how are 'sasl_minimum_layer' & TLS related/dependent?
OpenMacNews
OpenMacNews at speakeasy.net
Sun Oct 9 12:35:29 EDT 2005
hi mitu,
thx for the detailed reply!
1st, my 'bottom line':
imtest: i CAN login w/ TLS via STARTTLS on port 143
TBird: i CAN login w/ TLS, but no trace of STARTTLS and only on port 993
details follow ... here:
>> my understanding was that 'sasl_minimum_layer' >= 64 (128?) was *REQUIRED* for TLS protection ...
> it should be required from the client's point of view and not from the
> server. But sasl_minimum_layer is set up to > 64 even without encryption,
> just with integrity protection (e.g. DIGEST-MD5 without TLS yields an ssf
> of 128).
> here is a snippet of a imtest session:
>
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID
> NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT
> THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS AUTH=DIGEST-MD5 SASL-IR
> S: C01 OK Completed
> C: A01 AUTHENTICATE DIGEST-MD5
> [..]
> S: A01 OK Success (privacy protection)
> Authenticated.
> Security strength factor: 128
> x logout
> * BYE LOGOUT received
> x OK Completed
ok.
with:
imtest -v \
-t "CERTS/mail.testdomain.com.CYRUSkey.rsa.pem" \
-p imap \
-m cram-md5 \
-a testuser at testdomain.com \
-u testuser at testdomain.com \
-r mail.testdomain.com \
mail.testdomain.com
and:
sasl_minimum_layer: 128
sasl_mech_list: PLAIN CRAM-MD5 DIGEST-MD5
allowplaintext: no
here's a similar snippet of mine:
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID
NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT
THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS LOGINDISABLED AUTH=DIGEST-MD5 SASL-IR LISTEXT
LIST-SUBSCRIBED
S: C01 OK Unknown Error Code: -1904809420
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
starting TLS engine
setting up TLS connection
SSL_connect:before/connect initialization
[..]
SSL_connect:SSLv3 write client hello A
[..]
SSL_connect:SSLv3 read finished A
subject_CN=mail.testdomain.com, issuer_CN=PRESENCE Group .network CA
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
Asking for capabilities again since they might have changed
[..]
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID
NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT
THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT
LIST-SUBSCRIBED
[..]
S: C01 OK Unknown Error Code: -1904809420
C: A01 AUTHENTICATE CRAM-MD5
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256
with LOG showing:
[..]
Oct 9 08:46:37 devbox DMCYRUS/imap[5319]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits
new) authenticated as mail.testdomain.com
Oct 9 08:46:46 devbox DMCYRUS/imap[5319]: login: devbox.internal.presence-group.net
[172.30.11.5] testuser at testdomain.com CRAM-MD5+TLS User logged in
[..]
ok, LOGGED in with TLS!
> if I set sasl_minimum_layer to 128 then I cannot login with cram-md5 (without
> SSL/TLS), here is the cyrus log:
>
> badlogin: host [10.1.0.3] PLAIN [SASL(-4): no mechanism available: mech CRAM-MD5 is too weak]
> and the imtest response was:
> [...]
> S: C01 OK Completed
> C: A01 AUTHENTICATE CRAM-MD5
> S: A01 NO mechanism too weak for this user
> Authentication failed. generic failure
> Security strength factor: 0
>
> But with SSL involved this works:
> [..]
> S: C01 OK Completed
> C: A01 AUTHENTICATE CRAM-MD5
> S: A01 OK Success (tls protection)
> Authenticated.
> Security strength factor: 256
ok.
withOUT tls:
imtest -v \
-p imap \
-m cram-md5 \
-a testuser at mail.testdomain.com \
-u testuser at mail.testdomain.com \
-r mail.testdomain.com \
mail.testdomain.com
Oct 9 08:49:04 devbox DMCYRUS/imap[5348]: badlogin: devbox.internal.presence-group.net
[172.30.11.5] CRAM-MD5 [SASL(-15): mechanism too weak for this user: mech CRAM-MD5 is too weak]
yup. failed as you explained/suggested. good!
>> what *is* the relationship/dependency of sasl_minimum_layer & TLS?
> TLS increases the SSF (security strength factor) and sasl_minimum_layer
> enforces a minimum SSF.
ok. clear.
> Please note that
> using an authentication mech that provides integrity (such as DIGEST-MD5 or
> GSSAPI) increases the SSF also (see my example on DIGEST-MD5 without SSL/TLS).
did not know that! fwiw, here's an add'l helpful reference:
" SASL Authentication"
http://java.sun.com/products/jndi/tutorial/ldap/security/sasl.html
>> one 'suspect' ... to connect via TLS, TBird *requires* the following setup:
[..]
>> is there, perhaps, an 'issue' with the port993 use defaulting to some minimum_layer strength
>> despite my imapd.conf setting?
> Traditionally port 993 is for imaps (that is IMAP/SSL) in which the client
> connects 'directly' over a SSL connection and negotiates encryption,
> it's not like TLS/STARTTLS in which the client starts the connection in
> plain text and chooses to use TLS (and issues a STARTTLS command) or not.
> Try imtest, it always shows you SSF, and try to configure TB on port 143
> to see if it uses STARTTLS to encrypt the connection.
looking at my FIRST result above with 'imtest', i see 'STARTTLS'.
which, if i read you right here, is exactly what i should expect.
> I suspect TB uses IMAPS and always negotiates SSL before attempting to
> issue any IMAP commands and before even authenticating.
hmmmm .... there appears to be a problem, then ...
w/ TB configured as:
Server Type: IMAP Mail Server
Server Name: {mail.testdomain.com}
Port: {993} Default: 993
[x] Use secure connection (SSL)
[x] Use secure authentication
i CAN LOGIN. AND it seems that TLS is *enabled*, but i do NOT SEE (!?) STARTTLS anywhere in my
server capability
my protocol log on connect shows:
39820288[4e64a40]: 25f5800:mail.testdomain.com:NA:CreateNewLineFromSocket: * OK
mail.testdomain.com Cyrus IMAP4 v2.2.12 server ready
39756800[4e62200]: 25eae00:mail.testdomain.com:NA:CreateNewLineFromSocket: * CAPABILITY IMAP4
IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT
CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE
AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED
39756800[4e62200]: 25eae00:mail.testdomain.com:NA:SendData: 2 authenticate CRAM-MD5
39756800[4e62200]: 25eae00:mail.testdomain.com:NA:CreateNewLineFromSocket: 2 OK Success (tls
protection)
38987264[4ec11b0]:
23e5600:mail.testdomain.com:NA:ProcessCurrentURL:imap://testuser%40testdomain%2Ecom@mail.testdomain.com:993/listfolder%3E%5EDrafts:
= currentUrl
-1610551400[1b06cc0]: queuing @mail.testdomain.com:993/listfolder>^Drafts
with cyrus log:
Oct 9 09:01:04 devbox DMCYRUS/imaps[5396]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits
new) no authentication
Oct 9 09:01:05 devbox DMCYRUS/imaps[5396]: login: tiedgar.presence-group.net [172.30.11.6]
testuser at testdomain.com CRAM-MD5+TLS User logged in
===================
BUT, if i config TB -- changing the connect PORT to 143 -- as:
Server Type: IMAP Mail Server
Server Name: {mail.testdomain.com}
Port: {143} Default: 993
[x] Use secure connection (SSL)
[x] Use secure authentication
my protocol log shows:
-1610551400[1b06cc0]: failed creating protocol instance to play queued
url:imap://testuser@mail.testdomain.com:993/folderstatus>
39742464[4327de0]: ImapThreadMainLoop entering [this=25eb800]
-1610551400[1b06cc0]: 25eb800:mail.testdomain.com:NA:SetupWithUrl: clearing
IMAP_CONNECTION_IS_OPEN
39742464[4327de0]: 25eb800:mail.testdomain.com:NA:ProcessCurrentURL: entering
39742464[4327de0]:
25eb800:mail.testdomain.com:NA:ProcessCurrentURL:imap://testuser%40testdomain%2Ecom@mail.testdomain.com:143/select%3E/INBOX:
= currentUrl
[..]
-1610551400[1b06cc0]: failed creating protocol instance to play queued
url:imap://testuser@testdomain.com@mail.testdomain.com:143/select>/
-1610551400[1b06cc0]: queuing
and just continuously 'cycles' these last statements ... and i never login/connect
===================
if i config TB -- turning off SSL -- as:
Server Type: IMAP Mail Server
Server Name: {mail.testdomain.com}
Port: {143} Default: 143
[ ] Use secure connection (SSL)
[x] Use secure authentication
i get an error on login attempt:
"You cannot log in to mail.testdomain.com because you have enabled secure authentication and
this server does not support it. To log in, turn off secure authentication for this accounts."
===================
finally, if i config TB as:
Server Type: IMAP Mail Server
Server Name: {mail.testdomain.com}
Port: {143} Default: 143
[ ] Use secure connection (SSL)
[ ] Use secure authentication
i get a login error of:
40109056[41e39a0]: 2668e00:mail.testdomain.com:NA:SendData: Logging suppressed for this command
(it probably contained authentication information)
40109056[41e39a0]: ReadNextLine [stream=4132b88 nb=41 needmore=0]
40109056[41e39a0]: 2668e00:mail.testdomain.com:NA:CreateNewLineFromSocket: 1 NO Login only
available under a layer
##################################################
sooooo, here's the problem:
imtest: i CAN login w/ TLS via STARTTLS on port 143
TBird: i CAN login w/ TLS, but no trace of STARTTLS and only on port 993
##################################################
am i seeing a problem with Tbird, Cyrus or me?
thx!
richard
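As an added example (not from this thread, and not Cyrus or Cyrus SASL code), the following Python models the relationship the reply above describes: TLS supplies an external SSF, a mechanism that provides integrity/privacy supplies its own, and sasl_minimum_layer is the floor their sum must reach, which is why the server's CAPABILITY changes after STARTTLS. The per-mechanism SSF values and the two sample CAPABILITY lines are assumptions reconstructed from the imtest output in this message.

```python
# Assumed per-mechanism SSF, taken from the thread's observations: DIGEST-MD5
# yielded an SSF of 128 on its own; CRAM-MD5 and PLAIN add no layer of their own.
MECH_SSF = {"PLAIN": 0, "CRAM-MD5": 0, "DIGEST-MD5": 128}


def mechs_meeting_layer(min_layer, external_ssf):
    """Mechanisms a server can offer when the session already has
    `external_ssf` (0 on plain TCP, cipher bits after TLS) and the
    configured sasl_minimum_layer is `min_layer`."""
    return {m for m, ssf in MECH_SSF.items() if external_ssf + ssf >= min_layer}


def parse_capability(line):
    """Split an untagged '* CAPABILITY ...' response into (capabilities, auth mechs)."""
    tokens = line.replace("* CAPABILITY", "", 1).split()
    mechs = {t[len("AUTH="):] for t in tokens if t.startswith("AUTH=")}
    caps = {t for t in tokens if not t.startswith("AUTH=")}
    return caps, mechs


def explain_capability_change(before, after):
    """Compare the pre- and post-STARTTLS CAPABILITY lines and report what the
    TLS layer unlocked: new SASL mechanisms and whether LOGIN became available."""
    caps_b, mechs_b = parse_capability(before)
    caps_a, mechs_a = parse_capability(after)
    return {
        "starttls_offered": "STARTTLS" in caps_b,
        "login_disabled_before_tls": "LOGINDISABLED" in caps_b,
        "login_disabled_after_tls": "LOGINDISABLED" in caps_a,
        "mechs_unlocked_by_tls": mechs_a - mechs_b,
    }


# Constructed sample: the two CAPABILITY responses from the imtest session
# in this message, shortened and joined back onto single lines.
BEFORE_TLS = ("* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID "
              "STARTTLS LOGINDISABLED AUTH=DIGEST-MD5 SASL-IR")
AFTER_TLS = ("* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID "
             "AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR")

if __name__ == "__main__":
    print(explain_capability_change(BEFORE_TLS, AFTER_TLS))
    print(mechs_meeting_layer(128, 0))    # plain TCP: only DIGEST-MD5 reaches 128
    print(mechs_meeting_layer(128, 256))  # after AES256-SHA: all three mechanisms
```

With sasl_minimum_layer 128 and no TLS the model offers only DIGEST-MD5, matching the "mech CRAM-MD5 is too weak" badlogin; once the 256-bit TLS layer is in place every mechanism clears the floor, matching the post-STARTTLS CAPABILITY.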