Make cyradm use plain+tls

Patrick Radtke phr2101 at columbia.edu
Tue May 2 16:35:58 EDT 2006


On May 2, 2006, at 4:19 PM, Perry Brown wrote:

>
>>
>> On May 2, 2006, at 3:24 PM, Perry Brown wrote:
>>
>>> I log into imtest:
>>>
>>> /opt/mail/cyrus-imapd/bin/imtest -t "" -p imap -u cyrus -a cyrus -m plain
>>>
>>> Run
>>> C: XFER user.vbperry server2.sub2.domain.com
>>>
>>> and get
>>> C: NO Server(s) unavailable to complete operation
>>>
>>>
>>>
>>> Am I using the right auth mode? Should the imtest connect or
>>> xfer command be formatted differently? I'm looking in the archives
>>> and could not locate the thread you mentioned, was that on list?
>>
>> No, our discussion was off list.
>>
>> What does syslog say (on both servers)?
>
> We have cyrus logging to local6 so I'll assume that is what you are interested in.
>
> On source server:
> May  2 13:11:42 server1 imap[5927]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
> May  2 13:11:46 server1 imap[5927]: login: localhost.localdomain [127.0.0.1] cyrimap PLAIN+TLS User logged in
> May  2 13:12:12 server1 imap[5927]: couldn't authenticate to backend server: generic failure
> May  2 13:12:12 server1 imap[5927]: Could not move mailbox: user.vbperry, Initial backend connect failed
>
> On Destination server:
> May  2 13:12:12 server2 master[6574]: about to exec /opt/mail/cyrus-imapd/bin/imapd
> May  2 13:12:12 server2 imap[6574]: executed
>
>
>
>>
>> Can you log in with imtest to the 2nd server?
>
> Yes
>
> server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -t "" -p imap -u cyrus -a cyrus -m plain server2.sub2
> S: * OK server2.sub2.domain.com Cyrus IMAP4 v2.2.8 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
> S: C01 OK Completed
> C: S01 STARTTLS
> S: S01 OK Begin TLS negotiation now
> verify error:num=18:self signed certificate
> TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
> S: C01 OK Completed
> Please enter your password:   <<enter passwd for cyrus account
> C: A01 AUTHENTICATE PLAIN Y3lyaW1hcABjeXJpbWFwAGpTdXZTMTFz
> S: A01 OK Success (tls protection)
> Authenticated.
> Security strength factor: 256
>
>>
>> Do you allow other SASL mechanisms? I think what we tried with
>> Richard may have only worked since PLAIN is the only mechanism
>> his 2nd server offered.
>>
>> What other mechanism does your secondary server offer? It should
>> be part of the CAPABILITY response when imtest logs in.
>
>
> It's offering
> AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5
>
>
> Should the connect use plain since it is the first available? How
> can I disable the other AUTH mechanisms?

It's not the first available though. If you look at the first
capability call, PLAIN isn't offered. It only gets seen after
STARTTLS, when CAPABILITY is called again.
To remove the other Auth mechanisms (I'm assuming you don't use them),

put
sasl_mech_list: PLAIN

in your imapd.conf file on the second machine.

-Patrick
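As an added illustration (not part of this thread or of Cyrus itself), the check below parses an imtest transcript like the one quoted above and reports which SASL mechanisms the server advertises before and after STARTTLS, which is exactly the distinction Patrick points out; the transcript is constructed to mirror the session above, and the `sasl_mech_list` simulation is an assumption about what restricting the mechanism list would leave.

```python
import re

# Constructed transcript modelled on the imtest session quoted above.
# The AUTHENTICATE exchange is intentionally omitted; only CAPABILITY
# and STARTTLS lines matter for this check.
SAMPLE_TRANSCRIPT = """\
S: * OK server2.sub2.domain.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ STARTTLS AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR
S: C01 OK Completed
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR
S: C01 OK Completed
"""

# Mechanisms that carry the password in the clear unless TLS wraps the session.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def auth_mechs_by_tls_state(transcript):
    """Return {'pre_tls': [...], 'post_tls': [...]}: the AUTH= mechanisms
    listed in the last CAPABILITY response seen before and after STARTTLS."""
    state = "pre_tls"
    mechs = {"pre_tls": [], "post_tls": []}
    for line in transcript.splitlines():
        if line.startswith("TLS connection established"):
            state = "post_tls"
        elif line.startswith("S: * CAPABILITY"):
            mechs[state] = re.findall(r"\bAUTH=([A-Z0-9-]+)", line)
    return mechs


def cleartext_mechs_before_tls(transcript):
    """Cleartext mechanisms advertised before STARTTLS; a server that
    (like the one above) withholds PLAIN until TLS is up returns []."""
    pre = set(auth_mechs_by_tls_state(transcript)["pre_tls"])
    return sorted(CLEARTEXT_MECHS & pre)


def mechs_after_sasl_mech_list(transcript, allowed=("PLAIN",)):
    """Assumed effect of 'sasl_mech_list: PLAIN' in imapd.conf: only the
    listed mechanisms survive in the post-TLS CAPABILITY response."""
    post = auth_mechs_by_tls_state(transcript)["post_tls"]
    return [m for m in post if m in allowed]


if __name__ == "__main__":
    print(auth_mechs_by_tls_state(SAMPLE_TRANSCRIPT))
    print("cleartext before TLS:", cleartext_mechs_before_tls(SAMPLE_TRANSCRIPT))
    print("with sasl_mech_list PLAIN:", mechs_after_sasl_mech_list(SAMPLE_TRANSCRIPT))
```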
