does xfer require murder?

Patrick Radtke phr2101 at columbia.edu
Fri Apr 21 16:50:34 EDT 2006


Basically:

Cyrus Imapd uses a SASL mechanism to talk between cyrus machines.
The SASL mechanism you are using is PLAIN (I don't think LOGIN is a SASL mechanism; it's IMAP specific).
PLAIN requires TLS
TLS requires certificates.
You don't have certificates.

if
imtest -t "" -m PLAIN -a cyrus -u cyrus servername

does not work, then xfer never will.


Get a cert! :)

-Patrick
On Apr 21, 2006, at 4:30 PM, Perry Brown wrote:

> Sorry to keep bugging everyone on this, but it seems I am close; I'm just overlooking something obvious.
>
> I looked through the config on the hosts and we are using pam.
>
>
> I changed the imapd.conf a little
> defaultpartition: imap1
> configdirectory: /var/imap
> partition-imap1: /var/spool/imap1
> admins: cyrus support
> srvtab: /var/imap/srvtab
> quotawarn: 85
> popminpoll: 0
> autocreatequota: 30000
> sasl_pwcheck_method: saslauthd
> lmtp_over_quota_perm_failure: 1
> allowusermoves: yes
> proxy_authname: cyrus
> proxy_password: password
> force_sasl_client_mech: LOGIN PLAIN
>
>
> Imtest looks to work Ok with Login
>
> server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -p imap -m login
> WARNING: no hostname supplied, assuming localhost
>
> S: * OK server1.sub1.domain.com Cyrus IMAP4 v2.2.8 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX- 
> REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN  
> MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES  
> ANNOTATEMORE IDLE AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR  
> LISTEXT LIST-SUBSCRIBED X-NETSCAPE
> S: C01 OK Completed
> Please enter your password:
> C: L01 LOGIN cyrus {8}
> S: + go ahead
> C: <omitted>
> S: L01 OK User logged in
> Authenticated.
> Security strength factor: 0
>
> This works to the localhost as well as to server2.
>
> I try the xfer from server1 to server2:
>
> server1.sub1% /opt/mail/cyrus-imapd/bin/cyradm --user cyrus -- 
> server server1.sub1 --auth login
> IMAP Password:
>              server1.sub1.domain.com>
> server1.sub1.domain.com> xfer user.vbperry server2.sub2
> xfermailbox: Server(s) unavailable to complete operation
>
> the log from server2 shows:
> Apr 21 12:56:31  server2 imap[27408]: badlogin:  
> server1.sub1.domain.com [10.12.12.12] PLAIN [SASL(-4): no mechanism  
> available: security flags do not match required]
>
> /etc/sysconfig/saslauthd
> MECH=pam
> FLAGS=${FLAGS:=}
>
> Is there a doc on the sysconfig/saslauthd flags? I looked through  
> the docs that came with cyrus-imap and cyrus-sasl and did not find  
> anything.
>
> From server1 I can log into server2 with imtest, testsaslauthd works OK as well. What security flags do not match? Is there a way to kick up the verbosity of the logging to see if that would give a clue?
>
>
> Perry
>
>>
>> I tried with plain: /opt/mail/cyrus-imapd/bin/imtest -m plain -p imap
>>
>> And it got rejected.
>>
>> C: A01 AUTHENTICATE PLAIN Y3lyaW1hcABjeXJpbWFwAGpTdXZTMTFz
>> S: A01 NO no mechanism available
>> Authentication failed. generic failure
>> Security strength factor: 0
>>
>>
>> I can not find a tls conf file so I do not think starttls is set up.
>>
>> I added the entry mentioned to imapd.conf
>> $ cat /etc/imapd.conf
>> defaultpartition: imap1
>> configdirectory: /var/imap
>> partition-imap1: /var/spool/imap1
>> admins: cyrus support
>> srvtab: /var/imap/srvtab
>> quotawarn: 85
>> popminpoll: 0
>> autocreatequota: 30000
>> sasl_pwcheck_method: saslauthd
>> lmtp_over_quota_perm_failure: 1
>> allowusermoves: yes
>> proxy_authname: cyrus
>> proxy_password: password
>> force_sasl_client_mech: PLAIN
>>
>> And it gets things further along than before
>>
>> $ sudo /opt/mail/cyrus-imapd/bin/cyradm --user cyrus --server  
>> server1 --auth PLAIN
>> domain.com authorized use only. vbperry at server1 Password:
>> Password:
>> IMAP Password:
>>              server1.sub1.domain.com>
>> server1.sub1.domain.com> xfer user.vbperry server2.sub2.domain.com
>> xfermailbox: Server(s) unavailable to complete operation
>>
>> log on source:
>>
>> Apr 20 17:42:05 server1 imap[1458]: accepted connection
>> Apr 20 17:42:07 server1 imap[1458]: badlogin:  
>> server1.ssub1.domain.com [10.12.12.12] PLAIN [SASL(-4): no  
>> mechanism available: security flags do not match required]
>> Apr 20 17:42:14 server1  imap[1458]: login:  
>> server1.sub1.domain.com [10.12.12.12] cyrus plaintext User logged in
>> Apr 20 17:42:41 server1  master[27630]: process 32354 exited,  
>> status 0
>> Apr 20 17:42:41 server1  master[2161]: about to exec /opt/mail/ 
>> cyrus-imapd/bin/imapd
>> Apr 20 17:42:41 server1  imap[2161]: executed
>> Apr 20 17:42:55 server1  imap[1458]: couldn't authenticate to  
>> backend server: authentication failure
>> Apr 20 17:42:55 server1  imap[1458]: Could not move mailbox:  
>> user.vbperry, Initial backend connect failed
>>
>>
>>
>> But I'm now at least seeing something on the destination server:
>>
>> Apr 20 17:42:52 server2 imap[24375]: badlogin:  
>> server1.sub1.domain.com [10.12.12.12] PLAIN [SASL(-4): no  
>> mechanism available: security flags do not match required]
>>
>>
>> If I can take a step back (sorry I'm trying to decipher how the  
>> previous admin had things set up in the environment). The document  
>> on how this was set up states.
>>
>>
>> cyrus-sasl was config'ed with
>>
>> ./configure --prefix=/opt/mail/cyrus-sasl \
>>    --enable-login --enable-plain --enable-cram \
>>    --enable-digest --with-bdb-incdir=/usr/include/db4 \
>>    --with-pam --enable-static=yes --enable-sample \
>>    --disable-java --disable-otp --disable-krb4 \
>>    --with-plugindir=/opt/mail/cyrus-sasl/lib/sasl2
>>
>> The cyrus-sasl cyrus.conf states:
>> srvtab: /var/imap/srvtab <<< seems I could remove this since  
>> kerberos is disabled above.
>> pwcheck_method: saslauthd
>>
>>
>> saslauthd is started in with pam support:
>> root      2060  0.0  0.0  2564 1036 ?        S    Apr14   0:00 / 
>> usr/sbin/saslauthd -m /var/run/saslauthd -a pam
>>
>> There is /etc/pam.d/imap and pop3 with the following content..
>> #%PAM-1.0
>> auth       required     /lib/security/pam_stack.so service=system- 
>> auth
>> account    required     /lib/security/pam_stack.so service=system- 
>> auth
>>
>> Cyrus-imap was compiled with (again, what is in the notes from the install by the previous admin)
>>
>>  CFLAGS=-I/usr/kerberos/include ./configure --prefix=/opt/mail/ 
>> cyrus-imapd \
>>    --with-cyrus-prefix=/opt/mail/cyrus-imapd \
>>    --with-cyrus-user=cyrimap \
>>    --with-cyrus-group=mail \
>>    --with-bdb-incdir=/usr/include/db4 \
>>    --build=i686-pc-linux-gnu \
>>    --with-sasl=/opt/mail/cyrus-sasl \
>>    --with-auth=unix \
>>    --enable-netscapehack \
>>    --enable-listext \
>>    --with-perl=/opt/third-party/bin/perl \
>>    --disable-murder
>>
>>
>> I can run a testsaslauthd and it works fine to the local host
>>
>> server1.sub1% /usr/sbin/testsaslauthd -u cyrus -p password -R 3
>> 0: OK "Success."
>> 1: OK "Success."
>> 2: OK "Success."
>>
>> It seems I do not need to have a realm defined because we are  
>> using pam.
>> and if I do a sasldbpasswd2 it says /etc/sasldb2 does not exist. This does not seem to be the problem though, since saslauthd is using pam. yes?
>>
>> When I login into cyradm again locally with --auth plain I can do  
>> commands like listmailbox and such. I  can't seem to be able to  
>> run "info" I just go back to the prompt on that one.
>>
>> What should my security flags be? What am I missing?
>>
>> Thank you
>> perry
>>
>>
>>
>>> You need to use TLS as well for PLAIN to work. Add -t "" to your arguments.
>>>
>>>
>>> What mechanism do you want to use for connecting between  
>>> backends? If  its PLAIN then you want
>>> force_sasl_client_mech: PLAIN
>>>
>>> in your imapd.conf file.
>>>
>>> Otherwise, the machines will see GSSAPI advertised and will try  
>>> using  that.
>>>
>>> -Patrick
>>>
>>> On Apr 20, 2006, at 5:19 PM, Perry Brown wrote:
>>>
>>>>>> Perry Brown wrote:
>>>>>>> Thanks for the imtest idea.
>>>>>>>
>>>>>>> It looks like I can log in OK.
>>>>>>>
>>>>>>>
>>>>>>> server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -m login -p  
>>>>>>> imap  server2.sub2.domain.com
>>>>>>
>>>>>> Force imtest to use one of the SASL mechanisms that are listed. The backends *only* use SASL, not protocol specific login commands (IMAP LOGIN, POP3 USER/PASS, NNTP AUTHINFO USER/PASS).
>>>>>>
>>>>>
>>>>> I'm sorry, I've got my dunce cap on today or something.
>>>>>
>>>>> Should I change the -m login to -m and one of the AUTH= values   
>>>>> from the CAPABILITY output?
>>>>> ie  -m GSSAPI? or digest-md5 etc...
>>>>>
>>>>> Andy Morgan wrote:
>>>>> Maybe "-m plain"?
>>>>
>>>> thank you for the suggestion Andy but no luck.
>>>>
>>>> server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -m plain -p imap
>>>> WARNING: no hostname supplied, assuming localhost
>>>>
>>>> S: * OK server1.sub1.domain.com Cyrus IMAP4 v2.2.8 server ready
>>>> C: C01 CAPABILITY
>>>> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-  
>>>> REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT  
>>>> CHILDREN  MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT  
>>>> THREAD=REFERENCES  ANNOTATEMORE IDLE AUTH=GSSAPI AUTH=DIGEST-MD5  
>>>> AUTH=CRAM-MD5 SASL-IR  LISTEXT LIST-SUBSCRIBED X-NETSCAPE
>>>> S: C01 OK Completed
>>>> Please enter your password:
>>>> C: A01 AUTHENTICATE PLAIN Y3lyaW1hcABjeXJpbWFwAGpTdXZTMTFz
>>>> S: A01 NO no mechanism available
>>>> Authentication failed. generic failure
>>>> Security strength factor: 0
>>>>
>>>>
>>>>>
>>>>> I gave this a try with GSSAPI, and got nothing.
>>>>>
>>>>> digest-md5,
>>>>>
>>>>> server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -m digest-md5
>>>>> WARNING: no hostname supplied, assuming localhost
>>>>>
>>>>> S: * OK server1.sub1.domain.com Cyrus IMAP4 v2.2.8 server ready
>>>>> C: C01 CAPABILITY
>>>>> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-  
>>>>> REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT  
>>>>> CHILDREN  MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT  
>>>>> THREAD=REFERENCES  ANNOTATEMORE IDLE AUTH=GSSAPI AUTH=DIGEST- 
>>>>> MD5 AUTH=CRAM-MD5 SASL- IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
>>>>> S: C01 OK Completed
>>>>> C: A01 AUTHENTICATE DIGEST-MD5
>>>>> S:
>>>>> wkrnfjknf (etc list of characters)
>>>>> Please enter your password: (I enter passwd for cyrus)
>>>>> C: dXNlcm5h (another long list of characters)
>>>>> S: A01 NO user not found
>>>>> Authentication failed. generic failure
>>>>> Security strength factor: 128
>>>>>
>>>>>
>>>>> This is what I see in local6.log on server1.sub1
>>>>>
>>>>> Apr 20 11:04:32 server1 imap[17729]: accepted connection
>>>>> Apr 20 11:04:38 server1 imap[17729]: badlogin:   
>>>>> localhost.localdomain [127.0.0.1] DIGEST-MD5 [SASL(-13): user  
>>>>> not  found: no secret in database]
>>>>>
>>>>> This is in the auth.log
>>>>> Apr 20 11:06:26 server1 imap[15971]: unable to open Berkeley  
>>>>> db / etc/sasldb2: No such file or directory
>>>>> Apr 20 11:06:26 server1 imap[15971]: unable to open Berkeley  
>>>>> db / etc/sasldb2: No such file or directory
>>>>> Apr 20 11:06:26 server1 imap[15971]: no secret in database
>>>>>
>>>>>
>>>>>
>>>>> cram-md5 got me pretty much the same thing.
>>>>>
>>>>> Is there a cyrus or sasl command I should/can run to get the  
>>>>> auth  for digest-md5 working?
>>>>>
>>>>>
>>>>> Perry
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>> S: * OK server2.sub2.domain.com Cyrus IMAP4 v2.2.8 server ready
>>>>>>> C: C01 CAPABILITY
>>>>>>> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-  
>>>>>>> REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT   
>>>>>>> CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT   
>>>>>>> THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=GSSAPI AUTH=DIGEST- 
>>>>>>> MD5  AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
>>>>>>> S: C01 OK Completed
>>>>>>> Please enter your password:
>>>>>>> C: L01 LOGIN cyrus {8}
>>>>>>> S: + go ahead
>>>>>>> C: <omitted>
>>>>>>> S: L01 OK User logged in
>>>>>>> Authenticated.
>>>>>>> Security strength factor: 0
>>>>>>> CAPABILITY
>>>>>
>>>>>
>>>>> ----
>>>>> Cyrus Home Page: http://asg.web.cmu.edu/cyrus
>>>>> Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
>>>>> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>>>>
>>>>
>>>
>>
>>
>
>
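A small triage script for the two failure shapes in this thread (the SASL(-4) "security flags do not match" refusal of PLAIN over a cleartext connection, and the SASL(-13) "no secret in database" failure of DIGEST-MD5 against a saslauthd/PAM setup), plus a check of whether a force_sasl_client_mech value is among the AUTH= mechanisms the backend actually advertises. This is an added example, not code from the thread or from Cyrus; the log lines and CAPABILITY text are constructed from the quoted output above, and the regex is an assumption about the badlogin log format shown here.

```python
import re

# Cyrus imapd "badlogin:" log format as it appears in the thread (assumed layout).
BADLOGIN_RE = re.compile(
    r"imap\[(?P<pid>\d+)\]: badlogin:\s+(?P<host>\S+)\s+\[(?P<ip>[\d.]+)\]\s+"
    r"(?P<mech>[A-Z0-9-]+)\s+\[SASL\((?P<code>-?\d+)\):\s*(?P<reason>[^\]]+)\]"
)

# Constructed sample: the two failure shapes and one success seen in the thread.
SAMPLE_LOG = """\
Apr 21 12:56:31 server2 imap[27408]: badlogin: server1.sub1.domain.com [10.12.12.12] PLAIN [SASL(-4): no mechanism available: security flags do not match required]
Apr 20 11:04:38 server1 imap[17729]: badlogin: localhost.localdomain [127.0.0.1] DIGEST-MD5 [SASL(-13): user not found: no secret in database]
Apr 20 17:42:14 server1 imap[1458]: login: server1.sub1.domain.com [10.12.12.12] cyrus plaintext User logged in
"""

# Constructed from the CAPABILITY reply in the thread; note there is no AUTH=PLAIN.
CAPABILITY = ("* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS "
              "NAMESPACE UIDPLUS ID AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR")

def advertised_mechs(capability_line):
    """SASL mechanisms the server offers on this (cleartext) connection."""
    return {tok[5:] for tok in capability_line.split() if tok.startswith("AUTH=")}

def diagnose(line):
    """Parse one badlogin line into fields plus a remediation hint; None if not a badlogin."""
    m = BADLOGIN_RE.search(line)
    if not m:
        return None
    mech, reason = m["mech"], m["reason"]
    if "security flags do not match" in reason:
        why = (mech + " refused on a cleartext connection: the server offers it only under "
               'TLS. Retest with imtest -t "" -m PLAIN ...; fix is a TLS cert on the backend.')
    elif "no secret in database" in reason:
        why = (mech + " needs a shared secret in sasldb2; saslauthd/PAM can only verify "
               "password-forwarding mechanisms such as PLAIN or LOGIN.")
    else:
        why = mech + ": " + reason
    return {"host": m["host"], "ip": m["ip"], "mech": mech,
            "sasl_code": int(m["code"]), "why": why}

def check_forced_mech(forced, capability_line):
    """True if force_sasl_client_mech names a mechanism the peer actually advertises."""
    return bool(set(forced.upper().split()) & advertised_mechs(capability_line))

if __name__ == "__main__":
    for d in filter(None, map(diagnose, SAMPLE_LOG.splitlines())):
        print(f"{d['ip']} {d['mech']} SASL({d['sasl_code']}): {d['why']}")
    print("forced mech advertised over cleartext:", check_forced_mech("LOGIN PLAIN", CAPABILITY))
```

Run it against a real local6/auth log instead of SAMPLE_LOG to see which backend refused which mechanism before touching imapd.conf.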


