auth.log: pam_unix(dovecot:auth): authentication failure

Lately I stumbled upon a lot of error messages in my auth.log that were caused by my webmail and other IMAP-based tools:

less /var/log/auth.log
...
...
Aug 22 20:54:28 vhost335290 auth: pam_unix(dovecot:auth): check pass; user unknown
Aug 22 20:54:28 vhost335290 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=<EMAILADDRESS> rhost=<IPADDRESS>
...
...

My webmail, IMAP and dovecot are fully operational and I can log in without errors, but at the same time there seems to be an authentication error, as seen in auth.log.

First, check the dovecot config:

dovecot -n

The result is

...
...
passdb {
  driver = pam
}
passdb {
  args = scheme=SHA1 /etc/dovecot/users.conf
  driver = passwd-file
}
...
...
userdb {
  driver = passwd
}
userdb {
  args = uid=5000 gid=5000 home=/home/vmail/%d/%n/Maildir allow_all_users=yes
  driver = static
}
...
...

I had two passdb and two userdb sections. Because passdb pam was configured in addition to my passwd-file in /etc/dovecot/users.conf, dovecot tried to authenticate against PAM first and only then against my users.conf.

The first attempt obviously failed and generated the error; the second (against users.conf) succeeded, so my IMAP clients were fully functional despite the auth.log entry.
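To make the "two passdb sections" situation visible without reading the whole config by eye, here is a small diagnostic script. It is an added example and not part of the original post: it parses a constructed excerpt of dovecot -n output (the same sections shown above) and a few constructed auth.log lines with placeholder user and IP values, lists the passdb and userdb backends in the order dovecot tries them, counts the PAM failures that came from dovecot (ignoring other PAM services such as cron), and reports whether PAM is tried before another backend, which is exactly the condition that produces these spurious failures. On a real host you would feed it the output of dovecot -n and /var/log/auth.log instead of the embedded samples.

```shell
#!/bin/sh
# Constructed excerpt of `dovecot -n` output with the two passdb and two
# userdb sections from the post (not a real host's output).
DOVECOT_N='passdb {
  driver = pam
}
passdb {
  args = scheme=SHA1 /etc/dovecot/users.conf
  driver = passwd-file
}
userdb {
  driver = passwd
}
userdb {
  args = uid=5000 gid=5000 home=/home/vmail/%d/%n/Maildir allow_all_users=yes
  driver = static
}'

# Constructed auth.log lines; host, user and IP values are placeholders.
AUTH_LOG='Aug 22 20:54:28 vhost335290 auth: pam_unix(dovecot:auth): check pass; user unknown
Aug 22 20:54:28 vhost335290 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user@example.com rhost=192.0.2.10
Aug 22 20:55:01 vhost335290 CRON[1234]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 22 20:56:12 vhost335290 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=other@example.com rhost=192.0.2.11'

# drivers_of SECTION: print the driver of every SECTION block (passdb or
# userdb) in the order dovecot -n lists them, which is the order dovecot
# tries them. Output is one line, drivers separated by spaces.
drivers_of() {
    printf '%s\n' "$DOVECOT_N" | awk -v want="$1" '
        $1 == want && $2 == "{" { inblock = 1; next }
        inblock && $1 == "driver" { print $3 }
        inblock && $1 == "}"      { inblock = 0 }
    ' | tr '\n' ' ' | sed 's/ $//'
}

# count_sections SECTION: how many SECTION blocks are configured.
count_sections() {
    printf '%s\n' "$DOVECOT_N" | grep -c "^$1 {"
}

# dovecot_pam_failures: PAM authentication failures raised by dovecot only,
# so failures from sshd, cron, sudo and so on are not mixed in.
dovecot_pam_failures() {
    printf '%s\n' "$AUTH_LOG" | grep -c 'pam_unix(dovecot:auth): authentication failure'
}

# verdict: PAM listed before another passdb backend means every login of a
# user who only exists in the second backend first fails in PAM and is logged.
verdict() {
    set -- $(drivers_of passdb)
    if [ "$#" -gt 1 ] && [ "$1" = pam ]; then
        echo "pam is tried first of $# passdb backends: expect pam_unix(dovecot:auth) failures for users that only exist in the later backend"
    else
        echo "single passdb or pam not first: dovecot PAM failures are real login failures"
    fi
}

printf 'passdb order: %s\n' "$(drivers_of passdb)"
printf 'userdb order: %s\n' "$(drivers_of userdb)"
printf 'dovecot PAM failures in sample log: %s\n' "$(dovecot_pam_failures)"
verdict
```

The check only flags the ordering problem; it does not tell you which backend you should keep. Dropping the pam passdb, as done below, means only accounts in users.conf can log in to dovecot any more, which is what you want for a pure virtual-user setup but not if system users also read mail.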

Let’s dig into the dovecot-configuration, where is this other passdb set?

grep ^passdb /etc/dovecot/conf.d/*

The result is

/etc/dovecot/conf.d/99-custom.conf:passdb {
/etc/dovecot/conf.d/auth-checkpassword.conf.ext:passdb {
/etc/dovecot/conf.d/auth-deny.conf.ext:passdb {
/etc/dovecot/conf.d/auth-ldap.conf.ext:passdb {
/etc/dovecot/conf.d/auth-master.conf.ext:passdb {
/etc/dovecot/conf.d/auth-passwdfile.conf.ext:passdb {
/etc/dovecot/conf.d/auth-sql.conf.ext:passdb {
/etc/dovecot/conf.d/auth-system.conf.ext:passdb {
/etc/dovecot/conf.d/auth-vpopmail.conf.ext:passdb {

99-custom.conf is mine, so auth-system.conf.ext must be the one adding the extra sections. Let's back it up first before changing anything:

cp /etc/dovecot/conf.d/auth-system.conf.ext /etc/dovecot/conf.d/auth-system.conf.ext.original

and now comment out the passdb and userdb settings there, as my own 99-custom.conf config file already holds all the settings I need in one place…

vim /etc/dovecot/conf.d/auth-system.conf.ext

...
...
# PAM authentication. Preferred nowadays by most systems.
# PAM is typically used with either userdb passwd or userdb static.
# REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
# authentication to actually work. <doc/wiki/PasswordDatabase.PAM.txt>
#passdb {
#  driver = pam
#  # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
#  # [cache_key=<key>] [<service name>]
#  #args = dovecot
#}
...
...
# System users (NSS, /etc/passwd, or similiar). In many systems nowadays this
# uses Name Service Switch, which is configured in /etc/nsswitch.conf.
#userdb {
#  # <doc/wiki/AuthDatabase.Passwd.txt>
#  driver = passwd
#  # [blocking=no]
#  #args =
#
#  # Override fields from passwd
#  #override_fields = home=/home/virtual/%u
#}

and restart dovecot

/etc/init.d/dovecot restart

Tail on the auth logfile for further errors:

tail -F /var/log/auth.log

while simultaneously working with IMAP, webmail, mail clients, etc. No new entries? OK, we're done here.

BTW: Webmail/IMAP seems to be faster too.