At least doveconf -n output would help. I guess related to authentication settings. Are there any errors in logs?> On 1 Jun 2017, at 12.14, Odhiambo Washington <odhiambo at gmail.com> wrote: > >> On 30 May 2017 at 21:16, Timo Sirainen <tss at iki.fi> wrote: >> >> https://dovecot.org/releases/2.2/dovecot-2.2.30.tar.gz >> https://dovecot.org/releases/2.2/dovecot-2.2.30.tar.gz.sig >> >> * auth: Use timing safe comparisons for everything related to >> passwords. It's unlikely that these could have been used for >> practical attacks, especially because Dovecot delays and flushes all >> failed authentications in 2 second intervals. Also it could have >> worked only when passwords were stored in plaintext in the passdb. >> * master process sends SIGQUIT to all running children at shutdown, >> which instructs them to close all the socket listeners immediately. >> This way restarting Dovecot should no longer fail due to some >> processes keeping the listeners open for a long time. >> >> + auth: Add passdb { mechanisms=none } to match separate passdb lookup >> + auth: Add passdb { username_filter } to use passdb only if user >> matches the filter. See https://wiki2.dovecot.org/PasswordDatabase >> + dsync: Add dsync_commit_msgs_interval setting. It attempts to commit >> the transaction after saving this many new messages. Because of the >> way dsync works, it may not always be possible if mails are copied >> or UIDs need to change. >> + imapc: Support imapc_features=search without ESEARCH extension. >> + imapc: Add imapc_features=fetch-bodystructure to pass through remote >> server's FETCH BODY and BODYSTRUCTURE. >> + imapc: Add quota=imapc backend to use GETQUOTA/GETQUOTAROOT on the >> remote server. >> + passdb imap: Add allow_invalid_cert and ssl_ca_file parameters. >> + If dovecot.index.cache corruption is detected, reset only the one >> corrupted mail instead of the whole file. >> + doveadm mailbox status: Add "firstsaved" field. >> + director_flush_socket: Add old host's up/down and vhost count as >> parameters >> - More fixes to automatically fix corruption in dovecot.list.index >> - dsync-server: Fix support for dsync_features=empty-header-workaround >> - imapc: Various bugfixes, including infinite loops on some errors >> - IMAP NOTIFY wasn't working for non-INBOX if IMAP client hadn't >> enabled modseq tracking via CONDSTORE/QRESYNC. >> - fts-lucene: Fix it to work again with mbox format >> - Some internal error messages may have contained garbage in v2.2.29 >> - mail-crypt: Re-encrypt when copying/moving mails and per-mailbox keys >> are used. Otherwise the copied mails can't be opened. >> - vpopmail: Fix compiling >> > > > Upgraded a 2.2.29 to this one and all hell broke loose! All users (MS > Outlook!) were being prompted for mail password! They'd enter it, mail is > fetched, and on the next check (even though the password had always been > saved) they'd be prompted again. So I quickly reverted to 2.2.29 and peace > prevailed. > > Now I am just wondering what exactly is causing this and how to fix it if I > am to come to 2.2.30.1 > > > > -- > Best regards, > Odhiambo WASHINGTON, > Nairobi,KE > +254 7 3200 0004/+254 7 2274 3223 > "Oh, the cruft."
Nothing in the error log, because authentication is actually successful. 2.2.29 (13ebc01): /opt/dovecot2.2/etc/dovecot/dovecot.conf # OS: FreeBSD 9.3-STABLE i386 ufs auth_cache_size = 20 M auth_master_user_separator = * auth_mechanisms = plain login digest-md5 auth_socket_path = /var/run/dovecot/auth-userdb base_dir = /var/run/dovecot/ default_login_user = dovecot disable_plaintext_auth = no first_valid_gid = 0 first_valid_uid = 26 hostname = gw.localdomain info_log_path = /var/log/dovecot.log mail_location = maildir:/var/spool/virtual/%d/%n/Maildir:INDEX=MEMORY mail_plugins = " quota" namespace inbox { inbox = yes location mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix } passdb { args = /opt/dovecot2.2/etc/dovecot/passwd.master_users.ext driver = passwd-file master = yes pass = yes } passdb { args = /opt/dovecot2.2/etc/dovecot/dovecot-sql.conf.ext driver = sql } plugin { mail_log_fields = uid box msgid size quota_rule = *:storage=1G quota_rule2 = Trash:storage=+100M quota_warning = storage=95%% quota-warning 95 %u quota_warning2 = storage=80%% quota-warning 80 %u quota_warning3 = -storage=100%% quota-warning below %u } postmaster_address = postmaster at localdomain service auth { unix_listener auth-client { mode = 0600 user = mailnull } unix_listener auth-userdb { group = mailnull user = mailnull } } service quota-warning { executable = script /opt/dovecot2.2/scripts/quota-warning.sh unix_listener quota-warning { user = mailnull } user = dovecot } ssl_cert = </usr/local/etc/letsencrypt/live/gw.localdomain/fullchain.pem ssl_key = # hidden, use -P to show it userdb { args = /opt/dovecot2.2/etc/dovecot/dovecot-sql.conf.ext driver = sql } protocol lda { mail_plugins = quota } protocol imap { mail_max_userip_connections = 2 mail_plugins = " quota imap_quota" } protocol pop3 { mail_max_userip_connections = 5 } On 1 June 2017 at 15:00, Timo Sirainen <tss at iki.fi> wrote:> At least doveconf -n output would help. I guess related to authentication > settings. Are there any errors in logs? > > > On 1 Jun 2017, at 12.14, Odhiambo Washington <odhiambo at gmail.com> wrote: > > > >> On 30 May 2017 at 21:16, Timo Sirainen <tss at iki.fi> wrote: > >> > >> https://dovecot.org/releases/2.2/dovecot-2.2.30.tar.gz > >> https://dovecot.org/releases/2.2/dovecot-2.2.30.tar.gz.sig > >> > >> * auth: Use timing safe comparisons for everything related to > >> passwords. It's unlikely that these could have been used for > >> practical attacks, especially because Dovecot delays and flushes all > >> failed authentications in 2 second intervals. Also it could have > >> worked only when passwords were stored in plaintext in the passdb. > >> * master process sends SIGQUIT to all running children at shutdown, > >> which instructs them to close all the socket listeners immediately. > >> This way restarting Dovecot should no longer fail due to some > >> processes keeping the listeners open for a long time. > >> > >> + auth: Add passdb { mechanisms=none } to match separate passdb lookup > >> + auth: Add passdb { username_filter } to use passdb only if user > >> matches the filter. See https://wiki2.dovecot.org/PasswordDatabase > >> + dsync: Add dsync_commit_msgs_interval setting. It attempts to commit > >> the transaction after saving this many new messages. Because of the > >> way dsync works, it may not always be possible if mails are copied > >> or UIDs need to change. > >> + imapc: Support imapc_features=search without ESEARCH extension. > >> + imapc: Add imapc_features=fetch-bodystructure to pass through remote > >> server's FETCH BODY and BODYSTRUCTURE. > >> + imapc: Add quota=imapc backend to use GETQUOTA/GETQUOTAROOT on the > >> remote server. > >> + passdb imap: Add allow_invalid_cert and ssl_ca_file parameters. > >> + If dovecot.index.cache corruption is detected, reset only the one > >> corrupted mail instead of the whole file. > >> + doveadm mailbox status: Add "firstsaved" field. > >> + director_flush_socket: Add old host's up/down and vhost count as > >> parameters > >> - More fixes to automatically fix corruption in dovecot.list.index > >> - dsync-server: Fix support for dsync_features=empty-header-workaround > >> - imapc: Various bugfixes, including infinite loops on some errors > >> - IMAP NOTIFY wasn't working for non-INBOX if IMAP client hadn't > >> enabled modseq tracking via CONDSTORE/QRESYNC. > >> - fts-lucene: Fix it to work again with mbox format > >> - Some internal error messages may have contained garbage in v2.2.29 > >> - mail-crypt: Re-encrypt when copying/moving mails and per-mailbox keys > >> are used. Otherwise the copied mails can't be opened. > >> - vpopmail: Fix compiling > >> > > > > > > Upgraded a 2.2.29 to this one and all hell broke loose! All users (MS > > Outlook!) were being prompted for mail password! They'd enter it, mail is > > fetched, and on the next check (even though the password had always been > > saved) they'd be prompted again. So I quickly reverted to 2.2.29 and > peace > > prevailed. > > > > Now I am just wondering what exactly is causing this and how to fix it > if I > > am to come to 2.2.30.1 > > > > > > > > -- > > Best regards, > > Odhiambo WASHINGTON, > > Nairobi,KE > > +254 7 3200 0004/+254 7 2274 3223 > > "Oh, the cruft." > >-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft."
Hi, Same symptoms here when upgrading from 2.2.29 to 2.2.30. Getting back to 2.2.29 resolve the problem. The client here is a webmail ( rainloop ). User automatically logout as if the auth did'nt succed although log show successfull login attempt My configuration 2.2.29.1 (e0b76e3): /etc/dovecot/dovecot.conf # Pigeonhole version 0.4.18 (29cc74d) # OS: Linux 4.11.2-gentoo-xxxx-std-ipv6-64 x86_64 Gentoo Base System release 2.4.1 auth_cache_size = 10 M auth_default_realm = aprogsys.com auth_gssapi_hostname = $ALL auth_krb5_keytab = /etc/dovecot/dovecot.keytab auth_mechanisms = plain login gssapi auth_username_format = %Ln auth_worker_max_count = 80 dict { acl = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext } disable_plaintext_auth = no dsync_remote_cmd = ssh -l%{login} %{host} doveadm dsync-server -u%u first_valid_uid = 1001 lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes mail_access_groups = dovecot mail_location = mdbox:~/mdbox mail_plugins = " acl fts fts_lucene notify replication virtual" managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext namespace { list = children location = mdbox:%%h/mdbox prefix = shared/%%n/ separator = / subscriptions = no type = shared } namespace { location = virtual:~/virtual prefix = virtual/ separator = / } namespace inbox { inbox = yes list = yes location = mailbox Drafts { auto = no special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox SPAM { auto = create special_use = \Junk } mailbox Sent { auto = subscribe special_use = \Sent } mailbox "Sent Messages" { auto = no special_use = \Sent } mailbox Trash { auto = no special_use = \Trash } prefix = separator = / } passdb { args = cache_key=%s%u * driver = pam } plugin { acl = vfile acl_anyone = allow acl_shared_dict = proxy::acl antispam_backend = mailtrain antispam_mail_notspam = learn_ham antispam_mail_sendmail = /usr/bin/rspamc antispam_mail_sendmail_args = -h;localhost:11334;-P;q1 antispam_mail_spam = learn_spam antispam_spam = SPAM antispam_trash = Trash fts = lucene fts_autoindex = yes fts_lucene = whitespace_chars=@. mail_replica = remote:root at 192.168.1.7 replication_dsync_parameters = -d -U sieve = file:~/sieve;active=~/.dovecot.sieve sieve_before = /var/lib/dovecot/sieve sieve_default = /var/lib/dovecot/sieve/spam.sieve sieve_dir = ~/sieve } protocols = imap pop3 lmtp sieve replication_max_conns = 2 service aggregator { fifo_listener replication-notify-fifo { mode = 0666 } unix_listener replication-notify { mode = 0666 } } service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } unix_listener auth-client { mode = 0666 } unix_listener auth-userdb { mode = 0777 } } service dict { unix_listener dict { mode = 0666 } } service imap-login { process_min_avail = 4 service_count = 0 vsz_limit = 256 M } service managesieve-login { inet_listener sieve { port = 4190 } inet_listener sieve_deprecated { port = 2000 } } service replicator { process_min_avail = 1 unix_listener replicator-doveadm { mode = 0666 } } ssl_cert = </etc/letsencrypt/live/aprogsys.com/fullchain.pem ssl_key = # hidden, use -P to show it userdb { driver = passwd } protocol lda { mail_plugins = " acl fts fts_lucene notify replication virtual sieve" } protocol imap { imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags mail_max_userip_connections = 40 mail_plugins = " acl fts fts_lucene notify replication virtual antispam imap_acl" } local_name imap.agrobioconso.org { ssl_cert = </etc/letsencrypt/live/agrobioconso.org/fullchain.pem ssl_key = # hidden, use -P to show it } local_name imap.aprogsys.com { ssl_cert = </etc/letsencrypt/live/imap.aprogsys.com/fullchain.pem ssl_key = # hidden, use -P to show it } local_name imap.lesmontreursdours.fr { ssl_cert = </etc/letsencrypt/live/imap.lesmontreursdours.fr/fullchain.pem ssl_key = # hidden, use -P to show it } local_name pop.aprogsys.com { ssl_cert = </etc/letsencrypt/live/pop.aprogsys.com/fullchain.pem ssl_key = # hidden, use -P to show it } local_name imap.caves-explorer.com { ssl_cert = </etc/letsencrypt/live/caves-explorer.com/fullchain.pem ssl_key = # hidden, use -P to show it } local_name imap.vetienne.net { ssl_cert = </etc/letsencrypt/live/vetienne.net/fullchain.pem ssl_key = # hidden, use -P to show it } Regards, Vincent ETIENNE 1 juin 2017 18:48 "Odhiambo Washington" <odhiambo at gmail.com> a ?crit:> Nothing in the error log, because authentication is actually successful. >
Hi Vincent, The problem was resolved in 2.2.30.2 so feel free to update to that. On 13 June 2017 at 13:11, <ve at vetienne.net> wrote:> Hi, > > Same symptoms here when upgrading from 2.2.29 to 2.2.30. Getting back to > 2.2.29 resolve the problem. > > The client here is a webmail ( rainloop ). User automatically logout as if > the auth did'nt succed although log show successfull login attempt > > My configuration > > 2.2.29.1 (e0b76e3): /etc/dovecot/dovecot.conf > # Pigeonhole version 0.4.18 (29cc74d) > # OS: Linux 4.11.2-gentoo-xxxx-std-ipv6-64 x86_64 Gentoo Base System > release 2.4.1 > auth_cache_size = 10 M > auth_default_realm = aprogsys.com > auth_gssapi_hostname = $ALL > auth_krb5_keytab = /etc/dovecot/dovecot.keytab > auth_mechanisms = plain login gssapi > auth_username_format = %Ln > auth_worker_max_count = 80 > dict { > acl = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext > } > disable_plaintext_auth = no > dsync_remote_cmd = ssh -l%{login} %{host} doveadm dsync-server -u%u > first_valid_uid = 1001 > lda_mailbox_autocreate = yes > lda_mailbox_autosubscribe = yes > mail_access_groups = dovecot > mail_location = mdbox:~/mdbox > mail_plugins = " acl fts fts_lucene notify replication virtual" > managesieve_notify_capability = mailto > managesieve_sieve_capability = fileinto reject envelope encoded-character > vacation subaddress comparator-i;ascii-numeric relational regex imap4flags > copy include variables body enotify environment mailbox date index ihave > duplicate mime foreverypart extracttext > namespace { > list = children > location = mdbox:%%h/mdbox > prefix = shared/%%n/ > separator = / > subscriptions = no > type = shared > } > namespace { > location = virtual:~/virtual > prefix = virtual/ > separator = / > } > namespace inbox { > inbox = yes > list = yes > location > mailbox Drafts { > auto = no > special_use = \Drafts > } > mailbox Junk { > special_use = \Junk > } > mailbox SPAM { > auto = create > special_use = \Junk > } > mailbox Sent { > auto = subscribe > special_use = \Sent > } > mailbox "Sent Messages" { > auto = no > special_use = \Sent > } > mailbox Trash { > auto = no > special_use = \Trash > } > prefix > separator = / > } > passdb { > args = cache_key=%s%u * > driver = pam > } > plugin { > acl = vfile > acl_anyone = allow > acl_shared_dict = proxy::acl > antispam_backend = mailtrain > antispam_mail_notspam = learn_ham > antispam_mail_sendmail = /usr/bin/rspamc > antispam_mail_sendmail_args = -h;localhost:11334;-P;q1 > antispam_mail_spam = learn_spam > antispam_spam = SPAM > antispam_trash = Trash > fts = lucene > fts_autoindex = yes > fts_lucene = whitespace_chars=@. > mail_replica = remote:root at 192.168.1.7 > replication_dsync_parameters = -d -U > sieve = file:~/sieve;active=~/.dovecot.sieve > sieve_before = /var/lib/dovecot/sieve > sieve_default = /var/lib/dovecot/sieve/spam.sieve > sieve_dir = ~/sieve > } > protocols = imap pop3 lmtp sieve > replication_max_conns = 2 > service aggregator { > fifo_listener replication-notify-fifo { > mode = 0666 > } > unix_listener replication-notify { > mode = 0666 > } > } > service auth { > unix_listener /var/spool/postfix/private/auth { > group = postfix > mode = 0660 > user = postfix > } > unix_listener auth-client { > mode = 0666 > } > unix_listener auth-userdb { > mode = 0777 > } > } > service dict { > unix_listener dict { > mode = 0666 > } > } > service imap-login { > process_min_avail = 4 > service_count = 0 > vsz_limit = 256 M > } > service managesieve-login { > inet_listener sieve { > port = 4190 > } > inet_listener sieve_deprecated { > port = 2000 > } > } > service replicator { > process_min_avail = 1 > unix_listener replicator-doveadm { > mode = 0666 > } > } > ssl_cert = </etc/letsencrypt/live/aprogsys.com/fullchain.pem > ssl_key = # hidden, use -P to show it > userdb { > driver = passwd > } > protocol lda { > mail_plugins = " acl fts fts_lucene notify replication virtual sieve" > } > protocol imap { > imap_client_workarounds = delay-newmail tb-extra-mailbox-sep > tb-lsub-flags > mail_max_userip_connections = 40 > mail_plugins = " acl fts fts_lucene notify replication virtual antispam > imap_acl" > } > local_name imap.agrobioconso.org { > ssl_cert = </etc/letsencrypt/live/agrobioconso.org/fullchain.pem > ssl_key = # hidden, use -P to show it > } > local_name imap.aprogsys.com { > ssl_cert = </etc/letsencrypt/live/imap.aprogsys.com/fullchain.pem > ssl_key = # hidden, use -P to show it > } > local_name imap.lesmontreursdours.fr { > ssl_cert = </etc/letsencrypt/live/imap.lesmontreursdours.fr/ > fullchain.pem > ssl_key = # hidden, use -P to show it > } > local_name pop.aprogsys.com { > ssl_cert = </etc/letsencrypt/live/pop.aprogsys.com/fullchain.pem > ssl_key = # hidden, use -P to show it > } > local_name imap.caves-explorer.com { > ssl_cert = </etc/letsencrypt/live/caves-explorer.com/fullchain.pem > ssl_key = # hidden, use -P to show it > } > local_name imap.vetienne.net { > ssl_cert = </etc/letsencrypt/live/vetienne.net/fullchain.pem > ssl_key = # hidden, use -P to show it > } > > Regards, > Vincent ETIENNE > > 1 juin 2017 18:48 "Odhiambo Washington" <odhiambo at gmail.com> a ?crit: > > Nothing in the error log, because authentication is actually successful. > > >-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft."
Reasonably Related Threads
- v2.2.30 released
- Dovecot Replication Errors (only) when using tcps: as the mail_replica Protocol
- Warning: Global setting won't change the setting inside an earlier filter
- Unexpected config results with local_name + multiple SSL certs
- Fatal: setgid from userdb lookup fails with wrong gid