On 1/28/08, Alexander Dalloz ad+lists@uni-x.org wrote:
Alain Reguera Delgado wrote:
Hello Alain,
sorry for replying late.
Not too much difference from previous one:
S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
S: "STARTTLS"
S: OK
Authentication failed. generic failure
Security strength factor: 0
C: LOGOUT
Connection closed.
Again no SASL offering. Please check your cyrus-sasl installs.
$ rpm -qa | grep cyrus
cyrus-sasl-2.1.22-4 <------------- see here
cyrus-imapd-2.3.7-1.1.el5
cyrus-sasl-lib-2.1.22-4 <------------- and here
cyrus-imapd-perl-2.3.7-1.1.el5
cyrus-imapd-utils-2.3.7-1.1.el5
Hm. You shouldn't be able to SASL auth at all! You are missing the cyrus-sasl-plain RPM to have both the liblogin.so* and libplain.so* libraries. Very certainly installing this RPM will solve your problem.
Yes. I installed those RPMs and things started working!!! ... I am very happy :D
And test the following: Run
openssl s_client -connect localhost:2000 -starttls smtp
CONNECTED(00000003)
22760:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:
Hm, that command works for me this way. Instead of "-starttls smtp" you may try "-starttls pop3" or "-tls1".
Well, that returns the same error with "-starttls pop3" but a different one with -tls1:
CONNECTED(00000003)
30901:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:284
Does that offer SASL then? You can also test with
sivtest -u al@example.com -a al@example.com -t ""
S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
S: "STARTTLS"
S: OK
C: STARTTLS
S: NO "Error initializing TLS"
Authentication failed. generic failure
Security strength factor: 0
C: LOGOUT
Connection closed.
Even your SSL/TLS setup seems to be broken. Are the certificate files in place?
I looked at /etc/pki/cyrus-imapd/ and that directory is empty.
I took a look at /etc/pki/tls/certs/ and there is a cyrus-imapd.pem file like the one mentioned in the imapd.conf file. I tried copying/linking it into /etc/pki/cyrus-imapd/ and restarting cyrus-imapd, but that error is still there when the openssl command is run.
I have created a .crt and .key file for Apache, related to my domain ... with the command:
/usr/bin/openssl req -newkey rsa:1024 -keyout /etc/pki/tls/private/example.com.key -nodes -x509 -days 365 -out /etc/pki/tls/certs/example.com.crt
(that was taken from the /etc/pki/tls/certs/make-dummy-cert bash script)
Tried to use them but still no success. Don't know, how this error could affect cyrus-imapd-sieve?
What does the cyrus-imapd service start report in the maillog?
When I run the command (the openssl s_client one), none ... just:
... sieve[30807]: executed
sieve[30807]: accepted connection
master[28736]: process 30807 exited, status 0
Any errors?
Not this time .. I think :)
S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
S: "SASL" "CRAM-MD5 DIGEST-MD5 LOGIN PLAIN"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
S: "STARTTLS"
S: OK
C: AUTHENTICATE "DIGEST-MD5"
S: {264}
S: bm9uY2U9IkNpRTF5c0x2NllwcHNwQjhXVUo4TlRiakxFM3FBbDJPUzZVK1paNi9EbGM9IixyZWFsbT0ib3Jpb24uY2lnZXQuY2llbmZ1ZWdvcy5jdSIscW9wPSJhdXRoLGF1dGgtaW50LGF1dGgtY29uZiIsY2lwaGVyPSJyYzQtNDAscmM0LTU2LHJjNCxkZXMsM2RlcyIsbWF4YnVmPTQwOTYsY2hhcnNldD11dGYtOCxhbGdvcml0aG09bWQ1LXNlc3M=
Please enter your password:
{416+}
C: dXNlcm5hbWU9ImFsQGNpZ2V0LmNpZW5mdWVnb3MuY3UiLHJlYWxtPSJvcmlvbi5jaWdldC5jaWVuZnVlZ29zLmN1Iixub25jZT0iQ2lFMXlzTHY2WXBwc3BCOFdVSjhOVGJqTEUzcUFsMk9TNlUrWlo2L0RsYz0iLGNub25jZT0id0Y2TktJQ0VRRitnZ2N4N21Xb3MvL0ptclVlK2pCNWloZDJBd3d2ZXhNND0iLG5jPTAwMDAwMDAxLHFvcD1hdXRoLWNvbmYsY2lwaGVyPXJjNCxtYXhidWY9MTAyNCxkaWdlc3QtdXJpPSJzaWV2ZS9vcmlvbi5jaWdldC5jaWVuZnVlZ29zLmN1IixyZXNwb25zZT1jNTg2OWJkYTEzNDlhYTNhNTQ4YTA3NWZlYjU2OTZjMw==
S: OK (SASL "cnNwYXV0aD1mMTg5YzEzYjFmMzk5Y2NhYjcyZmI0NDJkMmQzNTZmNw==")
Authenticated.
Security strength factor: 128
C: LOGOUT
Connection closed.
So, to offer MD5 we could add it to sasl_mech_list? Something like:
sasl_mech_list: PLAIN MD5
No. To offer MD5 mechanisms use "DIGEST-MD5" or "CRAM-MD5" or even both. Being able to offer MD5 mechs is one of the positive aspects of using sasldb based auth.
sasl_mech_list: LOGIN PLAIN CRAM-MD5 DIGEST-MD5
I'm currently using this one on the imapd.conf file.
or to avoid plaintext passwords over the wire
sasl_mech_list: CRAM-MD5 DIGEST-MD5
In this configuration, we have a webmail (squirrelmail) with ssl available on the same machine. Do you think it would work without the PLAIN mech available?
Pay attention to have the cyrus-sasl-md5 RPM installed. This will provide the required libraries for MD5 mech auth.
Yep. That was installed too. :)
Kind regards
Alexander
Thank you very much for this Tremendous Help. I uploaded some sieve scripts using sieveshell, took a look at maillog and enjoyed seeing what happened .. that worked pretty nicely!!!
Cheers, al.
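
The three states this thread passes through (no SASL line in the greeting, a failed STARTTLS, and plaintext mechanisms in sasl_mech_list) can be checked mechanically from a saved sivtest transcript. The script below is an added example, not part of the original messages; the function names are hypothetical and the sample transcripts are constructed, shortened versions of the output quoted above.

```python
import re

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # these send the password itself
CAP_RE = re.compile(r'^S: "([A-Z-]+)"(?: "([^"]*)")?$')

def parse_capabilities(transcript):
    """Capabilities from the pre-TLS greeting: lines before the first S: OK."""
    caps = {}
    for line in (l.strip() for l in transcript.splitlines()):
        if line.startswith("S: OK"):
            break
        m = CAP_RE.match(line)
        if m:
            caps[m.group(1)] = m.group(2) or ""
    return caps

def audit(transcript):
    """Return (advertised SASL mechanisms, list of findings)."""
    caps = parse_capabilities(transcript)
    mechs = caps.get("SASL", "").split()
    lines = [l.strip() for l in transcript.splitlines()]
    findings = []
    if not mechs:
        findings.append("no SASL mechanisms advertised (SASL plugin packages missing?)")
    weak = sorted(PLAINTEXT_MECHS & set(mechs))
    if weak:
        findings.append("plaintext mechanisms offered before TLS: " + " ".join(weak))
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not advertised")
    elif any(a == "C: STARTTLS" and b.startswith("S: NO")
             for a, b in zip(lines, lines[1:])):
        findings.append("STARTTLS advertised but failed (check certificate and key files)")
    return mechs, findings

# Constructed samples modelled on the sivtest output in the thread.
GREETING = ('S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7"\n{sasl}'
            'S: "SIEVE" "fileinto reject vacation"\nS: "STARTTLS"\nS: OK\n')
BROKEN = GREETING.format(sasl="") + (
    'C: STARTTLS\nS: NO "Error initializing TLS"\n'
    'Authentication failed. generic failure\n')
WORKING = GREETING.format(sasl='S: "SASL" "CRAM-MD5 DIGEST-MD5 LOGIN PLAIN"\n')
MD5_ONLY = GREETING.format(sasl='S: "SASL" "CRAM-MD5 DIGEST-MD5"\n')

if __name__ == "__main__":
    for name, sample in (("broken", BROKEN), ("working", WORKING), ("md5-only", MD5_ONLY)):
        mechs, findings = audit(sample)
        print(name, mechs, findings or ["ok"])
```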