lmtpd don't advertise the EXTERNAL auth method

2003-03-24 Thread Balazs GAL
Hi!

I use a backported version of debian's (thanks hmh) cyrus21 2.1.11-5
package.

My problem is that lmtpd doesn't advertise the EXTERNAL auth method
on the unix socket (nor on tcp). Because of it, cyrdeliver (deliver)
can't use the AUTH parameter of the MAIL FROM command (see lmtp_runtxn in
lmtpengine.c), and because of it, cyrdeliver (-a auth-id option) and the
mta can't provide the authenticated userid to cyrus. Every post is
run as anyone.
So our users can't post to the shared folders etc etc.



# socat UNIX-CONNECT:/var/run/cyrus/socket/lmtp -
220 mail.rit.bme.hu LMTP Cyrus v2.1.11-Debian-4.woody.1 ready
LHLO mail.rit.bme.hu
250-mail.rit.bme.hu
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-SIZE
250 IGNOREQUOTA

Note that lmtpd misses the 250-AUTH EXTERNAL line.


/etc/cyrus.conf:

lmtpunixcmd=lmtpd listen=/var/run/cyrus/socket/lmtp
prefork=1 maxchild=20

/etc/imapd.conf:

configdirectory: /var/lib/cyrus
defaultpartition: default
partition-default: /var/spool/cyrus/mail
partition-news: /var/spool/cyrus/news
newsspool: /var/spool/news
altnamespace: no
unixhierarchysep: no
admins: cyrus admin realman
allowanonymouslogin: no
popminpoll: 0
autocreatequota: 0
umask: 077
sendmail: /usr/sbin/sendmail
sieveusehomedir: false
sievedir: /var/spool/sieve
hashimapspool: true
allowplaintext: yes
# I don't think that EXTERNAL is needed here
sasl_mech_list: PLAIN LOGIN GSSAPI KERBEROS_V4 EXTERNAL
sasl_minimum_layer: 56
sasl_pwcheck_method: saslauthd
sasl_auto_transition: yes
servername: mail.rit.bme.hu
loginrealms: RIT.BME.HU
tls_cert_file: /etc/ssl/certs/mail.rit.bme.hu.crt
tls_key_file: /etc/ssl/certs/mail.rit.bme.hu.key.nopass
tls_ca_file: /etc/ssl/certs/ca.crt
tls_session_timeout: 1440
tls_cipher_list: TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
lmtpsocket: /var/run/cyrus/socket/lmtp
idlesocket: /var/run/cyrus/socket/idle
notifysocket: /var/run/cyrus/socket/notify




lmtpd don't advertise the EXTERNAL auth method

2003-03-24 Thread Balazs GAL
Hi!

I use a backported version of debian's (thanks hmh) cyrus21 2.1.11-5
package.

My problem is that lmtpd doesn't advertise the EXTERNAL auth method
on the unix socket (nor on tcp). Because of it, cyrdeliver (deliver)
can't use the AUTH parameter of the MAIL FROM command (see lmtp_runtxn in
lmtpengine.c), and because of it, cyrdeliver (-a auth-id option) and the
mta can't provide the authenticated userid to cyrus. Every post is
run as anyone, so our users can't post to the shared folders etc etc.

2.1.9 and under seem to work fine. (I didn't use 2.1.10)

What's the solution? Can anybody reproduce it?

Thanks:

balsa


# socat UNIX-CONNECT:/var/run/cyrus/socket/lmtp -
220 mail.rit.bme.hu LMTP Cyrus v2.1.11-Debian-4.woody.1 ready
LHLO mail.rit.bme.hu
250-mail.rit.bme.hu
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-SIZE
250 IGNOREQUOTA

Note that lmtpd misses the 250-AUTH EXTERNAL line.


/etc/cyrus.conf:

lmtpunixcmd=lmtpd listen=/var/run/cyrus/socket/lmtp
prefork=1 maxchild=20

/etc/imapd.conf:

configdirectory: /var/lib/cyrus
defaultpartition: default
partition-default: /var/spool/cyrus/mail
partition-news: /var/spool/cyrus/news
newsspool: /var/spool/news
altnamespace: no
unixhierarchysep: no
admins: cyrus admin realman
allowanonymouslogin: no
popminpoll: 0
autocreatequota: 0
umask: 077
sendmail: /usr/sbin/sendmail
sieveusehomedir: false
sievedir: /var/spool/sieve
hashimapspool: true
allowplaintext: yes
# I don't think that EXTERNAL is needed here
sasl_mech_list: PLAIN LOGIN GSSAPI KERBEROS_V4 EXTERNAL
sasl_minimum_layer: 56
sasl_pwcheck_method: saslauthd
sasl_auto_transition: yes
servername: mail.rit.bme.hu
loginrealms: RIT.BME.HU
tls_cert_file: /etc/ssl/certs/mail.rit.bme.hu.crt
tls_key_file: /etc/ssl/certs/mail.rit.bme.hu.key.nopass
tls_ca_file: /etc/ssl/certs/ca.crt
tls_session_timeout: 1440
tls_cipher_list: TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
lmtpsocket: /var/run/cyrus/socket/lmtp
idlesocket: /var/run/cyrus/socket/idle
notifysocket: /var/run/cyrus/socket/notify




Re: lmtpd don't advertise the EXTERNAL auth method

2003-03-24 Thread Balazs GAL
On Mon, 2003-03-24, Rob Siemborski wrote:

> I'm unclear what the problem is here.  Certainly I don't believe there is
> one with LMTPd (though perhaps there is one with cyrdeliver).

Sorry, this was an old draft mail. (Evolution is buggy)
This was a sasl2 bug (as I can recollect sasl 2.1.9),
sasl2 upgrade solved the problem.

> (though perhaps there is one with cyrdeliver).

No, as you see I used socat, so this was not cyrdeliver's fault.

balsa



Re: lmtpd don't advertise the EXTERNAL auth method

2003-03-24 Thread Balazs GAL
Please ignore my previous (old draft) mail. Evolution is a little buggy.

Sorry and Thanks.

balsa



Re: lmtpd don't advertise the EXTERNAL auth method

2003-03-24 Thread Rob Siemborski
On Mon, 24 Mar 2003, Balazs GAL wrote:

>> I'm unclear what the problem is here.  Certainly I don't believe there is
>> one with LMTPd (though perhaps there is one with cyrdeliver).
>
> Sorry this was an old draft mail. (Evolution is buggy)
> This was a sasl2 bug (as I can recollect sasl 2.1.9),
> sasl2 upgrade solved the problem.
>
>> (though perhaps there is one with cyrdeliver).
>
> No, as you see I used socat, so this was not cyrdeliver's fault.

I meant in its interpretation of what was going on.

In any case, I'm glad it's fixed.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper



Re: lmtpd don't advertise the EXTERNAL auth method

2003-03-24 Thread Rob Siemborski
On Mon, 24 Mar 2003, Balazs GAL wrote:

> I use a backported version of debian's (thanks hmh) cyrus21 2.1.11-5
> package.
>
> My problem is that lmtpd doesn't advertise the EXTERNAL auth method
> on the unix socket (nor on tcp). Because of it, cyrdeliver (deliver)
> can't use the AUTH parameter of the MAIL FROM command (see lmtp_runtxn in
> lmtpengine.c), and because of it, cyrdeliver (-a auth-id option) and the
> mta can't provide the authenticated userid to cyrus. Every post is
> run as anyone, so our users can't post to the shared folders etc etc.

I'm unclear what the problem is here.  Certainly I don't believe there is
one with LMTPd (though perhaps there is one with cyrdeliver).

Over TCP, you're going to need an external authentication source (e.g. TLS
client cert) before you can advertise EXTERNAL as a SASL auth mech.  On a
unix socket, the connection is assumed to be preauthenticated as an admin,
so you shouldn't need to authenticate at all (i.e. don't let non admins
write to the unix socket!).

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
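
Added example, not part of the original thread and not Cyrus code: since the reply above treats any connection on the unix socket as preauthenticated admin, this sketch audits who outside owner and group can reach the socket path. The function names and verdict labels are this example's own; the path is the lmtpsocket value posted in the thread.

```python
import os
import stat

# Socket path taken from the lmtpsocket setting posted in this thread.
LMTP_SOCKET = "/var/run/cyrus/socket/lmtp"


def other_can_traverse(directory, top="/"):
    """True if 'other' has search (x) permission on every directory from
    `directory` up to `top`. `top` is an assumed-trusted stopping point."""
    directory, top = os.path.realpath(directory), os.path.realpath(top)
    while True:
        if not os.stat(directory).st_mode & stat.S_IXOTH:
            return False
        parent = os.path.dirname(directory)
        if directory == top or parent == directory:
            return True
        directory = parent


def audit_lmtp_socket(sock_path, top="/"):
    """Classify exposure of a pathname socket to users outside owner/group.

    Verdict labels are this example's own, not Cyrus terminology.
    """
    st = os.stat(sock_path)
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"
    parent = os.path.dirname(os.path.realpath(sock_path))
    dir_open = other_can_traverse(parent, top)
    sock_open = bool(st.st_mode & stat.S_IWOTH)  # Linux: connect() needs write
    if dir_open and sock_open:
        return "exposed"           # any local user can connect as "admin"
    if dir_open:
        # Only the socket's own mode stands in the way; some systems ignore
        # socket file modes, so the directory is the portable control.
        return "socket-mode-only"
    return "restricted"            # directory permissions keep 'other' out


if __name__ == "__main__":
    if os.path.exists(LMTP_SOCKET):
        print(LMTP_SOCKET, "->", audit_lmtp_socket(LMTP_SOCKET))
    else:
        print(LMTP_SOCKET, "not present on this host")
```

The check covers only the "other" permission class; membership of the socket directory's group still has to be reviewed by hand.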



Re: lmtpd don't advertise the EXTERNAL auth method

2003-01-07 Thread Balazs GAL
On Mon, 2003-01-06, Balazs GAL wrote:
> Hi!
>
> I use a backported version of debian's (thanks hmh) cyrus21 2.1.11-5
> package.
>
> My problem is that lmtpd doesn't advertise the EXTERNAL auth method
[...]
> What's the solution? Can anybody reproduce it?

> sasl_minimum_layer: 56

The problem is the sasl_minimum_layer option, e.g. if I set it to 0, it
works.
I don't think that this is the normal behavior of lmtpd, because
it runs on a preauthorized connection.
I think that lmtpd should only care about the sasl_minimum_layer option if
it runs on a NOT preauthorized connection, like a tcp port running
without the '-a' cmdl option.
So I think this is a bug here in cyrus 2.1.11.

balsa






lmtpd don't advertise the EXTERNAL auth method

2003-01-06 Thread Balazs GAL
Hi!

I use a backported version of debian's (thanks hmh) cyrus21 2.1.11-5
package.

My problem is that lmtpd doesn't advertise the EXTERNAL auth method
on the unix socket (nor on tcp). Because of it, cyrdeliver (deliver)
can't use the AUTH parameter of the MAIL FROM command (see lmtp_runtxn in
lmtpengine.c), and because of it, cyrdeliver (-a auth-id option) and the
mta can't provide the authenticated userid to cyrus. Every post is
run as anyone, so our users can't post to the shared folders etc etc.

2.1.9 and under seem to work fine. (I didn't use 2.1.10)

What's the solution? Can anybody reproduce it?

Thanks

balsa


# socat UNIX-CONNECT:/var/run/cyrus/socket/lmtp -
220 mail.rit.bme.hu LMTP Cyrus v2.1.11-Debian-4.woody.1 ready
LHLO mail.rit.bme.hu
250-mail.rit.bme.hu
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-SIZE
250 IGNOREQUOTA

Note that lmtpd misses the 250-AUTH EXTERNAL line.


/etc/cyrus.conf:

lmtpunixcmd=lmtpd listen=/var/run/cyrus/socket/lmtp
prefork=1 maxchild=20

/etc/imapd.conf:

configdirectory: /var/lib/cyrus
defaultpartition: default
partition-default: /var/spool/cyrus/mail
partition-news: /var/spool/cyrus/news
newsspool: /var/spool/news
altnamespace: no
unixhierarchysep: no
admins: cyrus admin realman
allowanonymouslogin: no
popminpoll: 0
autocreatequota: 0
umask: 077
sendmail: /usr/sbin/sendmail
sieveusehomedir: false
sievedir: /var/spool/sieve
hashimapspool: true
allowplaintext: yes
# I don't think that EXTERNAL is needed here
sasl_mech_list: PLAIN LOGIN GSSAPI KERBEROS_V4 EXTERNAL
sasl_minimum_layer: 56
sasl_pwcheck_method: saslauthd
sasl_auto_transition: yes
servername: mail.rit.bme.hu
loginrealms: RIT.BME.HU
tls_cert_file: /etc/ssl/certs/mail.rit.bme.hu.crt
tls_key_file: /etc/ssl/certs/mail.rit.bme.hu.key.nopass
tls_ca_file: /etc/ssl/certs/ca.crt
tls_session_timeout: 1440
tls_cipher_list: TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
lmtpsocket: /var/run/cyrus/socket/lmtp
idlesocket: /var/run/cyrus/socket/idle
notifysocket: /var/run/cyrus/socket/notify