Migrating mailbox data from Cyrus to Microsoft Office 365 using their import tool.

Dan White dwhite at olp.net
Thu Jun 23 14:19:58 EDT 2016


On 06/23/16 16:49 +0200, Eric Luyten via Info-cyrus wrote:
>On Wed, June 22, 2016 6:02 pm, Dan White wrote:
>> To enable SASL LOGIN support, add 'LOGIN' to your sasl_mech_list. Don't
>> confuse login with pre-sasl user/pass authentication.
>>
>> If Office 365 isn't performing TLS, you'll need to configure
>> sasl_minimum_layer and allowplaintext appropriately.
>
>By restricting the sasl_mech_list in imapd.conf I can make our server
>announce only AUTH=PLAIN in its capabilities string but the client
>insists on (and succeeds in) authenticating using AUTH=LOGIN, thus
>rendering proxying impossible.

You're right. I missed that part before. LOGIN doesn't allow the passing of
authz credentials, which is necessary for proxy authentication.

>There is a mech_list setting in saslauthd.conf which currently reads
>'mech_list: login plain ldap' but this applies server wide and so
>I am a bit reluctant playing with it.

saslauthd.conf does not support a mech_list option (you're looking for
sasl_mech_list in /etc/imapd.conf). If you're using the ldap backend,
reference 'saslauthd/LDAP_SASLAUTHD' in the cyrus sasl source for
documentation.

DIGEST-MD5 is a better approach here, except that you're using saslauthd,
which cannot support it.

If you have access to customer credentials, which I assume you do, then you
could finagle a solution by creating a /etc/sasldb2 database (with
saslpasswd2), and then exposing the DIGEST-MD5 mechanism via mech_list.

>The Office365 IMAP import client uses TLS, I have requested to deselect
>that option to see whether it then switches to using the stronger mech
>AUTH=PLAIN

PLAIN isn't any stronger than LOGIN. Both are considered insecure without
TLS.

-- 
Dan White
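As an added illustration of the two points made in this thread (that LOGIN cannot carry the authorization identity a proxy needs, and that PLAIN and LOGIN are only acceptable under TLS), here is a small checker, not part of the original exchange or of Cyrus, that parses an IMAP CAPABILITY line and reports which advertised mechanisms are proxy-capable and which are plaintext. The sample capability lines are constructed, not captured from a real server.

```python
import re

# Mechanisms that carry no separate authorization identity (authzid), so a
# proxy cannot authenticate as itself and act on behalf of a user. LOGIN is
# the one the thread trips over; CRAM-MD5 has the same limitation.
NO_AUTHZID = {"LOGIN", "CRAM-MD5"}
# Mechanisms that send the password in the clear; only acceptable inside TLS.
PLAINTEXT = {"PLAIN", "LOGIN"}

# Matches either an untagged CAPABILITY response or a greeting with a
# [CAPABILITY ...] response code, as Cyrus sends.
_CAP_RE = re.compile(r"(?:\* CAPABILITY |\[CAPABILITY )([^\]\r\n]*)")


def parse_capabilities(line):
    """Return (capabilities, sasl_mechanisms) as upper-cased sets."""
    m = _CAP_RE.search(line)
    if not m:
        raise ValueError("no CAPABILITY data in: %r" % line)
    tokens = [t.upper() for t in m.group(1).split()]
    mechs = {t[5:] for t in tokens if t.startswith("AUTH=")}
    caps = {t for t in tokens if not t.startswith("AUTH=")}
    return caps, mechs


def assess(line, tls_active=False):
    """Report what the server offers at this point of the session.

    tls_active=False means the line was read before STARTTLS, so any
    plaintext mechanism listed there is being offered without protection
    (i.e. allowplaintext / sasl_minimum_layer are permissive)."""
    caps, mechs = parse_capabilities(line)
    return {
        "plaintext_without_tls": [] if tls_active else sorted(mechs & PLAINTEXT),
        "proxy_capable": sorted(mechs - NO_AUTHZID),
        "no_authzid": sorted(mechs & NO_AUTHZID),
        "logindisabled": "LOGINDISABLED" in caps,
    }


# Constructed sample lines (not real server output).
WEAK = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN SASL-IR"
HARDENED = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=DIGEST-MD5] Cyrus ready"

if __name__ == "__main__":
    for label, line in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, assess(line))
```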