Authentication problem

Stephen Liu satimis at yahoo.com
Mon Jun 9 07:26:57 EDT 2008


--- Simon Matter <simon.matter at invoca.ch> wrote:


Sorry, I made a mistake when I previously posted /etc/default/saslauthd.


It should read as follows:

$ cat /etc/default/saslauthd
# This needs to be uncommented before saslauthd will be run automatically
START=yes
PARAMS="-m /var/spool/postfix/var/run/saslauthd -r"
# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"

MECHANISMS="pam"
* end *


> > $ locate pam
> > /etc/pam.conf
> > /etc/pam.d
> > /etc/pam.d/atd
> > /etc/pam.d/chage
> > /etc/pam.d/chfn
> > /etc/pam.d/chsh
> > /etc/pam.d/common-account
> > /etc/pam.d/common-auth
> > /etc/pam.d/common-password
> > /etc/pam.d/common-session
> > /etc/pam.d/cron
> > /etc/pam.d/cupsys
> > /etc/pam.d/cvs
> > /etc/pam.d/dovecot
> > /etc/pam.d/groupadd
> > /etc/pam.d/groupdel
> > /etc/pam.d/groupmod
> > /etc/pam.d/imap
> > /etc/pam.d/lmtp
> > /etc/pam.d/login
> > /etc/pam.d/newusers
> > /etc/pam.d/other
> > /etc/pam.d/passwd
> > /etc/pam.d/pop
> > /etc/pam.d/ppp
> > /etc/pam.d/sieve
> > /etc/pam.d/ssh
> > /etc/pam.d/su
> > /etc/pam.d/sudo
> > /etc/pam.d/useradd
> > /etc/pam.d/userdel
> > /etc/pam.d/usermod
> > /etc/pam.d/vsftpd
> 
> For example /etc/pam.d/imap, /etc/pam.d/lmtp, /etc/pam.d/pop and
> /etc/pam.d/sieve. How are they configured?


$ cat /etc/pam.d/imap 
@include common-auth
@include common-account


$ cat /etc/pam.d/lmtp 
@include common-auth
@include common-account


$ cat /etc/pam.d/pop
@include common-auth
@include common-account


$ cat /etc/pam.d/sieve 
@include common-auth
@include common-account



> There is one more thing. You tried 'imtest -m login -p imap
> localhost' as
> root which means per default it tries to authenticate as user root.
> Maybe you want to try
> 
> imtest -m login -p imap -u satimiscyrus localhost


$ imtest -m login -p imap -u satimiscyrus localhost
S: * OK lampserver Cyrus IMAP4 v2.2.12-Debian-2.2.12-4ubuntu1 server
ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE
AUTH=NTLM AUTH=ANONYMOUS AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR
S: C01 OK Completed
Please enter your password: 
C: L01 LOGIN satimis {12}
S: + go ahead
C: <omitted>
S: L01 NO Login failed: generic failure
Authentication failed. generic failure
Security strength factor: 0
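(The session hangs here. Note that the LOGIN command above was sent for "satimis", not for the "satimiscyrus" given with -u.)


Then, after pressing [Ctrl]+C: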
^@C: Q01 LOGOUT
Connection closed.



B.R.
Stephen


> >
> > $ cat /etc/pam.conf
> > #
> >
>
---------------------------------------------------------------------------#
> > # /etc/pam.conf
> >      #
> > #
> >
>
---------------------------------------------------------------------------#
> > #
> > # NOTE
> > # ----
> > #
> > # NOTE: Most program use a file under the /etc/pam.d/ directory to
> > setup their
> > # PAM service modules. This file is used only if that directory
> does
> > not exist.
> > #
> >
>
---------------------------------------------------------------------------#
> >
> > # Format:
> > # serv. module     ctrl       module [path]     ...[args..]
> >      #
> > # name  type       flag
> >      #
> >  * end *
> >
> >
> > What other file/files do I have to check?  Thanks.
> >
> >
> >
> > B.R.
> > Stephen
> >
> >
> >
> >
> >
> >
> >
> >> > $ cat /etc/cyrus.conf
> >> > # Debian defaults for Cyrus IMAP server/cluster implementation
> >> > # see cyrus.conf(5) for more information
> >> > #
> >> > # All the tcp services are tcpd-wrapped. see hosts_access(5)
> >> > # $Id: cyrus.conf 120 2005-05-01 03:23:18Z sven $
> >> >
> >> > START {
> >> >         # do not delete this entry!
> >> >         recover         cmd="/usr/sbin/ctl_cyrusdb -r"
> >> >
> >> >         # this is only necessary if using idled for IMAP IDLE
> >> >         # this is NOT to be enabled right now in Debian builds
> >> >         #idled          cmd="idled"
> >> >
> >> >         # this is useful on backend nodes of a Murder cluster
> >> >         # it causes the backend to syncronize its mailbox list
> with
> >> >         # the mupdate master upon startup
> >> >         #mupdatepush   cmd="/usr/sbin/ctl_mboxlist -m"
> >> >
> >> >         # this is recommended if using duplicate delivery
> >> suppression
> >> >         delprune        cmd="/usr/sbin/ctl_deliver -E 3"
> >> >         # this is recommended if caching TLS sessions
> >> >         tlsprune        cmd="/usr/sbin/tls_prune"
> >> > }
> >> >
> >> > # UNIX sockets start with a slash and are absolute paths
> >> > # you can use a maxchild=# to limit the maximum number of forks
> of
> >> a
> >> > service
> >> > # you can use babysit=true and maxforkrate=# to keep tight tabs
> on
> >> the
> >> > service
> >> > # most services also accept -U (limit number of reuses) and -T
> >> > (timeout)
> >> > SERVICES {
> >> >         # --- Normal cyrus spool, or Murder backends ---
> >> >         # add or remove based on preferences
> >> >         imap            cmd="imapd -U 30" listen="imap"
> prefork=0
> >> > maxchild=100
> >> >         imaps           cmd="imapd -s -U 30" listen="imaps"
> >> prefork=0
> >> > maxchild=100
> >> >         #pop3           cmd="pop3d -U 30" listen="pop3"
> prefork=0
> >> > maxchild=50
> >> >         #pop3s          cmd="pop3d -s -U 30" listen="pop3s"
> >> prefork=0
> >> > maxchild=50
> >> >
> >> >
> >> >         #nntp           cmd="nntpd -U 30" listen="nntp"
> prefork=0
> >> > maxchild=100
> >> >         #nntps          cmd="nntpd -s -U 30" listen="nntps"
> >> prefork=0
> >> > maxchild=100
> >> >
> >> >         # At least one form of LMTP is required for delivery
> >> >         # (you must keep the Unix socket name in sync with
> >> imap.conf)
> >> >         #lmtp           cmd="lmtpd" listen="localhost:lmtp"
> >> prefork=0
> >> > maxchild=20
> >> >         lmtpunix        cmd="lmtpd"
> >> listen="/var/run/cyrus/socket/lmtp"
> >> > prefork=0 maxchild=20
> >> >         # ----------------------------------------------
> >> >
> >> >         # useful if you need to give users remote access to
> sieve
> >> >         # by default, we limit this to localhost in Debian
> >> >         sieve           cmd="timsieved" listen="localhost:sieve"
> >> > prefork=0 maxchild=100
> >> >
> >> >         # this one is needed for the notification services
> >> >         notify          cmd="notifyd"
> >> > listen="/var/run/cyrus/socket/notify" proto="udp" prefork=1
> >> >
> >> >         # --- Murder frontends -------------------------
> >> >
> >> > - snip -
> >> >
> >> >
> >> >         # ----------------------------------------------
> >> > }
> >> >
> >> > EVENTS {
> >> >         # this is required
> >> >         checkpoint      cmd="/usr/sbin/ctl_cyrusdb -c" period=30
> >> >
> >> >         # this is only necessary if using duplicate delivery
> >> > suppression
> >> >
> >> >
> >> >         delprune        cmd="/usr/sbin/ctl_deliver -E 3" at=0401
> >> >
> >> >         # this is only necessary if caching TLS sessions
> >> >         tlsprune        cmd="/usr/sbin/tls_prune" at=0401
> >> > }
> >> >
> >> > admins: cyrus
> >> > unixhierarchysep: 1
> >> > * end *
> >> >
> >> >
> >> >
> >> > $ cat /etc/imapd.conf
> >> > # Debian Cyrus imapd.conf
> >> > # $Id: imapd.conf 229 2005-12-08 23:26:29Z astronut $
> >> > # See imapd.conf(5) for more information and more options
> >> >
> >> > # Configuration directory
> >> > configdirectory: /var/lib/cyrus
> >> >
> >> > # Which partition to use for default mailboxes
> >> > defaultpartition: default
> >> > partition-default: /var/spool/cyrus/mail
> >> >
> >> > # News setup
> >> > partition-news: /var/spool/cyrus/news
> >> > newsspool: /var/spool/news
> >> >
> >> > # Alternate namespace
> >> > # If enabled, activate the alternate namespace as documented in
> >> > # /usr/share/doc/cyrus-doc-2.2/html/altnamespace.html, where an
> >> user's
> >> > # subfolders are in the same level as the INBOX
> >> > # See also userprefix and sharedprefix on imapd.conf(5)
> >> > altnamespace: no
> >> >
> >> > # UNIX Hierarchy Convention
> >> > # Set to yes, and cyrus will accept dots in names, and use the
> >> forward
> >> > # slash "/" to delimit levels of the hierarchy. This is done by
> >> > converting
> >> > # internally all dots to "^", and all "/" to dots. So the
> >> > "rabbit.holes"
> >> > # mailbox of user "helmer.fudd" is stored in
> >> > "user.elmer^fud.rabbit^holes"
> >> > unixhierarchysep: yes
> >> >
> >> >
> >> > - snip -
> >> >
> >> >
> >> > # Uncomment the following and add the space-separated users who
> >> > # have admin rights for all services.
> >> > admins: cyrus
> >> >
> >> >
> >> > - snip -
> >> >
> >> >
> >> > # No anonymous logins
> >> > #allowanonymouslogin: no
> >> > allowanonymouslogin: yes
> >> >
> >> > # Minimum time between POP mail fetches in minutes
> >> > popminpoll: 1
> >> >
> >> > # If nonzero, normal users may create their own IMAP accounts by
> >> > creating
> >> > # the mailbox INBOX.  The user's quota is set to the value if it
> is
> >> > positive,
> >> > # otherwise the user has unlimited quota.
> >> > autocreatequota: 0
> >> >
> >> > # umask used by Cyrus programs
> >> > umask: 077
> >> >
> >> > - snip -
> >> >
> >> > # If enabled, cyrdeliver will look for Sieve scripts in user's
> home
> >> > # directories: ~user/.sieve.
> >> > sieveusehomedir: false
> >> >
> >> > # If sieveusehomedir is false, this directory is searched for
> Sieve
> >> > scripts.
> >> > sievedir: /var/spool/sieve
> >> >
> >> >
> >> > - snip -
> >> >
> >> >
> >> > # If enabled, the partitions will also be hashed, in addition to
> >> the
> >> > hashing
> >> > # done on configuration directories. This is recommended if one
> >> > partition has a
> >> > # very bushy mailbox tree.
> >> > hashimapspool: true
> >> >
> >> > # Allow plaintext logins by default (SASL PLAIN)
> >> > allowplaintext: yes
> >> >
> >> > # Force PLAIN/LOGIN authentication only
> >> > # (you need to uncomment this if you are not using an
> auxprop-based
> >> > SASL
> >> > # mechanism.  saslauthd users, that means you!). And pay
> attention
> >> to
> >> > # sasl_minimum_layer and allowapop below, too.
> >> > #sasl_mech_list: PLAIN
> >> >
> >> >
> >> > - snip -
> >> >
> >> >
> >> > # Do note that, since sasl will be run as user cyrus, you may
> have
> >> a
> >> > lot of
> >> > # trouble to set this up right.
> >> > #sasl_pwcheck_method: auxprop
> >> > sasl_pwcheck_method: saslauthd
> >> >
> >> > # What auxpropd plugins to load, if using sasl_pwcheck_method:
> >> auxprop
> >> > # by default, all plugins are tried (which is probably NOT what
> you
> >> > want).
> >> > #sasl_auxprop_plugin: sasldb
> >> >
> >> > # If enabled, the SASL library will automatically create
> >> authentication
> >> > secrets
> >> > # when given a plaintext password. Refer to SASL documentation
> >> > sasl_auto_transition: no
> >> >
> >> > #
> >> > # SSL/TLS Options
> >> > #
> >> >
> >> > - snip -
> >> >
> >> >
> >> > # File containing one or more Certificate Authority (CA)
> >> certificates.
> >> > #tls_ca_file: /etc/ssl/certs/cyrus-imapd-ca.pem
> >> >
> >> > # Path to directory with certificates of CAs.
> >> > tls_ca_path: /etc/ssl/certs
> >> >
> >> > # The length of time (in minutes) that a TLS session will be
> cached
> >> for
> >> > later
> >> > # reuse.  The maximum value is 1440 (24 hours), the default.  A
> >> value
> >> > of 0 will
> >> > # disable session caching.
> >> > tls_session_timeout: 1440
> >> >
> >> > # The list of SSL/TLS ciphers to allow, in decreasing order of
> >> > precedence.
> >> > # The format of the string is described in ciphers(1).  The
> Debian
> >> > default
> >> > # selects TLSv1 high-security ciphers only, and removes all
> >> anonymous
> >> > ciphers
> >> > # from the list (because they provide no defense against
> >> > man-in-the-middle
> >> > # attacks).  It also orders the list so that stronger ciphers
> come
> >> > first.
> >> > tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
> >> >
> >> >
> >> > - snip -
> >> >
> >> >
> >> > ## KEEP THESE IN SYNC WITH cyrus.conf
> >> > ##
> >> > # Unix domain socket that lmtpd listens on.
> >> > lmtpsocket: /var/run/cyrus/socket/lmtp
> >> >
> >> > # Unix domain socket that idled listens on.
> >> > idlesocket: /var/run/cyrus/socket/idle
> >> >
> >> > # Unix domain socket that the new mail notification daemon
> listens
> >> on.
> >> > notifysocket: /var/run/cyrus/socket/notify
> >> >
> >> > # Syslog prefix. Defaults to cyrus (so logging is done as
> >> cyrus/imap
> >> > etc.)
> >> > syslog_prefix: cyrus
> >> >
> >> >
> >> > - snip -
> >> > * end *
> >> >
> >> >
> >> > B.R.
> >> > Stephen L
> >
> >
> >
> 
> 
> 



