-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wed, 1 Feb 2017, Poliman - Serwis wrote:
I don't have doveadm logs in /var/log/. Are they in another place by default, or
should I turn something on?
run
doveadm log find
as root.
Maybe: doveadm log errors
My config (default passdb block and auth_mechanisms, nothing more changed):
Is this still a question about CRAM ? I don't see it there.
root@vps342401:/etc/dovecot# doveconf -n
# 2.2.9: /etc/dovecot/dovecot.conf
# OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS
auth_mechanisms = plain login
listen = *,[::]
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_max_userip_connections = 100
mail_plugins = " quota"
mail_privileged_group = vmail
passdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
plugin {
quota = dict:user::file:/var/vmail/%d/%n/.quotausage
sieve = /var/vmail/%d/%n/.sieve
sieve_max_redirects = 25
}
postmaster_address = postmas...@vps342401.ovh.net
protocols = imap pop3
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-userdb {
group = vmail
mode = 0600
user = vmail
}
user = root
}
service imap-login {
client_limit = 1000
process_limit = 512
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
}
}
ssl = required
ssl_cert = </etc/postfix/smtpd.cert
ssl_cipher_list =
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_dh_parameters_length = 2048
ssl_key = </etc/postfix/smtpd.key
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
userdb {
driver = prefetch
}
userdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
protocol imap {
mail_plugins = quota imap_quota
}
protocol pop3 {
mail_plugins = quota
pop3_uidl_format = %08Xu%08Xv
}
protocol lda {
mail_plugins = sieve quota
postmaster_address = webmaster@localhost
}
protocol lmtp {
mail_plugins = quota sieve
postmaster_address = webmaster@localhost
}
Error from mail.err:
Feb 1 09:50:01 vps342401 postfix/smtpd[699]: fatal: no SASL authentication
mechanisms
Feb 1 09:51:02 vps342401 postfix/smtpd[724]: fatal: no SASL authentication
mechanisms
Feb 1 09:51:02 vps342401 postfix/smtpd[725]: fatal: no SASL authentication
mechanisms
Feb 1 09:52:21 vps342401 postfix/smtps/smtpd[773]: fatal: no SASL
authentication mechanisms
Error from syslog:
Feb 1 09:52:21 vps342401 postfix/smtps/smtpd[773]: connect from
host9323131.internet.3s.com[12.34.45.56]
Feb 1 09:52:21 vps342401 postfix/smtps/smtpd[773]: fatal: no SASL
authentication mechanisms
Feb 1 09:52:22 vps342401 postfix/master[29133]: warning: process
/usr/lib/postfix/smtpd pid 773 exit status 1
Feb 1 09:52:22 vps342401 postfix/master[29133]: warning:
/usr/lib/postfix/smtpd: bad command startup -- throttling
Feb 1 09:53:01 vps342401 CRON[777]: (root) CMD
(/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo
`/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
Feb 1 09:53:01 vps342401 CRON[778]: (root) CMD
(/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo
`/bin/date` "$line" >> /var/log/ispconfig/cron.log; done )
2017-02-01 9:40 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:
doveadm log errors can be helpful too
On 01.02.2017 10:25, Poliman - Serwis wrote:
I can check each logs, I have root privileges.
2017-02-01 9:04 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:
Can you check your logs?
Aki
On 01.02.2017 10:02, Poliman - Serwis wrote:
When I used backup copy of the dovecot.conf file I have this same
error.
So
I think that maybe something was written to database? I really would
point
out that I only added
passdb {
driver = passwd-file
args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
}
and comment out from above block default lines
#args = /etc/dovecot/dovecot-sql.conf
#driver = sql
And in auth_mechanisms add line cram-md5. Nothing more in any other
file.
I don't want to use cram-md5. I need to move back to the default settings.
Cram-md5 was only for testing purposes. :) I supposed that I could move
back to the defaults by commenting out the added lines, but unfortunately it
isn't that simple.
2017-02-01 8:59 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:
Are you still trying to authenticate using cram-md5?
Aki
On 01.02.2017 09:51, Poliman - Serwis wrote:
It still use:
passdb {
driver = passwd-file
args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
}
When I delete above and delete "cram-md5" in auth_mechanisms it still
not
working.
2017-02-01 8:45 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:
You are probably wanting to do
passdb {
driver = passwd-file
args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
}
passdb {
driver = sql
args = /etc/dovecot/dovecot-sql.conf
}
Why you want to use cram-md5 is beyond me, because using SSL is much safer.
Aki
On 01.02.2017 09:41, Poliman - Serwis wrote:
Default it was: "auth_mechanisms = plain login" and I added
cram-md5.
After restart all work perfectly. But after I added:
driver = passwd-file
args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
I can't set default lines because I got error. Please tell me which
lines
should be changed to resolve this issue. Should I remove "login"
from
auth_mechanism ("login" was default setting and I would like to
move
back
to default settings)?
2017-02-01 8:36 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:
Because cram-md5 needs the user's password for calculating responses, it
cannot work with hashed (one-way encrypted) passwords. The only
supported password schemes are PLAIN and CRAM-MD5.
Aki
On 01.02.2017 09:33, Poliman - Serwis wrote:
I always restart dovecot after change config. ;) Sure, I
commented
out
added two lines by me, restarted dovecot and here it is:
# 2.2.9: /etc/dovecot/dovecot.conf
# OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS
auth_mechanisms = plain login cram-md5
listen = *,[::]
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_max_userip_connections = 100
mail_plugins = " quota"
mail_privileged_group = vmail
passdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
plugin {
quota = dict:user::file:/var/vmail/%d/%n/.quotausage
sieve = /var/vmail/%d/%n/.sieve
sieve_max_redirects = 25
}
postmaster_address = postmas...@example.com
protocols = imap pop3
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-userdb {
group = vmail
mode = 0600
user = vmail
}
user = root
}
service imap-login {
client_limit = 1000
process_limit = 512
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
}
}
ssl = required
ssl_cert = </etc/postfix/smtpd.cert
ssl_cipher_list =
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:
DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+
AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-
SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-
RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-
AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-
RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:
DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:
AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-
SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!
EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!
EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_dh_parameters_length = 2048
ssl_key = </etc/postfix/smtpd.key
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
userdb {
driver = prefetch
}
userdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
protocol imap {
mail_plugins = quota imap_quota
}
protocol pop3 {
mail_plugins = quota
pop3_uidl_format = %08Xu%08Xv
}
protocol lda {
mail_plugins = sieve quota
postmaster_address = webmaster@localhost
}
protocol lmtp {
mail_plugins = quota sieve
postmaster_address = webmaster@localhost
}
2017-02-01 8:27 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:
On 01.02.2017 08:18, Poliman - Serwis wrote:
This is debug log files in syslog:
Feb 1 07:10:25 vps342401 dovecot: auth: Debug: client passdb
out:
CONT#0112#011PDAxODg3ODIzMTUwMzgxNzMuMTQ
4NTkyOTQyNUB2cHMzNDI0MDEub3ZoL
m5ldD4=
Feb 1 07:10:26 vps342401 dovecot: auth: Debug: client in:
CONT<hidden>
Feb 1 07:10:26 vps342401 dovecot: auth-worker(27069): Debug:
sql(
do_not_re...@example.com,12.173.211.32): query: SELECT email
as
user,
password, maildir as userdb_home, CONCAT( maildir_format, ':',
maildir,
'/', IF(maildir_format='maildir','Maildir',maildir_format)) as
userdb_mail,
uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=',
quota,
'B')
AS
userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve
FROM
mail_user WHERE (login = 'do_not_re...@example.com' OR email
= '
do_not_re...@example.com') AND `disablesmtp` = 'n' AND
server_id =
'1'
Feb 1 07:10:26 vps342401 dovecot: auth-worker(27069):
password(
do_not_re...@example.com, 12.173.211.32): Requested CRAM-MD5
scheme,
but we
have only CRYPT
Feb 1 07:10:28 vps342401 dovecot: auth: Debug: client passdb
out:
FAIL#0112#011user=do_not_re...@example.com
Feb 1 07:10:28 vps342401 postfix/smtps/smtpd[27067]: warning:
host23131.internet.3s.com[12.173.211.32]: SASL CRAM-MD5
authentication
failed: PDAxODg3ODIzMTUwMzgxNzMuMTQ4NT
kyOTQyNUB2cHMzNDI0MDEub3ZoLm5l
dD4=
Feb 1 07:11:02 vps342401 CRON[27074]: (root) CMD
(/usr/local/ispconfig/server/server.sh 2>&1 | while read line;
do
echo
`/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
Feb 1 07:11:02 vps342401 CRON[27075]: (root) CMD
(/usr/local/ispconfig/server/cron.sh 2>&1 | while read line;
do
echo
`/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
Feb 1 07:11:11 vps342401 dovecot: auth: Debug: client in:
AUTH#0113#011CRAM-MD5#011service=smtp#011nologin#
011lip=173.72.31.7#011rip=12.173.211.32#011secured
Feb 1 07:11:11 vps342401 dovecot: auth: Debug: client passdb
out:
CONT#0113#011PDE3NDg1NjE4MTgxNTk2OTAuMTQ
4NTkyOTQ3MUB2cHMzNDI0MDEub3ZoL
m5ldD4=
Feb 1 07:11:11 vps342401 dovecot: auth: Debug: client in:
CONT<hidden>
Feb 1 07:11:11 vps342401 dovecot: auth-worker(27069): Debug:
sql(
do_not_re...@example.com,12.173.211.32): query: SELECT email
as
user,
password, maildir as userdb_home, CONCAT( maildir_format, ':',
maildir,
'/', IF(maildir_format='maildir','Maildir',maildir_format)) as
userdb_mail,
uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=',
quota,
'B')
AS
userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve
FROM
mail_user WHERE (login = 'do_not_re...@example.com' OR email
= '
do_not_re...@example.com') AND `disablesmtp` = 'n' AND
server_id =
'1'
Feb 1 07:11:11 vps342401 dovecot: auth-worker(27069):
password(
do_not_re...@example.com,12.173.211.32): Requested CRAM-MD5
scheme,
but
we
have only CRYPT
Feb 1 07:11:13 vps342401 dovecot: auth: Debug: client passdb
out:
FAIL#0113#011user=do_not_re...@example.com
#####################
I added in dovecot.conf lines in passdb block:
driver = passwd-file
args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
and commented out default lines
#args = /etc/dovecot/dovecot-sql.conf
#driver = sql
When I try set again default lines I got above error
Can you run doveconf -n with the configuration that causes the above
error? Also, it clearly does an SQL lookup, so that error is happening with
the SQL passdb. You need to remember to restart dovecot between
configuration changes.
Aki
2017-01-31 8:08 GMT+01:00 Aki Tuomi <aki.tu...@dovecot.fi>:
On 31.01.2017 09:06, Poliman - Serwis wrote:
I set up cram-md5 using this tutorial
https://wiki2.dovecot.org/HowTo/CRAM-MD5 in
/etc/dovecot/dovecot.conf
in
passdb code block:
listen = *,[::]
protocols = imap pop3
#auth_mechanisms = plain login cram-md5
auth_mechanisms = cram-md5 plain login
#dodana nizej linia
ssl = required
disable_plaintext_auth = yes
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_privileged_group = vmail
postmaster_address = postmas...@vps342401.ovh.net
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
ssl_cipher_list =
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES$
ssl_prefer_server_ciphers = yes
ssl_dh_parameters_length = 2048
mail_max_userip_connections = 100
passdb {
# args = /etc/dovecot/dovecot-sql.conf
# driver = sql
driver = passwd-file
args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
}
userdb {
driver = prefetch
}
userdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
Of course I created the cram-md5.pwd file. All mails go out and come in
nicely. But then I wanted to go back to the default settings by commenting
out these two lines:
driver = passwd-file
args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
and uncomment
# args = /etc/dovecot/dovecot-sql.conf
# driver = sql
I can't send emails - I use Thunderbird - get error "logging
on
server
mail.example.com not work out". Error in logs:
dovecot: auth-worker(22698): Error: Auth worker sees
different
passdbs/userdbs than auth server.
dovecot: auth: Error: read(anvil-auth-penalty) failed: EOF
Is it possible that the hashed password from the cram-md5.pwd file was
written to the database (if yes, then where - I have ISPconfig)? I didn't
change any userdb {} block, and the second userdb block has the same lines
as the default settings in the passdb block.
Try
auth_debug=yes
auth_verbose=yes
and see if it gives any more reasonable messages.
Aki
- --
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEVAwUBWJRepnz1H7kL/d9rAQKj6gf/eKXC6JV/69gmyXaC3iSwNHmOS6qjYlFl
L+cUexFQM/t/tk0z/N9olmcIm8tJd1HFruJGrb9/StBirenuJYJ54AOyd3zi8XDg
Gu+vbcBE2T97w48SqTsujJKPT/dVFZ9kHtYymNMjLNJANdr/X4r+/QNw710B96US
FDNc96xBGKjrn/uE0SToclFXuvOE4Ymu8JGQHDQO7X35r9M9NBLfSP8VXwtIlnDX
9P/UQvisFuLNtXHh4wO77b0Jdw3V2CYgER0l5ctHYAgaS4d8CNGHnINLZvFiJusL
s4TG5Yf1OHC3wMiRCikybkO5fNezXuvc7xMbKYV9HDKxjLvP1paAPA==
=gHJk
-----END PGP SIGNATURE-----