Re: pam authentication error?

2019-05-27 Thread @lbutlr via dovecot
On 27 May 2019, at 14:18, @lbutlr via dovecot  wrote:
> auth-worker(5045): Error: pam(kremels,xxx.xxx.xxx.xxx: pam_authenticate() 
> failed: authentication error (/etc/pam.d/dovecot missing?)

Stopped dovecot, reloaded it, stopped it and postfix, rebuilt dovecot just for 
grins. Nothing seemed to work.

Rebooted.

Sigh. Seems to be working now.  ¯\_(ツ)_/¯ 

-- 
Two of the most famous products of Berkeley are LSD and Unix. 
I don't think that is a coincidence




pam authentication error?

2019-05-27 Thread @lbutlr via dovecot
Getting this:

auth-worker(5045): Error: pam(kremels,xxx.xxx.xxx.xxx: pam_authenticate() 
failed: authentication error (/etc/pam.d/dovecot missing?)

# cat /etc/pam.d/dovcot 
auth     required  pam_unix.so nullok
account  required  pam_unix.so

(file was last updated in April of 2018)

passdb {
 username_filter = "!*@*"
 driver = pam
}
userdb {
 driver = passwd
}

service auth {
 unix_listener auth-userdb {
 }

 unix_listener /var/spool/postfix/private/auth {
   mode = 0666
 }
}

# ls -ls /var/spool/postfix/private/auth 
0 srw-rw-rw-  1 root  wheel  0 May 27 13:57 /var/spool/postfix/private/auth

postfix/main.cf:
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_starttls_timeout = 20s
smtpd_tls_cert_file = /usr/local/etc/dehydrated/certs/covisp.net/fullchain.pem
smtpd_tls_key_file = /usr/local/etc/dehydrated/certs/covisp.net/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may

16 -rw---  1 root  443  4152 May 20 21:08 fullchain-1558408117.pem
0 lrwx--  1 root  44324 May 20 21:08 fullchain.pem -> 
fullchain-1558408117.pem
8 -rw---  1 root  443  3243 May 20 21:08 privkey-1558408117.pem
0 lrwx--  1 root  44322 May 20 21:08 privkey.pem -> 
privkey-1558408117.pem



Re: FreeBSD Core dump: PAM authentication with Kerberos credentials (GSSAPI_MIT)

2018-02-17 Thread Ben Woods
On 12 February 2018 at 23:34, Ben Woods  wrote:

> Hi everyone,
>
> I have a repeatable core dump when running dovecot on FreeBSD in the
> specific scenario described below.
>
> Dovecot is linked against MIT kerberos in /usr/local/lib/, whilst PAM is
> linked against Heimdal in /usr/lib/.
> My expectation was that dovecot authentication using GSSAPI would use MIT
> kerberos in /usr/local/lib, whereas PAM authentication is independent from
> dovecot and would therefore use Heimdal in /usr/lib/.
>
> What actually seems to occur during PAM authentication is the Heimdal code
> in /usr/lib/ is initially being used, but part way through it switches to
> using the MIT kerberos code in /usr/local/lib/.
>
> I have reported this bug on the FreeBSD bug tracker here:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=225818
>
> Any help troubleshooting this issue would be much appreciated. I suspect
> it has something to do with the CFLAGS and LDFLAGS being used during the
> build, so I have attached the build log to the FreeBSD bug report.
>
> Thanks in advance,
> Ben
>


Hi everyone,

Can anyone recommend a way to fix the dovecot build process so that the
dovecot code for PAM authentication is not dynamically linked to the
kerberos libraries?

The issue appears to be that a single dovecot library is created for all
authentication mechanisms (libauth.la), so whilst the PAM authentication
code does not need to link to the kerberos libraries, the GSSAPI
authentication code does.

This results in dovecot being linked to the MIT kerberos libraries, whilst
my PAM is linked to the Heimdal kerberos libraries. Therefore, when dovecot
runs PAM, both the MIT and Heimdal libraries are loaded at the same time.

Regards,
Ben

--
From: Benjamin Woods
woods...@gmail.com
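
An added example, not part of Ben's message and not Dovecot or FreeBSD code: it models default ELF lookup order to show how a call made inside the Heimdal library can bind to the MIT definition once both libraries are in one process, and lists the symbols both export. The `nm` listings are constructed and abbreviated, the library labels and load order are assumptions taken from the thread's description, and symbol versioning, `-Bsymbolic` and protected visibility are ignored.

```python
"""Model of flat ELF symbol lookup with two Kerberos libraries in one process."""
import re
import subprocess

# One line of `nm -D --defined-only`: "<address> <type> <name>[@[@]version]".
NM_LINE = re.compile(r"^[0-9A-Fa-f]+\s+([A-Za-z])\s+(\S+)$")
# Upper-case nm types are global definitions that another object can bind to.
GLOBAL_TYPES = set("TDBRWV")


def parse_nm(text):
    """Return {symbol: version or None} for globally defined dynamic symbols."""
    symbols = {}
    for line in text.splitlines():
        match = NM_LINE.match(line.strip())
        if not match or match.group(1) not in GLOBAL_TYPES:
            continue  # local symbol, undefined symbol, or not an nm line
        name, _, version = match.group(2).partition("@")
        symbols[name] = version.lstrip("@") or None
    return symbols


def nm_exports(path):
    """Same as parse_nm, but reads a real library (needs `nm` on PATH)."""
    result = subprocess.run(["nm", "-D", "--defined-only", path],
                            check=True, capture_output=True, text=True)
    return parse_nm(result.stdout)


def collisions(exports_a, exports_b):
    """Names defined by both libraries: candidates for cross-binding."""
    return sorted(set(exports_a) & set(exports_b))


def resolve(symbol, search_order, exports):
    """First library in lookup order that defines the symbol, else None."""
    for lib in search_order:
        if symbol in exports[lib]:
            return lib
    return None


def crossings(caller, search_order, exports):
    """Symbols the caller defines itself but that bind to another library."""
    crossed = {}
    for symbol in sorted(exports[caller]):
        winner = resolve(symbol, search_order, exports)
        if winner != caller:
            crossed[symbol] = winner
    return crossed


# Constructed, abbreviated listings (not the real export lists). Labels are
# hypothetical; the directories are the ones named in the thread.
HEIMDAL = "heimdal:/usr/lib"
MIT = "mit:/usr/local/lib"
HEIMDAL_NM = """\
0000000000031a40 T krb5_appdefault_string
0000000000031b90 T krb5_appdefault_time
0000000000052e10 T krb5_get_init_creds_opt_set_default_flags
0000000000031000 t example_local_helper
"""
MIT_NM = """\
000000000002f5e0 T krb5_appdefault_string
000000000002f700 T example_mit_only_symbol
"""
EXPORTS = {HEIMDAL: parse_nm(HEIMDAL_NM), MIT: parse_nm(MIT_NM)}

# Assumed order: MIT is a startup dependency of the auth binary, so it is
# searched first; Heimdal only arrives later, when PAM loads pam_krb5.
SEARCH_ORDER = [MIT, HEIMDAL]

if __name__ == "__main__":
    print("exported by both:", collisions(EXPORTS[HEIMDAL], EXPORTS[MIT]))
    for symbol, winner in crossings(HEIMDAL, SEARCH_ORDER, EXPORTS).items():
        print(f"{symbol}: called from {HEIMDAL}, binds to {winner}")
```

With this order `krb5_appdefault_time` stays in Heimdal while `krb5_appdefault_string` binds to MIT, the same split the backtrace shows between frames #3 and #2.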


Re: FreeBSD Core dump: PAM authentication with Kerberos credentials (GSSAPI_MIT)

2018-02-12 Thread Ben Woods
Hi Aki,

Thanks for your response. Indeed, I don't know why the first 2 lines don't
have debugging symbols, as my build of dovecot definitely has them. Any
hints on how I can get them?

$ file /usr/local/libexec/dovecot/auth
/usr/local/libexec/dovecot/auth: ELF 64-bit LSB executable, x86-64, version
1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for
FreeBSD 12.0 (1200054), FreeBSD-style, with debug_info, not stripped


Regardless, it is not really necessary, as I was able to determine from
/var/log/debug.log and also by attaching gdb to the running "auth -w"
process that this all occurred during the pam_authenticate step in
src/auth/passdb-pam.c (as per my DIAGNOSIS section in the previous email):
https://github.com/dovecot/core/blob/2.2.33.2/src/auth/passdb-pam.c#L158

Regards,
Ben

--
From: Benjamin Woods
woods...@gmail.com

On 13 February 2018 at 00:44, Aki Tuomi  wrote:

> Hi!
>
> Can you attempt to get core dump with debugging symbols with dovecot too?
> Currently it seems to only contain symbols from kerberos bit, which is not
> very useful on its own.
>
> Aki
>
> > On 12 February 2018 at 17:34 Ben Woods  wrote:
> > GDB BACKTRACE OF COREDUMP:
> > $ gdb /usr/local/libexec/dovecot/auth
> > GNU gdb (GDB) 8.0.1 [GDB v8.0.1 for FreeBSD]
> > Copyright (C) 2017 Free Software Foundation, Inc.
> > License GPLv3+: GNU GPL version 3 or later  html
> > >
> > This is free software: you are free to change and redistribute it.
> > There is NO WARRANTY, to the extent permitted by law.  Type "show
> copying"
> > and "show warranty" for details.
> > This GDB was configured as "x86_64-portbld-freebsd12.0".
> > Type "show configuration" for configuration details.
> > For bug reporting instructions, please see:
> > .
> > Find the GDB manual and other documentation resources online at:
> > .
> > For help, type "help".
> > Type "apropos word" to search for commands related to "word"...
> > Reading symbols from /usr/local/libexec/dovecot/auth...done.
> > (gdb) core /tmp/auth.core
> > [New LWP 102627]
> > warning: Can't read pathname for load map: Unknown error: -1.
> > warning: Can't read pathname for load map: Unknown error: -1.
> > warning: Can't read pathname for load map: Unknown error: -1.
> > warning: Can't read pathname for load map: Unknown error: -1.
> > Core was generated by `dovecot/auth -w'.
> > Program terminated with signal SIGSEGV, Segmentation fault.
> > #0  strlen (str=0x0) at /usr/src/lib/libc/string/strlen.c:100
> > warning: Source file is more recent than executable.
> > 100  */
> > (gdb) bt
> > #0  strlen (str=0x0) at /usr/src/lib/libc/string/strlen.c:100
> > #1  0x12130022 in strdup (str=0x0) at
> > /usr/src/lib/libc/string/strdup.c:46
> > #2  0x11b65e9d in krb5_appdefault_string (context=0x10777000,
> > appname=0x106f0018 "imap", realm=0x0, option=0x13b1f403
> "ticket_lifetime",
> > default_value=0x0, ret_value=0x7fffe088)
> > at appdefault.c:165
> > #3  0x13af4a80 in krb5_appdefault_time (context=0x0,
> > appname=0xaaca6003  > 0xaaca6003>,
> > realm=0x50 , option=0x0,
> > def_val=0, ret_val=0x7fffe0e0) at
> > /usr/src/crypto/heimdal/lib/krb5/appdefault.c:130
> > #4  0x13ae3e79 in krb5_get_init_creds_opt_set_default_flags
> > (context=0x10777000, appname=0x106f0018 "imap", realm=0x0,
> opt=0x1070f3c0)
> > at /usr/src/crypto/heimdal/lib/krb5/init_creds.c:171
> > #5  0x138b738f in ?? ()
> > #6  0x in ?? ()
> >
>


Re: FreeBSD Core dump: PAM authentication with Kerberos credentials (GSSAPI_MIT)

2018-02-12 Thread Aki Tuomi
Hi!

Can you attempt to get core dump with debugging symbols with dovecot too? 
Currently it seems to only contain symbols from kerberos bit, which is not very 
useful on its own.

Aki

> On 12 February 2018 at 17:34 Ben Woods  wrote:
> 
> 
> Hi everyone,
> 
> I have a repeatable core dump when running dovecot on FreeBSD in the
> specific scenario described below.
> 
> Dovecot is linked against MIT kerberos in /usr/local/lib/, whilst PAM is
> linked against Heimdal in /usr/lib/.
> My expectation was that dovecot authentication using GSSAPI would use MIT
> kerberos in /usr/local/lib, whereas PAM authentication is independent from
> dovecot and would therefore use Heimdal in /usr/lib/.
> 
> What actually seems to occur during PAM authentication is the Heimdal code
> in /usr/lib/ is initially being used, but part way through it switches to
> using the MIT kerberos code in /usr/local/lib/.
> 
> I have reported this bug on the FreeBSD bug tracker here:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=225818
> 
> Any help troubleshooting this issue would be much appreciated. I suspect it
> has something to do with the CFLAGS and LDFLAGS being used during the
> build, so I have attached the build log to the FreeBSD bug report.
> 
> Thanks in advance,
> Ben
> 
> 
> SCENARIO:
> - Build mail/dovecot with option GSSAPI_MIT (link against MIT kerberos from
> ports rather than Heimdal in base)
> - Configure dovecot for PAM authentication, using PAM service "imap":
>   $ cat /usr/local/etc/dovecot/conf.d/10-auth.conf
>   auth_mechanisms = plain
>   passdb {
>     driver = pam
>     args = %s
>   }
>   userdb {
>     driver = passwd
>   }
> - Configure imap pam to authenticate against kerberos (and enable
> debugging):
>   $ cat /etc/pam.d/imap
>   auth     sufficient  pam_krb5.so debug
>   account  required    pam_krb5.so debug
> 
> 
> RESULT:
> This results in a crash of the dovecot authentication worker before any
> kerberos messages are even exchanged.
> 
> 
> DIAGNOSIS:
> Reviewing the log output below, my explanation of the backtrace is below
> (chronological order / newest item last):
> 
> - Dovecot had successfully performed pam_start(), the necessary
> pam_set_item(), and called pam_authenticate(pamh, 0)
> https://github.com/dovecot/core/blob/2.2.33.2/src/auth/passdb-pam.c#L158
> 
> - PAM called pam_sm_authenticate() in
> /usr/lib/libpam/modules/pam_krb5/pam_krb5.c which successfully got the
> user, ruser, service, principal, password, checked local user, and then ran
> krb5_get_init_creds_opt_set_default_flags
> https://github.com/freebsd/freebsd/blob/master/lib/libpam/modules/pam_krb5/pam_krb5.c#L242
> 
> - Heimdal krb5_get_init_creds_opt_set_default_flags ran the Heimdal version
> of krb5_appdefault_time:
> https://github.com/freebsd/freebsd/blob/master/crypto/heimdal/lib/krb5/init_creds.c#L171
> 
> - Heimdal function krb5_appdefault_time ran the MIT kerberos version of
> krb5_appdefault_string:
> https://github.com/freebsd/freebsd/blob/master/crypto/heimdal/lib/krb5/appdefault.c#L130
> 
> This is where the code path crosses from using the Heimdal code to the MIT
> kerberos code, which it should not do. I know this, because the GDB
> backtrace shows the krb5_appdefault_string function called strdup in file
> appdefault.c:165, but the Heimdal appdefault.c file only has 140 lines.
> Reviewing the MIT kerberos code, the strdup function is indeed called at
> appdefault.c:165.
> 
> Why did the Heimdal appdefault.c code call the MIT kerberos version of
> krb5_appdefault_string, when the Heimdal version was only 50 lines higher
> in the same appdefault.c file?
> 
> 
> ENVIRONMENT:
> $ dovecot -n
> # 2.2.33.2 (d6601f4ec): /usr/local/etc/dovecot/dovecot.conf
> # OS: FreeBSD 12.0-CURRENT amd64  zfs
> auth_debug = yes
> auth_debug_passwords = yes
> auth_krb5_keytab = /usr/local/etc/dovecot/dovecot.keytab
> auth_mechanisms = plain login gssapi
> auth_realms = WOODS.AM
> auth_verbose = yes
> mail_location = mdbox:/var/mail/%u
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
> special_use = \Drafts
>   }
>   mailbox Junk {
> special_use = \Junk
>   }
>   mailbox Sent {
> special_use = \Sent
>   }
>   mailbox "Sent Messages" {
> special_use = \Sent
>   }
>   mailbox Trash {
> special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   args = failure_show_msg=yes %s
>   driver = pam
> }
> service auth-worker {
>   drop_priv_before_exec = yes
> }
> ssl_cert =  ssl_key =  # hidden, use -P to show it
> userdb {
>   driver = passwd
>

FreeBSD Core dump: PAM authentication with Kerberos credentials (GSSAPI_MIT)

2018-02-12 Thread Ben Woods
Hi everyone,

I have a repeatable core dump when running dovecot on FreeBSD in the
specific scenario described below.

Dovecot is linked against MIT kerberos in /usr/local/lib/, whilst PAM is
linked against Heimdal in /usr/lib/.
My expectation was that dovecot authentication using GSSAPI would use MIT
kerberos in /usr/local/lib, whereas PAM authentication is independent from
dovecot and would therefore use Heimdal in /usr/lib/.

What actually seems to occur during PAM authentication is the Heimdal code
in /usr/lib/ is initially being used, but part way through it switches to
using the MIT kerberos code in /usr/local/lib/.

I have reported this bug on the FreeBSD bug tracker here:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=225818

Any help troubleshooting this issue would be much appreciated. I suspect it
has something to do with the CFLAGS and LDFLAGS being used during the
build, so I have attached the build log to the FreeBSD bug report.

Thanks in advance,
Ben


SCENARIO:
- Build mail/dovecot with option GSSAPI_MIT (link against MIT kerberos from
ports rather than Heimdal in base)
- Configure dovecot for PAM authentication, using PAM service "imap":
  $ cat /usr/local/etc/dovecot/conf.d/10-auth.conf
  auth_mechanisms = plain
  passdb {
    driver = pam
    args = %s
  }
  userdb {
    driver = passwd
  }
- Configure imap pam to authenticate against kerberos (and enable
debugging):
  $ cat /etc/pam.d/imap
  auth     sufficient  pam_krb5.so debug
  account  required    pam_krb5.so debug


RESULT:
This results in a crash of the dovecot authentication worker before any
kerberos messages are even exchanged.


DIAGNOSIS:
Reviewing the log output below, my explanation of the backtrace is below
(chronological order / newest item last):

- Dovecot had successfully performed pam_start(), the necessary
pam_set_item(), and called pam_authenticate(pamh, 0)
https://github.com/dovecot/core/blob/2.2.33.2/src/auth/passdb-pam.c#L158

- PAM called pam_sm_authenticate() in
/usr/lib/libpam/modules/pam_krb5/pam_krb5.c which successfully got the
user, ruser, service, principal, password, checked local user, and then ran
krb5_get_init_creds_opt_set_default_flags
https://github.com/freebsd/freebsd/blob/master/lib/libpam/modules/pam_krb5/pam_krb5.c#L242

- Heimdal krb5_get_init_creds_opt_set_default_flags ran the Heimdal version
of krb5_appdefault_time:
https://github.com/freebsd/freebsd/blob/master/crypto/heimdal/lib/krb5/init_creds.c#L171

- Heimdal function krb5_appdefault_time ran the MIT kerberos version of
krb5_appdefault_string:
https://github.com/freebsd/freebsd/blob/master/crypto/heimdal/lib/krb5/appdefault.c#L130

This is where the code path crosses from using the Heimdal code to the MIT
kerberos code, which it should not do. I know this, because the GDB
backtrace shows the krb5_appdefault_string function called strdup in file
appdefault.c:165, but the Heimdal appdefault.c file only has 140 lines.
Reviewing the MIT kerberos code, the strdup function is indeed called at
appdefault.c:165.

Why did the Heimdal appdefault.c code call the MIT kerberos version of
krb5_appdefault_string, when the Heimdal version was only 50 lines higher
in the same appdefault.c file?


ENVIRONMENT:
$ dovecot -n
# 2.2.33.2 (d6601f4ec): /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 12.0-CURRENT amd64  zfs
auth_debug = yes
auth_debug_passwords = yes
auth_krb5_keytab = /usr/local/etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi
auth_realms = WOODS.AM
auth_verbose = yes
mail_location = mdbox:/var/mail/%u
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Sent {
special_use = \Sent
  }
  mailbox "Sent Messages" {
special_use = \Sent
  }
  mailbox Trash {
special_use = \Trash
  }
  prefix =
}
passdb {
  args = failure_show_msg=yes %s
  driver = pam
}
service auth-worker {
  drop_priv_before_exec = yes
}
ssl_cert = http://gnu.org/licenses/gpl.html
>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-portbld-freebsd12.0".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/local/libexec/dovecot/auth...done.
(gdb) core /tmp/auth.core
[New LWP 102627]
warning: Can't read pathname for load map: Unknown error: -1.
warning: Can't read pathname for load map: Unknown error: -1.
warning: Can't read pa

Re: pam authentication

2017-09-05 Thread dovecotml
I'm sorry but there's a problem with virtual users: seems that dovecot 
processes first part of domain, for example: testdomain.org, and 
testdomain.com for dovecot are the same


I can login using user00@testdomain

well if I've

use...@testdomain.com and use...@testdomain.org

a user can login using: user00@testdomain and dovecot checks first
domain


it's strange (!)

how to solve?

Pol

On 2017-09-05 13:54, Aki Tuomi wrote:


Sorry, small typo

passdb {
driver = static
args = user=%n noauthenticate
}

Aki

On 05.09.2017 14:51, Pol Hallen wrote: does not work :-/

Sep 05 13:49:41 auth: Debug: auth client connected (pid=31115)
Sep 05 13:49:41 auth: Debug: client in: AUTH1   PLAIN
service=imapsecured session=IFCT0m9Y0KjAqAFk
lip=192.168.1.100   rip=192.168.1.100   lport=143
rport=43216
resp=AHBvbGhhbGxlbkBmdWNrYXJvdW5kLm9yZwBQYW5kb3JhMjAwMA== (previous
base64 data may contain sensitive data)
Sep 05 13:49:41 auth: Debug:
passwd-file(use...@realdomain.org,192.168.1.100,):
lookup: user=use...@realdomain.org file=/etc/dovecot/users
Sep 05 13:49:41 auth: Debug:
static(use...@realdomain.org,192.168.1.100,): lookup
Sep 05 13:49:41 auth: Debug:
static(use...@realdomain.org,192.168.1.100,):
Allowing any password
Sep 05 13:49:41 auth: Debug:
static(use...@realdomain.org,192.168.1.100,): Not
performing authentication (noauthenticate set)
==> /var/log/dovecot.info <==
Sep 05 13:49:41 auth: Info:
passwd-file(use...@realdomain.org,192.168.1.100,):
unknown user (given password: pass) - trying the next passdb
==> /var/log/dovecot.debug <==
Sep 05 13:49:41 auth-worker(31116): Debug: Loading modules from
directory: /usr/lib/dovecot/modules/auth
Sep 05 13:49:41 auth-worker(31116): Debug: passwd-file
/etc/dovecot/users: Read 4 users in 0 secs
Sep 05 13:49:41 auth-worker(31116): Debug:
pam(use...@realdomain.org,192.168.1.100,): lookup
service=dovecot
Sep 05 13:49:41 auth-worker(31116): Debug:
pam(use...@realdomain.org,192.168.1.100,): #1/1
style=1 msg=Password:
==> /var/log/dovecot.info <==
Sep 05 13:49:42 auth-worker(31116): Info:
pam(use...@realdomain.org,192.168.1.100,):
pam_authenticate() failed: Authentication failure (password mismatch?)
(given password: pass)
==> /var/log/dovecot.debug <==
Sep 05 13:49:42 auth-worker(31116): Debug:
pam(use...@realdomain.org,192.168.1.100,): lookup
service=dovecot
Sep 05 13:49:42 auth-worker(31116): Debug:
pam(use...@realdomain.org,192.168.1.100,): #1/1
style=1 msg=Password:
==> /var/log/dovecot.info <==
Sep 05 13:49:45 auth-worker(31116): Info:
pam(use...@realdomain.org,192.168.1.100,):
pam_authenticate() failed: Authentication failure (password mismatch?)
(given password: pass)
==> /var/log/dovecot.debug <==
Sep 05 13:49:45 auth: Debug:
passwd-file(use...@realdomain.org,192.168.1.100,):
lookup: user=use...@realdomain.org file=/etc/dovecot/users
==> /var/log/dovecot.info <==
Sep 05 13:49:45 auth: Info:
passwd-file(use...@realdomain.org,192.168.1.100,):
unknown user (given password: pass)
==> /var/log/dovecot.debug <==
Sep 05 13:49:47 auth: Debug: client passdb out: FAIL1
user=use...@realdomain.org
Sep 05 13:49:47 imap-login: Debug: Ignoring unknown passdb extra field:
==> /var/log/dovecot.info <==
Sep 05 13:49:47 imap-login: Info: Disconnected (auth failed, 1
attempts in 6 secs): user=, method=PLAIN,
rip=192.168.1.100, lip=192.168.1.100, secured

On 2017-09-05 13:41, Aki Tuomi wrote:

No, you modify dovecot.conf

Aki

On 05.09.2017 14:40, Pol Hallen wrote: Do I modify
auth-system.conf.ext only (sorry for the question)

if yes, I've same problem

Pol

On 2017-09-05 13:34, Aki Tuomi wrote:

Try configuring like this:

passdb {
args = scheme=SHA256 username_format=%u /etc/dovecot/users
driver = passwd-file
}

passdb {
driver = static
args = username=%n noauthenticate
skip = authenticated
}

passdb {
driver = pam
skip = authenticated
}

On 05.09.2017 14:29, Pol Hallen wrote: Sure :) thanks

cat /var/log/dovecot/[...]

Sep 05 13:26:02 auth: Debug: auth client connected (pid=30131)
Sep 05 13:26:02 auth: Debug: client in: AUTH1   PLAIN
service=imapsecured session=JK0Bfm9YuqfAqAFk
lip=192.168.1.100   rip=192.168.1.100   lport=143
rport=42938   resp=AG1heEBmdWNrYXJvdW5kLm9yZwBQYW5kb3JhMjAwMA==
(previous base64 data may contain sensitive data)
Sep 05 13:26:02 auth-worker(30088): Debug:
pam(use...@realsystem.org,192.168.1.100,): lookup
service=username_format=user00
Sep 05 13:26:02 auth-worker(30088): Debug:
pam(use...@realsystem.org,192.168.1.100,): #1/1
style=1 msg=Password:
==> /var/log/dovecot.info <==
Sep 05 13:26:04 auth-worker(30088): Info:
pam(use...@realsystem.org,192.168.1.100,):
pam_authenticate() failed: Authentication failure (password mismatch?)
(given password: pass)
==> /var/log/dovecot.debug <==
Sep 05 13:26:04 auth: Debug:
passwd-file(use...@realsystem.org,192.168.1.100,):
lookup: user=use...@realsystem.org file=/etc/dovecot/users
==> /var/log/dovecot.info <==
Sep 05 13:26:04 auth: Info:
passwd-file(use...@realsystem.org,192.168.1.100

Re: pam authentication

2017-09-05 Thread Pol Hallen

How cl!!! Works! :-)))

Very very thanks for your help!!!

Pol :)


On 2017-09-05 13:54, Aki Tuomi wrote:

Sorry, small typo

passdb {
 driver = static
 args = user=%n noauthenticate
}

Aki


On 05.09.2017 14:51, Pol Hallen wrote:

does not work :-/

Sep 05 13:49:41 auth: Debug: auth client connected (pid=31115)
Sep 05 13:49:41 auth: Debug: client in: AUTH1   PLAIN
service=imapsecured session=IFCT0m9Y0KjAqAFk
lip=192.168.1.100   rip=192.168.1.100   lport=143
rport=43216
resp=AHBvbGhhbGxlbkBmdWNrYXJvdW5kLm9yZwBQYW5kb3JhMjAwMA== (previous
base64 data may contain sensitive data)
Sep 05 13:49:41 auth: Debug:
passwd-file(use...@realdomain.org,192.168.1.100,):
lookup: user=use...@realdomain.org file=/etc/dovecot/users
Sep 05 13:49:41 auth: Debug:
static(use...@realdomain.org,192.168.1.100,): lookup
Sep 05 13:49:41 auth: Debug:
static(use...@realdomain.org,192.168.1.100,):
Allowing any password
Sep 05 13:49:41 auth: Debug:
static(use...@realdomain.org,192.168.1.100,): Not
performing authentication (noauthenticate set)
==> /var/log/dovecot.info <==
Sep 05 13:49:41 auth: Info:
passwd-file(use...@realdomain.org,192.168.1.100,):
unknown user (given password: pass) - trying the next passdb
==> /var/log/dovecot.debug <==
Sep 05 13:49:41 auth-worker(31116): Debug: Loading modules from
directory: /usr/lib/dovecot/modules/auth
Sep 05 13:49:41 auth-worker(31116): Debug: passwd-file
/etc/dovecot/users: Read 4 users in 0 secs
Sep 05 13:49:41 auth-worker(31116): Debug:
pam(use...@realdomain.org,192.168.1.100,): lookup
service=dovecot
Sep 05 13:49:41 auth-worker(31116): Debug:
pam(use...@realdomain.org,192.168.1.100,): #1/1
style=1 msg=Password:
==> /var/log/dovecot.info <==
Sep 05 13:49:42 auth-worker(31116): Info:
pam(use...@realdomain.org,192.168.1.100,):
pam_authenticate() failed: Authentication failure (password mismatch?)
(given password: pass)
==> /var/log/dovecot.debug <==
Sep 05 13:49:42 auth-worker(31116): Debug:
pam(use...@realdomain.org,192.168.1.100,): lookup
service=dovecot
Sep 05 13:49:42 auth-worker(31116): Debug:
pam(use...@realdomain.org,192.168.1.100,): #1/1
style=1 msg=Password:
==> /var/log/dovecot.info <==
Sep 05 13:49:45 auth-worker(31116): Info:
pam(use...@realdomain.org,192.168.1.100,):
pam_authenticate() failed: Authentication failure (password mismatch?)
(given password: pass)
==> /var/log/dovecot.debug <==
Sep 05 13:49:45 auth: Debug:
passwd-file(use...@realdomain.org,192.168.1.100,):
lookup: user=use...@realdomain.org file=/etc/dovecot/users
==> /var/log/dovecot.info <==
Sep 05 13:49:45 auth: Info:
passwd-file(use...@realdomain.org,192.168.1.100,):
unknown user (given password: pass)
==> /var/log/dovecot.debug <==
Sep 05 13:49:47 auth: Debug: client passdb out: FAIL1
user=use...@realdomain.org
Sep 05 13:49:47 imap-login: Debug: Ignoring unknown passdb extra 
field:

==> /var/log/dovecot.info <==
Sep 05 13:49:47 imap-login: Info: Disconnected (auth failed, 1
attempts in 6 secs): user=, method=PLAIN,
rip=192.168.1.100, lip=192.168.1.100, secured



On 2017-09-05 13:41, Aki Tuomi wrote:


No, you modify dovecot.conf

Aki

On 05.09.2017 14:40, Pol Hallen wrote: Do I modify
auth-system.conf.ext only (sorry for the question)

if yes, I've same problem

Pol

On 2017-09-05 13:34, Aki Tuomi wrote:

Try configuring like this:

passdb {
args = scheme=SHA256 username_format=%u /etc/dovecot/users
driver = passwd-file
}

passdb {
driver = static
args = username=%n noauthenticate
skip = authenticated
}

passdb {
driver = pam
skip = authenticated
}

On 05.09.2017 14:29, Pol Hallen wrote: Sure :) thanks

cat /var/log/dovecot/[...]

Sep 05 13:26:02 auth: Debug: auth client connected (pid=30131)
Sep 05 13:26:02 auth: Debug: client in: AUTH1   PLAIN
service=imapsecured session=JK0Bfm9YuqfAqAFk
lip=192.168.1.100   rip=192.168.1.100   lport=143
rport=42938   resp=AG1heEBmdWNrYXJvdW5kLm9yZwBQYW5kb3JhMjAwMA==
(previous base64 data may contain sensitive data)
Sep 05 13:26:02 auth-worker(30088): Debug:
pam(use...@realsystem.org,192.168.1.100,): lookup
service=username_format=user00
Sep 05 13:26:02 auth-worker(30088): Debug:
pam(use...@realsystem.org,192.168.1.100,): #1/1
style=1 msg=Password:
==> /var/log/dovecot.info <==
Sep 05 13:26:04 auth-worker(30088): Info:
pam(use...@realsystem.org,192.168.1.100,):
pam_authenticate() failed: Authentication failure (password 
mismatch?)

(given password: pass)
==> /var/log/dovecot.debug <==
Sep 05 13:26:04 auth: Debug:
passwd-file(use...@realsystem.org,192.168.1.100,):
lookup: user=use...@realsystem.org file=/etc/dovecot/users
==> /var/log/dovecot.info <==
Sep 05 13:26:04 auth: Info:
passwd-file(use...@realsystem.org,192.168.1.100,):
unknown user (given password: pass)
==> /var/log/dovecot.debug <==
Sep 05 13:26:06 auth: Debug: client passdb out: FAIL1
user=use...@realsystem.org
==> /var/log/dovecot.info <==
Sep 05 13:26:06 imap-login: Info: Disconnected (auth failed, 1
attempts in 4 secs): user=, method=PLAIN,
rip=192.168.1.100, li

Re: pam authentication

2017-09-05 Thread Aki Tuomi
Sorry, small typo

passdb {
 driver = static
 args = user=%n noauthenticate
}

Aki


On 05.09.2017 14:51, Pol Hallen wrote:
> does not work :-/
>
> Sep 05 13:49:41 auth: Debug: auth client connected (pid=31115)
> Sep 05 13:49:41 auth: Debug: client in: AUTH1   PLAIN  
> service=imapsecured session=IFCT0m9Y0KjAqAFk   
> lip=192.168.1.100   rip=192.168.1.100   lport=143  
> rport=43216  
> resp=AHBvbGhhbGxlbkBmdWNrYXJvdW5kLm9yZwBQYW5kb3JhMjAwMA== (previous
> base64 data may contain sensitive data)
> Sep 05 13:49:41 auth: Debug:
> passwd-file(use...@realdomain.org,192.168.1.100,):
> lookup: user=use...@realdomain.org file=/etc/dovecot/users
> Sep 05 13:49:41 auth: Debug:
> static(use...@realdomain.org,192.168.1.100,): lookup
> Sep 05 13:49:41 auth: Debug:
> static(use...@realdomain.org,192.168.1.100,):
> Allowing any password
> Sep 05 13:49:41 auth: Debug:
> static(use...@realdomain.org,192.168.1.100,): Not
> performing authentication (noauthenticate set)
> ==> /var/log/dovecot.info <==
> Sep 05 13:49:41 auth: Info:
> passwd-file(use...@realdomain.org,192.168.1.100,):
> unknown user (given password: pass) - trying the next passdb
> ==> /var/log/dovecot.debug <==
> Sep 05 13:49:41 auth-worker(31116): Debug: Loading modules from
> directory: /usr/lib/dovecot/modules/auth
> Sep 05 13:49:41 auth-worker(31116): Debug: passwd-file
> /etc/dovecot/users: Read 4 users in 0 secs
> Sep 05 13:49:41 auth-worker(31116): Debug:
> pam(use...@realdomain.org,192.168.1.100,): lookup
> service=dovecot
> Sep 05 13:49:41 auth-worker(31116): Debug:
> pam(use...@realdomain.org,192.168.1.100,): #1/1
> style=1 msg=Password:
> ==> /var/log/dovecot.info <==
> Sep 05 13:49:42 auth-worker(31116): Info:
> pam(use...@realdomain.org,192.168.1.100,):
> pam_authenticate() failed: Authentication failure (password mismatch?)
> (given password: pass)
> ==> /var/log/dovecot.debug <==
> Sep 05 13:49:42 auth-worker(31116): Debug:
> pam(use...@realdomain.org,192.168.1.100,): lookup
> service=dovecot
> Sep 05 13:49:42 auth-worker(31116): Debug:
> pam(use...@realdomain.org,192.168.1.100,): #1/1
> style=1 msg=Password:
> ==> /var/log/dovecot.info <==
> Sep 05 13:49:45 auth-worker(31116): Info:
> pam(use...@realdomain.org,192.168.1.100,):
> pam_authenticate() failed: Authentication failure (password mismatch?)
> (given password: pass)
> ==> /var/log/dovecot.debug <==
> Sep 05 13:49:45 auth: Debug:
> passwd-file(use...@realdomain.org,192.168.1.100,):
> lookup: user=use...@realdomain.org file=/etc/dovecot/users
> ==> /var/log/dovecot.info <==
> Sep 05 13:49:45 auth: Info:
> passwd-file(use...@realdomain.org,192.168.1.100,):
> unknown user (given password: pass)
> ==> /var/log/dovecot.debug <==
> Sep 05 13:49:47 auth: Debug: client passdb out: FAIL1  
> user=use...@realdomain.org
> Sep 05 13:49:47 imap-login: Debug: Ignoring unknown passdb extra field:
> ==> /var/log/dovecot.info <==
> Sep 05 13:49:47 imap-login: Info: Disconnected (auth failed, 1
> attempts in 6 secs): user=, method=PLAIN,
> rip=192.168.1.100, lip=192.168.1.100, secured
>
>
>
> On 2017-09-05 13:41, Aki Tuomi wrote:
>
>> No, you modify dovecot.conf
>>
>> Aki
>>
>> On 05.09.2017 14:40, Pol Hallen wrote: Do I modify
>> auth-system.conf.ext only (sorry for the question)
>>
>> if yes, I've same problem
>>
>> Pol
>>
>> On 2017-09-05 13:34, Aki Tuomi wrote:
>>
>> Try configuring like this:
>>
>> passdb {
>> args = scheme=SHA256 username_format=%u /etc/dovecot/users
>> driver = passwd-file
>> }
>>
>> passdb {
>> driver = static
>> args = username=%n noauthenticate
>> skip = authenticated
>> }
>>
>> passdb {
>> driver = pam
>> skip = authenticated
>> }
>>
>> On 05.09.2017 14:29, Pol Hallen wrote: Sure :) thanks
>>
>> cat /var/log/dovecot/[...]
>>
>> Sep 05 13:26:02 auth: Debug: auth client connected (pid=30131)
>> Sep 05 13:26:02 auth: Debug: client in: AUTH1   PLAIN
>> service=imapsecured session=JK0Bfm9YuqfAqAFk
>> lip=192.168.1.100   rip=192.168.1.100   lport=143
>> rport=42938   resp=AG1heEBmdWNrYXJvdW5kLm9yZwBQYW5kb3JhMjAwMA==
>> (previous base64 data may contain sensitive data)
>> Sep 05 13:26:02 auth-worker(30088): Debug:
>> pam(use...@realsystem.org,192.168.1.100,): lookup
>> service=username_format=user00
>> Sep 05 13:26:02 auth-worker(30088): Debug:
>> pam(use...@realsystem.org,192.168.1.100,): #1/1
>> style=1 msg=Password:
>> ==> /var/log/dovecot.info <==
>> Sep 05 13:26:04 auth-worker(30088): Info:
>> pam(use...@realsystem.org,192.168.1.100,):
>> pam_authenticate() failed: Authentication failure (password mismatch?)
>> (given password: pass)
>> ==> /var/log/dovecot.debug <==
>> Sep 05 13:26:04 auth: Debug:
>> passwd-file(use...@realsystem.org,192.168.1.100,):
>> lookup: user=use...@realsystem.org file=/etc/dovecot/users
>> ==> /var/log/dovecot.info <==
>> Sep 05 13:26:04 auth: Info:
>> passwd-file(use...@realsystem.org,192.168.1.100,):
>> unknown user (given password: pass)
>> ==> /var/log/dovecot.debug <==
>> Sep 05 13:26:06 auth:

Re: pam authentication

2017-09-05 Thread Pol Hallen

does not work :-/

Sep 05 13:49:41 auth: Debug: auth client connected (pid=31115)
Sep 05 13:49:41 auth: Debug: client in: AUTH1   PLAIN   
service=imapsecured session=IFCT0m9Y0KjAqAFk
lip=192.168.1.100   rip=192.168.1.100   lport=143   
rport=43216   resp=AHBvbGhhbGxlbkBmdWNrYXJvdW5kLm9yZwBQYW5kb3JhMjAwMA== 
(previous base64 data may contain sensitive data)
Sep 05 13:49:41 auth: Debug: 
passwd-file(use...@realdomain.org,192.168.1.100,): 
lookup: user=use...@realdomain.org file=/etc/dovecot/users
Sep 05 13:49:41 auth: Debug: 
static(use...@realdomain.org,192.168.1.100,): lookup
Sep 05 13:49:41 auth: Debug: 
static(use...@realdomain.org,192.168.1.100,): Allowing 
any password
Sep 05 13:49:41 auth: Debug: 
static(use...@realdomain.org,192.168.1.100,): Not 
performing authentication (noauthenticate set)

==> /var/log/dovecot.info <==
Sep 05 13:49:41 auth: Info: 
passwd-file(use...@realdomain.org,192.168.1.100,): 
unknown user (given password: pass) - trying the next passdb

==> /var/log/dovecot.debug <==
Sep 05 13:49:41 auth-worker(31116): Debug: Loading modules from 
directory: /usr/lib/dovecot/modules/auth
Sep 05 13:49:41 auth-worker(31116): Debug: passwd-file 
/etc/dovecot/users: Read 4 users in 0 secs
Sep 05 13:49:41 auth-worker(31116): Debug: 
pam(use...@realdomain.org,192.168.1.100,): lookup 
service=dovecot
Sep 05 13:49:41 auth-worker(31116): Debug: 
pam(use...@realdomain.org,192.168.1.100,): #1/1 
style=1 msg=Password:

==> /var/log/dovecot.info <==
Sep 05 13:49:42 auth-worker(31116): Info: 
pam(use...@realdomain.org,192.168.1.100,): 
pam_authenticate() failed: Authentication failure (password mismatch?) 
(given password: pass)

==> /var/log/dovecot.debug <==
Sep 05 13:49:42 auth-worker(31116): Debug: 
pam(use...@realdomain.org,192.168.1.100,): lookup 
service=dovecot
Sep 05 13:49:42 auth-worker(31116): Debug: 
pam(use...@realdomain.org,192.168.1.100,): #1/1 
style=1 msg=Password:

==> /var/log/dovecot.info <==
Sep 05 13:49:45 auth-worker(31116): Info: 
pam(use...@realdomain.org,192.168.1.100,): 
pam_authenticate() failed: Authentication failure (password mismatch?) 
(given password: pass)

==> /var/log/dovecot.debug <==
Sep 05 13:49:45 auth: Debug: 
passwd-file(use...@realdomain.org,192.168.1.100,): 
lookup: user=use...@realdomain.org file=/etc/dovecot/users

==> /var/log/dovecot.info <==
Sep 05 13:49:45 auth: Info: 
passwd-file(use...@realdomain.org,192.168.1.100,): 
unknown user (given password: pass)

==> /var/log/dovecot.debug <==
Sep 05 13:49:47 auth: Debug: client passdb out: FAIL1   
user=use...@realdomain.org

Sep 05 13:49:47 imap-login: Debug: Ignoring unknown passdb extra field:
==> /var/log/dovecot.info <==
Sep 05 13:49:47 imap-login: Info: Disconnected (auth failed, 1 attempts 
in 6 secs): user=, method=PLAIN, 
rip=192.168.1.100, lip=192.168.1.100, secured




On 2017-09-05 13:41, Aki Tuomi wrote:


No, you modify dovecot.conf

Aki

On 05.09.2017 14:40, Pol Hallen wrote: Do I modify auth-system.conf.ext 
only (sorry for the question)


if yes, I've same problem

Pol

On 2017-09-05 13:34, Aki Tuomi wrote:

Try configuring like this:

passdb {
args = scheme=SHA256 username_format=%u /etc/dovecot/users
driver = passwd-file
}

passdb {
driver = static
args = username=%n noauthenticate
skip = authenticated
}

passdb {
driver = pam
skip = authenticated
}

On 05.09.2017 14:29, Pol Hallen wrote: Sure :) thanks

cat /var/log/dovecot/[...]

Sep 05 13:26:02 auth: Debug: auth client connected (pid=30131)
Sep 05 13:26:02 auth: Debug: client in: AUTH1   PLAIN
service=imapsecured session=JK0Bfm9YuqfAqAFk
lip=192.168.1.100   rip=192.168.1.100   lport=143
rport=42938   resp=AG1heEBmdWNrYXJvdW5kLm9yZwBQYW5kb3JhMjAwMA==
(previous base64 data may contain sensitive data)
Sep 05 13:26:02 auth-worker(30088): Debug:
pam(use...@realsystem.org,192.168.1.100,): lookup
service=username_format=user00
Sep 05 13:26:02 auth-worker(30088): Debug:
pam(use...@realsystem.org,192.168.1.100,): #1/1
style=1 msg=Password:
==> /var/log/dovecot.info <==
Sep 05 13:26:04 auth-worker(30088): Info:
pam(use...@realsystem.org,192.168.1.100,):
pam_authenticate() failed: Authentication failure (password mismatch?)
(given password: pass)
==> /var/log/dovecot.debug <==
Sep 05 13:26:04 auth: Debug:
passwd-file(use...@realsystem.org,192.168.1.100,):
lookup: user=use...@realsystem.org file=/etc/dovecot/users
==> /var/log/dovecot.info <==
Sep 05 13:26:04 auth: Info:
passwd-file(use...@realsystem.org,192.168.1.100,):
unknown user (given password: pass)
==> /var/log/dovecot.debug <==
Sep 05 13:26:06 auth: Debug: client passdb out: FAIL1
user=use...@realsystem.org
==> /var/log/dovecot.info <==
Sep 05 13:26:06 imap-login: Info: Disconnected (auth failed, 1
attempts in 4 secs): user=, method=PLAIN,
rip=192.168.1.100, lip=192.168.1.100, secured

doveconf -n

# 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 4.9.0-3-amd64 x86_64 Debian 9.1
au

Re: pam authentication

2017-09-05 Thread Aki Tuomi
No, you modify dovecot.conf

Aki


On 05.09.2017 14:40, Pol Hallen wrote:
> Do I modify auth-system.conf.ext only (sorry for the question) 
>
> if yes, I've same problem 
>
> Pol 
>
> On 2017-09-05 13:34, Aki Tuomi wrote:
>
>> Try configuring like this:
>>
>> passdb {
>> args = scheme=SHA256 username_format=%u /etc/dovecot/users
>> driver = passwd-file
>> }
>>
>> passdb {
>> driver = static
>> args = username=%n noauthenticate
>> skip = authenticated
>> }
>>
>> passdb {
>> driver = pam
>> skip = authenticated
>> }
>>
>> On 05.09.2017 14:29, Pol Hallen wrote: Sure :) thanks
>>
>> cat /var/log/dovecot/[...]
>>
>> Sep 05 13:26:02 auth: Debug: auth client connected (pid=30131)
>> Sep 05 13:26:02 auth: Debug: client in: AUTH1   PLAIN  
>> service=imapsecured session=JK0Bfm9YuqfAqAFk   
>> lip=192.168.1.100   rip=192.168.1.100   lport=143  
>> rport=42938   resp=AG1heEBmdWNrYXJvdW5kLm9yZwBQYW5kb3JhMjAwMA==
>> (previous base64 data may contain sensitive data)
>> Sep 05 13:26:02 auth-worker(30088): Debug:
>> pam(use...@realsystem.org,192.168.1.100,): lookup
>> service=username_format=user00
>> Sep 05 13:26:02 auth-worker(30088): Debug:
>> pam(use...@realsystem.org,192.168.1.100,): #1/1
>> style=1 msg=Password:
>> ==> /var/log/dovecot.info <==
>> Sep 05 13:26:04 auth-worker(30088): Info:
>> pam(use...@realsystem.org,192.168.1.100,):
>> pam_authenticate() failed: Authentication failure (password mismatch?)
>> (given password: pass)
>> ==> /var/log/dovecot.debug <==
>> Sep 05 13:26:04 auth: Debug:
>> passwd-file(use...@realsystem.org,192.168.1.100,):
>> lookup: user=use...@realsystem.org file=/etc/dovecot/users
>> ==> /var/log/dovecot.info <==
>> Sep 05 13:26:04 auth: Info:
>> passwd-file(use...@realsystem.org,192.168.1.100,):
>> unknown user (given password: pass)
>> ==> /var/log/dovecot.debug <==
>> Sep 05 13:26:06 auth: Debug: client passdb out: FAIL1  
>> user=use...@realsystem.org
>> ==> /var/log/dovecot.info <==
>> Sep 05 13:26:06 imap-login: Info: Disconnected (auth failed, 1
>> attempts in 4 secs): user=, method=PLAIN,
>> rip=192.168.1.100, lip=192.168.1.100, secured
>>
>> doveconf -n
>>
>> # 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
>> # Pigeonhole version 0.4.16 (fed8554)
>> # OS: Linux 4.9.0-3-amd64 x86_64 Debian 9.1
>> auth_debug = yes
>> auth_debug_passwords = yes
>> auth_mechanisms = login plain
>> auth_verbose = yes
>> auth_verbose_passwords = yes
>> debug_log_path = /var/log/dovecot.debug
>> disable_plaintext_auth = no
>> info_log_path = /var/log/dovecot.info
>> login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
>> mail_debug = yes
>> mail_home = /home/vmail/%d/%n/Maildir
>> mail_location = maildir:~/Maildir
>> mail_plugins = " quota quota"
>> managesieve_notify_capability = mailto
>> managesieve_sieve_capability = fileinto reject envelope
>> encoded-character vacation subaddress comparator-i;ascii-numeric
>> relational regex imap4flags copy include variables body enotify
>> environment mailbox date index ihave duplicate mime foreverypart
>> extracttext imapflags notify
>> namespace inbox {
>> inbox = yes
>> location =
>> mailbox Drafts {
>> special_use = \Drafts
>> }
>> mailbox Junk {
>> special_use = \Junk
>> }
>> mailbox Sent {
>> special_use = \Sent
>> }
>> mailbox "Sent Messages" {
>> special_use = \Sent
>> }
>> mailbox Trash {
>> special_use = \Trash
>> }
>> prefix =
>> subscriptions = yes
>> type = private
>> }
>> passdb {
>> args = username_format=%n
>> driver = pam
>> }
>> passdb {
>> args = scheme=SHA256 username_format=%u /etc/dovecot/users
>> driver = passwd-file
>> }
>> plugin {
>> mail_log_events = delete undelete expunge copy mailbox_delete
>> mailbox_rename append flag_change
>> mail_log_fields = uid box msgid size from subject vsize
>> quota = maildir:User quota
>> quota_rule = *:storage=1M
>> quota_rule2 = Junk:storage=+100M
>> quota_rule3 = SPAM:storage=+100M
>> quota_warning = storage=90%% quota-warning 90 %u
>> sieve = file:~/sieve;active=~/.dovecot.sieve
>> sieve_extensions = +notify +imapflags
>> }
>> protocols = " imap sieve pop3 sieve"
>> quota_full_tempfail = yes
>> service auth {
>> unix_listener /var/spool/postfix/private/auth {
>> group = postfix
>> mode = 0666
>> user = postfix
>> }
>> }
>> service imap-login {
>> inet_listener imap {
>> port = 143
>> }
>> inet_listener imaps {
>> port = 993
>> ssl = yes
>> }
>> }
>> service managesieve-login {
>> inet_listener sieve {
>> port = 4190
>> }
>> service_count = 1
>> vsz_limit = 64 M
>> }
>> service pop3-login {
>> inet_listener pop3 {
>> port = 110
>> }
>> inet_listener pop3s {
>> port = 995
>> ssl = yes
>> }
>> }
>> service quota-warning {
>> executable = script /root/bin/quota-warning.sh
>> unix_listener quota-warning {
>> mode = 0666
>> user = vmail
>> }
>> user = root
>> }
>> ssl_cert =
>> ssl_dh_parameters_length = 2048
>> ssl_key =  # hidden, use -P to show it
>> userdb {
>> driver = passwd
>> }
>> userdb {
>> args = scheme=SHA256 username_format=%u /etc/dov

Re: pam authentication

2017-09-05 Thread Pol Hallen
Do I modify auth-system.conf.ext only (sorry for the question) 

if yes, I've same problem 

Pol 

On 2017-09-05 13:34, Aki Tuomi wrote:

> Try configuring like this:
> 
> passdb {
> args = scheme=SHA256 username_format=%u /etc/dovecot/users
> driver = passwd-file
> }
> 
> passdb {
> driver = static
> args = username=%n noauthenticate
> skip = authenticated
> }
> 
> passdb {
> driver = pam
> skip = authenticated
> }
> 
> On 05.09.2017 14:29, Pol Hallen wrote: Sure :) thanks
> 
> cat /var/log/dovecot/[...]
> 
> Sep 05 13:26:02 auth: Debug: auth client connected (pid=30131)
> Sep 05 13:26:02 auth: Debug: client in: AUTH1   PLAIN  
> service=imapsecured session=JK0Bfm9YuqfAqAFk   
> lip=192.168.1.100   rip=192.168.1.100   lport=143  
> rport=42938   resp=AG1heEBmdWNrYXJvdW5kLm9yZwBQYW5kb3JhMjAwMA==
> (previous base64 data may contain sensitive data)
> Sep 05 13:26:02 auth-worker(30088): Debug:
> pam(use...@realsystem.org,192.168.1.100,): lookup
> service=username_format=user00
> Sep 05 13:26:02 auth-worker(30088): Debug:
> pam(use...@realsystem.org,192.168.1.100,): #1/1
> style=1 msg=Password:
> ==> /var/log/dovecot.info <==
> Sep 05 13:26:04 auth-worker(30088): Info:
> pam(use...@realsystem.org,192.168.1.100,):
> pam_authenticate() failed: Authentication failure (password mismatch?)
> (given password: pass)
> ==> /var/log/dovecot.debug <==
> Sep 05 13:26:04 auth: Debug:
> passwd-file(use...@realsystem.org,192.168.1.100,):
> lookup: user=use...@realsystem.org file=/etc/dovecot/users
> ==> /var/log/dovecot.info <==
> Sep 05 13:26:04 auth: Info:
> passwd-file(use...@realsystem.org,192.168.1.100,):
> unknown user (given password: pass)
> ==> /var/log/dovecot.debug <==
> Sep 05 13:26:06 auth: Debug: client passdb out: FAIL1  
> user=use...@realsystem.org
> ==> /var/log/dovecot.info <==
> Sep 05 13:26:06 imap-login: Info: Disconnected (auth failed, 1
> attempts in 4 secs): user=, method=PLAIN,
> rip=192.168.1.100, lip=192.168.1.100, secured
> 
> doveconf -n
> 
> # 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.16 (fed8554)
> # OS: Linux 4.9.0-3-amd64 x86_64 Debian 9.1
> auth_debug = yes
> auth_debug_passwords = yes
> auth_mechanisms = login plain
> auth_verbose = yes
> auth_verbose_passwords = yes
> debug_log_path = /var/log/dovecot.debug
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot.info
> login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
> mail_debug = yes
> mail_home = /home/vmail/%d/%n/Maildir
> mail_location = maildir:~/Maildir
> mail_plugins = " quota quota"
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope
> encoded-character vacation subaddress comparator-i;ascii-numeric
> relational regex imap4flags copy include variables body enotify
> environment mailbox date index ihave duplicate mime foreverypart
> extracttext imapflags notify
> namespace inbox {
> inbox = yes
> location =
> mailbox Drafts {
> special_use = \Drafts
> }
> mailbox Junk {
> special_use = \Junk
> }
> mailbox Sent {
> special_use = \Sent
> }
> mailbox "Sent Messages" {
> special_use = \Sent
> }
> mailbox Trash {
> special_use = \Trash
> }
> prefix =
> subscriptions = yes
> type = private
> }
> passdb {
> args = username_format=%n
> driver = pam
> }
> passdb {
> args = scheme=SHA256 username_format=%u /etc/dovecot/users
> driver = passwd-file
> }
> plugin {
> mail_log_events = delete undelete expunge copy mailbox_delete
> mailbox_rename append flag_change
> mail_log_fields = uid box msgid size from subject vsize
> quota = maildir:User quota
> quota_rule = *:storage=1M
> quota_rule2 = Junk:storage=+100M
> quota_rule3 = SPAM:storage=+100M
> quota_warning = storage=90%% quota-warning 90 %u
> sieve = file:~/sieve;active=~/.dovecot.sieve
> sieve_extensions = +notify +imapflags
> }
> protocols = " imap sieve pop3 sieve"
> quota_full_tempfail = yes
> service auth {
> unix_listener /var/spool/postfix/private/auth {
> group = postfix
> mode = 0666
> user = postfix
> }
> }
> service imap-login {
> inet_listener imap {
> port = 143
> }
> inet_listener imaps {
> port = 993
> ssl = yes
> }
> }
> service managesieve-login {
> inet_listener sieve {
> port = 4190
> }
> service_count = 1
> vsz_limit = 64 M
> }
> service pop3-login {
> inet_listener pop3 {
> port = 110
> }
> inet_listener pop3s {
> port = 995
> ssl = yes
> }
> }
> service quota-warning {
> executable = script /root/bin/quota-warning.sh
> unix_listener quota-warning {
> mode = 0666
> user = vmail
> }
> user = root
> }
> ssl_cert =
> ssl_dh_parameters_length = 2048
> ssl_key =  # hidden, use -P to show it
> userdb {
> driver = passwd
> }
> userdb {
> args = scheme=SHA256 username_format=%u /etc/dovecot/users
> driver = passwd-file
> }
> userdb {
> args = uid=vmail gid=vmail home=/home/vmail/%d/%n
> driver = static
> }
> verbose_proctitle = yes
> protocol lda {
> mail_plugins = " quota quota sieve quota"
> }
> protocol imap {
> mail_plugins = 

Re: pam authentication

2017-09-05 Thread Aki Tuomi
Try configuring like this:

passdb {
  args = scheme=SHA256 username_format=%u /etc/dovecot/users
  driver = passwd-file
}

passdb {
  driver = static
  args = username=%n noauthenticate
  skip = authenticated
}

passdb {
  driver = pam
  skip = authenticated
}

On 05.09.2017 14:29, Pol Hallen wrote:
> Sure :) thanks
>
> cat /var/log/dovecot/[...]
>
> Sep 05 13:26:02 auth: Debug: auth client connected (pid=30131)
> Sep 05 13:26:02 auth: Debug: client in: AUTH1   PLAIN  
> service=imapsecured session=JK0Bfm9YuqfAqAFk   
> lip=192.168.1.100   rip=192.168.1.100   lport=143  
> rport=42938   resp=AG1heEBmdWNrYXJvdW5kLm9yZwBQYW5kb3JhMjAwMA==
> (previous base64 data may contain sensitive data)
> Sep 05 13:26:02 auth-worker(30088): Debug:
> pam(use...@realsystem.org,192.168.1.100,): lookup
> service=username_format=user00
> Sep 05 13:26:02 auth-worker(30088): Debug:
> pam(use...@realsystem.org,192.168.1.100,): #1/1
> style=1 msg=Password:
> ==> /var/log/dovecot.info <==
> Sep 05 13:26:04 auth-worker(30088): Info:
> pam(use...@realsystem.org,192.168.1.100,):
> pam_authenticate() failed: Authentication failure (password mismatch?)
> (given password: pass)
> ==> /var/log/dovecot.debug <==
> Sep 05 13:26:04 auth: Debug:
> passwd-file(use...@realsystem.org,192.168.1.100,):
> lookup: user=use...@realsystem.org file=/etc/dovecot/users
> ==> /var/log/dovecot.info <==
> Sep 05 13:26:04 auth: Info:
> passwd-file(use...@realsystem.org,192.168.1.100,):
> unknown user (given password: pass)
> ==> /var/log/dovecot.debug <==
> Sep 05 13:26:06 auth: Debug: client passdb out: FAIL1  
> user=use...@realsystem.org
> ==> /var/log/dovecot.info <==
> Sep 05 13:26:06 imap-login: Info: Disconnected (auth failed, 1
> attempts in 4 secs): user=, method=PLAIN,
> rip=192.168.1.100, lip=192.168.1.100, secured
>
> doveconf -n
>
> # 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.16 (fed8554)
> # OS: Linux 4.9.0-3-amd64 x86_64 Debian 9.1
> auth_debug = yes
> auth_debug_passwords = yes
> auth_mechanisms = login plain
> auth_verbose = yes
> auth_verbose_passwords = yes
> debug_log_path = /var/log/dovecot.debug
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot.info
> login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
> mail_debug = yes
> mail_home = /home/vmail/%d/%n/Maildir
> mail_location = maildir:~/Maildir
> mail_plugins = " quota quota"
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope
> encoded-character vacation subaddress comparator-i;ascii-numeric
> relational regex imap4flags copy include variables body enotify
> environment mailbox date index ihave duplicate mime foreverypart
> extracttext imapflags notify
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
> special_use = \Drafts
>   }
>   mailbox Junk {
> special_use = \Junk
>   }
>   mailbox Sent {
> special_use = \Sent
>   }
>   mailbox "Sent Messages" {
> special_use = \Sent
>   }
>   mailbox Trash {
> special_use = \Trash
>   }
>   prefix =
>   subscriptions = yes
>   type = private
> }
> passdb {
>   args = username_format=%n
>   driver = pam
> }
> passdb {
>   args = scheme=SHA256 username_format=%u /etc/dovecot/users
>   driver = passwd-file
> }
> plugin {
>   mail_log_events = delete undelete expunge copy mailbox_delete
> mailbox_rename append flag_change
>   mail_log_fields = uid box msgid size from subject vsize
>   quota = maildir:User quota
>   quota_rule = *:storage=1M
>   quota_rule2 = Junk:storage=+100M
>   quota_rule3 = SPAM:storage=+100M
>   quota_warning = storage=90%% quota-warning 90 %u
>   sieve = file:~/sieve;active=~/.dovecot.sieve
>   sieve_extensions = +notify +imapflags
> }
> protocols = " imap sieve pop3 sieve"
> quota_full_tempfail = yes
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
> group = postfix
> mode = 0666
> user = postfix
>   }
> }
> service imap-login {
>   inet_listener imap {
> port = 143
>   }
>   inet_listener imaps {
> port = 993
> ssl = yes
>   }
> }
> service managesieve-login {
>   inet_listener sieve {
> port = 4190
>   }
>   service_count = 1
>   vsz_limit = 64 M
> }
> service pop3-login {
>   inet_listener pop3 {
> port = 110
>   }
>   inet_listener pop3s {
> port = 995
> ssl = yes
>   }
> }
> service quota-warning {
>   executable = script /root/bin/quota-warning.sh
>   unix_listener quota-warning {
> mode = 0666
> user = vmail
>   }
>   user = root
> }
> ssl_cert =
> ssl_dh_parameters_length = 2048
> ssl_key =  # hidden, use -P to show it
> userdb {
>   driver = passwd
> }
> userdb {
>   args = scheme=SHA256 username_format=%u /etc/dovecot/users
>   driver = passwd-file
> }
> userdb {
>   args = uid=vmail gid=vmail home=/home/vmail/%d/%n
>   driver = static
> }
> verbose_proctitle = yes
> protocol lda {
>   mail_plugins = " quota quota sieve quota"
> }
> protocol imap {
>   mail_

Re: pam authentication

2017-09-05 Thread Pol Hallen

Sure :) thanks

cat /var/log/dovecot/[...]

Sep 05 13:26:02 auth: Debug: auth client connected (pid=30131)
Sep 05 13:26:02 auth: Debug: client in: AUTH1   PLAIN   
service=imapsecured session=JK0Bfm9YuqfAqAFk
lip=192.168.1.100   rip=192.168.1.100   lport=143   
rport=42938   resp=AG1heEBmdWNrYXJvdW5kLm9yZwBQYW5kb3JhMjAwMA== 
(previous base64 data may contain sensitive data)
Sep 05 13:26:02 auth-worker(30088): Debug: 
pam(use...@realsystem.org,192.168.1.100,): lookup 
service=username_format=user00
Sep 05 13:26:02 auth-worker(30088): Debug: 
pam(use...@realsystem.org,192.168.1.100,): #1/1 
style=1 msg=Password:

==> /var/log/dovecot.info <==
Sep 05 13:26:04 auth-worker(30088): Info: 
pam(use...@realsystem.org,192.168.1.100,): 
pam_authenticate() failed: Authentication failure (password mismatch?) 
(given password: pass)

==> /var/log/dovecot.debug <==
Sep 05 13:26:04 auth: Debug: 
passwd-file(use...@realsystem.org,192.168.1.100,): 
lookup: user=use...@realsystem.org file=/etc/dovecot/users

==> /var/log/dovecot.info <==
Sep 05 13:26:04 auth: Info: 
passwd-file(use...@realsystem.org,192.168.1.100,): 
unknown user (given password: pass)

==> /var/log/dovecot.debug <==
Sep 05 13:26:06 auth: Debug: client passdb out: FAIL1   
user=use...@realsystem.org

==> /var/log/dovecot.info <==
Sep 05 13:26:06 imap-login: Info: Disconnected (auth failed, 1 attempts 
in 4 secs): user=, method=PLAIN, 
rip=192.168.1.100, lip=192.168.1.100, secured


doveconf -n

# 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 4.9.0-3-amd64 x86_64 Debian 9.1
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = login plain
auth_verbose = yes
auth_verbose_passwords = yes
debug_log_path = /var/log/dovecot.debug
disable_plaintext_auth = no
info_log_path = /var/log/dovecot.info
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
mail_debug = yes
mail_home = /home/vmail/%d/%n/Maildir
mail_location = maildir:~/Maildir
mail_plugins = " quota quota"
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope 
encoded-character vacation subaddress comparator-i;ascii-numeric 
relational regex imap4flags copy include variables body enotify 
environment mailbox date index ihave duplicate mime foreverypart 
extracttext imapflags notify

namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Sent {
special_use = \Sent
  }
  mailbox "Sent Messages" {
special_use = \Sent
  }
  mailbox Trash {
special_use = \Trash
  }
  prefix =
  subscriptions = yes
  type = private
}
passdb {
  args = username_format=%n
  driver = pam
}
passdb {
  args = scheme=SHA256 username_format=%u /etc/dovecot/users
  driver = passwd-file
}
plugin {
  mail_log_events = delete undelete expunge copy mailbox_delete 
mailbox_rename append flag_change

  mail_log_fields = uid box msgid size from subject vsize
  quota = maildir:User quota
  quota_rule = *:storage=1M
  quota_rule2 = Junk:storage=+100M
  quota_rule3 = SPAM:storage=+100M
  quota_warning = storage=90%% quota-warning 90 %u
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_extensions = +notify +imapflags
}
protocols = " imap sieve pop3 sieve"
quota_full_tempfail = yes
service auth {
  unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
  }
}
service imap-login {
  inet_listener imap {
port = 143
  }
  inet_listener imaps {
port = 993
ssl = yes
  }
}
service managesieve-login {
  inet_listener sieve {
port = 4190
  }
  service_count = 1
  vsz_limit = 64 M
}
service pop3-login {
  inet_listener pop3 {
port = 110
  }
  inet_listener pop3s {
port = 995
ssl = yes
  }
}
service quota-warning {
  executable = script /root/bin/quota-warning.sh
  unix_listener quota-warning {
mode = 0666
user = vmail
  }
  user = root
}
ssl_cert = 
Can you provide

doveconf -n  (with the new config)

enable auth_debug=yes, auth_verbose=yes and provide logs from
authentication attempt?

Aki

On 05.09.2017 13:37, Pol Hallen wrote: thanks Aki, but with all your 
advices I've same problem: in the logs

always I see the authentication with user and domain name, so dovecot
doesn't accept it

any idea?

thanks!

Pol

On 2017-09-05 10:58, Aki Tuomi wrote:

Oh right, you need to do it like this...

after the passwd-file drivers add

passdb {
driver = static
args = username=%n noauthenticate
}

Aki

On 05.09.2017 11:03, Pol Hallen wrote: Hello, thanks for your reply

I already tried with:

username_format=%n or auth_username_format=%n but I've same problem

Pol

passdb {
driver = pam
args = username_format=%n
}

also you probably want to consider using driver=passwd instead, if you
really don't need pam due to some special plugins.

Aki



--
Pol
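
The logs in the message above were written with auth_debug_passwords and auth_verbose_passwords enabled, so every resp= value is a base64 SASL PLAIN response holding the login name and password, and the "(given password: ...)" suffix repeats the password in clear. The script below is an added example (not part of the thread and not Dovecot code) that scrubs both from a log before it is shared and reports which password-logging settings are on in `doveconf -n` output; the function names, sample log lines, addresses and credentials are constructed for illustration.

```python
import base64
import binascii
import re

RESP_RE = re.compile(r"\bresp=(\S+)")
# Greedy to the last ')' on the line: a password may itself contain ')',
# and over-redacting is the safe direction.
GIVEN_RE = re.compile(r"\(given password: .*\)")
PW_SETTINGS = ("auth_debug_passwords", "auth_verbose_passwords")


def describe_plain(token):
    """Decode a SASL PLAIN response: [authzid] NUL authcid NUL passwd (RFC 4616).

    Returns (authzid, authcid, password_length) or None if the token is not
    valid base64 or does not have the three NUL-separated fields.
    The password itself is never returned.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    parts = raw.split(b"\0")
    if len(parts) != 3:
        return None
    authzid, authcid, passwd = parts
    return (authzid.decode("utf-8", "replace"),
            authcid.decode("utf-8", "replace"),
            len(passwd))


def redact(text):
    """Return (scrubbed_text, findings) for Dovecot auth log text."""
    findings = []

    def _resp(match):
        info = describe_plain(match.group(1))
        if info is None:
            findings.append("resp= token (not decodable as SASL PLAIN)")
        else:
            findings.append("resp= SASL PLAIN credentials for %s "
                            "(password of %d bytes)" % (info[1], info[2]))
        return "resp=<redacted>"

    def _given(match):
        findings.append("given password")
        return "(given password: <redacted>)"

    text = RESP_RE.sub(_resp, text)
    text = GIVEN_RE.sub(_given, text)
    return text, findings


def password_logging_settings(doveconf_text):
    """List password-logging settings that are not 'no' in doveconf -n output."""
    enabled = []
    for line in doveconf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in PW_SETTINGS and value.strip() != "no":
            enabled.append(key.strip())
    return enabled


# Constructed sample data (documentation addresses, made-up credentials).
SAMPLE_TOKEN = base64.b64encode(
    b"\0alice@example.org\0correct horse").decode("ascii")
SAMPLE_LOG = (
    "Sep 05 13:26:02 auth: Debug: client in: AUTH\t1\tPLAIN\tservice=imap\t"
    "secured\tlip=192.0.2.10\trip=192.0.2.20\tresp=" + SAMPLE_TOKEN +
    " (previous base64 data may contain sensitive data)\n"
    "Sep 05 13:26:04 auth-worker(30088): Info: "
    "pam(alice@example.org,192.0.2.20): pam_authenticate() failed: "
    "Authentication failure (password mismatch?) "
    "(given password: correct horse)\n"
    "Sep 05 13:26:04 auth: Info: passwd-file(alice@example.org,192.0.2.20): "
    "unknown user (given password: correct horse) - trying the next passdb\n"
)
SAMPLE_CONF = (
    "auth_debug = yes\n"
    "auth_debug_passwords = yes\n"
    "auth_verbose = yes\n"
    "auth_verbose_passwords = yes\n"
    "disable_plaintext_auth = no\n"
)

if __name__ == "__main__":
    clean, found = redact(SAMPLE_LOG)
    print(clean)
    for item in found:
        print("removed:", item)
    print("password logging enabled by:", password_logging_settings(SAMPLE_CONF))
```

Once the problem is diagnosed, setting both options back to `no` stops the passwords from being written to the log files in the first place.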


Re: pam authentication

2017-09-05 Thread Aki Tuomi
Can you provide

doveconf -n  (with the new config)

enable auth_debug=yes, auth_verbose=yes and provide logs from
authentication attempt?

Aki


On 05.09.2017 13:37, Pol Hallen wrote:
> thanks Aki, but with all your advices I've same problem: in the logs
> always I see the authentication with user and domain name, so dovecot
> doesn't accept it
>
> any idea?
>
> thanks!
>
> Pol
>
> On 2017-09-05 10:58, Aki Tuomi wrote:
>
>> Oh right, you need to do it like this...
>>
>> after the passwd-file drivers add
>>
>> passdb {
>> driver = static
>> args = username=%n noauthenticate
>> }
>>
>> Aki
>>
>> On 05.09.2017 11:03, Pol Hallen wrote: Hello, thanks for your reply
>>
>> I already tried with:
>>
>> username_format=%n or auth_username_format=%n but I've same problem
>>
>> Pol
>>
>> passdb {
>> driver = pam
>> args = username_format=%n
>> }
>>
>> also you probably want to consider using driver=passwd instead, if you
>> really don't need pam due to some special plugins.
>>
>> Aki
>
>


Re: pam authentication

2017-09-05 Thread Pol Hallen
thanks Aki, but with all your advices I've same problem: in the logs 
always I see the authentication with user and domain name, so dovecot 
doesn't accept it


any idea?

thanks!

Pol

On 2017-09-05 10:58, Aki Tuomi wrote:


Oh right, you need to do it like this...

after the passwd-file drivers add

passdb {
driver = static
args = username=%n noauthenticate
}

Aki

On 05.09.2017 11:03, Pol Hallen wrote: Hello, thanks for your reply

I already tried with:

username_format=%n or auth_username_format=%n but I've same problem

Pol

passdb {
driver = pam
args = username_format=%n
}

also you probably want to consider using driver=passwd instead, if you
really don't need pam due to some special plugins.

Aki



--
Pol


Re: pam authentication

2017-09-05 Thread Aki Tuomi
Oh right, you need to do it like this...

after the passwd-file drivers add

passdb {
  driver = static
  args = username=%n noauthenticate
}

Aki


On 05.09.2017 11:03, Pol Hallen wrote:
> Hello, thanks for your reply
>
> I already tried with:
>
> username_format=%n or auth_username_format=%n but I've same problem
>
> Pol
>
>> passdb {
>> driver = pam
>> args = username_format=%n
>> }
>>
>> also you probably want to consider using driver=passwd instead, if you
>> really don't need pam due to some special plugins.
>>
>> Aki
>
>


Re: pam authentication

2017-09-05 Thread Pol Hallen

Hello, thanks for your reply

I already tried with:

username_format=%n or auth_username_format=%n but I've same problem

Pol


passdb {
driver = pam
args = username_format=%n
}

also you probably want to consider using driver=passwd instead, if you
really don't need pam due to some special plugins.

Aki



--
Pol


Re: pam authentication

2017-09-05 Thread Aki Tuomi


On 05.09.2017 10:52, Pol Hallen wrote:
> Hello all
>
> I use debian 9 with dovecot 2.x: real system users and virtual users:
> almost all works perfectly ;)
>
> Virtual users can connect via imap and pop using name + domain name:
> use...@domain1.org, etc.
>
> pam (real system users) users can connect via imap and pop ONLY
> without domain name
>
> It's a problem with pam authentication because linux make users
> authentication with only username (and not with also domain name) but
> I'd like user full email like tes...@realdomain.org
>
> cat /etc/dovecot/conf.d/auth-passwdfile.conf.ext
>
> passdb {
>   driver = passwd-file
>   args = scheme=SHA256 username_format=%u /etc/dovecot/users
> }
>
> userdb {
>   driver = passwd-file
>   args = scheme=SHA256 username_format=%u /etc/dovecot/users
> }
>
> cat /etc/dovecot/conf.d/auth-system.conf.ext
>
> passdb {
>   driver = pam
> }
>
> userdb {
>   driver = passwd
> }
>

passdb {
  driver = pam
  args = username_format=%n
}

also you probably want to consider using driver=passwd instead, if you
really don't need pam due to some special plugins.

Aki


pam authentication

2017-09-05 Thread Pol Hallen

Hello all

I use debian 9 with dovecot 2.x: real system users and virtual users: 
almost all works perfectly ;)


Virtual users can connect via imap and pop using name + domain name: 
use...@domain1.org, etc.


pam (real system users) users can connect via imap and pop ONLY without 
domain name


It's a problem with pam authentication because linux make users 
authentication with only username (and not with also domain name) but 
I'd like user full email like tes...@realdomain.org


cat /etc/dovecot/conf.d/auth-passwdfile.conf.ext

passdb {
  driver = passwd-file
  args = scheme=SHA256 username_format=%u /etc/dovecot/users
}

userdb {
  driver = passwd-file
  args = scheme=SHA256 username_format=%u /etc/dovecot/users
}

cat /etc/dovecot/conf.d/auth-system.conf.ext

passdb {
  driver = pam
}

userdb {
  driver = passwd
}

inside /etc/dovecot/conf.d/10-auth.conf
[...]
#auth_username_format = %n

is commented because I've multiple domains

cat /var/log/dovecot.debug

Sep 05 01:49:51 auth: Debug: Read auth token secret from 
/var/run/dovecot/auth-token-secret.dat
Sep 05 01:49:51 auth: Debug: passwd-file /etc/dovecot/users: Read 4 
users in 0 secs

Sep 05 01:49:51 auth: Debug: auth client connected (pid=23412)
Sep 05 01:49:51 auth: Debug: client in: AUTH1   PLAIN   
service=imapsecured session=hjdhgfghhglip=192.168.1.100  
 rip=192.168.1.100   lport=143   rport=39356 
resp=hsdfhsfddfjk
jklsdfkljkdlskfljsdkjlfds== (previous base64 data may contain sensitive 
data)
Sep 05 01:49:51 auth-worker(23414): Debug: Loading modules from 
directory: /usr/lib/dovecot/modules/auth
Sep 05 01:49:51 auth-worker(23414): Debug: passwd-file 
/etc/dovecot/users: Read 4 users in 0 secs
Sep 05 01:49:51 auth-worker(23414): Debug: 
pam(t...@realdomain.org,192.168.1.100,): lookup 
service=dovecot
Sep 05 01:49:51 auth-worker(23414): Debug: 
pam(t...@realdomain.org,192.168.1.100,): #1/1 style=1 
msg=Password:
Sep 05 01:49:53 auth: Debug: 
passwd-file(t...@realdomain.org,192.168.1.100,): 
lookup: user=t...@realdomain.org file=/etc/dovecot/users
Sep 05 01:49:55 auth: Debug: client passdb out: FAIL1   
user=t...@realdomain.com
Sep 05 01:51:15 auth: Debug: Loading modules from directory: 
/usr/lib/dovecot/modules/auth
Sep 05 01:51:15 auth: Debug: Read auth token secret from 
/var/run/dovecot/auth-token-secret.dat
Sep 05 01:51:15 auth: Debug: passwd-file /etc/dovecot/users: Read 4 
users in 0 secs

Sep 05 01:51:15 auth: Debug: auth client connected (pid=23461)
Sep 05 01:51:26 auth: Debug: client in: AUTH1   PLAIN   
service=imapsecured session=ycnxyWVYQYokInmilip=192.168.0.2 
rip=36.34.121.162   lport=993   rport=35393

Sep 05 0

any idea?

thanks for help!

Pol
--
Pol


Re: Dovecot with pam authentication and user@domain

2016-02-08 Thread Christian Schneider
Sorry for bringing up this issue again, but I still have no solution.
Is the description of my problem unclear? I suppose this setup is not 
uncommon...
Greetings
Christian

On Samstag, 16. Januar 2016 00:51:27 CET Christian Schneider wrote:
> Hello all,
> I'm trying to setup dovecot for local users with pam authentication.
> The passdb and userdb entries are as follows:
> 
> passdb {
>   args = username_format=%n
>   driver = pam
> }
> userdb {
>   args = username_format=%n
>   driver = passwd
> }
> 
> Using "doveadm user chriss" returns the user record as expected, but
> "doveadm user chr...@testmail.ch-sc.de" gives an error:
> field   valueuserdb lookup: user chr...@testmail.ch-sc.de doesn't exist
> 
> As far as I understand, username_format=%n should drop the domain part and
> only search for the user in the userdb, but it doesn't. What am I missing?
> 
> Greetings
> Christian



Dovecot with pam authentication and user@domain

2016-01-15 Thread Christian Schneider
Hello all,
I'm trying to setup dovecot for local users with pam authentication.
The passdb and userdb entries are as follows:

passdb {
  args = username_format=%n
  driver = pam
}
userdb {
  args = username_format=%n
  driver = passwd
}

Using "doveadm user chriss" returns the user record as expected, but "doveadm 
user chr...@testmail.ch-sc.de" gives an error:
field   valueuserdb lookup: user chr...@testmail.ch-sc.de doesn't exist

As far as I understand, username_format=%n should drop the domain part and 
only search for the user in the userdb, but it doesn't. What am I missing?

Greetings
Christian





[Dovecot] Pam authentication failure message but it works

2013-06-14 Thread Wayne Andersen

I am running Centos 6.4 64bit.
Dovecot 2.0.9

I am getting the following messages in /var/log/secure, which looks like 
the pam authentication is not working but the users are allowed to login 
and the system works great.
I am wondering if pam is actually failing and yet the system is getting 
the login info from elsewhere, or is this just a nuisance message?


/var/log/secure
Jun 12 23:11:29 smtp auth: pam_unix(dovecot:auth): authentication 
failure; logname= uid=0 euid=0 tty=dovecot ruser=christineg 
rhost=65.13.54.123  user=christineg
Jun 12 23:11:45 smtp auth: pam_unix(dovecot:auth): authentication 
failure; logname= uid=0 euid=0 tty=dovecot ruser=susieg 
rhost=70.208.29.109  user=susieg
Jun 12 23:12:03 smtp auth: pam_unix(dovecot:auth): authentication 
failure; logname= uid=0 euid=0 tty=dovecot ruser=bobs 
rhost=70.59.189.210  user=bobs


In the debug log file I see what looks like a successful connection, but 
don't know how to read the two pam lines.


/var/log/dovecot.debug.log
Jun 12 23:11:29 auth: Debug: auth client connected (pid=10098)
Jun 12 23:11:29 auth: Debug: client in: AUTH1   PLAIN 
service=imaplip=206.169.228.24  rip=65.13.54.123 lport=143   
rport=54049 resp=AGNocmlzZwBjZzQ4MjU=
Jun 12 23:11:29 auth: Debug: pam(christineg,65.13.54.123): lookup 
service=dovecot
Jun 12 23:11:29 auth: Debug: pam(christineg,65.13.54.123): #1/1 style=1 
msg=Password:

Jun 12 23:11:29 auth: Debug: client out: OK 1 user=christineg
Jun 12 23:11:29 auth: Debug: master in: REQUEST 4079353857 10098   
1   0229474c9c1038e161328ecd28884af2

Jun 12 23:11:29 auth: Debug: passwd(christineg,65.13.54.123): lookup
Jun 12 23:11:29 auth: Debug: master out: USER   4079353857 christineg  
system_groups_user=christineg   uid=1116 gid=100 home=/home/christineg
Jun 12 23:11:29 imap(christineg): Debug: Effective uid=1116, gid=100, 
home=/home/christineg
Jun 12 23:11:29 imap(christineg): Debug: maildir++: 
root=/home/christineg/Maildir, index=, control=, 
inbox=/home/christineg/Maildir


Jun 12 23:11:44 auth: Debug: auth client connected (pid=10100)
Jun 12 23:11:45 auth: Debug: client in: AUTH1   PLAIN 
service=imaplip=206.169.228.24  rip=70.208.29.109 
lport=143   rport=14107

Jun 12 23:11:45 auth: Debug: client out: CONT   1
Jun 12 23:11:45 auth: Debug: client in: CONT1 
AHJpY2hhcmRnQGNsaW1hLXRlY2guY29tAHJnMzgyMg==
Jun 12 23:11:45 auth: Debug: pam(susieg,70.208.29.109): lookup 
service=dovecot
Jun 12 23:11:45 auth: Debug: pam(susieg,70.208.29.109): #1/1 style=1 
msg=Password:

Jun 12 23:11:45 auth: Debug: client out: OK 1   user=susieg
Jun 12 23:11:45 auth: Debug: master in: REQUEST 3368157185 10100   
1   5a8d4b15a417d0bc4d2f818c5a5710f0

Jun 12 23:11:45 auth: Debug: passwd(susieg,70.208.29.109): lookup
Jun 12 23:11:45 auth: Debug: master out: USER   3368157185 susieg
system_groups_user=susieg uid=1087gid=100 home=/home/susieg
Jun 12 23:11:45 imap(susieg): Debug: Effective uid=1087, gid=100, 
home=/home/susieg
Jun 12 23:11:45 imap(susieg): Debug: maildir++: 
root=/home/susieg/Maildir, index=, control=, inbox=/home/susieg/Maildir


Jun 12 23:12:03 auth: Debug: auth client connected (pid=10104)
Jun 12 23:12:03 auth: Debug: auth client connected (pid=10105)
Jun 12 23:12:03 auth: Debug: client in: AUTH1   PLAIN 
service=imaplip=206.169.228.24  rip=70.59.189.210 
lport=143   rport=38705

Jun 12 23:12:03 auth: Debug: client out: CONT   1
Jun 12 23:12:03 auth: Debug: client in: CONT1 
AGJyZW5kb25jQGNsaW1hLXRlY2guY29tAGJjMTU1NA==

Jun 12 23:12:03 auth: Debug: pam(bobs,70.59.189.210): lookup service=dovecot
Jun 12 23:12:03 auth: Debug: pam(bobs,70.59.189.210): #1/1 style=1 
msg=Password:

Jun 12 23:12:03 auth: Debug: client out: OK 1   user=bobs
Jun 12 23:12:03 auth: Debug: master in: REQUEST 709623809 10104   
1   0c261d849b956bf9cb5c0833b498bb97

Jun 12 23:12:03 auth: Debug: passwd(bobs,70.59.189.210): lookup
Jun 12 23:12:03 auth: Debug: master out: USER   709623809 bobs
system_groups_user=bobs uid=1188gid=100 home=/home/bobs
Jun 12 23:12:03 imap(bobs): Debug: Effective uid=1188, gid=100, 
home=/home/bobs
Jun 12 23:12:03 imap(bobs): Debug: maildir++: root=/home/bobs/Maildir, 
index=, control=, inbox=/home/bobs/Maildir



/etc/pam.d/dovecot
#%PAM-1.0
auth       required     pam_nologin.so
auth       include      password-auth
account    include      password-auth
session    include      password-auth

# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-279.22.1.el6.x86_64 x86_64 CentOS release 6.4 (Final)
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_username_format = %n
auth_verbose = yes
debug_log_path = /var/log/dovecot.debug.log
disable_plaintext_auth = no
hostname = mail.mydomain.com
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
mail_debug = yes
mail_location = maildir:~/Maildir
managesieve_notify_capability = mailto
managesieve_sieve_capab

Re: [Dovecot] Virtual Users, PAM authentication, MySql backend

2010-11-30 Thread Álvaro Leão
I agree with you... but it's my boss's order.. :(
and... he is the boss


Álvaro César Leão Teixeira


2010/11/30 Noel Butler 

> On Tue, 2010-11-30 at 14:13 -0200, Álvaro Leão wrote:
>
>
> > with this example, and the correct pam.d/dovecot (with the mysql access),
> > I'll just use the mysql to authenticate, using the pam module to access
> > the user/password, right?
>
>
> Why be concerned about needing to use PAM?
> It is evil, it is why some distros do not include/use it, you're better
> off using MySQL for all and be done with it, at least if something fails
> you don't have many places to look, only one.
>
>
>


Re: [Dovecot] Virtual Users, PAM authentication, MySql backend

2010-11-30 Thread Noel Butler
On Tue, 2010-11-30 at 14:13 -0200, Álvaro Leão wrote:


> with this example, and the correct pam.d/dovecot (with the mysql access),
> I'll just use the mysql to authenticate, using the pam module to access the
> user/password, right?


Why be concerned about needing to use PAM?
It is evil, it is why some distros do not include/use it, you're better
off using MySQL for all and be done with it, at least if something fails
you don't have many places to look, only one.






Re: [Dovecot] Virtual Users, PAM authentication, MySql backend

2010-11-30 Thread Álvaro Leão
Thanks again, Timo...

with this example, and the correct pam.d/dovecot (with the mysql access),
I'll just use the mysql to authenticate, using the pam module to access the
user/password, right?


Álvaro César Leão Teixeira


2010/11/30 Timo Sirainen 

> On 30.11.2010, at 12.30, Álvaro Leão wrote:
>
> > Can I use PAM authentication, which get the users data from an external
> > database (like mysql)? I've found many ways to do this stuff
> > disconnectedly (like pam authentication with passwd ), but can I put it
> > all together? I can't use the passwd...
>
> So I guess you mean something like (v1.x configuration):
>
> passdb pam {
> }
> userdb sql {
>  args = /etc/dovecot/dovecot-sql.conf
> }
>
>


Re: [Dovecot] Virtual Users, PAM authentication, MySql backend

2010-11-30 Thread Timo Sirainen
On 30.11.2010, at 12.30, Álvaro Leão wrote:

> Can I use PAM authentication, which get the users data from an external
> database (like mysql)? I've found many ways to do this stuff disconnectedly
> (like pam authentication with passwd ), but can I put it all together? I can't
> use the passwd...

So I guess you mean something like (v1.x configuration):

passdb pam {
}
userdb sql {
  args = /etc/dovecot/dovecot-sql.conf
}



[Dovecot] Virtual Users, PAM authentication, MySql backend

2010-11-30 Thread Álvaro Leão
Hi,

I'm sorry if this is a silly question, but I know that it is not possible in
Courier, so I need to check if I can do it with Dovecot.

Can I use PAM authentication, which get the users data from an external
database (like mysql)? I've found many ways to do this stuff disconnectedly
(like pam authentication with passwd ), but can I put it all together? I can't
use the passwd...

Thanks,


Álvaro


Re: [Dovecot] pam authentication error

2010-11-23 Thread Timo Sirainen
On Tue, 2010-11-23 at 15:58 +0100, Oliver Berse wrote:

> Nov 23 15:06:55 debian dovecot: auth(default): Fatal: Support not compiled
> in for passdb driver 'pam' 

You didn't have libpam0g-dev package installed when compiling Dovecot.




Re: [Dovecot] pam authentication error

2010-11-23 Thread Mohit Chawla
Hi,

On Tue, Nov 23, 2010 at 8:28 PM, Oliver Berse  wrote:

> Nov 23 15:06:55 debian dovecot: auth(default): Fatal: Support not compiled
> in for passdb driver 'pam'
>

Probably this  ^^ ?

Anyway, since you seem to be testing dovecot, why not use the debian package
instead ( you could probably use the one from backports if the one in lenny
is too old).


[Dovecot] pam authentication error

2010-11-23 Thread Oliver Berse
Hi all,

I compiled Dovecot 1.2.16 (on Debian 5/lenny) and followed the quick
configuration guide (wiki.dovecot.org/QuickConfiguration). I just need
plaintext authentication. After starting Dovecot I get "Last died with
error" and in var/log/mail.err:
Nov 23 15:06:55 debian dovecot: auth(default): Fatal: Support not compiled
in for passdb driver 'pam'
Nov 23 15:06:55 debian dovecot: dovecot: Fatal: Auth process died too
early - shutting down

In /etc/pam.d/dovecot:
auth    required        pam_unix.so
account required        pam_unix.so

In /usr/local/etc/dovecot.conf:
passdb pam {
args = *
}

So, what may be wrong with my configuration?
Oliver


Re: [Dovecot] PAM authentication fails

2010-08-29 Thread Egbert Jan van den Bussche

On 29-8-2010 20:51, Egbert Jan van den Bussche wrote:

Hi,

I'm fighting all weekend on with auth and pam to authenticate local
system users. testuser is such local user and is in passwd and shadow. I
want to have local system users (testuser is one of them) and virtual
users. The virtual part works fine but I cannot get the local user to
connect.
Still pam fails finding the user. The suggested password mismatch at the
end is, in my eyes, because there is no user in the first place. I
verified the password by interactive login to the account. The pam
module (dovecot) is just the default file with three @includes in it.

Syslog:
Aug 29 20:18:02 mail-dev dovecot: auth(default): client in:
AUTH#0112#011LOGIN#011service=imap#011lip=2a02:968:1:2:212:72:224:16#011rip=2001:888:1740:10:250:daff:fe41:4d1c#011lport=143#011rport=1093


Aug 29 20:18:02 mail-dev dovecot: auth(default): client out:
CONT#0112#011VXNlcm5hbWU6

Aug 29 20:18:02 mail-dev dovecot: auth(default): client in:
CONT#0112#011dGVzdHVzZXI=

Aug 29 20:18:02 mail-dev dovecot: auth(default): client out:
CONT#0112#011UGFzc3dvcmQ6

Aug 29 20:18:02 mail-dev dovecot: auth(default): client in:
CONT#0112#011dmF4dm1z

Aug 29 20:18:02 mail-dev dovecot: auth-worker(default):
pam(testuser,2001:888:1740:10:250:daff:fe41:4d1c): lookup service=dovecot

Aug 29 20:18:02 mail-dev dovecot: auth-worker(default):
pam(testuser,2001:888:1740:10:250:daff:fe41:4d1c): #1/1 style=1
msg=Password:

Aug 29 20:18:02 mail-dev dovecot: auth(default):
cache(testuser,2001:888:1740:10:250:daff:fe41:4d1c): miss

Aug 29 20:18:04 mail-dev dovecot: auth(default):
cache(testuser,2001:888:1740:10:250:daff:fe41:4d1c): hit:

Aug 29 20:18:04 mail-dev dovecot: auth(default):
cache(testuser,2001:888:1740:10:250:daff:fe41:4d1c): User unknown

Aug 29 20:18:04 mail-dev dovecot: auth-worker(default):
pam(testuser,2001:888:1740:10:250:daff:fe41:4d1c): pam_authenticate()
failed: Authentication failure (password mismatch?) (given password:
)

Aug 29 20:18:06 mail-dev dovecot: auth(default): client out:
FAIL#0112#011user=testuser


Relevant settings in dovecot:
r...@mail-dev:/etc/dovecot# dovecot -n
# 1.2.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-24-server x86_64 Ubuntu 10.04.1 LTS ext4
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imap pop3 imaps pop3s managesieve
listen: *, [::]
ssl_cert_file: /etc/ssl/certs/ssl-mail.pem
ssl_key_file: /etc/ssl/private/ssl-mail.key
ssl_cipher_list:
ALL:!LOW:!SSLv2:ALL:!aNULL:!ADH:!eNULL:!EXP:RC4+RSA:+HIGH:+MEDIUM
disable_plaintext_auth: no
verbose_ssl: yes
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
login_executable(managesieve): /usr/lib/dovecot/managesieve-login
mail_max_userip_connections(default): 10
mail_max_userip_connections(imap): 10
mail_max_userip_connections(pop3): 3
mail_max_userip_connections(managesieve): 10
mail_privileged_group: mail
mail_location: maildir:/home/vmail/%d/%n:INDEX=/home/vmail/%d/%n
mail_debug: yes
mbox_write_locks: fcntl dotlock
mail_executable(default): /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/imap
mail_executable(pop3): /usr/lib/dovecot/pop3
mail_executable(managesieve): /usr/lib/dovecot/managesieve
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
mail_plugin_dir(managesieve): /usr/lib/dovecot/modules/managesieve
imap_client_workarounds(default): outlook-idle delay-newmail
imap_client_workarounds(imap): outlook-idle delay-newmail
imap_client_workarounds(pop3):
imap_client_workarounds(managesieve):
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
pop3_client_workarounds(managesieve):
lda:
postmaster_address: postmaster
deliver_log_format: msgid=%m: %$
rejection_reason: Your message to <%t> was automatically rejected:%n%r
auth_socket_path: /var/run/dovecot/auth-master

auth default:
mechanisms: plain login
realms: kader.hcc.nl hobby.nl
cache_size: 1024
user: vmail
verbose: yes
debug: yes
debug_passwords: yes
passdb:
driver: pam
args: setcred=yes failure_show_msg=yes cache_key=%u dovecot
passdb:
driver: sql
args: /etc/dovecot/dovecot-sql.conf
userdb:
driver: passwd
userdb:
driver: sql
args: /etc/dovecot/dovecot-sql.conf
socket:
type: listen
client:
path: /var/spool/postfix/private/dovecot-auth
mode: 432
user: postfix
group: postfix
master:
path: /var/run/dovecot/auth-master
mode: 384
user: vmail
group: vmail

Where should I look further for this dovecot pam problem? Is there such
a thing as pam debugging?

TIA
Egbert Jan


Answering to myself:

Auth user needs to be root not vmail. Restrictions on shadow make it 
necessary to do the auth and read shadow


Also needed to add mail=maildir:~/Maildir in the userdb passwd to 
override the default setting for virtual users 
(/ho

[Dovecot] PAM authentication fails

2010-08-29 Thread Egbert Jan van den Bussche

Hi,

I'm fighting all weekend on with auth and pam to authenticate local 
system users. testuser is such local user and is in passwd and shadow. I 
want to have local system users (testuser is one of them) and virtual 
users. The virtual part works fine but I cannot get the local user to 
connect.
Still pam fails finding the user. The suggested password mismatch at the 
end is, in my eyes, because there is no user in the first place. I 
verified the password by interactive login to the account. The pam 
module (dovecot) is just the default file with three @includes in it.


Syslog:
Aug 29 20:18:02 mail-dev dovecot: auth(default): client in: 
AUTH#0112#011LOGIN#011service=imap#011lip=2a02:968:1:2:212:72:224:16#011rip=2001:888:1740:10:250:daff:fe41:4d1c#011lport=143#011rport=1093


Aug 29 20:18:02 mail-dev dovecot: auth(default): client out: 
CONT#0112#011VXNlcm5hbWU6


Aug 29 20:18:02 mail-dev dovecot: auth(default): client in: 
CONT#0112#011dGVzdHVzZXI=


Aug 29 20:18:02 mail-dev dovecot: auth(default): client out: 
CONT#0112#011UGFzc3dvcmQ6


Aug 29 20:18:02 mail-dev dovecot: auth(default): client in: 
CONT#0112#011dmF4dm1z


Aug 29 20:18:02 mail-dev dovecot: auth-worker(default): 
pam(testuser,2001:888:1740:10:250:daff:fe41:4d1c): lookup service=dovecot


Aug 29 20:18:02 mail-dev dovecot: auth-worker(default): 
pam(testuser,2001:888:1740:10:250:daff:fe41:4d1c): #1/1 style=1 
msg=Password:


Aug 29 20:18:02 mail-dev dovecot: auth(default): 
cache(testuser,2001:888:1740:10:250:daff:fe41:4d1c): miss


Aug 29 20:18:04 mail-dev dovecot: auth(default): 
cache(testuser,2001:888:1740:10:250:daff:fe41:4d1c): hit:


Aug 29 20:18:04 mail-dev dovecot: auth(default): 
cache(testuser,2001:888:1740:10:250:daff:fe41:4d1c): User unknown


Aug 29 20:18:04 mail-dev dovecot: auth-worker(default): 
pam(testuser,2001:888:1740:10:250:daff:fe41:4d1c): pam_authenticate() 
failed: Authentication failure (password mismatch?) (given password: 
)


Aug 29 20:18:06 mail-dev dovecot: auth(default): client out: 
FAIL#0112#011user=testuser



Relevant settings in dovecot:
r...@mail-dev:/etc/dovecot# dovecot -n
# 1.2.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-24-server x86_64 Ubuntu 10.04.1 LTS ext4
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imap pop3 imaps pop3s managesieve
listen: *, [::]
ssl_cert_file: /etc/ssl/certs/ssl-mail.pem
ssl_key_file: /etc/ssl/private/ssl-mail.key
ssl_cipher_list: 
ALL:!LOW:!SSLv2:ALL:!aNULL:!ADH:!eNULL:!EXP:RC4+RSA:+HIGH:+MEDIUM

disable_plaintext_auth: no
verbose_ssl: yes
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
login_executable(managesieve): /usr/lib/dovecot/managesieve-login
mail_max_userip_connections(default): 10
mail_max_userip_connections(imap): 10
mail_max_userip_connections(pop3): 3
mail_max_userip_connections(managesieve): 10
mail_privileged_group: mail
mail_location: maildir:/home/vmail/%d/%n:INDEX=/home/vmail/%d/%n
mail_debug: yes
mbox_write_locks: fcntl dotlock
mail_executable(default): /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/imap
mail_executable(pop3): /usr/lib/dovecot/pop3
mail_executable(managesieve): /usr/lib/dovecot/managesieve
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
mail_plugin_dir(managesieve): /usr/lib/dovecot/modules/managesieve
imap_client_workarounds(default): outlook-idle delay-newmail
imap_client_workarounds(imap): outlook-idle delay-newmail
imap_client_workarounds(pop3):
imap_client_workarounds(managesieve):
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
pop3_client_workarounds(managesieve):
lda:
  postmaster_address: postmaster
  deliver_log_format: msgid=%m: %$
  rejection_reason: Your message to <%t> was automatically rejected:%n%r
  auth_socket_path: /var/run/dovecot/auth-master

auth default:
  mechanisms: plain login
  realms: kader.hcc.nl hobby.nl
  cache_size: 1024
  user: vmail
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
driver: pam
args: setcred=yes failure_show_msg=yes cache_key=%u dovecot
  passdb:
driver: sql
args: /etc/dovecot/dovecot-sql.conf
  userdb:
driver: passwd
  userdb:
driver: sql
args: /etc/dovecot/dovecot-sql.conf
  socket:
type: listen
client:
  path: /var/spool/postfix/private/dovecot-auth
  mode: 432
  user: postfix
  group: postfix
master:
  path: /var/run/dovecot/auth-master
  mode: 384
  user: vmail
  group: vmail

Where should I look further for this dovecot pam problem? Is there such 
a thing as pam debugging?


TIA
Egbert Jan
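
Added example, not part of the original posts: this thread and the CentOS 6.4 thread above both paste auth logs taken with password debugging on (`debug_passwords: yes`, `auth_debug_passwords = yes`), so the base64 after `resp=` and `CONT` and the `given password:` field carry credentials. A redaction pass to run over such a log before sharing it; the function names and sample lines are constructed, and it assumes one log record per line.

```python
import base64
import re

SEP = r"(?:\t|#011| +)"        # raw tab, syslog-escaped tab, or collapsed spaces
B64 = r"[A-Za-z0-9+/]+={0,2}"
MARK = "<redacted>"

PATTERNS = [
    # SASL initial response on the AUTH line (PLAIN: authzid NUL user NUL password).
    re.compile(r"(\bresp=)" + B64),
    # Client continuation data (LOGIN sends user name and password this way).
    re.compile(r"(client in: CONT" + SEP + r"?\d+" + SEP + r")" + B64),
    # Cleartext echoed by the PAM passdb when password debugging is enabled.
    re.compile(r"(given password: )(?!<redacted>)[^)]+"),
]


def redact_line(line):
    """Return (redacted_line, number_of_secrets_replaced)."""
    hits = 0
    for pattern in PATTERNS:
        line, n = pattern.subn(r"\g<1>" + MARK, line)
        hits += n
    return line, hits


def redact_log(text):
    """Redact every line of a log; server prompts ('client out') are kept."""
    out, total = [], 0
    for line in text.splitlines(keepends=True):
        new_line, hits = redact_line(line)
        out.append(new_line)
        total += hits
    return "".join(out), total


def _b64(raw):
    return base64.b64encode(raw).decode()


# Constructed sample: one PLAIN login, one LOGIN continuation, one PAM failure.
SAMPLE = (
    "Jan 01 00:00:01 auth: Debug: client in: AUTH\t1\tPLAIN\tservice=imap"
    "\tlip=192.0.2.1\trip=198.51.100.7\tresp=" + _b64(b"\0alice\0example-pw") + "\n"
    "Jan 01 00:00:02 host dovecot: auth(default): client out: CONT#0112#011"
    + _b64(b"Password:") + "\n"
    "Jan 01 00:00:02 host dovecot: auth(default): client in: CONT#0112#011"
    + _b64(b"example-pw") + "\n"
    "Jan 01 00:00:03 host dovecot: auth-worker(default): pam(alice,198.51.100.7): "
    "pam_authenticate() failed: Authentication failure (password mismatch?) "
    "(given password: example-pw)\n"
    "Jan 01 00:00:04 auth: Debug: client out: OK\t1\tuser=alice\n"
)

if __name__ == "__main__":
    cleaned, count = redact_log(SAMPLE)
    print(cleaned, end="")
    print(f"{count} secret field(s) redacted")
```
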



Re: [Dovecot] PAM Authentication with OSX Snow Leopard

2009-08-29 Thread Nicola Tiling


I've copied /etc/pam.d/ftpd to /etc/pam.d/dovecot. This configuration  
works for OSX 10.6 with user passdb



auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so


On 29.08.2009 at 01:11, Nicola Tiling wrote:


Hi

Apple changed from Linux PAM to OpenPAM and the dovecot pam file  
(dovecot installed from macports) doesn't work anymore.


Installed pam modules are:

-r--r--r--1 root  wheel   76640 31 Jul 09:15 pam_env.so.2
-r--r--r--1 root  wheel   51024 31 Jul 09:15 pam_group.so.2
-r--r--r--1 root  wheel   99776 31 Jul 09:15 pam_krb5.so.2
-r--r--r--1 root  wheel   51552 31 Jul 09:15 pam_launchd.so.2
-r--r--r--1 root  wheel   68800 31 Jul 09:15 pam_mount.so.2
-r--r--r--1 root  wheel   50896 31 Jul 09:15 pam_nologin.so.2
-r--r--r--1 root  wheel   64272 31 Jul 09:15  
pam_opendirectory.so.2

-r--r--r--1 root  wheel   51008 31 Jul 09:15 pam_sacl.so.2
-r--r--r--1 root  wheel   50608 31 Jul 09:15 pam_self.so.2
-r--r--r--1 root  wheel   60448 31 Jul 09:15 pam_serialnumber.so.2
-r--r--r--1 root  wheel   50880 31 Jul 09:15 pam_uwtmp.so.2


Does anyone know how to get dovecot to work with these modules?

Nicola









[Dovecot] PAM Authentication with OSX Snow Leopard

2009-08-28 Thread Nicola Tiling

Hi

Apple changed from Linux PAM to OpenPAM and the dovecot pam file  
(dovecot installed from macports) doesn't work anymore.


Installed pam modules are:

-r--r--r--1 root  wheel   76640 31 Jul 09:15 pam_env.so.2
-r--r--r--1 root  wheel   51024 31 Jul 09:15 pam_group.so.2
-r--r--r--1 root  wheel   99776 31 Jul 09:15 pam_krb5.so.2
-r--r--r--1 root  wheel   51552 31 Jul 09:15 pam_launchd.so.2
-r--r--r--1 root  wheel   68800 31 Jul 09:15 pam_mount.so.2
-r--r--r--1 root  wheel   50896 31 Jul 09:15 pam_nologin.so.2
-r--r--r--1 root  wheel   64272 31 Jul 09:15 pam_opendirectory.so.2
-r--r--r--1 root  wheel   51008 31 Jul 09:15 pam_sacl.so.2
-r--r--r--1 root  wheel   50608 31 Jul 09:15 pam_self.so.2
-r--r--r--1 root  wheel   60448 31 Jul 09:15 pam_serialnumber.so.2
-r--r--r--1 root  wheel   50880 31 Jul 09:15 pam_uwtmp.so.2


Does anyone know how to get dovecot to work with these modules?

Nicola







Re: [Dovecot] PAM authentication problems

2008-10-07 Thread Tom Lobato
Timo Sirainen wrote:
> On Oct 5, 2008, at 12:37 AM, Timo Sirainen wrote:
>> On Oct 4, 2008, at 10:27 AM, Tom Lobato wrote:
>>> Oct  3 09:00:10 coan dovecot: auth(default):
>>> pam(rodrigo.botan,121.120.119.179): pipe() failed: Too many open files
>> Set this to non-zero:
>>
>> # Number of auth requests to handle before destroying the process.
>> This may
>> # be useful if PAM plugins leak memory.
>> #auth_worker_max_request_count = 0
> Oops, sorry, you're using v1.0.rc15 which doesn't have this setting.
> In that case I don't really know why it's failing. Look at
> /proc/`pidof dovecot-auth`/fd/. Where are all the file descriptors going?
>
> In any case I'd suggest upgrading to a newer version (from
> backports.org). That alone might fix the problem.

great!
I upgraded dovecot (with backports.org package) and now it works.
I don't know why it started to give such problems but the upgrade solved it.
thank you very much, Timo!


Tom Lobato





Re: [Dovecot] PAM authentication problems

2008-10-04 Thread Timo Sirainen

On Oct 5, 2008, at 12:37 AM, Timo Sirainen wrote:
> On Oct 4, 2008, at 10:27 AM, Tom Lobato wrote:
>> Oct  3 09:00:10 coan dovecot: auth(default):
>> pam(rodrigo.botan,121.120.119.179): pipe() failed: Too many open files
>
> Set this to non-zero:
>
> # Number of auth requests to handle before destroying the process. This may
> # be useful if PAM plugins leak memory.
> #auth_worker_max_request_count = 0

Oops, sorry, you're using v1.0.rc15 which doesn't have this setting.
In that case I don't really know why it's failing. Look at
/proc/`pidof dovecot-auth`/fd/. Where are all the file descriptors going?


In any case I'd suggest upgrading to a newer version (from  
backports.org). That alone might fix the problem.
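
Added example, not from the thread: one way to answer "where are all the file descriptors going?" on Linux is to group the symlink targets under /proc/<pid>/fd by kind and compare the total with the soft limit the running process actually has. The function names and the sample data in the test are constructed; the PID is passed on the command line.

```python
import os
import sys
from collections import Counter


def classify_fd_target(target):
    """Map a /proc/<pid>/fd symlink target to a coarse kind."""
    if target.endswith(" (deleted)"):
        return "deleted-file"
    if target.startswith("pipe:["):
        return "pipe"
    if target.startswith("socket:["):
        return "socket"
    if target.startswith("anon_inode:"):
        return "anon_inode"
    if target.startswith("/"):
        return "file"
    return "other"


def parse_soft_nofile(limits_text):
    """Extract the soft 'Max open files' value from /proc/<pid>/limits text."""
    for line in limits_text.splitlines():
        if line.startswith("Max open files"):
            soft = line.split()[3]
            return None if soft == "unlimited" else int(soft)
    return None


def summarize_fds(targets, soft_limit=None):
    """Count descriptors by kind and relate the total to the soft limit."""
    by_kind = Counter(classify_fd_target(t) for t in targets)
    total = sum(by_kind.values())
    return {
        "total": total,
        "by_kind": dict(by_kind),
        "soft_limit": soft_limit,
        # Usage is only meaningful when a finite limit is known.
        "usage": round(total / soft_limit, 2) if soft_limit else None,
        # The dominant kind is the first thing to chase when descriptors leak.
        "dominant": by_kind.most_common(1)[0][0] if by_kind else None,
    }


def inspect_pid(pid):
    """Read the live descriptor table and limit of a process (needs privileges)."""
    fd_dir = f"/proc/{pid}/fd"
    targets = []
    for name in os.listdir(fd_dir):
        try:
            targets.append(os.readlink(os.path.join(fd_dir, name)))
        except OSError:
            continue  # descriptor was closed between listdir() and readlink()
    try:
        with open(f"/proc/{pid}/limits") as fh:
            soft = parse_soft_nofile(fh.read())
    except OSError:
        soft = None  # older kernels do not expose /proc/<pid>/limits
    return summarize_fds(targets, soft)


if __name__ == "__main__":
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    print(inspect_pid(pid))
```

A pipe count that keeps growing between runs while logins stay steady matches the `pipe() failed: Too many open files` symptom in the original report.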






Re: [Dovecot] PAM authentication problems

2008-10-04 Thread Timo Sirainen

On Oct 4, 2008, at 10:27 AM, Tom Lobato wrote:
> Oct  3 09:00:10 coan dovecot: auth(default):
> pam(rodrigo.botan,121.120.119.179): pipe() failed: Too many open files

Set this to non-zero:

# Number of auth requests to handle before destroying the process. This may
# be useful if PAM plugins leak memory.
#auth_worker_max_request_count = 0





[Dovecot] PAM authentication problems

2008-10-04 Thread Tom Lobato

Hi all!
I'm using dovecot for a while with no problems.
Some days ago it started to delay the authentication until the timeout.

syslog...

Oct  3 09:00:10 coan dovecot: auth(default):
pam(rodrigo.botan,121.120.119.179): pipe() failed: Too many open files
Oct  3 09:00:11 coan dovecot: auth(default): pam(katia,121.120.200.97):
pipe() failed: Too many open files
Oct  3 09:00:11 coan dovecot: auth(default):
pam(andersoncampos,121.120.200.35): pipe() failed: Too many open files

Oct  3 08:25:55 coan dovecot: pop3-login: Disconnected: Inactivity:
method=PLAIN, rip=121.120.119.39, lip=121.120.119.251
Oct  3 08:25:58 coan dovecot: pop3-login: Disconnected: Inactivity:
method=PLAIN, rip=121.120.119.94, lip=121.120.119.251
Oct  3 08:26:01 coan dovecot: pop3-login: Disconnected: Inactivity:
method=PLAIN, rip=121.120.119.148, lip=121.120.119.251

After the commands

/etc/init.d/dovecot stop
killall -9 dovecot-auth
/etc/init.d/dovecot start

It comes back to work, then after some time, I need to restart again and
again...
I tried 'ulimit -n 5000' in /etc/init.d/dovecot, but the problem remains.

The problem is in the authentication backend, I guess.
I'm using PAM, so I left only one line in /etc/pam.d/dovecot:

auth    sufficient  pam_permit.so

and all worked fine. Of course, just for test, since this allows login
with any password.

My system:
Debian Etch 64bit
dovecot version: 1.0.rc15 (from etch repositories)
PAM lib version: 0.79-5 (from etch repositories)
The system has 200 users, with 30 logins per minute.
hardware: Intel(R) Xeon(R) CPU 3050  @ 2.13GHz, 2GB RAM.

If you have some pointer to the solution, it will be welcome.


Thank you,

Tom Lobato