Thanks for your information. Now I can understand better about new version of IMAP, SASL...

Thank you very much and have a nice day,

--
***********************************
EVERYTHING HAS JUST BEGUN...

On Tue, 22 Mar 2011 08:47:29 -0500, Dan White <dwhite@xxxxxxx> wrote:
> On 22/03/11 20:32 +0700, Nguyen, Quoc Khanh wrote:
>> I can not authenticate with user LDAP. Here is the message:
>>
>> root@ubuntu:/usr/local/bin# ./imtest -a khanhnq -m login localhost
>> S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE LOGINDISABLED AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM SASL-IR] ubuntu Cyrus IMAP v2.4.6 server ready
>> C: C01 CAPABILITY
>> S: * CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE LIST-EXTENDED WITHIN QRESYNC SCAN XLIST URLAUTH URLAUTH=BINARY LOGINDISABLED AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM SASL-IR COMPRESS=DEFLATE IDLE
>> S: C01 OK Completed
>> Please enter your password:
>> C: L01 LOGIN khanhnq {6}
>> S: L01 NO Login only available under a layer
>> Authentication failed. generic failure
>> Security strength factor: 0
>>
>> My /etc/imapd.conf is:
>> configdirectory: /var/imap
>> partition-default: /var/spool/imap
>> admins: cyrus
>> sasl_pwcheck_method: saslauthd
>>
>> The sasl authenticated with user LDAP is OK.
>
> In recent versions of imapd, cleartext-over-the-network authentication is
> not allowed by default.
>
> The 'LOGINDISABLED' capability means that the server will not allow
> traditional (rfc3501 6.2.3.) imap logins, nor will it support SASL
> PLAIN/LOGIN authentications, since they are not advertised.
>
> You could authenticate using DIGEST-MD5 or CRAM-MD5, but those are not
> compatible with saslauthd.
>
> Assuming you understand the security consequences, the simplest fix is to
> add this to your imapd.conf:
>
> allowplaintext: yes
> # Disallow shared secret mechanisms:
> sasl_mech_list: plain login gssapi external
>
> Alternatively, you could implement TLS instead of enabling allowplaintext.
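
Added example, not part of the thread and not Cyrus code: a small Python check that reads an IMAP greeting or `* CAPABILITY` line and reports whether a password can reach a saslauthd backend on that connection, following the reasoning in the reply above. The names `parse_capabilities` and `diagnose` are hypothetical, and the two `*_TLS` sample lines are constructed for illustration.

```python
import re

# Mechanisms that hand the server a cleartext password, which saslauthd needs.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Greeting copied from the imtest session quoted in the thread.
GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE LOGINDISABLED "
            "AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM SASL-IR] "
            "ubuntu Cyrus IMAP v2.4.6 server ready")
# Constructed samples (not from the thread): a server offering STARTTLS,
# and the same server's capabilities once the TLS layer is up.
BEFORE_TLS = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=CRAM-MD5"
AFTER_TLS = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5"

def parse_capabilities(line):
    """Return the capability atoms from a greeting or '* CAPABILITY' reply."""
    bracket = re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.I)
    if bracket:
        atoms = bracket.group(1).split()
    else:
        untagged = re.match(r"\*\s+CAPABILITY\s+(.*)", line.strip(), re.I)
        atoms = untagged.group(1).split() if untagged else []
    return {a.upper() for a in atoms}

def diagnose(line):
    """Classify what the advertised capabilities allow for password auth."""
    caps = parse_capabilities(line)
    mechs = {c[5:] for c in caps if c.startswith("AUTH=")}
    login_ok = "LOGINDISABLED" not in caps      # RFC 3501 LOGIN command usable
    usable = sorted(mechs & PLAINTEXT_MECHS)    # SASL mechs saslauthd can back
    if login_ok or usable:
        hint = "password can reach saslauthd on this connection"
    elif "STARTTLS" in caps:
        hint = "issue STARTTLS, then re-read CAPABILITY"
    else:
        hint = "configure TLS, or set allowplaintext in imapd.conf"
    return {
        "login_command": login_ok,
        "sasl_mechs": sorted(mechs),
        "saslauthd_usable_mechs": usable,
        "starttls": "STARTTLS" in caps,
        "saslauthd_can_work": login_ok or bool(usable),
        "hint": hint,
    }

if __name__ == "__main__":
    for sample in (GREETING, BEFORE_TLS, AFTER_TLS):
        print(diagnose(sample))
```

For the quoted greeting the result shows only shared-secret mechanisms, no STARTTLS and a disabled LOGIN command, which is why the saslauthd-backed login was refused.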