version 2.1.23 incompatible with 2.1.26?

Stephen Ingram sbingram at gmail.com
Mon Dec 22 00:19:34 EST 2014


I'm using a Postifx MTA on CentOS 7 with Cyrus-SASL v 2.1.23 connecting via
LMTP to a Cyrus-IMAP server on CentOS 6 with Cyrus-SASL v 2.1.26 using
Kerberos. The connection starts by setting up a TLS layer and then tries to
authenticate via a Kerberos ticket.

I'm using lmtptest to try to test the connection. Although there is some
strange reporting of an expired certificate (not sure where this comes from
as I've checked certificates for both systems and they are good and can be
validated using openssl) the IMAP server reports:

Dec 21 23:04:31 imap lmtp[14084]: executed
Dec 21 23:04:31 imap lmtp[14084]: Doing a peer verify
Dec 21 23:04:31 imap lmtp[14084]: Doing a peer verify
Dec 21 23:04:31 imap lmtp[14084]: verify error:num=10:certificate has
expired
Dec 21 23:04:31 imap lmtp[14084]: cert has expired
Dec 21 23:04:31 imap lmtp[14084]: received server certificate
Dec 21 23:04:31 imap lmtp[14084]: starttls: TLSv1 with cipher
DHE-RSA-AES256-SHA (256/256 bits new client) no authentication
Dec 21 23:09:58 imap lmtp[14093]: accepted connection
Dec 21 23:09:58 imap lmtp[14093]: connection from mx.4test.net
[192.168.34.6]

On the client side I see:

[root at mx ~]# lmtptest -t "" imap.4test.net
S: 220 imap.4test.net Cyrus LMTP Murder v2.4.16-Invoca-RPM-2.4.16-1.el6
server ready
C: LHLO lmtptest
S: 250-imap.4test.net
S: 250-8BITMIME
S: 250-ENHANCEDSTATUSCODES
S: 250-PIPELINING
S: 250-SIZE
S: 250-STARTTLS
S: 250 IGNOREQUOTA
C: STARTTLS
S: 220 Begin TLS negotiation now
verify error:num=19:self signed certificate in certificate chain
TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256
bits)

So despite the strange "cert has expired" error, I believe I'm getting a
good TLS connection. Then the client tries to authenticate:

C: LHLO lmtptest
S: 250-imap.4test.net
S: 250-8BITMIME
S: 250-ENHANCEDSTATUSCODES
S: 250-PIPELINING
S: 250-SIZE
S: 250-AUTH PLAIN GSSAPI
S: 250 IGNOREQUOTA
C: AUTH GSSAPI
S: 334
C: YIICbgYJKoZIhvcSAQICAQBuggJdMIICWaAD...
...snip...
DUMz6aI1WeQD6KXI431XpwZQFCrqmHRQg3saZc=
S: 334
C: *
Authentication failed. generic failure
Security strength factor: 256
501 5.5.4 client canceled authentication

In the message log on the client side I see:

Dec 22 05:09:58 mx lmtptest: GSSAPI Error: A required input parameter could
not be read (Unknown error)

Reading through mailing list postings I see there was a bug in Fedora
relating to the v 2.1.23 and v 2.1.26 of Cyrus-SASL. Are the two versions
incompatible and the reason why I'm seeing this error?

I have the exact same setup on another lab configuration that uses CentOS 6
(v 2.1.23) on each end and it works flawlessly.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/attachments/20141221/f49d4f5e/attachment-0001.html 


More information about the Cyrus-sasl mailing list