AUTH response for POP3 Over SSL

Ken Murchison murch at andrew.cmu.edu
Mon Mar 31 11:56:35 EDT 2008


You can either remove the CRAM-MD5 SASL plugin, or restrict the list of 
advertised mechanisms by using the 'sasl_mech_list' option in imapd.conf.


Joshua Tew wrote:
> I have not been able to authenticate POP3 over SSL from Thunderbird 
> 2.0.0.12 to Cyrus POP3 v2.3.8 on an OS X Server 10.5.
> 
> 
> I have narrowed down the cause to be a wrong set of supported 
> authentication mechanisms being advertised when Thunderbird queried the 
> POP3 server in AUTH.
> For example, the server responded with CRAM-MD5 as a supported mechanism 
> in AUTH when it really has not been configured as such, not in POP3 anyway.
> 
> 
> I would like to know if it is a configuration issue, is there something 
> missing in the OS X configuration of the Cyrus server that is supposed 
> to stop CRAM-MD5 and a list of other auth mechanisms from being 
> advertised as supported in the AUTH process? i.e. Apple messed up the 
> configuration/build.
> 
> Or is this a "feature" of this version of the Cyrus server and resolved 
> in a later version?
> 
> Or Thunderbird should have used the mechanism listed in CAPA response 
> only as CRAM-MD5 only appeared in AUTH.
> 
> 
> 
> Thanks for your help.
> 
> 
> Joshua
> 
> my system generated imapd.conf is as follows:
> 
> admins: cyrusimap
> configdirectory: /var/imap
> partition-default: /var/spool/imap
> unixhierarchysep: yes
> altnamespace: yes
> servername: mailserver.abc.edu
> sievedir: /usr/sieve
> sendmail: /usr/sbin/sendmail
> lmtp_downcase_rcpt: 1
> unix_group_enable: 0
> berkeley_txns_max: 400
> berkeley_locks_max: 20000
> berkeley_cachesize: 8192
> berkeley_max_log_region: 2048
> berkeley_max_log_file: 10240
> berkeley_max_log_buffer: 2048
> tls_key_file: /Volumes/system/etc/certificates/mail.abc.edu.key
> quota_warn_frequency_days: 2
> tls_cert_file: /Volumes/system/etc/certificates/mail.abc.edu.crt
> enable_quota_warnings: yes
> log_rolling_days_enabled: 0
> log_rolling_days: 1
> lmtp_over_quota_perm_failure: yes
> imap_auth_plain: yes
> imap_auth_md5: yes
> lmtp_luser_relay: joshua
> pop_auth_apop: yes
> tls_server_options: use
> tls_ca_file: /Volumes/system/etc/certificates/mail.abc.edu.ca-bundle
> 
> 
> OS X POP3 Log
> 
> Mar 20 10:42:47 webserver pop3[12181]: starttls: TLSv1 with cipher 
> AES256-SHA (256/256 bits new) no authentication
> Mar 20 10:43:31 webserver pop3[12261]: executed
> Mar 20 10:43:31 webserver pop3[12261]: accepted connection
> Mar 20 10:43:36 webserver pop3[12261]: badlogin: jt.abc.edu 
> [10.10.1.123] CRAM-MD5 user not found
> 
> 
> 
> This is a log of the Thunderbird POP3 process
> 
> 
> -1604083808[1109db0]: RECV: +OK mailserver.abc.edu Cyrus POP3 v2.3.8-OS 
> X Server 10.5: 9A562 server ready 
> <1261331586.1205925688 at mailserver.abc.edu>
> -1604083808[1109db0]: POP3: Entering state: 29
> -1604083808[1109db0]: SEND: AUTH
> -1604083808[1109db0]: Entering NET_ProcessPop3 159
> -1604083808[1109db0]: POP3: Entering state: 3
> -1604083808[1109db0]: RECV: +OK List of supported mechanisms follows
> -1604083808[1109db0]: POP3: Entering state: 30
> -1604083808[1109db0]: RECV: SMB-NTLMv2
> -1604083808[1109db0]: POP3: Entering state: 30
> -1604083808[1109db0]: RECV: SMB-NT
> -1604083808[1109db0]: POP3: Entering state: 30
> -1604083808[1109db0]: RECV: SMB-LAN-MANAGER
> -1604083808[1109db0]: POP3: Entering state: 30
> -1604083808[1109db0]: RECV: MS-CHAPv2
> -1604083808[1109db0]: POP3: Entering state: 30
> -1604083808[1109db0]: RECV: PPS
> -1604083808[1109db0]: POP3: Entering state: 30
> -1604083808[1109db0]: RECV: OTP
> -1604083808[1109db0]: POP3: Entering state: 30
> -1604083808[1109db0]: RECV: GSSAPI
> -1604083808[1109db0]: POP3: Entering state: 30
> -1604083808[1109db0]: RECV: DIGEST-MD5
> -1604083808[1109db0]: POP3: Entering state: 30
> -1604083808[1109db0]: RECV: CRAM-MD5
> -1604083808[1109db0]: POP3: Entering state: 30
> -1604083808[1109db0]: RECV: WEBDAV-DIGEST
> -1604083808[1109db0]: POP3: Entering state: 30
> -1604083808[1109db0]: RECV: DHX
> -1604083808[1109db0]: POP3: Entering state: 30
> -1604083808[1109db0]: RECV: APOP
> -1604083808[1109db0]: POP3: Entering state: 30
> -1604083808[1109db0]: RECV: .
> -1604083808[1109db0]: POP3: Entering state: 31
> -1604083808[1109db0]: SEND: CAPA
> -1604083808[1109db0]: Entering NET_ProcessPop3 206
> -1604083808[1109db0]: POP3: Entering state: 3
> -1604083808[1109db0]: RECV: +OK List of capabilities follows
> -1604083808[1109db0]: POP3: Entering state: 32
> -1604083808[1109db0]: RECV: SASL APOP
> -1604083808[1109db0]: POP3: Entering state: 32
> -1604083808[1109db0]: RECV: STLS
> -1604083808[1109db0]: POP3: Entering state: 32
> -1604083808[1109db0]: RECV: EXPIRE NEVER
> -1604083808[1109db0]: POP3: Entering state: 32
> -1604083808[1109db0]: RECV: LOGIN-DELAY 0
> -1604083808[1109db0]: POP3: Entering state: 32
> -1604083808[1109db0]: RECV: TOP
> -1604083808[1109db0]: POP3: Entering state: 32
> -1604083808[1109db0]: RECV: UIDL
> -1604083808[1109db0]: POP3: Entering state: 32
> -1604083808[1109db0]: RECV: PIPELINING
> -1604083808[1109db0]: POP3: Entering state: 32
> -1604083808[1109db0]: RECV: RESP-CODES
> -1604083808[1109db0]: POP3: Entering state: 32
> -1604083808[1109db0]: RECV: AUTH-RESP-CODE
> -1604083808[1109db0]: POP3: Entering state: 32
> -1604083808[1109db0]: RECV: USER
> -1604083808[1109db0]: POP3: Entering state: 32
> -1604083808[1109db0]: RECV: IMPLEMENTATION Cyrus POP3 server v2.3.8-OS X 
> Server 10.5: 9A562
> -1604083808[1109db0]: POP3: Entering state: 32
> -1604083808[1109db0]: RECV: .
> -1604083808[1109db0]: POP3: Entering state: 33
> -1604083808[1109db0]: SEND: STLS
> -1604083808[1109db0]: Entering NET_ProcessPop3 31
> -1604083808[1109db0]: POP3: Entering state: 3
> -1604083808[1109db0]: RECV: +OK Begin TLS negotiation now
> -1604083808[1109db0]: POP3: Entering state: 45
> -1604083808[1109db0]: POP3: Entering state: 29
> -1604083808[1109db0]: SEND: AUTH
> -1604083808[1109db0]: Entering NET_ProcessPop3 173
> -1604083808[1109db0]: POP3: Entering state: 3
> -1604083808[1109db0]: RECV: +OK List of supported mechanisms follows
> -1604083808[1109db0]: POP3: Entering state: 30
> -1604083808[1109db0]: RECV: SMB-NTLMv2
> -1604083808[1109db0]: POP3: Entering state: 30
> -1604083808[1109db0]: RECV: SMB-NT
> -1604083808[1109db0]: POP3: Entering state: 30
> -1604083808[1109db0]: RECV: SMB-LAN-MANAGER
> -1604083808[1109db0]: POP3: Entering state: 30
> -1604083808[1109db0]: RECV: MS-CHAPv2
> -1604083808[1109db0]: POP3: Entering state: 30
> -1604083808[1109db0]: RECV: PPS
> -1604083808[1109db0]: POP3: Entering state: 30
> -1604083808[1109db0]: RECV: PLAIN
> -1604083808[1109db0]: POP3: Entering state: 30
> -1604083808[1109db0]: RECV: OTP
> -1604083808[1109db0]: POP3: Entering state: 30
> -1604083808[1109db0]: RECV: LOGIN
> -1604083808[1109db0]: POP3: Entering state: 30
> -1604083808[1109db0]: RECV: GSSAPI
> -1604083808[1109db0]: POP3: Entering state: 30
> -1604083808[1109db0]: RECV: DIGEST-MD5
> -1604083808[1109db0]: POP3: Entering state: 30
> -1604083808[1109db0]: RECV: CRAM-MD5
> -1604083808[1109db0]: POP3: Entering state: 30
> -1604083808[1109db0]: RECV: WEBDAV-DIGEST
> -1604083808[1109db0]: POP3: Entering state: 30
> -1604083808[1109db0]: RECV: DHX
> -1604083808[1109db0]: POP3: Entering state: 30
> -1604083808[1109db0]: RECV: APOP
> -1604083808[1109db0]: POP3: Entering state: 30
> -1604083808[1109db0]: RECV: .
> -1604083808[1109db0]: POP3: Entering state: 31
> -1604083808[1109db0]: SEND: CAPA
> -1604083808[1109db0]: Entering NET_ProcessPop3 200
> -1604083808[1109db0]: POP3: Entering state: 3
> -1604083808[1109db0]: RECV: +OK List of capabilities follows
> -1604083808[1109db0]: POP3: Entering state: 32
> -1604083808[1109db0]: RECV: SASL APOP
> -1604083808[1109db0]: POP3: Entering state: 32
> -1604083808[1109db0]: RECV: EXPIRE NEVER
> -1604083808[1109db0]: POP3: Entering state: 32
> -1604083808[1109db0]: RECV: LOGIN-DELAY 0
> -1604083808[1109db0]: POP3: Entering state: 32
> -1604083808[1109db0]: RECV: TOP
> -1604083808[1109db0]: POP3: Entering state: 32
> -1604083808[1109db0]: RECV: UIDL
> -1604083808[1109db0]: POP3: Entering state: 32
> -1604083808[1109db0]: RECV: PIPELINING
> -1604083808[1109db0]: POP3: Entering state: 32
> -1604083808[1109db0]: RECV: RESP-CODES
> -1604083808[1109db0]: POP3: Entering state: 32
> -1604083808[1109db0]: RECV: AUTH-RESP-CODE
> -1604083808[1109db0]: POP3: Entering state: 32
> -1604083808[1109db0]: RECV: USER
> -1604083808[1109db0]: POP3: Entering state: 32
> -1604083808[1109db0]: RECV: IMPLEMENTATION Cyrus POP3 server v2.3.8-OS X 
> Server 10.5: 9A562
> -1604083808[1109db0]: POP3: Entering state: 32
> -1604083808[1109db0]: RECV: .
> -1604083808[1109db0]: POP3: Entering state: 33
> -1604083808[1109db0]: POP3: Entering state: 46
> -1604083808[1109db0]: POP3: Entering state: 33
> -1604083808[1109db0]: POP3: Entering state: 5
> -1604083808[1109db0]: SEND: AUTH CRAM-MD5
> -1604083808[1109db0]: Entering NET_ProcessPop3 64
> -1604083808[1109db0]: POP3: Entering state: 3
> -1604083808[1109db0]: RECV: + 
> PDExMzk5somerandomcharsforpublickey?MuZWR1LnNnPg==
> -1604083808[1109db0]: POP3: Entering state: 34
> -1604083808[1109db0]: POP3: Entering state: 6
> -1604083808[1109db0]: Logging suppressed for this command (it probably 
> contained authentication information)
> -1604083808[1109db0]: Entering NET_ProcessPop3 52
> -1604083808[1109db0]: POP3: Entering state: 3
> -1604083808[1109db0]: RECV: -ERR [AUTH] authenticating: authentication 
> failure
> 
> 


-- 
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University
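
The comparison described in the quoted message (mechanisms listed by a bare AUTH versus those on CAPA's SASL line, before and after STLS) can be automated when auditing what a server advertises. This is an added example, not part of the original thread or of Cyrus; the function names are hypothetical and it assumes the Thunderbird log format shown above.

```python
import re

# Constructed sample, abbreviated from the Thunderbird log quoted in the thread.
_P = "-1604083808[1109db0]: "
SAMPLE_LOG = "\n".join(_P + s for s in [
    "SEND: AUTH", "RECV: +OK List of supported mechanisms follows",
    "RECV: GSSAPI", "RECV: CRAM-MD5", "RECV: APOP", "RECV: .",
    "SEND: CAPA", "RECV: +OK List of capabilities follows",
    "RECV: SASL APOP", "RECV: STLS", "RECV: .",
    "SEND: STLS", "RECV: +OK Begin TLS negotiation now",
    "SEND: AUTH", "RECV: +OK List of supported mechanisms follows",
    "RECV: PLAIN", "RECV: CRAM-MD5", "RECV: APOP", "RECV: .",
    "SEND: CAPA", "RECV: +OK List of capabilities follows",
    "RECV: SASL APOP", "RECV: USER", "RECV: .",
    "SEND: AUTH CRAM-MD5",
    "RECV: -ERR [AUTH] authenticating: authentication failure",
])

LINE = re.compile(r"\b(SEND|RECV): (.*)$")

def advertised(log):
    """Hypothetical helper: {phase: {"AUTH": set, "CAPA": set}} per TLS phase."""
    out = {p: {"AUTH": set(), "CAPA": set()} for p in ("cleartext", "tls")}
    phase, cmd, listing = "cleartext", None, False
    for raw in log.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # wrapped continuation lines and state-machine noise
        direction, text = m.group(1), m.group(2).strip()
        if direction == "SEND":
            cmd, listing = text.upper(), False
        elif text.startswith("+OK"):
            if cmd == "STLS":
                phase = "tls"  # everything after this is inside the TLS session
            listing = cmd in ("AUTH", "CAPA")
        elif text == "." or text.startswith("-ERR"):
            listing = False
        elif listing and cmd == "AUTH":
            out[phase]["AUTH"].add(text.upper())
        elif listing and cmd == "CAPA" and text.upper().startswith("SASL "):
            out[phase]["CAPA"].update(text.upper().split()[1:])
    return out

def auth_only(log):
    """Mechanisms listed by bare AUTH but absent from CAPA's SASL line, per phase."""
    return {p: sorted(v["AUTH"] - v["CAPA"]) for p, v in advertised(log).items()}

if __name__ == "__main__":
    print(auth_only(SAMPLE_LOG))
```

Mechanisms it reports are the ones to check against the installed SASL plugins and the `sasl_mech_list` setting mentioned in the reply.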

