Murder, couldn't authenticate to backend server: no mechanism available

Ismaël Tanguy ismael.tanguy at univ-brest.fr
Thu Mar 7 10:23:50 EST 2019


Hi Mickael,

Thank you very much.
That works.

I am now blocked on user autocreation on the backend, but that's another 
problem ;-)

Thanks again,

Ismaël Tanguy

Le 07/03/2019 à 11:55, Michael Menge a écrit :
> Hi,
>
>
> I suspect lmtp is trying to proxy auth, which is not possible with 
> the PLAIN mech,
> (but e.g. with LOGIN). So as only PLAIN is available "No worthy mechs 
> found".
>
> You can try not to set "mupdate_username: murder" in the frontend 
> imapd.conf.
> But keep "mupdate_authname: murder". This should result in normal 
> PLAIN authentication
> as user "murder".
>
> Even if you enable the LOGIN mech, setting mupdate_username can cause 
> some problems.
> I can't remember which problems, but I reminded myself not to set 
> mupdate_username
> with a comment in my own imapd.conf.
>
> Regards
>
>    Michael Menge
>
>
> Quoting Ismaël Tanguy <ismael.tanguy at univ-brest.fr>:
>
>> Hello,
>>
>> I'm stuck configuring a murder cluster with one frontend and one 
>> backend.
>> LMTP between frontend and backend doesn't work; the logs say that no 
>> mechanism is available.
>> I'm using sasl plain.
>> When turning saslauthd in debug mode, mta connection to frontend is 
>> OK, but there's no request for the connection between frontend and 
>> backend.
>> lmtptest -t "" -a murder backend is OK and goes over TLS.
>> Here's the debug log:
>>
>> ### /var/log/maillog -> frontend cyrus
>>
>> frontend cyrus/lmtp[19541]: accepted connection
>> frontend cyrus/lmtp[19541]: connection from mta.domain [IP]
>> frontend cyrus/lmtp[19541]: command: LHLO mta.domain
>> frontend cyrus/lmtp[19541]: TLS is available.
>> frontend cyrus/lmtp[19541]: command: STARTTLS
>> frontend cyrus/lmtp[19541]: TLS is available.
>> frontend cyrus/lmtp[19541]: SSL_accept() incomplete -> wait
>> frontend cyrus/lmtp[19541]: SSL_accept() succeeded -> done
>> frontend cyrus/lmtp[19541]: starttls: TLSv1.2 with cipher 
>> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
>> frontend cyrus/lmtp[19541]: command: LHLO mta.domain
>> frontend cyrus/lmtp[19541]: TLS is available.
>> frontend cyrus/lmtp[19541]: command: AUTH PLAIN ***************
>> frontend cyrus/lmtp[19541]: login: mta.domain [IP] cyrus PLAIN+TLS 
>> User logged in
>> frontend cyrus/lmtp[19541]: command: MAIL FROM:<mail at domain> SIZE=576
>> frontend cyrus/lmtp[19541]: command: RCPT TO:<mail at domain>
>> frontend cyrus/lmtp[19541]: command: DATA
>> frontend cyrus/lmtp[19541]: USAGE <uid> user: 0.030932 sys: 0.017066
>> frontend cyrus/lmtp[19537]: accepted connection
>> frontend cyrus/lmtp[19537]: connection from frontend.domain [IP]
>> frontend cyrus/lmtp[19537]: command: LHLO lmtpproxyd
>> frontend cyrus/lmtp[19537]: TLS is available.
>> frontend cyrus/lmtp[19537]: command: STARTTLS
>> frontend cyrus/lmtp[19537]: TLS is available.
>> frontend cyrus/lmtp[19541]: tls_server_ca_dir=(NULL) 
>> tls_server_ca_file=/etc/ssl/certs/wildcard.ca
>> frontend cyrus/lmtp[19537]: SSL_accept() incomplete -> wait
>> frontend cyrus/lmtp[19541]: Doing a peer verify
>> frontend cyrus/lmtp[19541]: Doing a peer verify
>> frontend cyrus/lmtp[19541]: Doing a peer verify
>> frontend cyrus/lmtp[19537]: Doing a peer verify
>> frontend cyrus/lmtp[19537]: Doing a peer verify
>> frontend cyrus/lmtp[19537]: Doing a peer verify
>> frontend cyrus/lmtp[19537]: SSL_accept() incomplete -> wait
>> frontend cyrus/lmtp[19537]: SSL_accept() succeeded -> done
>> frontend cyrus/lmtp[19537]: received client certificate
>> frontend cyrus/lmtp[19537]: 
>> subject=***********************************************
>> frontend cyrus/lmtp[19537]: starttls: TLSv1.2 with cipher 
>> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) authenticated as *.domain
>> frontend cyrus/lmtp[19541]: received server certificate
>> frontend cyrus/lmtp[19541]: starttls: TLSv1.2 with cipher 
>> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new client) no authentication
>> frontend cyrus/lmtp[19537]: command: LHLO lmtpproxyd
>> frontend cyrus/lmtp[19537]: TLS is available.
>> frontend cyrus/lmtp[19541]: couldn't authenticate to backend server: 
>> no mechanism available
>> frontend cyrus/lmtp[19537]: command: QUIT
>> frontend cyrus/lmtp[19541]: command: QUIT
>>
>>
>> ### saslauthd -d -a pam  >> cyrus is lmtpuser from mta, murder is 
>> lmtpuser for the backend,
>> ### lmtp connection to the backend doesn't go to saslauthd
>> saslauthd[19525] :rel_accept_lock : released accept lock
>> saslauthd[19527] :get_accept_lock : acquired accept lock
>> saslauthd[19525] :do_auth         : auth success: [user=cyrus] 
>> [service=lmtp] [realm=] [mech=pam]
>> saslauthd[19525] :do_request      : response: OK
>>
>>
>> ### /var/log/messages
>> frontend cyrus/lmtp[19563]: No worthy mechs found
>> frontend cyrus/lmtp[19563]: No worthy mechs found
>>
>> ### /var/log/maillog -> mta postfix
>> mta postfix/smtpd[7678]: connect from client_test
>> mta postfix/smtpd[7678]: DCAEF10392E5: client=client_test
>> mta postfix/cleanup[7682]: DCAEF10392E5: message-id=<>
>> mta postfix/qmgr[2161]: DCAEF10392E5: from=<mail.domain>, size=576, 
>> nrcpt=1 (queue active)
>> mta postfix/smtpd[7678]: disconnect from client_test
>> mta postfix/lmtp[7683]: Untrusted TLS connection established to 
>> frontend:24: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 
>> bits)
>> mta postfix/lmtp[7683]: DCAEF10392E5: to=<mail.domain>, 
>> relay=frontend:24, delay=0.1, delays=0.01/0/0.07/0.02, dsn=4.4.3, 
>> status=deferred (host frontend said: 451 4.4.3 Remote server 
>> unavailable (in reply to end of DATA command))
>>
>>
>> ### /etc/imapd.conf -> frontend
>> sasl_pwcheck_method: saslauthd
>> sasl_mech_list: PLAIN
>> mupdate_server: cyrus-murder.univ-brest.fr
>> mupdate_username: murder
>> mupdate_authname: murder
>> mupdate_password: password
>> backend_password: password
>> proxy_authname: murder
>>
>>
>> ### /etc/cyrus.conf -> frontend
>> START {
>>   recover       cmd="ctl_cyrusdb -r"
>> }
>> SERVICES {
>>   # add or remove based on preferences
>>   mupdate       cmd="mupdate" listen=3905 prefork=1
>>   imap          cmd="imapd" listen="imap" prefork=5
>>   imaps         cmd="imapd -s" listen="imaps" prefork=1
>>   pop3          cmd="pop3d" listen="pop3" prefork=3
>>   pop3s         cmd="pop3d -s" listen="pop3s" prefork=1
>>   sieve         cmd="timsieved" listen="sieve" prefork=0
>>   nntp          cmd="nntpd" listen="nntp" prefork=3
>>   lmtp          cmd="lmtpd" listen="lmtp" prefork=0
>> }
>> EVENTS {
>>   checkpoint    cmd="ctl_cyrusdb -c" period=30
>>   delprune      cmd="cyr_expire -E 3" at=0400
>>   tlsprune      cmd="tls_prune" at=0400
>> }
>> DAEMON {
>>   idled         cmd="idled"
>> }
>>
>> ### /etc/sysconfig/saslauthd
>> SOCKETDIR=/run/saslauthd
>> MECH=pam
>>
>> ### lmtptest frontend -> backend
>> (frontend)# lmtptest -t "" -a murder backend
>> S: 220 backend.domain Cyrus LMTP 3.0.8-7.el7.centos Fedora server ready
>> C: LHLO lmtptest
>> S: 250-backend.domain
>> S: 250-8BITMIME
>> S: 250-ENHANCEDSTATUSCODES
>> S: 250-PIPELINING
>> S: 250-SIZE
>> S: 250-STARTTLS
>> S: 250-AUTH PLAIN
>> S: 250-IGNOREQUOTA
>> S: 250 Ok SESSIONID=<cyrus-28058-1551952740-1-7710567405059874995>
>> C: STARTTLS
>> S: 220 Begin TLS negotiation now
>> verify error:num=19:self signed certificate in certificate chain
>> TLS connection established: TLSv1.2 with cipher 
>> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>> C: LHLO lmtptest
>> S: 250-backend.domain
>> S: 250-8BITMIME
>> S: 250-ENHANCEDSTATUSCODES
>> S: 250-PIPELINING
>> S: 250-SIZE
>> S: 250-AUTH PLAIN
>> S: 250-IGNOREQUOTA
>> S: 250 Ok SESSIONID=<cyrus-28058-1551952740-2-5714180577914972405>
>> Please enter your password:
>> C: AUTH PLAIN ***************************************
>> S: 235 Authenticated!
>> Authenticated.
>> Security strength factor: 256
>>
>>
>> It seems I am missing something in imapd.conf to tell LMTP to use sasl 
>> plain, but I didn't find the way.
>> Any help would be greatly appreciated.
>>
>> Thanks
>>
>>
>> Ismaël TANGUY
>> Université de Bretagne Occidentale
>> Brest - France
>>
>> ----
>> Cyrus Home Page: http://www.cyrusimap.org/
>> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
>> To Unsubscribe:
>> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
>
>
>
> -------------------------------------------------------------------------------- 
>
> M.Menge                                Tel.: (49) 7071/29-70316
> Universität Tübingen                   Fax.: (49) 7071/29-5912
> Zentrum für Datenverarbeitung          mail: 
> michael.menge at zdv.uni-tuebingen.de
> Wächterstraße 76
> 72074 Tübingen
>
> ----
> Cyrus Home Page: http://www.cyrusimap.org/
> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
> To Unsubscribe:
> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
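
A small triage check for the situation discussed in this thread, as an added example that is not part of the original messages or of Cyrus itself: it parses a frontend imapd.conf and syslog text, and reports when the backend-authentication failure coincides with mupdate_username being set while sasl_mech_list offers only PLAIN, the combination the reply points at. The function names and sample inputs are constructed for illustration, and the parser ignores line continuations.

```python
import re

# Constructed sample inputs modelled on the excerpts quoted in the thread
# (log lines unwrapped, as syslog would write them).
SAMPLE_CONF = """\
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
mupdate_username: murder
mupdate_authname: murder
"""
SAMPLE_LOG = """\
frontend cyrus/lmtp[19541]: command: DATA
frontend cyrus/lmtp[19541]: couldn't authenticate to backend server: no mechanism available
frontend cyrus/lmtp[19563]: No worthy mechs found
"""

# The two symptoms seen in /var/log/maillog and /var/log/messages in the thread.
FAILURE = re.compile(
    r"cyrus/(\w+)\[(\d+)\]: "
    r"(couldn't authenticate to backend server: .+|No worthy mechs found)\s*$")

def parse_imapd_conf(text):
    """Return {option: value} from 'option: value' lines, skipping comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            opts[key.strip().lower()] = value.strip()
    return opts

def backend_auth_failures(log_text):
    """Return (service, pid, message) for each SASL negotiation failure line."""
    hits = []
    for line in log_text.splitlines():
        m = FAILURE.search(line)
        if m:
            hits.append((m.group(1), int(m.group(2)), m.group(3)))
    return hits

def triage(conf_text, log_text):
    """Report when the log symptom coincides with the config the reply points at."""
    opts = parse_imapd_conf(conf_text)
    only_plain = opts.get("sasl_mech_list", "").upper().split() == ["PLAIN"]
    if backend_auth_failures(log_text) and only_plain and "mupdate_username" in opts:
        return ["mupdate_username is set and sasl_mech_list offers only PLAIN: "
                "try removing mupdate_username, keeping mupdate_authname"]
    return []
```
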