imapd is not talking to saslauthd

Michael Rüger michael.g.rueger at gmail.com
Tue Jan 30 18:03:45 EST 2018


Struggled with enabling local6. The trick was to touch the new syslog output file before restarting syslog with this new line

local6.*   /var/log/local6


root@cyrus3:/var/log # cat local6
Jan 30 22:59:51 cyrus3 imap[90156]: accepted connection
Jan 30 22:59:51 cyrus3 imap[90156]: accepted connection
Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() incomplete -> wait
Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() incomplete -> wait
Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() succeeded -> done
Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() succeeded -> done
Jan 30 22:59:51 cyrus3 imap[90156]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
Jan 30 22:59:51 cyrus3 imap[90156]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
Jan 30 22:59:51 cyrus3 imap[90156]: SASL unable to canonify user and get auxprops
Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
Jan 30 22:59:51 cyrus3 imap[90156]: SASL unable to canonify user and get auxprops
Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210] SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get auxprops]
Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210] SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get auxprops]


> Am 30.01.2018 um 23:41 schrieb Ken Murchison <murch at fastmail.com>:
> 
> Hmm.
> 
> I just switched my dev box to using saslauthd and it just worked.  I'm sure your problem is something simple, but it's escaping me at the moment.
> When imtest fails, what is logged in the Cyrus IMAP log (wherever local6 is logged)?
> 
> 
> 
> On 01/30/2018 05:34 PM, Michael Rüger wrote:
>> Ken, thank you for jumping in!
>> 
>> Some more info: the apps run as the following users and groups
>> 
>> root@cyrus3:~ # ps aux
>> USER    PID %CPU %MEM    VSZ  RSS TT  STAT STARTED    TIME COMMAND
>> root  88686  0.0  0.0  10500 2044  -  SsJ  21:40   0:00.02 /usr/sbin/syslogd -s
>> root  88717  0.0  0.1  43928 4360  -  IsJ  21:40   0:00.01 /usr/local/sbin/saslauthd -a pam
>> root  88718  0.0  0.1  43928 4360  -  IJ   21:40   0:00.01 /usr/local/sbin/saslauthd -a pam
>> root  88720  0.0  0.1  43928 4276  -  IJ   21:40   0:00.00 /usr/local/sbin/saslauthd -a pam
>> root  88721  0.0  0.1  43928 4360  -  IJ   21:40   0:00.01 /usr/local/sbin/saslauthd -a pam
>> root  88722  0.0  0.1  43928 4276  -  IJ   21:40   0:00.00 /usr/local/sbin/saslauthd -a pam
>> cyrus 88724  0.0  0.1  65504 5884  -  SsJ  21:40   0:00.07 /usr/local/cyrus/libexec/master -d
>> 
>> root@cyrus3:~ # su - cyrus
>> % id
>> uid=60(cyrus) gid=60(cyrus) groups=60(cyrus),1003(saslauth)
>> 
>> 
>>> Am 30.01.2018 um 23:25 schrieb Michael Rüger <michael.g.rueger at gmail.com>:
>>> 
>>> root@cyrus3:~ # ls -la /var/run/saslauthd/
>>> total 13
>>> drwxr-x---  2 cyrus  saslauth   5 Jan 30 21:40 .
>>> drwxr-xr-x  6 root   wheel     15 Jan 30 21:40 ..
>>> srwxrwxrwx  1 root   saslauth   0 Jan 30 21:40 mux
>>> -rw-------  1 root   saslauth   0 Jan 30 21:40 mux.accept
>>> -rw-------  1 root   saslauth   6 Jan 30 21:40 saslauthd.pid
>>> 
>>>> Am 30.01.2018 um 23:23 schrieb Ken Murchison <murch at fastmail.com>:
>>>> 
>>>> Hi Michael,
>>>> 
>>>> What are the permissions on the socket that saslauthd is listening on?
>>>> 
>>>> 
>>>> 
>>>> On 01/30/2018 05:06 PM, Michael Rüger wrote:
>>>>> Hi
>>>>> 
>>>>> (btw. I was Guest39278 on IRC yesterday and got the chance to introduce myself on googletalk)
>>>>> 
>>>>> I’m trying to set up imapd to use saslauthd for authentication.
>>>>> 
>>>>> I already have a running saslauthd which uses PAM. I can run this
>>>>> 
>>>>> root@cyrus3:/ # testsaslauthd -u mike -p mike
>>>>> 0: OK "Success."
>>>>> 
>>>>> and if I run
>>>>> 
>>>>> root@cyrus3:/ # testsaslauthd -u mike -p abc
>>>>> 0: NO "authentication failed"
>>>>> 
>>>>> I get that logged in auth.log like this
>>>>> 
>>>>> Jan 30 21:43:53 cyrus3 saslauthd[88721]: do_auth         : auth failure: [user=mike] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
>>>>> 
>>>>> In imapd.conf I have
>>>>> 
>>>>> sasl_pwcheck_method: saslauthd
>>>>> 
>>>>> Now I authenticate against imapd
>>>>> 
>>>>> root@cyrus3:~ # imtest -t "" -u mike -a mike -w mike localhost
>>>>> S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM SASL-IR] cyrus3.intern.rueger.me Cyrus IMAP 3.0.5 server ready
>>>>> C: S01 STARTTLS
>>>>> S: S01 OK Begin TLS negotiation now
>>>>> verify error:num=18:self signed certificate
>>>>> TLS connection established: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>>>>> C: C01 CAPABILITY
>>>>> S: * CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SEARCH=FUZZY SORT SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES THREAD=REFS ANNOTATEMORE ANNOTATE-EXPERIMENT-1 METADATA LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS LIST-METADATA WITHIN QRESYNC SCAN XLIST XMOVE MOVE SPECIAL-USE CREATE-SPECIAL-USE DIGEST=SHA1 X-REPLICATION URLAUTH URLAUTH=BINARY AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE
>>>>> S: C01 OK Completed
>>>>> C: A01 AUTHENTICATE SCRAM-SHA-1 bixhPW1pa2Usbj1taWtlLHI9Z2Z1Ukp1cVc1Z1BybHhaWTdFcjVYUDR2WUtuMVhRNHc=
>>>>> S: A01 NO authentication failure
>>>>> Authentication failed. generic failure
>>>>> Security strength factor: 256
>>>>> 
>>>>> Nothing is reported in auth.conf
>>>>> 
>>>>> If I do this
>>>>> 
>>>>> root@cyrus3:~ # saslpasswd2 -c mike@cyrus3.intern.rueger.me
>>>>> …<entering „mike“ twice here>
>>>>> root@cyrus3:~ # imtest -t "" -u mike -a mike -w mike localhost
>>>>> S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM SASL-IR] cyrus3.intern.rueger.me Cyrus IMAP 3.0.5 server ready
>>>>> C: S01 STARTTLS
>>>>>>>>>> Authenticated.
>>>>> Security strength factor: 256
>>>>> 
>>>>> It is working against the local db BUT NOT against saslauthd.
>>>>> 
>>>>> How do I set up imapd to talk to saslauthd?
>>>>> 
>>>>> BTW I'm using
>>>>> * cyrus-imapd30-3.0.5
>>>>> * cyrus-sasl-2.1.26_13
>>>>> * cyrus-sasl-saslauthd-2.1.26_3
>>>>> on FreeBSD 11.1
>>>>> 
>>>>> Thank you for any help,
>>>>> Mike
>>>>> 
>>>> 
>>>> -- 
>>>> Ken Murchison
>>>> Cyrus Development Team
>>>> FastMail US LLC
>>>> <murch.vcf>
>>> 
>> 
> 
> -- 
> Ken Murchison
> Cyrus Development Team
> FastMail US LLC
> <murch.vcf>
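
Added example, not part of the thread and not Cyrus code: it decodes the SCRAM-SHA-1 initial response from the imtest transcript (RFC 5802 client-first message) and the matching `badlogin` log entry, showing that the client sent only a username and a nonce while the server failed in the auxprop lookup. The function names and the `PLAINTEXT_MECHS` set are this example's own assumptions; a saslauthd-style verifier checks a username plus plaintext password, which only mechanisms such as PLAIN and LOGIN put on the wire.

```python
import base64
import re

# Mechanisms in which the client hands the server the plaintext password
# (general SASL knowledge, assumed here; not stated in the thread).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Copied from the imtest transcript and the local6 log quoted in the thread.
AUTH_LINE = "C: A01 AUTHENTICATE SCRAM-SHA-1 bixhPW1pa2Usbj1taWtlLHI9Z2Z1Ukp1cVc1Z1BybHhaWTdFcjVYUDR2WUtuMVhRNHc="
BADLOGIN = ("Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210] SCRAM-SHA-1 "
            "[SASL(-13): user not found: unable to canonify user and get auxprops]")

def parse_authenticate(line):
    """Split an IMAP 'AUTHENTICATE <mech> [initial-response]' client line."""
    m = re.search(r"AUTHENTICATE (\S+)(?: (\S+))?$", line)
    if not m:
        raise ValueError("not an AUTHENTICATE line")
    return m.group(1), m.group(2)

def parse_scram_client_first(b64):
    """Decode an RFC 5802 client-first message into its named parts."""
    text = base64.b64decode(b64, validate=True).decode("utf-8")
    cbind, authzid, *attrs = text.split(",")   # gs2 header, then attributes
    fields = dict(a.split("=", 1) for a in attrs)
    return {"channel_binding": cbind,
            "authzid": authzid[2:] if authzid.startswith("a=") else None,
            "username": fields.get("n"), "nonce": fields.get("r")}

def parse_badlogin(line):
    """Extract client address, mechanism, SASL code and reason from a badlogin entry."""
    m = re.search(r"badlogin: \[([^\]]+)\] (\S+) \[SASL\((-?\d+)\): (.*)\]$", line)
    if not m:
        raise ValueError("not a badlogin line")
    return {"client": m.group(1), "mech": m.group(2),
            "code": int(m.group(3)), "reason": m.group(4)}

def diagnose(auth_line, badlogin_line):
    """Combine both views: what the client sent and where the server gave up."""
    mech, initial = parse_authenticate(auth_line)
    report = {"mech": mech, "sends_plaintext_password": mech in PLAINTEXT_MECHS,
              "failure": parse_badlogin(badlogin_line)}
    if mech.startswith("SCRAM-") and initial:
        report["client_first"] = parse_scram_client_first(initial)
    return report

if __name__ == "__main__":
    print(diagnose(AUTH_LINE, BADLOGIN))
```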
