Cyrus-IMAP: trouble with servername and plain authentication

Dan White dwhite at olp.net
Mon Feb 6 11:13:22 EST 2012


On 02/06/12 16:01 +0200, T T wrote:
>Hello List,
>
>I've set up a cyrus-imap server on a virtual machine. Initially, I've
>configured it to authenticate using GSSAPI/Kerberos V. Worked fine.
>Then, as the "real" end-users are not "Kerberised", I've decided to
>switch for simple auxprop/sasldb authentication for the time being.
>
>The first idea was to set up two mechanisms, so that a "kerberised"
>user can enjoy SSO, and the rest would use login/password. My
>/etc/imapd.conf is below. It didn't work, so I've limited the
>mechanisms to auxprop only, stopped the saslauthd, and tried again. It
>didn't work. The telnet sessions:

Choice of pwcheck_method (saslauthd or auxprop) should be orthogonal to the
gssapi mechanism. The same is true of auxprop and gssapi.

gssapi should work independently of how you have the other two
configured... however the sasl_hostname option will affect gssapi.

>root at mail:~# telnet mail.example.com 143
>Trying 172.16.3.9...
>Connected to mail.example.com.
>Escape character is '^]'.
>* OK mail.example.com Cyrus IMAP4 v2.2.13-Debian-2.2.13-19+squeeze3 server ready
>01 login tom ********
>01 NO Login failed: generic failure

Check your syslog output (auth facility) for further details, such as which
mechanism is being used.

>root at mail:~# telnet localhost 143
>Trying 127.0.0.1...
>Connected to localhost.
>Escape character is '^]'.
>* OK mail.example.com Cyrus IMAP4 v2.2.13-Debian-2.2.13-19+squeeze3 server ready
>01 login tom ********
>01 NO Login failed: generic failure
>
>Then I've commented out servername: mail.example.com, and then the
>simple authentication started to work.

Your client may be choosing a mechanism that makes use of the hostname
(digest-md5?).

>I'm obviously missing something elementary here, but I'm out of my
>wits. My questions are:
>
>1. Is it possible to set up BOTH GSSAPI and sasldb authentication
>working at the same time, and if yes, then how?

By specifying:

sasl_mech_list: <list of mechanisms>

which includes 'gssapi'. Although not specifying that option in your
imapd.conf will attempt to initialize all available mechanisms, which
includes gssapi.

Also, 'sasl_keytab' and 'sasl_hostname' can affect how gssapi operates.

With no 'sasl_hostname' specified, gssapi and other mechanisms will attempt
to determine the local fqdn via some OS call. Whatever the resultant fqdn
is will determine which identity to look for in your keytab, e.g.:

imap/mail.example.com

>2. Why does just specifying a host's FQDN stop plain login from working?

Not sure, but try explicitly specifying a restrictive mech_list:

sasl_mech_list: gssapi plain login

and if saslauthd is working like you want, then just:

sasl_pwcheck_method: saslauthd

should be good. However, be aware that most other mechanisms require the
use of auxprop (including digest-md5 and cram-md5). If you require the use
of those mechanisms, then you'll need to do:

sasl_pwcheck_method: auxprop

>The /etc/imapd.conf
>
>sasl_keytab: /etc/imap.keytab
>servername: mail.example.com
>loginrealms: EXAMPLE.COM
>configdirectory: /var/lib/cyrus
>defaultpartition: default
>partition-default: /var/spool/cyrus/mail
>partition-news: /var/spool/cyrus/news
>newsspool: /var/spool/news
>altnamespace: yes
>unixhierarchysep: yes
>lmtp_downcase_rcpt: yes
>admins: cyrus
>imap_admins: cyrus
>sieve_admins: cyrus
>allowanonymouslogin: no
>popminpoll: 1
>autocreatequota: 0
>umask: 077
>sieveusehomedir: false
>sievedir: /var/spool/sieve
>hashimapspool: true
>allowplaintext: yes
>sasl_pwcheck_method: auxprop saslauthd

This means to attempt to authenticate a plain text login (plain, login, '01
login tom *****') with auxprop, and then with saslauthd. I'd just pick one
or the other unless you have some exotic authentication environment.

>sasl_auxprop_plugin: sasldb
>sasl_auto_transition: no
>tls_ca_path: /etc/ssl/certs
>tls_session_timeout: 1440
>tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
>lmtpsocket: /var/spool/postfix/public/lmtp
>idlemethod: poll
>idlesocket: /var/run/cyrus/socket/idle
>notifysocket: /var/run/cyrus/socket/notify
>syslog_prefix: cyrus
>
>Thanks in advance!
>
>Toomas
>

-- 
Dan White
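
The reply above says to check which mechanism is being negotiated and which password-checking backend each one needs. As an added example (not code from the thread or from Cyrus), this script lists the SASL mechanisms an IMAP server advertises in its CAPABILITY response and maps each to the backend named in the reply; the sample capability line is constructed, and the host/port in live_capabilities are placeholders you supply.

```python
"""Added example: summarise the SASL mechanisms a Cyrus IMAP server advertises,
so you can see which one a client may pick (e.g. DIGEST-MD5, which uses the
server hostname) and which pwcheck backend the reply above says it needs."""
import imaplib

# Constructed sample CAPABILITY response, modelled on a Cyrus 2.2 server with
# no sasl_mech_list set (all available mechanisms initialised). It is not a
# capture from the poster's server.
SAMPLE_CAPABILITY = (
    "* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS IDLE "
    "STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=GSSAPI"
)

# Backend each mechanism can be served by, as stated in the reply above:
# PLAIN/LOGIN work with saslauthd or auxprop, the shared-secret mechanisms
# need auxprop, and GSSAPI uses the keytab identity imap/<hostname> instead.
BACKENDS = {
    "PLAIN": "saslauthd or auxprop",
    "LOGIN": "saslauthd or auxprop",
    "DIGEST-MD5": "auxprop",
    "CRAM-MD5": "auxprop",
    "GSSAPI": "sasl_keytab (identity imap/<sasl_hostname>)",
}

def parse_capabilities(tokens):
    """tokens: iterable of capability words (str). Returns a summary dict."""
    words = [t.upper() for t in tokens]
    mechs = sorted(w.split("=", 1)[1] for w in words if w.startswith("AUTH="))
    return {
        "mechs": mechs,
        # LOGINDISABLED means a cleartext '01 login' is refused before STARTTLS
        "login_disabled": "LOGINDISABLED" in words,
        "starttls": "STARTTLS" in words,
        "backends": {m: BACKENDS.get(m, "unknown mechanism") for m in mechs},
    }

def live_capabilities(host, port=143):
    """Connect to a real server (placeholder host/port) and return the same
    summary; imaplib issues CAPABILITY itself and keeps the words in
    conn.capabilities."""
    conn = imaplib.IMAP4(host, port)
    try:
        return parse_capabilities(conn.capabilities)
    finally:
        conn.logout()

if __name__ == "__main__":
    summary = parse_capabilities(SAMPLE_CAPABILITY.split()[2:])
    for mech in summary["mechs"]:
        print(f"{mech:<11} needs {summary['backends'][mech]}")
    if summary["login_disabled"]:
        print("LOGIN is refused until STARTTLS; a telnet '01 login' will fail")
```

If the live list contains mechanisms that need auxprop but sasl_pwcheck_method is saslauthd, a client that prefers one of them will fail exactly as in the telnet sessions above.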

