Dovecot authentication error

M

mroussin51

Greetings,

I have installed Dovecot from ports. I have configured it and I am able to access it using OpenSSL but the client is unable to connect. The clients I have tested are Thunderbird and Aquamail on an Android device. Neither connect; both have different errors in the maillog.

I am trying to authenticate on the IMAPS protocol. I will try to relay the changes I have made to dovecot.conf. So here goes

Code: 
protocols = imaps
auth_debug = yes
auth_debug_passwords = yes
passdb pam {
args = session=yes dovecot
}

I have created the /etc/pam.d/dovecot file as directed by the Dovecot documentation.

Code: 
auth    required        pam_unix.so nullok
account required        pam_unix.so

Finally here is my log when I attempt to connect from the Android device.

Code: 
Jul 20 17:52:19 mail dovecot: imap-login: Disconnected (no auth attempts): rip=192.168.1.1, lip=192.168.1.20, TLS: SSL_read() syscall failed: Connection reset by peer
Jul 20 17:52:19 mail dovecot: auth(default): client in: AUTH    1       PLAIN   service=imap    secured lip=192.168.1.20        rip=192.168.1.1 lport=993       rport=56819
Jul 20 17:52:19 mail dovecot: auth(default): client out: CONT   1
Jul 20 17:52:19 mail dovecot: auth(default): client in: CONT    1       xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx [obscured sensitive stuff -- mod]
Jul 20 17:52:19 mail dovecot: auth-worker(default): pam(me@mydomain.net,192.168.1.1): lookup service=dovecot
Jul 20 17:52:19 mail dovecot: auth-worker(default): pam(me@mydomain.net,192.168.1.1): #1/1 style=1 msg=Password:
Jul 20 17:52:19 mail dovecot: auth-worker(default): pam(me@mydomain.net,192.168.1.1): #1/1 style=3 msg=pam_unix: pam_sm_authenticate: UNIX authentication refused
Jul 20 17:52:19 mail dovecot: auth-worker(default):
Jul 20 17:52:19 mail dovecot: auth-worker(default): pam(me@mydomain.net,192.168.1.1): pam_authenticate() failed: authentication error (password mismatch?) (given password: mypasswd)
Jul 20 17:52:20 mail dovecot: auth(default): new auth connection: pid=1166
Jul 20 17:52:20 mail dovecot: auth(default): new auth connection: pid=1165
Jul 20 17:52:21 mail dovecot: auth(default): client out: FAIL   1       user=me@mydomain.net
Jul 20 17:52:22 mail sm-mta[1167]: r6KLqL2u001167: from=<me@mydomain.net>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MSA, relay=www.asusnetwork.net [192.168.1.1]
Jul 20 17:52:26 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<me@mydomain.net>, method=PLAIN, rip=192.168.1.1, lip=192.168.1.20, TLS

Here is what attempting to connect Thunderbird produces.

Code: 
Jul 20 18:01:01 mail sm-mta[1232]: r6KM11HS001232: www.asusnetwork.net [192.168.1.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Jul 20 18:01:01 mail sm-mta[1233]: r6KM11UR001233: www.asusnetwork.net [192.168.1.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Jul 20 18:01:01 mail sm-mta[1234]: r6KM11JZ001234: www.asusnetwork.net [192.168.1.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Jul 20 18:01:01 mail sm-mta[1235]: r6KM11KL001235: www.asusnetwork.net [192.168.1.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Jul 20 18:01:01 mail sm-mta[1237]: r6KM11V8001237: www.asusnetwork.net [192.168.1.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Jul 20 18:01:01 mail sm-mta[1236]: r6KM11qd001236: www.asusnetwork.net [192.168.1.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Jul 20 18:01:01 mail sm-mta[1238]: r6KM11Lw001238: www.asusnetwork.net [192.168.1.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Jul 20 18:01:01 mail sm-mta[1239]: r6KM11J1001239: www.asusnetwork.net [192.168.1.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Jul 20 18:01:02 mail sm-mta[1240]: r6KM12wd001240: www.asusnetwork.net [192.168.1.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Jul 20 18:01:02 mail sm-mta[1241]: r6KM120E001241: www.asusnetwork.net [192.168.1.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Jul 20 18:01:02 mail sm-mta[1242]: r6KM12Ep001242: www.asusnetwork.net [192.168.1.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Jul 20 18:01:02 mail sm-mta[1243]: r6KM12Zx001243: www.asusnetwork.net [192.168.1.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4

Thank you for taking the time to look at this. I appreciate your time and efforts.

Best regards,

Mike
 
I can connect to IMAP

For the record I am able to connect to the IMAP server using Mozilla. I believe that means that my PAM authentication is working properly but being a novice I am not sure.

I also noticed that my username is mike in the IMAP maillog output while my IMAPS username is my email address. I think that may be the problem but I don't know how to correct it.

Thank for reading this.

regards,

mroussin51
 
Ok, trying to get the complete picture here.

For starters: Which FreeBSD version are you using? Also; can we assume that you're using an up to date ports tree?

Ok; several issues come to mind. What strikes me as odd first is that you say that neither of your clients connect, yet the log you share shows us errors about a password mismatch. Better yet: that PAM authentication was refused.

I know I'm 'nitpicking' a bit here, but more than often the cause for problems such as these are in the details. Could you share the error message which you got on the client side?

Now, although I don't speak from personal experience I do think I can come up with one reason why your endeavour could have failed: /usr/local/etc/pam.d versus /etc/pam.d. For the record; I'm guessing here. But I could imagine that the directory in /etc has some safeguards.

I'd strongly suggest to keep system changes like these confined to /usr/local, it was designed for it. Not saying that moving that script fixes your problem, but I wouldn't be surprised if it did.

Finally; I'm also interested to learn which version of Thunderbird you're using.
 
The rest of the info I failed to report!

Thanks for your time and sharing your experience.

1. I am using FreeBSD 9.1.
2. My ports tree is up to date.
3. The Thunderbird is v 17.0.7.

Here is the Android Aquamail Client error:

Code: 
Incoming mail server (IMAP): Authentication error. NO Authentication failed. 

Please make sure the data is correct.

The Thunderbird mail client error is:

Code: 
Configuration could not be verified--is the username or password wrong?

It says my username is my email address.

I moved /etc/pam.d/dovecot to /usr/local/etc/pam.d/dovecot as advised but I am still not authenticating. My log is indicating that UNIX authentication refused and password mismatch. I am using my user account password. The one I use to login to my FreeBSD box everyday. To my untrained eye it appears that the client is trying to authenticate my email address and not my user name. My /var/log/maillog indicate that the user=me@mydomain.net. When I connect via IMAP the log says user=mike

Thanks for your assistance,

Mike
 
mroussin51 said:
...
Finally here is my log when I attempt to connect from the Android device.
Code: 
Jul 20 17:52:19 mail dovecot: imap-login: Disconnected (no auth attempts): rip=192.168.1.1, lip=192.168.1.20, TLS: SSL_read() syscall failed: Connection reset by peer
Jul 20 17:52:19 mail dovecot: auth(default): client in: AUTH    1       PLAIN   service=imap    secured lip=192.168.1.20        rip=192.168.1.1 lport=993       rport=56819
...
Click to expand...

This log tells us two things:
1. The client could not establish a TLS session and obviously fell back to a standard non-encrypted connection.
2. It continued using the PLAIN authentication mechanism.

However, the default setting of dovecot does not permit plaintext authentication (for obvious reasons) unless TLS/SSL is used.

You need to either fix the TLS setup, something may be wrong with the certificates, or you need to set disable_plaintext_auth = no in /usr/local/etc/dovecot/conf.d/10-auth.conf.

At the end of the day, you want to have some sort of encrypted password exchange. If you cannot establich TLS connections, you want to abandon PAM in favor of a SASL method - CRAM-MD5 seems to be a good choice.
 
Thank you rolfheinrich

This log tells us two things:
1. The client could not establish a TLS session and obviously fell back to a standard non-encrypted connection.
2. It continued using the PLAIN authentication mechanism.
Click to expand...

I was able to connect to IMAPS from the Evolution Mail Client that comes with Fedora. It complained that my SSL Certificate is not trusted and required a check in a box to allow it to connect. I signed my own certificate using the mkcert.sh script that comes with Dovecot.

I am going to get a trusted certificate and I think I will have better luck.

Thanks for helping me understand the maillog output.

regards,

Mike
 
Please take a peak at my log!

Greetings,

I think I have it Dovecot working with Evolution Mail. Here is /var/log/maillog.

Code: 
Jul 21 23:42:47 theroussins dovecot: auth(default): new auth connection: pid=1006
Jul 21 23:42:58 theroussins dovecot: auth(default): client in: AUTH     1       PLAIN   service=imap    secured lip=192.168.1.227       rip=192.168.1.177       lport=993       rport=57532     resp=xxxxxxxxxxxxxxxx [obscured sensitive stuff -- mod]
Jul 21 23:42:58 theroussins dovecot: auth-worker(default): pam(mike,192.168.1.177): lookup service=dovecot
Jul 21 23:42:58 theroussins dovecot: auth-worker(default): pam(mike,192.168.1.177): #1/1 style=1 msg=Password:
Jul 21 23:42:58 theroussins dovecot: auth(default): client out: OK      1       user=mike
Jul 21 23:42:58 theroussins dovecot: auth(default): master in: REQUEST  7       1002    1
Jul 21 23:42:58 theroussins dovecot: auth-worker(default): passwd(mike,192.168.1.177): lookup
Jul 21 23:42:58 theroussins dovecot: auth(default): master out: USER    7       mike    system_groups_user=mike uid=1001        gid=1001        home=/home/mike
Jul 21 23:42:58 theroussins dovecot: imap-login: Login: user=<mike>, method=PLAIN, rip=192.168.1.177, lip=192.168.1.227, TLS

Please let me know if it is insecure.

I am unable to connect using Mozilla Thunderbird's latest release. Here is the maillog.

Code: 
Jul 21 23:29:13 theroussins sm-mta[958]: r6M3TDfQ000958: www.asusnetwork.net [192.168.1.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Jul 21 23:29:13 theroussins sm-mta[960]: r6M3TDYs000960: www.asusnetwork.net [192.168.1.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Jul 21 23:29:13 theroussins sm-mta[959]: r6M3TDZU000959: www.asusnetwork.net [192.168.1.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Jul 21 23:29:13 theroussins sm-mta[961]: r6M3TDrr000961: www.asusnetwork.net [192.168.1.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Jul 21 23:29:14 theroussins sm-mta[962]: r6M3TExj000962: www.asusnetwork.net [192.168.1.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Jul 21 23:29:14 theroussins sm-mta[963]: r6M3TEDh000963: www.asusnetwork.net [192.168.1.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Jul 21 23:29:14 theroussins sm-mta[964]: r6M3TEhg000964: www.asusnetwork.net [192.168.1.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Jul 21 23:29:14 theroussins sm-mta[965]: r6M3TExX000965: www.asusnetwork.net [192.168.1.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Jul 21 23:29:14 theroussins sm-mta[966]: r6M3TEJA000966: www.asusnetwork.net [192.168.1.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Jul 21 23:29:14 theroussins sm-mta[967]: r6M3TESO000967: www.asusnetwork.net [192.168.1.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Jul 21 23:29:14 theroussins sm-mta[968]: r6M3TE93000968: www.asusnetwork.net [192.168.1.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Jul 21 23:29:14 theroussins sm-mta[969]: r6M3TEVd000969: www.asusnetwork.net [192.168.1.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4

I am behind an ASUS Router but I am using DMZ. I tested Thunderbird using the IMAP Protocol and connected just fine. I have searched for an answer to this but have come up null.

Thanks,

Mike
 
You must log in or register to reply here.
Back
Top