Hi,
I suspect, lmtp it trying to proxy auth, which is not possible with
the PLAIN mech,
(but e.g. with LOGIN). So as only PLAIN is availble "No worthy mechs found".
You can try not to set "mupdate_username: murder" in the frontend imapd.conf.
But keep "mupdate_authname: murder". This should result in normal
PLAIN authentication
as user "murder".
Even if you enable the LOGIN mech, setting mupdate_username can cause
some problems.
I can't remember which problems, but I reminded myself not to set
mupdate_username
with a comment in my own imapd.conf
Regards
Michael Menge
Quoting Ismaël Tanguy <ismael.tanguy@xxxxxxxxxxxxx>:
Hello,
I'm stucked in configuring a murder cluster with one frontend and
one backend.
LMTP between frontend and backend doesn't work, the logs says that
no mechanism is available.
I'm using sasl plain.
When turning saslauthd in debug mode, mta connection to frontend is
OK, but there's no request for the connection between frontend and
backend.
lmtptest -t "" -a murder backend is OK and goes over TLS.
Here's the debug log:
### /var/log/maillog -> frontend cyrus
frontend cyrus/lmtp[19541]: accepted connection
frontend cyrus/lmtp[19541]: connection from mta.domain [IP]
frontend cyrus/lmtp[19541]: command: LHLO mta.domain
frontend cyrus/lmtp[19541]: TLS is available.
frontend cyrus/lmtp[19541]: command: STARTTLS
frontend cyrus/lmtp[19541]: TLS is available.
frontend cyrus/lmtp[19541]: SSL_accept() incomplete -> wait
frontend cyrus/lmtp[19541]: SSL_accept() succeeded -> done
frontend cyrus/lmtp[19541]: starttls: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
frontend cyrus/lmtp[19541]: command: LHLO mta.domain
frontend cyrus/lmtp[19541]: TLS is available.
frontend cyrus/lmtp[19541]: command: AUTH PLAIN ***************
frontend cyrus/lmtp[19541]: login: mta.domain [IP] cyrus PLAIN+TLS
User logged in
frontend cyrus/lmtp[19541]: command: MAIL FROM:<mail@domain> SIZE=576
frontend cyrus/lmtp[19541]: command: RCPT TO:<mail@domain>
frontend cyrus/lmtp[19541]: command: DATA
frontend cyrus/lmtp[19541]: USAGE <uid> user: 0.030932 sys: 0.017066
frontend cyrus/lmtp[19537]: accepted connection
frontend cyrus/lmtp[19537]: connection from frontend.domain [IP]
frontend cyrus/lmtp[19537]: command: LHLO lmtpproxyd
frontend cyrus/lmtp[19537]: TLS is available.
frontend cyrus/lmtp[19537]: command: STARTTLS
frontend cyrus/lmtp[19537]: TLS is available.
frontend cyrus/lmtp[19541]: tls_server_ca_dir=(NULL)
tls_server_ca_file=/etc/ssl/certs/wildcard.ca
frontend cyrus/lmtp[19537]: SSL_accept() incomplete -> wait
frontend cyrus/lmtp[19541]: Doing a peer verify
frontend cyrus/lmtp[19541]: Doing a peer verify
frontend cyrus/lmtp[19541]: Doing a peer verify
frontend cyrus/lmtp[19537]: Doing a peer verify
frontend cyrus/lmtp[19537]: Doing a peer verify
frontend cyrus/lmtp[19537]: Doing a peer verify
frontend cyrus/lmtp[19537]: SSL_accept() incomplete -> wait
frontend cyrus/lmtp[19537]: SSL_accept() succeeded -> done
frontend cyrus/lmtp[19537]: received client certificate
frontend cyrus/lmtp[19537]:
subject=***********************************************
frontend cyrus/lmtp[19537]: starttls: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) authenticated as
*.domain
frontend cyrus/lmtp[19541]: received server certificate
frontend cyrus/lmtp[19541]: starttls: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new client) no
authentication
frontend cyrus/lmtp[19537]: command: LHLO lmtpproxyd
frontend cyrus/lmtp[19537]: TLS is available.
frontend cyrus/lmtp[19541]: couldn't authenticate to backend server:
no mechanism available
frontend cyrus/lmtp[19537]: command: QUIT
frontend cyrus/lmtp[19541]: command: QUIT
### saslauthd -d -a pam >> cyrus is lmtpuser from mta, murder is
lmtpuser for the backend,
### lmtp connection to the backend doesn't go to saslauthd
saslauthd[19525] :rel_accept_lock : released accept lock
saslauthd[19527] :get_accept_lock : acquired accept lock
saslauthd[19525] :do_auth : auth success: [user=cyrus]
[service=lmtp] [realm=] [mech=pam]
saslauthd[19525] :do_request : response: OK
### /var/log/messages
frontend cyrus/lmtp[19563]: No worthy mechs found
frontend cyrus/lmtp[19563]: No worthy mechs found
### /var/log/maillog -> mta postfix
mta postfix/smtpd[7678]: connect from client_test
mta postfix/smtpd[7678]: DCAEF10392E5: client=client_test
mta postfix/cleanup[7682]: DCAEF10392E5: message-id=<>
mta postfix/qmgr[2161]: DCAEF10392E5: from=<mail.domain>, size=576,
nrcpt=1 (queue active)
mta postfix/smtpd[7678]: disconnect from client_test
mta postfix/lmtp[7683]: Untrusted TLS connection established to
frontend:24: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
(256/256 bits)
mta postfix/lmtp[7683]: DCAEF10392E5: to=<mail.domain>,
relay=frontend:24, delay=0.1, delays=0.01/0/0.07/0.02, dsn=4.4.3,
status=deferred (host frontend said: 451 4.4.3 Remote server
unavailable (in reply to end of DATA command))
### /etc/imapd.conf -> frontend
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
mupdate_server: cyrus-murder.univ-brest.fr
mupdate_username: murder
mupdate_authname: murder
mupdate_password: password
backend_password: password
proxy_authname: murder
### /etc/cyrus.conf -> frontend
START {
recover cmd="ctl_cyrusdb -r"
}
SERVICES {
# add or remove based on preferences
mupdate cmd="mupdate" listen=3905 prefork=1
imap cmd="imapd" listen="imap" prefork=5
imaps cmd="imapd -s" listen="imaps" prefork=1
pop3 cmd="pop3d" listen="pop3" prefork=3
pop3s cmd="pop3d -s" listen="pop3s" prefork=1
sieve cmd="timsieved" listen="sieve" prefork=0
nntp cmd="nntpd" listen="nntp" prefork=3
lmtp cmd="lmtpd" listen="lmtp" prefork=0
}
EVENTS {
checkpoint cmd="ctl_cyrusdb -c" period=30
delprune cmd="cyr_expire -E 3" at=0400
tlsprune cmd="tls_prune" at=0400
}
DAEMON {
idled cmd="idled"
}
### /etc/sysconfig/saslauthd
SOCKETDIR=/run/saslauthd
MECH=pam
### lmtptest frontend -> backend
(frontend)# lmtptest -t "" -a murder backend
S: 220 backend.domain Cyrus LMTP 3.0.8-7.el7.centos Fedora server ready
C: LHLO lmtptest
S: 250-backend.domain
S: 250-8BITMIME
S: 250-ENHANCEDSTATUSCODES
S: 250-PIPELINING
S: 250-SIZE
S: 250-STARTTLS
S: 250-AUTH PLAIN
S: 250-IGNOREQUOTA
S: 250 Ok SESSIONID=<cyrus-28058-1551952740-1-7710567405059874995>
C: STARTTLS
S: 220 Begin TLS negotiation now
verify error:num=19:self signed certificate in certificate chain
TLS connection established: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
C: LHLO lmtptest
S: 250-backend.domain
S: 250-8BITMIME
S: 250-ENHANCEDSTATUSCODES
S: 250-PIPELINING
S: 250-SIZE
S: 250-AUTH PLAIN
S: 250-IGNOREQUOTA
S: 250 Ok SESSIONID=<cyrus-28058-1551952740-2-5714180577914972405>
Please enter your password:
C: AUTH PLAIN ***************************************
S: 235 Authenticated!
Authenticated.
Security strength factor: 256
It seems I miss something in imapd.conf to tell LMTP to use sasl
plain but I didn't find the way.
Any help would be greatly appreciated.
Thanks
Ismaël TANGUY
Université de Bretagne Occidentale
Brest - France
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
--------------------------------------------------------------------------------
M.Menge Tel.: (49) 7071/29-70316
Universität Tübingen Fax.: (49) 7071/29-5912
Zentrum für Datenverarbeitung mail:
michael.menge@xxxxxxxxxxxxxxxxxxxx
Wächterstraße 76
72074 Tübingen
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
