
postfixadmin update: now can't log in with admin account


I recently discovered postfixadmin needs to update the database and everything, so I tried doing that, but I couldn't log in, nor could I create a superuser admin.

These are my logs.

/var/log/nginx/postfixadmin_error.log

2022/02/25 16:31:08 [error] 2094#2094: *5 FastCGI sent in stderr: "PHP message: Failed to read password from /usr/bin/doveadm pw -r 5 ... stderr: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 13: ssl_key: Can't open file /etc/letsencrypt/live/mail.pihosting.ca/privkey.pem: Permission denied
, password:  PHP message: Error while trying to call pacrypt()PHP message: Exception: /usr/bin/doveadm pw -r 5 failed, see error log for details in /usr/share/postfixadmin/functions.inc.php:1059
Stack trace:
#0 /usr/share/postfixadmin/functions.inc.php(1274): _pacrypt_dovecot()
#1 /usr/share/postfixadmin/model/Login.php(36): pacrypt()
#2 /usr/share/postfixadmin/public/login.php(63): Login->login()
#3 {main}PHP message: PostfixAdmin admin login failed (username: [email protected], ip_address: 209.15.158.30)" while reading response header from upstream, client: 209.15.158.30, server: pfa.pihosting.ca, request: "POST /login.php HTTP/2.0", upstream: "fastcgi://unix:/run/php/php7.4-fpm.sock:", host: "pfa.pihosting.ca", referrer: "https://pfa.pihosting.ca/login.php"

I figured this was a simple permission issue, so I checked the permissions for the file in question.

root@mail:~# ls -l /etc/letsencrypt/live/mail.pihosting.ca/privkey.pem
lrwxrwxrwx 1 root root 44 Jan 21 00:01 /etc/letsencrypt/live/mail.pihosting.ca/privkey.pem -> ../../archive/mail.pihosting.ca/privkey6.pem

Cool, so full privs for everyone (I know I shouldn't, but I can't remember why I had it set this way).

Odd, so I figured I should explore the groups.

root@mail:~# groups dovecot
dovecot : dovecot mail certbot

Then I checked for www-data:

root@mail:~# groups www-data
www-data : www-data certbot

I tried setting it up again and changed my setup_password, updated the file, logged in, and it brings me to login.php. I tried logging in, but it says email or password wrong when I know it's right.

The only warnings I see are these:

Warnings
⚠ Database - PostgreSQL (pdo_pgsql) extension not found
⚠ Database support - SQLite (pdo_sqlite) extension not found

Everything else has green checks.

I'm not an expert, so I'm still learning.

Can someone point me in the right direction?

If you need logs that haven't been included, let me know.

Nothing has been changed, and the Roundcube mail I use still allows me to log in and is working as intended.

Check this for some more logs and permissions.

https://pastebin.com/35L3Ph1s


Solution

  • We had a highly similar issue with a previously working postfixadmin install on RHEL 9.1 with the very latest versions of dovecot/postfix/php-fpm/php/postfixadmin etc. (so also think late versions of CentOS/Fedora etc.).

    We got this message in error log for postfixadmin:

    2023/02/10 10:16:13 [error] 20541#20541: *1313 FastCGI sent in stderr: "PHP message: Failed to read password from /usr/bin/doveadm pw -r 12 ... stderr: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 15: ssl_key: Can't open file /etc/letsencrypt/live/foo.com/privkey.pem: Permission denied , password: ; PHP message: Error while trying to call pacrypt(); PHP message: Exception: /usr/bin/doveadm pw -r 12 failed, see error log for details in /usr/share/nginx/postfixadmin/functions.inc.php:1066 Stack trace:

    The issue was that there is a symlink between the letsencrypt file (in our case privkey.pem) and the letsencrypt archive folder where the link leads to. Permissions seemed OK. So why the failure? Symlink permissions must match at both ends, of course. So we had to ensure that both the symlink for privkey.pem and the actual key, in our case .../archive/privkey8.pem, had been chmodded the same way.

    Thus we ran the commands:

    $ chmod 644 /path/to/foo.com/privkey.pem
    $ chmod 644 /path/to/archive/privkey8.pem

    (You will likely have a slightly different privkey name in the archive directory.)

    Often these files are set to '400' - what is important is that the chmod values match.

    Tip: Many terminal programs (like good old PuTTY) highlight symlinks differently depending on their status. Our fullchain.pem link was in one color (and working) and the privkey link was in another color ... and not working. A great clue, especially if you are new to the game.
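
An added diagnostic for the "Permission denied" on privkey.pem discussed above (not code from either post): on Linux the mode bits shown on a symlink itself are not used for access decisions, so the script checks search permission on every directory along the path and read permission on the file the link resolves to, and reports the first component that stops a given user. The function names and the file name keycheck.sh are hypothetical; it assumes GNU coreutils and evaluates classic mode bits only.

```shell
#!/bin/sh
# Added example. Assumes Linux with GNU coreutils (readlink -f, stat -c).
# Only classic mode bits are evaluated; ACLs and SELinux are not.

# allowed MODE OWNER_UID OWNER_GID BIT UID "GID ..." -> exit 0 if BIT is granted.
# BIT is 4 (read a file) or 1 (search/traverse a directory).
allowed() {
    if [ "$5" -eq 0 ]; then return 0; fi            # root bypasses mode bits
    a_perms=$(( 0$1 ))                              # stat prints octal digits
    a_cls=$(( a_perms & 7 ))                        # default: "other" class
    for a_g in $6; do
        if [ "$a_g" -eq "$3" ]; then a_cls=$(( (a_perms >> 3) & 7 )); fi
    done
    if [ "$5" -eq "$2" ]; then a_cls=$(( (a_perms >> 6) & 7 )); fi
    [ $(( a_cls & $4 )) -ne 0 ]
}

# blocked_up PATH BIT UID GIDS: walk from PATH up to /; PATH needs BIT, each
# parent needs search (1). Prints the denying component nearest to /, if any.
blocked_up() {
    b_p=$1; b_bit=$2; b_hit=""
    while :; do
        b_st=$(stat -c '%a %u %g' -- "$b_p") || return 2
        if ! allowed $b_st "$b_bit" "$3" "$4"; then b_hit=$b_p; fi
        if [ "$b_p" = / ]; then break; fi
        b_p=$(dirname -- "$b_p"); b_bit=1
    done
    printf '%s' "$b_hit"
}

# first_block KEYPATH UID GIDS: prints "ok" or the first path component that
# stops the user, checking the link's directory and then the resolved target.
first_block() {
    f_dir=$(readlink -f -- "$(dirname -- "$1")") || return 2
    f_tgt=$(readlink -f -- "$1") || return 2
    f_hit=$(blocked_up "$f_dir" 1 "$2" "$3") || return 2
    if [ -z "$f_hit" ]; then
        f_hit=$(blocked_up "$f_tgt" 4 "$2" "$3") || return 2
    fi
    printf '%s\n' "${f_hit:-ok}"
}

# Usage: sh keycheck.sh /etc/letsencrypt/live/mail.pihosting.ca/privkey.pem www-data
if [ $# -eq 2 ]; then
    first_block "$1" "$(id -u "$2")" "$(id -G "$2")"
fi
```

Knowing which component blocks the account makes it possible to grant access through a group (for example mode 750 on the directory and 640 on the key) rather than making the private key readable by every local user.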