Allow plaintext and TLS [checked for viruses]

Hans Moser hans.moser at ofd-sth.niedersachsen.de
Tue Apr 4 06:58:40 EDT 2006


Hi!

Patrick H Radtke wrote:

> Have you tried imtest?
> imtest -m PLAIN -t ""  hostname
> 
> This should do a CAPABILITY call, AUTH=PLAIN won't be advertised, and 
> then it should do a STARTTLS and then another CAPABILITY call and 
> AUTH=PLAIN will now be advertised since the connection is secure.

When I use
#imtest -a user -v hostname
the mech is DIGEST-MD5 and it works.

When I use
#imtest -t "" -a user -v hostname
the mech is DIGEST-MD5 and it works. IMAPd offers PLAIN after TLS is 
established.
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS 
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND 
BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE 
AUTH=LOGIN AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR
S: C01 OK Completed
C: A01 AUTHENTICATE DIGEST-MD5
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256

When I use
#imtest -a user -v -m plain hostname
IMAPd complains about not using encryption:
Apr  4 12:42:12 rzhs050 local6:notice imap[21750]: badlogin: 
rzhs050.ofd-h.de [10.49.6.20] PLAIN [SASL(-16): encryption needed to use 
mechanism: security flags do not match required]

When I use
#imtest -t "" -a user -v -m plain hostname
IMAPd says this:
Apr  4 12:39:36 rzhs050 local6:notice imap[21750]: starttls: TLSv1 with 
cipher AES256-SHA (256/256 bits new) no authentication
Apr  4 12:39:42 rzhs050 auth|security:err|error imap[21750]: unknown 
password verifier
Apr  4 12:39:42 rzhs050 auth|security:notice imap[21750]: Password 
verification failed
Apr  4 12:39:42 rzhs050 local6:notice imap[21750]: badlogin: 
rzhs050.ofd-h.de [10.49.6.20] PLAIN [SASL(-4): no mechanism available: 
Password verification failed]
No action on slapd at all!
Why is that, some config error?

# imapd.conf:
configdirectory: /opt/mail/var/imap
partition-default: /opt/mail/var/spool/imap
sievedir: /opt/mail/var/sieve
admins: cyrus root
allowanonymouslogin: no
autocreatequota: 10000
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_log_level: 5
sasl_pwcheck_method: auxprob
sasl_auxprob_plugin: ldapdb
sasl_ldapdb_uri: ldap://rzhs050.ofd-h.de
sasl_ldapdb_id: human
sasl_ldapdb_pw: nothing
sasl_ldapdb_mech:  PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
sasl_mech_list: PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
allowplaintext: yes
sasl_minimum_layer: 0
sasl_ldapdb_starttls: Demand
sasl_ldap_search_base: ou=humans,ou=foo,c=de
sasl_ldap_search_filter: uid=%U
lmtp_overquota_perm_failure: no
#
# if you want TLS, you have to generate certificates and keys
#
tls_cert_file: /opt/mail/etc/openldap/ssl/ldapcert.pem
tls_key_file: /opt/mail/etc/openldap/ssl/ldapkey.pem
tls_ca_file: /opt/mail/etc/openldap/ssl/ldapca.pem
tls_ca_path: /opt/mail/etc/openldap/ssl/ca

Hans
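As an added example (not from this thread or from Cyrus/imtest), the check Patrick describes, scripted with Python's imaplib: fetch CAPABILITY, do STARTTLS, fetch CAPABILITY again, and confirm that PLAIN/LOGIN are only advertised once TLS is up. `probe_server` needs a reachable server; the offline functions run on constructed capability lines modelled on the ones quoted in the post, and the hostname is an assumed placeholder.

```python
import imaplib
import ssl

# Constructed sample CAPABILITY lines, shaped like the server response in
# the post: PLAIN/LOGIN withheld before STARTTLS, offered after it.
PRE_TLS = ("IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ IDLE STARTTLS "
           "AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR")
POST_TLS = ("IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ IDLE "
            "AUTH=LOGIN AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR")

# Mechanisms that send the password in the clear and must be gated on TLS.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def sasl_mechs(capability_line):
    """Return the set of SASL mechanisms (AUTH=xxx tokens) in a CAPABILITY line."""
    return {tok.split("=", 1)[1].upper()
            for tok in capability_line.split()
            if tok.upper().startswith("AUTH=")}


def plaintext_mechs_gated(pre_tls_caps, post_tls_caps):
    """True when the server offers STARTTLS, withholds PLAIN/LOGIN before
    TLS, and advertises at least one of them after TLS is established."""
    pre_tokens = {tok.upper() for tok in pre_tls_caps.split()}
    if "STARTTLS" not in pre_tokens:
        return False
    before = sasl_mechs(pre_tls_caps) & PLAINTEXT_MECHS
    after = sasl_mechs(post_tls_caps) & PLAINTEXT_MECHS
    return not before and bool(after)


def probe_server(host="imap.example.invalid", port=143):
    """Live check (needs network): return (pre-TLS caps, post-TLS caps)
    as strings. imaplib re-reads CAPABILITY itself after starttls()."""
    conn = imaplib.IMAP4(host, port)
    pre = " ".join(conn.capabilities)
    conn.starttls(ssl.create_default_context())
    post = " ".join(conn.capabilities)
    conn.logout()
    return pre, post


if __name__ == "__main__":
    # Offline demonstration on the constructed lines; swap in probe_server()
    # for a real host.
    print("gated:", plaintext_mechs_gated(PRE_TLS, POST_TLS))
```

A result of `False` on a live server means either PLAIN/LOGIN leak before STARTTLS (the hardening failed) or they are never offered at all (a SASL/auxprop problem like the one in the post, worth checking in the imapd log).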