Problem
When creating a new shared mailbox, the following error appears in the listener.log file:
doveadm(Administrator): Error: User doesn't exist
12.09.24 11:44:13.474 LISTENER ( ERROR ) : dovecot-shared-folder: Failed to set ACLs '['myACL all', 'dovecotadmin none']' on mailbox 'INBOX' for 'folder@dom.ain'.
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/univention/mail/dovecot_shared_folder.py", line 425, in imap_set_mailbox_acls
imap.login("%s*%s" % (mb_owner, master_name), master_pw)
File "/usr/lib/python3.7/imaplib.py", line 598, in login
raise self.error(dat[-1])
imaplib.IMAP4.error: b'[AUTHENTICATIONFAILED] Authentication failed.'
12.09.24 11:44:13.474 LISTENER ( ERROR ) : dovecot-shared-folder: Failed setting ACLs on new shared mailbox 'folder@dom.ain': b'[AUTHENTICATIONFAILED] Authentication failed.'
Investigation
The relevant message from the log is the following:
doveadm(Administrator): Error: User doesn't exist
So Dovecot does not find the user Administrator. A test with the Dovecot tool doveadm confirms this:
$ doveadm user Administrator
field value
userdb lookup: user Administrator doesn't exist
Dovecot clearly doesn't know the user Administrator, so we have to dig deeper to find out why. Let's look at the traceback again to see which command is used to log in to the mailbox and throws the authentication error:
imap.login("%s*%s" % (mb_owner, master_name), master_pw)
We can execute this manually to see if we can reproduce the error. For that we create a new file imaplogin.py with the following content:
#!/usr/bin/python3
import imaplib
# Master-user login: "<mailbox owner>*<master user>" with the master user's password.
# Replace "password" with the real value and delete this file after the test.
imap = imaplib.IMAP4("localhost")
imap.login("%s*%s" % ("folder@dom.ain", "dovecotadmin"), "password")
You can find the admin (in this case it’s dovecotadmin) and the corresponding password in the file /etc/dovecot/master-users.
Now if we execute the script with python3 imaplogin.py, we see the same authentication error. But why is the admin and password combination from the master-users file not working? Let’s take a look at the log file /var/log/dovecot.log right after executing the script:
Oct 2 17:04:51 primary dovecot: auth: Debug: passwd-file(dovecotadmin@test.dom.ain,::1,master,<sN9+wn8j5scAAAAAAAAAAAAAAAAAAAAB>): Master user lookup for login: folder@dom.ain
It looks like the imap.login command is using the account dovecotadmin@test.dom.ain and not simply dovecotadmin as it is written in the master-users file. The culprit is the option auth_default_realm in the file /etc/dovecot/conf.d/10-auth.conf:
auth_default_realm = test.dom.ain
This results in Dovecot appending the value from auth_default_realm to the dovecotadmin user when authenticating.
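The mismatch described above can be checked before touching the service. The following is an added example, not part of the original article or of Univention's code: it models the lookup as "append auth_default_realm when the name has no domain" and compares the result against the master-users entries. The sample file contents, the function names, the simple key = value parsing and the assumption that the passwd-file is matched on the full name are all assumptions made for this illustration.

```python
import re

# Constructed sample inputs (not taken from a real system).
SAMPLE_MASTER_USERS = """\
# /etc/dovecot/master-users (passwd-file format: user:password)
dovecotadmin:{PLAIN}example-only
"""
SAMPLE_AUTH_CONF = """\
#auth_default_realm =
auth_default_realm = test.dom.ain
"""

def parse_master_users(text):
    """Return the user names (first colon-separated field) of a passwd-file."""
    users = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            users.append(line.split(":", 1)[0])
    return users

def parse_default_realm(conf_text):
    """Return the last uncommented auth_default_realm value, or '' if unset."""
    realm = ""
    for line in conf_text.splitlines():
        m = re.match(r"\s*auth_default_realm\s*=\s*(\S*)", line)
        if m:
            realm = m.group(1)
    return realm

def effective_name(name, realm):
    """Name used for the lookup: the realm is appended when no domain is given."""
    return name if "@" in name or not realm else f"{name}@{realm}"

def check_master_logins(master_text, conf_text):
    """Map each master user to (looked-up name, found in master-users?)."""
    users = parse_master_users(master_text)
    realm = parse_default_realm(conf_text)
    result = {}
    for user in users:
        looked_up = effective_name(user, realm)
        result[user] = (looked_up, looked_up in users)
    return result

if __name__ == "__main__":
    report = check_master_logins(SAMPLE_MASTER_USERS, SAMPLE_AUTH_CONF)
    for user, (looked_up, ok) in report.items():
        print(f"{user}: looked up as {looked_up}: {'ok' if ok else 'NOT in master-users'}")
```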
Solution
Make sure that auth_default_realm is set correctly. In this case, we had to comment out or remove the auth_default_realm line from the file /etc/dovecot/conf.d/10-auth.conf. After the change, a reload of the service is necessary for it to take effect:
service dovecot reload
Now the imaplogin.py script works, Dovecot is able to authenticate again with the Administrator account (dovecotadmin), and creating a shared mailbox no longer throws an ACL error.