how to proxy for a user [was Re: Geographically Redundant mail stores]
Marco Colombo
marco at esi.it
Wed Mar 19 04:41:00 EST 2003
On Wed, 19 Mar 2003, Luca Olivetti wrote:
> Ken Murchison wrote:
>
> > When you authenticate, you need to use a SASL mech which supports
> > proxying. Look at doc/mechanisms.html in the SASL distro for a complete
> > list. In your case, you should be able to use at least PLAIN (you can
> > use others if using OpenLDAP 2.2's auxprop plugin). Here's how you'd
> > authenticate as 'cyrus' and login as 'test' using imtest and cyradm:
>
> I'm using saslauthd (readme.html says that PLAIN uses saslauthd),
> mechanisms.html says that PLAIN can proxy, I have in my imapd.conf
>
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: PLAIN
>
>
> but
>
> >
> > imtest -a cyrus -u test -m plain localhost
>
> tells me that plain is not available:
>
> $ imtest -a cyrus -u luca -m plain localhost
> S: * OK saturn.wetron.local Cyrus IMAP4 v2.1.12-Mandrake-RPM-2.1.12-1mdk
> server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS LISTEXT
> LIST-SUBSCRIBED ANNOTATEMORE X-NETSCAPE
> S: C01 OK Completed
> C: A01 AUTHENTICATE PLAIN
> S: A01 NO no mechanism available
> Authentication failed. generic failure
> Security strength factor: 0
>
There's no AUTH=xxx entry, so there are *no* available mechs at this
point. AFAIK, unsafe mechs (the ones that send passwords in cleartext
over the net) are disabled by default. They're enabled if the client
requests a TLS connection via STARTTLS.
Here's the output of similar commands here (this is a test installation
so don't be surprised by the number of available mechs B-)):
$ imtest -m plain -a cyrus -u marco devel
S: * OK devel.ESI Cyrus IMAP4 v2.1.12 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=SRP AUTH=OTP AUTH=NTLM AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=GSSAPI X-NETSCAPE
S: C01 OK Completed
C: A01 AUTHENTICATE PLAIN
S: A01 NO no mechanism available
Authentication failed. generic failure
Security strength factor: 0
C: Q01 LOGOUT
Connection closed.
But, with SSL/TLS:
$ imtest -s -m plain -a cyrus -u marco devel
verify error:num=18:self signed certificate
TLS connection established: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
S: * OK devel.ESI Cyrus IMAP4 v2.1.12 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=SRP AUTH=PLAIN AUTH=LOGIN AUTH=OTP AUTH=NTLM AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=GSSAPI X-NETSCAPE
S: C01 OK Completed
C: A01 AUTHENTICATE PLAIN
S: +
Please enter your password:
C: bWFyY28AY3lydXMAY3lydXM=
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 168
. logout
* BYE LOGOUT received
. OK Completed
Connection closed.
The password I typed was the one of 'cyrus' (which is listed in admins:
in this test installation), but the user who logged in was 'marco':
Mar 19 10:27:05 devel imapd[31837]: starttls: TLSv1 with cipher DES-CBC3-SHA (168/168 bits new) no authentication
Mar 19 10:27:08 devel imapd[31837]: login: devel.ESI[127.0.0.1] marco PLAIN+TLS User logged in
> Note that if I omit the "-m plain" it will log me in as user cyrus (so
> no proxy):
>
> $ imtest -a cyrus -u luca localhost
> S: * OK saturn.wetron.local Cyrus IMAP4 v2.1.12-Mandrake-RPM-2.1.12-1mdk
> server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS LISTEXT
> LIST-SUBSCRIBED ANNOTATEMORE X-NETSCAPE
> S: C01 OK Completed
> Please enter your password:
> C: L01 LOGIN cyrus {7}
> S: + go ahead
> C: <omitted>
> S: L01 OK User logged in
> Authenticated.
> Security strength factor: 0
That was the LOGIN command, not AUTHENTICATE. I think it bypasses
SASL checks in some ways.
> > cyradm --user cyrus --authz test --auth plain localhost
>
> Will log me in as user cyrus (no proxy) (I gave the same password for
> user cyrus to both prompts):
>
> $ cyradm --user cyrus --authz luca --auth plain localhost
> Password:
> IMAP Password:
> localhost.localdomain> lm INBOX
> localhost.localdomain> lm user.luca
> user.luca (\HasChildren)
> localhost.localdomain>
$ cyradm --authz marco --user cyrus localhost
Password:
devel.ESI> lm
INBOX (\HasChildren) INBOX.test2 (\HasNoChildren)
INBOX.test (\HasNoChildren)
devel.ESI> quit
Again, the password I typed was the one of 'cyrus', yet:
Mar 19 10:36:07 devel imapd[31845]: login: devel.ESI[127.0.0.1] marco SRP User logged in
I wasn't able to test PLAIN, because I don't know how to tell cyradm
to use TLS.
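Added example (not part of the original thread): the PLAIN exchange above is just one base64 blob of `authzid NUL authcid NUL passwd` (RFC 4616), and the server's proxy decision is whether the authenticated identity may act as the requested one. The snippet below decodes the message quoted in the thread, reads the AUTH= mechs out of the two CAPABILITY lines, and applies a simplified admin-only proxy rule; the `admins` set and the rule itself are assumptions, not Cyrus's own code.

```python
import base64

# Constructed inputs copied from the exchange quoted in the thread.
CAPS_NO_TLS = ("* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS "
               "NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND "
               "SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=SRP "
               "AUTH=OTP AUTH=NTLM AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=GSSAPI X-NETSCAPE")
# After STARTTLS the server additionally advertises the cleartext mechs.
CAPS_TLS = CAPS_NO_TLS.replace("AUTH=SRP ", "AUTH=SRP AUTH=PLAIN AUTH=LOGIN ")
# The client line "C: bWFyY28AY3lydXMAY3lydXM=" from the TLS session.
PLAIN_RESPONSE = "bWFyY28AY3lydXMAY3lydXM="


def sasl_mechs(capability_line):
    """Return the set of SASL mechanisms a CAPABILITY line advertises as AUTH=<name>."""
    return {tok[len("AUTH="):] for tok in capability_line.split() if tok.startswith("AUTH=")}


def decode_plain(b64):
    """Split a SASL PLAIN initial response into (authzid, authcid, passwd).

    An empty authzid means "authorize as the authenticating user", so it is
    normalised to authcid here to make the later policy check uniform.
    """
    raw = base64.b64decode(b64, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError("malformed PLAIN message: need authzid NUL authcid NUL passwd")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return (authzid or authcid), authcid, passwd


def authorize(authzid, authcid, admins):
    """Return the identity the session should run as.

    Assumed rule (simplified from the thread): logging in as yourself is always
    allowed; acting as someone else requires the authenticated user to be an admin.
    """
    if authzid == authcid:
        return authcid
    if authcid in admins:
        return authzid
    raise PermissionError(f"{authcid!r} is not allowed to proxy for {authzid!r}")


if __name__ == "__main__":
    print("PLAIN before TLS:", "PLAIN" in sasl_mechs(CAPS_NO_TLS))   # False
    print("PLAIN after TLS: ", "PLAIN" in sasl_mechs(CAPS_TLS))      # True
    authzid, authcid, _ = decode_plain(PLAIN_RESPONSE)
    print("session runs as:", authorize(authzid, authcid, {"cyrus"}))  # marco
```

The decoded message shows why the log line says `marco PLAIN+TLS User logged in` even though the password typed was cyrus's: `cyrus` is the authcid and `marco` the authzid.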
.TM.
--
Marco Colombo
Technical Manager
ESI s.r.l.
Colombo at ESI.it