On 7/22/11 2:53 PM, Dan White wrote:
> On 22/07/11 12:49 -0700, Maria McKinley wrote:
>> I am having a weirdness in my cyrus installation. I am getting messages
>> in the logs:
>>
>> Jul 22 08:41:59 ella cyrus/imaps[29387]: Fatal error:
>> tls_start_servertls() failed
>>
>> Weirdly, this does not seem to actually affect performance, so maybe I
>> shouldn't even be worrying about this. But, I did try to do some
>> troubleshooting. I used imtest and found this:
>>
>> ella:~# imtest -m plain -u cyrus -a cyrus -s localhost
>> verify error:num=19:self signed certificate in certificate chain
>> TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
>> S: * OK ella Cyrus IMAP4 v2.2.13-Debian-2.2.13-14+lenny4 server ready
>> C: C01 CAPABILITY
>> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID
>> NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT
>> THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN
>> AUTH=LOGIN SASL-IR
>> S: C01 OK Completed
>> Please enter your password:
>> C: A01 AUTHENTICATE PLAIN <cut>
>> S: A01 NO authentication failure
>> Authentication failed. generic failure
>> Security strength factor: 256
>> ^C^CC: Q01 LOGOUT
>> Connection closed.
>>
>> This appears to be a username/password problem, rather than an
>> installation problem, since things work fine for postmaster:
>>
>> ella:~# imtest -m plain -u postmaster -a postmaster -s localhost
>>
>> SASLPASSWD2(8)
>>
>> verify error:num=19:self signed certificate in certificate chain
>> TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
>> S: * OK ella Cyrus IMAP4 v2.2.13-Debian-2.2.13-14+lenny4 server ready
>> C: C01 CAPABILITY
>> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID
>> NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT
>> THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN
>> AUTH=LOGIN SASL-IR
>> S: C01 OK Completed
>> Please enter your password:
>> C: A01 AUTHENTICATE PLAIN <cut>
>> S: A01 OK Success (tls protection)
>> Authenticated.
>> Security strength factor: 256
>> ^CC: Q01 LOGOUT
>> Connection closed.
>>
>> So I did a check of users, and thought I had figured out the problem.
>> cyrus was tied to an old hostname:
>>
>> ella:~# sasldblistusers2
>> postmaster@ella: userPassword
>> cyrus@montoya: userPassword
>>
>> But, when I created cyrus@ella, and deleted cyrus@montoya using
>> saslpasswd2, this did not solve the problem. Both are listed in
>> imapd.conf as admins. Any ideas about what could be going on? I have a
>> memory that I am not using imaps port, but instead using a secure
>> connection over the imap port, but the error message still bugs me, and
>> I would like to get to the bottom of it. I'm afraid that with that last
>> sentence it becomes obvious I haven't looked at this in a while, and
>> have probably forgotten some key points about cyrus configuration. Some
>> hints about where to go hunting would be most appreciated.
>
> What is your sasl configuration in imapd.conf? (grep for sasl)
>

sasl_mech_list: PLAIN LOGIN
sasl_pwcheck_method: saslauthd
sasl_auto_transition: no

> If pwcheck_method does not include 'auxprop' in your configuration, then
> you are not using sasldb2 to authenticate. Your admin accounts should be
> using the same authentication database as your normal users, which could be
> PAM, for instance, if you're configured to use saslauthd.

Hmm, I am using PAM for other things, maybe I should be using PAM here
too? It appears I am not now.

>
> Also, be aware that the 'A01 AUTHENTICATE PLAIN ...' strings you included
> in your original email contain the uuencoded form of your password, and can
> be trivially reversed. If your server is publicly accessible, you may want
> to change your admin passwords.
>

Oops, meant to delete that. Changing passwords now...

thanks,
maria

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
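
An added example, not part of the original thread: a small scrubber to run over an imtest transcript before posting it. It relies on the SASL PLAIN layout from RFC 4616 (authzid NUL authcid NUL passwd, sent base64-encoded in IMAP); the function names and the sample transcript are constructed for illustration.

```python
import base64
import binascii
import re

# Client line as imtest prints it, e.g. "C: A01 AUTHENTICATE PLAIN <base64>",
# with or without leading mail-quote markers ("> ", ">> ").
AUTH_RE = re.compile(
    r"^(?P<pre>[>\s]*C: \S+ AUTHENTICATE PLAIN )(?P<blob>[A-Za-z0-9+/]+={0,2})\s*$")

def exposed_identity(blob):
    """Return the authcid carried in a SASL PLAIN blob, or None if it is not one."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    parts = raw.split(b"\x00")
    if len(parts) != 3:  # RFC 4616: authzid NUL authcid NUL passwd
        return None
    return parts[1].decode("utf-8", "replace")

def redact(transcript):
    """Replace PLAIN blobs with a marker; return (clean_text, exposed_users)."""
    out, users = [], []
    for line in transcript.splitlines():
        m = AUTH_RE.match(line)
        if m:
            user = exposed_identity(m.group("blob"))
            if user is not None:
                users.append(user)  # this account's password needs rotating
            line = m.group("pre") + "<redacted>"
        out.append(line)
    return "\n".join(out), users

# Constructed sample transcript; the blob encodes a made-up credential.
SAMPLE_BLOB = base64.b64encode(b"\x00cyrus\x00not-a-real-password").decode()
SAMPLE = "\n".join([
    ">> S: C01 OK Completed",
    ">> C: A01 AUTHENTICATE PLAIN " + SAMPLE_BLOB,
    ">> S: A01 NO authentication failure",
    "C: A01 AUTHENTICATE PLAIN <cut>",  # already cut by hand: left untouched
])

if __name__ == "__main__":
    clean, users = redact(SAMPLE)
    print(clean)
    print("rotate passwords for:", users)
```

Any account the scrubber reports was exposed in an unredacted copy of the transcript and should have its password changed, as in the thread.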