does xfer require murder?
Perry Brown
vbperry at hotmail.com
Tue Apr 25 19:27:07 EDT 2006
I create a cert on both servers per the Install-configure.html and can run
imtest to either host.
From server1 to server2 for example:
/opt/mail/cyrus-imapd/bin/imtest -t "" -m plain -a cyrus -u cyrus -p imap -v
server2.sub2
after much output at the end it lists
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256
I can see in the logs on server2
Apr 25 16:08:28 server2 imap[10683]: starttls: TLSv1 with cipher AES256-SHA
(256/256 bits new) no authentication
Apr 25 16:08:33 server2 imap[10683]: login: server1.sub1.domain.com
[10.248.176.34] cyrus PLAIN+TLS User logged in
So imtest looks good.
I log in to do the xfer and I get the same error from before.
/opt/mail/cyrus-imapd/bin/cyradm --user cyrus --auth plain server1
Password:
IMAP Password:
server1.sub1.domain.com> xfer user.vbperry server2.sub2.domain.com
xfermailbox: Server(s) unavailable to complete operation
I see in the log on the source server that it was authenticated with PLAIN, not PLAIN+TLS
as listed by imtest.
The connection to the remote host also lists PLAIN and not PLAIN+TLS.
Is there a way to force the tls part?
Here is imapd.conf
defaultpartition: imap1
configdirectory: /var/imap
partition-imap1: /var/spool/imap1
admins: cyrus support
srvtab: /var/imap/srvtab
quotawarn: 85
popminpoll: 0
autocreatequota: 30000
sasl_pwcheck_method: saslauthd
lmtp_over_quota_perm_failure: 1
allowusermoves: yes
proxy_authname: cyrus
proxy_password: password
force_sasl_client_mech: plain login
tls_cert_file: /local/imap/server1.sub1.domain.com.pem
tls_key_file: /local/imap/server1.sub1.domain.com.pem
Thank you for any help
Perry
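The mechanism check that explains both errors in this thread (a forced PLAIN over an unencrypted connection giving "security flags do not match required", and CRAM/DIGEST failing with "no secret in database"), written up as an added example; this is not code from the thread or from the Cyrus project. It models the SASL/TLS interaction Patrick describes: PLAIN and LOGIN carry the password in the clear, so a backend without TLS neither advertises nor accepts them. Function names, the fixed PREFERENCE order and the `allowplaintext` parameter (a real imapd.conf option the thread does not use) are assumptions of the model; the sample log lines are taken from the thread with syslog wrapping undone.

```python
"""Model of the SASL mechanism negotiation behind the error
"no mechanism available: security flags do not match required",
plus a classifier for the Cyrus log lines seen in this thread.

Added example for illustration; not Cyrus code.  Function names, the
PREFERENCE order and the SAMPLE_LOG list are constructed for the demo.
"""
import re

# Mechanisms that transmit the password in the clear.  libsasl tags them
# with the "plaintext" security flag; a Cyrus backend with the default
# noplaintext policy neither advertises nor accepts them until a TLS layer
# is up (security strength factor, SSF, greater than 0).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Mechanisms compiled in per the cyrus-sasl configure line in the thread
# (--enable-login --enable-plain --enable-cram --enable-digest) plus GSSAPI,
# which the CAPABILITY output shows.
INSTALLED = {"GSSAPI", "DIGEST-MD5", "CRAM-MD5", "PLAIN", "LOGIN"}

# Assumed client preference, strongest first.  Real libsasl ranks candidates
# by its own security properties; this fixed order only reproduces the
# thread's observation that an unrestricted client goes for GSSAPI.
PREFERENCE = ["GSSAPI", "DIGEST-MD5", "CRAM-MD5", "PLAIN", "LOGIN"]


def parse_capability(capability_line):
    """Return the set of AUTH= mechanisms in an IMAP CAPABILITY response."""
    return {tok.split("=", 1)[1].upper()
            for tok in capability_line.split()
            if tok.upper().startswith("AUTH=")}


def server_offers(installed, ssf, allowplaintext=False):
    """Mechanisms a backend advertises and accepts on a connection with the
    given SSF.  allowplaintext mirrors the imapd.conf option of that name
    (not used in the thread); it lifts the TLS requirement."""
    if ssf > 0 or allowplaintext:
        return set(installed)
    return set(installed) - PLAINTEXT_MECHS


def negotiate(force_sasl_client_mech, offered):
    """Choose the mechanism the proxy (xfer) side would use.

    force_sasl_client_mech: the imapd.conf value (space-separated), or None.
    offered: mechanisms the backend accepts (from parse_capability on a real
             CAPABILITY line, or from server_offers when modelling).
    Returns (mechanism or None, reason).
    """
    candidates = ([m.upper() for m in force_sasl_client_mech.split()]
                  if force_sasl_client_mech else PREFERENCE)
    for mech in candidates:
        if mech in offered:
            return mech, "ok"
    if any(m in PLAINTEXT_MECHS for m in candidates):
        # Every candidate fell to the backend's plaintext policy.
        return None, "no mechanism available: security flags do not match required"
    return None, "no mechanism available"


LOG_RULES = [
    (re.compile(r"badlogin: .*SASL\(-4\): no mechanism available: "
                r"security flags do not match required"),
     "plaintext mechanism on an unencrypted connection: enable STARTTLS on "
     "the backend (tls_cert_file/tls_key_file) so PLAIN runs inside TLS"),
    (re.compile(r"badlogin: .*SASL\(-13\): user not found: no secret in database"),
     "CRAM-MD5/DIGEST-MD5 need a shared secret in sasldb2, which "
     "saslauthd+PAM cannot supply"),
    (re.compile(r"login: .* PLAIN\+TLS User logged in"),
     "PLAIN inside TLS succeeded"),
    (re.compile(r"couldn't authenticate to backend server"),
     "xfer/proxy login to the backend failed; the backend's badlogin line "
     "names the cause"),
]

# Constructed from the thread's log excerpts, with syslog wrapping undone.
SAMPLE_LOG = [
    "Apr 20 17:42:07 server1 imap[1458]: badlogin: server1.sub1.domain.com "
    "[10.12.12.12] PLAIN [SASL(-4): no mechanism available: security flags "
    "do not match required]",
    "Apr 20 11:04:38 server1 imap[17729]: badlogin: localhost.localdomain "
    "[127.0.0.1] DIGEST-MD5 [SASL(-13): user not found: no secret in database]",
    "Apr 20 17:42:55 server1 imap[1458]: couldn't authenticate to backend "
    "server: authentication failure",
    "Apr 25 16:08:33 server2 imap[10683]: login: server1.sub1.domain.com "
    "[10.248.176.34] cyrus PLAIN+TLS User logged in",
]


def classify_log(lines):
    """Return (host, verdict) for every syslog line that matches a rule."""
    findings = []
    for line in lines:
        for pattern, verdict in LOG_RULES:
            if pattern.search(line):
                host = line.split()[3]  # syslog layout: "Mon DD HH:MM:SS host ..."
                findings.append((host, verdict))
                break
    return findings


if __name__ == "__main__":
    no_tls = server_offers(INSTALLED, ssf=0)
    print("advertised without TLS:", sorted(no_tls))
    print("force PLAIN, no TLS   :", negotiate("PLAIN", no_tls))
    print("force PLAIN, TLS      :", negotiate("PLAIN", server_offers(INSTALLED, ssf=256)))
    print("no force, no TLS      :", negotiate(None, no_tls))
    for host, verdict in classify_log(SAMPLE_LOG):
        print(f"{host}: {verdict}")
```

Run as-is, the model reproduces the thread: without TLS the backend offers only GSSAPI, DIGEST-MD5 and CRAM-MD5 (the same AUTH= list as the quoted CAPABILITY output), so `force_sasl_client_mech: PLAIN` has nothing to pick and fails with the security-flags error; with an SSF of 256 from STARTTLS the same setting succeeds. Feeding a real CAPABILITY line to `parse_capability` and the result to `negotiate` lets you check a backend's settings before attempting an xfer.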
>Basically:
>
>Cyrus Imapd uses a SASL mechanism to talk between cyrus machines.
>The SASL mechanism you are using is PLAIN (I don't think LOGIN is a SASL
>mechanism, it's IMAP specific)
>PLAIN requires TLS
>TLS requires certificates.
>You don't have certificates.
>
>if
>imtest -t "" -m PLAIN -a cyrus -u cyrus servername
>
>does not work, then xfer never will.
>
>
>Get a cert! :)
>
>-Patrick
>On Apr 21, 2006, at 4:30 PM, Perry Brown wrote:
>
>>Sorry to keep bugging everyone on this but it seems I am close I'm just
>>overlooking something obvious.
>>
>>I looked through the config on the hosts and we are using pam.
>>
>>
>>I changed the imapd.conf a little
>>defaultpartition: imap1
>>configdirectory: /var/imap
>>partition-imap1: /var/spool/imap1
>>admins: cyrus support
>>srvtab: /var/imap/srvtab
>>quotawarn: 85
>>popminpoll: 0
>>autocreatequota: 30000
>>sasl_pwcheck_method: saslauthd
>>lmtp_over_quota_perm_failure: 1
>>allowusermoves: yes
>>proxy_authname: cyrus
>>proxy_password: password
>>force_sasl_client_mech: LOGIN PLAIN
>>
>>
>>Imtest looks to work Ok with Login
>>
>>server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -p imap -m login
>>WARNING: no hostname supplied, assuming localhost
>>
>>S: * OK server1.sub1.domain.com Cyrus IMAP4 v2.2.8 server ready
>>C: C01 CAPABILITY
>>S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
>>NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
>>BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE
>>AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED
>>X-NETSCAPE
>>S: C01 OK Completed
>>Please enter your password:
>>C: L01 LOGIN cyrus {8}
>>S: + go ahead
>>C: <omitted>
>>S: L01 OK User logged in
>>Authenticated.
>>Security strength factor: 0
>>
>>This works to the localhost as well as to server2.
>>
>>I try the xfer from server1 to server2:
>>
>>server1.sub1% /opt/mail/cyrus-imapd/bin/cyradm --user cyrus --server
>>server1.sub1 --auth login
>>IMAP Password:
>> server1.sub1.domain.com>
>>server1.sub1.domain.com> xfer user.vbperry server2.sub2
>>xfermailbox: Server(s) unavailable to complete operation
>>
>>the log from server2 shows:
>>Apr 21 12:56:31 server2 imap[27408]: badlogin: server1.sub1.domain.com
>>[10.12.12.12] PLAIN [SASL(-4): no mechanism available: security flags do
>>not match required]
>>
>>/etc/sysconfig/saslauthd
>>MECH=pam
>>FLAGS=${FLAGS:=}
>>
>>Is there a doc on the sysconfig/saslauthd flags? I looked through the
>>docs that came with cyrus-imap and cyrus-sasl and did not find anything.
>>
>>From server1 I can log into server2 with imtest, testsaslauthd works OK as
>>well. What security flags do not match? Is there a way to kick up the
>>verbosity of the logging to see if that would give a clue?
>>
>>
>>Perry
>>
>>>
>>>I tried with plain: /opt/mail/cyrus-imapd/bin/imtest -m plain -p imap
>>>
>>>And it got rejected.
>>>
>>>C: A01 AUTHENTICATE PLAIN Y3lyaW1hcABjeXJpbWFwAGpTdXZTMTFz
>>>S: A01 NO no mechanism available
>>>Authentication failed. generic failure
>>>Security strength factor: 0
>>>
>>>
>>>I can not find a tls conf file so I do not think starttls is set up.
>>>
>>>I added the entry mentioned to imapd.conf
>>>$ cat /etc/imapd.conf
>>>defaultpartition: imap1
>>>configdirectory: /var/imap
>>>partition-imap1: /var/spool/imap1
>>>admins: cyrus support
>>>srvtab: /var/imap/srvtab
>>>quotawarn: 85
>>>popminpoll: 0
>>>autocreatequota: 30000
>>>sasl_pwcheck_method: saslauthd
>>>lmtp_over_quota_perm_failure: 1
>>>allowusermoves: yes
>>>proxy_authname: cyrus
>>>proxy_password: password
>>>force_sasl_client_mech: PLAIN
>>>
>>>And it gets things further along than before
>>>
>>>$ sudo /opt/mail/cyrus-imapd/bin/cyradm --user cyrus --server server1
>>>--auth PLAIN
>>>domain.com authorized use only. vbperry at server1 Password:
>>>Password:
>>>IMAP Password:
>>> server1.sub1.domain.com>
>>>server1.sub1.domain.com> xfer user.vbperry server2.sub2.domain.com
>>>xfermailbox: Server(s) unavailable to complete operation
>>>
>>>log on source:
>>>
>>>Apr 20 17:42:05 server1 imap[1458]: accepted connection
>>>Apr 20 17:42:07 server1 imap[1458]: badlogin: server1.ssub1.domain.com
>>>[10.12.12.12] PLAIN [SASL(-4): no mechanism available: security flags do
>>>not match required]
>>>Apr 20 17:42:14 server1 imap[1458]: login: server1.sub1.domain.com
>>>[10.12.12.12] cyrus plaintext User logged in
>>>Apr 20 17:42:41 server1 master[27630]: process 32354 exited, status 0
>>>Apr 20 17:42:41 server1 master[2161]: about to exec /opt/mail/
>>>cyrus-imapd/bin/imapd
>>>Apr 20 17:42:41 server1 imap[2161]: executed
>>>Apr 20 17:42:55 server1 imap[1458]: couldn't authenticate to backend
>>>server: authentication failure
>>>Apr 20 17:42:55 server1 imap[1458]: Could not move mailbox:
>>>user.vbperry, Initial backend connect failed
>>>
>>>
>>>
>>>But I'm now at least seeing something on the destination server:
>>>
>>>Apr 20 17:42:52 server2 imap[24375]: badlogin: server1.sub1.domain.com
>>>[10.12.12.12] PLAIN [SASL(-4): no mechanism available: security flags do
>>>not match required]
>>>
>>>
>>>If I can take a step back (sorry I'm trying to decipher how the previous
>>>admin had things set up in the environment). The document on how this
>>>was set up states.
>>>
>>>
>>>cyrus-sasl was config'ed with
>>>
>>>./configure --prefix=/opt/mail/cyrus-sasl \
>>> --enable-login --enable-plain --enable-cram \
>>> --enable-digest --with-bdb-incdir=/usr/include/db4 \
>>> --with-pam --enable-static=yes --enable-sample \
>>> --disable-java --disable-otp --disable-krb4 \
>>> --with-plugindir=/opt/mail/cyrus-sasl/lib/sasl2
>>>
>>>The cyrus-sasl cyrus.conf states:
>>>srvtab: /var/imap/srvtab <<< seems I could remove this since kerberos is
>>>disabled above.
>>>pwcheck_method: saslauthd
>>>
>>>
>>>saslauthd is started in with pam support:
>>>root 2060 0.0 0.0 2564 1036 ? S Apr14 0:00 /
>>>usr/sbin/saslauthd -m /var/run/saslauthd -a pam
>>>
>>>There is /etc/pam.d/imap and pop3 with the following content..
>>>#%PAM-1.0
>>>auth required /lib/security/pam_stack.so service=system-auth
>>>account required /lib/security/pam_stack.so service=system-auth
>>>
>>>Cyrus-imap was compiled with (again what is in the notes from install
>>>from previous admin)
>>>
>>> CFLAGS=-I/usr/kerberos/include ./configure --prefix=/opt/mail/
>>>cyrus-imapd \
>>> --with-cyrus-prefix=/opt/mail/cyrus-imapd \
>>> --with-cyrus-user=cyrimap \
>>> --with-cyrus-group=mail \
>>> --with-bdb-incdir=/usr/include/db4 \
>>> --build=i686-pc-linux-gnu \
>>> --with-sasl=/opt/mail/cyrus-sasl \
>>> --with-auth=unix \
>>> --enable-netscapehack \
>>> --enable-listext \
>>> --with-perl=/opt/third-party/bin/perl \
>>> --disable-murder
>>>
>>>
>>>I can run a testsaslauthd and it works fine to the local host
>>>
>>>server1.sub1% /usr/sbin/testsaslauthd -u cyrus -p password -R 3
>>>0: OK "Success."
>>>1: OK "Success."
>>>2: OK "Success."
>>>
>>>It seems I do not need to have a realm defined because we are using pam.
>>>and if I do a sasldbpasswd2 it says /etc/sasldb2 does not exist. This does
>>>not seem to be the problem though since saslauthd is using pam. yes?
>>>
>>>When I login into cyradm again locally with --auth plain I can do
>>>commands like listmailbox and such. I can't seem to be able to run
>>>"info" I just go back to the prompt on that one.
>>>
>>>What should my security flags be? What am I missing?
>>>
>>>Thank you
>>>perry
>>>
>>>
>>>
>>>>You need to use tls as well for PLAIN to work. add -t "" to your
>>>>arguments
>>>>
>>>>
>>>>What mechanism do you want to use for connecting between backends? If
>>>>its PLAIN then you want
>>>>force_sasl_client_mech: PLAIN
>>>>
>>>>in your imapd.conf file.
>>>>
>>>>Otherwise, the machines will see GSSAPI advertised and will try using
>>>>that.
>>>>
>>>>-Patrick
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>On Apr 20, 2006, at 5:19 PM, Perry Brown wrote:
>>>>
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>>Perry Brown wrote:
>>>>>>>>Thanks for the imtest idea.
>>>>>>>>
>>>>>>>>It looks like I can log in OK.
>>>>>>>>
>>>>>>>>
>>>>>>>>server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -m login -p imap
>>>>>>>>server2.sub2.domain.com
>>>>>>>
>>>>>>>Force imtest to use one of the SASL mechanisms that are listed.
>>>>>>>The backends *only* use SASL, not protocol specific login commands
>>>>>>>(IMAP LOGIN, POP3 USER/PASS, NNTP AUTHINFO USER/PASS).
>>>>>>>
>>>>>>
>>>>>>I'm sorry I got my dunce cap on today or something.
>>>>>>
>>>>>>Should I change the -m login to -m and one of the AUTH= values from
>>>>>>the CAPABILITY output?
>>>>>>ie -m GSSAPI? or digest-md5 etc...
>>>>>>
>>>>>>Andy Morgan wrote:
>>>>>>Maybe "-m plain"?
>>>>>
>>>>>thank you for the suggestion Andy but no luck.
>>>>>
>>>>>server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -m plain -p imap
>>>>>WARNING: no hostname supplied, assuming localhost
>>>>>
>>>>>S: * OK server1.sub1.domain.com Cyrus IMAP4 v2.2.8 server ready
>>>>>C: C01 CAPABILITY
>>>>>S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
>>>>>NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
>>>>>BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE
>>>>>AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT
>>>>>LIST-SUBSCRIBED X-NETSCAPE
>>>>>S: C01 OK Completed
>>>>>Please enter your password:
>>>>>C: A01 AUTHENTICATE PLAIN Y3lyaW1hcABjeXJpbWFwAGpTdXZTMTFz
>>>>>S: A01 NO no mechanism available
>>>>>Authentication failed. generic failure
>>>>>Security strength factor: 0
>>>>>
>>>>>
>>>>>>
>>>>>>I gave this a try with GSSAPI, and got nothing.
>>>>>>
>>>>>>digest-md5,
>>>>>>
>>>>>>server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -m digest-md5
>>>>>>WARNING: no hostname supplied, assuming localhost
>>>>>>
>>>>>>S: * OK server1.sub1.domain.com Cyrus IMAP4 v2.2.8 server ready
>>>>>>C: C01 CAPABILITY
>>>>>>S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
>>>>>>NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
>>>>>>BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE
>>>>>>IDLE AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT
>>>>>>LIST-SUBSCRIBED X-NETSCAPE
>>>>>>S: C01 OK Completed
>>>>>>C: A01 AUTHENTICATE DIGEST-MD5
>>>>>>S:
>>>>>>wkrnfjknf (etc list of characters)
>>>>>>Please enter your password: (I enter passwd for cyrus)
>>>>>>C: dXNlcm5h (another long list of characters)
>>>>>>S: A01 NO user not found
>>>>>>Authentication failed. generic failure
>>>>>>Security strength factor: 128
>>>>>>
>>>>>>
>>>>>>This is what I see in local6.log on server1.sub1
>>>>>>
>>>>>>Apr 20 11:04:32 server1 imap[17729]: accepted connection
>>>>>>Apr 20 11:04:38 server1 imap[17729]: badlogin: localhost.localdomain
>>>>>>[127.0.0.1] DIGEST-MD5 [SASL(-13): user not found: no secret in
>>>>>>database]
>>>>>>
>>>>>>This is in the auth.log
>>>>>>Apr 20 11:06:26 server1 imap[15971]: unable to open Berkeley db /
>>>>>>etc/sasldb2: No such file or directory
>>>>>>Apr 20 11:06:26 server1 imap[15971]: unable to open Berkeley db /
>>>>>>etc/sasldb2: No such file or directory
>>>>>>Apr 20 11:06:26 server1 imap[15971]: no secret in database
>>>>>>
>>>>>>
>>>>>>
>>>>>>cram-md5 got me pretty much the same thing.
>>>>>>
>>>>>>Is there a cyrus or sasl command I should/can run to get the auth
>>>>>>for digest-md5 working?
>>>>>>
>>>>>>
>>>>>>Perry
>>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>>>S: * OK server2.sub2.domain.com Cyrus IMAP4 v2.2.8 server ready
>>>>>>>>C: C01 CAPABILITY
>>>>>>>>S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-
>>>>>>>>REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN
>>>>>>>>MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES
>>>>>>>>ANNOTATEMORE IDLE AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5
>>>>>>>>SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
>>>>>>>>S: C01 OK Completed
>>>>>>>>Please enter your password:
>>>>>>>>C: L01 LOGIN cyrus {8}
>>>>>>>>S: + go ahead
>>>>>>>>C: <omitted>
>>>>>>>>S: L01 OK User logged in
>>>>>>>>Authenticated.
>>>>>>>>Security strength factor: 0
>>>>>>>>CAPABILITY
>>>>>>
>>>>>>
>>>>>>----
>>>>>>Cyrus Home Page: http://asg.web.cmu.edu/cyrus
>>>>>>Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
>>>>>>List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>>>>>
>>>>>
>>>>
>>>
>>>
>>
>>
>