2.2.13 authentication problems?

Michael Loftis mloftis at wgops.com
Fri Aug 15 15:54:50 EDT 2008

--On August 15, 2008 3:24:52 PM -0400 Wesley Craig <wes at umich.edu> wrote:

> On 15 Aug 2008, at 14:07, Michael Loftis wrote:
>> Our 2.2.13 frontends seem to have some...weird authentication
>> problems with our (one remaining) 2.1 backend.  after some
>> indeterminate amount of time or transactions they can no longer
>> authenticate to the backends, but ONLY the imap proxyd's.  The
>> error sent tot he client is Server(s) unavailable, and the frontend
>> logs couldn't authenticate to backend server: bad protocol / cancel
>> -- the backend doesn't appear to see any auth attempt, jsut a
>> STARTTLS ... after that I can't follow since it's TLS.
> There are tools that will decrypt the session.  See wireshark, ettercap,
> etc.  Without doing an exhaustive search, I expect most do.
>> Please note everything was working until we brought other 2.2
>> backends into production, so I'm thinking some bug wherein the
>> frontends are not resetting the SASL state or something, and after
>> communicating with a 2.2 backend, have trouble (somehow??)
>> communicating with our 2.1 backend.
> That's a good guess.  I've recently found a place in the 2.3 code where
> the protocol structure for IMAP was being edited during connection
> establishment.  Since my proxyd was communicating with several different
> backend versions, the (incorrect) change to the IMAP protocol description
> was causing a core dump.

Can you point me to any code lines so maybe I can start looking?  Might be 
it's just not causing a core dump in my version but it's still causing auth 
issues "somehow".

>> As a complete side note let me reregister an old gripe of mine --
>> the TLS/SSL/etc requirement with PLAIN is still one of the most
>> silly things.
> "allowplaintext: yes" doesn't work for you?  I never ran 2.1, and haven't
> run 2.2 in years, so maybe that option is newer....

Nope, never did as far as I know.  It'll allow PLAIN but *ONLY* in 
conjunction with TLS or SSL.  Otherwise it won't present the mechanism and 
will refuse it if tried.  It *WILL* work with IMAP LOGIN or POP3 USER+PASS 
commands w/o TLS/SSL though.  W/o that PLAIN won't be accepted at all. 
Atleast this is the behavior I've observed in 2.2 and 2.1.

> :wes

"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler

More information about the Cyrus-devel mailing list