Cyrus Imap plaintext authentication with saslauth & PAM

Simon Matter simon.matter at invoca.ch
Fri Apr 24 03:42:37 EDT 2009 

> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
> <html>
> <head>
> </head>
> <body bgcolor="#ffffff" text="#000000">
> <font size="-1"><font face="Arial">Hello everyone!<br>
> <br>
> I'm new to this mailing list, actually, this is the first mailing list
> I've ever subscribed. :) So greetings to all from Hungary! (And excuse
> my really bad english, please)<br>

Hi,

allow me to give you two suggestions first:

1) Please configure your mailer to send mail in clear text, not html.
Otherwise configure it to send woth, text and html. Html only mails may
have problems for some users to get read and some people are annoyed by
html mails.

2)
Always use the "reply" or "reply all" function of your mailer when
replying to the list - and don't change the Subject of the mail. That way
people can follow the thread of the discussion.

> <br>
> I'm not sure if I can ask for help here, but I didn't find any answer
> elsewhere, so trying this out.<br>
> <br>
> I have a postfix relay server and a (local) cyrus imap server on the
> same machine. Everything was fine until I thought, I change the imap
> authentication from sasldb to saslauth, to have global authentication
> on postfix and cyrus.<br>
> Postfix uses saslauthd, which is configured for PAM. It works
> perfectly, with plain/login/cram/digest mechanisms, with or without
> tls/ssl, absolutely no problems with it. Saslauth tests are all fine
> obviously.<br>
> So I decided to use this with cyrus imap too. Set it to use the same
> saslauth daemon, and plain, login, cram-md5 and digest-md5 mechs.<br>
> Since then, I can not login with plain or login mechs, because they
> aren't being offered at all by cyrus imapd. I can login with cram or
> digest fine.<br>
> I understand that plain login isn't offered by default, only after a
> successfull tls session setup, but if I understand correctly, the
> "allowplaintext: yes" option should still force imapd to offer plain
> logins. But it doesn't. I tried it with different sasl_min|max_levels,
> to no avail.<br>

"allowplaintext: 1" should indeed enable plain. At least that works well
for me. I expect you are using the packages from a distribution, maybe
they have added some kind of "security" patches to make things more safe?
Could you try with the following line in your cyrus config:

sasl_mech_list: PLAIN

Regards,
Simon

More information about the Info-cyrus mailing list