iPentec.com  /  Document  /  カテゴリ: Linux  /  タグ:  Linux Dovecot

目次

DovecotのPOP/IMAPの認証に時間がかかる "pam_unix(dovecot:auth): authentication failure;","pam_succeed_if(dovecot:auth): error retrieving information "エラーがsecureログに出力される

目次

DovecotのConfigファイルを編集して(Passwordファイル認証などに変更し)使い始めるとPOP/IMAPの認証に時間がかかることがあります。
また、/var/log/secureログファイルに

Jan DD HH:MM:SS post dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=nnn.nnn.nnn.nnn

といったエラーメッセージや

May DD HH:MM:SS post dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user xxx@abcdefg.com
といったエラーメッセージが記録されることがあります。

エラーが発生する原因はいくつかありますが、PAM認証が有効になっていることが原因の一つとして挙げられます。Passwordファイルによる認証をしている場合はPAM認証を無効にする必要があります。

エラーが発生していない場合でも、PAM認証を無効にすることで、認証速度の動作改善がみられる場合もあります。

Dovecot2のコード例 (/etc/dovecot/conf.d/10-auth.conf)

pam認証を無効化する場合は、10-auth.confファイルの下部の

修正前

#!include auth-deny.conf.ext
#!include auth-master.conf.ext

!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext

を以下に変更します。

修正後

#!include auth-deny.conf.ext
#!include auth-master.conf.ext

#!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext

とします。(!include auth-system.conf.extをコメントアウトします。)

Dovecot1のコード例 (/etc/dovecot.conf)

修正前

  # PAM authentication. Preferred nowadays by most systems. 
  # Note that PAM can only be used to verify if user's password is correct,
  # so it can't be used as userdb. If you don't want to use a separate user
  # database (passwd usually), you can use static userdb.
  # REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
  # authentication to actually work. <doc/wiki/PasswordDatabase.PAM.txt>
  passdb pam {
    # [blocking=yes] [session=yes] [setcred=yes]
    # [cache_key=<key>] [<service name>]
    #
    # By default a new process is forked from dovecot-auth for each PAM lookup.
    # Setting blocking=yes uses the alternative way: dovecot-auth worker
    # processes do the PAM lookups.
    #
    # session=yes makes Dovecot open and immediately close PAM session. Some
    # PAM plugins need this to work, such as pam_mkhomedir.
    #
    # setcred=yes makes Dovecot establish PAM credentials if some PAM plugins
    # need that. They aren't ever deleted though, so this isn't enabled by
    # default.
    #
    # cache_key can be used to enable authentication caching for PAM
    # (auth_cache_size also needs to be set). It isn't enabled by default
    # because PAM modules can do all kinds of checks besides checking password,
    # such as checking IP address. Dovecot can't know about these checks
    # without some help. cache_key is simply a list of variables (see
    # doc/wiki/Variables.txt) which must match for the cached data to be used.
    # Here are some examples:
    #   %u - Username must match. Probably sufficient for most uses.
    #   %u%r - Username and remote IP address must match.
    #   %u%s - Username and service (ie. IMAP, POP3) must match.
    # 
    # If service name is "*", it means the authenticating service name
    # is used, eg. pop3 or imap (/etc/pam.d/pop3, /etc/pam.d/imap).
    #
    # Some examples:
    #   args = session=yes *
    #   args = cache_key=%u dovecot
    #args = dovecot
  }

修正後

passdb pam{
...
}

の部分をすべてコメントアウトしPAM認証を無効にします。

  # PAM authentication. Preferred nowadays by most systems. 
  # Note that PAM can only be used to verify if user's password is correct,
  # so it can't be used as userdb. If you don't want to use a separate user
  # database (passwd usually), you can use static userdb.
  # REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
  # authentication to actually work. <doc/wiki/PasswordDatabase.PAM.txt>
  #passdb pam {
    # [blocking=yes] [session=yes] [setcred=yes]
    # [cache_key=<key>] [<service name>]
    #
    # By default a new process is forked from dovecot-auth for each PAM lookup.
    # Setting blocking=yes uses the alternative way: dovecot-auth worker
    # processes do the PAM lookups.
    #
    # session=yes makes Dovecot open and immediately close PAM session. Some
    # PAM plugins need this to work, such as pam_mkhomedir.
    #
    # setcred=yes makes Dovecot establish PAM credentials if some PAM plugins
    # need that. They aren't ever deleted though, so this isn't enabled by
    # default.
    #
    # cache_key can be used to enable authentication caching for PAM
    # (auth_cache_size also needs to be set). It isn't enabled by default
    # because PAM modules can do all kinds of checks besides checking password,
    # such as checking IP address. Dovecot can't know about these checks
    # without some help. cache_key is simply a list of variables (see
    # doc/wiki/Variables.txt) which must match for the cached data to be used.
    # Here are some examples:
    #   %u - Username must match. Probably sufficient for most uses.
    #   %u%r - Username and remote IP address must match.
    #   %u%s - Username and service (ie. IMAP, POP3) must match.
    # 
    # If service name is "*", it means the authenticating service name
    # is used, eg. pop3 or imap (/etc/pam.d/pop3, /etc/pam.d/imap).
    #
    # Some examples:
    #   args = session=yes *
    #   args = cache_key=%u dovecot
    #args = dovecot
  #}

設定後

/etc/rc.d/init.d/dovecot restart
コマンドを実行し、Dovecotを再起動します。

AuthorPortraitAlt
著者
ジョニー
iPentecのプログラマー、最近はAIの積極的な活用にも取り組み中。
とっても恥ずかしがり。
作成日: 2011-05-30

関連するページ

ドキュメント
新着記事一覧
タグ一覧
ドキュメント トップ
SNSコンテンツ
YouTube
Instagram
Pinterest
X
iPentec
iPentecについて
プライバシー
お問い合わせ
Copyright © 1995–2025 iPentec all rights reserverd.