imapd is not talking to saslauthd
Ken Murchison
murch at fastmail.com
Tue Jan 30 18:09:03 EST 2018
Has Cyrus IMAP been restarted since switching to saslauthd? It doesn't
look like Cyrus is even trying to use saslauthd.
On 01/30/2018 06:03 PM, Michael Rüger wrote:
> Struggled with enabling local6. The trick was to touch the new syslog
> output file before restarting syslog with this new line
>
> local6.* /var/log/local6
>
>
> root at cyrus3:/var/log # cat local6
> Jan 30 22:59:51 cyrus3 imap[90156]: accepted connection
> Jan 30 22:59:51 cyrus3 imap[90156]: accepted connection
> Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() incomplete -> wait
> Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() incomplete -> wait
> Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() succeeded -> done
> Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() succeeded -> done
> Jan 30 22:59:51 cyrus3 imap[90156]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
> Jan 30 22:59:51 cyrus3 imap[90156]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
> Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
> Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
> Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
> Jan 30 22:59:51 cyrus3 imap[90156]: SASL unable to canonify user and get auxprops
> Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
> Jan 30 22:59:51 cyrus3 imap[90156]: SASL unable to canonify user and get auxprops
> Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210] SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get auxprops]
> Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210] SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get auxprops]
>
>
>> On 30.01.2018 at 23:41, Ken Murchison <murch at fastmail.com> wrote:
>>
>> Hmm.
>>
>> I just switched my dev box to using saslauthd and it just worked.
>> I'm sure your problem is something simple, but it's escaping me at the
>> moment.
>>
>> When imtest fails, what is logged in the Cyrus IMAP log (wherever
>> local6 is logged)?
>>
>>
>>
>> On 01/30/2018 05:34 PM, Michael Rüger wrote:
>>> Ken, thank you for jumping in!
>>>
>>> Some more info: the apps run as the following users and groups
>>>
>>> root at cyrus3:~ # ps aux
>>> USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
>>> root 88686 0.0 0.0 10500 2044 - SsJ 21:40 0:00.02 /usr/sbin/syslogd -s
>>> root 88717 0.0 0.1 43928 4360 - IsJ 21:40 0:00.01 /usr/local/sbin/saslauthd -a pam
>>> root 88718 0.0 0.1 43928 4360 - IJ 21:40 0:00.01 /usr/local/sbin/saslauthd -a pam
>>> root 88720 0.0 0.1 43928 4276 - IJ 21:40 0:00.00 /usr/local/sbin/saslauthd -a pam
>>> root 88721 0.0 0.1 43928 4360 - IJ 21:40 0:00.01 /usr/local/sbin/saslauthd -a pam
>>> root 88722 0.0 0.1 43928 4276 - IJ 21:40 0:00.00 /usr/local/sbin/saslauthd -a pam
>>> cyrus 88724 0.0 0.1 65504 5884 - SsJ 21:40 0:00.07 /usr/local/cyrus/libexec/master -d
>>>
>>> root at cyrus3:~ # su - cyrus
>>> % id
>>> uid=60(cyrus) gid=60(cyrus) groups=60(cyrus),1003(saslauth)
>>>
>>>
>>>> On 30.01.2018 at 23:25, Michael Rüger <michael.g.rueger at gmail.com> wrote:
>>>>
>>>> root at cyrus3:~ # ls -la /var/run/saslauthd/
>>>> total 13
>>>> drwxr-x--- 2 cyrus saslauth 5 Jan 30 21:40 .
>>>> drwxr-xr-x 6 root wheel 15 Jan 30 21:40 ..
>>>> srwxrwxrwx 1 root saslauth 0 Jan 30 21:40 mux
>>>> -rw------- 1 root saslauth 0 Jan 30 21:40 mux.accept
>>>> -rw------- 1 root saslauth 6 Jan 30 21:40 saslauthd.pid
>>>>
>>>>> On 30.01.2018 at 23:23, Ken Murchison <murch at fastmail.com> wrote:
>>>>>
>>>>> Hi Michael,
>>>>>
>>>>> What are the permissions on the socket that saslauthd is listening on?
>>>>>
>>>>>
>>>>>
>>>>> On 01/30/2018 05:06 PM, Michael Rüger wrote:
>>>>>> Hi
>>>>>>
>>>>>> (BTW, I was Guest39278 on IRC yesterday and got the chance to
>>>>>> introduce myself on Google Talk)
>>>>>>
>>>>>> I’m trying to set up imapd to use saslauthd for authentication.
>>>>>>
>>>>>> I have already a running saslauthd which uses PAM. I can run this
>>>>>>
>>>>>> root at cyrus3:/ # testsaslauthd -u mike -p mike
>>>>>> 0: OK "Success."
>>>>>>
>>>>>> and if i run
>>>>>>
>>>>>> root at cyrus3:/ # testsaslauthd -u mike -p abc
>>>>>> 0: NO "authentication failed"
>>>>>>
>>>>>> I get that logged in auth.log like this
>>>>>>
>>>>>> Jan 30 21:43:53 cyrus3 saslauthd[88721]: do_auth : auth
>>>>>> failure: [user=mike] [service=imap] [realm=] [mech=pam]
>>>>>> [reason=PAM auth error]
>>>>>>
>>>>>> In imapd.conf i have
>>>>>>
>>>>>> sasl_pwcheck_method: saslauthd
>>>>>>
>>>>>> Now I authenticate against imapd
>>>>>>
>>>>>> root at cyrus3:~ # imtest -t "" -u mike -a mike -w mike localhost
>>>>>> S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS
>>>>>> LOGINDISABLED AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5
>>>>>> AUTH=NTLM SASL-IR] cyrus3.intern.rueger.me Cyrus IMAP 3.0.5 server ready
>>>>>> C: S01 STARTTLS
>>>>>> S: S01 OK Begin TLS negotiation now
>>>>>> verify error:num=18:self signed certificate
>>>>>> TLS connection established: TLSv1.2 with cipher
>>>>>> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>>>>>> C: C01 CAPABILITY
>>>>>> S: * CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten
>>>>>> QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME
>>>>>> UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH
>>>>>> SEARCH=FUZZY SORT SORT=MODSEQ SORT=DISPLAY SORT=UID
>>>>>> THREAD=ORDEREDSUBJECT THREAD=REFERENCES THREAD=REFS ANNOTATEMORE
>>>>>> ANNOTATE-EXPERIMENT-1 METADATA LIST-EXTENDED LIST-STATUS
>>>>>> LIST-MYRIGHTS LIST-METADATA WITHIN QRESYNC SCAN XLIST XMOVE MOVE
>>>>>> SPECIAL-USE CREATE-SPECIAL-USE DIGEST=SHA1 X-REPLICATION URLAUTH
>>>>>> URLAUTH=BINARY AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5
>>>>>> AUTH=NTLM AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE
>>>>>> X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE
>>>>>> X-QUOTA=X-NUM-FOLDERS IDLE
>>>>>> S: C01 OK Completed
>>>>>> C: A01 AUTHENTICATE SCRAM-SHA-1
>>>>>> bixhPW1pa2Usbj1taWtlLHI9Z2Z1Ukp1cVc1Z1BybHhaWTdFcjVYUDR2WUtuMVhRNHc=
>>>>>> S: A01 NO authentication failure
>>>>>> Authentication failed. generic failure
>>>>>> Security strength factor: 256
>>>>>>
>>>>>> Nothing is reported in auth.conf
>>>>>>
>>>>>> If i do this
>>>>>>
>>>>>> root at cyrus3:~ # saslpasswd2 -c mike at cyrus3.intern.rueger.me
>>>>>> ...<entering "mike" twice here>
>>>>>> root at cyrus3:~ # imtest -t "" -u mike -a mike -w mike localhost
>>>>>> S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS
>>>>>> LOGINDISABLED AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5
>>>>>> AUTH=NTLM SASL-IR] cyrus3.intern.rueger.me Cyrus IMAP 3.0.5 server ready
>>>>>> C: S01 STARTTLS
>>>>>> …
>>>>>> Authenticated.
>>>>>> Security strength factor: 256
>>>>>>
>>>>>> it works against the local db BUT NOT against saslauthd.
>>>>>>
>>>>>> How do I set up imapd to talk to saslauthd?
>>>>>>
>>>>>> BTW I'm using
>>>>>> * cyrus-imapd30-3.0.5
>>>>>> * cyrus-sasl-2.1.26_13
>>>>>> * cyrus-sasl-saslauthd-2.1.26_3
>>>>>> on FreeBSD 11.1
>>>>>>
>>>>>> Thank you for any help,
>>>>>> Mike
>>>>>>
>>>>>
>>>>> --
>>>>> Ken Murchison
>>>>> Cyrus Development Team
>>>>> FastMail US LLC
>>>>
>>>
>>
>> --
>> Ken Murchison
>> Cyrus Development Team
>> FastMail US LLC
>
--
Ken Murchison
Cyrus Development Team
FastMail US LLC
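Added example, written for this page and not taken from the thread or from the cyrus-sasl project: a small Python client that speaks the saslauthd mux protocol that testsaslauthd speaks (four length-prefixed fields: login, password, service, realm; one length-prefixed "OK ..."/"NO ..." reply), plus a programmatic form of the ls -la check on the socket. Because no saslauthd is available where this runs, the block talks to a constructed stand-in server on a temporary socket; the user mike/mike, the mux.accept lock file and the reply texts are constructed to mirror the testsaslauthd output quoted above. On a real box, run check_password() as the cyrus user against /var/run/saslauthd/mux to confirm the daemon is reachable with the uid/gid imapd actually uses. One caveat worth keeping in mind when reading the log above: saslauthd only ever receives a plaintext login and password, so it can only back the PLAIN and LOGIN mechanisms; a SCRAM-SHA-1 (or DIGEST-MD5/CRAM-MD5) attempt is answered from the auxprop/sasldb path instead, so the saslauthd path is exercised with imtest -m PLAIN (or -m LOGIN).

```python
"""saslauthd mux protocol client plus socket reachability check (added example).

Wire format (what testsaslauthd sends): login, password, service, realm, each
as a big-endian 16-bit length followed by the bytes. The daemon replies with
one length-prefixed string beginning with "OK" or "NO".
"""
import os
import socket
import stat
import struct
import tempfile
import threading


def encode_request(login, password, service="imap", realm=""):
    """Build one saslauthd request: (u16 length, bytes) x 4."""
    out = b""
    for field in (login, password, service, realm):
        data = field.encode("utf-8")
        out += struct.pack("!H", len(data)) + data
    return out


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the mux socket early")
        buf += chunk
    return buf


def read_field(sock):
    """Read one length-prefixed string from the socket."""
    (length,) = struct.unpack("!H", _recv_exact(sock, 2))
    return _recv_exact(sock, length).decode("utf-8")


def diagnose_mux(mux_path):
    """Why the current uid/gid cannot use the mux socket, or None if it can.
    imapd (running as cyrus) needs search access to the directory and
    read/write access to the socket itself; this mirrors the ls -la check."""
    parent = os.path.dirname(mux_path) or "."
    if not os.access(parent, os.X_OK):
        return "directory not searchable by this uid/gid"
    try:
        st = os.stat(mux_path)
    except FileNotFoundError:
        return "socket does not exist (is saslauthd running?)"
    if not stat.S_ISSOCK(st.st_mode):
        return "not a socket"
    if not os.access(mux_path, os.R_OK | os.W_OK):
        return "socket not readable/writable by this uid/gid"
    return None


def check_password(mux_path, login, password, service="imap", realm=""):
    """Verify credentials via saslauthd; returns (ok, reply_text).
    Connection errors propagate: that is what imapd hits on a bad socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(mux_path)
        s.sendall(encode_request(login, password, service, realm))
        reply = read_field(s)
    return reply.startswith("OK"), reply


# Constructed stand-in for saslauthd so the example runs without the daemon.
FAKE_USERS = {"mike": "mike"}  # constructed sample credential


def fake_saslauthd(mux_path, ready):
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(mux_path)
        srv.listen(5)
        ready.set()
        while True:
            conn, _ = srv.accept()
            with conn:
                login, password, _svc, _realm = [read_field(conn) for _ in range(4)]
                if FAKE_USERS.get(login) == password:
                    msg = b'OK "Success."'
                else:
                    msg = b'NO "authentication failed"'
                conn.sendall(struct.pack("!H", len(msg)) + msg)


def run_demo():
    """Drive the client against the stand-in; returns a dict of results."""
    tmp = tempfile.mkdtemp()
    mux = os.path.join(tmp, "mux")
    results = {"diag_missing": diagnose_mux(mux)}  # before the daemon is up
    ready = threading.Event()
    threading.Thread(target=fake_saslauthd, args=(mux, ready), daemon=True).start()
    ready.wait(5)
    results["diag_running"] = diagnose_mux(mux)
    results["good"] = check_password(mux, "mike", "mike")
    results["bad"] = check_password(mux, "mike", "abc")
    lockfile = os.path.join(tmp, "mux.accept")  # saslauthd's lock file is a plain file
    open(lockfile, "w").close()
    results["diag_notsock"] = diagnose_mux(lockfile)  # pointing at the wrong path
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The service field is what ends up as [service=imap] in the saslauthd auth.log line quoted above, so passing the same service name imapd uses keeps PAM looking at the same stack.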