2.2.13 authentication problems?
wes at umich.edu
Fri Aug 15 15:24:52 EDT 2008
On 15 Aug 2008, at 14:07, Michael Loftis wrote:
> Our 2.2.13 frontends seem to have some...weird authentication
> problems with our (one remaining) 2.1 backend. after some
> indeterminate amount of time or transactions they can no longer
> authenticate to the backends, but ONLY the imap proxyd's. The
> error sent tot he client is Server(s) unavailable, and the frontend
> logs couldn't authenticate to backend server: bad protocol / cancel
> -- the backend doesn't appear to see any auth attempt, jsut a
> STARTTLS ... after that I can't follow since it's TLS.
There are tools that will decrypt the session. See wireshark,
ettercap, etc. Without doing an exhaustive search, I expect most do.
> Please note everything was working until we brought other 2.2
> backends into production, so I'm thinking some bug wherein the
> frontends are not resetting the SASL state or something, and after
> communicating with a 2.2 backend, have trouble (somehow??)
> communicating with our 2.1 backend.
That's a good guess. I've recently found a place in the 2.3 code
where the protocol structure for IMAP was being edited during
connection establishment. Since my proxyd was communicating with
several different backend versions, the (incorrect) change to the
IMAP protocol description was causing a core dump.
> As a complete side note let me reregister an old gripe of mine --
> the TLS/SSL/etc requirement with PLAIN is still one of the most
> silly things.
"allowplaintext: yes" doesn't work for you? I never ran 2.1, and
haven't run 2.2 in years, so maybe that option is newer....
More information about the Cyrus-devel