Hi John,
Note that I'm not a Plesk user or expert, so can't say anything about
that, but I do think you're chasing up the wrong tree.
1) IMAP does NOT allow password changes through the protocol AFAIK. If
you think otherwise, please add a link to some documentation.
2) Dovecot configuration requires *you* (or the Plesk setup template) to
configure SQL statements for retrieving the password. However, no
configuration setting exists for a SQL statement to update a password in
the database. There simply is no such thing in Dovecot, as it doesn't
support password changes.
3) If all of this still would be possible, it would only be allowed
after a successful authentication from a known user on your system. I.e.
there should be nothing to block on the outside (IP addresses or
whatnot) as it would be acceptable traffic.
Please show us your dovecot config including SQL configuration,
otherwise it's hard to tell whether dovecot is doing something strange.
Or maybe just file a report at your Plesk provider, and explain to them
that their Dovecot setup is conflicting with the SELinux rules.
Kind regards,
Tom
On 03-03-2025 23:41, John Calvert via dovecot wrote:
Thanks, Tom.
Here's an update to the sequence of the issue...
1) For some reason dovecot/auth is repeatedly trying to write to
/var/lib/plesk/mail/auth/passwd.db
I have confirmed that passwd.db is indeed the database that holds
the email account passwords.
Dovecot is doing this about 1-3 times per minute.
2) SELinux blocks these attempts and the denials are stored in
/var/log/audit/audit.log as type AVC.
3) The Fedora Project's SETroubleshoot process runs twice per minute,
and detects the new denial(s) in the audit.log.
4) SETroubleshoot reports "SELinux is preventing
/usr/libexec/dovecot/auth from write access on the file passwd.db." to
the /var/log/messages file.
The question remains, what is causing dovecot/auth to repeatedly try to
write to /var/lib/plesk/mail/auth/passwd.db?
The IMAP protocol does allow a client to change the account password, so
this is a possible reason why dovecot is attempting to write. Is there
any other reason? Can dovecot be configured to disallow this? If these
are password change attempts, how can I determine for which email
account(s)? Can I find associated IPs?
The constant repeated nature of this issue has me baffled. Is there
something cached in dovecot that needs to be cleared out? If so, how? I
have of course tried restarting dovecot and also rebooting, but the
issue persists.
I am seeing no problems with any of my clients' email accounts,
including the clients who are using IMAP.
I see now that I can turn on debugging output for dovecot... I'll try that.
On 3/3/25 11:54 AM, Tom Hendrikx via dovecot wrote:
On 01-03-2025 13:38, jcalvert--- via dovecot wrote:
Greetings,
I'm running dovecot 2.3.21.1 (Plesk says up-to-date) on AlmaLinux
8.10, Plesk Obsidian 18.0.67 #3.
I'm getting this repeated error in /var/log/messages...
"SELinux is preventing /usr/libexec/dovecot/auth from write access on
the file passwd.db."
(I think passwd.db is the one in /var/lib/plesk/mail/auth/)
This causes...
"Activating via systemd: service
name='org.fedoraproject.Setroubleshootd'"
which is taking a lot of CPU.
This error is happening continuously, about 1-3 times per minute.
Am I correct in thinking that an email client or webmail client is
trying to change an email account password via IMAP?
If so, I would like to know how to disable this ability in dovecot.
(I would like to change email account passwords only via Plesk.)
If not, why is dovecot trying to write to the passwd.db file? The
fact that SELinux is blocking this is concerning.
Hi,
Maybe the problem gets clearer when you can show the passwd
configuration in dovecot that Plesk has added.
Normally the passdb should be okay being read-only (see:
https://doc.dovecot.org/2.3/configuration_manual/authentication/sql/
where SELECT queries are used).
Password changes can't be done through IMAP iirc, but maybe the lookup
query does something weird.
Kind regards,
Tom
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
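
The AVC denials discussed in this thread can be grouped by process, target file and permission, with a per-minute count, to confirm the "1-3 times per minute" pattern and see the SELinux contexts involved. This is an added example, not part of the original thread or of Dovecot or Plesk; the sample records are constructed, and the names `parse_avc` and `summarize` are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in audit.log record format (not taken from the thread):
# pids, inodes, timestamps and SELinux contexts are illustrative values.
SAMPLE = '''\
type=AVC msg=audit(1741041601.120:901): avc:  denied  { write } for  pid=2210 comm="auth" name="passwd.db" dev="dm-0" ino=393301 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1741041601.120:901): arch=c000003e syscall=257 success=no exit=-13 comm="auth" exe="/usr/libexec/dovecot/auth"
type=AVC msg=audit(1741041632.455:907): avc:  denied  { write } for  pid=2210 comm="auth" name="passwd.db" dev="dm-0" ino=393301 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1741041665.002:915): avc:  denied  { write } for  pid=2318 comm="auth" name="passwd.db" dev="dm-0" ino=393301 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1741041670.310:916): avc:  denied  { read } for  pid=3001 comm="logrotate" name="example.log" dev="dm-0" ino=401122 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
'''

AVC_RE = re.compile(r"type=AVC msg=audit\((\d+)\.\d+:\d+\): avc:\s+denied\s+\{ ([^}]+) \} for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one AVC denial as a dict, or None for any other record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    rec["ts"], rec["perms"] = int(m.group(1)), m.group(2).strip()
    return rec

def summarize(log_text):
    """Group denials by (comm, target name, permission) and count them per minute."""
    groups = defaultdict(lambda: {"count": 0, "pids": set(), "minutes": Counter(), "contexts": set()})
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        g = groups[(rec.get("comm"), rec.get("name"), rec["perms"])]
        g["count"] += 1
        g["pids"].add(rec.get("pid"))
        g["minutes"][rec["ts"] // 60] += 1  # bucket by epoch minute
        g["contexts"].add((rec.get("scontext"), rec.get("tcontext")))
    return dict(groups)

if __name__ == "__main__":
    for (comm, name, perms), g in sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1]["count"]):
        print(f"{comm} -> {name} [{perms}]: {g['count']} denials, "
              f"peak {max(g['minutes'].values())}/min, pids {sorted(g['pids'])}")
        for s, t in sorted(g["contexts"]):
            print(f"    scontext={s} tcontext={t}")
```

To run it against real data, pass the contents of /var/log/audit/audit.log to `summarize` instead of `SAMPLE`.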