sivtest fails to authenticate but imtest succeeds

John Hayward john.hayward at wheaton.edu
Sat Jul 11 17:56:05 EDT 2015


Hi Dan,

Thanks so much for your pointer - the issue was that the sieve directory did not exist and permissions were such that it was not able to create it. Once I had the directory and permissions correct I could authenticate with sivtest.

I note the manual for imap.d does not indicate the logging option for sasl - but telling me to set that option caused me to start looking in various logs where the error was reported - in hindsight I should have looked there in the first place.

Thanks again for your help.

johnh...

________________________________________
From: Dan White <dwhite at olp.net>
Sent: Monday, June 29, 2015 2:43 PM
To: John Hayward
Cc: info-cyrus at lists.andrew.cmu.edu
Subject: Re: sivtest fails to authenticate but imtest succeeds

On 06/27/15 13:33 +0000, John Hayward wrote:
>I am having trouble authenticating to sivtest but can authenticate to Imtest.

>my /usr/pkg/etc/imapd.conf currently looks like:
>
>===== imapd.conf ====
>configdirectory: /var/imap
>partition-default: /var/spool/imap
>#sieveusehomedir: true
>hashimapspool: false
>sievedir: /usr/pkg/sieve
>sieve_maxscriptsize: 32
>sieve_maxscripts: 5
>admins: cyrus johnh
>#sasl_mech_list: PLAIN
>sasl_pwcheck_method: auxprop
>sasl_auxprop_plugin: sasldb
>allowanonymouslogin: no
>allowplaintext: yes
>tls_ca_file: /var/imap/server.pem
>tls_cert_file: /var/imap/server.pem
>tls_key_file: /var/imap/server.pem
>===== end imapd.conf ======

>Here is what I am seeing when I run imtest and sivtest
>
>==== sieve.log ===
>Script started on Sat Jun 27 07:54:38 2015
>ESC[?1034hbash-3.2$ imtest -a linda -u linda localhost
>S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS AUTH=LOGIN AUTH=PLAIN SASL-IR] haywardfamily.org Cyrus IMAP v2.4.17 server ready^M
>C: A01 AUTHENTICATE LOGIN^M
>S: + VXNlcm5hbWU6^M
>Please enter your password:
>C: bGluZGE=^M
>S: + UGFzc3dvcmQ6^M
>C: MnphcHB5^M

If this is a publicly accessible server, you should change this password as
it's easily reversible.

>S: A01 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE LIST-EXTENDED WITHIN QRESYNC SCAN XLIST URLAUTH URLAUTH=BINARY LOGINDISABLED COMPRESS=DEFLATE IDLE] Success (no protection) SESSIONID=<haywardfamily.org-4536-1435409698-1>^M
>Authenticated.
>Security strength factor: 0
>^CC: Q01 LOGOUT^M
>Connection closed.
>bash-3.2$ sivtest -a linda -u linda localhost
>S: "IMPLEMENTATION" "Cyrus timsieved v2.4.17"^M
>S: "SASL" "LOGIN PLAIN"^M
>S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"^M
>S: "STARTTLS"^M
>S: "UNAUTHENTICATE"^M
>S: OK^M
>C: AUTHENTICATE "LOGIN"^M
>S: {12}^M
>S: VXNlcm5hbWU6^M
>Please enter your password:
>C: {8+}^M
>C: bGluZGE=^M
>S: {12}^M
>S: UGFzc3dvcmQ6^M
>C: {8+}^M
>C: MnphcHB5^M
>S: NO "Authentication Error"^M
>Authentication failed. generic failure
>Security strength factor: 0
>^CC: LOGOUT^M
>Connection closed.
>bash-3.2$ exit
>exit
>
>Script done on Sat Jun 27 07:55:49 2015
>==== end of sieve.log ===
>
>Any suggestions on how to resolve this issue?

Review your syslog (auth facility). Increase your sasl log level if
necessary (set 'sasl_log_level: 7' in imapd.conf).

>Some additional questions:
>
>1) if one is trying to use sasldb with sasl_auxprop_plugin then saslauthd
>is out of the picture - I have it running but don't think it needs to be
>involved.

Correct, when 'sasl_pwcheck_method: auxprop' is set.


>2) There appears to be both login and plain mechanisms - on imtest I can
>specify either and they both authenticate - which one should I be focused
>on?

PLAIN is preferred in that it supports passing authz (-u) identities. Be aware
that specifying '-m login' (for imtest only) will fall back to using
pre-sasl 'login' authentication, or at least it used to.

--
Dan White
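
Dan's remark about the reversible password, as an added example that is not part of the original thread: a small filter that masks the client's base64 SASL responses in an imtest/sivtest transcript before it is shared. The sample transcript and its credentials are constructed, and the names `redact`, `AUTH_START`, `AUTH_END` and `B64_LINE` are hypothetical.

```python
import base64
import re

# Constructed sample (not from the thread): a ManageSieve SASL LOGIN
# exchange with made-up credentials "alice" / "example-pw".
SAMPLE = "\n".join([
    'S: "SASL" "LOGIN PLAIN"',
    'S: OK',
    'C: AUTHENTICATE "LOGIN"',
    'S: {12}',
    'S: VXNlcm5hbWU6',                       # base64 of "Username:"
    'C: {8+}',
    'C: ' + base64.b64encode(b"alice").decode(),
    'S: {12}',
    'S: UGFzc3dvcmQ6',                       # base64 of "Password:"
    'C: {16+}',
    'C: ' + base64.b64encode(b"example-pw").decode(),
    'S: NO "Authentication Error"',
    'C: LOGOUT',
])

# Client AUTHENTICATE command, with optional IMAP tag and optional
# SASL initial response on the same line (e.g. PLAIN with SASL-IR).
AUTH_START = re.compile(r'^C: (?:\S+ )?AUTHENTICATE\s+"?(\w[\w-]*)"?(?:\s+(\S+))?', re.I)
# Server status line that ends the exchange (tagged in IMAP, bare in sieve).
AUTH_END = re.compile(r'^S: (?:[^+\s]\S* )?(?:OK|NO|BAD|BYE)(?:\s|$)', re.I)
# A client line that is nothing but base64: a SASL response.
B64_LINE = re.compile(r'^C: [A-Za-z0-9+/]+={0,2}\s*$')

def redact(transcript):
    """Return (redacted_text, n_redacted) for an imtest/sivtest transcript."""
    out, in_auth, n = [], False, 0
    for raw in transcript.splitlines():
        line = re.sub(r'(?:\^M|\r)+$', '', raw)  # drop CR / literal ^M from script(1) logs
        start = AUTH_START.match(line)
        if start:
            in_auth = True
            if start.group(2):                   # initial response carries credentials
                line = line[:start.start(2)] + "[REDACTED]"
                n += 1
        elif in_auth and AUTH_END.match(line):
            in_auth = False                      # server accepted or rejected the login
        elif in_auth and B64_LINE.match(line):
            line = "C: [REDACTED]"               # username or password response
            n += 1
        out.append(line)
    return "\n".join(out), n

if __name__ == "__main__":
    print(redact(SAMPLE)[0])
```

Server challenges are left intact because they only carry the prompts; the literal sizes such as `{8+}` still reveal the length of each response.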

