Re: Doveadm auth test fails

2022-01-06 Thread Ken Wright
On Thu, 2022-01-06 at 14:05 -0800, Joseph Tam wrote:
> On Wed, 5 Jan 2022, Ken Wright wrote:
> 
> > Jan  5 22:09:30 grace dovecot: auth: Debug: client passdb out:
> > FAIL#0111#011user=m...@mydomain.com
> 
> Just a wild ass guess, but does your password backend expect "me", or
> "m...@mydomain.com" (which is what it was given).

It was expecting m...@mydomain.com, but that wasn't the problem.  Turns
out PostfixAdmin was hashing the passwords with MD5 and Dovecot was
looking with ARGON.  No wonder I was getting password mismatches!

Ken



Re: Doveadm auth test fails

2022-01-06 Thread Joseph Tam

On Wed, 5 Jan 2022, Ken Wright wrote:


> Jan  5 22:09:30 grace dovecot: auth: Debug: client passdb out:
> FAIL#0111#011user=m...@mydomain.com


Just a wild ass guess, but does your password backend expect "me", or
"m...@mydomain.com" (which is what it was given).

Joseph Tam 


Re: Doveadm auth test fails

2022-01-05 Thread Ken Wright
On Thu, 2022-01-06 at 04:46 +0100, John Fawcett wrote:
> It looks like a mismatch between your dovecot and postfixadmin
> password encryption schemes. If I'm reading this correctly you have
> configured ARGON2I in dovecot and are using a MD5-crypt scheme in
> postfixadmin. Therefore when you set the password in postfixadmin it
> is saving the password with a different encryption scheme to the one
> that dovecot is using when it verifies the password. I suggest to
> align them. If you change the postfixadmin setting, remember you'll
> have to change the existing passwords that have been stored while
> using a different setting to the dovecot one.

John, you magnificent soandso!  That was indeed the problem.  I changed
PostfixAdmin to ARGON2 and everything worked.  Thank you so much!

> Also one other point (not sure if it's related to the multiple issues
> you've been posting about), but ARGON2 apparently requires a lot of 
> virtual memory. Were you using this previously or did you change to
> it during the server installation you did recently?

I was using it previously.  It was in the tutorial I followed.

Ken



Re: Doveadm auth test fails

2022-01-05 Thread John Fawcett

On 06/01/2022 04:20, Ken Wright wrote:

> On Thu, 2022-01-06 at 03:44 +0100, John Fawcett wrote:
> > On 06/01/2022 01:16, Ken Wright wrote:
> > > I've been having trouble logging into my email server (postfix
> > > 3.4.13, dovecot 2.3.7.2, postfixadmin 3.3.8).  I decided to try the
> > > doveadm auth test, and got the following result:
> > >
> > > kwright@grace:~$ sudo doveadm auth test m...@mydomain.com
> > > Password:
> > > passdb: m...@mydomain.com auth failed
> > > extra fields:
> > >     user=m...@mydomain.com
> > >
> > > I logged in to PostfixAdmin and made sure I was using the correct
> > > password, but got exactly the same result afterward.  Should I have
> > > restarted Dovecot after changing the password?  I'm totally confused
> > > by this problem; any and all suggestions will be gratefully received!
> > >
> > > Ken
> >
> > Ken
> >
> > Dovecot does have credential caching, so potentially the info could be
> > coming from the cache though dovecot uses some logic to understand
> > when it should do a new query so normally it's not necessary to flush
> > the cache or restart dovecot after changing a password. If you're doing
> > testing on a non live server in the process of being set up then you
> > may want to take the cautious approach of restarting dovecot.
> >
> > The command output you gave above does not provide useful information
> > about why the command is failing. You may be able to find other
> > information in the log.
> >
> > You may want to investigate turning on authentication and password
> > debugging to progress this problem.
> >
> > auth_debug = yes
> >
> > auth_debug_passwords = yes
> >
> > (and restart dovecot)
>
> Okay, I've done this.
>
> > Then try an authentication test again or even a full login test
> >
> > doveadm auth login username
> >
> > Those settings will give you information in the log about what dovecot
> > is doing internally in relation to looking up the user info and password
> > including information about password mismatches.
>
> Here's the latest output of tail /var/log/mail.log:
>
> Jan  5 22:09:28 grace dovecot: auth-worker(218040): Debug: conn
> unix:auth-worker (pid=171742,uid=118): auth-worker<1590>: Handling
> PASSV request
> Jan  5 22:09:28 grace dovecot: auth-worker(218040): Debug:
> sql(m...@mydomain.com,192.168.1.1,<3VfPMuHUrpvAqAEB>): Performing passdb
> lookup
> Jan  5 22:09:28 grace dovecot: auth-worker(218040): Debug:
> sql(m...@mydomain.com,192.168.1.1,<3VfPMuHUrpvAqAEB>): query: SELECT
> username AS user,password FROM mailbox WHERE username =
> 'm...@mydomain.com' AND active='1'
> Jan  5 22:09:28 grace dovecot: auth-worker(218040):
> sql(m...@mydomain.com,192.168.1.1,<3VfPMuHUrpvAqAEB>): Password mismatch
> Jan  5 22:09:28 grace dovecot: auth-worker(218040): Debug:
> sql(m...@mydomain.com,192.168.1.1,<3VfPMuHUrpvAqAEB>): ARGON2I(password)
> != '$1$c9809462$ecGdXzPm2xqMK0TKngGkc.', try DES-CRYPT scheme instead
> Jan  5 22:09:28 grace dovecot: auth-worker(218040): Debug:
> sql(m...@mydomain.com,192.168.1.1,<3VfPMuHUrpvAqAEB>): Finished passdb
> lookup
> Jan  5 22:09:28 grace dovecot: auth-worker(218040): Debug: conn
> unix:auth-worker (pid=171742,uid=118): auth-worker<1590>: Finished
> Jan  5 22:09:28 grace dovecot: auth: Debug:
> sql(m...@mydomain.com,192.168.1.1,<3VfPMuHUrpvAqAEB>): Finished passdb
> lookup
> Jan  5 22:09:28 grace dovecot: auth: Debug:
> auth(m...@mydomain.com,192.168.1.1,<3VfPMuHUrpvAqAEB>): Auth request
> finished
> Jan  5 22:09:30 grace dovecot: auth: Debug: client passdb out:
> FAIL#0111#011user=m...@mydomain.com
>
> I know the password is correct, but it still fails.  I had some
> problems getting this mailbox set up in PostfixAdmin; could it be the
> database is faulty?
>
> Ken


Ken

It looks like a mismatch between your dovecot and postfixadmin password 
encryption schemes. If I'm reading this correctly you have configured 
ARGON2I in dovecot and are using a MD5-crypt scheme in postfixadmin. 
Therefore when you set the password in postfixadmin it is saving the 
password with a different encryption scheme to the one that dovecot is 
using when it verifies the password. I suggest to align them. If you 
change the postfixadmin setting, remember you'll have to change the 
existing passwords that have been stored while using a different setting 
to the dovecot one.


Also one other point (not sure if it's related to the multiple issues 
you've been posting about), but ARGON2 apparently requires a lot of 
virtual memory. Were you using this previously or did you change to it 
during the server installation you did recently? Here's some more info 
in case you haven't seen it already:


https://doc.dovecot.org/configuration_manual/authentication/password_schemes/

John
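
Added example, not part of the original thread: a small Python check that reads Dovecot auth debug output of the shape shown above, identifies the scheme of the stored hash from its prefix, and reports whether it matches the scheme Dovecot tried. The log sample, user, address and hash are constructed; the function names are hypothetical.

```python
import re

# Crypt-style prefixes mapped to the Dovecot scheme names that produce them.
PREFIX_TO_SCHEME = {
    "$1$": "MD5-CRYPT",
    "$5$": "SHA256-CRYPT",
    "$6$": "SHA512-CRYPT",
    "$2a$": "BLF-CRYPT",
    "$2y$": "BLF-CRYPT",
    "$argon2i$": "ARGON2I",
    "$argon2id$": "ARGON2ID",
}
# Dovecot also accepts an explicit "{SCHEME}" or "{SCHEME.ENCODING}" prefix.
BRACED_RE = re.compile(r"^\{([A-Za-z0-9-]+)(?:\.[A-Za-z0-9]+)?\}")
# Debug line shape from the thread: SCHEME(password) != 'stored value'
MISMATCH_RE = re.compile(r"([A-Z0-9-]+)\([^)]*\) != '([^']*)'")

# Constructed sample, wrapped the way the mail client wrapped the real log.
SAMPLE_LOG = """\
Jan  5 22:09:28 host dovecot: auth-worker(1234):
sql(user@example.test,192.0.2.1,<constructedSessionId>): Password mismatch
Jan  5 22:09:28 host dovecot: auth-worker(1234): Debug:
sql(user@example.test,192.0.2.1,<constructedSessionId>): ARGON2I(password)
!= '$1$EXAMPLE0$constructedHashValue00.', try DES-CRYPT scheme instead
"""

def identify_scheme(stored):
    """Return the scheme name implied by a stored hash, or None if unknown."""
    braced = BRACED_RE.match(stored)
    if braced:
        return braced.group(1).upper()
    for prefix, scheme in PREFIX_TO_SCHEME.items():
        if stored.startswith(prefix):
            return scheme
    return None

def diagnose(log_text):
    """List each mismatch with the scheme tried and the scheme actually stored."""
    flat = " ".join(log_text.split())  # undo line wrapping before matching
    findings = []
    for expected, stored in MISMATCH_RE.findall(flat):
        actual = identify_scheme(stored)
        # aligned=True means the schemes agree, so the password itself is wrong.
        findings.append({"expected": expected, "stored_scheme": actual,
                         "aligned": actual == expected})
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```
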



Re: Doveadm auth test fails

2022-01-05 Thread Ken Wright
On Thu, 2022-01-06 at 03:44 +0100, John Fawcett wrote:
> On 06/01/2022 01:16, Ken Wright wrote:
> > I've been having trouble logging into my email server (postfix
> > 3.4.13, dovecot 2.3.7.2, postfixadmin 3.3.8).  I decided to try the
> > doveadm auth test, and got the following result:
> > 
> > kwright@grace:~$ sudo doveadm auth test m...@mydomain.com
> > Password:
> > passdb: m...@mydomain.com auth failed
> > extra fields:
> >    user=m...@mydomain.com
> > 
> > I logged in to PostfixAdmin and made sure I was using the correct
> > password, but got exactly the same result afterward.  Should I have
> > restarted Dovecot after changing the password?  I'm totally confused
> > by this problem; any and all suggestions will be gratefully received!
> > 
> > Ken
> > 
> > 
> > 
> Ken
> 
> Dovecot does have credential caching, so potentially the info could be
> coming from the cache though dovecot uses some logic to understand
> when it should do a new query so normally it's not necessary to flush
> the cache or restart dovecot after changing a password. If you're doing
> testing on a non live server in the process of being set up then you
> may want to take the cautious approach of restarting dovecot.
> 
> The command output you gave above does not provide useful information
> about why the command is failing. You may be able to find other
> information in the log.
> 
> You may want to investigate turning on authentication and password 
> debugging to progress this problem.
> 
> auth_debug = yes
> 
> auth_debug_passwords = yes
> 
> (and restart dovecot)

Okay, I've done this.

> Then try an authentication test again or even a full login test
> 
> doveadm auth login username
> 
> Those settings will give you information in the log about what dovecot
> is doing internally in relation to looking up the user info and password
> including information about password mismatches.

Here's the latest output of tail /var/log/mail.log:

Jan  5 22:09:28 grace dovecot: auth-worker(218040): Debug: conn
unix:auth-worker (pid=171742,uid=118): auth-worker<1590>: Handling
PASSV request
Jan  5 22:09:28 grace dovecot: auth-worker(218040): Debug:
sql(m...@mydomain.com,192.168.1.1,<3VfPMuHUrpvAqAEB>): Performing passdb
lookup
Jan  5 22:09:28 grace dovecot: auth-worker(218040): Debug:
sql(m...@mydomain.com,192.168.1.1,<3VfPMuHUrpvAqAEB>): query: SELECT
username AS user,password FROM mailbox WHERE username =
'm...@mydomain.com' AND active='1'
Jan  5 22:09:28 grace dovecot: auth-worker(218040):
sql(m...@mydomain.com,192.168.1.1,<3VfPMuHUrpvAqAEB>): Password mismatch
Jan  5 22:09:28 grace dovecot: auth-worker(218040): Debug:
sql(m...@mydomain.com,192.168.1.1,<3VfPMuHUrpvAqAEB>): ARGON2I(password)
!= '$1$c9809462$ecGdXzPm2xqMK0TKngGkc.', try DES-CRYPT scheme instead
Jan  5 22:09:28 grace dovecot: auth-worker(218040): Debug:
sql(m...@mydomain.com,192.168.1.1,<3VfPMuHUrpvAqAEB>): Finished passdb
lookup
Jan  5 22:09:28 grace dovecot: auth-worker(218040): Debug: conn
unix:auth-worker (pid=171742,uid=118): auth-worker<1590>: Finished
Jan  5 22:09:28 grace dovecot: auth: Debug:
sql(m...@mydomain.com,192.168.1.1,<3VfPMuHUrpvAqAEB>): Finished passdb
lookup
Jan  5 22:09:28 grace dovecot: auth: Debug:
auth(m...@mydomain.com,192.168.1.1,<3VfPMuHUrpvAqAEB>): Auth request
finished
Jan  5 22:09:30 grace dovecot: auth: Debug: client passdb out:
FAIL#0111#011user=m...@mydomain.com

I know the password is correct, but it still fails.  I had some
problems getting this mailbox set up in PostfixAdmin; could it be the
database is faulty?

Ken



Re: Doveadm auth test fails

2022-01-05 Thread John Fawcett

On 06/01/2022 01:16, Ken Wright wrote:

> I've been having trouble logging into my email server (postfix 3.4.13,
> dovecot 2.3.7.2, postfixadmin 3.3.8).  I decided to try the doveadm
> auth test, and got the following result:
>
> kwright@grace:~$ sudo doveadm auth test m...@mydomain.com
> Password:
> passdb: m...@mydomain.com auth failed
> extra fields:
>    user=m...@mydomain.com
>
> I logged in to PostfixAdmin and made sure I was using the correct
> password, but got exactly the same result afterward.  Should I have
> restarted Dovecot after changing the password?  I'm totally confused by
> this problem; any and all suggestions will be gratefully received!
>
> Ken




Ken

Dovecot does have credential caching, so potentially the info could be 
coming from the cache though dovecot uses some logic to understand when 
it should do a new query so normally it's not necessary to flush the 
cache or restart dovecot after changing a password. If you're doing 
testing on a non live server in the process of being set up then you 
may want to take the cautious approach of restarting dovecot.


The command output you gave above does not provide useful information 
about why the command is failing. You may be able to find other 
information in the log.


You may want to investigate turning on authentication and password 
debugging to progress this problem.


auth_debug = yes

auth_debug_passwords = yes

(and restart dovecot)

Then try an authentication test again or even a full login test

doveadm auth login username

Those settings will give you information in the log about what dovecot 
is doing internally in relation to looking up the user info and password 
including information about password mismatches.


John