imapd is not talking to saslauthd

Ken Murchison murch at fastmail.com
Tue Jan 30 19:29:32 EST 2018


OK.  Major brain fart, since I'm trying to do 5 things at once. 
saslauthd will only be used for verifying plaintext passwords -- 
meaning it's only used for plaintext authentication methods.  Your imtest 
is trying to use SCRAM by default.

Add '-m plain' to your imtest and see what happens.

If you want to do your auth using only PAM, you will have to disable 
non-plaintext SASL mechs for Cyrus.  Add the following to imapd.conf:

sasl_mech_list: PLAIN LOGIN



On 01/30/2018 06:51 PM, Michael Rüger wrote:
> After enabling debug, restarting saslauthd and retriggering imtest, 
> saslauthd gets no request.
>
> root@cyrus3:/etc # /usr/local/etc/rc.d/saslauthd restart
> Stopping saslauthd.
> Waiting for PIDS: 88717.
> Starting saslauthd.
> saslauthd[90858] :main            : num_procs  : 5
> saslauthd[90858] :main            : mech_option: NULL
> saslauthd[90858] :main            : run_path   : /var/run/saslauthd
> saslauthd[90858] :main            : auth_mech  : pam
> saslauthd[90858] :ipc_init        : using accept lock file: /var/run/saslauthd/mux.accept
> saslauthd[90858] :detach_tty      : master pid is: 0
> saslauthd[90858] :ipc_init        : listening on socket: /var/run/saslauthd/mux
> saslauthd[90858] :main            : using process model
> saslauthd[90858] :have_baby       : forked child: 90859
> saslauthd[90859] :get_accept_lock : acquired accept lock
> saslauthd[90858] :have_baby       : forked child: 90860
> saslauthd[90858] :have_baby       : forked child: 90861
> saslauthd[90858] :have_baby       : forked child: 90862
>
>
>> On 31.01.2018 at 00:39, Ken Murchison <murch at fastmail.com> wrote:
>>
>> Your understanding is correct.  Can you run saslauthd with the -d 
>> (debug) command line option and see if it sheds any light?
>>
>>
>>
>> On 01/30/2018 06:31 PM, Michael Rüger wrote:
>>> Yes, Ken. The whole jail is freshly fired up. Yes it seems that 
>>> imapd is not calling saslauthd at all. I wondered if saslauthd 
>>> support is even compiled in.
>>>
>>> But if I understand the architecture correctly (and please correct 
>>> me if I'm wrong), imap is using the sasl lib, and the sasl lib 
>>> should have saslauthd support compiled in. This is, as far as I can 
>>> see, configured by HAVE_SASLAUTHD. I have compiled the cyrus-sasl lib 
>>> myself to verify that
>>>
>>> config.h:#define HAVE_SASLAUTHD /**/
>>>
>>> is enabled and
>>>
>>> root@cyrus3:/usr/ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.26/ 
>>> # strings /usr/local/lib/libsasl2.so | grep saslauthd
>>> saslauthd_path
>>> /var/run/saslauthd
>>> cannot create socket for saslauthd: %m
>>> cannot connect to saslauthd server: %m
>>>
>>> gives me confidence that it is compiled in.
>>>
>>> I also tried to "dtrace" into imapd, but had no success. FreeBSD's 
>>> dtrace has some problems inside a jail.
>>>
>>> So I guess I'm missing something tiny but important ;)
>>>
>>> Thx again for your support.
>>> Mike
>>>
>>>
>>>> On 31.01.2018 at 00:09, Ken Murchison <murch at fastmail.com> wrote:
>>>>
>>>> Has Cyrus IMAP been restarted since switching to saslauthd?  It 
>>>> doesn't look like Cyrus is even trying to use saslauthd.
>>>>
>>>>
>>>> On 01/30/2018 06:03 PM, Michael Rüger wrote:
>>>>> Struggled with enabling local6. The trick was to touch the new 
>>>>> syslog output file before restarting syslog with this new line
>>>>>
>>>>> local6.*   /var/log/local6
>>>>>
>>>>>
>>>>> root@cyrus3:/var/log # cat local6
>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: accepted connection
>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: accepted connection
>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() incomplete -> wait
>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() incomplete -> wait
>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() succeeded -> done
>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() succeeded -> done
>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: starttls: TLSv1.2 with cipher 
>>>>> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: starttls: TLSv1.2 with cipher 
>>>>> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL unable to canonify user 
>>>>> and get auxprops
>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL unable to canonify user 
>>>>> and get auxprops
>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210] 
>>>>> SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user 
>>>>> and get auxprops]
>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210] 
>>>>> SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user 
>>>>> and get auxprops]
>>>>>
>>>>>
>>>>>> On 30.01.2018 at 23:41, Ken Murchison <murch at fastmail.com> wrote:
>>>>>>
>>>>>> Hmm.
>>>>>>
>>>>>> I just switched my dev box to using saslauthd and it just 
>>>>>> worked.  I'm sure your problem is something simple, but it's 
>>>>>> escaping me at the moment.
>>>>>>
>>>>>> When imtest fails, what is logged in the Cyrus IMAP log (wherever 
>>>>>> local6 is logged)?
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 01/30/2018 05:34 PM, Michael Rüger wrote:
>>>>>>> Ken, thank you for jumping in!
>>>>>>>
>>>>>>> Some more info: the apps run as the following users and groups:
>>>>>>>
>>>>>>> root@cyrus3:~ # ps aux
>>>>>>> USER    PID %CPU %MEM    VSZ  RSS TT  STAT STARTED    TIME COMMAND
>>>>>>> root  88686  0.0  0.0  10500 2044  -  SsJ  21:40   0:00.02 
>>>>>>> /usr/sbin/syslogd -s
>>>>>>> root  88717  0.0  0.1  43928 4360  -  IsJ  21:40   0:00.01 
>>>>>>> /usr/local/sbin/saslauthd -a pam
>>>>>>> root  88718  0.0  0.1  43928 4360  -  IJ   21:40   0:00.01 
>>>>>>> /usr/local/sbin/saslauthd -a pam
>>>>>>> root  88720  0.0  0.1  43928 4276  -  IJ   21:40   0:00.00 
>>>>>>> /usr/local/sbin/saslauthd -a pam
>>>>>>> root  88721  0.0  0.1  43928 4360  -  IJ   21:40   0:00.01 
>>>>>>> /usr/local/sbin/saslauthd -a pam
>>>>>>> root  88722  0.0  0.1  43928 4276  -  IJ   21:40   0:00.00 
>>>>>>> /usr/local/sbin/saslauthd -a pam
>>>>>>> cyrus 88724  0.0  0.1  65504 5884  -  SsJ  21:40   0:00.07 
>>>>>>> /usr/local/cyrus/libexec/master -d
>>>>>>>
>>>>>>> root@cyrus3:~ # su - cyrus
>>>>>>> % id
>>>>>>> uid=60(cyrus) gid=60(cyrus) groups=60(cyrus),1003(saslauth)
>>>>>>>
>>>>>>>
>>>>>>>> On 30.01.2018 at 23:25, Michael Rüger <michael.g.rueger at gmail.com> wrote:
>>>>>>>>
>>>>>>>> root@cyrus3:~ # ls -la /var/run/saslauthd/
>>>>>>>> total 13
>>>>>>>> drwxr-x---  2 cyrus  saslauth   5 Jan 30 21:40 .
>>>>>>>> drwxr-xr-x  6 root wheel     15 Jan 30 21:40 ..
>>>>>>>> srwxrwxrwx  1 root saslauth   0 Jan 30 21:40 mux
>>>>>>>> -rw-------  1 root saslauth   0 Jan 30 21:40 mux.accept
>>>>>>>> -rw-------  1 root saslauth   6 Jan 30 21:40 saslauthd.pid
>>>>>>>>
>>>>>>>>> On 30.01.2018 at 23:23, Ken Murchison <murch at fastmail.com> wrote:
>>>>>>>>>
>>>>>>>>> Hi Michael,
>>>>>>>>>
>>>>>>>>> What are the permissions on the socket that saslauthd is 
>>>>>>>>> listening on?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 01/30/2018 05:06 PM, Michael Rüger wrote:
>>>>>>>>>> Hi
>>>>>>>>>>
>>>>>>>>>> (btw. I was Guest39278 on IRC yesterday and got the chance to 
>>>>>>>>>> introduce myself on googletalk)
>>>>>>>>>>
>>>>>>>>>> I’m trying to set up imapd to use saslauthd for authentication.
>>>>>>>>>>
>>>>>>>>>> I already have a running saslauthd which uses PAM. I can run this
>>>>>>>>>>
>>>>>>>>>> root@cyrus3:/ # testsaslauthd -u mike -p mike
>>>>>>>>>> 0: OK "Success."
>>>>>>>>>>
>>>>>>>>>> and if I run
>>>>>>>>>>
>>>>>>>>>> root@cyrus3:/ # testsaslauthd -u mike -p abc
>>>>>>>>>> 0: NO "authentication failed"
>>>>>>>>>>
>>>>>>>>>> I get that logged in auth.log like this
>>>>>>>>>>
>>>>>>>>>> Jan 30 21:43:53 cyrus3 saslauthd[88721]: do_auth   : auth failure: [user=mike] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
>>>>>>>>>>
>>>>>>>>>> In imapd.conf i have
>>>>>>>>>>
>>>>>>>>>> sasl_pwcheck_method: saslauthd
>>>>>>>>>>
>>>>>>>>>> Now I'm authenticating against imapd
>>>>>>>>>>
>>>>>>>>>> root@cyrus3:~ # imtest -t "" -u mike -a mike -w mike localhost
>>>>>>>>>> S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS 
>>>>>>>>>> LOGINDISABLED AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 
>>>>>>>>>> AUTH=NTLM SASL-IR] cyrus3.intern.rueger.me Cyrus IMAP 3.0.5 server ready
>>>>>>>>>> C: S01 STARTTLS
>>>>>>>>>> S: S01 OK Begin TLS negotiation now
>>>>>>>>>> verify error:num=18:self signed certificate
>>>>>>>>>> TLS connection established: TLSv1.2 with cipher 
>>>>>>>>>> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>>>>>>>>>> C: C01 CAPABILITY
>>>>>>>>>> S: * CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten 
>>>>>>>>>> QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME 
>>>>>>>>>> UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE 
>>>>>>>>>> ESEARCH SEARCH=FUZZY SORT SORT=MODSEQ SORT=DISPLAY SORT=UID 
>>>>>>>>>> THREAD=ORDEREDSUBJECT THREAD=REFERENCES THREAD=REFS 
>>>>>>>>>> ANNOTATEMORE ANNOTATE-EXPERIMENT-1 METADATA LIST-EXTENDED 
>>>>>>>>>> LIST-STATUS LIST-MYRIGHTS LIST-METADATA WITHIN QRESYNC SCAN 
>>>>>>>>>> XLIST XMOVE MOVE SPECIAL-USE CREATE-SPECIAL-USE DIGEST=SHA1 
>>>>>>>>>> X-REPLICATION URLAUTH URLAUTH=BINARY AUTH=SCRAM-SHA-1 
>>>>>>>>>> AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN 
>>>>>>>>>> SASL-IR COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE 
>>>>>>>>>> X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE
>>>>>>>>>> S: C01 OK Completed
>>>>>>>>>> C: A01 AUTHENTICATE SCRAM-SHA-1 
>>>>>>>>>> bixhPW1pa2Usbj1taWtlLHI9Z2Z1Ukp1cVc1Z1BybHhaWTdFcjVYUDR2WUtuMVhRNHc=
>>>>>>>>>> S: A01 NO authentication failure
>>>>>>>>>> Authentication failed. generic failure
>>>>>>>>>> Security strength factor: 256
>>>>>>>>>>
>>>>>>>>>> Nothing is reported in auth.conf
>>>>>>>>>>
>>>>>>>>>> If I do this
>>>>>>>>>>
>>>>>>>>>> root@cyrus3:~ # saslpasswd2 -c mike@cyrus3.intern.rueger.me
>>>>>>>>>> ...<entering "mike" twice here>
>>>>>>>>>> root@cyrus3:~ # imtest -t "" -u mike -a mike -w mike localhost
>>>>>>>>>> S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS 
>>>>>>>>>> LOGINDISABLED AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 
>>>>>>>>>> AUTH=NTLM SASL-IR] cyrus3.intern.rueger.me Cyrus IMAP 3.0.5 server ready
>>>>>>>>>> C: S01 STARTTLS
>>>>>>>>>>>>>>>>>>>> Authenticated.
>>>>>>>>>> Security strength factor: 256
>>>>>>>>>>
>>>>>>>>>> it is working against the local db BUT NOT against saslauthd.
>>>>>>>>>>
>>>>>>>>>> How do I set up imapd to talk to saslauthd?
>>>>>>>>>>
>>>>>>>>>> BTW I'm using
>>>>>>>>>> * cyrus-imapd30-3.0.5
>>>>>>>>>> * cyrus-sasl-2.1.26_13
>>>>>>>>>> * cyrus-sasl-saslauthd-2.1.26_3
>>>>>>>>>> on FreeBSD 11.1
>>>>>>>>>>
>>>>>>>>>> Thank you for any help,
>>>>>>>>>> Mike
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> -- 
>>>>>>>>> Ken Murchison
>>>>>>>>> Cyrus Development Team
>>>>>>>>> FastMail US LLC
>>>>>>>>> <murch.vcf>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>

-- 
Ken Murchison
Cyrus Development Team
FastMail US LLC
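As an added illustration of Ken's answer (example code written for this page, not part of the thread, Cyrus IMAP or cyrus-sasl): a plaintext verifier like saslauthd can only answer "is this password right?", which is enough for PLAIN and LOGIN, while a challenge-response mechanism such as SCRAM-SHA-1 needs per-user stored key material from an auxprop source like sasldb. The model below uses constructed classes (PlaintextOracle standing in for saslauthd, AuxpropStore for sasldb) and the SCRAM-SHA-1 arithmetic from RFC 5802; the sample user, password, salt and the check_imapd_conf helper are assumptions made for the demonstration. It also reproduces the imapd.conf mismatch from the thread: `sasl_pwcheck_method: saslauthd` with non-plaintext mechanisms still advertised.

```python
"""Added example, not Cyrus or cyrus-sasl code: why saslauthd can only back
plaintext SASL mechanisms, plus a check for the imapd.conf mismatch."""
import hashlib
import hmac

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


class PlaintextOracle:
    """Stands in for saslauthd: it can only answer 'is this password correct?'."""
    def __init__(self, passwords):
        self._pw = passwords  # constructed sample users, not a real backend

    def verify(self, user, password):
        return hmac.compare_digest(self._pw.get(user, ""), password)


class AuxpropStore:
    """Stands in for sasldb: holds the per-user SCRAM material the server needs."""
    def __init__(self, iterations=4096):
        self.iterations = iterations
        self._users = {}

    def add_user(self, user, password, salt):
        # Equivalent of what saslpasswd2 stores: derived keys, never the password.
        salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, self.iterations)
        client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
        self._users[user] = {"salt": salt, "stored_key": hashlib.sha1(client_key).digest()}

    def lookup(self, user):
        return self._users.get(user)


def scram_client_proof(password, salt, iterations, auth_message):
    """Client side of SCRAM-SHA-1 (RFC 5802): ClientProof = ClientKey XOR ClientSignature."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    return bytes(a ^ b for a, b in zip(client_key, client_sig))


def scram_server_verify(entry, auth_message, client_proof):
    """Server side: recover ClientKey from the proof and compare H(ClientKey) to StoredKey.
    Note there is no step here where a yes/no password oracle could help."""
    client_sig = hmac.new(entry["stored_key"], auth_message, hashlib.sha1).digest()
    client_key = bytes(a ^ b for a, b in zip(client_proof, client_sig))
    if hmac.compare_digest(hashlib.sha1(client_key).digest(), entry["stored_key"]):
        return "OK"
    return "authentication failure"


def authenticate(mech, user, password, oracle, store, auth_message=b"constructed-auth-message"):
    """Dispatch the way the thread describes: plaintext mechs can go to saslauthd,
    SCRAM needs auxprop material and fails like the local6 log when it is absent."""
    if mech in PLAINTEXT_MECHS:
        return "OK" if oracle.verify(user, password) else "authentication failure"
    if mech == "SCRAM-SHA-1":
        entry = store.lookup(user)
        if entry is None:
            return "user not found: unable to canonify user and get auxprops"
        proof = scram_client_proof(password, entry["salt"], store.iterations, auth_message)
        return scram_server_verify(entry, auth_message, proof)
    return f"mechanism {mech} not handled in this example"


def check_imapd_conf(conf_text):
    """Flag the misconfiguration from the thread: password checks delegated to
    saslauthd while non-plaintext mechanisms are still offered to clients."""
    opts = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        opts[key.strip()] = value.strip()
    problems = []
    if opts.get("sasl_pwcheck_method") != "saslauthd":
        return problems
    mechs = set(opts.get("sasl_mech_list", "").upper().split())
    if not mechs:
        problems.append("sasl_mech_list unset: every installed SASL mechanism is "
                        "offered, including ones saslauthd cannot verify")
    non_plain = sorted(mechs - PLAINTEXT_MECHS)
    if non_plain:
        problems.append("saslauthd cannot verify: " + " ".join(non_plain))
    return problems


if __name__ == "__main__":
    oracle = PlaintextOracle({"mike": "mike"})          # constructed sample user
    store = AuxpropStore()
    print("PLAIN via oracle:", authenticate("PLAIN", "mike", "mike", oracle, store))
    print("SCRAM, no auxprop:", authenticate("SCRAM-SHA-1", "mike", "mike", oracle, store))
    store.add_user("mike", "mike", b"constructed-salt")  # what saslpasswd2 -c did in the thread
    print("SCRAM via auxprop:", authenticate("SCRAM-SHA-1", "mike", "mike", oracle, store))
    print(check_imapd_conf("sasl_pwcheck_method: saslauthd\n"))
    print(check_imapd_conf("sasl_pwcheck_method: saslauthd\nsasl_mech_list: PLAIN LOGIN\n"))
```

Run as a script it walks through the thread's sequence: PLAIN succeeds through the oracle, SCRAM-SHA-1 fails with the "unable to canonify user and get auxprops" condition until the user exists in the auxprop store, and the config check is quiet only once `sasl_mech_list: PLAIN LOGIN` restricts the server to mechanisms saslauthd can verify. Restricting the mechanism list is what makes the trade-off explicit: with saslauthd, the password travels to the server in cleartext inside the TLS session, which is why the thread's imtest runs use `-t ""` to start TLS first.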
