Internal login error

ReneDx

Hello,

Dovecot is now working but doesn't allow "roots" to access their mails.

It says: "Internal Login Failure. Refer the log file for more information."

The log file told me:
Code:
Mar 21 22:46:49 da1 dovecot[29052]: Logins for users with primary group ID 0 (user rene) not permitted (see first_valid_gid in config file).
Mar 21 22:46:49 da1 dovecot[29052]: pop3-login: Internal login failure: user=<rene>, method=PLAIN, rip=(<deleted*>), lip=(<deleted*>)

So I was searching for the "first_valid_gid" var, but it doesn't exist in the config file (/etc/dovecot.conf). I tried to add it, but then the whole process ends up in a loop when logging in.

My config file looks like:
Code:
## Dovecot 1.0 configuration file

protocols = imap imaps pop3 pop3s

ssl_cert_file = /etc/exim.cert
ssl_key_file =  /etc/exim.key

disable_plaintext_auth = no

##
## Login processes
##

#login_chroot = yes

#login_user = dovecot

login_greeting = Dovecot DA ready.

##
## Mail processes
##

verbose_proctitle = yes

first_valid_uid = 500
last_valid_uid = 0

mail_extra_groups = mail

#mail_debug = no

default_mail_env = maildir:~/Maildir

# Like mailbox_check_interval, but used for IDLE command.
#mailbox_idle_check_interval = 30

# Copy mail to another folders using hard links. This is much faster than
# actually copying the file. This is problematic only if something modifies
# the mail in one folder but doesn't want it modified in the others. I don't
# know any MUA which would modify mail files directly. IMAP protocol also
# requires that the mails don't change, so it would be problematic in any case.
# If you care about performance, enable it.
#maildir_copy_with_hardlinks = no

# umask to use for mail files and directories
umask = 0007

# Set max. process size in megabytes. Most of the memory goes to mmap()ing
# files, so it shouldn't harm much even if this limit is set pretty high.
#mail_process_size = 256

# Log prefix for mail processes. See doc/variables.txt for list of possible
# variables you can use.
#mail_log_prefix = "%Us(%u): "

##
## IMAP specific settings
##

protocol imap {

  # Maximum IMAP command line length in bytes. Some clients generate very long
  # command lines with huge mailboxes, so you may need to raise this if you get
  # "Too long argument" or "IMAP command line too large" errors often.
  #imap_max_line_length = 65536

  # Send IMAP capabilities in greeting message. This makes it unnecessary for
  # clients to request it with CAPABILITY command, so it saves one round-trip.
  # Many clients however don't understand it and ask the CAPABILITY anyway.
  #login_greeting_capability = no

  # Workarounds for various client bugs:
  #   delay-newmail:
  #     Send EXISTS/RECENT new mail notifications only when replying to NOOP
  #     and CHECK commands. Some clients ignore them otherwise, for example
  #     OSX Mail. Outlook Express breaks more badly though, without this it
  #     may show user "Message no longer in server" errors. Note that OE6 still
  #     breaks even with this workaround if synchronization is set to
  #     "Headers Only".
  #   outlook-idle:
  #     Outlook and Outlook Express never abort IDLE command, so if no mail
  #     arrives in half a hour, Dovecot closes the connection. This is still
  #     fine, except Outlook doesn't connect back so you don't see if new mail
  #     arrives.
  #   netscape-eoh:
  #     Netscape 4.x breaks if message headers don't end with the empty "end of
  #     headers" line. Normally all messages have this, but setting this
  #     workaround makes sure that Netscape never breaks by adding the line if
  #     it doesn't exist. This is done only for FETCH BODY[HEADER.FIELDS..]
  #     commands. Note that RFC says this shouldn't be done.
  #   tb-extra-mailbox-sep:
  #     With mbox storage a mailbox can contain either mails or submailboxes,
  #     but not both. Thunderbird separates these two by forcing server to
  #     accept '/' suffix in mailbox names in subscriptions list.
  #imap_client_workarounds = outlook-idle
}

##
## POP3 specific settings
##

protocol pop3 {

  # Don't try to set mails non-recent or seen with POP3 sessions. This is
  # mostly intended to reduce disk I/O. With maildir it doesn't move files
  # from new/ to cur/, with mbox it doesn't write Status-header.
  #pop3_no_flag_updates = no

  # Support LAST command which exists in old POP3 specs, but has been removed
  # from new ones. Some clients still wish to use this though. Enabling this
  # makes RSET command clear all \Seen flags from messages.
  #pop3_enable_last = no

  # POP3 UIDL format to use. You can use following variables:
  #
  #  %v - Mailbox UIDVALIDITY
  #  %u - Mail UID
  #  %m - MD5 sum of the mailbox headers in hex (mbox only)
  #  %f - filename (maildir only)
  #
  # If you want UIDL compatibility with other POP3 servers, use:
  #  UW's ipop3d         : %08Xv%08Xu
  #  Courier version 0   : %f
  #  Courier version 1   : %u
  #  Courier version 2   : %v-%u
  #  Cyrus (<= 2.1.3)    : %u
  #  Cyrus (>= 2.1.4)    : %v.%u
  #
  # Note that Outlook 2003 seems to have problems with %v.%u format which is
  # Dovecot's default, so if you're building a new server it would be a good
  # idea to change this. %08Xu%08Xv should be pretty fail-safe.

  #pop3_uidl_format = %v.%u
  pop3_uidl_format = %08Xu%08Xv

  # POP3 logout format string:
  #  %t - number of TOP commands
  #  %T - number of bytes sent to client as a result of TOP command
  #  %r - number of RETR commands
  #  %R - number of bytes sent to client as a result of RETR command
  #  %d - number of deleted messages
  #  %m - number of messages (before deletion)
  #  %s - mailbox size in bytes (before deletion)
  #pop3_logout_format = top=%t/%T, retr=%r/%R, del=%d/%m, size=%s

  # Support for dynamically loadable modules.
  #mail_use_modules = no
  #mail_modules = /usr/lib/dovecot/pop3

  # Workarounds for various client bugs:
  #   outlook-no-nuls:
  #     Outlook and Outlook Express hang if mails contain NUL characters.
  #     This setting replaces them with 0x80 character.
  #   oe-ns-eoh:
  #     Outlook Express and Netscape Mail breaks if end of headers-line is
  #     missing. This option simply sends it if it's missing.
  #pop3_client_workarounds =
}

##
## Authentication processes
##

# Set max. process size in megabytes.
#auth_process_size = 256

# Authentication cache size in kilobytes.
auth_cache_size = 0
# Time to live in seconds for cached data. After this many seconds a cached
# record is forced out of cache.
#auth_cache_ttl = 3600

# List of allowed characters in username. If the user-given username contains
# a character not listed in here, the login automatically fails. This is just
# an extra check to make sure user can't exploit any potential quote escaping
# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
# set this value to empty.
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@&

# More verbose logging. Useful for figuring out why authentication isn't
# working.
#auth_verbose = no

# Even more verbose logging for debugging purposes. Shows for example SQL
# queries.
#auth_debug = no

# Maximum number of dovecot-auth worker processes. They're used to execute
# blocking passdb and userdb queries (eg. MySQL and PAM). They're
# automatically created and destroyed as needed.
#auth_worker_max_count = 30

auth default {
  mechanisms = plain

  #FreeBSD may require this instead of 'passdb shadow'
  #passdb passwd {
  #}

  passdb shadow {
  }

  passdb passwd-file {
    args = /etc/virtual/%d/passwd
  }

  userdb passwd {
  }

  userdb passwd-file {
    args = /etc/virtual/%d/passwd
  }

  # User to use for the process. This user needs access to only user and
  # password databases, nothing else. Only shadow and pam authentication
  # requires roots, so use something else if possible. Note that passwd
  # authentication with BSDs internally accesses shadow files, which also
  # requires roots. Note that this user is NOT used to access mails.
  # That user is specified by userdb above.
  user = root

  # Number of authentication processes to create
  #count = 1
}

I hope someone can help me with this problem.

- Rene.
 
It's not a bug; it's a feature. You really don't want passwords to accounts with root access passed over the net in plaintext, do you?

Jeff
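
The check behind the log message above, as an added example that is not part of either post and is not Dovecot's own code: it reads the `*_valid_uid` / `*_valid_gid` limits from a config and lists which passwd accounts would be refused. It assumes Dovecot's defaults of `first_valid_gid = 1` and `last_valid_gid = 0` when those settings are absent (0 meaning no upper limit); the passwd entries, including rene's UID, are constructed sample data.

```python
import re

# Assumed Dovecot 1.0 defaults when a setting is absent (0 = no upper limit).
DEFAULTS = {"first_valid_uid": 500, "last_valid_uid": 0,
            "first_valid_gid": 1, "last_valid_gid": 0}

def parse_limits(conf_text):
    """Read the four *_valid_* settings; commented-out lines are ignored."""
    limits = dict(DEFAULTS)
    for line in conf_text.splitlines():
        m = re.match(r"\s*((?:first|last)_valid_[ug]id)\s*=\s*(\d+)\s*$", line)
        if m:
            limits[m.group(1)] = int(m.group(2))
    return limits

def out_of_range(value, first, last):
    return value < first or (last != 0 and value > last)

def refused_logins(passwd_text, limits):
    """Return {user: reason} for passwd entries whose login would be refused."""
    refused = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        # Skip comments, short lines and NIS-style entries without numeric ids.
        if line.startswith("#") or len(fields) < 7:
            continue
        if not (fields[2].isdigit() and fields[3].isdigit()):
            continue
        user, uid, gid = fields[0], int(fields[2]), int(fields[3])
        if out_of_range(uid, limits["first_valid_uid"], limits["last_valid_uid"]):
            refused[user] = f"uid {uid} outside valid range"
        elif out_of_range(gid, limits["first_valid_gid"], limits["last_valid_gid"]):
            refused[user] = f"primary gid {gid} outside valid range"
    return refused

# Constructed sample input: the relevant lines of the posted config and
# three made-up passwd entries (rene has primary group 0, as in the log).
SAMPLE_CONF = """\
first_valid_uid = 500
last_valid_uid = 0
#first_valid_gid = 1
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
rene:x:501:0:Rene:/home/rene:/bin/bash
alice:x:502:502:Alice:/home/alice:/bin/bash
"""

if __name__ == "__main__":
    limits = parse_limits(SAMPLE_CONF)
    for user, reason in refused_logins(SAMPLE_PASSWD, limits).items():
        print(f"{user}: {reason}")
```

Moving a mail user such as rene to a non-zero primary group clears the refusal without widening the valid GID range to include group 0.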
 