Frontend couldn't authenticate to backend server: authentication failure

Jean-Christophe Delaye Jean-Christophe.Delaye at eurecom.fr
Fri Jun 1 12:03:51 EDT 2018


Dear all,

I'm trying to complete the setup of a Cyrus Murder: 1 frontend with mupdate and
1 backend (initial config).
Machines are running Solaris 11.3 (for ZFS, HA clustering and zone
capabilities), SASL 2.1.27(rc8) and Cyrus 3.0.7.

Services seem to be running fine on both master/frontend (hostname cassandra)
and backend (hostname imap1).
I can create mailboxes on backend and location is maintained on the
mupdate server.

Backend#
root@imap1:# ./ctl_mboxlist -C /global/cyrus1/etc/imapd.conf -d

user.delaye     0 default delaye        lrswipkxtecdan
user.delaye.INBOX.JCD   0 default delaye        lrswipkxtecdan
user.delaye.Trash       0 default delaye        lrswipkxtecdan
user.standard   0 default standard      lrswipkxtecdan  delaye  lrswipkxtecdan  titi    lrswipkxtecdan
user.standart   0 default standart      lrswipkxtecdan

Master#
[root@cassandra sbin]# ./ctl_mboxlist -C /global/cyrus/etc/imapd.conf -d
user.delaye     1 imap1.eurecom.fr!default delaye       lrswipkxtecdan
user.delaye.INBOX.JCD   1 imap1.eurecom.fr!default delaye       lrswipkxtecdan
user.delaye.Trash       1 imap1.eurecom.fr!default delaye       lrswipkxtecdan
user.standard   1 imap1.eurecom.fr!default standard     lrswipkxtecdan  delaye  lrswipkxtecdan  titi    lrswipkxtecdan
user.standart   1 imap1.eurecom.fr!default standart     lrswipkxtecdan

From the client, the connection to the backend is OK

# telnet imap1 imap
Trying 192.168.106.208...
Connected to imap1.eurecom.fr.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE
MUPDATE=mupdate://cassandra.eurecom.fr/ STARTTLS AUTH=PLAIN SASL-IR]
imap1.eurecom.fr Cyrus IMAP 3.0.7 server ready
001 login standard XXXXXXX
001 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA
MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN
MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SEARCH=FUZZY SORT
SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT
THREAD=REFERENCES THREAD=REFS ANNOTATEMORE ANNOTATE-EXPERIMENT-1
METADATA LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS LIST-METADATA WITHIN
QRESYNC SCAN XLIST XMOVE MOVE SPECIAL-USE CREATE-SPECIAL-USE DIGEST=SHA1
X-REPLICATION URLAUTH URLAUTH=BINARY
MUPDATE=mupdate://cassandra.eurecom.fr/ LOGINDISABLED COMPRESS=DEFLATE
X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE
X-QUOTA=X-NUM-FOLDERS IDLE] User logged in
SESSIONID=<cyrus1-11584-1527864026-1-553541307793954667>
A001 SELECT INBOX
* 0 EXISTS
* 0 RECENT
* FLAGS (\Answered \Flagged \Draft \Deleted \Seen)
* OK [PERMANENTFLAGS (\Answered \Flagged \Draft \Deleted \Seen \*)] Ok
* OK [UIDVALIDITY 1527674348] Ok
* OK [UIDNEXT 1] Ok
* OK [HIGHESTMODSEQ 3] Ok
* OK [URLMECH INTERNAL] Ok
* OK [ANNOTATIONS 65536] Ok
A001 OK [READ-WRITE] Completed

The problem seems to be the proxy connections through frontend to the
server with a backend role.

The frontend is forwarding the imap requests to the backend using
proxy_authname username

saslauthd[18753] :auth success: [user=mailproxy] [service=imap] [realm=]
[mech=shadow]

From the client(s), the connection to the frontend is the issue

001 login standard xxxxxxx
001 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA
MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN
MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SEARCH=FUZZY SORT
SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT
THREAD=REFERENCES THREAD=REFS ANNOTATEMORE ANNOTATE-EXPERIMENT-1
METADATA LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS LIST-METADATA WITHIN
QRESYNC SCAN XLIST XMOVE MOVE SPECIAL-USE CREATE-SPECIAL-USE DIGEST=SHA1
X-REPLICATION URLAUTH URLAUTH=BINARY
MUPDATE=mupdate://cassandra.eurecom.fr/ LOGINDISABLED COMPRESS=DEFLATE
X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE
X-QUOTA=X-NUM-FOLDERS IDLE] User logged in
SESSIONID=<cyrus-17553-1527863251-1-12888262518610106734>

Once I get connected and authenticated, I launch the command
“select inbox”, but I receive the message
A001 SELECT INBOX
A001 NO Server(s) unavailable to complete operation

In the log files there is an error from both frontend and backend

From frontend:
cassandra cyrus/imap[19868]:
couldn't authenticate to backend server: authentication failure

From backend:
imap1 cyrus1/master
about to exec /opt/cyrus-imapd_3.0.7-cyrus1/libexec/imapd

imap1 cyrus1/imap[11632]: SASL could not find auxprop plugin, was
searching for '[all]'
badlogin: cassandra.eurecom.fr [192.168.106.61] PLAIN [SASL(-4): no
mechanism available: Password verification failed]

It seems to me that the imap process on the backend is unable to use the
correct sasl authentication library. (I've compiled imapd with standard
dynamic sasl).

Any help would be appreciated.  I have spent several days working on
this problem without making any progress at all.

Here are my configuration files (cyr_info conf)

On the backend:

admins: cyrus1 cyrus postman
allowallsubscribe: yes
allowplaintext: yes
allowusermoves: yes
auditlog: yes
configdirectory: /global/cyrus1/var/mail
defaultpartition: default
duplicate_db_path: /var/run/cyrus1/deliver.db
hashimapspool: yes
debug: yes
httpmodules: caldav carddav
idlesocket: /var/run/cyrus1/idle
mboxname_lockpath: /var/run/cyrus1_lock
mupdate_authname: postman
mupdate_password: xxxxxxx
mupdate_server: cassandra.eurecom.fr
mupdate_username: postman
popminpoll: 1
proc_path: /var/run/cyrus1_proc
proxy_authname: mailproxy
proxy_password: yyyyyyyy
proxyservers: mailproxy cyrus1 cyrus
ptscache_db_path: /var/run/cyrus1/ptscache.db
servername: imap1.eurecom.fr
sievedir: /global/cyrus1/var/sieve
statuscache_db_path: /var/run/cyrus1/statuscache.db
syslog_prefix: cyrus1
tls_sessions_db_path: /var/run/cyrus1/tls_sessions.db
sasl_saslauthd_path: /global/cyrus1/var/state/saslauthd/mux
sasl_mech_list: plain
sasl_auto_transition: no
sasl_pwcheck_method: saslauthd
partition-default: /global/cyrus1/mail
lmtp_admins: mailproxy cyrus1 cyrus


on the frontend/mupdate master:

admins: cyrus cyrus1 postman
allowallsubscribe: yes
allowplaintext: yes
allowusermoves: yes
auditlog: yes
configdirectory: /global/cyrus/var/mail
defaultpartition: default
duplicate_db_path: /var/run/cyrus/deliver.db
force_sasl_client_mech: PLAIN
hashimapspool: yes
debug: yes
httpmodules: caldav carddav
idlesocket: /var/run/cyrus/idle
mboxname_lockpath: /var/run/cyrus_lock
mupdate_authname: postman
mupdate_password: xxxxxxx
mupdate_server: cassandra.eurecom.fr
mupdate_username: postman
popminpoll: 1
proc_path: /var/run/cyrus_proc
proxy_authname: mailproxy
proxy_password: yyyyyyyyy
ptscache_db_path: /var/run/cyrus/ptscache.db
servername: cassandra.eurecom.fr
sievedir: /global/cyrus/var/sieve
statuscache_db_path: /var/run/cyrus/statuscache.db
syslog_prefix: cyrus
cassandra_mechs: PLAIN
sasl_saslauthd_path: /global/cyrus/var/state/saslauthd/mux
imap1_mechs: PLAIN
sasl_mech_list: plain
sasl_auto_transition: no
sasl_pwcheck_method: saslauthd
partition-default: /global/cyrus/mail
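
Added example, not part of the original post: a static cross-check of the two cyr_info conf listings above for the settings a frontend-to-backend proxy login depends on. The choice of checks and the function names parse_conf and check_proxy_auth are this example's own (hypothetical); the sample values are copied from the post with passwords left out, and mechanism names are assumed to compare case-insensitively.

```python
# Added example: cross-check frontend vs backend imapd.conf for Murder proxy auth.
# Sample values are copied from the post's two listings (passwords omitted).
BACKEND_CONF = """\
allowplaintext: yes
proxyservers: mailproxy cyrus1 cyrus
servername: imap1.eurecom.fr
sasl_mech_list: plain
"""
FRONTEND_CONF = """\
force_sasl_client_mech: PLAIN
proxy_authname: mailproxy
imap1_mechs: PLAIN
"""

def parse_conf(text):
    """Parse 'key: value' lines as printed by cyr_info conf into a dict."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and not line.lstrip().startswith("#"):
            conf[key.strip()] = value.strip()
    return conf

def check_proxy_auth(frontend, backend):
    """Return a list of findings; an empty list means the static settings agree."""
    findings = []
    authname = frontend.get("proxy_authname", "")
    if authname not in backend.get("proxyservers", "").split():
        findings.append(f"proxy_authname '{authname}' is not in backend proxyservers")
    # Assumption: the per-backend key is <short hostname>_mechs, derived here from
    # the backend's servername; force_sasl_client_mech is checked as well.
    short = backend.get("servername", "").split(".")[0]
    wanted = set()
    for key in (f"{short}_mechs", "force_sasl_client_mech"):
        wanted.update(m.upper() for m in frontend.get(key, "").split())
    offered = {m.upper() for m in backend.get("sasl_mech_list", "").split()}
    if offered:  # an unset sasl_mech_list places no restriction
        for mech in sorted(wanted - offered):
            findings.append(f"frontend mechanism {mech} is not in backend sasl_mech_list")
    # PLAIN carries proxy_password as-is, so flag a backend that accepts it without TLS.
    if "PLAIN" in wanted and backend.get("allowplaintext") == "yes":
        findings.append("warning: backend allowplaintext permits PLAIN without TLS")
    return findings

if __name__ == "__main__":
    for finding in check_proxy_auth(parse_conf(FRONTEND_CONF), parse_conf(BACKEND_CONF)):
        print(finding)
```

With the values from the post it returns only the PLAIN-without-TLS warning; it does not exercise saslauthd or the SASL plugins the backend loads at run time.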






