On Thu, 15 Apr 2010, Simon Beale wrote:

> Hi
>
> I'm trying to set up a cyrus murder set of boxes on 2.3.16 to eventually
> replace our single creaking dovecot server, and am currently failing to
> get a working configuration.
>
> My current intention is to have
> switch-101 (frontend + murder master)
> switch-102 (frontend)
> store-101 (backend)
> store-102 (backend)
> with user authentication being done via saslauthd against pam (which in
> turn looks at ldap).
>
> On the frontend + murder master box, I've got the following imapd.conf
> (sanitized):
>
> ========================
> admins: cyrus cyrus-frontend
> allowplaintext: false
> allowusermoves: true
> configdirectory: /var/lib/imap
> delete_mode: delayed
> duplicate_db: skiplist
> expunge_mode: delayed
> force_sasl_client_mech: plain
> hashimapspool: true
> improved_mboxlist_sort: true
> lmtp_downcase_rcpt: true
> mupdate_config: unified
> normalizeuid: true
> partition-default: /var/spool/imap
> proxy_authname: cyrus-frontend
> proxyd_disable_mailbox_referrals: true
> proxy_password: ********
> ptscache_db: skiplist
> sasl_mech_list: DIGEST-MD5 PLAIN LOGIN
> sasl_pwcheck_method: saslauthd auxprop
> serverlist: store-101
> sieve_allowreferrals: false
> sievedir: /var/lib/imap/sieve
> statuscache_db: skiplist
> tlscache_db: skiplist
> tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
> tls_cert_file: /etc/pki/tls/certs/wildcard.pem
> tls_key_file: /etc/pki/tls/certs/wildcard.pem
> unix_group_enable: false
> ========================
>
> And on the backend boxes I have:
> ========================
> admins: cyrus cyrus-frontend
> allowallsubscribe: true
> allowplaintext: false
> allowusermoves: true
> configdirectory: /var/lib/imap
> delete_mode: delayed
> duplicate_db: skiplist
> expunge_mode: delayed
> hashimapspool: true
> improved_mboxlist_sort: true
> lmtp_downcase_rcpt: true
> mupdate_authname: cyrus-frontend
> mupdate_password: ********
> mupdate_server: switch-101
> mupdate_username: cyrus-frontend
> normalizeuid: true
> partition-default: /var/spool/imap
> proxyservers: cyrus-frontend
> ptscache_db: skiplist
> sasl_mech_list: DIGEST-MD5 PLAIN LOGIN
> sasl_pwcheck_method: auxprop
> sievedir: /var/lib/imap/sieve
> statuscache_db: skiplist
> tlscache_db: skiplist
> tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
> tls_cert_file: /etc/pki/tls/certs/wildcard.pem
> tls_key_file: /etc/pki/tls/certs/wildcard.pem
> unix_group_enable: false
> =====================
>
> These configs do let me log in on the frontend and do a LIST, but when I
> try and do a SELECT it fails:
>
> from switch-101: couldn't authenticate to backend server: authentication
> failure
> from store-101: badlogin: switch-101 [10.10.10.37] PLAIN [SASL(-16):
> encryption needed to use mechanism: security flags do not match required
>
> Is there something obvious that I'm missing in my configuration? Or could
> I ask for some kind soul to send me a known-good sample murder
> configuration set of imapd.conf files that I can at least start from?

On your backend server, set:

  allowplaintext: true

and I think it will work. That's how I have it configured at my site.
Frontends do not allow plaintext (unencrypted) logins, but the backends do.

I'm not sure how to configure the frontends to use TLS/SSL when proxying to
the backends.

Andy
----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
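
The mismatch behind the SASL(-16) error in this thread, as an added example that is not part of either message or of Cyrus itself: a Python lint over a frontend/backend imapd.conf pair. The sample configs are constructed from the settings quoted above; the finding names, the link_encrypted parameter and treating a missing allowplaintext as false are assumptions of the example.

```python
# Added example: lint a Cyrus murder frontend/backend imapd.conf pair.
# Sample configs are constructed from the settings quoted in the thread.
PLAINTEXT_MECHS = {"plain", "login"}  # mechanisms that send the password itself
TRUE_VALUES = {"1", "true", "yes", "on", "t"}

FRONTEND = """\
force_sasl_client_mech: plain
proxy_authname: cyrus-frontend
"""
BACKEND_AS_POSTED = """\
allowplaintext: false
proxyservers: cyrus-frontend
sasl_mech_list: DIGEST-MD5 PLAIN LOGIN
"""
BACKEND_AS_SUGGESTED = BACKEND_AS_POSTED.replace("false", "true")

def parse_imapd_conf(text):
    """Parse 'key: value' lines; skip blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip().lower()] = value.strip()
    return conf

def is_true(conf, key):
    # Assumption: a missing key counts as false (defaults vary by version).
    return conf.get(key, "false").lower() in TRUE_VALUES

def check_proxy_auth(frontend, backend, link_encrypted=False):
    """Return findings for the frontend -> backend proxy login."""
    findings = []
    mech = frontend.get("force_sasl_client_mech", "").lower()
    offered = backend.get("sasl_mech_list", "").lower().split()
    if mech and offered and mech not in offered:
        findings.append("MECH_NOT_OFFERED")
    if frontend.get("proxy_authname") not in backend.get("proxyservers", "").split():
        findings.append("NOT_IN_PROXYSERVERS")
    if mech in PLAINTEXT_MECHS and not link_encrypted:
        if is_true(backend, "allowplaintext"):
            # Login works, but proxy_password crosses the link unencrypted.
            findings.append("PROXY_PASSWORD_IN_CLEARTEXT")
        else:
            # The case in the thread: backend rejects PLAIN with SASL(-16).
            findings.append("PLAINTEXT_REFUSED")
    return findings
```

With the backend as posted the lint reports PLAINTEXT_REFUSED; with allowplaintext: true it reports PROXY_PASSWORD_IN_CLEARTEXT, which is the trade-off to weigh for the frontend-to-backend network segment.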