On Tuesday 12 September 2006 12:03, Rudy Gevaert wrote:
> >sasl_minimum_layer: 1
> >
> >in imapd.conf.
>
> having put:
> allowplaintext: 0
> sasl_minimum_layer: 1
> sasl_mech_list: PLAIN
>
> still gives me that error.
>
> allowplaintext: 1
> sasl_minimum_layer: 1
> sasl_mech_list: PLAIN
>
> gives it to me too :(
>
>
> I did some test with sivtest and managesieve (output is shown below).
> Summary:
>
> sivtest:
>                                       no
>                                       tls          tls
> plaintext:1, no sasl_minimum_layer    login ok     login ok
> plaintext:1, sasl_minimum_layer :1    login nok    login ok
> plaintext:0, no sasl_minimum_layer    login nok    login ok
> plaintext:0, sasl_minimum_layer :1    login nok    login ok
>
> I did my test with a script (see below) that calls managesieve too:
>
> plaintext:1, no sasl_minimum_layer    no errors *
> plaintext:1, sasl_minimum_layer :1    sasl mech list empty
> plaintext:0, no sasl_minimum_layer    sasl mech list empty
> plaintext:0, sasl_minimum_layer :1    sasl mech list empty
>
> (*) How do I know it actually uses tls? I used tcpdump -A port 2000
> and can see this passing by:
> AUTHENTICATE "PLAIN" {88+}. So this is using tls, otherwise I should
> see the password?

No, the first and only command of the client that you would see is STARTTLS.
This will establish a secure/encrypted session. From this moment on, you will
not see any readable data with tcpdump.

The data behind the AUTHENTICATE PLAIN is not really encrypted. It is only
base64 encoded. You can decode this at any time with, for example, mimetools.

Because you see this AUTHENTICATE PLAIN, this is a sign that the TLS session
is not established.

allowplaintext:0 disables plaintext authentication completely. This is
something you don't want.

sasl_minimum_layer only offers authentication support on the given layer.
0 means every time. 1 and above would mean an encrypted SSL/TLS session.
This is what you want.

> Thanks in advance!
>
> ------------
>
> allowplaintext: 1
> #sasl_minimum_layer: 1
> ----------------------------------
> allowplaintext: 1
> sasl_minimum_layer: 1
>
> mailadm@chestnut:/tmp$ sivtest -a rudy.gevaert2@xxxxxxxxxxxxx -u
> rudy.gevaert2@xxxxxxxxxxxxx mail2.ugent.be
> S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7"
> S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation
> imapflags notify envelope relational regex subaddress copy"
> S: "STARTTLS"
> S: OK
> Authentication failed. generic failure
> Security strength factor: 0

Fine, no SSL/TLS session, no authentication.

> mailadm@chestnut:/tmp$ sivtest -t "" -a rudy.gevaert2@xxxxxxxxxxxxx -u
> rudy.gevaert2@xxxxxxxxxxxxx mail2.ugent.be
> S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7"
> S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation
> imapflags notify envelope relational regex subaddress copy"
> S: "STARTTLS"
> S: OK

The server offers no authentication support. Only STARTTLS. That's fine.

> C: STARTTLS
> S: OK "Begin TLS negotiation now"
> verify error:num=20:unable to get local issuer certificate
> verify error:num=27:certificate not trusted
> verify error:num=21:unable to verify the first certificate
> TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)

The client establishes an SSL/TLS session.

> C: CAPABILITY
> S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7"
> S: "SASL" "PLAIN"

And then you can see the SASL capabilities.

> S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation
> imapflags notify envelope relational regex subaddress copy"
> S: OK
> Please enter your password:
> C: AUTHENTICATE "PLAIN" {88+}
> cnVkeS5nZXZhZXJ0MkBtYWlsLnVnZW50LmJlAHJ1ZHkuZ2V2YWVydDJAbWFpbC51Z2VudC5iZQB
>0ZXN0dXNlcjE=
> S: OK
> Authenticated.
> Security strength factor: 256

Authentication complete, server waits for commands. Looks fine, as expected.

> managesieve: not ok!

What does that mean?
> ---------------
> my perl script:
>
> #!/usr/bin/perl -w
>
> use strict;
> use Cyrus::SIEVE::managesieve;
> use Data::Dumper;
>
> my ($server, $username, $password) = ("mail2.ugent.be",
> 'rudy.gevaert2@xxxxxxxxxxxxx', "xxxx");
>
> my $handle = sieve_get_handle($server,
>                               sub {$username},
>                               sub {$username},
>                               sub {$password},
>                               sub {""});
>
> unless (defined $handle) {
>     die "$server: ", sieve_get_global_error();
> }
>
> my %list = ();
> my $res = sieve_list($handle, sub {$list{$_[0]} = $_[1]});
> die("script_list: ", sieve_get_error($handle))
>     unless $res == 0;
> print Dumper \%list;
>
> --------------------------------------

Oh, you mean your script does not work with "managesieve not ok"?

Hmm, it seems that the Perl interface/lib does not support TLS/SSL. Then it
will fail with "sasl_minimum_layer: 1" of course.

I don't know if this is on the TODO list. Maybe one of the developers can say
something about that.

-- 
Andreas
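
The point made in the reply above (a readable AUTHENTICATE "PLAIN" in a tcpdump capture means no TLS session was established, and the literal behind it is only base64), as an added example that is not part of the original thread. The credentials and capture strings are constructed, and `decode_sasl_plain` and `audit_capture` are hypothetical helper names.

```python
import base64
import re

# ManageSieve AUTHENTICATE with a non-synchronizing literal, e.g. {88+}
AUTH_RE = re.compile(r'AUTHENTICATE\s+"PLAIN"\s+\{(\d+)\+\}', re.IGNORECASE)

def decode_sasl_plain(b64):
    """SASL PLAIN (RFC 4616) is base64 of: authzid NUL authcid NUL passwd."""
    parts = base64.b64decode(b64, validate=True).split(b"\x00")
    if len(parts) != 3:
        raise ValueError("not a SASL PLAIN response")
    fields = ("authzid", "authcid", "passwd")
    return dict(zip(fields, (p.decode("utf-8") for p in parts)))

def audit_capture(client_text):
    """Audit the readable client-to-server text of one captured connection."""
    report = {"starttls_seen": False, "cleartext_auth": False, "exposed": None}
    lines = client_text.splitlines()
    for i, line in enumerate(lines):
        cmd = line.strip()
        if cmd.upper() == "STARTTLS":
            report["starttls_seen"] = True
        m = AUTH_RE.match(cmd)
        if m:
            # A readable AUTHENTICATE means this exchange was not inside TLS.
            report["cleartext_auth"] = True
            # The literal may be line-wrapped: rejoin, cut to announced length.
            literal = "".join(l.strip() for l in lines[i + 1:])[:int(m.group(1))]
            try:
                report["exposed"] = decode_sasl_plain(literal)
            except ValueError:
                pass  # literal was not a decodable PLAIN response
    return report

# Constructed sample input (not taken from the thread).
SAMPLE_BLOB = base64.b64encode(
    b"alice@example.org\x00alice@example.org\x00not-a-real-pw").decode()
CLEARTEXT_CAPTURE = f'AUTHENTICATE "PLAIN" {{{len(SAMPLE_BLOB)}+}}\r\n{SAMPLE_BLOB}\r\n'
# After STARTTLS only opaque TLS record bytes follow (constructed).
TLS_CAPTURE = "STARTTLS\r\n\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"

if __name__ == "__main__":
    for name, cap in (("no tls", CLEARTEXT_CAPTURE), ("tls", TLS_CAPTURE)):
        print(name, audit_capture(cap))
```
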