Cyrus Murder SASL Authentication Problem

Xue, Chongjie "Jack" xue at marshall.edu
Sat Apr 29 01:56:29 EDT 2006


We are planning to migrate an OpenVMS email server to "Linux" (RHEL4) running Postfix and Cyrus-IMAP. I have set up a single-node Cyrus-IMAP backend and use Postfix to feed email into the server.

The version of Cyrus-IMAP I am using is 2.2.12, distributed in the latest RHEL4 RPM format (from http://www.invoca.ch/).

This week I made adaptations to have a Cyrus-IMAP Murder setup. 

Here are my murder settings:
 
-----------------------------------------
1 cyrus backend server (called mailbox1)
1 mupdate master server 
2 cyrus frontend servers each running Postfix, Cyrus LMTPProxy and Proxyd
-----------------------------------------

I am using saslauthd authentication (with PLAIN mechanism) against Linux PAM modules (nss_ldap and pam_krb5) which then switch over against our Windows Active Directory server. This scheme is working fine under a single Cyrus-IMAP setup to authenticate our users.

The _problem_ I am having _now_ with murder is I cannot make either LMTPProxy or IMAP (Proxyd) services running on my frontends to authenticate through specified proxy_servers to the backend node. 

I can see mupdate is running and updating user mailbox information, I can connect to my backend directly, but I cannot deliver or read email from my frontend nodes. 

Here are the logs on the Cyrus Murder frontend nodes showing the error:

a. IMAP Error
imap[12766]: Doing a peer verify
imap[12766]: verify error:num=18:self signed certificate
imap[12766]: received server certificate
imap[12766]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
imap[12766]: couldn't authenticate to backend server: authentication failure

b. LMTP Error
lmtp[10495]: couldn't authenticate to backend server: no mechanism available
lmtp[10854]: couldn't authenticate to backend server: no mechanism available
postfix/lmtp[10851]: 272CD1D0003: to=<xue at aaaa.marshall.edu>, relay=/var/lib/imap/socket/lmtp[/var/lib/imap/socket/lmtp], delay=10304, status=deferred (host /var/lib/imap/socket/lmtp[/var/lib/imap/socket/lmtp] said: 451 4.4.3 Remote server unavailable (in reply to end of DATA command))
lmtp[10854]: couldn't authenticate to backend server: no mechanism available

Here are the logs on the Backend node when the frontend connects through LMTP and IMAP: 

mailbox1 lmtp[29392]: connection from [10.101.4.251] preauth'd as postman
mailbox1 lmtp[29402]: executed
mailbox1 lmtp[29392]: accepted connection
mailbox1 lmtp[29392]: connection from [10.101.4.251] preauth'd as postman

mailbox1 imap[29381]: accepted connection
mailbox1 imap[29381]: mydelete: starting txn 2147483730
mailbox1 imap[29381]: mydelete: committing txn 2147483730
mailbox1 imap[29381]: mystore: starting txn 2147483731
mailbox1 imap[29381]: mystore: committing txn 2147483731
mailbox1 imap[29381]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
mailbox1 imap[29381]: badlogin: [10.101.4.251] PLAIN [SASL(-13): authentication failure: user cyrus_murder is not allowed to proxy]

Here are my configuration files: 
--------Frontend Configuration------
#---cyrus.conf---#
SERVICES {
  # add or remove based on preferences
 imap          cmd="proxyd" listen="imap" prefork=5
 imaps         cmd="proxyd -s" listen="imaps" prefork=1
 pop3          cmd="pop3d" listen="pop3" prefork=3
 pop3s         cmd="pop3d -s" listen="pop3s" prefork=1
 sieve         cmd="timsieved" listen="sieve" prefork=0
 mupdate       cmd="/usr/lib/cyrus-imapd/mupdate" listen=3905 prefork=1
 lmtpunix      cmd="lmtpproxyd" listen="/var/lib/imap/socket/lmtp" prefork=1

 proto="udp" prefork=1
}

#---imapd.conf---#
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: mailadmin
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
tls_ca_file: /usr/share/ssl/certs/ca-bundle.crt
mupdate_port: 3905
mupdate_server: imapproxy
mupdate_username: admin
mupdate_authname: admin
mupdate_password: xxxxxx
proxy_authname: cyrus_murder
mailbox1_password: xxxxxxx


--------Backend Configuration------
#---cyrus.conf---# 
SERVICES {
  imap          cmd="imapd" listen="imap" prefork=5
  imaps         cmd="imapd -s" listen="imaps" prefork=1
  pop3          cmd="pop3d" listen="pop3" prefork=3
  pop3s         cmd="pop3d -s" listen="pop3s" prefork=1
  sieve         cmd="timsieved" listen="sieve" prefork=1
  lmtp          cmd="lmtpd -a" listen="lmtp" prefork=1
  proto="udp" prefork=1
}

#---imapd.conf---# 
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: admin
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: plain
tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
tls_ca_file: /usr/share/ssl/certs/ca-bundle.crt
altnamespace: false
berkeley_cachesize: 4096
mupdate_server: imapproxy
mupdate_username: admin
mupdate_authname: admin
mupdate_password: xxxxxxxxx
proxy_servers: cyrus_murder   

I know Cyrus-SASL is causing the problem on the Proxy Level and I need suggestions on how to setup SASL-Authentication for my murder Frontend nodes. 

Thanks. 

--------------------------------
Jack C. Xue
Computing Services Systems Group
Marshall University
Drinko Library 423C
1 John Marshall Drive
Huntington, WV 25755-5320
E-mail: xue at marshall.edu
Phone: (304)696-6396 
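
The frontend and backend logs in the post above record failures at different layers (TLS certificate verification, SASL mechanism negotiation, and proxy authorization on the backend). The following is an added example, not part of the original post and not Cyrus project code: a small triage script that sorts such lines by layer. The stage names are labels chosen for this example; the sample lines are copied from the post.

```python
import re

# Log lines copied from the post above (frontend lines first, then backend).
SAMPLE = """\
imap[12766]: verify error:num=18:self signed certificate
imap[12766]: couldn't authenticate to backend server: authentication failure
lmtp[10495]: couldn't authenticate to backend server: no mechanism available
mailbox1 lmtp[29392]: connection from [10.101.4.251] preauth'd as postman
mailbox1 imap[29381]: badlogin: [10.101.4.251] PLAIN [SASL(-13): authentication failure: user cyrus_murder is not allowed to proxy]
"""

# Optional host, then service[pid]: message
PREFIX = re.compile(r"^(?:(?P<host>\S+) )?(?P<svc>[\w/]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# (stage, pattern), most specific first. Stage names are this example's own labels.
RULES = [
    ("authz-proxy", re.compile(r"badlogin: \[(?P<peer>[^\]]+)\] (?P<mech>\S+) "
                               r"\[SASL\((?P<code>-?\d+)\): .*user (?P<user>\S+) is not allowed to proxy\]")),
    ("authn-badlogin", re.compile(r"badlogin: \[(?P<peer>[^\]]+)\] (?P<mech>\S+) \[SASL\((?P<code>-?\d+)\)")),
    ("sasl-no-mech", re.compile(r"couldn't authenticate to backend server: no mechanism available")),
    ("backend-auth-failed", re.compile(r"couldn't authenticate to backend server: (?P<reason>.+)")),
    ("tls-verify", re.compile(r"verify error:num=(?P<code>\d+):(?P<reason>.+)")),
    ("preauth", re.compile(r"connection from \[(?P<peer>[^\]]+)\] preauth'd as (?P<user>\S+)")),
]

def triage(text):
    """Return one dict per recognised line: host, svc, pid, stage, plus captured fields."""
    events = []
    for line in text.splitlines():
        m = PREFIX.match(line.strip())
        if not m:
            continue  # not in "svc[pid]: msg" form
        for stage, rx in RULES:
            hit = rx.search(m["msg"])
            if hit:
                events.append({"host": m["host"], "svc": m["svc"], "pid": int(m["pid"]),
                               "stage": stage, **hit.groupdict()})
                break  # first (most specific) rule wins
    return events

def by_stage(events):
    """Group (svc, pid) pairs under each stage so each layer can be followed up separately."""
    out = {}
    for e in events:
        out.setdefault(e["stage"], []).append((e["svc"], e["pid"]))
    return out

if __name__ == "__main__":
    for stage, procs in by_stage(triage(SAMPLE)).items():
        print(stage, procs)
```
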
