Author Topic: Permissions of user/password file of Dovecot for password plugin?  (Read 4706 times)

Offline StorWalle

  • Newbie
  • *
  • Posts: 7
Hi!

I am using Roundcube with Dovecot/Postfix on Ubuntu 20.4 and all in general is working very well. Trying to get the Password plugin to work in Roundcube has gone well, until I try to change password through the web page. It lets me know that the change could not be saved.

Looking into the Roundcube error log shows me this:
```
[29-Jan-2022 11:48:59 UTC] PHP Warning:  file_put_contents(/etc/dovecot/users): failed to open stream: Permission denied in /var/www/server.domain.tld/plugins/password/drivers/dovecot_passwdfile.php on line 72
[29-Jan-2022 11:48:59 +0000]: <9207hcof> PHP Error: Password plugin: Failed to save file /etc/dovecot/users. in /var/www/server.domain.tld/plugins/password/drivers/dovecot_passwdfile.php on line 83 (POST /?_task=settings&_action=plugin.password-save)
```

This tells me that there is a permission problem with the user/password file I have for Dovecot. Today only the user 'root' has access to it. Since it is 'www-data' (?) as a user that is trying to open and change this file, should I include that user in the 'root' group and add permissions to 'root' group to be allowed to change the file?

Or is there another solution to the problem?

Kind regards
Michael

Offline StorWalle

Re: Permissions of user/password file of Dovecot for password plugin?
« Reply #1 on: January 29, 2022, 08:07:17 AM »
Continuing my trials while waiting for more competent answers...

Doing `chown root:www-data` and `chmod 770` on the password file made Roundcube capable of changing the file, but it didn't add `{CRAM-MD5}PASSWORDHASH` to the line of the user, the rest was correct with regards to user ID and file path to mail storage.

...

So question now is:
1. Is it a bad idea to have the user/password file with above user:group and permissions?
2. What is wrong when it doesn't add the hashed password with encryption method?

With regards to 2. I read another post that had both 'sql' and 'dovecot' as active drivers. I have only 'dovecot' active and configured.

3. Is the driver 'sql' needed for hashing etc alongside with Dovecot driver?

Kind regards
Michael

Offline JohnDoh

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 2,856
Re: Permissions of user/password file of Dovecot for password plugin?
« Reply #2 on: January 30, 2022, 05:18:19 AM »
Quote
2. What is wrong when it doesn't add the hashed password with encryption method?
Have you set `password_algorithm_prefix` in your config?
Roundcube Plugins: Contextmenu, SpamAssassin Prefs, and more…

Offline StorWalle

Re: Permissions of user/password file of Dovecot for password plugin?
« Reply #3 on: January 31, 2022, 01:13:22 AM »
Thanks so much for helping out!!

Quote
2. What is wrong when it doesn't add the hashed password with encryption method?
Have you set `password_algorithm_prefix` in your config?

Yes, I have and everything actually works in terms of Password Plugin opening the passwd/userdb file, copies the user row, but between the colons where "{CRAM-MD5}PASSWDHASH" should be there is nothing.

That leads me to believe that doveadm pw command does not work. So that leads me to think of the given path to doveadm. In the config file it is defined as:
```php
// Path for dovecotpw/doveadm-pw (if not in the $PATH).
// Used for password_algorithm = 'dovecot'.
$config['password_dovecotpw'] = '/usr/local/sbin/doveadm pw'; // for dovecot-2.x
//$config['password_dovecotpw'] = '/usr/local/sbin/dovecotpw'; // for dovecot-1.x
```

But in /usr/local/sbin there is no doveadm. When I use doveadm to hash passwords manually I can do it from anywhere in the command line.

So the new question would be:
What should I configure the path line to?

Offline StorWalle

Re: Permissions of user/password file of Dovecot for password plugin?
« Reply #4 on: January 31, 2022, 04:40:13 AM »
Found the solution by traditional trial and error...

If I configure it like:
```php
// Path for dovecotpw/doveadm-pw (if not in the $PATH).
// Used for password_algorithm = 'dovecot'.
//$config['password_dovecotpw'] = '/usr/local/sbin/doveadm pw'; // for dovecot-2.x
$config['password_dovecotpw'] = 'doveadm pw'; // for dovecot-2.x
//$config['password_dovecotpw'] = '/usr/local/sbin/dovecotpw'; // for dovecot-1.x
```

It magically worked!
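
An added example, not part of the thread or of Roundcube's code: a small audit for a Dovecot passwd-file that checks the three things this thread ran into, namely the file mode from reply #1, the empty password field from reply #3, and whether the configured `password_dovecotpw` command resolves at all. The function names, the sample rows and the temporary paths are constructed for illustration.

```python
import os
import shutil
import stat
import tempfile

def audit_passwd_file(path, dovecotpw="doveadm pw"):
    """Audit a Dovecot passwd-file (user:password:uid:gid:...) and return findings."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o111:
        findings.append(f"mode {mode:o}: execute bits set on a data file")
    if mode & 0o007:
        findings.append(f"mode {mode:o}: accessible to every local account")
    if mode & 0o020:
        findings.append(f"mode {mode:o}: any process with gid {st.st_gid} can rewrite every hash")
    # A bare name is searched on PATH; a fixed path must exist and be executable.
    binary = dovecotpw.split()[0]
    if shutil.which(binary) is None:
        findings.append(f"{binary}: not found or not executable for this account")
    with open(path, encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, 1):
            line = line.rstrip("\n")
            if not line or line.startswith("#"):
                continue  # Dovecot ignores empty lines and '#' comments
            fields = line.split(":")
            user, pw = fields[0], (fields[1] if len(fields) > 1 else "")
            if not pw:
                findings.append(f"line {lineno}: {user} has an empty password field")
            elif not pw.startswith("{"):
                findings.append(f"line {lineno}: {user} hash has no {{SCHEME}} prefix")
    return findings

def demo():
    """Audit a constructed sample file that mirrors the state described in the thread."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "users")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("# constructed sample rows, not real accounts\n"
                     "alice@example.test:{CRAM-MD5}0123abcd:5000:5000::/var/mail/alice\n"
                     "bob@example.test::5000:5000::/var/mail/bob\n")
        os.chmod(path, 0o770)  # the mode tried in reply #1
        missing = os.path.join(tmp, "doveadm") + " pw"  # fixed path with no binary behind it
        return audit_passwd_file(path, missing)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it as the account PHP runs under, so the PATH lookup and the file access match what the plugin sees.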