Problems getting Cyrus Imapd to work with SASL (PostgreSQL engine)

Patrick Nelson pnelson at neatech.com
Tue Apr 12 01:53:42 EDT 2005


Jesper K. Pedersen wrote:

>I have been wanting to upgrade our small mail server to use a
>PostgreSQL database to authenticate users.
>
>As the server needed a full overhaul I have installed a test server with
>Slackware 10.1
>Downloaded Cyrus SASL 2.1.20, Cyrus IMAPD 2.2.12
>
>I already have my postgres server running without a problem.
>
>I also have SASL compiled for supporting the PostgreSQL database via the
>auxprop, and finally also have compiled Imapd and have it all running.
>
>I have created a couple of test users in the sql database with cleartext
>passwords.
>
>I am not able to successfully run the imtest:
>An example run:
>Command: imtest -s -a mailman at solnet localhost
>Result:
>verify error:num=18:self signed certificate
>TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
>S: * OK vega Cyrus IMAP4 v2.2.12 server ready
>C: C01 CAPABILITY
>S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
>NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
>BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE
>AUTH=PLAIN SASL-IR
>S: C01 OK Completed
>Please enter your password: 
>C: A01 AUTHENTICATE PLAIN AG1haWxtYW5Ac29sbmV0AGFkbWluMjAwNQ==
>S: A01 NO authentication failure
>Authentication failed. generic failure
>Security strength factor: 256
>C: Q01 LOGOUT
>Connection closed.
>
>
>My imapd log says the following (please note I made my own self signing
>SSL certificate so I could test using TLS/SSL):
>------------------------
>Apr 11 21:32:59 vega imaps[5666]: starttls: TLSv1 with cipher AES256-SHA
>	(256/256 bits new) no authentication 
>Apr 11 21:33:02 vega imaps[5666]: Password verification failed
>Apr 11 21:33:02 vega imaps[5666]: badlogin: localhost [127.0.0.1] PLAIN
>	[SASL(-13): authentication failure: Password verification
>	failed]
>------------------------
>
>
>Postgres database log:
>------------------------
>LOG:  connection received: host=127.0.0.1 port=32870
>LOG:  connection authorized: user=/*removed*/ database=emaildb
>LOG:  statement: BEGIN;
>LOG:  statement: select clearpw from users where email =
>	'mailman at solnet'; 
>LOG:  statement: select clearpw from users where email =
>	'mailman at solnet'; 
>LOG:  statement: COMMIT;
>------------------------
>
>Doing the SQL query manually using pgsql command line interface to
>PostgreSQL gives me the expected password in the field "clearpw".
>
>
>(cyrus imapd) imapd.conf:
>------------------------
>configdirectory: /var/imap
>partition-default: /var/spool/imap
>
>admins: mailman at solnet mailman
>
>virtdomains: yes
>defaultdomain: solnet
>
>sasl_pwcheck_method: auxprop
>sasl_mech_list: plain
>sasl_auxprop_plugin: sql
>sasl_sql_engine: pgsql
>sasl_sql_hostnames: localhost
>sasl_sql_user: /*removed*/
>sasl_sql_passwd: /*removed*/
>sasl_sql_database: emaildb
>sasl_sql_select: select clearpw from users where email = '%u@%r'
>sasl_sql_verbose: yes
>
>tls_key_file: /var/imap/certs/cyrus-global.pem
>tls_ca_file: /var/imap/certs/cyrus-global.pem
>tls_cert_file: /var/imap/certs/cyrus-global.pem
>
>sendmail: /usr/sbin/sendmail
>
>lmtp_downcase_rcpt: yes
>------------------------
>
>
>cyrus.conf:
>------------------------
>START {
>  recover       cmd="ctl_cyrusdb -r"
>
>  # this is only necessary if using idled for IMAP IDLE
>  #  idled              cmd="idled"
>}
>
># UNIX sockets start with a slash and are put into /var/imap/socket
>SERVICES {
>  # add or remove based on preferences
>  imap          cmd="imapd" listen="imap" prefork=0
>  imaps         cmd="imapd -s" listen="imaps" prefork=0
>  pop3          cmd="pop3d" listen="pop3" prefork=0
>  #  pop3s              cmd="pop3d -s" listen="pop3s" prefork=0
>  sieve         cmd="timsieved" listen="sieve" prefork=0
>
>  smmapd        cmd="smmapd" listen="/var/imap/socket/smmapd" prefork=1
>
>  # these are only necessary if receiving/exporting usenet via NNTP
>  #  nntp               cmd="nntpd" listen="nntp" prefork=0
>  #  nntps              cmd="nntpd -s" listen="nntps" prefork=0
>
>  # at least one LMTP is required for delivery
>  #  lmtp               cmd="lmtpd" listen="lmtp" prefork=0
>  lmtpunix      cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
>
>  # this is only necessary if using notifications
>  #  notify     cmd="notifyd" listen="/var/imap/socket/notify" proto="udp" prefork=1
>}
>
>EVENTS {
>  squatter      cmd="squatter" period=300
>  # this is required
>
>  checkpoint    cmd="ctl_cyrusdb -c" period=30
>  delprune      cmd="cyr_expire -E 3" at=0400
>  tlsprune      cmd="tls_prune" at=0400
>}
>------------------------
>
>
>/usr/lib/sasl2/imapd.conf :
>------------------------
>pwcheck_method: auxprop
>mech_list: plain
>auxprop_plugin: sql
>sql_engine: pgsql
>sql_hostnames: localhost
>sql_user: /*removed*/
>sql_passwd: /*removed*/
>sql_database: emaildb
>sql_select: select clearpw from users where email = '%u@%r'
>sql_verbose: yes
>------------------------
>
>
>Anyone with any ideas of what I am doing wrong, or how I could debug
>this further?
>Any hints are greatly appreciated.
>  
>
I use PAM-PgSql (on http://sourceforge.net/projects/pam-pgsql/) to 
utilize my PostgreSQL system.  The only problem is that it isn't being 
actively developed but it does work with my cyrus-imap 2.2.10 setup 
great.
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
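
An added example, not part of either message: a checker that decodes an AUTHENTICATE PLAIN response (RFC 4616) and expands the quoted sasl_sql_select template, so the result can be compared with the PostgreSQL statement log and the stored clearpw value. The sample response is constructed, and the function names, the default-realm fallback and the quote doubling are assumptions of this sketch, not Cyrus SASL's code.

```python
import base64
import re

# Query template as it appears in the quoted imapd.conf (sasl_sql_select).
SQL_SELECT = "select clearpw from users where email = '%u@%r'"

# Constructed sample response; not a value from the thread.
SAMPLE = base64.b64encode(b"\x00alice@example.test\x00not-a-real-password").decode()


def parse_sasl_plain(b64_response):
    """Split a PLAIN response into (authzid, authcid, passwd) per RFC 4616."""
    raw = base64.b64decode(b64_response, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("expected authzid NUL authcid NUL passwd")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("authcid and passwd must be non-empty")
    return authzid, authcid, passwd


def split_user_realm(authcid, default_realm):
    """Split user@realm; the default_realm fallback is an assumption."""
    user, sep, realm = authcid.rpartition("@")
    return (user, realm) if sep else (authcid, default_realm)


def expand_select(template, user, realm):
    """Fill %u and %r in one pass so a substituted value is never re-expanded.

    Doubling single quotes only keeps the printed statement well-formed; it
    is a simplification, not the plugin's escaping routine.
    """
    values = {"u": user, "r": realm}
    return re.sub(r"%([ur])",
                  lambda m: values[m.group(1)].replace("'", "''"), template)


if __name__ == "__main__":
    authzid, authcid, passwd = parse_sasl_plain(SAMPLE)
    user, realm = split_user_realm(authcid, "solnet")
    print("authzid=%r authcid=%r" % (authzid, authcid))
    # Report length and stray whitespace rather than the secret itself.
    print("passwd length=%d, surrounding whitespace=%s"
          % (len(passwd), passwd != passwd.strip()))
    print(expand_select(SQL_SELECT, user, realm))
```

The response is only base64-encoded, so a captured AUTHENTICATE PLAIN line carries the password in recoverable form and is best redacted before logs are shared.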



