[Dovecot] dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): method=PLAIN
John Espiro
2011-01-27 10:57:27 UTC
First, my problem. Settings are below that...

Everything works fine - I can login to webmail (users are tied to
LDAP). I can send and receive email via my Thunderbird Client.

However in my mail.err log I see lots of messages that say:

dovecot: pop3-login: Disconnected (tried to use disabled plaintext
auth): method=PLAIN

1.) What does that mean, and how can I solve it?
2.) With regards to pop3s I am not altogether sure that I am using the
right config in my dovecot.conf file (also below). Can someone let me know?


Version:
==================
dovecot --version = 1.2.12

System:
==================
Ubuntu Server 10.10 (64bit)

dovecot -n
==================
# 1.2.12: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.35.4-rscloud x86_64 Ubuntu 10.10
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: pop3 pop3s imap imaps
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
mail_privileged_group: mail
mail_location: mbox:~/mail:INBOX=/var/mail/%u
mbox_write_locks: fcntl dotlock
mail_executable(default): /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/imap
mail_executable(pop3): /usr/lib/dovecot/pop3
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
auth default:
  passdb:
    driver: pam
  userdb:
    driver: passwd

Dovecot.conf
==================
egrep -v "^[[:space:]]*#|^$" /etc/dovecot/dovecot.conf
protocols = pop3 pop3s imap imaps
log_timestamp = "%Y-%m-%d %H:%M:%S "
ssl = yes
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
login_dir = /var/run/dovecot/login
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
protocol imap {
  login_executable = /usr/lib/dovecot/imap-login
  mail_executable = /usr/lib/dovecot/imap
}

protocol pop3 {
  login_executable = /usr/lib/dovecot/pop3-login
  mail_executable = /usr/lib/dovecot/pop3
  pop3_uidl_format = %08Xu%08Xv
}
protocol managesieve {
}
auth default {
  mechanisms = plain
  passdb pam {
  }
  userdb passwd {
  }
  user = root
  !include_try /etc/dovecot/auth.d/*.auth
}
dict {
}
plugin {
}
!include_try /etc/dovecot/conf.d/*.conf
Paul Griffith
2011-01-27 13:28:04 UTC
Post by John Espiro
First, my problem. Settings are below that...
Everything works fine - I can login to webmail (users are tied to
LDAP). I can send and receive email via my Thunderbird Client.
dovecot: pop3-login: Disconnected (tried to use disabled plaintext
auth): method=PLAIN
1.) What does that mean, and how can I solve it?
This looks like you are trying to connect to pop3 without SSL or TLS. If
you really want to allow plaintext over a non-secure connection then you
need to use the following.

disable_plaintext_auth = no

Paul
John Espiro
2011-01-27 14:42:46 UTC
Hi Paul -

Well, I want to use STARTTLS... my Thunderbird settings are:

In thunderbird, I have the following settings:
Port 110
Username: <user>
Connection security: STARTTLS
Authentication: Normal password

Which should be correct, right?

John
Post by Paul Griffith
This looks like you are trying to connect to pop3 without SSL or TLS.
If you really want to allow plaintext over a non-secure connection
then you need to use the following.
disable_plaintext_auth = no
Paul
Paul Griffith
2011-01-27 17:03:50 UTC
Post by John Espiro
Hi Paul -
Port 110
Username:<user>
Connection security: STARTTLS
Authentication: Normal password
Which should be correct, right?
John
What if you change STARTTLS to SSL ?

Did you try setting disable_plaintext_auth = no ?
Post by John Espiro
Post by Paul Griffith
This looks like you are trying to connect to pop3 without SSL or TLS.
If you really want to allow plaintext over a non-secure connection
then you need to use the following.
disable_plaintext_auth = no
Paul
John Espiro
2011-01-27 18:18:51 UTC
Still shows the same, pop3/plain. I will disable plaintext and see what
happens...
Post by Paul Griffith
What if you change STARTTLS to SSL ?
Did you try setting disable_plaintext_auth = no ?
John Espiro
2011-01-27 18:26:01 UTC
OK... so one thing is that I see 4 dovecot.conf files:

/usr/share/dovecot/dovecot.conf
/etc/dovecot/dovecot.conf
/etc/init/dovecot.conf
/var/run/dovecot/dovecot.conf

It's not altogether clear which one is being used by the service... why
would there be four of them?

John
Post by Paul Griffith
Post by John Espiro
Hi Paul -
Port 110
Username:<user>
Connection security: STARTTLS
Authentication: Normal password
Which should be correct, right?
John
What if you change STARTTLS to SSL ?
Did you try setting disable_plaintext_auth = no ?
Post by John Espiro
Post by Paul Griffith
This looks like you are trying to connect to pop3 without SSL or TLS.
If you really want to allow plaintext over a non-secure connection
then you need to use the following.
disable_plaintext_auth = no
Paul
John Espiro
2011-01-27 18:30:20 UTC
I set the auth to SSL and STARTTLS. I also set disable_plaintext_auth
to both yes and no, and the result is the same... it uses pop3/plain.
I viewed the running process to see which of the 4 conf files it was
using, so I know I have the right file.

Thoughts?
Post by Paul Griffith
What if you change STARTTLS to SSL ?
Did you try setting disable_plaintext_auth = no ?
Post by Paul Griffith
This looks like you are trying to connect to pop3 without SSL or TLS.
If you really want to allow plaintext over a non-secure connection
then you need to use the following.
disable_plaintext_auth = no
Paul
Mark Sapiro
2011-01-27 18:56:09 UTC
Post by John Espiro
I set the auth to SSL and STARTTLS. I also set disable_plaintext_auth
to both yes and no, and the result is the same... it uses pop3/plain.
I viewed the running process to see which of the 4 conf files it was
using, so I know I have the right file.
Thoughts?
Are you able to get your mail via your pop client?

If so, the log messages are from other attempts (probably by crackers
trying to guess passwords on your system) to log in. Is there a "rip="
in the log messages giving the IP of the originator? If so, is it yours?
--
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
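One way to answer Mark's "rip=" question without reading the log by hand: group the refused-plaintext disconnects by remote IP and check whether the same IP also completed a login over TLS. This is an added example, not code from the thread; the sample lines are constructed in the shape of the message John quoted, and the "rip=", "lip=" and trailing "TLS" fields are an assumption to check against your own mail.err / mail.log.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not a real capture). Field layout is assumed.
SAMPLE_LOG = """\
Jan 27 10:41:02 mail dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): method=PLAIN, rip=203.0.113.10, lip=198.51.100.5
Jan 27 10:41:03 mail dovecot: pop3-login: Login: user=<john>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, TLS
Jan 27 10:43:17 mail dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): method=PLAIN, rip=192.0.2.77, lip=198.51.100.5
Jan 27 10:43:18 mail dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): method=PLAIN, rip=192.0.2.77, lip=198.51.100.5
Jan 27 10:43:19 mail dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): method=PLAIN, rip=192.0.2.77, lip=198.51.100.5
"""

DISABLED_RE = re.compile(
    r"(?P<svc>pop3-login|imap-login): Disconnected \(tried to use disabled plaintext auth\)"
    r".*?rip=(?P<rip>[0-9a-fA-F.:]+)")
LOGIN_RE = re.compile(
    r"(?P<svc>pop3-login|imap-login): Login: user=<(?P<user>[^>]*)>"
    r".*?rip=(?P<rip>[0-9a-fA-F.:]+)(?P<tls>.*\bTLS\b)?")


def summarize(log_text):
    """Per remote IP: how many plaintext refusals, and which (user, over_tls) logins succeeded."""
    disabled = Counter()
    logins = defaultdict(list)
    for line in log_text.splitlines():
        m = DISABLED_RE.search(line)
        if m:
            disabled[m.group("rip")] += 1
            continue
        m = LOGIN_RE.search(line)
        if m:
            logins[m.group("rip")].append((m.group("user"), bool(m.group("tls"))))
    return disabled, logins


def classify(log_text, my_ips):
    """Label each IP that was refused plaintext auth: 'own-client' if it is one of my_ips or
    it also logged in over TLS (a client retrying after STARTTLS); otherwise 'unknown/probe'."""
    disabled, logins = summarize(log_text)
    verdict = {}
    for rip, n in disabled.items():
        over_tls = any(tls for _, tls in logins.get(rip, []))
        verdict[rip] = ("own-client" if rip in my_ips or over_tls else "unknown/probe", n)
    return verdict
```

Run it over your real log with your own address in my_ips; IPs that only ever produce refusals and never a TLS login are the ones worth feeding to fail2ban.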
John Espiro
2011-01-27 21:00:38 UTC
Post by Mark Sapiro
Are you able to get your mail via your pop client?
Yes.
Post by Mark Sapiro
If so, the log messages are from other attempts (probably by crackers
trying to guess passwords on your system) to log in. Is there a "rip="
in the log messages giving the IP of the originator? If so, is it yours?
There is a "rip" and it's my IP address. I've got fail2ban and
denyhosts running very tightly, and so far, no one has even attempted to
log in to my mail accounts (ssh is a whole other story :)
Mark Sapiro
2011-01-28 01:48:13 UTC
Post by John Espiro
Post by Mark Sapiro
Are you able to get your mail via your pop client?
Yes.
Post by Mark Sapiro
If so, the log messages are from other attempts (probably by crackers
trying to guess passwords on your system) to log in. Is there a "rip="
in the log messages giving the IP of the originator? If so, is it yours?
There is a "rip" and it's my IP address. I've got fail2ban and
denyhosts running very tightly, and so far, no one has even attempted to
log in to my mail accounts (ssh is a whole other story :)
So you successfully get mail via your pop client in spite of the above.

My guess is somehow the client first tries plain authentication without
STARTTLS before trying STARTTLS.

In my case with pop3 and T'bird I use

Port 995
Connection security: SSL/TLS
Authentication: Normal password

I haven't tried port 110 and STARTTLS (mostly I use IMAP anyway).
--
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
Jerry
2011-01-28 11:29:43 UTC
On Thu, 27 Jan 2011 17:48:13 -0800
Post by Mark Sapiro
Post by John Espiro
Post by Mark Sapiro
Are you able to get your mail via your pop client?
Yes.
Post by Mark Sapiro
If so, the log messages are from other attempts (probably by
crackers trying to guess passwords on your system) to log in. Is
there a "rip=" in the log messages giving the IP of the
originator? If so, is it yours?
There is a "rip" and it's my IP address. I've got fail2ban and
denyhosts running very tightly, and so far, no one has even
attempted to log in to my mail accounts (ssh is a whole other
story :)
So you successfully get mail via your pop client in spite of the above.
My guess is somehow the client first tries plain authentication
without STARTTLS before trying STARTTLS.
In my case with pop3 and T'bird I use
Port 995
Connection security: SSL/TLS
Authentication: Normal password
I haven't tried port 110 and STARTTLS (mostly I use IMAP anyway).
I honestly don't know why you would use port 995 as opposed to 110 if
employing STARTTLS. Switch to port 110, I don't know if a restart is
required, and try again.
--
Jerry
Dovecot.user at seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__________________________________________________________________
Fortune favors the lucky.
John Espiro
2011-01-30 11:59:37 UTC
Yep - despite the above, I still get mail. And from my conf files,
plain auth is disabled. Should I re-port my conf file in case I missed
something?

John
Post by Mark Sapiro
So you successfully get mail via your pop client in spite of the above.
My guess is somehow the client first tries plain authentication without
STARTTLS before trying STARTTLS.
In my case with pop3 and T'bird I use
Port 995
Connection security: SSL/TLS
Authentication: Normal password
I haven't tried port 110 and STARTTLS (mostly I use IMAP anyway).
John Espiro
2011-01-30 12:06:02 UTC
After reading this: http://wiki2.dovecot.org/Authentication/Mechanisms
It seems that PLAIN is OK, if I am using STARTTLS, which I believe I
am. I mean, I've set it up, and it _seems_ to work.
So the question I have, to the list, is... how can I verify that the
passwords are being sent over STARTTLS.

Quoting:

The simplest authentication mechanism is PLAIN. The client simply
sends the password unencrypted to Dovecot. All clients support the
PLAIN mechanism, but obviously there's the problem that anyone
listening on the network can steal the password. For that reason
(and some others) other mechanisms were implemented.

Today however many people use SSL/TLS, and there's no problem with
sending unencrypted password inside SSL secured connections. So if
you're using SSL, you probably don't need to bother worrying about
anything else than the PLAIN mechanism.
Post by Mark Sapiro
So you successfully get mail via your pop client in spite of the above.
My guess is somehow the client first tries plain authentication without
STARTTLS before trying STARTTLS.
In my case with pop3 and T'bird I use
Port 995
Connection security: SSL/TLS
Authentication: Normal password
I haven't tried port 110 and STARTTLS (mostly I use IMAP anyway).
Mark Sapiro
2011-01-30 16:49:20 UTC
Post by John Espiro
After reading this: http://wiki2.dovecot.org/Authentication/Mechanisms
It seems that PLAIN is OK, if I am using STARTTLS, which I believe I
am. I mean, I've set it up, and it _seems_ to work.
So the question I have, to the list, is... how can I verify that the
passwords are being sent over STARTTLS.
Your client is ultimately logging in after STARTTLS because Dovecot is
not allowing it to login before, but it apparently is trying and
possibly sending a cleartext password or there would be no
'disconnected' log message.

Sniff the port 110 packets during a login from your client and see
what's going on.

One other thought - Is there more than one account on this server
configured in your client and if so, are they all using STARTTLS?
--
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
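For Mark's "sniff the port 110 packets" suggestion, this is what to look for in the captured exchange: did the client send USER/PASS or AUTH before STLS completed? Added example, not code from the thread; the two transcripts are constructed (client lines "C:", server lines "S:") and the server strings are not real Dovecot output.

```python
# Constructed POP3 transcripts in the form you would reassemble from a port-110 capture.
STARTTLS_SESSION = """\
S: +OK Dovecot ready.
C: CAPA
S: +OK
S: STLS
S: .
C: STLS
S: +OK Begin TLS negotiation now.
"""

# Client that tries a plaintext login first and only then falls back to STLS.
PLAINTEXT_FIRST_SESSION = """\
S: +OK Dovecot ready.
C: USER john
S: +OK
C: PASS example-password
S: -ERR Plaintext authentication disallowed on non-secure connections.
C: STLS
S: +OK Begin TLS negotiation now.
"""

CREDENTIAL_CMDS = ("USER", "PASS", "AUTH", "APOP")


def audit_session(transcript):
    """Return findings for credentials visible on the wire. Everything after the server
    answers STLS with +OK is inside TLS, so only commands before that point are checked.
    A credential command before STLS is reported even if the server rejected it:
    the secret has already left the client in cleartext."""
    findings = []
    tls_active = False
    pending_stls = False
    for line in transcript.splitlines():
        if tls_active:
            break  # remaining bytes on the wire are ciphertext
        side, _, text = line.partition(": ")
        if side == "C":
            cmd = text.split(" ", 1)[0].upper()
            if cmd == "STLS":
                pending_stls = True
            elif cmd in CREDENTIAL_CMDS:
                findings.append(f"{cmd} sent in cleartext before STLS")
        elif side == "S" and pending_stls:
            tls_active = text.startswith("+OK")
            pending_stls = False
    if not tls_active:
        findings.append("session never negotiated TLS")
    return findings
```

An empty result for your client's session means the "disabled plaintext auth" lines come from somewhere else; a PASS finding means the client is leaking the password before STARTTLS, and port 995 with SSL/TLS (as Mark uses) removes that window.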