timsieved not offering any auth mechanisms
Scott Russell
lnxgeek at us.ibm.com
Sat Oct 5 19:09:34 EDT 2002
On Sat, Oct 05, 2002 at 12:53:46PM -0400, Ken Murchison wrote:
> Quoting Matt Bernstein <mb/cyrus at dcs.qmul.ac.uk>:
>
> > At 09:24 -0400 Ken Murchison wrote:
> >
> > >> Telnet-ing to port 2000 gives me:
> > >>
> > >> "IMPLEMENTATION" "Cyrus timsieved v1.1.0"
> > >> "SIEVE" "fileinto reject envelope vacation imapflags notify subaddress
> > >> relational regex"
> > >> OK
> > >>
> > >> ..and "STARTTLS" if I configure it. But there's no "SASL" line.
> >
> > >I'm guessing that one of two things is happening:
> > >
> > >1. you have allowplaintext:no in imapd.conf
> >
> > nope :) In fact I'd even tried explicitly "allowplaintext: yes".
> >
> > >2. you installed SASL in a non-default location and Cyrus can't find the
> > >plugins. If you do:
> > >
> > >imtest -t '' -a <user> -u <user> <server>
> >
> > [mangled by pine justifying my middle button paste :)]
> >
> > S: * OK vicar Cyrus IMAP4 v2.1.9 server ready
> > C: C01 CAPABILITY
> > S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> > NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
> > THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS LISTEXT
> > LIST-SUBSCRIBED ANNOTATEMORE
> > S: C01 OK Completed
> > C: S01 STARTTLS
> > S: S01 OK Begin TLS negotiation now
> > verify error:num=19:self signed certificate in certificate chain
> > TLS connection established: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
> > C: C01 CAPABILITY
> > S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> > NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
> > THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=LOGIN
> > AUTH=PLAIN LISTEXT LIST-SUBSCRIBED ANNOTATEMORE
> > S: C01 OK Completed
> > C: A01 AUTHENTICATE LOGIN
> > S: + VXNlcm5hbWU6
> >
> > >what mechs are listed? I'm guessing none. If this is the case, either link
> > >your SASL plugins directory to /usr/lib/sasl2 or rebuild Cyrus using the
> > >--with-sasl option. FYI, the reason that IMAP and POP3 both work is that they
> > >each have their own plaintext login commands (LOGIN and USER/PASS
> > >respectively), which don't depend on SASL plugins.
> >
> > I've got AUTHENTICATE PLAIN working on imapd as it's used to presubscribe
> > our new accounts to a couple of folders we create.
> >
> > I have /usr/lib/sasl2 -> ../local/lib/sasl2, in which live seemingly the
> > right things.
>
> Hmm. You shot me down on both common problems. You only see this problem with
> timsieved? What about lmtpd?

I've been following this thread and have timsieved from cyrus 2.1.9
working fine myself. A few things nag me about the imtest capture from
above.

Previously it was said that only PLAIN and LOGIN mechs are allowed
based on the imapd.conf line: sasl_mech_list: plain login. But if you
look at the imtest dump the AUTH=LOGIN AUTH=PLAIN mechs aren't shown
until _after_ the TLS negotiation takes place. To me this indicates
that PLAIN and LOGIN are not allowed unless they're under the TLS/SSL
layer.

I also noticed that sasl_minimum_layer: 1 was set in the imapd.conf. I
don't recall, but doesn't that exclude PLAIN and LOGIN unless they are
under SSL/TLS?

It might be interesting to see if timsieved shows a SASL line after
TLS/SSL negotiation is done. Or try setting sasl_minimum_layer: 0 and
see if the SASL line shows up in timsieved prior to TLS/SSL
negotiation.

Just some wild thoughts.

--
Scott Russell (lnxgeek at us.ibm.com)
Linux Technology Center, System Admin, RHCE.
Dial 877-735-8200 then ask for 919-543-9289 (TTY)
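
The comparison suggested in the message above (which mechanisms a server advertises before and after TLS comes up), as an added example that is not part of the original post. The function name is hypothetical, the captures are the ones quoted in the thread, and the quoted-string form of the "SASL" line is an assumption, since the thread never shows one:

```python
import re

# Captures quoted in the thread, quote markers stripped, line folding kept as
# posted; the imtest capture runs through the second CAPABILITY response.
IMTEST = """\
S: * OK vicar Cyrus IMAP4 v2.1.9 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS LISTEXT
LIST-SUBSCRIBED ANNOTATEMORE
S: C01 OK Completed
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
verify error:num=19:self signed certificate in certificate chain
TLS connection established: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=LOGIN
AUTH=PLAIN LISTEXT LIST-SUBSCRIBED ANNOTATEMORE
S: C01 OK Completed
"""
SIEVE = '''\
"IMPLEMENTATION" "Cyrus timsieved v1.1.0"
"SIEVE" "fileinto reject envelope vacation imapflags notify subaddress
relational regex"
OK
'''

# One pass over the whole text, so mechanisms on folded continuation lines
# are still seen. The "SASL" "..." alternative is the assumed sieve form.
EVENT = re.compile(r'(TLS connection established)|\bAUTH=([\w-]+)|"SASL" "([^"]*)"')

def mechs_by_phase(capture):
    """Return (before_tls, after_tls): sets of mechanisms advertised in each phase."""
    before, after = set(), set()
    current = before
    for tls, imap_mech, sieve_mechs in EVENT.findall(capture):
        if tls:
            current = after          # everything from here on was sent under TLS
        elif imap_mech:
            current.add(imap_mech.upper())
        else:
            current.update(sieve_mechs.upper().split())
    return before, after

if __name__ == "__main__":
    for name, capture in (("imapd", IMTEST), ("timsieved", SIEVE)):
        before, after = mechs_by_phase(capture)
        print(name, "pre-TLS:", sorted(before), "post-TLS:", sorted(after))
```

A capture of timsieved taken after STARTTLS can be passed through the same function to see whether a "SASL" line appears only once the TLS layer is up.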