pam authentication

Pol Hallen dovecotml at fuckaround.org
Tue Sep 5 14:51:52 EEST 2017


does not work :-/

Sep 05 13:49:41 auth: Debug: auth client connected (pid=31115)
Sep 05 13:49:41 auth: Debug: client in: AUTH    1       PLAIN   
service=imap    secured session=IFCT0m9Y0KjAqAFk        
lip=192.168.1.100       rip=192.168.1.100       lport=143       
rport=43216   resp=AHBvbGhhbGxlbkBmdWNrYXJvdW5kLm9yZwBQYW5kb3JhMjAwMA== 
(previous base64 data may contain sensitive data)
Sep 05 13:49:41 auth: Debug: 
passwd-file(user00 at realdomain.org,192.168.1.100,<IFCT0m9Y0KjAqAFk>): 
lookup: user=user00 at realdomain.org file=/etc/dovecot/users
Sep 05 13:49:41 auth: Debug: 
static(user00 at realdomain.org,192.168.1.100,<IFCT0m9Y0KjAqAFk>): lookup
Sep 05 13:49:41 auth: Debug: 
static(user00 at realdomain.org,192.168.1.100,<IFCT0m9Y0KjAqAFk>): Allowing 
any password
Sep 05 13:49:41 auth: Debug: 
static(user00 at realdomain.org,192.168.1.100,<IFCT0m9Y0KjAqAFk>): Not 
performing authentication (noauthenticate set)
==> /var/log/dovecot.info <==
Sep 05 13:49:41 auth: Info: 
passwd-file(user00 at realdomain.org,192.168.1.100,<IFCT0m9Y0KjAqAFk>): 
unknown user (given password: pass) - trying the next passdb
==> /var/log/dovecot.debug <==
Sep 05 13:49:41 auth-worker(31116): Debug: Loading modules from 
directory: /usr/lib/dovecot/modules/auth
Sep 05 13:49:41 auth-worker(31116): Debug: passwd-file 
/etc/dovecot/users: Read 4 users in 0 secs
Sep 05 13:49:41 auth-worker(31116): Debug: 
pam(user00 at realdomain.org,192.168.1.100,<IFCT0m9Y0KjAqAFk>): lookup 
service=dovecot
Sep 05 13:49:41 auth-worker(31116): Debug: 
pam(user00 at realdomain.org,192.168.1.100,<IFCT0m9Y0KjAqAFk>): #1/1 
style=1 msg=Password:
==> /var/log/dovecot.info <==
Sep 05 13:49:42 auth-worker(31116): Info: 
pam(user00 at realdomain.org,192.168.1.100,<IFCT0m9Y0KjAqAFk>): 
pam_authenticate() failed: Authentication failure (password mismatch?) 
(given password: pass)
==> /var/log/dovecot.debug <==
Sep 05 13:49:42 auth-worker(31116): Debug: 
pam(user00 at realdomain.org,192.168.1.100,<IFCT0m9Y0KjAqAFk>): lookup 
service=dovecot
Sep 05 13:49:42 auth-worker(31116): Debug: 
pam(user00 at realdomain.org,192.168.1.100,<IFCT0m9Y0KjAqAFk>): #1/1 
style=1 msg=Password:
==> /var/log/dovecot.info <==
Sep 05 13:49:45 auth-worker(31116): Info: 
pam(user00 at realdomain.org,192.168.1.100,<IFCT0m9Y0KjAqAFk>): 
pam_authenticate() failed: Authentication failure (password mismatch?) 
(given password: pass)
==> /var/log/dovecot.debug <==
Sep 05 13:49:45 auth: Debug: 
passwd-file(user00 at realdomain.org,192.168.1.100,<IFCT0m9Y0KjAqAFk>): 
lookup: user=user00 at realdomain.org file=/etc/dovecot/users
==> /var/log/dovecot.info <==
Sep 05 13:49:45 auth: Info: 
passwd-file(user00 at realdomain.org,192.168.1.100,<IFCT0m9Y0KjAqAFk>): 
unknown user (given password: pass)
==> /var/log/dovecot.debug <==
Sep 05 13:49:47 auth: Debug: client passdb out: FAIL    1       
user=user00 at realdomain.org
Sep 05 13:49:47 imap-login: Debug: Ignoring unknown passdb extra field:
==> /var/log/dovecot.info <==
Sep 05 13:49:47 imap-login: Info: Disconnected (auth failed, 1 attempts 
in 6 secs): user=<user00 at realdomain.org>, method=PLAIN, 
rip=192.168.1.100, lip=192.168.1.100, secured



On 2017-09-05 13:41, Aki Tuomi wrote:

> No, you modify dovecot.conf
> 
> Aki
> 
> On 05.09.2017 14:40, Pol Hallen wrote:
> 
> Do I modify auth-system.conf.ext only? (sorry for the question)
> 
> If yes, I have the same problem
> 
> Pol
> 
> On 2017-09-05 13:34, Aki Tuomi wrote:
> 
> Try configuring like this:
> 
> passdb {
> args = scheme=SHA256 username_format=%u /etc/dovecot/users
> driver = passwd-file
> }
> 
> passdb {
> driver = static
> args = username=%n noauthenticate
> skip = authenticated
> }
> 
> passdb {
> driver = pam
> skip = authenticated
> }
> 
> On 05.09.2017 14:29, Pol Hallen wrote:
> 
> Sure :) thanks
> 
> cat /var/log/dovecot/[...]
> 
> Sep 05 13:26:02 auth: Debug: auth client connected (pid=30131)
> Sep 05 13:26:02 auth: Debug: client in: AUTH    1       PLAIN
> service=imap    secured session=JK0Bfm9YuqfAqAFk
> lip=192.168.1.100       rip=192.168.1.100       lport=143
> rport=42938   resp=AG1heEBmdWNrYXJvdW5kLm9yZwBQYW5kb3JhMjAwMA==
> (previous base64 data may contain sensitive data)
> Sep 05 13:26:02 auth-worker(30088): Debug:
> pam(user00 at realsystem.org,192.168.1.100,<JK0Bfm9YuqfAqAFk>): lookup
> service=username_format=user00
> Sep 05 13:26:02 auth-worker(30088): Debug:
> pam(user00 at realsystem.org,192.168.1.100,<JK0Bfm9YuqfAqAFk>): #1/1
> style=1 msg=Password:
> ==> /var/log/dovecot.info <==
> Sep 05 13:26:04 auth-worker(30088): Info:
> pam(user00 at realsystem.org,192.168.1.100,<JK0Bfm9YuqfAqAFk>):
> pam_authenticate() failed: Authentication failure (password mismatch?)
> (given password: pass)
> ==> /var/log/dovecot.debug <==
> Sep 05 13:26:04 auth: Debug:
> passwd-file(user00 at realsystem.org,192.168.1.100,<JK0Bfm9YuqfAqAFk>):
> lookup: user=user00 at realsystem.org file=/etc/dovecot/users
> ==> /var/log/dovecot.info <==
> Sep 05 13:26:04 auth: Info:
> passwd-file(user00 at realsystem.org,192.168.1.100,<JK0Bfm9YuqfAqAFk>):
> unknown user (given password: pass)
> ==> /var/log/dovecot.debug <==
> Sep 05 13:26:06 auth: Debug: client passdb out: FAIL    1
> user=user00 at realsystem.org
> ==> /var/log/dovecot.info <==
> Sep 05 13:26:06 imap-login: Info: Disconnected (auth failed, 1
> attempts in 4 secs): user=<user00 at realsystem.org>, method=PLAIN,
> rip=192.168.1.100, lip=192.168.1.100, secured
> 
> doveconf -n
> 
> # 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.16 (fed8554)
> # OS: Linux 4.9.0-3-amd64 x86_64 Debian 9.1
> auth_debug = yes
> auth_debug_passwords = yes
> auth_mechanisms = login plain
> auth_verbose = yes
> auth_verbose_passwords = yes
> debug_log_path = /var/log/dovecot.debug
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot.info
> login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e 
> %c
> mail_debug = yes
> mail_home = /home/vmail/%d/%n/Maildir
> mail_location = maildir:~/Maildir
> mail_plugins = " quota quota"
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope
> encoded-character vacation subaddress comparator-i;ascii-numeric
> relational regex imap4flags copy include variables body enotify
> environment mailbox date index ihave duplicate mime foreverypart
> extracttext imapflags notify
> namespace inbox {
> inbox = yes
> location =
> mailbox Drafts {
> special_use = \Drafts
> }
> mailbox Junk {
> special_use = \Junk
> }
> mailbox Sent {
> special_use = \Sent
> }
> mailbox "Sent Messages" {
> special_use = \Sent
> }
> mailbox Trash {
> special_use = \Trash
> }
> prefix =
> subscriptions = yes
> type = private
> }
> passdb {
> args = username_format=%n
> driver = pam
> }
> passdb {
> args = scheme=SHA256 username_format=%u /etc/dovecot/users
> driver = passwd-file
> }
> plugin {
> mail_log_events = delete undelete expunge copy mailbox_delete
> mailbox_rename append flag_change
> mail_log_fields = uid box msgid size from subject vsize
> quota = maildir:User quota
> quota_rule = *:storage=10000M
> quota_rule2 = Junk:storage=+100M
> quota_rule3 = SPAM:storage=+100M
> quota_warning = storage=90%% quota-warning 90 %u
> sieve = file:~/sieve;active=~/.dovecot.sieve
> sieve_extensions = +notify +imapflags
> }
> protocols = " imap sieve pop3 sieve"
> quota_full_tempfail = yes
> service auth {
> unix_listener /var/spool/postfix/private/auth {
> group = postfix
> mode = 0666
> user = postfix
> }
> }
> service imap-login {
> inet_listener imap {
> port = 143
> }
> inet_listener imaps {
> port = 993
> ssl = yes
> }
> }
> service managesieve-login {
> inet_listener sieve {
> port = 4190
> }
> service_count = 1
> vsz_limit = 64 M
> }
> service pop3-login {
> inet_listener pop3 {
> port = 110
> }
> inet_listener pop3s {
> port = 995
> ssl = yes
> }
> }
> service quota-warning {
> executable = script /root/bin/quota-warning.sh
> unix_listener quota-warning {
> mode = 0666
> user = vmail
> }
> user = root
> }
> ssl_cert = </etc/dovecot/dovecot.pem
> ssl_dh_parameters_length = 2048
> ssl_key =  # hidden, use -P to show it
> userdb {
> driver = passwd
> }
> userdb {
> args = scheme=SHA256 username_format=%u /etc/dovecot/users
> driver = passwd-file
> }
> userdb {
> args = uid=vmail gid=vmail home=/home/vmail/%d/%n
> driver = static
> }
> verbose_proctitle = yes
> protocol lda {
> mail_plugins = " quota quota sieve quota"
> }
> protocol imap {
> mail_plugins = " quota quota imap_quota"
> }
> 
> On 2017-09-05 13:01, Aki Tuomi wrote:
> 
> Can you provide
> 
> doveconf -n  (with the new config)
> 
> enable auth_debug=yes, auth_verbose=yes and provide logs from
> authentication attempt?
> 
> Aki
> 
> On 05.09.2017 13:37, Pol Hallen wrote:
> 
> thanks Aki, but with all your advice I have the same problem: in the logs
> I always see the authentication with user and domain name, so dovecot
> doesn't accept it
> 
> any idea?
> 
> thanks!
> 
> Pol
> 
> On 2017-09-05 10:58, Aki Tuomi wrote:
> 
> Oh right, you need to do it like this...
> 
> after the passwd-file drivers add
> 
> passdb {
> driver = static
> args = username=%n noauthenticate
> }
> 
> Aki
> 
> On 05.09.2017 11:03, Pol Hallen wrote:
> 
> Hello, thanks for your reply
> 
> I already tried with:
> 
> username_format=%n or auth_username_format=%n but I have the same problem
> 
> Pol
> 
> passdb {
> driver = pam
> args = username_format=%n
> }
> 
> also you probably want to consider using driver=passwd instead, if you
> really don't need pam due to some special plugins.
> 
> Aki


-- 
Pol
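
Added example, not part of the original thread or of Dovecot: with `auth_debug_passwords = yes` and `auth_verbose_passwords = yes`, as in the `doveconf -n` output above, the logs carry the SASL PLAIN response (`resp=`, base64 of authzid NUL authcid NUL password) and the `(given password: ...)` suffix. The sketch below redacts both from a log excerpt before it is shared; the function names and the sample log lines are constructed for illustration.

```python
import base64
import binascii
import re

# auth_debug logs the client's SASL response as resp=<base64>
RESP_RE = re.compile(r"\bresp=([A-Za-z0-9+/]+={0,2})")
# Greedy up to the last ')' on the line, so a password containing ')' is
# still fully covered (over-redaction is preferred to under-redaction).
GIVEN_RE = re.compile(r"\(given password: .*\)")


def plain_fields(b64):
    """Split a SASL PLAIN response; return (authzid, authcid, has_password) or None."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        return None
    authzid, authcid, passwd = parts
    return authzid.decode("utf-8", "replace"), authcid.decode("utf-8", "replace"), bool(passwd)


def redact(text):
    """Return (redacted_text, findings) for a Dovecot auth log excerpt."""
    findings = []

    def _resp(match):
        fields = plain_fields(match.group(1))
        findings.append("sasl-plain" if fields and fields[2] else "sasl-response")
        return "resp=<redacted>"

    def _given(match):
        findings.append("given-password")
        return "(given password: <redacted>)"

    text = RESP_RE.sub(_resp, text)
    text = GIVEN_RE.sub(_given, text)
    return text, findings


# Constructed sample lines in the shape of the logs in this thread.
SAMPLE_B64 = base64.b64encode(b"\x00alice@example.test\x00s3cret)pw").decode()
SAMPLE = (
    "Sep 05 13:49:41 auth: Debug: client in: AUTH\t1\tPLAIN\tservice=imap\t"
    "resp=" + SAMPLE_B64 + "\n"
    "Sep 05 13:49:41 auth: Info: passwd-file(alice@example.test,192.0.2.10): "
    "unknown user (given password: s3cret)pw) - trying the next passdb\n"
)

if __name__ == "__main__":
    print(redact(SAMPLE)[0])
```

Once debugging is finished, setting `auth_debug_passwords` and `auth_verbose_passwords` back to `no` stops the values from being logged at all.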

