Cyrus Imap plaintext authentication with saslauth & PAM

Kővári János bsh at freemail.hu
Fri Apr 24 04:14:51 EDT 2009


Simon Matter wrote:
>> Hello everyone!
>>
>> I'm new to this mailing list, actually, this is the first mailing list
>> I've ever subscribed to. :) So greetings to all from Hungary! (And excuse
>> my really bad English, please)
>>
>
> Hi,
>
> allow me to give you two suggestions first:
>
> 1) Please configure your mailer to send mail in clear text, not html.
> Otherwise configure it to send both, text and html. Html only mails may
> have problems for some users to get read and some people are annoyed by
> html mails.
>
> 2)
> Always use the "reply" or "reply all" function of your mailer when
> replying to the list - and don't change the Subject of the mail. That way
> people can follow the thread of the discussion.
>
>   
Thanks, will do!
>>
>> I'm not sure if I can ask for help here, but I didn't find any answer
>> elsewhere, so trying this out.
>>
>> I have a postfix relay server and a (local) cyrus imap server on the
>> same machine. Everything was fine until I thought, I change the imap
>> authentication from sasldb to saslauth, to have global authentication
>> on postfix and cyrus.
>> Postfix uses saslauthd, which is configured for PAM. It works
>> perfectly, with plain/login/cram/digest mechanisms, with or without
>> tls/ssl, absolutely no problems with it. Saslauth tests are all fine
>> obviously.
>> So I decided to use this with cyrus imap too. Set it to use the same
>> saslauth daemon, and plain, login, cram-md5 and digest-md5 mechs.
>> Since then, I can not login with plain or login mechs, because they
>> aren't being offered at all by cyrus imapd. I can login with cram or
>> digest fine.
>> I understand that plain login isn't offered by default, only after a
>> successful tls session setup, but if I understand correctly, the
>> "allowplaintext: yes" option should still force imapd to offer plain
>> logins. But it doesn't. I tried it with different sasl_min|max_levels,
>> to no avail.
>>
>
> "allowplaintext: 1" should indeed enable plain. At least that works well
> for me. I expect you are using the packages from a distribution, maybe
> they have added some kind of "security" patches to make things more safe?
> Could you try with the following line in your cyrus config:
>
> sasl_mech_list: PLAIN
>
> Regards,
> Simon
>
>   
yes, the server is running ubuntu 7.04 i386, 2.6.20-17-generic, and 
postfix and cyrus are installed via the ubuntu repositories.

ok, first, this is what I get with sasl_mech_list=plain login cram-md5 
digest-md5:

imtest localhost
S: * OK some-server Cyrus IMAP4 v2.2.13-Debian-2.2.13-10ubuntu2 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS 
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND 
BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE 
STARTTLS AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR
S: C01 OK Completed
C: A01 AUTHENTICATE DIGEST-MD5
S: + bm9uY2U9IjNpZnh<snip>09bWQ1LXNlc3M=
Please enter your password:
C: dXNlcm5hbWU9<snip>ZDg5YzA0ZGYDE0YmI5YjQ=
S: + cnNwYXV0aD<snip>RjYmQ5N2JjOA==
C:
S: A01 OK Success (privacy protection)
Authenticated.
Security strength factor: 128
. logout
* BYE LOGOUT received
. OK Completed
Connection closed.

syslog says:

Apr 24 09:56:27 localhost cyrus/imap[7030]: login: localhost [127.0.0.1] user DIGEST-MD5 User logged in



and this is with only PLAIN mech:

imtest localhost
S: * OK piller-server Cyrus IMAP4 v2.2.13-Debian-2.2.13-10ubuntu2 server 
ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS 
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND 
BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE 
STARTTLS
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN user {7}
S: + go ahead
C: <omitted>
S: L01 NO Login failed: generic failure
Authentication failed. generic failure
Security strength factor: 0
C: Q01 LOGOUT
Connection closed.

Apr 24 10:02:25 localhost cyrus/imap[7147]: badlogin: localhost [127.0.0.1] plaintext user SASL(-1): generic failure: checkpass failed
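
Added example, not part of the original message: a small Python parser for the two kinds of output shown above. It reads a CAPABILITY line to see which SASL mechanisms are advertised and whether LOGIN is refused via LOGINDISABLED, and it reads the cyrus login/badlogin syslog lines to see which mechanism each attempt used. The field order in the syslog lines is inferred from the two lines in this thread and is an assumption for other Cyrus versions.

```python
import re

# Inputs copied from the transcripts in this thread (wrapped lines joined).
CAP_ALL = ("* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS "
           "NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND "
           "BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE "
           "STARTTLS AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR")
CAP_PLAIN = CAP_ALL.split(" AUTH=")[0]  # second run: the list ends at STARTTLS
LOG_LINES = [
    "Apr 24 09:56:27 localhost cyrus/imap[7030]: login: localhost [127.0.0.1] "
    "user DIGEST-MD5 User logged in",
    "Apr 24 10:02:25 localhost cyrus/imap[7147]: badlogin: localhost [127.0.0.1] "
    "plaintext user SASL(-1): generic failure: checkpass failed",
]

def parse_capability(line):
    """Return SASL mechanisms and login-related flags from a CAPABILITY line."""
    caps = [t.upper() for t in line.split()]
    if "CAPABILITY" not in caps:
        raise ValueError("not a CAPABILITY response")
    caps = caps[caps.index("CAPABILITY") + 1:]
    mechs = [c[5:] for c in caps if c.startswith("AUTH=")]
    return {"mechs": mechs, "starttls": "STARTTLS" in caps,
            # RFC 3501: without LOGINDISABLED the LOGIN command is permitted
            "login_allowed": "LOGINDISABLED" not in caps}

AUTH_RE = re.compile(
    r"cyrus/(?P<service>\w+)\[(?P<pid>\d+)\]: (?P<event>login|badlogin): "
    r"(?P<host>\S+) \[(?P<ip>[^\]]+)\] (?P<rest>.*)$")

def parse_auth_line(line):
    """Parse a cyrus login/badlogin syslog line; None if it is something else."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    a, b, detail = (rec.pop("rest").split(" ", 2) + ["", ""])[:3]
    # login: "<user> <mech> <msg>"; badlogin: "<mech> <user> <msg>" (assumed order)
    rec["user"], rec["mech"] = (a, b) if rec["event"] == "login" else (b, a)
    rec["detail"] = detail
    rec["success"] = rec["event"] == "login"
    return rec

if __name__ == "__main__":
    for cap in (CAP_ALL, CAP_PLAIN):
        print(parse_capability(cap))
    for line in LOG_LINES:
        print(parse_auth_line(line))
```

For the PLAIN-only run this reports no AUTH= mechanism and no LOGINDISABLED, which is why imtest sent a LOGIN command; the badlogin line then shows the attempt reached the password check and failed there.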



