This morning on our newly built server, the following was logged twice:
auth: Error: pam(username, pam_authenticate() failed: Authentication 
failure (/etc/pam.d/dovecot missing?)

This also happened to be during a time of 100+ imap-login processes, where we 
were seeing:
master: Warning: service(imap-login): process_limit reached, client connections 
are being dropped

The initial error was correct, in that I had not yet created 
/etc/pam.d/dovecot. I have since created the file. However, we brought this 
server into production yesterday & there were no complaints, nor was the error 
logged besides twice this morning within 3.5 minutes of each other.

In looking at pam documentation, it is my understanding that when a service 
(dovecot) does not have its own file existing under /etc/pam.d, then pam will 
instead use the settings from /etc/pam.d/other as defaults. This seems logical 
to me, and would explain why things have been working fairly well with no 
errors regarding pam (other than the 2 logged this morning). However, what this 
does not explain, is why dovecot auth logged about the file missing at all. I 
can only guess that it was related to logins being dropped due to high load, 
and was incorrectly logged??

For reference, my current /etc/pam.d/dovecot is:
auth    required nullok
account required

My current /etc/pam.d/other is:
@include common-auth
@include common-account
@include common-password
@include common-session

Which results in (confirmed via: grep -v ^# common-auth common-account 
common-password common-session)
auth    [success=1 default=ignore] nullok_secure
auth    requisite             
auth    required              
account [success=1 new_authtok_reqd=done default=ignore]
account requisite             
password        [success=1 default=ignore] obscure sha512
password        requisite             
password        required              
session [default=1]           
session requisite             
session required              
session required

So there definitely is quite a difference between the dovecot pam file I 
created (based on the dovecot2 wiki), and the system default (other). I don't 
know whether this could have been related, so I figured I'd share.

Otherwise, I'm running dovecot 2.0.9 compiled from source. dovecot -n at the 
time of the pam errors was probably:

# 2.0.9: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0
auth_debug = yes
auth_mechanisms = plain login
disable_plaintext_auth = no
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_debug = yes
mail_location = maildir:~/
mail_privileged_group = mail
passdb {
  driver = pam
}
protocols = imap pop3
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = root
}
ssl_cert = </etc/ssl/certs/
ssl_key = </etc/ssl/private/
userdb {
  driver = passwd
}

Doug Mortensen
Network Consultant
Impala Networks Inc
CCNA, MCSA, Security+, A+
Linux+, Network+, Server+
P: (505) 327-7300
F: (505) 327-7545
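
The fallback described in the post (no /etc/pam.d/dovecot, so /etc/pam.d/other applies) can be checked with a small script that reports which file a service resolves to and prints the stack with @include lines expanded. This is an added example, not part of the original message; the function names are hypothetical, and the sample tree and its pam_unix.so lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the Debian layout in
# which "@include NAME" is resolved relative to the PAM directory.

# Print the file PAM would read for SERVICE: its own file, else "other".
pam_service_file() {
    if [ -f "$1/$2" ]; then printf '%s\n' "$1/$2"
    elif [ -f "$1/other" ]; then printf '%s\n' "$1/other"
    else return 1
    fi
}

# Print the rules in FILE without comments or blank lines, expanding
# @include recursively. Each include runs in a subshell so the caller's
# variables survive; depth is capped to stop include loops.
pam_expand() {
    dir=$1; file=$2; depth=${3:-0}
    [ "$depth" -le 8 ] || { echo "include depth exceeded: $file" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) ;;
            '@include '*) ( pam_expand "$dir" "$dir/${line#@include }" $((depth + 1)) ) ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$file"
}

# Effective stack for SERVICE under DIR, after fallback and include expansion.
pam_effective_stack() {
    f=$(pam_service_file "$1" "$2") || return 1
    pam_expand "$1" "$f"
}

# Constructed sample tree: "other" includes common-auth, no dovecot file yet.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf '# constructed sample\nauth required pam_unix.so nullok_secure\n' > "$d/common-auth"
    printf '@include common-auth\n' > "$d/other"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
echo "before: $(pam_service_file "$sample" dovecot)"
pam_effective_stack "$sample" dovecot
printf 'auth required pam_unix.so nullok\n' > "$sample/dovecot"
echo "after: $(pam_service_file "$sample" dovecot)"
pam_effective_stack "$sample" dovecot
rm -rf "$sample"
```

On a real host, call pam_effective_stack /etc/pam.d dovecot to see which rules currently apply to the service.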
