From tomhans18 at gmail.com Mon Jan 6 02:37:59 2020
From: tomhans18 at gmail.com (Tom Hans)
Date: Mon, 6 Jan 2020 08:37:59 +0100
Subject: Sasl client SMTP AUTH PLAIN syntax
Message-ID:

Hello there,

I have a tricky issue and cannot find any solution for it.
The issue looks like the following:
I have a postfix server which relays all emails to another mail server.
The postfix server has to use AUTH PLAIN for authorization, TLS is enforced for security.
Therefore I configured postfix with cyrus sasl.

I can see that my configuration is working and cyrus generates the correct base64 string for authorization and postfix uses this too by sending the following line:

AUTH PLAIN AG5zc0RTaFRYL2krc25jdjA=

The receiving server responds with: 500 syntax error
Because of this I tested the communication manually using openssl and I was able to find the main issue, the receiving server needs to have the following dialog: (C: Postfix, S: receiving instance):
C: AUTH PLAIN
S: 334
C: AG5zc0RTaFRYL2krc25jdjA=

Is it possible to use this longer syntax by doing some changes in cyrus?

Thanks for your help,
Tom

From murch at fastmail.com Mon Jan 6 07:24:17 2020
From: murch at fastmail.com (Ken Murchison)
Date: Mon, 6 Jan 2020 07:24:17 -0500
Subject: Sasl client SMTP AUTH PLAIN syntax
In-Reply-To:
References:
Message-ID:

On 1/6/20 2:37 AM, Tom Hans wrote:
> Hello there,
>
> I have a tricky issue and cannot find any solution for it.
> The issue looks like the following:
> I have a postfix server which relays all emails to another mail server.
> The postfix server has to use AUTH PLAIN for authorization, TLS is
> enforced for security.
> Therefore I configured postfix with cyrus sasl.
>
> I can see that my configuration is working and cyrus generates the
> correct base64 string for authorization and postfix uses this too by
> sending the following line:
>
> AUTH PLAIN AG5zc0RTaFRYL2krc25jdjA=
>
> The receiving server responds with: 500 syntax error
> Because of this I tested the communication manually using openssl and
> I was able to find the main issue, the receiving server needs to have
> the following dialog: (C: Postfix, S: receiving instance):
> C: AUTH PLAIN
> S: 334
> C: AG5zc0RTaFRYL2krc25jdjA=

First off, the receiving SMTP server is buggy if it doesn't support the initial response after the SASL mechanism name, per RFC 4954.

>
> Is it possible to use this longer syntax by doing some changes in cyrus?

It is up to the client application (Postfix) to determine whether the protocol (SMTP) and/or the SASL mechanism (PLAIN) supports an initial client response and call sasl_client_start() with the appropriate clientout parameter. For this buggy SMTP server, Postfix should either use a NULL value for clientout, or NOT send the generated value with the AUTH command and wait for an empty server challenge.

The bottom line is that Cyrus SASL knows nothing about the application protocol and simply does what the application asks it to do.

--
Ken Murchison
Cyrus Development Team
Fastmail US LLC

From momphh at gmail.com Fri Jan 17 19:45:57 2020
From: momphh at gmail.com (Hugo Boss)
Date: Fri, 17 Jan 2020 20:45:57 -0400
Subject: sasl troubleshooting
Message-ID:

Hello

I try to set up a cyrus murder stack and I have issues to move mailboxes between my 2 backends:

My stack:
2 frontends
1 mupdate
2 backends

When I try to move a mailbox between my 2 backends, I have an issue with this message:
"sasl no worthy mechs found"
"Frontend couldn't authenticate to backend server"

The cyrus-sasl-plain has been installed.
I can move mailboxes in the same backend partitions

Thanks in advance.

From momphh at gmail.com Fri Jan 17 20:37:37 2020
From: momphh at gmail.com (Hugo Boss)
Date: Fri, 17 Jan 2020 21:37:37 -0400
Subject: sasl issues
Message-ID:

Hello

I try to set up a cyrus murder stack and I have issues to move mailboxes between my 2 backends:

My stack:
2 frontends
1 mupdate
2 backends

When I try to move a mailbox between my 2 backends, I have an issue with this message:
"sasl no worthy mechs found"
"Frontend couldn't authenticate to backend server"

The cyrus-sasl-plain has been installed.
I can move mailboxes in the same backend partitions.

In the backends:
sasl_pwcheck_method: saslauthd

Thanks in advance.

From aio.sasl at aio.nu Fri Jan 24 08:03:00 2020
From: aio.sasl at aio.nu (AiO)
Date: Fri, 24 Jan 2020 14:03:00 +0100 (CET)
Subject: Pull-request with kerberos token delegation option
In-Reply-To:
References:
Message-ID:

On Tue, 10 Dec 2019, Simo Sorce wrote:

> On Mon, 2019-12-09 at 10:26 +0100, AiO wrote:
>> Hi all,
>>
>> Just wanted to spread the knowledge of a pull-request I've made with some
>> nice server-side improvements on GSSAPI and Kerberos token options to use a
>> credentials cache to store user's tokens. This enables CyrusSASL to not
>> just be an authentication end-point, but also allows for single-sign-on to
>> other services server-side.
>>
>> Check it (#586) out - hope it's good-enough for the feature-set addressed.
>
> I made a review.

I have made a few more commits with various fixes - the only thing remaining (if I'm ever gonna fix it) is fallback to [libdefaults] default_ccache_name and maybe even DEFCCNAME. However... I think I solved most of your very good comments.

I ran into a bit of a problem with some other commits breaking client-side credentials loading, however #591 will fix these issues (Thanks @hrs-allbsd !! Well spotted!).
I have another question tho: the Travis C.I. seems very flimsy - It seems to sometimes (almost always) break on one of the jobs. The MacOSX job... Who is handling Travis?

And... Who is responsible for getting pull-requests onto master in this project? Because both #591 and #586 are needed in tandem to get master to work.

Kind regards,
/AiO

From quanah at symas.com Fri Jan 24 12:57:05 2020
From: quanah at symas.com (Quanah Gibson-Mount)
Date: Fri, 24 Jan 2020 09:57:05 -0800
Subject: Pull-request with kerberos token delegation option
In-Reply-To:
References:
Message-ID: <44A4C85ABF7C122CCDCE69D4@[192.168.1.144]>

--On Friday, January 24, 2020 2:03 PM +0100 AiO wrote:

> And... Who is responsible for getting pull-requests onto master in this
> project? Because both #591 and #586 are needed in tandem to get master to
> work.

I'm hoping to start working on getting commits integrated to cyrus-sasl fairly soon, although I need to discuss policy & procedures with the rest of the people in the project. Right now I have a couple major commitments to another project I need to get finished first.

Regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:

From simo at redhat.com Mon Jan 27 04:50:51 2020
From: simo at redhat.com (Simo Sorce)
Date: Mon, 27 Jan 2020 04:50:51 -0500
Subject: Pull-request with kerberos token delegation option
In-Reply-To: <44A4C85ABF7C122CCDCE69D4@[192.168.1.144]>
References: <44A4C85ABF7C122CCDCE69D4@[192.168.1.144]>
Message-ID: <2846e18af25ca63966b3af86b9f213a2a6d3fd29.camel@redhat.com>

I will take a second look next week, currently too busy.

On Fri, 2020-01-24 at 09:57 -0800, Quanah Gibson-Mount wrote:
>
> --On Friday, January 24, 2020 2:03 PM +0100 AiO wrote:
>
> > And... Who is responsible for getting pull-requests onto master in this
> > project? Because both #591 and #586 are needed in tandem to get master to
> > work.
>
> I'm hoping to start working on getting commits integrated to cyrus-sasl
> fairly soon, although I need to discuss policy & procedures with the rest
> of the people in the project. Right now I have a couple major commitments
> to another project I need to get finished first.
>
> Regards,
> Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
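
For the "Sasl client SMTP AUTH PLAIN syntax" thread at the top of this archive, the two forms of the AUTH PLAIN exchange (response on the AUTH line versus response after an empty 334 challenge) can be compared side by side. This is an added example, not code from any of the posts, from Postfix or from Cyrus SASL; `ToyServer`, `auth_plain`, `plain_token` and the credentials used with them are constructed for illustration.

```python
import base64
import hmac

def plain_token(authcid, passwd, authzid=""):
    """PLAIN message (RFC 4616): authzid NUL authcid NUL passwd, then base64."""
    raw = "\0".join((authzid, authcid, passwd)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

class ToyServer:
    """Constructed stand-in for a server's AUTH PLAIN handling.

    accept_initial=False mimics the receiving server in the thread, which
    rejects a response sent on the AUTH line itself.
    """
    def __init__(self, expected_token, accept_initial=True):
        self.expected = expected_token.encode("ascii")
        self.accept_initial = accept_initial
        self.awaiting_response = False

    def _check(self, token):
        # Constant-time comparison of the presented and expected tokens.
        ok = hmac.compare_digest(token.encode("utf-8"), self.expected)
        return "235 2.7.0 Authentication successful" if ok else \
               "535 5.7.8 Authentication credentials invalid"

    def handle(self, line):
        if self.awaiting_response:            # reply to our 334 challenge
            self.awaiting_response = False
            return self._check(line)
        parts = line.split(" ")
        if parts[:2] != ["AUTH", "PLAIN"] or len(parts) > 3:
            return "500 syntax error"
        if len(parts) == 3:                   # initial response on AUTH line
            return self._check(parts[2]) if self.accept_initial else "500 syntax error"
        self.awaiting_response = True
        return "334 "                         # empty challenge

def auth_plain(server, token, initial_response=True):
    """Run one AUTH PLAIN attempt; return the transcript as (side, line) pairs."""
    log = []
    def send(line):
        log.append(("C", line))
        log.append(("S", server.handle(line)))
        return log[-1][1]
    if initial_response:
        send("AUTH PLAIN " + token)           # one round trip
    elif send("AUTH PLAIN").startswith("334"):
        send(token)                           # response sent after the challenge
    return log
```

Calling `auth_plain(ToyServer(tok, accept_initial=False), tok, initial_response=False)` reproduces the three-line dialog from the original question, while the same server answers the one-line form with `500 syntax error`.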