sieve with tls sasl mech list empty
Andreas Winkelmann
ml at awinkelmann.de
Tue Sep 12 07:49:22 EDT 2006
On Tuesday 12 September 2006 12:03, Rudy Gevaert wrote:
> >sasl_minimum_layer: 1
> >
> >in imapd.conf.
>
> having put:
> allowplaintext: 0
> sasl_minimum_layer: 1
> sasl_mech_list: PLAIN
>
> still gives me that error.
>
> allowplaintext: 1
> sasl_minimum_layer: 1
> sasl_mech_list: PLAIN
>
> gives it to me too :(
>
>
> I did some test with sivtest and managesieve (output is shown below).
> Summary:
>
> sivtest:
>                                         no tls       tls
> plaintext:1, no sasl_minimum_layer      login ok     login ok
> plaintext:1, sasl_minimum_layer :1      login nok    login ok
> plaintext:0, no sasl_minimum_layer      login nok    login ok
> plaintext:0, sasl_minimum_layer :1      login nok    login ok
>
> I did my test with a script (see below) that calls managesieve too:
>
> plaintext:1, no sasl_minimum_layer      no errors *
> plaintext:1, sasl_minimum_layer :1      sasl mech list empty
> plaintext:0, no sasl_minimum_layer      sasl mech list empty
> plaintext:0, sasl_minimum_layer :1      sasl mech list empty
>
> (*) How do I know it actually uses tls? I used tcpdump -A port 2000
> and can see this passing by:
> AUTHENTICATE "PLAIN" {88+}. So this is using tls, otherwise I should
> see the password?
No, the first and only command of the client that you would see is STARTTLS.
This will establish a secure/encrypted session. From this moment on, you will
not see any readable data with tcpdump.
The data behind the AUTHENTICATE PLAIN is not really encrypted. It is only
base64 encoded. You can decode this at any time with, for example, mimetools.
Because you see this AUTHENTICATE PLAIN, this is a sign that the TLS session is
not established.
allowplaintext: 0 disables plaintext authentication completely. This is
something you don't want.
sasl_minimum_layer only offers authentication support on the given layer. 0
means every time. 1 and above would mean an encrypted SSL/TLS session. This is
what you want.
> Thanks in advance!
>
> ------------
>
> allowplaintext: 1
> #sasl_minimum_layer: 1
> ----------------------------------
> allowplaintext: 1
> sasl_minimum_layer: 1
>
> mailadm at chestnut:/tmp$ sivtest -a rudy.gevaert2 at mail.ugent.be -u
> rudy.gevaert2 at mail.ugent.be mail2.ugent.be
> S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7"
> S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation
> imapflags notify envelope relational regex subaddress copy"
> S: "STARTTLS"
> S: OK
> Authentication failed. generic failure
> Security strength factor: 0
Fine, no SSL/TLS session, no authentication.
> mailadm at chestnut:/tmp$ sivtest -t "" -a rudy.gevaert2 at mail.ugent.be -u
> rudy.gevaert2 at mail.ugent.be mail2.ugent.be
> S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7"
> S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation
> imapflags notify envelope relational regex subaddress copy"
> S: "STARTTLS"
> S: OK
The server offers no authentication support, only STARTTLS. That's fine.
> C: STARTTLS
> S: OK "Begin TLS negotiation now"
> verify error:num=20:unable to get local issuer certificate
> verify error:num=27:certificate not trusted
> verify error:num=21:unable to verify the first certificate
> TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
The client establishes an SSL/TLS session.
> C: CAPABILITY
> S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7"
> S: "SASL" "PLAIN"
And then you can see the SASL capabilities.
> S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation
> imapflags notify envelope relational regex subaddress copy"
> S: OK
> Please enter your password:
> C: AUTHENTICATE "PLAIN" {88+}
> cnVkeS5nZXZhZXJ0MkBtYWlsLnVnZW50LmJlAHJ1ZHkuZ2V2YWVydDJAbWFpbC51Z2VudC5iZQB0ZXN0dXNlcjE=
> S: OK
> Authenticated.
> Security strength factor: 256
Authentication complete, the server waits for commands.
Looks fine, as expected.
> managesieve: not ok!
What does that mean?
> ---------------
> my perl script:
>
> #!/usr/bin/perl -w
>
> use strict;
> use Cyrus::SIEVE::managesieve;
> use Data::Dumper;
>
> # Server and credentials (password redacted in the post).
> my ($server, $username, $password) = ("mail2.ugent.be",
>                                       'rudy.gevaert2@mail.ugent.be', "xxxx");
>
> # Callbacks: username, authname, password, realm (empty).
> my $handle = sieve_get_handle($server,
>                               sub { $username },
>                               sub { $username },
>                               sub { $password },
>                               sub { "" });
>
> unless (defined $handle) {
>     die "$server: ", sieve_get_global_error();
> }
>
> # Collect script names and their active flag.
> my %list = ();
> my $res = sieve_list($handle, sub { $list{$_[0]} = $_[1] });
> die("script_list: ", sieve_get_error($handle))
>     unless $res == 0;
> print Dumper \%list;
>
> --------------------------------------
Oh, you mean your script does not work, with "managesieve not ok"?
Hmm, it seems that the Perl interface/lib does not support TLS/SSL. Then it will
fail with "sasl_minimum_layer: 1", of course.
I don't know if this is on the TODO list. Maybe one of the developers can
say something about that.
--
Andreas
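An added example, not from this thread or from Cyrus, in Python rather than the poster's Perl: it mirrors what the sivtest transcript above shows. With sasl_minimum_layer: 1 the server's capability response lists no SASL mechanism until STARTTLS has run (so a client that cannot do TLS sees an empty mechanism list), and the AUTHENTICATE "PLAIN" literal sent afterwards is base64, not encryption. The capability lines and credentials below are constructed samples.

```python
import base64
import shlex

# Constructed capability responses (not the thread's own session) for a
# Cyrus timsieved with sasl_minimum_layer: 1, before and after STARTTLS.
CAPS_BEFORE_TLS = [
    '"IMPLEMENTATION" "Cyrus timsieved v2.3.7"',
    '"STARTTLS"',
    'OK',
]
CAPS_AFTER_TLS = [
    '"IMPLEMENTATION" "Cyrus timsieved v2.3.7"',
    '"SASL" "PLAIN"',
    '"SIEVE" "comparator-i;ascii-numeric fileinto reject vacation"',
    'OK',
]

def parse_capabilities(lines):
    """Map each capability name to its value; "SASL" becomes a mechanism list."""
    caps = {}
    for line in lines:
        if line == "OK":            # end of the capability response
            break
        parts = shlex.split(line)   # honours the quoted strings
        value = parts[1] if len(parts) > 1 else None
        caps[parts[0]] = value.split() if parts[0] == "SASL" else value
    return caps

def can_authenticate(caps, tls_established):
    """Client decision: no mechanism -> 'sasl mech list empty'; PLAIN needs TLS."""
    mechs = caps.get("SASL", [])
    if not mechs:
        return False, "sasl mech list empty"
    if "PLAIN" in mechs and not tls_established:
        return False, "PLAIN offered without TLS"
    return True, mechs[0]

def encode_plain(authzid, authcid, password):
    """SASL PLAIN initial response: authzid NUL authcid NUL password, base64."""
    return base64.b64encode(f"{authzid}\0{authcid}\0{password}".encode()).decode()

def decode_plain(blob):
    """Base64 is reversible by anyone who captures it; only TLS hides it."""
    authzid, authcid, password = base64.b64decode(blob).decode().split("\0")
    return {"authzid": authzid, "authcid": authcid, "password": password}

def authenticate_line(blob):
    """The literal form seen on the wire: AUTHENTICATE "PLAIN" {<len>+}."""
    return f'AUTHENTICATE "PLAIN" {{{len(blob)}+}}'
```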