Dovecot auth-worker error after cram-md5 auth

Poliman - Serwis serwis at poliman.pl
Wed Feb 1 11:16:08 UTC 2017


Is there any strange thing in these config lines?

2017-02-01 9:40 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>:

> doveadm log errors can be helpful too
>
>
> On 01.02.2017 10:25, Poliman - Serwis wrote:
> > I can check each log; I have root privileges.
> >
> > 2017-02-01 9:04 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
> >
> >> Can you check your logs?
> >>
> >> Aki
> >>
> >>
> >> On 01.02.2017 10:02, Poliman - Serwis wrote:
> >>> When I used a backup copy of the dovecot.conf file I have the same error. So
> >>> I think that maybe something was written to the database? I really would
> >>> point out that I only added
> >>> passdb {
> >>>   driver = passwd-file
> >>>   args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> >>> }
> >>>
> >>> and commented out the default lines from the above block
> >>>   #args = /etc/dovecot/dovecot-sql.conf
> >>>   #driver = sql
> >>>
> >>> And in auth_mechanisms I added cram-md5. Nothing more in any other file.
> >>>
> >>> I don't want to use cram-md5. I need to move back to the default settings.
> >>> Cram-md5 was only for testing purposes. :) But I supposed that I could move
> >>> back to default by commenting out the added lines. But unfortunately it isn't
> >>> that simple.
> >>>
> >>> 2017-02-01 8:59 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
> >>>
> >>>> Are you still trying to authenticate using cram-md5?
> >>>>
> >>>> Aki
> >>>>
> >>>>
> >>>> On 01.02.2017 09:51, Poliman - Serwis wrote:
> >>>>> It still use:
> >>>>> passdb {
> >>>>>   driver = passwd-file
> >>>>>   args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> >>>>> }
> >>>>>
> >>>>> When I delete the above and delete "cram-md5" in auth_mechanisms it is still
> >>>>> not working.
> >>>>>
> >>>>> 2017-02-01 8:45 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
> >>>>>
> >>>>>> You are probably wanting to do
> >>>>>> passdb {
> >>>>>>   driver = passwd-file
> >>>>>>   args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> >>>>>> }
> >>>>>>
> >>>>>> passdb {
> >>>>>>   driver = sql
> >>>>>>   args = /etc/dovecot/dovecot-sql.conf
> >>>>>> }
> >>>>>>
> >>>>>> Why you want to use cram-md5 is beyond me, because using SSL is much
> >>>>>> safer.
> >>>>>>
> >>>>>> Aki
> >>>>>>
> >>>>>> On 01.02.2017 09:41, Poliman - Serwis wrote:
> >>>>>>> By default it was: "auth_mechanisms = plain login" and I added cram-md5.
> >>>>>>> After restart all worked perfectly. But after I added:
> >>>>>>>    driver = passwd-file
> >>>>>>>    args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> >>>>>>> I can't set the default lines because I got an error. Please tell me which
> >>>>>>> lines should be changed to resolve this issue. Should I remove "login" from
> >>>>>>> auth_mechanism ("login" was the default setting and I would like to move
> >>>>>>> back to the default settings)?
> >>>>>>>
> >>>>>>> 2017-02-01 8:36 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
> >>>>>>>
> >>>>>>>> Because cram-md5 needs the user's password for calculating responses, it
> >>>>>>>> cannot work with hashed passwords (one-way encrypted). The only
> >>>>>>>> supported password schemes are PLAIN and CRAM-MD5.
> >>>>>>>>
> >>>>>>>> Aki
> >>>>>>>>
> >>>>>>>> On 01.02.2017 09:33, Poliman - Serwis wrote:
> >>>>>>>>> I always restart dovecot after changing the config. ;) Sure, I commented out
> >>>>>>>>> the two lines I added, restarted dovecot and here it is:
> >>>>>>>>>
> >>>>>>>>> # 2.2.9: /etc/dovecot/dovecot.conf
> >>>>>>>>> # OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS
> >>>>>>>>> auth_mechanisms = plain login cram-md5
> >>>>>>>>> listen = *,[::]
> >>>>>>>>> log_timestamp = "%Y-%m-%d %H:%M:%S "
> >>>>>>>>> mail_max_userip_connections = 100
> >>>>>>>>> mail_plugins = " quota"
> >>>>>>>>> mail_privileged_group = vmail
> >>>>>>>>> passdb {
> >>>>>>>>>   args = /etc/dovecot/dovecot-sql.conf
> >>>>>>>>>   driver = sql
> >>>>>>>>> }
> >>>>>>>>> plugin {
> >>>>>>>>>   quota = dict:user::file:/var/vmail/%d/%n/.quotausage
> >>>>>>>>>   sieve = /var/vmail/%d/%n/.sieve
> >>>>>>>>>   sieve_max_redirects = 25
> >>>>>>>>> }
> >>>>>>>>> postmaster_address = postmaster at example.com
> >>>>>>>>> protocols = imap pop3
> >>>>>>>>> service auth {
> >>>>>>>>>   unix_listener /var/spool/postfix/private/auth {
> >>>>>>>>>     group = postfix
> >>>>>>>>>     mode = 0660
> >>>>>>>>>     user = postfix
> >>>>>>>>>   }
> >>>>>>>>>   unix_listener auth-userdb {
> >>>>>>>>>     group = vmail
> >>>>>>>>>     mode = 0600
> >>>>>>>>>     user = vmail
> >>>>>>>>>   }
> >>>>>>>>>   user = root
> >>>>>>>>> }
> >>>>>>>>> service imap-login {
> >>>>>>>>>   client_limit = 1000
> >>>>>>>>>   process_limit = 512
> >>>>>>>>> }
> >>>>>>>>> service lmtp {
> >>>>>>>>>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
> >>>>>>>>>     group = postfix
> >>>>>>>>>     mode = 0600
> >>>>>>>>>     user = postfix
> >>>>>>>>>   }
> >>>>>>>>> }
> >>>>>>>>> ssl = required
> >>>>>>>>> ssl_cert = </etc/postfix/smtpd.cert
> >>>>>>>>> ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> >>>>>>>>> ssl_dh_parameters_length = 2048
> >>>>>>>>> ssl_key = </etc/postfix/smtpd.key
> >>>>>>>>> ssl_prefer_server_ciphers = yes
> >>>>>>>>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
> >>>>>>>>> userdb {
> >>>>>>>>>   driver = prefetch
> >>>>>>>>> }
> >>>>>>>>> userdb {
> >>>>>>>>>   args = /etc/dovecot/dovecot-sql.conf
> >>>>>>>>>   driver = sql
> >>>>>>>>> }
> >>>>>>>>> protocol imap {
> >>>>>>>>>   mail_plugins = quota imap_quota
> >>>>>>>>> }
> >>>>>>>>> protocol pop3 {
> >>>>>>>>>   mail_plugins = quota
> >>>>>>>>>   pop3_uidl_format = %08Xu%08Xv
> >>>>>>>>> }
> >>>>>>>>> protocol lda {
> >>>>>>>>>   mail_plugins = sieve quota
> >>>>>>>>>   postmaster_address = webmaster at localhost
> >>>>>>>>> }
> >>>>>>>>> protocol lmtp {
> >>>>>>>>>   mail_plugins = quota sieve
> >>>>>>>>>   postmaster_address = webmaster at localhost
> >>>>>>>>> }
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> 2017-02-01 8:27 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
> >>>>>>>>>
> >>>>>>>>>> On 01.02.2017 08:18, Poliman - Serwis wrote:
> >>>>>>>>>>> This is debug log files in syslog:
> >>>>>>>>>>> Feb  1 07:10:25 vps342401 dovecot: auth: Debug: client passdb out: CONT#0112#011PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4=
> >>>>>>>>>>> Feb  1 07:10:26 vps342401 dovecot: auth: Debug: client in: CONT<hidden>
> >>>>>>>>>>> Feb  1 07:10:26 vps342401 dovecot: auth-worker(27069): Debug: sql(do_not_reply at example.com,12.173.211.32): query: SELECT email as user, password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir, '/', IF(maildir_format='maildir','Maildir',maildir_format)) as userdb_mail, uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM mail_user WHERE (login = 'do_not_reply at example.com' OR email = 'do_not_reply at example.com') AND `disablesmtp` = 'n' AND server_id = '1'
> >>>>>>>>>>> Feb  1 07:10:26 vps342401 dovecot: auth-worker(27069): password(do_not_reply at example.com, 12.173.211.32): Requested CRAM-MD5 scheme, but we have only CRYPT
> >>>>>>>>>>> Feb  1 07:10:28 vps342401 dovecot: auth: Debug: client passdb out: FAIL#0112#011user=do_not_reply at example.com
> >>>>>>>>>>> Feb  1 07:10:28 vps342401 postfix/smtps/smtpd[27067]: warning: host23131.internet.3s.com[12.173.211.32]: SASL CRAM-MD5 authentication failed: PDAxODg3ODIzMTUwMzgxNzMuMTQ4NTkyOTQyNUB2cHMzNDI0MDEub3ZoLm5ldD4=
> >>>>>>>>>>> Feb  1 07:11:02 vps342401 CRON[27074]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
> >>>>>>>>>>> Feb  1 07:11:02 vps342401 CRON[27075]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
> >>>>>>>>>>> Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client in: AUTH#0113#011CRAM-MD5#011service=smtp#011nologin#011lip=173.72.31.7#011rip=12.173.211.32#011secured
> >>>>>>>>>>> Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client passdb out: CONT#0113#011PDE3NDg1NjE4MTgxNTk2OTAuMTQ4NTkyOTQ3MUB2cHMzNDI0MDEub3ZoLm5ldD4=
> >>>>>>>>>>> Feb  1 07:11:11 vps342401 dovecot: auth: Debug: client in: CONT<hidden>
> >>>>>>>>>>> Feb  1 07:11:11 vps342401 dovecot: auth-worker(27069): Debug: sql(do_not_reply at example.com,12.173.211.32): query: SELECT email as user, password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir, '/', IF(maildir_format='maildir','Maildir',maildir_format)) as userdb_mail, uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM mail_user WHERE (login = 'do_not_reply at example.com' OR email = 'do_not_reply at example.com') AND `disablesmtp` = 'n' AND server_id = '1'
> >>>>>>>>>>> Feb  1 07:11:11 vps342401 dovecot: auth-worker(27069): password(do_not_reply at example.com,12.173.211.32): Requested CRAM-MD5 scheme, but we have only CRYPT
> >>>>>>>>>>> Feb  1 07:11:13 vps342401 dovecot: auth: Debug: client passdb out: FAIL#0113#011user=do_not_reply at example.com
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> #####################
> >>>>>>>>>>> I added in dovecot.conf lines in passdb block:
> >>>>>>>>>>>    driver = passwd-file
> >>>>>>>>>>>    args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> >>>>>>>>>>> and commented out default lines
> >>>>>>>>>>>   #args = /etc/dovecot/dovecot-sql.conf
> >>>>>>>>>>>   #driver = sql
> >>>>>>>>>>> When I try set again default lines I got above error
> >>>>>>>>>> Can you run doveconf -n with the configuration that causes the above
> >>>>>>>>>> error? Also it clearly does SQL lookup, so that error is happening with
> >>>>>>>>>> SQL passdb. You need to remember to restart dovecot between
> >>>>>>>>>> configuration changes.
> >>>>>>>>>>
> >>>>>>>>>> Aki
> >>>>>>>>>>
> >>>>>>>>>>> 2017-01-31 8:08 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
> >>>>>>>>>>>
> >>>>>>>>>>>> On 31.01.2017 09:06, Poliman - Serwis wrote:
> >>>>>>>>>>>>> I set up cram-md5 using this tutorial
> >>>>>>>>>>>>> https://wiki2.dovecot.org/HowTo/CRAM-MD5 in /etc/dovecot/dovecot.conf in
> >>>>>>>>>>>>> passdb code block:
> >>>>>>>>>>>>> listen = *,[::]
> >>>>>>>>>>>>> protocols = imap pop3
> >>>>>>>>>>>>> #auth_mechanisms = plain login cram-md5
> >>>>>>>>>>>>> auth_mechanisms = cram-md5 plain login
> >>>>>>>>>>>>> #line added below
> >>>>>>>>>>>>> ssl = required
> >>>>>>>>>>>>> disable_plaintext_auth = yes
> >>>>>>>>>>>>> log_timestamp = "%Y-%m-%d %H:%M:%S "
> >>>>>>>>>>>>> mail_privileged_group = vmail
> >>>>>>>>>>>>> postmaster_address = postmaster at vps342401.ovh.net
> >>>>>>>>>>>>> ssl_cert = </etc/postfix/smtpd.cert
> >>>>>>>>>>>>> ssl_key = </etc/postfix/smtpd.key
> >>>>>>>>>>>>> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
> >>>>>>>>>>>>> ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES$
> >>>>>>>>>>>>> ssl_prefer_server_ciphers = yes
> >>>>>>>>>>>>> ssl_dh_parameters_length = 2048
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> mail_max_userip_connections = 100
> >>>>>>>>>>>>> passdb {
> >>>>>>>>>>>>> # args = /etc/dovecot/dovecot-sql.conf
> >>>>>>>>>>>>> # driver = sql
> >>>>>>>>>>>>> driver = passwd-file
> >>>>>>>>>>>>> args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> >>>>>>>>>>>>> }
> >>>>>>>>>>>>> userdb {
> >>>>>>>>>>>>> driver = prefetch
> >>>>>>>>>>>>> }
> >>>>>>>>>>>>> userdb {
> >>>>>>>>>>>>> args = /etc/dovecot/dovecot-sql.conf
> >>>>>>>>>>>>> driver = sql
> >>>>>>>>>>>>> }
> >>>>>>>>>>>>> Of course I created the cram-md5.pwd file. All mails go out and come in
> >>>>>>>>>>>>> nicely. But after I wanted to restore the default settings by commenting
> >>>>>>>>>>>>> out these two lines:
> >>>>>>>>>>>>> driver = passwd-file
> >>>>>>>>>>>>> args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> >>>>>>>>>>>>> and uncommenting
> >>>>>>>>>>>>> # args = /etc/dovecot/dovecot-sql.conf
> >>>>>>>>>>>>> # driver = sql
> >>>>>>>>>>>>> I can't send emails - I use Thunderbird - I get the error "logging on server
> >>>>>>>>>>>>> mail.example.com not work out". Error in logs:
> >>>>>>>>>>>>> dovecot: auth-worker(22698): Error: Auth worker sees different passdbs/userdbs than auth server.
> >>>>>>>>>>>>> dovecot: auth: Error: read(anvil-auth-penalty) failed: EOF
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Is it possible that the hashed password from the cram-md5.pwd file was
> >>>>>>>>>>>>> written to the database (if yes then where - I have ISPconfig)? I didn't
> >>>>>>>>>>>>> change any userdb {} block, and this second userdb block has the same
> >>>>>>>>>>>>> lines as the default settings in the passdb block.
> >>>>>>>>>>>>>
> >>>>>>>>>>>> Try
> >>>>>>>>>>>>
> >>>>>>>>>>>> auth_debug=yes
> >>>>>>>>>>>> auth_verbose=yes
> >>>>>>>>>>>>
> >>>>>>>>>>>> and see if it gives any more reasonable messages.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Aki
> >>>>>>>>>>>>
> >>>
> >
> >
>



-- 

*Pozdrawiam / Best Regards*
*Piotr Bracha*




*tel. 534 555 877*

*serwis at poliman.pl <serwis at poliman.pl>*
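
Added example, not part of the original thread: a minimal RFC 2195 CRAM-MD5 exchange showing why the quoted log line `Requested CRAM-MD5 scheme, but we have only CRYPT` appears when `cram-md5` is advertised in `auth_mechanisms` but the passdb holds only one-way hashes. The user name, password and challenge are constructed, and SHA-256 is an assumed stand-in for the CRYPT value stored in the SQL passdb.

```python
import base64
import hashlib
import hmac


def cram_md5_response(user: str, password: bytes, challenge_b64: str) -> str:
    """Client side (RFC 2195): base64 of 'user <hex HMAC-MD5(password, challenge)>'."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password, challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def server_verify(stored_secret: bytes, challenge_b64: str, response_b64: str) -> bool:
    """Server side: recompute the HMAC keyed with whatever the passdb returned."""
    _user, _, client_digest = base64.b64decode(response_b64).decode().rpartition(" ")
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(stored_secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, client_digest)


def demo() -> dict:
    # Constructed sample values, not taken from the thread.
    user, password = "user@example.com", b"correct horse battery"
    challenge = base64.b64encode(b"<1234567890.1485929425@mail.example.com>").decode()
    response = cram_md5_response(user, password, challenge)

    # Stand-in for a one-way hash such as the CRYPT value in the SQL passdb.
    one_way_hash = hashlib.sha256(password).hexdigest().encode()

    return {
        # passdb that can hand back the password itself: response verifies.
        "plain_passdb": server_verify(password, challenge, response),
        # passdb that only has a one-way hash: the HMAC key is wrong, so it fails.
        "hashed_passdb": server_verify(one_way_hash, challenge, response),
        # The password never crosses the wire, so the server cannot hash it
        # and compare with the stored value as it does for PLAIN/LOGIN.
        "password_in_response": password in base64.b64decode(response),
    }


if __name__ == "__main__":
    print(demo())
```
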

