When users on my system log in using POP, they are able to log in to the system and check emails. But /var/log/secure has the following entries for any user:

2011-02-01T21:20:29.545660+05:18 linode dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
2011-02-01T21:20:29.545733+05:18 linode dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot rhost=

Are there multiple login validations happening?

I am on CentOS 5, ISPConfig 3, Dovecot.

Probably - Dovecot can be set up for multiple password databases, and if the user succeeds against any of the specified dbs then they are authenticated. Check to see if you have multiple passdb entries in your dovecot.conf.

Yes yes. Thank you for the hint.

I can see

  passdb pam {
    # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
    # [cache_key=<key>] [<service name>]
    # session=yes makes Dovecot open and immediately close PAM session. Some
    # PAM plugins need this to work, such as pam_mkhomedir.
    # setcred=yes makes Dovecot establish PAM credentials if some PAM plugins
    # need that. They aren't ever deleted though, so this isn't enabled by
    # default.
    # max_requests specifies how many PAM lookups to do in one process before
    # recreating the process. The default is 100, because many PAM plugins
    # leak memory.
    # cache_key can be used to enable authentication caching for PAM
    # (auth_cache_size also needs to be set). It isn't enabled by default
    # because PAM modules can do all kinds of checks besides checking password,
    # such as checking IP address. Dovecot can't know about these checks
    # without some help. cache_key is simply a list of variables (see
    # doc/wiki/Variables.txt) which must match for the cached data to be used.
    # Here are some examples:
    #   %u - Username must match. Probably sufficient for most uses.
    #   %u%r - Username and remote IP address must match.
    #   %u%s - Username and service (ie. IMAP, POP3) must match.
    # The service name can contain variables, for example %Ls expands to
    # pop3 or imap.
    # Some examples:
    #   args = session=yes %Ls
    #   args = cache_key=%u dovecot
    #args = dovecot

I want to know if this module is causing the problem?

Just below it

  passdb sql {
    # Path for SQL configuration file, see doc/dovecot-sql-example.conf
    args = /etc/dovecot-sql.conf

I think the sql module is used for user email password validation.

I want to remove the entries from the secure log because fail2ban is creating problems for such users.

Thanks for all your help.


Yes - dovecot is checking pam first, and when that fails it drops down to the next one on the list.

The pam entry is there to allow system accounts to log in - it should be safe to comment it out if you only use the accounts defined in the sql tables. I think you also might be able to re-order them so that it checks sql first.

Done …

Removed PAM authentication as I do not have system users; all are virtual.

Thanks for all your help.
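An added example, not code from any poster in this thread: a small Python check that lists the active `passdb` blocks of a Dovecot 1.x config in file order, reports which ones a SQL-only (virtual) user fails against before `sql` is reached, and counts the resulting `pam_unix(dovecot:auth)` entries in a log. The config text is a constructed sample modelled on the excerpt above, the log lines are the two quoted in the question, and the function names are hypothetical.

```python
import re

# Constructed sample in Dovecot 1.x syntax, modelled on the excerpt in the thread.
SAMPLE_CONF = """\
auth default {
  #passdb passwd {
  #}
  passdb pam {
    # args = session=yes %Ls
    #args = dovecot
  }
  passdb sql {
    args = /etc/dovecot-sql.conf
  }
}
"""

# The two /var/log/secure lines quoted in the question.
SAMPLE_LOG = """\
2011-02-01T21:20:29.545660+05:18 linode dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
2011-02-01T21:20:29.545733+05:18 linode dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot rhost=
"""

PASSDB_RE = re.compile(r"^\s*passdb\s+(\w+)\s*\{")
PAM_RE = re.compile(
    r"dovecot-auth: pam_unix\(dovecot:auth\): "
    r"(check pass; user unknown|authentication failure)")

def passdb_order(conf_text):
    """Active passdb drivers, in the order they appear in the config."""
    order = []
    for line in conf_text.splitlines():
        m = PASSDB_RE.match(line.split("#", 1)[0])  # ignore commented-out text
        if m:
            order.append(m.group(1))
    return order

def tried_before_sql(order):
    """Drivers a SQL-only (virtual) user fails against before sql is reached."""
    return order[:order.index("sql")] if "sql" in order else []

def pam_failure_counts(log_text):
    """Count pam_unix messages for the dovecot service, by message type."""
    counts = {"check pass; user unknown": 0, "authentication failure": 0}
    for line in log_text.splitlines():
        m = PAM_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

if __name__ == "__main__":
    order = passdb_order(SAMPLE_CONF)
    print("passdb order:", order, "| tried before sql:", tried_before_sql(order))
    print("pam_unix entries:", pam_failure_counts(SAMPLE_LOG))
```

Run against the real config before and after commenting out the `passdb pam` block: once `tried_before_sql` returns an empty list, a successful virtual-user login no longer produces the PAM failure pair that fail2ban was matching.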



