Can't authorize as different user in cyradm and sieveshell

Michael Ulitskiy mulitskiy at acedsl.com
Mon Nov 21 12:22:19 EST 2016


Andrew,

Thanks for the reply. It's good to know it works for someone.
I've tried to downgrade cyrus to 2.4.18, but that didn't help.
sivtest doesn't provide much of a clue:

root@rway-imap-vm:~# sivtest -a proxyadmin -u t4@virtualcrap.com localhost
S: "IMPLEMENTATION" "Cyrus timsieved v2.4.18"
S: "SASL" "PLAIN"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope imap4flags relational regex subaddress copy"
S: "UNAUTHENTICATE"
S: OK
Please enter your password: 
C: AUTHENTICATE "PLAIN" {48+}
<redacted>
S: NO "Authentication Error"
Authentication failed. generic failure
Security strength factor: 0

while the log is saying:
Nov 21 12:01:57 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 'proxyadmin' granted access
Nov 21 12:01:57 rway-imap-vm sieve[21483]: badlogin: localhost[127.0.0.1] PLAIN no mechanism available

The same happens if I use the admin user.
I also tried to change sasl_pwcheck_method to 'alwaystrue' to make sure no authentication problems stand in the way, but that also didn't help.
I'm at a loss now. Any more troubleshooting clues?

Thanks,
Michael

On Sunday, November 20, 2016 07:34:58 PM Andrew Morgan wrote:
> This works for me under v2.4.18.  I'm able to run sieveshell against a 
> frontend or backend authenticating as a cyrus "admins" user or a 
> "proxyservers" user (on the backend).
> 
> Against a frontend:
> 
> # sieveshell -u morgan -a cyrus imap.onid.oregonstate.edu
> connecting to imap.onid.oregonstate.edu
> Please enter your password:
> > list
> onid-web
> real  <- active script
> > quit
> 
> 
> Against a backend:
> 
> # sieveshell -u morgan -a cyr_proxy cyrus-be1.onid.oregonstate.edu
> connecting to cyrus-be1.onid.oregonstate.edu
> Please enter your password:
> > list
> onid-web
> real  <- active script
> > quit
> 
> 
> My imapd.conf settings:
> 
> admins: cyrus
> allowplaintext: 0
> sasl_mech_list: PLAIN
> sasl_minimum_layer: 0
> sasl_pwcheck_method: saslauthd
> sieve_allowreferrals: 0
> sieve_allowplaintext: 1
> 
> 
> Have you tried using the "sivtest" program?  It will show you the protocol 
> handshakes, which might help.  Here is an example for me:
> 
> # sivtest -u morgan -a cyrus localhost
> S: "IMPLEMENTATION" "Cyrus timsieved (Murder) v2.4.18"
> S: "SASL" "PLAIN"
> S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope body relational regex subaddress copy"
> S: "STARTTLS"
> S: "UNAUTHENTICATE"
> S: OK
> Please enter your password:
> C: AUTHENTICATE "PLAIN" {28+}
> <redacted>
> S: OK
> Authenticated.
> Security strength factor: 0
> C: LOGOUT
> OK "Logout Complete"
> Connection closed.
> 
> 
>  	Andy
> 
> On Sun, 20 Nov 2016, Michael Ulitskiy via Info-cyrus wrote:
> 
> > Since nobody answered, I guess, nobody has any idea.
> > I wonder if anybody uses this feature and it works for you?
> > I mean I'd like to know if that's just me and something is wrong with my setup or maybe that feature isn't functional at all?
> > Thanks in advance,
> >
> > Michael
> >
> > On Thursday, November 17, 2016 06:30:18 PM Michael Ulitskiy via Info-cyrus wrote:
> >> Hello,
> >>
> >> I'm playing with cyrus-imap 2.5.10 and cyrus-sasl 2.1.26.
> >> I'm trying to use sieveshell to set up users' sieve scripts, but since
> >> I don't know users' passwords I want to use a special user for authentication
> >> and authorize as the target user.
> >> Here's what I have.
> >>
> >> imapd.conf:
> >> admins: mailadmin
> >> proxyservers: proxyadmin
> >> sasl_pwcheck_method: saslauthd
> >> #sasl_pwcheck_method: alwaystrue
> >> sasl_mech_list: PLAIN
> >> allowplaintext: yes
> >>
> >> here's what I do:
> >>
> >> root@rway-imap-vm:~# sieveshell -a proxyadmin -u t4@virtualcrap.com localhost
> >> connecting to localhost
> >> Please enter your password:
> >> unable to connect to server at /usr/bin/sieveshell line 191, <STDIN> line 1.
> >>
> >> here's the log:
> >> Nov 17 18:24:44 rway-imap-vm sieve[2256]: TLS is available.
> >> Nov 17 18:24:46 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 'proxyadmin' granted access
> >> Nov 17 18:24:46 rway-imap-vm sieve[2256]: badlogin: localhost [127.0.0.1] PLAIN no mechanism available
> >> Nov 17 18:24:46 rway-imap-vm sieve[2256]: Lost connection to client -- exiting
> >>
> >> as you can see user proxyadmin authenticated successfully, but then something (authorization?) went wrong
> >> and it says "PLAIN no mechanism available".
> >> this only happens if I try to authorize as a different user. if I don't, everything works fine:
> >>
> >> root@rway-imap-vm:~# sieveshell -a t4@virtualcrap.com -u t4@virtualcrap.com localhost
> >> connecting to localhost
> >> Please enter your password:
> >>>
> >>
> >> log:
> >> Nov 17 18:24:11 rway-imap-vm sieve[2247]: TLS is available.
> >> Nov 17 18:24:15 rway-imap-vm saslauthd[1167]: pam_userdb(sieve:auth): user 't4@virtualcrap.com' granted access
> >> Nov 17 18:24:15 rway-imap-vm sieve[2247]: login: localhost [127.0.0.1] t4@virtualcrap.com PLAIN User logged in
> >>
> >> the same happens with cyradm:
> >> root@rway-imap-vm:~# cyradm --user=proxyadmin --authz=t4@virtualcrap.com --auth=plain localhost
> >> Password:
> >> IMAP Password:
> >>
> >> log:
> >> Nov 17 18:26:27 rway-imap-vm saslauthd[1166]: pam_userdb(imap:auth): user 'proxyadmin' granted access
> >> Nov 17 18:26:27 rway-imap-vm imap[2277]: badlogin: localhost [127.0.0.1] PLAIN [SASL(-4): no mechanism available: Unable to find a callback: 32773]
> >>
> >> but ok without trying to authorize as different user:
> >> root@rway-imap-vm:~# cyradm --user=t4@virtualcrap.com --auth=plain localhost
> >> Password:
> >> localhost>
> >> Nov 17 18:27:31 rway-imap-vm saslauthd[1167]: pam_userdb(imap:auth): user 't4@virtualcrap.com' granted access
> >> Nov 17 18:27:31 rway-imap-vm imap[2276]: login: localhost [127.0.0.1] t4@virtualcrap.com PLAIN User logged in SESSIONID=<rway-imap.aceinnovative.com-2276-1479425249-1-16233364852996823733>
> >>
> >> Can somebody tell me what I am doing wrong?
> >> Thanks a lot,
> >>
> >> Michael
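
The commands in this thread send two identities in one SASL PLAIN message (RFC 4616): the authentication name (`-a`, `--user`) and the authorization name (`-u`, `--authz`). The following is an added example, not part of the thread and not Cyrus code: it builds and decodes that message and applies a simplified model of the `admins`/`proxyservers` rule, using the names from the quoted imapd.conf and a constructed password.

```python
import base64

# Values from the imapd.conf quoted in the original post.
ADMINS = {"mailadmin"}
PROXYSERVERS = {"proxyadmin"}


def build_plain(authzid: str, authcid: str, password: str) -> bytes:
    """RFC 4616 message: [authzid] NUL authcid NUL passwd, UTF-8 encoded."""
    return b"\0".join(s.encode("utf-8") for s in (authzid, authcid, password))


def parse_plain(b64_response: str):
    """Decode a base64 PLAIN initial response into (authzid, authcid, passwd)."""
    raw = base64.b64decode(b64_response, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN message must contain exactly two NUL separators")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("authcid and passwd must be non-empty")
    # An empty authzid means "act as the identity derived from authcid".
    return authzid or authcid, authcid, passwd


def may_act_as(authcid: str, authzid: str) -> bool:
    """Simplified proxy policy (assumption): same user, or a listed proxy/admin."""
    return authzid == authcid or authcid in ADMINS | PROXYSERVERS


def literal_for(authzid: str, authcid: str, password: str) -> str:
    """Client line in the form sivtest prints: {N+} is the base64 length."""
    b64 = base64.b64encode(build_plain(authzid, authcid, password)).decode("ascii")
    return 'AUTHENTICATE "PLAIN" {%d+}\r\n%s' % (len(b64), b64)


def decide(b64_response: str) -> str:
    """Report who authenticated, who they asked to act as, and the verdict."""
    authzid, authcid, _ = parse_plain(b64_response)
    verdict = "allowed" if may_act_as(authcid, authzid) else "denied"
    return "%s as %s: %s" % (authcid, authzid, verdict)


if __name__ == "__main__":
    # Constructed password; identities are the ones used in the thread.
    line = literal_for("t4@virtualcrap.com", "proxyadmin", "example-pw")
    print(line)
    print(decide(line.split("\r\n", 1)[1]))
```

The password check (saslauthd in this thread) only covers the authentication name; whether that name may act as the authorization name is a separate decision made by the server afterwards.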