dovecot - Apr 2018 - Re: Can’t authenticate any users after upgrade.

I?m in the process of upgrading an old server from Fedora 21 to something more
modern.  Now, Dovecot won?t let any client login to get their email.

PAM audit_log_acct_message() failed: Operation not permitted
imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs):
user=<username>, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS,
session=<sessionid>

# 2.3.1 (8e2f634): /etc/dovecot/dovecot.conf
# OS: Linux 4.4.14-200.fc22.x86_64 x86_64 Fedora release 22 (Twenty Two) 
# Hostname: kjchome.homeip.net
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
passdb {
  driver = pam
}
ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_cipher_list = PROFILE=SYSTEM
ssl_dh =  # hidden, use -P to show it
ssl_key =  # hidden, use -P to show it
userdb {
  driver = passwd
}


--
Kevin J. Cummings
cummings at kjchome.homeip.net
cummings at kjc386.framingham.ma.us
kjchome at icloud.com
Registered Linux User #1232
(http://www.linuxcounter.net/)

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20180404/deaafc24/attachment.html>

On 2018-04-04 23:10, Kevin Cummings wrote:
> PAM audit_log_acct_message() failed: Operation not permitted
> imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs):
> user=<username>, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94,
TLS,
> session=<sessionid>
Please look at my pull request at:
https://github.com/dovecot/core/pull/71

Or, if it's any easier:

1) Stop dovecot
2) Replace /usr/lib/systemd/system/dovecot.service with the attached file
3) systemctl daemon-reload
4) systemctl start dovecot

Done.

Cheers,
 K. C.

-- 
regards Helmut K. C. Tessarek              KeyID 0x172380A011EF4944
Key fingerprint = 8A55 70C1 BD85 D34E ADBC 386C 1723 80A0 11EF 4944

/*
   Thou shalt not follow the NULL pointer for chaos and madness
   await thee at its end.
*/
-------------- next part --------------
# This file is part of Dovecot
#
# If you want to pass additionally command line options to the dovecot
# binary, create the file:
# 	`/etc/systemd/system/dovecot.service.d/service.conf'.

[Unit]
Description=Dovecot IMAP/POP3 email server
Documentation=man:dovecot(1)
Documentation=http://wiki2.dovecot.org/
After=local-fs.target network-online.target dovecot-init.service
Requires=dovecot-init.service

[Service]
Type=simple
ExecStartPre=/usr/libexec/dovecot/prestartscript
ExecStart=/usr/sbin/dovecot -F
PIDFile=/var/run/dovecot/master.pid
ExecReload=/usr/bin/doveadm reload
ExecStop=/usr/bin/doveadm stop
PrivateTmp=true
NonBlocking=yes
# this will make /usr /boot /etc read only for dovecot
ProtectSystem=full
PrivateDevices=true
# disable this if you want to use apparmor plugin
#NoNewPrivileges=true
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_KILL
CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE
CAP_AUDIT_WRITE

# You can add environment variables with e.g.:
#Environment='CORE_OUTOFMEM=1'
# If you have trouble with `Too many open files' you may set:
#LimitNOFILE=8192
# If you want to allow the Dovecot services to produce core dumps, use:
#LimitCORE=infinity

[Install]
WantedBy=multi-user.target
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20180405/4ed25a65/attachment.sig>

On 2018-04-05 06:33, Helmut K. C. Tessarek wrote:
> On 2018-04-04 23:10, Kevin Cummings wrote:
>> PAM audit_log_acct_message() failed: Operation not permitted
>> imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs):
>> user=<username>, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94,
TLS,
>> session=<sessionid>
> 
> Please look at my pull request at:
> https://github.com/dovecot/core/pull/71
> 
> Or, if it's any easier:
> 
> 1) Stop dovecot
> 2) Replace /usr/lib/systemd/system/dovecot.service with the attached 
> file
I'd recommend to just override the necessary options by creating 
/etc/systemd/system/dovecot.service.d/NoNewPrivileges.conf with the 
following content:

-<<--
[Service]
NoNewPrivileges=false
-->>-

This way the fix survives any updates and you don't have to mess with 
package-provided files.
> 3) systemctl daemon-reload
> 4) systemctl start dovecot

On 05.04.2018 07:33, Helmut K. C. Tessarek wrote:
> On 2018-04-04 23:10, Kevin Cummings wrote:
>> PAM audit_log_acct_message() failed: Operation not permitted
>> imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs):
>> user=<username>, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94,
TLS,
>> session=<sessionid>
> Please look at my pull request at:
> https://github.com/dovecot/core/pull/71
>
> Or, if it's any easier:
>
> 1) Stop dovecot
> 2) Replace /usr/lib/systemd/system/dovecot.service with the attached file
> 3) systemctl daemon-reload
> 4) systemctl start dovecot
>
> Done.
>
> Cheers,
>  K. C.
>
Hi!

Never replace /lib or /usr/lib systemd unit files, if you want to
replace the whole unit file, please put it under /etc/systemd/system/
directory. If unit file with same name is found under there, it is used
instead.

Aki

> On 04/04/18 23:10, Kevin Cummings wrote:
> I?m in the process of upgrading an old server from Fedora 21 to
> something more modern.  Now, Dovecot won?t let any client login to get
> their email.
> 
> PAM audit_log_acct_message() failed: Operation not permitted
> imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs):
> user=<username>, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94,
TLS,
> session=<sessionid>
> 
> # 2.3.1 (8e2f634): /etc/dovecot/dovecot.conf
> 
> # OS: Linux 4.4.14-200.fc22.x86_64 x86_64 Fedora release 22 (Twenty Two) 
> 
> # Hostname: kjchome.homeip.net <http://kjchome.homeip.net>
> 
> mbox_write_locks = fcntl
> 
> namespace inbox {
> 
>   inbox = yes
> 
>   location = 
> 
>   mailbox Drafts {
> 
>     special_use = \Drafts
> 
>   }
> 
>   mailbox Junk {
> 
>     special_use = \Junk
> 
>   }
> 
>   mailbox Sent {
> 
>     special_use = \Sent
> 
>   }
> 
>   mailbox "Sent Messages" {
> 
>     special_use = \Sent
> 
>   }
> 
>   mailbox Trash {
> 
>     special_use = \Trash
> 
>   }
> 
>   prefix = 
> 
> }
> 
> passdb {
> 
>   driver = pam
> 
> }
> 
> ssl = required
> 
> ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
> 
> ssl_cipher_list = PROFILE=SYSTEM
> 
> ssl_dh =  # hidden, use -P to show it
> 
> ssl_key =  # hidden, use -P to show it
> 
> userdb {
> 
>   driver = passwd
> 
> }
What ened up working for me.

I ended up downgrading to version 2.2.25 as packaged by city-fan.org

That worked.

Then, at the urging of the packager, I re-installed 2.3.1 (from the same
repository), but replaced the dovecot.service file with the one from 2.2.35.

[Always did a systemctl daemon-reload; systemctl restart dovecot between
attemptsz]

That worked.

Next he had me comment out the line that starts:

CapabilityBoundingSet
That also worked

-- 
Kevin J. Cummings
cummings at kjchome.homeip.net
cummings at kjc386.framingham.ma.us
kjchome at icloud.com
Registered Linux User #1232 (http://www.linuxcounter.net/)