dovecot - Jul 2017 - Strange Error: Password data is not valid for scheme SHA256. Please help me resolve it.

Hello,

I am using version 2.2.31 (65cde28) on an Ubuntu 16.04 VPS.

I am attempting to setup a mail server using a flat file system as an  
experiment.

I am able to send e-mail from external domain names and the messages  
land in my /var/mail/vmail/domain/user/ directories.

I am trying to setup Thunderbird as an MUA using the information I  
generated on my VPS namely the IMAP server, username at domain.com,  
password, and SMTP server.

IMAP server - www.domain.com
SMTP server - www.domain.com
Username - created in /etc/postfix/virtual-mailbox-users.db and  
/etc/dovecot/passwd.db
Password - created by dovadm pw -s SHA256 and entered (along with the  
username) in /etc/dovecot/passwd.db

I enter this information into "new accounts" in Thunderbird and select
STARTTLS with ports 143 (IMAP) and 587 (SMTP). (I have experimented  
with a variety of other combinations too). I click "Done" which  
transmits the information to the domain server to verify the details.

My /var/log/mail.log shows:

Jul 22 18:40:48 www dovecot: auth: Error:  
passwd-file(test at domain.com,46.xxx.xxx.xxx,<wZoHUuxU6IAu9j4y>):  
Password data is not valid for scheme SHA256: Input length isn't valid  
(0 instead of 32)
Jul 22 18:41:00 www dovecot: message repeated 2 times: [ auth: Error:  
passwd-file(test at domain.com,46.xxx.xxx.xxx,<fGoHUuxU6IAu9j4y>):  
Password data is not valid for scheme SHA256: Input length isn't valid  
(0 instead of 32)]
Jul 22 18:41:02 www dovecot: imap-login: Disconnected (auth failed, 3  
attempts in 14 secs): user=<test at domain.com>, method=PLAIN,  
rip=46.xxx.xxx.xxx, lip=139.xxx.xxx.xxx, TLS, session=<fGoHUuxU6IAu9j4y>

What does "Password data is not valid for scheme SHA256: Input length  
isn't valid (0 instead of 32)]" mean? I assume that there is some kind
of a mismatch between the way I generated the password with doveadm  
and entered it in passwd.db and the way I entered the non-hashed  
password into the password field in the new account section of  
Thunderbird.

Is there a way to resolve this issue? My dovecot -n is below. You will  
note that the passdb section does have the scheme as SHA256. Many  
thanks.

# 2.2.31 (65cde28): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.19 (e5c7051)
# OS: Linux 4.4.0-83-generic x86_64 Ubuntu 16.04.2 LTS ext4
auth_mechanisms = plain login
auth_verbose = yes
mail_home = /var/mail/vmail/%d/%n
mail_location = maildir:/var/mail/vmail/%d/%n/mail:LAYOUT=fs
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope  
encoded-character vacation subaddress comparator-i;ascii-numeric  
relational regex imap4flags copy include variables body enotify  
environment mailbox date index ihave duplicate mime foreverypart  
extracttext
namespace inbox {
   inbox = yes
   location    mailbox Drafts {
     auto = subscribe
     special_use = \Drafts
   }
   mailbox Junk {
     auto = subscribe
     special_use = \Junk
   }
   mailbox Sent {
     auto = subscribe
     special_use = \Sent
   }
   mailbox Trash {
     auto = subscribe
     special_use = \Trash
   }
   prefix }
passdb {
   args = username_format=%u scheme=SHA256 /etc/dovecot/passwd.db
   driver = passwd-file
}
plugin {
   sieve = file:~/sieve;active=~/.dovecot.sieve
   sieve_dir = ~/sieve
}
protocols = imap pop3 sieve
service auth {
   unix_listener /var/spool/postfix/private/dovecot-auth {
     group = postfix
     mode = 0660
     user = postfix
   }
}
ssl_cert = </etc/letsencrypt/live/www.domain.com/fullchain.pem
ssl_cipher_list =  
ALL:!LOW:!SSLv2:ALL:!aNULL:!ADH:!eNULL:!EXP:RC4+RSA:+HIGH:+MEDIUM
ssl_key =  # hidden, use -P to show it
userdb {
   args = uid=5000 gid=5000 home=/var/mail/vmail/%d/%n
   driver = static
}
protocol imap {
   imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
   mail_max_userip_connections = 10
}
protocol pop3 {
   mail_max_userip_connections = 10
   pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
protocol lda {
   deliver_log_format = msgid=%m: %$
   mail_plugins = sieve
   postmaster_address = postmaster at domain.com
   quota_full_tempfail = yes
   rejection_reason = Your message to <%t> was automatically rejected:%n%r
}



-------------------------------------------------

ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the
NSA's hands!
$24.95 ONETIME Lifetime accounts with Privacy Features!  
15GB disk! No bandwidth quotas!
Commercial and Bulk Mail Options!

Am 23.07.2017 um 17:50 schrieb david.madman2 at
vfemail.net:
> My /var/log/mail.log shows:
> 
> Jul 22 18:40:48 www dovecot: auth: Error: 
> passwd-file(test at domain.com,46.xxx.xxx.xxx,<wZoHUuxU6IAu9j4y>):
Password
> data is not valid for scheme SHA256: Input length isn't valid (0
instead
> of 32)
> Jul 22 18:41:00 www dovecot: message repeated 2 times: [ auth: Error: 
> passwd-file(test at domain.com,46.xxx.xxx.xxx,<fGoHUuxU6IAu9j4y>):
Password
> data is not valid for scheme SHA256: Input length isn't valid (0
instead
> of 32)]
> Jul 22 18:41:02 www dovecot: imap-login: Disconnected (auth failed, 3 
> attempts in 14 secs): user=<test at domain.com>, method=PLAIN, 
> rip=46.xxx.xxx.xxx, lip=139.xxx.xxx.xxx, TLS,
session=<fGoHUuxU6IAu9j4y>
> 
> What does "Password data is not valid for scheme SHA256: Input length 
> isn't valid (0 instead of 32)]" mean? I assume that there is some
kind
> of a mismatch between the way I generated the password with doveadm and 
> entered it in passwd.db and the way I entered the non-hashed password 
> into the password field in the new account section of Thunderbird.
It means that dovecot expacts to verify a 32 byte long password hash. 
What it detects has a size of 0 byte. You haven't shown an example line 
of your passwd.db file, but I would guess you build it up not correct.

See

https://wiki.dovecot.org/Authentication/PasswordSchemes

Alexander

Quoting Alexander Dalloz <ad+lists at uni-x.org>:
> Am 23.07.2017 um 17:50 schrieb david.madman2 at vfemail.net:
>> My /var/log/mail.log shows:
>>
>> Jul 22 18:40:48 www dovecot: auth: Error:  
>> passwd-file(test at
domain.com,46.xxx.xxx.xxx,<wZoHUuxU6IAu9j4y>):
>> Password data is not valid for scheme SHA256: Input length isn't  
>> valid (0 instead of 32)
>> Jul 22 18:41:00 www dovecot: message repeated 2 times: [ auth:  
>> Error:  
>> passwd-file(test at
domain.com,46.xxx.xxx.xxx,<fGoHUuxU6IAu9j4y>):
>> Password data is not valid for scheme SHA256: Input length isn't  
>> valid (0 instead of 32)]
>> Jul 22 18:41:02 www dovecot: imap-login: Disconnected (auth failed,  
>> 3 attempts in 14 secs): user=<test at domain.com>, method=PLAIN,
>> rip=46.xxx.xxx.xxx, lip=139.xxx.xxx.xxx, TLS,  
>> session=<fGoHUuxU6IAu9j4y>
>>
>> What does "Password data is not valid for scheme SHA256: Input  
>> length isn't valid (0 instead of 32)]" mean? I assume that
there is
>> some kind of a mismatch between the way I generated the password  
>> with doveadm and entered it in passwd.db and the way I entered the  
>> non-hashed password into the password field in the new account  
>> section of Thunderbird.
>
> It means that dovecot expacts to verify a 32 byte long password  
> hash. What it detects has a size of 0 byte. You haven't shown an  
> example line of your passwd.db file, but I would guess you build it  
> up not correct.
>
> See
>
> https://wiki.dovecot.org/Authentication/PasswordSchemes
>
> Alexander
Thank you for your reply. My /etc/dovecot/passwd.db shows:

test at domain.com:
{SHA256}tdA2DIOZhwLOKVxA2WiOY0oy9GB8A6baW/okY+DTFi0
I'm not sure what could be wrong with this file. It is a plain text  
file created in vim.

Permissions:

-rw-r--r-- 1 root root 70 Jul 23 19:14 /etc/dovecot/passwd.db

In Thunderbird, I simply enter the text equivalent of the SHA256 in  
the "password" field when creating a new account.

Do you - or anyone else - have another suggestion? Many thanks!



-------------------------------------------------

ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the
NSA's hands!
$24.95 ONETIME Lifetime accounts with Privacy Features!  
15GB disk! No bandwidth quotas!
Commercial and Bulk Mail Options!

Quoting Alexander Dalloz <ad+lists at uni-x.org>:
> Am 23.07.2017 um 17:50 schrieb david.madman2 at vfemail.net:
>> My /var/log/mail.log shows:
>>
>> Jul 22 18:40:48 www dovecot: auth: Error:  
>> passwd-file(test at
domain.com,46.xxx.xxx.xxx,<wZoHUuxU6IAu9j4y>):
>> Password data is not valid for scheme SHA256: Input length isn't  
>> valid (0 instead of 32)
>> Jul 22 18:41:00 www dovecot: message repeated 2 times: [ auth:  
>> Error:  
>> passwd-file(test at
domain.com,46.xxx.xxx.xxx,<fGoHUuxU6IAu9j4y>):
>> Password data is not valid for scheme SHA256: Input length isn't  
>> valid (0 instead of 32)]
>> Jul 22 18:41:02 www dovecot: imap-login: Disconnected (auth failed,  
>> 3 attempts in 14 secs): user=<test at domain.com>, method=PLAIN,
>> rip=46.xxx.xxx.xxx, lip=139.xxx.xxx.xxx, TLS,  
>> session=<fGoHUuxU6IAu9j4y>
>>
>> What does "Password data is not valid for scheme SHA256: Input  
>> length isn't valid (0 instead of 32)]" mean? I assume that
there is
>> some kind of a mismatch between the way I generated the password  
>> with doveadm and entered it in passwd.db and the way I entered the  
>> non-hashed password into the password field in the new account  
>> section of Thunderbird.
>
> It means that dovecot expacts to verify a 32 byte long password  
> hash. What it detects has a size of 0 byte. You haven't shown an  
> example line of your passwd.db file, but I would guess you build it  
> up not correct.
>
> See
>
> https://wiki.dovecot.org/Authentication/PasswordSchemes
>
> Alexander
Just to add to my previous message:

I modified the args= in the passdb section of /etc/dovecot/passwd.db  
from SHA256 to SHA256-CRYPT which gave a different error when I tried  
to do the same creation of the account in Thunderbird. The new error is:

Jul 23 22:12:23 www dovecot: auth:  
passwd-file(test at domain.com,46.xxx.xxx.xxx,<u4CLZBNVys4u8ic/>):  
Password mismatch




-------------------------------------------------

ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the
NSA's hands!
$24.95 ONETIME Lifetime accounts with Privacy Features!  
15GB disk! No bandwidth quotas!
Commercial and Bulk Mail Options!