[GH-ISSUE #2084] Default password scheme list is empty #1520

Closed
opened 2026-02-27 11:17:32 +03:00 by kerem · 10 comments

Originally created by @bosgold on GitHub (Nov 20, 2020).
Original GitHub issue: https://github.com/modoboa/modoboa/issues/2084

Originally assigned to: @tonioo on GitHub.

Impacted versions

  • OS Type: Debian/Ubuntu
  • OS Version: Ubuntu 18.04
  • Modoboa: 1.17.0
  • Webserver: Nginx
  • Dovecot: 2.3.11.3

Current behavior

Modoboa -> Parameters -> General
Default password scheme drop down list is empty but "This field is required".

root # doveadm pw -l
SHA1 SSHA512 SCRAM-SHA-256 BLF-CRYPT PLAIN HMAC-MD5 OTP SHA512 SHA RPA DES-CRYPT CRYPT SSHA MD5-CRYPT SKEY PLAIN-MD4 PLAIN-MD5 SCRAM-SHA-1 LANMAN SHA512-CRYPT CLEAR CLEARTEXT ARGON2I ARGON2ID SSHA256 NTLM MD5 PBKDF2 SHA256 CRAM-MD5 PLAIN-TRUNC SHA256-CRYPT SMD5 DIGEST-MD5 LDAP-MD5

modoboa # doveadm pw -l
doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 18: ssl_key: Can't open file /etc/dovecot/private/dovecot.key.pem: Permission denied

/etc/dovecot/conf.d/10-ssl.conf
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root.

Thus when sticking to the advice by Dovecot the command "doveadm pw -l" won't work for the modoboa user. And the "default password scheme" list stays empty.

kerem 2026-02-27 11:17:32 +03:00
  • closed this issue
  • added the bug label

@tonioo commented on GitHub (Dec 4, 2020):

@bosgold How did you install Modoboa? You need some sudo configuration to make this work.


@fyryNy commented on GitHub (Dec 16, 2020):

Hi, I had the same problem on Ubuntu 20.10, so if someone is struggling with this, this is what I did to fix it:

Edit "/etc/dovecot/dovecot-sql.conf.ext"
Find and uncomment #default_pass_scheme = MD5 and change to "default_pass_scheme = CRYPT" (or just add this line to config file)
Restart services.

It worked for me, so I hope it would work for someone else.


@bosgold commented on GitHub (Dec 16, 2020):

> @bosgold How did you install Modoboa? You need some sudo configuration to make this work.

Installation was using the modoboa-installer. Sometime in 2018.
This problem, however, only came up when upgrading from Modoboa 1.15 to 1.17. Not sure when I was last on the "Parameters - configure Modoboa" page, maybe not with version 1.15 but surely no later than 1.13 or 1.14. And back then it still worked.

Following runs as a crontab

# Operations on mailboxes
*       *       *       *       *       vmail   $PYTHON $INSTANCE/manage.py handle_mailbox_operations

"The cron script must be executed by the system user owning the mailboxes." -> system user: vmail


@tonioo commented on GitHub (Jan 27, 2021):

@bosgold Have you tried to run sudo doveadm pw -l as modoboa user?


@reesing322 commented on GitHub (Feb 6, 2021):

As I have the same problem, I can answer this:

modoboa@mail:~$ sudo doveadm pw -l
[sudo] password for modoboa:
Sorry, user modoboa is not allowed to execute '/usr/bin/doveadm pw -l' as root on <host>.

In the modoboa sudoers file is only this:

# This file was automatically installed on 2021-02-02T18:16:57.800271
modoboa ALL=(vmail) NOPASSWD: /usr/bin/doveadm

This is on a rather fresh install, I've used the installer to install modoboa on a clean latest Ubuntu Server.
I think after the installation, when I was first checking out the website, I've seen 2 options (plain and one of the crypts),
but since I've added a first domain, the 'default password scheme' remains empty, and prevents saves to the parameters section.


@bosgold commented on GitHub (Feb 7, 2021):

Same result for me as @reesing322 when I try
modoboa@mail:~$ sudo doveadm pw -l

Also the same /etc/sudoers.d/modoboa content. And this brought me to the idea to try

modoboa@mail:~$ sudo -u vmail doveadm pw -l
doveadm(vmail): Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied
SHA1 SSHA512 SCRAM-SHA-256 BLF-CRYPT PLAIN HMAC-MD5 OTP SHA512 SHA RPA DES-CRYPT CRYPT SSHA MD5-CRYPT SKEY PLAIN-MD4 PLAIN-MD5 SCRAM-SHA-1 LANMAN SHA512-CRYPT CLEAR CLEARTEXT ARGON2I ARGON2ID SSHA256 NTLM MD5 PBKDF2 SHA256 CRAM-MD5 PLAIN-TRUNC SHA256-CRYPT SMD5 DIGEST-MD5 LDAP-MD5

At least now without asking for a password.
And when adding the user vmail to the group doveadm the error

doveadm(vmail): Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied

is no longer showing up.

But this changes nothing about the fact that the key file has to be readable by anyone to work.

-rw-r--r-- /etc/dovecot/private/dovecot.key.pem

and not

-rw------- /etc/dovecot/private/dovecot.key.pem

as suggested.

For this the modoboa sudoers file should read

modoboa ALL=(ALL) NOPASSWD: /usr/bin/doveadm

and with this the command

modoboa@mail:~$ sudo doveadm pw -l

will work as effectively equivalent with

modoboa@mail:~$ sudo -u root doveadm pw -l
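
An added example, not part of the original thread or of Modoboa: a read-only shell check for the two settings weighed in the comment above, the key file's mode string and the run-as user of the sudoers rule. The function names are hypothetical, and the demo uses a throwaway temp file and constructed rule lines instead of the real paths.

```shell
#!/bin/sh
# Added example: audit helpers only, nothing on the system is changed
# except a temp file the demo creates and deletes.

# key_exposure FILE -> "private", "group-readable" or "world-readable",
# read from the same mode string that `ls -l` shows (-rw-r--r-- etc.).
key_exposure() {
    [ -e "$1" ] || return 2
    mode=$(ls -ld -- "$1" | cut -c1-10)
    case "$mode" in
        ???????r??) echo "world-readable" ;;
        ????r?????) echo "group-readable" ;;
        *)          echo "private" ;;
    esac
}

# rule_runas LINE -> run-as user of one sudoers rule. A rule with no
# "(...)" spec runs the command as root, which is sudo's default.
rule_runas() {
    runas=$(printf '%s\n' "$1" |
        sed -n 's/^[^#=]*=[[:space:]]*(\([^):]*\).*/\1/p')
    echo "${runas:-root}"
}

# rule_risk LINE -> "skip" for comments/blank lines, "root" when the rule
# can run the command as root, otherwise "scoped:<user>".
# The substring match on ALL/root is deliberately conservative.
rule_risk() {
    case "$1" in ''|'#'*) echo "skip"; return ;; esac
    u=$(rule_runas "$1")
    case "$u" in
        *ALL*|*root*) echo "root" ;;
        *)            echo "scoped:$u" ;;
    esac
}

# Constructed demo: a temp file stands in for dovecot.key.pem.
demo() {
    f=$(mktemp)
    chmod 644 "$f"; echo "mode 644 key: $(key_exposure "$f")"
    chmod 600 "$f"; echo "mode 600 key: $(key_exposure "$f")"
    rm -f "$f"
    echo "installer rule: $(rule_risk 'modoboa ALL=(vmail) NOPASSWD: /usr/bin/doveadm')"
    echo "widened rule:   $(rule_risk 'modoboa ALL=(ALL) NOPASSWD: /usr/bin/doveadm')"
}
demo
```

A rule reported as `root` with a bare `/usr/bin/doveadm` covers every doveadm subcommand, because sudoers only restricts arguments when the rule lists them; a rule written as `/usr/bin/doveadm pw -l` permits only that invocation.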


@reesing322 commented on GitHub (Feb 7, 2021):

@bosgold @tonioo
Indeed, the solution by Bosgold works. The issue with the empty "Default password scheme list" for me is solved by adding vmail to the dovecot group.

@bosgold Your solution for the 'permission denied' issue with the stats-writer might work, however, accessing the private key should not be necessary in this case. I have implemented the solution given here:
https://github.com/postfixadmin/postfixadmin/issues/381
The config reader will no longer fail over the permission issue, and your private key still has the same level of protection.


@greatpilaf commented on GitHub (Apr 29, 2021):

I had the same error, with the next environment:

OS Type: Debian
OS Version: Debian Bullseye
Modoboa: 1.17.0
Webserver: Nginx/1.18.0
Dovecot: 2.3.13
Certificates: self-signed located on /etc/ssl/cert.crt and /etc/ssl/private/cert.key

So, in the modoboa web app, parameters tab, the default password scheme appeared empty, when I was trying to execute:

doveadm pw -l as modoboa user, gave me the error Can't open file /etc/ssl/private/cert.key: Permission denied.

So, I added the modoboa user to the group ssl-cert, after that the modoboa user was able to read the key, but the next error was: Error: net_connect_unix(/run/dovecot/stats-writer) failed: Permission denied, then I added the modoboa user to the dovecot group too, after that and restarting the services, the default password scheme showed all available options.

Maybe this can help.


@fpiccinali commented on GitHub (Nov 26, 2021):

For Ubuntu 20.04:

apt install python3-crypto


@MrGeneration commented on GitHub (Apr 13, 2022):

For anyone else bumping their head for like an hour like me.
If you followed the above hints and solved the permission issues, make sure to restart Modoboa's application handler (like e.g. uwsgi).
