[GH-ISSUE #95] Password generation/changing error using dovecot:SHA512-CRYPT #73

Closed
opened 2026-02-26 09:35:38 +03:00 by kerem · 4 comments
Owner

Originally created by @mykelu on GitHub (Jun 14, 2014).
Original GitHub issue: https://github.com/opensolutions/ViMbAdmin/issues/95

#0 /usr/local/vimbadmin/vendor/opensolutions/oss-framework/src/OSS/Auth/Password.php(90): ViMbAdmin_Dovecot::password('SHA512-CRYPT', 'xxxxxxxx+', 'xxxxxxxx...')
#1 /usr/local/vimbadmin/application/controllers/MailboxController.php(317): OSS_Auth_Password::hash('xxxxxxxx+', Array)
#2 /usr/local/vimbadmin/vendor/zendframework/zendframework1/library/Zend/Controller/Action.php(516): MailboxController->addAction()
#3 /usr/local/vimbadmin/vendor/zendframework/zendframework1/library/Zend/Controller/Dispatcher/Standard.php(308): Zend_Controller_Action->dispatch('addAction')
#4 /usr/local/vimbadmin/vendor/zendframework/zendframework1/library/Zend/Controller/Front.php(954): Zend_Controller_Dispatcher_Standard->dispatch(Object(Zend_Controller_Request_Http), Object(Zend_Controller_Response_Http))
#5 /usr/local/vimbadmin/vendor/zendframework/zendframework1/library/Zend/Application/Bootstrap/Bootstrap.php(101): Zend_Controller_Front->dispatch()
#6 /usr/local/vimbadmin/vendor/zendframework/zendframework1/library/Zend/Application.php(366): Zend_Application_Bootstrap_Bootstrap->run()
#7 /usr/local/vimbadmin/public/index.php(34): Zend_Application->run()
#8 {main}

kerem closed this issue 2026-02-26 09:35:39 +03:00

@0xFFFFFFFFFFFFFFFF commented on GitHub (Jan 23, 2015):

I also stumbled on this problem, and I made a workaround (my guess is that the user www-data is running the php-fpm process, so it doesn't have permission to run doveadm).

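```
defaults.mailbox.dovecot_pw_binary = "/usr/bin/sudo /opt/doveadm_pw.sh"
```

/opt/doveadm_pw.sh

```
#!/bin/bash
# Quote "$@" so arguments containing spaces or glob characters reach doveadm unchanged.
/usr/bin/doveadm pw "$@"
```

/etc/sudoers

```
www-data ALL=(root) NOPASSWD: /opt/doveadm_pw.sh
```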

P.S.: I am unaware of the security implications of doing it this way. If anyone knows a more secure way, please point it out.


@reissmann commented on GitHub (Jul 8, 2015):

Same problem here. I'm not sure what exactly is causing this, yet.

I see this message in the apache2 error logfile:

```
doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 98: No matches
```

Which is this line:

```
!include conf.d/*.conf
```

Even setting the full path there still results in the same error message.


@reissmann commented on GitHub (Jul 8, 2015):

Ok, @0xFFFFFFFFFFFFFFFF is completely right about the permission problem - and I have no better idea to solve it :)

However, as long as you only want to use SHA512-CRYPT, you could just configure this:

```
defaults.mailbox.password_scheme = "crypt:sha512"
```

@sdellenb commented on GitHub (Jul 16, 2015):

In my case, this error was caused by SELinux preventing doveadm from accessing the files in /etc/dovecot.

`sudo -u nginx /usr/bin/doveadm pw -s 'SHA512-CRYPT' -u 'something@somewhere.com' -p 'password'` (the command line that's passed by ViMbAdmin) worked fine, so it had to be something else.

/var/log/audit/audit.log (I always check SELinux last 😛) had entries suggesting that doveadm was called from httpd_t context, and not allowed to access the dovecot_etc_t context of the dovecot config files.
This TE file solved it for me:

```
# doveadm.te
# This module is required to get ViMbAdmin working correctly with the
# dovecot:SHA512-CRYPT password scheme.
# Since it's being called from a httpd_t context, doveadm cannot access
# the dovecot_etc_t context of the config files.
# See also https://github.com/opensolutions/ViMbAdmin/issues/95

module doveadm 1.0;

require {
        type dovecot_etc_t;
        type httpd_t;
        class file { read getattr open };
        class dir read;
}

#============= httpd_t ==============
allow httpd_t dovecot_etc_t:file { read getattr open };
allow httpd_t dovecot_etc_t:dir read;
```

Compile and install it with

```
checkmodule -M -m -o doveadm.mod doveadm.te
semodule_package -o doveadm.pp -m doveadm.mod
semodule -i doveadm.pp
```

And now it's working!
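
An added example, not part of the original comment or the ViMbAdmin project: a Python check that reads AVC denials of the kind described above, collects what `httpd_t` was denied, and compares that with what the `doveadm.te` module grants. The audit log lines are constructed, and `summarize_denials` and `missing_from_policy` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample lines: pids, inodes and timestamps are invented.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1437033600.101:901): avc:  denied  { read } for  pid=2211 comm="doveconf" name="conf.d" dev="dm-0" ino=5001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
type=AVC msg=audit(1437033600.102:902): avc:  denied  { getattr } for  pid=2211 comm="doveconf" path="/etc/dovecot/dovecot.conf" dev="dm-0" ino=5002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
type=AVC msg=audit(1437033600.103:903): avc:  denied  { read open } for  pid=2211 comm="doveconf" path="/etc/dovecot/dovecot.conf" dev="dm-0" ino=5002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1437033600.103:903): arch=c000003e syscall=2 success=no exit=-13 comm="doveconf"
type=AVC msg=audit(1437033601.200:910): avc:  denied  { write } for  pid=3000 comm="sshd" name="x" dev="dm-0" ino=7 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
"""

# What the doveadm.te module quoted above grants to httpd_t.
MODULE_GRANTS = {
    ("httpd_t", "dovecot_etc_t", "file"): {"read", "getattr", "open"},
    ("httpd_t", "dovecot_etc_t", "dir"): {"read"},
}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\w+)"
)

def context_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]

def summarize_denials(log_text, source_type="httpd_t"):
    """Map (source type, target type, class) -> set of denied permissions."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if match and context_type(match["src"]) == source_type:
            key = (source_type, context_type(match["tgt"]), match["cls"])
            denied[key].update(match["perms"].split())
    return dict(denied)

def missing_from_policy(denied, granted):
    """Return denied permissions that the granted rules do not cover."""
    gaps = {}
    for key, perms in denied.items():
        uncovered = perms - granted.get(key, set())
        if uncovered:
            gaps[key] = uncovered
    return gaps
```

An empty result from `missing_from_policy(summarize_denials(log_text), MODULE_GRANTS)` means every logged `httpd_t` denial is covered by the module's two allow rules.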
