r-raymond / nixos-mailserver

A complete and Simple Nixos Mailserver
GNU General Public License v3.0

Failing to log into IMAP #5

Closed phdoerfler closed 7 years ago

phdoerfler commented 7 years ago

Just installed this module and found that I had to invoke

sudo passwd user1@example.com

to allow "user1" to actually log in via IMAP. Shouldn't this be covered by the nix files already?

The error message (as given from dovecot to the IMAP client):

t NO [AUTHENTICATIONFAILED] Authentication failed.

I tested this with

openssl s_client -host mail.example.com -port 143 -starttls imap

Showing up in the logs was this (after I set various logging options in dovecot) (faithful reproduction):

-- Logs begin at Fri 2017-08-11 19:29:05 UTC, end at Tue 2017-09-12 19:47:46 UTC. --
Sep 12 19:00:47 mail.example.com dovecot[2574]: auth: Debug: client in: AUTH        1        PLAIN        service=imap        secured        session=34c4qQJZDPq8wGJm        lip=111.111.111.111        rip=222.222.222.222        lport=143        rport=64012        resp=<hidden>
Sep 12 19:00:47 mail.example.com dovecot[2574]: auth-worker(2587): Debug: pam(user1@example.com,222.222.222.222,<34c4qQJZDPq8wGJm>): lookup service=dovecot2
Sep 12 19:00:47 mail.example.com dovecot[2574]: auth-worker(2587): Debug: pam(user1@example.com,222.222.222.222,<34c4qQJZDPq8wGJm>): #1/1 style=1 msg=Password:
Sep 12 19:00:47 mail.example.com auth[2587]: pam_unix(dovecot2:auth): check pass; user unknown
Sep 12 19:00:47 mail.example.com auth[2587]: pam_unix(dovecot2:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user1@example.com rhost=222.222.222.222
Sep 12 19:00:49 mail.example.com dovecot[2574]: auth-worker(2587): pam(user1@example.com,222.222.222.222,<34c4qQJZDPq8wGJm>): pam_authenticate() failed: Authentication failure (password mismatch?)
Sep 12 19:00:51 mail.example.com dovecot[2574]: auth: Debug: client passdb out: FAIL        1        user=user1@example.com

A faithful reproduction of my config:

{ config, pkgs, ... }:

{
  imports =
    [ # Include the results of the hardware scan.
      ./own/users.nix
      ./own/services/ssh.nix
      ./nixos-mailserver/default.nix
    ];

  config.mailserver = {
    enable = true;
    domain = "example.com";
    hostPrefix = "mail";
    loginAccounts = {
      user1 = {
        hashedPassword = "$6$B6f7I1Y2/$oKY9IMcwpICYLds7H6.PMqxDQsq0.Dz.eUZNzohQFyTVLDwUz1SBeEj0bd4oDgQuxdgQT.BhV5yYILfGUTCsl.";
      };
    };
    virtualAliases = {
      info = "user1";
      postmaster = "user1";
      abuse = "user1";
    };
  };
}

r-raymond commented 7 years ago

You are right, it should be taken care of by the "hashedPassword" option. Thanks for the detailed report, I'll try to reproduce the bug as soon as I find some time.

r-raymond commented 7 years ago

Ok I tried, but I cannot reproduce this. Here is my config on a clean VirtualBox

{
  network.description = "mail server";

  mailserver =
    { config, pkgs, ... }:
    {
        imports = [
            ./../default.nix
        ];

        mailserver = {
          enable = true;
          domain = "example.com";

          hostPrefix = "mail";
          loginAccounts = {
              user1 = {
                  hashedPassword = "$6$/z4n8AQl6K$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/";
              };
          };
          virtualAliases = {
              info = "user1";
              postmaster = "user1";
              abuse = "user1";
          };
        };
    };
}

(the password is user1). After deploying I log in with the same openssl command you use, to get

    .
    .
    .
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
---
. OK Pre-login capabilities listed, post-login capabilities have more.
a login user1@example.com user1
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SPECIAL-USE
a OK Logged in

I think once the user1@example.com user is created, NixOS will not update the password anymore if you change the hashedPassword value. To test if this is the problem, maybe try to define a new user (user2) and see if it works for that. If you can still reproduce, can you check whether /etc/shadow contains the correct password?
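
The two checks discussed in this thread (reading the pam_unix lines in the journal excerpt above, and comparing the hash in /etc/shadow with the one given in loginAccounts) as an added triage script. It is not part of the issue or of the nixos-mailserver project; the log lines are copied from the reporter's excerpt, the /etc/shadow excerpt is constructed with a placeholder "stale" hash to model the situation the maintainer describes, and the function names are mine.

```python
import re
from typing import Dict, Optional

# Sample journal lines, taken from the excerpt in this issue.
SAMPLE_LOG = (
    "Sep 12 19:00:47 mail.example.com auth[2587]: pam_unix(dovecot2:auth): check pass; user unknown\n"
    "Sep 12 19:00:47 mail.example.com auth[2587]: pam_unix(dovecot2:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=dovecot ruser=user1@example.com rhost=222.222.222.222\n"
    "Sep 12 19:00:49 mail.example.com dovecot[2574]: auth-worker(2587): pam(user1@example.com,"
    "222.222.222.222,<34c4qQJZDPq8wGJm>): pam_authenticate() failed: Authentication failure (password mismatch?)\n"
    "Sep 12 19:00:51 mail.example.com dovecot[2574]: auth: Debug: client passdb out: FAIL        1        user=user1@example.com\n"
)

# The hash from the reporter's loginAccounts block.
CONFIGURED_HASH = "$6$B6f7I1Y2/$oKY9IMcwpICYLds7H6.PMqxDQsq0.Dz.eUZNzohQFyTVLDwUz1SBeEj0bd4oDgQuxdgQT.BhV5yYILfGUTCsl."

# Constructed /etc/shadow excerpt (not real data): the account exists but still
# carries a placeholder hash, i.e. the already-created user whose password
# NixOS did not rewrite after the configuration changed.
SAMPLE_SHADOW = (
    "root:!:17400:0:99999:7:::\n"
    "user1@example.com:$6$STALESALT$STALEHASHPLACEHOLDER:17400:0:99999:7:::\n"
)

# pam_unix's own wording; the 'user unknown' line precedes the failure line.
UNKNOWN_RE = re.compile(r"pam_unix\(\S+:auth\): check pass; user unknown")
FAILURE_RE = re.compile(r"pam_unix\(\S+:auth\): authentication failure;.*?\bruser=(\S+)")


def classify_pam_failures(log_text: str) -> Dict[str, str]:
    """Map each failing ruser to the reason pam_unix logged.

    'user unknown' means pam_unix's lookup of the user's password entry
    failed, which is the case to investigate in /etc/shadow; a failure line
    without that preceding message is reported as 'authentication failure'
    (a plain password mismatch).
    """
    reasons: Dict[str, str] = {}
    unknown_pending = False
    for line in log_text.splitlines():
        if UNKNOWN_RE.search(line):
            unknown_pending = True
            continue
        m = FAILURE_RE.search(line)
        if m:
            reasons[m.group(1)] = "user unknown" if unknown_pending else "authentication failure"
            unknown_pending = False
    return reasons


def shadow_hash_for(shadow_text: str, user: str) -> Optional[str]:
    """Return the password field of `user` from shadow(5)-formatted text, or None."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == user:
            return fields[1]
    return None


def check_configured_hash(shadow_text: str, user: str, expected_hash: str) -> str:
    """Compare the hash NixOS was asked to set with what /etc/shadow holds.

    Returns 'missing' (account never created), 'locked' (no usable password:
    empty, '*' or a '!'-prefixed field), 'match' or 'mismatch'.
    """
    actual = shadow_hash_for(shadow_text, user)
    if actual is None:
        return "missing"
    if actual == "" or actual == "*" or actual.startswith("!"):
        return "locked"
    return "match" if actual == expected_hash else "mismatch"


if __name__ == "__main__":
    print(classify_pam_failures(SAMPLE_LOG))
    print(check_configured_hash(SAMPLE_SHADOW, "user1@example.com", CONFIGURED_HASH))
```

On a real host the second check would read /etc/shadow as root and pass the hashedPassword string from configuration.nix; a 'mismatch' or 'locked' result for an account that already existed before the option was set points at the behaviour described in this thread rather than at dovecot itself.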

phdoerfler commented 7 years ago

Interesting. I shall try this. FYI @Infinisil was able to reproduce this issue as well.

r-raymond commented 7 years ago

I've added a test (tests/userPassword.nix) to ensure that the user is created and password is set correctly.

phdoerfler commented 7 years ago

Just tried it: A new user with a user name not previously used does have the password correctly set. I cannot reproduce the issue there.

Does the test get called automatically or does it have to be invoked manually?

r-raymond commented 7 years ago

Ok, so I guess you can also fix it by manually deleting the user before rebuilding. Since I'm always testing on fresh VirtualBox images, I don't run into this much. On the other hand there is not much we can do, since this is how NixOS handles user passwords.

Unfortunately the tests have to be run manually so far, because I have no idea how to integrate them with a CI solution. I guess I'd need to set up a hydra instance for that.