Allow plaintext and TLS [virus-scanned]
Hans Moser
hans.moser at ofd-sth.niedersachsen.de
Tue Apr 4 06:58:40 EDT 2006
Hi!
Patrick H Radtke wrote:
> Have you tried imtest?
> imtest -m PLAIN -t "" hostname
>
> This should do a CAPABILITY call, AUTH=PLAIN won't be advertised, and
> then it should do a STARTTLS and then another CAPABILITY call and
> AUTH=PLAIN will now be advertised since the connection is secure.
When I use
#imtest -a user -v hostname
the mech is DIGEST-MD5 and it works.
When I use
#imtest -t "" -a user -v hostname
the mech is DIGEST-MD5 and it works. IMAPd offers PLAIN after TLS is
established.
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE
AUTH=LOGIN AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR
S: C01 OK Completed
C: A01 AUTHENTICATE DIGEST-MD5
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256
When I use
#imtest -a user -v -m plain hostname
IMAPd complains about not using encryption:
Apr 4 12:42:12 rzhs050 local6:notice imap[21750]: badlogin:
rzhs050.ofd-h.de [10.49.6.20] PLAIN [SASL(-16): encryption needed to use
mechanism: security flags do not match required]
When I use
#imtest -t "" -a user -v -m plain hostname
IMAPd says this:
Apr 4 12:39:36 rzhs050 local6:notice imap[21750]: starttls: TLSv1 with
cipher AES256-SHA (256/256 bits new) no authentication
Apr 4 12:39:42 rzhs050 auth|security:err|error imap[21750]: unknown
password verifier
Apr 4 12:39:42 rzhs050 auth|security:notice imap[21750]: Password
verification failed
Apr 4 12:39:42 rzhs050 local6:notice imap[21750]: badlogin:
rzhs050.ofd-h.de [10.49.6.20] PLAIN [SASL(-4): no mechanism available:
Password verification failed]
No action on slapd at all!
Why is that, some config error?
# imapd.conf:
configdirectory: /opt/mail/var/imap
partition-default: /opt/mail/var/spool/imap
sievedir: /opt/mail/var/sieve
admins: cyrus root
allowanonymouslogin: no
autocreatequota: 10000
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_log_level: 5
sasl_pwcheck_method: auxprob
sasl_auxprob_plugin: ldapdb
sasl_ldapdb_uri: ldap://rzhs050.ofd-h.de
sasl_ldapdb_id: human
sasl_ldapdb_pw: nothing
sasl_ldapdb_mech: PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
sasl_mech_list: PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
allowplaintext: yes
sasl_minimum_layer: 0
sasl_ldapdb_starttls: Demand
sasl_ldap_search_base: ou=humans,ou=foo,c=de
sasl_ldap_search_filter: uid=%U
lmtp_overquota_perm_failure: no
#
# if you want TLS, you have to generate certificates and keys
#
tls_cert_file: /opt/mail/etc/openldap/ssl/ldapcert.pem
tls_key_file: /opt/mail/etc/openldap/ssl/ldapkey.pem
tls_ca_file: /opt/mail/etc/openldap/ssl/ldapca.pem
tls_ca_path: /opt/mail/etc/openldap/ssl/ca
Hans
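The check Patrick describes (CAPABILITY, then STARTTLS, then CAPABILITY again, expecting AUTH=PLAIN only in the second list) can be scripted. The following is an added example written for this page; it is not from the original post and not part of Cyrus IMAP. It uses Python's standard imaplib and ssl modules; the hostname and port are supplied by the caller. The pre-TLS capability line embedded below is constructed (the post's post-TLS list with the plaintext mechanisms removed and STARTTLS added, as the reply predicts); the post-TLS line is the one quoted in the post.

```python
"""Verify that an IMAP server advertises AUTH=PLAIN only after STARTTLS.

Added example; not part of the original post or of Cyrus IMAP.  The live
check uses Python's imaplib; the hostname is supplied by the caller.
"""
import imaplib
import ssl
import sys

# SASL mechanisms that send the password in the clear, so a server with
# allowplaintext/sasl_minimum_layer set sanely should only offer them
# once the TLS layer is up (the "encryption needed to use mechanism"
# refusal in the post is the server enforcing exactly that).
PLAINTEXT_MECHS = frozenset({"AUTH=PLAIN", "AUTH=LOGIN"})


def parse_capability(line):
    """Turn a CAPABILITY response into a set of capability tokens.

    Accepts either the full untagged line ('* CAPABILITY ...') or just the
    token list that imaplib.IMAP4.capability() hands back.
    """
    tokens = line.split()
    if tokens[:2] == ["*", "CAPABILITY"]:
        tokens = tokens[2:]
    if not tokens:
        raise ValueError("empty CAPABILITY response: %r" % (line,))
    return frozenset(tokens)


def evaluate(pre_tls, post_tls):
    """Compare the capability sets seen before and after STARTTLS.

    'ok' is True only if STARTTLS was advertised on the cleartext channel,
    no plaintext mechanism was offered before TLS, and at least one was
    offered after TLS.  Anything else is reported in the other keys.
    """
    leaked = sorted(PLAINTEXT_MECHS & pre_tls)
    offered = sorted(PLAINTEXT_MECHS & post_tls)
    starttls = "STARTTLS" in pre_tls
    return {
        "starttls_advertised": starttls,
        "plaintext_before_tls": leaked,
        "plaintext_after_tls": offered,
        "ok": starttls and not leaked and bool(offered),
    }


def live_check(host, port=143):
    """Run CAPABILITY / STARTTLS / CAPABILITY against a real server.

    Uses a default SSL context, so the server certificate is verified; a
    verification failure is itself a finding, not something to silence.
    """
    conn = imaplib.IMAP4(host, port)
    try:
        _typ, data = conn.capability()
        pre = parse_capability(data[0].decode())
        if "STARTTLS" not in pre:
            # Nothing to upgrade to; report whatever the cleartext channel showed.
            return evaluate(pre, frozenset())
        conn.starttls(ssl.create_default_context())
        _typ, data = conn.capability()
        post = parse_capability(data[0].decode())
    finally:
        try:
            conn.logout()
        except Exception:
            pass  # connection may already be torn down after a failed STARTTLS
    return evaluate(pre, post)


# Constructed pre-TLS line (assumption): the post's list without the
# plaintext mechanisms, plus STARTTLS, which is what the reply predicts.
PRE_TLS_SAMPLE = ("* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ STARTTLS "
                  "AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR")
# Post-TLS line exactly as quoted in the post.
POST_TLS_SAMPLE = ("* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS "
                   "NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND "
                   "BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE "
                   "AUTH=LOGIN AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR")


def sample_report():
    """Evaluate the two embedded sample lines (offline)."""
    return evaluate(parse_capability(PRE_TLS_SAMPLE),
                    parse_capability(POST_TLS_SAMPLE))


if __name__ == "__main__":
    # With a hostname argument, talk to that server; otherwise use the samples.
    report = live_check(sys.argv[1]) if len(sys.argv) > 1 else sample_report()
    for key, value in report.items():
        print(key, value)
    sys.exit(0 if report["ok"] else 1)
```

Run it with no arguments to see the expected shape of a healthy result, or with a hostname to exercise a real server; a non-zero exit means either AUTH=PLAIN leaked onto the cleartext channel or it never appeared after STARTTLS. Note that this only inspects what the server advertises; it does not attempt a login, so it will not reproduce the password-verifier error in the post.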
More information about the Info-cyrus mailing list