-------- Original Message --------
Subject: Re: 'PLAIN encryption needed to use mechanism' error
From: Dan White <dwhite@xxxxxxx>
To: Blake Hudson <blake@xxxxxxxx>
Cc: info-cyrus@xxxxxxxxxxxxxxxxxxxx
Date: Wednesday, July 29, 2009 3:20:08 AM

> Blake Hudson wrote:
>> -------- Original Message --------
>> Subject: Re: 'PLAIN encryption needed to use mechanism' error
>> From: Dan White <dwhite@xxxxxxx>
>> To: Blake Hudson <blake@xxxxxxxx>
>> Cc: info-cyrus@xxxxxxxxxxxxxxxxxxxx
>> Date: Wednesday, July 29, 2009 2:49:51 AM
>>
>> I see your cyrus server is outputting the full mech list via 110...
>> wonder why mine isn't?
>>
>> ------------YOURS-----
>> +OK <1114961040.1248853981@neo> neo Cyrus POP3 Murder
>> v2.3.12-Debian-2.3.12-1-5
>> server ready
>> auth
>> +OK List of supported mechanisms follows
>> CRAM-MD5
>> PLAIN
>> GSSAPI
>> OTP
>> DIGEST-MD5
>> LOGIN
>
> All of these are explicitly set in my sasl_mech_list.
>
> GSSAPI and OTP require SASL library configuration. The others,
> including PLAIN/LOGIN should not.
>> .
>> ------------MINE-----
>> +OK twinP Cyrus POP3 v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready
>> <163906105530322
>> 97444.1248854211@twinP>
>> auth
>> +OK List of supported mechanisms follows
>> DIGEST-MD5
>> CRAM-MD5
>> .
>
> Do you have either of the following specified?
> sasl_minimum_layer: X
> sasl_maximum_layer: X

I tried specifying the minimum to 0, but it did not make a difference.

>
> Have you specified a '-p xxx' within cyrus.conf for imap but not pop3?

no -p option anywhere.

>
> Are you using TLS/SSL when connecting via IMAP but not POP3? Sounds
> like you're telnetting, so that's probably not the case.

just telnet.

Here's the output of pop3test util:

------------ NO SSL ------------
root@twinp src]# pop3test -m PLAIN -a xxx mail.xxx.com
S: +OK twinP Cyrus POP3 v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready <12408582082392233762.1248855924@twinP>
C: CAPA
S: +OK List of capabilities follows
S: SASL DIGEST-MD5 CRAM-MD5
S: STLS
S: EXPIRE NEVER
S: LOGIN-DELAY 0
S: TOP
S: UIDL
S: PIPELINING
S: RESP-CODES
S: AUTH-RESP-CODE
S: USER
S: IMPLEMENTATION Cyrus POP3 server v2.3.7-Invoca-RPM-2.3.7-2.el5
S: .
Please enter your password:
C: AUTH PLAIN xxxuc3Rlc3QAdGVzdDEyMw==
S: -ERR [AUTH] authenticating: encryption needed to use mechanism
Authentication failed. generic failure
Security strength factor: 0
quit
+OK Connection closed.

------------ SSL ------------
[root@twinp src]# pop3test -s -m PLAIN -a xxxmail.xxx.com
verify error:num=18:self signed certificate
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
S: +OK twinP Cyrus POP3 v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready <832124781731685216.1248855943@twinP>
C: CAPA
S: +OK List of capabilities follows
S: SASL DIGEST-MD5 LOGIN PLAIN CRAM-MD5
S: EXPIRE NEVER
S: LOGIN-DELAY 0
S: TOP
S: UIDL
S: PIPELINING
S: RESP-CODES
S: AUTH-RESP-CODE
S: USER
S: IMPLEMENTATION Cyrus POP3 server v2.3.7-Invoca-RPM-2.3.7-2.el5
S: .
Please enter your password:
C: AUTH PLAIN xxxuc3Rlc3QAdGVzdDEyMw==
S: +OK Mailbox locked and ready
Authenticated.
Security strength factor: 256
quit
+OK Connection closed.
-------------------------

It sure seems like pop is picking up on different sasl security settings (such as the sasl_minimum_layer or the noplaintextwithouttls option). However, IMAP seems to obey these just fine as configured with the same config file.

>
> Setting "sasl_log_level: 7" in imapd.conf might provide more
> information in your syslog.

I'll try that, but it will have to wait till later. I'm also thinking of trying a newer version, though nothing about this is listed in the changelog.

>
>>>>>
>>>>>> Looks like the POP side is not advertising LOGIN/PLAIN auth types
>>>>>> while the imap side is. Is this the intended behavior?
>>>>>>
>>>>>> In my imapd.conf I have the following mech list defined:
>>>>>> sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
>>>>>>
>>>>>> ---------------------- POP3----------------------
>>>>>> +OK twinP Cyrus POP3 v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready
>>>>>> <173180331313918
>>>>>> 17429.1248845988@twinP>
>>>>>> auth
>>>>>> +OK List of supported mechanisms follows
>>>>>> DIGEST-MD5
>>>>>> CRAM-MD5
>>>>>> ..
>>>>>> --------------------------------------------
>>>>>> ----------------------IMAP----------------------
>>>>>>
>>>>>> * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS
>>>>>> AUTH=DIGEST-MD5
>>>>>> AUTH=LOGIN
>>>>>> AUTH=PLAIN AUTH=CRAM-MD5 SASL-IR] twinP Cyrus IMAP4
>>>>>> v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready
>>>>>>
>>>>>> --------------------------------------------
>>>>>>
>>>>>> I suppose this is likely a bad client that is not refreshing its
>>>>>> mech list after the server switch, but I'd still like to know how
>>>>>> to resolve the issue server side (if possible).
>>>>>>
>>>>>> -Blake

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
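
Added example, not part of the original thread and not Cyrus code: a small audit that compares the CAPA replies from the two pop3test runs above and reports which SASL mechanisms appear only under TLS and what password-bearing logins are offered in cleartext. The function names and the sample PLAIN credentials are assumptions made up for this illustration; the decode step shows why a server refuses PLAIN at security strength factor 0.

```python
import base64

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # these send the password itself

# SASL, STLS and USER lines copied from the two pop3test runs in the thread.
CAPA_CLEARTEXT = """S: +OK List of capabilities follows
S: SASL DIGEST-MD5 CRAM-MD5
S: STLS
S: USER
S: ."""
CAPA_TLS = """S: +OK List of capabilities follows
S: SASL DIGEST-MD5 LOGIN PLAIN CRAM-MD5
S: USER
S: ."""

def parse_capa(transcript):
    """Map each capability tag in a POP3 CAPA reply to its argument list."""
    caps = {}
    for line in transcript.splitlines():
        if line.startswith("S:"):
            line = line[2:]          # drop pop3test's direction prefix
        words = line.split()
        if words and words[0] not in ("+OK", "."):
            caps[words[0].upper()] = [w.upper() for w in words[1:]]
    return caps

def audit(cleartext, tls):
    """Compare what the server offers before and after TLS."""
    clear, secure = parse_capa(cleartext), parse_capa(tls)
    clear_mechs = set(clear.get("SASL", []))
    return {
        "tls_only": sorted(set(secure.get("SASL", [])) - clear_mechs),
        "plaintext_sasl_without_tls": sorted(PLAINTEXT_MECHS & clear_mechs),
        "user_pass_without_tls": "USER" in clear,  # RFC 2449 USER capability
        "stls_offered": "STLS" in clear,
    }

def decode_plain(b64):
    """Split a SASL PLAIN response (RFC 4616): authzid NUL authcid NUL password."""
    authzid, authcid, password = base64.b64decode(b64).split(b"\0")
    return authzid.decode(), authcid.decode(), password.decode()

# Constructed credentials for illustration, not taken from the thread.
SAMPLE_PLAIN = base64.b64encode(b"\0alice\0example-password").decode()

if __name__ == "__main__":
    print(audit(CAPA_CLEARTEXT, CAPA_TLS))
    print(decode_plain(SAMPLE_PLAIN))   # base64 is an encoding, not encryption
```
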