Alain Reguera Delgado wrote:
On 1/28/08, Alexander Dalloz ad+lists@uni-x.org wrote:
Again no SASL offering. Please check your cyrus-sasl installs.
$ rpm -qa | grep cyrus
cyrus-sasl-2.1.22-4               <------------- see here
cyrus-imapd-2.3.7-1.1.el5
cyrus-sasl-lib-2.1.22-4           <------------- and here
cyrus-imapd-perl-2.3.7-1.1.el5
cyrus-imapd-utils-2.3.7-1.1.el5
Hm. You shouldn't be able to SASL auth at all! You are missing the cyrus-sasl-plain RPM to have both the liblogin.so* and libplain.so* libraries. Very certainly installing this RPM will solve your problem.
Yes. I installed those RPMs and things start working!!! ... I am very happy :D
Congratulations.
And test the following: run
openssl s_client -connect localhost:2000 -starttls smtp
CONNECTED(00000003)
22760:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:
Hm, that command works for me this way. Instead of "-starttls smtp" you may try "-starttls pop3" or "-tls1".
Well, that returns the same error with "-starttls pop3" but a different one with "-tls1":
CONNECTED(00000003)
30901:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:284
Not so important. If `sivtest ... -t ""' shows a working STARTTLS you are on the safe side.
Even your SSL/TLS setup seems to be broken. Are the certificate files in place?
I looked at /etc/pki/cyrus-imapd/ and that directory is empty.
Took a look at /etc/pki/tls/certs/ and there is a cyrus-imapd.pem file like the one mentioned in the imapd.conf file. I tried copying/linking it into /etc/pki/cyrus-imapd/ and restarting cyrus-imapd, but that error is still there when the openssl command is run.
I have created a .crt and .key file for apache, related to my domain ... with the command:
/usr/bin/openssl req -newkey rsa:1024 -keyout /etc/pki/tls/private/example.com.key -nodes -x509 -days 365 -out /etc/pki/tls/certs/example.com.crt
(that was taken from the /etc/pki/tls/certs/make-dummy-cert bash script)
Tried to use them but still no success. Don't know how this error could affect cyrus-imapd-sieve.
The question is whether a possible lack of TLS/SSL encryption is causing the transmission of authentication data in plaintext over the wire. If you use sieve just locally I feel you can ignore that.
What does the cyrus-imapd service start report in the maillog?
When running the command (the openssl s_client one), none ... just:
sieve[30807]: executed
sieve[30807]: accepted connection
master[28736]: process 30807 exited, status 0
Any errors?
Not this time .. I think :)
S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
S: "SASL" "CRAM-MD5 DIGEST-MD5 LOGIN PLAIN"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
S: "STARTTLS"
S: OK
C: AUTHENTICATE "DIGEST-MD5"
S: {264}
S: bm9uY2U9IkNpRTF5c0x2NllwcHNwQjhXVUo4TlRiakxFM3FBbDJPUzZVK1paNi9EbGM9IixyZWFsbT0ib3Jpb24uY2lnZXQuY2llbmZ1ZWdvcy5jdSIscW9wPSJhdXRoLGF1dGgtaW50LGF1dGgtY29uZiIsY2lwaGVyPSJyYzQtNDAscmM0LTU2LHJjNCxkZXMsM2RlcyIsbWF4YnVmPTQwOTYsY2hhcnNldD11dGYtOCxhbGdvcml0aG09bWQ1LXNlc3M=
Please enter your password:
{416+}
C: dXNlcm5hbWU9ImFsQGNpZ2V0LmNpZW5mdWVnb3MuY3UiLHJlYWxtPSJvcmlvbi5jaWdldC5jaWVuZnVlZ29zLmN1Iixub25jZT0iQ2lFMXlzTHY2WXBwc3BCOFdVSjhOVGJqTEUzcUFsMk9TNlUrWlo2L0RsYz0iLGNub25jZT0id0Y2TktJQ0VRRitnZ2N4N21Xb3MvL0ptclVlK2pCNWloZDJBd3d2ZXhNND0iLG5jPTAwMDAwMDAxLHFvcD1hdXRoLWNvbmYsY2lwaGVyPXJjNCxtYXhidWY9MTAyNCxkaWdlc3QtdXJpPSJzaWV2ZS9vcmlvbi5jaWdldC5jaWVuZnVlZ29zLmN1IixyZXNwb25zZT1jNTg2OWJkYTEzNDlhYTNhNTQ4YTA3NWZlYjU2OTZjMw==
S: OK (SASL "cnNwYXV0aD1mMTg5YzEzYjFmMzk5Y2NhYjcyZmI0NDJkMmQzNTZmNw==")
Authenticated.
Security strength factor: 128
C: LOGOUT
Connection closed.
Fine. As MD5 mechs do not cause transmission of passwords there is no risk they could be sniffed.
or to avoid plaintext passwords over the wire
sasl_mech_list: CRAM-MD5 DIGEST-MD5
In this configuration, we have a webmail (squirrelmail) with ssl available on the same machine. Do you think it would work without the PLAIN mech available?
I assume you have squirrelmail talking to your Cyrus-Imapd over localhost. Limited risk when using PLAIN or LOGIN. Of course you can use MD5 mechs either on localhost only or through networks. In general it is advised to protect passwords wherever you can.
Thank you very much for this Tremendous Help. I uploaded some sieve scripts using sieveshell, took a look at the maillog and enjoyed seeing what happened .. that worked pretty nice!!!
Cheers, al.
Glad that I could help. Have fun with your powerful Cyrus-Imapd :)
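As an added example (not part of the thread above, and not Cyrus code), here is a small Python checker for the kind of timsieved capability greeting shown in the sivtest output: it parses the "S:" lines, lists the advertised SASL mechanisms, flags the plaintext ones (PLAIN, LOGIN) against whether STARTTLS is offered, and derives the restricted `sasl_mech_list` line the thread suggests. The sample greeting is constructed from the transcript in the thread; the function names are my own.

```python
"""Audit a ManageSieve (timsieved) capability greeting for plaintext-auth exposure.

Added example for the thread above; not the project's own code. The greeting
below is constructed from the sivtest session posted in the thread.
"""
import re

# Constructed sample: the server ("S:") lines from the sivtest transcript.
SAMPLE_GREETING = '''S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
S: "SASL" "CRAM-MD5 DIGEST-MD5 LOGIN PLAIN"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
S: "STARTTLS"
S: OK'''

# Mechanisms that send the password itself (base64 is an encoding, not protection).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# A capability line is:  S: "NAME"            or   S: "NAME" "value words"
_CAP_RE = re.compile(r'^S:\s+"([^"]+)"(?:\s+"([^"]*)")?\s*$')


def parse_capabilities(greeting):
    """Return {capability_name: value_string} for every quoted S: line."""
    caps = {}
    for line in greeting.splitlines():
        m = _CAP_RE.match(line.strip())
        if m:
            caps[m.group(1)] = m.group(2) or ""
    return caps


def sasl_mechs(caps):
    """The SASL mechanism names the server offers (empty set if none)."""
    return set(caps.get("SASL", "").split())


def assess(greeting):
    """Summarise the greeting and list findings a defender would care about."""
    caps = parse_capabilities(greeting)
    mechs = sasl_mechs(caps)
    plain = sorted(mechs & PLAINTEXT_MECHS)
    starttls = "STARTTLS" in caps
    findings = []
    if not mechs:
        # The situation at the start of the thread: SASL line absent or empty.
        findings.append("no SASL mechanisms advertised (check cyrus-sasl-plain / "
                        "cyrus-sasl-md5 packages)")
    if plain and starttls:
        findings.append("plaintext mechanisms %s advertised before STARTTLS; "
                        "clients must negotiate TLS first or use a challenge-response mech"
                        % ",".join(plain))
    elif plain and not starttls:
        findings.append("plaintext mechanisms %s advertised with no STARTTLS: "
                        "passwords would cross the wire unprotected" % ",".join(plain))
    return {
        "starttls": starttls,
        "mechs": sorted(mechs),
        "plaintext_mechs": plain,
        "findings": findings,
    }


def hardened_mech_list(mechs):
    """The imapd.conf line that drops plaintext mechs, as suggested in the thread."""
    keep = sorted(m for m in mechs if m not in PLAINTEXT_MECHS)
    return "sasl_mech_list: " + " ".join(keep)


if __name__ == "__main__":
    report = assess(SAMPLE_GREETING)
    for key, value in report.items():
        print("%-16s %s" % (key + ":", value))
    print(hardened_mech_list(report["mechs"]))
```

Run it against a real greeting by pasting the "S:" lines from `sivtest` into `SAMPLE_GREETING`. One caveat the thread does not spell out: CRAM-MD5 and DIGEST-MD5 keep the password off the wire, but they require the server to hold a plaintext-equivalent secret (the sasldb entry), so restricting `sasl_mech_list` shifts risk to the server's secret store rather than removing it; a working STARTTLS still matters even with those mechanisms.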