Murder and Backend Authentication
Ken Murchison
ken at oceana.com
Fri Jan 31 16:34:24 EST 2003
Hank Beatty wrote:
>
> OK. That makes sense. Are there any SASL mechs that can use PAM?
Like Rob said, just PLAIN, which will require you to use STARTTLS, which
is only in 2.2. That being said, since you will likely only have one or
two proxy admins, you could just put them in sasldb2 and use DIGEST-MD5.
>
> ----- Original Message -----
> From: "Rob Siemborski" <rjs3 at andrew.cmu.edu>
> To: "Hank Beatty" <hbeatty.lists at earthlink.net>
> Cc: "Cyrus-Info" <info-cyrus at lists.andrew.cmu.edu>
> Sent: Friday, January 31, 2003 3:18 PM
> Subject: Re: Murder and Backend Authentication
>
> > You aren't offering any SASL mechanisms. I believe the 2.2 code even
> > supports STARTTLS (and therefore PLAIN).
> >
> > You need to support a SASL mechanism that allows proxy authentication.
> > The regular IMAP login command isn't good enough.
> >
> > -Rob
> >
> > On Fri, 31 Jan 2003, Hank Beatty wrote:
> >
> > > And when I use imtest:
> > >
> > > [root at draco root]# imtest -u hbeatty -a hbeatty localhost
> > > S: * OK draco Cyrus IMAP4 v2.2.prealpha server ready
> > > C: C01 CAPABILITY
> > > S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> > > NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
> > > THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE
> > > MUPDATE=mupdate://zeus.email.starband.net/
> > > S: C01 OK Completed
> > > Please enter your password:
> > > C: L01 LOGIN hbeatty {4}
> > > S: + go ahead
> > > C: <omitted>
> > > S: L01 OK User logged in
> > > Authenticated.
> > > Security strength factor: 0
> > >
> > > ----- Original Message -----
> > > From: "Rob Siemborski" <rjs3 at andrew.cmu.edu>
> > > To: "Hank Beatty" <hbeatty.lists at earthlink.net>
> > > Cc: "Cyrus-Info" <info-cyrus at lists.andrew.cmu.edu>
> > > Sent: Friday, January 31, 2003 2:29 PM
> > > Subject: Re: Murder and Backend Authentication
> > >
> > >
> > > > What SASL mechanism are you using between your frontend and backends?
> > > >
> > > > Or rather, what mechanisms are your backends advertising?
> > > >
> > > > -Rob
> > > >
> > > > On Fri, 31 Jan 2003, Hank Beatty wrote:
> > > >
> > > > > I'm working on getting a Murder setup and I can authenticate and pull mail
> > > > > directly from the backend server.
> > > > >
> > > > > However, when I try to proxy the connection I get this in /var/log/messages
> > > > > on the proxy/master:
> > > > >
> > > > > Jan 31 13:40:35 zeus pop3[5437]: login: SERVER[192.168.247.241] hbeatty plaintext
> > > > > Jan 31 13:40:35 zeus pop3[5437]: couldn't authenticate to backend server: no mechanism available
> > > > > Jan 31 13:40:35 zeus pop3[5437]: couldn't authenticate to backend server
> > > > >
> > > > > I get this in /var/log/imapd.log on the backend server:
> > > > >
> > > > > Jan 31 13:45:01 draco pop3[32718]: accepted connection
> > > > > Jan 31 13:45:01 draco master[32724]: about to exec /usr/cyrus/bin/pop3d
> > > > > Jan 31 13:45:01 draco master[32688]: process 32718 exited, status 0
> > > > > Jan 31 13:45:01 draco pop3[32724]: executed
> > > > >
> > > > > With this in mind it would seem that when using the proxy the authentication
> > > > > method is different somehow. Is this correct?
> > > > >
> > > > >
> > > > >
> > > >
> > > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > > Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
> > > > Research Systems Programmer * /usr/contributed Gatekeeper
> > > >
> > >
> > >
> > >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
> > Research Systems Programmer * /usr/contributed Gatekeeper
> >
--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26 Orchard Park, NY 14127
--PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp
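
The diagnosis in this thread, as an added example (not part of the original messages and not Cyrus code): a Python check that reads a backend's CAPABILITY line and lists the SASL mechanisms a frontend could use for proxy authentication. The `PROXY_CAPABLE` set, the function names and the second sample line are assumptions of this example.

```python
# Added example, not Cyrus code: classify the SASL mechanisms a backend
# advertises in its IMAP CAPABILITY response.

# Assumption (from the SASL mechanism specs, not from the thread): these
# mechanisms carry a separate authorization identity, so a proxy admin can
# authenticate on behalf of a user. CRAM-MD5 and plain LOGIN cannot.
PROXY_CAPABLE = {"PLAIN", "DIGEST-MD5", "GSSAPI"}
# Mechanisms that send the password itself and so need TLS underneath.
NEEDS_TLS = {"PLAIN", "LOGIN"}


def parse_capability(response: str) -> dict:
    """Split an untagged CAPABILITY response into mechanisms and flags."""
    tokens = response.split()
    if tokens[:2] == ["*", "CAPABILITY"]:
        tokens = tokens[2:]
    upper = [t.upper() for t in tokens]
    return {
        "mechs": [t[5:] for t in upper if t.startswith("AUTH=") and len(t) > 5],
        "starttls": "STARTTLS" in upper,
    }


def proxy_mechs(caps: dict, tls_active: bool = False) -> list:
    """Mechanisms a frontend could use to proxy-authenticate to this backend."""
    usable = []
    for mech in caps["mechs"]:
        if mech not in PROXY_CAPABLE:
            continue  # no authorization identity, cannot act for another user
        if mech in NEEDS_TLS and not (tls_active or caps["starttls"]):
            continue  # cleartext password with no way to protect it
        usable.append(mech)
    return usable


# Capability line from the imtest session quoted in this message (rejoined).
BACKEND_FROM_THREAD = (
    "* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS "
    "NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT "
    "THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE "
    "MUPDATE=mupdate://zeus.email.starband.net/"
)
# Constructed sample: a backend that also advertises SASL mechanisms.
BACKEND_WITH_SASL = "* CAPABILITY IMAP4 IMAP4rev1 STARTTLS AUTH=DIGEST-MD5 AUTH=CRAM-MD5"

if __name__ == "__main__":
    for name, line in (("thread", BACKEND_FROM_THREAD), ("sasl", BACKEND_WITH_SASL)):
        caps = parse_capability(line)
        print(name, caps["mechs"], "->", proxy_mechs(caps) or "no mechanism available")
```
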