Tony Wicks wrote:
Hi all, I've been trying to upgrade a mail server from Centos 3 to Centos 4, the machine runs imap with local users only. I noticed that the imap-2002d-11 package does not exist on Centos 4 and I'm guessing that cyrus-imapd is a replacement. The problem is that users cannot authenticate to cyrus -
May 7 06:32:14 #removed# imap[14650]: badlogin: #removed# [#removed#] plaintext #removed# SASL(-1): generic failure: checkpass failed
Can anyone point me in the right direction? Thanks
Dovecot is a direct replacement for wu-imapd. If you want to use Cyrus, you would need to migrate all mailboxes into the Cyrus mailstore first, and change a couple of things in the sendmail configuration to instruct sendmail that it should use cyrus for local mail delivery (instead of procmail).
If you already did that, and really want to use Cyrus, check the /etc/imapd.conf file. What is the value of sasl_pwcheck_method? Is it set to saslauthd?
While in the imapd.conf file, check the value of sasl_mech_list. Does it allow PLAIN and/or LOGIN (plaintext passwords)? If yes, and you want to authenticate over SASL, do you allow plaintext passwords over an unencrypted connection (non-TLS/SSL)? Check the allowplaintext option (if set to 0, you must use SSL/TLS for plaintext login).
If sasl_pwcheck_method is set to saslauthd, check if you enabled the saslauthd service, and that saslauthd is running.
If saslauthd is running (needed only if you configured Cyrus to use it), check the /etc/sysconfig/saslauthd file.
What is the value of the MECH variable?
If your users are stored in the /etc/passwd and /etc/shadow files, you can use either shadow or pam. If they are on NIS, use pam (since the shadow mechanism obviously can handle only local files). If your users are in LDAP, you'd need to create the /etc/saslauthd.conf file and define in there where your LDAP server is, and how to search for the users in your directory.
You can also install the cyrus-imapd-utils package. One of the utilities that comes with it is imtest. See the man page for it. It can be used to test and debug all kinds of problems with IMAP servers (not only Cyrus, you can use it to debug Dovecot, Courier or anything else). Very handy utility even if you don't use Cyrus IMAPD. It supports all kinds of authentication (plaintext, SASL stuff, Kerberos, SSL/TLS).
For example, if you use Kerberos for authentication:
kinit (to get a Kerberos ticket, if you don't have one already)
imtest -m GSSAPI -a username imap-server
Or to test plain plaintext over TLS (this will also give you a list of supported authentication mechanisms before and after STARTTLS):
imtest -t "" -m LOGIN -a username imap-server
Or plaintext over SASL (but this time, no TLS):
imtest -m PLAIN -a username imap-server
And so on...
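
The configuration checklist from the reply above, as an added example that is not part of the original message: a script that reads the two files it names and reports the settings it asks about. The function names are hypothetical, and the `key: value` and `MECH=` line formats are assumed from the files named in the reply.

```shell
#!/bin/sh
# Added example: apply the reply's checklist to config files passed as arguments.
# It does not check whether the saslauthd service is enabled or running.

# Value of "key: value" in an imapd.conf-style file (last occurrence).
imapd_opt() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Value of MECH= in a sysconfig-style file, quotes and spaces removed.
saslauthd_mech() {
    sed -n 's/^[[:space:]]*MECH=//p' "$1" | tail -n 1 | tr -d "\"' "
}

# Usage: check_imap_auth IMAPD_CONF SASLAUTHD_SYSCONFIG [SASLAUTHD_CONF]
# Prints one finding per line; returns 1 if a required setting or file is missing.
check_imap_auth() {
    conf=$1 sysconf=$2 ldapconf=${3:-/etc/saslauthd.conf} rc=0
    method=$(imapd_opt "$conf" sasl_pwcheck_method)
    mechs=$(imapd_opt "$conf" sasl_mech_list | tr '[:lower:]' '[:upper:]')
    plain=$(imapd_opt "$conf" allowplaintext)

    echo "sasl_pwcheck_method=${method:-<unset>}"
    if [ "$method" = saslauthd ]; then
        mech=$(saslauthd_mech "$sysconf")
        echo "saslauthd MECH=${mech:-<unset>}"
        case $mech in
            "")     echo "FAIL: MECH is not set in $sysconf"; rc=1 ;;
            pam)    ;;
            shadow) echo "NOTE: shadow reads local files only; NIS users need pam" ;;
            ldap)   [ -r "$ldapconf" ] || { echo "FAIL: $ldapconf not readable"; rc=1; } ;;
            *)      echo "NOTE: MECH is not one of shadow, pam, ldap" ;;
        esac
    fi

    echo "sasl_mech_list=${mechs:-<unset>} allowplaintext=${plain:-<unset>}"
    case " $mechs " in
        *" PLAIN "*|*" LOGIN "*)
            # The reply names 0; the other spellings of "off" are an assumption.
            case $plain in
                0|no|false|off) echo "NOTE: plaintext login needs SSL/TLS (allowplaintext off)" ;;
            esac ;;
    esac
    return $rc
}

if [ "$#" -ge 2 ]; then check_imap_auth "$@"; fi
```

Saved under a name of your choice, it is run with the two paths from the reply as arguments, /etc/imapd.conf and /etc/sysconfig/saslauthd.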