Problems with frontend to backend authentication in murder 2.3.12
Nic Bernstein
nic at onlight.com
Tue Sep 30 09:31:17 EDT 2008
Greetings list,
I would like to start out by thanking all of the developers for a truly
great bundle of software. I have been using Cyrus IMAP for over a
decade and think it one of the best packages of software around.
I have recently had occasion to put together a murder, and thought to
start out with a simple "standard" configuration with a mupdate master,
"postman," a backend, "mail.wi" and a frontend, "imap.wi." The problem
I am having is one which I see frequently mentioned on the list, but the
solution has evaded me: frontend authentication.
Here are the details:
* LDAP authentication via saslauthd
* Linux (Fedora 6 and 8) with Invoca (2.3.12p2-1) rpms
There is no problem with mailboxes.db propagation from backend to master
to frontend -- that is fine. The problems come when trying to access
mailboxes using the frontend. Here are configuration files (trimmed):
backend "mail.wi" imapd.conf:
---------------------------------------------------
admins: cyrus cyradmin
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN PLAIN+TLS
servername: mail.wi
mupdate_admins: murder
mupdate_server: postman
mupdate_username: becyradmin
mupdate_authname: becyradmin
mupdate_password: password
mupdate_config: standard
allowusermoves: true
proxyservers: murder
proxy_authname: murder
proxy_password: password
tls_cert_file: /etc/pki/cyrus-imapd/mail.wi.crt
tls_key_file: /etc/pki/cyrus-imapd/mail.wi.key
tls_ca_file: /etc/pki/cyrus-imapd/ca.crt
-----------------------------------------------------
Here is the frontend "imap.wi" imapd.conf:
-----------------------------------------------------
admins: cyrus cyradmin
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN PLAIN+TLS
servername: imap.wi.occinc.com
mupdate_server: postman
mupdate_username: fecyradmin
mupdate_authname: fecyradmin
mupdate_password: password
mupdate_config: standard
allowusermoves: true
proxy_authname: murder
mail_wi_password: password
mail_wi_mechs: PLAIN+TLS
imap_tls_cert_file: /etc/pki/cyrus-imapd/imap.wi.pem
imap_tls_key_file: /etc/pki/cyrus-imapd/imap.wi.pem
tls_ca_file: /etc/pki/cyrus-imapd/imap.wi.pem
-----------------------------------------------------
I am able to authenticate from imap.wi to mail.wi via imtest with
START_TLS, thusly:
-----------------------------------------------------
# imtest -t "" -m PLAIN -u onlight -a murder mail.wi
S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID
MUPDATE=mupdate://postman/ STARTTLS AUTH=PLAIN SASL-IR] mail.wi Cyrus
IMAP Murder v2.3.12p2-Invoca-RPM-2.3.12p2-1 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID MUPDATE=mupdate://postman/
STARTTLS AUTH=PLAIN SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS
NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY
SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE
CATENATE CONDSTORE SCAN IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
S: C01 OK Completed
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
verify error:num=19:self signed certificate in certificate chain
TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA
(256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID MUPDATE=mupdate://postman/
AUTH=PLAIN SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE
UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT
SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE
CATENATE CONDSTORE SCAN IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
S: C01 OK Completed
Please enter your password:
C: A01 AUTHENTICATE PLAIN b25saWdodABtdXJkZXIARWltOFVpdGg=
S: A01 OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID
MUPDATE=mupdate://postman/ LOGINDISABLED ACL RIGHTS=kxte QUOTA
MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN
MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT
THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE LISTEXT
LIST-SUBSCRIBED X-NETSCAPE URLAUTH] Success (tls protection)
Authenticated.
Security strength factor: 256
. select inbox
* FLAGS (\Answered \Flagged \Draft \Deleted \Seen NonJunk)
* OK [PERMANENTFLAGS (\Answered \Flagged \Draft \Deleted \Seen NonJunk
\*)]
* 20 EXISTS
* 0 RECENT
* OK [UNSEEN 15]
* OK [UIDVALIDITY 1112292825]
* OK [UIDNEXT 90]
* OK [NOMODSEQ] Sorry, modsequences have not been enabled on this mailbox
* OK [URLMECH INTERNAL]
. OK [READ-WRITE] Completed
. logout
* BYE LOGOUT received
. OK Completed
Connection closed.
-----------------------------------------------------
The successful login is recorded thusly in the logs on mail.wi:
-----------------------------------------------------
Sep 30 08:16:23 localhost imap[19059]: accepted connection
Sep 30 08:16:23 localhost master[19759]: about to exec /usr/lib/cyrus-imapd/imapd
Sep 30 08:16:23 localhost imap[19759]: executed
Sep 30 08:16:23 localhost imap[19059]: imapd:Loading hard-coded DH parameters
Sep 30 08:16:23 localhost imap[19059]: SSL_accept() incomplete -> wait
Sep 30 08:16:23 localhost imap[19059]: SSL_accept() succeeded -> done
Sep 30 08:16:23 localhost imap[19059]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
Sep 30 08:16:28 localhost imap[19059]: login: imap.wi [192.168.190.226] onlight PLAIN+TLS User logged in
Sep 30 08:16:36 localhost imap[19059]: skiplist: recovered /var/lib/imap/user/o/onlight.seen (2 records, 15316 bytes) in 0 seconds
Sep 30 08:16:36 localhost imap[19059]: seen_db: user onlight opened /var/lib/imap/user/o/onlight.seen
Sep 30 08:16:36 localhost imap[19059]: open: user onlight opened inbox
Sep 30 08:18:10 localhost master[19037]: process 19059 exited, status 0
-----------------------------------------------------
But, when I try the same, as the actual user, via imap.wi, I am unable
to select the inbox:
-----------------------------------------------------
# imtest -t "" -m PLAIN -u onlight -a onlight imap.wi
S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID
MUPDATE=mupdate://postman/ STARTTLS AUTH=PLAIN SASL-IR] imap.wi Cyrus
IMAP Murder v2.3.12p2-Invoca-RPM-2.3.12p2-1 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID MUPDATE=mupdate://postman/
STARTTLS AUTH=PLAIN SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS
NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY
SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE
CATENATE CONDSTORE SCAN IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
S: C01 OK Completed
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
verify error:num=18:self signed certificate
TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA
(256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID MUPDATE=mupdate://postman/
AUTH=PLAIN SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE
UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT
SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE
CATENATE CONDSTORE SCAN IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
S: C01 OK Completed
Please enter your password:
C: A01 AUTHENTICATE PLAIN b25saWdodABvbmxpZ2h0AG9od2ViNG9G
S: A01 OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID
MUPDATE=mupdate://postman/ LOGINDISABLED ACL RIGHTS=kxte QUOTA
MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN
MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT
THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE LISTEXT
LIST-SUBSCRIBED X-NETSCAPE URLAUTH] Success (tls protection)
Authenticated.
Security strength factor: 256
. select inbox
. NO Server(s) unavailable to complete operation
. logout
* BYE LOGOUT received
. OK Completed
Connection closed.
-----------------------------------------------------
Again, the log output from mail.wi:
-----------------------------------------------------
Sep 30 08:20:34 localhost imap[19052]: accepted connection
Sep 30 08:20:34 localhost master[19762]: about to exec /usr/lib/cyrus-imapd/imapd
Sep 30 08:20:34 localhost imap[19762]: executed
Sep 30 08:20:34 localhost imap[19052]: imapd:Loading hard-coded DH parameters
Sep 30 08:20:34 localhost imap[19052]: SSL_accept() incomplete -> wait
Sep 30 08:20:34 localhost imap[19052]: SSL_accept() succeeded -> done
Sep 30 08:20:34 localhost imap[19052]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
Sep 30 08:21:51 localhost master[19037]: process 19052 exited, status 0
-----------------------------------------------------
And from imap.wi:
-----------------------------------------------------
Sep 30 08:21:57 inside2 imap[17661]: accepted connection
Sep 30 08:21:57 inside2 master[27691]: about to exec /usr/lib/cyrus-imapd/proxyd
Sep 30 08:21:57 inside2 imap[27691]: executed
Sep 30 08:21:58 inside2 imap[17661]: imapd:Loading hard-coded DH parameters
Sep 30 08:21:58 inside2 imap[17661]: SSL_accept() succeeded -> done
Sep 30 08:21:58 inside2 imap[17661]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
Sep 30 08:22:02 inside2 imap[17661]: login: imap.wi [192.168.190.226] onlight PLAIN+TLS User logged in
Sep 30 08:22:06 inside2 imap[17661]: Doing a peer verify
Sep 30 08:22:06 inside2 imap[17661]: verify error:num=19:self signed certificate in certificate chain
Sep 30 08:22:06 inside2 imap[17661]: received server certificate
Sep 30 08:22:06 inside2 imap[17661]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new client) no authentication
Sep 30 08:22:06 inside2 imap[17661]: couldn't authenticate to backend server: no mechanism available
Sep 30 08:24:09 inside2 master[17627]: process 17661 exited, status 0
-----------------------------------------------------
I have seen much discussion of the "no mechanism available" issue, but
the answer typically is "install certificates," or "Use START_TLS" or
the like. Well, I have certificates, I have START_TLS, and I still have
this problem. How do I get the frontend to use PLAIN+TLS??
Please, any guidance would be appreciated. I have already sunk way too
much time into this and don't even have a working testbed to show for
it. I have spent two days poring over the archives and cannot find a
parallel situation to mine.
Best regards, and thanks in advance,
-nic
--
Nic Bernstein nic at onlight.com
Onlight llc. www.onlight.com
2266 North Prospect Avenue #610 v. 414.272.4477
Milwaukee, Wisconsin 53202-6306 f. 414.290.0335
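An added example, not from the post or from the Cyrus project: a small checker for the per-backend proxy settings a murder frontend uses (the `proxy_authname` / `mail_wi_password` / `mail_wi_mechs` keys shown above, where the backend hostname's dots become underscores), plus a redaction helper for imtest transcripts. It assumes that "PLAIN+TLS" is only Cyrus's log notation for PLAIN over a TLS session and not a SASL mechanism name, and that `proxy_password` is a valid fallback key; the sample config is constructed, modelled on the frontend file in the post.

```python
import base64
import re

# Constructed sample modelled on the frontend imapd.conf in the post (not the
# poster's file): backend "mail.wi" is configured under the "mail_wi_" prefix.
FRONTEND_CONF = """\
proxy_authname: murder
mail_wi_password: example-password
mail_wi_mechs: PLAIN+TLS
"""

# Registered SASL mechanism names (subset). Assumption: "PLAIN+TLS" is the
# notation Cyrus prints in "login: ... PLAIN+TLS" log lines, not a mechanism,
# so it cannot match anything when listed in <backend>_mechs.
SASL_MECHS = {"PLAIN", "LOGIN", "CRAM-MD5", "DIGEST-MD5", "GSSAPI", "EXTERNAL"}

def parse_imapd_conf(text):
    """Parse Cyrus 'key: value' lines; blank lines and '#' comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
    return conf

def backend_key(hostname, suffix):
    """Per-backend option name: dots in the hostname become underscores."""
    return hostname.replace(".", "_") + "_" + suffix

def check_frontend(conf, backend):
    """Return findings about how this frontend would authenticate to backend."""
    findings = []
    if "proxy_authname" not in conf:
        findings.append("proxy_authname is unset: no identity to present to " + backend)
    if backend_key(backend, "password") not in conf and "proxy_password" not in conf:
        findings.append("no %s or proxy_password: nothing to prove that identity with"
                        % backend_key(backend, "password"))
    mechs_key = backend_key(backend, "mechs")
    for mech in conf.get(mechs_key, "").split():
        if mech.upper() not in SASL_MECHS:
            findings.append("%s: '%s' is not a SASL mechanism name (use e.g. PLAIN)"
                            % (mechs_key, mech))
    return findings

def redact_plain_auth(transcript):
    """Blank SASL PLAIN initial responses in an imtest transcript before sharing
    it: the base64 only encodes authzid\\0authcid\\0password, it is not encryption."""
    return re.sub(r"(AUTHENTICATE PLAIN )\S+", r"\1[REDACTED]", transcript)

if __name__ == "__main__":
    for finding in check_frontend(parse_imapd_conf(FRONTEND_CONF), "mail.wi"):
        print(finding)
    line = "C: A01 AUTHENTICATE PLAIN " + base64.b64encode(b"u\0u\0pw").decode()
    print(redact_plain_auth(line))
```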