SASLAUTH and cyrus

Fri Jul 22 18:52:08 EDT 2011

On 7/22/11 2:53 PM, Dan White wrote:
> On 22/07/11 12:49 -0700, Maria McKinley wrote:
>> I am having a weirdness in my cyrus installation. I am getting messages
>> in the logs:
>>
>> Jul 22 08:41:59 ella cyrus/imaps[29387]: Fatal error:
>> tls_start_servertls() failed
>>
>> Weirdly, this does not seem to actually affect performance, so maybe I
>> shouldn't even be worrying about this. But, I did try to do some
>> troubleshooting. I used imtest and found this:
>>
>> ella:~# imtest -m plain -u cyrus -a cyrus -s localhost
>> verify error:num=19:self signed certificate in certificate chain
>> TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
>> S: * OK ella Cyrus IMAP4 v2.2.13-Debian-2.2.13-14+lenny4 server ready
>> C: C01 CAPABILITY
>> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID
>> NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT
>> THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN
>> AUTH=LOGIN SASL-IR
>> S: C01 OK Completed
>> Please enter your password:
>> C: A01 AUTHENTICATE PLAIN <cut>
>> S: A01 NO authentication failure
>> Authentication failed. generic failure
>> Security strength factor: 256
>> ^C^CC: Q01 LOGOUT
>> Connection closed.
>>
>> This appears to be a username/password problem, rather than an
>> installation problem, since things work fine for postmaster:
>>
>> ella:~# imtest -m plain -u postmaster -a postmaster -s localhost
>>
>> SASLPASSWD2(8)
>>
>> verify error:num=19:self signed certificate in certificate chain
>> TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
>> S: * OK ella Cyrus IMAP4 v2.2.13-Debian-2.2.13-14+lenny4 server ready
>> C: C01 CAPABILITY
>> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID
>> NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT
>> THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN
>> AUTH=LOGIN SASL-IR
>> S: C01 OK Completed
>> Please enter your password:
>> C: A01 AUTHENTICATE PLAIN <cut>
>> S: A01 OK Success (tls protection)
>> Authenticated.
>> Security strength factor: 256
>> ^CC: Q01 LOGOUT
>> Connection closed.
>>
>> So I did a check of users, and thought I had figured out the problem.
>> cyrus was tied to an old hostname:
>>
>> ella:~# sasldblistusers2
>> postmaster at ella: userPassword
>> cyrus at montoya: userPassword
>>
>> But, when I created cyrus at ella, and deleted cyrus at montoya using
>> saslpasswd2, this did not solve the problem. Both are listed in
>> imapd.conf as admins. Any ideas about what could be going on? I have a
>> memory that I am not using imaps port, but instead using a secure
>> connection over the imap port, but the error message still bugs me, and
>> I would like to get to the bottom of it. I'm afraid that with that last
>> sentence it becomes obvious I haven't looked at this in a while, and
>> have probably forgotten some key points about cyrus configuration. Some
>> hints about where to go hunting would be most appreciated.
>
> What is your sasl configuration in imapd.conf? (grep for sasl)
>

sasl_mech_list: PLAIN LOGIN

sasl_pwcheck_method: saslauthd

sasl_auto_transition: no

> If pwcheck_method does not include 'auxprop' in your configuration, then
> you are not using sasldb2 to authenticate. Your admin accounts should be
> using the same authentication database as your normal users, which could be
> PAM, for instance, if you're configured to use saslauthd.

Hmm, I am using PAM for other things, maybe I should be using PAM here 
too? It appears I am not now.

>
> Also, be aware that the 'A01 AUTHENTICATE PLAIN ...' strings you included
> in your original email contain the uuencoded form of your password, and can
> be trivially reversed. If your server is publicly accessible, you may want
> to change your admin passwords.
>

Oops, meant to delete that. Changing passwords now...

thanks,
maria