cyrus sasl realm problem

Georg Gell georg_1 at
Mon Oct 3 09:57:38 EDT 2005

brad wrote:
> On Sat, 2005-10-01 at 13:25 +0200, Georg Gell wrote:
>>I have an old server with about 50 mail users, which uses cyrus imapd
>>with sasl and pam_mysql. The server settings are:
>>unixhierarchysep: no
>>virtdomains: no
>>On the new server, I want users to be able to log in with their email
>>addresses as username, but I want to let the old users use their old
>>username/password combinations. So I set
>>unixhierarchysep: yes
>>virtdomains: yes
>>sasl_pwcheck_method: auxprop
>>sasl_sql_engine: mysql
>>sasl_sql_select: SELECT password FROM accountuser WHERE username = '%u@%r'
>>This works well. But I want to migrate the old account to the new
>>machine. As I understand the docs, this should work, because usernames
>>without realm are used with defaultdomain as result. But this doesn't
>>happen for sasl authentication.
>>Let's say I have user georg with password georgpass on the old server. I
>>thought on the new server, I would leave the mailbox on cyrus like
>>user/georg, and for auth in the mysql database I would just add to each
>>username the, so that if the default domain
>>is added to the username we should be able to log in.
>>But something else happens (trying to use the pop server):
>>If I log in from a remote computer, reading the debug log, I see that
>>the user is being tested with as realm (username:
>>georg at
>>But if I log in from localhost, no realm is added (username: georg).
>>What I don't understand after spending much time reading the docs is this:
>>Who adds the realm, imapd or sasl? And why are they different depending
>>on the location from where I try to log in? And whatever adds the realm,
>>how is it decided what to use? And finally, how can I change it?
>>Thanks in advance!
>>Best regards
> With virtdomains turned on then cyrus will use the domain sent with the
> username if the user logs in fully qualified.  Otherwise cyrus does a
> reverse lookup on the IP that the user logged in on and uses the domain from
> that lookup as the user's domain.  The lookup can be either from DNS or
> hosts file or any other means.
> Hope that helps,
Thanks for the quick reply. Sadly this is not true on my system.
trying imtest:
moritz> imtest -a georg localhost (on
Oct  3 15:46:21 [imap] sql plugin doing query SELECT password FROM
accountuser WHERE username = 'georg at';_ is the fqdn of my server.

moritz> imtest -a georg (on
Oct  3 15:49:23 [imap] sql plugin doing query SELECT password FROM
accountuser WHERE username = 'georg at';_

notebook> imtest -a georg (from home dial up)
Oct  3 15:49:23 [imap] sql plugin doing query SELECT password FROM
accountuser WHERE username = 'georg at';_

Where does the realm part come from? If I connect to localhost, it uses
the server's fqdn (which is also the defaultdomain in my imapd.conf),
that's what I'd expect. If I connect from the same machine to the
external IP, I have as realm. Why? And even worse from my
dial-up ip (reverse lookup looks like, I
have also as realm. So the realm cannot be related to the ip
of the logged in user, or am I missing something?


