Nothing authenticates with cyrus IMAP -- may be cyrus-sasl problem
Bud Roth
budroth at obitori.net
Sun Jun 12 08:51:24 EDT 2005
PROBLEM: IMAP and cyrus-sasl do not authenticate anybody. I am trying to
build a postfix virtual domain email server with squirrelmail web access and
a mysql back end. Authentication is via cyrus-sasl and it runs a cyrus imap
server. I am using this how-to verbatim:
http://www.wistful.net/~moon/my_freebsd_virtual_mail_howto.html#cyrus-sasl
Numerous programs (smtpd, imap, etc.) are giving authentication errors and
plug-in authentication errors.
CONTENTS
I. saslfinger -c
II. saslfinger -s
III. telnet sessions to ports 143, 25, 110
IV. /var/log/messages errors
V. Session with saslpasswd2 and cyradm
I. OUTPUT FOR SASLFINGER -C
salmon# saslfinger -c
saslfinger - postfix Cyrus sasl configuration Sat Jun 11 20:57:17 EDT 2005
version: 0.9.9.1
mode: client-side SMTP AUTH
-- basics --
Postfix: 2.2.3
System: FreeBSD 5.3-RELEASE (GENERIC) #0: Fri Nov 5 04:19:18 UTC 2004
Welcome to FreeBSD!
-- smtp is linked to --
libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x280bf000)
-- active SMTP AUTH and TLS parameters for smtp --
relayhost = outbound.mailhop.org:10025
smtp_tls_note_starttls_offer = no
smtp_use_tls = yes
-- listing of /usr/local/lib/sasl2 --
total 708
drwxr-xr-x 2 root wheel 1024 May 24 13:52 .
drwxr-xr-x 30 root wheel 28672 May 25 17:50 ..
-rw-r--r-- 1 root wheel 26 May 22 15:45 Sendmail.conf
-rw-r--r-- 1 root wheel 12064 May 22 15:42 libanonymous.a
-rwxr-xr-x 1 root wheel 15171 May 22 15:42 libanonymous.so
-rwxr-xr-x 1 root wheel 15171 May 22 15:42 libanonymous.so.2
-rw-r--r-- 1 root wheel 14522 May 22 15:42 libcrammd5.a
-rwxr-xr-x 1 root wheel 17701 May 22 15:42 libcrammd5.so
-rwxr-xr-x 1 root wheel 17701 May 22 15:42 libcrammd5.so.2
-rw-r--r-- 1 root wheel 43376 May 22 15:42 libdigestmd5.a
-rwxr-xr-x 1 root wheel 46049 May 22 15:42 libdigestmd5.so
-rwxr-xr-x 1 root wheel 46049 May 22 15:42 libdigestmd5.so.2
-rw-r--r-- 1 root wheel 21200 May 22 15:42 libgssapiv2.a
-rwxr-xr-x 1 root wheel 25146 May 22 15:42 libgssapiv2.so
-rwxr-xr-x 1 root wheel 25146 May 22 15:42 libgssapiv2.so.2
-rw-r--r-- 1 root wheel 12494 May 22 15:42 liblogin.a
-rwxr-xr-x 1 root wheel 15662 May 22 15:42 liblogin.so
-rwxr-xr-x 1 root wheel 15662 May 22 15:42 liblogin.so.2
-rw-r--r-- 1 root wheel 28268 May 22 15:42 libntlm.a
-rwxr-xr-x 1 root wheel 31858 May 22 15:42 libntlm.so
-rwxr-xr-x 1 root wheel 31858 May 22 15:42 libntlm.so.2
-rw-r--r-- 1 root wheel 18366 May 22 15:42 libotp.a
-rwxr-xr-x 1 root wheel 22143 May 22 15:42 libotp.so
-rwxr-xr-x 1 root wheel 22143 May 22 15:42 libotp.so.2
-rw-r--r-- 1 root wheel 12430 May 22 15:42 libplain.a
-rwxr-xr-x 1 root wheel 15464 May 22 15:42 libplain.so
-rwxr-xr-x 1 root wheel 15464 May 22 15:42 libplain.so.2
-rw-r--r-- 1 root wheel 18652 May 22 15:42 libsasldb.a
-rwxr-xr-x 1 root wheel 19779 May 22 15:42 libsasldb.so
-rwxr-xr-x 1 root wheel 19779 May 22 15:42 libsasldb.so.2
-rw-r--r-- 1 root wheel 17328 May 22 15:42 libsql.a
-rwxr-xr-x 1 root wheel 20984 May 22 15:42 libsql.so
-rwxr-xr-x 1 root wheel 20984 May 22 15:42 libsql.so.2
-rw-r--r-- 1 root wheel 338 May 24 13:52 smtpd.conf
Cannot find the smtp_sasl_password_maps parameter in main.cf.
Client-side SMTP AUTH cannot work without this parameter!
II. OUTPUT FOR SASLFINGER -S
salmon# saslfinger -s
saslfinger - postfix Cyrus sasl configuration Sat Jun 11 20:57:30 EDT 2005
version: 0.9.9.1
mode: server-side SMTP AUTH
-- basics --
Postfix: 2.2.3
System: FreeBSD 5.3-RELEASE (GENERIC) #0: Fri Nov 5 04:19:18 UTC 2004
Welcome to FreeBSD!
-- smtpd is linked to --
libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x280c6000)
-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile =
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /usr/local/etc/postfix/salmon.cert
smtpd_tls_key_file = /usr/local/etc/postfix/salmon.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
-- listing of /usr/local/lib/sasl2 --
total 708
drwxr-xr-x 2 root wheel 1024 May 24 13:52 .
drwxr-xr-x 30 root wheel 28672 May 25 17:50 ..
-rw-r--r-- 1 root wheel 26 May 22 15:45 Sendmail.conf
-rw-r--r-- 1 root wheel 12064 May 22 15:42 libanonymous.a
-rwxr-xr-x 1 root wheel 15171 May 22 15:42 libanonymous.so
-rwxr-xr-x 1 root wheel 15171 May 22 15:42 libanonymous.so.2
-rw-r--r-- 1 root wheel 14522 May 22 15:42 libcrammd5.a
-rwxr-xr-x 1 root wheel 17701 May 22 15:42 libcrammd5.so
-rwxr-xr-x 1 root wheel 17701 May 22 15:42 libcrammd5.so.2
-rw-r--r-- 1 root wheel 43376 May 22 15:42 libdigestmd5.a
-rwxr-xr-x 1 root wheel 46049 May 22 15:42 libdigestmd5.so
-rwxr-xr-x 1 root wheel 46049 May 22 15:42 libdigestmd5.so.2
-rw-r--r-- 1 root wheel 21200 May 22 15:42 libgssapiv2.a
-rwxr-xr-x 1 root wheel 25146 May 22 15:42 libgssapiv2.so
-rwxr-xr-x 1 root wheel 25146 May 22 15:42 libgssapiv2.so.2
-rw-r--r-- 1 root wheel 12494 May 22 15:42 liblogin.a
-rwxr-xr-x 1 root wheel 15662 May 22 15:42 liblogin.so
-rwxr-xr-x 1 root wheel 15662 May 22 15:42 liblogin.so.2
-rw-r--r-- 1 root wheel 28268 May 22 15:42 libntlm.a
-rwxr-xr-x 1 root wheel 31858 May 22 15:42 libntlm.so
-rwxr-xr-x 1 root wheel 31858 May 22 15:42 libntlm.so.2
-rw-r--r-- 1 root wheel 18366 May 22 15:42 libotp.a
-rwxr-xr-x 1 root wheel 22143 May 22 15:42 libotp.so
-rwxr-xr-x 1 root wheel 22143 May 22 15:42 libotp.so.2
-rw-r--r-- 1 root wheel 12430 May 22 15:42 libplain.a
-rwxr-xr-x 1 root wheel 15464 May 22 15:42 libplain.so
-rwxr-xr-x 1 root wheel 15464 May 22 15:42 libplain.so.2
-rw-r--r-- 1 root wheel 18652 May 22 15:42 libsasldb.a
-rwxr-xr-x 1 root wheel 19779 May 22 15:42 libsasldb.so
-rwxr-xr-x 1 root wheel 19779 May 22 15:42 libsasldb.so.2
-rw-r--r-- 1 root wheel 17328 May 22 15:42 libsql.a
-rwxr-xr-x 1 root wheel 20984 May 22 15:42 libsql.so
-rwxr-xr-x 1 root wheel 20984 May 22 15:42 libsql.so.2
-rw-r--r-- 1 root wheel 338 May 24 13:52 smtpd.conf
-- content of /usr/local/lib/sasl2/smtpd.conf --
pwcheck_method: auxprop
auxprop_plugin: sql
sql_user: --- replaced ---
sql_passwd: --- replaced ---
sql_hostnames: localhost
sql_database: postfix
sql_select: SELECT password FROM mailbox WHERE username='%u@%r' AND
active='1'
sql_verbose: yes
sql_engine: mysql
mech_list: plain
minimum_layer: 0
auto_transition: no
password_format: crypt
-- active services in /usr/local/etc/postfix/master.cf --
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
smtp inet n - n - - smtpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus unix - n n - - pipe
flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
cyrus unix - n n - - pipe
user=cyrus argv=/usr/local/cyrus/bin/deliver -e -r ${sender} -m ${extension}
${user}@{nexthop}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
-- mechanisms on localhost --
NOTE: The above is not a paste error. There are no mechanisms listed after
the "-- mechanisms on localhost --".
III. TELNET SESSIONS FOR PORTS 143, 25, 110
salmon# ps ax |grep sasl
615 ?? Is 0:00.01 /usr/local/sbin/saslauthd -a pam
626 ?? I 0:00.00 /usr/local/sbin/saslauthd -a pam
627 ?? I 0:00.00 /usr/local/sbin/saslauthd -a pam
628 ?? I 0:00.00 /usr/local/sbin/saslauthd -a pam
629 ?? I 0:00.00 /usr/local/sbin/saslauthd -a pam
2514 p2 RV 0:00.00 grep sasl (csh)
salmon#
bud at potomac ~ $ telnet salmon.lake 143
Trying 10.1.1.50...
Connected to salmon.lake.
Escape character is '^]'.
* OK obitori.net Cyrus IMAP4 v2.2.12 server ready
0001 login bud bud
0001 NO Login failed: user not found
00001 login bud at obitori.net bud
00001 NO Login failed: user not found
00001 login cyrus cyrus
00001 NO Login failed: user not found
00001 login bobby at obitori.net bobby
00001 NO Login failed: user not found
00001 login bud at salmon.lake bud
00001 NO Login failed: authentication failure
00002 logout
* BYE LOGOUT received
00002 OK Completed
Connection closed by foreign host.
bud at potomac ~ $ telnet salmon.lake 25
Trying 10.1.1.50...
Connected to salmon.lake.
Escape character is '^]'.
220 salmon.lake ESMTP Exim (3.2.1-r2)
ehlo dog.org
250-salmon.lake
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250 8BITMIME
AUTH PLAIN 999990999909999
538 Encryption required for requested authentication mechanism
quit
221 Bye
Connection closed by foreign host.
bud at potomac ~ $ telnet salmon 110
Trying 10.1.1.50...
Connected to salmon.
Escape character is '^]'.
+OK obitori.net Cyrus POP3 v2.2.12 server ready
<3438053538.1118539687 at obitori.net>
USER cyrus
+OK Name is a valid mailbox
PASS cyrus
RR [AUTH] Invalid login
list
-ERR Unrecognized command
LIST
-ERR Unrecognized command
PASS
-ERR Missing argument
PASS
-ERR Missing argument
PASS cyrus
-ERR [AUTH] Must give USER command
USER admin
+OK Name is a valid mailbox
PASS admin
-ERR [AUTH] Invalid login
quit
+OK
Connection closed by foreign host.
bud at potomac ~ $
IV. OUTPUT OF CAT /VAR/LOG/MESSAGES
Jun 11 20:29:25 salmon perl: No worthy mechs found
Jun 11 20:29:28 salmon imap[2309]: sql plugin: no result found
Jun 11 20:29:28 salmon imap[2309]: sql plugin: no result found
Jun 11 20:29:28 salmon imap[2309]: badlogin: localhost [::1] plaintext root
SASL(-13): user not found: checkpass failed
Jun 11 20:29:44 salmon perl: No worthy mechs found
Jun 11 20:29:47 salmon imap[2309]: badlogin: localhost [::1] plaintext cyrus
SASL(-13): authentication failure: checkpass failed
Jun 11 20:41:52 salmon imap[2281]: badlogin: localhost [::1] plaintext cyrus
SASL(-13): authentication failure: checkpass failed
Jun 11 20:42:06 salmon imap[2281]: badlogin: localhost [::1] plaintext bud
SASL(-13): authentication failure: checkpass failed
Jun 11 20:42:39 salmon imap[2281]: badlogin: localhost [::1] plaintext cyrus
SASL(-13): authentication failure: checkpass failed
Jun 11 20:42:52 salmon imap[2281]: sql plugin: no result found
Jun 11 20:42:52 salmon last message repeated 2 times
Jun 11 20:42:52 salmon imap[2281]: badlogin: localhost [::1] plaintext admin
SASL(-13): user not found: checkpass failed
Jun 11 20:44:09 salmon imap[2281]: badlogin: localhost [::1] plaintext
bud at salmon.lake SASL(-13): authentication failure: checkpass failed
Jun 11 20:47:09 salmon imap[2365]: TLS server engine: cannot load CA data
Jun 11 20:47:09 salmon imap[2365]: TLS server engine: No CA file specified.
Client side certs may not work
Jun 11 20:47:09 salmon imap[2365]: starttls: TLSv1 with cipher RC4-MD5
(128/128 bits new) no authentication
Jun 11 20:47:09 salmon imap[2365]: badlogin: [10.1.1.70] plaintext
bud at salmon.lake SASL(-13): authentication failure: checkpass failed
Jun 11 20:48:51 salmon imap[2366]: TLS server engine: cannot load CA data
Jun 11 20:48:51 salmon imap[2366]: TLS server engine: No CA file specified.
Client side certs may not work
Jun 11 20:48:51 salmon imap[2366]: starttls: TLSv1 with cipher RC4-MD5
(128/128 bits new) no authentication
Jun 11 20:48:51 salmon imap[2366]: badlogin: [10.1.1.70] plaintext
bud at salmon.lake SASL(-13): authentication failure: checkpass failed
Jun 11 20:49:23 salmon ctl_cyrusdb[2367]: checkpointing cyrus databases
Jun 11 20:49:23 salmon ctl_cyrusdb[2367]: done checkpointing cyrus databases
Jun 11 20:54:38 salmon sudo: bud : TTY=ttyp2 ;
PWD=/usr/home/bud/saslfinger-0.9.9.1 ; USER=root ; COMMAND=/usr/bin/su -
Jun 11 21:13:49 salmon sasldblistusers2: sql_select option missing
Jun 11 21:13:49 salmon sasldblistusers2: auxpropfunc error no mechanism
available
Jun 11 21:19:23 salmon ctl_cyrusdb[2579]: checkpointing cyrus databases
Jun 11 21:19:23 salmon ctl_cyrusdb[2579]: done checkpointing cyrus databases
Jun 11 21:21:43 salmon saslpasswd2: sql_select option missing
Jun 11 21:21:43 salmon saslpasswd2: auxpropfunc error no mechanism available
Jun 11 21:21:49 salmon saslpasswd2: SASL error opening password file. Do you
have write permissions?
Jun 11 21:21:49 salmon saslpasswd2: Could not open db for write
Jun 11 21:21:49 salmon saslpasswd2: setpass succeeded for bud
Jun 11 21:21:49 salmon saslpasswd2: SASL error opening password file. Do you
have write permissions?
Jun 11 21:21:49 salmon saslpasswd2: Could not open db for write
Jun 11 21:21:49 salmon saslpasswd2: SASL error opening password file. Do you
have write permissions?
Jun 11 21:21:49 salmon saslpasswd2: Could not open db for write
Jun 11 21:21:49 salmon saslpasswd2: SASL error opening password file. Do you
have write permissions?
Jun 11 21:21:49 salmon saslpasswd2: Could not open db for write
Jun 11 21:22:01 salmon saslpasswd2: sql_select option missing
Jun 11 21:22:01 salmon saslpasswd2: auxpropfunc error no mechanism available
Jun 11 21:22:04 salmon saslpasswd2: SASL error opening password file. Do you
have write permissions?
Jun 11 21:22:04 salmon saslpasswd2: Could not open db for write
Jun 11 21:22:04 salmon saslpasswd2: setpass succeeded for bud at obitori.net
Jun 11 21:22:04 salmon saslpasswd2: SASL error opening password file. Do you
have write permissions?
Jun 11 21:22:04 salmon saslpasswd2: Could not open db for write
Jun 11 21:22:04 salmon saslpasswd2: SASL error opening password file. Do you
have write permissions?
Jun 11 21:22:04 salmon saslpasswd2: Could not open db for write
Jun 11 21:22:04 salmon saslpasswd2: SASL error opening password file. Do you
have write permissions?
Jun 11 21:22:04 salmon saslpasswd2: Could not open db for write
Jun 11 21:22:14 salmon imap[2799]: badlogin: localhost [::1] plaintext
bud at salmon.lake SASL(-13): authentication failure: checkpass failed
Jun 11 21:22:23 salmon imap[2799]: badlogin: localhost [::1] plaintext bud
SASL(-13): authentication failure: checkpass failed
Jun 11 21:22:27 salmon imap[2799]: badlogin: localhost [::1] plaintext bud
SASL(-13): authentication failure: checkpass failed
Jun 11 21:22:28 salmon imap[2800]: badlogin: localhost [::1] plaintext bud
SASL(-13): authentication failure: checkpass failed
Jun 11 21:25:32 salmon imap[2816]: sql plugin: no result found
Jun 11 21:25:32 salmon imap[2816]: sql plugin: no result found
Jun 11 21:25:32 salmon imap[2816]: badlogin: [10.1.1.70] plaintext bud at lake
SASL(-13): user not found: checkpass failed
Jun 11 21:25:49 salmon imap[2816]: sql plugin: no result found
Jun 11 21:25:49 salmon last message repeated 3 times
Jun 11 21:25:49 salmon imap[2816]: badlogin: [10.1.1.70] plaintext bud
SASL(-13): user not found: checkpass failed
Jun 11 21:26:06 salmon imap[2816]: sql plugin: no result found
Jun 11 21:26:06 salmon last message repeated 3 times
Jun 11 21:26:06 salmon imap[2816]: badlogin: [10.1.1.70] plaintext cyrus at lake
SASL(-13): user not found: checkpass failed
Jun 11 21:26:19 salmon imap[2816]: sql plugin: no result found
Jun 11 21:26:19 salmon last message repeated 3 times
Jun 11 21:26:19 salmon imap[2816]: badlogin: [10.1.1.70] plaintext bobby
SASL(-13): user not found: checkpass failed
Jun 11 21:26:33 salmon imap[2816]: badlogin: [10.1.1.70] plaintext
bud at salmon.lake SASL(-13): authentication failure: checkpass failed
Jun 11 21:28:40 salmon pop3[2818]: sql plugin: no result found
Jun 11 21:28:40 salmon pop3[2818]: sql plugin: no result found
Jun 11 21:28:40 salmon pop3[2818]: badlogin: [10.1.1.70] plaintext cyrus at lake
SASL(-13): user not found: checkpass failed
Jun 11 21:29:35 salmon pop3[2818]: sql plugin: no result found
Jun 11 21:29:35 salmon last message repeated 3 times> salmon#
Jun 11 21:29:35 salmon pop3[2818]: badlogin: [10.1.1.70] plaintext admin at lake
SASL(-13): user not found: checkpass failed
Jun 11 21:36:52 salmon sudo: bud : TTY=ttyp0 ; PWD=/usr/home/bud ;
USER=root ; COMMAND=/usr/bin/su -
salmon# cat /var/log/messages | grep postfix
Jun 10 21:31:50 salmon postfix/smtpd[751]: sql plugin couldn't connect to any
host
Jun 10 21:31:50 salmon postfix/smtpd[751]: sql plugin could not connect to
host localhost
Jun 10 21:31:50 salmon postfix/smtpd[751]: sql plugin couldn't connect to any
host
Jun 10 21:36:13 salmon postfix/smtpd[751]: sql plugin could not connect to
host localhost
Jun 10 21:36:13 salmon postfix/smtpd[751]: sql plugin couldn't connect to any
host
Jun 10 21:36:13 salmon postfix/smtpd[751]: sql plugin could not connect to
host localhost
Jun 10 21:36:13 salmon postfix/smtpd[751]: sql plugin couldn't connect to any
host
Jun 10 21:36:13 salmon postfix/smtpd[751]: sql plugin could not connect to
host localhost
V. SASLPASSWD2 AND CYRADM SESSIONS:
salmon# saslpasswd2 -c dog
Password:
Again (for verification):
salmon# saslpasswd2 -c dog at obitori.net
Password:
Again (for verification):
salmon# cyradm
cyradm> server localhost
IMAP Password:
Login failed: user not found
at /usr/local/lib/perl5/site_perl/5.8.5/mach/Cyrus/IMAP/Admin.pm line 118
server: localhost: cannot authenticate
localhost> localhost> login
IMAP Password:
Login failed: user not found
at /usr/local/lib/perl5/site_perl/5.8.5/mach/Cyrus/IMAP/Admin.pm line 118
authenticate: authentication to server localhost failed
localhost> localhost> login -mechanism PLAIN bud
Password:
IMAP Password:
cyrusLogin failed: authentication failure
at /usr/local/lib/perl5/site_perl/5.8.5/mach/Cyrus/IMAP/Admin.pm line 118
authenticate: authentication to server localhost failed
localhost> ^R
localhost> login cyrus
IMAP Password:
Login failed: authentication failure
at /usr/local/lib/perl5/site_perl/5.8.5/mach/Cyrus/IMAP/Admin.pm line 118
authenticate: authentication to server localhost failed
localhost> quit
Now, I am not particularly adept at running either of these utilities, so I
could be making mistakes that produce other errors.
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
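
Added example, not part of the original post: a small Python triage of the /var/log/messages excerpt in section IV. It rejoins the wrapped lines, extracts each badlogin entry, and flags those where the same process logged "sql plugin: no result found" in the same second. The function names are hypothetical and the sample lines are constructed in the shape of the excerpt.

```python
import re
from collections import Counter

# Constructed sample in the shape of the excerpt above, keeping the archive's
# hard line wraps and its "user at domain" address obfuscation.
SAMPLE = """\
Jun 11 20:29:28 salmon imap[2309]: sql plugin: no result found
Jun 11 20:29:28 salmon imap[2309]: badlogin: localhost [::1] plaintext root
SASL(-13): user not found: checkpass failed
Jun 11 20:29:47 salmon imap[2309]: badlogin: localhost [::1] plaintext cyrus
SASL(-13): authentication failure: checkpass failed
Jun 11 20:47:09 salmon imap[2365]: badlogin: [10.1.1.70] plaintext
bud at salmon.lake SASL(-13): authentication failure: checkpass failed
Jun 11 21:28:40 salmon pop3[2818]: sql plugin: no result found
Jun 11 21:28:40 salmon last message repeated 3 times
Jun 11 21:28:40 salmon pop3[2818]: badlogin: [10.1.1.70] plaintext cyrus at lake
SASL(-13): user not found: checkpass failed
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
ENTRY = re.compile(r"^(?P<ts>\S+ +\d+ \S+) \S+ (?P<svc>[\w/-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
BADLOGIN = re.compile(
    r"^badlogin: (?:\S+ )?\[(?P<src>[^\]]+)\] (?P<mech>\S+) (?P<user>.+?) "
    r"SASL\((?P<code>-?\d+)\): (?P<reason>[^:]+): ")

def unwrap(text):
    """Rejoin continuation lines: anything not starting with a syslog timestamp."""
    entries = []
    for line in text.splitlines():
        if STAMP.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def failed_logins(text):
    """One dict per badlogin; sql_empty marks an empty SQL lookup by the same pid and second."""
    empty_lookups, results = set(), []
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if not m:
            continue  # e.g. "last message repeated N times" carries no pid
        key = (m["ts"], m["svc"], m["pid"])
        if m["msg"] == "sql plugin: no result found":
            empty_lookups.add(key)
        b = BADLOGIN.match(m["msg"])
        if b:
            results.append({"service": m["svc"], "source": b["src"],
                            "user": b["user"].replace(" at ", "@"),
                            "reason": b["reason"], "sql_empty": key in empty_lookups})
    return results

def summary(text):
    """Count failures by (SASL reason, whether the SQL lookup came back empty)."""
    return Counter((f["reason"], f["sql_empty"]) for f in failed_logins(text))
```

To run it over a real log, pass the file contents to summary() or failed_logins() in place of SAMPLE.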