Authentication problem

Simon Matter simon.matter at invoca.ch
Mon Jun 9 08:58:07 EDT 2008


>
> --- Simon Matter <simon.matter at invoca.ch> wrote:
>
>
> Sorry previously I made a mistake on posting /etc/default/saslauthd
>
>
> It should read as;
>
> $ cat /etc/default/saslauthd
> # This needs to be uncommented before saslauthd will be run automatically
> START=yes
> PARAMS="-m /var/spool/postfix/var/run/saslauthd -r"
> # You must specify the authentication mechanisms you wish to use.
> # This defaults to "pam" for PAM support, but may also include
> # "shadow" or "sasldb", like this:
> # MECHANISMS="pam shadow"
>
> MECHANISMS="pam"
> * end *
>
>
>> > $ locate pam
>> > /etc/pam.conf
>> > /etc/pam.d
>> > /etc/pam.d/atd
>> > /etc/pam.d/chage
>> > /etc/pam.d/chfn
>> > /etc/pam.d/chsh
>> > /etc/pam.d/common-account
>> > /etc/pam.d/common-auth
>> > /etc/pam.d/common-password
>> > /etc/pam.d/common-session
>> > /etc/pam.d/cron
>> > /etc/pam.d/cupsys
>> > /etc/pam.d/cvs
>> > /etc/pam.d/dovecot
>> > /etc/pam.d/groupadd
>> > /etc/pam.d/groupdel
>> > /etc/pam.d/groupmod
>> > /etc/pam.d/imap
>> > /etc/pam.d/lmtp
>> > /etc/pam.d/login
>> > /etc/pam.d/newusers
>> > /etc/pam.d/other
>> > /etc/pam.d/passwd
>> > /etc/pam.d/pop
>> > /etc/pam.d/ppp
>> > /etc/pam.d/sieve
>> > /etc/pam.d/ssh
>> > /etc/pam.d/su
>> > /etc/pam.d/sudo
>> > /etc/pam.d/useradd
>> > /etc/pam.d/userdel
>> > /etc/pam.d/usermod
>> > /etc/pam.d/vsftpd
>>
>> For example /etc/pam.d/imap, /etc/pam.d/lmtp, /etc/pam.d/pop and
>> /etc/pam.d/sieve. How are they configured?
>
>
> $ cat /etc/pam.d/imap
> @include common-auth
> @include common-account

Well, now you should provide us with the common-auth and common-account configs.

>
>
> $ cat /etc/pam.d/lmtp
> @include common-auth
> @include common-account
>
>
> $ cat /etc/pam.d/pop
> @include common-auth
> @include common-account
>
>
> $ cat /etc/pam.d/sieve
> @include common-auth
> @include common-account
>
>
>
>> There is one more thing. You tried 'imtest -m login -p imap
>> localhost' as
>> root which means per default it tries to authenticate as user root.
>> Maybe you want to try
>>
>> imtest -m login -p imap -u satimiscyrus localhost
>
>
> $ imtest -m login -p imap -u satimiscyrus localhost
> S: * OK lampserver Cyrus IMAP4 v2.2.12-Debian-2.2.12-4ubuntu1 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=NTLM AUTH=ANONYMOUS AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR
> S: C01 OK Completed
> Please enter your password:
> C: L01 LOGIN satimis {12}
> S: + go ahead
> C: <omitted>
> S: L01 NO Login failed: generic failure
> Authentication failed. generic failure
> Security strength factor: 0
> (it is hanging here)

I have the feeling you should add this to your imapd.conf:

sasl_mech_list: PLAIN

Regards,
Simon

> then pressing [Ctrl]+c
> ^@C: Q01 LOGOUT
> Connection closed.
>
>
>
> B.R.
> Stephen
>
>
>> >
>> > $ cat /etc/pam.conf
>> > # ---------------------------------------------------------------------------#
>> > # /etc/pam.conf                                                              #
>> > # ---------------------------------------------------------------------------#
>> > #
>> > # NOTE
>> > # ----
>> > #
>> > # NOTE: Most program use a file under the /etc/pam.d/ directory to setup their
>> > # PAM service modules. This file is used only if that directory does not exist.
>> > # ---------------------------------------------------------------------------#
>> >
>> > # Format:
>> > # serv. module     ctrl       module [path]     ...[args..]                  #
>> > # name  type       flag                                                      #
>> >  * end *
>> >
>> >
>> > What other file/files I have to check ?  Thanks.
>> >
>> >
>> >
>> > B.R.
>> > Stephen
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >> > $ cat /etc/cyrus.conf
>> >> > # Debian defaults for Cyrus IMAP server/cluster implementation
>> >> > # see cyrus.conf(5) for more information
>> >> > #
>> >> > # All the tcp services are tcpd-wrapped. see hosts_access(5)
>> >> > # $Id: cyrus.conf 120 2005-05-01 03:23:18Z sven $
>> >> >
>> >> > START {
>> >> >         # do not delete this entry!
>> >> >         recover         cmd="/usr/sbin/ctl_cyrusdb -r"
>> >> >
>> >> >         # this is only necessary if using idled for IMAP IDLE
>> >> >         # this is NOT to be enabled right now in Debian builds
>> >> >         #idled          cmd="idled"
>> >> >
>> >> >         # this is useful on backend nodes of a Murder cluster
>> >> >         # it causes the backend to syncronize its mailbox list with
>> >> >         # the mupdate master upon startup
>> >> >         #mupdatepush   cmd="/usr/sbin/ctl_mboxlist -m"
>> >> >
>> >> >         # this is recommended if using duplicate delivery suppression
>> >> >         delprune        cmd="/usr/sbin/ctl_deliver -E 3"
>> >> >         # this is recommended if caching TLS sessions
>> >> >         tlsprune        cmd="/usr/sbin/tls_prune"
>> >> > }
>> >> >
>> >> > # UNIX sockets start with a slash and are absolute paths
>> >> > # you can use a maxchild=# to limit the maximum number of forks of a service
>> >> > # you can use babysit=true and maxforkrate=# to keep tight tabs on the service
>> >> > # most services also accept -U (limit number of reuses) and -T (timeout)
>> >> > SERVICES {
>> >> >         # --- Normal cyrus spool, or Murder backends ---
>> >> >         # add or remove based on preferences
>> >> >         imap            cmd="imapd -U 30" listen="imap" prefork=0 maxchild=100
>> >> >         imaps           cmd="imapd -s -U 30" listen="imaps" prefork=0 maxchild=100
>> >> >         #pop3           cmd="pop3d -U 30" listen="pop3" prefork=0 maxchild=50
>> >> >         #pop3s          cmd="pop3d -s -U 30" listen="pop3s" prefork=0 maxchild=50
>> >> >
>> >> >
>> >> >         #nntp           cmd="nntpd -U 30" listen="nntp" prefork=0 maxchild=100
>> >> >         #nntps          cmd="nntpd -s -U 30" listen="nntps" prefork=0 maxchild=100
>> >> >
>> >> >         # At least one form of LMTP is required for delivery
>> >> >         # (you must keep the Unix socket name in sync with imap.conf)
>> >> >         #lmtp           cmd="lmtpd" listen="localhost:lmtp" prefork=0 maxchild=20
>> >> >         lmtpunix        cmd="lmtpd" listen="/var/run/cyrus/socket/lmtp" prefork=0 maxchild=20
>> >> >         # ----------------------------------------------
>> >> >
>> >> >         # useful if you need to give users remote access to sieve
>> >> >         # by default, we limit this to localhost in Debian
>> >> >         sieve           cmd="timsieved" listen="localhost:sieve" prefork=0 maxchild=100
>> >> >
>> >> >         # this one is needed for the notification services
>> >> >         notify          cmd="notifyd" listen="/var/run/cyrus/socket/notify" proto="udp" prefork=1
>> >> >
>> >> >         # --- Murder frontends -------------------------
>> >> >
>> >> > - snip -
>> >> >
>> >> >
>> >> >         # ----------------------------------------------
>> >> > }
>> >> >
>> >> > EVENTS {
>> >> >         # this is required
>> >> >         checkpoint      cmd="/usr/sbin/ctl_cyrusdb -c" period=30
>> >> >
>> >> >         # this is only necessary if using duplicate delivery suppression
>> >> >         delprune        cmd="/usr/sbin/ctl_deliver -E 3" at=0401
>> >> >
>> >> >         # this is only necessary if caching TLS sessions
>> >> >         tlsprune        cmd="/usr/sbin/tls_prune" at=0401
>> >> > }
>> >> >
>> >> > admins: cyrus
>> >> > unixhierarchysep: 1
>> >> > * end *
>> >> >
>> >> >
>> >> >
>> >> > $ cat /etc/imapd.conf
>> >> > # Debian Cyrus imapd.conf
>> >> > # $Id: imapd.conf 229 2005-12-08 23:26:29Z astronut $
>> >> > # See imapd.conf(5) for more information and more options
>> >> >
>> >> > # Configuration directory
>> >> > configdirectory: /var/lib/cyrus
>> >> >
>> >> > # Which partition to use for default mailboxes
>> >> > defaultpartition: default
>> >> > partition-default: /var/spool/cyrus/mail
>> >> >
>> >> > # News setup
>> >> > partition-news: /var/spool/cyrus/news
>> >> > newsspool: /var/spool/news
>> >> >
>> >> > # Alternate namespace
>> >> > # If enabled, activate the alternate namespace as documented in
>> >> > # /usr/share/doc/cyrus-doc-2.2/html/altnamespace.html, where an user's
>> >> > # subfolders are in the same level as the INBOX
>> >> > # See also userprefix and sharedprefix on imapd.conf(5)
>> >> > altnamespace: no
>> >> >
>> >> > # UNIX Hierarchy Convention
>> >> > # Set to yes, and cyrus will accept dots in names, and use the forward
>> >> > # slash "/" to delimit levels of the hierarchy. This is done by converting
>> >> > # internally all dots to "^", and all "/" to dots. So the "rabbit.holes"
>> >> > # mailbox of user "helmer.fudd" is stored in "user.elmer^fud.rabbit^holes"
>> >> > unixhierarchysep: yes
>> >> >
>> >> >
>> >> > - snip -
>> >> >
>> >> >
>> >> > # Uncomment the following and add the space-separated users who
>> >> > # have admin rights for all services.
>> >> > admins: cyrus
>> >> >
>> >> >
>> >> > - snip -
>> >> >
>> >> >
>> >> > # No anonymous logins
>> >> > #allowanonymouslogin: no
>> >> > allowanonymouslogin: yes
>> >> >
>> >> > # Minimum time between POP mail fetches in minutes
>> >> > popminpoll: 1
>> >> >
>> >> > # If nonzero, normal users may create their own IMAP accounts by creating
>> >> > # the mailbox INBOX.  The user's quota is set to the value if it is positive,
>> >> > # otherwise the user has unlimited quota.
>> >> > autocreatequota: 0
>> >> >
>> >> > # umask used by Cyrus programs
>> >> > umask: 077
>> >> >
>> >> > - snip -
>> >> >
>> >> > # If enabled, cyrdeliver will look for Sieve scripts in user's home
>> >> > # directories: ~user/.sieve.
>> >> > sieveusehomedir: false
>> >> >
>> >> > # If sieveusehomedir is false, this directory is searched for Sieve scripts.
>> >> > sievedir: /var/spool/sieve
>> >> >
>> >> >
>> >> > - snip -
>> >> >
>> >> >
>> >> > # If enabled, the partitions will also be hashed, in addition to the hashing
>> >> > # done on configuration directories. This is recommended if one partition has a
>> >> > # very bushy mailbox tree.
>> >> > hashimapspool: true
>> >> >
>> >> > # Allow plaintext logins by default (SASL PLAIN)
>> >> > allowplaintext: yes
>> >> >
>> >> > # Force PLAIN/LOGIN authentication only
>> >> > # (you need to uncomment this if you are not using an auxprop-based SASL
>> >> > # mechanism.  saslauthd users, that means you!). And pay attention to
>> >> > # sasl_minimum_layer and allowapop below, too.
>> >> > #sasl_mech_list: PLAIN
>> >> >
>> >> >
>> >> > - snip -
>> >> >
>> >> >
>> >> > # Do note that, since sasl will be run as user cyrus, you may have a lot of
>> >> > # trouble to set this up right.
>> >> > #sasl_pwcheck_method: auxprop
>> >> > sasl_pwcheck_method: saslauthd
>> >> >
>> >> > # What auxpropd plugins to load, if using sasl_pwcheck_method: auxprop
>> >> > # by default, all plugins are tried (which is probably NOT what you want).
>> >> > #sasl_auxprop_plugin: sasldb
>> >> >
>> >> > # If enabled, the SASL library will automatically create authentication secrets
>> >> > # when given a plaintext password. Refer to SASL documentation
>> >> > sasl_auto_transition: no
>> >> >
>> >> > #
>> >> > # SSL/TLS Options
>> >> > #
>> >> >
>> >> > - snip -
>> >> >
>> >> >
>> >> > # File containing one or more Certificate Authority (CA) certificates.
>> >> > #tls_ca_file: /etc/ssl/certs/cyrus-imapd-ca.pem
>> >> >
>> >> > # Path to directory with certificates of CAs.
>> >> > tls_ca_path: /etc/ssl/certs
>> >> >
>> >> > # The length of time (in minutes) that a TLS session will be cached for later
>> >> > # reuse.  The maximum value is 1440 (24 hours), the default.  A value of 0 will
>> >> > # disable session caching.
>> >> > tls_session_timeout: 1440
>> >> >
>> >> > # The list of SSL/TLS ciphers to allow, in decreasing order of precedence.
>> >> > # The format of the string is described in ciphers(1).  The Debian default
>> >> > # selects TLSv1 high-security ciphers only, and removes all anonymous ciphers
>> >> > # from the list (because they provide no defense against man-in-the-middle
>> >> > # attacks).  It also orders the list so that stronger ciphers come first.
>> >> > tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
>> >> >
>> >> >
>> >> > - snip -
>> >> >
>> >> >
>> >> > ## KEEP THESE IN SYNC WITH cyrus.conf
>> >> > ##
>> >> > # Unix domain socket that lmtpd listens on.
>> >> > lmtpsocket: /var/run/cyrus/socket/lmtp
>> >> >
>> >> > # Unix domain socket that idled listens on.
>> >> > idlesocket: /var/run/cyrus/socket/idle
>> >> >
>> >> > # Unix domain socket that the new mail notification daemon listens on.
>> >> > notifysocket: /var/run/cyrus/socket/notify
>> >> >
>> >> > # Syslog prefix. Defaults to cyrus (so logging is done as cyrus/imap etc.)
>> >> > syslog_prefix: cyrus
>> >> >
>> >> >
>> >> > - snip -
>> >> > * end *
>> >> >
>> >> >
>> >> > B.R.
>> >> > Stephen L
>> >
>> >
>> > ----
>> > Cyrus Home Page: http://cyrusimap.web.cmu.edu/
>> > Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
>> > List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>> >
>>
>>
>>
>
>
>
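
An added example, not part of the original thread or of Cyrus itself: saslauthd only ever checks a plaintext password, so with `sasl_pwcheck_method: saslauthd` only PLAIN and LOGIN can succeed, which is what the `sasl_mech_list: PLAIN` suggestion enforces. The sketch below audits an imapd.conf and a CAPABILITY reply for that mismatch; the function names are hypothetical and the sample input is abridged from the configuration and imtest output quoted above.

```python
# Added example: audit a Cyrus imapd.conf that authenticates through saslauthd.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # saslauthd only ever checks a plaintext password

# Sample input abridged from the imapd.conf and CAPABILITY reply quoted in this thread.
SAMPLE_CONF = """\
allowanonymouslogin: yes
allowplaintext: yes
#sasl_mech_list: PLAIN
sasl_pwcheck_method: saslauthd
"""
SAMPLE_CAPABILITY = ("* CAPABILITY IMAP4 IMAP4rev1 IDLE AUTH=NTLM AUTH=ANONYMOUS "
                     "AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR")

def parse_imapd_conf(text):
    """Return the active 'option: value' pairs; '#' lines are comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            opts[key.strip().lower()] = value.strip()
    return opts

def advertised_mechs(capability_line):
    """SASL mechanism names taken from the AUTH= tokens of a CAPABILITY reply."""
    return {t[5:].upper() for t in capability_line.split() if t.upper().startswith("AUTH=")}

def audit(conf_text, capability_line=""):
    """Return findings (list of str) for a saslauthd-backed imapd."""
    opts, findings = parse_imapd_conf(conf_text), []
    if opts.get("sasl_pwcheck_method", "").lower() != "saslauthd":
        return findings  # auxprop back ends can serve shared-secret mechanisms
    allowed = set(opts.get("sasl_mech_list", "").upper().split())
    if not allowed:
        findings.append("sasl_mech_list unset: every installed SASL mechanism may be offered")
    elif allowed - PLAINTEXT_MECHS:
        findings.append("sasl_mech_list permits: " + " ".join(sorted(allowed - PLAINTEXT_MECHS)))
    offered = advertised_mechs(capability_line)
    unverifiable = sorted(offered - PLAINTEXT_MECHS - {"ANONYMOUS"})
    if unverifiable:
        findings.append("advertised but not verifiable by saslauthd: " + " ".join(unverifiable))
    if opts.get("allowanonymouslogin", "no").lower() in ("yes", "on", "true", "1", "t"):
        findings.append("allowanonymouslogin is enabled")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, SAMPLE_CAPABILITY):
        print("FINDING:", finding)
```

Run against the sample, it reports the unset mechanism list, the three shared-secret mechanisms the server advertises, and the enabled anonymous login.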




More information about the Info-cyrus mailing list