Solved

Cannot login to dovecot after renaming mysql root

Posted on 2009-04-05
9
532 Views
Last Modified: 2013-11-10
As part of hardening procedure, I need to rename root account in mysql.user table.
When I do that however, I cannot log in to dovecot. The error was "invalid username or password". Without any changes made, when I revert the username to "root", i could log in to dovecot again.

I am on Solaris 10 and using mysql 5.1.32
0
Comment
Question by:QLJ
  • 4
  • 3
9 Comments
 
LVL 15

Expert Comment

by:oobayly
ID: 24076344
Well, as part of your hardening procedure I'd highly recommend using a dedicated user for dovecot, rather than root (no matter what name you change it to).

You should just have to edit your /etc/dovecot-mysql.conf, and update the db_user parameter
0
 
LVL 1

Author Comment

by:QLJ
ID: 24083229
but the dovecot-mysql.conf is already using a non-root login.

When I tried to execute the query command in mysql using the above-mentioned account credentials, i get a permission error.
0
 
LVL 15

Expert Comment

by:oobayly
ID: 24085195
OK, I had assumed you were using root for dovecot too, as it have stopped working when you changed root's name.

Can you verify that the credentials dovecot is using are correct in the mysql.user table? It sounds like the credentials have been altered somehow.


SELECT user, host, password, (password = PASSWORD('foobar')) AS valid FROM mysql.user WHERE user = 'test';
 
SET PASSWORD FOR 'test'@'%.example.com' = PASSWORD('foobarbaz');

Open in new window

0
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

 
LVL 1

Author Comment

by:QLJ
ID: 24145600
yup. it is correct. fyi, i am using MD5('foobar') instead of PASSWORD('foobar')

I did a ps -ef and shows 2 related processes:
#  ps -ef |grep sql
    root   468     1   0 15:11:21 ?           0:00 /bin/sh /opt/mysql/mysql/bin/mysqld_safe --datadir=/opt/mysql/mysql/data --user
   mysql   555   468   0 15:11:25 ?           0:05 /opt/mysql/mysql/bin/mysqld --basedir=/opt/mysql/mysql --datadir=/opt/mysql/mys
    root  1124  1117   0 15:54:04 pts/4       0:00 grep sql

the process started by system root.... is it possible that it is trying to do something using the mysql's root acct?
0
 
LVL 15

Expert Comment

by:oobayly
ID: 24146225
I wasn't aware that you could use md5 for hashing mysql user passwords. Can you explain how you've done that as surely the server has to be told to use md5 instead of password when authenticating users.
Also, if you're using md5, why not sha1?

As for the process, the system root and the mysql root accounts are completely different. mysqld_safe runs as root on my account, it then runs mysqld using the linux user mysql. My system runs almost the exact same way.
http://dev.mysql.com/doc/refman/5.1/en/mysqld-safe.html
0
 
LVL 1

Author Comment

by:QLJ
ID: 24146261
because I am using dovecot, i defined the use of plain-md5 in dovecot-sql.conf file.
0
 
LVL 15

Accepted Solution

by:
oobayly earned 80 total points
ID: 24146369
This is where I think there may be a problem, correct me if any of these assumptions are incorrect:
  • You created a database on the MySql server for Dovecot to use
  • You created a MySql user so that Dovecot can login
  • The Dovecot database there is a table that contains the user's detauls: Name, Password, mailbox location etc.
  • You're using MD5 hashing for the mailbox users
I think you're mixing up the mysql.user table with the dovecot.user table, this is how the Dovecot user authentication should work:
  1. User connects to Dovecot, and gives over username & password (Bob & mypass)
  2. Dovecot connects to MySql server using username & password in config file.
  3. MySql authenticates dovcecot using the mysql.user table
  4. Dovecot now can execute the query specified in the config file, passing "Bob" & "mypass" as parameters for the query. This query is not run against the mysql.user table, but on the dovecot.user table
  5. If the server returns a matching record, Dovecot knows the user is valid and lets them access their mailbox
Passwords in mysql.user should be hashed using the Password function as this is the mechanism by which the server authenticates users. Whereas you should hash the password in the dovecot.user table using MD5




0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
PHP: Insert Data into MySQL 5 40
when to use sequences in mysql 4 29
ignore other .htaccess 2 45
Migrating php-mysql-jquery application to Microsoft Azure Cloud 7 30
Creating and Managing Databases with phpMyAdmin in cPanel.
Load balancing is the method of dividing the total amount of work performed by one computer between two or more computers. Its aim is to get more work done in the same amount of time, ensuring that all the users get served faster.
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question