Hello all,
I am trying to set up cyrus-imap in order to - ultimately - use it as a caldav/carddav server on a private server.
I have an openldap instance running in a standard configuration and would like to use the "auxprop-hashed" pwcheck method along with the "ldapdb" sasl module.
This seems not to be as simple as it sounds. Most probably, I am doing something wrong.
Is there any chance somebody could have a look and suggest fixes or - actually even preferred - point me to a working example of such a configuration?
I have searched near and far and read hundreds of documentation and source files, but I fail to make sense of these log lines:
badlogin: nexus [fec0::5054:ff:fe12:3456] DIGEST-MD5 [SASL(-4): no mechanism available: unable to canonify user and get auxprops]
and (or)
badlogin: nexus [fec0::5054:ff:fe12:3456] PLAIN [SASL(-4): no mechanism available: Password verification failed]
I do not understand how, why and by which process exactly they are logged. And, most importantly, I cannot figure out what the underlying problem actually is. :-) I have tried many tweaks to the config: plain password, "auxprop" instead of "auxprop-hashed" pwcheck, and more, all to no avail.
This is an up-to-date internet-connected ubuntu-20.04-minimal-cloudimg-amd64.img currently running in a qemu-vm on macOS 11.6 (Big Sur, 2nd-latest).
Any help is much appreciated.
Patrick
So far, I have:
ubuntu@nexus:~$ egrep -v '^\s*(#|$)' /etc/cyrus.conf
START {
        recover         cmd="/usr/sbin/cyrus ctl_cyrusdb -r"
        delprune        cmd="/usr/sbin/cyrus expire -E 3"
        tlsprune        cmd="/usr/sbin/cyrus tls_prune"
}
SERVICES {
        imaps           cmd="imapd -s -U 30" listen="nexus:imaps" prefork=0 maxchild=100
        imaplocal       cmd="imapd -C /etc/imapd-local.conf -U 30" listen="localhost:imap" prefork=0 maxchild=100
        https           cmd="httpd -s -U 30" listen="8443" prefork=0 maxchild=100
        lmtpunix        cmd="lmtpd" listen="/run/cyrus/socket/lmtp" prefork=0 maxchild=20
        sieve           cmd="timsieved" listen="localhost:sieve" prefork=0 maxchild=100
        notify          cmd="notifyd" listen="/run/cyrus/socket/notify" proto="udp" prefork=1
}
EVENTS {
        checkpoint      cmd="/usr/sbin/cyrus ctl_cyrusdb -c" period=30
        delprune        cmd="/usr/sbin/cyrus expire -E 3" at=0401
        tlsprune        cmd="/usr/sbin/cyrus tls_prune" at=0401
        deleteprune     cmd="/usr/sbin/cyrus expire -E 4 -D 28" at=0430
        expungeprune    cmd="/usr/sbin/cyrus expire -E 4 -X 28" at=0445
}

ubuntu@nexus:~$ egrep -v '^\s*(#|$)' /etc/imapd.conf
configdirectory: /var/lib/cyrus
proc_path: /run/cyrus/proc
mboxname_lockpath: /run/cyrus/lock
defaultpartition: default
partition-default: /var/spool/cyrus/mail
partition-news: /var/spool/cyrus/news
newsspool: /var/spool/news
altnamespace: no
unixhierarchysep: no
lmtp_downcase_rcpt: yes
allowanonymouslogin: no
popminpoll: 1
autocreate_quota: 0
umask: 077
sieveusehomedir: false
sievedir: /var/spool/sieve
httpmodules: caldav carddav
hashimapspool: true
allowplaintext: yes
sasl_pwcheck_method: auxprop-hashed
sasl_auxprop_plugin: ldapdb
@include: /etc/imapd-ldap.conf
sasl_auto_transition: no
tls_server_cert: /etc/ssl/certs/ssl-cert-snakeoil.pem
tls_server_key: /etc/ssl/private/ssl-cert-snakeoil.key
tls_client_ca_dir: /etc/ssl/certs
tls_session_timeout: 1440
lmtpsocket: /run/cyrus/socket/lmtp
idlesocket: /run/cyrus/socket/idle
notifysocket: /run/cyrus/socket/notify
syslog_prefix: cyrus

ubuntu@nexus:~$ egrep -v '^\s*(#|$)' /etc/imapd-ldap.conf
ldap_base: ou=people,dc=patrickpfeifer,dc=net
ldap_bind_dn: cn=admin,dc=patrickpfeifer,dc=net
ldap_filter: (mail=%u)
ldap_password: xxxx
ldap_scope: one
ldap_uri: ldapi:///
ldap_version: 3
And:
$ ldapsearch -H ldapi:/// -D cn=admin,dc=patrickpfeifer,dc=net -w xxxx -b 'ou=people,dc=patrickpfeifer,dc=net' '(mail=patrick@xxxxxxxxxxxxxxxxxx)'
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=patrickpfeifer,dc=net> with scope subtree
# filter: (mail=patrick@xxxxxxxxxxxxxxxxxx)
# requesting: ALL
#

# patrick, people, patrickpfeifer.net
dn: uid=patrick,ou=people,dc=patrickpfeifer,dc=net
cn: Patrick Pfeifer
objectClass: inetOrgPerson
objectClass: top
objectClass: person
uid: patrick
mail: patrick@xxxxxxxxxxxxxxxxxx
sn: Pfeifer
userPassword:: e1NTSXXXXXXXXXXXXXXXc9PQ= =

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
However:
$ /usr/lib/cyrus/bin/imtest -s -u patrick@xxxxxxxxxxxxxxxxxx -w xxxxx nexus
verify error:num=18:self signed certificate
TLS connection established: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=DIGEST-MD5 AUTH=NTLM AUTH=CRAM-MD5 AUTH=PLAIN AUTH=LOGIN SASL-IR] nexus Cyrus IMAP 3.0.13-Debian-3.0.13-5 server ready
C: A01 AUTHENTICATE DIGEST-MD5
S: + bm9uY2U9IjQ0M3Y3d2R4d0dTNlV1bzFTcFpSTk9JcjFFdHNGL0VkcnU1Q0QzR09PMXc9IixyZWFsbT0ibmV4dXMiLHFvcD0iYXV0aCIsbWF4YnVmPTQwOTYsY2hhcnNldD11dGYtOCxhbGdvcml0aG09bWQ1LXNlc3M=
C: dXNlcm5hbWU9InVidW50dSIscmVhbG09Im5leHVzIixhdXRoemlkPSJwYXRyaWNrQHBhdHJpY2twZmVpZmVyLm5ldCIsbm9uY2U9IjQ0M3Y3d2R4d0dTNlV1bzFTcFpSTk9JcjFFdHNGL0VkcnU1Q0QzR09PMXc9Iixjbm9uY2U9IlM2Yzh4WXJUZXFtcXB3dHYrWGJ2aGk3cTVHM1dKby8xUWJlSkZZbGM5K289IixuYz0wMDAwMDAwMSxxb3A9YXV0aCxtYXhidWY9MTAyNCxkaWdlc3QtdXJpPSJpbWFwL25leHVzIixyZXNwb25zZT1iZjBmNjVkYmFiMWZhNjg3MmRjYjBhNDk0MmJhYzA0OA==
S: A01 NO no mechanism available
Authentication failed. generic failure
Security strength factor: 256
^CC: Q01 LOGOUT
Connection closed.
And:
ubuntu@nexus:~$ journalctl -f
-- Logs begin at Mon 2020-12-28 21:20:09 UTC. --
...
Nov 03 21:55:08 nexus sudo[9147]: ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/sbin/service cyrus-imapd start
Nov 03 21:55:08 nexus sudo[9147]: pam_unix(sudo:session): session opened for user root by ubuntu(uid=0)
Nov 03 21:55:09 nexus systemd[1]: Started Cyrus IMAP/POP3 daemons.
Nov 03 21:55:09 nexus sudo[9147]: pam_unix(sudo:session): session closed for user root
Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9157]: skiplist: clean shutdown file missing, updating recovery stamp
Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9157]: recovering cyrus databases
Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9157]: done recovering cyrus databases
Nov 03 21:55:09 nexus cyrus/cyr_expire[9160]: ldapdb
Nov 03 21:55:09 nexus cyrus/cyr_expire[9160]: Expired 0 and expunged 0 out of 0 messages from 2 mailboxes
Nov 03 21:55:09 nexus cyrus/cyr_expire[9160]: duplicate_prune: pruning back 3.00 days
Nov 03 21:55:09 nexus cyrus/cyr_expire[9160]: duplicate_prune: purged 0 out of 0 entries
Nov 03 21:55:09 nexus cyrus/tls_prune[9163]: tls_prune: purged 0 out of 38 entries
Nov 03 21:55:09 nexus cyrus/master[9156]: unable to bind to imaps/ipv6 socket: Invalid argument
Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9166]: checkpointing cyrus databases
Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9166]: done checkpointing cyrus databases
Nov 03 21:55:14 nexus imtest[9170]: ldapdb
Nov 03 21:55:14 nexus imtest[9170]: _sasl_plugin_load failed on sasl_canonuser_init
Nov 03 21:55:14 nexus cyrus/imaps[9171]: ldapdb
Nov 03 21:55:14 nexus cyrus/imaps[9171]: auxpropfunc error invalid parameter supplied
Nov 03 21:55:14 nexus cyrus/imaps[9171]: ldapdb
Nov 03 21:55:14 nexus cyrus/imaps[9171]: inittls: Loading hard-coded DH parameters
Nov 03 21:55:14 nexus cyrus/imaps[9171]: TLS server engine: No client CA certs specified. Client side certs may not work
Nov 03 21:55:14 nexus cyrus/imaps[9171]: starttls: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits new) no authentication
Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 client step 2
Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 parse_server_challenge()
Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 ask_user_info()
Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 client step 2
Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 ask_user_info()
Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 make_client_response()
Nov 03 21:55:14 nexus cyrus/imaps[9171]: SASL unable to canonify user and get auxprops
Nov 03 21:55:14 nexus cyrus/imaps[9171]: badlogin: nexus [fec0::5054:ff:fe12:3456] DIGEST-MD5 [SASL(-4): no mechanism available: unable to canonify user and get auxprops]
If I change the "imtest" command line to use the PLAIN mech, I get:
$ /usr/lib/cyrus/bin/imtest -s -m PLAIN -u patrick@xxxxxxxxxxxxxxxxxx -w xxxxx nexus
Nov 03 22:14:45 nexus imtest[9303]: ldapdb
Nov 03 22:14:45 nexus imtest[9303]: _sasl_plugin_load failed on sasl_canonuser_init
Nov 03 22:14:45 nexus cyrus/imaps[9304]: ldapdb
Nov 03 22:14:45 nexus cyrus/imaps[9304]: auxpropfunc error invalid parameter supplied
Nov 03 22:14:45 nexus cyrus/imaps[9304]: ldapdb
Nov 03 22:14:45 nexus cyrus/imaps[9304]: inittls: Loading hard-coded DH parameters
Nov 03 22:14:45 nexus cyrus/imaps[9304]: TLS server engine: No client CA certs specified. Client side certs may not work
Nov 03 22:14:45 nexus cyrus/imaps[9304]: starttls: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits new) no authentication
Nov 03 22:14:45 nexus cyrus/imaps[9304]: SASL unknown password verifier(s) auxprop-hashed
Nov 03 22:14:45 nexus cyrus/imaps[9304]: SASL Password verification failed
Nov 03 22:14:45 nexus cyrus/imaps[9304]: badlogin: nexus [fec0::5054:ff:fe12:3456] PLAIN [SASL(-4): no mechanism available: Password verification failed]
More Info:
ubuntu@nexus:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal
ubuntu@nexus:~$ dpkg -l | grep cyru\\\|sasl
ii  cyrus-admin                  3.0.13-5
ii  cyrus-caldav                 3.0.13-5
ii  cyrus-clients                3.0.13-5
ii  cyrus-common                 3.0.13-5
ii  cyrus-imapd                  3.0.13-5
ii  libcyrus-imap-perl:amd64     3.0.13-5
ii  libsasl2-2:amd64             2.1.27+dfsg-2
ii  libsasl2-modules:amd64       2.1.27+dfsg-2
ii  libsasl2-modules-db:amd64    2.1.27+dfsg-2
ii  libsasl2-modules-ldap:amd64  2.1.27+dfsg-2
ii  sasl2-bin                    2.1.27+dfsg-2
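
Added example, not part of the original post: a small Python correlator that groups the SASL diagnostics in the journal by logging process and PID and attaches them to the badlogin line from the same process, so it is visible which process logged what. The sample is a subset of the journal lines quoted above; the DIAG prefix list and the function name correlate are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Sample input: a subset of the journal lines quoted in the post above.
SAMPLE = """\
Nov 03 21:55:14 nexus imtest[9170]: _sasl_plugin_load failed on sasl_canonuser_init
Nov 03 21:55:14 nexus cyrus/imaps[9171]: auxpropfunc error invalid parameter supplied
Nov 03 21:55:14 nexus cyrus/imaps[9171]: starttls: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits new) no authentication
Nov 03 21:55:14 nexus cyrus/imaps[9171]: SASL unable to canonify user and get auxprops
Nov 03 21:55:14 nexus cyrus/imaps[9171]: badlogin: nexus [fec0::5054:ff:fe12:3456] DIGEST-MD5 [SASL(-4): no mechanism available: unable to canonify user and get auxprops]
Nov 03 22:14:45 nexus cyrus/imaps[9304]: auxpropfunc error invalid parameter supplied
Nov 03 22:14:45 nexus cyrus/imaps[9304]: SASL unknown password verifier(s) auxprop-hashed
Nov 03 22:14:45 nexus cyrus/imaps[9304]: SASL Password verification failed
Nov 03 22:14:45 nexus cyrus/imaps[9304]: badlogin: nexus [fec0::5054:ff:fe12:3456] PLAIN [SASL(-4): no mechanism available: Password verification failed]
"""

# syslog-style prefix: timestamp, host, process[pid]: message
LINE = re.compile(r"^\w{3} \d{2} [\d:]{8} \S+ ([^\[\s]+)\[(\d+)\]: (.*)$")
BADLOGIN = re.compile(
    r"^badlogin: \S+ \[([^\]]+)\] (\S+) \[SASL\((-?\d+)\): (.*)\]$")
# Assumed prefixes marking SASL-library diagnostics, taken from the post's log.
DIAG = ("SASL ", "auxpropfunc error", "_sasl_plugin_load failed")

def correlate(text):
    """Attach each process's earlier SASL diagnostics to its badlogin line."""
    pending = defaultdict(list)   # (process, pid) -> diagnostics seen so far
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue              # not a syslog-style line
        proc, pid, msg = m.groups()
        bad = BADLOGIN.match(msg)
        if bad:
            peer, mech, code, reason = bad.groups()
            events.append({"process": proc, "pid": int(pid), "peer": peer,
                           "mech": mech, "code": int(code), "reason": reason,
                           "diagnostics": pending.pop((proc, pid), [])})
        elif msg.startswith(DIAG):
            pending[(proc, pid)].append(msg)
    return events, dict(pending)  # leftovers: diagnostics without a badlogin

if __name__ == "__main__":
    events, leftovers = correlate(SAMPLE)
    for ev in events:
        print(f"{ev['process']}[{ev['pid']}] {ev['mech']} SASL({ev['code']})")
        for d in ev["diagnostics"]:
            print("    " + d)
    for (proc, pid), msgs in leftovers.items():
        print(f"{proc}[{pid}] (no badlogin): {msgs}")
```

On the sample, both badlogin events come from cyrus/imaps server processes, while the _sasl_plugin_load message belongs to the imtest client process and is reported separately.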