Cyrus Imap plaintext authentication with saslauth & PAM
dwhite at olp.net
Thu Apr 23 15:21:08 EDT 2009
Kővári János wrote:
> I have a postfix relay server and a (local) cyrus imap server on the
> same machine. Everything was fine until I thought, I change the imap
> authentication from sasldb to saslauth, to have global authentication
> on postfix and cyrus.
> Postfix uses saslauthd, which is configured for PAM. It works
> perfectly, with plain/login/cram/digest mechanisms, with or without
> tls/ssl, absolutely no problems with it. Saslauth tests are all fine
> So I decided to use this with cyrus imap too. Set it to use the same
> saslauth daemon, and plain, login, cram-md5 and digest-md5 mechs.
> Since then, I can not login with plain or login mechs, because they
> aren't being offered at all by cyrus imapd. I can login with cram or
> digest fine.
> I understand that plain login isn't offered by default, only after a
> successfull tls session setup, but if I understand correctly, the
> "allowplaintext: yes" option should still force imapd to offer plain
> logins. But it doesn't. I tried it with different sasl_min|max_levels,
> to no avail.
> This is the first thing I don't understand.
> The second is: after establishing a tls or ssl connection, plain and
> login are offered, but I can not login with these mechs.
> (I'm using imtest to test it all.)
> However, with "testsaslauth", I am able to authenticate fine.
> I'm quite new to cyrus and linux systems, but I read all kinds of
> manuals and FAQs nd documentation, and googled a lot, but I was unable
> to find the culprit. So you are my last hope.
> If nothing else works, I leave it as is, with digest and cram it works
> and it's more secure. Or I go back to sasldb, which is less
> comfortable for me...
Please include the following information, so we can get a better idea of
Postfix and Cyrus IMAP version
Postfix SASL config:
grep sasl main.cf
cat /etc/postfix/sasl/smtpd.conf (or wherever smtpd.conf it located on
Your cyrus imap.conf config
saslauthd does not support cram-md5 or digest-md5, so you may be (also)
using the sasldb auxprop in Postfix.
More information about the Info-cyrus