Re: Please help with Cyrus vs MS Outlook over TSL/SSL
Ilya Basin wrote:

> On Wednesday 19 November 2003 20:03, Ken Murchison wrote:
>
> I'd like to disable plaintext auth at all.

Keep in mind that there is a difference between allowing plaintext
authentication and allowing plaintext authentication mechanisms. You can
enable plaintext authentication mechanisms (SASL PLAIN, IMAP LOGIN, POP3
USER/PASS) without allowing plaintext authentication by forcing the client
to use SSL/TLS. In fact, some older clients use nothing but plaintext
authentication mechanisms.

> I've changed the conf as you suggested to auxprop and it started to work FINE.
> THANK YOU so much. I am ashamed of myself.

If you already have an auxprop plugin populated with the user secrets,
then this is the way to go.

> > Ilya Basin wrote:
> > > Hi,
> > > I've spent a week trying to configure cyrus-imapd-2.1.15
> > > to work with MS Outlook 2000 over TLS/SSL.
> > > I see no way to fix it... maybe I've missed something?
> > >
> > > System:
> > >
> > > Slackware 9.1
> > > openssl-09.7c
> > > cyrus-imapd-cyrus-sasl-2.1.15
> > > cyrus-imapd-2.1.15
> > >
> > > compiled with no errors.
> > >
> > > Mozilla Messenger, PINE - checked & work fine with it over port 993
> > > MS Outlook -> (with the options [secure auth], work over SSL (port 993))
> > > gives an error "CRAM-MD5 auth failed"
> > > IMAPD.log:
> > >
> > > imapd[25702]: starttls: TLSv1 with cipher RC4-MD5(128/128 bits new) no authentication
> > > imapd[25702]: badlogin: [213.152.132.32] NTLM [SASL(-13): user not found: no secret in database]
> >
> > What kind of authentication do you want to do? Are you only going to
> > allow plaintext auth mechanisms (via saslauthd), or do you want to allow
> > shared secret mechanisms (via an auxprop plugin like sasldb, LDAP, SQL)?
> >
> > The only way you will be able to use Outlook's SPA (NTLM) is to allow
> > the user secrets to be stored in an auxprop backend, or to proxy the
> > NTLM authentication to an NT/2K server.
> >
> > My suggestion is to simply not use Outlook's SPA, since the
> > authentication is already protected by SSL. Unchecking the SPA box
> > should solve your problem.

--
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
Re: Please help with Cyrus vs MS Outlook over TSL/SSL
On Wednesday 19 November 2003 20:03, Ken Murchison wrote:

I'd like to disable plaintext auth at all.

I've changed the conf as you suggested to auxprop and it started to work FINE.
THANK YOU so much. I am ashamed of myself.

> Ilya Basin wrote:
> > Hi,
> > I've spent a week trying to configure cyrus-imapd-2.1.15
> > to work with MS Outlook 2000 over TLS/SSL.
> > I see no way to fix it... maybe I've missed something?
> >
> > System:
> >
> > Slackware 9.1
> > openssl-09.7c
> > cyrus-imapd-cyrus-sasl-2.1.15
> > cyrus-imapd-2.1.15
> >
> > compiled with no errors.
> >
> > Mozilla Messenger, PINE - checked & work fine with it over port 993
> > MS Outlook -> (with the options [secure auth], work over SSL (port 993))
> > gives an error "CRAM-MD5 auth failed"
> > IMAPD.log:
> >
> > imapd[25702]: starttls: TLSv1 with cipher RC4-MD5(128/128 bits new) no authentication
> > imapd[25702]: badlogin: [213.152.132.32] NTLM [SASL(-13): user not found: no secret in database]
>
> What kind of authentication do you want to do? Are you only going to
> allow plaintext auth mechanisms (via saslauthd), or do you want to allow
> shared secret mechanisms (via an auxprop plugin like sasldb, LDAP, SQL)?
>
> The only way you will be able to use Outlook's SPA (NTLM) is to allow
> the user secrets to be stored in an auxprop backend, or to proxy the
> NTLM authentication to an NT/2K server.
>
> My suggestion is to simply not use Outlook's SPA, since the
> authentication is already protected by SSL. Unchecking the SPA box
> should solve your problem.
Re: Please help with Cyrus vs MS Outlook over TSL/SSL
Ilya Basin wrote:

> Hi,
> I've spent a week trying to configure cyrus-imapd-2.1.15
> to work with MS Outlook 2000 over TLS/SSL.
> I see no way to fix it... maybe I've missed something?
>
> System:
>
> Slackware 9.1
> openssl-09.7c
> cyrus-imapd-cyrus-sasl-2.1.15
> cyrus-imapd-2.1.15
>
> compiled with no errors.
>
> Mozilla Messenger, PINE - checked & work fine with it over port 993
> MS Outlook -> (with the options [secure auth], work over SSL (port 993))
> gives an error "CRAM-MD5 auth failed"
> IMAPD.log:
>
> imapd[25702]: starttls: TLSv1 with cipher RC4-MD5(128/128 bits new) no authentication
> imapd[25702]: badlogin: [213.152.132.32] NTLM [SASL(-13): user not found: no secret in database]

What kind of authentication do you want to do? Are you only going to
allow plaintext auth mechanisms (via saslauthd), or do you want to allow
shared secret mechanisms (via an auxprop plugin like sasldb, LDAP, SQL)?

The only way you will be able to use Outlook's SPA (NTLM) is to allow
the user secrets to be stored in an auxprop backend, or to proxy the
NTLM authentication to an NT/2K server.

My suggestion is to simply not use Outlook's SPA, since the
authentication is already protected by SSL. Unchecking the SPA box
should solve your problem.

--
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
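
The distinction drawn in the replies above (shared-secret mechanisms need a per-user secret in an auxprop backend, which a saslauthd-only setup does not have), applied to the CAPABILITY line and the badlogin log line from the original post. This is an added example, not part of the thread and not Cyrus code; the function names and the mechanism table are assumptions of the example, and the second log line is constructed.

```python
import re

# Mechanisms from this thread's CAPABILITY line for which the server needs a
# per-user secret in an auxprop backend (sasldb, LDAP, SQL). PLAIN is left out:
# it carries the password itself, so saslauthd can verify it.
# (This table is an assumption of the example.)
SHARED_SECRET_MECHS = {"CRAM-MD5", "DIGEST-MD5", "NTLM", "OTP", "SRP"}

BADLOGIN_RE = re.compile(
    r"imapd\[\d+\]: badlogin: \[(?P<ip>[^\]]+)\] (?P<mech>\S+) "
    r"\[SASL\((?P<code>-?\d+)\): (?P<msg>[^\]]*)\]"
)

# CAPABILITY response as posted in the thread.
CAPABILITY = (
    "* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS "
    "NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT "
    "THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=SRP AUTH=NTLM AUTH=PLAIN "
    "AUTH=OTP AUTH=DIGEST-MD5 AUTH=CRAM-MD5"
)
LOG_LINES = [
    # From the original post.
    "imapd[25702]: badlogin: [213.152.132.32] NTLM "
    "[SASL(-13): user not found: no secret in database]",
    # Constructed line: a wrong password sent with a plaintext mechanism.
    "imapd[25710]: badlogin: [192.0.2.10] PLAIN "
    "[SASL(-13): authentication failure: checkpass failed]",
]

def advertised_mechs(capability_line):
    """Return the SASL mechanisms named by AUTH= tokens, in order."""
    return [t[5:].upper() for t in capability_line.split()
            if t.upper().startswith("AUTH=")]

def needs_auxprop(capability_line):
    """Advertised mechanisms that fail for users without a stored secret."""
    return [m for m in advertised_mechs(capability_line)
            if m in SHARED_SECRET_MECHS]

def diagnose(log_line):
    """Classify one imapd badlogin line; None if the line is not one."""
    m = BADLOGIN_RE.search(log_line)
    if m is None:
        return None
    mech = m["mech"].upper()
    missing = mech in SHARED_SECRET_MECHS and "no secret in database" in m["msg"]
    return {"ip": m["ip"], "mech": mech, "sasl_code": int(m["code"]),
            "cause": "no-auxprop-secret" if missing else "other"}

if __name__ == "__main__":
    print("need auxprop secrets:", needs_auxprop(CAPABILITY))
    print([diagnose(line) for line in LOG_LINES])
```

Every mechanism returned by needs_auxprop is one a client may select and then fail on when the user has no stored secret; the two remedies given in the thread are populating an auxprop backend or unchecking SPA in Outlook.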
Re: Please help with Cyrus vs MS Outlook over TSL/SSL
On Wednesday 19 November 2003 19:14, Ilya Basin wrote:

I have some additional info.
Sorry to provide you with such a big bunch of info...

ALL imtest passed with OK, like:

[EMAIL PROTECTED]:~$ imtest -u ilya -p 993 -s localhost -m digest-md5
verify error:num=18:self signed certificate
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
S: * OK torer Cyrus IMAP4 v2.1.15 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=SRP AUTH=NTLM AUTH=PLAIN AUTH=OTP AUTH=DIGEST-MD5 AUTH=CRAM-MD5
S: C01 OK Completed
C: A01 AUTHENTICATE DIGEST-MD5
S: + bm9uY2U9InNRVythSmQxaExpa3hJRzY1elZjanloYjdEZ3Jqdmg5VFhhUk5EcEcweGs9IixyZWFsbT0idG9yZXIiLHFvcD0iYXV0aCIsbWF4YnVmPTQwOTYsY2hhcnNldD11dGYtOCxhbGdvcml0aG09bWQ1LXNlc3M=
Please enter your password:
C: dXNlcm5hbWU9ImlseWEiLHJlYWxtPSJ0b3JlciIsbm9uY2U9InNRVythSmQxaExpa3hJRzY1elZjanloYjdEZ3Jqdmg5VFhhUk5EcEcweGs9Iixjbm9uY2U9InNuT2NqNWc3MklHenRmdjhEY2dhOXBZL3l1U1ByNnZBRUhtd1VCVk5uYms9IixuYz0wMDAwMDAwMSxxb3A9YXV0aCxtYXhidWY9MTAyNCxkaWdlc3QtdXJpPSJpbWFwL2xvY2FsaG9zdCIscmVzcG9uc2U9ZWYzMGMyZjg0NTFmYzhlNGY4ZDNmZmFlODFlOTBiMWU=
S: + cnNwYXV0aD0xNzcxNTM4MDlkOTdkNWFhYTNkYjNlM2VjOWMzMTZjMg==
C:
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256

[EMAIL PROTECTED]:~$ imtest -u ilya -p 993 -s localhost -m ntlm
verify error:num=18:self signed certificate
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
S: * OK torer Cyrus IMAP4 v2.1.15 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=SRP AUTH=NTLM AUTH=PLAIN AUTH=OTP AUTH=DIGEST-MD5 AUTH=CRAM-MD5
S: C01 OK Completed
C: A01 AUTHENTICATE NTLM
S: +
C: TlRMTVNTUAABB4IgACA=
S: + TlRMTVNTUAACCgAKADAFggIAbbWlQikzSmE6IE5UTE0gc2VydmVyIHN0VABPAFIARQBSAA==
Please enter your password:
C: TlRMTVNTUAADGAAYAEAYABgAWAoACgBwCAAIAHoAggCCBYIAAHEToITshuMXoNRGSZo1bdBAQShmOVTT3SkZ3vXxYZv/ qzD2aNXrN8FSAcpN8VASAVQATwBSAEUAUgBpAGwAeQBhAA==
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256

[EMAIL PROTECTED]:~$ imtest -u ilya -p 993 -s localhost -m cram-md5
verify error:num=18:self signed certificate
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
S: * OK torer Cyrus IMAP4 v2.1.15 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=SRP AUTH=NTLM AUTH=PLAIN AUTH=OTP AUTH=DIGEST-MD5 AUTH=CRAM-MD5
S: C01 OK Completed
C: A01 AUTHENTICATE CRAM-MD5
S: + PDM3NjY0NTMxMjQuMTIyOTU0NDVAdG9yZXI+
Please enter your password:
C: aWx5YSAyNTdkNzgyODA1ZDBkZWFmOTU5YjdhNWQxZGM1YTY4ZA==
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256

[EMAIL PROTECTED]:~$ imtest -u ilya -p 993 -s localhost -m OTP
verify error:num=18:self signed certificate
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
S: * OK torer Cyrus IMAP4 v2.1.15 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=SRP AUTH=NTLM AUTH=PLAIN AUTH=OTP AUTH=DIGEST-MD5 AUTH=CRAM-MD5
S: C01 OK Completed
C: A01 AUTHENTICATE OTP
S: +
Please enter your secret pass-phrase:
C: aWx5YQBpbHlh
S: + b3RwLW1kNSA0OTggdG81NTU5IGV4dA==
C: aGV4OjZjZTI4MmFiZTk4ZDIyY2U=
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256

[EMAIL PROTECTED]:~$ imtest -u ilya -p 993 -s localhost -m SRP
verify error:num=18:self signed certificate
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
S: * OK torer Cyrus IMAP4 v2.1.15 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=SRP AUTH=NTLM AUTH=PLAIN AUTH=OTP AUTH=DIGEST-MD5 AUTH=CRAM-MD5
S: C01 OK Completed
C: A01 AUTHENTICATE SRP
S: +
Please enter your password:
C: DAAEaWx5YQAEaWx5YQ==
S: + AAABIQEArGvbQTJKmpvxZt5eE4lYL69ytmUZh+4H/ DGSlD21YFCjcynLtKCZ7YGT4HV3Z6E91SMSq0sDMQ3Nf0ip2gT9UOgIOWntt2ewz2CVF5oWOrNmGgX71fqq6CkYqZYvC5O4Vfl5k +yXXuqoDXQK2/T/dHNZ0EHVwz6nHSgeRGsUdzvKl7Q6I/ uAFna9IHpDbGSB8dK5B4cXRhpbnTLmiPh3SFRFI7UksNV9Xqd6J3XS7PoDLPvb9S +zeGFgJ5AE5Xrmr4dOcwPOUymczAQce8MI2CpWmPOo0MOCca41+Onb +7aUtcgD2J965DXeI21SX1R1m2XjcvzWjvIPpxEfnkr/cwABAhBJ7hWfe/7e2sJFsO +sRX3PAAltZGE9U0hBLTE=
C: AAABDQEAKWbjLQMWWmYoKrbk0FWHDsuvDjALFkKs9c2DYrAt/ TEouoqRBH1R74Bsrf6elkhou3QhhHT7D8
Please help with Cyrus vs MS Outlook over TSL/SSL
Hi,
I've spent a week trying to configure cyrus-imapd-2.1.15
to work with MS Outlook 2000 over TLS/SSL.
I see no way to fix it... maybe I've missed something?

System:

Slackware 9.1
openssl-09.7c
cyrus-imapd-cyrus-sasl-2.1.15
cyrus-imapd-2.1.15

compiled with no errors.

Mozilla Messenger, PINE - checked & work fine with it over port 993
MS Outlook -> (with the options [secure auth], work over SSL (port 993))
gives an error "CRAM-MD5 auth failed"
IMAPD.log:

imapd[25702]: starttls: TLSv1 with cipher RC4-MD5(128/128 bits new) no authentication
imapd[25702]: badlogin: [213.152.132.32] NTLM [SASL(-13): user not found: no secret in database]

### my imapd.conf: ###

configdirectory: /usr/local/var/imap
partition-default: /usr/local/var/spool/imap
sieveusehomedir: false
admins: cyrus, ilya
allowanonymouslogin: no
allowplaintext: no
sendmail: /usr/sbin/sendmail
sasl_pwcheck_method: saslauthd
#sasl_mech_list:
srvtab: /etc/ssl
tls_ca_path: /etc/ssl
tls_ca_file: /etc/ssl/server.pem
tls_cert_file: /etc/ssl/server.pem
tls_key_file: /etc/ssl/server.pem

my cyrus.conf: ###

# standard standalone server implementation

START {
  # do not delete this entry!
  recover       cmd="ctl_cyrusdb -r"

  # this is only necessary if using idled for IMAP IDLE
#  idled        cmd="idled"
}

# UNIX sockets start with a slash and are put into /var/imap/socket
SERVICES {
  # add or remove based on preferences
  imap          cmd="imapd" listen="imap" prefork=0
  imaps         cmd="imapd -s" listen="imaps" prefork=0
  pop3          cmd="pop3d" listen="pop3" prefork=0
  pop3s         cmd="pop3d -s" listen="pop3s" prefork=0
#  sieve        cmd="timsieved" listen="sieve" prefork=0

  # at least one LMTP is required for delivery
#  lmtp         cmd="lmtpd" listen="lmtp" prefork=0
  lmtpunix      cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0

  # this is only necessary if using notifications
#  notify       cmd="notifyd" listen="/var/imap/socket/notify" proto="udp" prefork=1
}

EVENTS {
  # this is required
  checkpoint    cmd="ctl_cyrusdb -c" period=30

  # this is only necessary if using duplicate delivery suppression
  delprune      cmd="ctl_deliver -E 3" at=0400

  # this is only necessary if caching TLS sessions
  tlsprune      cmd="tls_prune" at=0400
}

my imtest -u ilya -s output: ###

[EMAIL PROTECTED]:~$ imtest -u ilya -s localhost
verify error:num=18:self signed certificate
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
S: * OK torer Cyrus IMAP4 v2.1.15 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=SRP AUTH=NTLM AUTH=PLAIN AUTH=OTP AUTH=DIGEST-MD5 AUTH=CRAM-MD5
S: C01 OK Completed
C: A01 AUTHENTICATE SRP
S: +
Please enter your password:
C: DAAEaWx5YQAEaWx5YQ==
S: + AAABIQEArGvbQTJKmpvxZt5eE4lYL69ytmUZh+4H/ DGSlD21YFCjcynLtKCZ7YGT4HV3Z6E91SMSq0sDMQ3Nf0ip2gT9UOgIOWntt2ewz2CVF5oWOrNmGgX71fqq6CkYqZYvC5O4Vfl5k +yXXuqoDXQK2/T/dHNZ0EHVwz6nHSgeRGsUdzvKl7Q6I/ uAFna9IHpDbGSB8dK5B4cXRhpbnTLmiPh3SFRFI7UksNV9Xqd6J3XS7PoDLPvb9S +zeGFgJ5AE5Xrmr4dOcwPOUymczAQce8MI2CpWmPOo0MOCca41+Onb +7aUtcgD2J965DXeI21SX1R1m2XjcvzWjvIPpxEfnkr/cwABAhBJ7hWfe/7e2sJFsO +sRX3PAAltZGE9U0hBLTE=
C: AAABDQEAq7MXJsdRD843HkUEX8cH/ wwTuk4WqoZl97ZQ4PBjHVsz6WO81idFeHBO0r4AzdRTfJmPo32HtgleOLphf1usROjnKH3amiih0Kc7p8b8IBH6ZuWJ7HjcaIir0WiSJV3MnYKC5tcrYfra6rhlhnNO7zOcpQfNrywq8qHG7AMdOaSZYR8n60uhD3fPEdcTqaF2bgbvPDAtcfXW8AiDsElbY401Ck9Xl8r1UVsx8T9Sv3QQrbaN9CxPX8T006 +HQfRHJy8S46wnTSwn7y6bYbuwBhrXwGYPNqU4ancS7mY9cTUMb/fPdROWUwGkEbKt/ c0vWiNu8aUqZ+2b0ijGt7q0mwAJbWRhPVNIQS0x
S: + AAABAgEAHfp4TXZTfSM+z0QC3NW4my/vcJOCoK0c/IJ5rjOSvP7XcBfbRFvIaKmR +K8qjK8feFciImSB4w +AuvtYArEuCXsTLAo31mFCWEfjQb8CkYQhqaWht3OIHpMHq2rcsS5hTWvszDQvx6eMhxoGSosJ82JSoXgDvQtP0WuhpvRdz8n88T4Y +O3TEFmEz8hktFKK5nvEvsyisOWrADzrjJUfvx/F5tl1AFLpMFB2lWgQ+/2zCbGq9ID+bpS +pfGoiY7WfntuLgVDiWbUZruTZyCAz2rKOICCASsVNtYVgAL0+WFeRfh/ sNQDtN1t6pJYKtXzn7zlgI67LaecWAVEGzSmsw==
C: FRQMsbnVGJCD5pP5opXUXUnLXefjnA==
S: + FRQKUgxKKRnoElg5H5Zj3wk1duK3jg==
C:
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256