Re: imapd is not talking to saslauthd

[Ken Murchison <murch@xxxxxxxxxxxx>]

Has Cyrus IMAP been restarted since switching to saslauthd?  It doesn't look like Cyrus is even trying to use saslauthd.

On 01/30/2018 06:03 PM, Michael Rüger wrote:

Struggled with enabling local6. The trick was to touch the new syslog output file before restarting syslog with this new line

local6.*   /var/log/local6

root@cyrus3:/var/log # cat local6

Jan 30 22:59:51 cyrus3 imap[90156]: accepted connection

Jan 30 22:59:51 cyrus3 imap[90156]: accepted connection

Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() incomplete -> wait

Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() incomplete -> wait

Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() succeeded -> done

Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() succeeded -> done

Jan 30 22:59:51 cyrus3 imap[90156]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication

Jan 30 22:59:51 cyrus3 imap[90156]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication

Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db

Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db

Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db

Jan 30 22:59:51 cyrus3 imap[90156]: SASL unable to canonify user and get auxprops

Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db

Jan 30 22:59:51 cyrus3 imap[90156]: SASL unable to canonify user and get auxprops

Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210] SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get auxprops]

Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210] SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get auxprops]

Am 30.01.2018 um 23:41 schrieb Ken Murchison <murch@xxxxxxxxxxxx>:

Hmm.

I just switched my dev box to using saslauthd and it just worked.  I'm sure your problem is something simple, but its escaping me at the moment. 

When imtest fails, what is logged in the Cyrus IMAP log (wherever local6 is logged)

On 01/30/2018 05:34 PM, Michael Rüger wrote:

Ken, thank you for jumping in!

Some more info: the apps run as the following users and groups

root@cyrus3:~ # ps aux

USER    PID %CPU %MEM    VSZ  RSS TT  STAT STARTED    TIME COMMAND

root  88686  0.0  0.0  10500 2044  -  SsJ  21:40   0:00.02 /usr/sbin/syslogd -s

root  88717  0.0  0.1  43928 4360  -  IsJ  21:40   0:00.01 /usr/local/sbin/saslauthd -a pam

root  88718  0.0  0.1  43928 4360  -  IJ   21:40   0:00.01 /usr/local/sbin/saslauthd -a pam

root  88720  0.0  0.1  43928 4276  -  IJ   21:40   0:00.00 /usr/local/sbin/saslauthd -a pam

root  88721  0.0  0.1  43928 4360  -  IJ   21:40   0:00.01 /usr/local/sbin/saslauthd -a pam

root  88722  0.0  0.1  43928 4276  -  IJ   21:40   0:00.00 /usr/local/sbin/saslauthd -a pam

cyrus 88724  0.0  0.1  65504 5884  -  SsJ  21:40   0:00.07 /usr/local/cyrus/libexec/master -d

root@cyrus3:~ # su - cyrus

% id

uid=60(cyrus) gid=60(cyrus) groups=60(cyrus),1003(saslauth)

Am 30.01.2018 um 23:25 schrieb Michael Rüger <michael.g.rueger@xxxxxxxxx>:

root@cyrus3:~ # ls -la /var/run/saslauthd/

total 13

drwxr-x---  2 cyrus  saslauth   5 Jan 30 21:40 .

drwxr-xr-x  6 root   wheel     15 Jan 30 21:40 ..

srwxrwxrwx  1 root   saslauth   0 Jan 30 21:40 mux

-rw-------  1 root   saslauth   0 Jan 30 21:40 mux.accept

-rw-------  1 root   saslauth   6 Jan 30 21:40 saslauthd.pid

Am 30.01.2018 um 23:23 schrieb Ken Murchison <murch@xxxxxxxxxxxx>:

Hi Michael,

What are the permissions on the socket that saslauthd is listening on?

On 01/30/2018 05:06 PM, Michael Rüger wrote:

Hi

(btw. i was Guest39278 on IRC yesterday and got the chance to introduce myself on googletalk)

I’m trying to set up imapd to use saslauthd for authentication.

I have already a running saslauthd which uses PAM. I can run this

root@cyrus3:/ # testsaslauthd -u mike -p mike

0: OK "Success.“

and if i run

root@cyrus3:/ # testsaslauthd -u mike -p abc

0: NO "authentication failed“

i get that logged in auth.log like this

Jan 30 21:43:53 cyrus3 saslauthd[88721]: do_auth         : auth failure: [user=mike] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]

In imapd.conf i have

sasl_pwcheck_method: saslauthd

Now i’m authenticate against imapd

root@cyrus3:~ # imtest -t "" -u mike -a mike -w mike localhost

S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM SASL-IR] cyrus3.intern.rueger.me Cyrus IMAP 3.0.5 server ready

C: S01 STARTTLS

S: S01 OK Begin TLS negotiation now

verify error:num=18:self signed certificate

TLS connection established: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

C: C01 CAPABILITY

S: * CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SEARCH=FUZZY SORT SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES THREAD=REFS ANNOTATEMORE ANNOTATE-EXPERIMENT-1 METADATA LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS LIST-METADATA WITHIN QRESYNC SCAN XLIST XMOVE MOVE SPECIAL-USE CREATE-SPECIAL-USE DIGEST=SHA1 X-REPLICATION URLAUTH URLAUTH=BINARY AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE

S: C01 OK Completed

C: A01 AUTHENTICATE SCRAM-SHA-1 bixhPW1pa2Usbj1taWtlLHI9Z2Z1Ukp1cVc1Z1BybHhaWTdFcjVYUDR2WUtuMVhRNHc=

S: A01 NO authentication failure

Authentication failed. generic failure

Security strength factor: 256

Nothing is reported in auth.conf

If i do this

root@cyrus3:~ # saslpasswd2 -c mike@xxxxxxxxxxxxxxxxxxxxxxx

…<entering „mike“ twice here>

root@cyrus3:~ # imtest -t "" -u mike -a mike -w mike localhost

S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM SASL-IR] cyrus3.intern.rueger.me Cyrus IMAP 3.0.5 server ready

C: S01 STARTTLS

…

Authenticated.

Security strength factor: 256

it is working against local db BUT NOT against saslauthd.

How do i setup imapd to talk to saslauthd?

BTW i’m using 

* cyrus-imapd30-3.0.5

* cyrus-sasl-2.1.26_13

* cyrus-sasl-saslauthd-2.1.26_3

on FreeBSD 11.1

Thank you for any help,

Mike

-- 
Ken Murchison
Cyrus Development Team
FastMail US LLC

<murch.vcf>

-- 
Ken Murchison
Cyrus Development Team
FastMail US LLC

<murch.vcf>

-- 
Ken Murchison
Cyrus Development Team
FastMail US LLC

null