Cyrus, SASL, sasldb

28/05/2006, 21h49

Hi.

I just tried to install Cyrus imapd with authentication via sasldb
(and auxprop), but it don't work, I can't authenticate anyone.

System: Debian etch [testing]
Cyrus: Debian packages, tried 2.1.18 and 2.2.13.
SASL: sasl2-bin libsasl2 libsasl2-modules

,----[ imapd.conf ]
| servername: ....
|
| configdirectory: /var/lib/cyrus
| defaultpartition: default
| partition-default: /var/spool/cyrus/mail
|
| altnamespace: no
| unixhierarchysep: no
| lmtp_downcase_rcpt: yes
|
| hashimapspool: true
|
| allowanonymouslogin: no
| allowplaintext: no
| allowplainwithouttls: no
| sasl_mech_list: plain login cram-md5 digest-md5
| sasl_pwcheck_method: auxprop
| sasl_auxprop_plugin: sasldb
|
| virtdomains: userid
| defaultdomain: my-domain
|
| lmtpsocket: /var/run/cyrus/socket/lmtp
| #idlesocket: /var/run/cyrus/socket/idle
| #notifysocket: /var/run/cyrus/socket/notify
| syslog_prefix: cyrus
`----

I added a testuser to /etc/sasldb2:

saslpasswd2 -c -u my-domain testuser
saslpasswd2 -c testuser

All these tests faild:

imtest -v -w xxxx -a testuser localhost
imtest -v -w xxxx -a testuser@my-domain localhost
imtest -v -w xxxx -a testuser -r my-domain localhost

Cyrus' imapd says:

,----
| S: * OK Dovecot ready.
| C: C01 CAPABILITY
| S: * CAPABILITY IMAP4rev1 SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS QUOTA STARTTLS AUTH=PLAIN
| S: C01 OK Capability completed.
| C: A01 AUTHENTICATE PLAIN
| S: +
| C: ...........................
| S: A01 NO Authentication failed.
| Authentication failed. generic failure
| Security strength factor: 0
| C: Q01 LOGOUT
| * BYE Logging out
| Q01 OK Logout completed.
| Connection closed.
`----

Why is only AUTH=PLAIN announced -- I've installed all standard
modules and for example postfix offers me more methods (I also
configured postfix to use auxprop and sasldb). Something seems to go
wrong, I assume cyrmaster/imapd don't use the right authentication
mechanism but I have no idea how to debug and where to look. After 5
hours of testing, searching and reading I really would appreciate any
kind of hints or tips.

BTW: One thing I'm wondering about is, that cyrus offer quite
different capabilities if I use "imtest ... hostname" instead of
localhost.

--
Stefan.

29/05/2006, 10h24

Stefan Nobis <snobis@gmx.de> writes:

> I just tried to install Cyrus imapd with authentication via sasldb
> (and auxprop), but it don't work, I can't authenticate anyone.

Problem solved: double check /etc/hosts! Somehow the host IP got wrong
and after i corrected this (and remembered to use -t "" and -a with
imtest), everything works fine.

--
Stefan.

29/05/2006, 14h57

Stefan Nobis <snobis@gmx.de> writes:

> Stefan Nobis <snobis@gmx.de> writes:

>> I just tried to install Cyrus imapd with authentication via sasldb
>> (and auxprop), but it don't work, I can't authenticate anyone.

> Problem solved: double check /etc/hosts!

And also check domain names and settings!

I'm a little bit confused. The man page said defaultdomain in
imapd.conf has no influence on imap/pop3 but it seems this setting is
also very important for imap/pop3 also.

If I set "defaultdomain: my-domain" with "servername: xy.my-domain"
and have a user named "user@my-domain" in sasldb2, then the login will
fail. In this case it seems I need "user@my-domain" and
"user@xy.my-domain" in sasldb2 and the password is taken from the last
mentioned account.

If I leave defaultdomain empty, everything seems to work as expected
(user "user@domain" in sasldb can authenticate with its password just
fine).

I also found a note in an example inetd.conf and in the manpage
loginrealms is said to be necessary for multiple virtual domains on
one interface/IP. But I was able to login with an account like
"user@other-domain" without loginreamls, only setting "virtdomains:
userid", so I assume the documentation is not quite right on this.

Is this all correct or am I missing something still (and everything
works so far out of sheer luck)?

--
Stefan.

31/05/2006, 21h52

Yizhar Hurwitz <yizhar@mail.dot.com> writes:

> Have you noticed, that the imap server is *Dovecot* and not Cyrus???

Yes, after quite some time I realised it -- a wrong entry in
/etc/hosts so with "imtest ... hostname" I didn't connect to my local
Cyrus server but to a foreign imapd (in this case Dovecot).

There are always many hints if you make some mistakes but also these
hints are quite easy to ignore...

--
Stefan.

31/05/2006, 21h56

Stefan Nobis wrote:
>
> Cyrus' imapd says:
>
> ,----
> | S: * OK Dovecot ready.

HI.

Have you noticed, that the imap server is *Dovecot* and not Cyrus???

Yizhar Hurwitz
http://yizhar.mvps.org

28/05/2006, 21h49	#1
Stefan Nobis Messages: n/a Hébergeur:	Cyrus, SASL, sasldb Hi. I just tried to install Cyrus imapd with authentication via sasldb (and auxprop), but it don't work, I can't authenticate anyone. System: Debian etch [testing] Cyrus: Debian packages, tried 2.1.18 and 2.2.13. SASL: sasl2-bin libsasl2 libsasl2-modules ,----[ imapd.conf ] \| servername: .... \| \| configdirectory: /var/lib/cyrus \| defaultpartition: default \| partition-default: /var/spool/cyrus/mail \| \| altnamespace: no \| unixhierarchysep: no \| lmtp_downcase_rcpt: yes \| \| hashimapspool: true \| \| allowanonymouslogin: no \| allowplaintext: no \| allowplainwithouttls: no \| sasl_mech_list: plain login cram-md5 digest-md5 \| sasl_pwcheck_method: auxprop \| sasl_auxprop_plugin: sasldb \| \| virtdomains: userid \| defaultdomain: my-domain \| \| lmtpsocket: /var/run/cyrus/socket/lmtp \| #idlesocket: /var/run/cyrus/socket/idle \| #notifysocket: /var/run/cyrus/socket/notify \| syslog_prefix: cyrus `---- I added a testuser to /etc/sasldb2: saslpasswd2 -c -u my-domain testuser saslpasswd2 -c testuser All these tests faild: imtest -v -w xxxx -a testuser localhost imtest -v -w xxxx -a testuser@my-domain localhost imtest -v -w xxxx -a testuser -r my-domain localhost Cyrus' imapd says: ,---- \| S: * OK Dovecot ready. \| C: C01 CAPABILITY \| S: * CAPABILITY IMAP4rev1 SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS QUOTA STARTTLS AUTH=PLAIN \| S: C01 OK Capability completed. \| C: A01 AUTHENTICATE PLAIN \| S: + \| C: ........................... \| S: A01 NO Authentication failed. \| Authentication failed. generic failure \| Security strength factor: 0 \| C: Q01 LOGOUT \| * BYE Logging out \| Q01 OK Logout completed. \| Connection closed. `---- Why is only AUTH=PLAIN announced -- I've installed all standard modules and for example postfix offers me more methods (I also configured postfix to use auxprop and sasldb). Something seems to go wrong, I assume cyrmaster/imapd don't use the right authentication mechanism but I have no idea how to debug and where to look. After 5 hours of testing, searching and reading I really would appreciate any kind of hints or tips. BTW: One thing I'm wondering about is, that cyrus offer quite different capabilities if I use "imtest ... hostname" instead of localhost. -- Stefan.

29/05/2006, 10h24	#2
Stefan Nobis Messages: n/a Hébergeur:	Re: Cyrus, SASL, sasldb Stefan Nobis <snobis@gmx.de> writes: > I just tried to install Cyrus imapd with authentication via sasldb > (and auxprop), but it don't work, I can't authenticate anyone. Problem solved: double check /etc/hosts! Somehow the host IP got wrong and after i corrected this (and remembered to use -t "" and -a with imtest), everything works fine. -- Stefan.

29/05/2006, 14h57	#3
Stefan Nobis Messages: n/a Hébergeur:	Re: Cyrus, SASL, sasldb Stefan Nobis <snobis@gmx.de> writes: > Stefan Nobis <snobis@gmx.de> writes: >> I just tried to install Cyrus imapd with authentication via sasldb >> (and auxprop), but it don't work, I can't authenticate anyone. > Problem solved: double check /etc/hosts! And also check domain names and settings! I'm a little bit confused. The man page said defaultdomain in imapd.conf has no influence on imap/pop3 but it seems this setting is also very important for imap/pop3 also. If I set "defaultdomain: my-domain" with "servername: xy.my-domain" and have a user named "user@my-domain" in sasldb2, then the login will fail. In this case it seems I need "user@my-domain" and "user@xy.my-domain" in sasldb2 and the password is taken from the last mentioned account. If I leave defaultdomain empty, everything seems to work as expected (user "user@domain" in sasldb can authenticate with its password just fine). I also found a note in an example inetd.conf and in the manpage loginrealms is said to be necessary for multiple virtual domains on one interface/IP. But I was able to login with an account like "user@other-domain" without loginreamls, only setting "virtdomains: userid", so I assume the documentation is not quite right on this. Is this all correct or am I missing something still (and everything works so far out of sheer luck)? -- Stefan.

31/05/2006, 21h52	#4
Stefan Nobis Messages: n/a Hébergeur:	Re: Cyrus, SASL, sasldb Yizhar Hurwitz <yizhar@mail.dot.com> writes: > Have you noticed, that the imap server is Dovecot and not Cyrus??? Yes, after quite some time I realised it -- a wrong entry in /etc/hosts so with "imtest ... hostname" I didn't connect to my local Cyrus server but to a foreign imapd (in this case Dovecot). There are always many hints if you make some mistakes but also these hints are quite easy to ignore... -- Stefan.

31/05/2006, 21h56	#5
Yizhar Hurwitz Messages: n/a Hébergeur:	Re: Cyrus, SASL, sasldb Stefan Nobis wrote: > > Cyrus' imapd says: > > ,---- > \| S: * OK Dovecot ready. HI. Have you noticed, that the imap server is Dovecot and not Cyrus??? Yizhar Hurwitz http://yizhar.mvps.org

Outils de la discussion
Afficher une version imprimable Envoyer un lien vers cette page par email