Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
On 3/31/2014 5:47 PM, Jeffrey Walton noloa...@gmail.com wrote:
> On Mon, Mar 31, 2014 at 5:39 PM, Reindl Harald h.rei...@thelounge.net wrote:
>> and the settings are *really* in /etc/dovecot/dovecot.conf or in some
>> .d-folder which may or may not be included?
>
> I believe they are in /etc/dovecot/dovecot.conf:
>
> # cat /etc/dovecot/dovecot.conf | grep -i auth_
> auth_mechanisms = plain login digest-md5 cram-md5
> #auth_proxy_self =

Jeffrey,

What you are missing is that there is a very good reason that ONLY the output of doveconf -n is wanted here... It proves that you are using the settings you think you are using. Simply cat'ing the contents of a file that you are editing is not good enough.

Like postconf -n in postfix, doveconf -n dumps the output of the config that the running version of dovecot is actually using. This shines the light on obvious errors, like when you are editing a config file that is NOT being used. This is a common mistake, especially in distributions that put things in non-standard places.

So, what is output of doveconf -n? And postconf -n (if needed)?

--
Best regards,
Charles
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
On 3/31/2014 5:37 PM, Jeffrey Walton noloa...@gmail.com wrote:
> My dovecot.conf has the following:

You still have yet to prove this (doveconf -n output).

> # No results when searching the wiki
> disable_plaintext_auth = no

Then you are searching the wiki wrong.

After entering the parameter in the searchbox (obviously you should not add the '=no' part), did you click 'Titles'? Or 'Text'? Or did you just hit [enter]?

You have to click the 'Text' button (to the right of the searchbox) to search the article CONTENT. Just hitting [Enter] results in a simple 'Titles' search, which only searches the wiki article Titles.

Personally I don't like this. I think the default should be to search content.

> # http://wiki2.dovecot.org/Authentication/Mechanisms
> auth_mechanisms = plain login digest-md5 cram-md5
>
> When I attempt to run imapsync, I receive an error:
>
> Host2: host says it has NO CAPABILITY for AUTHENTICATE LOGIN
>
> imapsync also dumps the helo string, and it is missing:
>
> Host2: * OK [CAPABILITY IMAP4rev1 LITERAL+ ... STARTTLS AUTH=PLAIN] Dovecot ready.
>
> I've restarted the dovecot service with 'service dovecot restart' and
> even rebooted the machine. There is nothing reported in any of the log
> files (/var/mail/dovecot.log and /var/log/mail.level).

Then you are looking at the wrong log files.

> Any ideas why dovecot is not honoring the setting in its config file?

Best guess is you are not using the config file you think you are using.

What distro is this?

--
Best regards,
Charles
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
On Tue, Apr 1, 2014 at 6:22 AM, Charles Marcus cmar...@media-brokers.com wrote:
> ...
> What you are missing is that there is a very good reason that ONLY the
> output of doveconf -n is wanted here... It proves that you are using the
> settings you think you are using.

# doveconf -n
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-686-pae i686 Debian 7.4
disable_plaintext_auth = no
log_path = /var/log/dovecot.log
mail_location = mbox:~/mail:INBOX=/var/mail/%u
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox Sent Messages {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /var/mail/%d/users
  driver = passwd-file
}
passdb {
  driver = pam
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = imap pop3
ssl_cert = /etc/dovecot/dovecot.pem
ssl_key = /etc/dovecot/private/dovecot.pem
userdb {
  driver = passwd
}

**

# postconf -n
alias_maps = hash:/etc/postfix/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
inet_protocols = all
mailbox_command =
mailbox_size_limit = 0
mydestination = debian-x2.home.pvt, localhost.home.pvt, localhost
myhostname = debian-x2.home.pvt
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_protocols = !SSLv2 !SSLv3 !PSK !SRP !KRB5
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/aliases
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/mail
virtual_mailbox_domains = hash:/etc/postfix/domains
virtual_mailbox_maps = hash:/etc/postfix/mailboxes
virtual_minimum_uid = 100
virtual_uid_maps = static:5000
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
On 4/1/2014 6:34 AM, Jeffrey Walton noloa...@gmail.com wrote:
> On Tue, Apr 1, 2014 at 6:22 AM, Charles Marcus cmar...@media-brokers.com wrote:
>> ...
>> What you are missing is that there is a very good reason that ONLY the
>> output of doveconf -n is wanted here... It proves that you are using the
>> settings you think you are using.
>
> # doveconf -n
> # 2.1.7: /etc/dovecot/dovecot.conf
> # OS: Linux 3.2.0-4-686-pae i686 Debian 7.4
> disable_plaintext_auth = no

So... where is auth_mechanisms? You said you had it set to

auth_mechanisms = plain login digest-md5 cram-md5

Fix this and try again...

--
Best regards,
Charles
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
On 01.04.2014 12:22, Charles Marcus wrote:
> On 3/31/2014 5:47 PM, Jeffrey Walton noloa...@gmail.com wrote:
>> On Mon, Mar 31, 2014 at 5:39 PM, Reindl Harald h.rei...@thelounge.net wrote:
>>> and the settings are *really* in /etc/dovecot/dovecot.conf or in some
>>> .d-folder which may or may not be included?
>>
>> I believe they are in /etc/dovecot/dovecot.conf:
>>
>> # cat /etc/dovecot/dovecot.conf | grep -i auth_
>> auth_mechanisms = plain login digest-md5 cram-md5
>> #auth_proxy_self =
>
> What you are missing is that there is a very good reason that ONLY the
> output of doveconf -n is wanted here...

if you would really follow the thread you would have noticed that he did that already and i asked for the complete config file because:

* the mentioned one is clearly stated by doveconf -n
* the values in question are not displayed in the output

On 01.04.2014 12:44, Charles Marcus wrote:
> So... where is auth_mechanisms? You said you had it set to
> auth_mechanisms = plain login digest-md5 cram-md5
> Fix this and try again..

and *that* is why i asked for the complete config yesterday because 2.1.7: /etc/dovecot/dovecot.conf is stated as config file and the value in question is not listed
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
On Tue, Apr 1, 2014 at 6:44 AM, Charles Marcus cmar...@media-brokers.com wrote:
> On 4/1/2014 6:34 AM, Jeffrey Walton noloa...@gmail.com wrote:
>> On Tue, Apr 1, 2014 at 6:22 AM, Charles Marcus cmar...@media-brokers.com wrote:
>>> ...
>>> What you are missing is that there is a very good reason that ONLY the
>>> output of doveconf -n is wanted here... It proves that you are using the
>>> settings you think you are using.
>>
>> # doveconf -n
>> # 2.1.7: /etc/dovecot/dovecot.conf
>> # OS: Linux 3.2.0-4-686-pae i686 Debian 7.4
>> disable_plaintext_auth = no
>
> So... where is auth_mechanisms? You said you had it set to

# doveconf -n | head -1
# 2.1.7: /etc/dovecot/dovecot.conf

# cat /etc/dovecot/dovecot.conf | grep -i auth_
auth_mechanisms = plain login digest-md5 cram-md5
#auth_proxy_self =

Obviously, I don't know how. That's the file that conf dovecot claims it is using. If you know how to find out the conf file dovecot is *really* using, then please let me know.

Jeff
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
On 4/1/2014 6:56 AM, Jeffrey Walton noloa...@gmail.com wrote:
> Obviously, I don't know how. That's the file that conf dovecot claims
> it is using. If you know how to find out the conf file dovecot is
> *really* using, then please let me know.

First read this:

http://wiki2.dovecot.org/BasicConfiguration

Especially this part:

    The default configuration starts from dovecot.conf, which contains an
    !include conf.d/*.conf statement to read the rest of the configuration.
    This split of configuration files isn't a requirement to use, and it
    doesn't really matter which .conf file you add any particular setting,
    just as long as it isn't overridden in another file. You can verify
    with doveconf -n that everything looks as you intended.

If you want all settings in a single config file, you need to tell dovecot this. If you don't, then the last settings that are applied, based on the order these split config files (in conf.d) are read (the number prefix determines the order) win.

Personally, I put all of mine in /etc/dovecot/conf.d/99-mysettings.conf

The 99- prefix makes sure that these settings get applied last.

Also, you never answered my last question - what distro? Some distros put config files in different (non-standard) places, and/or enable chroot by default, complicating things for their users (although it is fully documented, so users who encounter problems because of this do so because they didn't rtfm well enough)...

--
Best regards,
Charles
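The last-wins include order described in the message above can be traced file by file. The following Python sketch is an added example, not part of the thread and not Dovecot code: it follows `!include` / `!include_try` through a constructed config tree (the file contents and the simplified parsing rules are assumptions) and reports which file supplies the effective value of a top-level setting and which assignments it shadows.

```python
import glob
import os
import tempfile

def load_settings(path):
    """Return [(key, value, file, lineno)] for top-level settings, in read order.

    Simplified model (an assumption, not Dovecot's parser): '#' lines are
    comments, '!include' and '!include_try' are expanded in place with globs
    sorted by name, a missing target is skipped for both forms, and settings
    inside { } sections are ignored.
    """
    found, depth = [], 0
    base = os.path.dirname(path)
    with open(path) as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("!include"):
                pattern = line.split(None, 1)[1]
                for match in sorted(glob.glob(os.path.join(base, pattern))):
                    found.extend(load_settings(match))
            elif line.endswith("{"):
                depth += 1
            elif line == "}":
                depth -= 1
            elif depth == 0 and "=" in line:
                key, _, value = line.partition("=")
                found.append((key.strip(), value.strip(), path, lineno))
    return found

def effective(settings, key):
    """Last assignment wins; earlier ones are returned as shadowed."""
    hits = [s for s in settings if s[0] == key]
    return (hits[-1], hits[:-1]) if hits else (None, [])

def build_sample_tree(root):
    """Write a constructed layout: main file sets values, then includes conf.d."""
    os.mkdir(os.path.join(root, "conf.d"))
    files = {
        "dovecot.conf": "disable_plaintext_auth = no\n"
                        "auth_mechanisms = plain login digest-md5 cram-md5\n"
                        "!include conf.d/*.conf\n"
                        "!include_try local.conf\n",
        "conf.d/10-auth.conf": "#disable_plaintext_auth = yes\n"
                               "auth_mechanisms = plain\n"
                               "passdb {\n  driver = pam\n}\n",
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return os.path.join(root, "dovecot.conf")

def report(main, key):
    winner, shadowed = effective(load_settings(main), key)
    lines = [f"{key} = {winner[1]}   <- {winner[2]}:{winner[3]}"]
    lines += [f"  shadowed: {s[1]!r} at {s[2]}:{s[3]}" for s in shadowed]
    return "\n".join(lines)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        main = build_sample_tree(root)
        print(report(main, "auth_mechanisms"))        # 10-auth.conf wins
        # A 99- file sorts last in conf.d, so its value is applied last.
        with open(os.path.join(root, "conf.d", "99-mysettings.conf"), "w") as fh:
            fh.write("auth_mechanisms = plain login\n")
        print(report(main, "auth_mechanisms"))
```

On a live server the authoritative answer is still the output of doveconf -n (and doveconf -a for defaults), as the thread says; a trace like this only helps locate the file that needs editing.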
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
On 4/1/2014 6:22 AM, Charles Marcus cmar...@media-brokers.com wrote:
> What you are missing is that there is a very good reason that ONLY the
> output of doveconf -n is wanted here...

Apologies Jeffrey, I didn't see your doveconf -n at the end, guess I got distracted by someone else's nonsense...

--
Best regards,
Charles
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
On 04/ 1/14 06:56 AM, Jeffrey Walton wrote:
> On Tue, Apr 1, 2014 at 6:44 AM, Charles Marcus cmar...@media-brokers.com wrote:
>> On 4/1/2014 6:34 AM, Jeffrey Walton noloa...@gmail.com wrote:
>>> On Tue, Apr 1, 2014 at 6:22 AM, Charles Marcus cmar...@media-brokers.com wrote:
>>>> ...
>>>> What you are missing is that there is a very good reason that ONLY the
>>>> output of doveconf -n is wanted here... It proves that you are using the
>>>> settings you think you are using.
>>>
>>> # doveconf -n
>>> # 2.1.7: /etc/dovecot/dovecot.conf
>>> # OS: Linux 3.2.0-4-686-pae i686 Debian 7.4
>>> disable_plaintext_auth = no
>>
>> So... where is auth_mechanisms? You said you had it set to
>
> # doveconf -n | head -1
> # 2.1.7: /etc/dovecot/dovecot.conf

Check ALL actual settings:

# doveconf -a | grep mechanisms
auth_mechanisms = plain login

.. I guess yours is missing login and using only auth, as the default (hence not showing in doveconf -n).

You should still be able to use imapsync with --authmech1 PLAIN --authmech2 PLAIN
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
Jeffrey Walton noloa...@gmail.com writes:

> passdb {
>   args = /var/mail/%d/users
>   driver = passwd-file
> }
> ...
> userdb {
>   driver = passwd
> }

Your userdb and passdb are not using the same DB: did you intend this? Does the userdb have user@domain entries, rather than just user entries?

The diagnostics I referred to in my last post would have been helpful here.

> # postconf -n

If you're having problems authenticating to the IMAP service, then you ought to concentrate on that problem: it's likely your LDA problem is dependent on that solution.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
On Tue, Apr 1, 2014 at 8:19 PM, Joseph Tam jtam.h...@gmail.com wrote:
> Jeffrey Walton noloa...@gmail.com writes:
>
>> passdb {
>>   args = /var/mail/%d/users
>>   driver = passwd-file
>> }
>> ...
>> userdb {
>>   driver = passwd
>> }
>
> Your userdb and passdb are not using the same DB: did you intend this?

Yeah, I did not add that. That's coming from somewhere else (like the auth_mechanisms). I think Charles said it was a config file in a different directory. I'll be looking at it in more detail soon.

I suspect it's one of these two lines from dovecot.conf:

!include conf.d/*.conf

or

!include_try local.conf

Related: what does the bang mean? I've got a programming background, and to me it's a NOT. So I would read that as don't include conf.d/ It would have the same effect as commenting it out.

> Does the userdb have user@domain entries, rather than just user entries?

user@domain

I just performed a fresh install of Debian, so I can look at things without all the tutorial knob turning.

Thanks for the help.
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
On Tue, 1 Apr 2014, Jeffrey Walton wrote:
> Related: what does the bang mean? I've got a programming background,
> and to me it's a NOT. So I would read that as don't include conf.d/
> It would have the same effect as commenting it out.

I guess it's the semi-arbitrary syntax Timo chose for the include directive. Maybe it came from the bang syntax for Unix scripts.

Joseph Tam jtam.h...@gmail.com
[Dovecot] Dovecot not honoring configuration settings (auth failure)
My dovecot.conf has the following:

# No results when searching the wiki
disable_plaintext_auth = no

# http://wiki2.dovecot.org/Authentication/Mechanisms
auth_mechanisms = plain login digest-md5 cram-md5

When I attempt to run imapsync, I receive an error:

Host2: host says it has NO CAPABILITY for AUTHENTICATE LOGIN

imapsync also dumps the helo string, and it is missing:

Host2: * OK [CAPABILITY IMAP4rev1 LITERAL+ ... STARTTLS AUTH=PLAIN] Dovecot ready.

I've restarted the dovecot service with 'service dovecot restart' and even rebooted the machine. There is nothing reported in any of the log files (/var/mail/dovecot.log and /var/log/mail.level).

Any ideas why dovecot is not honoring the setting in its config file?

**

# dovecot --version
2.1.7

# doveconf -n
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-686-pae i686 Debian 7.4
disable_plaintext_auth = no
log_path = /var/log/dovecot.log
mail_location = mbox:~/mail:INBOX=/var/mail/%u
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  ...
  prefix =
}
passdb {
  args = /var/mail/%d/users
  driver = passwd-file
}
passdb {
  driver = pam
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = imap pop3
ssl_cert = /etc/dovecot/dovecot.pem
ssl_key = /etc/dovecot/private/dovecot.pem
userdb {
  driver = passwd
}
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
On 31.03.2014 23:37, Jeffrey Walton wrote:
> My dovecot.conf has the following:
>
> # No results when searching the wiki
> disable_plaintext_auth = no
>
> # http://wiki2.dovecot.org/Authentication/Mechanisms
> auth_mechanisms = plain login digest-md5 cram-md5
>
> When I attempt to run imapsync, I receive an error:
>
> Host2: host says it has NO CAPABILITY for AUTHENTICATE LOGIN
>
> imapsync also dumps the helo string, and it is missing:
>
> Host2: * OK [CAPABILITY IMAP4rev1 LITERAL+ ... STARTTLS AUTH=PLAIN] Dovecot ready.
>
> I've restarted the dovecot service with 'service dovecot restart' and
> even rebooted the machine. There is nothing reported in any of the log
> files (/var/mail/dovecot.log and /var/log/mail.level).
>
> Any ideas why dovecot is not honoring the setting in its config file?

and the settings are *really* in /etc/dovecot/dovecot.conf or in some .d-folder which may or may not be included?

> **
>
> # dovecot --version
> 2.1.7
>
> # doveconf -n
> # 2.1.7: /etc/dovecot/dovecot.conf
> # OS: Linux 3.2.0-4-686-pae i686 Debian 7.4
> disable_plaintext_auth = no
> log_path = /var/log/dovecot.log
> mail_location = mbox:~/mail:INBOX=/var/mail/%u
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   ...
>   prefix =
> }
> passdb {
>   args = /var/mail/%d/users
>   driver = passwd-file
> }
> passdb {
>   driver = pam
> }
> plugin {
>   sieve = ~/.dovecot.sieve
>   sieve_dir = ~/sieve
> }
> protocols = imap pop3
> ssl_cert = /etc/dovecot/dovecot.pem
> ssl_key = /etc/dovecot/private/dovecot.pem
> userdb {
>   driver = passwd
> }

--
Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / CISO / Software-Development
m: +43 (676) 40 221 40, p: +43 (1) 595 3999 33
icq: 154546673, http://www.thelounge.net/
http://www.thelounge.net/signature.asc.what.htm
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
On Mon, Mar 31, 2014 at 5:39 PM, Reindl Harald h.rei...@thelounge.net wrote:
> On 31.03.2014 23:37, Jeffrey Walton wrote:
>> My dovecot.conf has the following:
>>
>> # No results when searching the wiki
>> disable_plaintext_auth = no
>>
>> # http://wiki2.dovecot.org/Authentication/Mechanisms
>> auth_mechanisms = plain login digest-md5 cram-md5
>>
>> When I attempt to run imapsync, I receive an error:
>>
>> Host2: host says it has NO CAPABILITY for AUTHENTICATE LOGIN
>>
>> imapsync also dumps the helo string, and it is missing:
>>
>> Host2: * OK [CAPABILITY IMAP4rev1 LITERAL+ ... STARTTLS AUTH=PLAIN] Dovecot ready.
>>
>> I've restarted the dovecot service with 'service dovecot restart' and
>> even rebooted the machine. There is nothing reported in any of the log
>> files (/var/mail/dovecot.log and /var/log/mail.level).
>>
>> Any ideas why dovecot is not honoring the setting in its config file?
>
> and the settings are *really* in /etc/dovecot/dovecot.conf or in some
> .d-folder which may or may not be included?

I believe they are in /etc/dovecot/dovecot.conf:

# cat /etc/dovecot/dovecot.conf | grep -i auth_
auth_mechanisms = plain login digest-md5 cram-md5
#auth_proxy_self =

Jeff
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
Jeffrey Walton noloa...@gmail.com writes:

> I specified the following in my dovecot.conf.
>
> passdb {
>   args = /var/mail/%d/users
>   driver = passwd-file
> }
>
> Attempts to use the configuration result in an authentication failure.
> Here's an entry from dovecot.log when the failure happens:
>
> Mar 31 16:04:12 imap-login: Info: Disconnected (auth failed, 1 attempts in 5 secs): user=j...@foo.com, method=PLAIN, rip=127.0.0.1, lip=127.0.1.1, secured, session=n5/ajez1FgB/AAAB

Just to confirm, your user specified in the passdb corresponds to what is being authenticated (i.e. client is authenticating as j...@foo.com, not jeff)? Otherwise, you'll need to add domains to your passdb, or configure username_format=%n

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
On Mon, Mar 31, 2014 at 6:29 PM, Joseph Tam jtam.h...@gmail.com wrote:
> Jeffrey Walton noloa...@gmail.com writes:
>
>> I specified the following in my dovecot.conf.
>>
>> passdb {
>>   args = /var/mail/%d/users
>>   driver = passwd-file
>> }
>>
>> Attempts to use the configuration result in an authentication failure.
>> Here's an entry from dovecot.log when the failure happens:
>>
>> Mar 31 16:04:12 imap-login: Info: Disconnected (auth failed, 1 attempts in 5 secs): user=j...@foo.com, method=PLAIN, rip=127.0.0.1, lip=127.0.1.1, secured, session=n5/ajez1FgB/AAAB
>
> Just to confirm, your user specified in the passdb corresponds to what
> is being authenticated (i.e. client is authenticating as j...@foo.com,
> not jeff)? Otherwise, you'll need to add domains to your passdb, or
> configure username_format=%n

Yes, I believe so:

$ sudo cat /var/mail/foo.com/users
# Generate passwords with:
# doveadm pw -s PLAIN -p password

# Real users
t...@foo.com:{PLAIN}some-password
j...@foo.com:{PLAIN}some-password

In case it matters, here are the Postfix settings (but they should not apply since this is an IMAP exercise):

$ sudo cat /etc/postfix/mailboxes
# Real users
t...@foo.com foo.com/tad/
j...@foo.com foo.com/jeff/

It's compiled with `postmap`:

postmap /etc/postfix/mailboxes

And then specified in `main.cf` with:

virtual_mailbox_maps = hash:/etc/postfix/mailboxes

And my two domains are handled similarly in `domains`.

Jeff
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
On Mon, 31 Mar 2014, Jeffrey Walton wrote:
>> Just to confirm, your user specified in the passdb corresponds to what
>> is being authenticated (i.e. client is authenticating as j...@foo.com,
>> not jeff)? Otherwise, you'll need to add domains to your passdb, or
>> configure username_format=%n
>
> Yes, I believe so:
>
> $ sudo cat /var/mail/foo.com/users
> # Generate passwords with:
> # doveadm pw -s PLAIN -p password
>
> # Real users
> t...@foo.com:{PLAIN}some-password
> j...@foo.com:{PLAIN}some-password

OK, I guess the next step is to see whether the dovecot auth process is able to read the passdb file. Does your dovecot auth process have enough authorization to get/read to these files (check what dovecot/auth runs as versus the file permissions of your passdb)?

doveadm user j...@foo.com

checks the userdb, and if it coincides with your passdb, might point out a problem.

Tracing the auth process might also help.

Joseph Tam jtam.h...@gmail.com