EDIT
WTF?!!!!! Das Problem ist behoben. Der Fehler ist nicht so wirklich fassbar... Das Problem war, dass sowohl der Client als auch Dovecot mit den bestimmten Sonderzeichen nicht klar gekommen sind und diese falsch kodiert haben. So viel zur Sicherheit.... -.- Die Passwörter wurden vorher von mir schon abgetippt und es lag auch kein Encodingproblem beim Ändern des Passworts vor.
Moin,
ich habe am Montag aufgrund des Heatbleed-Bugs einige Systeme geupdated (Einzelne Pakete & OpenSSL) und auch ebenfalls überall neue Zertifikate, etc. erstellt. Dies verlief auf allen System bis auf einem auch alles reibungslos. Ich habe ebenfalls die Passwörter aller Benutzer gewechselt - die natürlich bereits ein Passwort haben, also keine User ein Passwort zugeteilt, welcher vorher keins hatte. Ich habe allerdings seit Montag das Problem, dass bei einem Sytem, auf dem ein eMailserver in der Kombi von Dovecot und Postfix läuft, nicht mehr funktioniert. Ich hatte die letzten Tage da schon ausgiebig im Internet gesucht und leider bislang noch gefunden. Das Problem ist nun, dass kein Login mehr möglich ist. Ich kann über Postfix auf der Kommandozeile und mit Hilfe von mailsutils noch eMails versenden, allerdings ist ein einloggen über Thunderbird bei Dovecot nicht mehr möglich. Der Fehler ist natürlich nicht das inkorrekte Passwort, dass habe ich 50 mal überprüft. Ich bin mit meinem Latein im wesentlich am Ende, obwohl ich mich jetzt nicht unbedingt als Anfänger bezeichnen würde. Evtl. ist das Problem so simpel, dass ich es nicht in betracht ziehe oder es ist so kaputt, dass nur noch eine System-Neuinstallation hilft. Also zumindestens nach meiner Einschätzung.
Da als Authentifizierung bei diesem System PAM bzw. die Linux-Nutzer genutzt werden habe ich das Passwort mit folgendem Befehl geändert:
root@HOST:~# passwd USER
Die Zertifikate für Dovecot und Postfix habe ich mit folgendem Befehl erstellt:
openssl req -x509 -out /etc/ssl/certs/NAME-cert.pem -newkey rsa:4096 -keyout /etc/ssl/private/NAME-key.pem -nodes -sha256 -days 3650
Dovecot -n
root@HOST:~# dovecot -n
# 2.0.19: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-23-virtual x86_64 Ubuntu 12.04.4 LTS
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
listen = *
mail_debug = yes
mail_location = maildir:~/Maildir
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
passdb {
driver = pam
}
plugin {
sieve = ~/.dovecot.sieve
sieve_dir = ~/sieve
}
protocols = imap sieve
service auth {
unix_listener /var/spool/postfix/private/dovecot-auth {
group = postfix
mode = 0660
user = postfix
}
}
ssl = required
ssl_cert = </etc/ssl/certs/dovecot-cert.pem
ssl_key = </etc/ssl/private/dovecot-key.pem
userdb {
driver = passwd
}
verbose_ssl = yes
protocol imap {
imap_client_workarounds = delay-newmail
mail_max_userip_connections = 50
}
protocol pop3 {
mail_max_userip_connections = 10
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
protocol lda {
deliver_log_format = msgid=%m: %$
mail_plugins = sieve
postmaster_address = postmaster@DOMAIN
quota_full_tempfail = yes
rejection_reason = Your message to <%t> was automatically rejected:%n%r
}mail.log
Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [12.345.678.910] Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [12.345.678.910] Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [12.345.678.910] Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A [12.345.678.910] Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [12.345.678.910] Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [12.345.678.910] Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [12.345.678.910] Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [12.345.678.910] Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [12.345.678.910] Apr 10 09:49:00 HOST dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth Apr 10 09:49:00 HOST dovecot: auth: Debug: auth client connected (pid=21546) Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [12.345.678.910] Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read certificate verify A [12.345.678.910] Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read finished A [12.345.678.910] Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [12.345.678.910] Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write finished A [12.345.678.910] Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [12.345.678.910] Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully [12.345.678.910] Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [12.345.678.910] Apr 10 09:49:04 HOST dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011lip=10.11.12.134#011rip=12.345.678.910#011lport=993#011rport=49211#011resp=AGlyaW5hADNYMS$ Apr 10 09:49:04 HOST dovecot: auth-worker: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth Apr 10 09:49:04 HOST dovecot: auth-worker: Debug: pam(USER,12.345.678.910): lookup service=dovecot Apr 10 09:49:04 HOST dovecot: auth-worker: Debug: pam(USER,12.345.678.910): #1/1 style=1 msg=Password: Apr 10 09:49:06 HOST dovecot: auth-worker: pam(USER,12.345.678.910): pam_authenticate() failed: Authentication failure (password mismatch?) (given password: PASSWORD) Apr 10 09:49:08 HOST dovecot: auth: Debug: client out: FAIL#0111#011user=USER Apr 10 09:49:08 HOST dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=256: warning close notify [12.345.678.910] Apr 10 09:49:08 HOST dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=256: warning close notify [12.345.678.910] Apr 10 09:49:08 HOST dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<USER>, method=PLAIN, rip=12.345.678.910, lip=10.11.12.134, TLS
mail.err
Apr 9 02:25:47 HOST dovecot: imap-login: Error: read(anvil) failed: EOF Apr 9 03:09:59 HOST dovecot: auth: Error: read(anvil-auth-penalty) failed: EOF Apr 9 03:09:59 HOST dovecot: auth: Error: net_connect_unix(anvil-auth-penalty) failed: Permission denied Apr 9 07:07:35 HOST dovecot: master: Fatal: Dovecot is already running with PID 2707 (read from /var/run/dovecot/master.pid) Apr 9 07:49:30 HOST dovecot: doveadm: Error: This is Dovecot's error log (1397022570) Apr 9 07:49:30 HOST dovecot: doveadm: Fatal: This is Dovecot's fatal log (1397022570) Apr 9 12:12:13 HOST postfix/smtpd[5462]: fatal: no SASL authentication mechanisms Apr 9 12:13:14 HOST postfix/smtpd[5473]: fatal: no SASL authentication mechanisms Apr 9 12:14:15 HOST postfix/smtpd[5494]: fatal: no SASL authentication mechanisms Apr 9 12:15:16 HOST postfix/smtpd[5660]: fatal: no SASL authentication mechanisms Apr 9 12:16:17 HOST postfix/smtpd[5684]: fatal: no SASL authentication mechanisms Apr 9 12:52:27 HOST dovecot: auth: Error: read(anvil-auth-penalty) failed: EOF Apr 9 12:52:27 HOST dovecot: auth: Error: net_connect_unix(anvil-auth-penalty) failed: Permission denied
main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/postfix-cert.pem
smtpd_tls_key_file = /etc/ssl/private/postfix-key.pem
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
#smtpd_tls_security_level = may
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = HOST
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = DOMAIN, localhost.de, mail.DOMAIN, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
#smtpd_tls_security_level = may
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = reject_unknown_sender_domain
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot.conf -m "${EXTENSION}"
#smtp_use_tls = yes
#smtp_tls_security_level = may
smtpd_tls_received_header = yes
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium
#smtpd_tls_auth_only = yes
tls_random_source = dev:/dev/urandom
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
virtual_alias_maps = hash:/etc/postfix/virtual
inet_protocols = all
message_size_limit = 204800master.cf
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - - - - smtpd
-o smtpd_enforce_tls=yes
#smtp inet n - - - 1 postscreen
#smtpd pass - - - - - smtpd
#dnsblog unix - - - - 0 dnsblog
#tlsproxy unix - - - - 0 tlsproxy
#submission inet n - - - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - - - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}Installierte Versionen:
root@HOST:/etc/dovecot/conf.d# dpkg -l | grep "dov" ii dovecot-core 1:2.0.19-0ubuntu2 secure mail server that supports mbox, maildir, dbox and mdbox mailboxes ii dovecot-imapd 1:2.0.19-0ubuntu2 secure IMAP server that supports mbox, maildir, dbox and mdbox mailboxes ii dovecot-managesieved 1:2.0.19-0ubuntu2 secure ManageSieve server for Dovecot ii dovecot-pop3d 1:2.0.19-0ubuntu2 secure POP3 server that supports mbox, maildir, dbox and mdbox mailboxes ii dovecot-postfix 1:2.0.19-0ubuntu2 mail server delivery agent stack provided by Ubuntu server team ii dovecot-sieve 1:2.0.19-0ubuntu2 sieve filters support for Dovecot root@HOST:/etc/dovecot/conf.d# dpkg -l | grep "postfix" ii dovecot-postfix 1:2.0.19-0ubuntu2 mail server delivery agent stack provided by Ubuntu server team ii postfix 2.9.6-1~12.04.1 High-performance mail transport agent
Hat irgendwer hierzu eine Idee?
Meine Vermutung bislang ist, dass die Authentifizierung von Dovecot zu PAM defekt ist, ich kann diese Vermutung, aber nicht weiter konkretisieren. Mehrere Neuinstallationen aller oben aufgezählten Pakete haben nichts gebracht. Mehrfache Konfigurationsänderungen haben ebenfalls nichts gebracht.
Gruß, trafex
Die Usernamen, IP-Adressen und HOST sind von mir ersetzt worden.