Dovecot auth-worker error after cram-md5 auth

Aki Tuomi aki.tuomi at dovecot.fi
Wed Feb 1 08:40:38 UTC 2017


doveadm log errors can be helpful too


On 01.02.2017 10:25, Poliman - Serwis wrote:
> I can check each logs, I have root privileges.
>
> 2017-02-01 9:04 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
>
>> Can you check your logs?
>>
>> Aki
>>
>>
>> On 01.02.2017 10:02, Poliman - Serwis wrote:
>>> When I used backup copy of the dovecot.conf file I have this same error. So
>>> I think that maybe something was written to database? I really would point
>>> out that I only added
>>> passdb {
>>>   driver = passwd-file
>>>   args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
>>> }
>>>
>>> and comment out from above block default lines
>>>   #args = /etc/dovecot/dovecot-sql.conf
>>>   #driver = sql
>>>
>>> And in auth_mechanisms add line cram-md5. Nothing more in any other file.
>>>
>>> I don't want to use cram-md5. I need move back to default settings.
>>> Cram-md5 was only for testing purposes. :) But I supposed that I can move
>>> back to default by commenting out added lines. But unfortunately it isn't
>>> that simple.
>>>
>>> 2017-02-01 8:59 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
>>>
>>>> Are you still trying to authenticate using cram-md5?
>>>>
>>>> Aki
>>>>
>>>>
>>>> On 01.02.2017 09:51, Poliman - Serwis wrote:
>>>>> It still use:
>>>>> passdb {
>>>>>   driver = passwd-file
>>>>>   args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
>>>>> }
>>>>>
>>>>> When I delete above and delete "cram-md5" in auth_mechanisms it still not
>>>>> working.
>>>>>
>>>>> 2017-02-01 8:45 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
>>>>>
>>>>>> You are probably wanting to do
>>>>>> passdb {
>>>>>>   driver = passwd-file
>>>>>>   args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
>>>>>> }
>>>>>>
>>>>>> passdb {
>>>>>>   driver = sql
>>>>>>   args = /etc/dovecot/dovecot-sql.conf
>>>>>> }
>>>>>>
>>>>>> Why you want to use cram-md5 is beyond me, because using SSL is much
>>>>>> safer.
>>>>>>
>>>>>> Aki
>>>>>>
>>>>>> On 01.02.2017 09:41, Poliman - Serwis wrote:
>>>>>>> Default it was: "auth_mechanisms = plain login"  and I added cram-md5.
>>>>>>> After restart all work perfectly. But after I added:
>>>>>>>    driver = passwd-file
>>>>>>>    args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
>>>>>>> I can't set default lines because I got error. Please tell me which lines
>>>>>>> should be changed to resolve this issue. Should I remove "login" from
>>>>>>> auth_mechanism ("login" was default setting and I would like to move back
>>>>>>> to default settings)?
>>>>>>>
>>>>>>> 2017-02-01 8:36 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
>>>>>>>
>>>>>>>> Because cram-md5 needs the user's password for calculating responses, it
>>>>>>>> cannot work with hashed passwords (one-way encrypted). The only
>>>>>>>> supported password schemes are PLAIN and CRAM-MD5.
>>>>>>>>
>>>>>>>> Aki
>>>>>>>>
>>>>>>>> On 01.02.2017 09:33, Poliman - Serwis wrote:
>>>>>>>>> I always restart dovecot after change config. ;) Sure, I commented out
>>>>>>>>> added two lines by me, restarted dovecot and here it is:
>>>>>>>>>
>>>>>>>>> # 2.2.9: /etc/dovecot/dovecot.conf
>>>>>>>>> # OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS
>>>>>>>>> auth_mechanisms = plain login cram-md5
>>>>>>>>> listen = *,[::]
>>>>>>>>> log_timestamp = "%Y-%m-%d %H:%M:%S "
>>>>>>>>> mail_max_userip_connections = 100
>>>>>>>>> mail_plugins = " quota"
>>>>>>>>> mail_privileged_group = vmail
>>>>>>>>> passdb {
>>>>>>>>>   args = /etc/dovecot/dovecot-sql.conf
>>>>>>>>>   driver = sql
>>>>>>>>> }
>>>>>>>>> plugin {
>>>>>>>>>   quota = dict:user::file:/var/vmail/%d/%n/.quotausage
>>>>>>>>>   sieve = /var/vmail/%d/%n/.sieve
>>>>>>>>>   sieve_max_redirects = 25
>>>>>>>>> }
>>>>>>>>> postmaster_address = postmaster at example.com
>>>>>>>>> protocols = imap pop3
>>>>>>>>> service auth {
>>>>>>>>>   unix_listener /var/spool/postfix/private/auth {
>>>>>>>>>     group = postfix
>>>>>>>>>     mode = 0660
>>>>>>>>>     user = postfix
>>>>>>>>>   }
>>>>>>>>>   unix_listener auth-userdb {
>>>>>>>>>     group = vmail
>>>>>>>>>     mode = 0600
>>>>>>>>>     user = vmail
>>>>>>>>>   }
>>>>>>>>>   user = root
>>>>>>>>> }
>>>>>>>>> service imap-login {
>>>>>>>>>   client_limit = 1000
>>>>>>>>>   process_limit = 512
>>>>>>>>> }
>>>>>>>>> service lmtp {
>>>>>>>>>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>>>>>>>>>     group = postfix
>>>>>>>>>     mode = 0600
>>>>>>>>>     user = postfix
>>>>>>>>>   }
>>>>>>>>> }
>>>>>>>>> ssl = required
>>>>>>>>> ssl_cert = </etc/postfix/smtpd.cert
>>>>>>>>> ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
>>>>>>>>> ssl_dh_parameters_length = 2048
>>>>>>>>> ssl_key = </etc/postfix/smtpd.key
>>>>>>>>> ssl_prefer_server_ciphers = yes
>>>>>>>>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
>>>>>>>>> userdb {
>>>>>>>>>   driver = prefetch
>>>>>>>>> }
>>>>>>>>> userdb {
>>>>>>>>>   args = /etc/dovecot/dovecot-sql.conf
>>>>>>>>>   driver = sql
>>>>>>>>> }
>>>>>>>>> protocol imap {
>>>>>>>>>   mail_plugins = quota imap_quota
>>>>>>>>> }
>>>>>>>>> protocol pop3 {
>>>>>>>>>   mail_plugins = quota
>>>>>>>>>   pop3_uidl_format = %08Xu%08Xv
>>>>>>>>> }
>>>>>>>>> protocol lda {
>>>>>>>>>   mail_plugins = sieve quota
>>>>>>>>>   postmaster_address = webmaster at localhost
>>>>>>>>> }
>>>>>>>>> protocol lmtp {
>>>>>>>>>   mail_plugins = quota sieve
>>>>>>>>>   postmaster_address = webmaster at localhost
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 2017-02-01 8:27 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
>>>>>>>>>
>>>>>>>>>> On 01.02.2017 08:18, Poliman - Serwis wrote:
>>>>>>>>>>> This is debug log files in syslog:
>>>>>>>>>>> Feb  1 07:10:25 vps342401 dovecot: auth: Debug: client passdb out: CONT#0112#011PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4=
>>>>>>>>>>> Feb  1 07:10:26 vps342401 dovecot: auth: Debug: client in: CONT<hidden>
>>>>>>>>>>> Feb  1 07:10:26 vps342401 dovecot: auth-worker(27069): Debug: sql(do_not_reply at example.com,12.173.211.32): query: SELECT email as user, password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir, '/', IF(maildir_format='maildir','Maildir',maildir_format)) as userdb_mail, uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM mail_user WHERE (login = 'do_not_reply at example.com' OR email = 'do_not_reply at example.com') AND `disablesmtp` = 'n' AND server_id = '1'
>>>>>>>>>>> Feb  1 07:10:26 vps342401 dovecot: auth-worker(27069): password(do_not_reply at example.com, 12.173.211.32): Requested CRAM-MD5 scheme, but we have only CRYPT
>>>>>>>>>>> Feb  1 07:10:28 vps342401 dovecot: auth: Debug: client passdb out: FAIL#0112#011user=do_not_reply at example.com
>>>>>>>>>>> Feb  1 07:10:28 vps342401 postfix/smtps/smtpd[27067]: warning: host23131.internet.3s.com[12.173.211.32]: SASL CRAM-MD5 authentication failed: PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4=
>>>>>>>>>>> Feb  1 07:11:02 vps342401 CRON[27074]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
>>>>>>>>>>> Feb  1 07:11:02 vps342401 CRON[27075]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
>>>>>>>>>>> Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client in: AUTH#0113#011CRAM-MD5#011service=smtp#011nologin#011lip=173.72.31.7#011rip=12.173.211.32#011secured
>>>>>>>>>>> Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client passdb out: CONT#0113#011PDE3NDg1NjE4MTgxNTk2OTAuMTQ4NTkyOTQ3MUB2cHMzNDI0MDEub3ZoLm5ldD4=
>>>>>>>>>>> Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client in: CONT<hidden>
>>>>>>>>>>> Feb  1 07:11:11 vps342401 dovecot: auth-worker(27069): Debug: sql(do_not_reply at example.com,12.173.211.32): query: SELECT email as user, password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir, '/', IF(maildir_format='maildir','Maildir',maildir_format)) as userdb_mail, uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM mail_user WHERE (login = 'do_not_reply at example.com' OR email = 'do_not_reply at example.com') AND `disablesmtp` = 'n' AND server_id = '1'
>>>>>>>>>>> Feb  1 07:11:11 vps342401 dovecot: auth-worker(27069): password(do_not_reply at example.com,12.173.211.32): Requested CRAM-MD5 scheme, but we have only CRYPT
>>>>>>>>>>> Feb  1 07:11:13 vps342401 dovecot: auth: Debug: client passdb out: FAIL#0113#011user=do_not_reply at example.com
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> #####################
>>>>>>>>>>> I added in dovecot.conf lines in passdb block:
>>>>>>>>>>>    driver = passwd-file
>>>>>>>>>>>    args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
>>>>>>>>>>> and commented out default lines
>>>>>>>>>>>   #args = /etc/dovecot/dovecot-sql.conf
>>>>>>>>>>>   #driver = sql
>>>>>>>>>>> When I try set again default lines I got above error
>>>>>>>>>> Can you run doveconf -n with the configuration that causes the above
>>>>>>>>>> error? Also it clearly does SQL lookup, so that error is happening with
>>>>>>>>>> SQL passdb. You need to remember to restart dovecot between
>>>>>>>>>> configuration changes.
>>>>>>>>>>
>>>>>>>>>> Aki
>>>>>>>>>>
>>>>>>>>>>> 2017-01-31 8:08 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
>>>>>>>>>>>
>>>>>>>>>>>> On 31.01.2017 09:06, Poliman - Serwis wrote:
>>>>>>>>>>>>> I set up cram-md5 using this tutorial
>>>>>>>>>>>>> https://wiki2.dovecot.org/HowTo/CRAM-MD5 in /etc/dovecot/dovecot.conf in
>>>>>>>>>>>>> passdb code block:
>>>>>>>>>>>>> listen = *,[::]
>>>>>>>>>>>>> protocols = imap pop3
>>>>>>>>>>>>> #auth_mechanisms = plain login cram-md5
>>>>>>>>>>>>> auth_mechanisms = cram-md5 plain login
>>>>>>>>>>>>> #line added below
>>>>>>>>>>>>> ssl = required
>>>>>>>>>>>>> disable_plaintext_auth = yes
>>>>>>>>>>>>> log_timestamp = "%Y-%m-%d %H:%M:%S "
>>>>>>>>>>>>> mail_privileged_group = vmail
>>>>>>>>>>>>> postmaster_address = postmaster at vps342401.ovh.net
>>>>>>>>>>>>> ssl_cert = </etc/postfix/smtpd.cert
>>>>>>>>>>>>> ssl_key = </etc/postfix/smtpd.key
>>>>>>>>>>>>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
>>>>>>>>>>>>> ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES$
>>>>>>>>>>>>> ssl_prefer_server_ciphers = yes
>>>>>>>>>>>>> ssl_dh_parameters_length = 2048
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> mail_max_userip_connections = 100
>>>>>>>>>>>>> passdb {
>>>>>>>>>>>>> # args = /etc/dovecot/dovecot-sql.conf
>>>>>>>>>>>>> # driver = sql
>>>>>>>>>>>>> driver = passwd-file
>>>>>>>>>>>>> args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
>>>>>>>>>>>>> }
>>>>>>>>>>>>> userdb {
>>>>>>>>>>>>> driver = prefetch
>>>>>>>>>>>>> }
>>>>>>>>>>>>> userdb {
>>>>>>>>>>>>> args = /etc/dovecot/dovecot-sql.conf
>>>>>>>>>>>>> driver = sql
>>>>>>>>>>>>> }
>>>>>>>>>>>>> Of course I created cram-md5.pwd file. All mails go out and come nicely.
>>>>>>>>>>>>> But after I want to do default settings by commented out these two lines:
>>>>>>>>>>>>> driver = passwd-file
>>>>>>>>>>>>> args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
>>>>>>>>>>>>> and uncomment
>>>>>>>>>>>>> # args = /etc/dovecot/dovecot-sql.conf
>>>>>>>>>>>>> # driver = sql
>>>>>>>>>>>>> I can't send emails - I use Thunderbird - get error "logging on server
>>>>>>>>>>>>> mail.example.com not work out". Error in logs:
>>>>>>>>>>>>> dovecot: auth-worker(22698): Error: Auth worker sees different
>>>>>>>>>>>>> passdbs/userdbs than auth server.
>>>>>>>>>>>>> dovecot: auth: Error: read(anvil-auth-penalty) failed: EOF
>>>>>>>>>>>>>
>>>>>>>>>>>>> Is it possible that hashed password from cram-md5.pwd file was written to
>>>>>>>>>>>>> database (if yes then where - I have ISPconfig)? I wasn't change any userdb
>>>>>>>>>>>>> {} block and this second userdb block has this same lines like default
>>>>>>>>>>>>> settings in passdb block.
>>>>>>>>>>>>>
>>>>>>>>>>>> Try
>>>>>>>>>>>>
>>>>>>>>>>>> auth_debug=yes
>>>>>>>>>>>> auth_verbose=yes
>>>>>>>>>>>>
>>>>>>>>>>>> and see if it gives any more reasonable messages.
>>>>>>>>>>>>
>>>>>>>>>>>> Aki
>>>>>>>>>>>>
>>>
>
>
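
The "Requested CRAM-MD5 scheme, but we have only CRYPT" failure quoted above follows from how the RFC 2195 exchange works: the server has to redo the client's HMAC, so it needs the secret itself. The following is an added example, not part of the original thread or Dovecot's code; the function names, user, password and the SHA-256 stand-in for CRYPT are assumptions, and the challenge is the one from the quoted log.

```python
import base64
import hashlib
import hmac

def cram_md5_digest(secret: bytes, challenge: bytes) -> str:
    """RFC 2195 digest: hex HMAC-MD5 of the challenge, keyed with the shared secret."""
    return hmac.new(secret, challenge, hashlib.md5).hexdigest()

def client_response(user: str, password: str, challenge_b64: str) -> str:
    """What the mail client returns after receiving the base64 challenge."""
    challenge = base64.b64decode(challenge_b64)
    digest = cram_md5_digest(password.encode(), challenge)
    return base64.b64encode(f"{user} {digest}".encode()).decode()

def server_verify(stored: bytes, challenge_b64: str, response_b64: str) -> bool:
    """Server side: recompute the digest from whatever the passdb holds for the user."""
    challenge = base64.b64decode(challenge_b64)
    _user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    return hmac.compare_digest(cram_md5_digest(stored, challenge), digest)

# Challenge copied from the 07:10:25 "CONT" log line in the thread.
CHALLENGE_B64 = "PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4="
USER = "do_not_reply@example.com"   # constructed sample value
PASSWORD = "constructed-secret"     # constructed sample value

def demo() -> tuple:
    response = client_response(USER, PASSWORD, CHALLENGE_B64)
    # passdb holds the plaintext (PLAIN scheme): the server can redo the HMAC.
    ok_plain = server_verify(PASSWORD.encode(), CHALLENGE_B64, response)
    # passdb holds only a one-way hash (SHA-256 here as a stand-in for CRYPT):
    # the hash is not the HMAC key, so the recomputed digest never matches.
    one_way = hashlib.sha256(PASSWORD.encode()).hexdigest().encode()
    ok_hashed = server_verify(one_way, CHALLENGE_B64, response)
    return ok_plain, ok_hashed

if __name__ == "__main__":
    print(base64.b64decode(CHALLENGE_B64).decode())  # the server's challenge string
    print(demo())
```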


