Quoting Scott Russell <[EMAIL PROTECTED]>:

> On Sat, Oct 05, 2002 at 12:53:46PM -0400, Ken Murchison wrote:
> > Quoting Matt Bernstein <[EMAIL PROTECTED]>:
> >
> > > At 09:24 -0400 Ken Murchison wrote:
> > >
> > > >> Telnet-ing to port 2000 gives me:
> > > >>
> > > >> "IMPLEMENTATION" "Cyrus timsieved v1.1.0"
> > > >> "SIEVE" "fileinto reject envelope vacation imapflags notify subaddress
> > > >> relational regex"
> > > >> OK
> > > >>
> > > >> ..and "STARTTLS" if I configure it. But there's no "SASL" line.
> > > >
> > > >I'm guessing that one of two things is happening:
> > > >
> > > >1. you have allowplaintext:no in imapd.conf
> > >
> > > nope :) In fact I'd even tried explicitly "allowplaintext: yes".
> > >
> > > >2. you installed SASL in a non-default location and Cyrus can't find the
> > > >plugins. If you do:
> > > >
> > > >imtest -t '' -a <user> -u <user> <server>
> > >
> > > [mangled by pine justifying my middle button paste :)]
> > >
> > > S: * OK vicar Cyrus IMAP4 v2.1.9 server ready
> > > C: C01 CAPABILITY
> > > S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> > > NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
> > > THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS LISTEXT
> > > LIST-SUBSCRIBED ANNOTATEMORE
> > > S: C01 OK Completed
> > > C: S01 STARTTLS
> > > S: S01 OK Begin TLS negotiation now
> > > verify error:num=19:self signed certificate in certificate chain
> > > TLS connection established: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
> > > C: C01 CAPABILITY
> > > S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> > > NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
> > > THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=LOGIN
> > > AUTH=PLAIN LISTEXT LIST-SUBSCRIBED ANNOTATEMORE
> > > S: C01 OK Completed
> > > C: A01 AUTHENTICATE LOGIN
> > > S: + VXNlcm5hbWU6
> > >
> > > >what mechs are listed? I'm guessing none. If this is the case, either link
> > > >your SASL plugins directory to /usr/lib/sasl2 or rebuild Cyrus using the
> > > >--with-sasl option. FYI, the reason that IMAP and POP3 both work is that they
> > > >each have their own plaintext login commands (LOGIN and USER/PASS
> > > >respectively), which don't depend on SASL plugins.
> > >
> > > I've got AUTHENTICATE PLAIN working on imapd as it's used to presubscribe
> > > our new accounts to a couple of folders we create.
> > >
> > > I have /usr/lib/sasl2 -> ../local/lib/sasl2, in which live seemingly the
> > > right things.
> >
> > Hmm. You shot me down on both common problems. You only see this problem with
> > timsieved? What about lmtpd?
>
> I've been following this thread and have timsieved from cyrus 2.1.9
> working fine myself. A few things nag me about the imtest capture from
> above.
>
> Previously it was said that only PLAIN and LOGIN mechs are allowed
> based on the imapd.conf line: sasl_mech_list: plain login. But if you
> look at the imtest dump the AUTH=LOGIN AUTH=PLAIN mechs aren't shown
> until _after_ the TLS negotiation takes place. To me this indicates
> that PLAIN and LOGIN are not allowed unless they're under the TLS/SSL
> layer.

This is true for imapd and pop3d since they both have their own plaintext
login commands. Since timsieved doesn't have a separate command, plaintext
SASL mechs are always allowed unless they are explicitly turned off.

> I also noticed that sasl_minimum_layer: 1 was set in the imapd.conf. I
> don't recall but doesn't that exclude PLAIN and LOGIN unless they are
> under SSL/TLS?

Good catch! I completely missed this the first time around. Most people
don't use those sasl options, so it never occurred to me to look.

--
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
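
The diagnosis reached in this thread, as an added example that is not part of the original message or of Cyrus itself: a small Python check that reads a timsieved greeting and imapd.conf text and reports why the "SASL" line is missing or risky. The sample greeting and config are constructed from the values quoted in the thread, and the function names are hypothetical.

```python
import re

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # password sent as-is, no SASL security layer

# Constructed samples, assembled from the values quoted in the thread.
GREETING = ('"IMPLEMENTATION" "Cyrus timsieved v1.1.0"\n'
            '"SIEVE" "fileinto reject envelope vacation imapflags notify '
            'subaddress relational regex"\n"STARTTLS"\nOK\n')
CONF = "allowplaintext: yes\nsasl_mech_list: plain login\nsasl_minimum_layer: 1\n"

def parse_sieve_greeting(text):
    """Parse greeting lines of the form "NAME" ["value"], stopping at OK."""
    caps = {}
    for line in text.splitlines():
        line = line.strip()
        if line.upper().startswith("OK"):
            break
        parts = re.findall(r'"([^"]*)"', line)
        if parts:
            caps[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return caps

def parse_conf(text):
    """Parse 'option: value' lines of imapd.conf, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip().lower()] = value.strip()
    return conf

def diagnose(greeting, conf_text, tls_active=False):
    """Return findings about the advertised SASL mechs (list of strings)."""
    caps, conf = parse_sieve_greeting(greeting), parse_conf(conf_text)
    offered = set(caps.get("SASL", "").upper().split())
    allowed = set(conf.get("sasl_mech_list", "").upper().split())
    min_layer = int(conf.get("sasl_minimum_layer", "0"))
    weak = sorted(offered & PLAINTEXT_MECHS)
    if weak and not tls_active:
        return ["plaintext mechs offered without TLS: " + " ".join(weak)]
    if offered:
        return []
    if allowed and allowed <= PLAINTEXT_MECHS and min_layer > 0 and not tls_active:
        return ["no SASL line: sasl_mech_list holds only plaintext mechs and "
                "sasl_minimum_layer > 0 hides them until TLS is negotiated"]
    return ["no SASL line: check allowplaintext and the SASL plugin directory"]
```
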