I'm CCing the list. On 02/06/12 21:23 +0200, T T wrote:
> Thanks for the quick reply, Dan! I have added the user with the FQDN to sasldb:
>
>     saslpasswd2 -u mail.example.com tom
'-u' should not be necessary, considering you do not have virtdomains configured in /etc/imapd.conf.
> Then it worked with the following settings in imapd.conf:
>
>     sasl_pwcheck_method: auxprop
>     sasl_auxprop_plugin: sasldb
>
> Well, not the most intuitive thing I've seen in my life, but it works after re-reading man saslpasswd2 :). Man imapd.conf, though, is asking for an improvement, as, quote:
>
>     servername: <none>
>         This is the hostname visible in the greeting messages of the POP, IMAP and LMTP daemons. If it is unset, then the result returned from gethostname(2) is used.
>
> ... doesn't give much hint in that regard.
hostname is not a standard configuration option in cyrus sasl, and is usually set programmatically or via an option exposed by the calling application (as with imapd). The only places that I see a mention of it in the documentation are:

http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/gssapi.php
http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/programming.php
> I'm out of luck with saslauthd, though. When imapd.conf was limited to that, only GSSAPI worked. No success with the sasldb option in /etc/default/saslauthd. Any suggestions?
saslauthd should not be used to query sasldb in most cases. By default, saslauthd is not compiled with the sasldb backend (though your distro may include it). If you want to use sasldb, a typical configuration would be:

    sasl_pwcheck_method: auxprop
    sasl_auxprop_plugin: sasldb

To verify which backends your saslauthd was compiled with, do:

    ~# saslauthd -v
    saslauthd 2.1.25
    authentication mechanisms: sasldb getpwent kerberos5 pam rimap shadow ldap

You might instead want to use saslauthd for its kerberos5 backend to simplify password state, but by doing so you'll lose support for the shared secret mechanisms, such as digest-md5. In that case, your imapd.conf config should be:

    sasl_pwcheck_method: saslauthd

And in /etc/default/saslauthd:

    MECHANISMS="kerberos5"

If you choose to use saslauthd, you should use 'testsaslauthd' to troubleshoot it and/or run saslauthd in debug mode.
> From the mail.log:
>
>     Feb 6 20:58:50 mail cyrus/imap[4517]: badlogin: mail.example.com [172.16.3.9] plaintext tom@xxxxxxxxxxxxxxxx SASL(-1): generic failure: checkpass failed
>
> /etc/default/saslauthd:
>
>     START=no
>     DESC="SASL Authentication Daemon"
>     NAME="saslauthd"
>     MECHANISMS="sasldb"
>     MECH_OPTIONS=""
>     THREADS=5
>     OPTIONS="-c -m /var/run/saslauthd"
>
> /etc/imapd.conf:
>
>     sasl_keytab: /etc/imap.keytab
>     servername: mail.example.com
>     loginrealms: EXAMPLE.COM
>     configdirectory: /var/lib/cyrus
>     defaultpartition: default
>     partition-default: /var/spool/cyrus/mail
>     partition-news: /var/spool/cyrus/news
>     newsspool: /var/spool/news
>     altnamespace: yes
>     unixhierarchysep: yes
>     lmtp_downcase_rcpt: yes
>     admins: cyrus
>     imap_admins: cyrus
>     sieve_admins: cyrus
>     allowanonymouslogin: no
>     popminpoll: 1
>     autocreatequota: 0
>     umask: 077
>     sieveusehomedir: false
>     sievedir: /var/spool/sieve
>     hashimapspool: true
>     allowplaintext: yes
>     sasl_mech_list: PLAIN LOGIN GSSAPI
>     sasl_minimum_layer: 0
>     sasl_pwcheck_method: saslauthd
>     sasl_auto_transition: no
>     tls_ca_path: /etc/ssl/certs
>     tls_session_timeout: 1440
>     tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
>     lmtpsocket: /var/spool/postfix/public/lmtp
>     idlemethod: poll
>     idlesocket: /var/run/cyrus/socket/idle
>     notifysocket: /var/run/cyrus/socket/notify
>     syslog_prefix: cyrus
-- Dan White
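As an added example that is not part of the thread (not Dan's code, nor Cyrus IMAP's or Cyrus SASL's), the following POSIX shell script performs the cross-check Dan's reply describes: it reads the sasl_pwcheck_method that imapd.conf selects, and for the saslauthd path compares MECHANISMS in /etc/default/saslauthd against the backend list that `saslauthd -v` prints, while for the auxprop path it requires sasl_auxprop_plugin to be set. It also lists mechanisms from sasl_mech_list that are shared-secret mechanisms (DIGEST-MD5, CRAM-MD5, SCRAM-*) and so cannot be served through saslauthd. The file contents and the `saslauthd -v` output are constructed inline from what the thread shows (with a variant build that lacks the sasldb backend), so the script runs offline; the function names, the verdict strings, and the reading of START=no as "the init script will not start the daemon" (Debian-style /etc/default semantics) are this example's assumptions.

```shell
#!/bin/sh
# Added example; not code from the thread, Cyrus IMAP or Cyrus SASL.
# Cross-checks the password-check path selected in imapd.conf against
# /etc/default/saslauthd and the backends reported by `saslauthd -v`.
# All inputs are constructed inline so the script runs offline; on a real
# host pass the contents of the real files and the real command output.

# Constructed: the imapd.conf lines that matter, as posted (saslauthd path).
IMAPD_CONF_POSTED='servername: mail.example.com
sasl_mech_list: PLAIN LOGIN GSSAPI
sasl_pwcheck_method: saslauthd
sasl_auto_transition: no'

# Constructed: the auxprop configuration that worked in the thread.
IMAPD_CONF_AUXPROP='sasl_mech_list: PLAIN LOGIN GSSAPI
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sasldb'

# Constructed: /etc/default/saslauthd as posted (START=no, MECHANISMS=sasldb).
SASLAUTHD_DEFAULT_POSTED='START=no
MECHANISMS="sasldb"
OPTIONS="-c -m /var/run/saslauthd"'

# Constructed: `saslauthd -v` for a build WITHOUT the sasldb backend
# (the default build, as the reply notes).
SASLAUTHD_V_NO_SASLDB='saslauthd 2.1.25
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap'

# conf_value TEXT KEY: value of "KEY: value" in imapd.conf style (last one wins).
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p" | tail -n 1
}

# default_value TEXT VAR: value of VAR="..." in /etc/default/saslauthd style.
default_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | tail -n 1 | tr -d '"'
}

# saslauthd_has BACKEND VTEXT: succeeds if the `saslauthd -v` output lists BACKEND.
saslauthd_has() {
    printf '%s\n' "$2" | sed -n 's/^authentication mechanisms: //p' \
        | tr ' ' '\n' | grep -qx -- "$1"
}

# check_pwcheck IMAPD_TEXT DEFAULT_TEXT VTEXT: prints one finding per line
# and returns non-zero if any of them is a misconfiguration.
check_pwcheck() {
    method=$(conf_value "$1" sasl_pwcheck_method)
    case "$method" in
    auxprop)
        plugin=$(conf_value "$1" sasl_auxprop_plugin)
        [ -n "$plugin" ] || { echo missing-auxprop-plugin; return 1; }
        echo "ok-auxprop-$plugin"
        ;;
    saslauthd)
        rc=0
        mech=$(default_value "$2" MECHANISMS)
        # Assumption: Debian-style defaults file, START=no means not started.
        if [ "$(default_value "$2" START)" = no ]; then
            echo saslauthd-disabled-in-default-file; rc=1
        fi
        if ! saslauthd_has "$mech" "$3"; then
            echo "saslauthd-lacks-backend-$mech"; rc=1
        fi
        [ "$rc" -eq 0 ] && echo "ok-saslauthd-$mech"
        return "$rc"
        ;;
    *)
        echo "unknown-method-$method"; return 1
        ;;
    esac
}

# shared_secret_mechs IMAPD_TEXT: mechanisms from sasl_mech_list that need the
# stored secret from an auxprop plugin and therefore cannot work via saslauthd.
shared_secret_mechs() {
    out=
    for m in $(conf_value "$1" sasl_mech_list); do
        case "$m" in
        DIGEST-MD5|CRAM-MD5|SCRAM-*) out="$out$m " ;;
        esac
    done
    echo "${out% }"
}

# Demo over the constructed inputs: the posted combination is flagged on both
# counts, the auxprop configuration from the thread passes.
check_pwcheck "$IMAPD_CONF_POSTED" "$SASLAUTHD_DEFAULT_POSTED" "$SASLAUTHD_V_NO_SASLDB" || :
check_pwcheck "$IMAPD_CONF_AUXPROP" "$SASLAUTHD_DEFAULT_POSTED" "$SASLAUTHD_V_NO_SASLDB"
```

On a live host you would call check_pwcheck with "$(cat /etc/imapd.conf)", "$(cat /etc/default/saslauthd)" and "$(saslauthd -v 2>&1)"; a non-zero exit from it is the cue to reach for testsaslauthd or saslauthd's debug mode, as the reply suggests.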