Re: Postfix cyrus-sasl 2.1.25 issues
--On Friday, January 06, 2012 11:05 AM +0200 Eray Aslan eray.as...@caf.com.tr wrote:

> There are reports of broken PLAIN and LOGIN mechs with cyrus-sasl 2.1.25.
> But I can't reproduce it.

If you compile any auxprop plugins (like you have), you will never see it. It's a bug in the auxprop loader rewrite that is only triggered if one elects to have no auxprop plugins.

https://bugzilla.cyrusimap.org/show_bug.cgi?id=3625

--Quanah

--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
Zimbra :: the leader in open source messaging and collaboration
Re: Postfix cyrus-sasl 2.1.25 issues
--On Wednesday, January 11, 2012 1:13 PM -0800 Quanah Gibson-Mount qua...@zimbra.com wrote:

> --On Friday, January 06, 2012 11:05 AM +0200 Eray Aslan eray.as...@caf.com.tr wrote:
>
> > There are reports of broken PLAIN and LOGIN mechs with cyrus-sasl 2.1.25.
> > But I can't reproduce it.
>
> If you compile any auxprop plugins (like you have), you will never see it. It's a bug in the auxprop loader rewrite that is only triggered if one elects to have no auxprop plugins.
>
> https://bugzilla.cyrusimap.org/show_bug.cgi?id=3625

Better fix in:

https://bugzilla.cyrusimap.org/show_bug.cgi?id=3590

--Quanah

--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
Zimbra :: the leader in open source messaging and collaboration
Re: Postfix cyrus-sasl 2.1.25 issues
On Thu, Jan 05, 2012 at 04:46:08PM -0800, Quanah Gibson-Mount wrote:

> Thus my question as to whether or not anyone has gotten 2.1.25 to work with Postfix at all. If someone can confirm they have SMTP auth working with a Cyrus-SASL 2.1.25 linked Postfix, then it gives me other avenues to examine.

$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 london0.caf.com.tr ESMTP Postfix
ehlo localhost
250-london0.caf.com.tr
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN BASE64_HASH
235 2.7.0 Authentication successful
quit
221 2.0.0 Bye
Connection closed by foreign host.

# saslauthd -v
saslauthd 2.1.25
authentication mechanisms: sasldb getpwent pam rimap shadow

# postconf mail_version
mail_version = 2.8.7

Tested with ldap as well. Also no problem.

FWIW, here is with cyrus-imap:

# imtest -a eras localhost
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS AUTH=PLAIN AUTH=LOGIN SASL-IR] london0.caf.com.tr Cyrus IMAP v2.4.12 server ready
Please enter your password:
C: A01 AUTHENTICATE PLAIN BASE64_HASH
S: A01 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE LIST-EXTENDED WITHIN QRESYNC SCAN XLIST URLAUTH URLAUTH=BINARY X-NETSCAPE LOGINDISABLED COMPRESS=DEFLATE IDLE] Success (no protection)
Authenticated.
Security strength factor: 0
a logout
* BYE LOGOUT received
a OK Completed
Connection closed.

There are reports of broken PLAIN and LOGIN mechs with cyrus-sasl 2.1.25. But I can't reproduce it.

--
Eray Aslan
Re: Postfix cyrus-sasl 2.1.25 issues
--On Friday, January 06, 2012 11:05 AM +0200 Eray Aslan eray.as...@caf.com.tr wrote:

> On Thu, Jan 05, 2012 at 04:46:08PM -0800, Quanah Gibson-Mount wrote:
>
> > Thus my question as to whether or not anyone has gotten 2.1.25 to work with Postfix at all. If someone can confirm they have SMTP auth working with a Cyrus-SASL 2.1.25 linked Postfix, then it gives me other avenues to examine.
>
> $ telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 london0.caf.com.tr ESMTP Postfix
> ehlo localhost
> 250-london0.caf.com.tr
> 250-PIPELINING
> 250-SIZE 1024
> 250-VRFY
> 250-ETRN
> 250-AUTH PLAIN LOGIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> AUTH PLAIN BASE64_HASH
> 235 2.7.0 Authentication successful
> quit
> 221 2.0.0 Bye
> Connection closed by foreign host.
>
> # saslauthd -v
> saslauthd 2.1.25
> authentication mechanisms: sasldb getpwent pam rimap shadow

zimbra@zqa-062:~$ /opt/zimbra/cyrus-sasl/sbin/saslauthd -v
saslauthd 2.1.25
authentication mechanisms: getpwent kerberos5 rimap shadow zimbra

> # postconf mail_version
> mail_version = 2.8.7

zimbra@zqa-062:~$ postconf mail_version
mail_version = 2.8.7

> There are reports of broken PLAIN and LOGIN mechs with cyrus-sasl 2.1.25.
> But I can't reproduce it.

That is what I'm seeing. :/ Where else did you see these reports?

testsaslauthd works like a charm, which I forgot to mention in my original report:

zimbra@zqa-062:~$ /opt/zimbra/cyrus-sasl/sbin/testsaslauthd -u admin -p xxx
0: OK Success.

--Quanah

--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
Zimbra :: the leader in open source messaging and collaboration
Postfix cyrus-sasl 2.1.25 issues
I'm curious if anyone has tested Postfix SMTP auth in conjunction with Cyrus-SASL 2.1.25. My testing shows that when used linked to Cyrus-SASL 2.1.25, SMTP auth fails with an unknown mechanism error. Downgrading to Cyrus-SASL 2.1.23 with the exact same configuration and build parameters works as expected. My guess is this is a bug with Cyrus-SASL 2.1.25, however it is entirely possible there are API changes in 2.1.25 that Postfix needs to be adjusted for. I guess consider this a general heads up, and if anyone has gotten it to work, I'd love to know that. ;)

A 2.1.25 linked Postfix always complains about no available mechanism:

openssl s_client -connect zqa-062.eng.vmware.com:25 -starttls smtp -cipher AES128-SHA -crlf
EHLO foo.com
250-zqa-062.eng.vmware.com
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH LOGIN
334 VXNlcm5hbWU6
YWRtaW4tMDYyLmVuZy52bXdhcmUuY29t
334 UGFzc3dvcmQ6
encodedpasswordhere
535 5.7.8 Error: authentication failed: no mechanism available

--Quanah

--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
Zimbra :: the leader in open source messaging and collaboration
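
The AUTH LOGIN exchange in the post above carries its prompts and answers as plain base64 (334 VXNlcm5hbWU6 is "Username:"), so a pasted transcript discloses whatever was typed unless it is replaced, as the poster did with the password. The following is an added example, not part of the original post or of Postfix or Cyrus SASL: a Python helper that redacts SASL PLAIN and LOGIN credentials from a transcript before it is shared; the function names and the sample account are constructed for illustration.

```python
import base64
import binascii

REDACTED = "[redacted]"

def b64_text(value):  # returns None when value is not valid base64
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def scrub_smtp_auth(transcript):
    """Return (clean_lines, identities) with PLAIN/LOGIN credentials redacted."""
    clean, identities = [], []
    prompt = None  # decoded 334 challenge that the next client line answers
    for line in transcript.splitlines():
        text = line.strip()
        if prompt is not None:
            # Client answer to a 334 challenge: always treated as sensitive.
            value = b64_text(text)
            if value is not None and prompt.lower().startswith("username"):
                identities.append(value)
            clean.append(REDACTED)
            prompt = None
        elif text.split(" ", 1)[0] == "334":
            # Server challenge; for LOGIN it is base64 of a text prompt.
            prompt = b64_text(text[4:]) or ""
            clean.append(f"{text}  <- {prompt!r}")
        elif text.upper().startswith("AUTH PLAIN "):
            # Initial response is base64("authzid\0authcid\0password").
            value = b64_text(text.split(None, 2)[2])
            if value is not None and value.count("\0") == 2:
                identities.append(value.split("\0")[1])
            clean.append("AUTH PLAIN " + REDACTED)
        else:
            clean.append(text)
    return clean, identities

def _enc(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample: the account name and passwords are made up.
SAMPLE = "\n".join([
    "AUTH LOGIN", "334 VXNlcm5hbWU6", _enc("alice@example.test"),
    "334 UGFzc3dvcmQ6", _enc("not-a-real-password"),
    "535 5.7.8 Error: authentication failed: no mechanism available",
    "AUTH PLAIN " + _enc("\0alice\0s3cret")])

if __name__ == "__main__":
    print(scrub_smtp_auth(SAMPLE))
```
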
Re: Postfix cyrus-sasl 2.1.25 issues
Quanah Gibson-Mount:

> I'm curious if anyone has tested Postfix SMTP auth in conjunction with Cyrus-SASL 2.1.25. My testing shows that when used linked to Cyrus-SASL 2.1.25, SMTP auth fails with an unknown mechanism error. Downgrading to Cyrus-SASL 2.1.23 with the exact same configuration and build parameters works as expected. My guess is this is a bug with Cyrus-SASL 2.1.25, however it is entirely possible there are API changes in 2.1.25 that Postfix needs to be adjusted for. I guess consider this a general heads up, and if anyone has gotten it to work, I'd love to know that. ;)
>
> A 2.1.25 linked Postfix always complains about no available mechanism:

I recall that OpenLDAP also links with Cyrus SASL. Perhaps Postfix and OpenLDAP were built with different Cyrus SASL versions? In that case, you can expect to experience all kinds of memory corruption, resulting in mysterious failures.

Maybe you can run smtpd under valgrind. Instructions are below.

Wietse

1 - Put these lines in /usr/libexec/postfix/smtpd.valgrind:

    #!/bin/sh
    # Run the real daemon under valgrind; "$@" passes each argument through intact.
    CMD=`basename "$0" .valgrind`
    /usr/local/bin/valgrind --tool=memcheck "/usr/libexec/postfix/$CMD" "$@"

2 - Make the file executable:

    # chmod 755 /usr/libexec/postfix/smtpd.valgrind

3 - Edit master.cf to invoke smtpd.valgrind instead of smtpd.

4 - Stop Postfix and run the master daemon by hand:

    # postfix stop
    # /usr/libexec/postfix/master -d

    That will send valgrind's output to your terminal.

5 - Connect to the SMTP port and watch das blinkenlicht.
Re: Postfix cyrus-sasl 2.1.25 issues
--On Thursday, January 05, 2012 7:39 PM -0500 Wietse Venema wie...@porcupine.org wrote:

Hi Wietse,

> > A 2.1.25 linked Postfix always complains about no available mechanism:
>
> I recall that OpenLDAP also links with Cyrus SASL. Perhaps Postfix and OpenLDAP were built with different Cyrus SASL versions?

No, that is not the case. We build all of our software from the ground up, and OpenLDAP is linked to the same cyrus-sasl version. Also, our smtp auth isn't using LDAP for the authentication.

> In that case, you can expect to experience all kinds of memory corruption, resulting in mysterious failures.

I'd expect a lot of odd behavior from the LDAP server in that case as well, which we aren't seeing.

> Maybe you can run smtpd under valgrind. Instructions are below.

I'll give this a shot, just in case. Thanks for the information.

However, I've found a variety of other bugs in Cyrus SASL 2.1.25 already that I've filed upstream with them, so it wouldn't surprise me in the least that this is yet another one of those. Thus my question as to whether or not anyone has gotten 2.1.25 to work with Postfix at all. If someone can confirm they have SMTP auth working with a Cyrus-SASL 2.1.25 linked Postfix, then it gives me other avenues to examine.

Regards,
Quanah

--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
Zimbra :: the leader in open source messaging and collaboration
Re: Postfix cyrus-sasl 2.1.25 issues
Quanah Gibson-Mount:

> --On Thursday, January 05, 2012 7:39 PM -0500 Wietse Venema wie...@porcupine.org wrote:
>
> Hi Wietse,
>
> > > A 2.1.25 linked Postfix always complains about no available mechanism:
> >
> > I recall that OpenLDAP also links with Cyrus SASL. Perhaps Postfix and OpenLDAP were built with different Cyrus SASL versions?
>
> No, that is not the case. We build all of our software from the ground up,

Unfortunately I don't have the time to grab the latest Cyrus SASL library and build Postfix with it. If someone wants to give it a try I suggest building without LDAP to avoid cross-dependencies.

Wietse