• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 557
  • Last Modified:

Cannot login to dovecot after renaming mysql root

As part of hardening procedure, I need to rename root account in mysql.user table.
When I do that however, I cannot log in to dovecot. The error was "invalid username or password". Without any changes made, when I revert the username to "root", i could log in to dovecot again.

I am on Solaris 10 and using mysql 5.1.32
0
QLJ
Asked:
QLJ
  • 4
  • 3
1 Solution
 
oobaylyCommented:
Well, as part of your hardening procedure I'd highly recommend using a dedicated user for dovecot, rather than root (no matter what name you change it to).

You should just have to edit your /etc/dovecot-mysql.conf, and update the db_user parameter
0
 
QLJAuthor Commented:
but the dovecot-mysql.conf is already using a non-root login.

When I tried to execute the query command in mysql using the above-mentioned account credentials, i get a permission error.
0
 
oobaylyCommented:
OK, I had assumed you were using root for dovecot too, as it have stopped working when you changed root's name.

Can you verify that the credentials dovecot is using are correct in the mysql.user table? It sounds like the credentials have been altered somehow.


SELECT user, host, password, (password = PASSWORD('foobar')) AS valid FROM mysql.user WHERE user = 'test';
 
SET PASSWORD FOR 'test'@'%.example.com' = PASSWORD('foobarbaz');

Open in new window

0
The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

 
QLJAuthor Commented:
yup. it is correct. fyi, i am using MD5('foobar') instead of PASSWORD('foobar')

I did a ps -ef and shows 2 related processes:
#  ps -ef |grep sql
    root   468     1   0 15:11:21 ?           0:00 /bin/sh /opt/mysql/mysql/bin/mysqld_safe --datadir=/opt/mysql/mysql/data --user
   mysql   555   468   0 15:11:25 ?           0:05 /opt/mysql/mysql/bin/mysqld --basedir=/opt/mysql/mysql --datadir=/opt/mysql/mys
    root  1124  1117   0 15:54:04 pts/4       0:00 grep sql

the process started by system root.... is it possible that it is trying to do something using the mysql's root acct?
0
 
oobaylyCommented:
I wasn't aware that you could use md5 for hashing mysql user passwords. Can you explain how you've done that as surely the server has to be told to use md5 instead of password when authenticating users.
Also, if you're using md5, why not sha1?

As for the process, the system root and the mysql root accounts are completely different. mysqld_safe runs as root on my account, it then runs mysqld using the linux user mysql. My system runs almost the exact same way.
http://dev.mysql.com/doc/refman/5.1/en/mysqld-safe.html
0
 
QLJAuthor Commented:
because I am using dovecot, i defined the use of plain-md5 in dovecot-sql.conf file.
0
 
oobaylyCommented:
This is where I think there may be a problem, correct me if any of these assumptions are incorrect:
  • You created a database on the MySql server for Dovecot to use
  • You created a MySql user so that Dovecot can login
  • The Dovecot database there is a table that contains the user's detauls: Name, Password, mailbox location etc.
  • You're using MD5 hashing for the mailbox users
I think you're mixing up the mysql.user table with the dovecot.user table, this is how the Dovecot user authentication should work:
  1. User connects to Dovecot, and gives over username & password (Bob & mypass)
  2. Dovecot connects to MySql server using username & password in config file.
  3. MySql authenticates dovcecot using the mysql.user table
  4. Dovecot now can execute the query specified in the config file, passing "Bob" & "mypass" as parameters for the query. This query is not run against the mysql.user table, but on the dovecot.user table
  5. If the server returns a matching record, Dovecot knows the user is valid and lets them access their mailbox
Passwords in mysql.user should be hashed using the Password function as this is the mechanism by which the server authenticates users. Whereas you should hash the password in the dovecot.user table using MD5




0

Featured Post

Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now