth_mechanisms = plain login cram-md5
>>>>>>> auth_mechanisms = cram-md5 plain login
>>>>>>> # line added below
>>>>>>> ssl = required
>>>>>>> disable_plaintext_auth = yes
>>>>>>> log_timestamp = "%Y-%m-%d %H:%M:%S "
>>>>>>> mail_privileged_group = vmail
>>>>>>> postmaster_address = postmaster at vps342401.ovh.net
>>>>>>> ssl_cert = </etc/postfix/smtpd.cert
>>>>>>> ssl_key = </etc/postfix/smtpd.key
>>>>>>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
>>>>>>> ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES$
>>>>>>> ssl_prefer_server_ciphers = yes
>>>>>>> ssl_dh_parameters_length = 2048
>>>>>>>
>>>>>>>
>>>>>>> mail_max_userip_connections = 100
>>>>>>> passdb {
>>>>>>> # args = /etc/dovecot/dovecot-sql.conf
>>>>>>> # driver = sql
>>>>>>> driver = passwd-file
>>>>>>> args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
>>>>>>> }
>>>>>>> userdb {
>>>>>>> driver = prefetch
>>>>>>> }
>>>>>>> userdb {
>>>>>>> args = /etc/dovecot/dovecot-sql.conf
>>>>>>> driver = sql
>>>>>>> }
>>>>>>> Of course I created the cram-md5.pwd file. All mails go out and come nicely.
>>>>>>> But when I want to go back to the default settings by commenting out these two lines:
>>>>>>> driver = passwd-file
>>>>>>> args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
>>>>>>> and uncomment
>>>>>>> # args = /etc/dovecot/dovecot-sql.conf
>>>>>>> # driver = sql
>>>>>>> I can't send emails - I use Thunderbird - get error "logging on
>> server
>>>>>>> mail.example.com not work out". Error in logs:
>>>>>>> dovecot: auth-worker(22698): Error: Auth worker sees different
>>>>>>> passdbs/userdbs than auth server.
>>>>>>> dovecot: auth: Error: read(anvil-auth-penalty) failed: EOF
>>>>>>>
>>>>>>> Is it possible that the hashed password from the cram-md5.pwd file was written
>>>>>>> to the database (if yes, then where - I have ISPconfig)? I didn't change any
>>>>>>> userdb {} block, and the second userdb block has the same lines as the default
>>>>>>> settings in the passdb block.
>>>>>>>
>>>>>> Try
>>>>>>
>>>>>> auth_debug=yes
>>>>>> auth_verbose=yes
>>>>>>
>>>>>> and see if it gives any more reasonable messages.
>>>>>>
>>>>>> Aki
>>>>>>
>>>
>
>
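
The "Requested CRAM-MD5 scheme, but we have only CRYPT" failure discussed in this thread, worked through as an added example (not part of the original messages and not Dovecot's code). It uses the challenge from the quoted debug log; the password is constructed, the SHA-256 value is an assumed stand-in for the one-way CRYPT hash in the SQL table, and Dovecot's own CRAM-MD5 storage scheme is not modelled.

```python
import base64
import hashlib
import hmac

# Challenge copied from the "client passdb out: CONT" debug line in the thread.
CHALLENGE_B64 = "PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4="
USER = "do_not_reply@example.com"
PASSWORD = "constructed-sample-password"  # constructed; the real one is not on the page
# Stand-in for the one-way CRYPT value in the SQL table (assumption: SHA-256 hex).
ONE_WAY_HASH = hashlib.sha256(PASSWORD.encode()).hexdigest()


def decode_challenge(challenge_b64):
    return base64.b64decode(challenge_b64).decode("ascii")


def cram_md5_digest(secret, challenge_b64):
    """Hex HMAC-MD5 keyed with the secret over the raw challenge (RFC 2195)."""
    return hmac.new(secret.encode(), base64.b64decode(challenge_b64), hashlib.md5).hexdigest()


def client_response(user, password, challenge_b64):
    """What the mail client sends back: base64("user hexdigest")."""
    digest = cram_md5_digest(password, challenge_b64)
    return base64.b64encode(f"{user} {digest}".encode()).decode("ascii")


def server_verify(scheme, stored, challenge_b64, response_b64):
    """Return (ok, reason) for a stored credential of the given scheme."""
    _user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    if scheme != "PLAIN":
        # A one-way hash cannot key the HMAC, so the check is refused outright.
        return False, f"Requested CRAM-MD5 scheme, but we have only {scheme}"
    ok = hmac.compare_digest(cram_md5_digest(stored, challenge_b64), digest)
    return ok, "ok" if ok else "digest mismatch"


if __name__ == "__main__":
    resp = client_response(USER, PASSWORD, CHALLENGE_B64)
    print(decode_challenge(CHALLENGE_B64))
    print(server_verify("PLAIN", PASSWORD, CHALLENGE_B64, resp))
    print(server_verify("CRYPT", ONE_WAY_HASH, CHALLENGE_B64, resp))
    # Even treating the hash as if it were the password does not help:
    print(server_verify("PLAIN", ONE_WAY_HASH, CHALLENGE_B64, resp))
```
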


