cyrus imapd 1.6.24 and sasl authentication mechanisms

2000-12-08 Thread Tony Johnson

I have cyrus-imapd 1.6.24 and cyrus-sasl 1.5.24 installed on a Solaris 8
intel box but not configured correctly.
I have installed these sasl libraries:

bash-2.04$ ls /usr/local/lib/sasl
Cyrus.conf              libdigestmd5.la         libkerberos4.so.1
libanonymous.a          libdigestmd5.so         libkerberos4.so.1.0.15
libanonymous.la         libdigestmd5.so.0       liblogin.la
libanonymous.so         libdigestmd5.so.0.0.17  liblogin.so
libanonymous.so.1       libgssapiv2.a           liblogin.so.0
libanonymous.so.1.0.15  libgssapiv2.la          liblogin.so.0.0.5
libcrammd5.a            libgssapiv2.so          libplain.a
libcrammd5.la           libgssapiv2.so.1        libplain.la
libcrammd5.so           libgssapiv2.so.1.0.14   libplain.so
libcrammd5.so.1         libkerberos4.a          libplain.so.1
libcrammd5.so.1.0.15    libkerberos4.la         libplain.so.1.0.14
libdigestmd5.a          libkerberos4.so

When i...

bash-2.04$ /usr/local/bin/imtest -m login -p imap money
C: C01 CAPABILITY
S: * OK money.expertsolns.com Cyrus IMAP4 v1.6.24 server ready
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS
X-NON-HIERARCHICAL-RENAME NO_ATOMIC_RENAME UNSELECT ID X-NETSCAPE
S: C01 OK Completed
Password:

I have no authentication mechanisms so all logins fail.

I want to use kerberos because I don't have to add users to my system and
can use the same database over multiple systems.  I think I have MIT
kerberos5 1.2.1 set up correctly because I can ksu, but the kerberos4 aspect
seems not to be set up:

bash-2.04$ ksu
Authenticated [EMAIL PROTECTED]
Account root: authorization for [EMAIL PROTECTED] successful
Changing uid to root (0)
bash-2.04$

To make a long story short the install.html from cyrus-imapd-1.6.24 says
that:

Any message other than one starting with a "A01 OK" means there is a
problem. If the test fails, a more specific error message is written through
syslog to the server log. To terminate the connection, type ". logout".

What problem?  How can I fix this "problem"?  How do I add authentication
mechanisms to cyrus imapd correctly?  It says in the same web page that if
the authentication mechanisms do not show up then they failed to initialize.
How do I make these mechanisms initialize correctly?




sorry about duplicates

2000-12-08 Thread Ilya

;(




Sieve and MySQL authentication

2000-12-08 Thread Ilya

Hi.
I have a mysql db with users and passwords, which I use from PAM-MySQL.
Cyrus itself is working perfectly, I can login to imap/pop/cyradmin with
usernames and passwords from mysql db. But when I try to use installsieve as
described in the INSTALL document (testing sieve) I always get a User Not Found
error, even if I supply -u user.
To use cyradm I need to specify -m PAM; for imap and pop I have these
entries in pam.conf:
imap auth required  /usr/local/lib/pam_mysql.so user=user passwd=pass
host=localhost db=db table=table usercolumn=user passwdcolumn=password
crypt=2
(same for account and password and then 3 lines like this for pop).
I have tried to create the same lines for sieve, i.e.:
sieve auth required  /usr/local/lib/pam_mysql.so user=user passwd=pass
host=localhost db=db table=table usercolumn=user passwdcolumn=password
crypt=2
and specify -m PAM in the installsieve line, but then I immediately get:
Authentication failed.

Does anyone have any ideas how to get sieve working with my setup? There is
probably just a minor thing I am missing from the picture.

thx




Cyrus-2.0.7 + LDAP + CRAM-MD5 can never work, by definition?

2000-12-08 Thread Darren Nickerson


Folks,

I must be missing something obvious here . . . please can someone tell me
how to get Cyrus to use LDAP for all types of authentication? I'm happily
using PAM + LDAP for Cyrus authentication thanks to the following line in
/etc/imapd.conf:

sasl_pwcheck_method: pam

and it's working fine with LOGIN authentication:

[root@mail2 nss_ldap-122]# imtest -u someone -a someone -m LOGIN localhost
C: C01 CAPABILITY
S: * OK mail2.iworkwell.com Cyrus IMAP4 v2.0.7 server ready
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS 
NO_ATOMIC_RENAME UNSELECT MULTIAPPEND ID SORT THREAD=ORDEREDSUBJECT 
AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 X-NETSCAPE
S: C01 OK Completed
Password: 
+ go ahead
L01 OK User logged in
Authenticated.
Security strength factor: 0
. logout

I've jacked up slapd's logging, and I can see lots of activity when the
authentication takes place.

Unfortunately, if I switch to a CRAM-MD5 test, slapd is silent (no request is
made) and the authentication fails with the following message:

Dec  8 18:19:56 mail2 imapd[14340]: badlogin: mail2.iworkwell.com[127.0.0.1] 
CRAM-MD5 authentication failure [no secret in database]

The following excerpt from sasl's sysadmin.html seems relevant:

The PAM authentication for SASL only affects the plaintext
authentication it does. It has no effect on the other mechanisms, so
it is incorrect to try to use PAM to enforce additional restrictions
beyond correct password on an application that uses SASL for
authentication.

Am I beating a dead horse here? Does authenticating against MySQL or LDAP using
PAM by definition mean I'm limited to *shock horror* plaintext passwords? Say
it ain't so!? Am I forced to interoperate with that nasty sasldb beast if I
want to CRAM-MD5 my way through life?

Thanks for any advice. 

-Darren
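
Why the CRAM-MD5 attempt in the message above fails without slapd ever being queried, as an added example that is not part of the original post and is not Cyrus or SASL code: in CRAM-MD5 (RFC 2195) the server receives only an HMAC-MD5 digest and has to recompute it from a secret it holds, whereas a PAM-style backend can only confirm a plaintext password. The class and function names, the account, the challenge and the status strings are constructed for illustration.

```python
import hashlib
import hmac
import os

def cram_md5_digest(secret: str, challenge: bytes) -> str:
    """RFC 2195 response digest: hex HMAC-MD5 of the challenge, keyed by the secret."""
    return hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()

class PasswordChecker:
    """Constructed stand-in for a PAM-style backend: stores a salted hash, answers yes/no."""
    def __init__(self):
        self._db = {}

    def add(self, user: str, password: str) -> None:
        salt = os.urandom(8)
        self._db[user] = (salt, hashlib.sha256(salt + password.encode()).digest())

    def check(self, user: str, password: str) -> bool:
        salt, stored = self._db.get(user, (b"", b""))
        return hmac.compare_digest(stored, hashlib.sha256(salt + password.encode()).digest())

def auth_login(checker: PasswordChecker, user: str, password: str) -> str:
    """LOGIN/PLAIN: the plaintext reaches the server, which hands it to the checker."""
    return "OK User logged in" if checker.check(user, password) else "NO Login failed"

def auth_cram_md5(secrets: dict, user: str, challenge: bytes, client_digest: str) -> str:
    """CRAM-MD5: only a digest reaches the server, so it must hold the secret
    itself and recompute; a yes/no password checker is never consulted."""
    secret = secrets.get(user)
    if secret is None:
        return "NO authentication failure [no secret in database]"
    good = hmac.compare_digest(cram_md5_digest(secret, challenge), client_digest)
    return "OK User logged in" if good else "NO authentication failure"

def demo() -> dict:
    user, password = "someone", "constructed-password"  # constructed account
    challenge = b"<1896.697170952@mail.example>"         # constructed challenge
    checker = PasswordChecker()
    checker.add(user, password)
    digest = cram_md5_digest(password, challenge)        # what the client sends
    return {
        "login_via_checker": auth_login(checker, user, password),
        "cram_without_secret": auth_cram_md5({}, user, challenge, digest),
        "cram_with_secret": auth_cram_md5({user: password}, user, challenge, digest),
        "digest_accepted_as_password": checker.check(user, digest),
    }

if __name__ == "__main__":
    print(demo())
```

The last entry shows that passing the client's digest to the password checker does not help: the digest changes with every challenge and is not the password.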





Re: Bug or Misconfiguration on Imapd4 2.0.7 ?

2000-12-08 Thread Jeremy Howard

Patrick LIN wrote:
> When a read mail message is copied from one folder to another, it is
> always marked as unread in the destination folder. It should be marked
> as read instead.
>
> Any comments and/or help ?
>
Yes, that is a bug. According to the RFC flags should be copied. It's been
mentioned on the list before--hopefully the next version will include a fix.





Bug or Misconfiguration on Imapd4 2.0.7 ?

2000-12-08 Thread Patrick LIN

Hi,

I found something strange on the imap server I am running on a Sun Solaris
box:

- imap 2.0.7
- solaris 2.6
- sasl 1.5.24

OK, this is what I see:

When a read mail message is copied from one folder to another, it is
always marked as unread in the destination folder. It should be marked
as read instead.

Any comments and/or help ?


thanks

patrick



Re: Generic notify hook

2000-12-08 Thread Ross Golder

Jeremy Howard wrote:
> 
> As some of you may know, Cyrus has a hook that allows new mail notifications
> to be implemented. It comes with a Zephyr notification hook.
> 
> Creating your own notification hook requires writing a C function and
> compiling it in. I'm not that keen on that approach for two reasons:
> 
> * I'm no C guru
> * I don't want to recompile the server just to change the notification code.
> 

Why not provide a mechanism for storing these functions in dynamic
libraries, so they can be compiled/inserted independently of the server
code. I don't know how difficult this would be, as I've never done it
before, but 'man dlopen' makes it look reasonably straightforward.

That is not to discredit your method, which provides a perfectly good
solution for non-C gurus. :)

> The current notify() code does no error checking--I played around with using
> non-blocking sockets and select() to make things a bit more solid, but in
> the end I went with this more simple approach... This way even if the Perl
> daemon dies, the deliver process won't wait.
> 

You're no C guru, eh? It sounds like you know what you're talking about.
:)

-- 
Ross



Re: Authentication against MySQL Database

2000-12-08 Thread Scot W. Hetzel

From: "Tim Evans" <[EMAIL PROTECTED]>
> I am adding Web-based e-mail to an existing portal-like site, using
> IMP and Cyrus imapd.  The site is built pretty much exclusively with
> PHP and MySQL.
>
> We already have all the userid's and passwords for the
> portal site in MySQL and would like to let users log into
> their IMP/Webmail accounts with the same password.
>
> I believe Cyrus/SASL authentication using PAM may be one way of doing this,
> but would hope this is a wheel someone else has already invented.
>

You can also use the Cyrus-SASL LDAP+MySQL auth patch
(http://www.surf.org.uk/), which creates 2 new pwcheck methods (ldap, and
mysql).  This patch doesn't modify the pwcheck daemon, instead it modifies
lib/checkpw.c to add these new pwcheck methods.

Scot




Re: Authentication against MySQL Database

2000-12-08 Thread Ross Golder

Tim Evans wrote:
> 
> I believe Cyrus/SASL authentication using PAM may be one way of doing this,
> but would hope this is a wheel someone else has already invented.
>

Yes, indeed. I have Cyrus working w/pam_mysql. It's fairly trivial once
you've got the pam_mysql distribution and read the docs enclosed.


Regards,

-- 
Ross



Re: Authentication against MySQL Database

2000-12-08 Thread Paul Wiechman

Yes, it has... use PAM with the pam_mysql modules. I am using it quite
effectively; one caveat... make sure you have unique IDs. The module
doesn't like it when you return more than one row on a select.

Paul

Tim Evans wrote:
> 
> I am adding Web-based e-mail to an existing portal-like site, using
> IMP and Cyrus imapd.  The site is built pretty much exclusively with
> PHP and MySQL.
> 
> We already have all the userid's and passwords for the
> portal site in MySQL and would like to let users log into
> their IMP/Webmail accounts with the same password.
> 
> I believe Cyrus/SASL authentication using PAM may be one way of doing this,
> but would hope this is a wheel someone else has already invented.
> 
> Or, if IMP folks have already done this sort of thing, I'd like to hear about
> that, too.  Best of all possible worlds would be a single login to both the
> portal site and IMP.
> 
> Thanks, I will summarize.
> --
> Tim Evans   [EMAIL PROTECTED] |5 Chestnut Court
> http://www.tkevans.com/tkevans.html |Owings Mills, MD 21117
> (443) 394-3864  |(800) 946-4646, PIN #1716638



Re: Authentication against MySQL Database

2000-12-08 Thread Jeremy Howard

Tim Evans wrote:
> I am adding Web-based e-mail to an existing portal-like site, using
> IMP and Cyrus imapd.  The site is built pretty much exclusively with
> PHP and MySQL.
>
> We already have all the userid's and passwords for the
> portal site in MySQL and would like to let users log into
> their IMP/Webmail accounts with the same password.
>
> I believe Cyrus/SASL authentication using PAM may be one way of doing this,
> but would hope this is a wheel someone else has already invented.
>
You can download an RPM which authenticates Cyrus IMAP logins against a
MySQL DB from:

  http://www.hazard.maks.net/

I haven't released the MySQL pwcheck daemon outside of the RPM, but if you
can't use RPM send me an email and I'll send you the daemon on its own.

Yes, you can also use PAM. Search the Cyrus archives for 'PAM' and 'MySQL'
since this has been dealt with before:

http://asg.web.cmu.edu/archive/mailbox.php3?mailbox=archive.info-cyrus

HTH,
  Jeremy