I am between a rock and a hard place while migrating from 2.3.19.1 to
2.4.1.
I have set up a clean system to test that it runs before I import my database of
virtual users.
I haven't changed much from the config examples provided at
My auth-sql.conf.ext:
sql_driver = mysql
mysql /var/run/mysqld/mysqld.sock {
user = db_user
password = XXXXX
dbname = dbname
}
passdb sql {
default_password_scheme = SHA512
query = SELECT crypt AS password FROM users,domains WHERE users.username = '%{user}' AND users.enabled = '1' AND users.type='local' and domains.enabled='1' and domains.domain_id = users.domain_id
}
userdb sql {
query = SELECT pop as home, uid, gid FROM users WHERE username = '%{user}'
iterate_query = SELECT username AS user FROM users
}
dovecot -n:
```
root@mail:/etc/dovecot/conf.d# doveconf -n
# 2.4.1-4+debian12 (7d8c0e5759): /etc/dovecot/dovecot.conf
# Pigeonhole version 2.4.1-4+debian12 (0a86619f)
# OS: Linux 6.1.0-34-amd64 x86_64 Debian 12.10
# Hostname: mail.domain.name
dovecot_config_version = 2.4.1
auth_debug_passwords = yes
auth_verbose = yes
auth_verbose_passwords = yes
dovecot_storage_version = 2.4.1
fts_autoindex = yes
fts_autoindex_max_recent_msgs = 999
fts_search_add_missing = yes
info_log_path = /var/log/dovecot.log
log_debug = category=auth
mail_plugins {
notify = yes
mail_log = yes
}
protocols = imap pop3 lmtp sieve
sql_driver = mysql
mysql /var/run/mysqld/mysqld.sock {
dbname = exim4u
password = # hidden, use -P to show it
user = exim4u
}
passdb sql {
default_password_scheme = SHA512
query = SELECT crypt AS password FROM users,domains WHERE users.username = '%{user}' AND users.enabled = '1' AND users.type='local' and domains.enabled='1' and domains.domain_id = users.domain_id
}
userdb sql {
iterate_query = SELECT username AS user FROM users
query = SELECT pop as home, uid, gid FROM users WHERE username = '%{user}'
}
namespace inbox {
inbox = yes
mailbox Drafts {
special_use = "\\Drafts"
}
mailbox Junk {
special_use = "\\Junk"
}
mailbox Trash {
special_use = "\\Trash"
}
mailbox Sent {
special_use = "\\Sent"
}
mailbox "Sent Messages" {
special_use = "\\Sent"
}
}
service imap-login {
inet_listener imap {
}
inet_listener imaps {
}
}
service pop3-login {
inet_listener pop3 {
}
inet_listener pop3s {
}
}
service submission-login {
inet_listener submission {
}
inet_listener submissions {
}
}
service lmtp {
unix_listener lmtp {
}
}
service imap {
}
service pop3 {
}
service submission {
}
service auth {
unix_listener auth-userdb {
}
}
service auth-worker {
}
service dict {
unix_listener dict {
}
}
service managesieve-login {
inet_listener sieve {
port = 4190
}
inet_listener sieve_deprecated {
port = 2000
}
}
service managesieve {
}
```
I ran a test against the POP3 daemon:
```
telnet 0 110
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
+OK Dovecot ready.
user '[email protected]
+OK
pass XXXXXXX
-ERR [SYS/TEMP] Temporary authentication failure.
```
And the debugging ends up in "pop3-login: Info: Login aborted: Logged out (auth
service reported temporary failure)".
I am not sure where to look for this.
May 04 13:08:46 auth: Debug: sqlpool(mysql): Creating new connection
May 04 13:08:46 auth: Debug: Read auth token secret from /run/auth-token-secret.dat
May 04 13:08:46 auth: Debug: mysql(/var/run/mysqld/mysqld.sock): Connecting
May 04 13:08:46 auth: Debug: conn unix:login (pid=9061,uid=117) [1]: Server
accepted connection (fd=19)
May 04 13:08:46 auth: Debug: conn unix:login (pid=9061,uid=117) [1]: auth
client connected (pid=9061)
May 04 13:09:12 auth: Debug: conn unix:login (pid=9061,uid=117) [1]: client in:
AUTH 1 PLAIN protocol=pop3 final-resp-ok secured
session=0sexkUw07I1/AAAB lip=127.0.0.1 rip=127.0.0.1 lport=110
rport=36332 resp=<redacted: base64 SASL PLAIN response, which encodes the login name and password>
(previous base64 data may contain sensitive data)
May 04 13:09:12 auth([email protected],127.0.0.1,sasl:plain)<0sexkUw07I1/AAAB>:
Debug: sql: Performing passdb lookup
May 04 13:09:12 auth: Debug: conn unix:auth-worker: Connecting
May 04 13:09:12 auth: Debug: conn unix:auth-worker (pid=9055,uid=0): Client
connected (fd=20)
May 04 13:09:12 auth: Debug: conn unix:auth-worker (pid=9055,uid=0): Sending
version handshake
May 04 13:09:12 auth-worker(9138): Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
May 04 13:09:12 auth-worker(9138): Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_mysql.so
May 04 13:09:12 auth-worker(9138): Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_pgsql.so
May 04 13:09:12 auth-worker(9138): Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_sqlite.so
May 04 13:09:12 auth-worker(9138): Debug: sqlpool(mysql): Creating new
connection
May 04 13:09:12 auth-worker(9138): Debug: mysql(/var/run/mysqld/mysqld.sock):
Connecting
May 04 13:09:12 auth-worker(9138): Debug: conn unix:auth-worker
(pid=9063,uid=116): Server accepted connection (fd=13)
May 04 13:09:12 auth-worker(9138): Debug: conn unix:auth-worker
(pid=9063,uid=116): Sending version handshake
May 04 13:09:12 auth-worker(9138): Debug: conn unix:auth-worker
(pid=9063,uid=116): auth-worker<1>: Handling PASSV request
May 04 13:09:12 auth-worker([email protected],127.0.0.1)<9138><0sexkUw07I1/AAAB>:
request [1]: Debug: sql: Performing passdb lookup
May 04 13:09:12 auth: Debug: auth-worker: Worker sent process limit '30'
May 04 13:09:12 auth-worker([email protected],127.0.0.1)<9138><0sexkUw07I1/AAAB>:
request [1]: Debug: sql: query: SELECT crypt AS password FROM users,domains
WHERE users.username = '[email protected]' AND users.enabled = '1' AND
users.type='local' and domains.enabled='1' and domains.domain_id =
users.domain_id
May 04 13:09:12 auth-worker(9138): Debug: mysql(/var/run/mysqld/mysqld.sock):
Finished query 'SELECT crypt AS password FROM users,domains WHERE
users.username = '[email protected]' AND users.enabled = '1' AND users.type='local'
and domains.enabled='1' and domains.domain_id = users.domain_id' in 0 msecs
May 04 13:09:12 auth-worker([email protected],127.0.0.1)<9138><0sexkUw07I1/AAAB>:
request [1]: Debug: sql: Finished passdb lookup
May 04 13:09:12 auth-worker(9138): Debug: conn unix:auth-worker
(pid=9063,uid=116): auth-worker<1>: Finished: internal_failure
May 04 13:09:12 auth([email protected],127.0.0.1,sasl:plain)<0sexkUw07I1/AAAB>:
Debug: sql: Finished passdb lookup
May 04 13:09:14 auth([email protected],127.0.0.1,sasl:plain)<0sexkUw07I1/AAAB>:
Debug: Auth request finished
May 04 13:09:14 auth([email protected],127.0.0.1,sasl:plain)<0sexkUw07I1/AAAB>:
Debug: immediate auth failure due to internal failure
May 04 13:09:14 auth: Debug: conn unix:login (pid=9061,uid=117) [1]: client
passdb out: FAIL 1 [email protected] code=temp_fail
May 04 13:09:18 pop3-login: Info: Login aborted: Logged out (auth service
reported temporary failure, 1 attempts in 6 secs) (temp_fail):
user=<[email protected]>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured,
session=<0sexkUw07I1/AAAB>
--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
In an Internet failure case, the #1 suspect is a constant: DNS.
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
[How to ask smart questions: http://www.catb.org/~esr/faqs/smart-
questions.html]