Murder, couldn't authenticate to backend server: no mechanism available
Michael Menge
michael.menge at zdv.uni-tuebingen.de
Thu Mar 7 05:55:36 EST 2019
Hi,
I suspect lmtp is trying to proxy auth, which is not possible with the PLAIN mech (but e.g. with LOGIN). So as only PLAIN is available "No worthy mechs found".
You can try not to set "mupdate_username: murder" in the frontend imapd.conf. But keep "mupdate_authname: murder". This should result in normal PLAIN authentication as user "murder".
Even if you enable the LOGIN mech, setting mupdate_username can cause some problems. I can't remember which problems, but I reminded myself not to set mupdate_username with a comment in my own imapd.conf.
Regards
Michael Menge
Quoting Ismaël Tanguy <ismael.tanguy at univ-brest.fr>:
> Hello,
>
> I'm stuck in configuring a murder cluster with one frontend and
> one backend.
> LMTP between frontend and backend doesn't work, the logs say that
> no mechanism is available.
> I'm using sasl plain.
> When turning saslauthd in debug mode, mta connection to frontend is
> OK, but there's no request for the connection between frontend and
> backend.
> lmtptest -t "" -a murder backend is OK and goes over TLS.
> Here's the debug log:
>
> ### /var/log/maillog -> frontend cyrus
>
> frontend cyrus/lmtp[19541]: accepted connection
> frontend cyrus/lmtp[19541]: connection from mta.domain [IP]
> frontend cyrus/lmtp[19541]: command: LHLO mta.domain
> frontend cyrus/lmtp[19541]: TLS is available.
> frontend cyrus/lmtp[19541]: command: STARTTLS
> frontend cyrus/lmtp[19541]: TLS is available.
> frontend cyrus/lmtp[19541]: SSL_accept() incomplete -> wait
> frontend cyrus/lmtp[19541]: SSL_accept() succeeded -> done
> frontend cyrus/lmtp[19541]: starttls: TLSv1.2 with cipher
> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
> frontend cyrus/lmtp[19541]: command: LHLO mta.domain
> frontend cyrus/lmtp[19541]: TLS is available.
> frontend cyrus/lmtp[19541]: command: AUTH PLAIN ***************
> frontend cyrus/lmtp[19541]: login: mta.domain [IP] cyrus PLAIN+TLS
> User logged in
> frontend cyrus/lmtp[19541]: command: MAIL FROM:<mail at domain> SIZE=576
> frontend cyrus/lmtp[19541]: command: RCPT TO:<mail at domain>
> frontend cyrus/lmtp[19541]: command: DATA
> frontend cyrus/lmtp[19541]: USAGE <uid> user: 0.030932 sys: 0.017066
> frontend cyrus/lmtp[19537]: accepted connection
> frontend cyrus/lmtp[19537]: connection from frontend.domain [IP]
> frontend cyrus/lmtp[19537]: command: LHLO lmtpproxyd
> frontend cyrus/lmtp[19537]: TLS is available.
> frontend cyrus/lmtp[19537]: command: STARTTLS
> frontend cyrus/lmtp[19537]: TLS is available.
> frontend cyrus/lmtp[19541]: tls_server_ca_dir=(NULL)
> tls_server_ca_file=/etc/ssl/certs/wildcard.ca
> frontend cyrus/lmtp[19537]: SSL_accept() incomplete -> wait
> frontend cyrus/lmtp[19541]: Doing a peer verify
> frontend cyrus/lmtp[19541]: Doing a peer verify
> frontend cyrus/lmtp[19541]: Doing a peer verify
> frontend cyrus/lmtp[19537]: Doing a peer verify
> frontend cyrus/lmtp[19537]: Doing a peer verify
> frontend cyrus/lmtp[19537]: Doing a peer verify
> frontend cyrus/lmtp[19537]: SSL_accept() incomplete -> wait
> frontend cyrus/lmtp[19537]: SSL_accept() succeeded -> done
> frontend cyrus/lmtp[19537]: received client certificate
> frontend cyrus/lmtp[19537]:
> subject=***********************************************
> frontend cyrus/lmtp[19537]: starttls: TLSv1.2 with cipher
> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) authenticated as
> *.domain
> frontend cyrus/lmtp[19541]: received server certificate
> frontend cyrus/lmtp[19541]: starttls: TLSv1.2 with cipher
> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new client) no
> authentication
> frontend cyrus/lmtp[19537]: command: LHLO lmtpproxyd
> frontend cyrus/lmtp[19537]: TLS is available.
> frontend cyrus/lmtp[19541]: couldn't authenticate to backend server:
> no mechanism available
> frontend cyrus/lmtp[19537]: command: QUIT
> frontend cyrus/lmtp[19541]: command: QUIT
>
>
> ### saslauthd -d -a pam >> cyrus is lmtpuser from mta, murder is
> lmtpuser for the backend,
> ### lmtp connection to the backend doesn't go to saslauthd
> saslauthd[19525] :rel_accept_lock : released accept lock
> saslauthd[19527] :get_accept_lock : acquired accept lock
> saslauthd[19525] :do_auth : auth success: [user=cyrus]
> [service=lmtp] [realm=] [mech=pam]
> saslauthd[19525] :do_request : response: OK
>
>
> ### /var/log/messages
> frontend cyrus/lmtp[19563]: No worthy mechs found
> frontend cyrus/lmtp[19563]: No worthy mechs found
>
> ### /var/log/maillog -> mta postfix
> mta postfix/smtpd[7678]: connect from client_test
> mta postfix/smtpd[7678]: DCAEF10392E5: client=client_test
> mta postfix/cleanup[7682]: DCAEF10392E5: message-id=<>
> mta postfix/qmgr[2161]: DCAEF10392E5: from=<mail.domain>, size=576,
> nrcpt=1 (queue active)
> mta postfix/smtpd[7678]: disconnect from client_test
> mta postfix/lmtp[7683]: Untrusted TLS connection established to
> frontend:24: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
> (256/256 bits)
> mta postfix/lmtp[7683]: DCAEF10392E5: to=<mail.domain>,
> relay=frontend:24, delay=0.1, delays=0.01/0/0.07/0.02, dsn=4.4.3,
> status=deferred (host frontend said: 451 4.4.3 Remote server
> unavailable (in reply to end of DATA command))
>
>
> ### /etc/imapd.conf -> frontend
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: PLAIN
> mupdate_server: cyrus-murder.univ-brest.fr
> mupdate_username: murder
> mupdate_authname: murder
> mupdate_password: password
> backend_password: password
> proxy_authname: murder
>
>
> ### /etc/cyrus.conf -> frontend
> START {
> recover cmd="ctl_cyrusdb -r"
> }
> SERVICES {
> # add or remove based on preferences
> mupdate cmd="mupdate" listen=3905 prefork=1
> imap cmd="imapd" listen="imap" prefork=5
> imaps cmd="imapd -s" listen="imaps" prefork=1
> pop3 cmd="pop3d" listen="pop3" prefork=3
> pop3s cmd="pop3d -s" listen="pop3s" prefork=1
> sieve cmd="timsieved" listen="sieve" prefork=0
> nntp cmd="nntpd" listen="nntp" prefork=3
> lmtp cmd="lmtpd" listen="lmtp" prefork=0
> }
> EVENTS {
> checkpoint cmd="ctl_cyrusdb -c" period=30
> delprune cmd="cyr_expire -E 3" at=0400
> tlsprune cmd="tls_prune" at=0400
> }
> DAEMON {
> idled cmd="idled"
> }
>
> ### /etc/sysconfig/saslauthd
> SOCKETDIR=/run/saslauthd
> MECH=pam
>
> ### lmtptest frontend -> backend
> (frontend)# lmtptest -t "" -a murder backend
> S: 220 backend.domain Cyrus LMTP 3.0.8-7.el7.centos Fedora server ready
> C: LHLO lmtptest
> S: 250-backend.domain
> S: 250-8BITMIME
> S: 250-ENHANCEDSTATUSCODES
> S: 250-PIPELINING
> S: 250-SIZE
> S: 250-STARTTLS
> S: 250-AUTH PLAIN
> S: 250-IGNOREQUOTA
> S: 250 Ok SESSIONID=<cyrus-28058-1551952740-1-7710567405059874995>
> C: STARTTLS
> S: 220 Begin TLS negotiation now
> verify error:num=19:self signed certificate in certificate chain
> TLS connection established: TLSv1.2 with cipher
> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> C: LHLO lmtptest
> S: 250-backend.domain
> S: 250-8BITMIME
> S: 250-ENHANCEDSTATUSCODES
> S: 250-PIPELINING
> S: 250-SIZE
> S: 250-AUTH PLAIN
> S: 250-IGNOREQUOTA
> S: 250 Ok SESSIONID=<cyrus-28058-1551952740-2-5714180577914972405>
> Please enter your password:
> C: AUTH PLAIN ***************************************
> S: 235 Authenticated!
> Authenticated.
> Security strength factor: 256
>
>
> It seems I miss something in imapd.conf to tell LMTP to use sasl
> plain but I didn't find the way.
> Any help would be greatly appreciated.
>
> Thanks
>
>
> Ismaël TANGUY
> Université de Bretagne Occidentale
> Brest - France
>
--------------------------------------------------------------------------------
M.Menge Tel.: (49) 7071/29-70316
Universität Tübingen Fax.: (49) 7071/29-5912
Zentrum für Datenverarbeitung mail:
michael.menge at zdv.uni-tuebingen.de
Wächterstraße 76
72074 Tübingen
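
The check suggested in the reply, written as an added example (not part of the original thread and not a Cyrus tool): it parses a frontend imapd.conf, reads the AUTH mechanisms a backend advertises in its LHLO reply, flags `mupdate_username` set next to `mupdate_authname`, and shows the config with the reply's change applied. The function names and sample strings are constructed for illustration; treating `sasl_mech_list` as a limit on what the frontend will use as a client is an assumption.

```python
import re

# Constructed sample: the frontend settings quoted in the post.
FRONTEND_CONF = """\
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
mupdate_username: murder
mupdate_authname: murder
proxy_authname: murder
"""

# Constructed sample: shape of the post-STARTTLS LHLO reply from lmtptest.
BACKEND_LHLO = """\
S: 250-backend.domain
S: 250-8BITMIME
S: 250-AUTH PLAIN
S: 250-IGNOREQUOTA
S: 250 Ok
"""

def parse_imapd_conf(text):
    """Parse 'option: value' lines, skipping blanks and # comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            opts[key.strip().lower()] = value.strip()
    return opts

def advertised_mechs(lhlo):
    """Collect SASL mechanisms from '250-AUTH ...' capability lines."""
    mechs = set()
    for line in lhlo.splitlines():
        m = re.match(r"(?:S:\s*)?250[- ]AUTH\s+(.*)", line.strip(), re.I)
        if m:
            mechs.update(x.upper() for x in m.group(1).split())
    return mechs

def check_frontend(conf_text, lhlo):
    """Return a list of finding labels for the frontend config."""
    opts = parse_imapd_conf(conf_text)
    findings = []
    local = set(opts.get("sasl_mech_list", "").upper().split())
    remote = advertised_mechs(lhlo)
    # Assumption: sasl_mech_list also bounds the frontend's client-side choice.
    if local and not (local & remote):
        findings.append("no-common-mech")
    # The reply's advice: keep mupdate_authname, do not set mupdate_username.
    if "mupdate_username" in opts and "mupdate_authname" in opts:
        findings.append("mupdate_username-set")
    return findings

def apply_reply_fix(conf_text):
    """Comment out mupdate_username and leave every other line untouched."""
    return re.sub(r"(?mi)^(\s*mupdate_username\s*:)", r"# \1", conf_text)
```
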