Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
On 3/31/2014 5:47 PM, Jeffrey Walton noloa...@gmail.com wrote: On Mon, Mar 31, 2014 at 5:39 PM, Reindl Haraldh.rei...@thelounge.net wrote: and the settings are*really* in /etc/dovecot/dovecot.conf or in some .d-folder which may or may not be included? I believe they are in /etc/dovecot/dovecot.conf: # cat /etc/dovecot/dovecot.conf | grep -i auth_ auth_mechanisms = plain login digest-md5 cram-md5 #auth_proxy_self = Jeffrey, What you are missing is that there is a very good reason that ONLY the output of doveconf -n is wanted here... It proves that you are using the settings you think you are using. simply cat'ing the contents of a file that you areediting is not good enough. Like postconf -n in postfix, doveconf -n dumps the output of the config that the running version of dovecot is qactually using. This shines the light on obvious errors, like when you are editing a config file that is NOT being used. This is a common mistake, especially in distributions that put things in non-standard places. So, what is output of doveconf -n? And postconf -n (if needed)? -- Best regards, Charles
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
On 3/31/2014 5:37 PM, Jeffrey Walton noloa...@gmail.com wrote: My dovecot.conf has the following: You still have yet to prove this (doveconf -n output). # No results when searching the wiki disable_plaintext_auth = no Then you are searching the wiki wrong. After entering the parameter in the searchbox (obviously you should not add the '=no' part), did you click 'Titles'? Or 'Text'? Or did you just hit [enter]? You have to click the 'Text' button (to the right of the searchbox) to search the article CONTENT. Just hitting [Enter] results in a simple 'Titles' search, which only searches the wiki article Titles. Personally I don't like this. I think the default should be to search content. #http://wiki2.dovecot.org/Authentication/Mechanisms auth_mechanisms = plain login digest-md5 cram-md5 When I attempt to run imapsync, I receive an error: Host2: host says it has NO CAPABILITY for AUTHENTICATE LOGIN imapsync also dumps the helo string, and it is missing: Host2: * OK [CAPABILITY IMAP4rev1 LITERAL+ ... STARTTLS AUTH=PLAIN] Dovecot ready. I've restarted the dovecot service with 'service dovecot restart' and even rebooted the machine. There is nothing reported in any on the log files (/var/mail/dovecot.log and /var/log/mail.level). Then you are looking at the wrong log files. Any ideas why dovecot is not honoring the setting in its config file? Best guess is you are not using the config file you think you are using. What distro is this? -- Best regards, Charles
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
On Tue, Apr 1, 2014 at 6:22 AM, Charles Marcus
cmar...@media-brokers.com wrote:
...
What you are missing is that there is a very good reason that ONLY the
output of doveconf -n is wanted here...
It proves that you are using the settings you think you are using.
# doveconf -n
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-686-pae i686 Debian 7.4
disable_plaintext_auth = no
log_path = /var/log/dovecot.log
mail_location = mbox:~/mail:INBOX=/var/mail/%u
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox Sent Messages {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
args = /var/mail/%d/users
driver = passwd-file
}
passdb {
driver = pam
}
plugin {
sieve = ~/.dovecot.sieve
sieve_dir = ~/sieve
}
protocols = imap pop3
ssl_cert = /etc/dovecot/dovecot.pem
ssl_key = /etc/dovecot/private/dovecot.pem
userdb {
driver = passwd
}
**
# postconf -n
alias_maps = hash:/etc/postfix/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
inet_protocols = all
mailbox_command =
mailbox_size_limit = 0
mydestination = debian-x2.home.pvt, localhost.home.pvt, localhost
myhostname = debian-x2.home.pvt
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_protocols = !SSLv2 !SSLv3 !PSK !SRP !KRB5
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/aliases
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/mail
virtual_mailbox_domains = hash:/etc/postfix/domains
virtual_mailbox_maps = hash:/etc/postfix/mailboxes
virtual_minimum_uid = 100
virtual_uid_maps = static:5000
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
On 4/1/2014 6:34 AM, Jeffrey Walton noloa...@gmail.com wrote: On Tue, Apr 1, 2014 at 6:22 AM, Charles Marcus cmar...@media-brokers.com wrote: ... What you are missing is that there is a very good reason that ONLY the output of doveconf -n is wanted here... It proves that you are using the settings you think you are using. # doveconf -n # 2.1.7: /etc/dovecot/dovecot.conf # OS: Linux 3.2.0-4-686-pae i686 Debian 7.4 disable_plaintext_auth = no So... where is auth_mechanisms? You said you had it set to auth_mechanisms = plain login digest-md5 cram-md5 Fix this and try again... -- Best regards, Charles
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
Am 01.04.2014 12:22, schrieb Charles Marcus: On 3/31/2014 5:47 PM, Jeffrey Walton noloa...@gmail.com wrote: On Mon, Mar 31, 2014 at 5:39 PM, Reindl Haraldh.rei...@thelounge.net wrote: and the settings are*really* in /etc/dovecot/dovecot.conf or in some .d-folder which may or may not be included? I believe they are in /etc/dovecot/dovecot.conf: # cat /etc/dovecot/dovecot.conf | grep -i auth_ auth_mechanisms = plain login digest-md5 cram-md5 #auth_proxy_self = What you are missing is that there is a very good reason that ONLY the output of doveconf -n is wanted here... if you would really follow the thread you whould have noticed that he did that already and i asked for the complete config file because: * the mentioned one is clearly stated by doveconf -n * the values in question are not displayed in the output Am 01.04.2014 12:44, schrieb Charles Marcus: So... where is auth_mechanisms? You said you had it set to auth_mechanisms = plain login digest-md5 cram-md5 Fix this and try again.. and *that* is why i asked for the complete config yesterday because 2.1.7: /etc/dovecot/dovecot.conf is stated as config file and the value in question is not listed signature.asc Description: OpenPGP digital signature
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
On Tue, Apr 1, 2014 at 6:44 AM, Charles Marcus cmar...@media-brokers.com wrote: On 4/1/2014 6:34 AM, Jeffrey Walton noloa...@gmail.com wrote: On Tue, Apr 1, 2014 at 6:22 AM, Charles Marcus cmar...@media-brokers.com wrote: ... What you are missing is that there is a very good reason that ONLY the output of doveconf -n is wanted here... It proves that you are using the settings you think you are using. # doveconf -n # 2.1.7: /etc/dovecot/dovecot.conf # OS: Linux 3.2.0-4-686-pae i686 Debian 7.4 disable_plaintext_auth = no So... where is auth_mechanisms? You said you had it set to # doveconf -n | head -1 # 2.1.7: /etc/dovecot/dovecot.conf # cat /etc/dovecot/dovecot.conf | grep -i auth_ auth_mechanisms = plain login digest-md5 cram-md5 #auth_proxy_self = Obviously, I don't know how. That's the file that conf dovecot claims it is using. It you know how to find out the conf file dovecot is *really* using, then please let me know. Jeff
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
On 4/1/2014 6:56 AM, Jeffrey Walton noloa...@gmail.com wrote: Obviously, I don't know how. That's the file that conf dovecot claims it is using. It you know how to find out the conf file dovecot is *really* using, then please let me know. First read this: http://wiki2.dovecot.org/BasicConfiguration Especially this part: The default configuration starts from dovecot.conf, which contains an !include conf.d/*.conf statement to read the rest of the configuration. This split of configuration files isn't a requirement to use, and it doesn't really matter which .conf file you add any particular setting, just as long as it isn't overridden in another file. You can verify with doveconf -n that everything looks as you intended. If you want all settings in a single config file, you need to tell dovecot this. If you don't, then the last settings that are applied, based on the order these split config files (in conf.d) are read (the number prefix determines the order) win. Personally, I put all of mine in /etc/dovecot/conf.d/99-mysettings.conf The 99- prefix makes sure that these settings get applied plast. Also, you never answered my last question - what distro? Some distros put config files in different (non-standard) places, and/or enable chroot by default, complicating things for their users (although it is fully documented, so users who encounter problems because of this do so because they didn't rtfm well enough)... -- Best regards, Charles
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
On 4/1/2014 6:22 AM, Charles Marcus cmar...@media-brokers.com wrote: What you are missing is that there is a very good reason that ONLY the output of doveconf -n is wanted here... Apologies Jeffrey, I didn't see your doveconf -n at the end, guess I got distracted by someone else's nonsense... -- Best regards, Charles
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
On 04/ 1/14 06:56 AM, Jeffrey Walton wrote: On Tue, Apr 1, 2014 at 6:44 AM, Charles Marcus cmar...@media-brokers.com wrote: On 4/1/2014 6:34 AM, Jeffrey Walton noloa...@gmail.com wrote: On Tue, Apr 1, 2014 at 6:22 AM, Charles Marcus cmar...@media-brokers.com wrote: ... What you are missing is that there is a very good reason that ONLY the output of doveconf -n is wanted here... It proves that you are using the settings you think you are using. # doveconf -n # 2.1.7: /etc/dovecot/dovecot.conf # OS: Linux 3.2.0-4-686-pae i686 Debian 7.4 disable_plaintext_auth = no So... where is auth_mechanisms? You said you had it set to # doveconf -n | head -1 # 2.1.7: /etc/dovecot/dovecot.conf Check ALL actual settings: # doveconf -a | grep mechanisms auth_mechanisms = plain login .. I guess yours is missing login and using only auth, as the default (hence not showing in doveconf -n). You should still be able to use imapsync with --authmech1 PLAIN --authmech2 PLAIN
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
Jeffrey Walton noloa...@gmail.com writes:
passdb {
args = /var/mail/%d/users
driver = passwd-file
}
...
userdb {
driver = passwd
}
Your userdb and passdb are not using the same DB: did you intend this?
Does the userdb have user@domain entries, rather than just user
entries? The diagnostics I referred to in my last post would have been
helpful here.
# postconf -n
If you're having problems authenticating to the IMAP service, then you
ought to concentrate on that problem: it's likely your LDA problem is
dependent on that solution.
Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
On Tue, Apr 1, 2014 at 8:19 PM, Joseph Tam jtam.h...@gmail.com wrote:
Jeffrey Walton noloa...@gmail.com writes:
passdb {
args = /var/mail/%d/users
driver = passwd-file
}
...
userdb {
driver = passwd
}
Your userdb and passdb are not using the same DB: did you intend this?
Yeah, I did not add that. That's coming from somewhere else (like the
auth_mechanisms).
I think Charles said it was a config file in a different directory.
I'll be looking at in more detail soon. I suspect it one of these two
lines from dovecot.conf:
!include conf.d/*.conf
or
!include_try local.conf
Related: what does the bang mean? I've got a programming background,
and to me its a NOT. So I would read that as don't include
conf.d/ It would have the same effect as commenting it out.
Does the userdb have user@domain entries, rather than just user
entries?
user@domain
I just performed a fresh install of Debian, so I can look at things
without all the tutorial knob turning.
Thanks for the help.
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
On Tue, 1 Apr 2014, Jeffrey Walton wrote: Related: what does the bang mean? I've got a programming background, and to me its a NOT. So I would read that as don't include conf.d/ It would have the same effect as commenting it out. I guess it's the semi-arbitray syntax Timo chose for the include directive. Maybe it came from the bang syntax for Unix scripts. Joseph Tam jtam.h...@gmail.com
[Dovecot] Dovecot not honoring configuration settings (auth failure)
My dovecot.conf has the following:
# No results when searching the wiki
disable_plaintext_auth = no
# http://wiki2.dovecot.org/Authentication/Mechanisms
auth_mechanisms = plain login digest-md5 cram-md5
When I attempt to run imapsync, I receive an error:
Host2: host says it has NO CAPABILITY for AUTHENTICATE LOGIN
imapsync also dumps the helo string, and it is missing:
Host2: * OK [CAPABILITY IMAP4rev1 LITERAL+ ... STARTTLS
AUTH=PLAIN] Dovecot ready.
I've restarted the dovecot service with 'service dovecot restart' and
even rebooted the machine.
There is nothing reported in any on the log files
(/var/mail/dovecot.log and /var/log/mail.level).
Any ideas why dovecot is not honoring the setting in its config file?
**
# dovecot --version
2.1.7
# doveconf -n
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-686-pae i686 Debian 7.4
disable_plaintext_auth = no
log_path = /var/log/dovecot.log
mail_location = mbox:~/mail:INBOX=/var/mail/%u
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
...
prefix =
}
passdb {
args = /var/mail/%d/users
driver = passwd-file
}
passdb {
driver = pam
}
plugin {
sieve = ~/.dovecot.sieve
sieve_dir = ~/sieve
}
protocols = imap pop3
ssl_cert = /etc/dovecot/dovecot.pem
ssl_key = /etc/dovecot/private/dovecot.pem
userdb {
driver = passwd
}
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
Am 31.03.2014 23:37, schrieb Jeffrey Walton:
My dovecot.conf has the following:
# No results when searching the wiki
disable_plaintext_auth = no
# http://wiki2.dovecot.org/Authentication/Mechanisms
auth_mechanisms = plain login digest-md5 cram-md5
When I attempt to run imapsync, I receive an error:
Host2: host says it has NO CAPABILITY for AUTHENTICATE LOGIN
imapsync also dumps the helo string, and it is missing:
Host2: * OK [CAPABILITY IMAP4rev1 LITERAL+ ... STARTTLS
AUTH=PLAIN] Dovecot ready.
I've restarted the dovecot service with 'service dovecot restart' and
even rebooted the machine.
There is nothing reported in any on the log files
(/var/mail/dovecot.log and /var/log/mail.level).
Any ideas why dovecot is not honoring the setting in its config file?
and the settings are *really* in /etc/dovecot/dovecot.conf
or in some .d-folder which may or may not be included?
**
# dovecot --version
2.1.7
# doveconf -n
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-686-pae i686 Debian 7.4
disable_plaintext_auth = no
log_path = /var/log/dovecot.log
mail_location = mbox:~/mail:INBOX=/var/mail/%u
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
...
prefix =
}
passdb {
args = /var/mail/%d/users
driver = passwd-file
}
passdb {
driver = pam
}
plugin {
sieve = ~/.dovecot.sieve
sieve_dir = ~/sieve
}
protocols = imap pop3
ssl_cert = /etc/dovecot/dovecot.pem
ssl_key = /etc/dovecot/private/dovecot.pem
userdb {
driver = passwd
}
--
Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / CISO / Software-Development
m: +43 (676) 40 221 40, p: +43 (1) 595 3999 33
icq: 154546673, http://www.thelounge.net/
http://www.thelounge.net/signature.asc.what.htm
signature.asc
Description: OpenPGP digital signature
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
On Mon, Mar 31, 2014 at 5:39 PM, Reindl Harald h.rei...@thelounge.net wrote: Am 31.03.2014 23:37, schrieb Jeffrey Walton: My dovecot.conf has the following: # No results when searching the wiki disable_plaintext_auth = no # http://wiki2.dovecot.org/Authentication/Mechanisms auth_mechanisms = plain login digest-md5 cram-md5 When I attempt to run imapsync, I receive an error: Host2: host says it has NO CAPABILITY for AUTHENTICATE LOGIN imapsync also dumps the helo string, and it is missing: Host2: * OK [CAPABILITY IMAP4rev1 LITERAL+ ... STARTTLS AUTH=PLAIN] Dovecot ready. I've restarted the dovecot service with 'service dovecot restart' and even rebooted the machine. There is nothing reported in any on the log files (/var/mail/dovecot.log and /var/log/mail.level). Any ideas why dovecot is not honoring the setting in its config file? and the settings are *really* in /etc/dovecot/dovecot.conf or in some .d-folder which may or may not be included? I believe they are in /etc/dovecot/dovecot.conf: # cat /etc/dovecot/dovecot.conf | grep -i auth_ auth_mechanisms = plain login digest-md5 cram-md5 #auth_proxy_self = Jeff
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
Jeffrey Walton noloa...@gmail.com writes:
I specified the following in my dovecot.conf.
passdb {
args = /var/mail/%d/users
driver = passwd-file
}
Attempts to use the configuration result in an authentication failure.
Here's an entry from dovecot.log when the failure happens:
Mar 31 16:04:12 imap-login: Info: Disconnected (auth failed, 1
attempts in 5 secs): user=j...@foo.com, method=PLAIN, rip=127.0.0.1,
lip=127.0.1.1, secured, session=n5/ajez1FgB/AAAB
Just to confirm, your user specified in the passdb corresponds to what
is being authenticated (i.e. client is authenticating as j...@foo.com,
not jeff)? Otherwise, you'll need to add domains to your passdb,
or configure username_format=%n
Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
On Mon, Mar 31, 2014 at 6:29 PM, Joseph Tam jtam.h...@gmail.com wrote:
Jeffrey Walton noloa...@gmail.com writes:
I specified the following in my dovecot.conf.
passdb {
args = /var/mail/%d/users
driver = passwd-file
}
Attempts to use the configuration result in an authentication failure.
Here's an entry from dovecot.log when the failure happens:
Mar 31 16:04:12 imap-login: Info: Disconnected (auth failed, 1
attempts in 5 secs): user=j...@foo.com, method=PLAIN, rip=127.0.0.1,
lip=127.0.1.1, secured, session=n5/ajez1FgB/AAAB
Just to confirm, your user specified in the passdb corresponds to what
is being authenticated (i.e. client is authenticating as j...@foo.com,
not jeff)? Otherwise, you'll need to add domains to your passdb,
or configure username_format=%n
Yes, I believe so:
$ sudo cat /var/mail/foo.com/users
# Generate passwords with:
# doveadm pw -s PLAIN -p password
# Real users
t...@foo.com:{PLAIN}some-password
j...@foo.com:{PLAIN}some-password
In case it matters, here are the Postfix settings (but they should not
apply since this is an IMAP exercise):
$ sudo cat /etc/postfix/mailboxes
# Real users
t...@foo.com foo.com/tad/
j...@foo.com foo.com/jeff/
Its compiled with `postmap`:
postmap /etc/postfix/mailboxes
And then specified in `main.cf` with:
virtual_mailbox_maps = hash:/etc/postfix/mailboxes
And my two domains are handled similarly in `domains`.
Jeff
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
On Mon, 31 Mar 2014, Jeffrey Walton wrote:
Just to confirm, your user specified in the passdb corresponds to what
is being authenticated (i.e. client is authenticating as j...@foo.com,
not jeff)? Otherwise, you'll need to add domains to your passdb,
or configure username_format=%n
Yes, I believe so:
$ sudo cat /var/mail/foo.com/users
# Generate passwords with:
# doveadm pw -s PLAIN -p password
# Real users
t...@foo.com:{PLAIN}some-password
j...@foo.com:{PLAIN}some-password
OK, I guess the next step is to see whether the dovecot auth process
is able to read the passdb file. Does your dovecot auth process have
enough authorization to get/read to these files (check what dovecot/auth
runs as versus the file permissions of your passdb)? doveadm user
j...@foo.com checks the userdb, and if it coincides with your passdb,
might point out a problem.
Tracing the auth process might also help.
Joseph Tam jtam.h...@gmail.com
