Make cyradm use plain+tls

Perry Brown vbperry at hotmail.com
Tue May 2 16:19:43 EDT 2006


>
>On May 2, 2006, at 3:24 PM, Perry Brown wrote:
>
>>I log into imtest:
>>
>>/opt/mail/cyrus-imapd/bin/imtest -t "" -p imap -u cyrus -a cyrus -m  plain
>>
>>Run
>>C: XFER user.vbperry server2.sub2.domain.com
>>
>>and get
>>C: NO Server(s) unavailable to complete operation
>>
>>
>>
>>Am I using the right auth mode? Should the imtest connect or xfer command
>>be formatted differently? I looked in the archives and could not locate
>>the thread you mentioned, was that on list?
>
>No, our discussion was off list.
>
>What does syslog say (on both servers)?

We have cyrus logging to local6 so I'll assume that is what you are 
interested in.

On source server:
May  2 13:11:42 server1 imap[5927]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
May  2 13:11:46 server1 imap[5927]: login: localhost.localdomain [127.0.0.1] cyrimap PLAIN+TLS User logged in
May  2 13:12:12 server1 imap[5927]: couldn't authenticate to backend server: generic failure
May  2 13:12:12 server1 imap[5927]: Could not move mailbox: user.vbperry, Initial backend connect failed

On Destination server:
May  2 13:12:12 server2 master[6574]: about to exec /opt/mail/cyrus-imapd/bin/imapd
May  2 13:12:12 server2 imap[6574]: executed



>
>Can you log in with imtest to the 2nd server?

Yes

server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -t "" -p imap -u cyrus -a cyrus -m plain server2.sub2
S: * OK server2.sub2.domain.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
verify error:num=18:self signed certificate
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
Please enter your password:   <<enter passwd for cyrus account
C: A01 AUTHENTICATE PLAIN Y3lyaW1hcABjeXJpbWFwAGpTdXZTMTFz
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256

>
>Do you allow other SASL mechanisms? I think what we tried with Richard may
>have only worked since PLAIN is the only mechanism his 2nd server offered.
>
>What other mechanisms does your secondary server offer? It should be part
>of the CAPABILITY response when imtest logs in.


It's offering
AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5


Should the connect use plain since it is the first available? How can I
disable the other AUTH mechanisms?


Thank you
Perry
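
The check discussed in this thread (which SASL mechanisms the backend advertises, and whether PLAIN and LOGIN appear only once STARTTLS has completed) can be scripted against a saved imtest transcript. The Python below is an added example, not part of the original post or of Cyrus; the function names are hypothetical and the sample transcript is constructed, shortened from the imtest session above with its line wrapping kept.

```python
import re

# Constructed sample: shortened from the imtest session in this post,
# keeping the mail-client wrapping of the CAPABILITY responses.
SAMPLE = """\
S: * OK server2.sub2.domain.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA IDLE STARTTLS
AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR
S: C01 OK Completed
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA IDLE AUTH=PLAIN
AUTH=LOGIN AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR
S: C01 OK Completed
"""

PASSWORD_MECHS = {"PLAIN", "LOGIN"}  # mechanisms that send the password itself

def mechs_by_phase(transcript):
    """Collect AUTH= mechanisms advertised before and after STARTTLS succeeds."""
    phases = {"cleartext": set(), "tls": set()}
    phase, starttls_tag, in_caps = "cleartext", None, False
    for line in transcript.splitlines():
        m = re.match(r"([CS]): (\S+) ?(.*)", line)
        if m:
            side, tag, rest = m.group(1), m.group(2), m.group(3).upper()
            in_caps = side == "S" and tag == "*" and rest.startswith("CAPABILITY")
            if side == "C" and rest.strip() == "STARTTLS":
                starttls_tag = tag            # remember the client's tag
            elif side == "S" and tag == starttls_tag and rest.startswith("OK"):
                phase = "tls"                 # server accepted STARTTLS
        # Unprefixed lines count only as folded continuations of a CAPABILITY
        # response; imtest status lines are skipped because in_caps is False.
        if in_caps:
            phases[phase].update(t[5:].upper() for t in line.split()
                                 if t.upper().startswith("AUTH="))
    return phases

def audit(transcript):
    p = mechs_by_phase(transcript)
    return {
        "cleartext": sorted(p["cleartext"]),
        "tls": sorted(p["tls"]),
        "password_mechs_without_tls": sorted(p["cleartext"] & PASSWORD_MECHS),
        "added_by_tls": sorted(p["tls"] - p["cleartext"]),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```
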



