2.2.13 authentication problems?

Wesley Craig wes at umich.edu
Fri Aug 15 15:24:52 EDT 2008


On 15 Aug 2008, at 14:07, Michael Loftis wrote:
> Our 2.2.13 frontends seem to have some...weird authentication  
> problems with our (one remaining) 2.1 backend.  After some
> indeterminate amount of time or transactions they can no longer
> authenticate to the backends, but ONLY the imap proxyd's.  The
> error sent to the client is Server(s) unavailable, and the frontend
> logs couldn't authenticate to backend server: bad protocol / cancel
> -- the backend doesn't appear to see any auth attempt, just a
> STARTTLS ... after that I can't follow since it's TLS.

There are tools that will decrypt the session.  See wireshark,  
ettercap, etc.  Without doing an exhaustive search, I expect most do.

> Please note everything was working until we brought other 2.2  
> backends into production, so I'm thinking some bug wherein the  
> frontends are not resetting the SASL state or something, and after  
> communicating with a 2.2 backend, have trouble (somehow??)  
> communicating with our 2.1 backend.

That's a good guess.  I've recently found a place in the 2.3 code  
where the protocol structure for IMAP was being edited during  
connection establishment.  Since my proxyd was communicating with  
several different backend versions, the (incorrect) change to the  
IMAP protocol description was causing a core dump.

> As a complete side note let me reregister an old gripe of mine --  
> the TLS/SSL/etc requirement with PLAIN is still one of the most  
> silly things.

"allowplaintext: yes" doesn't work for you?  I never ran 2.1, and  
haven't run 2.2 in years, so maybe that option is newer....

:wes


More information about the Cyrus-devel mailing list