dovecot+pam authentication password mismatch

Hi all,

I’ve been having enormous problems with PAM authentication. I use openSUSE 11.1, Postfix 2.5.5, Dovecot 1.1.7, SSL, dovecot-sasl. Everything works fine within the local network, but I can’t log in from outside (using Outlook Express 6). Output of dovecot -n:

protocols: imap imaps pop3 pop3s
listen(default): *:143
listen(imap): *:143
listen(pop3): *:110
ssl_listen(default): *:993
ssl_listen(imap): *:993
ssl_listen(pop3): *:995
verbose_ssl: yes
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
mail_location: mbox:/var/spool/mail/%n
mail_debug: yes
mail_executable(default): /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/imap
mail_executable(pop3): /usr/lib/dovecot/pop3
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
auth default:
  mechanisms: plain login
  debug_passwords: yes
  passdb:
    driver: pam
    args: dovecot
  userdb:
    driver: passwd
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix

/etc/pam.d/dovecot:

#%PAM-1.0
auth     include        common-auth
account  include        common-account
password include        common-password
session  include        common-session
auth    required        pam_unix.so
account required        pam_unix.so

The mail log says something like:

Jun 12 21:07:56 mail dovecot: auth(default): new auth connection: pid=12127
Jun 12 21:08:44 mail dovecot: auth(default): client in: AUTH 1 PLAIN service=pop3 secured lip=192.168.1.67 rip=xx.xxx.xxx.xx lport=995 rport=2220 resp=AG1lc2luZ3ZhbABTWktPUE9XSUNaMQ==
Jun 12 21:08:44 mail dovecot: auth-worker(default): pam(username,xx.xxx.xxx.xx): lookup service=pop3
Jun 12 21:08:44 mail dovecot: auth-worker(default): pam(username,xx.xxx.xxx.xx): #1/1 style=1 msg=Password:
Jun 12 21:08:44 mail dovecot: auth-worker(default): pam(username,xx.xxx.xxx.xx): pam_authenticate() failed: Authentication failure (password mismatch?)
Jun 12 21:08:44 mail dovecot: auth(default): new auth connection: pid=12130
Jun 12 21:08:46 mail dovecot: auth(default): client out: FAIL 1 user=username
Jun 12 21:08:46 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<username>, method=PLAIN, rip=xx.xxx.xxx.xx, lip=192.168.1.67, TLS: Disconnected

I can’t figure out what I am doing wrong. Any suggestions would be much appreciated.

Try another client to see? Are you also using Outlook on the LAN? Have you tried using pop3s (secure POP) on the inside also?

On the LAN I used the same version of Outlook Express with exactly the same settings (including secure POP), and it worked fine:

Jun 12 15:57:57 mail dovecot: auth(default): new auth connection: pid=5643
Jun 12 16:03:03 mail dovecot: auth(default): client in: AUTH 1 PLAIN service=pop3 secured lip=192.168.1.67 rip=xx.xx.xxx.xxx lport=995 rport=50146 resp=AG1lc2luZ3ZhbABTemtvcG93aWN6MQ==
Jun 12 16:03:03 mail dovecot: auth-worker(default): pam(username,xx.xx.xxx.xxx): lookup service=pop3
Jun 12 16:03:03 mail dovecot: auth-worker(default): pam(username,xx.xx.xxx.xxx): #1/1 style=1 msg=Password:
Jun 12 16:03:03 mail dovecot: auth(default): client out: OK 1 user=username
Jun 12 16:03:03 mail dovecot: auth(default): master in: REQUEST 5 5644 1
Jun 12 16:03:03 mail dovecot: auth(default): passwd(username,xx.xx.xxx.xxx): lookup
Jun 12 16:03:03 mail dovecot: auth(default): master out: USER 5 username system_user=username uid=1000 gid=100 home=/home/username
Jun 12 16:03:03 mail dovecot: pop3-login: Login: user=<username>, method=PLAIN, rip=xx.xx.xxx.xxx, lip=192.168.1.67, TLS
Jun 12 16:03:03 mail dovecot: POP3(mesingval): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0

I won’t be able to try another client before evening. But still, there shouldn’t be any reason for Outlook not to work. Sorry for the noobish question, but why is PAM using the IP as an argument at all? (pam(username,xx.xx.xxx.xxx)) The remote IP is the only different value in the whole process. Any ideas?

No idea, maybe it’s just logging, and not part of the comparison.

BTW, I only have the first 5 lines of your pam.d/dovecot. It’s not necessary to add the unix.so lines since they are already in common_*.

Hi ken_yap. Thanks a lot for your responses. I managed to solve it. Simply I had dictated the IE settings on the phone, and the person I dictated it to apparently had made some mistakes, because today I did all the settings myself and it works. You can’t trust anybody these days :wink:
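
Added example, not part of the thread: with auth debugging on, as in the config above (`debug_passwords: yes`), the `resp=` field of a `client in: AUTH ... PLAIN` line is the base64 SASL PLAIN response, which carries the username and password. This sketch scrubs that field before a log is shared and compares a failed attempt with a good one without printing either secret. The sample lines, credentials and function names are constructed for illustration.

```python
import base64
import re

# Matches the SASL response field in a Dovecot "client in: AUTH ..." debug line.
RESP_RE = re.compile(r"(\bresp=)([A-Za-z0-9+/]+=*)")

def decode_plain(resp_b64):
    """Decode a SASL PLAIN response: authzid NUL authcid NUL password."""
    parts = base64.b64decode(resp_b64).split(b"\0")
    if len(parts) != 3:
        raise ValueError("not a SASL PLAIN response")
    return tuple(p.decode("utf-8", "replace") for p in parts)

def redact(line):
    """Replace the credential-bearing resp= value so the line is safe to post."""
    return RESP_RE.sub(r"\1<redacted>", line)

def compare_attempts(failed_line, ok_line):
    """Describe how a failed attempt differs from a good one, never echoing secrets."""
    _, user_f, pw_f = decode_plain(RESP_RE.search(failed_line).group(2))
    _, user_o, pw_o = decode_plain(RESP_RE.search(ok_line).group(2))
    if user_f != user_o:
        return "different username"
    if pw_f == pw_o:
        return "same credentials"
    if pw_f.lower() == pw_o.lower():
        return "password differs only in letter case"
    if pw_f.strip() == pw_o.strip():
        return "password differs only in surrounding whitespace"
    return "different password"

def make_plain(user, password):
    """Build a SASL PLAIN response with an empty authzid (helper for the samples)."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()

# Constructed sample lines (documentation IP ranges, made-up credentials).
_PREFIX = (
    "Jan 01 10:00:00 mail dovecot: auth(default): client in: AUTH 1 PLAIN "
    "service=pop3 secured lip=192.0.2.10 rip=198.51.100.7 lport=995 rport=2220 resp="
)
FAILED = _PREFIX + make_plain("alice", "EXAMPLEPASS1")
OK = _PREFIX + make_plain("alice", "Examplepass1")

if __name__ == "__main__":
    print(redact(FAILED))
    print(compare_attempts(FAILED, OK))
```

Once the problem is diagnosed, turning `debug_passwords` back off keeps these values out of the mail log.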