Cyrus-Imapd 2.1.9 and trouble authenticating.

sddf dsfdfdf libolt4 at yahoo.com
Sun Sep 1 15:16:17 EDT 2002 

I'm attempting to setup cyrus-imapd 2.1.9 with
cyrus-sasl 2.1.6 on a Debian Sid based linux
distribution.  I've installed everything via packages
and attempted to configure sasl and imapd but have run
into some problems.  The MTA is Postfix. 

When I try to test the imap server with imtest as
follows, I get an error:

imtest -a cyrus -m login server

S: * OK libolt.net Cyrus IMAP4 v2.1.9-Debian2.1.9-1
server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+
MAILBOX-REFERRALS NAMESPACE UIDPLUS ID
NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE LISTEXT
LIST-SUBSCRIBED ANNOTATEMORE
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN cyrus {5}
S: + go ahead
C: <omitted>
S: L01 NO Login failed: authentication failure
Authentication failed. generic failure
Security strength factor: 0

/var/log/auth.log reports:

Sep  1 12:11:43 server saslauthd[11026]: AUTHFAIL:
user=cyrus service=imap realm=

/var/log/mail.log reports:

Sep  1 12:11:43 server cyrus/imapd[11189]: badlogin:
server.libolt.net[192.168.0.86] plaintext cyrus
SASL(-13): authentication failure: checkpass failed

According to sasldblistusers2 I've got the following
accounts setup, which seem correct to me.

cyrus at server.libolt.net: userPassword
libolt at server: userPassword
cyrus at server: userPassword
root at server: userPassword
cyrus at libolt.net: userPassword


The following is the output of my imapd.conf:

# Debian Cyrus imapd.conf
# See imapd.conf(5) for more information and more
options

# Configuration directory
configdirectory: /var/lib/cyrus

# Which partition to use for default mailboxes
defaultpartition: default
partition-default: /var/spool/cyrus/mail

# News setup
partition-news: /var/spool/cyrus/news
newsspool: /var/spool/news

servername: libolt.net

# Alternate namespace
# If enabled, activate the alternate namespace as
documented in
# /usr/share/doc/cyrus2-common/html/altnamespace.html,
where an user's
# subfolders are in the same level as the INBOX
altnamespace: yes

# UNIX Hierarchy Convention
# Set to yes, and cyrus will accept dots in names, and
use the forward
# slash "/" to delimit levels of the hierarchy. This
is done by converting
# internally all dots to "^", and all "/" to dots. So
the "rabbit.holes"
# mailbox of user "helmer.fudd" is stored in
"user.elmer^fud.rabbit^holes"
#
# WARNING: This option does NOT apply to admin tools
such as cyradm
# (admins ONLY), reconstruct, quota, etc., NOR does it
affect LMTP delivery
# of messages directly to mailboxes via
plus-addressing.
# See also userprefix and sharedprefix on
imapd.conf(5)
unixhierarchysep: yes

# Munging illegal characters in headers
# Headers of RFC2882 messages must not have characters
with the 8th bit
# set. However, too many badly-written MUAs generate
this, including most
# spamware.  Disable this if you want Cyrus to leave
the crappage untouched
# and you don't care that IMAP SEARCH won't work right
anymore.
#munge8bit: no

# Uncomment the following and add the space-separated
users who
# have admin rights. Note that mupdate slaves and
backends in a Murder
# cluster need to autenticate against the mupdate
master as admin users.
admins: cyrus libolt root

# List of users and groups that are allowed to proxy
for other users,
# seperated by spaces.  Any user listed in this will
be allowed to login
# for any other user
#proxyservers: cyrus

# No anonymous logins
allowanonymouslogin: no

# Minimum time between POP mail fetches in minutes
popminpoll: 1

# If nonzero, normal users may create their own IMAP
accounts by creating
# the mailbox INBOX.  The user's quota is set to the
value if it is positive,
# otherwise the user has unlimited quota.
autocreatequota: 0

# umask used by Cyrus programs
umask: 077

# Sendmail binary location (used by sieve)
sendmail: /usr/sbin/sendmail

# If enabled, cyrdeliver will look for Sieve scripts
in user's home
# directories: ~user/.sieve.
sieveusehomedir: false

# If sieveusehomedir is false, this directory is
searched for Sieve scripts.
sievedir: /var/spool/sieve

# notifyd(8) method to use for "MAIL" notifications. 
If not set, "MAIL"
# notifications are disabled.  Valid methods are:
null, log, zephyr
#mailnotifier: zephyr

# notifyd(8) method to use for "SIEVE" notifications. 
If not set, "SIEVE"
# notifications are disabled.  This method is only
used when no method is
# specified in the script.  Valid methods are null,
log, zephyr, mailto
#sievenotifier: zephyr

# DRAC (pop-before-smtp, imap-before-smtp) support
# Set dracinterval to the time in minutes to call DRAC
while a user is
# connected to the imap/pop services. Set to 0 to
disable DRAC (default)
# Set drachost to the host where the rpc drac service
is running
#dracinterval: 0
#drachost: localhost

# If enabled, the partitions will also be hashed, in
addition to the hashing
# done on configuration directories. This is
recommended if one partition has a
# very bushy mailbox tree.
hashimapspool: true

# Allow plaintext logins by default (SASL PLAIN)
allowplaintext: yes

# Force PLAIN/LOGIN authentication only
# (you need to uncomment this if you are not using an
auxprop-based SASL
# mechanism.  saslauthd users, that means you!). And
pay attention to
# sasl_minimum_layer below, too.
sasl_mech_list: PLAIN

# The minimum SSF that the server will allow a client
to negotiate. A
# value of 1 requires integrity protection; any higher
value requires some
# amount of encryption.
sasl_minimum_layer: 0

# The maximum SSF that the server will allow a client
to negotiate. A
# value of 1 requires integrity protection; any higher
value requires some
# amount of encryption.
sasl_maximum_layer: 256

# List of remote realms whose users may log in using
cross-realm
# authentications.  Seperate each realm name by a
space. A cross-realm
# identity is considered any identity returned by SASL
with an "@" in it.
#loginrealms:

#
# SASL library options (these are handled directly by
the SASL libraries,
# refer to SASL documentation for an up-to-date list
of these)
#

# The mechanism used by the server to verify plaintext
passwords.  Possible
# values are "saslauthd", "auxprop", "pwcheck" and
"alwaystrue".
#
# Do note that, since sasl will be run as user cyrus,
you may have a lot of
# trouble to set this up right.
sasl_pwcheck_method: saslauthd

# If enabled, the SASL library will automatically
create authentication secrets
# when given a plaintext password. Refer to SASL
documentation
sasl_auto_transition: no

#
# SSL/TLS Options
#

# File containing the global certificate used for ALL
services (imap, pop3,
# lmtp, sieve)
#tls_cert_file: /etc/ssl/certs/cyrus-global.pem

# File containing the private key belonging to the
global server certificate.
#tls_key_file: /etc/ssl/private/cyrus-global.key

# File containing the certificate used for imap. If
not specified, the global
# certificate is used.  A value of "disabled" will
disable SSL/TLS for imap.
#tls_imap_cert_file: /etc/ssl/certs/cyrus-imap.pem

# File containing the private key belonging to the
imap-specific server
# certificate.  If not specified, the global private
key is used.  A value of
# "disabled" will disable SSL/TLS for imap.
#tls_imap_key_file: /etc/ssl/private/cyrus-imap.key

# File containing the certificate used for pop3. If
not specified, the global
# certificate is used.  A value of "disabled" will
disable SSL/TLS for pop3.
#tls_pop3_cert_file: /etc/ssl/certs/cyrus-pop3.pem

# File containing the private key belonging to the
pop3-specific server
# certificate.  If not specified, the global private
key is used.  A value of
# "disabled" will disable SSL/TLS for pop3.
#tls_pop3_key_file: /etc/ssl/private/cyrus-pop3.key

# File containing the certificate used for lmtp. If
not specified, the global
# certificate is used.  A value of "disabled" will
disable SSL/TLS for lmtp.
#tls_lmtp_cert_file: /etc/ssl/certs/cyrus-lmtp.pem

# File containing the private key belonging to the
lmtp-specific server
# certificate.  If not specified, the global private
key is used.  A value of
# "disabled" will disable SSL/TLS for lmtp.
#tls_lmtp_key_file: /etc/ssl/private/cyrus-lmtp.key

# File containing the certificate used for sieve. If
not specified, the global
# certificate is used.  A value of "disabled" will
disable SSL/TLS for sieve.
#tls_sieve_cert_file: /etc/ssl/certs/cyrus-sieve.pem

# File containing the private key belonging to the
sieve-specific server
# certificate.  If not specified, the global private
key is used.  A value of
# "disabled" will disable SSL/TLS for sieve.
#tls_sieve_key_file: /etc/ssl/private/cyrus-sieve.key

# File containing one or more Certificate Authority
(CA) certificates.
#tls_ca_file: /etc/ssl/certs/cyrus-imapd-ca.pem

# Path to directory with certificates of CAs.
tls_ca_path: /etc/ssl/certs

# The length of time (in minutes) that a TLS session
will be cached for later
# reuse.  The maximum value is 1440 (24 hours), the
default.  A value of 0 will
# disable session caching.
tls_session_timeout: 1440

# The list of SSL/TLS ciphers to allow.  The format of
the string is described
# in ciphers(1). THIS DISABLES THE WEAK 'FOR EXPORT'
CRAP!
tls_cipher_list:
TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH

# Require a client certificate for ALL services (imap,
pop3, lmtp, sieve).
#tls_require_cert: false

# Require a client certificate for imap ONLY.
#tls_imap_require_cert: false

# Require a client certificate for pop3 ONLY.
#tls_pop3_require_cert: false

# Require a client certificate for lmtp ONLY.
#tls_lmtp_require_cert: false

# Require a client certificate for sieve ONLY.
#tls_sieve_require_cert: false

#
# Cyrus Murder cluster configuration
#
# Set the following options to the values needed for
this server to
# autenticate against the mupdate master server:
# mupdate_server
# mupdate_port
# mupdate_username
# mupdate_authname
# mupdate_realm
# mupdate_password
# mupdate_retry_delay

##
## KEEP THESE IN SYNC WITH cyrus.conf
##
# Unix domain socket that lmtpd listens on.
lmtpsocket: /var/run/cyrus/socket/lmtp

# Unix domain socket that idled listens on.
idlesocket: /var/run/cyrus/socket/idle

# Unix domain socket that the new mail notification
daemon listens on.
notifysocket: /var/run/cyrus/socket/notify

##
## DEBUGGING
##
# Debugging hook. See
/usr/share/doc/cyrus21-common/README.Debian.debug
# Keep the hook disabled when it is not in use
#
# gdb Back-traces
#debug_command: /usr/bin/gdb -batch -cd=/tmp -x
/usr/lib/cyrus/get-backtrace.gdb /usr/lib/cyrus/bin/%s
%d >/tmp/gdb-backtrace.cyrus.%1$s.%2$d <&- 2>&1 &
#
# system-call traces
#debug_command: /usr/bin/strace -tt -o
/tmp/strace.cyrus.%s.%d -p %2$d <&- 2>&1 &
#
# library traces
#debug_command: /usr/bin/ltrace -tt -n 2 -o
/tmp/ltrace.cyrus.%s.%d -p %2$d <&- 2>&1 &


Any help is greatly appreciated.

Mike

__________________________________________________
Do You Yahoo!?
Yahoo! Finance - Get real-time stock quotes
http://finance.yahoo.com

More information about the Info-cyrus mailing list