'PLAIN encryption needed to use mechanism' error

Blake Hudson blake at ispn.net
Wed Jul 29 03:58:32 EDT 2009


-------- Original Message  --------
Subject: Re: 'PLAIN encryption needed to use mechanism' error
From: Dan White <dwhite at olp.net>
To: Blake Hudson <blake at ispn.net>
Cc: info-cyrus at lists.andrew.cmu.edu
Date: Wednesday, July 29, 2009 2:49:51 AM
> Blake,
>
> What sasl lines do you have in /etc/imapd.conf. Do you have any 
> proxies installed?
my mech list was posted... see below I also have "sasl_pwcheck_method: 
auxprop", everything else sasl has to do with my sql config. no proxies 
are present.
>
> "pop3PRTC" in your syslog looks suspicious...:
that's just the name I gave it...
>
> Usually, pop3 and imap will offer the same mechanisms based on this 
> config item:
>
> sasl_mech_list: x x x
as posted initially I have the following mech list line in imapd.conf:

sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

imap advertises the full list as specified (see original message)
>
> if this line is commented out, then sasl should attempt to initialize 
> all available mechs.
>
> Be on the lookout for customization like this (which overrides the 
> sasl_mech_list config item):
>
> pop3_mech_list: x x x
> imap_mech_list: x x x
>
good idea, though I don't have these specified.


I see your cyrus server is outputting the full mech list via 110... 
wonder why mine isn't?

------------YOURS-----
+OK <1114961040.1248853981 at neo> neo Cyrus POP3 Murder 
v2.3.12-Debian-2.3.12-1-5
server ready
auth
+OK List of supported mechanisms follows
CRAM-MD5
PLAIN
GSSAPI
OTP
DIGEST-MD5
LOGIN
.
------------MINE-----
+OK twinP Cyrus POP3 v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready 
<163906105530322
97444.1248854211 at twinP>
auth
+OK List of supported mechanisms follows
DIGEST-MD5
CRAM-MD5
.


> - Dan
>
> Blake Hudson wrote:
>> Thanks for the reply Scott. I can auth as you described using the 
>> User/Pass method (allowplaintext: is already set to 1 and I've also 
>> tried sasl_minimum_layer: 0 at the same time).
>>
>> My concern is that over port 110 the server is only advertising CRAM-MD5 
>> and DIGEST-MD5. POP3s appears to be advertising PLAIN. Why isn't PLAIN 
>> advertised over both?
>>
>> --Blake
>>
>> -------- Original Message  --------
>> Subject: Re: 'PLAIN encryption needed to use mechanism' error
>> From: Scott M. Likens <damm at yazzy.org>
>> To: Blake Hudson <blake at ispn.net>
>> Cc: info-cyrus at lists.andrew.cmu.edu
>> Date: Wednesday, July 29, 2009 1:30:46 AM
>>   
>>> Hi Blake,
>>>
>>> Actually pop3 by default should be using plain, like
>>>
>>> damm at desolation> telnet localhost 
>>> pop3                                                                                                                                    
>>> ~
>>> Trying 127.0.0.1...
>>> Connected to localhost.
>>> Escape character is '^]'.
>>> +OK desolation Cyrus POP3 v2.3.14 server ready 
>>> <8505169291665378509.1248848742 at desolation>
>>> user root
>>> +OK Name is a valid mailbox
>>> pass toor
>>> +OK Mailbox locked and ready
>>>
>>> However, if you man imapd.conf you will notice there is such an option 
>>> as,
>>>
>>> allowplaintext: 0
>>>
>>> You may need to change that to 1, in order for plaintext ala pop3 to 
>>> work.
>>>
>>> Scott
>>>
>>> On Jul 28, 2009, at 10:44 PM, Blake Hudson wrote:
>>>
>>>     
>>>> -------- Original Message  --------
>>>> Subject: 'PLAIN encryption needed to use mechanism' error
>>>> From: Blake Hudson <blake at ispn.net>
>>>> To: info-cyrus at lists.andrew.cmu.edu
>>>> Date: Wednesday, July 29, 2009 12:13:52 AM
>>>>       
>>>>> I recently setup a new server and everything tested well. However, once
>>>>> in production I am seeing errors like the following:
>>>>>
>>>>> pop3PRTC[20896]: badlogin: [204.x.x.x] PLAIN encryption needed to use
>>>>> mechanism
>>>>>
>>>>>
>>>>> I wasn't aware that POP utilized other mechanisms? I can login just 
>>>>> fine
>>>>> with telnet and tbird, and cannot replicate this error myself. Any 
>>>>> ideas?
>>>>>
>>>>> --Blake
>>>>>
>>>>>         
>>>> Looks like the POP side is not advertising LOGIN/PLAIN auth types while
>>>> the imap side is. Is this the intended behavior?
>>>>
>>>> In my imapd.conf i have the following mech list defined:
>>>> sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
>>>>
>>>> ---------------------- POP3----------------------
>>>> +OK twinP Cyrus POP3 v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready
>>>> <173180331313918
>>>> 17429.1248845988 at twinP>
>>>> auth
>>>> +OK List of supported mechanisms follows
>>>> DIGEST-MD5
>>>> CRAM-MD5
>>>> ..
>>>> --------------------------------------------
>>>> ----------------------IMAP----------------------
>>>>
>>>> * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=DIGEST-MD5
>>>> AUTH=LOGIN
>>>> AUTH=PLAIN AUTH=CRAM-MD5 SASL-IR] twinP Cyrus IMAP4
>>>> v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready
>>>>
>>>> --------------------------------------------
>>>>
>>>> I suppose this is likely a bad client that is not refreshing its mech
>>>> list after the server switch, but I'd still like to know how to resolve
>>>> the issue server side (if possible).
>>>>
>>>> -Blake
>>>> ----
>>>> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
>>>> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
>>>> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>>>>
>>>>
>>>> !DSPAM:4a6fe485262521931426455!
>>>>
>>>>
>>>>       
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.andrew.cmu.edu/pipermail/info-cyrus/attachments/20090729/c87c87ae/attachment-0001.html 


More information about the Info-cyrus mailing list