Problems running CyrAdm

Ken Murchison ken at oceana.com
Fri Apr 18 08:24:34 EDT 2003



Nikola Milutinovic wrote:
> 
> Patrick Welche wrote:
> > On Thu, Apr 17, 2003 at 07:46:17AM +0200, Nikola Milutinovic wrote:
> > ...
> >
> >>QUESTIONS
> >>---------
> >>
> >>While I can accept that maybe Perl 5.8.0-MT is buggy (I've run all the
> >>tests, but I cannot guarantee),
> >
> >
> > You can take perl out of the list of possibilities by using imtest instead
> > of cyradm...
> 
> > ... so then you can check which mechanisms are used, in other words check
> > the syntax of /etc/imapd.conf, using imtest, possibly with the
> > [ -m mechanism ] flag.
> 
> Now a bit of strangeness:
> -----------------------------------------------------------------------------
> # ./imtest -u root -v -m plain localhost
> S: * OK Legba.ev.co.yu Cyrus IMAP4 v2.1.12 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE
> UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=NTLM AUTH=GSSAPI AUTH=OTP
> AUTH=DIGEST-MD5 AUTH=CRAM-MD5 LISTEXT LIST-SUBSCRIBED ANNOTATEMORE
> S: C01 OK Completed
> C: A01 AUTHENTICATE PLAIN
> S: A01 NO no mechanism available
> Authentication failed. generic failure
> Security strength factor: 0
> 
> . LOGIN root root00
> . OK User logged in
> -----------------------------------------------------------------------------
> 
> So, the user/pass that I'm storing in sasl2.db is OK and recognized by the
> server, but "PLAIN" isn't advertised. Is "LOGIN" command of IMAP (the one I used
> to login) the same as "AUTHENTICATE PLAIN"? I know there are "PLAIN" (as being
> plaintext login) and "LOGIN" (unsupported Microsoft propriatery method) methods.
> What exactly is going on here?

The LOGIN that you used is the IMAP LOGIN command which is always
available unless you turn 'allowplaintext' off (in which case you'll see
the LOGINDISABLED capability).  The PLAIN/LOGIN SASL mechs are NOT
advertised unless protected by a security layer like SSL/TLS (per RFC
2595).  Since STARTTLS isn't advertised, you don't have it configured,
but if you did, you could do:

./imtest -u root -v -m plain -t '' localhost


If you don't specify -m <mech>, imtest will pick what it feels is the
most secure mechanism.  In your case, this will probably be GSSAPI or
DIGEST-MD5.

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
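
Added example (not part of the original message and not Cyrus code): the reply's reading of the CAPABILITY line, expressed as a check an administrator could run over a captured response. The names parse_capability and audit_auth, the finding labels, and the tls_active parameter are assumptions made for this illustration; the first sample is the response quoted in the thread, the second is constructed.

```python
# SASL mechanisms that transmit the password itself (RFC 2595 ties them to TLS).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_capability(response):
    """Parse an untagged '* CAPABILITY ...' response; line wrapping is tolerated."""
    tokens = response.split()
    if tokens[:2] == ["*", "CAPABILITY"]:
        tokens = tokens[2:]
    caps = {t.upper() for t in tokens}
    return {
        "sasl_mechs": sorted(c[len("AUTH="):] for c in caps if c.startswith("AUTH=")),
        "starttls": "STARTTLS" in caps,
        # The IMAP LOGIN command is usable unless LOGINDISABLED is advertised.
        "login_command": "LOGINDISABLED" not in caps,
    }

def audit_auth(response, tls_active):
    """Return finding labels (hypothetical names) for one connection state."""
    info = parse_capability(response)
    findings = []
    if not tls_active:
        if info["login_command"]:
            findings.append("cleartext-login-command")      # allowplaintext is on
        if PLAINTEXT_MECHS & set(info["sasl_mechs"]):
            findings.append("plaintext-sasl-without-tls")   # contrary to RFC 2595
        if not info["starttls"]:
            findings.append("starttls-not-offered")         # TLS not configured
    if "PLAIN" not in info["sasl_mechs"]:
        # Explains "A01 NO no mechanism available" for AUTHENTICATE PLAIN.
        findings.append("authenticate-plain-unavailable")
    return findings

# Response quoted in the thread (unencrypted connection).
THREAD_SAMPLE = (
    "* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE\n"
    "UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT\n"
    "THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=NTLM AUTH=GSSAPI AUTH=OTP\n"
    "AUTH=DIGEST-MD5 AUTH=CRAM-MD5 LISTEXT LIST-SUBSCRIBED ANNOTATEMORE"
)
# Constructed sample: a server with TLS configured and plaintext logins disabled.
HARDENED_SAMPLE = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=DIGEST-MD5"

if __name__ == "__main__":
    print(audit_auth(THREAD_SAMPLE, tls_active=False))
    print(audit_auth(HARDENED_SAMPLE, tls_active=False))
```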



