Bascially:
Cyrus Imapd uses a SASL mechanism to talk between cyrus machines.
The SASL mechanism you are using is PLAIN (I don't think LOGIN is a
SASL mechanism, its a imap specific)
PLAIN requires TLS
TLS requires certificates.
You don't have certificates.
if
imtest -t "" -m PLAIN -a cyrus -u cyrus servername
does not work, then xfer never will.
Get a cert! :)
-Patrick
On Apr 21, 2006, at 4:30 PM, Perry Brown wrote:
Sorry to keep bugging everyone on this but it seems I am close I'm
just over looking something obvious.
I looked through the config on the hosts and we are using pam.
I changed the imapd.conf a little
defaultpartition: imap1
configdirectory: /var/imap
partition-imap1: /var/spool/imap1
admins: cyrus support
srvtab: /var/imap/srvtab
quotawarn: 85
popminpoll: 0
autocreatequota: 30000
sasl_pwcheck_method: saslauthd
lmtp_over_quota_perm_failure: 1
allowusermoves: yes
proxy_authname: cyrus
proxy_password: password
force_sasl_client_mech: LOGIN PLAIN
Imtest looks to work Ok with Login
server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -p imap -m login
WARNING: no hostname supplied, assuming localhost
S: * OK server1.sub1.domain.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-
REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN
MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES
ANNOTATEMORE IDLE AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR
LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN cyrus {8}
S: + go ahead
C: <omitted>
S: L01 OK User logged in
Authenticated.
Security strength factor: 0
This works to the localhost as well as to server2.
I try the xfer from server1 to server2:
server1.sub1% /opt/mail/cyrus-imapd/bin/cyradm --user cyrus --
server server1.sub1 --auth login
IMAP Password:
server1.sub1.domain.com>
server1.sub1.domain.com> xfer user.vbperry server2.sub2
xfermailbox: Server(s) unavailable to complete operation
the log from server2 shows:
Apr 21 12:56:31 server2 imap[27408]: badlogin:
server1.sub1.domain.com [10.12.12.12] PLAIN [SASL(-4): no mechanism
available: security flags do not match required]
/etc/sysconfig/saslauthd
MECH=pam
FLAGS=${FLAGS:=}
Is there a doc on the sysconfig/saslauthd flags? I looked through
the docs that came with cyrus-imap and cyrus-sasl and did not find
anything.
From server1 I can log into server2 with imtest, testsaslauthd
works OK as
well. What security flags do not match? Is there a way to kick up
the verbosity of the logging to see if that would give a clue?
Perry
I tried with plain: /opt/mail/cyrus-imapd/bin/imtest -m plain -p imap
And it got rejected.
C: A01 AUTHENTICATE PLAIN Y3lyaW1hcABjeXJpbWFwAGpTdXZTMTFz
S: A01 NO no mechanism available
Authentication failed. generic failure
Security strength factor: 0
I can not find a tls conf file so I do not thing starttls is set up.
I added the entry mentioned to imapd.conf
$ cat /etc/imapd.conf
defaultpartition: imap1
configdirectory: /var/imap
partition-imap1: /var/spool/imap1
admins: cyrus support
srvtab: /var/imap/srvtab
quotawarn: 85
popminpoll: 0
autocreatequota: 30000
sasl_pwcheck_method: saslauthd
lmtp_over_quota_perm_failure: 1
allowusermoves: yes
proxy_authname: cyrus
proxy_password: password
force_sasl_client_mech: PLAIN
And it gets things furthur along then before
$ sudo /opt/mail/cyrus-imapd/bin/cyradm --user cyrus --server
server1 --auth PLAIN
domain.com authorized use only. vbperry@server1 Password:
Password:
IMAP Password:
server1.sub1.domain.com>
server1.sub1.domain.com> xfer user.vbperry server2.sub2.domain.com
xfermailbox: Server(s) unavailable to complete operation
log on source:
Apr 20 17:42:05 server1 imap[1458]: accepted connection
Apr 20 17:42:07 server1 imap[1458]: badlogin:
server1.ssub1.domain.com [10.12.12.12] PLAIN [SASL(-4): no
mechanism available: security flags do not match required]
Apr 20 17:42:14 server1 imap[1458]: login:
server1.sub1.domain.com [10.12.12.12] cyrus plaintext User logged in
Apr 20 17:42:41 server1 master[27630]: process 32354 exited,
status 0
Apr 20 17:42:41 server1 master[2161]: about to exec /opt/mail/
cyrus-imapd/bin/imapd
Apr 20 17:42:41 server1 imap[2161]: executed
Apr 20 17:42:55 server1 imap[1458]: couldn't authenticate to
backend server: authentication failure
Apr 20 17:42:55 server1 imap[1458]: Could not move mailbox:
user.vbperry, Initial backend connect failed
But I'm now at least seeing something on the destination server:
Apr 20 17:42:52 server2 imap[24375]: badlogin:
server1.sub1.domain.com [10.12.12.12] PLAIN [SASL(-4): no
mechanism available: security flags do not match required]
If I can take a step back (sorry I'm trying to decipher how the
previous admin had things set up in the environment). The document
on how this was set up states.
cyrus-sasl was config'ed with
./configure --prefix=/opt/mail/cyrus-sasl \
--enable-login --enable-plain --enable-cram \
--enable-digest --with-bdb-incdir=/usr/include/db4 \
--with-pam --enable-static=yes --enable-sample \
--disable-java --disable-otp --disable-krb4 \
--with-plugindir=/opt/mail/cyrus-sasl/lib/sasl2
The cyrus-sasl cyrus.conf states:
srvtab: /var/imap/srvtab <<< seems I could remove this since
kerberos is disabled above.
pwcheck_method: saslauthd
saslauthd is started in with pam support:
root 2060 0.0 0.0 2564 1036 ? S Apr14 0:00 /
usr/sbin/saslauthd -m /var/run/saslauthd -a pam
There is /etc/pam.d/imap and pop3 with the following content..
#%PAM-1.0
auth required /lib/security/pam_stack.so service=system-
auth
account required /lib/security/pam_stack.so service=system-
auth
Cyrus-imap was compiled with (again what is in the notes from
install from previoys admin)
CFLAGS=-I/usr/kerberos/include ./configure --prefix=/opt/mail/
cyrus-imapd \
--with-cyrus-prefix=/opt/mail/cyrus-imapd \
--with-cyrus-user=cyrimap \
--with-cyrus-group=mail \
--with-bdb-incdir=/usr/include/db4 \
--build=i686-pc-linux-gnu \
--with-sasl=/opt/mail/cyrus-sasl \
--with-auth=unix \
--enable-netscapehack \
--enable-listext \
--with-perl=/opt/third-party/bin/perl \
--disable-murder
I can run a testsaslauthd and it works fine to the local host
server1.sub1% /usr/sbin/testsaslauthd -u cyrus -p password -R 3
0: OK "Success."
1: OK "Success."
2: OK "Success."
It seems I do not need to have a realm defined because we are
using pam.
and if I do a sasldbpasswd2 it says /etc/sasldb2 does not exist.
This not seem to be the problem though since saslauthd is using
pam. yes?
When I login into cyradm again locally with --auth plain I can do
commands like listmailbox and such. I can't seem to be able to
run "info" I just go back to the prompt on that one.
What should my security flags be? What am I missing?
Thank you
perry
You need to use tls as well for PLAIN to work. add -t "" to
your arguments
What mechanism do you want to use for connecting between
backends? If its PLAIN then you want
force_sasl_client_mech: PLAIN
in your imapd.conf file.
Otherwise, the machines will see GSSAPI advertised and will try
using that.
-Patrick
On Apr 20, 2006, at 5:19 PM, Perry Brown wrote:
Perry Brown wrote:
Thanks for the imtest idea.
It looks like I can log in OK.
server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -m login -p
imap server2.sub2.domain.com
Force imtest to use one of the SASL mechanisms that are
listed. The backends *only* use SASL, not protocol specific
login commands (IMAP LOGIN, POP3 USER/PASS, NNTP AUTHINFO
USER/PASS).
I'm sorry I got my dounce cap on today or something.
Should I change the -m login to -m and one of the AUTH= values
from the CAPABILITY output?
ie -m GSSAPI? or digest-md5 etc...
Andy Morgan wrote:
Maybe "-m plain"?
thank you for the suggestion Andy but no luck.
server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -m plain -p imap
WARNING: no hostname supplied, assuming localhost
S: * OK server1.sub1.domain.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-
REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT
CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT
THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=GSSAPI AUTH=DIGEST-MD5
AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
Please enter your password:
C: A01 AUTHENTICATE PLAIN Y3lyaW1hcABjeXJpbWFwAGpTdXZTMTFz
S: A01 NO no mechanism available
Authentication failed. generic failure
Security strength factor: 0
I gave this a try with GSSAPI, and got nothing.
digest-md5,
server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -m digest-md5
WARNING: no hostname supplied, assuming localhost
S: * OK server1.sub1.domain.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-
REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT
CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT
THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=GSSAPI AUTH=DIGEST-
MD5 AUTH=CRAM-MD5 SASL- IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
C: A01 AUTHENTICATE DIGEST-MD5
S:
wkrnfjknf (etc list of characters)
Please enter your password: (I enter passwd for cyrus)
C: dXNlcm5h (another long list of characters)
S: A01 NO user not found
Authentication failed. generic failure
Security strength factor: 128
This is what I see in local6.log on server1.sub1
Apr 20 11:04:32 server1 imap[17729]: accepted connection
Apr 20 11:04:38 server1 imap[17729]: badlogin:
localhost.localdomain [127.0.0.1] DIGEST-MD5 [SASL(-13): user
not found: no secret in database]
This is in the auth.log
Apr 20 11:06:26 server1 imap[15971]: unable to open Berkeley
db / etc/sasldb2: No such file or directory
Apr 20 11:06:26 server1 imap[15971]: unable to open Berkeley
db / etc/sasldb2: No such file or directory
Apr 20 11:06:26 server1 imap[15971]: no secret in database
cram-md5 got me pretty much the same thing.
Is there a cyrus or sasl command I should/can run to get the
auth for digest-md5 working?
Perry
S: * OK server2.sub2.domain.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-
REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT
CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT
THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=GSSAPI AUTH=DIGEST-
MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN cyrus {8}
S: + go ahead
C: <omitted>
S: L01 OK User logged in
Authenticated.
Security strength factor: 0
CAPABILITY
----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html