Solved

Cannot login to dovecot after renaming mysql root

Posted on 2009-04-05
Last Modified: 2013-11-10
As part of a hardening procedure, I need to rename the root account in the mysql.user table.
When I do that, however, I cannot log in to dovecot. The error was "invalid username or password". Without any other changes made, when I revert the username to "root", I can log in to dovecot again.

I am on Solaris 10 and using mysql 5.1.32
Question by:QLJ

Expert Comment

by:oobayly
ID: 24076344
Well, as part of your hardening procedure I'd highly recommend using a dedicated user for dovecot, rather than root (no matter what name you change it to).

You should just have to edit your /etc/dovecot-mysql.conf, and update the db_user parameter

Author Comment

by:QLJ
ID: 24083229
But the dovecot-mysql.conf is already using a non-root login.

When I tried to execute the query command in mysql using the above-mentioned account credentials, I get a permission error.

Expert Comment

by:oobayly
ID: 24085195
OK, I had assumed you were using root for dovecot too, as it stopped working when you changed root's name.

Can you verify that the credentials dovecot is using are correct in the mysql.user table? It sounds like the credentials have been altered somehow.

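-- Check whether the stored hash for the account matches the expected password
-- (valid = 1 means the credentials are correct).
SELECT user, host, password, (password = PASSWORD('foobar')) AS valid FROM mysql.user WHERE user = 'test';

-- Reset the password for that account if it does not match.
SET PASSWORD FOR 'test'@'%.example.com' = PASSWORD('foobarbaz');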

LVL 1

Author Comment

by:QLJ
ID: 24145600
Yup, it is correct. FYI, I am using MD5('foobar') instead of PASSWORD('foobar').

I did a ps -ef and it shows 2 related processes:
#  ps -ef |grep sql
    root   468     1   0 15:11:21 ?           0:00 /bin/sh /opt/mysql/mysql/bin/mysqld_safe --datadir=/opt/mysql/mysql/data --user
   mysql   555   468   0 15:11:25 ?           0:05 /opt/mysql/mysql/bin/mysqld --basedir=/opt/mysql/mysql --datadir=/opt/mysql/mys
    root  1124  1117   0 15:54:04 pts/4       0:00 grep sql

The process is started by system root... Is it possible that it is trying to do something using the mysql root acct?

Expert Comment

by:oobayly
ID: 24146225
I wasn't aware that you could use md5 for hashing mysql user passwords. Can you explain how you've done that, as surely the server has to be told to use md5 instead of password when authenticating users?
Also, if you're using md5, why not sha1?

As for the process, the system root and the mysql root accounts are completely different. mysqld_safe runs as root on my account, it then runs mysqld using the linux user mysql. My system runs almost the exact same way.
http://dev.mysql.com/doc/refman/5.1/en/mysqld-safe.html

Author Comment

by:QLJ
ID: 24146261
Because I am using dovecot, I defined the use of plain-md5 in the dovecot-sql.conf file.

Accepted Solution

by:
oobayly earned 80 total points
ID: 24146369
This is where I think there may be a problem, correct me if any of these assumptions are incorrect:
  • You created a database on the MySQL server for Dovecot to use
  • You created a MySQL user so that Dovecot can log in
  • In the Dovecot database there is a table that contains the users' details: name, password, mailbox location etc.
  • You're using MD5 hashing for the mailbox users
I think you're mixing up the mysql.user table with the dovecot.user table. This is how the Dovecot user authentication should work:
  1. User connects to Dovecot, and gives over username & password (Bob & mypass)
  2. Dovecot connects to the MySQL server using the username & password in the config file.
  3. MySQL authenticates Dovecot using the mysql.user table
  4. Dovecot can now execute the query specified in the config file, passing "Bob" & "mypass" as parameters for the query. This query is not run against the mysql.user table, but on the dovecot.user table
  5. If the server returns a matching record, Dovecot knows the user is valid and lets them access their mailbox
Passwords in mysql.user should be hashed using the PASSWORD function, as this is the mechanism by which the server authenticates users, whereas you should hash the password in the dovecot.user table using MD5.




0
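The two credential layers described in the accepted answer, as an added example that is not part of the original thread: a dedicated, SELECT-only MySQL account for Dovecot in mysql.user, and a separate mailbox table in the dovecot database holding MD5 hashes. The account names 'dovecot' and 'dbadmin', the password placeholder, the column names and the sample row are assumptions.

```sql
-- Added example (MySQL 5.1 syntax). Account names, the password placeholder,
-- column names and the sample mailbox row are assumptions, not thread data.

-- Layer 1: server accounts live in mysql.user and are hashed by the server.
-- Dovecot gets its own account instead of sharing the administrative one.
CREATE DATABASE IF NOT EXISTS dovecot;
CREATE USER 'dovecot'@'localhost' IDENTIFIED BY 'CHANGE_ME_service_password';

-- Layer 2: mailbox users live in dovecot.user and are hashed with MD5,
-- matching Dovecot's PLAIN-MD5 scheme mentioned in the thread.
CREATE TABLE dovecot.user (
    username VARCHAR(128) NOT NULL PRIMARY KEY,
    password CHAR(32)     NOT NULL,   -- hex MD5 digest
    home     VARCHAR(255) NOT NULL    -- mailbox location
);
INSERT INTO dovecot.user (username, password, home)
VALUES ('bob', MD5('mypass'), '/var/mail/bob');   -- constructed sample row

-- Least privilege: the service account may only read the mailbox table.
GRANT SELECT ON dovecot.user TO 'dovecot'@'localhost';

-- Dovecot side (dovecot-sql.conf), shown here as comments:
--   driver = mysql
--   connect = host=localhost dbname=dovecot user=dovecot password=CHANGE_ME_service_password
--   default_pass_scheme = PLAIN-MD5
--   password_query = SELECT username AS user, password FROM user WHERE username = '%u'

-- Hardening step from the question: rename the administrative account.
-- The 'dovecot' row in mysql.user is a different account and is not touched.
RENAME USER 'root'@'localhost' TO 'dbadmin'@'localhost';

-- Checks after the rename, run as the administrative account:
-- 1. Both accounts exist as separate rows.
SELECT user, host FROM mysql.user WHERE user IN ('dbadmin', 'dovecot');

-- 2. The service account holds only SELECT on dovecot.user.
SHOW GRANTS FOR 'dovecot'@'localhost';

-- 3. The mailbox hash is MD5, not PASSWORD(); valid = 1 for the sample row.
SELECT username, (password = MD5('mypass')) AS valid
FROM dovecot.user
WHERE username = 'bob';
```

Running check 3 while connected as the Dovecot service account reproduces the lookup Dovecot performs; a permission error at that point means the account is missing the SELECT grant rather than holding a wrong mailbox password.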
