Re: timsieved not offering any auth mechanisms
Quoting Scott Russell <[EMAIL PROTECTED]>:

> On Sat, Oct 05, 2002 at 12:53:46PM -0400, Ken Murchison wrote:
> > Quoting Matt Bernstein <[EMAIL PROTECTED]>:
> > > At 09:24 -0400 Ken Murchison wrote:
> > >
> > > >> Telnet-ing to port 2000 gives me:
> > > >>
> > > >> "IMPLEMENTATION" "Cyrus timsieved v1.1.0"
> > > >> "SIEVE" "fileinto reject envelope vacation imapflags notify subaddress
> > > >> relational regex"
> > > >> OK
> > > >>
> > > >> ..and "STARTTLS" if I configure it. But there's no "SASL" line.
> > >
> > > >I'm guessing that one of two things is happening:
> > > >
> > > >1. you have allowplaintext:no in imapd.conf
> > >
> > > nope :) In fact I'd even tried explicitly "allowplaintext: yes".
> > >
> > > >2. you installed SASL in a non-default location and Cyrus can't find the
> > > >plugins. If you do:
> > > >
> > > >imtest -t '' -a -u
> > >
> > > [mangled by pine justifying my middle button paste :)]
> > >
> > > S: * OK vicar Cyrus IMAP4 v2.1.9 server ready
> > > C: C01 CAPABILITY
> > > S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> > > NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
> > > THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS LISTEXT
> > > LIST-SUBSCRIBED ANNOTATEMORE
> > > S: C01 OK Completed
> > > C: S01 STARTTLS
> > > S: S01 OK Begin TLS negotiation now
> > > verify error:num=19:self signed certificate in certificate chain
> > > TLS connection established: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
> > > C: C01 CAPABILITY
> > > S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> > > NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
> > > THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=LOGIN
> > > AUTH=PLAIN LISTEXT LIST-SUBSCRIBED ANNOTATEMORE
> > > S: C01 OK Completed
> > > C: A01 AUTHENTICATE LOGIN
> > > S: + VXNlcm5hbWU6
> > >
> > > >what mechs are listed? I'm guessing none. If this is the case, either link
> > > >your SASL plugins directory to /usr/lib/sasl2 or rebuild Cyrus using the
> > > >--with-sasl option. FYI, the reason that IMAP and POP3 both work is that they
> > > >each have their own plaintext login commands (LOGIN and USER/PASS
> > > >respectively), which don't depend on SASL plugins.
> > >
> > > I've got AUTHENTICATE PLAIN working on imapd as it's used to presubscribe
> > > our new accounts to a couple of folders we create.
> > >
> > > I have /usr/lib/sasl2 -> ../local/lib/sasl2, in which live seemingly the
> > > right things.
> >
> > Hmm. You shot me down on both common problems. You only see this problem with
> > timsieved? What about lmtpd?
>
> I've been following this thread and have timsieved from cyrus 2.1.9
> working fine myself. A few things nag me about the imtest capture from
> above.
>
> Previously it was said that only PLAIN and LOGIN mechs are allowed
> based on the imapd.conf line: sasl_mech_list: plain login. But if you
> look at the imtest dump the AUTH=LOGIN AUTH=PLAIN mechs aren't shown
> until _after_ the TLS negotiation takes place. To me this indicates
> that PLAIN and LOGIN are not allowed unless they're under the TLS/SSL
> layer.

This is true for imapd and pop3d since they both have their own plaintext
login commands. Since timsieved doesn't have a separate command, plaintext
SASL mechs are always allowed unless they are explicitly turned off.

> I also noticed that sasl_minimum_layer: 1 was set in the imapd.conf. I
> don't recall but doesn't that exclude PLAIN and LOGIN unless they are
> under SSL/TLS?

Good catch! I completely missed this the first time around. Most people
don't use those sasl options, so it never occurred to me to look.

--
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
Re: timsieved not offering any auth mechanisms
On Oct 5 Scott Russell wrote:

>Previously it was said that only PLAIN and LOGIN mechs are allowed
>based on the imapd.conf line: sasl_mech_list: plain login. But if you
>look at the imtest dump the AUTH=LOGIN AUTH=PLAIN mechs aren't shown
>until _after_ the TLS negotiation takes place. To me this indicates
>that PLAIN and LOGIN are not allowed unless they're under the TLS/SSL
>layer.
>
>I also noticed that sasl_minimum_layer: 1 was set in the imapd.conf. I
>don't recall but doesn't that exclude PLAIN and LOGIN unless they are
>under SSL/TLS?
>
>It might be interesting to see if timsieved shows a SASL line after
>TLS/SSL negotiation is done. Or try setting sasl_minimum_layer: 0 and
>see if the SASL line shows up in timsieved prior to TLS/SSL
>negotiation.

Bingo! Many thanks.

>Just some wild thoughts.

I didn't try that earlier because of the following comment:

#The minimum SSF that the server will allow a client
#to negotiate. A value of 1 requires integrity pro-
#tection; any higher value requires some amount of
#encryption.

I was misled!

I think I'd like sasl_minimum_layer to be 0 for localhost and 1 (or maybe
higher) for other hosts.

Cheers again though,

Matt
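As an added example (not code from the thread or from Cyrus), here is a small Python model of the interaction Scott and Ken describe between sasl_mech_list, allowplaintext and sasl_minimum_layer, plus a parser for capability output like the telnet, imtest and lmtptest captures in this thread. The SSF table and the rule that an established TLS layer offsets sasl_minimum_layer are assumptions for illustration, not Cyrus or libsasl internals.

```python
import re

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
# Constructed table: the strongest security layer (SSF) each mechanism can
# negotiate by itself. PLAIN and LOGIN provide none.
MECH_MAX_SSF = {"PLAIN": 0, "LOGIN": 0, "CRAM-MD5": 0, "DIGEST-MD5": 128}


def advertised_mechs(mech_list, minimum_layer, allowplaintext=True, tls_ssf=0):
    """Mechanisms the server would list for the given imapd.conf knobs.

    tls_ssf is the strength of an already negotiated STARTTLS layer:
    0 before STARTTLS, 168 after the DES-CBC3-SHA handshake in the capture.
    Assumed rule: the TLS layer lowers what the mechanism itself must provide.
    """
    still_required = max(0, minimum_layer - tls_ssf)
    offered = []
    for mech in mech_list:
        if mech in PLAINTEXT_MECHS and not allowplaintext and tls_ssf == 0:
            continue  # allowplaintext: no hides PLAIN/LOGIN on a clear channel
        if MECH_MAX_SSF.get(mech, 0) < still_required:
            continue  # sasl_minimum_layer: 1 knocks out PLAIN/LOGIN pre-TLS
        offered.append(mech)
    return offered


def parse_mechs(capability_text):
    """Extract advertised SASL mechanisms from timsieved ("SASL" "..."),
    IMAP (AUTH=...) or LMTP (250-AUTH ...) capability output."""
    mechs = set()
    for m in re.finditer(r'"SASL"\s+"([^"]*)"', capability_text):
        mechs.update(m.group(1).split())
    mechs.update(re.findall(r"\bAUTH=([A-Z0-9-]+)", capability_text))
    for m in re.finditer(r"250-AUTH[ \t]+([A-Z0-9 -]+)", capability_text):
        mechs.update(m.group(1).split())
    return mechs


def plaintext_offered_in_clear(pre_tls_capability_text):
    """Defender's check: plaintext mechs advertised before STARTTLS."""
    return sorted(parse_mechs(pre_tls_capability_text) & PLAINTEXT_MECHS)


# Constructed sample greetings, modelled on the telnet capture in the thread.
SIEVE_NO_SASL = ('"IMPLEMENTATION" "Cyrus timsieved v1.1.0"\n'
                 '"STARTTLS"\nOK\n')
SIEVE_WITH_SASL = ('"IMPLEMENTATION" "Cyrus timsieved v1.1.0"\n'
                   '"SASL" "PLAIN LOGIN"\n"STARTTLS"\nOK\n')

if __name__ == "__main__":
    print("before TLS, minimum_layer=1:", advertised_mechs(["PLAIN", "LOGIN"], 1))
    print("after TLS (SSF 168):", advertised_mechs(["PLAIN", "LOGIN"], 1, tls_ssf=168))
    print("plaintext in the clear:", plaintext_offered_in_clear(SIEVE_WITH_SASL))
```

With sasl_minimum_layer: 1 the model lists nothing before STARTTLS and PLAIN/LOGIN after it, which is exactly the pattern in the imtest and lmtptest captures; with 0 it lists them in the clear, which is what the check at the end flags.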
Re: timsieved not offering any auth mechanisms
On Sat, Oct 05, 2002 at 12:53:46PM -0400, Ken Murchison wrote:
> Quoting Matt Bernstein <[EMAIL PROTECTED]>:
> > At 09:24 -0400 Ken Murchison wrote:
> >
> > >> Telnet-ing to port 2000 gives me:
> > >>
> > >> "IMPLEMENTATION" "Cyrus timsieved v1.1.0"
> > >> "SIEVE" "fileinto reject envelope vacation imapflags notify subaddress
> > >> relational regex"
> > >> OK
> > >>
> > >> ..and "STARTTLS" if I configure it. But there's no "SASL" line.
> >
> > >I'm guessing that one of two things is happening:
> > >
> > >1. you have allowplaintext:no in imapd.conf
> >
> > nope :) In fact I'd even tried explicitly "allowplaintext: yes".
> >
> > >2. you installed SASL in a non-default location and Cyrus can't find the
> > >plugins. If you do:
> > >
> > >imtest -t '' -a -u
> >
> > [mangled by pine justifying my middle button paste :)]
> >
> > S: * OK vicar Cyrus IMAP4 v2.1.9 server ready
> > C: C01 CAPABILITY
> > S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> > NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
> > THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS LISTEXT
> > LIST-SUBSCRIBED ANNOTATEMORE
> > S: C01 OK Completed
> > C: S01 STARTTLS
> > S: S01 OK Begin TLS negotiation now
> > verify error:num=19:self signed certificate in certificate chain
> > TLS connection established: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
> > C: C01 CAPABILITY
> > S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> > NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
> > THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=LOGIN
> > AUTH=PLAIN LISTEXT LIST-SUBSCRIBED ANNOTATEMORE
> > S: C01 OK Completed
> > C: A01 AUTHENTICATE LOGIN
> > S: + VXNlcm5hbWU6
> >
> > >what mechs are listed? I'm guessing none. If this is the case, either link
> > >your SASL plugins directory to /usr/lib/sasl2 or rebuild Cyrus using the
> > >--with-sasl option. FYI, the reason that IMAP and POP3 both work is that they
> > >each have their own plaintext login commands (LOGIN and USER/PASS
> > >respectively), which don't depend on SASL plugins.
> >
> > I've got AUTHENTICATE PLAIN working on imapd as it's used to presubscribe
> > our new accounts to a couple of folders we create.
> >
> > I have /usr/lib/sasl2 -> ../local/lib/sasl2, in which live seemingly the
> > right things.
>
> Hmm. You shot me down on both common problems. You only see this problem with
> timsieved? What about lmtpd?

I've been following this thread and have timsieved from cyrus 2.1.9
working fine myself. A few things nag me about the imtest capture from
above.

Previously it was said that only PLAIN and LOGIN mechs are allowed
based on the imapd.conf line: sasl_mech_list: plain login. But if you
look at the imtest dump the AUTH=LOGIN AUTH=PLAIN mechs aren't shown
until _after_ the TLS negotiation takes place. To me this indicates
that PLAIN and LOGIN are not allowed unless they're under the TLS/SSL
layer.

I also noticed that sasl_minimum_layer: 1 was set in the imapd.conf. I
don't recall but doesn't that exclude PLAIN and LOGIN unless they are
under SSL/TLS?

It might be interesting to see if timsieved shows a SASL line after
TLS/SSL negotiation is done. Or try setting sasl_minimum_layer: 0 and
see if the SASL line shows up in timsieved prior to TLS/SSL
negotiation.

Just some wild thoughts.

--
Scott Russell ([EMAIL PROTECTED])
Linux Technology Center, System Admin, RHCE.
Dial 877-735-8200 then ask for 919-543-9289 (TTY)
Re: timsieved not offering any auth mechanisms
Quoting Matt Bernstein <[EMAIL PROTECTED]>:

> At 12:53 -0400 Ken Murchison wrote:
>
> >> >1. you have allowplaintext:no in imapd.conf
> >>
> >> >2. you installed SASL in a non-default location and Cyrus can't find the
> >> >plugins. If you do:
> >
> >Hmm. You shot me down on both common problems. You only see this problem with
> >timsieved? What about lmtpd?
>
> I fear I'll have to shut down my MTA to investigate this.. (it's a shame
> Cyrus can't run an lmtpd and an "lmtpd -a" on different ports) ..ah!

You can. I have all of my daemons listening on their normal ports and *.test
daemons listening on port+9000. This way, as I work on the code, I can test
it via a different port(s) without screwing my users. And with the -U and -T
options that I just added, I can have my "test" daemons not be reused, so my
debug/compile/install/test cycles are a lot faster.

Ken

--
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
Re: timsieved not offering any auth mechanisms
At 12:53 -0400 Ken Murchison wrote:

>> >1. you have allowplaintext:no in imapd.conf
>>
>> >2. you installed SASL in a non-default location and Cyrus can't find the
>> >plugins. If you do:
>
>Hmm. You shot me down on both common problems. You only see this problem with
>timsieved? What about lmtpd?

I fear I'll have to shut down my MTA to investigate this.. (it's a shame
Cyrus can't run an lmtpd and an "lmtpd -a" on different ports) ..ah! If it
only listens on localhost I can just break the chain. Here's what I get:

vicar# lmtptest -t '' -u mb -a mb localhost
S: 220 vicar LMTP Cyrus v2.1.9 ready
C: LHLO example.com
S: 250-vicar
S: 250-8BITMIME
S: 250-ENHANCEDSTATUSCODES
S: 250-PIPELINING
S: 250-SIZE
S: 250-STARTTLS
S: 250 IGNOREQUOTA
C: STARTTLS
S: 220 Begin TLS negotiation now
verify error:num=19:self signed certificate in certificate chain
TLS connection established: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
C: LHLO example.com
S: 250-vicar
S: 250-8BITMIME
S: 250-ENHANCEDSTATUSCODES
S: 250-PIPELINING
S: 250-SIZE
S: 250-STARTTLS
S: 250-AUTH LOGIN PLAIN
S: 250 IGNOREQUOTA
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6

..so it seems to work for lmtpd too :-/

Matt
Re: timsieved not offering any auth mechanisms
Quoting Matt Bernstein <[EMAIL PROTECTED]>:

> At 09:24 -0400 Ken Murchison wrote:
>
> >> Telnet-ing to port 2000 gives me:
> >>
> >> "IMPLEMENTATION" "Cyrus timsieved v1.1.0"
> >> "SIEVE" "fileinto reject envelope vacation imapflags notify subaddress
> >> relational regex"
> >> OK
> >>
> >> ..and "STARTTLS" if I configure it. But there's no "SASL" line.
>
> >I'm guessing that one of two things is happening:
> >
> >1. you have allowplaintext:no in imapd.conf
>
> nope :) In fact I'd even tried explicitly "allowplaintext: yes".
>
> >2. you installed SASL in a non-default location and Cyrus can't find the
> >plugins. If you do:
> >
> >imtest -t '' -a -u
>
> [mangled by pine justifying my middle button paste :)]
>
> S: * OK vicar Cyrus IMAP4 v2.1.9 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS LISTEXT
> LIST-SUBSCRIBED ANNOTATEMORE
> S: C01 OK Completed
> C: S01 STARTTLS
> S: S01 OK Begin TLS negotiation now
> verify error:num=19:self signed certificate in certificate chain
> TLS connection established: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=LOGIN
> AUTH=PLAIN LISTEXT LIST-SUBSCRIBED ANNOTATEMORE
> S: C01 OK Completed
> C: A01 AUTHENTICATE LOGIN
> S: + VXNlcm5hbWU6
>
> >what mechs are listed? I'm guessing none. If this is the case, either link
> >your SASL plugins directory to /usr/lib/sasl2 or rebuild Cyrus using the
> >--with-sasl option. FYI, the reason that IMAP and POP3 both work is that they
> >each have their own plaintext login commands (LOGIN and USER/PASS
> >respectively), which don't depend on SASL plugins.
>
> I've got AUTHENTICATE PLAIN working on imapd as it's used to presubscribe
> our new accounts to a couple of folders we create.
>
> I have /usr/lib/sasl2 -> ../local/lib/sasl2, in which live seemingly the
> right things.

Hmm. You shot me down on both common problems. You only see this problem with
timsieved? What about lmtpd?

--
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
Re: timsieved not offering any auth mechanisms
Quoting Matt Bernstein <[EMAIL PROTECTED]>:

> ..I think as of 2.1.9. I've seen it works for other people, but was
> wondering if anyone else had found this problem, or better yet the
> solution! :) imapd is working fine.
>
> Telnet-ing to port 2000 gives me:
>
> "IMPLEMENTATION" "Cyrus timsieved v1.1.0"
> "SIEVE" "fileinto reject envelope vacation imapflags notify subaddress
> relational regex"
> OK
>
> ..and "STARTTLS" if I configure it. But there's no "SASL" line.
>
> Am I missing something obvious?
>
> Matt
>
> # grep -i sasl /etc/imapd.conf
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: plain login
> #sasl_minimum_layer: 40
> sasl_minimum_layer: 1

I'm guessing that one of two things is happening:

1. you have allowplaintext:no in imapd.conf

2. you installed SASL in a non-default location and Cyrus can't find the
plugins. If you do:

imtest -t '' -a -u

what mechs are listed? I'm guessing none. If this is the case, either link
your SASL plugins directory to /usr/lib/sasl2 or rebuild Cyrus using the
--with-sasl option. FYI, the reason that IMAP and POP3 both work is that they
each have their own plaintext login commands (LOGIN and USER/PASS
respectively), which don't depend on SASL plugins.

Ken

--
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
Re: timsieved not offering any auth mechanisms
At 09:24 -0400 Ken Murchison wrote:

>> Telnet-ing to port 2000 gives me:
>>
>> "IMPLEMENTATION" "Cyrus timsieved v1.1.0"
>> "SIEVE" "fileinto reject envelope vacation imapflags notify subaddress
>> relational regex"
>> OK
>>
>> ..and "STARTTLS" if I configure it. But there's no "SASL" line.

>I'm guessing that one of two things is happening:
>
>1. you have allowplaintext:no in imapd.conf

nope :) In fact I'd even tried explicitly "allowplaintext: yes".

>2. you installed SASL in a non-default location and Cyrus can't find the
>plugins. If you do:
>
>imtest -t '' -a -u

[mangled by pine justifying my middle button paste :)]

S: * OK vicar Cyrus IMAP4 v2.1.9 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS LISTEXT
LIST-SUBSCRIBED ANNOTATEMORE
S: C01 OK Completed
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
verify error:num=19:self signed certificate in certificate chain
TLS connection established: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=LOGIN
AUTH=PLAIN LISTEXT LIST-SUBSCRIBED ANNOTATEMORE
S: C01 OK Completed
C: A01 AUTHENTICATE LOGIN
S: + VXNlcm5hbWU6

>what mechs are listed? I'm guessing none. If this is the case, either link
>your SASL plugins directory to /usr/lib/sasl2 or rebuild Cyrus using the
>--with-sasl option. FYI, the reason that IMAP and POP3 both work is that they
>each have their own plaintext login commands (LOGIN and USER/PASS
>respectively), which don't depend on SASL plugins.

I've got AUTHENTICATE PLAIN working on imapd as it's used to presubscribe
our new accounts to a couple of folders we create.

I have /usr/lib/sasl2 -> ../local/lib/sasl2, in which live seemingly the
right things.

FWIW,

# ldd /usr/cyrus/bin/timsieved
        libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x40014000)
        libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x4002c000)
        libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x4005a000)
        libdb3.so.3 => /usr/lib/libdb3.so.3 (0x4011a000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x401c2000)
        libwrap.so.0 => /lib/libwrap.so.0 (0x401d2000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x401da000)
        libc.so.6 => /lib/libc.so.6 (0x401ee000)
        libdl.so.2 => /lib/libdl.so.2 (0x4030b000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)

Cheers,

Matt