No authentication error when replication attempted in automatic mode

Ivan Lezhnjov Jr. ivan.lezhnjov.jr at gmail.com
Mon Jul 25 04:19:14 EDT 2011


This is solved by creating a self-signed CA (certificate authority) and a
certificate+private key bundle. The essential detail is that when
generating the certificate you need to specify the Common Name (CN) as a
fully qualified domain name (hostA.localdomain or hostA.imapsite.net,
etc.). This must be done for each host involved, and each certificate
should have that host's FQDN specified as CN. Once the certs were in
place and the service restarted, sync_client has been able to log in
without any problems.

On Wed, Jul 20, 2011 at 4:56 PM, Ivan Lezhnjov Jr.
<ivan.lezhnjov.jr at gmail.com> wrote:
> I've said before that I fixed the issue with authentication from
> Master<->Replica in a basic two-host setup in a mysterious way. Funny
> thing is that I've managed to successfully replicate from M to R and
> vice versa, swapping the roles of the hosts as many times as I wanted.
> Everything worked  as expected.
>
> Then I set out to repeat this success on a set of two other machines,
> and reached another dead end with a slightly different problem.
>
> This message attempts to describe the issue that I'm battling with and
> what has been tried thus far to win this fight :)
>
> This is a basic two-host setup, host A is Master, host B is Replica.
>
> When replication is attempted in automatic mode it fails.
> Incidentally, it fails in manual mode too.
>
> ------------------- Replica
> Jul 20 15:29:24 clone-machine-target syncserver[3630]: accepted connection
> Jul 20 15:29:24 clone-machine-target syncserver[3630]: cmdloop(): startup
> Jul 20 15:29:24 clone-machine-target syncserver[3630]: imapd:Loading hard-coded DH parameters
> Jul 20 15:29:24 clone-machine-target syncserver[3630]: SSL_accept() incomplete -> wait
> Jul 20 15:29:24 clone-machine-target syncserver[3630]: SSL_accept() succeeded -> done
> Jul 20 15:29:24 clone-machine-target syncserver[3630]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
>
> ------------------- Master
> Jul 20 15:29:00 clone-machine sync_client[3638]: Doing a peer verify
> Jul 20 15:29:00 clone-machine sync_client[3638]: verify error:num=19:self signed certificate in certificate chain
> Jul 20 15:29:00 clone-machine sync_client[3638]: received server certificate
> Jul 20 15:29:00 clone-machine sync_client[3638]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new client) no authentication
> Jul 20 15:29:00 clone-machine sync_client[3638]: couldn't authenticate to backend server: no mechanism available
> Jul 20 15:29:00 clone-machine sync_client[3638]: Can not connect to server '10.10.0.178'
>
> The interesting fact is that I can successfully authenticate with
> synctest from Master to Replica like this:
>
> [root at clone-machine ~]# synctest -a cyrus -u cyrus -m plain -t "" replica.localdomain
> S: * SASL PLAIN LOGIN
> S: * STARTTLS
> S: * COMPRESS DEFLATE
> S: * OK clone-machine-target Cyrus sync server v2.4.10-Kolab-2.4.10-1
> C: STARTTLS
> S: OK Begin TLS negotiation now
> verify error:num=19:self signed certificate in certificate chain
> TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> S: * SASL PLAIN LOGIN
> S: * OK clone-machine-target Cyrus sync server v2.4.10-Kolab-2.4.10-1
> Please enter your password:
> C: AUTHENTICATE PLAIN Y3lydXMAY3lydXMAY3lydXNhZG1pbnJlcGxpY2E=
> S: OK Success (tls protection)
> Authenticated.
> Security strength factor: 256
>
> but /usr/lib/cyrus-imapd/sync_client -r fails to do so.
>
>
>
> SITE CONFIGURATION
>
>
> ------------------- Master
> [root at clone-machine ~]# cat /etc/imapd.conf
> configdirectory: /var/lib/imap
> partition-default: /var/spool/imap
> admins: cyrus
> sievedir: /var/lib/imap/sieve
> sendmail: /usr/sbin/sendmail
> hashimapspool: true
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: PLAIN
> sasl_minimum_layer: 0
> tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd-my.pem
> tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd-my.pem
> tls_ca_file: /etc/pki/tls/certs/cacert.pem
> guid_mode: sha1
> delete_mode: immediate
> sync_host: 10.10.0.178
> sync_authname: cyrus
> syncpassword: xxxxxxxxxxxxx
> sync_log: 1
> allowplaintext: 1
> tcp_keepalive: 1
>
> [root at clone-machine ~]# cat /etc/cyrus.conf |grep -v \#
>
> START {
>  recover       cmd="ctl_cyrusdb -r"
>
>  idled         cmd="idled"
>
>  syncclient    cmd="/usr/lib/cyrus-imapd/sync_client -r"
> }
>
> SERVICES {
>  imap          cmd="imapd" listen="imap" prefork=5 provide_uuid=1
>  imaps         cmd="imapd -s" listen="imaps" prefork=1 provide_uuid=1
>
>
>  lmtpunix      cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1 provide_uuid=1
>
> }
>
> EVENTS {
>  checkpoint    cmd="ctl_cyrusdb -c" period=30
>
>  delprune      cmd="cyr_expire -D 7 -E 3 -X 7" at=0400
>
>  tlsprune      cmd="tls_prune" at=0400
> }
>
>
>
> ------------------- Replica
> [root at clone-machine-target ~]# cat /etc/imapd.conf
> configdirectory: /var/lib/imap
> partition-default: /var/spool/imap
> admins: cyrus
> sievedir: /var/lib/imap/sieve
> sendmail: /usr/sbin/sendmail
> hashimapspool: true
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: PLAIN
> tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd-my.pem
> tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd-my.pem
> tls_ca_file: /etc/pki/tls/certs/cacert.pem
> allowplaintext: 1
> tcp_keepalive: 1
>
> [root at clone-machine-target ~]# cat /etc/cyrus.conf |grep -v \#
>
> START {
>  recover       cmd="ctl_cyrusdb -r"
>
>  idled         cmd="idled"
>
> }
>
> SERVICES {
>  imap          cmd="imapd" listen="imap" prefork=5 provide_uuid=1
>  imaps         cmd="imapd -s" listen="imaps" prefork=1 provide_uuid=1
>
>
>  lmtpunix      cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1 provide_uuid=1
>
>
>  syncserver       cmd="/usr/lib/cyrus-imapd/sync_server" listen="csync"
> }
>
> EVENTS {
>  checkpoint    cmd="ctl_cyrusdb -c" period=30
>
>  delprune      cmd="cyr_expire -D 7 -E 3 -X 7" at=0400
>
>  tlsprune      cmd="tls_prune" at=0400
> }
>
> Using my own self-signed certificates and my own CA on both machines.
> CN points to the hosts' FQDNs, defined in /etc/hosts as master.localdomain
> and replica.localdomain.
>
>
> PAM configuration:
>
> [root at clone-machine ~]# cat /etc/pam.d/{csync,imap,lmtp}
> #%PAM-1.0
> auth       required     pam_nologin.so
> auth       include      system-auth
> account    include      system-auth
> session    include      system-auth
> #%PAM-1.0
> auth       required     pam_nologin.so
> auth       include      system-auth
> account    include      system-auth
> session    include      system-auth
> #%PAM-1.0
> auth       required     pam_nologin.so
> auth       include      system-auth
> account    include      system-auth
> session    include      system-auth
>
>
> selinux disabled
> iptables disabled
>
> I've tried the following options with no success and no positive changes
> in regard to replication:
> - sasl_minimum_layer: 0
> - syncserver       cmd="/usr/lib/cyrus-imapd/sync_server -p 1" listen="csync"
> - removing sasl_mech_list completely while setting allowplaintext to false
>
>
> SOFTWARE INSTALLED
> [root at clone-machine ~]# yum list installed |grep cyrus
> cyrus-imapd.x86_64                       2.4.10-1               installed
> cyrus-imapd-debuginfo.x86_64             2.4.10-1               installed
> cyrus-imapd-devel.x86_64                 2.4.10-1               installed
> cyrus-imapd-perl.x86_64                  2.4.10-1               installed
> cyrus-imapd-utils.x86_64                 2.4.10-1               installed
> cyrus-sasl.x86_64                        2.1.22-4               installed
> cyrus-sasl-devel.x86_64                  2.1.22-4               installed
> cyrus-sasl-lib.x86_64                    2.1.22-4               installed
> cyrus-sasl-plain.x86_64                  2.1.22-4               installed
>
> using a Kolab SRPM for cyrus-imapd as divulged in synctest output. I
> also tried Invoca SRPM (same tests only running Invoca build).
>
> I'm hoping to get any help because I've spent most of the day reading
> mailing list archives, trying to find at least a hint but nothing
> seems to help. I need your fresh look at this whole setup people.
>
> Thanks in advance for your time.
>
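
The procedure the author arrives at above (a private CA, and for each host a certificate whose CN is that host's FQDN, concatenated with its private key into one PEM that both tls_cert_file and tls_key_file point at, with the CA certificate in tls_ca_file), as an added shell example that is not part of the original post and not Cyrus code. The output directory, the CA name, the hostnames master.localdomain and replica.localdomain and the 825-day lifetime are assumptions modelled on the quoted configuration. It goes slightly beyond the post in two ways: it also places the FQDN in a subjectAltName, which the post does not mention but which current TLS verifiers require in addition to the CN, and it includes a check that each bundle chains to the CA and carries the expected CN, so a cert can be validated before restarting the service rather than by watching for the "verify error:num=19" line in the syncserver log.

```shell
#!/bin/sh
# Added example (not from the original post): build a private CA and one
# cert+key bundle per Cyrus host, with CN and subjectAltName set to the FQDN.
# Assumed names: "Example Cyrus CA", master.localdomain, replica.localdomain.
set -eu

# make_ca DIR : self-signed CA -> DIR/cacert.pem (for tls_ca_file) and DIR/cakey.pem
make_ca() {
  ca_dir="$1"
  mkdir -p "$ca_dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Cyrus CA" \
    -keyout "$ca_dir/cakey.pem" -out "$ca_dir/cacert.pem" 2>/dev/null
  chmod 600 "$ca_dir/cakey.pem"
}

# make_host_bundle DIR FQDN : key + CSR with CN=FQDN, signed by the CA in DIR,
# then DIR/FQDN.pem = certificate followed by private key (one file for both
# tls_cert_file and tls_key_file, as in the quoted imapd.conf).
make_host_bundle() {
  h_dir="$1"; fqdn="$2"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$fqdn" \
    -keyout "$h_dir/$fqdn.key" -out "$h_dir/$fqdn.csr" 2>/dev/null
  # SAN is an addition over the post's CN-only certs; modern verifiers need it.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' \
    "$fqdn" > "$h_dir/$fqdn.ext"
  openssl x509 -req -sha256 -days 825 -in "$h_dir/$fqdn.csr" \
    -CA "$h_dir/cacert.pem" -CAkey "$h_dir/cakey.pem" -CAcreateserial \
    -extfile "$h_dir/$fqdn.ext" -out "$h_dir/$fqdn.crt" 2>/dev/null
  cat "$h_dir/$fqdn.crt" "$h_dir/$fqdn.key" > "$h_dir/$fqdn.pem"
  chmod 600 "$h_dir/$fqdn.key" "$h_dir/$fqdn.pem"
  rm -f "$h_dir/$fqdn.csr" "$h_dir/$fqdn.ext"
}

# check_bundle DIR PEMFILE FQDN : succeed only if the certificate in PEMFILE
# chains to DIR/cacert.pem AND its subject CN equals FQDN.
check_bundle() {
  c_dir="$1"; pem="$2"; want="$3"
  openssl verify -CAfile "$c_dir/cacert.pem" "$pem" >/dev/null 2>&1 || return 1
  subj=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 \
         | sed 's/^subject= *//')
  [ "$subj" = "CN=$want" ]
}

# Stand-alone usage: sh this.sh /etc/pki/cyrus-imapd master.localdomain replica.localdomain
if [ $# -ge 2 ]; then
  out_dir="$1"; shift
  make_ca "$out_dir"
  for host in "$@"; do
    make_host_bundle "$out_dir" "$host"
    check_bundle "$out_dir" "$out_dir/$host.pem" "$host"
    echo "ok: $out_dir/$host.pem (CN=$host)"
  done
fi
```

Each host then gets its own FQDN.pem as tls_cert_file and tls_key_file, and cacert.pem as tls_ca_file; the CA private key does not need to be on the mail hosts at all and is best kept elsewhere. Two caveats a practitioner would want: tls_ca_file on each side must contain the CA that signed the peer's certificate, not just its own, otherwise the peer verify fails exactly as in the master log; and a client that checks the peer name against the certificate needs the name it connects by to be in the certificate, so with the quoted `sync_host: 10.10.0.178` either the FQDN goes in sync_host or an IP entry is added to the subjectAltName.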