Solved

Cannot login to dovecot after renaming mysql root

Posted on 2009-04-05
9
535 Views
Last Modified: 2013-11-10
As part of hardening procedure, I need to rename root account in mysql.user table.
When I do that however, I cannot log in to dovecot. The error was "invalid username or password". Without any changes made, when I revert the username to "root", i could log in to dovecot again.

I am on Solaris 10 and using mysql 5.1.32
0
Comment
Question by:QLJ
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
9 Comments
 
LVL 15

Expert Comment

by:oobayly
ID: 24076344
Well, as part of your hardening procedure I'd highly recommend using a dedicated user for dovecot, rather than root (no matter what name you change it to).

You should just have to edit your /etc/dovecot-mysql.conf, and update the db_user parameter
0
 
LVL 1

Author Comment

by:QLJ
ID: 24083229
but the dovecot-mysql.conf is already using a non-root login.

When I tried to execute the query command in mysql using the above-mentioned account credentials, i get a permission error.
0
 
LVL 15

Expert Comment

by:oobayly
ID: 24085195
OK, I had assumed you were using root for dovecot too, as it have stopped working when you changed root's name.

Can you verify that the credentials dovecot is using are correct in the mysql.user table? It sounds like the credentials have been altered somehow.


SELECT user, host, password, (password = PASSWORD('foobar')) AS valid FROM mysql.user WHERE user = 'test';
 
SET PASSWORD FOR 'test'@'%.example.com' = PASSWORD('foobarbaz');

Open in new window

0
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

 
LVL 1

Author Comment

by:QLJ
ID: 24145600
yup. it is correct. fyi, i am using MD5('foobar') instead of PASSWORD('foobar')

I did a ps -ef and shows 2 related processes:
#  ps -ef |grep sql
    root   468     1   0 15:11:21 ?           0:00 /bin/sh /opt/mysql/mysql/bin/mysqld_safe --datadir=/opt/mysql/mysql/data --user
   mysql   555   468   0 15:11:25 ?           0:05 /opt/mysql/mysql/bin/mysqld --basedir=/opt/mysql/mysql --datadir=/opt/mysql/mys
    root  1124  1117   0 15:54:04 pts/4       0:00 grep sql

the process started by system root.... is it possible that it is trying to do something using the mysql's root acct?
0
 
LVL 15

Expert Comment

by:oobayly
ID: 24146225
I wasn't aware that you could use md5 for hashing mysql user passwords. Can you explain how you've done that as surely the server has to be told to use md5 instead of password when authenticating users.
Also, if you're using md5, why not sha1?

As for the process, the system root and the mysql root accounts are completely different. mysqld_safe runs as root on my account, it then runs mysqld using the linux user mysql. My system runs almost the exact same way.
http://dev.mysql.com/doc/refman/5.1/en/mysqld-safe.html
0
 
LVL 1

Author Comment

by:QLJ
ID: 24146261
because I am using dovecot, i defined the use of plain-md5 in dovecot-sql.conf file.
0
 
LVL 15

Accepted Solution

by:
oobayly earned 80 total points
ID: 24146369
This is where I think there may be a problem, correct me if any of these assumptions are incorrect:
  • You created a database on the MySql server for Dovecot to use
  • You created a MySql user so that Dovecot can login
  • The Dovecot database there is a table that contains the user's detauls: Name, Password, mailbox location etc.
  • You're using MD5 hashing for the mailbox users
I think you're mixing up the mysql.user table with the dovecot.user table, this is how the Dovecot user authentication should work:
  1. User connects to Dovecot, and gives over username & password (Bob & mypass)
  2. Dovecot connects to MySql server using username & password in config file.
  3. MySql authenticates dovcecot using the mysql.user table
  4. Dovecot now can execute the query specified in the config file, passing "Bob" & "mypass" as parameters for the query. This query is not run against the mysql.user table, but on the dovecot.user table
  5. If the server returns a matching record, Dovecot knows the user is valid and lets them access their mailbox
Passwords in mysql.user should be hashed using the Password function as this is the mechanism by which the server authenticates users. Whereas you should hash the password in the dovecot.user table using MD5




0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
Creating and Managing Databases with phpMyAdmin in cPanel.
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question