On Thu, 2008-01-10 at 16:44 -0800, Phil Pennock wrote:
> On 2008-01-10 at 18:07 -0500, Ross Boylan wrote:
> > I have been trying to authenticate using the same account database as my
> > Cyrus imap server. I can't even seem to get very useful debugging
> > output. I would appreciate any help.
> >
> > Following suggestions earlier on this list, I run (as root)
> > exim -d -oX 198.144.201.14.27 -bd 2>&1
> > and ran swaks on the client.
>
> Try -d+auth to turn on more authentication debugging.
>
> Since you saw nothing thereafter, not even a connection from the client,
> are you sure that you told the client to connect to port 27 instead of
> the default port?

Argh. I dropped the port specification while I fiddled with the firewall.
I put it back in (also with -d+auth). Now I get more information, the key
part of which is

9673 Cyrus SASL permanent failure -20 (user not found)
9673 LOG: REJECT
9673   cram_md5_sasl_server authenticator (CRAM-MD5):
9673   Cyrus SASL permanent failure: user not found
9673 SMTP>> 535 Incorrect authentication data
The other thing that seems odd is that I see no exchange of the user name
(on either the client or server side). Are the password and username all
wrapped into one in the challenge-response? If not, then that's the
immediate cause of the problem. I do specify -au to swaks.

>
> > -------------- exim config -------------------------
> >
> > cram_md5_sasl_server:
> >   driver = cyrus_sasl
> >   public_name = CRAM-MD5
> >   server_realm = betterworld.us
> >   server_set_id = $auth1
>
> Since you're setting server_realm, are you sure that the user
> identifiers in the DB are all realm-qualified?
>
> I can't directly help; I vaguely remember all sorts of "interesting"
> debugging issues using sasldb back when I did that; these days, I use
> cyrus_sasl for GSSAPI and use an Exim-specific password file for
> password-based mail-sending.
>
> As an aside: at $previous_employer, I set the policy that as an exception
> to the normal rule, email-sending passwords could be written down
> because they were generated for the user as pure randomness to protect
> against spammers using dictionary attacks; compromise of this
> mail-sending-only password would not give the ability to read any email,
> "only" send new email as that user. Since people configured their
> password in, eg, whatever MTA they used at home, this password
> separation policy seemed to work well.
>
> > Cyrus SASL knows about: CRAM-MD5
> > Cyrus SASL driver cram_md5_sasl_server: CRAM-MD5 initialised
>
> That looks good.
>
> > 4186 local_interfaces overridden by -oX:
> > 4186   <: 198.144.201.14.27
> > 4186 listening on 198.144.201.14 port 27
> > 4186 changed uid/gid: running as a daemon
> > 4186   uid=103 gid=103 pid=4186
> > 4186   auxiliary group list: 45 103
> > 4186 LOG: MAIN
> > 4186   exim 4.68 daemon started: pid=4186, no queue runs, listening for
> > SMTP on [198.144.201.14]:27
> > 4186 set_process_info: 4186 daemon: no queue runs, listening for SMTP
> > on [198.144.201.14]:27
> > 4186 daemon running with uid=103 gid=103 euid=103 egid=103
> > 4186 Listening...
> > # everything above here preceded client connection
> > # and nothing more appears after that.
>
> There should be something showing when someone connects. Since it made
> it into other logs, I strongly suspect that the client software wasn't
> using port 27.
>
> To confirm this, it's useful to have the pid in the log lines; it's not
> by default, but you can turn that on with log_selector in the main
> config section:
> log_selector = +pid
>
> If you want to test manually, I'm attaching a short program to let you
> cut&paste challenge responses. You could then telnet and run this in a
> separate window.
>
> -Phil

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
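As an added example, not Phil's attached program and not code from the thread: a small Python model of the CRAM-MD5 exchange discussed above. It shows that the username travels inside the client's single base64 reply ("username<space>HMAC-MD5(password, challenge)") rather than in a separate message, so the name Exim hands to Cyrus SASL is whatever the client put there. The sasldb-style table keyed by "user@realm", the challenge text and the credentials are constructed here to illustrate Phil's realm-qualification question.

```python
import base64
import hashlib
import hmac
from typing import Callable, Optional

def cram_md5_digest(password: str, challenge: bytes) -> str:
    """Hex HMAC-MD5 of the raw server challenge, keyed with the shared secret."""
    return hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()

def client_response(username: str, password: str, challenge_b64: str) -> str:
    """What a client (e.g. swaks -au/-ap) sends after the server's '334 <b64>' line:
    ONE base64 token wrapping 'username<SP>hexdigest'. No separate username message."""
    challenge = base64.b64decode(challenge_b64)
    line = f"{username} {cram_md5_digest(password, challenge)}"
    return base64.b64encode(line.encode("utf-8")).decode("ascii")

def split_response(response_b64: str) -> tuple[str, str]:
    """Server side: recover (username, digest) from the client's single token."""
    decoded = base64.b64decode(response_b64).decode("utf-8")
    username, _, digest = decoded.rpartition(" ")
    return username, digest

def verify(response_b64: str, challenge_b64: str,
           lookup: Callable[[str], Optional[str]]) -> tuple[str, str]:
    """Return (username, outcome); outcome is 'ok', 'user not found' or 'bad digest'.
    The lookup key is exactly the name the client sent, which is where a
    realm-qualified credential store and an unqualified client name diverge."""
    username, digest = split_response(response_b64)
    secret = lookup(username)
    if secret is None:
        return username, "user not found"
    expected = cram_md5_digest(secret, base64.b64decode(challenge_b64))
    ok = hmac.compare_digest(expected, digest)
    return username, "ok" if ok else "bad digest"

# Constructed sample data (not from the thread): a challenge in the usual
# '<nonce.time@host>' shape and an assumed sasldb-like table keyed by user@realm.
CHALLENGE_B64 = base64.b64encode(b"<1234.1199999999@mail.example.test>").decode("ascii")
SASLDB = {"ross@betterworld.us": "example-secret"}

if __name__ == "__main__":
    bare = client_response("ross", "example-secret", CHALLENGE_B64)
    print("client sends:", bare)  # the username is inside this one token
    print("bare name   :", verify(bare, CHALLENGE_B64, SASLDB.get))
    qualified = client_response("ross@betterworld.us", "example-secret", CHALLENGE_B64)
    print("realm name  :", verify(qualified, CHALLENGE_B64, SASLDB.get))
```

Paste the server's 334 challenge into client_response() to get the exact token to type into a telnet session, or run verify() against a decoded capture to see which name the server actually looked up.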
