Problems with frontend to backend authentication in murder 2.3.12

Nic Bernstein nic at onlight.com
Tue Sep 30 15:36:09 EDT 2008


Wesley Craig wrote:
> On 30 Sep 2008, at 09:31, Nic Bernstein wrote:
>> I have seen much discussion of the "no mechanism available" issue, but
>> the answer typically is "install certificates," or "Use START_TLS" or
>> the like.  Well, I have certificates, I have START_TLS, and I still have
>> this problem.  How do I get the frontend to use PLAIN+TLS??
>
> PLAIN+TLS is not a mechanism.  In the released code, if you want 
> PLAIN+TLS, you need to configure the server to not allow plain text.  
> You also need to not configure the frontend with a mechanism at all.  
> Personally, I think this is a bug.  See:
>
>     https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=3093
>
> for a fix.  Good luck.
>
> :wes
Thanks for your answer, but I am not sure I understand all of what you 
say. 

The PLAIN+TLS not being a mechanism I get, I was just trying anything.

Given your suggestions, I have tried the following:

On the backend server, "mail.wi":
    removed "sasl_mech_list" entirely
    added "allowplaintext: false" (in Invoca rpm default setting is "true")

On the frontend server, "imap.wi":
    removed "mail_wi_mechs" entirely

Otherwise both servers are configured as previously stated in this thread.

When I test again using imtest I get exactly the same error:
-----------------------------------------------------------
# imtest -t "" -m PLAIN -u onlight -a onlight imap.wi
S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID 
MUPDATE=mupdate://postman/ STARTTLS AUTH=PLAIN SASL-IR] imap.wi Cyrus 
IMAP Murder v2.3.12p2-Invoca-RPM-2.3.12p2-1 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID MUPDATE=mupdate://postman/ 
STARTTLS AUTH=PLAIN SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS 
NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY 
SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE 
CATENATE CONDSTORE SCAN IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
S: C01 OK Completed
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
verify error:num=18:self signed certificate
TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA 
(256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID MUPDATE=mupdate://postman/ 
AUTH=PLAIN SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE 
UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT 
SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE 
CATENATE CONDSTORE SCAN IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
S: C01 OK Completed
Please enter your password:
C: A01 AUTHENTICATE PLAIN b25saWdodABvbmxpZ2h0AG9od2ViNG9G
S: A01 OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID 
MUPDATE=mupdate://postman/ LOGINDISABLED ACL RIGHTS=kxte QUOTA 
MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN 
MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT 
THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE LISTEXT 
LIST-SUBSCRIBED X-NETSCAPE URLAUTH] Success (tls protection)
Authenticated.
Security strength factor: 256
. select inbox
. NO Server(s) unavailable to complete operation
. logout
* BYE LOGOUT received
. OK Completed
Connection closed.
-----------------------------------------------------------

As before the frontend log shows:

-----------------------------------------------------------
Sep 30 14:24:32 inside2 imap[7197]: Doing a peer verify
Sep 30 14:24:32 inside2 imap[7197]: verify error:num=19:self signed 
certificate in certificate chain
Sep 30 14:24:32 inside2 imap[7197]: received server certificate
Sep 30 14:24:32 inside2 imap[7197]: starttls: TLSv1 with cipher 
DHE-RSA-AES256-SHA (256/256 bits new client) no authentication
Sep 30 14:24:32 inside2 imap[7197]: couldn't authenticate to backend 
server: no mechanism available
-----------------------------------------------------------

For the record, I tried this both with and without "allowplaintext: 
false" in the frontend imapd.conf and get the same results (also tried 
with and without "-m PLAIN" in imtest command).

For completeness, I retried my imtest to the backend server with these 
results:

-----------------------------------------------------------
# imtest -t "" -m PLAIN -u onlight -a murder mail.wi
S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID 
MUPDATE=mupdate://postman/ STARTTLS LOGINDISABLED] mail.wi Cyrus IMAP 
Murder v2.3.12p2-Invoca-RPM-2.3.12p2-1 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID MUPDATE=mupdate://postman/ 
STARTTLS LOGINDISABLED ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE 
UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT 
SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE 
CATENATE CONDSTORE SCAN IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
S: C01 OK Completed
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
verify error:num=19:self signed certificate in certificate chain
TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA 
(256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID MUPDATE=mupdate://postman/ 
AUTH=LOGIN AUTH=PLAIN SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS 
NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY 
SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE 
CATENATE CONDSTORE SCAN IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
S: C01 OK Completed
Please enter your password:
C: A01 AUTHENTICATE PLAIN b25saWdodABtdXJkZXIARWltOFVpdGg=
S: A01 OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID 
MUPDATE=mupdate://postman/ LOGINDISABLED ACL RIGHTS=kxte QUOTA 
MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN 
MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT 
THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE LISTEXT 
LIST-SUBSCRIBED X-NETSCAPE URLAUTH] Success (tls protection)
Authenticated.
Security strength factor: 256
. select inbox
* FLAGS (\Answered \Flagged \Draft \Deleted \Seen NonJunk)
* OK [PERMANENTFLAGS (\Answered \Flagged \Draft \Deleted \Seen NonJunk 
\*)] 
* 20 EXISTS
* 0 RECENT
* OK [UNSEEN 15] 
* OK [UIDVALIDITY 1112292825] 
* OK [UIDNEXT 90] 
* OK [NOMODSEQ] Sorry, modsequences have not been enabled on this mailbox
* OK [URLMECH INTERNAL]
. OK [READ-WRITE] Completed
. logout
* BYE LOGOUT received
. OK Completed
Connection closed.
-----------------------------------------------------------

So please forgive me if I am missing something, but I don't seem to be 
any closer.

Any help??
    -nic

-- 
Nic Bernstein                             nic at onlight.com
Onlight llc.                              www.onlight.com
2266 North Prospect Avenue #610           v. 414.272.4477
Milwaukee, Wisconsin  53202-6306          f. 414.290.0335
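The two imtest sessions above show the pattern behind the "no mechanism available" error: the backend advertises no AUTH= mechanism at all before STARTTLS (only LOGINDISABLED), and offers AUTH=LOGIN AUTH=PLAIN only once TLS is up, so a client that settles on a mechanism from the pre-TLS capability list, or whose configured mechanism list names something the server never offers, has nothing left to use. The following is an added illustration written for this archive page, not Cyrus IMAP code and not the proxy logic the bug report fixes; it parses an imtest-style transcript (a constructed, abbreviated copy of the backend session above) into pre- and post-STARTTLS capability sets and models the client-side selection with hypothetical parameters `wanted`, `tls_active` and `allow_plaintext`.

```python
"""Added illustration of the capability / SASL mechanism negotiation visible in
the imtest transcripts above. Simplified model written for this post, not
Cyrus IMAP's proxy code; the transcript is constructed from the backend
session in the thread, abbreviated."""

# Constructed sample: abbreviated backend (mail.wi) session, with the wrapped
# CAPABILITY lines kept wrapped the way the list archive shows them.
TRANSCRIPT = """\
S: * OK [CAPABILITY IMAP4 IMAP4rev1 STARTTLS LOGINDISABLED] mail.wi server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID MUPDATE=mupdate://postman/
STARTTLS LOGINDISABLED ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE
S: C01 OK Completed
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID MUPDATE=mupdate://postman/
AUTH=LOGIN AUTH=PLAIN SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS
S: C01 OK Completed
"""

# SASL mechanisms that transmit the password in the clear; a client with
# plaintext disallowed must refuse them until TLS is up.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def capability_sets(transcript):
    """Return (pre_tls, post_tls) capability token sets from an imtest-style log.

    Continuation lines (no 'S: ' / 'C: ' prefix) that follow a CAPABILITY
    response are folded back into it; the STARTTLS command marks the boundary.
    """
    folded = []
    for line in transcript.splitlines():
        if folded and folded[-1].startswith("S: * CAPABILITY") \
                and not line.startswith(("S: ", "C: ")):
            folded[-1] += " " + line
        else:
            folded.append(line)

    pre, post, tls = set(), set(), False
    for line in folded:
        parts = line.split()
        if line.startswith("C: ") and len(parts) >= 3 and parts[2] == "STARTTLS":
            tls = True
        elif line.startswith("S: * CAPABILITY"):
            caps = set(parts[3:])  # drop 'S:', '*', 'CAPABILITY'
            if tls:
                post = caps
            else:
                pre = caps
    return pre, post


def auth_mechs(caps):
    """Mechanisms advertised as AUTH=<name> in a capability token set."""
    return {tok[len("AUTH="):] for tok in caps if tok.startswith("AUTH=")}


def choose_mechanism(caps, wanted=None, tls_active=False, allow_plaintext=True):
    """Pick a mechanism the way a SASL client would, or return None.

    None corresponds to the 'no mechanism available' failure in the thread:
    nothing the server offers survives the client's own constraints.
      wanted          -- explicit mechanism list configured on the client
                         (hypothetical stand-in for a <backend>_mechs setting),
                         or None for 'any'
      tls_active      -- whether STARTTLS has completed
      allow_plaintext -- whether plaintext mechanisms may be used without TLS
    """
    candidates = auth_mechs(caps)
    if wanted is not None:
        candidates &= set(wanted)
    if not tls_active and not allow_plaintext:
        candidates -= PLAINTEXT_MECHS
    # Prefer non-plaintext mechanisms, then PLAIN over the non-standard LOGIN.
    ranked = sorted(candidates, key=lambda m: (m in PLAINTEXT_MECHS, m != "PLAIN", m))
    return ranked[0] if ranked else None


if __name__ == "__main__":
    pre, post = capability_sets(TRANSCRIPT)
    print("before STARTTLS:", sorted(auth_mechs(pre)) or "no AUTH= mechanisms")
    print("after  STARTTLS:", sorted(auth_mechs(post)))
    print("client configured for DIGEST-MD5, after TLS:",
          choose_mechanism(post, wanted=["DIGEST-MD5"], tls_active=True))
    print("client with no mechanism list, after TLS:  ",
          choose_mechanism(post, tls_active=True))
```

Running it against the constructed transcript shows the empty pre-TLS mechanism set, the LOGIN/PLAIN set after STARTTLS, and that a configured mechanism list which the backend does not offer yields None regardless of TLS; the model also shows why a client that disallows plaintext must evaluate the post-TLS capability list rather than the one it saw before STARTTLS.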