Re: Murder, couldn't authenticate to backend server: no mechanism available

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Mickael,

thank you very much.
That's work.

I am now blocked in autocreating user on backend, but it's another problem ;-)

Thanks again,

Ismaël Tanguy

Le 07/03/2019 à 11:55, Michael Menge a écrit :
Hi,


I suspect, lmtp it trying to proxy auth, which is not possible with the PLAIN mech,
(but e.g. with LOGIN). So as only PLAIN is availble "No worthy mechs found".

You can try not to set "mupdate_username: murder" in the frontend imapd.conf.
But keep "mupdate_authname: murder". This should result in normal PLAIN authentication
as user "murder".

Even if you enable the LOGIN mech, setting mupdate_username can cause some problems.
I can't remember which problems, but I reminded myself not to set mupdate_username
with a comment in my own imapd.conf

Regards

   Michael Menge


Quoting Ismaël Tanguy <ismael.tanguy@xxxxxxxxxxxxx>:

Hello,

I'm stucked in configuring a murder cluster with one frontend and one backend.
LMTP between frontend and backend doesn't work, the logs says that no mechanism is available.
I'm using sasl plain.
When turning saslauthd in debug mode, mta connection to frontend is OK, but there's no request for the connection between frontend and backend.
lmtptest -t "" -a murder backend is OK and goes over TLS.
Here's the debug log:

### /var/log/maillog -> frontend cyrus

frontend cyrus/lmtp[19541]: accepted connection
frontend cyrus/lmtp[19541]: connection from mta.domain [IP]
frontend cyrus/lmtp[19541]: command: LHLO mta.domain
frontend cyrus/lmtp[19541]: TLS is available.
frontend cyrus/lmtp[19541]: command: STARTTLS
frontend cyrus/lmtp[19541]: TLS is available.
frontend cyrus/lmtp[19541]: SSL_accept() incomplete -> wait
frontend cyrus/lmtp[19541]: SSL_accept() succeeded -> done
frontend cyrus/lmtp[19541]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
frontend cyrus/lmtp[19541]: command: LHLO mta.domain
frontend cyrus/lmtp[19541]: TLS is available.
frontend cyrus/lmtp[19541]: command: AUTH PLAIN ***************
frontend cyrus/lmtp[19541]: login: mta.domain [IP] cyrus PLAIN+TLS User logged in
frontend cyrus/lmtp[19541]: command: MAIL FROM:<mail@domain> SIZE=576
frontend cyrus/lmtp[19541]: command: RCPT TO:<mail@domain>
frontend cyrus/lmtp[19541]: command: DATA
frontend cyrus/lmtp[19541]: USAGE <uid> user: 0.030932 sys: 0.017066
frontend cyrus/lmtp[19537]: accepted connection
frontend cyrus/lmtp[19537]: connection from frontend.domain [IP]
frontend cyrus/lmtp[19537]: command: LHLO lmtpproxyd
frontend cyrus/lmtp[19537]: TLS is available.
frontend cyrus/lmtp[19537]: command: STARTTLS
frontend cyrus/lmtp[19537]: TLS is available.
frontend cyrus/lmtp[19541]: tls_server_ca_dir=(NULL) tls_server_ca_file=/etc/ssl/certs/wildcard.ca
frontend cyrus/lmtp[19537]: SSL_accept() incomplete -> wait
frontend cyrus/lmtp[19541]: Doing a peer verify
frontend cyrus/lmtp[19541]: Doing a peer verify
frontend cyrus/lmtp[19541]: Doing a peer verify
frontend cyrus/lmtp[19537]: Doing a peer verify
frontend cyrus/lmtp[19537]: Doing a peer verify
frontend cyrus/lmtp[19537]: Doing a peer verify
frontend cyrus/lmtp[19537]: SSL_accept() incomplete -> wait
frontend cyrus/lmtp[19537]: SSL_accept() succeeded -> done
frontend cyrus/lmtp[19537]: received client certificate
frontend cyrus/lmtp[19537]: subject=***********************************************
frontend cyrus/lmtp[19537]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) authenticated as *.domain
frontend cyrus/lmtp[19541]: received server certificate
frontend cyrus/lmtp[19541]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new client) no authentication
frontend cyrus/lmtp[19537]: command: LHLO lmtpproxyd
frontend cyrus/lmtp[19537]: TLS is available.
frontend cyrus/lmtp[19541]: couldn't authenticate to backend server: no mechanism available
frontend cyrus/lmtp[19537]: command: QUIT
frontend cyrus/lmtp[19541]: command: QUIT


### saslauthd -d -a pam  >> cyrus is lmtpuser from mta, murder is lmtpuser for the backend,
### lmtp connection to the backend doesn't go to saslauthd
saslauthd[19525] :rel_accept_lock : released accept lock
saslauthd[19527] :get_accept_lock : acquired accept lock
saslauthd[19525] :do_auth         : auth success: [user=cyrus] [service=lmtp] [realm=] [mech=pam]
saslauthd[19525] :do_request      : response: OK


### /var/log/messages
frontend cyrus/lmtp[19563]: No worthy mechs found
frontend cyrus/lmtp[19563]: No worthy mechs found

### /var/log/maillog -> mta postfix
mta postfix/smtpd[7678]: connect from client_test
mta postfix/smtpd[7678]: DCAEF10392E5: client=client_test
mta postfix/cleanup[7682]: DCAEF10392E5: message-id=<>
mta postfix/qmgr[2161]: DCAEF10392E5: from=<mail.domain>, size=576, nrcpt=1 (queue active)
mta postfix/smtpd[7678]: disconnect from client_test
mta postfix/lmtp[7683]: Untrusted TLS connection established to frontend:24: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
mta postfix/lmtp[7683]: DCAEF10392E5: to=<mail.domain>, relay=frontend:24, delay=0.1, delays=0.01/0/0.07/0.02, dsn=4.4.3, status=deferred (host frontend said: 451 4.4.3 Remote server unavailable (in reply to end of DATA command))


### /etc/imapd.conf -> frontend
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
mupdate_server: cyrus-murder.univ-brest.fr
mupdate_username: murder
mupdate_authname: murder
mupdate_password: password
backend_password: password
proxy_authname: murder


### /etc/cyrus.conf -> frontend
START {
  recover       cmd="ctl_cyrusdb -r"
}
SERVICES {
  # add or remove based on preferences
  mupdate       cmd="mupdate" listen=3905 prefork=1
  imap          cmd="imapd" listen="imap" prefork=5
  imaps         cmd="imapd -s" listen="imaps" prefork=1
  pop3          cmd="pop3d" listen="pop3" prefork=3
  pop3s         cmd="pop3d -s" listen="pop3s" prefork=1
  sieve         cmd="timsieved" listen="sieve" prefork=0
  nntp          cmd="nntpd" listen="nntp" prefork=3
  lmtp          cmd="lmtpd" listen="lmtp" prefork=0
}
EVENTS {
  checkpoint    cmd="ctl_cyrusdb -c" period=30
  delprune      cmd="cyr_expire -E 3" at=0400
  tlsprune      cmd="tls_prune" at=0400
}
DAEMON {
  idled         cmd="idled"
}

### /etc/sysconfig/saslauthd
SOCKETDIR=/run/saslauthd
MECH=pam

### lmtptest frontend -> backend
(frontend)# lmtptest -t "" -a murder backend
S: 220 backend.domain Cyrus LMTP 3.0.8-7.el7.centos Fedora server ready
C: LHLO lmtptest
S: 250-backend.domain
S: 250-8BITMIME
S: 250-ENHANCEDSTATUSCODES
S: 250-PIPELINING
S: 250-SIZE
S: 250-STARTTLS
S: 250-AUTH PLAIN
S: 250-IGNOREQUOTA
S: 250 Ok SESSIONID=<cyrus-28058-1551952740-1-7710567405059874995>
C: STARTTLS
S: 220 Begin TLS negotiation now
verify error:num=19:self signed certificate in certificate chain
TLS connection established: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
C: LHLO lmtptest
S: 250-backend.domain
S: 250-8BITMIME
S: 250-ENHANCEDSTATUSCODES
S: 250-PIPELINING
S: 250-SIZE
S: 250-AUTH PLAIN
S: 250-IGNOREQUOTA
S: 250 Ok SESSIONID=<cyrus-28058-1551952740-2-5714180577914972405>
Please enter your password:
C: AUTH PLAIN ***************************************
S: 235 Authenticated!
Authenticated.
Security strength factor: 256


It seems I miss something in imapd.conf to tell LMTP to use sasl plain but I didn't find the way.
Any help would be greatly appreciated.

Thanks


Ismaël TANGUY
Université de Bretagne Occidentale
Brest - France

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus



--------------------------------------------------------------------------------
M.Menge                                Tel.: (49) 7071/29-70316
Universität Tübingen                   Fax.: (49) 7071/29-5912
Zentrum für Datenverarbeitung          mail: michael.menge@xxxxxxxxxxxxxxxxxxxx
Wächterstraße 76
72074 Tübingen

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus

[Index of Archives]     [Cyrus SASL]     [Squirrel Mail]     [Asterisk PBX]     [Video For Linux]     [Photo]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux