Frontend couldn't authenticate to backend server: authentication failure

Jean-Christophe Delaye Jean-Christophe.Delaye at eurecom.fr
Mon Jun 4 05:23:55 EDT 2018


On 06/01/2018 07:54 PM, Dan White wrote:
> On 06/01/18 18:03 +0200, Jean-Christophe Delaye wrote:
>> I'm trying to complete the setup of Cyrus Murder: 1 frontend with mupdate and
>> 1 backend (initial config).
> 
>> # telnet imap1 imap
>> Trying 192.168.106.208...
>> Connected to imap1.eurecom.fr.
>> Escape character is '^]'.
>> * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE
>> MUPDATE=mupdate://cassandra.eurecom.fr/ STARTTLS AUTH=PLAIN SASL-IR]
> 
>> 001 login standard XXXXXXX
> 
>> A001 SELECT INBOX
>> * 0 EXISTS
>> * 0 RECENT
>> * FLAGS (\Answered \Flagged \Draft \Deleted \Seen)
>> * OK [PERMANENTFLAGS (\Answered \Flagged \Draft \Deleted \Seen \*)] Ok
>> * OK [UIDVALIDITY 1527674348] Ok
>> * OK [UIDNEXT 1] Ok
>> * OK [HIGHESTMODSEQ 3] Ok
>> * OK [URLMECH INTERNAL] Ok
>> * OK [ANNOTATIONS 65536] Ok
>> A001 OK [READ-WRITE] Completed
> 
> Note that you have 'mailproxy' configured as the proxy_authname on your
> frontend. Use imtest to simulate your frontend:
> 
> imtest -m plain -a mailproxy imap1.eurecom.fr

[root@cassandra etc]# /opt/cyrus-imapd_3.0.7-cyrus/bin/imtest -m plain -a mailproxy imap1.eurecom.fr
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE
MUPDATE=mupdate://cassandra.eurecom.fr/ STARTTLS AUTH=PLAIN SASL-IR]
imap1.eurecom.fr Cyrus IMAP 3.0.7 server ready
Please enter your password:
C: A01 AUTHENTICATE PLAIN AG1haWxwcm94eQBvcmFjbGUx
S: A01 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten
QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT
CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SEARCH=FUZZY SORT
SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT
THREAD=REFERENCES THREAD=REFS ANNOTATEMORE ANNOTATE-EXPERIMENT-1
METADATA LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS LIST-METADATA WITHIN
QRESYNC SCAN XLIST XMOVE MOVE SPECIAL-USE CREATE-SPECIAL-USE DIGEST=SHA1
X-REPLICATION URLAUTH URLAUTH=BINARY
MUPDATE=mupdate://cassandra.eurecom.fr/ LOGINDISABLED COMPRESS=DEFLATE
X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE
X-QUOTA=X-NUM-FOLDERS IDLE] Success (no protection)
SESSIONID=<cyrus1-12201-1528102985-1-12851385816673753763>
Authenticated.
Security strength factor: 0
. LIST "" "*"
. OK Completed (0.000 secs)


> imtest -m plain -a mailproxy -u <some_user> imap1.eurecom.fr

[root@cassandra etc]# /opt/cyrus-imapd_3.0.7-cyrus/bin/imtest -m plain -a mailproxy -u delaye imap1.eurecom.fr
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE
MUPDATE=mupdate://cassandra.eurecom.fr/ STARTTLS AUTH=PLAIN SASL-IR]
imap1.eurecom.fr Cyrus IMAP 3.0.7 server ready
Please enter your password:
C: A01 AUTHENTICATE PLAIN ZGVsYXllAG1haWxwcm94eQBvcmFjbGUx
S: A01 NO no mechanism available
Authentication failed. generic failure
Security strength factor: 0


Note, if I choose the login mech, it works!

[root@cassandra etc]# /opt/cyrus-imapd_3.0.7-cyrus/bin/imtest -m login -a mailproxy -u delaye imap1.eurecom.fr
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE
MUPDATE=mupdate://cassandra.eurecom.fr/ STARTTLS AUTH=PLAIN SASL-IR]
imap1.eurecom.fr Cyrus IMAP 3.0.7 server ready
Please enter your password:
C: L01 LOGIN mailproxy {7}
S: + go ahead
C: <omitted>
S: L01 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten
QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT
CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SEARCH=FUZZY SORT
SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT
THREAD=REFERENCES THREAD=REFS ANNOTATEMORE ANNOTATE-EXPERIMENT-1
METADATA LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS LIST-METADATA WITHIN
QRESYNC SCAN XLIST XMOVE MOVE SPECIAL-USE CREATE-SPECIAL-USE DIGEST=SHA1
X-REPLICATION URLAUTH URLAUTH=BINARY
MUPDATE=mupdate://cassandra.eurecom.fr/ LOGINDISABLED COMPRESS=DEFLATE
X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE
X-QUOTA=X-NUM-FOLDERS IDLE] User logged in
SESSIONID=<cyrus1-12201-1528103147-1-4029279614867022129>
Authenticated.
Security strength factor: 0
. LIST "" "*"
. OK Completed (0.000 secs)


> 
>> The problem seems to be the proxy connections through frontend to the
>> server with a backend role.
>>
>> From client(s), connection to frontend is the issue
>>
>> 001 login standard xxxxxxx
> 
>> X-QUOTA=X-NUM-FOLDERS IDLE] User logged in
> 
>> Once I get connected and authenticated, I launch the command
>> “select inbox”, but I receive the message
>> A001 SELECT INBOX
>> A001 NO Server(s) unavailable to complete operation
>>
>> In the log files there is an error from both frontend and backend
>>
>> From frontend:
>> cassandra cyrus/imap[19868]:
>> couldn't authenticate to backend server: authentication failure
>>
>> From backend:
>> imap1 cyrus1/master
>> about to exec /opt/cyrus-imapd_3.0.7-cyrus1/libexec/imapd
>>
>> imap1 cyrus1/imap[11632]: SASL could not find auxprop plugin, was
>> searching for '[all]'
> 
> The above error is probably not important.
> 
>> badlogin: cassandra.eurecom.fr [192.168.106.61] PLAIN [SASL(-4): no
>> mechanism available: Password verification failed]
> 
> Check that the plain mechanism is available on the backend with
> 'pluginviewer', and verify your mailproxy credentials.

root@ipso:/opt/cyrus-imapd_3.0.7-cyrus1/sbin# /opt/cyrus-sasl_2.1.27-cyrus1/sbin/pluginviewer -m plain
Installed and properly configured auxprop mechanisms are:
<none>
Installed and properly configured SASL (server side) mechanisms are:
  SCRAM-SHA-1 SCRAM-SHA-256 DIGEST-MD5 EXTERNAL CRAM-MD5 PLAIN ANONYMOUS
Available SASL (server side) mechanisms matching your criteria are:
  PLAIN
List of server plugins follows
Plugin "plain" [loaded],        API version: 4
        SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS|PASS_CREDENTIALS
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Installed and properly configured SASL (client side) mechanisms are:
  SCRAM-SHA-1 SCRAM-SHA-256 DIGEST-MD5 EXTERNAL CRAM-MD5 PLAIN ANONYMOUS
Available SASL (client side) mechanisms matching your criteria are:
  SCRAM-SHA-1 SCRAM-SHA-256 DIGEST-MD5 EXTERNAL CRAM-MD5 PLAIN ANONYMOUS
List of client plugins follows
Plugin "plain" [loaded],        API version: 4
        SASL mechanism: PLAIN, best SSF: 0
        security flags: NO_ANONYMOUS|PASS_CREDENTIALS
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION

mailproxy credentials are ok!


root@ipso:/opt/cyrus-imapd_3.0.7-cyrus1/sbin# /opt/cyrus-sasl_2.1.27-cyrus1/sbin/pluginviewer
Installed and properly configured auxprop mechanisms are:
<none>
Installed and properly configured SASL (server side) mechanisms are:
  SCRAM-SHA-1 SCRAM-SHA-256 DIGEST-MD5 EXTERNAL CRAM-MD5 PLAIN ANONYMOUS
Available SASL (server side) mechanisms matching your criteria are:
  SCRAM-SHA-1 SCRAM-SHA-256 DIGEST-MD5 CRAM-MD5 PLAIN ANONYMOUS
List of server plugins follows
Plugin "scram" [loaded],        API version: 4
        SASL mechanism: SCRAM-SHA-1, best SSF: 0, supports setpass: yes
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION|CHANNEL_BINDING|SUPPORTS_HTTP
Plugin "scram" [loaded],        API version: 4
        SASL mechanism: SCRAM-SHA-256, best SSF: 0, supports setpass: yes
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION|CHANNEL_BINDING|SUPPORTS_HTTP
Plugin "digestmd5" [loaded],    API version: 4
        SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION|SUPPORTS_HTTP
Plugin "crammd5" [loaded],      API version: 4
        SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: SERVER_FIRST
Plugin "plain" [loaded],        API version: 4
        SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS|PASS_CREDENTIALS
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "anonymous" [loaded],    API version: 4
        SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
        security flags: NO_PLAINTEXT
        features: WANT_CLIENT_FIRST|DONTUSE_USERPASSWD
Installed and properly configured SASL (client side) mechanisms are:
  SCRAM-SHA-1 SCRAM-SHA-256 DIGEST-MD5 EXTERNAL CRAM-MD5 PLAIN ANONYMOUS
Available SASL (client side) mechanisms matching your criteria are:
  SCRAM-SHA-1 SCRAM-SHA-256 DIGEST-MD5 EXTERNAL CRAM-MD5 PLAIN ANONYMOUS
List of client plugins follows
Plugin "scram" [loaded],        API version: 4
        SASL mechanism: SCRAM-SHA-1, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION|CHANNEL_BINDING|SUPPORTS_HTTP
Plugin "scram" [loaded],        API version: 4
        SASL mechanism: SCRAM-SHA-256, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION|CHANNEL_BINDING|SUPPORTS_HTTP
Plugin "digestmd5" [loaded],    API version: 4
        SASL mechanism: DIGEST-MD5, best SSF: 128
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION|NEED_SERVER_FQDN|SUPPORTS_HTTP
Plugin "EXTERNAL" [loaded],     API version: 4
        SASL mechanism: EXTERNAL, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_DICTIONARY
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "crammd5" [loaded],      API version: 4
        SASL mechanism: CRAM-MD5, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: SERVER_FIRST
Plugin "plain" [loaded],        API version: 4
        SASL mechanism: PLAIN, best SSF: 0
        security flags: NO_ANONYMOUS|PASS_CREDENTIALS
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "anonymous" [loaded],    API version: 4
        SASL mechanism: ANONYMOUS, best SSF: 0
        security flags: NO_PLAINTEXT
        features: WANT_CLIENT_FIRST

> 
>> On the backend:
>>
>> admins: cyrus1 cyrus postman
>> allowallsubscribe: yes
>> allowplaintext: yes
>> allowusermoves: yes
>> auditlog: yes
>> configdirectory: /global/cyrus1/var/mail
>> defaultpartition: default
>> duplicate_db_path: /var/run/cyrus1/deliver.db
>> hashimapspool: yes
>> debug: yes
>> httpmodules: caldav carddav
>> idlesocket: /var/run/cyrus1/idle
>> mboxname_lockpath: /var/run/cyrus1_lock
>> mupdate_authname: postman
>> mupdate_password: xxxxxxx
>> mupdate_server: cassandra.eurecom.fr
>> mupdate_username: postman
>> popminpoll: 1
>> proc_path: /var/run/cyrus1_proc
>> proxy_authname: mailproxy
>> proxy_password: yyyyyyyy
>> proxyservers: mailproxy cyrus1 cyrus
>> ptscache_db_path: /var/run/cyrus1/ptscache.db
>> servername: imap1.eurecom.fr
>> sievedir: /global/cyrus1/var/sieve
>> statuscache_db_path: /var/run/cyrus1/statuscache.db
>> syslog_prefix: cyrus1
>> tls_sessions_db_path: /var/run/cyrus1/tls_sessions.db
> 
>> sasl_saslauthd_path: /global/cyrus1/var/state/saslauthd/mux
>> sasl_mech_list: plain
>> sasl_auto_transition: no
>> sasl_pwcheck_method: saslauthd
> 
>> partition-default: /global/cyrus1/mail
>> lmtp_admins: mailproxy cyrus1 cyrus
> 
>> on the frontend/mupdate master:
>>
>> admins: cyrus cyrus1 postman
>> allowallsubscribe: yes
>> allowplaintext: yes
>> allowusermoves: yes
>> auditlog: yes
>> configdirectory: /global/cyrus/var/mail
>> defaultpartition: default
>> duplicate_db_path: /var/run/cyrus/deliver.db
>> force_sasl_client_mech: PLAIN
>> hashimapspool: yes
>> debug: yes
>> httpmodules: caldav carddav
>> idlesocket: /var/run/cyrus/idle
>> mboxname_lockpath: /var/run/cyrus_lock
>> mupdate_authname: postman
>> mupdate_password: xxxxxxx
>> mupdate_server: cassandra.eurecom.fr
>> mupdate_username: postman
>> popminpoll: 1
>> proc_path: /var/run/cyrus_proc
>> proxy_authname: mailproxy
>> proxy_password: yyyyyyyyy
>> ptscache_db_path: /var/run/cyrus/ptscache.db
>> servername: cassandra.eurecom.fr
>> sievedir: /global/cyrus/var/sieve
>> statuscache_db_path: /var/run/cyrus/statuscache.db
>> syslog_prefix: cyrus
> 
>> cassandra_mechs: PLAIN
>> sasl_saslauthd_path: /global/cyrus/var/state/saslauthd/mux
>> imap1_mechs: PLAIN
>> sasl_mech_list: plain
>> sasl_auto_transition: no
>> sasl_pwcheck_method: saslauthd
> 
>> partition-default: /global/cyrus/mail
> 
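
Added example, not part of the original message or of Cyrus: the imtest runs with -a alone and with -a plus -u differ in the SASL PLAIN initial response (RFC 4616: authzid NUL authcid NUL passwd), where -u supplies the authorization identity. The argument after AUTHENTICATE PLAIN is only base64, so it carries the password in recoverable form. The Python below builds and splits such a response and rewrites the password in a transcript before it is shared. The names proxyuser and alice and the password are constructed sample values.

```python
import base64
import re

def encode_plain(authcid, password, authzid=""):
    """RFC 4616 initial response: authzid NUL authcid NUL passwd, base64-encoded."""
    raw = "\0".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def decode_plain(b64):
    """Split an initial response into (authzid, authcid, password)."""
    parts = base64.b64decode(b64, validate=True).split(b"\0")
    if len(parts) != 3 or not parts[1]:
        raise ValueError("not a SASL PLAIN initial response")
    return tuple(p.decode("utf-8") for p in parts)

def describe(b64):
    """Say who authenticates and whether proxy authorization is requested."""
    authzid, authcid, _ = decode_plain(b64)
    if authzid and authzid != authcid:
        return f"{authcid} authenticates and asks to act as {authzid}"
    return f"{authcid} authenticates as itself"

_AUTH_RE = re.compile(r"(AUTHENTICATE\s+PLAIN\s+)([A-Za-z0-9+/=]+)", re.IGNORECASE)

def redact(transcript):
    """Rewrite each AUTHENTICATE PLAIN argument so the password is a placeholder."""
    def _sub(match):
        try:
            authzid, authcid, _ = decode_plain(match.group(2))
        except ValueError:  # undecodable argument: drop it entirely
            return match.group(1) + "<omitted>"
        return match.group(1) + encode_plain(authcid, "REDACTED", authzid)
    return _AUTH_RE.sub(_sub, transcript)

# Constructed sample values (not taken from the thread).
DIRECT = encode_plain("proxyuser", "s3cret-example")            # like imtest -a
PROXIED = encode_plain("proxyuser", "s3cret-example", "alice")  # like imtest -a -u
SAMPLE_LOG = "C: A01 AUTHENTICATE PLAIN " + PROXIED

if __name__ == "__main__":
    print(describe(DIRECT))
    print(describe(PROXIED))
    print(redact(SAMPLE_LOG))
```

The redacted line keeps both identities, so the authzid/authcid pairing that matters for proxy authorization stays visible while the password does not.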


