Juan Leon writes:
>
> I am trying to install a cyrus that works with Mulberry and
>Netscape.  I got both 2.0.9 and 1.6.24 working with Mulberry
>with DIGEST-MD5, etc. But none gives me PLAIN for Netscape (or
>Mulberry). SASL's sample-server reports that SASL is offering
>everything except ANONYMOUS, so that would not appear to be the
>problem.

Part of the problem is that there are two authentication methods
that are called LOGIN.  One is the pre-SASL IMAP command called
LOGIN, which should be available on all IMAP servers, unless it
is specifically disabled, but is never advertised.  The other is
the SASL AUTH=LOGIN mechanism, which is also a plain-text authentication
method.  By default, Cyrus will not advertise this mechanism
unless it's using a secure communications channel, such as SSL
or STARTTLS.  Sendmail, on the other hand, will advertise this
mechanism if you add it to the list of mechanisms to be advertised.
I believe that it's only used by Microsoft mail clients and by pine.
Netscape uses the pre-SASL LOGIN command.

> So I read in the docs for cyrus 1.5.<something> that PLAIN
>won't show up but that it works as LOGIN.  I am not sure what
>this means: does cyrus' LOGIN become SASL's PLAIN? Does Cyrus
>LOGIN become SASL's LOGIN?  Neither?

The pre-SASL LOGIN command is also known as plain.

>                               Apparently the latter:
>my /usr/lib/sasl/Cyrus.conf (and imap.conf and cyrus.conf for
>good measure) has pwcheck_method: sasldb.  I check via ldd
>and strace that, indeed, this is the right config directory.
>Yet per the auth.log (which PAM, unlike SASL, is civilized
>enough to use) cyrus insists on trying to authenticate
>LOGIN through PAM, which fails because it is user cyrus requesting
>the auth.

This seems to be a Linux feature.  If PAM requires access to the
shadow file, you have to ensure that the cyrus user can read that
file so that cyrus can authenticate other users.  Otherwise, PAM
will only authenticate cyrus.

> OK, in the cyrus docs for version 2.0.9 I read that I need to
>enable STARTTLS in order for PLAIN to show up (another approach).
>I have enabled STARTTLS as far as I know, but Netscape is still
>failing.  Does cyrus pretend to not grok TLS if there is no
>certificate? I will put one in, but there are only so many
>things I can try in a week.

It needs a certificate, but it can be a self-signed one.

> On a mostly unrelated note, sendmail is failing to authenticate via
>DIGEST-MD5 or anything else (I have recompiled it with
>GroupWriteUnsafeSASL or whatever).  This, and the above, makes
>me want BAD to put a trace on SASL.  I have tried redefining the
>VL macro to syslog, but this makes everything fail.  Is there
>a way of finding out what SASL is doing?   It certainly doesn't
>output anything to auth.log (or any other log) of its own will.
>I will ask this in the sasl list, but I thought you might know.

The sendmail web site has some information on it.  Generally, you
can bump up the sendmail logging level, and find out what is wrong.
Sendmail and cyrus don't cooperate very well with file access.


-- 
-Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-
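
Added example, not part of the original message: a small Python check that reads an IMAP CAPABILITY response and separates the pre-SASL LOGIN command from the SASL AUTH=PLAIN and AUTH=LOGIN mechanisms, flagging any that are usable without TLS. The capability lines are constructed samples, and the LOGINDISABLED atom comes from RFC 3501 rather than from this thread.

```python
import re

# SASL mechanisms that send the password itself and so depend on TLS underneath.
PLAINTEXT_SASL = {"PLAIN", "LOGIN"}

# Constructed sample responses (not captured from a real server).
CLEARTEXT_CAPS = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=DIGEST-MD5 AUTH=CRAM-MD5"
TLS_CAPS = "* CAPABILITY IMAP4rev1 AUTH=DIGEST-MD5 AUTH=PLAIN AUTH=LOGIN"
WEAK_CAPS = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] server ready"

def parse_capability(line):
    """Parse a CAPABILITY response (or a greeting carrying one) into a dict."""
    m = re.match(r"^\*\s+(?:OK\s+\[)?CAPABILITY\s+([^\]\r\n]*)", line, re.I)
    if not m:
        raise ValueError("not a CAPABILITY response: %r" % line)
    atoms = [a.upper() for a in m.group(1).split()]
    return {
        "sasl": [a[5:] for a in atoms if a.startswith("AUTH=")],
        "starttls": "STARTTLS" in atoms,
        # The LOGIN command has no capability atom of its own: it is usable
        # unless the server announces LOGINDISABLED (RFC 3501).
        "login_command": "LOGINDISABLED" not in atoms,
    }

def audit(line, channel_encrypted):
    """Return (caps, findings) for one response seen on one channel state."""
    caps = parse_capability(line)
    findings = []
    if not channel_encrypted:
        for mech in caps["sasl"]:
            if mech in PLAINTEXT_SASL:
                findings.append("AUTH=%s offered without TLS" % mech)
        if caps["login_command"]:
            findings.append("LOGIN command not disabled without TLS")
        if not caps["starttls"]:
            findings.append("STARTTLS not offered")
    return caps, findings

if __name__ == "__main__":
    for label, line, enc in [("cleartext", CLEARTEXT_CAPS, False),
                             ("after TLS", TLS_CAPS, True),
                             ("weak", WEAK_CAPS, False)]:
        caps, findings = audit(line, enc)
        print(label, caps["sasl"], findings or "no findings")
```

The first sample shows why a client that looks for AUTH=PLAIN sees nothing while a client that sends the LOGIN command can still authenticate: the command is available even though no capability atom announces it.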
