Authentication problem between 2.3.16 back-end and 2.2.12 mupdate and front-ends

Michael D. Sofka sofkam at rpi.edu
Wed Oct 6 16:57:06 EDT 2010


I am in the process of upgrading our cyrus aggregation from 2.2.12 to 
2.3.16. I have installed cyrus 2.3.16 on a new back-end server, and it 
appears fine.  I can create accounts on the server, read email from 
them, etc.

Now I am attempting to place the new back-end server into our 
aggregation so I can begin migrating accounts off the current back-end 
server.   It appears the new back-end is not able to authenticate to the 
mupdate server.

When running ctl_mboxlist -m I get:

    couldn't connect to mupdate server

The mupdate server shows a connection:

Oct  6 15:48:26 imap-fe1 mupdate[17081]: accepted connection
Oct  6 15:48:26 imap-fe1 mupdate[17081]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication

(imap-fe1 is our mupdate server)

And the new back-end shows the attempt:

Oct  6 16:22:49 imap-be4 ctl_mboxlist[8264]: Doing a peer verify
Oct  6 16:22:49 imap-be4 ctl_mboxlist[8264]: Doing a peer verify
Oct  6 16:22:49 imap-be4 ctl_mboxlist[8264]: received server certificate
Oct  6 16:22:49 imap-be4 ctl_mboxlist[8264]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new client) no authentication
Oct  6 16:22:49 imap-be4 ctl_mboxlist[8264]: couldn't authenticate to backend server: no mechanism available
Oct  6 16:22:49 imap-be4 ctl_mboxlist[8264]: mupdate_connect failed: SASL(-4): no mechanism available: No worthy mechs found


I note that when the existing 2.2.12 back-end connects to the mupdate 
server it does *not* use TLS:


Oct  6 16:15:12 imap-fe1 mupdate[17081]: accepted connection
Oct  6 16:15:12 imap-fe1 mupdate[17081]: login: imap-be3.server.rpi.edu [128.113.2.247] g_murder LOGIN User logged in


I am wondering if, perhaps, there has been a change in the allowed 
mechanisms between 2.2 and 2.3.   An attempted xfer (before I noticed 
that ctl_mboxlist -m failed) also failed, with the 2.2.12 server 
reporting servers unavailable.  Yet, I can telnet to the new server, and 
authenticate.


Here are the new be-server's imapd.conf settings:

servername: imap-be4.server.rpi.edu
configdirectory: /var/lib/imap
sievedir: /var/lib/imap/sieve
partition-default: /var/spool/imap
partition-1: /var/spool/imap1
partition-2: /var/spool/imap2
partition-3: /var/spool/imap3
defaultpartition: default
metapartition-default: /var/lib/imap/meta0
metapartition_files: index cache expunge squat
admins: g_imap g_proxy
altnamespace: yes
postuser: sharedfolders
logtimestamps: yes
allowapop: no
quotawarn: 95
allowallsubscribe: t
sendmail: /usr/sbin/sendmail
allowplaintext: yes
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN GSSAPI
sasl_minimum_layer: 0
tls_key_file: /etc/ssl/mail.rpi.edu.key
tls_cert_file: /etc/ssl/mail.rpi.edu.cert
tls_ca_file: /etc/ssl/entrust.CA.cert
mupdate_username: g_murder
mupdate_authname: g_murder
mupdate_password: <the password>
mupdate_server: imap-fe1.server.rpi.edu
proxyservers: g_proxy
proxy_authname: g_proxy
proxy_password: <the password>
allowusermoves: 1


The settings in the 2.2.12 back-end server are the same.

The mupdate server's imapd.conf file is:

altnamespace: true
servername: imap-fe1.server.rpi.edu
configdirectory: /var/spool/db/imap
partition-default: /tmp
admins: g_imap g_murder

postuser: sharedfolders
allowplaintext: 1
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN GSSAPI
sasl_minimum_layer: 0
tls_key_file: /etc/ssl/mail.rpi.edu.key
tls_cert_file: /etc/ssl/mail.rpi.edu.cert
tls_ca_file: /etc/ssl/entrust.CA.cert

duplicate_db: skiplist
tlscache_db: skiplist

mupdate_connections_max: 2048
mupdate_workers_max: 512
mupdate_workers_start: 25
mupdate_workers_minspare: 2
mupdate_workers_maxspare: 25

mupdate_username: g_murder
mupdate_authname: g_murder
mupdate_password: <the password>
mupdate_server: imap-fe1.server.rpi.edu
proxyservers: g_proxy
proxy_authname: g_proxy
proxy_password: <the password>

proxyd_disable_mailbox_referrals: 0

-- 
Michael D. Sofka               sofkam at rpi.edu
C&MT Sr. Systems Programmer,   Email, HPC, TeX, Epistemology
Rensselaer Polytechnic Institute, Troy, NY.  http://www.rpi.edu/~sofkam/

