Can't authorize as different user in cyradm and sieveshell

Andrew Morgan morgan at orst.edu
Sun Nov 20 22:34:58 EST 2016


This works for me under v2.4.18.  I'm able to run sieveshell against a 
frontend or backend authenticating as a cyrus "admins" user or a 
"proxyservers" user (on the backend).

Against a frontend:

# sieveshell -u morgan -a cyrus imap.onid.oregonstate.edu
connecting to imap.onid.oregonstate.edu
Please enter your password:
> list
onid-web
real  <- active script
> quit


Against a backend:

# sieveshell -u morgan -a cyr_proxy cyrus-be1.onid.oregonstate.edu
connecting to cyrus-be1.onid.oregonstate.edu
Please enter your password:
> list
onid-web
real  <- active script
> quit


My imapd.conf settings:

admins: cyrus
allowplaintext: 0
sasl_mech_list: PLAIN
sasl_minimum_layer: 0
sasl_pwcheck_method: saslauthd
sieve_allowreferrals: 0
sieve_allowplaintext: 1


Have you tried using the "sivtest" program?  It will show you the protocol 
handshakes, which might help.  Here is an example for me:

# sivtest -u morgan -a cyrus localhost
S: "IMPLEMENTATION" "Cyrus timsieved (Murder) v2.4.18"
S: "SASL" "PLAIN"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope body relational regex subaddress copy"
S: "STARTTLS"
S: "UNAUTHENTICATE"
S: OK
Please enter your password:
C: AUTHENTICATE "PLAIN" {28+}
<redacted>
S: OK
Authenticated.
Security strength factor: 0
C: LOGOUT
OK "Logout Complete"
Connection closed.


 	Andy

On Sun, 20 Nov 2016, Michael Ulitskiy via Info-cyrus wrote:

> Since nobody answered, I guess, nobody has any idea.
> I wonder if anybody uses this feature and it works for you?
> I mean I'd like to know if that's just me and something is wrong with my setup or maybe that feature isn't functional at all?
> Thanks in advance,
>
> Michael
>
> On Thursday, November 17, 2016 06:30:18 PM Michael Ulitskiy via Info-cyrus wrote:
>> Hello,
>>
>> I'm playing with cyrus-imap 2.5.10 and cyrus-sasl 2.1.26.
>> I'm trying to use sieveshell to set up users' sieve scripts, but since
>> I don't know users' passwords I want to use a special user for authentication
>> and authorize as the target user.
>> Here's what I have.
>>
>> imapd.conf:
>> admins: mailadmin
>> proxyservers: proxyadmin
>> sasl_pwcheck_method: saslauthd
>> #sasl_pwcheck_method: alwaystrue
>> sasl_mech_list: PLAIN
>> allowplaintext: yes
>>
>> Here's what I do:
>>
>> root at rway-imap-vm:~# sieveshell -a proxyadmin -u t4 at virtualcrap.com localhost
>> connecting to localhost
>> Please enter your password:
>> unable to connect to server at /usr/bin/sieveshell line 191, <STDIN> line 1.
>>
>> here's the log:
>> Nov 17 18:24:44 rway-imap-vm sieve[2256]: TLS is available.
>> Nov 17 18:24:46 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 'proxyadmin' granted access
>> Nov 17 18:24:46 rway-imap-vm sieve[2256]: badlogin: localhost [127.0.0.1] PLAIN no mechanism available
>> Nov 17 18:24:46 rway-imap-vm sieve[2256]: Lost connection to client -- exiting
>>
>> As you can see, user proxyadmin authenticated successfully, but then something (authorization?) went wrong
>> and it says "PLAIN no mechanism available".
>> This only happens if I try to authorize as a different user. If I don't, everything works fine:
>>
>> root at rway-imap-vm:~# sieveshell -a t4 at virtualcrap.com -u t4 at virtualcrap.com localhost
>> connecting to localhost
>> Please enter your password:
>>>
>>
>> log:
>> Nov 17 18:24:11 rway-imap-vm sieve[2247]: TLS is available.
>> Nov 17 18:24:15 rway-imap-vm saslauthd[1167]: pam_userdb(sieve:auth): user 't4 at virtualcrap.com' granted access
>> Nov 17 18:24:15 rway-imap-vm sieve[2247]: login: localhost [127.0.0.1] t4 at virtualcrap.com PLAIN User logged in
>>
>> The same happens to cyradm:
>> root at rway-imap-vm:~# cyradm --user=proxyadmin --authz=t4 at virtualcrap.com --auth=plain localhost
>> Password:
>> IMAP Password:
>>
>> log:
>> Nov 17 18:26:27 rway-imap-vm saslauthd[1166]: pam_userdb(imap:auth): user 'proxyadmin' granted access
>> Nov 17 18:26:27 rway-imap-vm imap[2277]: badlogin: localhost [127.0.0.1] PLAIN [SASL(-4): no mechanism available: Unable to find a callback: 32773]
>>
>> but ok without trying to authorize as different user:
>> root at rway-imap-vm:~# cyradm --user=t4 at virtualcrap.com --auth=plain localhost
>> Password:
>> localhost>
>> Nov 17 18:27:31 rway-imap-vm saslauthd[1167]: pam_userdb(imap:auth): user 't4 at virtualcrap.com' granted access
>> Nov 17 18:27:31 rway-imap-vm imap[2276]: login: localhost [127.0.0.1] t4 at virtualcrap.com PLAIN User logged in SESSIONID=<rway-imap.aceinnovative.com-2276-1479425249-1-16233364852996823733>
>>
>> Can somebody tell me what I am doing wrong?
>> Thanks a lot,
>>
>> Michael
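
Added example, not part of the original thread and not Cyrus code: a Python sketch of the two checks this thread turns on. It decodes a SASL PLAIN initial response (RFC 4616) to see which authorization identity (sieveshell -u) and authentication identity (-a) the client sent, and it scans syslog for logins where saslauthd accepted the password but the service still logged badlogin. Function names and the credentials in the test are hypothetical; the log lines are copied from the quoted message above.

```python
import base64
import re

def encode_plain(authzid, authcid, password):
    """RFC 4616 message: [authzid] NUL authcid NUL passwd, base64 for the wire."""
    raw = "\0".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def decode_plain(b64):
    """Return (authzid, authcid, proxying) from a captured initial response.
    The password field is deliberately dropped rather than returned."""
    parts = base64.b64decode(b64, validate=True).split(b"\0")
    if len(parts) != 3 or not parts[1]:
        raise ValueError("not a SASL PLAIN message")
    authzid, authcid = parts[0].decode("utf-8"), parts[1].decode("utf-8")
    # An empty authzid means "act as the authenticated user" (no proxying).
    return authzid, authcid, bool(authzid) and authzid != authcid

GRANTED = re.compile(r"saslauthd\[\d+\]: pam_userdb\((\w+):auth\): user '([^']+)' granted access")
RESULT = re.compile(r" (\w+)\[\d+\]: (badlogin|login): ")

def password_ok_but_refused(lines):
    """Yield (service, user) where saslauthd accepted the password but the
    service then logged badlogin, i.e. the failure came after password checking."""
    pending = {}                      # service -> user last granted by saslauthd
    for line in lines:
        m = GRANTED.search(line)
        if m:
            pending[m.group(1)] = m.group(2)
            continue
        m = RESULT.search(line)
        if m and m.group(1) in pending:
            user = pending.pop(m.group(1))
            if m.group(2) == "badlogin":
                yield m.group(1), user

# Log lines copied from the quoted message in this thread.
THREAD_LOG = [
    "Nov 17 18:24:15 rway-imap-vm saslauthd[1167]: pam_userdb(sieve:auth): user 't4 at virtualcrap.com' granted access",
    "Nov 17 18:24:15 rway-imap-vm sieve[2247]: login: localhost [127.0.0.1] t4 at virtualcrap.com PLAIN User logged in",
    "Nov 17 18:24:46 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 'proxyadmin' granted access",
    "Nov 17 18:24:46 rway-imap-vm sieve[2256]: badlogin: localhost [127.0.0.1] PLAIN no mechanism available",
]
```
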

