imapd is not talking to saslauthd

Ken Murchison murch at fastmail.com
Tue Jan 30 17:41:51 EST 2018


Hmm.

I just switched my dev box to using saslauthd and it just worked.  I'm 
sure your problem is something simple, but it's escaping me at the moment.

When imtest fails, what is logged in the Cyrus IMAP log (wherever local6 
is logged)?



On 01/30/2018 05:34 PM, Michael Rüger wrote:
> Ken, thank you for jumping in!
>
> Some more info: the apps run as the following users and groups
>
> root at cyrus3:~ # ps aux
> USER    PID %CPU %MEM    VSZ  RSS TT  STAT STARTED    TIME COMMAND
> root  88686  0.0  0.0  10500 2044  -  SsJ  21:40   0:00.02 /usr/sbin/syslogd -s
> root  88717  0.0  0.1  43928 4360  -  IsJ  21:40   0:00.01 /usr/local/sbin/saslauthd -a pam
> root  88718  0.0  0.1  43928 4360  -  IJ   21:40   0:00.01 /usr/local/sbin/saslauthd -a pam
> root  88720  0.0  0.1  43928 4276  -  IJ   21:40   0:00.00 /usr/local/sbin/saslauthd -a pam
> root  88721  0.0  0.1  43928 4360  -  IJ   21:40   0:00.01 /usr/local/sbin/saslauthd -a pam
> root  88722  0.0  0.1  43928 4276  -  IJ   21:40   0:00.00 /usr/local/sbin/saslauthd -a pam
> cyrus 88724  0.0  0.1  65504 5884  -  SsJ  21:40   0:00.07 /usr/local/cyrus/libexec/master -d
>
> root at cyrus3:~ # su - cyrus
> % id
> uid=60(cyrus) gid=60(cyrus) groups=60(cyrus),1003(saslauth)
>
>
>> On 30.01.2018 at 23:25, Michael Rüger <michael.g.rueger at gmail.com> wrote:
>>
>> root at cyrus3:~ # ls -la /var/run/saslauthd/
>> total 13
>> drwxr-x---  2 cyrus  saslauth   5 Jan 30 21:40 .
>> drwxr-xr-x  6 root   wheel     15 Jan 30 21:40 ..
>> srwxrwxrwx  1 root   saslauth   0 Jan 30 21:40 mux
>> -rw-------  1 root   saslauth   0 Jan 30 21:40 mux.accept
>> -rw-------  1 root   saslauth   6 Jan 30 21:40 saslauthd.pid
>>
>>> On 30.01.2018 at 23:23, Ken Murchison <murch at fastmail.com> wrote:
>>>
>>> Hi Michael,
>>>
>>> What are the permissions on the socket that saslauthd is listening on?
>>>
>>>
>>>
>>> On 01/30/2018 05:06 PM, Michael Rüger wrote:
>>>> Hi
>>>>
>>>> (btw. i was Guest39278 on IRC yesterday and got the chance to 
>>>> introduce myself on googletalk)
>>>>
>>>> I’m trying to set up imapd to use saslauthd for authentication.
>>>>
>>>> I have already a running saslauthd which uses PAM. I can run this
>>>>
>>>> root at cyrus3:/ # testsaslauthd -u mike -p mike
>>>> 0: OK "Success."
>>>>
>>>> and if i run
>>>>
>>>> root at cyrus3:/ # testsaslauthd -u mike -p abc
>>>> 0: NO "authentication failed"
>>>>
>>>> i get that logged in auth.log like this
>>>>
>>>> Jan 30 21:43:53 cyrus3 saslauthd[88721]: do_auth         : auth failure: [user=mike] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
>>>>
>>>> In imapd.conf i have
>>>>
>>>> sasl_pwcheck_method: saslauthd
>>>>
>>>> Now I authenticate against imapd
>>>>
>>>> root at cyrus3:~ # imtest -t "" -u mike -a mike -w mike localhost
>>>> S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS 
>>>> LOGINDISABLED AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 
>>>> AUTH=NTLM SASL-IR] cyrus3.intern.rueger.me Cyrus IMAP 3.0.5 server ready
>>>> C: S01 STARTTLS
>>>> S: S01 OK Begin TLS negotiation now
>>>> verify error:num=18:self signed certificate
>>>> TLS connection established: TLSv1.2 with cipher 
>>>> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>>>> C: C01 CAPABILITY
>>>> S: * CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA 
>>>> MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT 
>>>> CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SEARCH=FUZZY 
>>>> SORT SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT 
>>>> THREAD=REFERENCES THREAD=REFS ANNOTATEMORE ANNOTATE-EXPERIMENT-1 
>>>> METADATA LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS LIST-METADATA 
>>>> WITHIN QRESYNC SCAN XLIST XMOVE MOVE SPECIAL-USE CREATE-SPECIAL-USE 
>>>> DIGEST=SHA1 X-REPLICATION URLAUTH URLAUTH=BINARY AUTH=SCRAM-SHA-1 
>>>> AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN 
>>>> SASL-IR COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE 
>>>> X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE
>>>> S: C01 OK Completed
>>>> C: A01 AUTHENTICATE SCRAM-SHA-1 
>>>> bixhPW1pa2Usbj1taWtlLHI9Z2Z1Ukp1cVc1Z1BybHhaWTdFcjVYUDR2WUtuMVhRNHc=
>>>> S: A01 NO authentication failure
>>>> Authentication failed. generic failure
>>>> Security strength factor: 256
>>>>
>>>> Nothing is reported in auth.conf
>>>>
>>>> If i do this
>>>>
>>>> root at cyrus3:~ # saslpasswd2 -c mike at cyrus3.intern.rueger.me
>>>> …<entering „mike“ twice here>
>>>> root at cyrus3:~ # imtest -t "" -u mike -a mike -w mike localhost
>>>> S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS 
>>>> LOGINDISABLED AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 
>>>> AUTH=NTLM SASL-IR] cyrus3.intern.rueger.me Cyrus IMAP 3.0.5 server ready
>>>> C: S01 STARTTLS
>>>>>>>> Authenticated.
>>>> Security strength factor: 256
>>>>
>>>> it is working against local db BUT NOT against saslauthd.
>>>>
>>>> How do i setup imapd to talk to saslauthd?
>>>>
>>>> BTW i’m using
>>>> * cyrus-imapd30-3.0.5
>>>> * cyrus-sasl-2.1.26_13
>>>> * cyrus-sasl-saslauthd-2.1.26_3
>>>> on FreeBSD 11.1
>>>>
>>>> Thank you for any help,
>>>> Mike
>>>>
>>>
>>> -- 
>>> Ken Murchison
>>> Cyrus Development Team
>>> FastMail US LLC
>>> <murch.vcf>
>>
>

-- 
Ken Murchison
Cyrus Development Team
FastMail US LLC
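
Added example, not part of the original thread and not Cyrus code: a small Python check of the socket-permission question asked above, fed with the `ls -la` lines and the `id` output quoted in this message. It assumes plain Unix mode bits only (no ACLs or MAC policy); `someuser` is a hypothetical account outside the saslauth group.

```python
# Added example: walks the path to saslauthd's socket and applies Unix mode bits.
# Listing lines are copied from the `ls -la /var/run/saslauthd/` output in the thread.
LISTING = {
    "/var/run":               "drwxr-xr-x  6 root   wheel     15 Jan 30 21:40 ..",
    "/var/run/saslauthd":     "drwxr-x---  2 cyrus  saslauth   5 Jan 30 21:40 .",
    "/var/run/saslauthd/mux": "srwxrwxrwx  1 root   saslauth   0 Jan 30 21:40 mux",
}

def parse_ls(line):
    """Return (type_char, mode_bits, owner, group) from one `ls -l` line."""
    fields = line.split()
    perms = fields[0]
    mode = 0
    for ch in perms[1:10]:
        # 'S' and 'T' mean a special bit is set but the execute bit is not
        mode = (mode << 1) | (ch not in "-ST")
    return perms[0], mode, fields[2], fields[3]

def allowed(mode, owner, group, user, groups, want):
    """Unix rule: exactly one class applies (owner, else group, else other)."""
    if user == "root":
        return True
    if user == owner:
        bits = mode >> 6
    elif group in groups:
        bits = mode >> 3
    else:
        bits = mode
    return (bits & want) == want

def can_connect(listing, user, groups):
    """Search (x) is needed on each directory, write (w) on the socket itself."""
    for path, line in listing.items():
        kind, mode, owner, group = parse_ls(line)
        want = 0o1 if kind == "d" else 0o2
        if not allowed(mode, owner, group, user, groups, want):
            need = "search" if kind == "d" else "write"
            return False, f"{user}: no {need} permission on {path}"
    return True, f"{user}: can reach the socket"

if __name__ == "__main__":
    # cyrus and its groups come from the `id` output in the thread;
    # "someuser" is a hypothetical account that is not in the saslauth group.
    print(can_connect(LISTING, "cyrus", {"cyrus", "saslauth"}))
    print(can_connect(LISTING, "someuser", {"someuser"}))
```

The world-writable mode on `mux` is only reachable through the 0750 directory, so the directory's owner and group decide who can talk to saslauthd.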



More information about the Cyrus-sasl mailing list