Authentication problem
Stephen Liu
satimis at yahoo.com
Mon Jun 9 06:07:45 EDT 2008
--- Simon Matter <simon.matter at invoca.ch> wrote:
- snip -
> > cyrus.conf and imapd.conf are as follows. Those lines, commented
> out,
> > have been deleted to shorten the length of this posting.
>
> OK, since you are using saslauthd you should also post the saslauthd
> and
> related configs (PAM or whatever mech you are using).
$ cat /etc/default/saslauthd
#
# Settings for saslauthd daemon
#
# (Pasted from /etc/default/saslauthd; two comment lines below were split by
# mail wrapping and are reproduced exactly as posted.)
# Should saslauthd run automatically on startup? (default: no)
START=yes
# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam -- use PAM
# rimap -- use a remote IMAP server
# shadow -- use the local shadow password file
# sasldb -- use the local sasldb database file
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
# With pam, every password check is delegated to the PAM stack.
# NOTE(review): the PAM service name is chosen by the application calling
# SASL (for Cyrus imapd normally "imap", i.e. /etc/pam.d/imap) -- confirm
# which service file is consulted and what it includes.
MECHANISMS="pam"
# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific
# (the next line is the wrapped tail of the comment above)
options.
MECH_OPTIONS=""
# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5
# Other options (default: -c)
# See the saslauthd man page for information about these options.
#
# Example for postfix users: "-c -m
# (the next line is the wrapped tail of the example above)
/var/spool/postfix/var/run/saslauthd"
# Note: See /usr/share/doc/sasl2-bin/README.Debian
# Flags in use: -c enables the credential cache, -m sets the directory that
# holds the "mux" socket, -r passes the realm together with the login
# (user@realm) to the mechanism.
# NOTE(review): -m places the socket inside the Postfix chroot. A SASL client
# that looks in the default location (e.g. Cyrus imapd) will not reach
# saslauthd unless a symlink exists or the client is given the path
# (imapd.conf sasl_saslauthd_path) -- verify, and check that the account
# running imapd is permitted to reach that directory.
# NOTE(review): with -r and PAM, a login that arrives with a realm is checked
# as user@realm, which must match how the accounts are named -- confirm.
# NOTE(review): cached credentials may still be accepted for a while after a
# password is changed or revoked; see the cache timeout (-t) in the man page.
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
* end *
$ locate pam
/etc/pam.conf
/etc/pam.d
/etc/pam.d/atd
/etc/pam.d/chage
/etc/pam.d/chfn
/etc/pam.d/chsh
/etc/pam.d/common-account
/etc/pam.d/common-auth
/etc/pam.d/common-password
/etc/pam.d/common-session
/etc/pam.d/cron
/etc/pam.d/cupsys
/etc/pam.d/cvs
/etc/pam.d/dovecot
/etc/pam.d/groupadd
/etc/pam.d/groupdel
/etc/pam.d/groupmod
/etc/pam.d/imap
/etc/pam.d/lmtp
/etc/pam.d/login
/etc/pam.d/newusers
/etc/pam.d/other
/etc/pam.d/passwd
/etc/pam.d/pop
/etc/pam.d/ppp
/etc/pam.d/sieve
/etc/pam.d/ssh
/etc/pam.d/su
/etc/pam.d/sudo
/etc/pam.d/useradd
/etc/pam.d/userdel
/etc/pam.d/usermod
/etc/pam.d/vsftpd
....
.....
* end *
$ cat /etc/pam.conf
#
---------------------------------------------------------------------------#
# /etc/pam.conf
#
#
---------------------------------------------------------------------------#
#
# NOTE
# ----
#
# NOTE: Most program use a file under the /etc/pam.d/ directory to
setup their
# PAM service modules. This file is used only if that directory does
not exist.
#
---------------------------------------------------------------------------#
# Format:
# serv. module ctrl module [path] ...[args..]
#
# name type flag
#
* end *
Which other files should I check? Thanks.
B.R.
Stephen
> > $ cat /etc/cyrus.conf
> > # Debian defaults for Cyrus IMAP server/cluster implementation
> > # see cyrus.conf(5) for more information
> > #
> > # All the tcp services are tcpd-wrapped. see hosts_access(5)
> > # $Id: cyrus.conf 120 2005-05-01 03:23:18Z sven $
> >
> > START {
> > # do not delete this entry!
> > recover cmd="/usr/sbin/ctl_cyrusdb -r"
> >
> > # this is only necessary if using idled for IMAP IDLE
> > # this is NOT to be enabled right now in Debian builds
> > #idled cmd="idled"
> >
> > # this is useful on backend nodes of a Murder cluster
> > # it causes the backend to syncronize its mailbox list with
> > # the mupdate master upon startup
> > #mupdatepush cmd="/usr/sbin/ctl_mboxlist -m"
> >
> > # this is recommended if using duplicate delivery
> suppression
> > delprune cmd="/usr/sbin/ctl_deliver -E 3"
> > # this is recommended if caching TLS sessions
> > tlsprune cmd="/usr/sbin/tls_prune"
> > }
> >
> > # UNIX sockets start with a slash and are absolute paths
> > # you can use a maxchild=# to limit the maximum number of forks of
> a
> > service
> > # you can use babysit=true and maxforkrate=# to keep tight tabs on
> the
> > service
> > # most services also accept -U (limit number of reuses) and -T
> > (timeout)
> > SERVICES {
> > # --- Normal cyrus spool, or Murder backends ---
> > # add or remove based on preferences
> > imap cmd="imapd -U 30" listen="imap" prefork=0
> > maxchild=100
> > imaps cmd="imapd -s -U 30" listen="imaps"
> prefork=0
> > maxchild=100
> > #pop3 cmd="pop3d -U 30" listen="pop3" prefork=0
> > maxchild=50
> > #pop3s cmd="pop3d -s -U 30" listen="pop3s"
> prefork=0
> > maxchild=50
> >
> >
> > #nntp cmd="nntpd -U 30" listen="nntp" prefork=0
> > maxchild=100
> > #nntps cmd="nntpd -s -U 30" listen="nntps"
> prefork=0
> > maxchild=100
> >
> > # At least one form of LMTP is required for delivery
> > # (you must keep the Unix socket name in sync with
> imap.conf)
> > #lmtp cmd="lmtpd" listen="localhost:lmtp"
> prefork=0
> > maxchild=20
> > lmtpunix cmd="lmtpd"
> listen="/var/run/cyrus/socket/lmtp"
> > prefork=0 maxchild=20
> > # ----------------------------------------------
> >
> > # useful if you need to give users remote access to sieve
> > # by default, we limit this to localhost in Debian
> > sieve cmd="timsieved" listen="localhost:sieve"
> > prefork=0 maxchild=100
> >
> > # this one is needed for the notification services
> > notify cmd="notifyd"
> > listen="/var/run/cyrus/socket/notify" proto="udp" prefork=1
> >
> > # --- Murder frontends -------------------------
> >
> > - snip -
> >
> >
> > # ----------------------------------------------
> > }
> >
> > EVENTS {
> > # this is required
> > checkpoint cmd="/usr/sbin/ctl_cyrusdb -c" period=30
> >
> > # this is only necessary if using duplicate delivery
> > suppression
> >
> >
> > delprune cmd="/usr/sbin/ctl_deliver -E 3" at=0401
> >
> > # this is only necessary if caching TLS sessions
> > tlsprune cmd="/usr/sbin/tls_prune" at=0401
> > }
> >
> > admins: cyrus
> > unixhierarchysep: 1
> > * end *
> >
> >
> >
> > $ cat /etc/imapd.conf
> > # Debian Cyrus imapd.conf
> > # $Id: imapd.conf 229 2005-12-08 23:26:29Z astronut $
> > # See imapd.conf(5) for more information and more options
> >
> > # Configuration directory
> > configdirectory: /var/lib/cyrus
> >
> > # Which partition to use for default mailboxes
> > defaultpartition: default
> > partition-default: /var/spool/cyrus/mail
> >
> > # News setup
> > partition-news: /var/spool/cyrus/news
> > newsspool: /var/spool/news
> >
> > # Alternate namespace
> > # If enabled, activate the alternate namespace as documented in
> > # /usr/share/doc/cyrus-doc-2.2/html/altnamespace.html, where an
> user's
> > # subfolders are in the same level as the INBOX
> > # See also userprefix and sharedprefix on imapd.conf(5)
> > altnamespace: no
> >
> > # UNIX Hierarchy Convention
> > # Set to yes, and cyrus will accept dots in names, and use the
> forward
> > # slash "/" to delimit levels of the hierarchy. This is done by
> > converting
> > # internally all dots to "^", and all "/" to dots. So the
> > "rabbit.holes"
> > # mailbox of user "helmer.fudd" is stored in
> > "user.elmer^fud.rabbit^holes"
> > unixhierarchysep: yes
> >
> >
> > - snip -
> >
> >
> > # Uncomment the following and add the space-separated users who
> > # have admin rights for all services.
> > admins: cyrus
> >
> >
> > - snip -
> >
> >
> > # No anonymous logins
> > #allowanonymouslogin: no
> > allowanonymouslogin: yes
> >
> > # Minimum time between POP mail fetches in minutes
> > popminpoll: 1
> >
> > # If nonzero, normal users may create their own IMAP accounts by
> > creating
> > # the mailbox INBOX. The user's quota is set to the value if it is
> > positive,
> > # otherwise the user has unlimited quota.
> > autocreatequota: 0
> >
> > # umask used by Cyrus programs
> > umask: 077
> >
> > - snip -
> >
> > # If enabled, cyrdeliver will look for Sieve scripts in user's home
> > # directories: ~user/.sieve.
> > sieveusehomedir: false
> >
> > # If sieveusehomedir is false, this directory is searched for Sieve
> > scripts.
> > sievedir: /var/spool/sieve
> >
> >
> > - snip -
> >
> >
> > # If enabled, the partitions will also be hashed, in addition to
> the
> > hashing
> > # done on configuration directories. This is recommended if one
> > partition has a
> > # very bushy mailbox tree.
> > hashimapspool: true
> >
> > # Allow plaintext logins by default (SASL PLAIN)
> > allowplaintext: yes
> >
> > # Force PLAIN/LOGIN authentication only
> > # (you need to uncomment this if you are not using an auxprop-based
> > SASL
> > # mechanism. saslauthd users, that means you!). And pay attention
> to
> > # sasl_minimum_layer and allowapop below, too.
> > #sasl_mech_list: PLAIN
> >
> >
> > - snip -
> >
> >
> > # Do note that, since sasl will be run as user cyrus, you may have
> a
> > lot of
> > # trouble to set this up right.
> > #sasl_pwcheck_method: auxprop
> > sasl_pwcheck_method: saslauthd
> >
> > # What auxpropd plugins to load, if using sasl_pwcheck_method:
> auxprop
> > # by default, all plugins are tried (which is probably NOT what you
> > want).
> > #sasl_auxprop_plugin: sasldb
> >
> > # If enabled, the SASL library will automatically create
> authentication
> > secrets
> > # when given a plaintext password. Refer to SASL documentation
> > sasl_auto_transition: no
> >
> > #
> > # SSL/TLS Options
> > #
> >
> > - snip -
> >
> >
> > # File containing one or more Certificate Authority (CA)
> certificates.
> > #tls_ca_file: /etc/ssl/certs/cyrus-imapd-ca.pem
> >
> > # Path to directory with certificates of CAs.
> > tls_ca_path: /etc/ssl/certs
> >
> > # The length of time (in minutes) that a TLS session will be cached
> for
> > later
> > # reuse. The maximum value is 1440 (24 hours), the default. A
> value
> > of 0 will
> > # disable session caching.
> > tls_session_timeout: 1440
> >
> > # The list of SSL/TLS ciphers to allow, in decreasing order of
> > precedence.
> > # The format of the string is described in ciphers(1). The Debian
> > default
> > # selects TLSv1 high-security ciphers only, and removes all
> anonymous
> > ciphers
> > # from the list (because they provide no defense against
> > man-in-the-middle
> > # attacks). It also orders the list so that stronger ciphers come
> > first.
> > tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
> >
> >
> > - snip -
> >
> >
> > ## KEEP THESE IN SYNC WITH cyrus.conf
> > ##
> > # Unix domain socket that lmtpd listens on.
> > lmtpsocket: /var/run/cyrus/socket/lmtp
> >
> > # Unix domain socket that idled listens on.
> > idlesocket: /var/run/cyrus/socket/idle
> >
> > # Unix domain socket that the new mail notification daemon listens
> on.
> > notifysocket: /var/run/cyrus/socket/notify
> >
> > # Syslog prefix. Defaults to cyrus (so logging is done as
> cyrus/imap
> > etc.)
> > syslog_prefix: cyrus
> >
> >
> > - snip -
> > * end *
> >
> >
> > B.R.
> > Stephen L