Cyrus IMAPd v2.1.15 / SASLv2 v2.1.15 fails
Marc-Christian Petersen
m.c.p at gmx.net
Thu Aug 28 15:23:49 EDT 2003
Hi all,
either I did something completely wrong or there are some heavy problems
within v2.1.15.
x86, Linux, gcc 3.2.3
cyrus2 configure options:
-------------------------
./configure --prefix=/opt/cyrus \
--with-cyrus-prefix=/opt/cyrus \
--sysconfdir=/opt/cyrus/etc \
--with-extraident="Linux-Systeme GmbH" \
--with-openssl \
--enable-murder \
--with-auth=unix \
--enable-netscapehack \
--enable-listext \
--enable-annotatemore \
--with-libwrap \
--with-idle=poll \
--with-cyrus-user=cyrus \
--with-cyrus-group=mail \
--with-syslogfacility=MAIL \
--with-seen-db=skiplist \
--with-mboxlist-db=skiplist \
--with-notify=unix \
--with-ucdsnmp=no \
--enable-fulldirhash \
--with-statedir=/opt/cyrus/var \
--with-tcl \
--with-sasl=/opt/cyrus \
--with-lock=fcntl \
--with-perl=/usr/bin/perl
sasl2 configure options:
------------------------
./configure --prefix=/opt/cyrus \
--with-saslauthd=/opt/cyrus/var/saslauthd \
--with-pwcheck=/opt/cyrus/var/pwcheck \
--enable-cmulocal \
--enable-checkapop \
--enable-cram \
--enable-digest \
--enable-plain \
--enable-anon \
--enable-login \
--enable-alwaystrue \
--disable-otp \
--with-opie=no \
--disable-krb4 \
--with-ldap \
--with-mysql \
--with-plugindir=/opt/cyrus/lib/sasl2 \
--with-dbpath=/etc/sasldb2 \
--enable-auth-sasldb
my imapd.conf and cyrus.conf are attached. With 2.1.14 I can simply login with
PLAIN, LOGIN, CRAM-MD5 and so on. Now with .15 this is no longer possible.
PLAIN and LOGIN are not showed up as valid mechs. See:
root at codeman:[/opt/cyrus/bin] # ./imtest -u mcp -a mcp -w root -m login -v
localhost
S: * OK codeman Cyrus IMAP4 v2.1.15-IPv6 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE
UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=NTLM AUTH=DIGEST-MD5
AUTH=CRAM-MD5 LISTEXT LIST-SUBSCRIBED ANNOTATEMORE X-NETSCAPE
S: C01 OK Completed
C: L01 LOGIN mcp {4}
S: + go ahead
C: <omitted>
S: L01 NO Login failed: generic failure
Authentication failed. generic failure
Security strength factor: 0
during above I see this in my syslog:
Aug 28 21:16:01 codeman cyrus/imapd[7317]: accepted connection
Aug 28 21:16:01 codeman cyrus/imapd[7317]: OTP unavailable because can't
read/write key database /etc/opiekeys: Permission denied
Aug 28 21:16:01 codeman cyrus/imapd[7317]: cannot connect to saslauthd server:
No such file or directory
Aug 28 21:16:01 codeman cyrus/imapd[7317]: badlogin: localhost[127.0.0.1]
plaintext mcp SASL(-1): generic failure: checkpass failed
1. OTP is disabled. So why the annoying syslogging?
2. Saslauthd is running!! So why it cannot connect to it?!?!
Another question I noticed with 2.1.14: If I login with plain and
autotransition is true, shouldn't it create the needed mech entries in
sasldb2? This was not the case. I had to create them by hand with
saslpasswd2.
What am I doing wrong? :-( ... I don't get it.
This is what I simply want:
1. System users should be able to login with PLAIN/LOGIN
2. After first successfull login, needed sasldb2 entries for CRAM-MD5 and
DIGEST-MD5 should be created automatically
3. The authentication should be against saslauthd (pam).
P.S.: I had this all running with early 2.0.x cyrus/sasl2 versions *shrug*
Thanks in advance.
--
ciao, Marc
-------------- next part --------------
# Debian Cyrus imapd.conf
# See imapd.conf(5) for more information and more options
# Servername
servername: codeman
# Configuration directory
configdirectory: /opt/cyrus/var/lib
# Which partition to use for default mailboxes
defaultpartition: default
partition-default: /opt/cyrus/var/spool/mail
# News setup
partition-news: /opt/cyrus/var/spool/news
newsspool: /var/spool/news
# Alternate namespace
# If enabled, activate the alternate namespace as documented in
# /usr/share/doc/cyrus2-common/html/altnamespace.html, where an user's
# subfolders are in the same level as the INBOX
altnamespace: no
# UNIX Hierarchy Convention
# Set to yes, and cyrus will accept dots in names, and use the forward
# slash "/" to delimit levels of the hierarchy. This is done by converting
# internally all dots to "^", and all "/" to dots. So the "rabbit.holes"
# mailbox of user "helmer.fudd" is stored in "user.elmer^fud.rabbit^holes"
#
# WARNING: This option does NOT apply to admin tools such as cyradm
# (admins ONLY), reconstruct, quota, etc., NOR does it affect LMTP delivery
# of messages directly to mailboxes via plus-addressing.
# See also userprefix and sharedprefix on imapd.conf(5)
unixhierarchysep: no
# Munging illegal characters in headers
# Headers of RFC2882 messages must not have characters with the 8th bit
# set. However, too many badly-written MUAs generate this, including most
# spamware. Disable this if you want Cyrus to leave the crappage untouched
# and you don't care that IMAP SEARCH won't work right anymore.
munge8bit: no
# Forcing recipient user to lowercase
# Cyrus 2.1 is case-sensitive. If all your mail users are in lowercase, it is
# probably a very good idea to set lmtp_downcase_rcpt to true. The default is
# to assume the user knows what he is doing, and not downcase anything.
#lmtp_downcase_rcpt: yes
# Uncomment the following and add the space-separated users who
# have admin rights for all services.
admins: webadmin root
# Space-separated list of users that have lmtp "admin" status (i.e. that
# can deliver email through TCP/IP lmtp) in addition to those in the
# admins: entry above
#lmtp_admins: postman
# Space-separated list of users that have mupdate "admin" status, in
# addition to those in the admins: entry above. Note that mupdate slaves and
# backends in a Murder cluster need to autenticate against the mupdate master
# as admin users.
#mupdate_admins: mupdateman
# Space-separated list of users that have imapd "admin" status, in
# addition to those in the admins: entry above
#imap_admins: cyrus
# Space-separated list of users that have sieve "admin" status, in
# addition to those in the admins: entry above
#sieve_admins: cyrus
# List of users and groups that are allowed to proxy for other users,
# seperated by spaces. Any user listed in this will be allowed to login
# for any other user. Like "admins:" above, you can have imap_proxyservers
# and sieve_proxyservers.
#proxyservers: cyrus
# No anonymous logins
allowanonymouslogin: no
# Minimum time between POP mail fetches in minutes
popminpoll: 0
# If nonzero, normal users may create their own IMAP accounts by creating
# the mailbox INBOX. The user's quota is set to the value if it is positive,
# otherwise the user has unlimited quota.
autocreatequota: 0
# umask used by Cyrus programs
umask: 077
# Sendmail binary location
# DUE TO A BUG, Cyrus sends CRLF EOLs to this program. This breaks Exim 3.
# For now, to work around the bug, set this to a wrapper that calls
# /usr/sbin/sendmail -dropcr instead if you use Exim 3. Exim 4 users can
# configure Exim to drop CRs in the Exim config file instead.
# Postfix and sendmail deal well with CRLF EOLs, and need no workarounds.
sendmail: /usr/sbin/sendmail
# If enabled, cyrdeliver will look for Sieve scripts in user's home
# directories: ~user/.sieve.
sieveusehomedir: false
# If sieveusehomedir is false, this directory is searched for Sieve scripts.
sievedir: /var/spool/sieve
# notifyd(8) method to use for "MAIL" notifications. If not set, "MAIL"
# notifications are disabled. Valid methods are: null, log, zephyr
#mailnotifier: zephyr
# notifyd(8) method to use for "SIEVE" notifications. If not set, "SIEVE"
# notifications are disabled. This method is only used when no method is
# specified in the script. Valid methods are null, log, zephyr, mailto
#sievenotifier: zephyr
# DRAC (pop-before-smtp, imap-before-smtp) support
# Set dracinterval to the time in minutes to call DRAC while a user is
# connected to the imap/pop services. Set to 0 to disable DRAC (default)
# Set drachost to the host where the rpc drac service is running
#dracinterval: 0
#drachost: localhost
# If enabled, the partitions will also be hashed, in addition to the hashing
# done on configuration directories. This is recommended if one partition has a
# very bushy mailbox tree.
hashimapspool: true
# Allow plaintext logins by default (SASL PLAIN)
allowplaintext: true
# Timeout
timeout: 30
poptimeout: 10
# Force PLAIN/LOGIN authentication only
# (you need to uncomment this if you are not using an auxprop-based SASL
# mechanism. saslauthd users, that means you!). And pay attention to
# sasl_minimum_layer below, too.
#sasl_mech_list: PLAIN
# The minimum SSF that the server will allow a client to negotiate. A
# value of 1 requires integrity protection; any higher value requires some
# amount of encryption.
#sasl_minimum_layer: 0
# The maximum SSF that the server will allow a client to negotiate. A
# value of 1 requires integrity protection; any higher value requires some
# amount of encryption.
#sasl_maximum_layer: 256
# List of remote realms whose users may log in using cross-realm
# authentications. Seperate each realm name by a space. A cross-realm
# identity is considered any identity returned by SASL with an "@" in it.
#loginrealms:
#
# SASL library options (these are handled directly by the SASL libraries,
# refer to SASL documentation for an up-to-date list of these)
#
# The mechanism(s) used by the server to verify plaintext passwords. Possible
# values are "saslauthd", "auxprop", "pwcheck" and "alwaystrue". They
# are tried in order, you can specify more than one, separated by spaces.
#
# Do note that, since sasl will be run as user cyrus, you may have a lot of
# trouble to set this up right.
#sasl_pwcheck_method: auxprop
sasl_pwcheck_method: saslauthd
# What auxpropd plugins to load, if using sasl_pwcheck_method: auxprop
# by default, all plugins are tried (which is probably NOT what you want).
#sasl_auxprop_plugin: sasldb
# If enabled, the SASL library will automatically create authentication secrets
# when given a plaintext password. Refer to SASL documentation
sasl_auto_transition: true
#
# SSL/TLS Options
#
# File containing the global certificate used for ALL services (imap, pop3,
# lmtp, sieve)
#tls_cert_file: /etc/ssl/certs/cyrus-global.pem
# File containing the private key belonging to the global server certificate.
#tls_key_file: /etc/ssl/private/cyrus-global.key
# File containing the certificate used for imap. If not specified, the global
# certificate is used. A value of "disabled" will disable SSL/TLS for imap.
#tls_imap_cert_file: /etc/ssl/certs/cyrus-imap.pem
# File containing the private key belonging to the imap-specific server
# certificate. If not specified, the global private key is used. A value of
# "disabled" will disable SSL/TLS for imap.
#tls_imap_key_file: /etc/ssl/private/cyrus-imap.key
# File containing the certificate used for pop3. If not specified, the global
# certificate is used. A value of "disabled" will disable SSL/TLS for pop3.
#tls_pop3_cert_file: /etc/ssl/certs/cyrus-pop3.pem
# File containing the private key belonging to the pop3-specific server
# certificate. If not specified, the global private key is used. A value of
# "disabled" will disable SSL/TLS for pop3.
#tls_pop3_key_file: /etc/ssl/private/cyrus-pop3.key
# File containing the certificate used for lmtp. If not specified, the global
# certificate is used. A value of "disabled" will disable SSL/TLS for lmtp.
#tls_lmtp_cert_file: /etc/ssl/certs/cyrus-lmtp.pem
# File containing the private key belonging to the lmtp-specific server
# certificate. If not specified, the global private key is used. A value of
# "disabled" will disable SSL/TLS for lmtp.
#tls_lmtp_key_file: /etc/ssl/private/cyrus-lmtp.key
# File containing the certificate used for sieve. If not specified, the global
# certificate is used. A value of "disabled" will disable SSL/TLS for sieve.
#tls_sieve_cert_file: /etc/ssl/certs/cyrus-sieve.pem
# File containing the private key belonging to the sieve-specific server
# certificate. If not specified, the global private key is used. A value of
# "disabled" will disable SSL/TLS for sieve.
#tls_sieve_key_file: /etc/ssl/private/cyrus-sieve.key
# File containing one or more Certificate Authority (CA) certificates.
#tls_ca_file: /etc/ssl/certs/cyrus-imapd-ca.pem
# Path to directory with certificates of CAs.
tls_ca_path: /etc/ssl/certs
# The length of time (in minutes) that a TLS session will be cached for later
# reuse. The maximum value is 1440 (24 hours), the default. A value of 0 will
# disable session caching.
tls_session_timeout: 1440
# The list of SSL/TLS ciphers to allow. The format of the string is described
# in ciphers(1). THIS DISABLES THE WEAK 'FOR EXPORT' CRAP!
tls_cipher_list: TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
# Require a client certificate for ALL services (imap, pop3, lmtp, sieve).
#tls_require_cert: false
# Require a client certificate for imap ONLY.
#tls_imap_require_cert: false
# Require a client certificate for pop3 ONLY.
#tls_pop3_require_cert: false
# Require a client certificate for lmtp ONLY.
#tls_lmtp_require_cert: false
# Require a client certificate for sieve ONLY.
#tls_sieve_require_cert: false
#
# Cyrus Murder cluster configuration
#
# Set the following options to the values needed for this server to
# autenticate against the mupdate master server:
# mupdate_server
# mupdate_port
# mupdate_username
# mupdate_authname
# mupdate_realm
# mupdate_password
# mupdate_retry_delay
##
## KEEP THESE IN SYNC WITH cyrus.conf
##
# Unix domain socket that lmtpd listens on.
lmtpsocket: /opt/cyrus/var/lib/socket/lmtp
# Unix domain socket that idled listens on.
idlesocket: /opt/cyrus/var/lib/socket/idle
# Unix domain socket that the new mail notification daemon listens on.
notifysocket: /opt/cyrus/var/lib/socket/notify
##
## DEBUGGING
##
# Debugging hook. See /usr/share/doc/cyrus21-common/README.Debian.debug
# Keep the hook disabled when it is not in use
#
# gdb Back-traces
#debug_command: /usr/bin/gdb -batch -cd=/tmp -x /usr/lib/cyrus/get-backtrace.gdb /usr/lib/cyrus/bin/%s %d >/tmp/gdb-backtrace.cyrus.%1$s.%2$d <&- 2>&1 &
#
# system-call traces
#debug_command: /usr/bin/strace -tt -o /tmp/strace.cyrus.%s.%d -p %2$d <&- 2>&1 &
#
# library traces
#debug_command: /usr/bin/ltrace -tt -n 2 -o /tmp/ltrace.cyrus.%s.%d -p %2$d <&- 2>&1 &
-------------- next part --------------
# Debian defaults for Cyrus IMAP standalone server implementation
# see cyrus.conf(5) for more information
#
# All the tcp services are tcpd-wrapped. see hosts_access(5)
START {
# do not delete this entry!
recover cmd="/opt/cyrus/bin/ctl_cyrusdb -r"
# this is only necessary if using idled for IMAP IDLE
# this is NOT to be enabled right now in Debian builds
#idled cmd="/opt/cyrus/bin/idled"
# this is useful on backend nodes of a Murder cluster
# it causes the backend to syncronize its mailbox list with
# the mupdate master upon startup
#mupdatepush cmd="/opt/cyrus/bin/ctl_mboxlist -m"
# this is recommended if using duplicate delivery suppression
delprune cmd="/opt/cyrus/bin/ctl_deliver -E 3"
# this is recommended if caching TLS sessions
#tlsprune cmd="/opt/cyrus/bin/tls_prune"
}
# UNIX sockets start with a slash and are put into /var/lib/cyrus/socket
# (hmh at debian.org: master.c is broken, the above is not true. Use the full
# path for now until someone fixes it).
# you can use a maxchild=# to limit the maximum number of forks of a service
SERVICES {
# add or remove based on preferences
imap cmd="/opt/cyrus/bin/imapd" listen="imap2" prefork=0 maxchild=100
# imaps cmd="/opt/cyrus/bin/imapd -s" listen="imaps" prefork=0 maxchild=100
pop3 cmd="/opt/cyrus/bin/pop3d" listen="pop-3" prefork=0 maxchild=50
# pop3s cmd="/opt/cyrus/bin/pop3d -s" listen="pop3s" prefork=0 maxchild=50
# useful if you need to give users remote access to sieve
sieve cmd="/opt/cyrus/bin/timsieved" listen="localhost:2625" prefork=0 maxchild=100
# At least one form of LMTP is required for delivery
# (you must keep the socket name in sync with the values in imap.conf)
lmtp cmd="/opt/cyrus/bin/lmtpd" listen="localhost:2626" prefork=0 maxchild=20
lmtpunix cmd="/opt/cyrus/bin/lmtpd" listen="/opt/cyrus/var/lib/socket/lmtp" prefork=0 maxchild=20
# this is only necessary if using notifications
# notify cmd="/opt/cyrus/bin/notifyd" listen="/opt/cyrus/var/lib/socket/notify" proto="udp" prefork=1
# Cyrus Murder
# mupdate cmd="/usr/cyrus/bin/mupdate -m" listen=2004 prefork=1
}
EVENTS {
# this is required
checkpoint cmd="/opt/cyrus/bin/ctl_cyrusdb -c" period=30
# this is only necessary if using duplicate delivery suppression
delprune cmd="/opt/cyrus/bin/ctl_deliver -E 3" period=1440
# this is only necessary if caching TLS sessions
#tlsprune cmd="/opt/cyrus/bin/tls_prune" period=1440
# Indexing
squatter cmd="/opt/cyrus/bin/squatter -r user" period=1440
}
More information about the Info-cyrus
mailing list