timsieved not offering any auth mechanisms

Ken Murchison ken at oceana.com
Sun Oct 6 08:45:15 EDT 2002


Quoting Scott Russell <lnxgeek at us.ibm.com>:

> On Sat, Oct 05, 2002 at 12:53:46PM -0400, Ken Murchison wrote:
> > Quoting Matt Bernstein <mb/cyrus at dcs.qmul.ac.uk>:
> > 
> > > At 09:24 -0400 Ken Murchison wrote:
> > > 
> > > >> Telnet-ing to port 2000 gives me:
> > > >> 
> > > >> "IMPLEMENTATION" "Cyrus timsieved v1.1.0"
> > > >> "SIEVE" "fileinto reject envelope vacation imapflags notify subaddress
> > > >> relational regex"
> > > >> OK
> > > >> 
> > > >> ..and "STARTTLS" if I configure it. But there's no "SASL" line.
> > > 
> > > >I'm guessing that one of two things is happening:
> > > >
> > > >1. you have allowplaintext:no in imapd.conf
> > > 
> > > nope :) In fact I'd even tried explicitly "allowplaintext: yes".
> > > 
> > > >2. you installed SASL in a non-default location and Cyrus can't find the
> > > >plugins.  If you do:
> > > >
> > > >imtest -t '' -a <user> -u <user> <server>
> > > 
> > > [mangled by pine justifying my middle button paste :)]
> > > 
> > > S: * OK vicar Cyrus IMAP4 v2.1.9 server ready
> > > C: C01 CAPABILITY
> > > S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS 
> > > NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
> > > THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS LISTEXT
> > > LIST-SUBSCRIBED ANNOTATEMORE
> > > S: C01 OK Completed
> > > C: S01 STARTTLS
> > > S: S01 OK Begin TLS negotiation now
> > > verify error:num=19:self signed certificate in certificate chain
> > > TLS connection established: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
> > > C: C01 CAPABILITY
> > > S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS 
> > > NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
> > > THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=LOGIN
> > > AUTH=PLAIN LISTEXT LIST-SUBSCRIBED ANNOTATEMORE
> > > S: C01 OK Completed
> > > C: A01 AUTHENTICATE LOGIN
> > > S: + VXNlcm5hbWU6
> > > 
> > > >what mechs are listed?  I'm guessing none.  If this is the case, either link
> > > >your SASL plugins directory to /usr/lib/sasl2 or rebuild Cyrus using the
> > > >--with-sasl option.  FYI, the reason that IMAP and POP3 both work is that they
> > > >each have their own plaintext login commands (LOGIN and USER/PASS 
> > > >respectively), which don't depend on SASL plugins.
> > > 
> > > I've got AUTHENTICATE PLAIN working on imapd as it's used to presubscribe
> > > our new accounts to a couple of folders we create.
> > > 
> > > I have /usr/lib/sasl2 -> ../local/lib/sasl2, in which live seemingly the
> > > right things.
> > 
> > Hmm.  You shot me down on both common problems.  You only see this problem with
> > timsieved?  What about lmtpd?
> 
> I've been following this thread and have timsieved from cyrus 2.1.9
> working fine myself. A few things nag me about the imtest capture from
> above.
> 
> Previously it was said that only PLAIN and LOGIN mechs are allowed
> based on the imapd.conf line: sasl_mech_list: plain login. But if you
> look at the imtest dump the AUTH=LOGIN AUTH=PLAIN mechs aren't shown
> until _after_ the TLS negotiation takes place. To me this indicates
> that PLAIN and LOGIN are not allowed unless they're under the TLS/SSL
> layer.

This is true for imapd and pop3d since they both have their own plaintext login 
commands.  Since timsieved doesn't have a separate command, plaintext SASL 
mechs are always allowed unless they are explicitly turned off.

> I also noticed that sasl_minimum_layer: 1 was set in the imapd.conf. I
> don't recall but doesn't that exclude PLAIN and LOGIN unless they are
> under SSL/TLS?

Good catch!  I completely missed this the first time around.  Most people don't 
use those sasl options, so it never occurred to me to look.

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
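
The effect of sasl_minimum_layer discussed above, as an added example (not part of the original message and not Cyrus code): a simplified model of how a minimum security layer hides mechanisms that provide no layer of their own until TLS supplies one. The SSF table, the sample config and all function names are assumptions made for illustration.

```python
# Added illustration: a simplified model, not Cyrus or Cyrus SASL source code.

# Assumed maximum security-layer strength (SSF) each mechanism can negotiate.
# PLAIN and LOGIN provide no security layer of their own, so theirs is 0.
MECH_MAX_SSF = {"PLAIN": 0, "LOGIN": 0, "DIGEST-MD5": 128}

# Constructed imapd.conf fragment using the two options named in the thread.
SAMPLE_CONF = """\
# constructed sample, not the poster's real file
sasl_mech_list: plain login
sasl_minimum_layer: 1
"""


def parse_conf(text):
    """Parse 'key: value' lines, skipping blank lines and # comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip().lower()] = value.strip()
    return opts


def offered_mechs(opts, external_ssf=0):
    """Listed mechanisms that satisfy sasl_minimum_layer given an outer layer's SSF."""
    min_ssf = int(opts.get("sasl_minimum_layer", "0"))
    still_needed = max(min_ssf - external_ssf, 0)  # TLS counts toward the minimum
    listed = opts.get("sasl_mech_list", " ".join(MECH_MAX_SSF)).upper().split()
    return [m for m in listed if MECH_MAX_SSF.get(m, -1) >= still_needed]


def audit(text, tls_ssf=168):
    """Return (before_tls, after_tls, findings); 168 matches the imtest capture."""
    opts = parse_conf(text)
    before, after = offered_mechs(opts, 0), offered_mechs(opts, tls_ssf)
    findings = []
    if not before and after:
        findings.append("sasl_minimum_layer hides every listed mechanism "
                        "until TLS is active; no SASL line before STARTTLS")
    elif not after:
        findings.append("no listed mechanism is usable even under TLS")
    return before, after, findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```
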




More information about the Info-cyrus mailing list