Solved Re: Frontend couldn't authenticate to backend server: authentication failure

Jean-Christophe Delaye Jean-Christophe.Delaye at eurecom.fr
Mon Jun 4 10:54:04 EDT 2018


On 06/04/2018 03:30 PM, Dan White wrote:
> !!!
> Please be aware that the password for mailproxy was exposed below in
> uuencoded form.
> !!!

Thanks, this is an (internal) lab platform!

I finally focused on the fact that authentication fails if userid and
authid differ.

So, my primary setup was (without sasldb)

Installed and properly configured auxprop mechanisms are:
<none>

I recompiled sasl with sasldb

then auxprop was not empty
Installed and properly configured auxprop mechanisms are:
sasldb
List of auxprop plugins follows
Plugin "sasldb" ,       API version: 8
        supports store: yes

and now everything works fine:

[root at cassandra etc]# /opt/cyrus-imapd_3.0.7-cyrus/bin/imtest  -m plain
-a mailproxy -u delaye imap1.eurecom.fr
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE
MUPDATE=mupdate://cassandra.eurecom.fr/ STARTTLS AUTH=PLAIN SASL-IR]
imap1.eurecom.fr Cyrus IMAP 3.0.7 server ready
Please enter your password:
......
Authenticated.
Security strength factor: 0
* BYE idle for too long
Connection closed.

Thanks for your help.

> 
> On 06/04/18 11:23 +0200, Jean-Christophe Delaye wrote:
>> On 06/01/2018 07:54 PM, Dan White wrote:
>>> On 06/01/18 18:03 +0200, Jean-Christophe Delaye wrote:
>>
>> [root at cassandra etc]# /opt/cyrus-imapd_3.0.7-cyrus/bin/imtest  -m plain
>> -a mailproxy imap1.eurecom.fr
>> S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE
>> MUPDATE=mupdate://cassandra.eurecom.fr/ STARTTLS AUTH=PLAIN SASL-IR]
>> imap1.eurecom.fr Cyrus IMAP 3.0.7 server ready
>> Please enter your password:
>> C: A01 AUTHENTICATE PLAIN <removed>
>> Authenticated.
>> Security strength factor: 0
>> . LIST "" "*"
>> . OK Completed (0.000 secs)
>>
>>> imtest -m plain -a mailproxy -u <some_user> imap1.eurecom.fr
>>
>> [root at cassandra etc]# /opt/cyrus-imapd_3.0.7-cyrus/bin/imtest  -m plain
>> -a mailproxy -u delaye imap1.eurecom.fr
>> S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE
>> MUPDATE=mupdate://cassandra.eurecom.fr/ STARTTLS AUTH=PLAIN SASL-IR]
>> imap1.eurecom.fr Cyrus IMAP 3.0.7 server ready
>> Please enter your password:
>> C: A01 AUTHENTICATE PLAIN <removed>
>> S: A01 NO no mechanism available
>> Authentication failed. generic failure
>> Security strength factor: 0
>>
>> Note, if I choose  login mech , it works !
> 
>> [root at cassandra etc]# /opt/cyrus-imapd_3.0.7-cyrus/bin/imtest  -m login
>> -a mailproxy -u delaye imap1.eurecom.fr
>> S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE
>> MUPDATE=mupdate://cassandra.eurecom.fr/ STARTTLS AUTH=PLAIN SASL-IR]
>> imap1.eurecom.fr Cyrus IMAP 3.0.7 server ready
>> Please enter your password:
>> C: L01 LOGIN mailproxy {7}
>> S: + go ahead
>> Authenticated.
> 
> You may need 'sasl_minimum_layer: 0' within imapd.conf, on the backend.
> 
> If that doesn't work, please include syslog output for the above two
> authentication attempts.
> 
>> root at ipso:/opt/cyrus-imapd_3.0.7-cyrus1/sbin#
>> /opt/cyrus-sasl_2.1.27-cyrus1/sbin/pluginviewer -m plain
>> Installed and properly configured auxprop mechanisms are:
>> <none>
>> Installed and properly configured SASL (server side) mechanisms are:
>>  SCRAM-SHA-1 SCRAM-SHA-256 DIGEST-MD5 EXTERNAL CRAM-MD5 PLAIN ANONYMOUS
>> Available SASL (server side) mechanisms matching your criteria are:
>>  PLAIN
>> List of server plugins follows
>> Plugin "plain" [loaded],        API version: 4
>> Available SASL (client side) mechanisms matching your criteria are:
>>  SCRAM-SHA-1 SCRAM-SHA-256 DIGEST-MD5 EXTERNAL CRAM-MD5 PLAIN ANONYMOUS
>> List of client plugins follows
>> Plugin "plain" [loaded],        API version: 4
>>
>> mailproxy credentials are ok !
>>
>> root at ipso:/opt/cyrus-imapd_3.0.7-cyrus1/sbin#
>> /opt/cyrus-sasl_2.1.27-cyrus1/sbin/pluginviewer
>> Installed and properly configured auxprop mechanisms are:
>> <none>
>> Installed and properly configured SASL (server side) mechanisms are:
>>  SCRAM-SHA-1 SCRAM-SHA-256 DIGEST-MD5 EXTERNAL CRAM-MD5 PLAIN ANONYMOUS
>> Available SASL (server side) mechanisms matching your criteria are:
>>  SCRAM-SHA-1 SCRAM-SHA-256 DIGEST-MD5 CRAM-MD5 PLAIN ANONYMOUS
>> List of server plugins follows
>> Plugin "scram" [loaded],        API version: 4
>> Plugin "scram" [loaded],        API version: 4
>> Plugin "digestmd5" [loaded],    API version: 4
>> Plugin "crammd5" [loaded],      API version: 4
>> Plugin "plain" [loaded],        API version: 4
>> Plugin "anonymous" [loaded],    API version: 4
>> Installed and properly configured SASL (client side) mechanisms are:
>>  SCRAM-SHA-1 SCRAM-SHA-256 DIGEST-MD5 EXTERNAL CRAM-MD5 PLAIN ANONYMOUS
>> Available SASL (client side) mechanisms matching your criteria are:
>>  SCRAM-SHA-1 SCRAM-SHA-256 DIGEST-MD5 EXTERNAL CRAM-MD5 PLAIN ANONYMOUS
>> List of client plugins follows
>> Plugin "scram" [loaded],        API version: 4
>> Plugin "scram" [loaded],        API version: 4
>> Plugin "digestmd5" [loaded],    API version: 4
>> Plugin "EXTERNAL" [loaded],     API version: 4
>> Plugin "crammd5" [loaded],      API version: 4
>> Plugin "plain" [loaded],        API version: 4
>> Plugin "anonymous" [loaded],    API version: 4
>>>
>>>> On the backend:
>>>>
>>>> allowplaintext: yes
>>>> proxyservers: mailproxy cyrus1 cyrus
>>>> sasl_saslauthd_path: /global/cyrus1/var/state/saslauthd/mux
>>>> sasl_mech_list: plain
>>>> sasl_auto_transition: no
>>>> sasl_pwcheck_method: saslauthd
>>>
>>>> on the frontend/mupdate master:
>>>>
>>>> proxy_authname: mailproxy
>>>> proxy_password: yyyyyyyyy
>>>> sasl_saslauthd_path: /global/cyrus/var/state/saslauthd/mux
>>>> sasl_mech_list: plain
>>>> sasl_auto_transition: no
>>>> sasl_pwcheck_method: saslauthd
> 
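
Added example, not part of the original message or of the Cyrus code base: the argument to `AUTHENTICATE PLAIN` is the base64 encoding of `authzid NUL authcid NUL password` (RFC 4616), so an unredacted `imtest` transcript discloses the password. The sketch below scrubs such lines before a transcript is shared and reports whether the attempt was a proxy login (authzid differs from authcid, the `-a mailproxy -u delaye` case in this thread). The function names and the sample password are assumptions made for illustration.

```python
import base64
import re

# Client line printed for SASL PLAIN with an initial response (SASL-IR).
_AUTH_RE = re.compile(r"(AUTHENTICATE\s+PLAIN\s+)([A-Za-z0-9+/]+=*)", re.IGNORECASE)


def encode_plain(authzid, authcid, password):
    """Build the RFC 4616 message: authzid NUL authcid NUL passwd, base64-encoded."""
    raw = "\0".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(token):
    """Return (authzid, authcid, password) from a base64 PLAIN response."""
    parts = base64.b64decode(token, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("not a SASL PLAIN message")
    return tuple(p.decode("utf-8") for p in parts)


def scrub(transcript):
    """Redact PLAIN payloads and return (clean_text, findings).

    Each finding records who authenticated and on whose behalf, never the password.
    """
    findings = []

    def _sub(match):
        try:
            authzid, authcid, _ = decode_plain(match.group(2))
            findings.append({"authcid": authcid, "authzid": authzid,
                             "proxy": bool(authzid) and authzid != authcid})
        except ValueError:  # bad base64, bad UTF-8 or wrong field count
            findings.append({"undecodable": True})
        return match.group(1) + "<removed>"

    return _AUTH_RE.sub(_sub, transcript), findings


# Constructed sample: identities are taken from the thread, the password is made up.
TOKEN = encode_plain("delaye", "mailproxy", "example-secret")
SAMPLE = (
    "Please enter your password:\n"
    f"C: A01 AUTHENTICATE PLAIN {TOKEN}\n"
    "S: A01 NO no mechanism available\n"
)
```
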


