[Dovecot] dovecot imap permission denied

Daminto Lie dlie76 at yahoo.com.au
Thu Sep 1 09:07:57 EEST 2011


Thanks Timo for your reply.

It now works fine with Passdb LDAP with password lookups. Users can now login with no problem. 

However, when trying to do LDAP authentication with Authentication binds, I received the following errors from mail.log

Sep  1 15:34:22 server1 dovecot: auth(default): client in: AUTH#0111#011PLAIN#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=34719#011resp=AG1pa2VfbGVlAGRsaWUzMjA1
Sep  1 15:34:22 server1 dovecot: auth-worker(default): pam(mike_lee,127.0.0.1): lookup service=dovecot
Sep  1 15:34:22 server1 dovecot: auth-worker(default): pam(mike_lee,127.0.0.1): #1/1 style=1 msg=Password: 
Sep  1 15:34:22 server1 dovecot: auth(default): new auth connection: pid=1947
Sep  1 15:34:24 server1 dovecot: auth-worker(default): pam(mike_lee,127.0.0.1): pam_authenticate() failed: Authentication failure (password mismatch?) (given password: secrets)
Sep  1 15:34:24 server1 dovecot: auth(default): passwd(mike_lee,127.0.0.1): lookup
Sep  1 15:34:24 server1 dovecot: auth(default): passwd(mike_lee,127.0.0.1): unknown user
Sep  1 15:34:24 server1 dovecot: auth(default): ldap(mike_lee,127.0.0.1): invalid credentials (given password: secrets)
Sep  1 15:34:26 server1 dovecot: auth(default): client out: FAIL#0111#011user=mike_lee
Sep  1 15:34:31 server1 dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<mike_lee>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured

I do not understand why I am getting a pam() authentication issue when I deliberately chose not to use it.

The following is the setting I have in dovecot-ldap.conf

hosts = localhost
#uris = 
dn = uid=dovecot,ou=accounts,dc=companyexample,dc=com,dc=au 
dnpass = helloworld 

#sasl_bind = no
#sasl_mech =
#sasl_realm =
#sasl_authz_id =

#tls = no
#tls_ca_cert_file =
#tls_ca_cert_dir =
#tls_cert_file =
#tls_key_file =
#tls_cipher_suite =
#tls_require_cert =
#ldaprc_path =
#debug_level = 0

auth_bind = yes

auth_bind_userdn = cn=%u,ou=accounts,dc=companyexample,dc=com,dc=au

ldap_version = 3

base = ou=accounts,dc=companyexample,dc=com,dc=au

deref = never
scope = subtree

user_attrs = homeDirectory=home
user_filter = (&(objectClass=posixAccount)(uid=%u))

#pass_attrs = uid=user,userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%u))

default_pass_scheme = PLAIN


This is what I have in dovecot.conf

base_dir = /var/run/dovecot
protocols = imap

   protocol imap {
     listen = *:143
   }
#   protocol pop3 {
#     listen = *:10100
#     ..
#   }
#   protocol managesieve {
#     listen = *:12000
#     ..
#   }
#listen = *

disable_plaintext_auth = no
log_timestamp = "%Y-%m-%d %H:%M:%S "

#ssl_listen =
ssl = no
#ssl_cert_file = /etc/ssl/certs/dovecot.pem
#ssl_key_file = /etc/ssl/private/dovecot.pem
#ssl_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
#ssl_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
#ssl_key_password =
#ssl_ca_file = 
#ssl_verify_client_cert = no
#ssl_cert_username_field = commonName
#ssl_parameters_regenerate = 168
#ssl_cipher_list = ALL:!LOW:!SSLv2
#verbose_ssl = no

login_dir = /var/run/dovecot/login
login_chroot = yes
login_user = dovecot
#login_process_size = 64
#login_process_per_connection = yes
#login_processes_count = 3
#login_max_processes_count = 128
#login_max_connections = 256
#login_greeting = Dovecot ready.
#login_trusted_networks =
#login_log_format_elements = user=<%u> method=%m rip=%r lip=%l %c
#login_log_format = %$: %s

mail_location = maildir:/home/%u/Maildir 

mail_uid = 3000
mail_gid = 8

mail_privileged_group = mail
#mail_access_groups =
#mail_full_filesystem_access = no

#mail_debug = no
#mail_log_max_lines_per_sec = 10
#mmap_disable = no
#dotlock_use_excl = yes
#fsync_disable = no
#mail_nfs_index = no
#lock_method = fcntl
#mail_drop_priv_before_exec = no

verbose_proctitle = yes

first_valid_uid = 3000
last_valid_uid = 3000

first_valid_gid = 8
last_valid_gid = 8

#max_mail_processes = 512
#mail_process_size = 256
#mail_max_keyword_length = 50
#valid_chroot_dirs = 
#mail_chroot = 
#mail_cache_min_mail_count = 0

#mailbox_idle_check_interval = 30
mail_save_crlf = no

#maildir_stat_dirs = no
maildir_copy_with_hardlinks = yes

#maildir_copy_preserve_filename = no
#maildir_very_dirty_syncs = no

protocol imap {
  #login_executable = /usr/lib/dovecot/imap-login
  #mail_executable = /usr/lib/dovecot/imap
  #imap_max_line_length = 65536
  #mail_max_userip_connections = 10
  #mail_plugin_dir = /usr/lib/dovecot/modules/imap
  #imap_logout_format = bytes=%i/%o
  #imap_capability = 
  #imap_idle_notify_interval = 120
  #imap_id_send = 
  #imap_id_log =

  imap_client_workarounds = outlook-idle delay-newmail netscape-eoh tb-extra-mailbox-sep oe6-fetch-no-newmail
}

protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
}

protocol managesieve {
}

#auth_executable = /usr/lib/dovecot/dovecot-auth
#auth_process_size = 256
#auth_cache_size = 0
#auth_cache_ttl = 3600
#auth_cache_negative_ttl = 3600
#auth_realms =
#auth_default_realm = 
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
#auth_username_translation =
#auth_username_format =
#auth_master_user_separator =

#auth_anonymous_username = anonymous
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes
#auth_worker_max_count = 30
#auth_gssapi_hostname =
#auth_krb5_keytab = 
#auth_use_winbind = no
#auth_winbind_helper_path = /usr/bin/ntlm_auth
#auth_failure_delay = 2

auth default {
  mechanisms = plain

  passdb pam {
  }

  passdb passwd {
  }

  passdb ldap {
    args = /etc/dovecot/dovecot-ldap.conf
  }

  userdb passwd {
    args = /etc/dovecot/dovecot-ldap-userdb.conf 
  }

  userdb ldap {
    args = /etc/dovecot/dovecot-ldap.conf
  }

  user = root
  #user = dovecot-auth    

  #chroot = 
  #count = 1
  #ssl_require_client_cert = no
  #ssl_username_from_cert = no

  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
  !include_try /etc/dovecot/auth.d/*.auth
}

plugin {
}

# Config files can also be included. deliver doesn't support them currently.
#!include /etc/dovecot/conf.d/*.conf
# Optional configurations, don't give an error if it's not found:
!include_try /etc/dovecot/conf.d/*.conf
#!include_try /etc/dovecot/extra.conf


I wonder where I went wrong. I did not set up pam authentication.

Any help would be appreciated. Thank you.
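As an added illustration, not part of the original post, a small Python diagnostic for the situation above: it pulls from Dovecot 1.x auth_debug output the passdbs consulted for each user and their verdicts, lists the passdb blocks declared in the auth section (Dovecot tries them in declaration order and falls through to the next when one fails, which is how a pam lookup ends up in the log), and masks the fields that auth_debug_passwords = yes writes out in the clear. The log and config samples are constructed with placeholder secrets.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the auth_debug lines in the post; the SASL
# response and password are placeholders, not the values from the original log.
SAMPLE_LOG = """\
Sep  1 15:34:22 server1 dovecot: auth(default): client in: AUTH#0111#011PLAIN#011service=imap#011resp=UExBQ0VIT0xERVI=
Sep  1 15:34:22 server1 dovecot: auth-worker(default): pam(mike_lee,127.0.0.1): lookup service=dovecot
Sep  1 15:34:24 server1 dovecot: auth-worker(default): pam(mike_lee,127.0.0.1): pam_authenticate() failed: Authentication failure (password mismatch?) (given password: hunter2)
Sep  1 15:34:24 server1 dovecot: auth(default): passwd(mike_lee,127.0.0.1): unknown user
Sep  1 15:34:24 server1 dovecot: auth(default): ldap(mike_lee,127.0.0.1): invalid credentials (given password: hunter2)
"""

# Constructed auth section in the same shape as the dovecot.conf above.
SAMPLE_CONF = """\
auth default {
  mechanisms = plain
  passdb pam {
  }
  passdb passwd {
  }
  passdb ldap {
    args = /etc/dovecot/dovecot-ldap.conf
  }
}
"""

# Dovecot 1.x auth_debug formats: "<passdb>(<user>,<rip>): <msg>"; secrets follow "given password: " / "resp="
PASSDB_RE = re.compile(r"\b([a-z-]+)\(([^,()]+),[^)]*\): (.*)$")
PASSDB_BLOCK_RE = re.compile(r"^\s*passdb\s+(\S+)\s*\{", re.M)
SECRET_RE = re.compile(r"(given password: |resp=)[^\s)]+")


def passdb_chain(log_text):
    """Map each user to the passdbs consulted, in log order, with each verdict."""
    chain = defaultdict(list)
    for line in log_text.splitlines():
        m = PASSDB_RE.search(line)
        # Skip the per-passdb "lookup" lines and keep only the verdicts.
        if m and not m.group(3).startswith("lookup"):
            chain[m.group(2)].append((m.group(1), m.group(3)))
    return dict(chain)

def passdb_order(conf_text):
    """passdb drivers in declaration order, which is the order Dovecot tries them."""
    return PASSDB_BLOCK_RE.findall(conf_text)

def redact_secrets(log_text):
    """Mask the credential fields before a log excerpt is shared or stored."""
    return SECRET_RE.sub(r"\1<redacted>", log_text)
```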




________________________________
From: Timo Sirainen <tss at iki.fi>
To: Daminto Lie <dlie76 at yahoo.com.au>
Cc: "dovecot at dovecot.org" <dovecot at dovecot.org>
Sent: Wednesday, 31 August 2011 4:52 PM
Subject: Re: [Dovecot] dovecot imap permission denied

On 31.8.2011, at 9.47, Daminto Lie wrote:

> Thanks a lot Timo,
> 
> Creating directories for new users is not an issue. It's the permission that gives me a headache.

The error message you showed said that the user's home directory didn't exist, and the permission problem came only because it didn't exist and Dovecot tried to create it.

> I tried the following
> 
> sudo chmod o-r /home/$USER
> sudo chmod g+rw /home/$USER
> 
> It did not work until I did chmod 777 /home.

Right, because only then did it have enough permissions to create the home dir.

> Is it safe to make home directory with permission 777?

No.
