I create a cert on both servers per the Install-configure.html and can run imtest to either host.

From server1 to server2 for example:
/opt/mail/cyrus-imapd/bin/imtest -t "" -m plain -a cyrus -u cyrus -p imap -v server2.sub2

after much output at the end it lists

S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256

I can see in the logs on server2

Apr 25 16:08:28 server2 imap[10683]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Apr 25 16:08:33 server2 imap[10683]: login: server1.sub1.domain.com [10.248.176.34] cyrus PLAIN+TLS User logged in

So imtest looks good.

I log in to do the xfer and I get the same error from before.

/opt/mail/cyrus-imapd/bin/cyradm --user cyrus --auth plain server1
Password:
IMAP Password:
server1.sub1.domain.com> xfer user.vbperry server2.sub2.domain.com
xfermailbox: Server(s) unavailable to complete operation

I see in the log on the source server it was auth with PLAIN not PLAIN+TLS like listed from imtest.

The connection to the remote host also lists PLAIN and not PLAIN+TLS.

Is there a way to force the TLS part?


Here is imapd.conf
defaultpartition: imap1
configdirectory: /var/imap
partition-imap1: /var/spool/imap1
admins: cyrus support
srvtab: /var/imap/srvtab
quotawarn: 85
popminpoll: 0
autocreatequota: 30000
sasl_pwcheck_method: saslauthd
lmtp_over_quota_perm_failure: 1
allowusermoves: yes
proxy_authname: cyrus
proxy_password: password
force_sasl_client_mech: plain login
tls_cert_file: /local/imap/server1.sub1.domain.com.pem
tls_key_file: /local/imap/server1.sub1.domain.com.pem


Thank you for any help

Perry
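The thread turns on two things that are easy to check mechanically: whether imapd.conf forces PLAIN for the backend-to-backend connection without the TLS material PLAIN needs, and whether the Cyrus syslog shows the proxy login completing as PLAIN+TLS rather than bare PLAIN or plaintext. The script below is an added example, not code from this thread or from the Cyrus project; it encodes that diagnosis as a small config lint plus a log classifier. All sample config and log lines in it are constructed, modelled on the lines posted above, and the check names (lint_imapd_conf, classify_login_lines) are this example's own.

```python
"""Added example (not from the thread or the Cyrus project): two checks that
encode the diagnosis reached in this thread.

1. lint_imapd_conf(): if imapd.conf forces PLAIN for backend-to-backend auth,
   TLS material (tls_cert_file / tls_key_file) and proxy_password must be present.
2. classify_login_lines(): read Cyrus syslog 'login:' / 'badlogin:' lines and
   tell PLAIN+TLS apart from bare PLAIN, plaintext (IMAP LOGIN) and SASL failures.

All sample data below is constructed, modelled on the lines posted in the thread.
"""
import re

# Constructed config, reduced to the keys the checks look at.
SAMPLE_CONF_NO_TLS = """\
configdirectory: /var/imap
allowusermoves: yes
proxy_authname: cyrus
proxy_password: password
force_sasl_client_mech: PLAIN
"""

# Same config with the certificate the thread ended up needing.
SAMPLE_CONF_TLS = SAMPLE_CONF_NO_TLS + """\
tls_cert_file: /local/imap/server1.sub1.domain.com.pem
tls_key_file: /local/imap/server1.sub1.domain.com.pem
"""

# Constructed log lines in the format Cyrus 2.2 writes to syslog.
SAMPLE_LOG = [
    "Apr 25 16:08:33 server2 imap[10683]: login: server1.sub1.domain.com [10.248.176.34] cyrus PLAIN+TLS User logged in",
    "Apr 21 12:56:31 server2 imap[27408]: badlogin: server1.sub1.domain.com [10.12.12.12] PLAIN [SASL(-4): no mechanism available: security flags do not match required]",
    "Apr 20 17:42:14 server1 imap[1458]: login: server1.sub1.domain.com [10.12.12.12] cyrus plaintext User logged in",
    "Apr 20 11:04:32 server1 imap[17729]: accepted connection",
    "Apr 20 11:04:38 server1 imap[17729]: badlogin: localhost.localdomain [127.0.0.1] DIGEST-MD5 [SASL(-13): user not found: no secret in database]",
]


def parse_imapd_conf(text):
    """Parse 'key: value' lines; '#' comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def lint_imapd_conf(text):
    """Return findings; an empty list means the PLAIN-over-TLS prerequisites are present."""
    conf = parse_imapd_conf(text)
    findings = []
    mechs = conf.get("force_sasl_client_mech", "").upper().split()
    if "PLAIN" in mechs:
        # PLAIN requires TLS, and TLS requires a certificate and key.
        for key in ("tls_cert_file", "tls_key_file"):
            if key not in conf:
                findings.append(f"PLAIN is forced but {key} is not set; PLAIN needs TLS and TLS needs a certificate")
        if "proxy_password" not in conf:
            findings.append("proxy_password missing; PLAIN to the backend has no secret to send")
    return findings


# Matches the 'login:' and 'badlogin:' records; the leading timestamp is not needed.
LOGIN_RE = re.compile(
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<kind>login|badlogin): "
    r"(?P<host>\S+) \[(?P<ip>[\d.]+)\] (?P<rest>.*)"
)


def classify_login_lines(lines):
    """Return one record per login/badlogin line: (kind, user, mech, protected, detail).

    'protected' is True only when Cyrus logged the mechanism with a '+TLS' suffix,
    i.e. the SASL exchange ran inside STARTTLS. 'plaintext' is the IMAP LOGIN
    command, which carries no SASL layer at all. For badlogin, detail holds the
    bracketed SASL reason; for login it holds the peer hostname.
    """
    records = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue
        rest = m.group("rest")
        if m.group("kind") == "login":
            user, mech, *_ = rest.split(" ", 2)
            records.append(("login", user, mech, mech.endswith("+TLS"), m.group("host")))
        else:
            mech, _, reason = rest.partition(" ")
            records.append(("badlogin", None, mech, mech.endswith("+TLS"), reason.strip("[]")))
    return records


def unprotected_logins(records):
    """Users who authenticated without TLS: plaintext LOGIN or a bare SASL mechanism."""
    return [(user, mech) for kind, user, mech, protected, _ in records
            if kind == "login" and not protected]


if __name__ == "__main__":
    for finding in lint_imapd_conf(SAMPLE_CONF_NO_TLS):
        print("conf:", finding)
    for rec in classify_login_lines(SAMPLE_LOG):
        print("log:", rec)
    print("unprotected:", unprotected_logins(classify_login_lines(SAMPLE_LOG)))
```

Run against the real files, the lint is a one-time check after editing imapd.conf on each backend, and the classifier can be fed the imap lines from local6.log after an xfer attempt: a successful backend connection shows up as a login record with PLAIN+TLS, while "security flags do not match required" on a bare PLAIN badlogin is the signature of PLAIN being attempted before STARTTLS.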

Basically:

Cyrus Imapd uses a SASL mechanism to talk between cyrus machines.
The SASL mechanism you are using is PLAIN (I don't think LOGIN is a SASL mechanism, it's IMAP specific)
PLAIN requires TLS
TLS requires certificates.
You don't have certificates.

if
imtest -t "" -m PLAIN -a cyrus -u cyrus servername

does not work, then xfer never will.


Get a cert! :)

-Patrick
On Apr 21, 2006, at 4:30 PM, Perry Brown wrote:

Sorry to keep bugging everyone on this but it seems I am close, I'm just overlooking something obvious.

I looked through the config on the hosts and we are using pam.


I changed the imapd.conf a little
defaultpartition: imap1
configdirectory: /var/imap
partition-imap1: /var/spool/imap1
admins: cyrus support
srvtab: /var/imap/srvtab
quotawarn: 85
popminpoll: 0
autocreatequota: 30000
sasl_pwcheck_method: saslauthd
lmtp_over_quota_perm_failure: 1
allowusermoves: yes
proxy_authname: cyrus
proxy_password: password
force_sasl_client_mech: LOGIN PLAIN


Imtest looks to work Ok with Login

server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -p imap -m login
WARNING: no hostname supplied, assuming localhost

S: * OK server1.sub1.domain.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN cyrus {8}
S: + go ahead
C: <omitted>
S: L01 OK User logged in
Authenticated.
Security strength factor: 0

This works to the localhost as well as to server2.

I try the xfer from server1 to server2:

server1.sub1% /opt/mail/cyrus-imapd/bin/cyradm --user cyrus --server server1.sub1 --auth login
IMAP Password:
             server1.sub1.domain.com>
server1.sub1.domain.com> xfer user.vbperry server2.sub2
xfermailbox: Server(s) unavailable to complete operation

the log from server2 shows:
Apr 21 12:56:31 server2 imap[27408]: badlogin: server1.sub1.domain.com [10.12.12.12] PLAIN [SASL(-4): no mechanism available: security flags do not match required]

/etc/sysconfig/saslauthd
MECH=pam
FLAGS=${FLAGS:=}

Is there a doc on the sysconfig/saslauthd flags? I looked through the docs that came with cyrus-imap and cyrus-sasl and did not find anything.

From server1 I can log into server2 with imtest, testsaslauthd works OK as
well. What security flags do not match? Is there a way to kick up the verbosity of the logging to see if that would give a clue?


Perry


I tried with plain: /opt/mail/cyrus-imapd/bin/imtest -m plain -p imap

And it got rejected.

C: A01 AUTHENTICATE PLAIN Y3lyaW1hcABjeXJpbWFwAGpTdXZTMTFz
S: A01 NO no mechanism available
Authentication failed. generic failure
Security strength factor: 0


I cannot find a tls conf file so I do not think starttls is set up.

I added the entry mentioned to imapd.conf
$ cat /etc/imapd.conf
defaultpartition: imap1
configdirectory: /var/imap
partition-imap1: /var/spool/imap1
admins: cyrus support
srvtab: /var/imap/srvtab
quotawarn: 85
popminpoll: 0
autocreatequota: 30000
sasl_pwcheck_method: saslauthd
lmtp_over_quota_perm_failure: 1
allowusermoves: yes
proxy_authname: cyrus
proxy_password: password
force_sasl_client_mech: PLAIN

And it gets things further along than before

$ sudo /opt/mail/cyrus-imapd/bin/cyradm --user cyrus --server server1 --auth PLAIN
domain.com authorized use only. [EMAIL PROTECTED] Password:
Password:
IMAP Password:
             server1.sub1.domain.com>
server1.sub1.domain.com> xfer user.vbperry server2.sub2.domain.com
xfermailbox: Server(s) unavailable to complete operation

log on source:

Apr 20 17:42:05 server1 imap[1458]: accepted connection
Apr 20 17:42:07 server1 imap[1458]: badlogin: server1.ssub1.domain.com [10.12.12.12] PLAIN [SASL(-4): no mechanism available: security flags do not match required]
Apr 20 17:42:14 server1 imap[1458]: login: server1.sub1.domain.com [10.12.12.12] cyrus plaintext User logged in
Apr 20 17:42:41 server1 master[27630]: process 32354 exited, status 0
Apr 20 17:42:41 server1 master[2161]: about to exec /opt/mail/cyrus-imapd/bin/imapd
Apr 20 17:42:41 server1 imap[2161]: executed
Apr 20 17:42:55 server1 imap[1458]: couldn't authenticate to backend server: authentication failure
Apr 20 17:42:55 server1 imap[1458]: Could not move mailbox: user.vbperry, Initial backend connect failed



But I'm now at least seeing something on the destination server:

Apr 20 17:42:52 server2 imap[24375]: badlogin: server1.sub1.domain.com [10.12.12.12] PLAIN [SASL(-4): no mechanism available: security flags do not match required]


If I can take a step back (sorry, I'm trying to decipher how the previous admin had things set up in the environment). The document on how this was set up states:


cyrus-sasl was config'ed with

./configure --prefix=/opt/mail/cyrus-sasl \
   --enable-login --enable-plain --enable-cram \
   --enable-digest --with-bdb-incdir=/usr/include/db4 \
   --with-pam --enable-static=yes --enable-sample \
   --disable-java --disable-otp --disable-krb4 \
   --with-plugindir=/opt/mail/cyrus-sasl/lib/sasl2

The cyrus-sasl cyrus.conf states:
srvtab: /var/imap/srvtab <<< seems I could remove this since kerberos is disabled above.
pwcheck_method: saslauthd


saslauthd is started in with pam support:
root 2060 0.0 0.0 2564 1036 ? S Apr14 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam

There is /etc/pam.d/imap and pop3 with the following content..
#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth

Cyrus-imap was compiled with (again, this is what is in the install notes from the previous admin):

CFLAGS=-I/usr/kerberos/include ./configure --prefix=/opt/mail/cyrus-imapd \
   --with-cyrus-prefix=/opt/mail/cyrus-imapd \
   --with-cyrus-user=cyrimap \
   --with-cyrus-group=mail \
   --with-bdb-incdir=/usr/include/db4 \
   --build=i686-pc-linux-gnu \
   --with-sasl=/opt/mail/cyrus-sasl \
   --with-auth=unix \
   --enable-netscapehack \
   --enable-listext \
   --with-perl=/opt/third-party/bin/perl \
   --disable-murder


I can run a testsaslauthd and it works fine to the local host

server1.sub1% /usr/sbin/testsaslauthd -u cyrus -p password -R 3
0: OK "Success."
1: OK "Success."
2: OK "Success."

It seems I do not need to have a realm defined because we are using pam,
and if I do a sasldbpasswd2 it says /etc/sasldb2 does not exist. This does not seem to be the problem though since saslauthd is using pam, yes?

When I log into cyradm again locally with --auth plain I can do commands like listmailbox and such. I can't seem to be able to run "info"; I just go back to the prompt on that one.

What should my security flags be? What am I missing?

Thank you
perry



You need to use TLS as well for PLAIN to work. Add -t "" to your arguments.


What mechanism do you want to use for connecting between backends? If it's PLAIN then you want
force_sasl_client_mech: PLAIN

in your imapd.conf file.

Otherwise, the machines will see GSSAPI advertised and will try using that.

-Patrick





On Apr 20, 2006, at 5:19 PM, Perry Brown wrote:








Perry Brown wrote:
Thanks for the imtest idea.

It looks like I can log in OK.


server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -m login -p imap server2.sub2.domain.com

Force imtest to use one of the SASL mechanisms that are listed. The backends *only* use SASL, not protocol specific login commands (IMAP LOGIN, POP3 USER/PASS, NNTP AUTHINFO USER/PASS).


I'm sorry, I've got my dunce cap on today or something.

Should I change the -m login to -m and one of the AUTH= values from the CAPABILITY output?
i.e. -m GSSAPI? or digest-md5 etc...

Andy Morgan wrote:
Maybe "-m plain"?

thank you for the suggestion Andy but no luck.

server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -m plain -p imap
WARNING: no hostname supplied, assuming localhost

S: * OK server1.sub1.domain.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
Please enter your password:
C: A01 AUTHENTICATE PLAIN Y3lyaW1hcABjeXJpbWFwAGpTdXZTMTFz
S: A01 NO no mechanism available
Authentication failed. generic failure
Security strength factor: 0



I gave this a try with GSSAPI, and got nothing.

digest-md5,

server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -m digest-md5
WARNING: no hostname supplied, assuming localhost

S: * OK server1.sub1.domain.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
C: A01 AUTHENTICATE DIGEST-MD5
S:
wkrnfjknf (etc list of characters)
Please enter your password: (I enter passwd for cyrus)
C: dXNlcm5h (another long list of characters)
S: A01 NO user not found
Authentication failed. generic failure
Security strength factor: 128


This is what I see in local6.log on server1.sub1

Apr 20 11:04:32 server1 imap[17729]: accepted connection
Apr 20 11:04:38 server1 imap[17729]: badlogin: localhost.localdomain [127.0.0.1] DIGEST-MD5 [SASL(-13): user not found: no secret in database]

This is in the auth.log
Apr 20 11:06:26 server1 imap[15971]: unable to open Berkeley db /etc/sasldb2: No such file or directory
Apr 20 11:06:26 server1 imap[15971]: unable to open Berkeley db /etc/sasldb2: No such file or directory
Apr 20 11:06:26 server1 imap[15971]: no secret in database



cram-md5 got me pretty much the same thing.

Is there a cyrus or sasl command I should/can run to get the auth for digest-md5 working?


Perry




S: * OK server2.sub2.domain.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN cyrus {8}
S: + go ahead
C: <omitted>
S: L01 OK User logged in
Authenticated.
Security strength factor: 0
CAPABILITY


----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
