Re: 'PLAIN encryption needed to use mechanism' error

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

-------- Original Message  --------
Subject: Re: 'PLAIN encryption needed to use mechanism' error
From: Dan White <dwhite@xxxxxxx>
To: Blake Hudson <blake@xxxxxxxx>
Cc: info-cyrus@xxxxxxxxxxxxxxxxxxxx
Date: Wednesday, July 29, 2009 2:49:51 AM
Blake,

What sasl lines do you have in /etc/imapd.conf. Do you have any proxies installed?
my mech list was posted... see below I also have "sasl_pwcheck_method: auxprop", everything else sasl has to do with my sql config. no proxies are present.

"pop3PRTC" in your syslog looks suspicious...:
that's just the name I gave it...

Usually, pop3 and imap will offer the same mechanisms based on this config item:

sasl_mech_list: x x x
as posted initially I have the following mech list line in imapd.conf:
sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
imap advertises the full list as specified (see original message)

if this line is commented out, then sasl should attempt to initialize all available mechs.

Be on the lookout for customization like this (which overrides the sasl_mech_list config item):

pop3_mech_list: x x x
imap_mech_list: x x x

good idea, though I don't have these specified.


I see your cyrus server is outputting the full mech list via 110... wonder why mine isn't?

------------YOURS-----
+OK <1114961040.1248853981@neo> neo Cyrus POP3 Murder v2.3.12-Debian-2.3.12-1-5
server ready
auth
+OK List of supported mechanisms follows
CRAM-MD5
PLAIN
GSSAPI
OTP
DIGEST-MD5
LOGIN
.
------------MINE-----
+OK twinP Cyrus POP3 v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready <163906105530322
97444.1248854211@twinP>
auth
+OK List of supported mechanisms follows
DIGEST-MD5
CRAM-MD5
.


- Dan

Blake Hudson wrote: 
Thanks for the reply Scott. I can auth as you described using the 
User/Pass method (allowplaintext: is already set to 1 and I've also 
tried sasl_minimum_layer: 0 at the same time).

My concern is that over port 110 the server is only advertising CRAM-MD5 
and DIGEST-MD5. POP3s appears to be advertising PLAIN. Why isn't PLAIN 
advertised over both?

--Blake

-------- Original Message  --------
Subject: Re: 'PLAIN encryption needed to use mechanism' error
From: Scott M. Likens <damm@xxxxxxxxx>
To: Blake Hudson <blake@xxxxxxxx>
Cc: info-cyrus@xxxxxxxxxxxxxxxxxxxx
Date: Wednesday, July 29, 2009 1:30:46 AM
  
Hi Blake,

Actually pop3 by default should be using plain, like

damm@desolation> telnet localhost 
pop3                                                                                                                                    
~
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK desolation Cyrus POP3 v2.3.14 server ready 
<8505169291665378509.1248848742@desolation>
user root
+OK Name is a valid mailbox
pass toor
+OK Mailbox locked and ready

However, if you man imapd.conf you will notice there is such an option 
as,

allowplaintext: 0

You may need to change that to 1, in order for plaintext ala pop3 to 
work.

Scott

On Jul 28, 2009, at 10:44 PM, Blake Hudson wrote:

    
-------- Original Message  --------
Subject: 'PLAIN encryption needed to use mechanism' error
From: Blake Hudson <blake@xxxxxxxx>
To: info-cyrus@xxxxxxxxxxxxxxxxxxxx
Date: Wednesday, July 29, 2009 12:13:52 AM
      
I recently setup a new server and everything tested well. However, once
in production I am seeing errors like the following:

pop3PRTC[20896]: badlogin: [204.x.x.x] PLAIN encryption needed to use
mechanism


I wasn't aware that POP utilized other mechanisms? I can login just 
fine
with telnet and tbird, and cannot replicate this error myself. Any 
ideas?

--Blake

        
Looks like the POP side is not advertising LOGIN/PLAIN auth types while
the imap side is. Is this the intended behavior?

In my imapd.conf i have the following mech list defined:
sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

---------------------- POP3----------------------
+OK twinP Cyrus POP3 v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready
<173180331313918
17429.1248845988@twinP>
auth
+OK List of supported mechanisms follows
DIGEST-MD5
CRAM-MD5
..
--------------------------------------------
----------------------IMAP----------------------

* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=DIGEST-MD5
AUTH=LOGIN
AUTH=PLAIN AUTH=CRAM-MD5 SASL-IR] twinP Cyrus IMAP4
v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready

--------------------------------------------

I suppose this is likely a bad client that is not refreshing its mech
list after the server switch, but I'd still like to know how to resolve
the issue server side (if possible).

-Blake
----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


!DSPAM:4a6fe485262521931426455!


      


----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
[Index of Archives]     [Cyrus SASL]     [Squirrel Mail]     [Asterisk PBX]     [Video For Linux]     [Photo]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux