Dovecot fails to authenticate for some users

Question

I've the typical Dovecot + Postfix setup, with Apache and Roundcube (in a VPS). Yesterday I set up everything, and it went smooth. Right, but today I woke up with the surprise that some users simply can't login. Clients give a message like this (roundcube case):

Login failed for $user from $ip. AUTHENTICATE PLAIN: Authentication failed.

The worst of all is that some other users can log in, which is weird, since authentication methods, etc are global. I searched all over the internet for solutions, but nothing. I read the Dovecot wiki about password schemes, password databases, authentications mechanisms, etc. Whenever I try to login using telnet/openssl, I get:

$ openssl s_client -connect imap.domain.tld:143 -starttls imap
a login $user $password
a NO [AUTHENTICATIONFAILED] Authentication failed.

And the most insane part is that passwords are correct! passdb and userdb are correctly set up (they worked in previous servers I had, and confirmed it with doveadm user and doveadm user). And if that was not much, the logs do not say anything!! (even with the most verbose configuration, debugging enabled, etc.)

Here is my dovecot configuration:

$ dovecot -n
# 2.2.29.1 (e0b76e3): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.18 (29cc74d)
# OS: Linux 4.9.155-gnu-0-lts x86_64  
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login cram-md5
auth_verbose = yes
auth_verbose_passwords = yes
mail_location = maildir:~/Maildir
mail_plugins = " quota"
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character         vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix = 
}
passdb {
  args = /etc/passwd-file
  auth_verbose = yes
  driver = passwd-file
}
plugin {
  quota = maildir:Cuota de usuario
  quota_warning = storage=95%% quota-warning 95 %u
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = imap pop3 sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = root
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  inet_listener lmtp {
    port = 24
  }
  user = root
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl = required
ssl_protocols = TLSv1.2 TLSv1.1 !SSLv3
userdb {
  args = /etc/passwd-file
  auth_verbose = yes
  driver = passwd-file
}
verbose_ssl = yes
protocol imap {
  mail_plugins = " quota imap_quota imap_sieve"
  ssl_cert = </etc/letsencrypt/live/server/fullchain.pem
  ssl_key =  # hidden, use -P to show it
}
protocol pop3 {
  ssl_cert = </etc/letsencrypt/live/server/fullchain.pem
  ssl_key =  # hidden, use -P to show it
}
protocol sieve {
  ssl_cert = </etc/letsencrypt/live/server/fullchain.pem
  ssl_key =  # hidden, use -P to show it
}
protocol lmtp {
  mail_plugins = " quota sieve"
}

Please help me, this is getting me mad :/

Answer 1

So the problem was that the domain was pointing to a different IPv4 address, which was from another server with similar setup (that's why I thought it was the same server that I was talking about). This other server had a cronjob to automatically update the IPv4 address for my domains from my CloudFlare DNS (because I had a dynamic IP address in this server).