Authentication with dovecot fails

  • 4 replies
  • 1 has this problem
  • 1 view
  • Last reply by MikkoP


I have set up Dovecot with effective configuration (with dovecot -n)


   # 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
   # OS: Linux 5.2.15-200.fc30.x86_64 x86_64 Fedora release 30 (Thirty)
   # Hostname: <my hostname>
   auth_debug = yes
   auth_mechanisms = plain login
   auth_verbose = yes
   listen = 10.168.0.9,<my external IP>
   mail_location = mbox:~/mail:INBOX=/var/mail/%u
   mbox_write_locks = fcntl
   namespace inbox {
       inbox = yes
       location =
       mailbox Drafts {
           special_use = \Drafts
       }
       mailbox Junk {
           special_use = \Junk
       }
       mailbox Sent {
           special_use = \Sent
       }
       mailbox "Sent Messages" {
           special_use = \Sent
       }
       mailbox Trash {
           special_use = \Trash
       }
       prefix =
   }
   passdb {
       driver = pam
   }
   protocols = imap
   ssl_cert = </etc/letsencrypt/live/<my hostname>/cert.pem
   ssl_cipher_list = PROFILE=SYSTEM
   ssl_key = # hidden, use -P to show it
   userdb {
       args = blocking=no
       driver = passwd
   }
   verbose_ssl = yes


I am trying to connect to this with Thunderbird 60.9.0 (and 68.1.0) but no matter whether I use port 143 or 993, the authentication does not take place. journalctl -efu dovecot.service output:


   Sep 21 21:43:58 <myhostname> dovecot[31705]: auth: Debug: auth client connected (pid=2668)
   Sep 21 21:43:58 <myhostname> dovecot[31705]: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization
   Sep 21 21:43:58 <myhostname> dovecot[31705]: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
   Sep 21 21:43:58 <myhostname> dovecot[31705]: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization
   Sep 21 21:43:58 <myhostname> dovecot[31705]: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
   Sep 21 21:43:58 <myhostname> dovecot[31705]: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello
   Sep 21 21:43:58 <myhostname> dovecot[31705]: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello
   Sep 21 21:43:58 <myhostname> dovecot[31705]: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate
   Sep 21 21:43:58 <myhostname> dovecot[31705]: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write key exchange
   Sep 21 21:43:58 <myhostname> dovecot[31705]: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server done
   Sep 21 21:43:58 <myhostname> dovecot[31705]: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3/TLS write server done
   Sep 21 21:43:58 <myhostname> dovecot[31705]: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3/TLS write server done
   Sep 21 21:43:58 <myhostname> dovecot[31705]: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3/TLS write server done
   Sep 21 21:43:58 <myhostname> dovecot[31705]: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3/TLS write server done
   Sep 21 21:43:58 <myhostname> dovecot[31705]: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server done
   Sep 21 21:43:58 <myhostname> dovecot[31705]: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client key exchange
   Sep 21 21:43:58 <myhostname> dovecot[31705]: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read change cipher spec
   Sep 21 21:43:58 <myhostname> dovecot[31705]: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read finished
   Sep 21 21:43:58 <myhostname> dovecot[31705]: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket
   Sep 21 21:43:58 <myhostname> dovecot[31705]: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec
   Sep 21 21:43:58 <myhostname> dovecot[31705]: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished
   Sep 21 21:43:58 <myhostname> dovecot[31705]: imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully
   Sep 21 21:43:58 <myhostname> dovecot[31705]: imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully
   Sep 21 21:43:58 <myhostname> dovecot[31705]: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=10.168.0.53, lip<myhostextip>, TLS, session=<OvtgaBWT5iUKqAA1>
   Sep 21 21:43:58 <myhostname> dovecot[31705]: imap-login: Debug: SSL alert: close notify


The error appears to be indicated on the second-to-last row: "no auth attempts in 0 secs." Superuser topic "Problems with connecting Thunderbird client to dovecot installed on Ubuntu" indicated a potential problem with certificate exceptions. I deleted the certificate stored in Thunderbird (Windows version) and then obtained it again under Manage Certificates and added the security exception. This did not help. In addition, the log file above implies that the certificate dialog went OK.

If I add `cram-md5` as a supported authentication mechanism, I will additionally get `auth: Fatal: CRAM-MD5 mechanism can't be supported with given passdbs` in the log.

What am I not seeing or what am I misunderstanding or doing wrong? How do I make it work?


Modified by MikkoP
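Added example, not part of the original post: a triage script for the `imap-login` summary lines Dovecot writes when a connection ends. It separates a TLS handshake failure from the case in the log above, where TLS is established and the client closes without ever sending credentials. The sample lines are constructed in the format shown in the post, and the `triage` function name is an assumption.

```python
import re

# Constructed sample in the format of the journal output above
# (host name, addresses, user and session ids are made up).
P = "Sep 21 21:43:58 mail.example dovecot[31705]: imap-login: "
SAMPLE = [
    P + "Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully",
    P + "Aborted login (no auth attempts in 0 secs): user=<>, rip=192.0.2.53, "
        "lip=192.0.2.9, TLS, session=<AAAAAAAAAAAAAAAA>",
    P + "Disconnected (no auth attempts in 1 secs): user=<>, rip=192.0.2.60, "
        "lip=192.0.2.9, TLS handshaking: SSL_accept() failed, session=<BBBBBBBBBBBBBBBB>",
    P + "Aborted login (auth failed, 1 attempts in 2 secs): user=<alice>, "
        "method=PLAIN, rip=192.0.2.61, lip=192.0.2.9, TLS, session=<CCCCCCCCCCCCCCCC>",
    P + "Login: user=<alice>, method=PLAIN, rip=192.0.2.62, lip=192.0.2.9, "
        "mpid=4242, TLS, session=<DDDDDDDDDDDDDDDD>",
]

# Summary line that imap-login writes on login or when a connection ends.
SUMMARY = re.compile(
    r"imap-login: (?P<event>Login|Aborted login|Disconnected)"
    r"(?: \((?P<reason>[^)]*)\))?: (?P<fields>.*)$")
RIP = re.compile(r"\brip=([^,\s]+)")

def triage(lines):
    """Return one dict per summary line with the client address and a verdict."""
    results = []
    for line in lines:
        m = SUMMARY.search(line)
        if not m:
            continue  # per-step "Debug: SSL:" lines carry no session id, skip them
        fields = [f.strip() for f in m["fields"].split(",")]
        reason = m["reason"] or ""
        rip = RIP.search(m["fields"])
        handshaking = any(f.startswith("TLS handshaking") for f in fields)
        tls = any(f == "TLS" or f.startswith("TLS:") for f in fields)
        if m["event"] == "Login":
            verdict = "authenticated"
        elif handshaking:
            verdict = "TLS handshake did not complete"
        elif "no auth attempts" in reason:
            verdict = ("TLS established" if tls else "no TLS") + ", client never sent credentials"
        elif "auth failed" in reason:
            verdict = "credentials rejected"
        else:
            verdict = "other: " + reason
        results.append({"rip": rip.group(1) if rip else None, "tls": tls, "verdict": verdict})
    return results
```

A verdict of "TLS established, client never sent credentials" means the server finished its side of the handshake and then saw the connection close before any LOGIN or AUTHENTICATE command, so the next place to look is the client.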

All Replies (4)


That log is so dense as to be impenetrable. Is your SSL using a self-signed certificate? Thunderbird does not accept them.


I have added double paragraph breaks to make the log more legible.

The server is using a Letsencrypt certificate, which is readily accepted by Firefox (and also Thunderbird; click Manage Certificates, Add Exception, Get Certificate says that the certificate is already valid).


Perhaps try logging the Thunderbird side and see what Thunderbird thinks is happening.

https://wiki.mozilla.org/MailNews:Logging


Thank you for the instructions on generating the log file. Curiously enough, the log file does get generated and it contains entries related to existing e-mail accounts that work perfectly and absolutely NOTHING (not a single line) related to the attempt to create the account that would connect to the Dovecot server.

EDIT: I set the options IMAP:5,timestamp.

EDIT 2: Connection with Galaxy S8's stock e-mail client works.

Modified by MikkoP