Frontend couldn't authenticate to backend server: authentication failure

Dan White dwhite at olp.net
Mon Jun 4 09:30:42 EDT 2018 

!!!
Please be aware that the password for mailproxy was exposed below in
uuencoded form.
!!!

On 06/04/18 11:23 +0200, Jean-Christophe Delaye wrote:
>On 06/01/2018 07:54 PM, Dan White wrote:
>> On 06/01/18 18:03 +0200, Jean-Christophe Delaye wrote:
>
>[root at cassandra etc]# /opt/cyrus-imapd_3.0.7-cyrus/bin/imtest  -m plain
>-a mailproxy imap1.eurecom.fr
>S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE
>MUPDATE=mupdate://cassandra.eurecom.fr/ STARTTLS AUTH=PLAIN SASL-IR]
>imap1.eurecom.fr Cyrus IMAP 3.0.7 server ready
>Please enter your password:
>C: A01 AUTHENTICATE PLAIN <removed>
>Authenticated.
>Security strength factor: 0
>. LIST "" "*"
>. OK Completed (0.000 secs)
>
>> imtest -m plain -a mailproxy -u <some_user> imap1.eurecom.fr
>
>[root at cassandra etc]# /opt/cyrus-imapd_3.0.7-cyrus/bin/imtest  -m plain
>-a mailproxy -u delaye imap1.eurecom.fr
>S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE
>MUPDATE=mupdate://cassandra.eurecom.fr/ STARTTLS AUTH=PLAIN SASL-IR]
>imap1.eurecom.fr Cyrus IMAP 3.0.7 server ready
>Please enter your password:
>C: A01 AUTHENTICATE PLAIN <removed>
>S: A01 NO no mechanism available
>Authentication failed. generic failure
>Security strength factor: 0
>
>Note, if I choose  login mech , it works !

>[root at cassandra etc]# /opt/cyrus-imapd_3.0.7-cyrus/bin/imtest  -m login
>-a mailproxy -u delaye imap1.eurecom.fr
>S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE
>MUPDATE=mupdate://cassandra.eurecom.fr/ STARTTLS AUTH=PLAIN SASL-IR]
>imap1.eurecom.fr Cyrus IMAP 3.0.7 server ready
>Please enter your password:
>C: L01 LOGIN mailproxy {7}
>S: + go ahead
>Authenticated.

You may need 'sasl_minimum_layer: 0' within imapd.conf, on the backend.

If that doesn't work, please include syslog output for the above two
authentication attempts.

>root at ipso:/opt/cyrus-imapd_3.0.7-cyrus1/sbin#
>/opt/cyrus-sasl_2.1.27-cyrus1/sbin/pluginviewer -m plain
>Installed and properly configured auxprop mechanisms are:
><none>
>Installed and properly configured SASL (server side) mechanisms are:
>  SCRAM-SHA-1 SCRAM-SHA-256 DIGEST-MD5 EXTERNAL CRAM-MD5 PLAIN ANONYMOUS
>Available SASL (server side) mechanisms matching your criteria are:
>  PLAIN
>List of server plugins follows
>Plugin "plain" [loaded],        API version: 4
>Available SASL (client side) mechanisms matching your criteria are:
>  SCRAM-SHA-1 SCRAM-SHA-256 DIGEST-MD5 EXTERNAL CRAM-MD5 PLAIN ANONYMOUS
>List of client plugins follows
>Plugin "plain" [loaded],        API version: 4
>
>mailproxy credentials are ok !
>
>root at ipso:/opt/cyrus-imapd_3.0.7-cyrus1/sbin#
>/opt/cyrus-sasl_2.1.27-cyrus1/sbin/pluginviewer
>Installed and properly configured auxprop mechanisms are:
><none>
>Installed and properly configured SASL (server side) mechanisms are:
>  SCRAM-SHA-1 SCRAM-SHA-256 DIGEST-MD5 EXTERNAL CRAM-MD5 PLAIN ANONYMOUS
>Available SASL (server side) mechanisms matching your criteria are:
>  SCRAM-SHA-1 SCRAM-SHA-256 DIGEST-MD5 CRAM-MD5 PLAIN ANONYMOUS
>List of server plugins follows
>Plugin "scram" [loaded],        API version: 4
>Plugin "scram" [loaded],        API version: 4
>Plugin "digestmd5" [loaded],    API version: 4
>Plugin "crammd5" [loaded],      API version: 4
>Plugin "plain" [loaded],        API version: 4
>Plugin "anonymous" [loaded],    API version: 4
>Installed and properly configured SASL (client side) mechanisms are:
>  SCRAM-SHA-1 SCRAM-SHA-256 DIGEST-MD5 EXTERNAL CRAM-MD5 PLAIN ANONYMOUS
>Available SASL (client side) mechanisms matching your criteria are:
>  SCRAM-SHA-1 SCRAM-SHA-256 DIGEST-MD5 EXTERNAL CRAM-MD5 PLAIN ANONYMOUS
>List of client plugins follows
>Plugin "scram" [loaded],        API version: 4
>Plugin "scram" [loaded],        API version: 4
>Plugin "digestmd5" [loaded],    API version: 4
>Plugin "EXTERNAL" [loaded],     API version: 4
>Plugin "crammd5" [loaded],      API version: 4
>Plugin "plain" [loaded],        API version: 4
>Plugin "anonymous" [loaded],    API version: 4
>>
>>> On the backend:
>>>
>>> allowplaintext: yes
>>> proxyservers: mailproxy cyrus1 cyrus
>>> sasl_saslauthd_path: /global/cyrus1/var/state/saslauthd/mux
>>> sasl_mech_list: plain
>>> sasl_auto_transition: no
>>> sasl_pwcheck_method: saslauthd
>>
>>> on the frontend/mupdate master:
>>>
>>> proxy_authname: mailproxy
>>> proxy_password: yyyyyyyyy
>>> sasl_saslauthd_path: /global/cyrus/var/state/saslauthd/mux
>>> sasl_mech_list: plain
>>> sasl_auto_transition: no
>>> sasl_pwcheck_method: saslauthd

-- 
Dan White

More information about the Info-cyrus mailing list