Solved

Cannot login to dovecot after renaming mysql root

Posted on 2009-04-05
9
531 Views
Last Modified: 2013-11-10
As part of hardening procedure, I need to rename root account in mysql.user table.
When I do that however, I cannot log in to dovecot. The error was "invalid username or password". Without any changes made, when I revert the username to "root", i could log in to dovecot again.

I am on Solaris 10 and using mysql 5.1.32
0
Comment
Question by:QLJ
  • 4
  • 3
9 Comments
 
LVL 15

Expert Comment

by:oobayly
ID: 24076344
Well, as part of your hardening procedure I'd highly recommend using a dedicated user for dovecot, rather than root (no matter what name you change it to).

You should just have to edit your /etc/dovecot-mysql.conf, and update the db_user parameter
0
 
LVL 1

Author Comment

by:QLJ
ID: 24083229
but the dovecot-mysql.conf is already using a non-root login.

When I tried to execute the query command in mysql using the above-mentioned account credentials, i get a permission error.
0
 
LVL 15

Expert Comment

by:oobayly
ID: 24085195
OK, I had assumed you were using root for dovecot too, as it have stopped working when you changed root's name.

Can you verify that the credentials dovecot is using are correct in the mysql.user table? It sounds like the credentials have been altered somehow.


SELECT user, host, password, (password = PASSWORD('foobar')) AS valid FROM mysql.user WHERE user = 'test';
 

SET PASSWORD FOR 'test'@'%.example.com' = PASSWORD('foobarbaz');

Open in new window

0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 1

Author Comment

by:QLJ
ID: 24145600
yup. it is correct. fyi, i am using MD5('foobar') instead of PASSWORD('foobar')

I did a ps -ef and shows 2 related processes:
#  ps -ef |grep sql
    root   468     1   0 15:11:21 ?           0:00 /bin/sh /opt/mysql/mysql/bin/mysqld_safe --datadir=/opt/mysql/mysql/data --user
   mysql   555   468   0 15:11:25 ?           0:05 /opt/mysql/mysql/bin/mysqld --basedir=/opt/mysql/mysql --datadir=/opt/mysql/mys
    root  1124  1117   0 15:54:04 pts/4       0:00 grep sql

the process started by system root.... is it possible that it is trying to do something using the mysql's root acct?
0
 
LVL 15

Expert Comment

by:oobayly
ID: 24146225
I wasn't aware that you could use md5 for hashing mysql user passwords. Can you explain how you've done that as surely the server has to be told to use md5 instead of password when authenticating users.
Also, if you're using md5, why not sha1?

As for the process, the system root and the mysql root accounts are completely different. mysqld_safe runs as root on my account, it then runs mysqld using the linux user mysql. My system runs almost the exact same way.
http://dev.mysql.com/doc/refman/5.1/en/mysqld-safe.html
0
 
LVL 1

Author Comment

by:QLJ
ID: 24146261
because I am using dovecot, i defined the use of plain-md5 in dovecot-sql.conf file.
0
 
LVL 15

Accepted Solution

by:
oobayly earned 80 total points
ID: 24146369
This is where I think there may be a problem, correct me if any of these assumptions are incorrect:
  • You created a database on the MySql server for Dovecot to use
  • You created a MySql user so that Dovecot can login
  • The Dovecot database there is a table that contains the user's detauls: Name, Password, mailbox location etc.
  • You're using MD5 hashing for the mailbox users
I think you're mixing up the mysql.user table with the dovecot.user table, this is how the Dovecot user authentication should work:
  1. User connects to Dovecot, and gives over username & password (Bob & mypass)
  2. Dovecot connects to MySql server using username & password in config file.
  3. MySql authenticates dovcecot using the mysql.user table
  4. Dovecot now can execute the query specified in the config file, passing "Bob" & "mypass" as parameters for the query. This query is not run against the mysql.user table, but on the dovecot.user table
  5. If the server returns a matching record, Dovecot knows the user is valid and lets them access their mailbox
Passwords in mysql.user should be hashed using the Password function as this is the mechanism by which the server authenticates users. Whereas you should hash the password in the dovecot.user table using MD5




0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Squid Connection Pools 3 43
route 2 traffic streams on single NIC 6 34
Video Streaming 6 54
Error Message during CentOS 7 Minimal Install 3 33
If you have a server on collocation with the super-fast CPU, that doesn't mean that you get it running at full power. Here is a preamble. When doing inventory of Linux servers, that I'm administering, I've found that some of them are running on l…
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now