Greetings list,

I would like to start out by thanking all of the developers for a truly great bundle of software. I have been using Cyrus IMAP for over a decade and think it one of the best packages of software around.

I have recently had occasion to put together a murder, and thought to start out with a simple "standard" configuration with a mupdate master, "postman," a backend, "mail.wi" and a frontend, "imap.wi." The problem I am having is one which I see frequently mentioned on the list, but the solution has evaded me: frontend authentication.

Here are the details:

 * LDAP authentication via saslauthd
 * Linux (Fedora 6 and 8) with Invoca (2.3.12p2-1) rpms

There is no problem with mailboxes.db propagation from backend to master to frontend -- that is fine. The problems come when trying to access mailboxes using the frontend.

Here are configuration files (trimmed):

backend "mail.wi" imapd.conf:
---------------------------------------------------
admins: cyrus cyradmin
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN PLAIN+TLS
servername: mail.wi
mupdate_admins: murder
mupdate_server: postman
mupdate_username: becyradmin
mupdate_authname: becyradmin
mupdate_password: password
mupdate_config: standard
allowusermoves: true
proxyservers: murder
proxy_authname: murder
proxy_password: password
tls_cert_file: /etc/pki/cyrus-imapd/mail.wi.crt
tls_key_file: /etc/pki/cyrus-imapd/mail.wi.key
tls_ca_file: /etc/pki/cyrus-imapd/ca.crt
-----------------------------------------------------

Here is the frontend "imap.wi" imapd.conf:
-----------------------------------------------------
admins: cyrus cyradmin
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN PLAIN+TLS
servername: imap.wi.occinc.com
mupdate_server: postman
mupdate_username: fecyradmin
mupdate_authname: fecyradmin
mupdate_password: password
mupdate_config: standard
allowusermoves: true
proxy_authname: murder
mail_wi_password: password
mail_wi_mechs: PLAIN+TLS
imap_tls_cert_file: /etc/pki/cyrus-imapd/imap.wi.pem
imap_tls_key_file: /etc/pki/cyrus-imapd/imap.wi.pem
tls_ca_file: /etc/pki/cyrus-imapd/imap.wi.pem
-----------------------------------------------------

I am able to authenticate from imap.wi to mail.wi via imtest with START_TLS, thusly:
-----------------------------------------------------
# imtest -t "" -m PLAIN -u onlight -a murder mail.wi
S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID MUPDATE=mupdate://postman/ STARTTLS AUTH=PLAIN SASL-IR] mail.wi Cyrus IMAP Murder v2.3.12p2-Invoca-RPM-2.3.12p2-1 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID MUPDATE=mupdate://postman/ STARTTLS AUTH=PLAIN SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
S: C01 OK Completed
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
verify error:num=19:self signed certificate in certificate chain
TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID MUPDATE=mupdate://postman/ AUTH=PLAIN SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
S: C01 OK Completed
Please enter your password:
C: A01 AUTHENTICATE PLAIN b25saWdodABtdXJkZXIARWltOFVpdGg=
S: A01 OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID MUPDATE=mupdate://postman/ LOGINDISABLED ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH] Success (tls protection)
Authenticated.
Security strength factor: 256
. select inbox
* FLAGS (\Answered \Flagged \Draft \Deleted \Seen NonJunk)
* OK [PERMANENTFLAGS (\Answered \Flagged \Draft \Deleted \Seen NonJunk \*)]
* 20 EXISTS
* 0 RECENT
* OK [UNSEEN 15]
* OK [UIDVALIDITY 1112292825]
* OK [UIDNEXT 90]
* OK [NOMODSEQ] Sorry, modsequences have not been enabled on this mailbox
* OK [URLMECH INTERNAL]
. OK [READ-WRITE] Completed
. logout
* BYE LOGOUT received
. OK Completed
Connection closed.
-----------------------------------------------------

The successful login is recorded thusly in the logs on mail.wi:
-----------------------------------------------------
Sep 30 08:16:23 localhost imap[19059]: accepted connection
Sep 30 08:16:23 localhost master[19759]: about to exec /usr/lib/cyrus-imapd/imapd
Sep 30 08:16:23 localhost imap[19759]: executed
Sep 30 08:16:23 localhost imap[19059]: imapd:Loading hard-coded DH parameters
Sep 30 08:16:23 localhost imap[19059]: SSL_accept() incomplete -> wait
Sep 30 08:16:23 localhost imap[19059]: SSL_accept() succeeded -> done
Sep 30 08:16:23 localhost imap[19059]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
Sep 30 08:16:28 localhost imap[19059]: login: imap.wi [192.168.190.226] onlight PLAIN+TLS User logged in
Sep 30 08:16:36 localhost imap[19059]: skiplist: recovered /var/lib/imap/user/o/onlight.seen (2 records, 15316 bytes) in 0 seconds
Sep 30 08:16:36 localhost imap[19059]: seen_db: user onlight opened /var/lib/imap/user/o/onlight.seen
Sep 30 08:16:36 localhost imap[19059]: open: user onlight opened inbox
Sep 30 08:18:10 localhost master[19037]: process 19059 exited, status 0
-----------------------------------------------------

But, when I try the same, as the actual user, via imap.wi, I am unable to select the inbox:
-----------------------------------------------------
# imtest -t "" -m PLAIN -u onlight -a onlight imap.wi
S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID MUPDATE=mupdate://postman/ STARTTLS AUTH=PLAIN SASL-IR] imap.wi Cyrus IMAP Murder v2.3.12p2-Invoca-RPM-2.3.12p2-1 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID MUPDATE=mupdate://postman/ STARTTLS AUTH=PLAIN SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
S: C01 OK Completed
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
verify error:num=18:self signed certificate
TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID MUPDATE=mupdate://postman/ AUTH=PLAIN SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
S: C01 OK Completed
Please enter your password:
C: A01 AUTHENTICATE PLAIN b25saWdodABvbmxpZ2h0AG9od2ViNG9G
S: A01 OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID MUPDATE=mupdate://postman/ LOGINDISABLED ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH] Success (tls protection)
Authenticated.
Security strength factor: 256
. select inbox
. NO Server(s) unavailable to complete operation
. logout
* BYE LOGOUT received
. OK Completed
Connection closed.
-----------------------------------------------------

Again, the log output from mail.wi:
-----------------------------------------------------
Sep 30 08:20:34 localhost imap[19052]: accepted connection
Sep 30 08:20:34 localhost master[19762]: about to exec /usr/lib/cyrus-imapd/imapd
Sep 30 08:20:34 localhost imap[19762]: executed
Sep 30 08:20:34 localhost imap[19052]: imapd:Loading hard-coded DH parameters
Sep 30 08:20:34 localhost imap[19052]: SSL_accept() incomplete -> wait
Sep 30 08:20:34 localhost imap[19052]: SSL_accept() succeeded -> done
Sep 30 08:20:34 localhost imap[19052]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
Sep 30 08:21:51 localhost master[19037]: process 19052 exited, status 0
-----------------------------------------------------

And from imap.wi:
-----------------------------------------------------
Sep 30 08:21:57 inside2 imap[17661]: accepted connection
Sep 30 08:21:57 inside2 master[27691]: about to exec /usr/lib/cyrus-imapd/proxyd
Sep 30 08:21:57 inside2 imap[27691]: executed
Sep 30 08:21:58 inside2 imap[17661]: imapd:Loading hard-coded DH parameters
Sep 30 08:21:58 inside2 imap[17661]: SSL_accept() succeeded -> done
Sep 30 08:21:58 inside2 imap[17661]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
Sep 30 08:22:02 inside2 imap[17661]: login: imap.wi [192.168.190.226] onlight PLAIN+TLS User logged in
Sep 30 08:22:06 inside2 imap[17661]: Doing a peer verify
Sep 30 08:22:06 inside2 imap[17661]: verify error:num=19:self signed certificate in certificate chain
Sep 30 08:22:06 inside2 imap[17661]: received server certificate
Sep 30 08:22:06 inside2 imap[17661]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new client) no authentication
Sep 30 08:22:06 inside2 imap[17661]: couldn't authenticate to backend server: no mechanism available
Sep 30 08:24:09 inside2 master[17627]: process 17661 exited, status 0
-----------------------------------------------------

I have seen much discussion of the "no mechanism available" issue, but the answer typically is "install certificates," or "Use START_TLS" or the like. Well, I have certificates, I have START_TLS, and I still have this problem. How do I get the frontend to use PLAIN+TLS??

Please, any guidance would be appreciated. I have already sunk way too much time into this and don't even have a working testbed to show for it. I have spent two days poring over the archives and cannot find a parallel situation to mine.

Best regards, and thanks in advance,
    -nic

-- 
Nic Bernstein                            nic@xxxxxxxxxxx
Onlight llc.                             www.onlight.com
2266 North Prospect Avenue #610          v. 414.272.4477
Milwaukee, Wisconsin  53202-6306         f. 414.290.0335

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
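The frontend's "couldn't authenticate to backend server: no mechanism available" line is the text Cyrus SASL attaches to SASL_NOMECH, the result a SASL client returns when none of the mechanism names it was asked to use is among the AUTH= mechanisms the server advertised in CAPABILITY. The Python below is an added illustration of that selection step, not code from the post or from Cyrus; the CAPABILITY strings are constructed copies trimmed from the transcripts above, the function names are the example's own, and the rule that clear-text mechanisms are offered only after STARTTLS is an assumed proxy policy, not something the post states.

```python
import re

# Constructed CAPABILITY responses, trimmed from the transcripts in the post
# to the tokens that matter for mechanism selection (same tokens, same order).
CAP_BEFORE_TLS = "* CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN SASL-IR ACL"
CAP_AFTER_TLS = "* CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN SASL-IR ACL"
CAP_AFTER_AUTH = "* CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED ACL"

# Mechanisms that put the password on the wire in clear text. Assumed policy:
# a proxy offers these only once STARTTLS has completed on the backend link.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_capabilities(line):
    """Split an untagged CAPABILITY response into (other tokens, AUTH= mechanisms)."""
    m = re.match(r"\*\s+CAPABILITY\s+(.+?)\s*$", line)
    if not m:
        raise ValueError("not a CAPABILITY response: %r" % line)
    tokens = [t.upper() for t in m.group(1).split()]
    mechs = {t[len("AUTH="):] for t in tokens if t.startswith("AUTH=")}
    flags = {t for t in tokens if not t.startswith("AUTH=")}
    return flags, mechs

def usable_mechanisms(configured, cap_line, tls_active):
    """Mechanisms a client may try, in configured order: only names the server
    advertises, and clear-text ones only when TLS is already up.  An empty
    result is the SASL_NOMECH case ("no mechanism available")."""
    _flags, advertised = parse_capabilities(cap_line)
    usable = []
    for name in (n.upper() for n in configured.split()):
        if name not in advertised:
            continue  # not offered by the server; a configured name alone is not enough
        if name in CLEARTEXT_MECHS and not tls_active:
            continue  # withhold the password until STARTTLS has completed
        if name not in usable:
            usable.append(name)
    return usable

def login_allowed(cap_line):
    """True unless the server flags LOGINDISABLED (clear-text LOGIN refused)."""
    flags, _mechs = parse_capabilities(cap_line)
    return "LOGINDISABLED" not in flags

if __name__ == "__main__":
    for cfg, cap, tls in (("PLAIN", CAP_BEFORE_TLS, False), ("PLAIN", CAP_AFTER_TLS, True), ("PLAIN+TLS", CAP_AFTER_TLS, True)):
        print("%-9s tls=%-5s -> %s" % (cfg, tls, usable_mechanisms(cfg, cap, tls) or "no mechanism available"))
```

The third run feeds the mechanism name exactly as spelled in the frontend config above; the "+TLS" suffix appears in Cyrus login log lines but is not an AUTH= token the backend advertises, so the intersection is empty. Whether that is the whole story for this murder cannot be settled from the post alone.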