SOLVED Dovecot passdb lock

[AlexandreVeezon]

Hello.

My dovecot is not authenticatin anymore.
I activated some debug in dovecot.conf and got this:

Dec 13 11:30:07 server dovecot: auth-worker(6636): Error: dict([email protected],xx.xxx.xxx.xxx,<F9voT+d82qNrm5iW>): Invalid password '*LOCKED*' in passdb: crypt() failed: Invalid argument

Dec 13 11:30:07 server dovecot: auth-worker(6636): Debug: dict([email protected],xxx.xxx.xxx.xxx,<F9voT+d82qNrm5iW>): CRYPT(PLAIN_TEXT_PASSWORD_HERE) != '*LOCKED*'

Any ideas on how to fix this? Automagically, for everyone at the same time, transparent for the user.

I tried a lot of things, but I'm out of ideas.

 

[Human_bieng]

Hello there,
We had a problem with our server & in order to fix this issue we did an OS reload
But once reload done & everything get back as before
NOTE : nothing in dns, or ip have been changed, just the OS changed from Centos6 to Centos7 !
After OS reload done, we found that no one could log into his email account
All email accounts get "Authentication failed" error
Steps done to resolve this issue :
1) removed & installed dovecot
2) copied "dovecot.conf" contents from working server to this server
3) did "/scripts/mailperm, /scripts/fixvaliases, /scripts/upcp --force"
Nothing of the above solved our issue
The following is the error message that we got from "/var/log/maillog" :

auth: Error: dict([email protected],xx.xx.xx.xx,<xxxxx>): Invalid password in passdb: crypt() failed: Invalid argument

The following is the output of "doveconf -n" command :

# 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-957.1.3.el7.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core)
# Hostname: server.hostname.com
auth_cache_size = 1 M
auth_mechanisms = plain login
auth_policy_hash_mech = sha512
auth_policy_hash_nonce = 72326358
auth_policy_hash_truncate = 64
auth_policy_request_attributes = auth_database=mail database=mail service=dovecot username=%{orig_user} authtoken_hash=$0$0$%{hashed_password} local_host=%{real_lip} local_port=%{real_lport} remote_host=%{real_rip} remote_port=%{real_rport}
auth_policy_server_api_header = X-API-Key:dovecot:YtuXFPFFrOIWFwQc
auth_policy_server_timeout_msecs = 3000
auth_policy_server_url = http://127.0.0.1:579/dovecot-auth-policy
auth_username_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$-=?^_{}~./@+%"
disable_plaintext_auth = no
first_valid_uid = 201
lda_mailbox_autocreate = yes
lmtp_save_to_detail_mailbox = yes
lmtp_user_concurrency_limit = 4
mail_access_groups = dovecot
mail_plugins = quota quota_clone zlib
mail_prefetch_count = 20
mailbox_list_index = yes
maildir_very_dirty_syncs = yes
mdbox_rotate_size = 10 M
namespace inbox {
  inbox = yes
  location =
  mailbox Archive {
    auto = create
    special_use = \Archive
  }
  mailbox Archives {
    auto = no
    special_use = \Archive
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    auto = no
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  mailbox spam {
    auto = subscribe
    special_use = \Junk
  }
  prefix = INBOX.
  separator = .
  type = private
}
passdb {
  args = /usr/local/cpanel/etc/dovecot/cpauthd-dict.conf
  driver = dict
  result_failure = return-fail
}
plugin {
  acl = vfile:cache_secs=86400
  quota_exceeded_message = Mailbox is full / Blocks limit exceeded / Inode limit exceeded
}
protocols = lmtp imap pop3
service auth {
  unix_listener auth-client {
    mode = 0666
  }
}
service config {
  vsz_limit = 2 G
}
service dict {
  unix_listener dict {
    group = dovecot
    mode = 0660
  }
}
service imap-login {
  client_limit = 500
  inet_listener imap {
    address = *,::
  }
  inet_listener imaps {
    address = *,::
  }
  process_limit = 50
  process_min_avail = 2
  service_count = 0
  vsz_limit = 128 M
}
service imap {
  process_limit = 512
  vsz_limit = 512 M
}
service lmtp {
  client_limit = 1
  process_limit = 500
  unix_listener lmtp {
    group = mail
    mode = 0660
    user = mailnull
  }
  vsz_limit = 512 M
}
service managesieve-login {
  client_limit = 500
  process_limit = 50
  process_min_avail = 2
  service_count = 0
  vsz_limit = 128 M
}
service managesieve {
  process_limit = 512
  vsz_limit = 512 M
}
service pop3-login {
  client_limit = 500
  inet_listener pop3 {
    address = *,::
  }
  inet_listener pop3s {
    address = *,::
  }
  process_limit = 50
  process_min_avail = 2
  service_count = 0
  vsz_limit = 128 M
}
service pop3 {
  process_limit = 512
  vsz_limit = 512 M
}
service quota-status {
  executable = quota-status -p postfix
  unix_listener quota-status {
    mode = 0666
  }
}
ssl_cert = </etc/dovecot/ssl/dovecot.crt
ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl_key =  # hidden, use -P to show it
ssl_protocols = TLSv1.2
userdb {
  driver = prefetch
}
userdb {
  args = /usr/local/cpanel/etc/dovecot/cpauthd-dict.conf
  driver = dict
}
protocol imap {
  imap_capability = +NAMESPACE
  imap_idle_notify_interval = 24 mins
  imap_logout_format = in=%i, out=%o, bytes=%i/%o
  mail_max_userip_connections = 20
  mail_plugins = acl quota imap_quota zlib imap_zlib quota_clone virtual
  namespace sent {
    hidden = yes
    list = no
    location = virtual:/usr/local/cpanel/etc/dovecot/virtual/sent:INDEX=~/mail/virtual/%u/sent
    prefix = sent
    separator = .
  }
  namespace spam {
    hidden = yes
    list = no
    location = virtual:/usr/local/cpanel/etc/dovecot/virtual/spam:INDEX=~/mail/virtual/%u/spam
    prefix = spam
    separator = .
  }
}
protocol pop3 {
  mail_max_userip_connections = 3
  mail_plugins = quota quota quota_clone virtual zlib
  namespace sent {
    hidden = yes
    list = no
    location = virtual:/usr/local/cpanel/etc/dovecot/virtual/sent:INDEX=~/mail/virtual/%u/sent
    prefix = sent
    separator = .
  }
  namespace spam {
    hidden = yes
    list = no
    location = virtual:/usr/local/cpanel/etc/dovecot/virtual/spam:INDEX=~/mail/virtual/%u/spam
    prefix = spam
    separator = .
  }
  pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s, bytes=%i/%o
  pop3_uidl_format = UID%u-%v
}
protocol lmtp {
  mail_plugins = quota quota_clone zlib
  postmaster_address = root
  quota_full_tempfail = no
}
protocol lda {
  mail_plugins = quota quota_clone zlib
  postmaster_address = root
  quota_full_tempfail = no
}
local_name server.hostname.com {
  ssl_cert = </etc/dovecot/ssl/dovecot.crt
  ssl_key =  # hidden, use -P to show it
}
......

I also have tried login locally from server by using either domain name or localhost, but also get "Authentication failed" error as shown bellow :

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE NAMESPACE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
a LOGIN [email protected] 'password'
a NO [AUTHENTICATIONFAILED] Authentication failed.


Trying xx.xx.xx.xx...
Connected to mail.domain.com.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE NAMESPACE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
a login [email protected] 'password'
a NO [AUTHENTICATIONFAILED] Authentication failed.

The following is the output of "doveadm user [email protected]" command for checking specific email :

field   value
uid     1001
gid     1003
home    /home/username/mail/domain.tld/user
mail    maildir:/home/username/mail/domain.tld/user
userdb_quota_rule       *:messages=2147483647
userdb_quota_status_overquota   552 5.2.2 Mailbox is full / Blocks limit exceeded / Inode limit exceeded
userdb_quota_rule3      INBOX.Trash:ignore
quota_rule2     INBOX.INBOX:ignore
quota_vsizes    yes
userdb_uid      1001
quota_rule      *:messages=2147483647
quota_clone_dict        file:/home/username/mail/domain.tld/user/dovecot-quota
quota_rule3     INBOX.Trash:ignore
quota   maildir:Mailbox:ns=INBOX.
userdb_password {CRYPT}$6$dlPKP3T7OWofDVIj$9j4MdqzNCq6/qtC5lUuaF4OS3r95giWsdEo8FZHkLfFi2I4XviSWRCyO.HGAEYRf2xDlzz/8rEJ5OdlMt.MZD1
password        {CRYPT}*LOCKED*
userdb_quota_rule2      INBOX.INBOX:ignore
userdb_user     [email protected]
userdb_quota    maildir:Mailbox:ns=INBOX.
userdb_gid      1003
userdb_quota_vsizes     yes
userdb_quota_clone_dict file:/home/username/mail/domain.tld/user/dovecot-quota
userdb_mail     maildir:/home/username/mail/domain.tld/user
quota_status_overquota  552 5.2.2 Mailbox is full / Blocks limit exceeded / Inode limit exceeded
userdb_home     /home/username/mail/domain.tld/user

Any help will be appreciated as no one could access any email account after server reload

Any updates ???

 

[Infopro]

The following is the output of "doveadm user [email protected]" command for checking specific email :

Did you note this item in that output?

userdb_quota_status_overquota   552 5.2.2 Mailbox is full / Blocks limit exceeded / Inode limit exceeded

 

[AlexandreVeezon]

I have the exact same problem (New Thread - Dovecot passdb lock), but the issue is not related to full mailbox, afterwards the entire server, every single email accounts, cannot be full in the same time, right? Plus, I checked, and I have accounts with less than 40M.

Plus2: If an user uses all it's quota, he should be able to log in and delete content.

 

[cPanelMichael]

Hello,

Does a main.local file exist with Dovecot configuration modifications in the /var/cpanel/templates/dovecot2.2/ directory? If so, note the following information from the cPanel & WHM 76 Release Notes:

Legacy Dovecot authentication removed

• We removed the legacy /usr/local/cpanel/bin/dovecot-auth and the /usr/local/cpanel/bin/dovecot-wrap binaries. The system now uses the more efficient DICT lookups.
  
  
• When you upgrade to cPanel & WHM version 76, the system invalidates the .local Dovecot configuration template (for example, (/var/cpanel/templates/dovecot2.2/main.local) that references the deprecated /usr/local/cpanel/bin/dovecot-wrap binary. If a system's .local Dovecot configuration template references this binary, the system saves its .local template then rebuilds the .local file with the standard template. You must reapply your customizations to the new.local template. For more information about Dovecot customizations, read our Mailserver Configuration documentation.
  
  Important:
  • We strongly recommend that you back up any .local template customizations before you upgrade.
  • If you use the /var/cpanel/templates/dovecot2.2/main.local file to override the default Dovecot configuration template, you must merge the changes in the /usr/local/cpanel/src/templates/dovecot2.2/main.default file when you upgrade to cPanel & WHM version 76; otherwise you will lose your customizations.
  • You should verify that your prior customizations will function version 76. For more information, read our Mailserver Configuration documentation.

Let me know if this is applicable to the issue you are facing.

Thank you.

 

[AlexandreVeezon]

Does a main.local file exist with Dovecot configuration modifications in the /var/cpanel/templates/dovecot2.2/ directory?

No.

[root@server dovecot2.2]# pwd
/var/cpanel/templates/dovecot2.2
[root@server dovecot2.2]# ll
total 512
drwxr-xr-x. 2 root root  4096 Dez 13 14:35 .
drwxr-xr-x. 8 root root  4096 Set  2  2016 ..
-rw-r--r--. 1 root root 56099 Dez 13 14:35 main.default
-rw-r--r--. 1 root root 56099 Nov  9 22:40 main.default.bkp
-rw-r--r--. 1 root root 54555 Set  2  2016 main.default.outdated.2017-05-09T17:17:05Z.0.0919538536845756
-rw-r--r--. 1 root root 54444 Mai  9  2017 main.default.outdated.2017-09-22T03:52:35Z.57306737
-rw-r--r--. 1 root root 54682 Set 22  2017 main.default.outdated.2017-09-22T04:04:42Z.65671047
-rw-r--r--. 1 root root 56144 Set 22  2017 main.default.outdated.2017-09-22T04:13:03Z.46645447
-rw-r--r--. 1 root root 56329 Set 22  2017 main.default.outdated.2018-02-20T20:29:26Z.87243114
-rw-r--r--. 1 root root 56349 Fev 20  2018 main.default.outdated.2018-09-04T17:42:53Z.07662602
-rw-r--r--. 1 root root 56288 Set  4 14:42 main.default.outdated.2018-11-10T00:40:58Z.15994583

 

[cPanelMichael]

Hello @AlexandreVeezon,

The other issue to be aware of is described on the following thread:

Pending Publication - [CPANEL-24359] Inaccurate service failure notifications sent out when license is not valid

If the above thread isn't applicable, feel free to open a support ticket so we can take a closer look at the affected system. You can post the ticket number here and we'll link this thread to it.

Thank you.

 

[AlexandreVeezon]

That's right. I miss this point.

My license got expired really. I didn't notice because this was a new behavior for me.

Thanks Michael!