On 2008-01-10 at 18:07 -0500, Ross Boylan wrote:
> I have been trying to authenticate using the same account database as my
> Cyrus imap server. I can't even seem to get very useful debugging
> output. I would appreciate any help.
>
> Following suggestions earlier on this list, I run (as root)
> exim -d -oX 198.144.201.14.27 -bd 2>&1
> and ran swaks on the client.
Try -d+auth to turn on more authentication debugging.

Since you saw nothing thereafter, not even a connection from the client, are you sure that you told the client to connect to port 27 instead of the default port?

> -------------- exim config -------------------------
>
> cram_md5_sasl_server:
>   driver = cyrus_sasl
>   public_name = CRAM-MD5
>   server_realm = betterworld.us
>   server_set_id = $auth1

Since you're setting server_realm, are you sure that the user identifiers in the DB are all realm-qualified?

I can't directly help; I vaguely remember all sorts of "interesting" debugging issues using sasldb back when I did that; these days, I use cyrus_sasl for GSSAPI and use an Exim-specific password file for password-based mail-sending.

As an aside: at $previous_employer, I set the policy that as an exception to the normal rule, email-sending passwords could be written down because they were generated for the user as pure randomness to protect against spammers using dictionary attacks; compromise of this mail-sending-only password would not give the ability to read any email, "only" send new email as that user. Since people configured their password in, eg, whatever MTA they used at home, this password separation policy seemed to work well.

> Cyrus SASL knows about: CRAM-MD5
> Cyrus SASL driver cram_md5_sasl_server: CRAM-MD5 initialised

That looks good.

> 4186 local_interfaces overridden by -oX:
> 4186 <: 198.144.201.14.27
> 4186 listening on 198.144.201.14 port 27
> 4186 changed uid/gid: running as a daemon
> 4186 uid=103 gid=103 pid=4186
> 4186 auxiliary group list: 45 103
> 4186 LOG: MAIN
> 4186 exim 4.68 daemon started: pid=4186, no queue runs, listening for
> SMTP on [198.144.201.14]:27
> 4186 set_process_info: 4186 daemon: no queue runs, listening for SMTP
> on [198.144.201.14]:27
> 4186 daemon running with uid=103 gid=103 euid=103 egid=103
> 4186 Listening...
> # everything above here preceded client connection
> # and nothing more appears after that.
There should be something showing when someone connects. Since it made it into other logs, I strongly suspect that the client software wasn't using port 27.

To confirm this, it's useful to have the pid in the log lines; it's not by default, but you can turn that on with log_selector in the main config section:

    log_selector = +pid

If you want to test manually, I'm attaching a short program to let you cut&paste challenge responses. You could then telnet and run this in a separate window.

-Phil
    #!/usr/bin/perl
    #
    # $HeadURL: https://svn.spodhuis.org/ksvn/pdp-bincommon/cram_auth_calc $
    # $Id: cram_auth_calc 12 2005-06-16 01:23:17Z pdp $
    #
    # CRAM-<HMAC-HASH> calculator for interactive logins.
    # Assumes base64.
    #
    use strict;
    use warnings;
    use vars qw/ $progname $algorithm $algorithm_uc $hmac_func $do_hmac /;

    BEGIN {
        my %hmacs = (
            # keys lower-case
            md5  => [ 'Digest::HMAC_MD5',  'hmac_md5_hex' ],
            sha1 => [ 'Digest::HMAC_SHA1', 'hmac_sha1_hex' ],
        );
        my $hmac_re = join('|', keys %hmacs);

        # Pick the algorithm from the program name (e.g. cram_auth_calc_md5) ...
        ($progname = $0) =~ s!^.*/!!;
        if ($progname =~ /^(?:.*?[_.-])? ($hmac_re) (?:[_.-].*)?$/ix) {
            $algorithm = lc $1;
        } else {
            $algorithm = undef;
        }
        # ... or from the first command-line argument.
        unless (defined $algorithm) {
            if (defined $ARGV[0] and exists $hmacs{lc $ARGV[0]}) {
                $algorithm = lc $ARGV[0];
                shift @ARGV;
            }
        }
        unless (defined $algorithm) {
            warn "No HMAC algorithm determined. Please supply one of:\n";
            warn "\t" . join(' ', map {uc $_} sort keys %hmacs) . "\n";
            exit 1;
        }
        $algorithm_uc = uc $algorithm;
        $hmac_func = $hmacs{$algorithm};
        # Load only the Digest::HMAC_* module that is needed and take a
        # reference to its fully-qualified hex-digest function.
        my $hmac_module = $hmac_func->[0];
        $hmac_module =~ s!::!/!g;
        $hmac_module .= '.pm';
        require $hmac_module;
        $do_hmac = \&{$hmac_func->[0] . '::' . $hmac_func->[1]};
    }

    use MIME::Base64;
    use Term::ReadLine;
    use Term::ReadPassword;

    my $term = new Term::ReadLine "cram_auth_calc_$algorithm";
    die "No terminal initialisation" unless defined $term;
    $term->ornaments(0);

    # Paste the server's challenge (the text after the "334 " reply) here.
    my $challenge = $term->readline("CRAM-$algorithm_uc Challenge (base64 encoded): ");
    my $usercode  = $term->readline('Usercode to authenticate as: ');
    my $password  = read_password('Password: ');

    # Response is base64("user" . " " . HMAC-hex(challenge, key = password)).
    my $raw_challenge = decode_base64($challenge);
    my $authdata      = $do_hmac->($raw_challenge, $password);
    my $raw_response  = $usercode . ' ' . $authdata;
    my $response      = encode_base64($raw_response);
    $response .= "\n" unless $response =~ /\n\z/;
    print $response;
-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
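The CRAM-MD5 exchange that Phil's calculator feeds, with the server's half added so both sides can be seen together: an example written for this page in Python, not code from the original post or from Exim/Cyrus SASL. The function names make_challenge, client_response and server_verify, and the user table USERS standing in for sasldb, are constructed for the example; it goes a little beyond the calculator by also showing how the server checks the response and why it needs the cleartext secret.

```python
import base64
import hashlib
import hmac
import os
import socket
import time

def make_challenge(pid=None, host=None, now=None):
    """Server side: the RFC 2195 style nonce '<pid.timestamp@host>', base64
    encoded as it follows the SMTP '334 ' continuation reply."""
    pid = os.getpid() if pid is None else pid
    host = socket.gethostname() if host is None else host
    now = int(time.time()) if now is None else now
    return base64.b64encode(f"<{pid}.{now}@{host}>".encode()).decode()

def client_response(challenge_b64, username, password):
    """Client side: HMAC-MD5 keyed by the password over the decoded challenge,
    then base64('user' + ' ' + hexdigest); the same string the Perl calculator
    prints for pasting into a telnet session."""
    raw_challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), raw_challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()

def server_verify(challenge_b64, response_b64, lookup_password):
    """Server side: recompute the digest from the stored secret and compare in
    constant time; returns the user id (what $auth1 carries) or None. This
    needs the cleartext password on the server, so a one-way-hashed store
    cannot back CRAM-MD5."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, digest = decoded.rpartition(" ")
    if not sep or not user or len(digest) != 32:
        return None
    stored = lookup_password(user)
    if stored is None:
        return None  # unknown user: same outcome as a wrong password
    expected = hmac.new(stored.encode(), base64.b64decode(challenge_b64),
                        hashlib.md5).hexdigest()
    return user if hmac.compare_digest(expected, digest) else None

# Constructed user table standing in for sasldb (demo only).
USERS = {"tim": "tanstaaftanstaaf"}

if __name__ == "__main__":  # the exchange as seen on the wire
    chal = make_challenge()
    print("S: 334", chal)
    resp = client_response(chal, "tim", USERS["tim"])
    print("C:", resp)
    print("authenticated as:", server_verify(chal, resp, USERS.get))
```

The test values below are the published RFC 2195 example (user tim, secret tanstaaftanstaaf), which is a handy way to check a calculator like the one above before pointing it at a real server.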
