Benachrichtung zum Übermittlungsstatus (Fehlgeschlagen)

Dan White dwhite at
Sun Jul 4 01:57:32 EDT 2010

On 04/07/10 00:29 -0300, D G Teed wrote:
>2010/7/2 Dan White <dwhite at>
>> Cyrus imap will offer all available and initializable SASL
>> authentication plugins it can find (see pluginviewer for that list). In
>> the case where you have a plugin installed that you don't wish to offer,
>> you can restrict the list of mechanisms with the sasl_mech_list option.
>> If you're depending on saslauthd for authentication, you shouldn't be
>> offering anything other than plain and login:
>> sasl_mech_list: PLAIN LOGIN
>Right, I had more in my list.  And since I didn't have the cyrus-sasl-md5
>package before, the mentioning of MD5 mech types in the sasl_mech_list
>didn't matter.
>I have read some comments that suggest the MD5 mech options only work with
>sasl_pwcheck_method of auxprop, and won't work with pam via saslauthd. Is
>that true?  That seems to be what you are saying as well.  If not the
>case, I don't understand what would have been needed to enable the MD5
>types of auth mechanism.  Any pointers to where the MD5 types of mech are
>documented for configuration?

See doc/components.html and doc/sysadmin.html within the Cyrus SASL source.

The sasl_pwcheck_method is not, and cannot be, used for CRAM-MD5 or
DIGEST-MD5. It's only appropriate for mechanisms which receive a password
from the client. For imapd, that would be the PLAIN and LOGIN mechanisms,
and the pre-sasl login command.

Cyrus SASL requires that shared secrets be stored within an auxprop store,
such as sasldb. Regardless of what your sasl_pwcheck_method configuration
is, sasl will always use your auxprop plugin(s) to service the DIGEST-MD5
plugin. To use DIGEST-MD5, you could use saslpasswd2 to store user
credentials within /etc/sasldb2.

saslauthd, and pam, cannot perform the required handshaking that DIGEST-MD5
requires, since the neither have knowledge of what the shared secret
(password) is.

>For some reason, IMAP connections using TLS were not impacted by the
>change.  I'm not sure of all of the ways it was broken because I wanted to
>get the service back up ASAP, but I do know Horde webmail was unable to
>connect using IMAP and notls.

More than likely you were dealing with clients that failed the DIGEST-MD5
authentication and then fell back to PLAIN or pre-sasl login.

If 'allowplaintext' is disabled in your imapd.conf, then PLAIN, LOGIN, and
pre-sasl login can only be achieved in the presence of TLS or some other
encryption. 'allowplaintext: 0' will prevent a clear text password from
being sniffed over the wire.

Dan White

More information about the Info-cyrus mailing list