Re: Delivery Status Notification (Failed)

D G Teed donald.teed at gmail.com
Sat Jul 3 23:29:18 EDT 2010


2010/7/2 Dan White <dwhite at olp.net>

> On 02/07/10 14:43 -0300, D G Teed wrote:
>
>> 2010/7/2 D G Teed <donald.teed at gmail.com>
>>
>>> Subject: Authentication problems since Redhat 5.5 updates
>>>
>>>>
>>>> We had a nice trouble free cyrus running until it was updated with
>>>> updates from Redhat today.
>>>>
>>>> I've tested with testsaslauthd (no service name given) and it works OK,
>>>> so I'd think things are fine on the pam, AD and ldap end.
>>>>
>>>> In the cyrus server's maillog I'm seeing messages like this from
>>>> attempts to connect from the remote webmail:
>>>>
>>>> Jul  2 13:54:22 navi imap[4073]: badlogin:
>>>> webmail.example.com[XXX.YYY.ZZZ.111] CRAM-MD5 [SASL(-13): user not
>>>> found: no secret in database]
>>>>
>>>>
>> I have things working again.  I had disabled Unix authentication in pam
>> temporarily to try troubleshooting with my account.  That had the side
>> effect of disabling the cyrus user from authentication.  So that explains
>> the scripts using IMAP::Admin breaking.
>>
>> I also removed the package cyrus-sasl-md5 and I believe this has an impact
>> on the issue I was facing with "CRAM-MD5".
>>
>> Any tips on how to co-exist with that package are welcomed.
>>
>
> Cyrus imap will offer all available and initializable SASL authentication
> plugins it can find (see pluginviewer for that list). In the case where you
> have a plugin installed that you don't wish to offer, you can restrict the
> list of mechanisms with the sasl_mech_list option.
>
> If you're depending on saslauthd for authentication, you shouldn't be
> offering anything other than plain and login:
>
> sasl_mech_list: PLAIN LOGIN
>
>
Right, I had more in my list.  And since I didn't have the cyrus-sasl-md5
package before, the mentioning of MD5 mech types in the sasl_mech_list
didn't matter.

I have read some comments that suggest the MD5 mech options
only work with sasl_pwcheck_method of auxprop, and won't work
with pam via saslauthd. Is that true?  That seems to be what
you are saying as well.  If not the case, I don't understand
what would have been needed to enable the MD5 types of
auth mechanism.  Any pointers to where the MD5 types of mech
are documented for configuration?

For some reason, IMAP connections using TLS were not impacted
by the change.  I'm not sure of all of the ways it was broken because
I wanted to get the service back up ASAP, but I do know Horde
webmail was unable to connect using IMAP and notls.

--Donald
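
Added example, not part of the original message or of Cyrus itself: a small Python check for the imapd.conf situation discussed in this thread, where saslauthd verifies passwords but sasl_mech_list still names MD5 mechanisms. The sample configurations are constructed, and the check assumes saslauthd is the only credential store (no auxprop secrets exist for CRAM-MD5 or DIGEST-MD5 to use).

```python
# Added example: audit imapd.conf for SASL mechanisms saslauthd cannot serve.
# saslauthd only verifies a plaintext password, so PLAIN and LOGIN are the
# only mechanisms that can succeed through it.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample configurations (not taken from the thread).
BROKEN_CONF = """\
# mechanisms left over from before cyrus-sasl-md5 was installed
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
"""
FIXED_CONF = """\
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN
"""


def parse_imapd_conf(text):
    """Parse 'option: value' lines; '#' comments and blank lines are skipped."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        options[key.strip().lower()] = value.strip()
    return options


def audit_sasl_mechs(text):
    """Return findings for a configuration that authenticates via saslauthd."""
    opts = parse_imapd_conf(text)
    if "saslauthd" not in opts.get("sasl_pwcheck_method", "").lower().split():
        return []  # other password back ends are out of scope for this check
    mech_list = opts.get("sasl_mech_list")
    if mech_list is None:
        return ["sasl_mech_list is not set: every installed SASL plugin is offered"]
    return [
        f"{mech}: cannot be verified through saslauthd"
        for mech in mech_list.split()
        if mech.upper() not in PLAINTEXT_MECHS
    ]


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, audit_sasl_mechs(conf) or "ok")
```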