Authentication 'realm' problem

Charles Bradshaw brad at bradcan.homelinux.com
Mon Jan 21 12:47:53 EST 2013


I am seeing an authentication problem when using imtest. I have
cyrus-imapd-utils-2.4.14-1.fc17.i686

The imtest man page says the -r switch specifies the 'realm', but -r does not
seem to work.

I used:
[root@imap-server ~]# saslpasswd2 user
Password ...
and
[root@imap-server ~]# saslpasswd2 cyrus
...
Which puts cyrus@imap-host.mydomain and user@imap-host@mydomain into /etc/sasldb2

Now:
$ imtest -s -a cyrus localhost
Authenticates.

But 
$ imtest -s -a cyrus imap-host
$ imtest -s -a cyrus -r imap-host.mydomain imap-host

From another host fails with:
"Authentication failed. generic failure"

On the other hand:
$ imtest -s -a user localhost
$ imtest -s -a user
BOTH authenticate, but are pointless because I need to authenticate for other,
different, realms.

If instead I use:
[root@imap-server ~]# saslpasswd2 -u mydomain user
Password ...
That is, specify the (badly named 'domain') realm for sasldb2. Now:
$ imtest -s -a user -r mydomain localhost
$ imtest -s -a user -r mydomain imap-host

Both produce "Authentication failed. generic failure"

The /var/log/maillog messages are equally unhelpful:

Jan 21 17:39:21 imap-host imaps[5610]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
Jan 21 17:39:48 imap-host imaps[5610]: badlogin: localhost [::1] DIGEST-MD5 [SASL(-13): user not found: no secret in database]

Obviously I missed some 'realm' configuration for cyrus-imapd or don't
understand how to use -u realm for saslpasswd2 or the -r realm parameter for
imtest!

I think I understood saslpasswd -u realm because I have realms working for
sendmail using saslauthd.

What am I doing wrong?

# cat /etc/imapd.conf
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: auxprop
sasl_mech_list: PLAIN DIGEST-MD5 CRAM-MD5
sasl_auxprop_plugin:sasldb
#allowplaintext: no
#defaultdomain: mail
#loginrealms: mydomain
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt

I tried loginrealms: mydomain without success!

The localhost test FQDN is imap-host.mydomain and my DNS works.
i.e. '$ host imap-host' produces imap-host.mydomain has address 192.168.#.#

Thanks in advance, Charles Bradshaw