cyradm cannot connect to cyrus imap server

2014-02-20 Thread Willy Offermans
Dear Cyrus Friends,

I need your help to solve the following:

I'm setting up cyrus on my new FreeBSD 10.0 server. I have used the following
package: cyrus-imapd24-2.4.17_4

If I test my setup with imtest, I get a connection to the imap server.

MyName@MyComputer:~$ imtest -m login -u username -a username -s localhost
verify error:num=19:self signed certificate in certificate chain
TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=SCRAM-SHA-1 
AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN SASL-IR] 
MyComputer Cyrus IMAP v2.4.17 server ready
Please enter your password: 
C: L01 LOGIN username {13}
S: + go ahead
C: 
S: L01 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxte QUOTA 
MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN 
MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY 
THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE LIST-EXTENDED WITHIN 
QRESYNC SCAN XLIST URLAUTH URLAUTH=BINARY LOGINDISABLED AUTH=SCRAM-SHA-1 
AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN COMPRESS=DEFLATE 
IDLE] User logged in SESSIONID=
Authenticated.
Security strength factor: 256

From the message log file:

Feb 19 09:00:11 MyComputer imaps[3437]: imapd:Loading hard-coded DH parameters 
Feb 19 09:00:11 MyComputer imaps[3437]: starttls: TLSv1 with cipher 
DHE-RSA-AES256-SHA (256/256 bits new) no authentication
Feb 19 09:00:11 MyComputer imaps[3437]: OTP unavailable because can't 
read/write key database /etc/opiekeys: Permission denied
Feb 19 09:00:15 MyComputer imaps[3437]: badlogin: localhost [127.0.0.1] 
plaintext username SASL(-13): authentication failure: checkpass failed
Feb 19 09:00:30 MyComputer imaps[3437]: starttls: TLSv1 with cipher 
DHE-RSA-AES256-SHA (256/256 bits new) no authentication
Feb 19 09:00:30 MyComputer imaps[3437]: OTP unavailable because can't 
read/write key database /etc/opiekeys: Permission denied
Feb 19 09:00:39 MyComputer imaps[3437]: login: localhost [127.0.0.1] username 
plaintext+TLS User logged in SESSIONID=
Feb 19 09:02:18 MyComputer imaps[3437]: USAGE username user: 0.007544 sys: 
0.022632

However, if I try to connect via cyradm, I cannot log in.

MyName@MyComputer:~$ cyradm --user username localhost
Password: 
verify error:num=19:self signed certificate in certificate chain
cyradm: cannot authenticate to server with  as username

from the message log file:
Feb 19 09:02:41 MyComputer imap[3440]: OTP unavailable because can't read/write 
key database /etc/opiekeys: Permission denied
Feb 19 09:02:48 MyComputer imap[3440]: badlogin: localhost [127.0.0.1] 
SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get 
auxprops]
Feb 19 09:02:51 MyComputer imap[3440]: badlogin: localhost [127.0.0.1] 
DIGEST-MD5 [SASL(-13): user not found: unable to canonify user and get auxprops]
Feb 19 09:02:55 MyComputer imap[3440]: imapd:Loading hard-coded DH parameters
Feb 19 09:02:55 MyComputer imap[3440]: starttls: TLSv1 with cipher 
DHE-RSA-AES256-SHA (256/256 bits new) no authentication
Feb 19 09:02:55 MyComputer imap[3440]: OTP unavailable because can't read/write 
key database /etc/opiekeys: Permission denied

Either I use imtest to set up my users, or I need cyradm running. Can
someone help me either way?

What are the commands for imtest? Is it in the imap rfc?


-- 
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,
De jrus wah,

Wiel

*
 W.K. Offermans
Home:   +31 45 544 49 44
Mobile: +31 681 15 87 68
e-mail: wi...@offermans.rompen.nl

Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus


Re: cyradm cannot connect to cyrus imap server

2014-02-20 Thread Dan White
On 02/20/14 10:35 +0100, Willy Offermans wrote:
>I'm setting up cyrus on my new FreeBSD 10.0 server. I have used the following
>package: cyrus-imapd24-2.4.17_4
>
>If I test my setup with imtest, I get a connection to the imap server.
>
>MyName@MyComputer:~$ imtest -m login -u username -a username -s localhost
>verify error:num=19:self signed certificate in certificate chain
>TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
>S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=SCRAM-SHA-1 
>AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN SASL-IR] 
>MyComputer Cyrus IMAP v2.4.17 server ready
>Please enter your password:
>C: L01 LOGIN username {13}
>S: + go ahead
>C: 
>S: L01 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxte QUOTA 
>MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN 
>MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY 
>THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE LIST-EXTENDED WITHIN 
>QRESYNC SCAN XLIST URLAUTH URLAUTH=BINARY LOGINDISABLED AUTH=SCRAM-SHA-1 
>AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN COMPRESS=DEFLATE 
>IDLE] User logged in SESSIONID=
>Authenticated.
>Security strength factor: 256
>
>From the message log file:
>
>Feb 19 09:00:11 MyComputer imaps[3437]: imapd:Loading hard-coded DH parameters 
>Feb 19 09:00:11 MyComputer imaps[3437]: starttls: TLSv1 with cipher 
>DHE-RSA-AES256-SHA (256/256 bits new) no authentication
>Feb 19 09:00:11 MyComputer imaps[3437]: OTP unavailable because can't 
>read/write key database /etc/opiekeys: Permission denied
>Feb 19 09:00:15 MyComputer imaps[3437]: badlogin: localhost [127.0.0.1] 
>plaintext username SASL(-13): authentication failure: checkpass failed
>Feb 19 09:00:30 MyComputer imaps[3437]: starttls: TLSv1 with cipher 
>DHE-RSA-AES256-SHA (256/256 bits new) no authentication
>Feb 19 09:00:30 MyComputer imaps[3437]: OTP unavailable because can't 
>read/write key database /etc/opiekeys: Permission denied
>Feb 19 09:00:39 MyComputer imaps[3437]: login: localhost [127.0.0.1] username 
>plaintext+TLS User logged in SESSIONID=
>Feb 19 09:02:18 MyComputer imaps[3437]: USAGE username user: 0.007544 sys: 
>0.022632
>
>However, if I try to connect via cyradm, I cannot log in.
>
>MyName@MyComputer:~$ cyradm --user username localhost
>Password:
>verify error:num=19:self signed certificate in certificate chain
>cyradm: cannot authenticate to server with  as username

Does the output really say this (empty username)? I'm assuming you just
removed it when pasting it.

>from the message log file:
>Feb 19 09:02:41 MyComputer imap[3440]: OTP unavailable because can't 
>read/write key database /etc/opiekeys: Permission denied
>Feb 19 09:02:48 MyComputer imap[3440]: badlogin: localhost [127.0.0.1] 
>SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get 
>auxprops]
>Feb 19 09:02:51 MyComputer imap[3440]: badlogin: localhost [127.0.0.1] 
>DIGEST-MD5 [SASL(-13): user not found: unable to canonify user and get 
>auxprops]
>Feb 19 09:02:55 MyComputer imap[3440]: imapd:Loading hard-coded DH parameters
>Feb 19 09:02:55 MyComputer imap[3440]: starttls: TLSv1 with cipher 
>DHE-RSA-AES256-SHA (256/256 bits new) no authentication
>Feb 19 09:02:55 MyComputer imap[3440]: OTP unavailable because can't 
>read/write key database /etc/opiekeys: Permission denied

In imapd.conf, set:

sasl_mech_list: PLAIN LOGIN EXTERNAL

to remove some extraneous error messages. Try specifying a mechanism
(--auth=PLAIN) in your cyradm command.

-- 
Dan White



Re: cyradm cannot connect to cyrus imap server

2014-02-20 Thread Willy Offermans
Hello Dan and Cyrus Friends,

On Thu, Feb 20, 2014 at 08:38:42AM -0600, Dan White wrote:
> On 02/20/14 10:35 +0100, Willy Offermans wrote:
> >I'm setting up cyrus on my new FreeBSD 10.0 server. I have used the following
> >package: cyrus-imapd24-2.4.17_4
> >
> >If I test my setup with imtest, I get a connection to the imap server.
> >
> >MyName@MyComputer:~$ imtest -m login -u username -a username -s localhost
> >verify error:num=19:self signed certificate in certificate chain
> >TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 
> >bits)
> >S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=SCRAM-SHA-1 
> >AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN SASL-IR] 
> >MyComputer Cyrus IMAP v2.4.17 server ready
> >Please enter your password:
> >C: L01 LOGIN username {13}
> >S: + go ahead
> >C: 
> >S: L01 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxte QUOTA 
> >MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN 
> >MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY 
> >THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE LIST-EXTENDED WITHIN 
> >QRESYNC SCAN XLIST URLAUTH URLAUTH=BINARY LOGINDISABLED AUTH=SCRAM-SHA-1 
> >AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN 
> >COMPRESS=DEFLATE IDLE] User logged in 
> >SESSIONID=
> >Authenticated.
> >Security strength factor: 256
> >
> >From the message log file:
> >
> >Feb 19 09:00:11 MyComputer imaps[3437]: imapd:Loading hard-coded DH 
> >parameters Feb 19 09:00:11 MyComputer imaps[3437]: starttls: TLSv1 with 
> >cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
> >Feb 19 09:00:11 MyComputer imaps[3437]: OTP unavailable because can't 
> >read/write key database /etc/opiekeys: Permission denied
> >Feb 19 09:00:15 MyComputer imaps[3437]: badlogin: localhost [127.0.0.1] 
> >plaintext username SASL(-13): authentication failure: checkpass failed
> >Feb 19 09:00:30 MyComputer imaps[3437]: starttls: TLSv1 with cipher 
> >DHE-RSA-AES256-SHA (256/256 bits new) no authentication
> >Feb 19 09:00:30 MyComputer imaps[3437]: OTP unavailable because can't 
> >read/write key database /etc/opiekeys: Permission denied
> >Feb 19 09:00:39 MyComputer imaps[3437]: login: localhost [127.0.0.1] 
> >username plaintext+TLS User logged in 
> >SESSIONID=
> >Feb 19 09:02:18 MyComputer imaps[3437]: USAGE username user: 0.007544 sys: 
> >0.022632
> >
> >However, if I try to connect via cyradm, I cannot log in.
> >
> >MyName@MyComputer:~$ cyradm --user username localhost
> >Password:
> >verify error:num=19:self signed certificate in certificate chain
> >cyradm: cannot authenticate to server with  as username
> 
> Does the output really say this (empty username)? I'm assuming you just
> removed it when pasting it.

No Dan, I did not remove anything. I just replaced the actual username by
username. There is whitespace between 'with' and 'as' in the output!

> 
> >from the message log file:
> >Feb 19 09:02:41 MyComputer imap[3440]: OTP unavailable because can't 
> >read/write key database /etc/opiekeys: Permission denied
> >Feb 19 09:02:48 MyComputer imap[3440]: badlogin: localhost [127.0.0.1] 
> >SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get 
> >auxprops]
> >Feb 19 09:02:51 MyComputer imap[3440]: badlogin: localhost [127.0.0.1] 
> >DIGEST-MD5 [SASL(-13): user not found: unable to canonify user and get 
> >auxprops]
> >Feb 19 09:02:55 MyComputer imap[3440]: imapd:Loading hard-coded DH parameters
> >Feb 19 09:02:55 MyComputer imap[3440]: starttls: TLSv1 with cipher 
> >DHE-RSA-AES256-SHA (256/256 bits new) no authentication
> >Feb 19 09:02:55 MyComputer imap[3440]: OTP unavailable because can't 
> >read/write key database /etc/opiekeys: Permission denied
> 
> In imapd.conf, set:
> 
> sasl_mech_list: PLAIN LOGIN EXTERNAL
> 
> to remove some extraneous error messages. Try specifying a mechanism
> (--auth=PLAIN) in your cyradm command.
> 
> -- 
> Dan White

I did this and it worked:

MyName@MyComputer:~$ cyradm --user username --auth PLAIN localhost
verify error:num=19:self signed certificate in certificate chain
Password: 
localhost> 

Many thanks for your help!

-- 
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,

Wiel

*
W.K. Offermans
Home:   +31 45 544 49 44
Mobile: +31 681 15 87 68
e-mail: wi...@offermans.rompen.nl



Re: cyradm cannot connect to cyrus imap server

2014-02-20 Thread Scott Lambert
On Thu, Feb 20, 2014 at 10:35:42AM +0100, Willy Offermans wrote:
> Dear Cyrus Friends,
>
> I need your help to solve the following:
>
> I'm setting up cyrus on my new FreeBSD 10.0 server. I have used the following
> package: cyrus-imapd24-2.4.17_4
>
> If I test my setup with imtest, I get a connection to the imap server.
>
> MyName@MyComputer:~$ imtest -m login -u username -a username -s localhost
>
> 
>
> However, if I try to connect via cyradm, I cannot log in.
>
> MyName@MyComputer:~$ cyradm --user username localhost
> Password:
> verify error:num=19:self signed certificate in certificate chain
> cyradm: cannot authenticate to server with  as username
>

You specified your authentication mechanism to be "login" with imtest.

You did not specify an authentication mechanism with cyradm.

Perhaps it would work if you try :

cyradm --auth login --user username localhost

That is only a guess.

-- 
Scott Lambert  KC5MLE  Unix SysAdmin
lamb...@lambertfam.org



Re: cyradm cannot connect to cyrus imap server

2014-02-20 Thread Riccardo Veraldi
If cyrus is your admin user, just do

cyradm --user cyrus --server localhost

and it will work

Depending on your password backend you may need to add user cyrus with
sasldb2, or, if you use a local Unix account with saslauthd, you just need to
set a password for user cyrus with passwd.



On 2/20/14 11:12 PM, Scott Lambert wrote:
> On Thu, Feb 20, 2014 at 10:35:42AM +0100, Willy Offermans wrote:
>> Dear Cyrus Friends,
>>
>> I need your help to solve the following:
>>
>> I'm setting up cyrus on my new FreeBSD 10.0 server. I have used the following
>> package: cyrus-imapd24-2.4.17_4
>>
>> If I test my setup with imtest, I get a connection to the imap server.
>>
>> MyName@MyComputer:~$ imtest -m login -u username -a username -s localhost
>>
>> 
>>
>> However, if I try to connect via cyradm, I cannot log in.
>>
>> MyName@MyComputer:~$ cyradm --user username localhost
>> Password:
>> verify error:num=19:self signed certificate in certificate chain
>> cyradm: cannot authenticate to server with  as username
>>
> You specified your authentication mechanism to be "login" with imtest.
>
> You did not specify an authentication mechanism with cyradm.
>
> Perhaps it would work if you try :
>
> cyradm --auth login --user username localhost
>
> That is only a guess.
>




Re: cyradm cannot connect to cyrus imap server

2014-02-21 Thread Willy Offermans
Dear Cyrus Friends,

On Thu, Feb 20, 2014 at 04:12:29PM -0600, Scott Lambert wrote:
> On Thu, Feb 20, 2014 at 10:35:42AM +0100, Willy Offermans wrote:
> > Dear Cyrus Friends,
> >
> > I need your help to solve the following:
> >
> > I'm setting up cyrus on my new FreeBSD 10.0 server. I have used the 
> > following
> > package: cyrus-imapd24-2.4.17_4
> >
> > If I test my setup with imtest, I get a connection to the imap server.
> >
> > MyName@MyComputer:~$ imtest -m login -u username -a username -s localhost
> >
> > 
> >
> > However, if I try to connect via cyradm, I cannot log in.
> >
> > MyName@MyComputer:~$ cyradm --user username localhost
> > Password:
> > verify error:num=19:self signed certificate in certificate chain
> > cyradm: cannot authenticate to server with  as username
> >
> 
> You specified your authentication mechanism to be "login" with imtest.
> 
> You did not specify an authentication mechanism with cyradm.
> 
> Perhaps it would work if you try :
> 
> cyradm --auth login --user username localhost
> 
> That is only a guess.
> 
> -- 
> Scott Lambert  KC5MLE  Unix SysAdmin
> lamb...@lambertfam.org

Indeed, I needed to specify an authentication mechanism and then I could
use the command line interface of cyradm:

cyradm --user username --auth PLAIN localhost

If we are at this point anyway, I was wondering what I need to do to use
another authentication mechanism. Is this possible? And what do I need to
consider?

The IMAP server responds with the following authentication mechanisms:

AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN

If I log in with SCRAM-SHA-1:

MyName@MyComputer:~$ cyradm --user username --auth SCRAM-SHA-1 localhost
Password: 
verify error:num=19:self signed certificate in certificate chain
cyradm: cannot authenticate to server with SCRAM-SHA-1 as username

In the logs:

Feb 21 09:48:36 MyComputer imap[17576]: badlogin: localhost [127.0.0.1] 
SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get 
auxprops]

I'm pretty sure that the user is registered in the ldap database. 


-- 
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,
De jrus wah,

Wiel

*
W.K. Offermans
Home:   +31 45 544 49 44
Mobile: +31 681 15 87 68
e-mail: wi...@offermans.rompen.nl



Re: cyradm cannot connect to cyrus imap server

2014-02-21 Thread Dan White
On 02/21/14 10:50 +0100, Willy Offermans wrote:
>Indeed, I needed to specify an authentication mechanism and then I could
>use the command line interface of cyradm:
>
>cyradm --user username --auth PLAIN localhost
>
>If we are at this point anyway, I was wondering what I need to do to use
>another authentication mechanism. Is this possible? And what do I need to
>consider?
>
>The IMAP server responds with the following authentication mechanisms:
>
>AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN
>
>If I log in with SCRAM-SHA-1:
>
>MyName@MyComputer:~$ cyradm --user username --auth SCRAM-SHA-1 localhost
>Password:
>verify error:num=19:self signed certificate in certificate chain
>cyradm: cannot authenticate to server with SCRAM-SHA-1 as username
>
>In the logs:
>
>Feb 21 09:48:36 MyComputer imap[17576]: badlogin: localhost [127.0.0.1] 
>SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get 
>auxprops]
>
>I'm pretty sure that the user is registered in the ldap database.

DIGEST-MD5, CRAM-MD5, and SCRAM-SHA-1 all require cyrus sasl to have access
to the shared secret (clear text password) to complete authentication. If
you're using LDAP to store your user credentials, you'll need to use the
ldapdb auxprop plugin and store users' clear text passwords in userPassword.
Presumably you're using 'sasl_pwcheck_method: saslauthd' currently, which
is sufficient for PLAIN and LOGIN authentication.

If you choose not to go the ldapdb route, I recommend specifying a
sasl_mech_list to limit your mechanisms to PLAIN and LOGIN (and EXTERNAL if
you intend to do starttls client authentication). If you don't do that, in
your current setup, most clients will attempt to first authenticate using a
shared secret mechanism (including cyradm in your initial attempt), which
will always fail on that attempt.

-- 
Dan White

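The mechanism bookkeeping Dan describes in his two replies above (shared-secret mechanisms need the cleartext secret on the server, a saslauthd-style verifier only serves PLAIN and LOGIN, and most clients try the strongest mechanism first and fail before reaching PLAIN), as an added example that is not code from the thread or from Cyrus. It parses the greeting quoted at the top of the thread; the client preference order, the backend rules and the `cyradm`-gives-up behaviour are assumptions modelled on the log lines here, not Cyrus SASL's internal logic.

```python
"""Predict which SASL mechanisms an IMAP server can actually complete,
and replay why a strongest-first client fails before it reaches PLAIN.
Added example, not code from the thread or from Cyrus; the preference
order and backend rules are assumptions modelled on the thread."""
import base64
import re

# Greeting pasted in the thread (imaps port, before login), on one line.
GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=SCRAM-SHA-1 "
            "AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN "
            "SASL-IR] MyComputer Cyrus IMAP v2.4.17 server ready")

# What each mechanism needs on the server side.
#   plaintext     : the password itself arrives; any verifier (saslauthd, ...) can check it
#   shared-secret : the server must already hold the cleartext (sasldb/ldapdb auxprop)
#   external      : identity comes from a verified TLS client certificate
MECH_CLASS = {
    "PLAIN": "plaintext", "LOGIN": "plaintext",
    "SCRAM-SHA-1": "shared-secret", "DIGEST-MD5": "shared-secret",
    "CRAM-MD5": "shared-secret", "NTLM": "shared-secret",
    "EXTERNAL": "external",
}
# Assumed client preference: challenge/response before plaintext (higher = tried first).
PREFERENCE = {"EXTERNAL": 6, "SCRAM-SHA-1": 5, "DIGEST-MD5": 4, "CRAM-MD5": 3,
              "NTLM": 2, "PLAIN": 1, "LOGIN": 0}


def parse_capability(line):
    """Pull the AUTH= mechanisms and the two flags that matter for
    authentication out of a CAPABILITY response code."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line)
    if not m:
        raise ValueError("no CAPABILITY response code in line")
    caps = m.group(1).split()
    return {
        "mechs": [c[len("AUTH="):] for c in caps if c.startswith("AUTH=")],
        "sasl_ir": "SASL-IR" in caps,               # initial response allowed
        "login_disabled": "LOGINDISABLED" in caps,  # server wants STARTTLS first
    }


def usable_mechs(offered, have_cleartext_auxprop=False, client_cert_verified=False):
    """Mechanisms that can succeed.  Plaintext ones only need some password
    verifier (the thread's saslauthd); the others need more than that."""
    keep = []
    for mech in offered:
        cls = MECH_CLASS.get(mech)
        if (cls == "plaintext"
                or (cls == "shared-secret" and have_cleartext_auxprop)
                or (cls == "external" and client_cert_verified)):
            keep.append(mech)
    return keep


def negotiate(offered, usable):
    """Replay a strongest-first client.  Returns (attempts, winner), each
    attempt being (mech, succeeded).  The log in the thread shows cyradm
    giving up after its first failures, so the tail of this list is what
    would have happened had it kept going."""
    attempts = []
    for mech in sorted(offered, key=lambda m: PREFERENCE.get(m, -1), reverse=True):
        ok = mech in usable
        attempts.append((mech, ok))
        if ok:
            return attempts, mech
    return attempts, None


def recommended_mech_list(usable):
    """Value for sasl_mech_list in imapd.conf: advertise only what can succeed."""
    order = ["EXTERNAL", "SCRAM-SHA-1", "DIGEST-MD5", "CRAM-MD5", "NTLM", "PLAIN", "LOGIN"]
    return " ".join(m for m in order if m in usable)


def may_send_plaintext(tls_active, login_disabled):
    """PLAIN/LOGIN carry the password: send them only inside TLS, and not
    while the server flags LOGINDISABLED (it is waiting for STARTTLS)."""
    return tls_active and not login_disabled


def plain_initial_response(authcid, password, authzid="", tls_active=False,
                           login_disabled=False):
    """Base64 of 'authzid\\0authcid\\0password' (RFC 4616): what
    'cyradm --auth PLAIN' ends up sending as its initial response."""
    if not may_send_plaintext(tls_active, login_disabled):
        raise RuntimeError("refusing to send PLAIN credentials outside TLS")
    return base64.b64encode(f"{authzid}\0{authcid}\0{password}".encode()).decode()


def authenticate_line(tag, mech, initial_response, sasl_ir):
    """With SASL-IR the response rides on the AUTHENTICATE command; without
    it the client must wait for '+ ' and send the response on its own line."""
    return (f"{tag} AUTHENTICATE {mech} {initial_response}" if sasl_ir
            else f"{tag} AUTHENTICATE {mech}")


if __name__ == "__main__":
    caps = parse_capability(GREETING)
    usable = usable_mechs(caps["mechs"])            # saslauthd-style backend, no auxprop
    attempts, winner = negotiate(caps["mechs"], usable)
    for mech, ok in attempts:
        print(f"{mech:12} {'ok' if ok else 'badlogin: user not found / no auxprop'}")
    print("winner:", winner)
    print("sasl_mech_list:", recommended_mech_list(usable))
    ir = plain_initial_response("username", "secret", tls_active=True)
    print(authenticate_line("A01", "PLAIN", ir, caps["sasl_ir"]))
```

Run as-is it prints the four failed shared-secret attempts, `PLAIN` as the winner and `sasl_mech_list: PLAIN LOGIN`, which is the setting the thread arrives at; pass `have_cleartext_auxprop=True` to `usable_mechs` to see SCRAM-SHA-1 win once an ldapdb/sasldb auxprop holds the cleartext.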


Re: cyradm cannot connect to cyrus imap server

2014-02-21 Thread Willy Offermans
Hallo Dan,

On Fri, Feb 21, 2014 at 08:50:41AM -0600, Dan White wrote:
> On 02/21/14 10:50 +0100, Willy Offermans wrote:
> >Indeed, I needed to specify an authentication mechanism and then I could
> >use the command line interface of cyradm:
> >
> >cyradm --user username --auth PLAIN localhost
> >
> >If we are at this point anyway, I was wondering what I need to do to use
> >another authentication mechanism. Is this possible? And what do I need to
> >consider?
> >
> >The IMAP server responds with the following authentication mechanisms:
> >
> >AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN 
> >AUTH=LOGIN
> >
> >If I log in with SCRAM-SHA-1:
> >
> >MyName@MyComputer:~$ cyradm --user username --auth SCRAM-SHA-1 localhost
> >Password:
> >verify error:num=19:self signed certificate in certificate chain
> >cyradm: cannot authenticate to server with SCRAM-SHA-1 as username
> >
> >In the logs:
> >
> >Feb 21 09:48:36 MyComputer imap[17576]: badlogin: localhost [127.0.0.1] 
> >SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get 
> >auxprops]
> >
> >I'm pretty sure that the user is registered in the ldap database.
> 
> DIGEST-MD5, CRAM-MD5, and SCRAM-SHA-1 all require cyrus sasl to have access
> to the shared secret (clear text password) to complete authentication. If
> you're using LDAP to store your user credentials, you'll need to use the
> ldapdb auxprop plugin and store users' clear text passwords in userPassword.
> Presumably you're using 'sasl_pwcheck_method: saslauthd' currently, which
> is sufficient for PLAIN and LOGIN authentication.
> 
> If you choose not to go the ldapdb route, I recommend specifying a
> sasl_mech_list to limit your mechanisms to PLAIN and LOGIN (and EXTERNAL if
> you intend to do starttls client authentication). If you don't do that, in
> your current setup, most clients will attempt to first authenticate using a
> shared secret mechanism (including cyradm in your initial attempt), which
> will always fail on that attempt.
> 
> -- 
> Dan White

Thank you a lot for the clarification. I did some searching on the internet
myself and gained some more understanding. I changed the
imapd.conf on the imap server and added:

sasl_mech_list: PLAIN LOGIN

to the settings.

This solved several issues, so I can already confirm your suggested
solution. But many thanks anyway.

You are pointing to EXTERNAL, next to PLAIN and LOGIN. I do not understand
this mechanism yet. At the moment I believe I have PLAIN password wrapped
into TLS. So I already do starttls client authentication. What will EXTERNAL
do?

-- 
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,
De jrus wah,

Wiel

*
 W.K. Offermans
Home:   +31 45 544 49 44
Mobile: +31 681 15 87 68
e-mail: wi...@offermans.rompen.nl



Re: cyradm cannot connect to cyrus imap server

2014-02-21 Thread Dan White
On 02/21/14 16:11 +0100, Willy Offermans wrote:
>You are pointing to EXTERNAL, next to PLAIN and LOGIN. I do not understand
>this mechanism yet. At the moment I believe I have PLAIN password wrapped
>into TLS. So I already do starttls client authentication. What will EXTERNAL
>do?

TLS client authentication is a scenario where you perform TLS
authentication where the client also has a certificate.  The server can
then use the contents of the client certificate to derive the username
(with no password, per se). For example, 'cyradm --tlskey '.

The EXTERNAL mechanism should not be offered unless TLS client
authentication was successful during the starttls step.

-- 
Dan White



Re: cyradm cannot connect to cyrus imap server

2014-02-21 Thread Willy Offermans
Hello Dan,

On Fri, Feb 21, 2014 at 09:22:55AM -0600, Dan White wrote:
> On 02/21/14 16:11 +0100, Willy Offermans wrote:
> >You are pointing to EXTERNAL, next to PLAIN and LOGIN. I do not understand
> >this mechanism yet. At the moment I believe I have PLAIN password wrapped
> >into TLS. So I already do starttls client authentication. What will EXTERNAL
> >do?
> 
> TLS client authentication is a scenario where you perform TLS
> authentication where the client also has a certificate.  The server can
> then use the contents of the client certificate to derive the username
> (with no password, per se). For example, 'cyradm --tlskey '.
> 
> The EXTERNAL mechanism should not be offered unless TLS client
> authentication was successful during the starttls step.
> 
> -- 
> Dan White

This sounds interesting. I thought that  in
slapd.conf was forcing this behavior. I like to read more about the
EXTERNAL mechanism. Do you recommend some reading?

At the moment I will stick to PLAIN and play with replication, serving
multiple domains etc.

-- 
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,
De jrus wah,

Wiel

*
 W.K. Offermans
Home:   +31 45 544 49 44
Mobile: +31 681 15 87 68
e-mail: wi...@offermans.rompen.nl



Re: cyradm cannot connect to cyrus imap server

2014-02-21 Thread Dan White
On 02/21/14 16:33 +0100, Willy Offermans wrote:
>This sounds interesting. I thought that  in
>slapd.conf was forcing this behavior. I would like to read more about the
>EXTERNAL mechanism. Do you recommend some reading?
>
>At the moment I will stick to PLAIN and play with replication, serving
>multiple domains etc.

A TLS primer would be the best place to start. A problem that you may
encounter with EXTERNAL over STARTTLS, is that the username mapping process
is not standardized, and is left up to the server implementation to
perform. Cyrus imapd and slapd may do so in inconsistent ways.

-- 
Dan White

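Dan's last two replies make two points about EXTERNAL: it is only meaningful once the server has verified a TLS client certificate, and the certificate-to-username mapping is left to each implementation, so imapd and slapd can hand the same certificate to different identities. The following is an added example that is not code from the thread, from Cyrus or from OpenLDAP. The single-attribute mapping takes the subject CN (my understanding of what Cyrus imapd's TLS code uses as the peer name; verify against your version), and the whole-DN mapping plus regexp rewrite is modelled on slapd's `dn:` identities and `authz-regexp`. The certificate subject and the rewrite rule are constructed for the example.

```python
"""Derive a SASL EXTERNAL identity from a verified TLS client certificate
subject in two common styles and show where they diverge.  Added example,
not code from the thread, Cyrus or OpenLDAP; the CN rule (Cyrus-like) and
the dn:/authz-regexp rule (slapd-like) are assumptions to check."""
import re

# Constructed subject in the order OpenSSL prints it (root first).
CERT_SUBJECT = "/DC=com/DC=example/OU=people/CN=Alice Example"

# Constructed slapd-style rewrite: a dn: identity becomes an LDAP search
# URL that finds the entry by cn, independent of what the mailbox name is.
AUTHZ_RULES = [
    (r"dn:cn=([^,]+),ou=people,dc=example,dc=com",
     r"ldap:///ou=people,dc=example,dc=com??one?(cn=\1)"),
]


def parse_rfc4514(dn):
    """'cn=alice,ou=people,dc=example,dc=com' -> [('cn','alice'), ...],
    most-specific RDN first.  Single-valued RDNs without escaping only."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        if not attr or not value:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def parse_openssl_subject(subject):
    """OpenSSL's '/DC=com/.../CN=x' form lists RDNs root-first; return
    them in RFC 4514 order (most-specific first) so the two forms compare."""
    rdns = []
    for part in (p for p in subject.split("/") if p):
        attr, _, value = part.partition("=")
        if not attr or not value:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.lower(), value))
    return list(reversed(rdns))


def to_rfc4514(rdns):
    return ",".join(f"{attr}={value}" for attr, value in rdns)


def identity_by_cn(rdns):
    """Single-attribute mapping: the CN becomes the authcid.  A missing or
    repeated CN is ambiguous, so refuse rather than guess."""
    cns = [value for attr, value in rdns if attr == "cn"]
    return cns[0] if len(cns) == 1 else None


def identity_by_dn(rdns):
    """Whole-subject mapping: 'dn:' plus the normalised subject DN."""
    return "dn:" + to_rfc4514(rdns)


def authz_regexp(identity, rules):
    """First matching (pattern, replacement) wins, like a list of
    authz-regexp lines; an unmatched identity is passed through."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, identity)
        if m:
            return m.expand(replacement)
    return identity


def advertised_mechs(configured, tls_active, client_cert_verified, allowplaintext=False):
    """What a server should advertise right now: EXTERNAL only after a verified
    client certificate, PLAIN/LOGIN only inside TLS unless explicitly allowed."""
    out = []
    for mech in configured:
        if mech == "EXTERNAL" and not client_cert_verified:
            continue
        if mech in ("PLAIN", "LOGIN") and not (tls_active or allowplaintext):
            continue
        out.append(mech)
    return out


if __name__ == "__main__":
    rdns = parse_openssl_subject(CERT_SUBJECT)
    print("subject (RFC 4514):", to_rfc4514(rdns))
    print("CN-style identity  :", identity_by_cn(rdns))      # 'Alice Example', no such mailbox
    print("dn-style identity  :", authz_regexp(identity_by_dn(rdns), AUTHZ_RULES))
    for tls, cert in ((False, False), (True, False), (True, True)):
        print(f"tls={tls!s:5} cert={cert!s:5} ->",
              advertised_mechs(["EXTERNAL", "PLAIN", "LOGIN"], tls, cert))
```

The CN-style server would authenticate this certificate as `Alice Example`, which is a person's name rather than a mailbox, while the dn-style server resolves the full subject to the directory entry; that is the inconsistency Dan warns about, and the reason to issue client certificates whose CN is the exact account name if the IMAP side is to use EXTERNAL.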