Authentication problem

Simon Matter simon.matter at invoca.ch
Mon Jun 9 07:06:46 EDT 2008


>
> --- Simon Matter <simon.matter at invoca.ch> wrote:
>
> - snip -
>
>
>> > cyrus.conf and imapd.conf are as follows.  Those lines, commented out,
>> > have been deleted to shorten the length of this posting.
>>
>> OK, since you are using saslauthd you should also post the saslauthd and
>> related configs (PAM or whatever mech you are using).
>
>
> $ cat /etc/default/saslauthd
> #
> # Settings for saslauthd daemon
> #
>
> # Should saslauthd run automatically on startup? (default: no)
> START=yes
>
> # Which authentication mechanisms should saslauthd use? (default: pam)
> #
> # Available options in this Debian package:
> # getpwent  -- use the getpwent() library function
> # kerberos5 -- use Kerberos 5
> # pam       -- use PAM
> # rimap     -- use a remote IMAP server
> # shadow    -- use the local shadow password file
> # sasldb    -- use the local sasldb database file
> # ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
> #
> # Only one option may be used at a time. See the saslauthd man page
> # for more information.
> #
> # Example: MECHANISMS="pam"
> MECHANISMS="pam"
>
> # Additional options for this mechanism. (default: none)
> # See the saslauthd man page for information about mech-specific
> options.
> MECH_OPTIONS=""
>
> # How many saslauthd processes should we run? (default: 5)
> # A value of 0 will fork a new process for each connection.
> THREADS=5
>
> # Other options (default: -c)
> # See the saslauthd man page for information about these options.
> #
> # Example for postfix users: "-c -m
> /var/spool/postfix/var/run/saslauthd"
> # Note: See /usr/share/doc/sasl2-bin/README.Debian
> OPTIONS="-c  -m /var/spool/postfix/var/run/saslauthd -r"
> * end *
>
>
> $ locate pam
> /etc/pam.conf
> /etc/pam.d
> /etc/pam.d/atd
> /etc/pam.d/chage
> /etc/pam.d/chfn
> /etc/pam.d/chsh
> /etc/pam.d/common-account
> /etc/pam.d/common-auth
> /etc/pam.d/common-password
> /etc/pam.d/common-session
> /etc/pam.d/cron
> /etc/pam.d/cupsys
> /etc/pam.d/cvs
> /etc/pam.d/dovecot
> /etc/pam.d/groupadd
> /etc/pam.d/groupdel
> /etc/pam.d/groupmod
> /etc/pam.d/imap
> /etc/pam.d/lmtp
> /etc/pam.d/login
> /etc/pam.d/newusers
> /etc/pam.d/other
> /etc/pam.d/passwd
> /etc/pam.d/pop
> /etc/pam.d/ppp
> /etc/pam.d/sieve
> /etc/pam.d/ssh
> /etc/pam.d/su
> /etc/pam.d/sudo
> /etc/pam.d/useradd
> /etc/pam.d/userdel
> /etc/pam.d/usermod
> /etc/pam.d/vsftpd

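For example, /etc/pam.d/imap, /etc/pam.d/lmtp, /etc/pam.d/pop and
/etc/pam.d/sieve. How are they configured? With MECHANISMS="pam",
saslauthd hands each login to the PAM service named after the protocol,
so these files decide whether the password is accepted.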

There is one more thing. You tried 'imtest -m login -p imap localhost' as
root, which means that by default it tries to authenticate as user root.
Maybe you want to try

imtest -m login -p imap -u satimiscyrus localhost

Simon

> ....
> .....
> * end *
>
>
> $ cat /etc/pam.conf
> #
> ---------------------------------------------------------------------------#
> # /etc/pam.conf
>      #
> #
> ---------------------------------------------------------------------------#
> #
> # NOTE
> # ----
> #
> # NOTE: Most program use a file under the /etc/pam.d/ directory to
> setup their
> # PAM service modules. This file is used only if that directory does
> not exist.
> #
> ---------------------------------------------------------------------------#
>
> # Format:
> # serv. module     ctrl       module [path]     ...[args..]
>      #
> # name  type       flag
>      #
>  * end *
>
>
> What other file/files I have to check ?  Thanks.
>
>
>
> B.R.
> Stephen
>
>
>
>
>
>
>
>> > $ cat /etc/cyrus.conf
>> > # Debian defaults for Cyrus IMAP server/cluster implementation
>> > # see cyrus.conf(5) for more information
>> > #
>> > # All the tcp services are tcpd-wrapped. see hosts_access(5)
>> > # $Id: cyrus.conf 120 2005-05-01 03:23:18Z sven $
>> >
>> > START {
>> >         # do not delete this entry!
>> >         recover         cmd="/usr/sbin/ctl_cyrusdb -r"
>> >
>> >         # this is only necessary if using idled for IMAP IDLE
>> >         # this is NOT to be enabled right now in Debian builds
>> >         #idled          cmd="idled"
>> >
>> >         # this is useful on backend nodes of a Murder cluster
>> >         # it causes the backend to syncronize its mailbox list with
>> >         # the mupdate master upon startup
>> >         #mupdatepush   cmd="/usr/sbin/ctl_mboxlist -m"
>> >
>> >         # this is recommended if using duplicate delivery
>> suppression
>> >         delprune        cmd="/usr/sbin/ctl_deliver -E 3"
>> >         # this is recommended if caching TLS sessions
>> >         tlsprune        cmd="/usr/sbin/tls_prune"
>> > }
>> >
>> > # UNIX sockets start with a slash and are absolute paths
>> > # you can use a maxchild=# to limit the maximum number of forks of
>> a
>> > service
>> > # you can use babysit=true and maxforkrate=# to keep tight tabs on
>> the
>> > service
>> > # most services also accept -U (limit number of reuses) and -T
>> > (timeout)
>> > SERVICES {
>> >         # --- Normal cyrus spool, or Murder backends ---
>> >         # add or remove based on preferences
>> >         imap            cmd="imapd -U 30" listen="imap" prefork=0
>> > maxchild=100
>> >         imaps           cmd="imapd -s -U 30" listen="imaps"
>> prefork=0
>> > maxchild=100
>> >         #pop3           cmd="pop3d -U 30" listen="pop3" prefork=0
>> > maxchild=50
>> >         #pop3s          cmd="pop3d -s -U 30" listen="pop3s"
>> prefork=0
>> > maxchild=50
>> >
>> >
>> >         #nntp           cmd="nntpd -U 30" listen="nntp" prefork=0
>> > maxchild=100
>> >         #nntps          cmd="nntpd -s -U 30" listen="nntps"
>> prefork=0
>> > maxchild=100
>> >
>> >         # At least one form of LMTP is required for delivery
>> >         # (you must keep the Unix socket name in sync with
>> imap.conf)
>> >         #lmtp           cmd="lmtpd" listen="localhost:lmtp"
>> prefork=0
>> > maxchild=20
>> >         lmtpunix        cmd="lmtpd"
>> listen="/var/run/cyrus/socket/lmtp"
>> > prefork=0 maxchild=20
>> >         # ----------------------------------------------
>> >
>> >         # useful if you need to give users remote access to sieve
>> >         # by default, we limit this to localhost in Debian
>> >         sieve           cmd="timsieved" listen="localhost:sieve"
>> > prefork=0 maxchild=100
>> >
>> >         # this one is needed for the notification services
>> >         notify          cmd="notifyd"
>> > listen="/var/run/cyrus/socket/notify" proto="udp" prefork=1
>> >
>> >         # --- Murder frontends -------------------------
>> >
>> > - snip -
>> >
>> >
>> >         # ----------------------------------------------
>> > }
>> >
>> > EVENTS {
>> >         # this is required
>> >         checkpoint      cmd="/usr/sbin/ctl_cyrusdb -c" period=30
>> >
>> >         # this is only necessary if using duplicate delivery
>> > suppression
>> >
>> >
>> >         delprune        cmd="/usr/sbin/ctl_deliver -E 3" at=0401
>> >
>> >         # this is only necessary if caching TLS sessions
>> >         tlsprune        cmd="/usr/sbin/tls_prune" at=0401
>> > }
>> >
>> > admins: cyrus
>> > unixhierarchysep: 1
>> > * end *
>> >
>> >
>> >
>> > $ cat /etc/imapd.conf
>> > # Debian Cyrus imapd.conf
>> > # $Id: imapd.conf 229 2005-12-08 23:26:29Z astronut $
>> > # See imapd.conf(5) for more information and more options
>> >
>> > # Configuration directory
>> > configdirectory: /var/lib/cyrus
>> >
>> > # Which partition to use for default mailboxes
>> > defaultpartition: default
>> > partition-default: /var/spool/cyrus/mail
>> >
>> > # News setup
>> > partition-news: /var/spool/cyrus/news
>> > newsspool: /var/spool/news
>> >
>> > # Alternate namespace
>> > # If enabled, activate the alternate namespace as documented in
>> > # /usr/share/doc/cyrus-doc-2.2/html/altnamespace.html, where an
>> user's
>> > # subfolders are in the same level as the INBOX
>> > # See also userprefix and sharedprefix on imapd.conf(5)
>> > altnamespace: no
>> >
>> > # UNIX Hierarchy Convention
>> > # Set to yes, and cyrus will accept dots in names, and use the
>> forward
>> > # slash "/" to delimit levels of the hierarchy. This is done by
>> > converting
>> > # internally all dots to "^", and all "/" to dots. So the
>> > "rabbit.holes"
>> > # mailbox of user "helmer.fudd" is stored in
>> > "user.elmer^fud.rabbit^holes"
>> > unixhierarchysep: yes
>> >
>> >
>> > - snip -
>> >
>> >
>> > # Uncomment the following and add the space-separated users who
>> > # have admin rights for all services.
>> > admins: cyrus
>> >
>> >
>> > - snip -
>> >
>> >
>> > # No anonymous logins
>> > #allowanonymouslogin: no
>> > allowanonymouslogin: yes
>> >
>> > # Minimum time between POP mail fetches in minutes
>> > popminpoll: 1
>> >
>> > # If nonzero, normal users may create their own IMAP accounts by
>> > creating
>> > # the mailbox INBOX.  The user's quota is set to the value if it is
>> > positive,
>> > # otherwise the user has unlimited quota.
>> > autocreatequota: 0
>> >
>> > # umask used by Cyrus programs
>> > umask: 077
>> >
>> > - snip -
>> >
>> > # If enabled, cyrdeliver will look for Sieve scripts in user's home
>> > # directories: ~user/.sieve.
>> > sieveusehomedir: false
>> >
>> > # If sieveusehomedir is false, this directory is searched for Sieve
>> > scripts.
>> > sievedir: /var/spool/sieve
>> >
>> >
>> > - snip -
>> >
>> >
>> > # If enabled, the partitions will also be hashed, in addition to
>> the
>> > hashing
>> > # done on configuration directories. This is recommended if one
>> > partition has a
>> > # very bushy mailbox tree.
>> > hashimapspool: true
>> >
>> > # Allow plaintext logins by default (SASL PLAIN)
>> > allowplaintext: yes
>> >
>> > # Force PLAIN/LOGIN authentication only
>> > # (you need to uncomment this if you are not using an auxprop-based
>> > SASL
>> > # mechanism.  saslauthd users, that means you!). And pay attention
>> to
>> > # sasl_minimum_layer and allowapop below, too.
>> > #sasl_mech_list: PLAIN
>> >
>> >
>> > - snip -
>> >
>> >
>> > # Do note that, since sasl will be run as user cyrus, you may have
>> a
>> > lot of
>> > # trouble to set this up right.
>> > #sasl_pwcheck_method: auxprop
>> > sasl_pwcheck_method: saslauthd
>> >
>> > # What auxpropd plugins to load, if using sasl_pwcheck_method:
>> auxprop
>> > # by default, all plugins are tried (which is probably NOT what you
>> > want).
>> > #sasl_auxprop_plugin: sasldb
>> >
>> > # If enabled, the SASL library will automatically create
>> authentication
>> > secrets
>> > # when given a plaintext password. Refer to SASL documentation
>> > sasl_auto_transition: no
>> >
>> > #
>> > # SSL/TLS Options
>> > #
>> >
>> > - snip -
>> >
>> >
>> > # File containing one or more Certificate Authority (CA)
>> certificates.
>> > #tls_ca_file: /etc/ssl/certs/cyrus-imapd-ca.pem
>> >
>> > # Path to directory with certificates of CAs.
>> > tls_ca_path: /etc/ssl/certs
>> >
>> > # The length of time (in minutes) that a TLS session will be cached
>> for
>> > later
>> > # reuse.  The maximum value is 1440 (24 hours), the default.  A
>> value
>> > of 0 will
>> > # disable session caching.
>> > tls_session_timeout: 1440
>> >
>> > # The list of SSL/TLS ciphers to allow, in decreasing order of
>> > precedence.
>> > # The format of the string is described in ciphers(1).  The Debian
>> > default
>> > # selects TLSv1 high-security ciphers only, and removes all
>> anonymous
>> > ciphers
>> > # from the list (because they provide no defense against
>> > man-in-the-middle
>> > # attacks).  It also orders the list so that stronger ciphers come
>> > first.
>> > tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
>> >
>> >
>> > - snip -
>> >
>> >
>> > ## KEEP THESE IN SYNC WITH cyrus.conf
>> > ##
>> > # Unix domain socket that lmtpd listens on.
>> > lmtpsocket: /var/run/cyrus/socket/lmtp
>> >
>> > # Unix domain socket that idled listens on.
>> > idlesocket: /var/run/cyrus/socket/idle
>> >
>> > # Unix domain socket that the new mail notification daemon listens
>> on.
>> > notifysocket: /var/run/cyrus/socket/notify
>> >
>> > # Syslog prefix. Defaults to cyrus (so logging is done as
>> cyrus/imap
>> > etc.)
>> > syslog_prefix: cyrus
>> >
>> >
>> > - snip -
>> > * end *
>> >
>> >
>> > B.R.
>> > Stephen L
>
>
> Send instant messages to your online friends http://uk.messenger.yahoo.com
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>



