Re: sasl authentication and mysql
It seems OK. Does it work?

Thomas

On Thu, 2005-08-04 at 23:44 +0200, Gregor Bruhin wrote:
> Hi,
>
> I'm just trying to configure Cyrus to authenticate using a MySQL db. Is the following configuration correct?
>
> sasl_auto_transition: no
> sasl_pwcheck_method: auxprop
> sasl_auxprop_plugin: sql
> sasl_sql_engine: mysql
> sasl_mysql_password_format: crypt*
> sasl_mysql_hostnames: 10.0.0.5
> sasl_mysql_user: my_user
> sasl_mysql_passwd: my_pwd
> sasl_mysql_database: clients
> sasl_mysql_statement: select password from accounts where username = '%u'
> sasl_mysql_verbose: true
>
> What else do I need to configure? (I think that is everything for SASL; my SQL server is up and running, and the accounts table is also ready.) With which options should I start saslauthd?
>
> Thanks for your help!
>
> Greg
>
> * I patched my SASL sources to include crypted password support in MySQL.

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: Making Cyrus use the saslpasswd?
Which method does your saslauthd use? I think it's PAM in your case ...

On Mon, 2005-08-01 at 11:06 -0400, Edward Corrado wrote:
> Hello All,
>
> I have a Cyrus IMAP install (2.1.x on RH 9 with Fedora Legacy updates) and when someone checks their mail, it is authenticating against the password in /etc/passwd (well, /etc/shadow really) instead of the password created in the SASL database using saslpasswd. I'd like it to use the SASL password if possible (which it seems it is); however, I can't seem to figure out what to change to make it use the passwords created by saslpasswd instead of the regular password on this system.
>
> The /etc/imapd.conf file contains the following two lines:
>
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: PLAIN
>
> It seems that maybe changing the second one could be of some help, but I don't know what it should be.
>
> In case it helps, the whole imapd.conf file is:
>
> configdirectory: /var/lib/imap
> partition-default: /var/spool/imap
> admins: cyrus
> sievedir: /var/lib/imap/sieve
> sendmail: /usr/sbin/sendmail
> hashimapspool: true
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: PLAIN
> tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
> tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
> tls_ca_file: /usr/share/ssl/certs/ca-bundle.crt
>
> Does anyone have any suggestions?
>
> Thank you,
> Edward
Re: Making Cyrus use the saslpasswd?
Please have a look at your saslauthd start script; there is an entry with MECH=

-Thomas

On Mon, 2005-08-01 at 11:37 -0400, Edward Corrado wrote:
> I believe that it is currently going through PAM, which in turn looks at the system's passwd files.
>
> Edward
>
> Thomas Börnert said the following on 8/1/2005 11:30 AM:
>> Which method does your saslauthd use? I think it's PAM in your case ...
>>
>> On Mon, 2005-08-01 at 11:06 -0400, Edward Corrado wrote:
>>> Hello All,
>>>
>>> I have a Cyrus IMAP install (2.1.x on RH 9 with Fedora Legacy updates) and when someone checks their mail, it is authenticating against the password in /etc/passwd (well, /etc/shadow really) instead of the password created in the SASL database using saslpasswd. I'd like it to use the SASL password if possible (which it seems it is); however, I can't seem to figure out what to change to make it use the passwords created by saslpasswd instead of the regular password on this system.
>>>
>>> The /etc/imapd.conf file contains the following two lines:
>>>
>>> sasl_pwcheck_method: saslauthd
>>> sasl_mech_list: PLAIN
>>>
>>> It seems that maybe changing the second one could be of some help, but I don't know what it should be.
>>>
>>> In case it helps, the whole imapd.conf file is:
>>>
>>> configdirectory: /var/lib/imap
>>> partition-default: /var/spool/imap
>>> admins: cyrus
>>> sievedir: /var/lib/imap/sieve
>>> sendmail: /usr/sbin/sendmail
>>> hashimapspool: true
>>> sasl_pwcheck_method: saslauthd
>>> sasl_mech_list: PLAIN
>>> tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
>>> tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
>>> tls_ca_file: /usr/share/ssl/certs/ca-bundle.crt
>>>
>>> Does anyone have any suggestions?
>>>
>>> Thank you,
>>> Edward
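The two ways to make this setup check the saslpasswd database instead of /etc/shadow, added here as an illustration that is not part of the thread. The option names are the documented Cyrus SASL ones (imapd.conf and saslauthd's -a mechanism); the /etc/sysconfig/saslauthd path is an assumption about the Red Hat layout the poster describes.

```text
# Option A: drop saslauthd entirely and let imapd read /etc/sasldb2 itself
# (the cyrus user must be able to read /etc/sasldb2 for this to work).
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sasldb
# sasldb holds the plaintext secret, so shared-secret mechanisms can be offered as well:
sasl_mech_list: PLAIN CRAM-MD5 DIGEST-MD5

# Option B: keep saslauthd (and sasl_pwcheck_method: saslauthd) but switch its
# backend from PAM to sasldb. On Red Hat this is the MECH= line in
# /etc/sysconfig/saslauthd; it ends up as `saslauthd -a sasldb`.
MECH=sasldb
```

With option B only plaintext mechanisms (PLAIN, LOGIN) work, because saslauthd is a password verifier and never hands the secret back to imapd; option A is what makes CRAM-MD5 and DIGEST-MD5 possible.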
Re: login info
For saslauthd with pam_mysql you can log to a separate table and delete your users with a small script. For auxprop I'm looking for a solution myself at the moment; I think I should patch Cyrus SASL.

Thomas

On Sunday, 31.07.2005, 15:58 +0200, Sebastian Fohler wrote:
> I want to delete accounts where the users have not logged in over a certain period of time. Therefore I need some login information, or the information when the last login on a certain account was made. Is there some possibility to do that?
>
> Sebastian
Re: imapd -s does not seem to be responding
Have you built your SASL with --enable-sql? What do your cyrus.conf and imapd.conf look like?

Thomas

On Sunday, 31.07.2005, 11:50 -0400, Ralph Blach wrote:
> Andreas,
>
> I get a lot of these messages:
>
> Jul 31 11:46:22 blach imap[520]: sql_select option missing
> Jul 31 11:46:22 blach imap[520]: auxpropfunc error no mechanism available
>
> But these never seemed to affect anything before. The mail is correctly getting delivered by postscript. I can pick the mail up using port 143, but not 993. This used to work. I do get a message sometimes that the server has disconnected on the client side.
>
> Chip
>
> Andreas Hasenack wrote:
>> On Sunday 31 July 2005 09:31, Ralph Blach wrote:
>>> Any ideas on why 147 would work and 993 would not work? By the way, both show up in the netstat -a list as listening.
>>
>> *If there is nothing else in the logs*, then perhaps your entropy pool is depleted? Check if you have /dev/random and /dev/urandom. One of them (I always forget which one!) is a better quality source for random data and can be depleted quite fast.
log the last login time to database with auxprop
Hello Cyrus list!

I'm using auxprop because of using NTLM and DIGEST-MD5. I want to log the last login time to the database for web-cyradm. I tried this workaround:

sasl_sql_select: INSERT INTO `log` (`msg`,`user`,`time`) VALUES ('AUTH SUCCESSFUL','%u',NOW()); SELECT `password` FROM `accountuser` WHERE `username` = '%u'

but it doesn't work. :-(

Does anyone have another idea?

Thx
Thomas
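The "small script" from the login-info thread above, written out as an added example (not code from the list or from web-cyradm): given a `log` table of the shape the `sasl_sql_select` workaround targets and an `accountuser` table, find accounts with no successful login in N days and remove them. SQLite stands in for MySQL so it runs offline; the table names, the sample rows and the cut-off are constructed for the example.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed sample data, not from the list posts. `log` has the columns the
# INSERT in the post writes (msg, user, time); `accountuser` is the table the
# SELECT reads. Failed logins are logged too and must not count as activity.
SAMPLE_USERS = ["alice", "bob", "carol"]  # carol has never authenticated
SAMPLE_LOG = [
    ("AUTH SUCCESSFUL", "alice", "2005-06-01 12:00:00"),
    ("AUTH SUCCESSFUL", "bob", "2005-01-15 08:30:00"),
    ("AUTH SUCCESSFUL", "alice", "2005-07-30 10:00:00"),
    ("AUTH FAILED", "bob", "2005-07-29 09:00:00"),
]
SAMPLE_NOW = datetime(2005, 7, 31, 15, 58)  # "today" for the example


def open_sample_db():
    """In-memory SQLite database with the two tables; MySQL would use the same SQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accountuser (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE log (msg TEXT, user TEXT, time TEXT)")
    conn.executemany("INSERT INTO accountuser VALUES (?, 'x')", [(u,) for u in SAMPLE_USERS])
    conn.executemany("INSERT INTO log VALUES (?, ?, ?)", SAMPLE_LOG)
    conn.commit()
    return conn


def last_successful_login(conn):
    """Map every account to its most recent successful login, or None if there is none."""
    rows = conn.execute(
        "SELECT a.username, MAX(l.time) FROM accountuser a "
        "LEFT JOIN log l ON l.user = a.username AND l.msg = 'AUTH SUCCESSFUL' "
        "GROUP BY a.username"
    )
    return {u: (datetime.strptime(t, "%Y-%m-%d %H:%M:%S") if t else None) for u, t in rows}


def stale_users(conn, now, max_idle_days, include_never_logged_in=False):
    """Accounts whose last successful login is older than max_idle_days.

    Accounts with no login at all are skipped unless asked for: this schema has
    no creation timestamp, so a freshly created account is indistinguishable
    from one abandoned years ago, and deleting it by default would be a surprise.
    """
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for username, last in last_successful_login(conn).items():
        if last is None:
            if include_never_logged_in:
                stale.append(username)
        elif last < cutoff:
            stale.append(username)
    return sorted(stale)


def purge_users(conn, usernames, dry_run=True):
    """Delete the accounts and their log rows; returns how many were deleted (0 on dry run).

    Only the auth data is touched. The mailbox itself still has to be removed on
    the Cyrus side (cyradm's deletemailbox), which is outside this script.
    """
    if dry_run or not usernames:
        return 0
    params = [(u,) for u in usernames]
    conn.executemany("DELETE FROM log WHERE user = ?", params)
    conn.executemany("DELETE FROM accountuser WHERE username = ?", params)
    conn.commit()
    return len(params)


def remaining_users(conn):
    return [u for (u,) in conn.execute("SELECT username FROM accountuser ORDER BY username")]


if __name__ == "__main__":
    db = open_sample_db()
    idle = stale_users(db, SAMPLE_NOW, 90)
    print("would delete:", idle)
    print("deleted:", purge_users(db, idle, dry_run=False), "remaining:", remaining_users(db))
```

Run it against a real database by swapping `open_sample_db` for a MySQL connection; the default `dry_run=True` lets you review the list before anything is removed.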
Re: cyrus imapd auth
With CRAM-MD5 your password has to be stored in plaintext in LDAP. Is it encrypted?

-Thomas

On Mon, 2005-07-25 at 13:45 +0100, Dmitriy Kirhlarov wrote:
> Hi, list.
>
> I'm trying to use LDAP authentication. When I work with the IMAP server without TLS/SSL, everything works. When I use STARTTLS, authentication does not work and, as I can see in the slapd debug output, nobody tries to connect to the server at that moment.
>
> My configs:
>
> ---
> $ cat /usr/local/etc/imapd.conf
> configdirectory: /var/imap
> partition-default: /var/spool/imap
> sieveusehomedir: false
> sievedir: /var/imap/sieve
> sasl_pwcheck_method: saslauthd
> servername: free2.mow.oilspace.com
> admins: cyrus root dkirhlarov
> tls_ca_file: /usr/local/etc/ssl/cacert.pem
> tls_cert_file: /usr/local/etc/ssl/imap-free2.crt
> tls_key_file: /usr/local/etc/ssl/imap-free2.key
> ---
> $ cat /usr/local/etc/saslauthd.conf
> ldap_servers: ldaps://free2.mow.oilspace.com/
> ldap_search_base: ou=users,o=oilspace
> ldap_tls_cacert_file: /usr/local/etc/openldap/ssl/cacert.pem
> ---
>
> In /var/log/messages at the moment of connecting I get:
>
> Jul 25 12:38:29 free2 imap[66302]: auxpropfunc error invalid parameter supplied
> Jul 25 12:38:29 free2 imap[66302]: OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied
> Jul 25 12:38:30 free2 imap[66302]: starttls: TLSv1 with cipher RC4-SHA (128/128 bits new) no authentication
> Jul 25 12:38:30 free2 imap[66302]: no user in db
> Jul 25 12:38:30 free2 imap[66302]: no user in db
> Jul 25 12:38:30 free2 imap[66302]: no secret in database
> Jul 25 12:38:30 free2 imap[66302]: badlogin: dkirhlarov.mow.oilspace.com [172.17.1.254] CRAM-MD5 [SASL(-13): user not found: no secret in database]
>
> ---
> $ uname -rs
> FreeBSD 5.4-STABLE
>
> I'm trying to use a plaintext password over SSL for authentication. I must use only an encrypted connection between IMAP client and server, and between saslauthd and slapd.
>
> PS. Sorry for my English.
problem ntlm won't work with mysql
Hi list,

NTLM with Evolution or Outlook isn't working:

imap[17765]: badlogin: localhost.localdomain [127.0.0.1] NTLM [SASL (-13): authentication failure: incorrect NTLM response]

I've found: if I use sasldb2 then it works. If I use the MySQL setup below then it won't work :-(.

Does anyone have an idea?

Thanks
Thomas

my imapd.conf
-- snip ---
configdirectory: /var/lib/imap
#duplicatesuppression: 0
partition-default: /var/spool/imap
admins: cyrus
allowanonymouslogin: no
autocreatequota: 100
quotawarn: 90
timeout: 30
poptimeout: 10
#popminpoll: 1
servername: pop.domain.net
sievedir: /var/lib/imap/sieve
sieve_maxscriptsize: 32
sieve_maxscripts: 5
sendmail: /usr/sbin/sendmail
hashimapspool: true
allowplaintext: yes
sasl_pwcheck_method: saslauthd
sasl_mech_list: LOGIN PLAIN NTLM DIGEST-MD5 CRAM-MD5
tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
tls_ca_file: /usr/share/ssl/certs/cyrus-imapd.pem
sasl_sql_engine: mysql
sasl_sql_hostnames: localhost
sasl_sql_user: mail
sasl_sql_passwd: secret
sasl_sql_database: mail
sasl_sql_select: select password from accountuser where username = '%u'
-- snip ---

my cyrus.conf
-- snip ---
# standard standalone server implementation

START {
  # do not delete this entry!
  recover       cmd="ctl_cyrusdb -r"

  # this is only necessary if using idled for IMAP IDLE
  idled         cmd="idled"
}

# UNIX sockets start with a slash and are put into /var/lib/imap/sockets
SERVICES {
  # add or remove based on preferences
  imap          cmd="imapd" listen="[localhost]:imap" prefork=5
  imaps         cmd="imapd -s" listen="[localhost]:imaps" prefork=1
  pop3          cmd="pop3d" listen="[pop]:pop3" prefork=3
  pop3s         cmd="pop3d -s" listen="[pop]:pop3s" prefork=1
  sieve         cmd="timsieved" listen="[localhost]:sieve" prefork=0

  # at least one LMTP is required for delivery
#  lmtp         cmd="lmtpd" listen="[localhost]:lmtp" prefork=0
  lmtpunix      cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1

  # this is only necessary if using notifications
#  notify       cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" prefork=1
}

EVENTS {
  # this is required
  checkpoint    cmd="ctl_cyrusdb -c" period=30

  # this is only necessary if using duplicate delivery suppression
  delprune      cmd="ctl_deliver -E 3" at=0400

  # this is only necessary if caching TLS sessions
  tlsprune      cmd="tls_prune" at=0400

  # create SQUAT indexes for all mailboxes
  squatter      cmd="/usr/lib/cyrus-imapd/squatter -r user.%" at=401
}
-- snip ---
Re: problem ntlm won't work with mysql
Yes, DIGEST-MD5 doesn't work either :-(. Why is it working with sasldb2 (auxprop)?

There is a patch for Cyrus with auxprop/mysql. Has anyone tested it?

Thanks.
-Thomas

On Mon, 2005-07-11 at 08:19 -0400, Ken Murchison wrote:
> Thomas Börnert wrote:
>> Hi list,
>>
>> NTLM with Evolution or Outlook isn't working:
>>
>> imap[17765]: badlogin: localhost.localdomain [127.0.0.1] NTLM [SASL (-13): authentication failure: incorrect NTLM response]
>>
>> I've found: if I use sasldb2 then it works. If I use the MySQL setup below then it won't work :-(.
>
> Do CRAM-MD5 or DIGEST-MD5 work with mysql?
>
>> Does anyone have an idea?
>
> My guess is that you are encrypting the passwords in your mysql database, which will cause non-plaintext mechanisms like NTLM and DIGEST-MD5 to fail.
>
>> my imapd.conf
>> -- snip ---
>> configdirectory: /var/lib/imap
>> #duplicatesuppression: 0
>> partition-default: /var/spool/imap
>> admins: cyrus
>> allowanonymouslogin: no
>> autocreatequota: 100
>> quotawarn: 90
>> timeout: 30
>> poptimeout: 10
>> #popminpoll: 1
>> servername: pop.domain.net
>> sievedir: /var/lib/imap/sieve
>> sieve_maxscriptsize: 32
>> sieve_maxscripts: 5
>> sendmail: /usr/sbin/sendmail
>> hashimapspool: true
>> allowplaintext: yes
>> sasl_pwcheck_method: saslauthd
>> sasl_mech_list: LOGIN PLAIN NTLM DIGEST-MD5 CRAM-MD5
>> tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
>> tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
>> tls_ca_file: /usr/share/ssl/certs/cyrus-imapd.pem
>> sasl_sql_engine: mysql
>> sasl_sql_hostnames: localhost
>> sasl_sql_user: mail
>> sasl_sql_passwd: secret
>> sasl_sql_database: mail
>> sasl_sql_select: select password from accountuser where username = '%u'
>> -- snip ---
>>
>> my cyrus.conf
>> -- snip ---
>> # standard standalone server implementation
>>
>> START {
>>   # do not delete this entry!
>>   recover       cmd="ctl_cyrusdb -r"
>>
>>   # this is only necessary if using idled for IMAP IDLE
>>   idled         cmd="idled"
>> }
>>
>> # UNIX sockets start with a slash and are put into /var/lib/imap/sockets
>> SERVICES {
>>   # add or remove based on preferences
>>   imap          cmd="imapd" listen="[localhost]:imap" prefork=5
>>   imaps         cmd="imapd -s" listen="[localhost]:imaps" prefork=1
>>   pop3          cmd="pop3d" listen="[pop]:pop3" prefork=3
>>   pop3s         cmd="pop3d -s" listen="[pop]:pop3s" prefork=1
>>   sieve         cmd="timsieved" listen="[localhost]:sieve" prefork=0
>>
>>   # at least one LMTP is required for delivery
>> #  lmtp         cmd="lmtpd" listen="[localhost]:lmtp" prefork=0
>>   lmtpunix      cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1
>>
>>   # this is only necessary if using notifications
>> #  notify       cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" prefork=1
>> }
>>
>> EVENTS {
>>   # this is required
>>   checkpoint    cmd="ctl_cyrusdb -c" period=30
>>
>>   # this is only necessary if using duplicate delivery suppression
>>   delprune      cmd="ctl_deliver -E 3" at=0400
>>
>>   # this is only necessary if caching TLS sessions
>>   tlsprune      cmd="tls_prune" at=0400
>>
>>   # create SQUAT indexes for all mailboxes
>>   squatter      cmd="/usr/lib/cyrus-imapd/squatter -r user.%" at=401
>> }
>> -- snip ---
Re: problem ntlm won't work with mysql
On Mon, 2005-07-11 at 16:55 -0400, Ken Murchison wrote:
> Thomas Börnert wrote:
>> Yes, DIGEST-MD5 doesn't work either :-(. Why is it working with sasldb2 (auxprop)?
>
> The mechanisms need the plaintext password (or plaintext equivalent) stored in the auxprop backend.

Where is the patch available???

Thanks
-Thomas

> The SQL auxprop that ships with SASL will work correctly unless you've patched it to store encrypted passwords, in which case the SQL auxprop will only work for plaintext SASL mechanisms and plaintext authentication protocol commands.
>
>> There is a patch for Cyrus with auxprop/mysql. Has anyone tested it?
>>
>> Thanks.
>> -Thomas
>>
>> On Mon, 2005-07-11 at 08:19 -0400, Ken Murchison wrote:
>>> Thomas Börnert wrote:
>>>> Hi list,
>>>>
>>>> NTLM with Evolution or Outlook isn't working:
>>>>
>>>> imap[17765]: badlogin: localhost.localdomain [127.0.0.1] NTLM [SASL (-13): authentication failure: incorrect NTLM response]
>>>>
>>>> I've found: if I use sasldb2 then it works. If I use the MySQL setup below then it won't work :-(.
>>>
>>> Do CRAM-MD5 or DIGEST-MD5 work with mysql?
>>>
>>>> Does anyone have an idea?
>>>
>>> My guess is that you are encrypting the passwords in your mysql database, which will cause non-plaintext mechanisms like NTLM and DIGEST-MD5 to fail.
>>>
>>>> my imapd.conf
>>>> -- snip ---
>>>> configdirectory: /var/lib/imap
>>>> #duplicatesuppression: 0
>>>> partition-default: /var/spool/imap
>>>> admins: cyrus
>>>> allowanonymouslogin: no
>>>> autocreatequota: 100
>>>> quotawarn: 90
>>>> timeout: 30
>>>> poptimeout: 10
>>>> #popminpoll: 1
>>>> servername: pop.domain.net
>>>> sievedir: /var/lib/imap/sieve
>>>> sieve_maxscriptsize: 32
>>>> sieve_maxscripts: 5
>>>> sendmail: /usr/sbin/sendmail
>>>> hashimapspool: true
>>>> allowplaintext: yes
>>>> sasl_pwcheck_method: saslauthd
>>>> sasl_mech_list: LOGIN PLAIN NTLM DIGEST-MD5 CRAM-MD5
>>>> tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
>>>> tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
>>>> tls_ca_file: /usr/share/ssl/certs/cyrus-imapd.pem
>>>> sasl_sql_engine: mysql
>>>> sasl_sql_hostnames: localhost
>>>> sasl_sql_user: mail
>>>> sasl_sql_passwd: secret
>>>> sasl_sql_database: mail
>>>> sasl_sql_select: select password from accountuser where username = '%u'
>>>> -- snip ---
>>>>
>>>> my cyrus.conf
>>>> -- snip ---
>>>> # standard standalone server implementation
>>>>
>>>> START {
>>>>   # do not delete this entry!
>>>>   recover       cmd="ctl_cyrusdb -r"
>>>>
>>>>   # this is only necessary if using idled for IMAP IDLE
>>>>   idled         cmd="idled"
>>>> }
>>>>
>>>> # UNIX sockets start with a slash and are put into /var/lib/imap/sockets
>>>> SERVICES {
>>>>   # add or remove based on preferences
>>>>   imap          cmd="imapd" listen="[localhost]:imap" prefork=5
>>>>   imaps         cmd="imapd -s" listen="[localhost]:imaps" prefork=1
>>>>   pop3          cmd="pop3d" listen="[pop]:pop3" prefork=3
>>>>   pop3s         cmd="pop3d -s" listen="[pop]:pop3s" prefork=1
>>>>   sieve         cmd="timsieved" listen="[localhost]:sieve" prefork=0
>>>>
>>>>   # at least one LMTP is required for delivery
>>>> #  lmtp         cmd="lmtpd" listen="[localhost]:lmtp" prefork=0
>>>>   lmtpunix      cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1
>>>>
>>>>   # this is only necessary if using notifications
>>>> #  notify       cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" prefork=1
>>>> }
>>>>
>>>> EVENTS {
>>>>   # this is required
>>>>   checkpoint    cmd="ctl_cyrusdb -c" period=30
>>>>
>>>>   # this is only necessary if using duplicate delivery suppression
>>>>   delprune      cmd="ctl_deliver -E 3" at=0400
>>>>
>>>>   # this is only necessary if caching TLS sessions
>>>>   tlsprune      cmd="tls_prune" at=0400
>>>>
>>>>   # create SQUAT indexes for all mailboxes
>>>>   squatter      cmd="/usr/lib/cyrus-imapd/squatter -r user.%" at=401
>>>> }
>>>> -- snip ---
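Why Ken's answer holds, both for this thread and for the CRAM-MD5-against-LDAP thread above ("no secret in database"): a shared-secret mechanism makes the server recompute the client's proof from the stored secret, so a store that holds only a one-way hash of the password cannot produce it. The exchange below is an added example written for this page, not code from Cyrus SASL or from the list; the user "thomas", the secrets and the hostname are constructed, and SHA-256 stands in for whatever crypt()-style hash a patched plugin would store.

```python
import base64
import hashlib
import hmac
import os
import secrets
import time

# Constructed sample secret stores (not from the list). The SQL auxprop plugin
# hands SASL whatever `sasl_sql_select` returns for %u; these two dicts model
# the two storage choices the thread contrasts, for one user.
PLAINTEXT_STORE = {"thomas": "s3cret"}
HASHED_STORE = {"thomas": hashlib.sha256(b"s3cret").hexdigest()}  # one-way hash, as a patched plugin might store


def make_challenge(hostname="pop.domain.net"):
    """Server -> client: an opaque, unique msg-id-style challenge (RFC 2195)."""
    return f"<{os.getpid()}.{int(time.time())}.{secrets.token_hex(4)}@{hostname}>".encode()


def client_response(username, password, challenge):
    """Client -> server: base64('username' SP hex(HMAC-MD5(key=password, msg=challenge)))."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode())


def server_verify(store, challenge, wire):
    """Server: recompute the HMAC from the stored secret and compare in constant time.

    HMAC needs the original key, so the stored secret must be the plaintext
    password. A store holding only a hash keys the HMAC with the hash string,
    never matches the client, and SASL reports -13 / "authentication failure".
    """
    try:
        username, _, digest = base64.b64decode(wire).decode().partition(" ")
    except (ValueError, UnicodeDecodeError):
        return False
    secret = store.get(username)
    if secret is None:
        return False  # Cyrus logs "no secret in database" / "user not found" here
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.encode())


def cram_md5_exchange(store, username, password, challenge=None):
    """Run one complete exchange (challenge, response, verify) against a given store."""
    challenge = challenge if challenge is not None else make_challenge()
    return server_verify(store, challenge, client_response(username, password, challenge))


def digest_md5_plaintext_equivalent(username, realm, password):
    """The "plaintext equivalent" Ken mentions, for DIGEST-MD5 (RFC 2831): MD5(user:realm:password).

    A server may store this instead of the password, but it is not a safe hash:
    whoever reads it can answer DIGEST-MD5 challenges for that user, so it must
    be protected exactly like the password itself.
    """
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


if __name__ == "__main__":
    print("plaintext store, right password:", cram_md5_exchange(PLAINTEXT_STORE, "thomas", "s3cret"))
    print("plaintext store, wrong password:", cram_md5_exchange(PLAINTEXT_STORE, "thomas", "wrong"))
    print("hashed store, right password:   ", cram_md5_exchange(HASHED_STORE, "thomas", "s3cret"))
```

`client_response` reproduces the worked example in RFC 2195 (user tim, password tanstaaftanstaaf, the challenge printed there), which is a quick way to check a server-side implementation against a known-good vector. The security trade-off the thread circles around is visible in the two stores: the plaintext store makes CRAM-MD5, DIGEST-MD5 and NTLM possible but turns the database into a credential dump if it leaks, while the hashed store protects the passwords at rest and leaves only PLAIN and LOGIN over TLS.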