Thank you very much.  This helped clear up the confusion between LOGIN
and AUTH=LOGIN.  In fact, I got cyrus to work with netscape, though,
weirdly, the fix required eliminating LOGIN from the mechanisms supported
by SASL.  Does Netscape confuse IMAP LOGIN with AUTH=LOGIN?  It might
seem that when netscape sees AUTH=LOGIN it instead issues an IMAP LOGIN
command, which cyrus sends to PAM, which fails.  Taking AUTH=LOGIN out
forced netscape to use PLAIN, which cyrus correctly sent to SASL, which
correctly used the sasldb.

This response also gave me the motivation I needed to try creating a
certificate next, which enabled STARTTLS.   Thanks again,

Juan

[EMAIL PROTECTED] wrote:

> Juan Leon writes:
> >
> > I am trying to install a cyrus that works with Mulberry and
> >Netscape.  I got both 2.0.9 and 1.6.24 working with Mulberry
> >with DIGEST-MD5, etc. But none gives me PLAIN for Netscape (or
> >Mulberry). SASL's sample-server reports that SASL is offering
> >everything except ANONYMOUS, so that would not appear to be the
> >problem.
>
> Part of the problem is that there are two authentication methods
> that are called LOGIN.  One is the pre-SASL IMAP command called
> LOGIN, which should be available on all IMAP servers, unless it
> is specifically disabled, but is never advertized.  The other is
> the SASL AUTH=LOGIN mechanism, which is also a plain-text authentication
> method.  By default, Cyrus will not advertize this mechanism
> unless it's using a secure communications channel, such as SSL
> or STARTTLS.  Sendmail, on the other hand, will advertize this
> mechanism if you add it to the list of mechanisms to be advertized.
> I believe that it's only used by Microsoft mail clients and by pine.
> Netscape uses the pre-SASL LOGIN command.
>
> > So I read in the docs for cyrus 1.5.<something> that PLAIN
> >won't show up but that it works as LOGIN.  I am not sure what
> >this means: does cyrus' LOGIN become SASL's PLAIN? Does Cyrus
> >LOGIN become SASL's LOGIN?  Neither?
>
> The pre-SASL LOGIN command is also known as plain.
>
> >                               Apparently the latter:
> >my /usr/lib/sasl/Cyrus.conf (and imap.conf and cyrus.conf for
> >good measure) has pwcheck_method: sasldb.  I check via ldd
> >and strace that, indeed, this is the right config directory.
> >Yet per the auth.log (which PAM, unlike SASL, is civilized
> >enough to use) cyrus insists on trying to authenticate
> >LOGIN through PAM, which fails because it is user cyrus requesting
> >the auth.
>
> This seems to be a Linux feature.  If PAM requires access to the
> shadow file, you have to ensure that the cyrus user can read that
> file so that cyrus can authenticate other users.  Otherwise, PAM
> will only authenticate cyrus.
>
> > OK, in the cyrus docs for version 2.0.9 I read that I need to
> >enable STARTTLS in order for PLAIN to show up (another approach).
> >I have enabled STARTTLS as far as I know, but Netscape is still
> >failing.  Does cyrus pretend to not grok TLS if there is no
> >certificate? I will put one in, but there are only so many
> >things I can try in a week.
>
> It needs a certificate, but it can be a self-signed one.
>
> > On a mostly unrelated note, sendmail is failing to authenticate via
> >DIGEST-MD5 or anything else (I have recompiled it with
> >GroupWriteUnsafeSASL or whatever).  This, and the above, makes
> >me want BAD to put a trace on SASL.  I have tried redefining the
> >VL macro to syslog, but this makes everything fail.  Is there
> >a way of finding out what SASL is doing?   It certainly doesn't
> >output anything to auth.log (or any other log) of its own will.
> >I will ask this in the sasl list, but I thought you might know.
>
> The sendmail web site has some information on it.  Generally, you
> can bump up the sendmail logging level, and find out what is wrong.
> Sendmail and cyrus don't cooperate very well with file access.
>
> --
> -Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-
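
The thread turns on three different ways a password can reach an IMAP server in the clear: the IMAP LOGIN command, SASL PLAIN and SASL LOGIN. The sketch below is an added example, not part of the original messages and not Cyrus code; it reads a CAPABILITY line, reports which of the three are usable before STARTTLS, and shows what a client sends for each. The capability lines, the tag `a1` and the credentials are constructed for illustration.

```python
import base64

PLAINTEXT_SASL = {"PLAIN", "LOGIN"}  # SASL mechanisms that carry the password itself

# Constructed capability lines, not captured from a real server.
CLEAR = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=DIGEST-MD5 AUTH=LOGIN"
STRICT = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=DIGEST-MD5"

def parse_capability(line):
    """Split a CAPABILITY response into (SASL mechanisms, other atoms)."""
    atoms = line.split()
    if atoms[:2] == ["*", "CAPABILITY"]:
        atoms = atoms[2:]
    atoms = [a.upper() for a in atoms]
    mechs = {a[5:] for a in atoms if a.startswith("AUTH=")}
    other = {a for a in atoms if not a.startswith("AUTH=")}
    return mechs, other

def plaintext_exposure(line, tls_active):
    """List the ways a password could cross this connection unprotected."""
    if tls_active:
        return []
    mechs, other = parse_capability(line)
    found = sorted("AUTHENTICATE " + m for m in mechs & PLAINTEXT_SASL)
    # The IMAP LOGIN command is never advertised; only LOGINDISABLED rules it out.
    if "LOGINDISABLED" not in other:
        found.append("LOGIN command")
    return found

def wire_forms(user, password):
    """Client lines for each plaintext method (server prompts omitted)."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return {
        # Pre-SASL IMAP command: credentials as command arguments.
        "LOGIN command": f"a1 LOGIN {user} {password}",
        # SASL PLAIN: one base64 blob of authzid NUL authcid NUL password.
        "AUTHENTICATE PLAIN": ["a1 AUTHENTICATE PLAIN",
                               b64("\x00" + user + "\x00" + password)],
        # SASL LOGIN: user and password sent as two separate base64 replies.
        "AUTHENTICATE LOGIN": ["a1 AUTHENTICATE LOGIN", b64(user), b64(password)],
    }

if __name__ == "__main__":
    for line in (CLEAR, STRICT):
        print(line, "->", plaintext_exposure(line, tls_active=False))
    for name, sent in wire_forms("user", "secret").items():
        print(name, "->", sent)
```

Base64 is an encoding, not protection: all three forms expose the password to anyone who can read the connection unless TLS is active.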
