Re: [Dovecot] Strange error: DIGEST-MD5 mechanism can't be supported with given passdbs

2012-01-09 Thread Timo Sirainen
On 7.1.2012, at 5.36, Yubao Liu wrote:

 In the old version, auth->passdbs contained all passdbs; this revision
 changes auth->passdbs to contain only non-master passdbs.
 
 I'm not sure which fix is better, or even whether my proposal is correct or complete:
  a) in src/auth/auth.c:auth_passdb_preinit(), insert master passdbs into
  auth->passdbs too, and remove the duplicate code for masterdbs
  in auth_init() and auth_deinit().

Not a good idea. The master passdb needs to be treated specially, otherwise you 
might accidentally allow regular users logging in as other users.

  b) add similar code for masterdbs in auth_passdb_list_have_verify_plain(),
  auth_passdb_list_have_lookup_credentials(), and
  auth_passdb_list_have_set_credentials().

Kind of annoying code duplication, but .. I guess it can't really be helped. 
Added:
http://hg.dovecot.org/dovecot-2.0/rev/bed15faedfd4

 Another related question is the pass option in the master passdb; if I set it to
 yes, the authentication fails:
..
 My normal passdb is a PAM passdb; it doesn't support credential lookups,
 and that's reasonable,

Right.

 but I feel the comment for the pass option is confusing:
 
  # Unless you're using PAM, you probably still want the destination user to
  # be looked up from passdb that it really exists. pass=yes does that.
  pass = yes
 }
 
 According to the comment, it's to check whether the real user exists, so why
 check another passdb rather than the userdb?

Well.. It is going to check userdb eventually anyway, so it would still fail, 
just a bit later and maybe with a different error message.

 Even if it must check against a passdb, in this case it's obviously not
 necessary to look up credentials; it's enough to look up the user name only.

There's currently no passdb that supports a "does user exist?" lookup but 
doesn't support credentials lookup, so this is more of a theoretical issue. (I 
guess maybe PAM could be abused in some configurations to do the check, but 
that's rather ugly..)

Re: [Dovecot] Strange error: DIGEST-MD5 mechanism can't be supported with given passdbs

2012-01-09 Thread Liu Yubao
On Tue, Jan 10, 2012 at 2:59 AM, Timo Sirainen t...@iki.fi wrote:
 On 7.1.2012, at 5.36, Yubao Liu wrote:

 In the old version, auth->passdbs contained all passdbs; this revision
 changes auth->passdbs to contain only non-master passdbs.

 I'm not sure which fix is better, or even whether my proposal is correct or complete:
  a) in src/auth/auth.c:auth_passdb_preinit(), insert master passdbs into
      auth->passdbs too, and remove the duplicate code for masterdbs
      in auth_init() and auth_deinit().

 Not a good idea. The master passdb needs to be treated specially, otherwise 
 you might accidentally allow regular users logging in as other users.


Sorry, I don't understand well. This scheme adds all master dbs to
auth->passdbs; auth->masterdbs is not changed and still contains only master
users. I guess Dovecot looks up auth->masterdbs for master users and
auth->passdbs for regular users; regular users don't know the master users'
passwords, so they can't log in as other users.

http://wiki2.dovecot.org/Authentication/MasterUsers
The example configuration already shows that a master user account can be
added to auth->passdbs too.

This scheme does bring an unexpected issue: the master users can't have
separate passwords for regular login as themselves (because masterdbs are also
added to passdbs), which increases the risk of password leaks a lot, but I
don't think it's good practice to do regular logins with a master user account.

Quoted from the same wiki page (I really enjoy the wonderful Dovecot wiki, it's
the most well organized and documented wiki among open source projects, thank
you very much!):
 If you want master users to be able to log in as themselves, you'll need to
 either add the user to the normal passdb or add the passdb to dovecot.conf
 twice, with and without master=yes. Note that if the passdbs point to
 different locations, the user can have a different password when logging in
 as other users than when logging in as himself. This is a good idea since it
 can avoid accidentally logging in as someone else.

Anyway, scheme B is much less risky and much simpler, with just a little
annoying code duplication :-)

  b) add similar code for masterdbs in auth_passdb_list_have_verify_plain(),
      auth_passdb_list_have_lookup_credentials(), and
      auth_passdb_list_have_set_credentials().

 Kind of annoying code duplication, but .. I guess it can't really be helped. 
 Added:
 http://hg.dovecot.org/dovecot-2.0/rev/bed15faedfd4


Thank you very much, I don't have to maintain my private package :-)

 Another related question is the pass option in the master passdb; if I set it to
 yes, the authentication fails:
 ..
 My normal passdb is a PAM passdb; it doesn't support credential lookups,
 and that's reasonable,

 Right.

 but I feel the comment for the pass option is confusing:

  # Unless you're using PAM, you probably still want the destination user to
  # be looked up from passdb that it really exists. pass=yes does that.
  pass = yes
 }

 According to the comment, it's to check whether the real user exists, so why
 check another passdb rather than the userdb?

 Well.. It is going to check userdb eventually anyway, so it would still fail, 
 just a bit later and maybe with a different error message.

If Dovecot doesn't check the password for the real user against a passdb
(actually it doesn't have the real user's password, because it's doing master
user proxy authorization), it won't fail on the userdb lookup, because the
userdb does contain the real user; in my case the real user is a system user
and absolutely exists.


 Even if it must check against a passdb, in this case it's obviously not
 necessary to look up credentials; it's enough to look up the user name only.

 There's currently no passdb that supports a "does user exist?" lookup but 
 doesn't support credentials lookup, so this is more of a theoretical issue. 
 (I guess maybe PAM could be abused in some configurations to do the check, 
 but that's rather ugly..)

I don't understand why master user proxy authorization in Dovecot has to check
the real user against his credentials; does that mean user*master has to
authenticate twice, once for the master and once for the user? Often the
client can't provide two passwords in a single login, and a regular passdb such
as the PAM passdb doesn't support credential lookups. So I feel it's better if
Dovecot checks only the destination user name in the passdbs or userdbs, after
the master user authentication part succeeds, to decide whether the
destination user exists, just as the comment for pass=yes describes.

This may not be a bug; IMHO it's just a confusing feature.

Regards,
Yubao Liu


Re: [Dovecot] Strange error: DIGEST-MD5 mechanism can't be supported with given passdbs

2012-01-07 Thread Yubao Liu

Hi Timo,

Did you review the patches in my previous email? I tested the two patches against
my configuration (pasted in this thread too); they both work well. I prefer
the first patch, but I'm not sure whether it breaks something else.

Regards,
Yubao Liu

On 01/07/2012 11:36 AM, Yubao Liu wrote:

On 01/07/2012 01:51 AM, Timo Sirainen wrote:

On 6.1.2012, at 19.45, Yubao Liu wrote:

On 01/07/2012 12:44 AM, Timo Sirainen wrote:

On Sat, 2012-01-07 at 00:15 +0800, Yubao Liu wrote:

I don't know why this function doesn't check auth->masterdbs; if I
insert these lines after line 128, that error goes away, and Dovecot's
imap-login process happily does DIGEST-MD5 authentication [1].
In my configuration, masterdbs contains the passdb passwd-file,
passdbs contains the passdb pam.

So .. you want DIGEST-MD5 authentication for the master users, but not
for anyone else? I hadn't really thought anyone would want that..

Is there any special reason that master passdb isn't taken into
account in src/auth/auth.c:auth_passdb_list_have_lookup_credentials() ?
I feel master passdb is also a kind of passdb.

I guess it could be changed. It wasn't done intentionally that way.


I guess this change broke the old way:
http://hg.dovecot.org/dovecot-2.0/rev/b05793c609ac

In the old version, auth->passdbs contained all passdbs; this revision
changes auth->passdbs to contain only non-master passdbs.

I'm not sure which fix is better, or even whether my proposal is correct or complete:
  a) in src/auth/auth.c:auth_passdb_preinit(), insert master passdbs into
  auth->passdbs too, and remove the duplicate code for masterdbs
  in auth_init() and auth_deinit().

  b) add similar code for masterdbs in auth_passdb_list_have_verify_plain(),
  auth_passdb_list_have_lookup_credentials(), and
  auth_passdb_list_have_set_credentials().

This is exactly my use case: I use Kerberos for system users, and I'm curious
why the master passdb isn't used to check the have_lookup_credentials ability.

http://wiki2.dovecot.org/Authentication/MultipleDatabases
 Currently the fallback works only with the PLAIN authentication mechanism.

I hope this limitation can be relaxed.
It might already be .. I don't remember. In any case you have only a 
PAM passdb, so it shouldn't matter. GSSAPI isn't a passdb.
If the fix above is added, then I can use CRAM-MD5 with the master
passwd-file passdb and the normal pam passdb; otherwise the imap-login process
can't start up due to the check in auth_mech_list_verify_passdb().

Attached are two patches against the dovecot-2.0 branch for the two schemes;
the first is cleaner but may affect other logic in other source files.


Another related question is the pass option in the master passdb; if I set it
to yes, the authentication fails:
Jan  7 11:26:00 gold dovecot: auth: Debug: client in: 
AUTH#0111#011CRAM-MD5#011service=imap#011secured#011lip=127.0.1.1#011rip=127.0.0.1#011lport=143#011rport=51771
Jan  7 11:26:00 gold dovecot: auth: Debug: client out: 
CONT#0111#011PDk4NjcwMDY1MTU3NzI3MjguMTMyNTkwNjc2MEBnb2xkPg==
Jan  7 11:26:00 gold dovecot: auth: Debug: client in: 
CONT#0111#011ZGlla2VuKndlYm1haWwgYmNkMzFiMWE1YjQ1OWQ0OGRkZWQ4ZmIzZDhmMjVhZTc=
Jan  7 11:26:00 gold dovecot: auth: Debug: 
auth(webmail,127.0.0.1,master): Master user lookup for login: dieken
Jan  7 11:26:00 gold dovecot: auth: Debug: 
passwd-file(webmail,127.0.0.1,master): lookup: user=webmail 
file=/etc/dovecot/master-users
Jan  7 11:26:00 gold dovecot: auth: passdb(webmail,127.0.0.1,master): 
Master user logging in as dieken
Jan  7 11:26:00 gold dovecot: auth: Error: passdb(dieken,127.0.0.1): 
No passdbs support skipping password verification - pass=yes can't be 
used in master passdb
Jan  7 11:26:00 gold dovecot: auth: Debug: password(dieken,127.0.0.1): 
passdb doesn't support credential lookups


My normal passdb is a PAM passdb; it doesn't support credential lookups, and
that's reasonable, but I feel the comment for the pass option is confusing:

$ less /etc/dovecot/conf.d/auth-master.conf.ext

# Example master user passdb using passwd-file. You can use any passdb 
though.

passdb {
  driver = passwd-file
  master = yes
  args = /etc/dovecot/master-users

  # Unless you're using PAM, you probably still want the destination user to
  # be looked up from passdb that it really exists. pass=yes does that.
  pass = yes
}

According to the comment, it's to check whether the real user exists, so why
check another passdb rather than the userdb? Even if it must check against a
passdb, in this case it's obviously not necessary to look up credentials;
it's enough to look up the user name only.

Regards,
Yubao Liu





Re: [Dovecot] Strange error: DIGEST-MD5 mechanism can't be supported with given passdbs

2012-01-06 Thread Nick Rosier
Yubao Liu wrote:
 Hi all,
 
 I have no idea about that message, here is my configuration, what's wrong?

You have 2 passdb entries; 1 with a file and 1 with pam. I'm pretty sure
PAM doesn't support DIGEST-MD5 authentication. Could be the cause of the
problem.

 Debian testing, Dovecot 2.0.15
 
 $ doveconf -n
 # 2.0.15: /etc/dovecot/dovecot.conf
 # OS: Linux 3.1.0-1-686-pae i686 Debian wheezy/sid
 auth_default_realm = corp.example.com
 auth_krb5_keytab = /etc/dovecot.keytab
 auth_master_user_separator = *
 auth_mechanisms = gssapi digest-md5
 auth_realms = corp.example.com
 auth_username_format = %n
 first_valid_gid = 1000
 first_valid_uid = 1000
 mail_location = mdbox:/srv/mail/%u/Mail
 managesieve_notify_capability = mailto
 managesieve_sieve_capability = fileinto reject envelope
 encoded-character vacation subaddress comparator-i;ascii-numeric
 relational regex imap4flags copy include variables body enotify
 environment mailbox date ihave
 passdb {
   args = /etc/dovecot/master-users
   driver = passwd-file
   master = yes
   pass = yes
 }
 passdb {
   driver = pam
 }
 plugin {
   sieve = /srv/mail/%u/.dovecot.sieve
   sieve_dir = /srv/mail/%u/sieve
 }
 protocols =  imap lmtp sieve
 service auth {
   unix_listener auth-client {
 group = Debian-exim
 mode = 0660
   }
 }
 ssl_cert = /etc/ssl/certs/dovecot.pem
 ssl_key = /etc/ssl/private/dovecot.pem
 userdb {
   args = home=/srv/mail/%u
   driver = passwd
 }
 protocol lmtp {
   mail_plugins =  sieve
 }
 protocol lda {
   mail_plugins =  sieve
 }
 
 # cat /etc/dovecot/master-users
 x...@corp.example.com:
 
 The z is obtained by doveadm pw -s digest-md5 -u x...@corp.example.com.
 I tried to add the prefix {DIGEST-MD5} before the generated hash and/or add
 scheme=DIGEST-MD5 to the passwd-file passdb's args option; neither
 helps.
 
 The error message:
 dovecot: master: Dovecot v2.0.15 starting up (core dumps disabled)
 dovecot: auth: Fatal: DIGEST-MD5 mechanism can't be supported with given
 passdbs
 gold dovecot: master: Error: service(auth): command startup failed,
 throttling
 
 I enabled the auth debug log; it showed Dovecot read /etc/dovecot/master-users
 and parsed one line, then the error occurred. Doesn't the passwd-file
 passdb support the digest-md5 password scheme? If it doesn't, how do I
 configure the digest-md5 auth mechanism with the digest-md5 password scheme
 for virtual users?
 
 Regards,
 Yubao Liu
 

Rgds,
N.


Re: [Dovecot] Strange error: DIGEST-MD5 mechanism can't be supported with given passdbs

2012-01-06 Thread Yubao Liu

On 01/06/2012 06:52 PM, Nick Rosier wrote:

Yubao Liu wrote:

Hi all,

I have no idea about that message, here is my configuration, what's wrong?

You have 2 passdb entries; 1 with a file and 1 with pam. I'm pretty sure
PAM doesn't support DIGEST-MD5 authentication. Could be the cause of the
problem.


Thanks, that is indeed the cause.

http://hg.dovecot.org/dovecot-2.0/file/684381041dc4/src/auth/auth.c
   121 static bool auth_passdb_list_have_lookup_credentials(struct auth *auth)
   122 {
   123 	struct auth_passdb *passdb;
   124
   125 	for (passdb = auth->passdbs; passdb != NULL; passdb = passdb->next) {
   126 		if (passdb->passdb->iface.lookup_credentials != NULL)
   127 			return TRUE;
   128 	}
   129 	return FALSE;
   130 }

I don't know why this function doesn't check auth->masterdbs; if I
insert these lines after line 128, that error goes away, and Dovecot's
imap-login process happily does DIGEST-MD5 authentication [1].
In my configuration, masterdbs contains the passdb passwd-file,
passdbs contains the passdb pam.

for (passdb = auth->masterdbs; passdb != NULL; passdb = passdb->next) {
	if (passdb->passdb->iface.lookup_credentials != NULL)
		return TRUE;
}


[1] But the authentication for user*master always fails; I realized master users
can't log in as other users with the DIGEST-MD5 or CRAM-MD5 auth mechanisms,
because these authentication mechanisms use user*master as the username
in the hash algorithm, not just master.

Regards,
Yubao Liu


Debian testing, Dovecot 2.0.15

$ doveconf -n
# 2.0.15: /etc/dovecot/dovecot.conf
# OS: Linux 3.1.0-1-686-pae i686 Debian wheezy/sid
auth_default_realm = corp.example.com
auth_krb5_keytab = /etc/dovecot.keytab
auth_master_user_separator = *
auth_mechanisms = gssapi digest-md5
auth_realms = corp.example.com
auth_username_format = %n
first_valid_gid = 1000
first_valid_uid = 1000
mail_location = mdbox:/srv/mail/%u/Mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date ihave
passdb {
   args = /etc/dovecot/master-users
   driver = passwd-file
   master = yes
   pass = yes
}
passdb {
   driver = pam
}
plugin {
   sieve = /srv/mail/%u/.dovecot.sieve
   sieve_dir = /srv/mail/%u/sieve
}
protocols =  imap lmtp sieve
service auth {
   unix_listener auth-client {
 group = Debian-exim
 mode = 0660
   }
}
ssl_cert =/etc/ssl/certs/dovecot.pem
ssl_key =/etc/ssl/private/dovecot.pem
userdb {
   args = home=/srv/mail/%u
   driver = passwd
}
protocol lmtp {
   mail_plugins =  sieve
}
protocol lda {
   mail_plugins =  sieve
}

# cat /etc/dovecot/master-users
x...@corp.example.com:

The z is obtained by doveadm pw -s digest-md5 -u x...@corp.example.com.
I tried to add the prefix {DIGEST-MD5} before the generated hash and/or add
scheme=DIGEST-MD5 to the passwd-file passdb's args option; neither
helps.

The error message:
dovecot: master: Dovecot v2.0.15 starting up (core dumps disabled)
dovecot: auth: Fatal: DIGEST-MD5 mechanism can't be supported with given
passdbs
gold dovecot: master: Error: service(auth): command startup failed,
throttling

I enabled the auth debug log; it showed Dovecot read /etc/dovecot/master-users
and parsed one line, then the error occurred. Doesn't the passwd-file
passdb support the digest-md5 password scheme? If it doesn't, how do I
configure the digest-md5 auth mechanism with the digest-md5 password scheme
for virtual users?

Regards,
Yubao Liu


Rgds,
N.
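
A simplified Python model of the startup check discussed in this message, added here as an example; it is not Dovecot's own code. It keeps master passdbs in a separate list the way the thread describes, implements the "does any passdb support this lookup?" test over either just the regular passdbs or both lists, and reproduces the fatal error from the page's configuration (passwd-file with master = yes plus pam, auth_mechanisms = gssapi digest-md5). The driver capabilities and the mechanism-requirement table are assumptions that follow the thread (passwd-file can return stored credentials, PAM can only verify a plaintext password, GSSAPI needs no passdb); the names `Passdb`, `Auth`, `build_auth`, `verify_mechanisms` and `MECH_NEEDS` are invented for the example.

```python
from dataclasses import dataclass, field
from typing import List

# Simplified model, written for this thread and not Dovecot's own code, of the
# startup check behind "DIGEST-MD5 mechanism can't be supported with given
# passdbs". Driver capabilities below are assumptions that follow the thread:
# passwd-file can both verify a plaintext password and return the stored
# credentials, PAM can only verify a plaintext password.


@dataclass
class Passdb:
    driver: str
    master: bool = False
    verify_plain: bool = False        # stands in for iface.verify_plain != NULL
    lookup_credentials: bool = False  # stands in for iface.lookup_credentials != NULL


@dataclass
class Auth:
    passdbs: List[Passdb] = field(default_factory=list)    # non-master passdbs
    masterdbs: List[Passdb] = field(default_factory=list)  # passdbs with master = yes


def build_auth(config: List[Passdb]) -> Auth:
    """Split the configured passdbs into the two lists the way the thread says
    auth_init() does after revision b05793c609ac: master passdbs stay out of
    auth.passdbs."""
    auth = Auth()
    for db in config:
        (auth.masterdbs if db.master else auth.passdbs).append(db)
    return auth


def _candidate_dbs(auth: Auth, include_masterdbs: bool) -> List[Passdb]:
    # include_masterdbs=False is the behaviour that produced the error in the
    # thread; True is what scheme (b) adds to the have_*() checks.
    return auth.passdbs + (auth.masterdbs if include_masterdbs else [])


def have_lookup_credentials(auth: Auth, include_masterdbs: bool) -> bool:
    return any(db.lookup_credentials for db in _candidate_dbs(auth, include_masterdbs))


def have_verify_plain(auth: Auth, include_masterdbs: bool) -> bool:
    return any(db.verify_plain for db in _candidate_dbs(auth, include_masterdbs))


# What each SASL mechanism needs from a passdb (assumed, simplified table):
# challenge-response mechanisms can only be verified against stored
# credentials, PLAIN and LOGIN work with either kind of lookup, and GSSAPI is
# verified by Kerberos rather than by a passdb ("GSSAPI isn't a passdb").
MECH_NEEDS = {
    "PLAIN": "either",
    "LOGIN": "either",
    "CRAM-MD5": "lookup_credentials",
    "DIGEST-MD5": "lookup_credentials",
    "GSSAPI": None,
}


def verify_mechanisms(auth: Auth, mechanisms: List[str], include_masterdbs: bool) -> List[str]:
    """Return the fatal error messages the auth process would log at startup
    for the given auth_mechanisms setting (an empty list means it starts)."""
    creds = have_lookup_credentials(auth, include_masterdbs)
    plain = have_verify_plain(auth, include_masterdbs)
    errors = []
    for mech in mechanisms:
        mech = mech.upper()
        need = MECH_NEEDS[mech]
        if need is None:
            continue
        supported = creds if need == "lookup_credentials" else (creds or plain)
        if not supported:
            errors.append(f"{mech} mechanism can't be supported with given passdbs")
    return errors


# The configuration from the thread: a passwd-file master passdb plus PAM,
# with auth_mechanisms = gssapi digest-md5.
THREAD_CONFIG = [
    Passdb("passwd-file", master=True, verify_plain=True, lookup_credentials=True),
    Passdb("pam", verify_plain=True),
]
THREAD_MECHS = ["gssapi", "digest-md5"]

if __name__ == "__main__":
    auth = build_auth(THREAD_CONFIG)
    print("only auth->passdbs: ", verify_mechanisms(auth, THREAD_MECHS, include_masterdbs=False))
    print("masterdbs included: ", verify_mechanisms(auth, THREAD_MECHS, include_masterdbs=True))
```

With `include_masterdbs=False` the model reports exactly the DIGEST-MD5 error from the original post; with `True` it starts, which is what adding the masterdbs loop to the have_*() functions achieves without putting master passdbs into the regular lookup chain.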




Re: [Dovecot] Strange error: DIGEST-MD5 mechanism can't be supported with given passdbs

2012-01-06 Thread Yubao Liu

On 01/07/2012 12:44 AM, Timo Sirainen wrote:

On Sat, 2012-01-07 at 00:15 +0800, Yubao Liu wrote:


I don't know why this function doesn't check auth->masterdbs; if I
insert these lines after line 128, that error goes away, and Dovecot's
imap-login process happily does DIGEST-MD5 authentication [1].
In my configuration, masterdbs contains the passdb passwd-file,
passdbs contains the passdb pam.

So .. you want DIGEST-MD5 authentication for the master users, but not
for anyone else? I hadn't really thought anyone would want that..


I hope users use GSSAPI authentication from native MUAs, but RoundCube
webmail doesn't support that, so I have to use DIGEST-MD5/CRAM-MD5/
PLAIN/LOGIN for authentication between RoundCube and Dovecot, and
let RoundCube log in as a master user on behalf of the normal user.

I really don't like to transfer passwords as plain text, so I prefer DIGEST-MD5
and CRAM-MD5 for both auth mechanisms and password schemes. My last email is
partially wrong: DIGEST-MD5 can't be used for master users because
'real_user*master_user' is used to calculate the digest in the IMAP client,
and this can't be consistent with the digest in the passdb because only
'master_user' is used to calculate that digest.

But CRAM-MD5 doesn't use the user name to calculate the digest; I just tried it
successfully with my rude patch to src/auth/auth.c in my previous email :-)

# doveadm pw -s CRAM-MD5 -u webmail
(use 123456 as passwd)
# cat  /etc/dovecot/master-users
webmail:{CRAM-MD5}dd59f669267e9bb13d42a1ba57c972c5b13a4b2ae457c9ada8035dc7d8bae41b
^D

$ gsasl --imap imap.corp.example.com --verbose -m CRAM-MD5 -a 'dieken*webm...@corp.example.com' -p 123456

Trying `gold.corp.example.com'...
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE 
IDLE STARTTLS LOGINDISABLED AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5] 
Dovecot ready.

. CAPABILITY
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE 
STARTTLS LOGINDISABLED AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5

. OK Pre-login capabilities listed, post-login capabilities have more.
. STARTTLS
. OK Begin TLS negotiation now.
. CAPABILITY
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE 
AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5

. OK Pre-login capabilities listed, post-login capabilities have more.
. AUTHENTICATE CRAM-MD5
+ PDM1OTIzODgxNjgyNzUxMjUuMTMyNTg3MDQwMkBnb2xkPg==
ZGlla2VuKndlYm1haWxAY29ycC5leGFtcGxlLmNvbSBkYjRlZWJlMTUwZGZjZjg5NTVkODZhNDBlMGJiZmQzNA==
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE 
SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT 
CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC 
ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS

Client authentication finished (server trusted)...
Enter application data (EOF to finish):

It's also OK to use -a 'dieken*webmail' instead of -a 
'dieken*webm...@corp.example.com'.


# doveconf -n
# 2.0.15: /etc/dovecot/dovecot.conf
# OS: Linux 3.1.0-1-686-pae i686 Debian wheezy/sid
auth_debug = yes
auth_debug_passwords = yes
auth_default_realm = corp.example.com
auth_krb5_keytab = /etc/dovecot.keytab
auth_master_user_separator = *
auth_mechanisms = gssapi digest-md5 cram-md5
auth_realms = corp.example.com
auth_username_format = %n
auth_verbose = yes
auth_verbose_passwords = plain
first_valid_gid = 1000
first_valid_uid = 1000
mail_debug = yes
mail_location = mdbox:/srv/mail/%u/Mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope 
encoded-character vacation subaddress comparator-i;ascii-numeric 
relational regex imap4flags copy include variables body enotify 
environment mailbox date ihave

passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
}
passdb {
  driver = pam
}
plugin {
  sieve = /srv/mail/%u/.dovecot.sieve
  sieve_dir = /srv/mail/%u/sieve
}
protocols =  imap lmtp sieve
service auth {
  unix_listener auth-client {
group = Debian-exim
mode = 0660
  }
}
ssl_cert = /etc/ssl/certs/dovecot.pem
ssl_key = /etc/ssl/private/dovecot.pem
userdb {
  args = home=/srv/mail/%u
  driver = passwd
}
verbose_ssl = yes
protocol lmtp {
  mail_plugins =  sieve
}
protocol lda {
  mail_plugins =  sieve
}


Regards,
Yubao Liu
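
The difference Yubao describes above, as an added example that is not part of the thread or of Dovecot's code: CRAM-MD5 (RFC 2195) keys its HMAC only on the password and the server challenge, so the `real_user*master_user` name the client sends does not affect the digest the server recomputes, while the {DIGEST-MD5} scheme stores MD5(username:realm:password) (RFC 2831), so a hash generated with `doveadm pw -s digest-md5 -u webmail` cannot match a client that hashed `dieken*webmail`. The challenge, realm, the master-user table and the helper names (`split_master_login`, `cram_md5_verify`, `digest_md5_secret`, ...) are constructed for the example; the DIGEST-MD5 side is reduced to the stored-secret comparison rather than the full response computation.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed sample values for this added example (not the thread's real
# challenge, stored hash or secret).
CHALLENGE = b"<12345.1325870402@gold.corp.example.com>"
REALM = "corp.example.com"
SEPARATOR = "*"  # auth_master_user_separator in the thread's configuration
MASTER_USERS = {"webmail": "123456"}  # stands in for /etc/dovecot/master-users


def split_master_login(authcid: str, sep: str = SEPARATOR) -> Tuple[str, Optional[str]]:
    """'real_user*master_user' -> ('real_user', 'master_user');
    an ordinary login comes back as (user, None)."""
    if sep in authcid:
        real_user, master_user = authcid.split(sep, 1)
        return real_user, master_user
    return authcid, None


def cram_md5_response(authcid: str, password: str, challenge: bytes) -> str:
    """RFC 2195 client side: '<authcid> <hex(HMAC-MD5(password, challenge))>'.
    The user name is only carried as text; it is not an input to the HMAC."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{authcid} {digest}"


def cram_md5_verify(response: str, challenge: bytes) -> bool:
    """Server side: look up the secret by the master user and recompute the
    HMAC. Whatever name the client put in front ('dieken*webmail' or just
    'webmail') does not change the expected digest."""
    authcid, client_digest = response.rsplit(" ", 1)
    real_user, master_user = split_master_login(authcid)
    password = MASTER_USERS.get(master_user if master_user is not None else real_user)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(client_digest, expected)


def digest_md5_secret(username: str, realm: str, password: str) -> str:
    """RFC 2831 H(username:realm:password) in hex, which is what
    'doveadm pw -s digest-md5 -u <username>' stores in a {DIGEST-MD5} entry.
    Here the user name is an input to the hash."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


def digest_md5_secret_matches(client_authcid: str, realm: str, password: str,
                              stored_secret: str) -> bool:
    """The client derives its secret from the name it sent (e.g. 'dieken*webmail'),
    while the server stored the hash for 'webmail' alone, so the two only agree
    when the client sent the bare master user name."""
    return hmac.compare_digest(digest_md5_secret(client_authcid, realm, password), stored_secret)


if __name__ == "__main__":
    resp = cram_md5_response("dieken*webmail", "123456", CHALLENGE)
    print("CRAM-MD5 as dieken*webmail verifies:", cram_md5_verify(resp, CHALLENGE))
    stored = digest_md5_secret("webmail", REALM, "123456")
    print("DIGEST-MD5 secret for dieken*webmail matches stored:",
          digest_md5_secret_matches("dieken*webmail", REALM, "123456", stored))
```

The CRAM-MD5 check passes for both `dieken*webmail` and `webmail` with the same secret, and fails for a wrong password or an unknown master user; the DIGEST-MD5 secret only matches when the client hashed the bare master name, which is the mismatch behind the failed `user*master` DIGEST-MD5 logins in this thread.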


Re: [Dovecot] Strange error: DIGEST-MD5 mechanism can't be supported with given passdbs

2012-01-06 Thread Yubao Liu

On 01/07/2012 12:44 AM, Timo Sirainen wrote:

On Sat, 2012-01-07 at 00:15 +0800, Yubao Liu wrote:


I don't know why this function doesn't check auth->masterdbs; if I
insert these lines after line 128, that error goes away, and Dovecot's
imap-login process happily does DIGEST-MD5 authentication [1].
In my configuration, masterdbs contains the passdb passwd-file,
passdbs contains the passdb pam.

So .. you want DIGEST-MD5 authentication for the master users, but not
for anyone else? I hadn't really thought anyone would want that..


Is there any special reason that master passdb isn't taken into
account in src/auth/auth.c:auth_passdb_list_have_lookup_credentials() ?
I feel master passdb is also a kind of passdb.

http://wiki2.dovecot.org/PasswordDatabase

 You can use multiple databases, so if the password doesn't match
 in the first database, Dovecot checks the next one. This can be useful
 if you want to easily support having both virtual users and also local
 system users (see Authentication/MultipleDatabases 
http://wiki2.dovecot.org/Authentication/MultipleDatabases).


This is exactly my use case: I use Kerberos for system users, and I'm curious
why the master passdb isn't used to check the have_lookup_credentials ability.


http://wiki2.dovecot.org/Authentication/MultipleDatabases
 Currently the fallback works only with the PLAIN authentication mechanism.


I hope this limitation can be relaxed.

Regards,
Yubao Liu



Re: [Dovecot] Strange error: DIGEST-MD5 mechanism can't be supported with given passdbs

2012-01-06 Thread Timo Sirainen
On 6.1.2012, at 19.45, Yubao Liu wrote:

 On 01/07/2012 12:44 AM, Timo Sirainen wrote:
 On Sat, 2012-01-07 at 00:15 +0800, Yubao Liu wrote:
 
 I don't know why this function doesn't check auth->masterdbs; if I
 insert these lines after line 128, that error goes away, and Dovecot's
 imap-login process happily does DIGEST-MD5 authentication [1].
 In my configuration, masterdbs contains the passdb passwd-file,
 passdbs contains the passdb pam.
 So .. you want DIGEST-MD5 authentication for the master users, but not
 for anyone else? I hadn't really thought anyone would want that..
 
 Is there any special reason that master passdb isn't taken into
 account in src/auth/auth.c:auth_passdb_list_have_lookup_credentials() ?
 I feel master passdb is also a kind of passdb.

I guess it could be changed. It wasn't done intentionally that way.

 This is exactly my use case: I use Kerberos for system users, and I'm curious
 why the master passdb isn't used to check the have_lookup_credentials
 ability.

 http://wiki2.dovecot.org/Authentication/MultipleDatabases
  Currently the fallback works only with the PLAIN authentication mechanism.
 
 I hope this limitation can be relaxed.

It might already be .. I don't remember. In any case you have only a PAM passdb, 
so it shouldn't matter. GSSAPI isn't a passdb.

Re: [Dovecot] Strange error: DIGEST-MD5 mechanism can't be supported with given passdbs

2012-01-06 Thread Yubao Liu

On 01/07/2012 01:51 AM, Timo Sirainen wrote:

On 6.1.2012, at 19.45, Yubao Liu wrote:

On 01/07/2012 12:44 AM, Timo Sirainen wrote:

On Sat, 2012-01-07 at 00:15 +0800, Yubao Liu wrote:

I don't know why this function doesn't check auth->masterdbs; if I
insert these lines after line 128, that error goes away, and Dovecot's
imap-login process happily does DIGEST-MD5 authentication [1].
In my configuration, masterdbs contains the passdb passwd-file,
passdbs contains the passdb pam.

So .. you want DIGEST-MD5 authentication for the master users, but not
for anyone else? I hadn't really thought anyone would want that..

Is there any special reason that master passdb isn't taken into
account in src/auth/auth.c:auth_passdb_list_have_lookup_credentials() ?
I feel master passdb is also a kind of passdb.

I guess it could be changed. It wasn't done intentionally that way.


I guess this change broke the old way:
http://hg.dovecot.org/dovecot-2.0/rev/b05793c609ac

In the old version, auth->passdbs contained all passdbs; this revision
changes auth->passdbs to contain only non-master passdbs.

I'm not sure which fix is better, or even whether my proposal is correct or complete:
  a) in src/auth/auth.c:auth_passdb_preinit(), insert master passdbs into
  auth->passdbs too, and remove the duplicate code for masterdbs
  in auth_init() and auth_deinit().

  b) add similar code for masterdbs in auth_passdb_list_have_verify_plain(),
  auth_passdb_list_have_lookup_credentials(), and
  auth_passdb_list_have_set_credentials().

This is exactly my use case: I use Kerberos for system users, and I'm curious
why the master passdb isn't used to check the have_lookup_credentials ability.
http://wiki2.dovecot.org/Authentication/MultipleDatabases
 Currently the fallback works only with the PLAIN authentication mechanism.

I hope this limitation can be relaxed.

It might already be .. I don't remember. In any case you have only a PAM passdb, 
so it shouldn't matter. GSSAPI isn't a passdb.
If the fix above is added, then I can use CRAM-MD5 with the master
passwd-file passdb and the normal pam passdb; otherwise the imap-login process
can't start up due to the check in auth_mech_list_verify_passdb().

Attached are two patches against the dovecot-2.0 branch for the two schemes;
the first is cleaner but may affect other logic in other source files.


Another related question is the pass option in the master passdb; if I set it
to yes, the authentication fails:
Jan  7 11:26:00 gold dovecot: auth: Debug: client in: 
AUTH#0111#011CRAM-MD5#011service=imap#011secured#011lip=127.0.1.1#011rip=127.0.0.1#011lport=143#011rport=51771
Jan  7 11:26:00 gold dovecot: auth: Debug: client out: 
CONT#0111#011PDk4NjcwMDY1MTU3NzI3MjguMTMyNTkwNjc2MEBnb2xkPg==
Jan  7 11:26:00 gold dovecot: auth: Debug: client in: 
CONT#0111#011ZGlla2VuKndlYm1haWwgYmNkMzFiMWE1YjQ1OWQ0OGRkZWQ4ZmIzZDhmMjVhZTc=
Jan  7 11:26:00 gold dovecot: auth: Debug: 
auth(webmail,127.0.0.1,master): Master user lookup for login: dieken
Jan  7 11:26:00 gold dovecot: auth: Debug: 
passwd-file(webmail,127.0.0.1,master): lookup: user=webmail 
file=/etc/dovecot/master-users
Jan  7 11:26:00 gold dovecot: auth: passdb(webmail,127.0.0.1,master): 
Master user logging in as dieken
Jan  7 11:26:00 gold dovecot: auth: Error: passdb(dieken,127.0.0.1): No 
passdbs support skipping password verification - pass=yes can't be used 
in master passdb
Jan  7 11:26:00 gold dovecot: auth: Debug: password(dieken,127.0.0.1): 
passdb doesn't support credential lookups


My normal passdb is a PAM passdb; it doesn't support credential lookups, and
that's reasonable, but I feel the comment for the pass option is confusing:

$ less /etc/dovecot/conf.d/auth-master.conf.ext

# Example master user passdb using passwd-file. You can use any passdb 
though.

passdb {
  driver = passwd-file
  master = yes
  args = /etc/dovecot/master-users

  # Unless you're using PAM, you probably still want the destination user to
  # be looked up from passdb that it really exists. pass=yes does that.
  pass = yes
}

According to the comment, it's to check whether the real user exists, so why
check another passdb rather than the userdb? Even if it must check against a
passdb, in this case it's obviously not necessary to look up credentials;
it's enough to look up the user name only.

Regards,
Yubao Liu

diff -r 38972af8bd29 src/auth/auth.c
--- a/src/auth/auth.c	Fri Jan 06 16:04:20 2012 +0200
+++ b/src/auth/auth.c	Sat Jan 07 10:24:12 2012 +0800
@@ -69,12 +69,10 @@
 		db_count = 0;
 	}
 
-	/* initialize passdbs first and count them */
 	for (passdb_count = 0, i = 0; i  db_count; i++) {
 		if (passdbs[i]-master)
 			continue;
 
-		auth_passdb_preinit(auth, passdbs[i], auth-passdbs);
 		passdb_count++;
 		last_passdb = i;
 	}
@@ -82,6 +80,8 @@
 		i_fatal(Last passdb can't have pass=yes);
 
 	for (i = 0; i  db_count; i++) {
+		auth_passdb_preinit(auth, passdbs[i], auth-passdbs);
+
 		if (!passdbs[i]-master)
 			continue;
 
@@ -190,8 +190,6 @@
 	struct auth_passdb *passdb;
 	struct auth_userdb *userdb;
 
-	for (passdb = auth-masterdbs; passdb 
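Review bot: the hunk is cut off in the archive after `for (passdb = auth->masterdbs; passdb`, so the removal of the masterdbs loop here (presumably the auth_init()/auth_deinit() duplication mentioned in the message) cannot be reviewed; please resend the complete patch. Removing that loop is only safe if every master passdb is guaranteed to be reachable through `auth->passdbs`, otherwise it would no longer be initialized or torn down.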

[Dovecot] Strange error: DIGEST-MD5 mechanism can't be supported with given passdbs

2012-01-05 Thread Yubao Liu

Hi all,

I have no idea about that message, here is my configuration, what's wrong?

Debian testing, Dovecot 2.0.15

$ doveconf -n
# 2.0.15: /etc/dovecot/dovecot.conf
# OS: Linux 3.1.0-1-686-pae i686 Debian wheezy/sid
auth_default_realm = corp.example.com
auth_krb5_keytab = /etc/dovecot.keytab
auth_master_user_separator = *
auth_mechanisms = gssapi digest-md5
auth_realms = corp.example.com
auth_username_format = %n
first_valid_gid = 1000
first_valid_uid = 1000
mail_location = mdbox:/srv/mail/%u/Mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope 
encoded-character vacation subaddress comparator-i;ascii-numeric 
relational regex imap4flags copy include variables body enotify 
environment mailbox date ihave

passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
  pass = yes
}
passdb {
  driver = pam
}
plugin {
  sieve = /srv/mail/%u/.dovecot.sieve
  sieve_dir = /srv/mail/%u/sieve
}
protocols =  imap lmtp sieve
service auth {
  unix_listener auth-client {
group = Debian-exim
mode = 0660
  }
}
ssl_cert = /etc/ssl/certs/dovecot.pem
ssl_key = /etc/ssl/private/dovecot.pem
userdb {
  args = home=/srv/mail/%u
  driver = passwd
}
protocol lmtp {
  mail_plugins =  sieve
}
protocol lda {
  mail_plugins =  sieve
}

# cat /etc/dovecot/master-users
x...@corp.example.com:

The z is obtained by doveadm pw -s digest-md5 -u x...@corp.example.com.
I tried to add the prefix {DIGEST-MD5} before the generated hash and/or add
scheme=DIGEST-MD5 to the passwd-file passdb's args option; neither
helps.


The error message:
dovecot: master: Dovecot v2.0.15 starting up (core dumps disabled)
dovecot: auth: Fatal: DIGEST-MD5 mechanism can't be supported with given 
passdbs
gold dovecot: master: Error: service(auth): command startup failed, 
throttling


I enabled the auth debug log; it showed Dovecot read /etc/dovecot/master-users
and parsed one line, then the error occurred. Doesn't the passwd-file
passdb support the digest-md5 password scheme? If it doesn't, how do I
configure the digest-md5 auth mechanism with the digest-md5 password scheme
for virtual users?

Regards,
Yubao Liu

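As an added illustration of why the auth process refuses to start (my code, not Dovecot's and not the poster's): DIGEST-MD5 is a challenge-response mechanism, so the server has to rebuild the client's response from stored credential material instead of handing a plaintext password to a verifier. A passdb therefore needs to support a credentials lookup; PAM can only answer yes/no to a plaintext password. The block computes the value Dovecot's digest-md5 scheme stores, hex(MD5(user:realm:password)), which is what doveadm pw -s digest-md5 -u user@realm prints after the {DIGEST-MD5} prefix, runs the RFC 2831 exchange from both sides using only that stored value on the server, and models the capability check behind the error. The user, realm, password, nonces and digest-uri are constructed for the example; the real hash in the post is elided.

```python
import hashlib
import hmac
import os

# Constructed sample credential for the example; the post elides the real
# hash for x...@corp.example.com.
SAMPLE_USER = "alice"
SAMPLE_REALM = "corp.example.com"
SAMPLE_PASSWORD = "correct horse battery staple"


def md5(data):
    return hashlib.md5(data).digest()


def digest_md5_scheme_hash(user, realm, password):
    """What a passwd-file passdb stores for the digest-md5 scheme:
    hex(MD5(user:realm:password)), i.e. the output of
    `doveadm pw -s digest-md5 -u user@realm` without the {DIGEST-MD5} prefix."""
    return md5("{}:{}:{}".format(user, realm, password).encode()).hex()


def _digest_response(h_userpass, nonce, cnonce, nc, qop, digest_uri, authzid=None):
    """RFC 2831 section 2.1.2.1.  A1 begins with the *binary* MD5 of
    user:realm:password, so whoever holds that digest can compute (and
    verify) responses without ever seeing the password itself."""
    a1 = h_userpass + ":{}:{}".format(nonce, cnonce).encode()
    if authzid:
        a1 += ":{}".format(authzid).encode()
    a2 = "AUTHENTICATE:{}".format(digest_uri).encode()
    if qop in ("auth-int", "auth-conf"):
        a2 += b":00000000000000000000000000000000"
    ha1 = md5(a1).hex()
    ha2 = md5(a2).hex()
    kd_input = "{}:{}:{}:{}:{}:{}".format(ha1, nonce, nc, cnonce, qop, ha2).encode()
    return md5(kd_input).hex()


def client_response(user, realm, password, nonce, cnonce, nc, qop, digest_uri, authzid=None):
    """Client side: derives the digest from the plaintext password it knows."""
    h_userpass = md5("{}:{}:{}".format(user, realm, password).encode())
    return _digest_response(h_userpass, nonce, cnonce, nc, qop, digest_uri, authzid)


def server_verify(stored_hex, nonce, cnonce, nc, qop, digest_uri, response, authzid=None):
    """Server side: needs only the stored hash, which it must be able to
    *look up* from a passdb (lookup_credentials); a yes/no password
    verifier such as PAM never returns it."""
    expected = _digest_response(bytes.fromhex(stored_hex), nonce, cnonce, nc, qop,
                                digest_uri, authzid)
    return hmac.compare_digest(expected, response)


def new_nonce():
    return os.urandom(16).hex()


def passdbs_can_serve_digest_md5(passdbs):
    """Model of the startup check behind the "can't be supported with given
    passdbs" error: at least one passdb must support credentials lookup.
    `passdbs` is a list of (driver, set_of_capabilities) pairs."""
    return any("lookup_credentials" in caps for _driver, caps in passdbs)


if __name__ == "__main__":
    stored = digest_md5_scheme_hash(SAMPLE_USER, SAMPLE_REALM, SAMPLE_PASSWORD)
    nonce, cnonce = new_nonce(), new_nonce()
    uri = "imap/mail." + SAMPLE_REALM
    resp = client_response(SAMPLE_USER, SAMPLE_REALM, SAMPLE_PASSWORD,
                           nonce, cnonce, "00000001", "auth", uri)
    print("stored {DIGEST-MD5}" + stored)
    print("verified:", server_verify(stored, nonce, cnonce, "00000001", "auth", uri, resp))
    print("pam only:", passdbs_can_serve_digest_md5([("pam", {"verify_plain"})]))
```

Two practical consequences follow from the code: the stored hex is password-equivalent for DIGEST-MD5 (anyone who reads /etc/dovecot/master-users can authenticate as that master user without knowing the password), so the file deserves the same protection as a plaintext password store; and the mechanism can only be offered once some passdb returns that hash, which is why a PAM-only setup, or one where the only lookup-capable passdb is not counted, fails at auth startup rather than at login time.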


Re: [Dovecot] Strange Error

2008-02-19 Thread Timo Sirainen

On Feb 18, 2008, at 11:03 PM, Davi Bariani Boin wrote:


procmail: Non-zero exitcode (75) from /usr/libexec/dovecot/deliver


75 means temporary failure. Look at Dovecot's logs for the real error message. If you can't find anything, see http://wiki.dovecot.org/LDA#logging







Re: [Dovecot] Strange Error

2008-02-19 Thread Davi Bariani Boin

Davi Bariani Boin wrote:

Timo Sirainen wrote:

On Feb 18, 2008, at 11:03 PM, Davi Bariani Boin wrote:


procmail: Non-zero exitcode (75) from /usr/libexec/dovecot/deliver


75 means temporary failure. Look at Dovecot's logs for the real 
error message. If you can't find anything, see 
http://wiki.dovecot.org/LDA#logging




I found the solution.

It might as well then just disable dotlocks and just use fcntl locks.
I just modified /etc/dovecot.conf like this:

mbox_read_locks = fcntl
mbox_write_locks = dotlock fcntl 


and done!!!


See http://wiki.dovecot.org/MailboxFormat/mbox and 
http://wiki.dovecot.org/MboxLocking





Hello Timo,

Here is Dovecot's log:

deliver(admin): Feb 19 10:05:40 Error: open(/var/mail/.temp.icon.icon.com.br.10297.271eea3f5567a71f) failed: Permission denied
deliver(admin): Feb 19 10:05:40 Error: file_lock_dotlock() failed with mbox file /var/mail/admin: Permission denied
deliver(admin): Feb 19 10:05:40 Info: msgid=[EMAIL PROTECTED]: save failed to INBOX


I think it is a permission problem. Any suggestion?








--
This message has been checked by the antivirus system and
is believed to be free of danger.




[Dovecot] Strange Error

2008-02-18 Thread Davi Bariani Boin

Hello Everybody,

I'm trying to make procmail and deliver work together on Fedora 7. Part of the
flow is the following:


- procmail gets the mail from Sendmail
- procmail asks deliver/dovecot whether there is any restriction (mailbox size,
etc.)

- procmail puts the mail in the user's inbox.

I have included the following line in the procmail config:

| /usr/libexec/dovecot/deliver -m $DEFAULT

and the procmail log shows me the following :

procmail: Assigning MAILDIR=/home/admin/mail
procmail: Assigning INCLUDERC=/home/admin/Procmail/rc.spam-mail
procmail: Couldn't determine implicit lockfile from /usr/libexec/dovecot/deliver

procmail: Locking .lock
procmail: Executing /usr/libexec/dovecot/deliver,-m,/var/spool/mail/admin
procmail: Non-zero exitcode (75) from /usr/libexec/dovecot/deliver
procmail: Assigning LASTFOLDER=/usr/libexec/dovecot/deliver -m /var/spool/mail/admin

procmail: Unlocking .lock
procmail: Skipped * ^X-Spam-Status:.*Yes
procmail: Skipped spam
procmail: Skipped -mail
procmail: Locking /var/spool/mail/admin.lock
procmail: Assigning LASTFOLDER=/var/spool/mail/admin
procmail: Opening /var/spool/mail/admin
procmail: Acquiring kernel-lock
procmail: Unlocking /var/spool/mail/admin.lock
procmail: Notified comsat: [EMAIL PROTECTED]:/var/spool/mail/admin
From [EMAIL PROTECTED]  Mon Feb 18 17:52:38 2008
Subject: Fw: te22
 Folder: 
/var/spool/mail/admin3425



What happened, after all?
Any clue will be very appreciated








Re: [Dovecot] Strange Error

2008-02-18 Thread Asheesh Laroia

On Mon, 18 Feb 2008, Davi Bariani Boin wrote:


Hello Everybody,

I'm trying to make procmail and deliver work together on Fedora 7. Part of the
flow is the following:


- procmail gets the mail from Sendmail
- procmail asks deliver/dovecot whether there is any restriction (mailbox size, etc.)
- procmail puts the mail in the user's inbox.

I have included the following line in the procmail config:

| /usr/libexec/dovecot/deliver -m $DEFAULT

and the procmail log shows me the following :

procmail: Assigning MAILDIR=/home/admin/mail
procmail: Assigning INCLUDERC=/home/admin/Procmail/rc.spam-mail
procmail: Couldn't determine implicit lockfile from /usr/libexec/dovecot/deliver

procmail: Locking .lock
procmail: Executing /usr/libexec/dovecot/deliver,-m,/var/spool/mail/admin
procmail: Non-zero exitcode (75) from /usr/libexec/dovecot/deliver


This is the interesting part.  Why did Dovecot Deliver return 75?

-- Asheesh.

--
Your business will go through a period of considerable expansion.

[Dovecot] Strange error message

2007-09-22 Thread Rich Winkel
I apologise if this is a faq but I couldn't find it in the archives.

FreeBSD math 4.11-RELEASE-p26 FreeBSD 4.11-RELEASE-p26 
dovecot version 1.0.3
x86 cpu
local disk (ufs)

Trying to run deliver from user's .forward file.
sendmail configured with smrsh, forward file says:
| deliver
Imap seems to work fine, but deliver says:

deliver(rw): mbox read/write lock list settings are invalid. Lock ordering must 
be the same with both, and write locks must contain all read locks (and 
possibly more)

#dovecot -n
# 1.0.3: /usr/local/etc/dovecot.conf
base_dir: /var/run/dovecot/
listen: localhost:996
ssl_disable: yes
login_dir: /var/run/dovecot/login
login_executable: /usr/local/libexec/dovecot/imap-login
login_greeting_capability: yes
first_valid_uid: 100
mail_extra_groups: mail
mail_location: mbox:~/mail:INBOX=/var/mail/%u:INDEX=/var/spool/dovecot_indexes/%u
lock_method: flock
mbox_write_locks: flock
auth default:
  passdb:
driver: pam
  userdb:
driver: passwd

Any help would be much appreciated!!  

Rich



Re: [Dovecot] Strange error message

2007-09-22 Thread Timo Sirainen
On Sat, 2007-09-22 at 16:27 -0500, Rich Winkel wrote:
 deliver(rw): mbox read/write lock list settings are invalid. Lock ordering 
 must be the same with both, and write locks must contain all read locks (and 
 possibly more)
..
 mbox_write_locks: flock

The default for mbox_read_locks is fcntl. So you most likely want to set
mbox_read_locks=flock.


