PDA

View Full Version : Internal login error



ReneDx
03-21-2007, 03:39 PM
Hello,

Dovecot is now working but doesn't allow "roots" to access there mails.

It says: "Internal Login Failure. Refer the log file for more information."

The log file told me:

Mar 21 22:46:49 da1 dovecot[29052]: Logins for users with primary group ID 0 (user rene) not permitted (see first_valid_gid in config file).
Mar 21 22:46:49 da1 dovecot[29052]: pop3-login: Internal login failure: user=<rene>, method=PLAIN, rip=(<deleted*>), lip=(<deleted*>)

So was searching on the "first_valid_gid" var but it doesn't exists on the config file (/etc/dovecot.conf), i tried to add it but then the whole process gives a loop by login in.

My config file looks like:

## Dovecot 1.0 configuration file

protocols = imap imaps pop3 pop3s

ssl_cert_file = /etc/exim.cert
ssl_key_file = /etc/exim.key

disable_plaintext_auth = no

##
## Login processes
##

#login_chroot = yes

#login_user = dovecot

login_greeting = Dovecot DA ready.

##
## Mail processes
##

verbose_proctitle = yes

first_valid_uid = 500
last_valid_uid = 0

mail_extra_groups = mail

#mail_debug = no

default_mail_env = maildir:~/Maildir

# Like mailbox_check_interval, but used for IDLE command.
#mailbox_idle_check_interval = 30

# Copy mail to another folders using hard links. This is much faster than
# actually copying the file. This is problematic only if something modifies
# the mail in one folder but doesn't want it modified in the others. I don't
# know any MUA which would modify mail files directly. IMAP protocol also
# requires that the mails don't change, so it would be problematic in any case.
# If you care about performance, enable it.
#maildir_copy_with_hardlinks = no

# umask to use for mail files and directories
umask = 0007

# Set max. process size in megabytes. Most of the memory goes to mmap()ing
# files, so it shouldn't harm much even if this limit is set pretty high.
#mail_process_size = 256

# Log prefix for mail processes. See doc/variables.txt for list of possible
# variables you can use.
#mail_log_prefix = "&#37;Us(%u): "

##
## IMAP specific settings
##

protocol imap {

# Maximum IMAP command line length in bytes. Some clients generate very long
# command lines with huge mailboxes, so you may need to raise this if you get
# "Too long argument" or "IMAP command line too large" errors often.
#imap_max_line_length = 65536

# Send IMAP capabilities in greeting message. This makes it unnecessary for
# clients to request it with CAPABILITY command, so it saves one round-trip.
# Many clients however don't understand it and ask the CAPABILITY anyway.
#login_greeting_capability = no

# Workarounds for various client bugs:
# delay-newmail:
# Send EXISTS/RECENT new mail notifications only when replying to NOOP
# and CHECK commands. Some clients ignore them otherwise, for example
# OSX Mail. Outlook Express breaks more badly though, without this it
# may show user "Message no longer in server" errors. Note that OE6 still
# breaks even with this workaround if synchronization is set to
# "Headers Only".
# outlook-idle:
# Outlook and Outlook Express never abort IDLE command, so if no mail
# arrives in half a hour, Dovecot closes the connection. This is still
# fine, except Outlook doesn't connect back so you don't see if new mail
# arrives.
# netscape-eoh:
# Netscape 4.x breaks if message headers don't end with the empty "end of
# headers" line. Normally all messages have this, but setting this
# workaround makes sure that Netscape never breaks by adding the line if
# it doesn't exist. This is done only for FETCH BODY[HEADER.FIELDS..]
# commands. Note that RFC says this shouldn't be done.
# tb-extra-mailbox-sep:
# With mbox storage a mailbox can contain either mails or submailboxes,
# but not both. Thunderbird separates these two by forcing server to
# accept '/' suffix in mailbox names in subscriptions list.
#imap_client_workarounds = outlook-idle
}

##
## POP3 specific settings
##

protocol pop3 {

# Don't try to set mails non-recent or seen with POP3 sessions. This is
# mostly intended to reduce disk I/O. With maildir it doesn't move files
# from new/ to cur/, with mbox it doesn't write Status-header.
#pop3_no_flag_updates = no

# Support LAST command which exists in old POP3 specs, but has been removed
# from new ones. Some clients still wish to use this though. Enabling this
# makes RSET command clear all \Seen flags from messages.
#pop3_enable_last = no

# POP3 UIDL format to use. You can use following variables:
#
# %v - Mailbox UIDVALIDITY
# %u - Mail UID
# %m - MD5 sum of the mailbox headers in hex (mbox only)
# %f - filename (maildir only)
#
# If you want UIDL compatibility with other POP3 servers, use:
# UW's ipop3d : %08Xv%08Xu
# Courier version 0 : %f
# Courier version 1 : %u
# Courier version 2 : %v-%u
# Cyrus (<= 2.1.3) : %u
# Cyrus (>= 2.1.4) : %v.%u
#
# Note that Outlook 2003 seems to have problems with %v.%u format which is
# Dovecot's default, so if you're building a new server it would be a good
# idea to change this. %08Xu%08Xv should be pretty fail-safe.

#pop3_uidl_format = %v.%u
pop3_uidl_format = %08Xu%08Xv

# POP3 logout format string:
# %t - number of TOP commands
# %T - number of bytes sent to client as a result of TOP command
# %r - number of RETR commands
# %R - number of bytes sent to client as a result of RETR command
# %d - number of deleted messages
# %m - number of messages (before deletion)
# %s - mailbox size in bytes (before deletion)
#pop3_logout_format = top=%t/%T, retr=%r/%R, del=%d/%m, size=%s

# Support for dynamically loadable modules.
#mail_use_modules = no
#mail_modules = /usr/lib/dovecot/pop3

# Workarounds for various client bugs:
# outlook-no-nuls:
# Outlook and Outlook Express hang if mails contain NUL characters.
# This setting replaces them with 0x80 character.
# oe-ns-eoh:
# Outlook Express and Netscape Mail breaks if end of headers-line is
# missing. This option simply sends it if it's missing.
#pop3_client_workarounds =
}

##
## Authentication processes
##

# Set max. process size in megabytes.
#auth_process_size = 256

# Authentication cache size in kilobytes.
auth_cache_size = 0
# Time to live in seconds for cached data. After this many seconds a cached
# record is forced out of cache.
#auth_cache_ttl = 3600

# List of allowed characters in username. If the user-given username contains
# a character not listed in here, the login automatically fails. This is just
# an extra check to make sure user can't exploit any potential quote escaping
# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
# set this value to empty.
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@&

# More verbose logging. Useful for figuring out why authentication isn't
# working.
#auth_verbose = no

# Even more verbose logging for debugging purposes. Shows for example SQL
# queries.
#auth_debug = no

# Maximum number of dovecot-auth worker processes. They're used to execute
# blocking passdb and userdb queries (eg. MySQL and PAM). They're
# automatically created and destroyed as needed.
#auth_worker_max_count = 30

auth default {
mechanisms = plain

#FreeBSD may require this instead of 'passdb shadow'
#passdb passwd {
#}

passdb shadow {
}

passdb passwd-file {
args = /etc/virtual/%d/passwd
}

userdb passwd {
}

userdb passwd-file {
args = /etc/virtual/%d/passwd
}

# User to use for the process. This user needs access to only user and
# password databases, nothing else. Only shadow and pam authentication
# requires roots, so use something else if possible. Note that passwd
# authentication with BSDs internally accesses shadow files, which also
# requires roots. Note that this user is NOT used to access mails.
# That user is specified by userdb above.
user = root

# Number of authentication processes to create
#count = 1
}


I hope someone can help me with this problem.

- Rene.

nobaloney
03-22-2007, 09:08 PM
It's not a bug; it's a feature. You really don't want passwords to accounts with root access passed over the net in plaintext, do you?

Jeff