PLAIN authentication in Cyrus IMAPd
Torsten Schlabach
TSchlabach at gmx.net
Tue Dec 22 10:20:27 EST 2009
Hi Ken!
> What works? SASL PLAIN, or IMAP LOGIN command?
You got me ... I think I was not aware of the difference between the LOGIN and AUTHENTICATE IMAP commands. I'll do my RFC reading. In the meantime, here is what works:
# imtest -a murder -u murder 192.168.6.11
S: * OK v611 Cyrus IMAP4 v2.2.13-Debian-2.2.13-14+b3 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE MUPDATE=mupdate://192.168.9.10/
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN murder {6}
S: + go ahead
C: <omitted>
S: L01 OK User logged in
Authenticated.
Security strength factor: 0
Obviously this is the LOGIN command. You're right!
I need to say, I was of the possibly wrong impression that LOGIN is a SASL mechanism as well, next to PLAIN, partially because of this here:
/usr/lib/sasl2/liblogin.so
Now trying to force SASL PLAIN:
# imtest -a murder -u murder -m PLAIN 192.168.6.11
S: * OK v611 Cyrus IMAP4 v2.2.13-Debian-2.2.13-14+b3 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE MUPDATE=mupdate://192.168.9.10/ AUTH=CRAM-MD5 AUTH=DIGEST-MD5 SASL-IR
S: C01 OK Completed
Please enter your password:
C: A01 AUTHENTICATE PLAIN bXVyZGVyAG11cmRlcgBNdXJkZXI=
S: A01 NO encryption needed to use mechanism
Authentication failed. generic failure
Security strength factor: 0
So I guess the mechanism isn't advertised despite the plugin being there because I am not using an encrypted connection.
So what would I do to make the "encryption needed to use mechanism" go away? Obviously AUTHENTICATE does care while LOGIN doesn't?
The line
sasl_minimum_layer: 0
doesn't do the trick!
Bonus question: Can I tell a Murder backend what mechanism to use to make a connection to a different backend, for example when attempting a mailbox move?
Regards,
Torsten
-------- Original Message --------
> Date: Tue, 22 Dec 2009 09:21:13 -0500
> From: Ken Murchison <murch at andrew.cmu.edu>
> To: Torsten Schlabach <TSchlabach at gmx.net>
> CC: cyrus-devel at lists.andrew.cmu.edu
> Subject: Re: PLAIN authentication in Cyrus IMAPd
>
>
> Torsten Schlabach wrote:
> > Hi Ken, Hi David!
> >
> >> I think you have to set "allowplaintext: 1" in your imapd.conf
> >
> > My apologies; I had that, I just forgot to mention.
> >
> > Also making some more experiments, I found that my problem is *not* that
> > PLAIN is not enabled. The problem seems to be that it's not announced in
> > the CAPABILITY. It actually does work, even when it's not announced.
>
> What works? SASL PLAIN, or IMAP LOGIN command? I find it hard to
> believe that PLAIN would work if not advertised.
>
> Is the SASL PLAIN plugin installed?
>
> --
> Kenneth Murchison
> Systems Programmer
> Carnegie Mellon University
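
Added example (not part of the original messages, and not Cyrus or imtest code): the argument of AUTHENTICATE PLAIN in a transcript like the one above is only base64 of authzid NUL authcid NUL password (RFC 4616), so it should be scrubbed before a session log is shared. The Python sketch below does that for the initial-response form; the function names and the sample session are constructed for illustration.

```python
import base64
import re

# Client line carrying a SASL PLAIN initial response (SASL-IR form).
AUTH_PLAIN = re.compile(r"^(C: \S+ AUTHENTICATE PLAIN )(\S+)\s*$")


def decode_plain(b64):
    """Split an RFC 4616 PLAIN message: authzid NUL authcid NUL passwd."""
    raw = base64.b64decode(b64, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("not a SASL PLAIN message")
    return tuple(p.decode("utf-8") for p in parts)


def redact_transcript(text):
    """Return (scrubbed_text, findings) for an imtest-style transcript."""
    scrubbed, findings = [], []
    for line in text.splitlines():
        m = AUTH_PLAIN.match(line)
        if m:
            try:
                authzid, authcid, passwd = decode_plain(m.group(2))
                findings.append({"authzid": authzid, "authcid": authcid,
                                 "password_length": len(passwd)})
            except ValueError:  # bad base64, bad UTF-8 or wrong field count
                findings.append({"undecodable": True})
            line = m.group(1) + "<omitted>"  # marker the LOGIN transcript shows
        scrubbed.append(line)
    return "\n".join(scrubbed), findings


# Constructed sample: user "alice", made-up password, empty authzid.
SAMPLE_B64 = base64.b64encode(b"\x00alice\x00constructed-pw").decode("ascii")
SAMPLE_SESSION = "\n".join([
    "S: * OK example server ready",
    "C: A01 AUTHENTICATE PLAIN " + SAMPLE_B64,
    "S: A01 NO encryption needed to use mechanism",
])

if __name__ == "__main__":
    clean, found = redact_transcript(SAMPLE_SESSION)
    print(clean)
    print(found)
```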