Re: Murder and Backend Authentication
On Sat, 1 Feb 2003, Rob Siemborski wrote:

> > This sounds like that when a connection is referred it no longer "passes
> > thru" the front end server. Rather there is a direct connection made from
> > the client to the back end. Is this correct? If so, I'm assuming that this
> > would only be the case for IMAP operations and not POP.
>
> Yes, this will only happen with IMAP connections.

Actually, it will occur with timsieved connections as well, though if you
are not concerned about IMAP, I'm guessing you don't care about sieve
either.

Though, if you *are* only concerned with POP, there are definitely better
solutions than using the Cyrus Murder.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
Re: Murder and Backend Authentication
On Sat, Feb 1, 2003, Rob Siemborski wrote:

> On Sat, 1 Feb 2003, Hank Beatty wrote:
>
> > I'm thinking that in my case this isn't necessarily a problem because the
> > clients will not be able to reach the back end servers so all communication
> > will have to be proxied.
>
> This is not the way the aggregator works. It is always possible (and
> sometimes required, especially for administrative operations) for a
> frontend to refer a client to the backend for particular operations.

This sounds like that when a connection is referred it no longer "passes
thru" the front end server. Rather there is a direct connection made from
the client to the back end. Is this correct? If so, I'm assuming that this
would only be the case for IMAP operations and not POP.

>
> This is a large performance win for clients which support referrals (and as
> I said above, is necessary for some administrative operations).
>
> -Rob
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
> Research Systems Programmer * /usr/contributed Gatekeeper
>
Re: Murder and Backend Authentication
On Sat, 1 Feb 2003, Hank Beatty wrote:

> This sounds like that when a connection is referred it no longer "passes
> thru" the front end server. Rather there is a direct connection made from
> the client to the back end. Is this correct? If so, I'm assuming that this
> would only be the case for IMAP operations and not POP.

Yes, this will only happen with IMAP connections.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
Re: Murder and Backend Authentication
I'm thinking that in my case this isn't necessarily a problem because the
clients will not be able to reach the back end servers so all communication
will have to be proxied.

Hank

----- Original Message -----
From: "Rob Siemborski" <[EMAIL PROTECTED]>
To: "Ken Murchison" <[EMAIL PROTECTED]>
Cc: "Hank Beatty" <[EMAIL PROTECTED]>; "Cyrus-Info" <[EMAIL PROTECTED]>
Sent: Friday, January 31, 2003 4:35 PM
Subject: Re: Murder and Backend Authentication

> On Fri, 31 Jan 2003, Ken Murchison wrote:
>
> > Like Rob said, just PLAIN, which will require you to use STARTTLS, which
> > is only in 2.2. That being said, since you will likely only have one or
> > two proxy admins, you could just put them in sasldb2 and use DIGEST-MD5.
>
> This may break some clients, since they may then try to authenticate using
> DIGEST-MD5 to the backend (say, via a referral), and then get upset when
> they can't.
>
> You really want a uniform authentication environment for the aggregator.
>
> -Rob
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
> Research Systems Programmer * /usr/contributed Gatekeeper
>
Re: Murder and Backend Authentication
On Sat, 1 Feb 2003, Hank Beatty wrote:

> I'm thinking that in my case this isn't necessarily a problem because the
> clients will not be able to reach the back end servers so all communication
> will have to be proxied.

This is not the way the aggregator works. It is always possible (and
sometimes required, especially for administrative operations) for a
frontend to refer a client to the backend for particular operations.

This is a large performance win for clients which support referrals (and as
I said above, is necessary for some administrative operations).

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
Re: Murder and Backend Authentication
Ken,

Thanks. This is exactly what I did. I was just getting ready to post a
follow-up to let everyone know.

Hank

----- Original Message -----
From: "Ken Murchison" <[EMAIL PROTECTED]>
To: "Hank Beatty" <[EMAIL PROTECTED]>
Cc: "Rob Siemborski" <[EMAIL PROTECTED]>; "Cyrus-Info" <[EMAIL PROTECTED]>
Sent: Friday, January 31, 2003 4:34 PM
Subject: Re: Murder and Backend Authentication

>
>
> Hank Beatty wrote:
> >
> > OK. That makes sense. Are there any SASL mechs that can use PAM?
>
> Like Rob said, just PLAIN, which will require you to use STARTTLS, which
> is only in 2.2. That being said, since you will likely only have one or
> two proxy admins, you could just put them in sasldb2 and use DIGEST-MD5.
>
> >
> >
> > ----- Original Message -----
> > From: "Rob Siemborski" <[EMAIL PROTECTED]>
> > To: "Hank Beatty" <[EMAIL PROTECTED]>
> > Cc: "Cyrus-Info" <[EMAIL PROTECTED]>
> > Sent: Friday, January 31, 2003 3:18 PM
> > Subject: Re: Murder and Backend Authentication
> >
> > > You aren't offering any SASL mechanisms. I believe the 2.2 code even
> > > supports STARTTLS (and therefore PLAIN).
> > >
> > > You need to support a SASL mechanism that allows proxy authentication.
> > > The regular IMAP login command isn't good enough.
> > >
> > > -Rob
> > >
> > > On Fri, 31 Jan 2003, Hank Beatty wrote:
> > >
> > > > And when I use imtest:
> > > >
> > > > [root@draco root]# imtest -u hbeatty -a hbeatty localhost
> > > > S: * OK draco Cyrus IMAP4 v2.2.prealpha server ready
> > > > C: C01 CAPABILITY
> > > > S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> > > > NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
> > > > THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE
> > > > MUPDATE=mupdate://zeus.email.starband.net/
> > > > S: C01 OK Completed
> > > > Please enter your password:
> > > > C: L01 LOGIN hbeatty {4}
> > > > S: + go ahead
> > > > C:
> > > > S: L01 OK User logged in
> > > > Authenticated.
> > > > Security strength factor: 0
> > > >
> > > > ----- Original Message -----
> > > > From: "Rob Siemborski" <[EMAIL PROTECTED]>
> > > > To: "Hank Beatty" <[EMAIL PROTECTED]>
> > > > Cc: "Cyrus-Info" <[EMAIL PROTECTED]>
> > > > Sent: Friday, January 31, 2003 2:29 PM
> > > > Subject: Re: Murder and Backend Authentication
> > > >
> > > >
> > > > > What SASL mechanism are you using between your frontend and backends?
> > > > >
> > > > > Or rather, what mechanisms are your backends advertising?
> > > > >
> > > > > -Rob
> > > > >
> > > > > On Fri, 31 Jan 2003, Hank Beatty wrote:
> > > > >
> > > > > > I'm working on getting a Murder setup and I can authenticate and pull mail
> > > > > > directly from the backend server.
> > > > > >
> > > > > > However, when I try to proxy the connection I get this in /var/log/messages
> > > > > > on the proxy/master:
> > > > > >
> > > > > > Jan 31 13:40:35 zeus pop3[5437]: login: SERVER[192.168.247.241] hbeatty plaintext
> > > > > > Jan 31 13:40:35 zeus pop3[5437]: couldn't authenticate to backend server: no mechanism available
> > > > > > Jan 31 13:40:35 zeus pop3[5437]: couldn't authenticate to backend server
> > > > > >
> > > > > > I get this in /var/log/imapd.log on the backend server:
> > > > > >
> > > > > > Jan 31 13:45:01 draco pop3[32718]: accepted connection
> > > > > > Jan 31 13:45:01 draco master[32724]: about to exec /usr/cyrus/bin/pop3d
> > > > > > Jan 31 13:45:01 draco master[32688]: process 32718 exited, status 0
> > > > > > Jan 31 13:45:01 draco pop3[32724]: executed
> > > > > >
> > > > > > With this in mind it would seem that when using the proxy the authentication
> > > > > > method is different somehow. Is this correct?
> > > > > >
> > > > >
> > > > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > > > Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
> > > > > Research Systems Programmer * /usr/contributed Gatekeeper
> > > > >
> > > >
> > >
> > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
> > > Research Systems Programmer * /usr/contributed Gatekeeper
> > >
>
> --
> Kenneth Murchison     Oceana Matrix Ltd.
> Software Engineer     21 Princeton Place
> 716-662-8973 x26      Orchard Park, NY 14127
> --PGP Public Key--http://www.oceana.com/~ken/ksm.pgp
Re: Murder and Backend Authentication
On Fri, 31 Jan 2003, Eric S. Pulley wrote:

> Sorry if this is just obvious but... Everyone keeps stating that
> STARTTLS is not supported in 2.1.x. I'm assuming that it just doesn't
> work for the Backend Authentication in a Murder since I'm using it to
> connect to my standalone server just fine. Or do I have something very
> wrong going on here?

Yes, that's roughly correct. All the server-side STARTTLS code is
implemented. However, the proxies do not have code to make use of STARTTLS
when they connect to the backend, so STARTTLS isn't an option for
proxy->backend authentication (not client->proxy or client->backend
authentication, that works fine) in 2.1.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
Re: Murder and Backend Authentication
Sorry if this is just obvious but... Everyone keeps stating that
STARTTLS is not supported in 2.1.x. I'm assuming that it just doesn't
work for the Backend Authentication in a Murder since I'm using it to
connect to my standalone server just fine. Or do I have something very
wrong going on here?

S: * OK xxx Cyrus IMAP4 v2.1.11 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=DIGEST-MD5
AUTH=CRAM-MD5 LISTEXT LIST-SUBSCRIBED
S: C01 OK Completed

--On Friday, January 31, 2003 16:34 -0500 Ken Murchison <[EMAIL PROTECTED]> wrote:

Hank Beatty wrote:

OK. That makes sense. Are there any SASL mechs that can use PAM?

Like Rob said, just PLAIN, which will require you to use STARTTLS, which
is only in 2.2. That being said, since you will likely only have one or
two proxy admins, you could just put them in sasldb2 and use DIGEST-MD5.

----- Original Message -----
From: "Rob Siemborski" <[EMAIL PROTECTED]>
To: "Hank Beatty" <[EMAIL PROTECTED]>
Cc: "Cyrus-Info" <[EMAIL PROTECTED]>
Sent: Friday, January 31, 2003 3:18 PM
Subject: Re: Murder and Backend Authentication

> You aren't offering any SASL mechanisms. I believe the 2.2 code
> even supports STARTTLS (and therefore PLAIN).
>
> You need to support a SASL mechanism that allows proxy
> authentication. The regular IMAP login command isn't good enough.
>
> -Rob
>
> On Fri, 31 Jan 2003, Hank Beatty wrote:
>
> > And when I use imtest:
> >
> > [root@draco root]# imtest -u hbeatty -a hbeatty localhost
> > S: * OK draco Cyrus IMAP4 v2.2.prealpha server ready
> > C: C01 CAPABILITY
> > S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+
> > MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT
> > CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT
> > THREAD=REFERENCES IDLE
> > MUPDATE=mupdate://zeus.email.starband.net/
> > S: C01 OK Completed
> > Please enter your password:
> > C: L01 LOGIN hbeatty {4}
> > S: + go ahead
> > C:
> > S: L01 OK User logged in
> > Authenticated.
> > Security strength factor: 0
> >
> > ----- Original Message -----
> > From: "Rob Siemborski" <[EMAIL PROTECTED]>
> > To: "Hank Beatty" <[EMAIL PROTECTED]>
> > Cc: "Cyrus-Info" <[EMAIL PROTECTED]>
> > Sent: Friday, January 31, 2003 2:29 PM
> > Subject: Re: Murder and Backend Authentication
> >
> >
> > > What SASL mechanism are you using between your frontend and
> > > backends?
> > >
> > > Or rather, what mechanisms are your backends advertising?
> > >
> > > -Rob
> > >
> > > On Fri, 31 Jan 2003, Hank Beatty wrote:
> > >
> > > > I'm working on getting a Murder setup and I can authenticate and pull mail
> > > > directly from the backend server.
> > > >
> > > > However, when I try to proxy the connection I get this in /var/log/messages
> > > > on the proxy/master:
> > > >
> > > > Jan 31 13:40:35 zeus pop3[5437]: login: SERVER[192.168.247.241] hbeatty plaintext
> > > > Jan 31 13:40:35 zeus pop3[5437]: couldn't authenticate to backend server: no mechanism available
> > > > Jan 31 13:40:35 zeus pop3[5437]: couldn't authenticate to backend server
> > > >
> > > > I get this in /var/log/imapd.log on the backend server:
> > > >
> > > > Jan 31 13:45:01 draco pop3[32718]: accepted connection
> > > > Jan 31 13:45:01 draco master[32724]: about to exec /usr/cyrus/bin/pop3d
> > > > Jan 31 13:45:01 draco master[32688]: process 32718 exited, status 0
> > > > Jan 31 13:45:01 draco pop3[32724]: executed
> > > >
> > > > With this in mind it would seem that when using the proxy the authentication
> > > > method is different somehow. Is this correct?
> > > >
> > >
> > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
> > > Research Systems Programmer * /usr/contributed Gatekeeper
> > >
> >
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
> Research Systems Programmer * /usr/contributed Gatekeeper
>

--
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp

| Eric S. Pulley         |
| Sr. Unix Administrator |
| Hamilton Partners      |
| +1.707.431.4300        |
| <[EMAIL PROTECTED]>    |
Re: Murder and Backend Authentication
Hank Beatty wrote:
>
> OK. That makes sense. Are there any SASL mechs that can use PAM?

Like Rob said, just PLAIN, which will require you to use STARTTLS, which
is only in 2.2. That being said, since you will likely only have one or
two proxy admins, you could just put them in sasldb2 and use DIGEST-MD5.

>
> ----- Original Message -----
> From: "Rob Siemborski" <[EMAIL PROTECTED]>
> To: "Hank Beatty" <[EMAIL PROTECTED]>
> Cc: "Cyrus-Info" <[EMAIL PROTECTED]>
> Sent: Friday, January 31, 2003 3:18 PM
> Subject: Re: Murder and Backend Authentication
>
> > You aren't offering any SASL mechanisms. I believe the 2.2 code even
> > supports STARTTLS (and therefore PLAIN).
> >
> > You need to support a SASL mechanism that allows proxy authentication.
> > The regular IMAP login command isn't good enough.
> >
> > -Rob
> >
> > On Fri, 31 Jan 2003, Hank Beatty wrote:
> >
> > > And when I use imtest:
> > >
> > > [root@draco root]# imtest -u hbeatty -a hbeatty localhost
> > > S: * OK draco Cyrus IMAP4 v2.2.prealpha server ready
> > > C: C01 CAPABILITY
> > > S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> > > NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
> > > THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE
> > > MUPDATE=mupdate://zeus.email.starband.net/
> > > S: C01 OK Completed
> > > Please enter your password:
> > > C: L01 LOGIN hbeatty {4}
> > > S: + go ahead
> > > C:
> > > S: L01 OK User logged in
> > > Authenticated.
> > > Security strength factor: 0
> > >
> > > ----- Original Message -----
> > > From: "Rob Siemborski" <[EMAIL PROTECTED]>
> > > To: "Hank Beatty" <[EMAIL PROTECTED]>
> > > Cc: "Cyrus-Info" <[EMAIL PROTECTED]>
> > > Sent: Friday, January 31, 2003 2:29 PM
> > > Subject: Re: Murder and Backend Authentication
> > >
> > >
> > > > What SASL mechanism are you using between your frontend and backends?
> > > >
> > > > Or rather, what mechanisms are your backends advertising?
> > > >
> > > > -Rob
> > > >
> > > > On Fri, 31 Jan 2003, Hank Beatty wrote:
> > > >
> > > > > I'm working on getting a Murder setup and I can authenticate and pull mail
> > > > > directly from the backend server.
> > > > >
> > > > > However, when I try to proxy the connection I get this in /var/log/messages
> > > > > on the proxy/master:
> > > > >
> > > > > Jan 31 13:40:35 zeus pop3[5437]: login: SERVER[192.168.247.241] hbeatty plaintext
> > > > > Jan 31 13:40:35 zeus pop3[5437]: couldn't authenticate to backend server: no mechanism available
> > > > > Jan 31 13:40:35 zeus pop3[5437]: couldn't authenticate to backend server
> > > > >
> > > > > I get this in /var/log/imapd.log on the backend server:
> > > > >
> > > > > Jan 31 13:45:01 draco pop3[32718]: accepted connection
> > > > > Jan 31 13:45:01 draco master[32724]: about to exec /usr/cyrus/bin/pop3d
> > > > > Jan 31 13:45:01 draco master[32688]: process 32718 exited, status 0
> > > > > Jan 31 13:45:01 draco pop3[32724]: executed
> > > > >
> > > > > With this in mind it would seem that when using the proxy the authentication
> > > > > method is different somehow. Is this correct?
> > > > >
> > > >
> > > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > > Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
> > > > Research Systems Programmer * /usr/contributed Gatekeeper
> > > >
> > >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
> > Research Systems Programmer * /usr/contributed Gatekeeper
> >

--
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp
Re: Murder and Backend Authentication
On Fri, 31 Jan 2003, Ken Murchison wrote:

> Like Rob said, just PLAIN, which will require you to use STARTTLS, which
> is only in 2.2. That being said, since you will likely only have one or
> two proxy admins, you could just put them in sasldb2 and use DIGEST-MD5.

This may break some clients, since they may then try to authenticate using
DIGEST-MD5 to the backend (say, via a referral), and then get upset when
they can't.

You really want a uniform authentication environment for the aggregator.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
Re: Murder and Backend Authentication
OK. That makes sense. Are there any SASL mechs that can use PAM?

----- Original Message -----
From: "Rob Siemborski" <[EMAIL PROTECTED]>
To: "Hank Beatty" <[EMAIL PROTECTED]>
Cc: "Cyrus-Info" <[EMAIL PROTECTED]>
Sent: Friday, January 31, 2003 3:18 PM
Subject: Re: Murder and Backend Authentication

> You aren't offering any SASL mechanisms. I believe the 2.2 code even
> supports STARTTLS (and therefore PLAIN).
>
> You need to support a SASL mechanism that allows proxy authentication.
> The regular IMAP login command isn't good enough.
>
> -Rob
>
> On Fri, 31 Jan 2003, Hank Beatty wrote:
>
> > And when I use imtest:
> >
> > [root@draco root]# imtest -u hbeatty -a hbeatty localhost
> > S: * OK draco Cyrus IMAP4 v2.2.prealpha server ready
> > C: C01 CAPABILITY
> > S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> > NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
> > THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE
> > MUPDATE=mupdate://zeus.email.starband.net/
> > S: C01 OK Completed
> > Please enter your password:
> > C: L01 LOGIN hbeatty {4}
> > S: + go ahead
> > C:
> > S: L01 OK User logged in
> > Authenticated.
> > Security strength factor: 0
> >
> > ----- Original Message -----
> > From: "Rob Siemborski" <[EMAIL PROTECTED]>
> > To: "Hank Beatty" <[EMAIL PROTECTED]>
> > Cc: "Cyrus-Info" <[EMAIL PROTECTED]>
> > Sent: Friday, January 31, 2003 2:29 PM
> > Subject: Re: Murder and Backend Authentication
> >
> >
> > > What SASL mechanism are you using between your frontend and backends?
> > >
> > > Or rather, what mechanisms are your backends advertising?
> > >
> > > -Rob
> > >
> > > On Fri, 31 Jan 2003, Hank Beatty wrote:
> > >
> > > > I'm working on getting a Murder setup and I can authenticate and pull mail
> > > > directly from the backend server.
> > > >
> > > > However, when I try to proxy the connection I get this in /var/log/messages
> > > > on the proxy/master:
> > > >
> > > > Jan 31 13:40:35 zeus pop3[5437]: login: SERVER[192.168.247.241] hbeatty plaintext
> > > > Jan 31 13:40:35 zeus pop3[5437]: couldn't authenticate to backend server: no mechanism available
> > > > Jan 31 13:40:35 zeus pop3[5437]: couldn't authenticate to backend server
> > > >
> > > > I get this in /var/log/imapd.log on the backend server:
> > > >
> > > > Jan 31 13:45:01 draco pop3[32718]: accepted connection
> > > > Jan 31 13:45:01 draco master[32724]: about to exec /usr/cyrus/bin/pop3d
> > > > Jan 31 13:45:01 draco master[32688]: process 32718 exited, status 0
> > > > Jan 31 13:45:01 draco pop3[32724]: executed
> > > >
> > > > With this in mind it would seem that when using the proxy the authentication
> > > > method is different somehow. Is this correct?
> > > >
> > >
> > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
> > > Research Systems Programmer * /usr/contributed Gatekeeper
> > >
> >
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
> Research Systems Programmer * /usr/contributed Gatekeeper
>
Re: Murder and Backend Authentication
PLAIN is your only choice (so you'll need to be sure you can get a TLS
layer between the frontend and backend). Like I said, I believe 2.2 has
this code. I know 2.1 does not.

-Rob

On Fri, 31 Jan 2003, Hank Beatty wrote:

> OK. That makes sense. Are there any SASL mechs that can use PAM?
>
> ----- Original Message -----
> From: "Rob Siemborski" <[EMAIL PROTECTED]>
> To: "Hank Beatty" <[EMAIL PROTECTED]>
> Cc: "Cyrus-Info" <[EMAIL PROTECTED]>
> Sent: Friday, January 31, 2003 3:18 PM
> Subject: Re: Murder and Backend Authentication
>
>
> > You aren't offering any SASL mechanisms. I believe the 2.2 code even
> > supports STARTTLS (and therefore PLAIN).
> >
> > You need to support a SASL mechanism that allows proxy authentication.
> > The regular IMAP login command isn't good enough.
> >
> > -Rob
> >
> > On Fri, 31 Jan 2003, Hank Beatty wrote:
> >
> > > And when I use imtest:
> > >
> > > [root@draco root]# imtest -u hbeatty -a hbeatty localhost
> > > S: * OK draco Cyrus IMAP4 v2.2.prealpha server ready
> > > C: C01 CAPABILITY
> > > S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> > > NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
> > > THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE
> > > MUPDATE=mupdate://zeus.email.starband.net/
> > > S: C01 OK Completed
> > > Please enter your password:
> > > C: L01 LOGIN hbeatty {4}
> > > S: + go ahead
> > > C:
> > > S: L01 OK User logged in
> > > Authenticated.
> > > Security strength factor: 0
> > >
> > > ----- Original Message -----
> > > From: "Rob Siemborski" <[EMAIL PROTECTED]>
> > > To: "Hank Beatty" <[EMAIL PROTECTED]>
> > > Cc: "Cyrus-Info" <[EMAIL PROTECTED]>
> > > Sent: Friday, January 31, 2003 2:29 PM
> > > Subject: Re: Murder and Backend Authentication
> > >
> > >
> > > > What SASL mechanism are you using between your frontend and backends?
> > > >
> > > > Or rather, what mechanisms are your backends advertising?
> > > >
> > > > -Rob
> > > >
> > > > On Fri, 31 Jan 2003, Hank Beatty wrote:
> > > >
> > > > > I'm working on getting a Murder setup and I can authenticate and pull mail
> > > > > directly from the backend server.
> > > > >
> > > > > However, when I try to proxy the connection I get this in /var/log/messages
> > > > > on the proxy/master:
> > > > >
> > > > > Jan 31 13:40:35 zeus pop3[5437]: login: SERVER[192.168.247.241] hbeatty plaintext
> > > > > Jan 31 13:40:35 zeus pop3[5437]: couldn't authenticate to backend server: no mechanism available
> > > > > Jan 31 13:40:35 zeus pop3[5437]: couldn't authenticate to backend server
> > > > >
> > > > > I get this in /var/log/imapd.log on the backend server:
> > > > >
> > > > > Jan 31 13:45:01 draco pop3[32718]: accepted connection
> > > > > Jan 31 13:45:01 draco master[32724]: about to exec /usr/cyrus/bin/pop3d
> > > > > Jan 31 13:45:01 draco master[32688]: process 32718 exited, status 0
> > > > > Jan 31 13:45:01 draco pop3[32724]: executed
> > > > >
> > > > > With this in mind it would seem that when using the proxy the authentication
> > > > > method is different somehow. Is this correct?
> > > > >
> > > >
> > > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > > Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
> > > > Research Systems Programmer * /usr/contributed Gatekeeper
> > > >
> > >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
> > Research Systems Programmer * /usr/contributed Gatekeeper
> >
>

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
Re: Murder and Backend Authentication
You aren't offering any SASL mechanisms. I believe the 2.2 code even
supports STARTTLS (and therefore PLAIN).

You need to support a SASL mechanism that allows proxy authentication.
The regular IMAP login command isn't good enough.

-Rob

On Fri, 31 Jan 2003, Hank Beatty wrote:

> And when I use imtest:
>
> [root@draco root]# imtest -u hbeatty -a hbeatty localhost
> S: * OK draco Cyrus IMAP4 v2.2.prealpha server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE
> MUPDATE=mupdate://zeus.email.starband.net/
> S: C01 OK Completed
> Please enter your password:
> C: L01 LOGIN hbeatty {4}
> S: + go ahead
> C:
> S: L01 OK User logged in
> Authenticated.
> Security strength factor: 0
>
> ----- Original Message -----
> From: "Rob Siemborski" <[EMAIL PROTECTED]>
> To: "Hank Beatty" <[EMAIL PROTECTED]>
> Cc: "Cyrus-Info" <[EMAIL PROTECTED]>
> Sent: Friday, January 31, 2003 2:29 PM
> Subject: Re: Murder and Backend Authentication
>
>
> > What SASL mechanism are you using between your frontend and backends?
> >
> > Or rather, what mechanisms are your backends advertising?
> >
> > -Rob
> >
> > On Fri, 31 Jan 2003, Hank Beatty wrote:
> >
> > > I'm working on getting a Murder setup and I can authenticate and pull mail
> > > directly from the backend server.
> > >
> > > However, when I try to proxy the connection I get this in /var/log/messages
> > > on the proxy/master:
> > >
> > > Jan 31 13:40:35 zeus pop3[5437]: login: SERVER[192.168.247.241] hbeatty plaintext
> > > Jan 31 13:40:35 zeus pop3[5437]: couldn't authenticate to backend server: no mechanism available
> > > Jan 31 13:40:35 zeus pop3[5437]: couldn't authenticate to backend server
> > >
> > > I get this in /var/log/imapd.log on the backend server:
> > >
> > > Jan 31 13:45:01 draco pop3[32718]: accepted connection
> > > Jan 31 13:45:01 draco master[32724]: about to exec /usr/cyrus/bin/pop3d
> > > Jan 31 13:45:01 draco master[32688]: process 32718 exited, status 0
> > > Jan 31 13:45:01 draco pop3[32724]: executed
> > >
> > > With this in mind it would seem that when using the proxy the authentication
> > > method is different somehow. Is this correct?
> > >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
> > Research Systems Programmer * /usr/contributed Gatekeeper
> >
>

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
Re: Murder and Backend Authentication
My conf file looks like this:

##
# Global info's
##
configdirectory: /var/imap
partition-default: /var/spool/imap
unixhierarchysep: yes
altnamespace: yes
imapidresponse: no

##
# Authentification & User rights
##
admins: cyrus murderbackend murderproxy
sasl_pwcheck_method: saslauthd
allowanonymouslogin: no
sasl_mech_list: PLAIN LOGIN
# sasl_auto_transition: yes

##
# Quota & Message size limit
##
quotawarn: 90
autocreatequota: 10240
# maxmessagesize: 10485760
lmtp_overquota_perm_failure: no

##
# ACL
##
defaultacl: anyone lrs

##
# Virtual Domain Support
##
virtdomains: yes
defaultdomain: starburn.net

##
# mupdate parameters
##
mupdate_authname: cyrus
mupdate_password: SuperSecretPassword :)
mupdate_port: 2004
#mupdate_realm:
mupdate_retry_delay: 20
mupdate_server: zeus.email.starband.net
mupdate_workers_start: 5
mupdate_workers_minspare: 2
mupdate_workers_maxspare: 10
mupdate_workers_max: 50
mupdate_username: cyrus
proxyservers: murderproxy

And when I use imtest:

[root@draco root]# imtest -u hbeatty -a hbeatty localhost
S: * OK draco Cyrus IMAP4 v2.2.prealpha server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE
MUPDATE=mupdate://zeus.email.starband.net/
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN hbeatty {4}
S: + go ahead
C:
S: L01 OK User logged in
Authenticated.
Security strength factor: 0

----- Original Message -----
From: "Rob Siemborski" <[EMAIL PROTECTED]>
To: "Hank Beatty" <[EMAIL PROTECTED]>
Cc: "Cyrus-Info" <[EMAIL PROTECTED]>
Sent: Friday, January 31, 2003 2:29 PM
Subject: Re: Murder and Backend Authentication

> What SASL mechanism are you using between your frontend and backends?
>
> Or rather, what mechanisms are your backends advertising?
>
> -Rob
>
> On Fri, 31 Jan 2003, Hank Beatty wrote:
>
> > I'm working on getting a Murder setup and I can authenticate and pull mail
> > directly from the backend server.
> >
> > However, when I try to proxy the connection I get this in /var/log/messages
> > on the proxy/master:
> >
> > Jan 31 13:40:35 zeus pop3[5437]: login: SERVER[192.168.247.241] hbeatty plaintext
> > Jan 31 13:40:35 zeus pop3[5437]: couldn't authenticate to backend server: no mechanism available
> > Jan 31 13:40:35 zeus pop3[5437]: couldn't authenticate to backend server
> >
> > I get this in /var/log/imapd.log on the backend server:
> >
> > Jan 31 13:45:01 draco pop3[32718]: accepted connection
> > Jan 31 13:45:01 draco master[32724]: about to exec /usr/cyrus/bin/pop3d
> > Jan 31 13:45:01 draco master[32688]: process 32718 exited, status 0
> > Jan 31 13:45:01 draco pop3[32724]: executed
> >
> > With this in mind it would seem that when using the proxy the authentication
> > method is different somehow. Is this correct?
> >
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
> Research Systems Programmer * /usr/contributed Gatekeeper
>
Re: Murder and Backend Authentication
What SASL mechanism are you using between your frontend and backends?

Or rather, what mechanisms are your backends advertising?

-Rob

On Fri, 31 Jan 2003, Hank Beatty wrote:

> I'm working on getting a Murder setup and I can authenticate and pull mail
> directly from the backend server.
>
> However, when I try to proxy the connection I get this in /var/log/messages
> on the proxy/master:
>
> Jan 31 13:40:35 zeus pop3[5437]: login: SERVER[192.168.247.241] hbeatty plaintext
> Jan 31 13:40:35 zeus pop3[5437]: couldn't authenticate to backend server: no mechanism available
> Jan 31 13:40:35 zeus pop3[5437]: couldn't authenticate to backend server
>
> I get this in /var/log/imapd.log on the backend server:
>
> Jan 31 13:45:01 draco pop3[32718]: accepted connection
> Jan 31 13:45:01 draco master[32724]: about to exec /usr/cyrus/bin/pop3d
> Jan 31 13:45:01 draco master[32688]: process 32718 exited, status 0
> Jan 31 13:45:01 draco pop3[32724]: executed
>
> With this in mind it would seem that when using the proxy the authentication
> method is different somehow. Is this correct?
>

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
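
The check this thread keeps returning to (which mechanisms does a backend advertise, and can a proxy use any of them?), as an added example that is not part of the original messages or of Cyrus itself. The two transcripts are the CAPABILITY responses quoted in the thread; the set of authzid-capable mechanisms, the function names and the verdict strings are assumptions of this example.

```python
import re

# SASL mechanisms that carry a separate authorization identity (authzid),
# which a proxy needs in order to log in as itself and act for a user.
# CRAM-MD5 and LOGIN have no authzid field. (Assumed list for this example.)
AUTHZID_CAPABLE = {"PLAIN", "DIGEST-MD5", "GSSAPI", "EXTERNAL"}

# Capability exchange from the 2.2.prealpha backend, as quoted in the thread.
BACKEND_2_2 = """\
S: * OK draco Cyrus IMAP4 v2.2.prealpha server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE
MUPDATE=mupdate://zeus.email.starband.net/
S: C01 OK Completed
"""

# Capability exchange from the standalone 2.1.11 server, as quoted in the thread.
STANDALONE_2_1 = """\
S: * OK xxx Cyrus IMAP4 v2.1.11 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=DIGEST-MD5
AUTH=CRAM-MD5 LISTEXT LIST-SUBSCRIBED
S: C01 OK Completed
"""

CAP_LINE = re.compile(r"^(?:S:\s*)?\*\s+CAPABILITY\s+(.*)$", re.I)
# A new protocol line ends the wrapped capability list: an imtest "S:"/"C:"
# prefix, another untagged response, or a tagged OK/NO/BAD completion.
NEW_LINE = re.compile(r"^(?:[SC]:|\*|\S+\s+(?:OK|NO|BAD)\b)", re.I)


def parse_capabilities(transcript):
    """Return capability atoms from an imtest-style transcript.

    Mail clients wrap the long '* CAPABILITY' line, so following lines are
    treated as continuations until the next protocol line. If the transcript
    holds several CAPABILITY responses (for example before and after
    STARTTLS), the last one wins.
    """
    atoms, collecting = [], False
    for raw in transcript.splitlines():
        line = raw.strip()
        match = CAP_LINE.match(line)
        if match:
            atoms, collecting = match.group(1).split(), True
        elif collecting and line and not NEW_LINE.match(line):
            atoms.extend(line.split())
        else:
            collecting = False
    return atoms


def assess(transcript):
    """Summarise what a proxy could authenticate with on this server."""
    upper = [atom.upper() for atom in parse_capabilities(transcript)]
    mechs = [atom[len("AUTH="):] for atom in upper if atom.startswith("AUTH=")]
    usable = [m for m in mechs if m in AUTHZID_CAPABLE]
    starttls = "STARTTLS" in upper
    if usable:
        verdict = "ok"
    elif starttls:
        # The capability list can change once TLS is up (PLAIN often appears
        # only then), so CAPABILITY has to be issued again after STARTTLS.
        verdict = "recheck-after-starttls"
    else:
        # Nothing to negotiate: matches the "no mechanism available" log line.
        verdict = "no-mechanism"
    return {"mechs": mechs, "proxy_usable": usable,
            "starttls": starttls, "verdict": verdict}


if __name__ == "__main__":
    for name, text in (("backend 2.2.prealpha", BACKEND_2_2),
                       ("standalone 2.1.11", STANDALONE_2_1)):
        print(name, assess(text))
```
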