Murder, couldn't authenticate to backend server: no mechanism available

Ismaël Tanguy ismael.tanguy at univ-brest.fr
Thu Mar 7 05:23:29 EST 2019 

Hello,

I'm stucked in configuring a murder cluster with one frontend and one 
backend.
LMTP between frontend and backend doesn't work, the logs says that no 
mechanism is available.
I'm using sasl plain.
When turning saslauthd in debug mode, mta connection to frontend is OK, 
but there's no request for the connection between frontend and backend.
lmtptest -t "" -a murder backend is OK and goes over TLS.
Here's the debug log:

### /var/log/maillog -> frontend cyrus

frontend cyrus/lmtp[19541]: accepted connection
frontend cyrus/lmtp[19541]: connection from mta.domain [IP]
frontend cyrus/lmtp[19541]: command: LHLO mta.domain
frontend cyrus/lmtp[19541]: TLS is available.
frontend cyrus/lmtp[19541]: command: STARTTLS
frontend cyrus/lmtp[19541]: TLS is available.
frontend cyrus/lmtp[19541]: SSL_accept() incomplete -> wait
frontend cyrus/lmtp[19541]: SSL_accept() succeeded -> done
frontend cyrus/lmtp[19541]: starttls: TLSv1.2 with cipher 
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
frontend cyrus/lmtp[19541]: command: LHLO mta.domain
frontend cyrus/lmtp[19541]: TLS is available.
frontend cyrus/lmtp[19541]: command: AUTH PLAIN ***************
frontend cyrus/lmtp[19541]: login: mta.domain [IP] cyrus PLAIN+TLS User 
logged in
frontend cyrus/lmtp[19541]: command: MAIL FROM:<mail at domain> SIZE=576
frontend cyrus/lmtp[19541]: command: RCPT TO:<mail at domain>
frontend cyrus/lmtp[19541]: command: DATA
frontend cyrus/lmtp[19541]: USAGE <uid> user: 0.030932 sys: 0.017066
frontend cyrus/lmtp[19537]: accepted connection
frontend cyrus/lmtp[19537]: connection from frontend.domain [IP]
frontend cyrus/lmtp[19537]: command: LHLO lmtpproxyd
frontend cyrus/lmtp[19537]: TLS is available.
frontend cyrus/lmtp[19537]: command: STARTTLS
frontend cyrus/lmtp[19537]: TLS is available.
frontend cyrus/lmtp[19541]: tls_server_ca_dir=(NULL) 
tls_server_ca_file=/etc/ssl/certs/wildcard.ca
frontend cyrus/lmtp[19537]: SSL_accept() incomplete -> wait
frontend cyrus/lmtp[19541]: Doing a peer verify
frontend cyrus/lmtp[19541]: Doing a peer verify
frontend cyrus/lmtp[19541]: Doing a peer verify
frontend cyrus/lmtp[19537]: Doing a peer verify
frontend cyrus/lmtp[19537]: Doing a peer verify
frontend cyrus/lmtp[19537]: Doing a peer verify
frontend cyrus/lmtp[19537]: SSL_accept() incomplete -> wait
frontend cyrus/lmtp[19537]: SSL_accept() succeeded -> done
frontend cyrus/lmtp[19537]: received client certificate
frontend cyrus/lmtp[19537]: 
subject=***********************************************
frontend cyrus/lmtp[19537]: starttls: TLSv1.2 with cipher 
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) authenticated as *.domain
frontend cyrus/lmtp[19541]: received server certificate
frontend cyrus/lmtp[19541]: starttls: TLSv1.2 with cipher 
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new client) no authentication
frontend cyrus/lmtp[19537]: command: LHLO lmtpproxyd
frontend cyrus/lmtp[19537]: TLS is available.
frontend cyrus/lmtp[19541]: couldn't authenticate to backend server: no 
mechanism available
frontend cyrus/lmtp[19537]: command: QUIT
frontend cyrus/lmtp[19541]: command: QUIT


### saslauthd -d -a pam  >> cyrus is lmtpuser from mta, murder is 
lmtpuser for the backend,
### lmtp connection to the backend doesn't go to saslauthd
saslauthd[19525] :rel_accept_lock : released accept lock
saslauthd[19527] :get_accept_lock : acquired accept lock
saslauthd[19525] :do_auth         : auth success: [user=cyrus] 
[service=lmtp] [realm=] [mech=pam]
saslauthd[19525] :do_request      : response: OK


### /var/log/messages
frontend cyrus/lmtp[19563]: No worthy mechs found
frontend cyrus/lmtp[19563]: No worthy mechs found

### /var/log/maillog -> mta postfix
mta postfix/smtpd[7678]: connect from client_test
mta postfix/smtpd[7678]: DCAEF10392E5: client=client_test
mta postfix/cleanup[7682]: DCAEF10392E5: message-id=<>
mta postfix/qmgr[2161]: DCAEF10392E5: from=<mail.domain>, size=576, 
nrcpt=1 (queue active)
mta postfix/smtpd[7678]: disconnect from client_test
mta postfix/lmtp[7683]: Untrusted TLS connection established to 
frontend:24: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
mta postfix/lmtp[7683]: DCAEF10392E5: to=<mail.domain>, 
relay=frontend:24, delay=0.1, delays=0.01/0/0.07/0.02, dsn=4.4.3, 
status=deferred (host frontend said: 451 4.4.3 Remote server unavailable 
(in reply to end of DATA command))


### /etc/imapd.conf -> frontend
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
mupdate_server: cyrus-murder.univ-brest.fr
mupdate_username: murder
mupdate_authname: murder
mupdate_password: password
backend_password: password
proxy_authname: murder


### /etc/cyrus.conf -> frontend
START {
   recover       cmd="ctl_cyrusdb -r"
}
SERVICES {
   # add or remove based on preferences
   mupdate       cmd="mupdate" listen=3905 prefork=1
   imap          cmd="imapd" listen="imap" prefork=5
   imaps         cmd="imapd -s" listen="imaps" prefork=1
   pop3          cmd="pop3d" listen="pop3" prefork=3
   pop3s         cmd="pop3d -s" listen="pop3s" prefork=1
   sieve         cmd="timsieved" listen="sieve" prefork=0
   nntp          cmd="nntpd" listen="nntp" prefork=3
   lmtp          cmd="lmtpd" listen="lmtp" prefork=0
}
EVENTS {
   checkpoint    cmd="ctl_cyrusdb -c" period=30
   delprune      cmd="cyr_expire -E 3" at=0400
   tlsprune      cmd="tls_prune" at=0400
}
DAEMON {
   idled         cmd="idled"
}

### /etc/sysconfig/saslauthd
SOCKETDIR=/run/saslauthd
MECH=pam

### lmtptest frontend -> backend
(frontend)# lmtptest -t "" -a murder backend
S: 220 backend.domain Cyrus LMTP 3.0.8-7.el7.centos Fedora server ready
C: LHLO lmtptest
S: 250-backend.domain
S: 250-8BITMIME
S: 250-ENHANCEDSTATUSCODES
S: 250-PIPELINING
S: 250-SIZE
S: 250-STARTTLS
S: 250-AUTH PLAIN
S: 250-IGNOREQUOTA
S: 250 Ok SESSIONID=<cyrus-28058-1551952740-1-7710567405059874995>
C: STARTTLS
S: 220 Begin TLS negotiation now
verify error:num=19:self signed certificate in certificate chain
TLS connection established: TLSv1.2 with cipher 
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
C: LHLO lmtptest
S: 250-backend.domain
S: 250-8BITMIME
S: 250-ENHANCEDSTATUSCODES
S: 250-PIPELINING
S: 250-SIZE
S: 250-AUTH PLAIN
S: 250-IGNOREQUOTA
S: 250 Ok SESSIONID=<cyrus-28058-1551952740-2-5714180577914972405>
Please enter your password:
C: AUTH PLAIN ***************************************
S: 235 Authenticated!
Authenticated.
Security strength factor: 256


It seems I miss something in imapd.conf to tell LMTP to use sasl plain 
but I didn't find the way.
Any help would be greatly appreciated.

Thanks


Ismaël TANGUY
Université de Bretagne Occidentale
Brest - France

More information about the Info-cyrus mailing list