Cyrus Imap plaintext authentication with saslauth & PAM

Simon Matter simon.matter at invoca.ch
Fri Apr 24 04:28:52 EDT 2009


>>> I have a postfix relay server and a (local) cyrus imap server on the
>>> same machine. Everything was fine until I thought, I change the imap
>>> authentication from sasldb to saslauth, to have global authentication
>>> on postfix and cyrus.<br>
>>> Postfix uses saslauthd, which is configured for PAM. It works
>>> perfectly, with plain/login/cram/digest mechanisms, with or without
>>> tls/ssl, absolutely no problems with it. Saslauth tests are all fine
>>> obviously.<br>
>>> So I decided to use this with cyrus imap too. Set it to use the same
>>> saslauth daemon, and plain, login, cram-md5 and digest-md5 mechs.<br>
>>> Since then, I can not login with plain or login mechs, because they
>>> aren't being offered at all by cyrus imapd. I can login with cram or
>>> digest fine.<br>
>>> I understand that plain login isn't offered by default, only after a
>>> successfull tls session setup, but if I understand correctly, the
>>> "allowplaintext: yes" option should still force imapd to offer plain
>>> logins. But it doesn't. I tried it with different sasl_min|max_levels,
>>> to no avail.<br>
>>>
>>
>> "allowplaintext: 1" should indeed enable plain. At least that works well
>> for me. I expect you are using the packages from a distribution, maybe
>> they have added some kind of "security" patches to make things more
>> safe?
>> Could you try with the following line in your cyrus config:
>>
>> sasl_mech_list: PLAIN
>>
>> Regards,
>> Simon
>>
>>
> yes, the server is running ubuntu 7.04 i386, 2.6.20-17-generic, and
> postfix and cyrus are installed via the ubuntu repositiories.

Can you check which cyrus-sasl-* packages you have installed? Most
distributions split cyrus­-sasl into multiple packages and maybe you have
not installed the -plain package?

Simon



More information about the Info-cyrus mailing list