I am configuring a new mail server on RHEL 5 x64. I have configured dovecot as follows:

...
protocols = imaps
...
ssl_cert_file = /etc/pki/dovecot/certs/mailserver.cer
ssl_key_file = /etc/pki/dovecot/private/mailserver.pem
...
login_process_size = 64
...
mail_location = maildir:~/Maildir
...
passdb pam {
  args = "session=yes cache_key=%u%s dovecot"
}
...

I'm getting the following error messages in /var/log/maillog:

Aug 5 20:57:45 [hostname] dovecot: imap-login: Aborted login: rip=::ffff:128.8.244.15, lip=::ffff:[server], TLS
Aug 5 21:01:34 [hostname] dovecot: imap-login: Aborted login: user=<[me]>, method=PLAIN, rip=::ffff:[server], lip=::ffff:[server], TLS

I'm getting the following messages in /var/log/audit/audit.log:

type=USER_AUTH msg=audit(1217984152.016:347): user pid=7669 uid=0 auid=10243 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct="[me]" : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:[client], addr=::ffff:[client], terminal=dovecot res=success)'
type=USER_ACCT msg=audit(1217984152.017:348): user pid=7669 uid=0 auid=10243 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: accounting acct="[me]" : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:[client], addr=::ffff:[client], terminal=dovecot res=success)'
type=USER_START msg=audit(1217984152.017:349): user pid=7669 uid=0 auid=10243 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: session open acct="[me]" : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:[client], addr=::ffff:[client], terminal=dovecot res=failed)'

I find the message in the audit.log interesting because I configured the connection with SSL not TLS, but if I use TLS the result is the same.

On Aug 6, 2008, at 2:03 PM, Sean Smitz wrote:

> I am configuring a new mail server on RHEL 5 x64. I have configured
> dovecot as follows:
> ...
> protocols = imaps
> ...
> ssl_cert_file = /etc/pki/dovecot/certs/mailserver.cer
> ssl_key_file = /etc/pki/dovecot/private/mailserver.pem
> ...
> login_process_size = 64
> ...
> mail_location = maildir:~/Maildir
> ...
> passdb pam {
>   args = "session=yes cache_key=%u%s dovecot"
> }
> ...
>
> I'm getting the following error messages in /var/log/maillog:
> Aug 5 20:57:45 [hostname] dovecot: imap-login: Aborted login:
> rip=::ffff:128.8.244.15, lip=::ffff:[server], TLS
> Aug 5 21:01:34 [hostname] dovecot: imap-login: Aborted login:
> user=<[me]>, method=PLAIN, rip=::ffff:[server], lip=::ffff:[server],
> TLS

You could see if auth_debug=yes shows more. Although debugging PAM problems is annoying because PAM's logging is so bad.

> I find the message in the audit.log interesting because I configured
> the connection with SSL not TLS, but if I use TLS the result is the
> same.

I think you're confusing SSL and TLS with imaps port and STARTTLS command (and so do many client UIs..). You're going to be using TLS connections in any case.

I was able to connect to the mail server with a MUA (Thunderbird) via SSL prior to attempting to set up the session and Maildir options.

/var/log/audit/audit.log

type=USER_AUTH msg=audit(1217992493.198:389): user pid=8022 uid=0 auid=10243 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct="[me]" : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:[client], addr=::ffff:[client], terminal=dovecot res=success)'
type=USER_ACCT msg=audit(1217992493.199:390): user pid=8022 uid=0 auid=10243 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: accounting acct="[me]" : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:[client], addr=::ffff:[client], terminal=dovecot res=success)'
type=USER_START msg=audit(1217992493.199:391): user pid=8022 uid=0 auid=10243 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: session open acct="[me]" : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:[client], addr=::ffff:[client], terminal=dovecot res=failed)'

/var/log/maillog

Aug 5 23:14:37 mailserv1 dovecot: Dovecot v1.0.7 starting up
Aug 5 23:14:38 mailserv1 dovecot: auth(default): new auth connection: pid=8014
Aug 5 23:14:38 mailserv1 dovecot: auth(default): new auth connection: pid=8013
Aug 5 23:14:38 mailserv1 dovecot: auth(default): new auth connection: pid=8015
Aug 5 23:14:46 mailserv1 dovecot: auth(default): new auth connection: pid=8016
Aug 5 23:14:52 mailserv1 dovecot: auth(default): client in: AUTH 1 PLAIN service=IMAP secured lip=::ffff:[server] rip=::ffff:[client]
Aug 5 23:14:52 mailserv1 dovecot: auth(default): client out: CONT 1
Aug 5 23:14:52 mailserv1 dovecot: auth(default): client in: CONT<hidden>
Aug 5 23:14:52 mailserv1 dovecot: auth(default): pam([me],::ffff:[client]): lookup service=dovecot
Aug 5 23:14:52 mailserv1 dovecot: auth(default): pam([me],::ffff:[client]): pam_open_session() failed: Cannot make/remove an entry for the specified session
Aug 5 23:14:53 mailserv1 dovecot: auth(default): client out: FAIL 1 user=[me]
Aug 5 23:14:53 mailserv1 dovecot: auth(default): client in: AUTH 2 PLAIN service=IMAP secured lip=::ffff:[server] rip=::ffff:[client] resp=<hidden>
Aug 5 23:14:53 mailserv1 dovecot: auth(default): pam([me],::ffff:[client]): lookup service=dovecot
Aug 5 23:14:53 mailserv1 dovecot: auth(default): pam([me],::ffff:[client]): pam_open_session() failed: Cannot make/remove an entry for the specified session
Aug 5 23:14:55 mailserv1 dovecot: auth(default): client out: FAIL 2 user=[me]
Aug 5 23:14:58 mailserv1 dovecot: imap-login: Aborted login: user=<[me]>, method=PLAIN, rip=::ffff:[client], lip=::ffff:[server], TLS
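
Added example, not part of the original thread: a small Python parser for PAM audit records of the shape quoted above. It reports logins where authentication succeeded but a later PAM stage failed for the same pid and account, which is the pattern behind the "Aborted login" lines, and keeps it apart from a plain wrong-password failure. The sample records are constructed; the accounts alice and bob, the pids and the 192.0.2.x address are made up.

```python
import re

# Constructed sample modelled on the audit.log records quoted in the thread;
# the accounts (alice, bob), pids and 192.0.2.x addresses are made up.
_REC = ("type={t} msg=audit(1217992493.{n}:{n}): user pid={pid} uid=0 auid=10243 "
        "subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: {stage} acct=\"{acct}\" : "
        "exe=\"/usr/libexec/dovecot/dovecot-auth\" (hostname=::ffff:192.0.2.10, "
        "addr=::ffff:192.0.2.10, terminal=dovecot res={res})'")
SAMPLE_AUDIT = "\n".join([
    _REC.format(t="USER_AUTH", n=389, pid=8022, stage="authentication", acct="alice", res="success"),
    _REC.format(t="USER_ACCT", n=390, pid=8022, stage="accounting", acct="alice", res="success"),
    _REC.format(t="USER_START", n=391, pid=8022, stage="session open", acct="alice", res="failed"),
    # A wrong password: fails at the authentication stage itself.
    _REC.format(t="USER_AUTH", n=392, pid=8030, stage="authentication", acct="bob", res="failed"),
])

RECORD = re.compile(
    r"type=(?P<type>USER_\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):"
    r".*? pid=(?P<pid>\d+) .*?msg='PAM: (?P<stage>[\w ]+?) acct=\"(?P<acct>[^\"]*)\""
    r".*?exe=\"(?P<exe>[^\"]+)\".*?res=(?P<res>\w+)\)'"
)

def parse_audit(text):
    """Yield one dict per PAM audit record; lines that do not match are skipped."""
    for line in text.splitlines():
        m = RECORD.search(line)
        if m:
            yield m.groupdict()

def failed_after_auth(text):
    """Return (pid, acct, stage) for every PAM stage that failed although
    authentication for the same pid and account had already succeeded."""
    authed, findings = set(), []
    for rec in parse_audit(text):
        key = (rec["pid"], rec["acct"])
        if rec["stage"] == "authentication" and rec["res"] == "success":
            authed.add(key)
        elif rec["res"] != "success" and key in authed:
            findings.append((rec["pid"], rec["acct"], rec["stage"]))
    return findings

if __name__ == "__main__":
    for pid, acct, stage in failed_after_auth(SAMPLE_AUDIT):
        print(f"pid {pid}: {acct} authenticated, but PAM stage '{stage}' failed")
```

A finding at the "session open" stage corresponds to the pam_open_session() failure in the maillog output, so the credentials were accepted and the rejection comes from the session part of the PAM stack enabled by session=yes.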