Simplest way to get imap authentication with sasldb working?

Raimund Eimann raimund at busy-byte.de
Mon Oct 19 16:51:22 EDT 2009


Hi Dan,

many thanks for your hints. I've found a tool called pluginviewer that
comes with the sasl package which creates this output:


# /usr/sbin/pluginviewer
Installed SASL (server side) mechanisms are:
GSSAPI PLAIN ANONYMOUS LOGIN CRAM-MD5 DIGEST-MD5 EXTERNAL
List of server plugins follows
Plugin "gssapiv2" [loaded],     API version: 4
        SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "plain" [loaded],        API version: 4
        SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "anonymous" [loaded],    API version: 4
        SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
        security flags: NO_PLAINTEXT
        features: WANT_CLIENT_FIRST
Plugin "login" [loaded],        API version: 4
        SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS
        features:
Plugin "crammd5" [loaded],      API version: 4
        SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: SERVER_FIRST
Plugin "digestmd5" [loaded],    API version: 4
        SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION
Installed auxprop mechanisms are:
sasldb
List of auxprop plugins follows
Plugin "sasldb" ,       API version: 4
        supports store: yes

Installed SASL (client side) mechanisms are:
GSSAPI PLAIN ANONYMOUS LOGIN CRAM-MD5 DIGEST-MD5 EXTERNAL
List of client plugins follows
Plugin "gssapiv2" [loaded],     API version: 4
        SASL mechanism: GSSAPI, best SSF: 56
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|NEED_SERVER_FQDN
Plugin "plain" [loaded],        API version: 4
        SASL mechanism: PLAIN, best SSF: 0
        security flags: NO_ANONYMOUS
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "anonymous" [loaded],    API version: 4
        SASL mechanism: ANONYMOUS, best SSF: 0
        security flags: NO_PLAINTEXT
        features: WANT_CLIENT_FIRST
Plugin "login" [loaded],        API version: 4
        SASL mechanism: LOGIN, best SSF: 0
        security flags: NO_ANONYMOUS
        features: SERVER_FIRST
Plugin "crammd5" [loaded],      API version: 4
        SASL mechanism: CRAM-MD5, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: SERVER_FIRST
Plugin "digestmd5" [loaded],    API version: 4
        SASL mechanism: DIGEST-MD5, best SSF: 128
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION|NEED_SERVER_FQDN
Plugin "EXTERNAL" [loaded],     API version: 4
        SASL mechanism: EXTERNAL, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_DICTIONARY
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION

This is what I have in my imapd.conf:

#sasl_pwcheck_method: saslauthd
sasl_pwcheck_method: auxprop
sasl_mech_list: PLAIN LOGIN

As the first line is commented out, I guess all sasl_pwcheck_methods will
be used as you described in your e-mail.



> sasl_pwcheck_method only applies to the simple password based login
> methods:
>
> PLAIN
> LOGIN
> the Login command (rfc 3501, section 6.2.3)
>
> However, if you are using one of those methods to authenticate, be aware
> that cyrus imapd may not allow any login using the methods (without
> SSL/TLS or other encryption) if the 'allowplaintext' option (which is
> disabled by default) is not enabled.

Ok, that was missing in my imapd.conf. I've put it in now...

However, things still don't seem to work:

raimund@callisto # /etc/init.d/cyrus restart
Shutting down IMAP/POP3 service (cyrus-imapd)            done
Starting IMAP/POP3 service (cyrus-imapd)                 done

^-Looks ok...

raimund@callisto # netstat -lntp |grep 143
tcp     0   0 0.0.0.0:143    0.0.0.0:*   LISTEN   13298/master

^-Also looks ok...

raimund@callisto # rm /etc/sasldb2
raimund@callisto # saslpasswd2 raimund
Password:
Again (for verification):
raimund@callisto # sasldblistusers2
raimund@callisto: userPassword

^-Looks ok... (?)

raimund@callisto # chown cyrus /etc/sasldb2
raimund@callisto # imtest -u raimund callisto
S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN
AUTH=LOGIN SASL-IR] callisto Cyrus IMAP4 v2.3.11 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN AUTH=LOGIN
SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS
NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ
THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE
IDLE X-NETSCAPE URLAUTH
S: C01 OK Completed
Please enter your password:
C: A01 AUTHENTICATE PLAIN cmFpbXVuZEBjYWxsaXN0bwByb290AGJi
S: A01 NO authentication failure
Authentication failed. generic failure
Security strength factor: 0
^CC: Q01 LOGOUT
Connection closed.

^- Fail...


Even with -m login it's not working:

# imtest -u raimund -m login callisto
S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN
AUTH=LOGIN SASL-IR] callisto Cyrus IMAP4 v2.3.11 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN AUTH=LOGIN
SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS
NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ
THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE
IDLE X-NETSCAPE URLAUTH
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN root {2}
S: + go ahead
C: <omitted>
S: L01 NO Login failed: authentication failure
Authentication failed. generic failure
Security strength factor: 0
^CC: Q01 LOGOUT
Connection closed.


Can you give me another hint about what's going wrong here?

Cheers,
Raimund
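
Added example, not part of the original message: the base64 argument of the AUTHENTICATE PLAIN line in the transcript above is only an encoding, so decoding it shows which identities the client actually sent, and these can be compared with the sasldblistusers2 output. The function names decode_plain, sasldb_users and authcid_in_sasldb are hypothetical; the password is reduced to its length rather than printed.

```python
import base64

# Both values are copied from the transcript in the post above.
CAPTURED = "C: A01 AUTHENTICATE PLAIN cmFpbXVuZEBjYWxsaXN0bwByb290AGJi"
# List archives may render "@" as " at "; both spellings are accepted below.
SASLDB_LISTING = "raimund@callisto: userPassword"


def decode_plain(line):
    """Decode an IMAP 'AUTHENTICATE PLAIN <base64>' line (SASL-IR form).

    RFC 4616 message layout: [authzid] NUL authcid NUL passwd.
    The password itself is never returned, only its length.
    """
    tokens = line.split()
    upper = [t.upper() for t in tokens]
    if "AUTHENTICATE" not in upper:
        raise ValueError("not an AUTHENTICATE command")
    i = upper.index("AUTHENTICATE")
    if upper[i + 1:i + 2] != ["PLAIN"] or len(tokens) < i + 3:
        raise ValueError("no PLAIN initial response on this line")
    raw = base64.b64decode(tokens[i + 2], validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3 or not parts[1]:
        raise ValueError("malformed PLAIN message")
    authzid, authcid, passwd = parts
    return {
        "authzid": authzid.decode("utf-8"),  # identity to act as
        "authcid": authcid.decode("utf-8"),  # identity whose password is checked
        "password_length": len(passwd),      # value deliberately not exposed
    }


def sasldb_users(listing):
    """User names (realm stripped) from sasldblistusers2 'user@realm: prop' lines."""
    users = set()
    for line in listing.splitlines():
        entry = line.split(":", 1)[0].strip().replace(" at ", "@")
        if entry:
            users.add(entry.split("@", 1)[0])
    return users


def authcid_in_sasldb(line, listing):
    """True if the authentication identity sent on the wire has a sasldb entry."""
    return decode_plain(line)["authcid"] in sasldb_users(listing)


if __name__ == "__main__":
    print(decode_plain(CAPTURED))
    print("authcid present in sasldb:", authcid_in_sasldb(CAPTURED, SASLDB_LISTING))
```

For the captured line this reports authcid root and authzid raimund@callisto, while the sasldb listing holds only raimund, which matches the "LOGIN root {2}" line in the second transcript. imtest takes the authentication id from -a and the authorization id from -u, each defaulting to the current user.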


