2.2.13 authentication problems?
Michael Loftis
mloftis at wgops.com
Fri Aug 15 15:54:50 EDT 2008
--On August 15, 2008 3:24:52 PM -0400 Wesley Craig <wes at umich.edu> wrote:
> On 15 Aug 2008, at 14:07, Michael Loftis wrote:
>> Our 2.2.13 frontends seem to have some...weird authentication
>> problems with our (one remaining) 2.1 backend. after some
>> indeterminate amount of time or transactions they can no longer
>> authenticate to the backends, but ONLY the imap proxyd's. The
>> error sent to the client is Server(s) unavailable, and the frontend
>> logs couldn't authenticate to backend server: bad protocol / cancel
>> -- the backend doesn't appear to see any auth attempt, just a
>> STARTTLS ... after that I can't follow since it's TLS.
>
> There are tools that will decrypt the session. See wireshark, ettercap,
> etc. Without doing an exhaustive search, I expect most do.
>
>> Please note everything was working until we brought other 2.2
>> backends into production, so I'm thinking some bug wherein the
>> frontends are not resetting the SASL state or something, and after
>> communicating with a 2.2 backend, have trouble (somehow??)
>> communicating with our 2.1 backend.
>
> That's a good guess. I've recently found a place in the 2.3 code where
> the protocol structure for IMAP was being edited during connection
> establishment. Since my proxyd was communicating with several different
> backend versions, the (incorrect) change to the IMAP protocol description
> was causing a core dump.

Can you point me to any code lines so maybe I can start looking? Might be
it's just not causing a core dump in my version but it's still causing auth
issues "somehow".

>> As a complete side note let me reregister an old gripe of mine --
>> the TLS/SSL/etc requirement with PLAIN is still one of the most
>> silly things.
>
> "allowplaintext: yes" doesn't work for you? I never ran 2.1, and haven't
> run 2.2 in years, so maybe that option is newer....

Nope, never did as far as I know. It'll allow PLAIN but *ONLY* in
conjunction with TLS or SSL. Otherwise it won't present the mechanism and
will refuse it if tried. It *WILL* work with IMAP LOGIN or POP3 USER+PASS
commands w/o TLS/SSL though. W/o that PLAIN won't be accepted at all.
At least this is the behavior I've observed in 2.2 and 2.1.
>
> :wes
--
"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler