I'm in the process of upgrading an old server from Fedora 21 to something more modern. Now, Dovecot won't let any client login to get their email.

PAM audit_log_acct_message() failed: Operation not permitted
imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs): user=<username>, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS, session=<sessionid>

# 2.3.1 (8e2f634): /etc/dovecot/dovecot.conf
# OS: Linux 4.4.14-200.fc22.x86_64 x86_64 Fedora release 22 (Twenty Two)
# Hostname: kjchome.homeip.net
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_cipher_list = PROFILE=SYSTEM
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}

--
Kevin J. Cummings
cummings at kjchome.homeip.net
cummings at kjc386.framingham.ma.us
kjchome at icloud.com
Registered Linux User #1232 (http://www.linuxcounter.net/)
Helmut K. C. Tessarek
2018-Apr-05 04:33 UTC
Re: Can’t authenticate any users after upgrade.
On 2018-04-04 23:10, Kevin Cummings wrote:
> PAM audit_log_acct_message() failed: Operation not permitted
> imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs):
> user=<username>, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS,
> session=<sessionid>

Please look at my pull request at:
https://github.com/dovecot/core/pull/71

Or, if it's any easier:

1) Stop dovecot
2) Replace /usr/lib/systemd/system/dovecot.service with the attached file
3) systemctl daemon-reload
4) systemctl start dovecot

Done.

Cheers,
K. C.

--
regards Helmut K. C. Tessarek
KeyID 0x172380A011EF4944
Key fingerprint = 8A55 70C1 BD85 D34E ADBC 386C 1723 80A0 11EF 4944

/*
   Thou shalt not follow the NULL pointer for chaos and madness
   await thee at its end.
*/
-------------- next part --------------
# This file is part of Dovecot
#
# If you want to pass additionally command line options to the dovecot
# binary, create the file:
# `/etc/systemd/system/dovecot.service.d/service.conf'.

[Unit]
Description=Dovecot IMAP/POP3 email server
Documentation=man:dovecot(1)
Documentation=http://wiki2.dovecot.org/
After=local-fs.target network-online.target dovecot-init.service
Requires=dovecot-init.service

[Service]
Type=simple
ExecStartPre=/usr/libexec/dovecot/prestartscript
ExecStart=/usr/sbin/dovecot -F
PIDFile=/var/run/dovecot/master.pid
ExecReload=/usr/bin/doveadm reload
ExecStop=/usr/bin/doveadm stop
PrivateTmp=true
NonBlocking=yes
# this will make /usr /boot /etc read only for dovecot
ProtectSystem=full
PrivateDevices=true
# disable this if you want to use apparmor plugin
#NoNewPrivileges=true
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_KILL CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_AUDIT_WRITE

# You can add environment variables with e.g.:
#Environment='CORE_OUTOFMEM=1'

# If you have trouble with `Too many open files' you may set:
#LimitNOFILE=8192

# If you want to allow the Dovecot services to produce core dumps, use:
#LimitCORE=infinity

[Install]
WantedBy=multi-user.target
On 2018-04-05 06:33, Helmut K. C. Tessarek wrote:
> On 2018-04-04 23:10, Kevin Cummings wrote:
>> PAM audit_log_acct_message() failed: Operation not permitted
>> imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs):
>> user=<username>, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS,
>> session=<sessionid>
>
> Please look at my pull request at:
> https://github.com/dovecot/core/pull/71
>
> Or, if it's any easier:
>
> 1) Stop dovecot
> 2) Replace /usr/lib/systemd/system/dovecot.service with the attached
> file

I'd recommend to just override the necessary options by creating /etc/systemd/system/dovecot.service.d/NoNewPrivileges.conf with the following content:

-<<--
[Service]
NoNewPrivileges=false
-->>-

This way the fix survives any updates and you don't have to mess with package-provided files.

> 3) systemctl daemon-reload
> 4) systemctl start dovecot
On 05.04.2018 07:33, Helmut K. C. Tessarek wrote:
> On 2018-04-04 23:10, Kevin Cummings wrote:
>> PAM audit_log_acct_message() failed: Operation not permitted
>> imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs):
>> user=<username>, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS,
>> session=<sessionid>
> Please look at my pull request at:
> https://github.com/dovecot/core/pull/71
>
> Or, if it's any easier:
>
> 1) Stop dovecot
> 2) Replace /usr/lib/systemd/system/dovecot.service with the attached file
> 3) systemctl daemon-reload
> 4) systemctl start dovecot
>
> Done.
>
> Cheers,
> K. C.
>

Hi!

Never replace /lib or /usr/lib systemd unit files. If you want to replace the whole unit file, please put it under the /etc/systemd/system/ directory. If a unit file with the same name is found there, it is used instead.

Aki
Kevin Cummings
2018-Apr-08 00:50 UTC
Re: Can’t authenticate any users after upgrade. [SOLVED]
> On 04/04/18 23:10, Kevin Cummings wrote:
> I'm in the process of upgrading an old server from Fedora 21 to
> something more modern. Now, Dovecot won't let any client login to get
> their email.
>
> PAM audit_log_acct_message() failed: Operation not permitted
> imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs):
> user=<username>, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS,
> session=<sessionid>
>
> # 2.3.1 (8e2f634): /etc/dovecot/dovecot.conf
> # OS: Linux 4.4.14-200.fc22.x86_64 x86_64 Fedora release 22 (Twenty Two)
> # Hostname: kjchome.homeip.net <http://kjchome.homeip.net>
> mbox_write_locks = fcntl
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   driver = pam
> }
> ssl = required
> ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
> ssl_cipher_list = PROFILE=SYSTEM
> ssl_dh = # hidden, use -P to show it
> ssl_key = # hidden, use -P to show it
> userdb {
>   driver = passwd
> }

What ended up working for me.

I ended up downgrading to version 2.2.25 as packaged by city-fan.org

That worked.

Then, at the urging of the packager, I re-installed 2.3.1 (from the same repository), but replaced the dovecot.service file with the one from 2.2.35. [Always did a systemctl daemon-reload; systemctl restart dovecot between attempts]

That worked.

Next he had me comment out the line that starts: CapabilityBoundingSet

That also worked

--
Kevin J. Cummings
cummings at kjchome.homeip.net
cummings at kjc386.framingham.ma.us
kjchome at icloud.com
Registered Linux User #1232 (http://www.linuxcounter.net/)
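
Added example, not part of the thread or of Dovecot's packaging: the replies above work around the audit_log_acct_message() failure with a drop-in override or by commenting out CapabilityBoundingSet, while the unit file attached earlier keeps the bounding set and lists CAP_AUDIT_WRITE. This sketch models how CapabilityBoundingSet= lines merge across a unit and its drop-ins and checks whether audit writes stay permitted; the sample unit, the drop-in name audit-write.conf and the helper names are constructed for illustration.

```shell
#!/bin/sh
# Simplified model of systemd's CapabilityBoundingSet= handling (assumptions):
#   - repeated assignments, unit first and drop-ins after, are OR-ed together
#   - an empty assignment resets the set
#   - "~" inverted lists and [Section] scoping are not modelled
#   - no assignment at all means the service keeps every capability

# effective_caps FILE... -> prints the merged set, or ALL if never assigned
effective_caps() {
    cat "$@" | awk '
        /^[ \t]*CapabilityBoundingSet=/ {
            seen = 1
            sub(/^[^=]*=/, "")
            if ($0 ~ /^[ \t]*$/) { caps = ""; next }   # empty value: reset
            caps = caps " " $0
        }
        END { if (seen) print caps; else print "ALL" }'
}

# allows_cap CAP FILE... -> exit status 0 if CAP is in the effective set
allows_cap() {
    want=$1; shift
    have=$(effective_caps "$@")
    [ "$have" = "ALL" ] && return 0
    for c in $have; do
        [ "$c" = "$want" ] && return 0
    done
    return 1
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sample unit: a bounding set that omits CAP_AUDIT_WRITE
cat > "$tmp/dovecot.service" <<'EOF'
[Service]
ExecStart=/usr/sbin/dovecot -F
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_KILL CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
EOF

# Constructed drop-in, as it would sit in /etc/systemd/system/dovecot.service.d/
cat > "$tmp/audit-write.conf" <<'EOF'
[Service]
CapabilityBoundingSet=CAP_AUDIT_WRITE
EOF

for files in "$tmp/dovecot.service" "$tmp/dovecot.service $tmp/audit-write.conf"; do
    # word splitting on $files is intended: mktemp paths contain no spaces
    if allows_cap CAP_AUDIT_WRITE $files; then echo "allowed: $files"
    else echo "CAP_AUDIT_WRITE missing (audit writes get EPERM): $files"; fi
done
```

On a live host, `systemctl show -p CapabilityBoundingSet dovecot` prints the set systemd actually applied, which is the authoritative check after a daemon-reload.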