4

I'm installing dovecot onto a Virtualbox VM running Ubuntu Server 64-bit 14.04 guest. Dovecot itself is being installed into a Docker container (I'm not sure that that's relevant here, but am noting it just in case). I'm having trouble getting dovecot to allow me to log in via telnet to test user authentication using a passwd file.

Dovecot itself seems to have installed fine. I've started it up with `sudo dovecot`, and am now trying to test it following the wiki guide at http://wiki2.dovecot.org/TestInstallation.

Within the container, I enter `telnet localhost 143`. Dovecot connects fine with `* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot (Ubuntu) ready.`. I then enter `a login "test" "test"`, but get the following output: `a NO [AUTHENTICATIONFAILED] Authentication failed.`

I've confirmed that this command works on an existing (working) Ubuntu 12.04 dovecot server, with a similar passwd file at /etc/dovecot/users.

The /etc/dovecot/users file contains the following line:

```
test:{SHA512-CRYPT}$6$PHmKiepXqf1vbk7u$.ruON3KVGW7LfuqxAFKG3kG5O0s3tocK5jpbaMH2Qh9scnjj.RENQ230ulYXgp9SEaZbJjFlD9HJdA6o4wVIJ1::::/home/dovecot-user/Maildir/test
```

The user here is called "test" with password "test".

The dovecot logfile contains this:

```
Aug 04 08:49:18 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Aug 04 08:49:18 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Aug 04 08:49:18 auth: Error: passwd-file: open(/etc/dovecot/users) failed: Permission denied (euid=102(dovecot) egid=106(dovecot) missing +x perm: /etc/dovecot, UNIX perms appear ok (ACL/MAC wrong?))
Aug 04 08:49:18 auth: Error: passwd-file: open(/etc/dovecot/users) failed: Permission denied (euid=102(dovecot) egid=106(dovecot) missing +x perm: /etc/dovecot, UNIX perms appear ok (ACL/MAC wrong?))
Aug 04 08:49:23 auth: Error: passwd-file(test,::1,<4V3V0Mn/5QAAAAAAAAAAAAAAAAAAAAAB>): stat(/etc/dovecot/users) failed: Permission denied (euid=102(dovecot) egid=106(dovecot) missing +x perm: /etc/dovecot, UNIX perms appear ok (ACL/MAC wrong?))
Aug 04 08:49:26 imap-login: Info: Disconnected: Too many invalid commands (auth failed, 1 attempts in 3 secs): user=<test>, method=PLAIN, rip=::1, lip=::1, secured, session=<4V3V0Mn/5QAAAAAAAAAAAAAAAAAAAAAB>
```

I've not found any solutions to this problem, including changing the permissions on the files in /etc/dovecot/ and /home/dovecot-user/Maildir/ to be as lenient as possible, and chowning the files to dovecot:dovecot, root:root, and dovecot-user:dovecot-user. The current file permissions are as follows:

ls -lR /etc/dovecot:

```
/etc/dovecot/dovecot:
-rwxrwx--- 1 dovecot dovecot  116 Aug  3 20:07 README
drwxrwx--- 2 dovecot dovecot 4096 Aug  4 08:45 conf.d
-rwxrwx--- 1 dovecot dovecot  410 Aug  3 20:07 dovecot-db.conf.ext
-rwxrwx--- 1 dovecot dovecot  782 Aug  3 20:07 dovecot-dict-sql.conf.ext
-rwxrwx--- 1 dovecot dovecot 5348 Aug  3 20:07 dovecot-sql.conf.ext
-rwxrwx--- 1 dovecot dovecot 3794 Aug  3 20:07 dovecot.conf
-rwxrwx--- 1 dovecot dovecot 3795 Aug  3 20:07 dovecot.conf.factory_settings
-rw-r--r-- 1 dovecot dovecot 1314 Aug  3 22:02 dovecot.pem
drwx------ 2 dovecot dovecot 4096 Aug  4 03:53 private
-rwxr-xr-x 1 dovecot dovecot  357 Aug  4 08:23 users

/etc/dovecot/conf.d:
total 108
-rwxrwx--- 1 dovecot dovecot  5258 Aug  3 20:07 10-auth.conf
-rwxrwx--- 1 dovecot dovecot  1691 Aug  3 20:07 10-director.conf
-rwxrwx--- 1 dovecot dovecot  2650 Aug  4 03:50 10-logging.conf
-rwxrwx--- 1 dovecot dovecot 14476 Aug  3 20:07 10-mail.conf
-rwxrwx--- 1 dovecot dovecot  2920 Aug  3 20:07 10-master.conf
-rwxrwx--- 1 dovecot dovecot  1654 Aug  3 20:07 10-ssl.conf
-rwxrwx--- 1 dovecot dovecot  1654 Aug  3 20:07 10-ssl.conf.save
-rw-r--r-- 1 dovecot dovecot   291 May 14 18:11 10-tcpwrapper.conf
-rwxrwx--- 1 dovecot dovecot  1607 Aug  3 20:07 15-lda.conf
-rw-r--r-- 1 dovecot dovecot  1137 May 14 18:11 15-mailboxes.conf
-rwxrwx--- 1 dovecot dovecot  2402 Aug  3 20:07 20-imap.conf
-rw-r--r-- 1 dovecot dovecot  4007 May 14 18:11 20-pop3.conf
-rwxrwx--- 1 dovecot dovecot   676 Aug  3 20:07 90-acl.conf
-rwxrwx--- 1 dovecot dovecot   292 Aug  3 20:07 90-plugin.conf
-rwxrwx--- 1 dovecot dovecot  2251 Aug  3 20:07 90-quota.conf
-rw-r--r-- 1 dovecot dovecot   499 May 14 18:11 auth-checkpassword.conf.ext
-rwxrwx--- 1 dovecot dovecot   486 Aug  3 20:07 auth-deny.conf.ext
-rwxrwx--- 1 dovecot dovecot   558 Aug  3 20:07 auth-master.conf.ext
-rwxrwx--- 1 dovecot dovecot   329 Aug  4 03:45 auth-passwdfile.conf.ext
-rw-r--r-- 1 dovecot dovecot   788 May 14 18:11 auth-sql.conf.ext
-rwxrwx--- 1 dovecot dovecot   608 Aug  3 20:07 auth-static.conf.ext
-rwxrwx--- 1 dovecot dovecot  2106 Aug  3 20:07 auth-system.conf.ext
-rwxrwx--- 1 dovecot dovecot   327 Aug  3 20:07 auth-vpopmail.conf.ext
```

ls -lR /home/dovecot-user/Maildir/:

```
/home/dovecot-user/Maildir/:
total 4
drwx------ 10 dovecot-user dovecot-user 4096 Aug  4 03:45 test

/home/dovecot-user/Maildir/test:
total 12
drwx------ 2 dovecot-user dovecot-user 4096 Aug  4 03:45 cur
drwx------ 2 dovecot-user dovecot-user 4096 Aug  4 03:45 new
drwx------ 2 dovecot-user dovecot-user 4096 Aug  4 03:45 tmp
```

Output from dovecot -n:

```
# 2.2.9: /etc/dovecot/dovecot.conf
doveconf: Error: setmntent(/etc/mtab) failed: No such file or directory
# OS: Linux 3.13.0-32-generic x86_64 Ubuntu 14.04.1 LTS
first_valid_uid = 8
last_valid_uid = 1001
log_path = /testout
mail_gid = 1000
mail_location = maildir:/home/dovecot-user/Maildir/%u
mail_privileged_group = mail
mail_uid = 1000
namespace {
  inbox = yes
  location = 
  prefix = 
  separator = /
  type = private
}
namespace inbox {
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
passdb {
  args = scheme=CRYPT username_format=%u /etc/dovecot/users
  driver = passwd-file
}
protocols = " imap pop3"
ssl = required
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  args = username_format=%u /etc/dovecot/users
  driver = passwd-file
}
verbose_ssl = yes
```

I'm not sure whether this is a file permissions problem, or an apparmor or selinux problem, and how to go about doing debugging and fixing it. I've seen almost a dozen forum posts on this from the last few years, but no well-documented fixes. Thus, I think that this problem is not unique to me, and am hoping to get some help here, where it will be well-documented for the future.

sebix
J L
  • To confirm, neither `chmod +x /etc/dovecot` nor `chmod --recursive +x /etc/dovecot` make a difference in the output above (including the '`Permission denied (euid=102(dovecot) egid=106(dovecot) missing +x perm: /etc/dovecot, UNIX perms appear ok (ACL/MAC wrong?)`' message). I also ran `doveadm reload` after making the `chmod` changes, to no avail. – J L Aug 04 '14 at 09:27
  • Indeed it looks like an AppArmor issue (I don't think SELinux is installed on Ubuntu)... I have no clue on how to fix this (reading AppArmor's documentation should be a good start, and I'm pretty sure you'll find a ready-to-use policy file for Dovecot that sets the correct permissions, maybe you have it already and it's just not enabled?) but you can try disabling AppArmor temporarily to see if your actual Dovecot config is working. –  Aug 04 '14 at 09:31

2 Answers

1

I'm not sure whether this was indeed an AppArmor issue (following @André-Daniel's comment above), since turning off / uninstalling AppArmor didn't help with the error messages. For the record, though, I've found one way to solve the problem. The fix involved several components:

  1. Making sure that a valid uid and gid (e.g., of the user in whose home directory the Maildir directory is stored) are set in `/etc/dovecot/conf.d/10-mail.conf`
  2. Making sure that all files in the Maildir directory are owned by that uid and gid (`chown --recursive $(id -u):$(id -g) /home/username/Maildir`)
  3. Storing the users/password file outside of `/etc/dovecot`, where the user from (1) above could have access to it. Once I had done this, and chowned as in (2) above, I started getting a separate error message in the dovecot log, about duplicate namespaces.
  4. I solved the error from (3) above following https://workaround.org/comment/3326#comment-3326, which recommends adding `inbox = yes` to the `namespace inbox {...` section of `/etc/dovecot/conf.d/15-mailboxes.conf`, and commenting out the entire namespace section in `/etc/dovecot/conf.d/10-mail.conf`
J L
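The question's log reports `missing +x perm: /etc/dovecot` for euid 102 / egid 106, and the answer above moves the users file to a path that account can reach. As an added example (not code from either answer or from Dovecot), the Python below walks a path and names the first component a given uid/gid cannot pass on classic mode bits. The names `first_blocked` and `demo` and the demo tree are hypothetical; ACLs and AppArmor/SELinux are not evaluated, so a `None` result alongside a continuing denial points at those layers.

```python
import os
import tempfile

def first_blocked(path, uid, gids, start="/"):
    """Return (component, missing) for the first path component that the
    identity uid/gids cannot pass on mode bits alone, else None.
    `missing` is "x" (directory search) or "r" (read on the final file).
    `start` is assumed reachable already and is not checked itself."""
    if uid == 0:
        return None  # root (with CAP_DAC_OVERRIDE) bypasses mode bits
    start = os.path.abspath(start)
    parts = os.path.relpath(os.path.abspath(path), start).split(os.sep)
    current = start
    for i, part in enumerate(parts):
        current = os.path.join(current, part)
        st = os.stat(current)  # run as root so every component can be inspected
        # The kernel consults exactly one triplet: owner, else group, else other.
        if st.st_uid == uid:
            shift = 6
        elif st.st_gid in gids:
            shift = 3
        else:
            shift = 0
        bits = (st.st_mode >> shift) & 0o7
        need, mask = ("r", 0o4) if i == len(parts) - 1 else ("x", 0o1)
        if not bits & mask:
            return current, need
    return None

def demo():
    """Constructed tree: a 0750 directory holding a world-readable file,
    checked for an unrelated account (ids are made up, not from a real host)."""
    stranger_uid, stranger_gid = os.getuid() + 4242, os.getgid() + 4242
    with tempfile.TemporaryDirectory() as top:
        confdir = os.path.join(top, "dovecot")
        users = os.path.join(confdir, "users")
        os.mkdir(confdir)
        open(users, "w").close()
        os.chmod(users, 0o755)
        os.chmod(confdir, 0o750)   # file is readable, but the directory is closed
        before = first_blocked(users, stranger_uid, {stranger_gid}, start=top)
        os.chmod(confdir, 0o751)   # grant search (+x) to "other"
        after = first_blocked(users, stranger_uid, {stranger_gid}, start=top)
    return before, after

if __name__ == "__main__":
    print(demo())
```

On a real host the call would take the ids from the log line, for example `first_blocked("/etc/dovecot/users", 102, {106})`, run as root.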
0

In my case I solved the following errors:

```
Mar  7 22:55:01 servername dovecot: pop3-login: Error: auth: connect(login) in directory / failed: Permission denied (euid=996(<unknown>) egid=995(<unknown>) missing +w perm: //login, dir owned by 0:995 mode=0750)
Mar  7 22:55:03 servername dovecot: pop3-login: Error: auth: connect(login) in directory / failed: Permission denied (euid=996(<unknown>) egid=995(<unknown>) missing +w perm: //login, dir owned by 0:995 mode=0750)
Mar  7 22:55:06 servername dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=12.12.123.123, lip=12.12.123.124, session=<vzAfW30twwDVf4d6>
Mar  7 22:55:11 servername dovecot: pop3-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<8Z5uW30tLgB/AAAB>
Mar  7 22:55:13 servername dovecot: pop3-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=12.12.123.123, lip=12.12.123.124, session=<B9+JW30tAgBRBHv8>
```

By running:

```
setfacl -k /var/run/dovecot/login
```
BVB Media