On 2018-04-05 06:33, Helmut K. C. Tessarek wrote:
> On 2018-04-04 23:10, Kevin Cummings wrote:
>> PAM audit_log_acct_message() failed: Operation not permitted
>> imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs):
>> user=<username>, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS,
>> session=<sessionid>
>
> Please look at my pull request at:
> https://github.com/dovecot/core/pull/71
>
> Or, if it's any easier:
>
> 1) Stop dovecot
> 2) Replace /usr/lib/systemd/system/dovecot.service with the attached
> file

I'd recommend to just override the necessary options by creating /etc/systemd/system/dovecot.service.d/NoNewPrivileges.conf with the following content:

-<<--
[Service]
NoNewPrivileges=false
-->>-

This way the fix survives any updates and you don't have to mess with package-provided files.

> 3) systemctl daemon-reload
> 4) systemctl start dovecot

Helmut K. C. Tessarek
2018-Apr-06 02:02 UTC
Re: Can’t authenticate any users after upgrade.
On 2018-04-05 02:34, B. Reino wrote:
> This way the fix survives any updates and you don't have to mess with
> package-provided files.

You'd also have to add the following:

CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_KILL CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_AUDIT_WRITE

It won't work without CAP_AUDIT_WRITE, even if NoNewPrivileges is set to false, at least not on my server.

But as I've mentioned this _could_ be counterproductive if in the future the systemd file that comes with dovecot is changed and you forget to delete /etc/systemd/system/dovecot.service.d/NoNewPrivileges.conf again.

--
regards Helmut K. C. Tessarek
KeyID 0x172380A011EF4944
Key fingerprint = 8A55 70C1 BD85 D34E ADBC 386C 1723 80A0 11EF 4944

/*
Thou shalt not follow the NULL pointer for chaos and madness
await thee at its end.
*/

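Added example, not part of the thread or of dovecot: a shell check that reads the text of a process's /proc/<pid>/status and reports whether CAP_AUDIT_WRITE is in the capability bounding set and whether no_new_privs is off, the two conditions the message above reports as needed. The function names and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads /proc/<pid>/status text on stdin
# and reports the two settings the thread ties to the PAM audit failure.
CAP_AUDIT_WRITE_BIT=29   # CAP_AUDIT_WRITE in linux/capability.h

check_status() {
    # Pull the bounding-set mask (hex) and the no_new_privs flag; "-" = absent.
    set -- $(awk '$1 == "CapBnd:" { c = $2 } $1 == "NoNewPrivs:" { n = $2 }
                  END { print (c == "" ? "-" : c), (n == "" ? "-" : n) }')
    capbnd=$1 nnp=$2
    if [ "$capbnd" = "-" ] || [ "$nnp" = "-" ]; then
        echo "unknown: CapBnd or NoNewPrivs line missing"
        return 2
    fi
    # Test the CAP_AUDIT_WRITE bit of the bounding-set mask.
    audit=$(( (0x$capbnd >> CAP_AUDIT_WRITE_BIT) & 1 ))
    if [ "$audit" -eq 1 ] && [ "$nnp" -eq 0 ]; then
        echo "ok: CAP_AUDIT_WRITE in bounding set, NoNewPrivs=0"
        return 0
    fi
    [ "$audit" -eq 1 ] || echo "blocked: CAP_AUDIT_WRITE not in bounding set"
    [ "$nnp" -eq 0 ] || echo "blocked: NoNewPrivs=$nnp"
    return 1
}

# Constructed samples (not captured from a real host). The masks encode the
# CapabilityBoundingSet list quoted in the thread, with and without
# CAP_AUDIT_WRITE.
sample_fixed() {
    printf 'Name:\tdovecot\nCapBnd:\t00000000210444e3\nNoNewPrivs:\t0\n'
}
sample_halffix() {   # NoNewPrivileges=false only, capability still missing
    printf 'Name:\tdovecot\nCapBnd:\t00000000010444e3\nNoNewPrivs:\t0\n'
}
sample_broken() {
    printf 'Name:\tdovecot\nCapBnd:\t00000000010444e3\nNoNewPrivs:\t1\n'
}

for s in sample_fixed sample_halffix sample_broken; do
    echo "== $s"
    $s | check_status || true
done
```

On a live system, feed it the status file of the running dovecot process after the daemon-reload and restart, for example `check_status < /proc/<pid>/status`.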
> On 04/05/18 02:34, B. Reino wrote:
>> On 2018-04-05 06:33, Helmut K. C. Tessarek wrote:
>>> On 2018-04-04 23:10, Kevin Cummings wrote:
>>> PAM audit_log_acct_message() failed: Operation not permitted
>>> imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs):
>>> user=<username>, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS,
>>> session=<sessionid>
>>
>> Please look at my pull request at:
>> https://github.com/dovecot/core/pull/71
>>
>> Or, if it's any easier:
>>
>> 1) Stop dovecot
>> 2) Replace /usr/lib/systemd/system/dovecot.service with the attached file
>
> I'd recommend to just override the necessary options by creating /etc/systemd/system/dovecot.service.d/NoNewPrivileges.conf with the following content:
>
> -<<--
> [Service]
> NoNewPrivileges=false
> -->>-
>
> This way the fix survives any updates and you don't have to mess with package-provided files.
>
>> 3) systemctl daemon-reload
>> 4) systemctl start dovecot

OK, so I went this route, added the new file, stopped dovecot, did the daemon-reload, then started it up again.

It did not work for me. As I continued to read the other emails in this thread, I came to the conclusion that the Fedora configuration, as packaged by City-Fan.org, is what is broken. Luckily for me, there was still a 2.2.35 version of dovecot in the repository, so I ended up doing the "dnf downgrade dovecot" and now I can read my emails again. I'm assuming that the packager for Fedora will ensure that this gets fixed in the current releases. I checked, and F26

Helmut K. C. Tessarek
2018-Apr-06 03:19 UTC
Re: Can’t authenticate any users after upgrade.
On 2018-04-05 22:14, Kevin Cummings wrote:
> OK, so I went this route, added the new file, stopped dovecot, did the
> daemon-reload, then started it up again.
> It did not work for me. As I continued to read the other emails in this
> thread, I came to the conclusion that the Fedora configuration, as
> packaged by City-Fan.org <http://City-Fan.org> is what is broken.
> Luckily for me, there was still a 2.2.35 version of dovecot in the
> repository, so I ended up doing the "dnf downgrade dovecot" and now I
> can read my emails again. I'm assuming that the packager for Fedora
> will ensure that this gets fixed in the current releases. I checked,
> and F26

Interesting, I'm still on an older Fedora release, but I used the original Fedora spec file, which I adjusted a bit (so that it uses my own openssl version instead of the system's, and a few other minor tweaks), and created my own dovecot 2.3.1 package.

In any case, the changes I described fixed it for me.

I don't think the Fedora packager even knows about the PAM configuration issue, otherwise he would have written a patch, but there's nothing in git master of the dovecot package repo.

I've opened a bug with Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1564348

Cheers,
K. C.

--
regards Helmut K. C. Tessarek
KeyID 0x172380A011EF4944
Key fingerprint = 8A55 70C1 BD85 D34E ADBC 386C 1723 80A0 11EF 4944

/*
Thou shalt not follow the NULL pointer for chaos and madness
await thee at its end.
*/