Authentication Problem with dovecot-2.3.0.1
Aki Tuomi
aki.tuomi at dovecot.fi
Thu Mar 8 10:16:25 EET 2018
> On 08 March 2018 at 10:00 Odhiambo Washington <odhiambo at gmail.com> wrote:
>
>
> On 8 March 2018 at 10:09, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>
> >
> >
> > On 07.03.2018 22:07, Odhiambo Washington wrote:
> >
> > I am a little confused here.
> >
> > I have been running 2.2.34 which I installed in /opt/dovecot2.2
> > I installed 2.3.0.1 to /opt/dovecot23
> >
> > I then used config files from /opt/dovecot2.2/etc/dovecot to
> > /opt/dovecot2.3/etc/dovecot and all I did was sed -i.BAK
> > 's/dovecot2.2/dovecot2.3/g'. Dovecot started and was running file.
> >
> > Next, I manually crafted config files for 2.3.0.1 based on the example
> > config files provided which diff-ing those with what I had for 2.2.34. I
> > doub't if I missed something crucial during the process.
> >
> > 1. I realized that I cannot start 2.3.0.1 when I enable submission, since
> > my Exim MTA is already using that port. This persists even if I tell the
> > submission protocol to use a different port than 587. I tested 2587, but it
> > would appear that 587 is hard-coded!
> >
> > 2. I realize that "unix_listener auth-client" service ceased to exist!
> >
> > 3. *I realized that while 2.2.34 runs with default_pass_scheme =
> > MD5-CRYPT, 2.3.0.1 would not run with it.*
> >
> > 4. I have run dovecot -n from my 2.2.x installation and 2.3.x installation
> > and here is the diff from the two files.
> >
> > I am confused why authentication is failing with dovecot-2.3.0.1 when it
> > uses 2.3.x config files using MD5-CRYPT scheme while it is succeeding with
> > dovecot-2.2.34 using the same.
> > *Mar 07 22:30:22 auth: Info: sql(user.name at domain.name
> > <user.name at domain.name>,192.168.55.97,<4CETl9dmscvAqDdh>): Requested
> > DIGEST-MD5 scheme, but we have only MD5-CRYPT*
> >
> > Maybe the problem is elsewhere??? I need a 3rd eye to help me.
> >
> > For now
> >
> > root at gw:~wash/public_html # sdiff dovecot-2.2.txt dovecot-2.3.txt | less
> > # 2.2.34 (874deae): /opt/dovecot2.2/etc/dovecot/dovecot.conf | # 2.3.0.1
> > (ffd8a29): /opt/dovecot2.3/etc/dovecot/dovecot.conf
> > # OS: FreeBSD 9.3-STABLE i386 ufs # OS:
> > FreeBSD 9.3-STABLE i386 ufs
> > # Hostname: localhost <
> > auth_cache_size = 20 M
> > auth_cache_size = 20 M
> > auth_master_user_separator = *
> > auth_master_user_separator = *
> > auth_mechanisms = plain login digest-md5
> > auth_mechanisms = plain login digest-md5
> > auth_socket_path = /var/run/dovecot/auth-userdb
> > auth_socket_path = /var/run/dovecot/auth-userdb
> > base_dir = /var/run/dovecot/ base_dir =
> > /var/run/dovecot/
> > default_login_user = dovecot
> > default_login_user = dovecot
> > disable_plaintext_auth = no
> > disable_plaintext_auth = no
> > first_valid_gid = 0
> > first_valid_gid = 0
> > first_valid_uid = 26
> > first_valid_uid = 26
> > hostname = gw hostname = gw
> > info_log_path = /var/log/dovecot.log
> > info_log_path = /var/log/dovecot.log
> > mail_location = maildir:/var/spool/virtual/%d/%n/Maildir:INDE
> > mail_location = maildir:/var/spool/virtual/%d/%n/Maildir:INDE
> > mail_plugins = " quota" <
> > namespace inbox { namespace
> > inbox {
> > inbox = yes inbox =
> > yes
> > location = location
> > =
> > mailbox Drafts { mailbox
> > Drafts {
> > special_use = \Drafts
> > special_use = \Drafts
> > } }
> > mailbox Junk { mailbox
> > Junk {
> > special_use = \Junk
> > special_use = \Junk
> > } }
> > mailbox Sent { mailbox
> > Sent {
> > special_use = \Sent
> > special_use = \Sent
> > } }
> > mailbox "Sent Messages" { mailbox
> > "Sent Messages" {
> > special_use = \Sent
> > special_use = \Sent
> > } }
> > mailbox Trash { mailbox
> > Trash {
> > special_use = \Trash
> > special_use = \Trash
> > } }
> > prefix = prefix =
> > } }
> > passdb { passdb {
> > args = /opt/dovecot2.2/etc/dovecot/passwd.master_users.ext | args =
> > /opt/dovecot2.3/etc/dovecot/passwd.master_users.ext
> > driver = passwd-file driver =
> > passwd-file
> > master = yes master =
> > yes
> > pass = yes pass =
> > yes
> > } }
> > passdb { passdb {
> > args = /opt/dovecot2.2/etc/dovecot/dovecot-sql.conf.ext | args =
> > /opt/dovecot2.3/etc/dovecot/dovecot-sql.conf.ext
> > driver = sql driver =
> > sql
> > } }
> > plugin { plugin {
> > mail_log_fields = uid box msgid size
> > mail_log_fields = uid box msgid size
> > quota_rule = *:storage=1G
> > quota_rule = *:storage=1G
> > quota_rule2 = Trash:storage=+100M
> > quota_rule2 = Trash:storage=+100M
> > quota_warning = storage=95%% quota-warning 95 %u
> > quota_warning = storage=95%% quota-warning 95 %u
> > quota_warning2 = storage=80%% quota-warning 80 %u
> > quota_warning2 = storage=80%% quota-warning 80 %u
> > quota_warning3 = -storage=100%% quota-warning below %u
> > quota_warning3 = -storage=100%% quota-warning below %u
> > } }
> > service auth { service
> > auth {
> > unix_listener auth-client { <
> > mode = 0600 <
> > user = mailnull <
> > }
> > <
> > unix_listener auth-userdb {
> > unix_listener auth-userdb {
> > group = mailnull group
> > = mailnull
> > user = mailnull user =
> > mailnull
> > } }
> > } }
> > service quota-warning { service
> > quota-warning {
> > executable = script /opt/dovecot2.2/scripts/quota-warning.s |
> > executable = script /opt/dovecot2.3/scripts/quota-warning.s
> > unix_listener quota-warning {
> > unix_listener quota-warning {
> > user = mailnull user =
> > mailnull
> > } }
> > user = dovecot user =
> > dovecot
> > } }
> > ssl_cert = </usr/local/etc/letsencrypt/live/gw.crownkenya.com ssl_cert
> > = </usr/local/etc/letsencrypt/live/gw.crownkenya.com
> > ssl_key = # hidden, use -P to show it ssl_key =
> > # hidden, use -P to show it
> > >
> > submission_max_mail_size = 4 G
> > userdb { userdb {
> > args = /opt/dovecot2.2/etc/dovecot/dovecot-sql.conf.ext | args =
> > /opt/dovecot2.3/etc/dovecot/dovecot-sql.conf.ext
> > driver = sql driver =
> > sql
> > } }
> > protocol lda { <
> > mail_plugins = quota <
> > } <
> > protocol imap { protocol
> > imap {
> > mail_max_userip_connections = 5
> > mail_max_userip_connections = 5
> > mail_plugins = " quota imap_quota" <
> > } }
> > protocol pop3 { | protocol
> > lda {
> > mail_max_userip_connections = 5 |
> > mail_plugins = quota
> > } }
> >
> >
> > Maybe I am just suffering brainlock and need to debug auth further, but I
> > have see a question about this auth issue already from another poster, and
> > it's not been answered by anyone.
> >
> >
> >
> >
> >
> > Can you send 'doveconf -n' for the 2.3.0.1 instance?
> >
> > Also. You cannot use hashed passwords with DIGEST-MD5. MD5-CRYPT is hashed
> > password scheme.
> >
> > To change dovecot's submission service port, use
> >
> > service submission-login {
> > inet_listener {
> > port = 2587
> > }
> > }
> >
> > "auth-client" cannot be missing, since you can specify arbitrary listeners
> > in dovecot, so https://wiki.dovecot.org/HowTo/EximAndDovecotSASL is still
> > quite valid.
> >
> > Aki
> >
>
>
> Here is the output:
>
> root at gw:/opt/dovecot2.3/etc # ../bin/doveconf -n
> # 2.3.0.1 (ffd8a29): /opt/dovecot2.3/etc/dovecot/dovecot.conf
> # OS: FreeBSD 9.3-STABLE i386 ufs
> auth_cache_size = 20 M
> auth_master_user_separator = *
> auth_mechanisms = plain login digest-md5
> auth_socket_path = /var/run/dovecot/auth-userdb
> base_dir = /var/run/dovecot/
> default_login_user = dovecot
> disable_plaintext_auth = no
> first_valid_gid = 0
> first_valid_uid = 26
> hostname = gw.crownkenya.com
> info_log_path = /var/log/dovecot.log
> mail_location = maildir:/var/spool/virtual/%d/%n/Maildir:INDEX=MEMORY
> namespace inbox {
> inbox = yes
> location =
> mailbox Drafts {
> special_use = \Drafts
> }
> mailbox Junk {
> special_use = \Junk
> }
> mailbox Sent {
> special_use = \Sent
> }
> mailbox "Sent Messages" {
> special_use = \Sent
> }
> mailbox Trash {
> special_use = \Trash
> }
> prefix =
> }
> passdb {
> args = /opt/dovecot2.3/etc/dovecot/passwd.master_users.ext
> driver = passwd-file
> master = yes
> pass = yes
> }
> passdb {
> args = /opt/dovecot2.3/etc/dovecot/dovecot-sql.conf.ext
> driver = sql
> }
> plugin {
> mail_log_fields = uid box msgid size
> quota_rule = *:storage=1G
> quota_rule2 = Trash:storage=+100M
> quota_warning = storage=95%% quota-warning 95 %u
> quota_warning2 = storage=80%% quota-warning 80 %u
> quota_warning3 = -storage=100%% quota-warning below %u
> }
> postmaster_address = postmaster at ccc.com
> service auth {
> unix_listener auth-userdb {
> group = mailnull
> user = mailnull
> }
> }
> service quota-warning {
> executable = script /opt/dovecot2.3/scripts/quota-warning.sh
> unix_listener quota-warning {
> user = mailnull
> }
> user = dovecot
> }
> ssl_cert = </usr/local/etc/letsencrypt/live/gw.ccc.com/fullchain.pem
> ssl_key = # hidden, use -P to show it
> submission_max_mail_size = 4 G
> userdb {
> args = /opt/dovecot2.3/etc/dovecot/dovecot-sql.conf.ext
> driver = sql
> }
> protocol imap {
> mail_max_userip_connections = 5
> }
> protocol lda {
> mail_plugins = quota
> }
>
>
>
> My default_pass_scheme = MD5-CRYPT, but while running 2.3.0.1 there were
> many authentication failures and I would see some MS OutHouse clients were
> asking for DIGEST-MD5!
> Right now I am back to running 2.2.33.1 (2.2.34 has been having issues
> which were forcing me to reboot the server, but being a busy server it'e
> been hard to find a good time to figure out why server would run out of
> buffers) and everything is good!
>
>
> About submission, I looked in 10-master.conf and modified as follows:
>
> service submission-login {
> inet_listener submission {
> port = 2587
> }
> }
>
> .... but it would still make dovecot fail to start, because Exim is
> listening on port 587.
>
> I see that your suggested modification is slightly different when it comes
> to inet_listener line, because you do not include "submission" after
> inet_listener and that is different from the format used in 10-master.conf:
>
> service submission-login {
> inet_listener {
> port = 2587
> }
> }
>
> PS: I will look at whether I accidentally did something during my editing
> which resulted in the auth-client line missing in my new configuration.
>
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254 7 3200 0004/+254 7 2274 3223
> "Oh, the cruft."
service submission-login {
inet_listener submission {
address =
haproxy = no
port = 587
reuse_port = no
ssl = no
}
}
this is the default config. We have not hard-coded any listener port.
Aki
More information about the dovecot
mailing list