Re: cyradm and allowing only encrypted passwords with 2.3.16?
On 04 Oct 2010, at 13:37, Patrick Goetz wrote:
> On 10/04/2010 12:29 PM, Andrew Morgan wrote:
>> cyrus-be4:~# cyradm --user cyrus --tlskey '' localhost
>
> That did it!  The trick is to use --tlskey with an empty field as
> demonstrated above.  Who knew?

That's a bug, please report it.  It ought to notice that there are no auth mechs in common, implicitly try TLS, and look again for common auth mechs.  That it doesn't is a flaw, not an undocumented feature.

:wes

Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
Re: cyradm and allowing only encrypted passwords with 2.3.16?
On 04/10/10 11:51 -0500, Patrick Goetz wrote:
>On 10/04/2010 11:07 AM, Dan White wrote:
>>
>> You can connect via a non plaintext mechanism, like digest-md5.
>>
>
>This seems like a straightforward case of RTFM, but how does one
>determine the auth mechanism?  I'm using saslauthd, pam, and have a
>self-signed certificate (which I know works):

saslauthd does not support shared secret mechanisms (you'd need to use an auxprop plugin to do so).

with cyradm, you'd choose the mechanism with the '--auth' option. See:

http://www.cyrusimap.org/docs/cyrus-sasl/2.1.23/sysadmin.php

for details.

--
Dan White
Re: cyradm and allowing only encrypted passwords with 2.3.16?
On Mon, 4 Oct 2010, Patrick Goetz wrote:

> On 10/04/2010 12:29 PM, Andrew Morgan wrote:
>>
>> cyrus-be4:~# cyradm --user cyrus --tlskey '' localhost
>
>
> That did it!  The trick is to use --tlskey with an empty field as
> demonstrated above.  Who knew?
>
> --
> ibis:~~$ cyradm --user pgoetz --tlskey '' localhost
> verify error:num=18:self signed certificate
> Password:
> localhost>
> --
>
>
> Thanks for your help with this.  The next question is how anyone would
> have figured this out without help from this list..

I took it from the help for imtest:

  -t file   : Enable TLS. file has the TLS public and private keys
              (specify "" to not use TLS for authentication)

Not exactly obvious!  :)

	Andy
Re: cyradm and allowing only encrypted passwords with 2.3.16?
On 10/04/2010 12:29 PM, Andrew Morgan wrote:
>
> cyrus-be4:~# cyradm --user cyrus --tlskey '' localhost

That did it!  The trick is to use --tlskey with an empty field as demonstrated above.  Who knew?

--
ibis:~~$ cyradm --user pgoetz --tlskey '' localhost
verify error:num=18:self signed certificate
Password:
localhost>
--

Thanks for your help with this.  The next question is how anyone would have figured this out without help from this list..
Re: cyradm and allowing only encrypted passwords with 2.3.16?
On Mon, 4 Oct 2010, Patrick Goetz wrote:

> On 10/04/2010 08:41 AM, Wesley Craig wrote:
>>
>> TLS isn't available to Cyrus::IMAP pre 2.3.2.  I expect it's a bug.
>
>
> Sorry, I didn't specifically say that I'm using the latest release, 2.3.16.
>
>
> I find cyradm to be very convenient to use for smaller sites, but is
> this essentially a dead tool and I need to be rolling my own
> administrative tools?

We have some of our own scripts we use, of course, but cyradm works fine for me with TLS:

cyrus-be4:~# cyradm --user cyrus --tlskey '' localhost
verify error:num=19:self signed certificate in certificate chain
Password:
localhost>

This is Cyrus 2.3.16.

	Andy
Re: cyradm and allowing only encrypted passwords with 2.3.16?
On 10/04/2010 11:41 AM, Wesley Craig wrote:
> I understood that, tho I did notice you pasted the 2.2.x error, not the 2.3.x
> error.
>

Nope, this is precisely the error I'm getting on my 2.3.16 install:

ibis:~~$ dpkg -l | grep cyrus-common
ii  cyrus-common-2.3    2.3.16-1    Cyrus mail system - common files
ibis:~~$ cyradm localhost
Login disabled.
cyradm: cannot authenticate to server as pgoetz
ibis:~~$

> Why would you suppose it's a dead tool?  Because it has a bug?
>

I'm just asking because it's not working for me when I disable plain text authentication.  <:)

See my previous message for efforts to use cyradm [--auth mechanism] [--tlskey keyfile] flags to get around this.
Re: cyradm and allowing only encrypted passwords with 2.3.16?
On 10/04/2010 11:07 AM, Dan White wrote:
>
> You can connect via a non plaintext mechanism, like digest-md5.
>

This seems like a straightforward case of RTFM, but how does one determine the auth mechanism?  I'm using saslauthd, pam, and have a self-signed certificate (which I know works):

-
ibis:~~$ cyradm --auth digest-md5 --tlskey /etc/ssl/private/ssl-cert-mail.internetbs.com.key localhost
[ unable to get certificate from '/etc/ssl/private/ssl-cert-mail.internetbs.com.key' ]
[ TLS engine: cannot load cert/key data, might be a cert/key mismatch]
[ TLS engine failed ]
^C
ibis:~~$

ibis:~ssl$ sudo ls -l /etc/ssl/private
total 8
-rw-r-----  1 root ssl-cert 887 2009-09-13 14:02 ssl-cert-mail.internetbs.com.key
-rw-r-----  1 root ssl-cert 887 2010-04-11 14:00 ssl-cert-snakeoil.key

ibis:~ssl$ groups cyrus
cyrus : mail sasl ssl-cert

Maybe the problem is I'm still not 100% clear on how SASL works.  I have saslauthd running with

MECHANISMS="pam"
OPTIONS="-c -m /var/run/saslauthd"

However, there's no sasl pam.d config file -- presumably SASL somehow uses

/etc/pam.d/imap
/etc/pam.d/lmtp

???

I don't have lmtp running in a chroot jail, which is how I can get away with this.  smtp does run in a chroot jail, but has its own saslauthd with

OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

I don't remember anyone mentioning this possibility (running multiple saslauthd daemons) in any howto; most people seem to jump through inordinate hoops to get all other programs to use the sasl socket in the smtp chroot jail, which seems to unnecessarily complicate things.
Re: cyradm and allowing only encrypted passwords with 2.3.16?
On 04 Oct 2010, at 10:26, Patrick Goetz wrote:
> Sorry, I didn't specifically say that I'm using the latest release, 2.3.16.

I understood that, tho I did notice you pasted the 2.2.x error, not the 2.3.x error.

> I find cyradm to be very convenient to use for smaller sites, but is
> this essentially a dead tool and I need to be rolling my own
> administrative tools?

Not at all.  Most very large sites do roll their own tools, I find, but only because they are integrating with a lot of non-cyrus automation.  Even in sites with heavy automation, cyradm is still used for troubleshooting and the like.  Why would you suppose it's a dead tool?  Because it has a bug?

:wes
Re: cyradm and allowing only encrypted passwords with 2.3.16?
On 04/10/10 09:26 -0500, Patrick Goetz wrote:
>On 10/04/2010 08:41 AM, Wesley Craig wrote:
>>
>> TLS isn't available to Cyrus::IMAP pre 2.3.2.  I expect it's a bug.
>
>
>Sorry, I didn't specifically say that I'm using the latest release, 2.3.16.
>
>
>I find cyradm to be very convenient to use for smaller sites, but is
>this essentially a dead tool and I need to be rolling my own
>administrative tools?

You can connect via a non plaintext mechanism, like digest-md5.

--
Dan White
Re: cyradm and allowing only encrypted passwords with 2.3.16?
On 10/04/2010 08:41 AM, Wesley Craig wrote:
>
> TLS isn't available to Cyrus::IMAP pre 2.3.2.  I expect it's a bug.

Sorry, I didn't specifically say that I'm using the latest release, 2.3.16.

I find cyradm to be very convenient to use for smaller sites, but is this essentially a dead tool and I need to be rolling my own administrative tools?
cyradm and allowing only encrypted passwords with 2.3.16?
I was having problems making Cyrus 2.2.x work with only encrypted passwords.  Setting

allowplaintext: no

in imapd.conf prevents plain text logins, but then cyradm stops working:

ibis:~etc$ cyradm localhost
Login disabled.
cyradm: cannot authenticate to server as pgoetz

I thought this was fixed in 2.3.x, but apparently not.  I'm having exactly the same problem.  If I set allowplaintext: no, then cyradm stops working as described above.

Any thoughts on this?
Re: cyradm and allowing only encrypted passwords with 2.3.16?
On 04 Oct 2010, at 01:09, Patrick Goetz wrote:
> I was having problems making Cyrus 2.2.x work with only encrypted
> passwords.  Setting
>
> allowplaintext: no
>
> in imapd.conf prevents plain text logins, but then cyradm stops working:
>
> ibis:~etc$ cyradm localhost
> Login disabled.
> cyradm: cannot authenticate to server as pgoetz
>
>
> I thought this was fixed in 2.3.x, but apparently not.  I'm having
> exactly the same problem.  If I set allowplaintext: no, then cyradm
> stops working as described above.

TLS isn't available to Cyrus::IMAP pre 2.3.2.  I expect it's a bug.  Perhaps it's similar to the problems in the C code, e.g., comparing available & offered authN mechanisms, calling starttls, re-retrieving available mechanisms, etc.

:wes
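The negotiation Wesley describes here (and again in his later reply: compare the client's mechanisms with the server's, call STARTTLS when nothing is in common, then re-read CAPABILITY) is what a client needs in order to work against a server with `allowplaintext: no`. The following is an added example written for this thread, not code from the list, from cyradm or from Cyrus. The two capability lines, the client mechanism lists and the `probe_server` helper (with its host and port) are constructed assumptions; a client that can only verify passwords through saslauthd is modelled as knowing just PLAIN and LOGIN, per Dan White's remark about shared-secret mechanisms.

```python
"""Capability-driven IMAP mechanism selection (added example, not Cyrus code)."""
import imaplib
import ssl

# Constructed sample CAPABILITY lines (not captured from a real server).
# Before STARTTLS a server that refuses plaintext advertises LOGINDISABLED,
# no AUTH=PLAIN/LOGIN, but still offers STARTTLS and shared-secret mechs.
CAPS_BEFORE_TLS = ("IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED "
                   "AUTH=DIGEST-MD5 AUTH=CRAM-MD5")
# After STARTTLS the channel is encrypted, so the plaintext mechs reappear.
CAPS_AFTER_TLS = ("IMAP4rev1 LITERAL+ ID ENABLE "
                  "AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5")

# Assumed client profiles: saslauthd can only verify a password it is handed,
# so a saslauthd-backed setup is limited to plaintext mechanisms; an auxprop
# password store also allows the shared-secret ones.
SASLAUTHD_CLIENT_MECHS = ["PLAIN", "LOGIN"]
AUXPROP_CLIENT_MECHS = ["DIGEST-MD5", "CRAM-MD5", "PLAIN", "LOGIN"]


def parse_capabilities(line):
    """Split one CAPABILITY line into the facts the negotiation needs."""
    atoms = line.upper().split()
    return {
        "mechs": {a[len("AUTH="):] for a in atoms if a.startswith("AUTH=")},
        "starttls": "STARTTLS" in atoms,
        "login_disabled": "LOGINDISABLED" in atoms,
    }


def choose_mechanism(caps_line, client_mechs, fetch_after_tls=None):
    """Return (mechanism, tls_used) or None if nothing can be negotiated.

    1. intersect the client's mechanisms with what the server offers;
    2. if nothing matches and STARTTLS is advertised, upgrade to TLS via
       fetch_after_tls(), which must return the fresh CAPABILITY line;
    3. intersect again against the post-TLS list before giving up.
    """
    caps = parse_capabilities(caps_line)
    for mech in client_mechs:                 # client preference order wins
        if mech.upper() in caps["mechs"]:
            return mech.upper(), False
    if caps["starttls"] and fetch_after_tls is not None:
        caps_tls = parse_capabilities(fetch_after_tls())
        for mech in client_mechs:
            if mech.upper() in caps_tls["mechs"]:
                return mech.upper(), True
    return None                               # e.g. LOGINDISABLED and no TLS


def probe_server(host, port=143, client_mechs=SASLAUTHD_CLIENT_MECHS,
                 verify=True):
    """Live variant (assumed host/port; not exercised offline).

    Upgrades to TLS only when the pre-TLS mechanism list is unusable.  With
    verify=False the self-signed certificate from the thread is accepted
    without checking, which removes the server-identity guarantee TLS gives.
    """
    conn = imaplib.IMAP4(host, port)
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def after_tls():
        conn.starttls(ctx)                    # imaplib re-reads CAPABILITY here
        return " ".join(conn.capabilities)

    try:
        return choose_mechanism(" ".join(conn.capabilities), client_mechs,
                                after_tls)
    finally:
        conn.logout()


if __name__ == "__main__":
    # Offline walk-through on the constructed samples.
    print(choose_mechanism(CAPS_BEFORE_TLS, SASLAUTHD_CLIENT_MECHS))
    print(choose_mechanism(CAPS_BEFORE_TLS, SASLAUTHD_CLIENT_MECHS,
                           lambda: CAPS_AFTER_TLS))
    print(choose_mechanism(CAPS_BEFORE_TLS, AUXPROP_CLIENT_MECHS,
                           lambda: CAPS_AFTER_TLS))
```

Run stand-alone it prints `None` for the saslauthd-style client without a TLS step (the "Login disabled" failure in the thread), `('PLAIN', True)` once STARTTLS is allowed, and `('DIGEST-MD5', False)` for a client that can do shared-secret mechanisms, which needs no TLS to find a common mechanism at all.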