On 1/24/08, Alexander Dalloz ad+lists@uni-x.org wrote:
Alain Reguera Delgado schrieb:
Here is the /etc/imapd.conf file.

    configdirectory: /var/lib/imap
    partition-default: /var/spool/imap
    admins: cyrus cyrusadm
    sievedir: /var/lib/imap/sieve
    sendmail: /usr/sbin/sendmail
    hashimapspool: true
    sasl_pwcheck_method: auxprop
    sasl_mech_list: PLAIN
    tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
    tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
    tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
    virtdomains: yes
    defaultdomain: example.com
    unixhierarchysep: yes

For testing please specify additionally
allowplaintext: yes
Option added for testing and after that a `service cyrus-imapd restart` was run.
I wonder that `imtest' succeeds and `sivtest' fails. I think it would help if you provide an `imtest' run in verbose mode (parameter "-v").
Yep. See:

    S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS] orion.example.com Cyrus IMAP4 v2.3.7-Invoca-RPM-2.3.7-1.1.el5 server ready
    C: C01 CAPABILITY
    S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
    S: C01 OK Completed
    Please enter your password:
    C: L01 LOGIN al {15}
    S: + go ahead
    C: <omitted>
    S: L01 OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH] User logged in
    Authenticated.
    Security strength factor: 0
    C: Q01 LOGOUT
    Connection closed.

STARTTLS is offered but not used. I wonder that you can LOGIN with PLAIN though the default is to not permit plaintext logins without encryption. Thus I beg you to set the additional parameter inside imapd.conf.
done.
What does `sivtest' tell you?

    S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
    S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
    S: "STARTTLS"
    S: OK
    Authentication failed. generic failure
    Security strength factor: 0
    C: LOGOUT
    Connection closed.

Ok. The server even fails to offer authentication properly. Please run it again in verbose mode with parameter "-v".
Not too much difference from previous one:

    S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
    S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
    S: "STARTTLS"
    S: OK
    Authentication failed. generic failure
    Security strength factor: 0
    C: LOGOUT
    Connection closed.

Again no SASL offering. Please check your cyrus-sasl installs.

    $ rpm -qa | grep cyrus
    cyrus-sasl-2.1.22-4 <------------- see here
    cyrus-imapd-2.3.7-1.1.el5
    cyrus-sasl-lib-2.1.22-4 <------------- and here
    cyrus-imapd-perl-2.3.7-1.1.el5
    cyrus-imapd-utils-2.3.7-1.1.el5

And test the following: Run
openssl s_client -connect localhost:2000 -starttls smtp

    CONNECTED(00000003)
    22760:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:

Does that offer SASL then? You can also test with
sivtest -u al@example.com -a al@example.com -t ""

    S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
    S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
    S: "STARTTLS"
    S: OK
    C: STARTTLS
    S: NO "Error initializing TLS"
    Authentication failed. generic failure
    Security strength factor: 0
    C: LOGOUT
    Connection closed.

Try with a mech other than LOGIN or PLAIN.
How could we do that?
man sivtest -> -m mech
Yep, but which method should we use after -m ... auxprop?
No. In imapd.conf you specified your own
sasl_mech_list: PLAIN
so it should be obvious which mechanism you can choose. As you previously said you were running sasldb, I thought you would offer MD5 mechs, and thus my suggestion.
So, to offer MD5 we could add it to sasl_mech_list? Something like:
sasl_mech_list: PLAIN MD5
Please report back.
Alexander
Cheers, al.
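
Added example, not part of the original thread: a small checker that reads the two things the replies above inspect by eye, namely whether a timsieved greeting carries a "SASL" capability line and whether a cleartext IMAP capability list permits LOGIN before STARTTLS. The sample inputs are constructed from the sessions quoted above, and the function names are this example's own.

```python
import re

# Constructed samples modelled on the sessions quoted in the thread
# (the SIEVE extension list and the IMAP capability list are shortened).
SIEVE_GREETING = '''S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
S: "SIEVE" "fileinto reject vacation"
S: "STARTTLS"
S: OK'''
IMAP_CAPS = "IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS ACL QUOTA NAMESPACE IDLE"

def parse_sieve_caps(greeting):
    """Return {capability name: value} from a ManageSieve greeting."""
    caps = {}
    for line in greeting.splitlines():
        line = line.strip()
        if line.startswith("S: "):       # drop sivtest's direction marker
            line = line[3:]
        if not line.startswith('"'):     # status line (OK/NO/BYE), not a capability
            continue
        fields = re.findall(r'"([^"]*)"', line)
        if fields:
            caps[fields[0].upper()] = fields[1] if len(fields) > 1 else ""
    return caps

def sieve_findings(greeting):
    """List what is wrong with a pre-TLS ManageSieve capability listing."""
    caps = parse_sieve_caps(greeting)
    mechs = set(caps.get("SASL", "").upper().split())
    findings = []
    if not mechs:
        findings.append("no SASL mechanisms advertised")
    if mechs & {"PLAIN", "LOGIN"}:
        findings.append("plaintext mechanism offered before STARTTLS")
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered")
    return findings

def imap_findings(caps_line):
    """List what is wrong with a pre-TLS IMAP CAPABILITY response."""
    caps = set(caps_line.upper().split())
    findings = []
    if "LOGINDISABLED" not in caps:
        findings.append("LOGIN permitted without TLS")
    if not any(c.startswith("AUTH=") for c in caps):
        findings.append("no SASL mechanisms advertised")
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered")
    return findings

if __name__ == "__main__":
    print("sieve:", sieve_findings(SIEVE_GREETING))
    print("imap: ", imap_findings(IMAP_CAPS))
```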