I am experiencing an issue where Dovecot seems to be re-authenticating using an old password, which results in an "Invalid verification code" error.
Observations:
- The user can successfully log in with a Google Authenticator code the first time.
- After about 30 seconds, authentication fails with an "Invalid verification code" error.
- It seems that Dovecot is either re-authenticating automatically or the session is expiring and causing a re-authentication attempt using an old OTP (which is no longer valid).
Logs:
Mar 28 14:37:08 testingtech dovecot(pam_google_authenticator)[2600424]: Invalid verification code for tejas
Mar 28 14:37:08 testingtech dovecot[2600327]: auth-worker(2600424): Debug: conn unix:auth-worker (pid=2600423,uid=97): auth-worker<8>: pam(tejas,192.168.1.45,<8mcgZWMxoN/AqAEt>): #1/1 style=1 msg=Password:
Mar 28 14:37:08 testingtech auth[2600424]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=tejas rhost=192.168.1.45 user=tejas
Mar 28 14:37:10 testingtech dovecot[2600327]: auth-worker(2600424): conn unix:auth-worker (pid=2600423,uid=97): auth-worker<8>: pam(tejas,192.168.1.45,<8mcgZWMxoN/AqAEt>): pam_authenticate() failed: Authentication failure (Password mismatch?) (given password: testing833952)
Mar 28 14:37:10 testingtech dovecot[2600327]: auth: Debug: pam(tejas.ghadi,192.168.1.45,<8mcgZWMxoN/AqAEt>): Finished passdb lookup
Mar 28 14:37:10 testingtech dovecot[2600327]: auth: Debug: auth(tejas.ghadi,192.168.1.45,<8mcgZWMxoN/AqAEt>): Auth request finished
Mar 28 14:37:10 testingtech dovecot[2600327]: auth-worker(2600424): Debug: conn unix:auth-worker (pid=2600423,uid=97): auth-worker<8>: pam(tejas,192.168.1.45,<8mcgZWMxoN/AqAEt>): Finished passdb lookup
Mar 28 14:37:10 testingtech dovecot[2600327]: auth-worker(2600424): Debug: conn unix:auth-worker (pid=2600423,uid=97): auth-worker<8>: Finished: password_mismatch
Mar 28 14:37:12 testingtech dovecot[2600327]: auth: Debug: client passdb out: FAIL 1 user=tejas.ghadi
Mar 28 14:37:12 testingtech dovecot[2600327]: imap-login: Disconnected: Connection closed (auth failed, 1 attempts in 4 secs): user=<tejas>, method=PLAIN, rip=192.168.1.45, lip=192.168.1.45, secured, session=<8mcgZWMxoN/AqAEt>
Mar 28 14:37:12 testingtech dovecot[2600327]: auth: Debug: auth client connected (pid=2600570)
Mar 28 14:37:12 testingtech dovecot[2600327]: auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=uI1cZWMxdMPAqAEt lip=192.168.1.45 rip=192.168.1.45 lport=143 rport=50036 resp=mFzLmdoYWRpAFQzakAkQHRlc3Q4MzM5NTI= (previous base64 data may contain sensitive data)
Mar 28 14:37:12 testingtech dovecot[2600327]: auth: Debug: auth client connected (pid=2600571)
Mar 28 14:37:12 testingtech dovecot[2600327]: auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=lCpdZWMxeMPAqAEt lip=192.168.1.45 rip=192.168.1.45 lport=143 rport=50040 resp=mFzLmdoYWRpAFQzakAkQHRlc3Q4MzM5NTI= (previous base64 data may contain sensitive data)
Configuration: /etc/pam.d/dovecot
Below is the current configuration of /etc/pam.d/dovecot:
auth required pam_google_authenticator.so nullok forward_pass debug grace_period=3600
account required pam_unix.so
Possible Causes:
- Session expiration: Does Dovecot require a reauthentication within a short time, causing OTP-based authentication to fail?
- Password caching: Is Dovecot caching and reusing an old OTP instead of prompting for a new one?
- Misconfiguration: Could there be an issue with PAM (Pluggable Authentication Module) or Google Authenticator settings?
Request for Help:
- How can I prevent Dovecot from reauthenticating with an expired OTP?
- Are there specific configuration changes required to ensure MFA works correctly?
- Is there a way to keep the user logged in for at least a few hours or until they manually log out?
Any guidance would be greatly appreciated!
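Added example (editor's note, not part of the post above and not code from Dovecot or google-authenticator-libpam): a small model of what a forward_pass PAM stack does with the string an IMAP client sends on each new connection. The log above shows the submitted value "testing833952", i.e. a UNIX password with a six-digit TOTP code appended; the model splits it the same way, checks the code against an RFC 6238 TOTP verifier with the default skew of one 30-second step on either side (WINDOW_SIZE 3) and refuses to accept a code twice (the module's default DISALLOW_REUSE). The secret, the timestamps and the plain password "testing" are constructed for the demo and are assumptions; the scenario then shows why a credential string that is cached by the client and resent on later connections is accepted exactly once.

```python
"""Model of a forward_pass password+TOTP login repeated across IMAP connections.

Added example; not from the original post, Dovecot or google-authenticator-libpam.
Assumptions (labelled as such): trailing 6 digits of the submitted password are the
OTP and the rest is forwarded to pam_unix (forward_pass); skew of +/-1 step
(WINDOW_SIZE 3); a code is accepted only once (DISALLOW_REUSE). The secret,
timestamps and plain password below are constructed demo values.
"""
import base64
import hashlib
import hmac
import struct

STEP = 30          # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
SECRET_B32 = "JBSWY3DPEHPK3PXP"   # constructed demo secret, not a real one
PLAIN_PASSWORD = "testing"        # constructed UNIX password the client prepends
T0 = 1700000010                   # constructed epoch time, exactly on a step boundary


def totp_at_counter(secret_b32, counter, digits=DIGITS):
    """HOTP (RFC 4226) over the step counter, which is TOTP (RFC 6238) with SHA-1."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def totp(secret_b32, at, step=STEP):
    return totp_at_counter(secret_b32, int(at) // step)


def split_forwarded(submitted, digits=DIGITS):
    """forward_pass-style split: (otp, password_for_next_module).
    Returns (None, submitted) when there is no trailing code to strip."""
    if len(submitted) <= digits or not submitted[-digits:].isdigit():
        return None, submitted
    return submitted[-digits:], submitted[:-digits]


class Verifier:
    """TOTP check with a skew window and one-time use per step."""

    def __init__(self, secret_b32, window_size=3):
        self.secret = secret_b32
        self.skew = window_size // 2
        self.used = set()   # step counters whose code has already been accepted

    def check(self, code, at):
        now = int(at) // STEP
        for c in range(now - self.skew, now + self.skew + 1):
            if hmac.compare_digest(totp_at_counter(self.secret, c), code):
                if c in self.used:
                    return "reused"      # same code, same step: DISALLOW_REUSE
                self.used.add(c)
                return "ok"
        return "invalid"                 # no code in the window matches


def authenticate(verifier, submitted, at):
    """What the PAM stack sees for one connection: OTP check, then the forwarded
    remainder is what pam_unix would compare against the UNIX password."""
    otp, forwarded = split_forwarded(submitted)
    if otp is None:
        return "invalid"
    result = verifier.check(otp, at)
    if result != "ok":
        return result
    return "ok" if forwarded == PLAIN_PASSWORD else "password_mismatch"


def simulate(t0=T0):
    """Constructed timeline: the client caches the first credential string and
    resends it on every new connection, as the repeated resp= blobs suggest."""
    v = Verifier(SECRET_B32)
    cached = PLAIN_PASSWORD + totp(SECRET_B32, t0)
    return [
        ("first login",                   authenticate(v, cached, t0)),
        ("reconnect, cached string, +4s", authenticate(v, cached, t0 + 4)),
        ("fresh code, +4s (same step)",   authenticate(v, PLAIN_PASSWORD + totp(SECRET_B32, t0 + 4), t0 + 4)),
        ("fresh code, +31s (next step)",  authenticate(v, PLAIN_PASSWORD + totp(SECRET_B32, t0 + 31), t0 + 31)),
        ("reconnect, cached string, +120s", authenticate(v, cached, t0 + 120)),
    ]


if __name__ == "__main__":
    for label, result in simulate():
        print(f"{label:36s} -> {result}")
```

The timeline distinguishes the two ways a resent string fails: within the original 30-second step the code is still valid but is rejected as a repeat, and once the skew window has moved on it is rejected as invalid, which is the "Invalid verification code" path. Only a connection that carries a code from a new step (the "+31s" line) is accepted, so any client that opens several connections with the same cached string will see one success and then failures. The RFC 6238 SHA-1 test vector (secret "12345678901234567890", time 59, code 287082) can be used to confirm the verifier itself is correct.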