SASL auth failing in 2 of 6 imtest cases. why?

OpenMacNews openmacnews at speakeasy.net
Fri Oct 7 16:38:26 EDT 2005


hi all,

i'm having a problem with SASL AUTH, using cyrus-imap's "imtest".


in summary, i've created two users in sasldb2.

testing imtest connection to each, imtest AUTH fails in 2 of 6 cases:

  (1) OK:      from LOCALHOST box on LOCALHOST svr intfc, as user1
  (2) OK:      from LOCALHOST box on LOCALHOST svr intfc, as user2
  (3) OK:      from LOCALHOST box on LOCALHOST svr intfc, proxy user2 w/ user1 AUTH creds
  (4) FAIL:    from EXTERNAL  box on EXTERNAL  svr intfc, as user1
  (5) OK:      from EXTERNAL  box on EXTERNAL  svr intfc, as user2
  (6) FAIL:    from EXTERNAL  box on EXTERNAL  svr intfc, proxy user2 w/ user1 AUTH creds

the simple question is, why do (4) & (6) FAIL?

thx for any help!

richard

details follow HERE:
========================================


my install is:

    name       : Cyrus IMAPD
    version    : v2.2.12 2005/02/14 16:43:51
    vendor     : Project Cyrus
    support-url: http://asg.web.cmu.edu/cyrus
    os         : Darwin
    os-version : 8.2.0
    environment: Built w/Cyrus SASL 2.1.22
         Running w/Cyrus SASL 2.1.22
         Built w/Sleepycat Software: Berkeley DB 4.3.28: (July 20, 2005)
         Running w/Sleepycat Software: Berkeley DB 4.3.28: (July 20, 2005)
         Built w/OpenSSL 0.9.7g 11 Apr 2005
         Running w/OpenSSL 0.9.7g 11 Apr 2005
         CMU Sieve 2.2
         mmap = shared
         lock = fcntl
         nonblock = fcntl
         auth = unix
         idle = idled

on

    Darwin devbox 8.2.0 Darwin Kernel Version 8.2.0: Fri Jun 24 17:46:54 PDT 2005; root:xnu-792.2.4.obj~3/RELEASE_PPC Power Macintosh powerpc

and, my imapd.conf includes:

    admins:                 my.admin
    sasl_minimum_layer:     0
    allowplaintext:         no
    sasl_mech_list:         PLAIN
    virtdomains:            on
    defaultdomain:          mail.testdomain.com
    servername:             mail.testdomain.com
    loginrealms:            localhost mail.testdomain.com

first, i construct my userDB:

    rm USERS/sasldb2

    # create user(1) in top level, for realm = mail.testdomain.com
        saslpasswd2 -f USERS/sasldb2 -c -u mail.testdomain.com my.admin

    # create user(2) in virtual domain, for realm = mail.testdomain.com
        saslpasswd2 -f USERS/sasldb2 -c -u mail.testdomain.com my.user@testdomain.com

    # verify existence of users
        sasldblistusers2 -f USERS/sasldb2
            my.admin@mail.testdomain.com: userPassword
            my.user@testdomain.com: userPassword


next i check each user's login with imtest:


(1) SUCCEED

from LOCALHOST box on LOCALHOST intfc, as user(1)

   imtest -v \
   -t "CERTS/mail.testdomain.com.CYRUSkey.rsa.pem" \
   -p imap \
   -m plain \
   -a my.admin@mail.testdomain.com \
   -u my.admin@mail.testdomain.com \
   -r mail.testdomain.com \
   localhost

log:     -->
login: localhost [127.0.0.1] my.admin@mail.testdomain.com PLAIN+TLS User logged in

console: -->
S: A01 OK Success (tls protection)
Authenticated.

is OK.


(2) SUCCEED

from LOCALHOST box on LOCALHOST intfc, as user(2)

   imtest -v \
   -t "CERTS/mail.testdomain.com.CYRUSkey.rsa.pem" \
   -p imap \
   -m plain \
   -a my.user@testdomain.com \
   -u my.user@testdomain.com \
   -r mail.testdomain.com \
   localhost


log:     -->
login: localhost [127.0.0.1] my.user@testdomain.com PLAIN+TLS User logged in

console: -->
S: A01 OK Success (tls protection)
Authenticated.

is OK.


(3) SUCCEED

from LOCALHOST box on LOCALHOST intfc, proxy as user(2) w/ user(1) AUTH creds

   imtest -v \
   -t "CERTS/mail.testdomain.com.CYRUSkey.rsa.pem" \
   -p imap \
   -m plain \
   -a my.admin@mail.testdomain.com \
   -u my.user@testdomain.com \
   -r mail.testdomain.com \
   localhost


log:     -->
login: localhost [127.0.0.1] my.user@testdomain.com PLAIN+TLS User logged in

console: -->
S: A01 OK Success (tls protection)
Authenticated.

(4) FAIL

from EXTERNAL box on EXTERNAL intfc, as user(1)

   imtest -v \
   -t "CERTS/mail.testdomain.com.CYRUSkey.rsa.pem" \
   -p imap \
   -m plain \
   -a my.admin@mail.testdomain.com \
   -u my.admin@mail.testdomain.com \
   -r mail.testdomain.com \
   mail.testdomain.com

log:     -->
badlogin: pb1.testdomain.com [10.0.0.6] PLAIN [SASL(-13): user not found: Password verification failed]

console: -->
S: A01 NO user not found
Authentication failed. generic failure

(5) SUCCEED

from EXTERNAL box on EXTERNAL intfc, as user(2)

   imtest -v \
   -t "CERTS/mail.testdomain.com.CYRUSkey.rsa.pem" \
   -p imap \
   -m plain \
   -a my.user@testdomain.com \
   -u my.user@testdomain.com \
   -r mail.testdomain.com \
   mail.testdomain.com

log:     -->
login: pb1.testdomain.com [10.0.0.6] my.user@testdomain.com PLAIN+TLS User logged in

console: -->
S: A01 OK Success (tls protection)
Authenticated.


(6) FAIL

from EXTERNAL box on EXTERNAL intfc, proxy user(2) w/ user(1) AUTH creds

   imtest -v \
   -t "CERTS/mail.testdomain.com.CYRUSkey.rsa.pem" \
   -p imap \
   -m plain \
   -a my.admin@mail.testdomain.com \
   -u my.user@testdomain.com \
   -r mail.testdomain.com \
   mail.testdomain.com

log:     -->
badlogin: tiedgar.presence-group.net [172.30.11.6] PLAIN [SASL(-13): user not found: Password verification failed]

console: -->
S: A01 NO user not found
Authentication failed. generic failure

