Hi Michael,
thank you very much.
That works.
I am now blocked on autocreating users on the backend, but that's
another problem ;-)
Thanks again,
Ismaël Tanguy
On 07/03/2019 at 11:55, Michael Menge wrote:
Hi,
I suspect lmtp is trying to proxy auth, which is not possible
with the PLAIN mech (but is, e.g., with LOGIN). So, as only PLAIN is
available: "No worthy mechs found".
You can try not setting "mupdate_username: murder" in the frontend
imapd.conf, but keep "mupdate_authname: murder". This should result
in normal PLAIN authentication as user "murder".
Even if you enable the LOGIN mech, setting mupdate_username can
cause some problems. I can't remember which problems, but I reminded
myself not to set mupdate_username with a comment in my own
imapd.conf.
Regards
Michael Menge
Quoting Ismaël Tanguy <ismael.tanguy@xxxxxxxxxxxxx>:
Hello,
I'm stuck configuring a murder cluster with one frontend
and one backend.
LMTP between frontend and backend doesn't work; the logs say
that no mechanism is available.
I'm using SASL PLAIN.
When running saslauthd in debug mode, the MTA connection to the
frontend is OK, but there's no request for the connection between
frontend and backend.
lmtptest -t "" -a murder backend is OK and goes over TLS.
Here's the debug log:
### /var/log/maillog -> frontend cyrus
frontend cyrus/lmtp[19541]: accepted connection
frontend cyrus/lmtp[19541]: connection from mta.domain [IP]
frontend cyrus/lmtp[19541]: command: LHLO mta.domain
frontend cyrus/lmtp[19541]: TLS is available.
frontend cyrus/lmtp[19541]: command: STARTTLS
frontend cyrus/lmtp[19541]: TLS is available.
frontend cyrus/lmtp[19541]: SSL_accept() incomplete -> wait
frontend cyrus/lmtp[19541]: SSL_accept() succeeded -> done
frontend cyrus/lmtp[19541]: starttls: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
frontend cyrus/lmtp[19541]: command: LHLO mta.domain
frontend cyrus/lmtp[19541]: TLS is available.
frontend cyrus/lmtp[19541]: command: AUTH PLAIN ***************
frontend cyrus/lmtp[19541]: login: mta.domain [IP] cyrus
PLAIN+TLS User logged in
frontend cyrus/lmtp[19541]: command: MAIL
FROM:<mail@domain> SIZE=576
frontend cyrus/lmtp[19541]: command: RCPT TO:<mail@domain>
frontend cyrus/lmtp[19541]: command: DATA
frontend cyrus/lmtp[19541]: USAGE <uid> user: 0.030932
sys: 0.017066
frontend cyrus/lmtp[19537]: accepted connection
frontend cyrus/lmtp[19537]: connection from frontend.domain [IP]
frontend cyrus/lmtp[19537]: command: LHLO lmtpproxyd
frontend cyrus/lmtp[19537]: TLS is available.
frontend cyrus/lmtp[19537]: command: STARTTLS
frontend cyrus/lmtp[19537]: TLS is available.
frontend cyrus/lmtp[19541]: tls_server_ca_dir=(NULL)
tls_server_ca_file=/etc/ssl/certs/wildcard.ca
frontend cyrus/lmtp[19537]: SSL_accept() incomplete -> wait
frontend cyrus/lmtp[19541]: Doing a peer verify
frontend cyrus/lmtp[19541]: Doing a peer verify
frontend cyrus/lmtp[19541]: Doing a peer verify
frontend cyrus/lmtp[19537]: Doing a peer verify
frontend cyrus/lmtp[19537]: Doing a peer verify
frontend cyrus/lmtp[19537]: Doing a peer verify
frontend cyrus/lmtp[19537]: SSL_accept() incomplete -> wait
frontend cyrus/lmtp[19537]: SSL_accept() succeeded -> done
frontend cyrus/lmtp[19537]: received client certificate
frontend cyrus/lmtp[19537]:
subject=***********************************************
frontend cyrus/lmtp[19537]: starttls: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) authenticated as
*.domain
frontend cyrus/lmtp[19541]: received server certificate
frontend cyrus/lmtp[19541]: starttls: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new client) no
authentication
frontend cyrus/lmtp[19537]: command: LHLO lmtpproxyd
frontend cyrus/lmtp[19537]: TLS is available.
frontend cyrus/lmtp[19541]: couldn't authenticate to backend
server: no mechanism available
frontend cyrus/lmtp[19537]: command: QUIT
frontend cyrus/lmtp[19541]: command: QUIT
### saslauthd -d -a pam (cyrus is the LMTP user from the MTA,
### murder is the LMTP user for the backend)
### the LMTP connection to the backend doesn't go to saslauthd
saslauthd[19525] :rel_accept_lock : released accept lock
saslauthd[19527] :get_accept_lock : acquired accept lock
saslauthd[19525] :do_auth : auth success: [user=cyrus]
[service=lmtp] [realm=] [mech=pam]
saslauthd[19525] :do_request : response: OK
### /var/log/messages
frontend cyrus/lmtp[19563]: No worthy mechs found
frontend cyrus/lmtp[19563]: No worthy mechs found
### /var/log/maillog -> mta postfix
mta postfix/smtpd[7678]: connect from client_test
mta postfix/smtpd[7678]: DCAEF10392E5: client=client_test
mta postfix/cleanup[7682]: DCAEF10392E5: message-id=<>
mta postfix/qmgr[2161]: DCAEF10392E5: from=<mail.domain>,
size=576, nrcpt=1 (queue active)
mta postfix/smtpd[7678]: disconnect from client_test
mta postfix/lmtp[7683]: Untrusted TLS connection established to
frontend:24: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
(256/256 bits)
mta postfix/lmtp[7683]: DCAEF10392E5: to=<mail.domain>,
relay=frontend:24, delay=0.1, delays=0.01/0/0.07/0.02,
dsn=4.4.3, status=deferred (host frontend said: 451 4.4.3 Remote
server unavailable (in reply to end of DATA command))
### /etc/imapd.conf -> frontend
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
mupdate_server: cyrus-murder.univ-brest.fr
mupdate_username: murder
mupdate_authname: murder
mupdate_password: password
backend_password: password
proxy_authname: murder
### /etc/cyrus.conf -> frontend
START {
    recover cmd="ctl_cyrusdb -r"
}
SERVICES {
    # add or remove based on preferences
    mupdate cmd="mupdate" listen=3905 prefork=1
    imap cmd="imapd" listen="imap" prefork=5
    imaps cmd="imapd -s" listen="imaps" prefork=1
    pop3 cmd="pop3d" listen="pop3" prefork=3
    pop3s cmd="pop3d -s" listen="pop3s" prefork=1
    sieve cmd="timsieved" listen="sieve" prefork=0
    nntp cmd="nntpd" listen="nntp" prefork=3
    lmtp cmd="lmtpd" listen="lmtp" prefork=0
}
EVENTS {
    checkpoint cmd="ctl_cyrusdb -c" period=30
    delprune cmd="cyr_expire -E 3" at=0400
    tlsprune cmd="tls_prune" at=0400
}
DAEMON {
    idled cmd="idled"
}
### /etc/sysconfig/saslauthd
SOCKETDIR=/run/saslauthd
MECH=pam
### lmtptest frontend -> backend
(frontend)# lmtptest -t "" -a murder backend
S: 220 backend.domain Cyrus LMTP 3.0.8-7.el7.centos Fedora
server ready
C: LHLO lmtptest
S: 250-backend.domain
S: 250-8BITMIME
S: 250-ENHANCEDSTATUSCODES
S: 250-PIPELINING
S: 250-SIZE
S: 250-STARTTLS
S: 250-AUTH PLAIN
S: 250-IGNOREQUOTA
S: 250 Ok
SESSIONID=<cyrus-28058-1551952740-1-7710567405059874995>
C: STARTTLS
S: 220 Begin TLS negotiation now
verify error:num=19:self signed certificate in certificate chain
TLS connection established: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
C: LHLO lmtptest
S: 250-backend.domain
S: 250-8BITMIME
S: 250-ENHANCEDSTATUSCODES
S: 250-PIPELINING
S: 250-SIZE
S: 250-AUTH PLAIN
S: 250-IGNOREQUOTA
S: 250 Ok
SESSIONID=<cyrus-28058-1551952740-2-5714180577914972405>
Please enter your password:
C: AUTH PLAIN ***************************************
S: 235 Authenticated!
Authenticated.
Security strength factor: 256
It seems I'm missing something in imapd.conf to tell LMTP to use
SASL PLAIN, but I didn't find the way.
Any help would be greatly appreciated.
Thanks
Ismaël TANGUY
Université de Bretagne Occidentale
Brest - France
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info:
http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
--------------------------------------------------------------------------------
M.Menge Tel.: (49) 7071/29-70316
Universität Tübingen Fax.: (49) 7071/29-5912
Zentrum für Datenverarbeitung mail:
michael.menge@xxxxxxxxxxxxxxxxxxxx
Wächterstraße 76
72074 Tübingen
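The capability negotiation and the SASL PLAIN message discussed in this thread, as an added example that is not part of the original messages and not Cyrus code. It parses the two LHLO replies from the lmtptest transcript quoted above (embedded here as constructed strings, SESSIONID and 220 lines omitted), builds and decodes the RFC 4616 PLAIN initial response for a frontend configured with mupdate_authname only versus with mupdate_username as well, and reports whether the message carries an explicit authorization identity. The mapping of mupdate_username to the SASL authorization identity and mupdate_authname to the authentication identity is an assumption taken from Michael Menge's reply, not checked against the Cyrus source; the example makes the wire format visible, it does not model how the Cyrus SASL client selects a mechanism.

```python
import base64

# Constructed input: the LHLO replies from the lmtptest transcript in the
# thread, before and after STARTTLS. Only PLAIN is advertised in both.
LHLO_PLAINTEXT = """\
250-backend.domain
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-SIZE
250-STARTTLS
250-AUTH PLAIN
250-IGNOREQUOTA
250 Ok"""

LHLO_AFTER_TLS = """\
250-backend.domain
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-SIZE
250-AUTH PLAIN
250-IGNOREQUOTA
250 Ok"""


def parse_lhlo(reply: str) -> dict:
    """Parse a multi-line 250 reply (LHLO, same shape as EHLO) into
    {KEYWORD: [parameters]}. The first line carries the server domain."""
    caps = {}
    lines = [ln.rstrip() for ln in reply.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        if not line.startswith("250") or line[3:4] not in ("-", " "):
            raise ValueError(f"not a 250 reply line: {line!r}")
        # '250-' continues the reply, '250 ' must be the last line
        if line[3] == " " and i != len(lines) - 1:
            raise ValueError("space-terminated line before end of reply")
        if i == 0:
            caps["DOMAIN"] = [line[4:]]
            continue
        words = line[4:].split()
        caps[words[0].upper()] = [w.upper() for w in words[1:]]
    return caps


def auth_mechs(reply: str) -> set:
    """Set of SASL mechanisms the server advertised on the AUTH line."""
    return set(parse_lhlo(reply).get("AUTH", []))


def plain_initial_response(authcid: str, password: str, authzid: str = "") -> str:
    """Base64 blob sent after 'AUTH PLAIN' (RFC 4616):
    [authzid] NUL authcid NUL password. authzid stays empty unless the
    client asks to act as some other user (proxy authentication)."""
    for part in (authzid, authcid, password):
        if "\0" in part:
            raise ValueError("NUL is not allowed in SASL PLAIN fields")
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(blob: str) -> dict:
    """Inverse of plain_initial_response. 'explicit_authzid' means the
    message names an authorization identity at all; 'proxy' means that
    identity differs from the authenticating one."""
    fields = base64.b64decode(blob, validate=True).decode("utf-8").split("\0")
    if len(fields) != 3:
        raise ValueError("SASL PLAIN message must have exactly three fields")
    authzid, authcid, password = fields
    return {
        "authzid": authzid,
        "authcid": authcid,
        "password": password,
        "explicit_authzid": bool(authzid),
        "proxy": bool(authzid) and authzid != authcid,
    }


def describe_frontend_auth(conf: dict) -> dict:
    """Model the frontend's mupdate_* options as they appear in the thread.
    Assumption (from Michael Menge's reply, not from Cyrus source):
    mupdate_authname is the authentication identity and mupdate_username,
    when set, is presented as the authorization identity."""
    authzid = conf.get("mupdate_username", "")
    blob = plain_initial_response(conf["mupdate_authname"],
                                  conf["mupdate_password"], authzid=authzid)
    return decode_plain(blob)


if __name__ == "__main__":
    print("mechs before STARTTLS:", sorted(auth_mechs(LHLO_PLAINTEXT)))
    print("mechs after  STARTTLS:", sorted(auth_mechs(LHLO_AFTER_TLS)))
    with_username = {"mupdate_authname": "murder", "mupdate_username": "murder",
                     "mupdate_password": "password"}
    without_username = {"mupdate_authname": "murder",
                        "mupdate_password": "password"}
    print("with mupdate_username:   ", describe_frontend_auth(with_username))
    print("without mupdate_username:", describe_frontend_auth(without_username))
```

Run it against a real backend by pasting the LHLO reply from `lmtptest` into `parse_lhlo`: if the AUTH line after STARTTLS does not list the mechanism the frontend is configured for, "no mechanism available" is expected regardless of the mupdate_* settings.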