Cyrus Imap plaintext authentication with saslauth & PAM

Kővári János bsh at freemail.hu
Fri Apr 24 05:29:29 EDT 2009



Simon Matter wrote:
>>>> I have a postfix relay server and a (local) cyrus imap server on the
>>>> same machine. Everything was fine until I thought, I change the imap
>>>> authentication from sasldb to saslauth, to have global authentication
>>>> on postfix and cyrus.
>>>> Postfix uses saslauthd, which is configured for PAM. It works
>>>> perfectly, with plain/login/cram/digest mechanisms, with or without
>>>> tls/ssl, absolutely no problems with it. Saslauth tests are all fine
>>>> obviously.
>>>> So I decided to use this with cyrus imap too. Set it to use the same
>>>> saslauth daemon, and plain, login, cram-md5 and digest-md5 mechs.
>>>> Since then, I can not login with plain or login mechs, because they
>>>> aren't being offered at all by cyrus imapd. I can login with cram or
>>>> digest fine.
>>>> I understand that plain login isn't offered by default, only after a
>>>> successful tls session setup, but if I understand correctly, the
>>>> "allowplaintext: yes" option should still force imapd to offer plain
>>>> logins. But it doesn't. I tried it with different sasl_min|max_levels,
>>>> to no avail.
>>>>
>>> "allowplaintext: 1" should indeed enable plain. At least that works well
>>> for me. I expect you are using the packages from a distribution, maybe
>>> they have added some kind of "security" patches to make things more
>>> safe?
>>> Could you try with the following line in your cyrus config:
>>>
>>> sasl_mech_list: PLAIN
>>>
>>> Regards,
>>> Simon
>>>
>>>
>>>       
>> yes, the server is running ubuntu 7.04 i386, 2.6.20-17-generic, and
>> postfix and cyrus are installed via the ubuntu repositories.
>>     
>
> Can you check which cyrus-sasl-* packages you have installed? Most
> distributions split cyrus-sasl into multiple packages and maybe you have
> not installed the -plain package?
>
> Simon
>
>   

I have these installed:
cyrus-admin-2.2 (2.2.13-10ubuntu2), cyrus-clients-2.2 
(2.2.13-10ubuntu2), cyrus-common-2.2 (2.2.13-10ubuntu2), cyrus-imapd-2.2 
(2.2.13-10ubuntu2), cyrus-murder-2.2 (2.2.13-10ubuntu2), 
libauthen-sasl-cyrus-perl (0.13-server-1), libauthen-sasl-perl (2.10-1), 
libcyrus-imap-perl22 (2.2.13-10ubuntu2), libsasl2-2 
(2.1.22.dsfg1-8ubuntu2), libsasl2-modules (2.1.22.dfsg1-8ubuntu2), 
sasl2-bin (2.1.22.dfsg1-8ubuntu2)

And these AREN'T installed:
libsasl2-modules-gssapi-heimdal, libsasl2-modules-gssapi-mit, 
libsasl2-modules-ldap, libsasl2-modules-otp, libsasl2-modules-sql.

Can't seem to find separate -plain packages or anything similar.

Postfix shows this, when in smtpd.conf the mech_list is set to PLAIN only:

Apr 24 11:13:56 localhost postfix/smtpd[8026]: connect from client4[192.168.2.126]
Apr 24 11:13:56 localhost postfix/smtpd[8026]: 4C4319CDF8: client=client4[192.168.2.126], sasl_method=PLAIN, sasl_username=user at piller-server

when it's set to LOGIN only:

Apr 24 11:16:42 localhost postfix/smtpd[8178]: connect from client4[192.168.2.126]
Apr 24 11:16:42 localhost postfix/smtpd[8178]: 839B69CDF8: client=client4[192.168.2.126], sasl_method=LOGIN, sasl_username=user at piller-server

with CRAM-MD5 only:

Apr 24 11:18:24 localhost postfix/smtpd[8299]: connect from client4[192.168.2.126]
Apr 24 11:18:24 localhost postfix/smtpd[8299]: 8164B9CDF8: client=client4[192.168.2.126], sasl_method=CRAM-MD5, sasl_username=user at piller-server


Janos
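
A way to check what the thread is diagnosing (which SASL mechanisms imapd advertises before and after STARTTLS), as an added example that is not part of the original message. It parses IMAP CAPABILITY lines; the sample responses are constructed and the function names are hypothetical.

```python
import re

# Mechanisms that send the password itself and therefore depend on TLS.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_capability(line):
    """Parse an untagged '* CAPABILITY ...' response or a greeting that
    carries a '[CAPABILITY ...]' response code."""
    m = re.search(r"\bCAPABILITY\b([^\]\r\n]*)", line, re.IGNORECASE)
    if not m:
        raise ValueError("no CAPABILITY data in line")
    atoms = [a.upper() for a in m.group(1).split()]
    return {
        "mechs": {a[5:] for a in atoms if a.startswith("AUTH=")},
        "starttls": "STARTTLS" in atoms,
        # LOGINDISABLED governs the IMAP LOGIN command, not AUTH=LOGIN.
        "logindisabled": "LOGINDISABLED" in atoms,
    }

def classify(before_tls, after_tls=None):
    """Classify how PLAIN/LOGIN are exposed, given the CAPABILITY line seen
    on the cleartext connection and, optionally, the one seen after STARTTLS."""
    pre = parse_capability(before_tls)
    if pre["mechs"] & PLAINTEXT_MECHS:
        return "plaintext-in-clear"
    if after_tls is not None:
        post = parse_capability(after_tls)
        if post["mechs"] & PLAINTEXT_MECHS:
            return "plaintext-only-after-tls"
    return "plaintext-not-offered"

# Constructed sample responses (not captured from the poster's server).
SYMPTOM = ("* OK [CAPABILITY IMAP4 IMAP4rev1 STARTTLS LOGINDISABLED "
           "AUTH=CRAM-MD5 AUTH=DIGEST-MD5] server ready")
AFTER_TLS = "* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5"
ALLOWED = "* CAPABILITY IMAP4 IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=CRAM-MD5"

if __name__ == "__main__":
    print(classify(SYMPTOM))             # the state described in the thread
    print(classify(SYMPTOM, AFTER_TLS))  # the default behaviour described
    print(classify(ALLOWED))             # what "allowplaintext" is expected to give
```

If the result is still "plaintext-not-offered" after STARTTLS as well, the mechanism list or the installed SASL plugins are the place to look rather than the plaintext setting.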

