Authentication problem between 2.3.16 back-end and 2.2.12 mupdate and front-ends
    Michael D. Sofka 
    sofkam at rpi.edu
       
    Thu Oct  7 16:33:52 EDT 2010
    
    
  
Additional information.  Recall that:
> I am in the process of upgrading our cyrus aggregation from 2.2.12 to 
> 2.3.16. I have installed cyrus 2.3.16 on a new back-end server, and it 
> appears fine.  I can create accounts on the server, read email from 
> them, etc.
> 
> Now I am attempting to place the new back-end server into our 
> aggregation so I can begin migrating accounts off the current back-end 
> server.   It appears the new back-end is not able to authenticate to the 
> mupdate server.
On the existing 2.2.12 back-end server I can run:
    mupdatetest -v -p 3905 -a g_murder imap-fe1.server.rpi.edu
And, it connects, and logs onto the front-end server.  If I run:
    mupdatetest -v -t '' -p 3905 -a g_murder imap-fe1.server.rpi.edu
It does the same with TLS.
Trying this on the 2.3.16 server, built from Simon Matter's source RPM 
on a RE5 server I get:
    Hacker[901]:mupdatetest -v -p 3905 -a g_murder imap-fe1.server.rpi.edu
    S: * AUTH "LOGIN" "PLAIN"
    S: * STARTTLS
    S: * PARTIAL-UPDATE
    S: * OK MUPDATE "imap-fe1.server.rpi.edu" "Cyrus Murder" "v2.2.12-Invoca-RPM-2.2.12-20" "(master)"
    Authentication failed. no mechanism available
    Security strength factor: 0
Note "no mechanisms available."  But I can run the AUTHENTICATE 
command with either the PLAIN or LOGIN option, and I can authenticate just 
fine.  Same with the -t '' option, except it goes through TLS first.
Running:
    ctl_mboxlist -cw
returns:
    couldn't connect to mupdate server
And syslog reports:
    Oct  7 16:23:56 imap-be4 ctl_mboxlist[916]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new client) no authentication
    Oct  7 16:23:56 imap-be4 ctl_mboxlist[916]: couldn't authenticate to backend server: no mechanism available
    Oct  7 16:23:56 imap-be4 ctl_mboxlist[916]: mupdate_connect failed: SASL(-4): no mechanism available: No worthy mechs found
"No worthy mechs found"  This seems to be saying that ctl_mboxlist 
doesn't like PLAIN or LOGIN.  If so, then what does it want?
For incoming connections, there appears to be a similar problem.  When I 
attempt an xfer from the 2.2.12 back-end to the 2.3.16 back-end the 
transfer fails with the message:
    xfermailbox: Server(s) unavailable to complete operation
and the 2.3.16 syslog reports:
    Oct  7 16:27:33 imap-be4 imap[830]: accepted connection
    Oct  7 16:27:33 imap-be4 master[942]: about to exec /usr/lib/cyrus-imapd/imapd
    Oct  7 16:27:33 imap-be4 imap[942]: executed
    Oct  7 16:27:33 imap-be4 imap[830]: skiplist: checkpointed /var/lib/imap/tls_sessions.db (6 records, 1240 bytes) in 0 seconds
    Oct  7 16:27:33 imap-be4 imap[830]: imapd:Loading hard-coded DH parameters
    Oct  7 16:27:33 imap-be4 imap[830]: SSL_accept() incomplete -> wait
    Oct  7 16:27:33 imap-be4 imap[830]: SSL_accept() succeeded -> done
    Oct  7 16:27:33 imap-be4 imap[830]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
I've configured saslauthd to use PAM, and PAM to use pam_unix.so.  And, 
as noted, authentication does work.
Mike
-- 
Michael D. Sofka               sofkam at rpi.edu
C&MT Sr. Systems Programmer,   Email, HPC, TeX, Epistemology
Rensselaer Polytechnic Institute, Troy, NY.  http://www.rpi.edu/~sofkam/
    
    