Discussion:
Configure Dovecot Master User
Clovis Tristao
2014-09-08 15:48:20 UTC
Hi,

Does anyone have any idea or hint on how to configure a Dovecot master user?
I've been on it for almost fifteen days and cannot find a solution.
I appreciate any help,

Clovis
--
Clovis Tristao - UNICAMP/Faculdade de Engenharia Agricola
Administrador de Redes - Secao de Informatica (SINFO)
E-mail: clovis at feagri.unicamp.br http://www.feagri.unicamp.br
MSN: clovis_tristao33 at hotmail.com
Fone: 55(19) 35211031-35211038-35211047-91173116
listas at adminlinux.com.br ()
2014-09-08 17:00:01 UTC
Hi Clovis,

try something like this:

**In this example you should have your users in a MySQL database.

On /etc/dovecot/conf.d/10-auth.conf file add this:

# Master login <username>*master-user
auth_master_user_separator = *
# Use for master login
passdb {
  args = /etc/dovecot/dovecot-sql-master.conf.ext
  driver = sql
  master = yes
  pass = yes
}

Create /etc/dovecot/dovecot-sql-master.conf.ext file with this content:

driver = mysql
connect = host=<mysqlserverhostname.com> dbname=<database name> user=<user> password=<pass>
default_pass_scheme = MD5-CRYPT
password_query = \
  SELECT Password AS password \
  FROM Users \
  WHERE User = 'master-user'

user_query = \
  SELECT Password AS password \
  FROM Users \
  WHERE User = 'master-user'

To do tests:
telnet your-dovecot-server.com 143
AUTH LOGIN <user>*master-user <master-user password>

Good Luck
--
Thiago Henrique
Clovis Tristao
2014-09-10 19:11:37 UTC
I'm using this setting in dovecot:

# dovecot -n
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-431.29.2.el6.x86_64 x86_64 CentOS release 6.5 (Final)
auth_debug = yes
auth_debug_passwords = yes
auth_master_user_separator = *
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mbox_write_locks = fcntl
passdb {
  args = /etc/dovecot/passwd.masterusers
  driver = passwd-file
  master = yes
  pass = yes
}
passdb {
  driver = shadow
}
ssl = no
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  args = allow_all_users=yes master_user=%u
  driver = static
}

I still can not authenticate with the master user, any suggestions or tips?
Tkx

Clovis
Daniel Parthey
2014-09-10 19:24:13 UTC
Hi Clovis,

What do you get in your dovecot debug log when you try to log in?

Kind regards
Daniel
--
https://emailselfdefense.fsf.org
https://pgp.mit.edu/pks/lookup?op=get&search=0xB4DD34660B6F0F1B
Clovis Tristao
2014-09-10 19:40:01 UTC
Hi Daniel,
Post by listas at adminlinux.com.br ()
Hi Clovis,
What do you get in your dovecot debug log when you try to log in?
Sep 10 16:38:18 centosVM dovecot: master: Dovecot v2.0.9 starting up (core dumps disabled)
Sep 10 16:38:18 centosVM dovecot: ssl-params: Generating SSL parameters
Sep 10 16:38:19 centosVM dovecot: ssl-params: SSL parameters regeneration completed
Sep 10 16:38:26 centosVM dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Sep 10 16:38:26 centosVM dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
Sep 10 16:38:26 centosVM dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Sep 10 16:38:26 centosVM dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libmech_gssapi.so
Sep 10 16:38:26 centosVM dovecot: auth: Debug: passwd-file /etc/dovecot/passwd.masterusers: Read 1 users
Sep 10 16:38:26 centosVM dovecot: auth: Debug: auth client connected (pid=1492)
Sep 10 16:38:42 centosVM dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011lip=10.0.2.15#011rip=10.0.2.2#011lport=143#011rport=59979#011resp=AG1haWxhZG0qbWFzdGVyAHNpYm5mbyoyODE0
Sep 10 16:38:42 centosVM dovecot: auth: Debug: auth(master,10.0.2.2,master): Master user lookup for login: mailadm
Sep 10 16:38:42 centosVM dovecot: auth: Debug: passwd-file(master,10.0.2.2,master): lookup: user=master file=/etc/dovecot/passwd.masterusers
Sep 10 16:38:42 centosVM dovecot: auth: passwd-file(master,10.0.2.2,master): unknown user
Sep 10 16:38:44 centosVM dovecot: auth: Debug: client out: FAIL#0111#011user=master
Tkx a lot,

Clovis
Daniel Parthey
2014-09-10 20:14:41 UTC
Sep 10 16:38:26 centosVM dovecot: auth: Debug: passwd-file /etc/dovecot/passwd.masterusers: Read 1 users
Sep 10 16:38:42 centosVM dovecot: auth: Debug: auth(master,10.0.2.2,master): Master user lookup for login: mailadm
Sep 10 16:38:42 centosVM dovecot: auth: Debug: passwd-file(master,10.0.2.2,master): lookup: user=master file=/etc/dovecot/passwd.masterusers
Sep 10 16:38:42 centosVM dovecot: auth: passwd-file(master,10.0.2.2,master): unknown user
Sep 10 16:38:44 centosVM dovecot: auth: Debug: client out: FAIL#0111#011user=master
The passdb lookup fails to find user "master" in file
/etc/dovecot/passwd.masterusers. This file needs to contain the master
usernames and passwords:

http://wiki2.dovecot.org/Authentication/MasterUsers

Kind regards
Daniel
Clovis Tristao
2014-09-11 14:37:04 UTC
Hi, Daniel,

My testing,

# telnet My_IP My_Port-143
Trying 143.106.74.228...
Connected to My_IP.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
a login mailadm*master master_password
a NO [AUTHENTICATIONFAILED] Authentication failed.

a login clovis pass_user
a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS] Logged in

Is this sequence of commands correct?

When I use a normal user without privileges passwd based authentication
it does.

Oh my God, I'm going crazy with this. :-)

Clovis
listas at adminlinux.com.br ()
2014-09-12 11:58:36 UTC
Replace
"a login mailadm*master master_password"
for
"a login master*clovis master_password"


--
Thiago
Oscar del Rio
2014-09-12 13:45:41 UTC
Post by listas at adminlinux.com.br ()
Replace
"a login mailadm*master master_password"
for
"a login master*clovis master_password"
It should be the opposite:

a login username*masteruser master_password

where username is the regular user (e.g. "clovis") and masteruser is the
master defined in /etc/dovecot/passwd.masterusers

Dovecot would log:
auth: passdb(*masteruser*,IPADDRESS,master,<SESSIONID>): Master user logging in as *username*

The OP should also check that the master password file has the correct
entries (it is a standard htpasswd file format) and it is readable by
the dovecot process.
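
The login split and the two auth log messages discussed above, as an added example that is not part of the original thread: it shows which half of `username*masteruser` is looked up in the master passdb, and audits auth log lines for master-user logins. The sample log lines, host name, addresses and the master name `admin1` are constructed, and splitting at the first separator is an assumption.

```python
import re

SEP = "*"  # auth_master_user_separator value used in this thread

def split_master_login(login, sep=SEP):
    """Split 'username*masteruser' into (username, masteruser); masteruser is
    None for an ordinary login. Splits at the first separator (assumption)."""
    user, found, master = login.partition(sep)
    return (user, master) if found else (login, None)

# Matches: auth: [Debug: ]<db>(<master>,<remote ip>,master[,<session>]): <msg>
AUTH_LINE = re.compile(r"auth: (?:Debug: )?[\w-]+\((?P<master>[^,]+),"
                       r"(?P<rip>[^,]+),master[^)]*\): (?P<msg>.*)$")
LOOKUP = "Master user lookup for login: "
SUCCESS = "Master user logging in as "

def audit_master_logins(lines):
    """One record per master-user attempt: master, remote IP, target, outcome."""
    events, pending = [], {}
    for line in lines:
        m = AUTH_LINE.search(line)
        if not m:
            continue
        key, msg = (m["master"], m["rip"]), m["msg"]
        if msg.startswith(LOOKUP):
            ev = {"master": key[0], "rip": key[1],
                  "target": msg[len(LOOKUP):], "outcome": "pending"}
            pending[key] = ev
            events.append(ev)
        elif msg.startswith(SUCCESS):
            ev = pending.pop(key, None)
            if ev is None:  # no Debug lookup line was logged first
                ev = {"master": key[0], "rip": key[1], "target": msg[len(SUCCESS):]}
                events.append(ev)
            ev["outcome"] = "success"
        elif msg == "unknown user" and key in pending:
            pending.pop(key)["outcome"] = "unknown master user"
    return events

# Constructed sample lines in the two log formats quoted in the thread.
SAMPLE_LOG = [
    "Sep 10 16:38:42 mailhost dovecot: auth: Debug: auth(master,192.0.2.10,master): Master user lookup for login: mailadm",
    "Sep 10 16:38:42 mailhost dovecot: auth: passwd-file(master,192.0.2.10,master): unknown user",
    "Sep 15 12:00:01 mailhost dovecot: auth: Debug: auth(admin1,192.0.2.10,master): Master user lookup for login: clovis",
    "Sep 15 12:00:01 mailhost dovecot: auth: passdb(admin1,192.0.2.10,master,<abc123>): Master user logging in as clovis",
]

if __name__ == "__main__":
    print(split_master_login("mailadm*master"), audit_master_logins(SAMPLE_LOG))
```

Each record names the master account, the remote address and the mailbox that was opened, which is the information needed to review who used a master login and against which user.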
Clovis Tristao
2014-09-15 15:26:38 UTC
Hi, Oscar,

Thank you all, worked with these tips. Very nice.

"a login username*masteruser master_password "

Clovis
Joseph Tam
2014-09-10 22:43:15 UTC
Post by Clovis Tristao
userdb {
args = allow_all_users=yes master_user=%u
driver = static
}
...
I still can not authenticate with the master user, any suggestions or tips?
Just a wild-ass guess, but shouldn't "master_user=%u" be something like
"master_user=muser" where "muser" is the master user as defined in your
master password file?

Joseph Tam <jtam.home at gmail.com>
Alan McGinlay
2014-09-12 14:32:58 UTC
Post by Clovis Tristao
Hi,
Does anyone have any idea or hint how to configure dovecot master user?
I'm already on it for almost fifteen days and can not find a solution.
I appreciate any help,
Clovis
It's quite simple:

# Authentication for master users. Included from 10-auth.conf.

# By adding master=yes setting inside a passdb you make the passdb a list
# of "master users", who can log in as anyone else.
# <doc/wiki/Authentication.MasterUsers.txt>

# Example master user passdb using passwd-file. You can use any passdb though.
passdb {
  driver = passwd-file
  master = yes
  args = /etc/dovecot/passwd.masterusers

  # Unless you're using PAM, you probably still want the destination user to
  # be looked up from passdb that it really exists. pass=yes does that.
  pass = yes
}

then use htpasswd from Apache to generate the file
"/etc/dovecot/passwd.masterusers"

The documentation explains it quite well:

http://wiki2.dovecot.org/Authentication/MasterUsers