imapd is not talking to saslauthd

Ken Murchison murch at fastmail.com
Tue Jan 30 18:09:03 EST 2018


Has Cyrus IMAP been restarted since switching to saslauthd?  It doesn't 
look like Cyrus is even trying to use saslauthd.


On 01/30/2018 06:03 PM, Michael Rüger wrote:
> Struggled with enabling local6. The trick was to touch the new syslog 
> output file before restarting syslog with this new line
>
> local6.* /var/log/local6
>
>
> root at cyrus3:/var/log # cat local6
> Jan 30 22:59:51 cyrus3 imap[90156]: accepted connection
> Jan 30 22:59:51 cyrus3 imap[90156]: accepted connection
> Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() incomplete -> wait
> Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() incomplete -> wait
> Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() succeeded -> done
> Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() succeeded -> done
> Jan 30 22:59:51 cyrus3 imap[90156]: starttls: TLSv1.2 with cipher 
> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
> Jan 30 22:59:51 cyrus3 imap[90156]: starttls: TLSv1.2 with cipher 
> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
> Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
> Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
> Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
> Jan 30 22:59:51 cyrus3 imap[90156]: SASL unable to canonify user and 
> get auxprops
> Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
> Jan 30 22:59:51 cyrus3 imap[90156]: SASL unable to canonify user and 
> get auxprops
> Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210] 
> SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and 
> get auxprops]
> Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210] 
> SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and 
> get auxprops]
>
>
>> On 30.01.2018 at 23:41, Ken Murchison <murch at fastmail.com> wrote:
>>
>> Hmm.
>>
>> I just switched my dev box to using saslauthd and it just worked.  
>> I'm sure your problem is something simple, but it's escaping me at the 
>> moment.
>>
>> When imtest fails, what is logged in the Cyrus IMAP log (wherever 
>> local6 is logged)?
>>
>>
>>
>> On 01/30/2018 05:34 PM, Michael Rüger wrote:
>>> Ken, thank you for jumping in!
>>>
>>> Some more info: the apps run as the following users and groups
>>>
>>> root at cyrus3:~ # ps aux
>>> USER    PID %CPU %MEM    VSZ  RSS TT  STAT STARTED    TIME COMMAND
>>> root  88686  0.0  0.0  10500 2044  -  SsJ  21:40 0:00.02 
>>> /usr/sbin/syslogd -s
>>> root  88717  0.0  0.1  43928 4360  -  IsJ  21:40 0:00.01 
>>> /usr/local/sbin/saslauthd -a pam
>>> root  88718  0.0  0.1  43928 4360  -  IJ   21:40 0:00.01 
>>> /usr/local/sbin/saslauthd -a pam
>>> root  88720  0.0  0.1  43928 4276  -  IJ   21:40 0:00.00 
>>> /usr/local/sbin/saslauthd -a pam
>>> root  88721  0.0  0.1  43928 4360  -  IJ   21:40 0:00.01 
>>> /usr/local/sbin/saslauthd -a pam
>>> root  88722  0.0  0.1  43928 4276  -  IJ   21:40 0:00.00 
>>> /usr/local/sbin/saslauthd -a pam
>>> cyrus 88724  0.0  0.1  65504 5884  -  SsJ  21:40 0:00.07 
>>> /usr/local/cyrus/libexec/master -d
>>>
>>> root at cyrus3:~ # su - cyrus
>>> % id
>>> uid=60(cyrus) gid=60(cyrus) groups=60(cyrus),1003(saslauth)
>>>
>>>
>>>> On 30.01.2018 at 23:25, Michael Rüger <michael.g.rueger at gmail.com> wrote:
>>>>
>>>> root at cyrus3:~ # ls -la /var/run/saslauthd/
>>>> total 13
>>>> drwxr-x---  2 cyrus  saslauth   5 Jan 30 21:40 .
>>>> drwxr-xr-x  6 root   wheel     15 Jan 30 21:40 ..
>>>> srwxrwxrwx  1 root   saslauth   0 Jan 30 21:40 mux
>>>> -rw-------  1 root   saslauth   0 Jan 30 21:40 mux.accept
>>>> -rw-------  1 root   saslauth   6 Jan 30 21:40 saslauthd.pid
>>>>
>>>>> On 30.01.2018 at 23:23, Ken Murchison <murch at fastmail.com> wrote:
>>>>>
>>>>> Hi Michael,
>>>>>
>>>>> What are the permissions on the socket that saslauthd is listening on?
>>>>>
>>>>>
>>>>>
>>>>> On 01/30/2018 05:06 PM, Michael Rüger wrote:
>>>>>> Hi
>>>>>>
>>>>>> (btw. I was Guest39278 on IRC yesterday and got the chance to 
>>>>>> introduce myself on googletalk)
>>>>>>
>>>>>> I’m trying to set up imapd to use saslauthd for authentication.
>>>>>>
>>>>>> I have already a running saslauthd which uses PAM. I can run this
>>>>>>
>>>>>> root at cyrus3:/ # testsaslauthd -u mike -p mike
>>>>>> 0: OK "Success."
>>>>>>
>>>>>> and if I run
>>>>>>
>>>>>> root at cyrus3:/ # testsaslauthd -u mike -p abc
>>>>>> 0: NO "authentication failed"
>>>>>>
>>>>>> I get that logged in auth.log like this
>>>>>>
>>>>>> Jan 30 21:43:53 cyrus3 saslauthd[88721]: do_auth         : auth 
>>>>>> failure: [user=mike] [service=imap] [realm=] [mech=pam] 
>>>>>> [reason=PAM auth error]
>>>>>>
>>>>>> In imapd.conf I have
>>>>>>
>>>>>> sasl_pwcheck_method: saslauthd
>>>>>>
>>>>>> Now I authenticate against imapd
>>>>>>
>>>>>> root at cyrus3:~ # imtest -t "" -u mike -a mike -w mike localhost
>>>>>> S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS 
>>>>>> LOGINDISABLED AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 
>>>>>> AUTH=NTLM SASL-IR] cyrus3.intern.rueger.me Cyrus IMAP 3.0.5 server ready
>>>>>> C: S01 STARTTLS
>>>>>> S: S01 OK Begin TLS negotiation now
>>>>>> verify error:num=18:self signed certificate
>>>>>> TLS connection established: TLSv1.2 with cipher 
>>>>>> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>>>>>> C: C01 CAPABILITY
>>>>>> S: * CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten 
>>>>>> QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME 
>>>>>> UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH 
>>>>>> SEARCH=FUZZY SORT SORT=MODSEQ SORT=DISPLAY SORT=UID 
>>>>>> THREAD=ORDEREDSUBJECT THREAD=REFERENCES THREAD=REFS ANNOTATEMORE 
>>>>>> ANNOTATE-EXPERIMENT-1 METADATA LIST-EXTENDED LIST-STATUS 
>>>>>> LIST-MYRIGHTS LIST-METADATA WITHIN QRESYNC SCAN XLIST XMOVE MOVE 
>>>>>> SPECIAL-USE CREATE-SPECIAL-USE DIGEST=SHA1 X-REPLICATION URLAUTH 
>>>>>> URLAUTH=BINARY AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 
>>>>>> AUTH=NTLM AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE 
>>>>>> X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE 
>>>>>> X-QUOTA=X-NUM-FOLDERS IDLE
>>>>>> S: C01 OK Completed
>>>>>> C: A01 AUTHENTICATE SCRAM-SHA-1 
>>>>>> bixhPW1pa2Usbj1taWtlLHI9Z2Z1Ukp1cVc1Z1BybHhaWTdFcjVYUDR2WUtuMVhRNHc=
>>>>>> S: A01 NO authentication failure
>>>>>> Authentication failed. generic failure
>>>>>> Security strength factor: 256
>>>>>>
>>>>>> Nothing is reported in auth.conf
>>>>>>
>>>>>> If I do this
>>>>>>
>>>>>> root at cyrus3:~ # saslpasswd2 -c mike at cyrus3.intern.rueger.me
>>>>>> …<entering „mike“ twice here>
>>>>>> root at cyrus3:~ # imtest -t "" -u mike -a mike -w mike localhost
>>>>>> S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS 
>>>>>> LOGINDISABLED AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 
>>>>>> AUTH=NTLM SASL-IR] cyrus3.intern.rueger.me Cyrus IMAP 3.0.5 server ready
>>>>>> C: S01 STARTTLS
>>>>>> Authenticated.
>>>>>> Security strength factor: 256
>>>>>>
>>>>>> it is working against local db BUT NOT against saslauthd.
>>>>>>
>>>>>> How do I set up imapd to talk to saslauthd?
>>>>>>
>>>>>> BTW I’m using
>>>>>> * cyrus-imapd30-3.0.5
>>>>>> * cyrus-sasl-2.1.26_13
>>>>>> * cyrus-sasl-saslauthd-2.1.26_3
>>>>>> on FreeBSD 11.1
>>>>>>
>>>>>> Thank you for any help,
>>>>>> Mike
>>>>>>
>>>>>
>>>>> -- 
>>>>> Ken Murchison
>>>>> Cyrus Development Team
>>>>> FastMail US LLC
>>>>> <murch.vcf>
>>>>
>>>
>>
>> -- 
>> Ken Murchison
>> Cyrus Development Team
>> FastMail US LLC
>> <murch.vcf>
>

-- 
Ken Murchison
Cyrus Development Team
FastMail US LLC
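
Added example, not part of the original thread or of the Cyrus project's code: a triage of the `badlogin` lines quoted above that reports which SASL mechanism each failed login negotiated and which verification path that mechanism uses. It assumes the standard Cyrus SASL split, where only PLAIN and LOGIN hand a cleartext password to the `sasl_pwcheck_method` verifier (saslauthd here), while SCRAM-SHA-1 and the other challenge-response mechanisms need a stored secret from an auxprop database such as sasldb. The function name `triage` and the PLAIN log line are constructed for the example.

```python
import re

# Mechanisms where the server receives the cleartext password and can pass it
# to the verifier named by sasl_pwcheck_method (saslauthd in this thread).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ \w+\[(?P<pid>\d+)\]: (?P<msg>.*)$")
BADLOGIN = re.compile(
    r"^badlogin: (?:\S+ )?\[(?P<ip>[^\]]+)\] (?P<mech>[A-Z0-9-]+) "
    r"\[SASL\((?P<code>-?\d+)\): (?P<detail>.*)\]$"
)

# Sample input. The first four lines are the thread's local6 output with the
# mail line-wrapping joined; the last line is constructed for comparison.
SAMPLE = [
    "Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db",
    "Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db",
    "Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210] SCRAM-SHA-1 "
    "[SASL(-13): user not found: unable to canonify user and get auxprops]",
    "Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210] SCRAM-SHA-1 "
    "[SASL(-13): user not found: unable to canonify user and get auxprops]",
    "Jan 30 23:05:02 cyrus3 imap[90201]: badlogin: [192.168.178.210] PLAIN "
    "[SASL(-13): authentication failure: Password verification failed]",
]

def triage(lines):
    """Return one finding per distinct badlogin line, tagged with its verification path."""
    sasldb_miss, seen, findings = set(), set(), []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        if m["msg"] == "SASL no user in db":
            sasldb_miss.add(m["pid"])      # this process looked the user up in sasldb
            continue
        b = BADLOGIN.match(m["msg"])
        key = (m["ts"], m["pid"], m["msg"])
        if not b or key in seen:           # skip non-badlogin and duplicated syslog lines
            continue
        seen.add(key)
        findings.append({
            "pid": m["pid"], "ip": b["ip"], "mech": b["mech"],
            "path": "pwcheck" if b["mech"] in PLAINTEXT_MECHS else "auxprop",
            "sasldb_miss": m["pid"] in sasldb_miss,
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A finding with `path` set to `auxprop` means the login never reached the `sasl_pwcheck_method` verifier, so nothing would appear in the saslauthd log for it.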
