Authentication 'realm' problem
Charles Bradshaw
brad at bradcan.homelinux.com
Mon Jan 21 12:47:53 EST 2013
I am seeing an authentication problem when using imtest. I have
cyrus-imapd-utils-2.4.14-1.fc17.i686
The imtest man page says the -r switch specifies the 'realm', but -r does not
seem to work.
I used:
[root at imap-server ~]# saslpasswd2 user
Password ...
and
[root at imap-server ~]# saslpasswd2 cyrus
...
Which puts cyrus at imap-host.mydomain and user at imap-host@mydomain into /etc/sasldb2
Now:
$ imtest -s -a cyrus localhost
Authenticates.
But
$ imtest -s -a cyrus imap-host
$ imtest -s -a cyrus -r imap-host.mydomain imap-host
From another host fails with:
"Authentication failed. generic failure"
On the other hand:
$ imtest -s -a user localhost
$ imtest -s -a user
BOTH authenticate, but are pointless because I need to authenticate for other,
different, realms.
If instead I use:
[root at imap-server ~]# saslpasswd2 -u mydomain user
Password ...
That is, specify the (badly named 'domain') realm for sasldb2. Now:
$ imtest -s -a user -r mydomain localhost
$ imtest -s -a user -r mydomain imap-host
Both produce "Authentication failed. generic failure"
The /var/log/maillog messages are equally unhelpful:
Jan 21 17:39:21 imap-host imaps[5610]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
Jan 21 17:39:48 imap-host imaps[5610]: badlogin: localhost [::1] DIGEST-MD5 [SASL(-13): user not found: no secret in database]
Obviously I missed some 'realm' configuration for cyrus-imapd or don't
understand how to use -u realm for saslpasswd2 or the -r realm parameter for
imtest!
I think I understood saslpasswd -u realm because I have realms working for
sendmail using saslauthd.
What am I doing wrong?
# cat /etc/imapd.conf
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: auxprop
sasl_mech_list: PLAIN DIGEST-MD5 CRAM-MD5
sasl_auxprop_plugin:sasldb
#allowplaintext: no
#defaultdomain: mail
#loginrealms: mydomain
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
I tried loginrealms: mydomain without success!
The localhost test FQDN is imap-host.mydomain and my DNS works.
i.e. '$ host imap-host' produces imap-host.mydomain has address 192.168.#.#
Thanks in advance, Charles Bradshaw