Dovecot POP/IMAP authentication is slow and "pam_unix(dovecot:auth): authentication failure;" / "pam_succeed_if(dovecot:auth): error retrieving information" errors are written to the secure log
After editing the Dovecot config file (for example, switching to passwd-file authentication) and putting it into use, POP/IMAP authentication can become slow.
In addition, error messages such as
Jan DD HH:MM:SS post dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=nnn.nnn.nnn.nnn
or
May DD HH:MM:SS post dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user xxx@abcdefg.com
may be recorded in the /var/log/secure log file.
There are several possible causes, and one of them is that PAM authentication is enabled. When authenticating against a passwd file, PAM authentication must be disabled.
Even when no errors appear, disabling PAM authentication can also improve authentication speed.
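To tell whether the messages above are the PAM-before-passwd-file pattern this page describes, it helps to pull only the dovecot-auth PAM lines out of /var/log/secure and group them. The following script is an added example written for this page, not iPentec's or Dovecot's own code; the log lines it embeds are constructed to match the two messages quoted above (host name, addresses and user names are made up).

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure, modelled on the two messages quoted
# in the text; host name, addresses and user names are made up.
SAMPLE_SECURE_LOG = """\
Jan 12 10:15:01 post dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=192.0.2.10
Jan 12 10:15:03 post dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user alice@example.com
Jan 12 10:15:07 post dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=192.0.2.10
Jan 12 10:16:00 post sshd[2201]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Jan 12 10:16:30 post dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user carol@example.com
"""

# Only PAM messages logged by dovecot-auth under the "dovecot" PAM service.
PAM_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot-auth: "
    r"(?P<module>pam_\w+)\(dovecot:auth\): (?P<msg>.*)$"
)
RHOST = re.compile(r"rhost=(?P<rhost>\S+)")
USER = re.compile(r"about user (?P<user>\S+)")


def parse_dovecot_pam_events(text):
    """One dict per dovecot-auth PAM line; lines from other services are skipped."""
    events = []
    for line in text.splitlines():
        m = PAM_LINE.match(line)
        if not m:
            continue
        ev = {"ts": m["ts"], "module": m["module"], "msg": m["msg"],
              "rhost": None, "user": None}
        r = RHOST.search(m["msg"])
        if r:
            ev["rhost"] = r["rhost"]
        u = USER.search(m["msg"])
        if u:
            ev["user"] = u["user"]
        events.append(ev)
    return events


def summarize(events):
    """Group events by PAM module, by source address, and by the users that
    pam_succeed_if could not look up. Virtual-mailbox users that exist only in
    the Dovecot passwd file are never found in /etc/passwd, so a steady stream
    of such lines means PAM is still being consulted for them."""
    by_module = Counter(e["module"] for e in events)
    by_rhost = Counter(e["rhost"] for e in events if e["rhost"])
    unknown_users = sorted({e["user"] for e in events
                            if e["module"] == "pam_succeed_if" and e["user"]})
    return {"by_module": dict(by_module), "by_rhost": dict(by_rhost),
            "unknown_users": unknown_users}


if __name__ == "__main__":
    # Usage: python pam_log_check.py [/var/log/secure]
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SECURE_LOG
    summary = summarize(parse_dovecot_pam_events(text))
    for key, value in summary.items():
        print(key, value)
```

Run against the real file with `python pam_log_check.py /var/log/secure`. The "unknown_users" list is the useful signal for this page's problem: if it lists exactly the mailbox users from your passwd file, the PAM passdb is still in the lookup path. The per-rhost count is a different signal; many pam_unix failures from a single address against many users points to password guessing rather than a misconfiguration, and should be handled as such.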
Dovecot 2 example (/etc/dovecot/conf.d/10-auth.conf)
To disable PAM authentication, change the following lines at the bottom of 10-auth.conf
Before
#!include auth-deny.conf.ext
#!include auth-master.conf.ext
!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext
to the following.
After
#!include auth-deny.conf.ext
#!include auth-master.conf.ext
#!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext
(That is, comment out the !include auth-system.conf.ext line.) Note that auth-system.conf.ext declares not only the pam passdb but also the passwd userdb, so once it is disabled the passwd-file configuration has to provide the userdb as well; the default auth-passwdfile.conf.ext does this with a passwd-file userdb.
Dovecot 1 example (/etc/dovecot.conf)
Before
# PAM authentication. Preferred nowadays by most systems.
# Note that PAM can only be used to verify if user's password is correct,
# so it can't be used as userdb. If you don't want to use a separate user
# database (passwd usually), you can use static userdb.
# REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
# authentication to actually work. <doc/wiki/PasswordDatabase.PAM.txt>
passdb pam {
# [blocking=yes] [session=yes] [setcred=yes]
# [cache_key=<key>] [<service name>]
#
# By default a new process is forked from dovecot-auth for each PAM lookup.
# Setting blocking=yes uses the alternative way: dovecot-auth worker
# processes do the PAM lookups.
#
# session=yes makes Dovecot open and immediately close PAM session. Some
# PAM plugins need this to work, such as pam_mkhomedir.
#
# setcred=yes makes Dovecot establish PAM credentials if some PAM plugins
# need that. They aren't ever deleted though, so this isn't enabled by
# default.
#
# cache_key can be used to enable authentication caching for PAM
# (auth_cache_size also needs to be set). It isn't enabled by default
# because PAM modules can do all kinds of checks besides checking password,
# such as checking IP address. Dovecot can't know about these checks
# without some help. cache_key is simply a list of variables (see
# doc/wiki/Variables.txt) which must match for the cached data to be used.
# Here are some examples:
# %u - Username must match. Probably sufficient for most uses.
# %u%r - Username and remote IP address must match.
# %u%s - Username and service (ie. IMAP, POP3) must match.
#
# If service name is "*", it means the authenticating service name
# is used, eg. pop3 or imap (/etc/pam.d/pop3, /etc/pam.d/imap).
#
# Some examples:
# args = session=yes *
# args = cache_key=%u dovecot
#args = dovecot
}
After
passdb pam{
...
}
Comment out this entire section to disable PAM authentication, as shown below.
# PAM authentication. Preferred nowadays by most systems.
# Note that PAM can only be used to verify if user's password is correct,
# so it can't be used as userdb. If you don't want to use a separate user
# database (passwd usually), you can use static userdb.
# REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
# authentication to actually work. <doc/wiki/PasswordDatabase.PAM.txt>
#passdb pam {
# [blocking=yes] [session=yes] [setcred=yes]
# [cache_key=<key>] [<service name>]
#
# By default a new process is forked from dovecot-auth for each PAM lookup.
# Setting blocking=yes uses the alternative way: dovecot-auth worker
# processes do the PAM lookups.
#
# session=yes makes Dovecot open and immediately close PAM session. Some
# PAM plugins need this to work, such as pam_mkhomedir.
#
# setcred=yes makes Dovecot establish PAM credentials if some PAM plugins
# need that. They aren't ever deleted though, so this isn't enabled by
# default.
#
# cache_key can be used to enable authentication caching for PAM
# (auth_cache_size also needs to be set). It isn't enabled by default
# because PAM modules can do all kinds of checks besides checking password,
# such as checking IP address. Dovecot can't know about these checks
# without some help. cache_key is simply a list of variables (see
# doc/wiki/Variables.txt) which must match for the cached data to be used.
# Here are some examples:
# %u - Username must match. Probably sufficient for most uses.
# %u%r - Username and remote IP address must match.
# %u%s - Username and service (ie. IMAP, POP3) must match.
#
# If service name is "*", it means the authenticating service name
# is used, eg. pop3 or imap (/etc/pam.d/pop3, /etc/pam.d/imap).
#
# Some examples:
# args = session=yes *
# args = cache_key=%u dovecot
#args = dovecot
#}
After making the change, run
/etc/rc.d/init.d/dovecot restart
to restart Dovecot.
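Because both edits above come down to "is the pam passdb still active, and if so comment it out", a small checker can confirm the state of either config format before and after the restart. The script below is an added example for this page (not iPentec's or Dovecot's code); the Dovecot 2 text it embeds is a copy of the "before" listing above, and the Dovecot 1 fragment is constructed with a made-up passwd-file path.

```python
import re
import sys

# Matches Dovecot 2 "!include"/"!include_try" lines, commented out or not.
INCLUDE = re.compile(r"^\s*(?P<commented>#)?\s*!include(?:_try)?\s+(?P<file>\S+)")
# Matches the start of a Dovecot 1 "passdb pam {" block, commented out or not.
PASSDB_PAM = re.compile(r"^\s*(?P<commented>#)?\s*passdb\s+pam\s*\{")

# Copy of the bottom of 10-auth.conf in the "before" state from the text:
# auth-system (PAM) and auth-passwdfile are both active.
DOVECOT2_BEFORE = """\
#!include auth-deny.conf.ext
#!include auth-master.conf.ext
!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext
"""

# Constructed Dovecot 1 fragment: a pam passdb followed by a passwd-file passdb
# (the /etc/dovecot/users path is made up).
DOVECOT1_BEFORE = """\
# PAM authentication. Preferred nowadays by most systems.
passdb pam {
  #args = dovecot
}
passdb passwd-file {
  args = /etc/dovecot/users
}
"""


def active_includes(conf_text):
    """Dovecot 2: include files that are not commented out, in file order."""
    matches = map(INCLUDE.match, conf_text.splitlines())
    return [m["file"] for m in matches if m and not m["commented"]]


def pam_enabled_dovecot2(conf_text):
    """auth-system.conf.ext is the file that declares the pam passdb."""
    return "auth-system.conf.ext" in active_includes(conf_text)


def pam_enabled_dovecot1(conf_text):
    """Dovecot 1: True while an uncommented 'passdb pam {' line exists."""
    matches = map(PASSDB_PAM.match, conf_text.splitlines())
    return any(m and not m["commented"] for m in matches)


def disable_pam_dovecot2(conf_text):
    """Comment out '!include auth-system.conf.ext'; every other line is kept."""
    out = []
    for line in conf_text.splitlines(keepends=True):
        m = INCLUDE.match(line)
        if m and not m["commented"] and m["file"] == "auth-system.conf.ext":
            line = "#" + line.lstrip()
        out.append(line)
    return "".join(out)


def disable_pam_dovecot1(conf_text):
    """Comment out the whole 'passdb pam { ... }' block, tracking braces so
    that other passdb blocks are untouched; lines already commented stay."""
    out, depth = [], 0
    for line in conf_text.splitlines(keepends=True):
        m = PASSDB_PAM.match(line)
        if depth == 0 and not (m and not m["commented"]):
            out.append(line)  # outside the pam block
            continue
        code = line.split("#", 1)[0]  # ignore braces inside comments
        depth += code.count("{") - code.count("}")
        stripped = line.lstrip()
        if stripped and not stripped.startswith("#"):
            line = "#" + line
        out.append(line)
    return "".join(out)


def report(conf_text):
    """One-line status usable for either config format."""
    includes = active_includes(conf_text)
    if includes:
        state = "ENABLED" if pam_enabled_dovecot2(conf_text) else "disabled"
        return "dovecot2: active includes %s; pam %s" % (", ".join(includes), state)
    state = "ENABLED" if pam_enabled_dovecot1(conf_text) else "disabled"
    return "dovecot1: pam passdb %s" % state


if __name__ == "__main__":
    # Usage: python check_pam.py [/etc/dovecot/conf.d/10-auth.conf | /etc/dovecot.conf]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = DOVECOT2_BEFORE
    print(report(text))
```

The disable functions return the edited text rather than writing it, so you can diff the result against the original before replacing the file; both are idempotent, so running them on an already-fixed config changes nothing. On a live system, `doveconf -n passdb` after the restart is the authoritative confirmation that no pam passdb remains.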
Author
A programmer at iPentec, recently also working on making active use of AI.
Very shy.