Re: Can't authorize as different user in cyradm and sieveshell
Dan,

You nailed it. Mere presence of sasldb plugin makes it work.
The code doesn't look kosher to me though. In sasl_server_new() there's a line:

    serverconn->sparams->canon_user = &_sasl_canon_user_lookup;

which unconditionally sets canon_user callback to the function that performs both
canonicalization and auxprop lookup. In case there's no auxprop plugins it results in SASL_NOMECH.
I guess it should check whether auxprop plugins are available in the system and either set it
to _sasl_canon_user_lookup() or _sasl_canon_user().
Anyway installing sasldb plugin is easy enough workaround.
Thanks everybody,

Michael

On Monday, November 21, 2016 04:36:01 PM Dan White wrote:
> In the absence of an [sasl_]auxprop_plugins statement, all plugins will be
> queried. For example, running pluginviewer (or saslpluginviewer on debian)
> should typically list sasldb if it's installed on your system.
>
> The canon_user plugins and auxprop plugins are coded within the same code,
> and so are tied together somewhat, although I haven't dug into the code to
> explain the error Michael is experiencing.
>
> Michael,
>
> I'd suggest installing the sasldb auxprop to see if that clears up the
> issue. That may not even require a configuration change.
>
> On 11/21/16 13:43 -0800, Andrew Morgan via Info-cyrus wrote:
> >I'm using Debian packages for sasl. Here is what libsasl2-modules
> >includes:
> >
> >/usr/lib/x86_64-linux-gnu/sasl2/libplain.so.2.0.25
> >/usr/lib/x86_64-linux-gnu/sasl2/libcrammd5.so.2.0.25
> >/usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so.2.0.25
> >/usr/lib/x86_64-linux-gnu/sasl2/liblogin.so.2.0.25
> >/usr/lib/x86_64-linux-gnu/sasl2/libanonymous.so.2.0.25
> >/usr/lib/x86_64-linux-gnu/sasl2/libntlm.so.2.0.25
> >
> >But in my imapd.conf, I'm not specifying an auxprop plugins:
> >
> ># grep sasl /etc/imapd.conf
> >sasl_mech_list: PLAIN
> >sasl_minimum_layer: 0
> >#sasl_maximum_layer: 256
> >sasl_pwcheck_method: saslauthd
> >
> >Since we are using saslauthd, we don't use auxprop plugins, I think...
> >
> > Andy
> >
> >On Mon, 21 Nov 2016, Michael Ulitskiy wrote:
> >
> >>I'm trying to read the code and it seems that it tries to lookup
> >>authorization id
> >>in auxprop plugin. since I don't have any auxprop plugins that returns
> >>SASL_NOMECH and results
> >>in the error I'm seeing.
> >>
> >>By any chance do you have any auxprop plugin defined?
> >

Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
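The failure signature this thread turned on (saslauthd grants access, then the service logs "no mechanism available"), as an added log-triage example that is not part of the original messages or of Cyrus itself. The sample log is constructed on the model of the excerpts quoted in the thread; the callback numbers are the server-side SASL_CB_* ids from cyrus-sasl's sasl.h; pairing a grant with a failure by PAM service name within a two-second window, and the verdict labels, are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Server-side callback ids as defined in cyrus-sasl's sasl.h.
SASL_CALLBACKS = {
    0x8001: "SASL_CB_PROXY_POLICY",
    0x8002: "SASL_CB_SERVER_USERDB_CHECKPASS",
    0x8003: "SASL_CB_SERVER_USERDB_SETPASS",
    0x8005: "SASL_CB_CANON_USER",
}

# Constructed sample log: host, pids and users are made up for this example.
SAMPLE_LOG = """\
Nov 17 18:24:15 mx1 saslauthd[1167]: pam_userdb(sieve:auth): user 'user@example.org' granted access
Nov 17 18:24:15 mx1 sieve[2247]: login: localhost [127.0.0.1] user@example.org PLAIN User logged in
Nov 17 18:24:46 mx1 saslauthd[1169]: pam_userdb(sieve:auth): user 'proxyadmin' granted access
Nov 17 18:24:46 mx1 sieve[2256]: badlogin: localhost [127.0.0.1] PLAIN no mechanism available
Nov 17 18:26:27 mx1 saslauthd[1166]: pam_userdb(imap:auth): user 'proxyadmin' granted access
Nov 17 18:26:27 mx1 imap[2277]: badlogin: localhost [127.0.0.1] PLAIN [SASL(-4): no mechanism available: Unable to find a callback: 32773]
Nov 17 18:30:02 mx1 imap[2290]: badlogin: localhost [127.0.0.1] PLAIN [SASL(-13): authentication failure: Password verification failed]
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ (\w+)\[\d+\]: (.*)$")
GRANT = re.compile(r"pam_\w+\((\w+):auth\): user '([^']+)' granted access")
CALLBACK = re.compile(r"Unable to find a callback: (\d+)")


def triage(log_text, window_s=2, year=2016):
    """Classify each badlogin line by whether saslauthd had just accepted the password.

    Syslog timestamps carry no year, so `year` is supplied by the caller (assumed).
    """
    pending = {}   # PAM service name -> (time of grant, authentication id)
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        proc, msg = m.group(2), m.group(3)
        grant = GRANT.search(msg)
        if proc == "saslauthd" and grant:
            pending[grant.group(1)] = (when, grant.group(2))
            continue
        if msg.startswith("login:"):
            pending.pop(proc, None)          # grant consumed by a successful login
            continue
        if not msg.startswith("badlogin:"):
            continue
        granted = pending.pop(proc, None)
        recent = granted is not None and when - granted[0] <= timedelta(seconds=window_s)
        nomech = "no mechanism available" in msg
        cb = CALLBACK.search(msg)
        findings.append({
            "time": m.group(1),
            "service": proc,
            "authn_user": granted[1] if recent else None,
            # Password accepted, then SASL failed: look past saslauthd and PAM.
            "verdict": "post-auth-nomech" if nomech and recent
                       else "nomech" if nomech else "auth-failure",
            "callback": SASL_CALLBACKS.get(int(cb.group(1)), hex(int(cb.group(1)))) if cb else None,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A "post-auth-nomech" verdict means the password check succeeded and the failure came afterwards inside the SASL library; the decoded callback in the imap line names the canon_user step discussed in the message above.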
Re: Can't authorize as different user in cyradm and sieveshell
I'm trying to read the code and it seems that it tries to lookup authorization id
in auxprop plugin. since I don't have any auxprop plugins that returns SASL_NOMECH and results
in the error I'm seeing.

By any chance do you have any auxprop plugin defined?

On Monday, November 21, 2016 10:07:23 AM Andrew Morgan wrote:
> Maybe there is something wrong with your saslauthd parameters or PAM
> config?
>
> Here is what I use:
>
> saslauthd -a pam -c -t 300 -m /var/run/saslauthd -n 5
>
> # cat /etc/pam.d/sieve
> # PAM configuration file for Cyrus IMAP service
>
> auth       sufficient   pam_ldap.so
> auth       required     pam_unix.so
>
> account    sufficient   pam_ldap.so
> account    required     pam_unix.so
>
>
> (pretty simple!)
>
> In your original email, you showed that you could authenticate as the
> target user successfully. Can you connect to sieve as the admin user (no
> proxy-auth)?
>
> Thanks,
> Andy
>
>
> On Mon, 21 Nov 2016, Michael Ulitskiy wrote:
>
> > Andrew,
> >
> > Thanks for the reply. It's good to know it works for someone.
> > I've tried to downgrade cyrus to 2.4.18, but that didn't help.
> > sivtest doesn't provide much clue:
> >
> > root@rway-imap-vm:~# sivtest -a proxyadmin -u t...@virtualcrap.com localhost
> > S: "IMPLEMENTATION" "Cyrus timsieved v2.4.18"
> > S: "SASL" "PLAIN"
> > S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags
> > notify envelope imap4flags relational regex subaddress copy"
> > S: "UNAUTHENTICATE"
> > S: OK
> > Please enter your password:
> > C: AUTHENTICATE "PLAIN" {48+}
> >
> > S: NO "Authentication Error"
> > Authentication failed. generic failure
> > Security strength factor: 0
> >
> > while log is saying:
> > Nov 21 12:01:57 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user
> > 'proxyadmin' granted access
> > Nov 21 12:01:57 rway-imap-vm sieve[21483]: badlogin: localhost[127.0.0.1]
> > PLAIN no mechanism available
> >
> > the same happens if I use admin user.
> > i also tried to change to sasl_pwcheck_method to 'alwaystrue' to make sure
> > no authentication problems stand in the way, but that also didn't help.
> > I'm at a loss now. Any more troubleshooting clues?
> >
> > Thanks,
> > Michael
> >
> > On Sunday, November 20, 2016 07:34:58 PM Andrew Morgan wrote:
> >> This works for me under v2.4.18. I'm able to run sieveshell against a
> >> frontend or backend authenticating as a cyrus "admins" user or a
> >> "proxyservers" user (on the backend).
> >>
> >> Against a frontend:
> >>
> >> # sieveshell -u morgan -a cyrus imap.onid.oregonstate.edu
> >> connecting to imap.onid.oregonstate.edu
> >> Please enter your password:
> >>> list
> >> onid-web
> >> real <- active script
> >>> quit
> >>
> >>
> >> Against a backend:
> >>
> >> # sieveshell -u morgan -a cyr_proxy cyrus-be1.onid.oregonstate.edu
> >> connecting to cyrus-be1.onid.oregonstate.edu
> >> Please enter your password:
> >>> list
> >> onid-web
> >> real <- active script
> >>> quit
> >>
> >>
> >> My imapd.conf settings:
> >>
> >> admins: cyrus
> >> allowplaintext: 0
> >> sasl_mech_list: PLAIN
> >> sasl_minimum_layer: 0
> >> sasl_pwcheck_method: saslauthd
> >> sieve_allowreferrals: 0
> >> sieve_allowplaintext: 1
> >>
> >>
> >> Have you tried using the "sivtest" program? It will show you the protocol
> >> handshakes, which might help. Here is an example for me:
> >>
> >> # sivtest -u morgan -a cyrus localhost
> >> S: "IMPLEMENTATION" "Cyrus timsieved (Murder) v2.4.18"
> >> S: "SASL" "PLAIN"
> >> S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags
> >> notify envelope body relational regex subaddress copy"
> >> S: "STARTTLS"
> >> S: "UNAUTHENTICATE"
> >> S: OK
> >> Please enter your password:
> >> C: AUTHENTICATE "PLAIN" {28+}
> >>
> >> S: OK
> >> Authenticated.
> >> Security strength factor: 0
> >> C: LOGOUT
> >> OK "Logout Complete
Re: Can't authorize as different user in cyradm and sieveshell
i run saslauthd as follows:
/usr/sbin/saslauthd -a pam -m /var/state/saslauthd -n 4 -r

i guess the notable difference is option '-r', which combines realm with login username.
i've tried to create a couple of unqualified users and run saslauthd without it with the same result -
proxyauth doesn't work.

pam:
root@rway-imap-vm:~# cat /etc/pam.d/sieve
auth       required   pam_warn.so
auth       required   pam_userdb.so db=/etc/mail/virtpasswd crypt=crypt
account    required   pam_warn.so
account    required   pam_userdb.so db=/etc/mail/virtpasswd crypt=crypt

yes i can connect as target user or admin user or proxy user. proxyauth is the only problematic scenario.
that's what puzzles me the most

On Monday, November 21, 2016 10:07:23 AM Andrew Morgan wrote:
> Maybe there is something wrong with your saslauthd parameters or PAM
> config?
>
> Here is what I use:
>
> saslauthd -a pam -c -t 300 -m /var/run/saslauthd -n 5
>
> # cat /etc/pam.d/sieve
> # PAM configuration file for Cyrus IMAP service
>
> auth       sufficient   pam_ldap.so
> auth       required     pam_unix.so
>
> account    sufficient   pam_ldap.so
> account    required     pam_unix.so
>
>
> (pretty simple!)
>
> In your original email, you showed that you could authenticate as the
> target user successfully. Can you connect to sieve as the admin user (no
> proxy-auth)?
>
> Thanks,
> Andy
>
>
> On Mon, 21 Nov 2016, Michael Ulitskiy wrote:
>
> > Andrew,
> >
> > Thanks for the reply. It's good to know it works for someone.
> > I've tried to downgrade cyrus to 2.4.18, but that didn't help.
> > sivtest doesn't provide much clue:
> >
> > root@rway-imap-vm:~# sivtest -a proxyadmin -u t...@virtualcrap.com localhost
> > S: "IMPLEMENTATION" "Cyrus timsieved v2.4.18"
> > S: "SASL" "PLAIN"
> > S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags
> > notify envelope imap4flags relational regex subaddress copy"
> > S: "UNAUTHENTICATE"
> > S: OK
> > Please enter your password:
> > C: AUTHENTICATE "PLAIN" {48+}
> >
> > S: NO "Authentication Error"
> > Authentication failed. generic failure
> > Security strength factor: 0
> >
> > while log is saying:
> > Nov 21 12:01:57 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user
> > 'proxyadmin' granted access
> > Nov 21 12:01:57 rway-imap-vm sieve[21483]: badlogin: localhost[127.0.0.1]
> > PLAIN no mechanism available
> >
> > the same happens if I use admin user.
> > i also tried to change to sasl_pwcheck_method to 'alwaystrue' to make sure
> > no authentication problems stand in the way, but that also didn't help.
> > I'm at a loss now. Any more troubleshooting clues?
> >
> > Thanks,
> > Michael
> >
> > On Sunday, November 20, 2016 07:34:58 PM Andrew Morgan wrote:
> >> This works for me under v2.4.18. I'm able to run sieveshell against a
> >> frontend or backend authenticating as a cyrus "admins" user or a
> >> "proxyservers" user (on the backend).
> >>
> >> Against a frontend:
> >>
> >> # sieveshell -u morgan -a cyrus imap.onid.oregonstate.edu
> >> connecting to imap.onid.oregonstate.edu
> >> Please enter your password:
> >>> list
> >> onid-web
> >> real <- active script
> >>> quit
> >>
> >>
> >> Against a backend:
> >>
> >> # sieveshell -u morgan -a cyr_proxy cyrus-be1.onid.oregonstate.edu
> >> connecting to cyrus-be1.onid.oregonstate.edu
> >> Please enter your password:
> >>> list
> >> onid-web
> >> real <- active script
> >>> quit
> >>
> >>
> >> My imapd.conf settings:
> >>
> >> admins: cyrus
> >> allowplaintext: 0
> >> sasl_mech_list: PLAIN
> >> sasl_minimum_layer: 0
> >> sasl_pwcheck_method: saslauthd
> >> sieve_allowreferrals: 0
> >> sieve_allowplaintext: 1
> >>
> >>
> >> Have you tried using the "sivtest" program? It will show you the protocol
> >> handshakes, which might help. Here is an example for me:
> >>
> >> # sivtest -u morgan -a cyrus localhost
> >> S: "IMPLEMENTATION" "Cyrus timsieved (Murder) v2.4.18"
> >> S: "SASL" "PLAIN"
> >> S: "SIEVE" "comparator-i;ascii-numeric fileinto reject v
Re: Can't authorize as different user in cyradm and sieveshell
Andrew,

Thanks for the reply. It's good to know it works for someone.
I've tried to downgrade cyrus to 2.4.18, but that didn't help.
sivtest doesn't provide much clue:

root@rway-imap-vm:~# sivtest -a proxyadmin -u t...@virtualcrap.com localhost
S: "IMPLEMENTATION" "Cyrus timsieved v2.4.18"
S: "SASL" "PLAIN"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope imap4flags relational regex subaddress copy"
S: "UNAUTHENTICATE"
S: OK
Please enter your password:
C: AUTHENTICATE "PLAIN" {48+}

S: NO "Authentication Error"
Authentication failed. generic failure
Security strength factor: 0

while log is saying:
Nov 21 12:01:57 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 'proxyadmin' granted access
Nov 21 12:01:57 rway-imap-vm sieve[21483]: badlogin: localhost[127.0.0.1] PLAIN no mechanism available

the same happens if I use admin user.
i also tried to change to sasl_pwcheck_method to 'alwaystrue' to make sure
no authentication problems stand in the way, but that also didn't help.
I'm at a loss now. Any more troubleshooting clues?

Thanks,
Michael

On Sunday, November 20, 2016 07:34:58 PM Andrew Morgan wrote:
> This works for me under v2.4.18. I'm able to run sieveshell against a
> frontend or backend authenticating as a cyrus "admins" user or a
> "proxyservers" user (on the backend).
>
> Against a frontend:
>
> # sieveshell -u morgan -a cyrus imap.onid.oregonstate.edu
> connecting to imap.onid.oregonstate.edu
> Please enter your password:
> > list
> onid-web
> real <- active script
> > quit
>
>
> Against a backend:
>
> # sieveshell -u morgan -a cyr_proxy cyrus-be1.onid.oregonstate.edu
> connecting to cyrus-be1.onid.oregonstate.edu
> Please enter your password:
> > list
> onid-web
> real <- active script
> > quit
>
>
> My imapd.conf settings:
>
> admins: cyrus
> allowplaintext: 0
> sasl_mech_list: PLAIN
> sasl_minimum_layer: 0
> sasl_pwcheck_method: saslauthd
> sieve_allowreferrals: 0
> sieve_allowplaintext: 1
>
>
> Have you tried using the "sivtest" program? It will show you the protocol
> handshakes, which might help. Here is an example for me:
>
> # sivtest -u morgan -a cyrus localhost
> S: "IMPLEMENTATION" "Cyrus timsieved (Murder) v2.4.18"
> S: "SASL" "PLAIN"
> S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags
> notify envelope body relational regex subaddress copy"
> S: "STARTTLS"
> S: "UNAUTHENTICATE"
> S: OK
> Please enter your password:
> C: AUTHENTICATE "PLAIN" {28+}
>
> S: OK
> Authenticated.
> Security strength factor: 0
> C: LOGOUT
> OK "Logout Complete"
> Connection closed.
>
>
> Andy
>
> On Sun, 20 Nov 2016, Michael Ulitskiy via Info-cyrus wrote:
>
> > Since nobody answered, I guess, nobody has any idea.
> > I wonder if anybody uses this feature and it works for you?
> > I mean I'd like to know if that's just me and something is wrong with my
> > setup or maybe that feature isn't functional at all?
> > Thanks in advance,
> >
> > Michael
> >
> > On Thursday, November 17, 2016 06:30:18 PM Michael Ulitskiy via Info-cyrus
> > wrote:
> >> Hello,
> >>
> >> I'm playing with cyrus-imap 2.5.10 and cyrus-sasl 2.1.26.
> >> i'm trying to use sieveshell to setup users sieve scripts, but since
> >> i don't know users passwords i want to use a special user for
> >> authentication
> >> and authorize as the target user.
> >> Here's what I have.
> >>
> >> imapd.conf:
> >> admins: mailadmin
> >> proxyservers: proxyadmin
> >> sasl_pwcheck_method: saslauthd
> >> #sasl_pwcheck_method: alwaystrue
> >> sasl_mech_list: PLAIN
> >> allowplaintext: yes
> >>
> >> here's what i do:
> >>
> >> root@rway-imap-vm:~# sieveshell -a proxyadmin -u t...@virtualcrap.com
> >> localhost
> >> connecting to localhost
> >> Please enter your password:
> >> unable to connect to server at /usr/bin/sieveshell line 191, line
> >> 1.
> >>
> >> here's the log:
> >> Nov 17 18:24:44 rway-imap-vm sieve[2256]: TLS is available.
> >> Nov 17 18:24:46 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user
> >> 'proxyadmin' granted access
> >> Nov 17 18:24:46 rway-imap-vm
Re: Can't authorize as different user in cyradm and sieveshell
Since nobody answered, I guess, nobody has any idea.
I wonder if anybody uses this feature and it works for you?
I mean I'd like to know if that's just me and something is wrong with my
setup or maybe that feature isn't functional at all?
Thanks in advance,

Michael

On Thursday, November 17, 2016 06:30:18 PM Michael Ulitskiy via Info-cyrus wrote:
> Hello,
>
> I'm playing with cyrus-imap 2.5.10 and cyrus-sasl 2.1.26.
> i'm trying to use sieveshell to setup users sieve scripts, but since
> i don't know users passwords i want to use a special user for authentication
> and authorize as the target user.
> Here's what I have.
>
> imapd.conf:
> admins: mailadmin
> proxyservers: proxyadmin
> sasl_pwcheck_method: saslauthd
> #sasl_pwcheck_method: alwaystrue
> sasl_mech_list: PLAIN
> allowplaintext: yes
>
> here's what i do:
>
> root@rway-imap-vm:~# sieveshell -a proxyadmin -u t...@virtualcrap.com
> localhost
> connecting to localhost
> Please enter your password:
> unable to connect to server at /usr/bin/sieveshell line 191, line 1.
>
> here's the log:
> Nov 17 18:24:44 rway-imap-vm sieve[2256]: TLS is available.
> Nov 17 18:24:46 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user
> 'proxyadmin' granted access
> Nov 17 18:24:46 rway-imap-vm sieve[2256]: badlogin: localhost [127.0.0.1]
> PLAIN no mechanism available
> Nov 17 18:24:46 rway-imap-vm sieve[2256]: Lost connection to client -- exiting
>
> as you can see user proxyadmin authenticated successfully, but then something
> (authorization?) went wrong
> and it says "PLAIN no mechanism available".
> this only happens if i try to authorize as different user. if i don't
> everything works fine:
>
> root@rway-imap-vm:~# sieveshell -a t...@virtualcrap.com -u
> t...@virtualcrap.com localhost
> connecting to localhost
> Please enter your password:
> >
>
> log:
> Nov 17 18:24:11 rway-imap-vm sieve[2247]: TLS is available.
> Nov 17 18:24:15 rway-imap-vm saslauthd[1167]: pam_userdb(sieve:auth): user
> 't...@virtualcrap.com' granted access
> Nov 17 18:24:15 rway-imap-vm sieve[2247]: login: localhost [127.0.0.1]
> t...@virtualcrap.com PLAIN User logged in
>
> the same happens to cyradm:
> root@rway-imap-vm:~# cyradm --user=proxyadmin --authz=t...@virtualcrap.com
> --auth=plain localhost
> Password:
> IMAP Password:
>
> log:
> Nov 17 18:26:27 rway-imap-vm saslauthd[1166]: pam_userdb(imap:auth): user
> 'proxyadmin' granted access
> Nov 17 18:26:27 rway-imap-vm imap[2277]: badlogin: localhost [127.0.0.1]
> PLAIN [SASL(-4): no mechanism available: Unable to find a callback: 32773]
>
> but ok without trying to authorize as different user:
> root@rway-imap-vm:~# cyradm --user=t...@virtualcrap.com --auth=plain localhost
> Password:
> localhost>
> Nov 17 18:27:31 rway-imap-vm saslauthd[1167]: pam_userdb(imap:auth): user
> 't...@virtualcrap.com' granted access
> Nov 17 18:27:31 rway-imap-vm imap[2276]: login: localhost [127.0.0.1]
> t...@virtualcrap.com PLAIN User logged in
> SESSIONID=
>
> Can somebody tell me what I am doing wrong?
> Thanks a lot,
>
> Michael
Can't authorize as different user in cyradm and sieveshell
Hello,

I'm playing with cyrus-imap 2.5.10 and cyrus-sasl 2.1.26.
i'm trying to use sieveshell to setup users sieve scripts, but since
i don't know users passwords i want to use a special user for authentication
and authorize as the target user.
Here's what I have.

imapd.conf:
admins: mailadmin
proxyservers: proxyadmin
sasl_pwcheck_method: saslauthd
#sasl_pwcheck_method: alwaystrue
sasl_mech_list: PLAIN
allowplaintext: yes

here's what i do:

root@rway-imap-vm:~# sieveshell -a proxyadmin -u t...@virtualcrap.com localhost
connecting to localhost
Please enter your password:
unable to connect to server at /usr/bin/sieveshell line 191, line 1.

here's the log:
Nov 17 18:24:44 rway-imap-vm sieve[2256]: TLS is available.
Nov 17 18:24:46 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 'proxyadmin' granted access
Nov 17 18:24:46 rway-imap-vm sieve[2256]: badlogin: localhost [127.0.0.1] PLAIN no mechanism available
Nov 17 18:24:46 rway-imap-vm sieve[2256]: Lost connection to client -- exiting

as you can see user proxyadmin authenticated successfully, but then something (authorization?) went wrong
and it says "PLAIN no mechanism available".
this only happens if i try to authorize as different user. if i don't everything works fine:

root@rway-imap-vm:~# sieveshell -a t...@virtualcrap.com -u t...@virtualcrap.com localhost
connecting to localhost
Please enter your password:
>

log:
Nov 17 18:24:11 rway-imap-vm sieve[2247]: TLS is available.
Nov 17 18:24:15 rway-imap-vm saslauthd[1167]: pam_userdb(sieve:auth): user 't...@virtualcrap.com' granted access
Nov 17 18:24:15 rway-imap-vm sieve[2247]: login: localhost [127.0.0.1] t...@virtualcrap.com PLAIN User logged in

the same happens to cyradm:
root@rway-imap-vm:~# cyradm --user=proxyadmin --authz=t...@virtualcrap.com --auth=plain localhost
Password:
IMAP Password:

log:
Nov 17 18:26:27 rway-imap-vm saslauthd[1166]: pam_userdb(imap:auth): user 'proxyadmin' granted access
Nov 17 18:26:27 rway-imap-vm imap[2277]: badlogin: localhost [127.0.0.1] PLAIN [SASL(-4): no mechanism available: Unable to find a callback: 32773]

but ok without trying to authorize as different user:
root@rway-imap-vm:~# cyradm --user=t...@virtualcrap.com --auth=plain localhost
Password:
localhost>
Nov 17 18:27:31 rway-imap-vm saslauthd[1167]: pam_userdb(imap:auth): user 't...@virtualcrap.com' granted access
Nov 17 18:27:31 rway-imap-vm imap[2276]: login: localhost [127.0.0.1] t...@virtualcrap.com PLAIN User logged in SESSIONID=

Can somebody tell me what I am doing wrong?
Thanks a lot,

Michael
Cyrus mail spool entirely on SSD
Hello,

I have a task to build a mail server with the following requirements:
1. ~ hundred mailboxes with up to 10G of data each
2. several mailboxes that may grow up to 100G each
3. client insists that splitting data into folders is inconvenient to them and so all/most of that data
   will likely live inside INBOX
4. it must be as fast as possible, searchable etc.

My question is: assuming cost is not an issue, would it be advisable to put an entire cyrus mail spool on SSD?
I'm thinking about combining multiple SSDs into RAID10 to further increase performance.
I've googled around and I see people put metadata and caches on SSD, but I haven't found a mention
of using SSD for entire mail spool.
Is it a good idea? Bad idea? Terrible idea? What do you think?
Thanks,

Michael