SASLAUTH and cyrus

Dan White dwhite at olp.net
Fri Jul 22 17:53:26 EDT 2011


On 22/07/11 12:49 -0700, Maria McKinley wrote:
>I am having a weirdness in my cyrus installation. I am getting messages
>in the logs:
>
>Jul 22 08:41:59 ella cyrus/imaps[29387]: Fatal error:
>tls_start_servertls() failed
>
>Weirdly, this does not seem to actually affect performance, so maybe I
>shouldn't even be worrying about this. But, I did try to do some
>troubleshooting. I used imtest and found this:
>
>ella:~# imtest -m plain -u cyrus -a cyrus -s localhost
>verify error:num=19:self signed certificate in certificate chain
>TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
>S: * OK ella Cyrus IMAP4 v2.2.13-Debian-2.2.13-14+lenny4 server ready
>C: C01 CAPABILITY
>S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID
>NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT
>THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN
>AUTH=LOGIN SASL-IR
>S: C01 OK Completed
>Please enter your password:
>C: A01 AUTHENTICATE PLAIN <cut>
>S: A01 NO authentication failure
>Authentication failed. generic failure
>Security strength factor: 256
>^C^CC: Q01 LOGOUT
>Connection closed.
>
>This appears to be a username/password problem, rather than an
>installation problem, since things work fine for postmaster:
>
>ella:~# imtest -m plain -u postmaster -a postmaster -s localhost
>
>                   SASLPASSWD2(8)
>
>verify error:num=19:self signed certificate in certificate chain
>TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
>S: * OK ella Cyrus IMAP4 v2.2.13-Debian-2.2.13-14+lenny4 server ready
>C: C01 CAPABILITY
>S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID
>NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT
>THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN
>AUTH=LOGIN SASL-IR
>S: C01 OK Completed
>Please enter your password:
>C: A01 AUTHENTICATE PLAIN <cut>
>S: A01 OK Success (tls protection)
>Authenticated.
>Security strength factor: 256
>^CC: Q01 LOGOUT
>Connection closed.
>
>So I did a check of users, and thought I had figured out the problem.
>cyrus was tied to an old hostname:
>
>ella:~# sasldblistusers2
>postmaster at ella: userPassword
>cyrus at montoya: userPassword
>
>But, when I created cyrus at ella, and deleted cyrus at montoya using
>saslpasswd2, this did not solve the problem. Both are listed in
>imapd.conf as admins. Any ideas about what could be going on? I have a
>memory that I am not using imaps port, but instead using a secure
>connection over the imap port, but the error message still bugs me, and
>I would like to get to the bottom of it. I'm afraid that with that last
>sentence it becomes obvious I haven't looked at this in a while, and
>have probably forgotten some key points about cyrus configuration. Some
>hints about where to go hunting would be most appreciated.

What is your sasl configuration in imapd.conf? (grep for sasl)

If pwcheck_method does not include 'auxprop' in your configuration, then
you are not using sasldb2 to authenticate. Your admin accounts should be
using the same authentication database as your normal users, which could be
PAM, for instance, if you're configured to use saslauthd.

Also, be aware that the 'A01 AUTHENTICATE PLAIN ...' strings you included
in your original email contain the uuencoded form of your password, and can
be trivially reversed. If your server is publicly accessible, you may want
to change your admin passwords.

-- 
Dan White
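Two checks a reader of this thread might want to script, as an added example that is not code from either poster or from the Cyrus project: one that reads the sasl_* settings out of an imapd.conf-style file and reports whether sasldb2 (the auxprop plugin) is consulted at all, and one that redacts the base64 blob on an AUTHENTICATE PLAIN line before a transcript is pasted anywhere, with a decoder that shows why that blob has to be treated as the password itself (RFC 4616 PLAIN is just base64 over NUL-separated fields). The configuration text and the credential in the transcript are constructed sample values, not the poster's.

```python
import base64
import re

# Constructed imapd.conf fragment (assumed sample, not the poster's file).
# Cyrus prefixes SASL library options with "sasl_".
SAMPLE_IMAPD_CONF = """\
admins: cyrus postmaster
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN
"""


def sasl_settings(conf_text):
    """Return the sasl_* keys from imapd.conf-style text as a dict."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip().startswith("sasl_"):
            settings[key.strip()] = value.strip()
    return settings


def uses_sasldb(conf_text):
    """True only if pwcheck_method lists 'auxprop', i.e. sasldb2 is consulted.

    With 'saslauthd' alone, entries made with saslpasswd2 are never looked at,
    which is the point Dan makes above.
    """
    methods = sasl_settings(conf_text).get("sasl_pwcheck_method", "").split()
    return "auxprop" in methods


# Matches the initial response that imtest sends with AUTHENTICATE PLAIN.
PLAIN_RE = re.compile(r"(AUTHENTICATE PLAIN )([A-Za-z0-9+/=]+)")


def decode_plain(blob):
    """Split a base64 SASL PLAIN initial response into (authzid, authcid, password).

    Shown only to make clear that the blob in a pasted transcript *is* the
    password; nothing here is stronger than base64.
    """
    raw = base64.b64decode(blob)
    authzid, authcid, passwd = raw.split(b"\x00", 2)
    return authzid.decode(), authcid.decode(), passwd.decode()


def redact_transcript(text):
    """Replace the PLAIN blob on every AUTHENTICATE line with <redacted>."""
    return PLAIN_RE.sub(r"\1<redacted>", text)


# Constructed transcript with a made-up credential (assumed sample values).
SAMPLE_BLOB = base64.b64encode(b"\x00cyrus\x00example-password").decode()
SAMPLE_TRANSCRIPT = (
    f"C: A01 AUTHENTICATE PLAIN {SAMPLE_BLOB}\n"
    "S: A01 NO authentication failure\n"
)

if __name__ == "__main__":
    print("sasldb2 consulted:", uses_sasldb(SAMPLE_IMAPD_CONF))
    print("fields hidden in the blob:", decode_plain(SAMPLE_BLOB))
    print(redact_transcript(SAMPLE_TRANSCRIPT), end="")
```

Run `redact_transcript` over any imtest output before sharing it; if `uses_sasldb` returns False, the account created with saslpasswd2 is irrelevant and the lookup is happening in whatever saslauthd is configured for (PAM, for instance).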
