[GH-ISSUE #277] Cannot create new Mailbox or set Password #227

Closed
opened 2026-02-26 09:36:54 +03:00 by kerem · 6 comments

Originally created by @huddx01 on GitHub (Feb 18, 2021).
Original GitHub issue: https://github.com/opensolutions/ViMbAdmin/issues/277

Hi,

I cannot create new Mailboxes or set another password for the mailboxes since I modified something in the config...

It seems that the "doveadm pw" fails... but if I run it as root, it works...

Example:

```
/usr/bin/doveadm pw -s 'SHA512-CRYPT' -u 'xxx@mydomain.com' -p 'myPass12345678!'
{SHA512-CRYPT}$6$oLZ5VcgQoAoYleSu$5B71l9rHAkjkVKyCDFbGAdu6OwkeyYlh00ukniQkwcWZFc3JN8.EqwdhwRC6J5u.NSSuTvVy8pJuLpOPyjIo61
```

If I try it with the www-data privileges, it fails:

```
runuser -u www-data -- /usr/bin/doveadm pw -s 'SHA512-CRYPT' -u -u 'xxx@mydomain.com' -p 'myPass12345678!'
doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 144: ssl_cert: Can't open file /etc/letsencrypt/live/mydomain.com/fullchain.pem: Permission denied
```

I know it seems to be something with the access rights to the LE certificates... But other apache-vhosts have no problem accessing it...

Maybe someone has a hint?

Thanks in advance!

```
2021-02-18T21:49:26+01:00 DEBUG (7): Logger instantiated
2021-02-18T21:49:26+01:00 DEBUG (7): 

2021-02-18T21:49:26+01:00 DEBUG (7): ErrorController::errorAction()
2021-02-18T21:49:26+01:00 ERR (3): 

************************************************************************
****************************** EXCEPTIONS *******************************
************************************************************************

--------------------------- EXCEPTION --------------------------

Message: Error executing Dovecot password command: /usr/bin/doveadm pw -s 'SHA512-CRYPT' -u xxx@mydomain.com' -p 'myPass12345678!'
Line: 57
File: /srv/vimbadmin/library/ViMbAdmin/Dovecot.php

Trace:

#0 /srv/vimbadmin/library/OSS/Auth/Password.php(97): ViMbAdmin_Dovecot::password()
#1 /srv/vimbadmin/application/controllers/MailboxController.php(316): OSS_Auth_Password::hash()
#2 /srv/vimbadmin/vendor/shardj/zf1-future/library/Zend/Controller/Action.php(516): MailboxController->addAction()
#3 /srv/vimbadmin/vendor/shardj/zf1-future/library/Zend/Controller/Dispatcher/Standard.php(308): Zend_Controller_Action->dispatch()
#4 /srv/vimbadmin/vendor/shardj/zf1-future/library/Zend/Controller/Front.php(954): Zend_Controller_Dispatcher_Standard->dispatch()
#5 /srv/vimbadmin/vendor/shardj/zf1-future/library/Zend/Application/Bootstrap/Bootstrap.php(105): Zend_Controller_Front->dispatch()
#6 /srv/vimbadmin/vendor/shardj/zf1-future/library/Zend/Application.php(384): Zend_Application_Bootstrap_Bootstrap->run()
#7 /srv/vimbadmin/public/index.php(34): Zend_Application->run()
#8 {main}
```


kerem closed this issue 2026-02-26 09:36:54 +03:00

@barryo commented on GitHub (Feb 19, 2021):

Hi @huddx01

This looks a bit awkward.

> But other apache-vhosts have no problem accessing to it...

I take it you mean they have no issue accessing the LE certs for SSL? Which would be correct because Apache kicks off as root, accesses what it needs and drops to the `www-data` user then.

My inclination would be to configure sudo so that your config becomes something like:

```
defaults.mailbox.dovecot_pw_binary = "/usr/bin/sudo /usr/bin/doveadm pw"
```

and your (for example) `/etc/sudoers.d/vimbadmin` might have **(untested, read the docs)**:

```
www-data  ALL = (ALL) NOPASSWD: /usr/bin/doveadm pw *
```

@huddx01 commented on GitHub (Feb 19, 2021):

@barryo

Yes, there are no issues with LE certs for SSL...

So, I completely renewed the LE cert for the vimbadmin domain. After this, it still didn't work...

But I followed your good idea to add the www-data user into the sudoers for the doveadm command.
And it works now!

Ok - it's a workaround for now. Thank you so far.
But something seems to be weird...

I will reinstall the vimbadmin stuff completely. Maybe in a few days...


@sdellenb commented on GitHub (Oct 23, 2021):

The problem is that doveadm loads the full dovecot configuration, but is unable to load the certificates specified, because they're (correctly) only accessible by root. They are not needed for doveadm functionality.

I tried overriding doveadm parameters with `-o ssl=no -o ssl_cert=''` as per the man page, but they were ignored.

A better solution would be to do this: https://github.com/postfixadmin/postfixadmin/issues/398#issuecomment-843124406


@mulderij commented on GitHub (Mar 6, 2022):

An alternative I use with postfixadmin is through php_crypt and then modify the Dovecot password query against MariaDB. This could be possible with ViMbAdmin.

*/etc/postfixadmin/config.local.php*

```
$CONF['encrypt'] = 'php_crypt:SHA512';
```

*/etc/dovecot/dovecot-sql.conf.ext*

```
password_query = \
  SELECT \
  CASE \
    WHEN LEFT(password,4) = '$2y$' THEN CONCAT('{CRYPT}', password) \
    WHEN LEFT(password,3) = '$6$' THEN CONCAT('{SHA512-CRYPT}', password) \
    WHEN LEFT(password,3) = '$5$' THEN CONCAT('{SHA256-CRYPT}', password) \
    WHEN LEFT(password,3) = '$1$' THEN CONCAT('{MD5-CRYPT}', password) \
  END AS password \
  FROM mailbox \
  WHERE username='%u'
```

This doesn't add the string for the encryption method in the database, but adds it in the result returned to Dovecot. For some unclear reason Dovecot needs this (the `$<code>$` should have been enough). Of course if you are only using sha512 not all rewrite cases are necessary, but they don't hurt...
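
The approach in the comment above, sketched as an added example that is not part of the original thread and not ViMbAdmin or postfixadmin code: the hash is produced in-process with PHP's `crypt()`, so `www-data` needs neither a sudo rule nor read access to Dovecot's configuration, and the plaintext password never appears in a command line. The function names `hash_sha512_crypt` and `dovecot_tagged` are hypothetical, and the password is a constructed sample.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helper names, not ViMbAdmin or postfixadmin code.

/** Hash a password as SHA512-CRYPT ($6$) in-process with PHP's crypt(). */
function hash_sha512_crypt(string $password): string
{
    // 12 random bytes -> 16 base64 characters; map '+' to '.' so the salt
    // stays inside the crypt(3) alphabet [./0-9A-Za-z].
    $salt = strtr(base64_encode(random_bytes(12)), '+', '.');
    $hash = crypt($password, '$6$' . $salt . '$');
    // On failure crypt() returns a short marker string, never a "$6$" hash.
    if (strncmp($hash, '$6$', 3) !== 0) {
        throw new RuntimeException('SHA512-CRYPT is not available');
    }
    return $hash;
}

/** Add the Dovecot scheme tag, mirroring the CASE in the password_query. */
function dovecot_tagged(string $hash): string
{
    $schemes = [
        '$2y$' => '{CRYPT}',
        '$6$'  => '{SHA512-CRYPT}',
        '$5$'  => '{SHA256-CRYPT}',
        '$1$'  => '{MD5-CRYPT}',
    ];
    foreach ($schemes as $prefix => $tag) {
        if (strncmp($hash, $prefix, strlen($prefix)) === 0) {
            return $tag . $hash;
        }
    }
    // The SQL CASE yields NULL for an unknown prefix; fail loudly here instead.
    throw new InvalidArgumentException('Unrecognised hash prefix');
}

// Constructed sample password, for illustration only.
$stored = hash_sha512_crypt('constructed-sample-password');
echo dovecot_tagged($stored), PHP_EOL;

// Verification re-hashes the candidate with the stored salt and compares
// the two strings in constant time.
var_dump(hash_equals($stored, crypt('constructed-sample-password', $stored)));
var_dump(hash_equals($stored, crypt('wrong-password', $stored)));
```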


@barryo commented on GitHub (Apr 1, 2022):

Time out closing on this - please reopen if help still required.


@s-a-s-k-i-a commented on GitHub (Apr 17, 2023):

Is this fixed in vimbadmin 3.4.x?
As I am seeing this currently in my Vimbadmin 3.3.1 installation and I have not implemented any workaround yet.
