Cyrus-IMAP: trouble with servername and plain authentication

Dan White dwhite at olp.net
Mon Feb 6 14:50:51 EST 2012


I'm CCing the list.

On 02/06/12 21:23 +0200, T T wrote:
>Thanks for a quick reply, Dan!
>
>I have added the user with the FQDN to sasldb:
>saslpasswd2 -u mail.example.com tom

'-u' should not be necessary, considering you do not have virtdomains
configured in /etc/imapd.conf.

>Then it worked with the following settings in imapd.conf
>sasl_pwcheck_method: auxprop
>sasl_auxprop_plugin: sasldb
>
>Well, not the most intuitive thing I've seen in my life, but it works
>after re-reading man saslpasswd2 :). Man imapd.conf, though, is asking
>for an improvement, as, quote:
>"servername: <none>
>            This is the hostname visible in the greeting messages of
>the POP, IMAP and LMTP daemons. If it is unset, then the result
>returned from gethostname(2) is used."
>
>... doesn't give much hint in that regard.

hostname is not a standard configuration option in cyrus sasl, and is
usually set programmatically or via an option exposed by the calling
application (as with imapd). The only places that I see a mention of it in
the documentation are:

http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/gssapi.php
http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/programming.php

>I'm out of luck with saslauthd, though. When imapd.conf was limited to
>that, only GSSAPI worked. No success with sasldb option in
>/etc/default/saslauthd. Any suggestions?

saslauthd should not be used to query sasldb in most cases. By default,
saslauthd is not compiled with the sasldb backend (though your distro may
include it). If you want to use sasldb, a typical configuration would be:

sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sasldb

To verify which backends your saslauthd was compiled with, do:

~# saslauthd -v
saslauthd 2.1.25
authentication mechanisms: sasldb getpwent kerberos5 pam rimap shadow ldap

You might instead want to use saslauthd for its kerberos5 backend to
simplify password state, but by doing so you'll lose support for the shared
secret mechanisms, such as digest-md5. In that case, your imapd.conf config
should be:

sasl_pwcheck_method: saslauthd

And in /etc/default/saslauthd:

MECHANISMS="kerberos5"

If you choose to use saslauthd, you should use 'testsaslauthd' to
troubleshoot it and/or run saslauthd in debug mode.

>From the mail.log:
>Feb  6 20:58:50 mail cyrus/imap[4517]: badlogin: mail.example.com
>[172.16.3.9] plaintext tom at mail.example.com SASL(-1): generic failure:
>checkpass failed
>
>/etc/default/saslauthd:
>
>START=no
>DESC="SASL Authentication Daemon"
>NAME="saslauthd"
>MECHANISMS="sasldb"
>MECH_OPTIONS=""
>THREADS=5
>OPTIONS="-c -m /var/run/saslauthd"
>
>/etc/imapd.conf:
>
>sasl_keytab: /etc/imap.keytab
>servername: mail.example.com
>loginrealms: EXAMPLE.COM
>configdirectory: /var/lib/cyrus
>defaultpartition: default
>partition-default: /var/spool/cyrus/mail
>partition-news: /var/spool/cyrus/news
>newsspool: /var/spool/news
>altnamespace: yes
>unixhierarchysep: yes
>lmtp_downcase_rcpt: yes
>admins: cyrus
>imap_admins: cyrus
>sieve_admins: cyrus
>allowanonymouslogin: no
>popminpoll: 1
>autocreatequota: 0
>umask: 077
>sieveusehomedir: false
>sievedir: /var/spool/sieve
>hashimapspool: true
>allowplaintext: yes
>sasl_mech_list: PLAIN LOGIN GSSAPI
>sasl_minimum_layer: 0
>sasl_pwcheck_method: saslauthd
>sasl_auto_transition: no
>tls_ca_path: /etc/ssl/certs
>tls_session_timeout: 1440
>tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
>lmtpsocket: /var/spool/postfix/public/lmtp
>idlemethod: poll
>idlesocket: /var/run/cyrus/socket/idle
>notifysocket: /var/run/cyrus/socket/notify
>syslog_prefix: cyrus

-- 
Dan White
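Added example, not part of Dan's reply or of the Cyrus project: a POSIX sh checker that applies the advice above to the three inputs the thread is about (imapd.conf, /etc/default/saslauthd and the backend list from `saslauthd -v`). It flags a saslauthd that is selected in imapd.conf but not started, a MECHANISMS backend that the binary was not compiled with, sasldb being routed through saslauthd instead of the auxprop plugin, and shared-secret mechanisms listed alongside saslauthd. The function names, the file paths and the sample files are assumptions made for the demonstration; in particular the sample `saslauthd -v` output deliberately omits sasldb to show the mismatch on a build without that backend, and is not the output from any real host.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cyrus: cross-checks
# sasl_pwcheck_method in imapd.conf against the saslauthd defaults file and
# the "authentication mechanisms:" line printed by "saslauthd -v". All three
# inputs are file paths; write_samples creates constructed demo files.

# Print the value of an imapd.conf option written as "name: value".
imapd_opt() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*\(.*\)$/\1/p" "$1" | head -n 1
}

# Print the value of a KEY="value" or KEY=value line from /etc/default/saslauthd.
default_opt() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*$/\1/p" "$1" | head -n 1
}

# Usage: check_sasl_setup IMAPD_CONF SASLAUTHD_DEFAULTS SASLAUTHD_V_OUTPUT
# Prints one finding per line and returns the number of findings;
# prints "OK" and returns 0 when the three inputs agree.
check_sasl_setup() {
    conf=$1; defaults=$2; compiled=$3; problems=0
    method=$(imapd_opt "$conf" sasl_pwcheck_method)
    case "$method" in
    auxprop)
        # sasldb lookups go through the auxprop plugin, so it must be named.
        if [ -z "$(imapd_opt "$conf" sasl_auxprop_plugin)" ]; then
            echo "sasl_pwcheck_method is auxprop but sasl_auxprop_plugin is unset (expected: sasldb)"
            problems=$((problems + 1))
        fi ;;
    saslauthd)
        start=$(default_opt "$defaults" START)
        if [ "$start" != yes ]; then
            echo "imapd.conf selects saslauthd but the defaults file has START=$start"
            problems=$((problems + 1))
        fi
        for mech in $(default_opt "$defaults" MECHANISMS); do
            # Every configured backend must appear on the "authentication mechanisms:" line.
            if ! sed -n 's/^authentication mechanisms: *//p' "$compiled" | tr ' ' '\n' | grep -qx "$mech"; then
                echo "MECHANISMS=$mech: backend $mech is not compiled into this saslauthd"
                problems=$((problems + 1))
            fi
            if [ "$mech" = sasldb ]; then
                echo "sasldb through saslauthd is discouraged; use sasl_pwcheck_method: auxprop with sasl_auxprop_plugin: sasldb"
                problems=$((problems + 1))
            fi
        done
        # saslauthd only verifies plaintext, so shared-secret mechanisms cannot work with it.
        for m in $(imapd_opt "$conf" sasl_mech_list); do
            case "$m" in
            DIGEST-MD5|CRAM-MD5)
                echo "$m is a shared-secret mechanism and cannot be verified via saslauthd"
                problems=$((problems + 1)) ;;
            esac
        done ;;
    *)
        echo "sasl_pwcheck_method is unset or unrecognised: '$method'"
        problems=$((problems + 1)) ;;
    esac
    [ "$problems" -eq 0 ] && echo OK
    return "$problems"
}

# Constructed samples (assumptions, not real hosts): the poster's setup as
# reported, the auxprop/sasldb variant from the reply, and a "saslauthd -v"
# that was built without the sasldb backend.
write_samples() {
    cat >"$1/imapd.conf" <<'EOF'
servername: mail.example.com
allowplaintext: yes
sasl_mech_list: PLAIN LOGIN GSSAPI
sasl_pwcheck_method: saslauthd
EOF
    cat >"$1/imapd-fixed.conf" <<'EOF'
servername: mail.example.com
sasl_mech_list: PLAIN LOGIN GSSAPI
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sasldb
EOF
    cat >"$1/saslauthd" <<'EOF'
START=no
MECHANISMS="sasldb"
EOF
    cat >"$1/saslauthd-v.txt" <<'EOF'
saslauthd 2.1.25
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
echo "== imapd.conf as posted =="
check_sasl_setup "$dir/imapd.conf" "$dir/saslauthd" "$dir/saslauthd-v.txt" || :
echo "== imapd.conf with auxprop/sasldb =="
check_sasl_setup "$dir/imapd-fixed.conf" "$dir/saslauthd" "$dir/saslauthd-v.txt" || :
rm -rf "$dir"
```

On a live box, point the three arguments at /etc/imapd.conf, /etc/default/saslauthd and a file holding the output of `saslauthd -v`; a non-zero exit code means the three disagree in one of the ways the reply describes, and the first finding printed is usually the one to fix first (a saslauthd that is not running produces exactly the "checkpass failed" badlogin shown in the log above).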

