This is solved by creating a self-signed CA (certificate authority) and a certificate+private key bundle. The essential detail is that when generating the certificate you need to specify the Common Name (CN) as a fully qualified domain name (hostA.localdomain or hostA.imapsite.net, etc.). This must be done for each host involved, and each certificate should have that host's FQDN specified as CN. Once the certs were in place and the service restarted, sync_client has been able to log in without any problems.

On Wed, Jul 20, 2011 at 4:56 PM, Ivan Lezhnjov Jr. <ivan.lezhnjov.jr@xxxxxxxxx> wrote:
> I've said before that I fixed the issue with authentication from Master<->Replica in a basic two-host setup in a mysterious way. Funny thing is that I've managed to successfully replicate from M to R and vice versa, swapping the roles of the hosts as many times as I wanted. Everything worked as expected.
>
> Then I set out to repeat this success on a set of two other machines, and reached another dead end with a slightly different problem.
>
> This message attempts to describe the issue that I'm battling with and what has been tried thus far to win this fight :)
>
> This is a basic two-host setup, host A is Master, host B is Replica.
>
> When replication is attempted in automatic mode it fails. Incidentally, it fails in manual mode too.
>
> ------------------- Replica
> Jul 20 15:29:24 clone-machine-target syncserver[3630]: accepted connection
> Jul 20 15:29:24 clone-machine-target syncserver[3630]: cmdloop(): startup
> Jul 20 15:29:24 clone-machine-target syncserver[3630]: imapd:Loading hard-coded DH parameters
> Jul 20 15:29:24 clone-machine-target syncserver[3630]: SSL_accept() incomplete -> wait
> Jul 20 15:29:24 clone-machine-target syncserver[3630]: SSL_accept() succeeded -> done
> Jul 20 15:29:24 clone-machine-target syncserver[3630]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
>
> ------------------- Master
> Jul 20 15:29:00 clone-machine sync_client[3638]: Doing a peer verify
> Jul 20 15:29:00 clone-machine sync_client[3638]: verify error:num=19:self signed certificate in certificate chain
> Jul 20 15:29:00 clone-machine sync_client[3638]: received server certificate
> Jul 20 15:29:00 clone-machine sync_client[3638]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new client) no authentication
> Jul 20 15:29:00 clone-machine sync_client[3638]: couldn't authenticate to backend server: no mechanism available
> Jul 20 15:29:00 clone-machine sync_client[3638]: Can not connect to server '10.10.0.178'
>
> The interesting fact is that I can successfully authenticate with synctest from Master to Replica like this:
>
> [root@clone-machine ~]# synctest -a cyrus -u cyrus -m plain -t "" replica.localdomain
> S: * SASL PLAIN LOGIN
> S: * STARTTLS
> S: * COMPRESS DEFLATE
> S: * OK clone-machine-target Cyrus sync server v2.4.10-Kolab-2.4.10-1
> C: STARTTLS
> S: OK Begin TLS negotiation now
> verify error:num=19:self signed certificate in certificate chain
> TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> S: * SASL PLAIN LOGIN
> S: * OK clone-machine-target Cyrus sync server v2.4.10-Kolab-2.4.10-1
> Please enter your password:
> C: AUTHENTICATE PLAIN Y3lydXMAY3lydXMAY3lydXNhZG1pbnJlcGxpY2E=
> S: OK Success (tls protection)
> Authenticated.
> Security strength factor: 256
>
> but /usr/lib/cyrus-imapd/sync_client -r fails to.
>
>
> SITE CONFIGURATION
>
> ------------------- Master
> [root@clone-machine ~]# cat /etc/imapd.conf
> configdirectory: /var/lib/imap
> partition-default: /var/spool/imap
> admins: cyrus
> sievedir: /var/lib/imap/sieve
> sendmail: /usr/sbin/sendmail
> hashimapspool: true
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: PLAIN
> sasl_minimum_layer: 0
> tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd-my.pem
> tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd-my.pem
> tls_ca_file: /etc/pki/tls/certs/cacert.pem
> guid_mode: sha1
> delete_mode: immediate
> sync_host: 10.10.0.178
> sync_authname: cyrus
> syncpassword: xxxxxxxxxxxxx
> sync_log: 1
> allowplaintext: 1
> tcp_keepalive: 1
>
> [root@clone-machine ~]# cat /etc/cyrus.conf |grep -v \#
>
> START {
>   recover cmd="ctl_cyrusdb -r"
>
>   idled cmd="idled"
>
>   syncclient cmd="/usr/lib/cyrus-imapd/sync_client -r"
> }
>
> SERVICES {
>   imap cmd="imapd" listen="imap" prefork=5 provide_uuid=1
>   imaps cmd="imapd -s" listen="imaps" prefork=1 provide_uuid=1
>
>   lmtpunix cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1 provide_uuid=1
> }
>
> EVENTS {
>   checkpoint cmd="ctl_cyrusdb -c" period=30
>
>   delprune cmd="cyr_expire -D 7 -E 3 -X 7" at=0400
>
>   tlsprune cmd="tls_prune" at=0400
> }
>
>
> ------------------- Replica
> [root@clone-machine-target ~]# cat /etc/imapd.conf
> configdirectory: /var/lib/imap
> partition-default: /var/spool/imap
> admins: cyrus
> sievedir: /var/lib/imap/sieve
> sendmail: /usr/sbin/sendmail
> hashimapspool: true
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: PLAIN
> tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd-my.pem
> tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd-my.pem
> tls_ca_file: /etc/pki/tls/certs/cacert.pem
> allowplaintext: 1
> tcp_keepalive: 1
>
> [root@clone-machine-target ~]# cat /etc/cyrus.conf |grep -v \#
>
> START {
>   recover cmd="ctl_cyrusdb -r"
>
>   idled cmd="idled"
> }
>
> SERVICES {
>   imap cmd="imapd" listen="imap" prefork=5 provide_uuid=1
>   imaps cmd="imapd -s" listen="imaps" prefork=1 provide_uuid=1
>
>   lmtpunix cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1 provide_uuid=1
>
>   syncserver cmd="/usr/lib/cyrus-imapd/sync_server" listen="csync"
> }
>
> EVENTS {
>   checkpoint cmd="ctl_cyrusdb -c" period=30
>
>   delprune cmd="cyr_expire -D 7 -E 3 -X 7" at=0400
>
>   tlsprune cmd="tls_prune" at=0400
> }
>
> Using my own self-signed certificates and my own CA on both machines. CN points to the hosts' FQDNs defined in /etc/hosts as master.localdomain and replica.localdomain.
>
>
> PAM configuration:
>
> [root@clone-machine ~]# cat /etc/pam.d/{csync,imap,lmtp}
> #%PAM-1.0
> auth       required     pam_nologin.so
> auth       include      system-auth
> account    include      system-auth
> session    include      system-auth
> #%PAM-1.0
> auth       required     pam_nologin.so
> auth       include      system-auth
> account    include      system-auth
> session    include      system-auth
> #%PAM-1.0
> auth       required     pam_nologin.so
> auth       include      system-auth
> account    include      system-auth
> session    include      system-auth
>
>
> selinux disabled
> iptables disabled
>
> I've tried the following options with no success and positive changes in regard to replication:
> - sasl_minimum_layer: 0
> - syncserver cmd="/usr/lib/cyrus-imapd/sync_server -p 1" listen="csync"
> - removing sasl_mech_list completely while setting allowplaintext to false
>
>
> SOFTWARE INSTALLED
> [root@clone-machine ~]# yum list installed |grep cyrus
> cyrus-imapd.x86_64            2.4.10-1    installed
> cyrus-imapd-debuginfo.x86_64  2.4.10-1    installed
> cyrus-imapd-devel.x86_64      2.4.10-1    installed
> cyrus-imapd-perl.x86_64       2.4.10-1    installed
> cyrus-imapd-utils.x86_64      2.4.10-1    installed
> cyrus-sasl.x86_64             2.1.22-4    installed
> cyrus-sasl-devel.x86_64       2.1.22-4    installed
> cyrus-sasl-lib.x86_64         2.1.22-4    installed
> cyrus-sasl-plain.x86_64       2.1.22-4    installed
>
> using a Kolab SRPM for cyrus-imapd as divulged in synctest output. I also tried Invoca SRPM (same tests only running Invoca build).
>
> I'm hoping to get any help because I've spent most of the day reading mailing list archives, trying to find at least a hint but nothing seems to help. I need your fresh look at this whole setup people.
>
> Thanks in advance for your time.

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
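The CA-plus-per-host-bundle procedure from the reply at the top, written out as an added example that is not from the thread: it builds a private CA, issues one cert+key bundle per host with CN set to that host's FQDN (the single-file form the quoted imapd.conf points both tls_cert_file and tls_key_file at), and runs the checks that sync_client's peer verify implies: the bundle chains to the configured CA and its CN matches the FQDN. The directory layout, CA name and the master/replica hostnames are assumptions; a real deployment uses the names resolvable via /etc/hosts or DNS.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: directory layout, CA CN, and
# the FQDNs passed in; real hosts must use their resolvable names.
set -e

# make_ca DIR: create a self-signed CA (cacert.pem + cakey.pem) under DIR.
make_ca() {
    ca_dir="$1"
    mkdir -p "$ca_dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Cyrus CA" \
        -keyout "$ca_dir/cakey.pem" -out "$ca_dir/cacert.pem" 2>/dev/null
}

# make_host_bundle DIR FQDN: issue a CA-signed cert whose CN is FQDN and
# write DIR/FQDN.pem holding certificate followed by private key, so one
# file can serve as both tls_cert_file and tls_key_file.
make_host_bundle() {
    ca_dir="$1"; fqdn="$2"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -keyout "$ca_dir/$fqdn.key" -out "$ca_dir/$fqdn.csr" 2>/dev/null
    openssl x509 -req -in "$ca_dir/$fqdn.csr" -CA "$ca_dir/cacert.pem" \
        -CAkey "$ca_dir/cakey.pem" -CAcreateserial -days 365 \
        -out "$ca_dir/$fqdn.crt" 2>/dev/null
    cat "$ca_dir/$fqdn.crt" "$ca_dir/$fqdn.key" > "$ca_dir/$fqdn.pem"
    chmod 600 "$ca_dir/$fqdn.pem"
    rm -f "$ca_dir/$fqdn.csr" "$ca_dir/$fqdn.key" "$ca_dir/$fqdn.crt"
}

# check_bundle CA_FILE BUNDLE FQDN: succeed only if the bundle's certificate
# chains to CA_FILE and its CN is exactly FQDN. A bundle signed by a CA that
# the peer's tls_ca_file does not contain is what "verify error:num=19" in
# the quoted logs reports; a CN that is not the host's FQDN fails the
# second check. The grep accepts both "CN=" and "CN = " subject formats.
check_bundle() {
    ca_file="$1"; bundle="$2"; fqdn="$3"
    openssl x509 -in "$bundle" | openssl verify -CAfile "$ca_file" >/dev/null 2>&1 || return 1
    openssl x509 -in "$bundle" -noout -subject | grep -q "CN *= *$fqdn\$"
}

# Usage (hostnames are constructed examples): one CA, one bundle per host.
if [ "${1:-}" = "demo" ]; then
    make_ca ./pki
    make_host_bundle ./pki master.localdomain
    make_host_bundle ./pki replica.localdomain
    check_bundle ./pki/cacert.pem ./pki/master.localdomain.pem master.localdomain && echo "master OK"
fi
```

Copy cacert.pem to the path named by tls_ca_file on every peer and each host's own bundle to its tls_cert_file/tls_key_file path; check_bundle run with the peer's CA file reproduces the trust decision the peer will make before restarting anything.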