'PLAIN encryption needed to use mechanism' error

Blake Hudson blake at ispn.net
Wed Jul 29 04:30:40 EDT 2009


-------- Original Message  --------
Subject: Re: 'PLAIN encryption needed to use mechanism' error
From: Dan White <dwhite at olp.net>
To: Blake Hudson <blake at ispn.net>
Cc: info-cyrus at lists.andrew.cmu.edu
Date: Wednesday, July 29, 2009 3:20:08 AM
> Blake Hudson wrote:
>> -------- Original Message  --------
>> Subject: Re: 'PLAIN encryption needed to use mechanism' error
>> From: Dan White <dwhite at olp.net> <mailto:dwhite at olp.net>
>> To: Blake Hudson <blake at ispn.net> <mailto:blake at ispn.net>
>> Cc: info-cyrus at lists.andrew.cmu.edu 
>> <mailto:info-cyrus at lists.andrew.cmu.edu>
>> Date: Wednesday, July 29, 2009 2:49:51 AM
>>
>
>>
>> I see your cyrus server is outputting the full mech list via 110... 
>> wonder why mine isn't?
>>
>> ------------YOURS-----
>> +OK <1114961040.1248853981 at neo> neo Cyrus POP3 Murder 
>> v2.3.12-Debian-2.3.12-1-5
>> server ready
>> auth
>> +OK List of supported mechanisms follows
>> CRAM-MD5
>> PLAIN
>> GSSAPI
>> OTP
>> DIGEST-MD5
>> LOGIN
>
> All of these are explicitly set in my sasl_mech_list.
>
> GSSAPI and OTP require SASL library configuration. The others, 
> including PLAIN/LOGIN should not.
>> .
>> ------------MINE-----
>> +OK twinP Cyrus POP3 v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready 
>> <163906105530322
>> 97444.1248854211 at twinP>
>> auth
>> +OK List of supported mechanisms follows
>> DIGEST-MD5
>> CRAM-MD5
>> .
>
> Do you have either of the following specified?
> sasl_minimum_layer: X
> sasl_maximum_layer: X
I tried specifying the minimum to 0, but it did not make a difference.
>
> Have you specified a '-p xxx' within cyrus.conf for imap but not pop3?
No -p option anywhere.
>
> Are you using TLS/SSL when connecting via IMAP but not POP3? Sounds 
> like you're telnetting, so that's probably not the case.
Just telnet. Here's the output of the pop3test util:

------------ NO SSL ------------
[root at twinp src]# pop3test -m PLAIN -a xxx mail.xxx.com
S: +OK twinP Cyrus POP3 v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready 
<12408582082392233762.1248855924 at twinP>
C: CAPA
S: +OK List of capabilities follows
S: SASL DIGEST-MD5 CRAM-MD5
S: STLS
S: EXPIRE NEVER
S: LOGIN-DELAY 0
S: TOP
S: UIDL
S: PIPELINING
S: RESP-CODES
S: AUTH-RESP-CODE
S: USER
S: IMPLEMENTATION Cyrus POP3 server v2.3.7-Invoca-RPM-2.3.7-2.el5
S: .
Please enter your password:
C: AUTH PLAIN xxxuc3Rlc3QAdGVzdDEyMw==
S: -ERR [AUTH] authenticating: encryption needed to use mechanism
Authentication failed. generic failure
Security strength factor: 0
quit
+OK
Connection closed.
------------ SSL ------------
[root at twinp src]# pop3test -s -m PLAIN -a xxxmail.xxx.com
verify error:num=18:self signed certificate
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
S: +OK twinP Cyrus POP3 v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready 
<832124781731685216.1248855943 at twinP>
C: CAPA
S: +OK List of capabilities follows
S: SASL DIGEST-MD5 LOGIN PLAIN CRAM-MD5
S: EXPIRE NEVER
S: LOGIN-DELAY 0
S: TOP
S: UIDL
S: PIPELINING
S: RESP-CODES
S: AUTH-RESP-CODE
S: USER
S: IMPLEMENTATION Cyrus POP3 server v2.3.7-Invoca-RPM-2.3.7-2.el5
S: .
Please enter your password:
C: AUTH PLAIN xxxuc3Rlc3QAdGVzdDEyMw==
S: +OK Mailbox locked and ready
Authenticated.
Security strength factor: 256
quit
+OK
Connection closed.
-------------------------


It sure seems like pop is picking up on different sasl security settings 
(such as the sasl_minimum_layer or the noplaintextwithouttls option). 
However, IMAP seems to obey these just fine as configured with the same 
config file.

>
> Setting "sasl_log_level: 7" in imapd.conf might provide more 
> information in your syslog.
I'll try that, but it will have to wait till later. I'm also thinking of 
trying a newer version, though nothing about this is listed in the 
changelog.
>
>>>>>        
>>>>>> Looks like the POP side is not advertising LOGIN/PLAIN auth types 
>>>>>> while
>>>>>> the imap side is. Is this the intended behavior?
>>>>>>
>>>>>> In my imapd.conf I have the following mech list defined:
>>>>>> sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
>>>>>>
>>>>>> ---------------------- POP3----------------------
>>>>>> +OK twinP Cyrus POP3 v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready
>>>>>> <173180331313918
>>>>>> 17429.1248845988 at twinP>
>>>>>> auth
>>>>>> +OK List of supported mechanisms follows
>>>>>> DIGEST-MD5
>>>>>> CRAM-MD5
>>>>>> ..
>>>>>> --------------------------------------------
>>>>>> ----------------------IMAP----------------------
>>>>>>
>>>>>> * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS 
>>>>>> AUTH=DIGEST-MD5
>>>>>> AUTH=LOGIN
>>>>>> AUTH=PLAIN AUTH=CRAM-MD5 SASL-IR] twinP Cyrus IMAP4
>>>>>> v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready
>>>>>>
>>>>>> --------------------------------------------
>>>>>>
>>>>>> I suppose this is likely a bad client that is not refreshing its 
>>>>>> mech
>>>>>> list after the server switch, but I'd still like to know how to 
>>>>>> resolve
>>>>>> the issue server side (if possible).
>>>>>>
>>>>>> -Blake
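
The two pop3test runs in the message above show the server listing PLAIN and LOGIN only once TLS is established. As an added example (not part of the original message and not Cyrus code), the following Python parses such CAPA exchanges and reports which SASL mechanisms are gated behind TLS; the function names are hypothetical and the sample transcripts are abbreviated from the thread.

```python
# Added example: which SASL mechanisms does a POP3 server gate behind TLS?
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # password crosses the wire unhashed

# Sample input: abbreviated from the two pop3test transcripts in this thread.
NO_TLS = """\
C: CAPA
S: +OK List of capabilities follows
S: SASL DIGEST-MD5 CRAM-MD5
S: STLS
S: .
"""
WITH_TLS = """\
C: CAPA
S: +OK List of capabilities follows
S: SASL DIGEST-MD5 LOGIN PLAIN CRAM-MD5
S: .
"""

def parse_capa(transcript):
    """Return {capability: [arguments]} from a pop3test-style CAPA exchange."""
    caps, state = {}, "idle"
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.upper() == "C: CAPA":
            state = "sent"
        elif not line.startswith("S: "):
            continue  # prompts, client lines, wrapped banner text
        elif state == "sent":
            if not line[3:].startswith("+OK"):
                raise ValueError("CAPA rejected: " + line[3:])
            state = "list"
        elif state == "list":
            if line[3:].strip() == ".":
                break  # a lone dot terminates the multi-line response
            name, *args = line[3:].split()
            caps[name.upper()] = args
    return caps

def compare_sasl(clear_caps, tls_caps):
    """Report how the advertised mechanism list changes once TLS is active."""
    clear = {m.upper() for m in clear_caps.get("SASL", [])}
    tls = {m.upper() for m in tls_caps.get("SASL", [])}
    return {
        "only_with_tls": sorted(tls - clear),
        "plaintext_in_clear": sorted(clear & PLAINTEXT_MECHS),
        "starttls_offered": "STLS" in clear_caps,
    }

if __name__ == "__main__":
    print(compare_sasl(parse_capa(NO_TLS), parse_capa(WITH_TLS)))
```

A non-empty `plaintext_in_clear` list would mean the server accepts PLAIN or LOGIN on an unencrypted connection.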


