I'm using a Postfix MTA on CentOS 7 with Cyrus-SASL v 2.1.23 connecting via LMTP to a Cyrus-IMAP server on CentOS 6 with Cyrus-SASL v 2.1.26 using Kerberos. The connection starts by setting up a TLS layer and then tries to authenticate via a Kerberos ticket.
I'm using lmtptest to try to test the connection. Although there is some strange reporting of an expired certificate (not sure where this comes from as I've checked certificates for both systems and they are good and can be validated using openssl) the IMAP server reports:
Dec 21 23:04:31 imap lmtp[14084]: executed
Dec 21 23:04:31 imap lmtp[14084]: Doing a peer verify
Dec 21 23:04:31 imap lmtp[14084]: Doing a peer verify
Dec 21 23:04:31 imap lmtp[14084]: verify error:num=10:certificate has expired
Dec 21 23:04:31 imap lmtp[14084]: cert has expired
Dec 21 23:04:31 imap lmtp[14084]: received server certificate
Dec 21 23:04:31 imap lmtp[14084]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new client) no authentication
Dec 21 23:09:58 imap lmtp[14093]: accepted connection
Dec 21 23:09:58 imap lmtp[14093]: connection from mx.4test.net [192.168.34.6]
On the client side I see:
[root@mx ~]# lmtptest -t "" imap.4test.net
S: 220 imap.4test.net Cyrus LMTP Murder v2.4.16-Invoca-RPM-2.4.16-1.el6 server ready
C: LHLO lmtptest
S: 250-8BITMIME
S: 250-ENHANCEDSTATUSCODES
S: 250-PIPELINING
S: 250-SIZE
S: 250-STARTTLS
S: 250 IGNOREQUOTA
C: STARTTLS
S: 220 Begin TLS negotiation now
verify error:num=19:self signed certificate in certificate chain
TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
So despite the strange "cert has expired" error, I believe I'm getting a good TLS connection. Then the client tries to authenticate:
C: LHLO lmtptest
S: 250-8BITMIME
S: 250-ENHANCEDSTATUSCODES
S: 250-PIPELINING
S: 250-SIZE
S: 250-AUTH PLAIN GSSAPI
S: 250 IGNOREQUOTA
C: AUTH GSSAPI
S: 334
C: YIICbgYJKoZIhvcSAQICAQBuggJdMIICWaAD...
...snip...
DUMz6aI1WeQD6KXI431XpwZQFCrqmHRQg3saZc=
S: 334
C: *
Authentication failed. generic failure
Security strength factor: 256
501 5.5.4 client canceled authentication
In the message log on the client side I see:
Dec 22 05:09:58 mx lmtptest: GSSAPI Error: A required input parameter could not be read (Unknown error)
Reading through mailing list postings I see there was a bug in Fedora relating to the v 2.1.23 and v 2.1.26 of Cyrus-SASL. Are the two versions incompatible and the reason why I'm seeing this error?
I have the exact same setup on another lab configuration that uses CentOS 6 (v 2.1.23) on each end and it works flawlessly.
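When triaging a failed AUTH GSSAPI exchange like the one above, it helps to confirm what the client actually put on the wire before suspecting the SASL libraries. The following is an added example (not code from the post, Cyrus or Postfix) that decodes the framing of a GSS-API InitialContextToken from any prefix of its base64 text, such as the first line lmtptest prints; the OIDs, token IDs and ASN.1 tags are the standard RFC 1964 / RFC 4121 values, and the sample input is the visible start of the token in the transcript.

```python
import base64
import math

# Standard mechanism OIDs in DER form (RFC 1964, RFC 4178).
MECH_NAMES = {
    bytes.fromhex("2a864886f712010202"): "Kerberos V5 (1.2.840.113554.1.2.2)",
    bytes.fromhex("2b0601050502"): "SPNEGO (1.3.6.1.5.5.2)",
}
# Two-byte token identifiers that follow the Kerberos mech OID (RFC 4121 4.1).
KRB5_TOKEN_IDS = {b"\x01\x00": "KRB_AP_REQ", b"\x02\x00": "KRB_AP_REP",
                  b"\x03\x00": "KRB_ERROR"}
# ASN.1 APPLICATION tags of the Kerberos message inside the token.
INNER_TAGS = {0x6E: "AP-REQ", 0x6F: "AP-REP", 0x7E: "KRB-ERROR"}

def _der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, index after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def parse_gss_token_header(b64_prefix):
    """Describe the framing of a GSS-API InitialContextToken (RFC 2743 3.1)
    given any prefix of its base64 form. Raises ValueError on bad framing."""
    s = "".join(b64_prefix.split())
    raw = base64.b64decode(s[:len(s) - len(s) % 4])  # drop a cut-off group
    if len(raw) < 2 or raw[0] != 0x60:
        raise ValueError("not an [APPLICATION 0] InitialContextToken")
    body_len, pos = _der_len(raw, 1)
    total = pos + body_len                     # size of the complete token
    if len(raw) <= pos or raw[pos] != 0x06:
        raise ValueError("mech OID missing after token header")
    oid_len, pos = _der_len(raw, pos + 1)
    oid = raw[pos:pos + oid_len]
    pos += oid_len
    info = {
        "token_bytes": total,
        # base64 length the full token must have once padding is included
        "expected_b64_chars": 4 * math.ceil(total / 3),
        "mech": MECH_NAMES.get(oid, "unknown OID " + oid.hex()),
    }
    if MECH_NAMES.get(oid, "").startswith("Kerberos"):
        info["krb5_token_id"] = KRB5_TOKEN_IDS.get(raw[pos:pos + 2], "unknown")
        info["inner"] = (INNER_TAGS.get(raw[pos + 2], "unknown")
                         if len(raw) > pos + 2 else "truncated")
    return info

if __name__ == "__main__":
    # Constructed input: the first line of the AUTH GSSAPI exchange above.
    print(parse_gss_token_header("YIICbgYJKoZIhvcSAQICAQBuggJdMIICWaAD"))
```

For the transcript above this reports a 626-byte Kerberos V5 KRB_AP_REQ, whose base64 form must be 836 characters ending in a single "=", which matches the last line shown before the server's empty 334 challenge.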