'PLAIN encryption needed to use mechanism' error
Dan White
dwhite at olp.net
Wed Jul 29 04:40:27 EDT 2009
Blake Hudson wrote:
> -------- Original Message --------
> Subject: Re: 'PLAIN encryption needed to use mechanism' error
> From: Dan White <dwhite at olp.net>
> To: Blake Hudson <blake at ispn.net>
> Cc: info-cyrus at lists.andrew.cmu.edu
> Date: Wednesday, July 29, 2009 3:20:08 AM
>
> ------------ NO SSL ------------
> root at twinp src]# pop3test -m PLAIN -a xxx mail.xxx.com
> S: +OK twinP Cyrus POP3 v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready
> <12408582082392233762.1248855924 at twinP>
> C: CAPA
> S: +OK List of capabilities follows
> S: SASL DIGEST-MD5 CRAM-MD5
> S: STLS
> S: EXPIRE NEVER
> S: LOGIN-DELAY 0
> S: TOP
> S: UIDL
> S: PIPELINING
> S: RESP-CODES
> S: AUTH-RESP-CODE
> S: USER
> S: IMPLEMENTATION Cyrus POP3 server v2.3.7-Invoca-RPM-2.3.7-2.el5
> S: .
> Please enter your password:
> C: AUTH PLAIN xxxuc3Rlc3QAdGVzdDEyMw==
> S: -ERR [AUTH] authenticating: encryption needed to use mechanism
> Authentication failed. generic failure
> Security strength factor: 0
> quit
> +OK
> Connection closed.
> ------------ SSL ------------
> [root at twinp src]# pop3test -s -m PLAIN -a xxxmail.xxx.com
> verify error:num=18:self signed certificate
> TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
> S: +OK twinP Cyrus POP3 v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready
> <832124781731685216.1248855943 at twinP>
> C: CAPA
> S: +OK List of capabilities follows
> S: SASL DIGEST-MD5 LOGIN PLAIN CRAM-MD5
> S: EXPIRE NEVER
> S: LOGIN-DELAY 0
> S: TOP
> S: UIDL
> S: PIPELINING
> S: RESP-CODES
> S: AUTH-RESP-CODE
> S: USER
> S: IMPLEMENTATION Cyrus POP3 server v2.3.7-Invoca-RPM-2.3.7-2.el5
> S: .
> Please enter your password:
> C: AUTH PLAIN xxxuc3Rlc3QAdGVzdDEyMw==
> S: +OK Mailbox locked and ready
> Authenticated.
> Security strength factor: 256
> quit
> +OK
> Connection closed.
> -------------------------
>
>
> It sure seems like pop is picking up on different sasl security settings
> (such as the sasl_minimum_layer or the noplaintextwithouttls option).
> However, IMAP seems to obey these just fine as configured with the same
> config file.
>
>
Agreed. A possible work around until you figure out the issue would be
to add '-p 256' within cyrus.conf, for your pop3 entry (see man pop3d).
That would emulate a sasl security layer of 256 bits, and would be
treated as if you had connected via SSL when you hadn't.
- Dan
More information about the Info-cyrus
mailing list