imapd is not talking to saslauthd

Ken Murchison murch at fastmail.com
Tue Jan 30 18:39:02 EST 2018


Your understanding is correct.  Can you run saslauthd with the -d 
(debug) command line option and see if it sheds any light?



On 01/30/2018 06:31 PM, Michael Rüger wrote:
> Yes, Ken. The whole jail is freshly fired up. Yes, it seems that imapd 
> is not calling saslauthd at all. I wondered if saslauthd support is 
> even compiled in.
>
> But if I understand the architecture correctly (and please correct me 
> if I'm wrong), imap is using the sasl lib, and the sasl lib should 
> have saslauthd support compiled in. This is, as far as I can see, 
> configured by HAVE_SASLAUTHD. I have compiled the cyrus-sasl lib 
> myself to verify that
>
> config.h:#define HAVE_SASLAUTHD /**/
>
> is enabled and
>
> root@cyrus3:/usr/ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.26/ # strings /usr/local/lib/libsasl2.so | grep saslauthd
> saslauthd_path
> /var/run/saslauthd
> cannot create socket for saslauthd: %m
> cannot connect to saslauthd server: %m
>
> gives me confidence that it is compiled in.
>
> I also tried to "dtrace" into imapd, but had no success. FreeBSD's 
> dtrace has some problems inside a jail.
>
> So I guess I'm missing something tiny but important ;)
>
> Thx again for your support.
> Mike
>
>
>> On 31.01.2018 at 00:09, Ken Murchison <murch at fastmail.com> wrote:
>>
>> Has Cyrus IMAP been restarted since switching to saslauthd?  It 
>> doesn't look like Cyrus is even trying to use saslauthd.
>>
>>
>> On 01/30/2018 06:03 PM, Michael Rüger wrote:
>>> Struggled with enabling local6. The trick was to touch the new 
>>> syslog output file before restarting syslog with this new line
>>>
>>> local6.*   /var/log/local6
>>>
>>>
>>> root@cyrus3:/var/log # cat local6
>>> Jan 30 22:59:51 cyrus3 imap[90156]: accepted connection
>>> Jan 30 22:59:51 cyrus3 imap[90156]: accepted connection
>>> Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() incomplete -> wait
>>> Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() incomplete -> wait
>>> Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() succeeded -> done
>>> Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() succeeded -> done
>>> Jan 30 22:59:51 cyrus3 imap[90156]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
>>> Jan 30 22:59:51 cyrus3 imap[90156]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL unable to canonify user and get auxprops
>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL unable to canonify user and get auxprops
>>> Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210] SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get auxprops]
>>> Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210] SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get auxprops]
>>>
>>>
>>>> On 30.01.2018 at 23:41, Ken Murchison <murch at fastmail.com> wrote:
>>>>
>>>> Hmm.
>>>>
>>>> I just switched my dev box to using saslauthd and it just worked.  
>>>> I'm sure your problem is something simple, but it's escaping me at 
>>>> the moment.
>>>>
>>>> When imtest fails, what is logged in the Cyrus IMAP log (wherever 
>>>> local6 is logged)?
>>>>
>>>>
>>>>
>>>> On 01/30/2018 05:34 PM, Michael Rüger wrote:
>>>>> Ken, thank you for jumping in!
>>>>>
>>>>> Some more info: the apps run as the following users and groups
>>>>>
>>>>> root@cyrus3:~ # ps aux
>>>>> USER    PID %CPU %MEM    VSZ  RSS TT  STAT STARTED    TIME COMMAND
>>>>> root  88686  0.0  0.0  10500 2044  -  SsJ  21:40   0:00.02 /usr/sbin/syslogd -s
>>>>> root  88717  0.0  0.1  43928 4360  -  IsJ  21:40   0:00.01 /usr/local/sbin/saslauthd -a pam
>>>>> root  88718  0.0  0.1  43928 4360  -  IJ   21:40   0:00.01 /usr/local/sbin/saslauthd -a pam
>>>>> root  88720  0.0  0.1  43928 4276  -  IJ   21:40   0:00.00 /usr/local/sbin/saslauthd -a pam
>>>>> root  88721  0.0  0.1  43928 4360  -  IJ   21:40   0:00.01 /usr/local/sbin/saslauthd -a pam
>>>>> root  88722  0.0  0.1  43928 4276  -  IJ   21:40   0:00.00 /usr/local/sbin/saslauthd -a pam
>>>>> cyrus 88724  0.0  0.1  65504 5884  -  SsJ  21:40   0:00.07 /usr/local/cyrus/libexec/master -d
>>>>>
>>>>> root@cyrus3:~ # su - cyrus
>>>>> % id
>>>>> uid=60(cyrus) gid=60(cyrus) groups=60(cyrus),1003(saslauth)
>>>>>
>>>>>
>>>>>> On 30.01.2018 at 23:25, Michael Rüger <michael.g.rueger at gmail.com> wrote:
>>>>>>
>>>>>> root@cyrus3:~ # ls -la /var/run/saslauthd/
>>>>>> total 13
>>>>>> drwxr-x---  2 cyrus  saslauth   5 Jan 30 21:40 .
>>>>>> drwxr-xr-x  6 root   wheel     15 Jan 30 21:40 ..
>>>>>> srwxrwxrwx  1 root   saslauth   0 Jan 30 21:40 mux
>>>>>> -rw-------  1 root   saslauth   0 Jan 30 21:40 mux.accept
>>>>>> -rw-------  1 root   saslauth   6 Jan 30 21:40 saslauthd.pid
>>>>>>
>>>>>>> On 30.01.2018 at 23:23, Ken Murchison <murch at fastmail.com> wrote:
>>>>>>>
>>>>>>> Hi Michael,
>>>>>>>
>>>>>>> What are the permissions on the socket that saslauthd is 
>>>>>>> listening on?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 01/30/2018 05:06 PM, Michael Rüger wrote:
>>>>>>>> Hi
>>>>>>>>
>>>>>>>> (btw. I was Guest39278 on IRC yesterday and got the chance to 
>>>>>>>> introduce myself on googletalk)
>>>>>>>>
>>>>>>>> I'm trying to set up imapd to use saslauthd for authentication.
>>>>>>>>
>>>>>>>> I already have a running saslauthd which uses PAM. I can run this
>>>>>>>>
>>>>>>>> root@cyrus3:/ # testsaslauthd -u mike -p mike
>>>>>>>> 0: OK "Success."
>>>>>>>>
>>>>>>>> and if I run
>>>>>>>>
>>>>>>>> root@cyrus3:/ # testsaslauthd -u mike -p abc
>>>>>>>> 0: NO "authentication failed"
>>>>>>>>
>>>>>>>> I get that logged in auth.log like this
>>>>>>>>
>>>>>>>> Jan 30 21:43:53 cyrus3 saslauthd[88721]: do_auth   : auth failure: [user=mike] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
>>>>>>>>
>>>>>>>> In imapd.conf i have
>>>>>>>>
>>>>>>>> sasl_pwcheck_method: saslauthd
>>>>>>>>
>>>>>>>> Now I'm authenticating against imapd
>>>>>>>>
>>>>>>>> root@cyrus3:~ # imtest -t "" -u mike -a mike -w mike localhost
>>>>>>>> S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM SASL-IR] cyrus3.intern.rueger.me Cyrus IMAP 3.0.5 server ready
>>>>>>>> C: S01 STARTTLS
>>>>>>>> S: S01 OK Begin TLS negotiation now
>>>>>>>> verify error:num=18:self signed certificate
>>>>>>>> TLS connection established: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>>>>>>>> C: C01 CAPABILITY
>>>>>>>> S: * CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SEARCH=FUZZY SORT SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES THREAD=REFS ANNOTATEMORE ANNOTATE-EXPERIMENT-1 METADATA LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS LIST-METADATA WITHIN QRESYNC SCAN XLIST XMOVE MOVE SPECIAL-USE CREATE-SPECIAL-USE DIGEST=SHA1 X-REPLICATION URLAUTH URLAUTH=BINARY AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE
>>>>>>>> S: C01 OK Completed
>>>>>>>> C: A01 AUTHENTICATE SCRAM-SHA-1 bixhPW1pa2Usbj1taWtlLHI9Z2Z1Ukp1cVc1Z1BybHhaWTdFcjVYUDR2WUtuMVhRNHc=
>>>>>>>> S: A01 NO authentication failure
>>>>>>>> Authentication failed. generic failure
>>>>>>>> Security strength factor: 256
>>>>>>>>
>>>>>>>> Nothing is reported in auth.conf
>>>>>>>>
>>>>>>>> If i do this
>>>>>>>>
>>>>>>>> root@cyrus3:~ # saslpasswd2 -c mike@cyrus3.intern.rueger.me
>>>>>>>> …<entering "mike" twice here>
>>>>>>>> root@cyrus3:~ # imtest -t "" -u mike -a mike -w mike localhost
>>>>>>>> S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM SASL-IR] cyrus3.intern.rueger.me Cyrus IMAP 3.0.5 server ready
>>>>>>>> C: S01 STARTTLS
>>>>>>>> Authenticated.
>>>>>>>> Security strength factor: 256
>>>>>>>>
>>>>>>>> it is working against local db BUT NOT against saslauthd.
>>>>>>>>
>>>>>>>> How do i setup imapd to talk to saslauthd?
>>>>>>>>
>>>>>>>> BTW I'm using
>>>>>>>> * cyrus-imapd30-3.0.5
>>>>>>>> * cyrus-sasl-2.1.26_13
>>>>>>>> * cyrus-sasl-saslauthd-2.1.26_3
>>>>>>>> on FreeBSD 11.1
>>>>>>>>
>>>>>>>> Thank you for any help,
>>>>>>>> Mike
>>>>>>>>
>>>>>>>
>>>>>>> -- 
>>>>>>> Ken Murchison
>>>>>>> Cyrus Development Team
>>>>>>> FastMail US LLC
>>>>>>
>>>>>
>>>>
>>>> -- 
>>>> Ken Murchison
>>>> Cyrus Development Team
>>>> FastMail US LLC
>>>
>>
>> -- 
>> Ken Murchison
>> Cyrus Development Team
>> FastMail US LLC
>

-- 
Ken Murchison
Cyrus Development Team
FastMail US LLC
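As an added example (not code from this thread or from the Cyrus project), the following Python client speaks the protocol that testsaslauthd and libsasl2's saslauthd backend use on the mux socket: four counted strings (login, password, service, realm), each a 2-byte big-endian length followed by the bytes, answered by one counted string that starts with "OK" or "NO". It is paired with an in-process stand-in for saslauthd so the exchange can be run offline; the socket directory, the mike/mike test credentials and the shape of the auth.log line are taken from the thread, while the stand-in's password table and its `[mech=table]` log line are constructed. One fact the example leans on that the thread only shows indirectly: `sasl_pwcheck_method: saslauthd` is consulted only by the plaintext mechanisms (PLAIN and LOGIN), which hand a password over for verification, whereas SCRAM-SHA-1, the mechanism imtest negotiated above, needs the shared secret from an auxprop source such as sasldb, which is why the IMAP log reports "no user in db" and auth.log stays quiet. Running a client like this (or testsaslauthd) as the cyrus user checks the socket and directory permissions independently of imapd.

```python
"""Minimal client for the saslauthd mux-socket protocol plus an offline stand-in.

Added example: not code from the mailing-list thread or from the Cyrus project.
"""
import socket
import struct
import threading

# Socket directory seen in the thread (/var/run/saslauthd); the listening
# socket inside it is named "mux".
SASLAUTHD_MUX = "/var/run/saslauthd/mux"


def _counted(data: bytes) -> bytes:
    """One protocol field: 2-byte big-endian length followed by the bytes."""
    if len(data) > 0xFFFF:
        raise ValueError("field too long for a 16-bit length prefix")
    return struct.pack(">H", len(data)) + data


def encode_request(login: str, password: str, service: str, realm: str = "") -> bytes:
    """Build the request exactly as the client sends it to saslauthd."""
    return b"".join(_counted(f.encode("utf-8")) for f in (login, password, service, realm))


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("saslauthd closed the connection early")
        buf += chunk
    return buf


def _recv_counted(sock: socket.socket) -> bytes:
    (n,) = struct.unpack(">H", _recv_exact(sock, 2))
    return _recv_exact(sock, n)


def decode_request(sock: socket.socket) -> tuple:
    """Server side: read (login, password, service, realm) from a client."""
    return tuple(_recv_counted(sock).decode("utf-8") for _ in range(4))


def authenticate(sock: socket.socket, login: str, password: str,
                 service: str = "imap", realm: str = "") -> tuple:
    """Run one exchange on an already-connected socket; returns (ok, reply)."""
    sock.sendall(encode_request(login, password, service, realm))
    reply = _recv_counted(sock).decode("utf-8", "replace")
    return reply.startswith("OK"), reply


def authenticate_via_mux(login: str, password: str, service: str = "imap",
                         realm: str = "", path: str = SASLAUTHD_MUX) -> tuple:
    """Talk to a real saslauthd. The caller needs read/write on the socket and
    search (x) on its directory, which is what the cyrus user gets through the
    saslauth group in the thread's ls -la output."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        return authenticate(s, login, password, service, realm)


def fake_saslauthd(sock: socket.socket, users: dict) -> None:
    """Serve one request the way saslauthd would, against a constructed
    password table instead of PAM. The password itself is never logged."""
    login, password, service, realm = decode_request(sock)
    ok = users.get(login) == password
    if not ok:
        # Constructed log line modelled on the auth.log entry in the thread.
        print(f"saslauthd: do_auth   : auth failure: [user={login}] "
              f"[service={service}] [realm={realm}] [mech=table] [reason=bad password]")
    reply = b'OK "Success."' if ok else b'NO "authentication failed"'
    sock.sendall(_counted(reply))
    sock.close()


def run_offline_demo() -> dict:
    """Drive the client against the stand-in over a socketpair; returns the
    (ok, reply) result for a good and a bad password (constructed data)."""
    users = {"mike": "mike"}  # constructed, mirroring testsaslauthd -u mike -p mike
    results = {}
    for label, pw in (("good", "mike"), ("bad", "abc")):
        client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
        t = threading.Thread(target=fake_saslauthd, args=(server, users))
        t.start()
        try:
            results[label] = authenticate(client, "mike", pw, "imap")
        finally:
            client.close()
            t.join()
    return results


if __name__ == "__main__":
    for label, (ok, reply) in run_offline_demo().items():
        print(f"{label}: {reply}")
```

The `0:` that testsaslauthd prints in front of `OK "Success."` in the thread is its own request counter, not part of the wire reply, so the reply strings returned here match what the daemon actually sends.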
