Best distro for Exim/Cyrus

Paul O'Rorke paul at tracker-software.com
Thu Feb 20 00:00:38 EST 2014


Another strange thing.  The encrypted passwords would not be a problem if 
I could get TLS working, I could auth with *login_sasl_server* but even 
though exim appears to be advertising STARTTLS none of the MUA clients 
I've tested recognise the TLS. (Thunderbird and Outlook 2013)

When I use swaks to test the connection I get:

    root@vm-manager:~# swaks -a -tls -q HELO -s chemainus.mjbrownloos.com -au hire -ap '<>'
    === Trying chemainus.mjbrownloos.com:25...
    === Connected to chemainus.mjbrownloos.com.
    <-  220 blmail.chemainus.mjbrownloos.com ESMTP Exim 4.80 Wed, 19 Feb 2014 20:57:30 -0800
      -> EHLO vm-manager.chemaimus.tracker-software.com
    <-  250-blmail.chemainus.mjbrownloos.com Hello vm-manager.chemaimus.tracker-software.com [192.168.4.254]
    <-  250-SIZE 52428800
    <-  250-8BITMIME
    <-  250-PIPELINING
    <-  250-STARTTLS
    <-  250 HELP
      -> STARTTLS
    <-  220 TLS go ahead
    === TLS started w/ cipher DHE-RSA-AES256-SHA
    === TLS peer subject DN="/C=CA/ST=British Columbia/L=Chemainus/O=MJ Brown Ltd/OU=Brown Loos/CN=blmail.chemainus.mjbrownloos.com"
      ~> EHLO vm-manager.chemaimus.tracker-software.com
    <~  250-blmail.chemainus.mjbrownloos.com Hello vm-manager.chemaimus.tracker-software.com [192.168.4.254]
    <~  250-SIZE 52428800
    <~  250-8BITMIME
    <~  250-PIPELINING
    <~  250-AUTH DIGEST-MD5
    <~  250 HELP
      ~> QUIT
    <~  221 blmail.chemainus.mjbrownloos.com closing connection
    === Connection closed with remote host.

so why would clients not be able to use TLS?  Auto-config in both 
clients returns with no TLS options.

confused but determined to get there...

*Paul O'Rorke* Tracker Software Products paul at tracker-software.com 
<mailto:paul.ororke at tracker-software.com>

On 2/19/2014 8:50 PM, Paul O'Rorke wrote:
> Hi again guys,
>
> thanks for the help thus far.  I have managed to get cyrus talking 
> with exim to deliver mail (the -a inside the quotes did this) and I 
> have the cyrus_sasl driver authenticating using DIGEST-MD5:
>
>     digest_md5_sasl_server:
>        driver = cyrus_sasl
>        public_name = DIGEST-MD5
>        server_realm = chemainus.mjbrownloos.com
>        server_set_id = $auth1
>        .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
>        server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
>        .endif
>
> I can receive mail OK, exim passes it to cyrus and I can work with 
> mailboxes in Thunderbird however I don't seem to be able to 
> authenticate to the SMTP server when sending.  Do I need to specify a 
> separate auth for sending through SMTP?
>
> If I turn on *AUTH_SERVER_ALLOW_NOTLS_PASSWORDS = yes* I can send if I 
> enable *login_sasl_server* but I'm sending plaintext passwords.  :-(
>
> If I turn off *AUTH_SERVER_ALLOW_NOTLS_PASSWORDS = yes* then I cannot 
> send using *login_sasl_server* because it obviously needs an encrypted 
> password but I keep getting the message relay not permitted.
>
> If I disable login_sasl_server leaving only the 
> *digest_md5_sasl_server* I still get relay not permitted so it seems 
> it's not authenticating on send.
>
> If it can authenticate for IMAP using *digest_md5_sasl_server* why 
> would it fail when sending?
>
> regards
>
> *Paul O'Rorke*
> Tracker Software Products paul at tracker-software.com 
> <mailto:paul.ororke at tracker-software.com>
>
> On 2/17/2014 12:42 AM, Vladislav Kurz wrote:
>> On Saturday 15 of February 2014 00:05:59 Paul O'Rorke wrote:
>>
>> > If I don't use any encrypted passwords I can log in, work with
>> > mailboxes, receive mail but not send (relay not permitted which I
>> > suspect is so as to not be an open relay..?)
>>
>> You can always set relay_nets (using "dpkg-reconfigure exim4-config") 
>> to your local subnet.
>>
>> > What do I need to do to authenticate with the cyrus_sasl db? Why would
>> > the authenticator driver "cyrus_sasl" not be available? Do I need to
>> > enable that somewhere?
>>
>> I'm not sure but check if you have installed these packages:
>> sasl2-bin, libsasl2-modules and exim4-daemon-heavy (instead of -light).
>>
>> > I've read so many conflicting pages I've completely confused myself.
>> > Maybe I should be looking at TLS/SSL now...
>>
>> If you are on secure net, try setting 
>> AUTH_SERVER_ALLOW_NOTLS_PASSWORDS = yes (in conf.d/main/00_whatever), 
>> to allow plaintext auth.
>>
>> -- 
>> Regards,
>> Vladislav Kurz
>>
>> === WebStep, s.r.o. (Ltd.) ========= a step to the Web ===
>> address: Mezirka 1, 602 00 Brno, CZ, tel: +420 548 214 711
>> === www.webstep.net ======= vladislav.kurz at webstep.net ===
>
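Added example, not part of the original post: a small parser that compares what the server advertises before and after STARTTLS in a swaks transcript, which is how the effect of `server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}` shows up on the wire. The sample transcript is constructed from the session above (abridged, host names replaced with example.test placeholders); the function names are this example's own.

```python
import re

# Constructed sample: EHLO replies from the swaks session above, unwrapped,
# with placeholder host names (example.test) in place of the real ones.
TRANSCRIPT = """\
  -> EHLO client.example.test
<-  250-mail.example.test Hello client.example.test [192.168.4.254]
<-  250-SIZE 52428800
<-  250-STARTTLS
<-  250 HELP
  -> STARTTLS
<-  220 TLS go ahead
  ~> EHLO client.example.test
<~  250-mail.example.test Hello client.example.test [192.168.4.254]
<~  250-SIZE 52428800
<~  250-AUTH DIGEST-MD5
<~  250 HELP
"""

# swaks draws cleartext traffic with "-" arrows and TLS traffic with "~" arrows.
REPLY = re.compile(r"^<([-~])\s+250[- ](\S+)(?:\s+(.*))?$")
EHLO = re.compile(r"^[-~]>\s+EHLO\b")
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # send the password itself (base64 only)

def ehlo_capabilities(transcript):
    """Map each phase ('clear', 'tls') to {ESMTP keyword: [arguments]}."""
    caps = {"clear": {}, "tls": {}}
    skip_greeting = False
    for line in map(str.strip, transcript.splitlines()):
        if EHLO.match(line):
            skip_greeting = True      # next 250 line is "<host> Hello ..."
            continue
        m = REPLY.match(line)
        if not m:
            continue
        if skip_greeting:
            skip_greeting = False
            continue
        phase = "tls" if m.group(1) == "~" else "clear"
        caps[phase][m.group(2).upper()] = (m.group(3) or "").split()
    return caps

def audit(transcript):
    """Summarise what the server offers before and after STARTTLS."""
    caps = ehlo_capabilities(transcript)
    clear, tls = (set(caps[p].get("AUTH", [])) for p in ("clear", "tls"))
    return {"starttls_offered": "STARTTLS" in caps["clear"],
            "auth_before_tls": sorted(clear), "auth_after_tls": sorted(tls),
            "plaintext_mech_exposed": sorted(clear & PLAINTEXT_MECHS)}
```

For the session in this post, `audit(TRANSCRIPT)` reports STARTTLS offered, no AUTH line before TLS, and DIGEST-MD5 as the only mechanism advertised once TLS is up.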
