I have a problem with my local installation of dovecot

Hi all. Since the update, I have a problem with my local installation of dovecot.

The error message is reported below; exploring the AppArmor files, I discovered that I have a new file:

 /etc/apparmor.d > ls -l *doveco*auth                              
-rw-r--r-- 1 root root 1623 Feb  7 09:26 usr.lib.dovecot.auth
-rw-r--r-- 1 root root 1089 Feb 27 20:04 usr.lib.dovecot.dovecot-auth

…and I have the suspicion that I should have just one of them. The new one is missing

  @{run}/dovecot/auth-master rw,
  @{run}/dovecot/auth-userdb rw,
  @{run}/dovecot/auth-worker rw,
  @{run}/dovecot/login/login rw,
  @{run}/dovecot/auth-token-secret.dat{,.tmp} rw,
  @{run}/dovecot/old-stats-user w,
  @{run}/dovecot/stats-user rw,
  @{run}/dovecot/anvil-auth-penalty rw,

  /var/spool/postfix/private/auth rw,

among other things. Has anyone experienced something similar?

Logs below

Feb 27 20:11:38 ramoth kernel: audit: type=1400 audit(1709061098.722:276): apparmor="DENIED" operation="open" class="file" profile="dovecot-auth" name="/run/faillock/romano" pid=11735 comm="auth" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=1153
Feb 27 20:11:38 ramoth kernel: audit: type=1400 audit(1709061098.722:277): apparmor="DENIED" operation="exec" class="file" profile="dovecot-auth" name="/usr/bin/unix_chkpwd" pid=11737 comm="auth" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Feb 27 20:11:38 ramoth kernel: audit: type=1400 audit(1709061098.722:278): apparmor="DENIED" operation="exec" class="file" profile="dovecot-auth" name="/usr/bin/unix_chkpwd" pid=11738 comm="auth" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Feb 27 20:11:38 ramoth kernel: audit: type=1400 audit(1709061098.722:279): apparmor="DENIED" operation="open" class="file" profile="dovecot-auth" name="/proc/11735/loginuid" pid=11735 comm="auth" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 27 20:11:38 ramoth kernel: audit: type=1400 audit(1709061098.726:280): apparmor="DENIED" operation="open" class="file" profile="dovecot-auth" name="/run/faillock/romano" pid=11735 comm="auth" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=1153
Feb 27 20:11:38 ramoth kernel: audit: type=1400 audit(1709061098.726:281): apparmor="DENIED" operation="open" class="file" profile="dovecot-auth" name="/run/faillock/romano" pid=11735 comm="auth" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=1153
Feb 27 20:11:38 ramoth auth[11735]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=romano rhost=127.0.0.1  user=romano
Feb 27 20:11:38 ramoth kernel: audit: type=1400 audit(1709061098.726:282): apparmor="DENIED" operation="open" class="file" profile="dovecot-auth" name="/run/faillock/romano" pid=11736 comm="auth" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=1153
Feb 27 20:11:38 ramoth kernel: audit: type=1400 audit(1709061098.726:283): apparmor="DENIED" operation="exec" class="file" profile="dovecot-auth" name="/usr/bin/unix_chkpwd" pid=11739 comm="auth" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Feb 27 20:11:38 ramoth auth[11736]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=romano rhost=127.0.0.1  user=romano
Feb 27 20:11:38 ramoth kernel: audit: type=1400 audit(1709061098.729:284): apparmor="DENIED" operation="exec" class="file" profile="dovecot-auth" name="/usr/bin/unix_chkpwd" pid=11740 comm="auth" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Feb 27 20:11:38 ramoth kernel: audit: type=1400 audit(1709061098.729:285): apparmor="DENIED" operation="open" class="file" profile="dovecot-auth" name="/proc/11736/loginuid" pid=11736 comm="auth" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 27 20:11:42 ramoth auth[11735]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=romano rhost=127.0.0.1  user=romano
Feb 27 20:11:42 ramoth auth[11736]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=romano rhost=127.0.0.1  user=romano

Notice: removing the new file usr.lib.dovecot.dovecot-auth and issuing aa-complain /etc/apparmor.d/usr.lib.dovecot.auth makes the dovecot login work again. But that’s clearly not a good solution…
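The denials in the log above can be condensed into one line per profile and path, showing the permissions each would need. This is an added example and not part of the original thread. The sample lines are copied from the post; folding the audit letters c/d into w and replacing the process id with AppArmor's @{pid} variable are choices made for this example, and the output is a list to review, not a finished profile.

```python
import re
from collections import defaultdict

# Sample input: four kernel audit lines and one pam_unix line copied from the post above.
SAMPLE_LOG = '''\
Feb 27 20:11:38 ramoth kernel: audit: type=1400 audit(1709061098.722:276): apparmor="DENIED" operation="open" class="file" profile="dovecot-auth" name="/run/faillock/romano" pid=11735 comm="auth" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=1153
Feb 27 20:11:38 ramoth kernel: audit: type=1400 audit(1709061098.722:277): apparmor="DENIED" operation="exec" class="file" profile="dovecot-auth" name="/usr/bin/unix_chkpwd" pid=11737 comm="auth" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Feb 27 20:11:38 ramoth kernel: audit: type=1400 audit(1709061098.722:279): apparmor="DENIED" operation="open" class="file" profile="dovecot-auth" name="/proc/11735/loginuid" pid=11735 comm="auth" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 27 20:11:38 ramoth kernel: audit: type=1400 audit(1709061098.726:281): apparmor="DENIED" operation="open" class="file" profile="dovecot-auth" name="/run/faillock/romano" pid=11735 comm="auth" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=1153
Feb 27 20:11:38 ramoth auth[11735]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=romano rhost=127.0.0.1  user=romano
'''

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def policy_perms(mask):
    """Map audit mask letters to profile file permissions (c and d fold into w)."""
    letters = {"w" if ch in "cd" else ch for ch in mask}
    return "".join(ch for ch in "rwaxmlk" if ch in letters)

def summarize(log_text):
    """Group file denials by (profile, path) and union the denied permissions."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if not rec or rec.get("class") != "file":
            continue
        # /proc/<pid>/ changes with every auth process, so generalise the pid.
        path = re.sub(r"^/proc/%s/" % rec["pid"], "/proc/@{pid}/", rec["name"])
        needed[(rec["profile"], path)].update(rec["denied_mask"])
    return {key: policy_perms(perms) for key, perms in sorted(needed.items())}

if __name__ == "__main__":
    for (profile, path), perms in summarize(SAMPLE_LOG).items():
        # A bare "x" is not valid in an allow rule; a transition mode must be chosen.
        note = "  # exec: pick ix/Px/Cx before use" if "x" in perms else ""
        print(f"{profile}: {path} {perms},{note}")
```
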

All I can tell you for now is that both of those files are provided by the apparmor package.


And next time dovecot is updated - you have the issue again - never change system files - they will be overwritten or re-added on next sync.

You will have to consult the documentation to know what you should do with the new file.

Yes, I know… :flushed: This is why I mentioned that it was not a solution. So, I restored the strange double profile (will try to check with dovecot what’s happening). For now, setting both profiles to complain mode is doing the trick, but clearly it’s not a good solution either.

I see that there are (void) profiles in /etc/apparmor.d/local/, I suppose I can safely add things there? They will probably generate some .pacnew files but they should be there to allow local changes, shouldn’t they?

I have never configured a local instance of dovecot - perhaps you can find help at these locations

Dovecot - ArchWiki
https://wiki2.dovecot.org/

I have possibly used dovecot when I used a Synology NAS and self-hosted my mail-service but that was done using the Synology DSM web interface.


Thanks!

I think that the problem here is more an AppArmor one than a dovecot one… I’ll try to look for info there.

If I find a better solution than putting everything in complain mode, I’ll post it here.

Thanks again.

For now, the NOT RECOMMENDED solution is (with sudo):

aa-complain /etc/apparmor.d/usr.lib.dovecot.auth
aa-complain /etc/apparmor.d/usr.lib.dovecot.dovecot-auth

and, if needed,

aa-complain /etc/apparmor.d/usr.lib.dovecot.imap
