dovecot - Feb 2013 - Requested xxxx scheme, but we have a NULL password after upgrade

I'm having an issue I can't seem to work around after upgrading from
Dovecot
1.0.7 to 1.2.17.

After getting Dovecot 1.07 working on CentOS 5.9, I decided that it might be
wise to upgrade to a later version, so I stuck with 1.x and went with
1.2.17, which I had to compile from source.  CentOS was originally using
/etc as the starting path for Dovecot files but the source distribution puts
most of the stuff under /usr/local/etc.  After the usual config>make>make
install dance I made the necessary changes to point to the new libraries,
modules, etc. and the "imap-login: Fatal: Dovecot version mismatch: Master
is v1.2.17, login is v1.0.7...." messages went away. 

After doing this though I cannot login, I get the following error messages:
Feb 13 15:50:40 auth(default): Info: client in: AUTH    7       NTLM   
service=imap    lip=192.168.2.102       rip=192.168.2.100       lport=143      
rport=1470
Feb 13 15:50:40 auth(default): Info: client out: CONT   7
Feb 13 15:50:40 auth(default): Info: client in: CONT    7      
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=Feb 13 15:50:40
auth(default): Info: client out: CONT   7
TlRMTVNTUAACAAAAMAAwADAAAAAFAooATj7XW6ve2hwAAAAAAAAAADgAOABgAAAAUwBlAHIAdgBlAHIAMQAuAGgAZQByAHMAYwBoAGwAYQB1AHIAZQBuAC4AYwBvAG0AAwAwAFMAZQByAHYAZQByADEALgBoAGUAcgBzAGMAaABsAGEAdQByAGUAbgAuAGMAbwBtAAAAAAAFeb
13 15:50:40 auth(default): Info: client in: CONT    7
TlRMTVNTUAADAAAAGAAYAGoAAABoAGgAggAAAAAAAABIAAAAEAAQAEgAAAASABIAWAAAAAAAAADqAAAABQKIAgUBKAoAAAAP*CENSORED*bgBiAFEAUwBFAC0AVwBJAE4AWABQAEXO6p/WuopqQ02x1kzJGW3NoQELKw32N88JqkbMOYOVErhiS492elwBAQAAAAAAA*CENSORED*ysN9jcAAAAAAwAwAFMAZQByAHYAZQByADEALgBoAGUAcgBzAGMAaABsAGEAdQByAGUAbgAuAGMAbwBtAAAAAAAAAAAA
Feb 13 15:50:40 auth(default): Info: cache(pquesinb,192.168.2.100): miss
Feb 13 15:50:40 auth(default): Info: passwd-file(pquesinb,192.168.2.100):
lookup: user=pquesinb file=/etc/dovecot.users
Feb 13 15:50:40 auth(default): Info: password(pquesinb,192.168.2.100):
Requested NTLM scheme, but we have a NULL password
Feb 13 15:50:40 auth(default): Info: cache(pquesinb,192.168.2.100): miss
Feb 13 15:50:40 auth(default): Info: password(pquesinb,192.168.2.100):
passdb doesn't support credential lookups
Feb 13 15:50:40 auth(default): Info: cache(pquesinb,192.168.2.100): miss
Feb 13 15:50:40 auth(default): Info: password(pquesinb,192.168.2.100):
passdb doesn't support credential lookups
Feb 13 15:50:40 auth(default): Info: cache(pquesinb,192.168.2.100): miss
Feb 13 15:50:40 auth(default): Info: password(pquesinb,192.168.2.100):
passdb doesn't support credential lookups
Feb 13 15:50:40 auth(default): Info: cache(pquesinb,192.168.2.100): miss
Feb 13 15:50:40 auth(default): Info: password(pquesinb,192.168.2.100):
passdb doesn't support credential lookups
Feb 13 15:50:42 auth(default): Info: client out: FAIL   7      
user=pquesinb


Looking at the log from the old version while it was working, I was getting
messages like the following:
dovecot: Feb 04 14:14:21 Info: imap-login: Login: user=<pquesinb>,
method=NTLM, rip=192.168.2.100, lip=192.168.2.102
dovecot: Feb 04 14:14:21 Info: imap-login: Login: user=<pquesinb>,
method=NTLM, rip=192.168.2.100, lip=192.168.2.102
dovecot: Feb 04 14:15:03 Info: IMAP(pquesinb): Disconnected: Logged out
dovecot: Feb 04 14:15:03 Info: IMAP(pquesinb): Disconnected: Logged out
dovecot: Feb 04 14:15:23 Info: imap-login: Login: user=<pquesinb>,
method=NTLM, rip=192.168.2.100, lip=192.168.2.102
dovecot: Feb 04 14:15:23 Info: imap-login: Login: user=<pquesinb>,
method=NTLM, rip=192.168.2.100, lip=192.168.2.102
dovecot: Feb 04 14:16:05 Info: IMAP(pquesinb): Disconnected: Logged out
dovecot: Feb 04 14:16:05 Info: IMAP(pquesinb): Disconnected: Logged out

/etc/dovecot.users contains a list of usernames.

Is this error the result of additional security which has been incorporated
into the later version of Dovecot, or is it because my installation of the
later version from source is broken, somehow incompatible, etc?  Dovecot was
configured to use PAM and it appeared to know the password of my account,
failing when it was entered incorrectly so I'm assuming that it was
successfully using PAM.  I kept the same syntax in the later config file.
>From dovecot.conf:
 passdb pam {
    # [session=yes] [setcred=yes] [failure_show_msg=yes]
[max_requests=<n>]
    # [cache_key=<key>] [<service name>]
    #
    # session=yes makes Dovecot open and immediately close PAM session. Some
    # PAM plugins need this to work, such as pam_mkhomedir.
    #
    # setcred=yes makes Dovecot establish PAM credentials if some PAM
plugins
    # need that. They aren't ever deleted though, so this isn't enabled
by
    # default.
    #
    # max_requests specifies how many PAM lookups to do in one process
before
    # recreating the process. The default is 100, because many PAM plugins
    # leak memory.
    #
    # cache_key can be used to enable authentication caching for PAM
    # (auth_cache_size also needs to be set). It isn't enabled by default
    # because PAM modules can do all kinds of checks besides checking
password,
    # such as checking IP address. Dovecot can't know about these checks
    # without some help. cache_key is simply a list of variables (see
    # doc/wiki/Variables.txt) which must match for the cached data to be
used.
    # Here are some examples:
    #   %u - Username must match. Probably sufficient for most uses.
    #   %u%r - Username and remote IP address must match.
    #   %u%s - Username and service (ie. IMAP, POP3) must match.
    #
    # The service name can contain variables, for example %Ls expands to
    # pop3 or imap.
    #
    # Some examples:
    #   args = session=yes %Ls
       args = cache_key=%u dovecot
    #args = dovecot
  }

If anyone could give me some ideas on where to go from here, I'd really
appreciate it.  If there's little chance of getting the newer version to
work with CentOS 5 then I'm ready to just drop back to the older version.

Thanks a bunch.

- Phil

Config info follows:

[root at Server1 lda]# dovecot -n
# 1.2.17: /usr/local/etc/dovecot.conf
# OS: Linux 2.6.18-348.el5.centos.plusxen x86_64 CentOS release 5.9 (Final)
log_path: /var/log/dovecot.log
info_log_path: /var/log/dovecot.log
protocols: imap imaps pop3 pop3s
ssl_cert_file: /etc/pki/dovecot/certs/dovecot.pem
ssl_key_file: /etc/pki/dovecot/private/dovecot.pem
disable_plaintext_auth: no
login_dir: /usr/local/var/run/dovecot/login
login_executable(default): /usr/local/libexec/dovecot/imap-login
login_executable(imap): /usr/local/libexec/dovecot/imap-login
login_executable(pop3): /usr/local/libexec/dovecot/pop3-login
max_mail_processes: 64
mail_location: maildir:~/Maildir
maildir_very_dirty_syncs: yes
mail_executable(default): /usr/local/libexec/dovecot/imap
mail_executable(imap): /usr/local/libexec/dovecot/imap
mail_executable(pop3): /usr/local/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/local/lib/dovecot/imap
mail_plugin_dir(imap): /usr/local/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/local/lib/dovecot/pop3
mail_log_max_lines_per_sec: 100
imap_client_workarounds(default): outlook-idle
imap_client_workarounds(imap): outlook-idle
imap_client_workarounds(pop3):
lda:
  mail_plugin_dir: /usr/local/lib/dovecot/lda
auth default:
  mechanisms: ntlm plain login digest-md5
  cache_size: 16
  cache_ttl: 90
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
    driver: passwd-file
    args: /etc/dovecot.users
  passdb:
    driver: pam
    args: cache_key=%u dovecot
  passdb:
    driver: passwd
  passdb:
    driver: shadow
  userdb:
    driver: passwd




--
View this message in context:
http://dovecot.2317879.n4.nabble.com/Requested-xxxx-scheme-but-we-have-a-NULL-password-after-upgrade-tp40123.html
Sent from the Dovecot mailing list archive at Nabble.com.

Digging further:

I did some rc.d/init.d tweaking so that I could run either Dovecot version
on demand and changed the configuration so that authentication for both is
basically the same.  1.07 works and 1.2.17 still doesn't.

I'd really like to understand what's going on here as opposed to just
dropping back and declaring it "fixed".

Here is the -n output for both versions, login/mail executables and plugins
are present within the configured paths for both versions:

[root at Server1 init.d]# dovecot -n
# 1.2.17: /usr/local/etc/dovecot.conf
# OS: Linux 2.6.18-348.el5.centos.plusxen x86_64 CentOS release 5.9 (Final)
log_path: /var/log/dovecot.log
info_log_path: /var/log/dovecot.log
protocols: imap imaps pop3 pop3s
ssl_cert_file: /etc/pki/dovecot/certs/dovecot.pem
ssl_key_file: /etc/pki/dovecot/private/dovecot.pem
disable_plaintext_auth: no
login_dir: /usr/local/var/run/dovecot/login
login_executable(default): /usr/local/libexec/dovecot/imap-login
login_executable(imap): /usr/local/libexec/dovecot/imap-login
login_executable(pop3): /usr/local/libexec/dovecot/pop3-login
max_mail_processes: 64
mail_location: maildir:~/Maildir
maildir_very_dirty_syncs: yes
mail_executable(default): /usr/local/libexec/dovecot/imap
mail_executable(imap): /usr/local/libexec/dovecot/imap
mail_executable(pop3): /usr/local/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/local/lib/dovecot/imap
mail_plugin_dir(imap): /usr/local/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/local/lib/dovecot/pop3
mail_log_max_lines_per_sec: 100
imap_client_workarounds(default): outlook-idle
imap_client_workarounds(imap): outlook-idle
imap_client_workarounds(pop3):
lda:
  mail_plugin_dir: /usr/local/lib/dovecot/lda
auth default:
  mechanisms: ntlm plain
  cache_size: 16
  cache_ttl: 90
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
    driver: passwd-file
    args: /etc/dovecot.users
  passdb:
    driver: pam
    args: cache_key=%u dovecot
  userdb:
    driver: passwd



[root at Server1 init.d]# dovecot107 -n
# 1.0.7: /etc/dovecot.conf
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
mail_location: maildir:~/Maildir
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib64/dovecot/imap
mail_plugin_dir(imap): /usr/lib64/dovecot/imap
mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
auth default:
  mechanisms: ntlm plain
  passdb:
    driver: passwd-file
    args: /etc/dovecot.users
  passdb:
    driver: pam
    args: cache_key=%u dovecot
  userdb:
    driver: passwd


Many thanks,

- Phil




--
View this message in context:
http://dovecot.2317879.n4.nabble.com/Requested-xxxx-scheme-but-we-have-a-NULL-password-after-upgrade-tp40123p40136.html
Sent from the Dovecot mailing list archive at Nabble.com.

This is definitely a PAM-related problem.  I can get authentication to work
with passdb shadow and userdb passwd.

Looking around, I saw something about a config option and a certain library
needing to be present at compile-time to support PAM authentication but I
thought I read something about an error-message related to that being shown
in the log.  Perhaps that error message is shown at compile-time.

If anyone is able to confirm my suspicions, please let me know.

Cheers,

- Phil



--
View this message in context:
http://dovecot.2317879.n4.nabble.com/Requested-xxxx-scheme-but-we-have-a-NULL-password-after-upgrade-tp40123p40137.html
Sent from the Dovecot mailing list archive at Nabble.com.