Dovecot auth-worker error after cram-md5 auth

Poliman - Serwis serwis at poliman.pl
Wed Feb 1 08:02:24 UTC 2017 

When I used backup copy of the dovecot.conf file I have this same error. So
I think that maybe something was written to database? I really would point
out that I only added
passdb {
  driver = passwd-file
  args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
}

and comment out from above block default lines
  #args = /etc/dovecot/dovecot-sql.conf
  #driver = sql

And in auth_mechanisms add line cram-md5. Nothing more in any other file.

I don't want to use cram-md5. I need move back to default settings.
Cram-md5 was only for testing purposes. :) But I supposed that I can move
back to default by commenting out added lines. But unfortunately it isn't
that simple.

2017-02-01 8:59 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>:

> Are you still trying to authenticate using cram-md5?
>
> Aki
>
>
> On 01.02.2017 09:51, Poliman - Serwis wrote:
> > It still use:
> > passdb {
> >   driver = passwd-file
> >   args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> > }
> >
> > When I delete above and delete "cram-md5" in auth_mechanisms it still not
> > working.
> >
> > 2017-02-01 8:45 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
> >
> >> You are probably wanting to do
> >> passdb {
> >>   driver = passwd-file
> >>   args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> >> }
> >>
> >> passdb {
> >>   driver = sql
> >>   args = /etc/dovecot/dovecot-sql.conf
> >> }
> >>
> >> Why you want to use cram-md5 is beyond me, because using SSL is much
> >> more safer.
> >>
> >> Aki
> >>
> >> On 01.02.2017 09:41, Poliman - Serwis wrote:
> >>> Default it was: "auth_mechanisms = plain login"  and I added cram-md5.
> >>> After restart all work perfectly. But after I added:
> >>>    driver = passwd-file
> >>>    args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> >>> I can't set default lines because I got error. Please tell me which
> lines
> >>> should be changed to resolve this issue. Should I remove "login" from
> >>> auth_mechanism ("login" was default setting and I would like to move
> back
> >>> to default settings)?
> >>>
> >>> 2017-02-01 8:36 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
> >>>
> >>>> Because cram-md5 needs the user's password for calculating responses,
> it
> >>>> cannot work with hashed passwords (one-way encrypted). The only
> >>>> supported password schemes are PLAIN and CRAM-MD5.
> >>>>
> >>>> Aki
> >>>>
> >>>> On 01.02.2017 09:33, Poliman - Serwis wrote:
> >>>>> I always restart dovecot after change config. ;) Sure, I commented
> out
> >>>>> added two lines by me, restarted dovecot and here it is:
> >>>>>
> >>>>> # 2.2.9: /etc/dovecot/dovecot.conf
> >>>>> # OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS
> >>>>> auth_mechanisms = plain login cram-md5
> >>>>> listen = *,[::]
> >>>>> log_timestamp = "%Y-%m-%d %H:%M:%S "
> >>>>> mail_max_userip_connections = 100
> >>>>> mail_plugins = " quota"
> >>>>> mail_privileged_group = vmail
> >>>>> passdb {
> >>>>>   args = /etc/dovecot/dovecot-sql.conf
> >>>>>   driver = sql
> >>>>> }
> >>>>> plugin {
> >>>>>   quota = dict:user::file:/var/vmail/%d/%n/.quotausage
> >>>>>   sieve = /var/vmail/%d/%n/.sieve
> >>>>>   sieve_max_redirects = 25
> >>>>> }
> >>>>> postmaster_address = postmaster at example.com
> >>>>> protocols = imap pop3
> >>>>> service auth {
> >>>>>   unix_listener /var/spool/postfix/private/auth {
> >>>>>     group = postfix
> >>>>>     mode = 0660
> >>>>>     user = postfix
> >>>>>   }
> >>>>>   unix_listener auth-userdb {
> >>>>>     group = vmail
> >>>>>     mode = 0600
> >>>>>     user = vmail
> >>>>>   }
> >>>>>   user = root
> >>>>> }
> >>>>> service imap-login {
> >>>>>   client_limit = 1000
> >>>>>   process_limit = 512
> >>>>> }
> >>>>> service lmtp {
> >>>>>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
> >>>>>     group = postfix
> >>>>>     mode = 0600
> >>>>>     user = postfix
> >>>>>   }
> >>>>> }
> >>>>> ssl = required
> >>>>> ssl_cert = </etc/postfix/smtpd.cert
> >>>>> ssl_cipher_list =
> >>>>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
> >>>> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:
> >>>> DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+
> >>>> AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-
> >>>> SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-
> >>>> RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-
> >>>> AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-
> >>>> RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:
> >>>> DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:
> >>>> AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-
> >>>> SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!
> >>>> EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!
> >>>> EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> >>>>> ssl_dh_parameters_length = 2048
> >>>>> ssl_key = </etc/postfix/smtpd.key
> >>>>> ssl_prefer_server_ciphers = yes
> >>>>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
> >>>>> userdb {
> >>>>>   driver = prefetch
> >>>>> }
> >>>>> userdb {
> >>>>>   args = /etc/dovecot/dovecot-sql.conf
> >>>>>   driver = sql
> >>>>> }
> >>>>> protocol imap {
> >>>>>   mail_plugins = quota imap_quota
> >>>>> }
> >>>>> protocol pop3 {
> >>>>>   mail_plugins = quota
> >>>>>   pop3_uidl_format = %08Xu%08Xv
> >>>>> }
> >>>>> protocol lda {
> >>>>>   mail_plugins = sieve quota
> >>>>>   postmaster_address = webmaster at localhost
> >>>>> }
> >>>>> protocol lmtp {
> >>>>>   mail_plugins = quota sieve
> >>>>>   postmaster_address = webmaster at localhost
> >>>>> }
> >>>>>
> >>>>>
> >>>>> 2017-02-01 8:27 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
> >>>>>
> >>>>>> On 01.02.2017 08:18, Poliman - Serwis wrote:
> >>>>>>> This is debug log files in syslog:
> >>>>>>> Feb  1 07:10:25 vps342401 dovecot: auth: Debug: client passdb out:
> >>>>>>> CONT#0112#011PDAxODg3ODIzMTUwMzgxNzMuMTQ
> >> 4NTkyOTQyNUB2cHMzNDI0MDEub3ZoL
> >>>>>> m5ldD4=
> >>>>>>> Feb  1 07:10:26 vps342401 dovecot: auth: Debug: client in:
> >> CONT<hidden>
> >>>>>>> Feb  1 07:10:26 vps342401 dovecot: auth-worker(27069): Debug: sql(
> >>>>>>> do_not_reply at example.com,12.173.211.32): query: SELECT email as
> >> user,
> >>>>>>> password, maildir as userdb_home, CONCAT( maildir_format, ':',
> >> maildir,
> >>>>>>> '/', IF(maildir_format='maildir','Maildir',maildir_format)) as
> >>>>>> userdb_mail,
> >>>>>>> uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota,
> >> 'B')
> >>>> AS
> >>>>>>> userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM
> >>>>>>> mail_user WHERE (login = 'do_not_reply at example.com' OR email = '
> >>>>>>> do_not_reply at example.com') AND `disablesmtp` = 'n' AND server_id =
> >> '1'
> >>>>>>> Feb  1 07:10:26 vps342401 dovecot: auth-worker(27069): password(
> >>>>>>> do_not_reply at example.com, 12.173.211.32): Requested CRAM-MD5
> scheme,
> >>>>>> but we
> >>>>>>> have only CRYPT
> >>>>>>> Feb  1 07:10:28 vps342401 dovecot: auth: Debug: client passdb out:
> >>>>>>> FAIL#0112#011user=do_not_reply at example.com
> >>>>>>> Feb  1 07:10:28 vps342401 postfix/smtps/smtpd[27067]: warning:
> >>>>>>> host23131.internet.3s.com[12.173.211.32]: SASL CRAM-MD5
> >> authentication
> >>>>>>> failed: PDAxODg3ODIzMTUwMzgxNzMuMTQ4NT
> kyOTQyNUB2cHMzNDI0MDEub3ZoLm5l
> >>>> dD4=
> >>>>>>> Feb  1 07:11:02 vps342401 CRON[27074]: (root) CMD
> >>>>>>> (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do
> >> echo
> >>>>>>> `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
> >>>>>>> Feb  1 07:11:02 vps342401 CRON[27075]: (root) CMD
> >>>>>>> (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do
> echo
> >>>>>>> `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
> >>>>>>> Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client in:
> >>>>>>> AUTH#0113#011CRAM-MD5#011service=smtp#011nologin#
> >>>>>> 011lip=173.72.31.7#011rip=12.173.211.32#011secured
> >>>>>>> Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client passdb out:
> >>>>>>> CONT#0113#011PDE3NDg1NjE4MTgxNTk2OTAuMTQ
> >> 4NTkyOTQ3MUB2cHMzNDI0MDEub3ZoL
> >>>>>> m5ldD4=
> >>>>>>> Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client in:
> >> CONT<hidden>
> >>>>>>> Feb  1 07:11:11 vps342401 dovecot: auth-worker(27069): Debug: sql(
> >>>>>>> do_not_reply at example.com,12.173.211.32): query: SELECT email as
> >> user,
> >>>>>>> password, maildir as userdb_home, CONCAT( maildir_format, ':',
> >> maildir,
> >>>>>>> '/', IF(maildir_format='maildir','Maildir',maildir_format)) as
> >>>>>> userdb_mail,
> >>>>>>> uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota,
> >> 'B')
> >>>> AS
> >>>>>>> userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM
> >>>>>>> mail_user WHERE (login = 'do_not_reply at example.com' OR email = '
> >>>>>>> do_not_reply at example.com') AND `disablesmtp` = 'n' AND server_id =
> >> '1'
> >>>>>>> Feb  1 07:11:11 vps342401 dovecot: auth-worker(27069): password(
> >>>>>>> do_not_reply at example.com,12.173.211.32): Requested CRAM-MD5
> scheme,
> >>>> but
> >>>>>> we
> >>>>>>> have only CRYPT
> >>>>>>> Feb  1 07:11:13 vps342401 dovecot: auth: Debug: client passdb out:
> >>>>>>> FAIL#0113#011user=do_not_reply at example.com
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> #####################
> >>>>>>> I added in dovecot.conf lines in passdb block:
> >>>>>>>    driver = passwd-file
> >>>>>>>    args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> >>>>>>> and commented out default lines
> >>>>>>>   #args = /etc/dovecot/dovecot-sql.conf
> >>>>>>>   #driver = sql
> >>>>>>> When I try set again default lines I got above error
> >>>>>> Can you run doveconf -n with the configuration that causes the above
> >>>>>> error? Also it clearly does SQL lookup, so that error is happening
> >> with
> >>>>>> SQL passdb. You need to remember to restart dovecot between
> >>>>>> configuration changes.
> >>>>>>
> >>>>>> Aki
> >>>>>>
> >>>>>>> 2017-01-31 8:08 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
> >>>>>>>
> >>>>>>>> On 31.01.2017 09:06, Poliman - Serwis wrote:
> >>>>>>>>> I set up cram-md5 using this tutorial
> >>>>>>>>> https://wiki2.dovecot.org/HowTo/CRAM-MD5 in
> >>>> /etc/dovecot/dovecot.conf
> >>>>>> in
> >>>>>>>>> passdb code block:
> >>>>>>>>> listen = *,[::]
> >>>>>>>>> protocols = imap pop3
> >>>>>>>>> #auth_mechanisms = plain login cram-md5
> >>>>>>>>> auth_mechanisms = cram-md5 plain login
> >>>>>>>>> #dodana nizej linia
> >>>>>>>>> ssl = required
> >>>>>>>>> disable_plaintext_auth = yes
> >>>>>>>>> log_timestamp = "%Y-%m-%d %H:%M:%S "
> >>>>>>>>> mail_privileged_group = vmail
> >>>>>>>>> postmaster_address = postmaster at vps342401.ovh.net
> >>>>>>>>> ssl_cert = </etc/postfix/smtpd.cert
> >>>>>>>>> ssl_key = </etc/postfix/smtpd.key
> >>>>>>>>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
> >>>>>>>>> ssl_cipher_list =
> >>>>>>>>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
> >>>>>>>> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384[image:
> >>>>>>>>> :D]HE-RSA-AES128-GCM-SHA256[image: :D]HE-DSS-AES$
> >>>>>>>>> ssl_prefer_server_ciphers = yes
> >>>>>>>>> ssl_dh_parameters_length = 2048
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> mail_max_userip_connections = 100
> >>>>>>>>> passdb {
> >>>>>>>>> # args = /etc/dovecot/dovecot-sql.conf
> >>>>>>>>> # driver = sql
> >>>>>>>>> driver = passwd-file
> >>>>>>>>> args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> >>>>>>>>> }
> >>>>>>>>> userdb {
> >>>>>>>>> driver = prefetch
> >>>>>>>>> }
> >>>>>>>>> userdb {
> >>>>>>>>> args = /etc/dovecot/dovecot-sql.conf
> >>>>>>>>> driver = sql
> >>>>>>>>> }
> >>>>>>>>> Of course I created cram-md5.pwd file. All mails go out and come
> >>>>>> nicely.
> >>>>>>>>> But after I want to do default settings by commented out these
> two
> >>>>>> lines:
> >>>>>>>>> driver = passwd-file
> >>>>>>>>> args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> >>>>>>>>> and uncomment
> >>>>>>>>> # args = /etc/dovecot/dovecot-sql.conf
> >>>>>>>>> # driver = sql
> >>>>>>>>> I can't send emails - I use Thunderbird - get error "logging on
> >>>> server
> >>>>>>>>> mail.example.com not work out". Error in logs:
> >>>>>>>>> dovecot: auth-worker(22698): Error: Auth worker sees different
> >>>>>>>>> passdbs/userdbs than auth server.
> >>>>>>>>> dovecot: auth: Error: read(anvil-auth-penalty) failed: EOF
> >>>>>>>>>
> >>>>>>>>> Is it possible that hashed password from cram-md5.pwd file was
> >>>> written
> >>>>>> to
> >>>>>>>>> database (if yes then where - I have ISPconfig)? I wasn't change
> >> any
> >>>>>>>> userdb
> >>>>>>>>> {} block and this second userdb block has this same lines like
> >>>> default
> >>>>>>>>> settings in passdb block.
> >>>>>>>>>
> >>>>>>>> Try
> >>>>>>>>
> >>>>>>>> auth_debug=yes
> >>>>>>>> auth_verbose=yes
> >>>>>>>>
> >>>>>>>> and see if it gives any more reasonable messages.
> >>>>>>>>
> >>>>>>>> Aki
> >>>>>>>>
> >>>
> >
> >
>



-- 

*Pozdrawiam / Best Regards*
*Piotr Bracha*




*tel. 534 555 877*

*serwis at poliman.pl <serwis at poliman.pl>*

More information about the dovecot mailing list