does xfer require murder?

Perry Brown vbperry at hotmail.com
Thu Apr 20 20:55:17 EDT 2006 

I tried with plain: /opt/mail/cyrus-imapd/bin/imtest -m plain -p imap

And it got rejected.

C: A01 AUTHENTICATE PLAIN Y3lyaW1hcABjeXJpbWFwAGpTdXZTMTFz
S: A01 NO no mechanism available
Authentication failed. generic failure
Security strength factor: 0


I can not find a tls conf file so I do not thing starttls is set up.

I added the entry mentioned to imapd.conf
$ cat /etc/imapd.conf
defaultpartition: imap1
configdirectory: /var/imap
partition-imap1: /var/spool/imap1
admins: cyrus support
srvtab: /var/imap/srvtab
quotawarn: 85
popminpoll: 0
autocreatequota: 30000
sasl_pwcheck_method: saslauthd
lmtp_over_quota_perm_failure: 1
allowusermoves: yes
proxy_authname: cyrus
proxy_password: password
force_sasl_client_mech: PLAIN

And it gets things furthur along then before

$ sudo /opt/mail/cyrus-imapd/bin/cyradm --user cyrus --server server1 --auth 
PLAIN
domain.com authorized use only. vbperry at server1 Password:
Password:
IMAP Password:
              server1.sub1.domain.com>
server1.sub1.domain.com> xfer user.vbperry server2.sub2.domain.com
xfermailbox: Server(s) unavailable to complete operation

log on source:

Apr 20 17:42:05 server1 imap[1458]: accepted connection
Apr 20 17:42:07 server1 imap[1458]: badlogin: server1.ssub1.domain.com 
[10.12.12.12] PLAIN [SASL(-4): no mechanism available: security flags do not 
match required]
Apr 20 17:42:14 server1  imap[1458]: login: server1.sub1.domain.com 
[10.12.12.12] cyrus plaintext User logged in
Apr 20 17:42:41 server1  master[27630]: process 32354 exited, status 0
Apr 20 17:42:41 server1  master[2161]: about to exec 
/opt/mail/cyrus-imapd/bin/imapd
Apr 20 17:42:41 server1  imap[2161]: executed
Apr 20 17:42:55 server1  imap[1458]: couldn't authenticate to backend 
server: authentication failure
Apr 20 17:42:55 server1  imap[1458]: Could not move mailbox: user.vbperry, 
Initial backend connect failed



But I'm now at least seeing something on the destination server:

Apr 20 17:42:52 server2 imap[24375]: badlogin: server1.sub1.domain.com 
[10.12.12.12] PLAIN [SASL(-4): no mechanism available: security flags do not 
match required]


If I can take a step back (sorry I'm trying to decipher how the previous 
admin had things set up in the environment). The document on how this was 
set up states.


cyrus-sasl was config'ed with

./configure --prefix=/opt/mail/cyrus-sasl \
    --enable-login --enable-plain --enable-cram \
    --enable-digest --with-bdb-incdir=/usr/include/db4 \
    --with-pam --enable-static=yes --enable-sample \
    --disable-java --disable-otp --disable-krb4 \
    --with-plugindir=/opt/mail/cyrus-sasl/lib/sasl2

The cyrus-sasl cyrus.conf states:
srvtab: /var/imap/srvtab <<< seems I could remove this since kerberos is 
disabled above.
pwcheck_method: saslauthd


saslauthd is started in with pam support:
root      2060  0.0  0.0  2564 1036 ?        S    Apr14   0:00 
/usr/sbin/saslauthd -m /var/run/saslauthd -a pam

There is /etc/pam.d/imap and pop3 with the following content..
#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth

Cyrus-imap was compiled with (again what is in the notes from install from 
previoys admin)

  CFLAGS=-I/usr/kerberos/include ./configure --prefix=/opt/mail/cyrus-imapd 
\
    --with-cyrus-prefix=/opt/mail/cyrus-imapd \
    --with-cyrus-user=cyrimap \
    --with-cyrus-group=mail \
    --with-bdb-incdir=/usr/include/db4 \
    --build=i686-pc-linux-gnu \
    --with-sasl=/opt/mail/cyrus-sasl \
    --with-auth=unix \
    --enable-netscapehack \
    --enable-listext \
    --with-perl=/opt/third-party/bin/perl \
    --disable-murder


I can run a testsaslauthd and it works fine to the local host

server1.sub1% /usr/sbin/testsaslauthd -u cyrus -p password -R 3
0: OK "Success."
1: OK "Success."
2: OK "Success."

It seems I do not need to have a realm defined because we are using pam.
and if I do a sasldbpasswd2 it says /etc/sasldb2 does not exist. This not 
seem to be the problem though since saslauthd is using pam. yes?

When I login into cyradm again locally with --auth plain I can do commands 
like listmailbox and such. I  can't seem to be able to run "info" I just go 
back to the prompt on that one.

What should my security flags be? What am I missing?

Thank you
perry



>You need to use tls as well for PLAIN to work.  add -t ""  to your  
>arguments
>
>
>What mechanism do you want to use for connecting between backends? If  its 
>PLAIN then you want
>force_sasl_client_mech: PLAIN
>
>in your imapd.conf file.
>
>Otherwise, the machines will see GSSAPI advertised and will try using  
>that.
>
>-Patrick
>
>
>
>
>
>On Apr 20, 2006, at 5:19 PM, Perry Brown wrote:
>
>>
>>
>>
>>>
>>>
>>>
>>>>
>>>>Perry Brown wrote:
>>>>>Thanks for the imtest idea.
>>>>>
>>>>>It looks like I can log in OK.
>>>>>
>>>>>
>>>>>server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -m login -p imap  
>>>>>server2.sub2.domain.com
>>>>
>>>>Force imtest to use one of the SASL mechanisms that are listed.   The 
>>>>backends *only* use SASL, not protocol specific login  commands (IMAP 
>>>>LOGIN, POP3 USER/PASS, NNTP AUTHINFO USER/PASS).
>>>>
>>>
>>>I'm sorry I got my dounce cap on today or something.
>>>
>>>Should I change the -m login to -m and one of the AUTH= values  from the 
>>>CAPABILITY output?
>>>ie  -m GSSAPI? or digest-md5 etc...
>>>
>>>Andy Morgan wrote:
>>>Maybe "-m plain"?
>>
>>thank you for the suggestion Andy but no luck.
>>
>>server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -m plain -p imap
>>WARNING: no hostname supplied, assuming localhost
>>
>>S: * OK server1.sub1.domain.com Cyrus IMAP4 v2.2.8 server ready
>>C: C01 CAPABILITY
>>S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX- REFERRALS 
>>NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN  MULTIAPPEND 
>>BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES  ANNOTATEMORE IDLE 
>>AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR  LISTEXT LIST-SUBSCRIBED 
>>X-NETSCAPE
>>S: C01 OK Completed
>>Please enter your password:
>>C: A01 AUTHENTICATE PLAIN Y3lyaW1hcABjeXJpbWFwAGpTdXZTMTFz
>>S: A01 NO no mechanism available
>>Authentication failed. generic failure
>>Security strength factor: 0
>>
>>
>>>
>>>I gave this a try with GSSAPI, and got nothing.
>>>
>>>digest-md5,
>>>
>>>server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -m digest-md5
>>>WARNING: no hostname supplied, assuming localhost
>>>
>>>S: * OK server1.sub1.domain.com Cyrus IMAP4 v2.2.8 server ready
>>>C: C01 CAPABILITY
>>>S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX- REFERRALS 
>>>NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN  MULTIAPPEND 
>>>BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES  ANNOTATEMORE IDLE 
>>>AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL- IR LISTEXT 
>>>LIST-SUBSCRIBED X-NETSCAPE
>>>S: C01 OK Completed
>>>C: A01 AUTHENTICATE DIGEST-MD5
>>>S:
>>>wkrnfjknf (etc list of characters)
>>>Please enter your password: (I enter passwd for cyrus)
>>>C: dXNlcm5h (another long list of characters)
>>>S: A01 NO user not found
>>>Authentication failed. generic failure
>>>Security strength factor: 128
>>>
>>>
>>>This is what I see in local6.log on server1.sub1
>>>
>>>Apr 20 11:04:32 server1 imap[17729]: accepted connection
>>>Apr 20 11:04:38 server1 imap[17729]: badlogin:  localhost.localdomain 
>>>[127.0.0.1] DIGEST-MD5 [SASL(-13): user not  found: no secret in 
>>>database]
>>>
>>>This is in the auth.log
>>>Apr 20 11:06:26 server1 imap[15971]: unable to open Berkeley db / 
>>>etc/sasldb2: No such file or directory
>>>Apr 20 11:06:26 server1 imap[15971]: unable to open Berkeley db / 
>>>etc/sasldb2: No such file or directory
>>>Apr 20 11:06:26 server1 imap[15971]: no secret in database
>>>
>>>
>>>
>>>cram-md5 got me pretty much the same thing.
>>>
>>>Is there a cyrus or sasl command I should/can run to get the auth  for 
>>>digest-md5 working?
>>>
>>>
>>>Perry
>>>
>>>
>>>
>>>>
>>>>>S: * OK server2.sub2.domain.com Cyrus IMAP4 v2.2.8 server ready
>>>>>C: C01 CAPABILITY
>>>>>S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX- REFERRALS 
>>>>>NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT  CHILDREN MULTIAPPEND 
>>>>>BINARY SORT THREAD=ORDEREDSUBJECT  THREAD=REFERENCES ANNOTATEMORE IDLE 
>>>>>AUTH=GSSAPI AUTH=DIGEST-MD5  AUTH=CRAM-MD5 SASL-IR LISTEXT 
>>>>>LIST-SUBSCRIBED X-NETSCAPE
>>>>>S: C01 OK Completed
>>>>>Please enter your password:
>>>>>C: L01 LOGIN cyrus {8}
>>>>>S: + go ahead
>>>>>C: <omitted>
>>>>>S: L01 OK User logged in
>>>>>Authenticated.
>>>>>Security strength factor: 0
>>>>>CAPABILITY
>>>
>>>
>>>----
>>>Cyrus Home Page: http://asg.web.cmu.edu/cyrus
>>>Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
>>>List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>>
>>
>>----
>>Cyrus Home Page: http://asg.web.cmu.edu/cyrus
>>Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
>>List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>

More information about the Info-cyrus mailing list