Hi,
Do you know if the sieve implementation in the cyrus-imapd package is working correctly? When trying to connect to timsieved at localhost with sieveshell I'm getting the following error:
$ sieveshell --user=al --authname=cyrus localhost
connecting to localhost
unable to connect to server at /usr/bin/sieveshell line 169
The configuration in /etc/cyrus.conf is the default. Port 2000 is listening on all TCP interfaces. This port is not open in the iptables configuration.
From localhost, when trying imtest, authentication works fine ... I'm using auxprop with sasldb2 here on a CentOS 5.0 box.
Any ideas?
Some related references I've found: http://lists.linuxcoding.com/rhl/2005/msg03157.html http://www.irbs.net/internet/info-cyrus/0503/0205.html
Thank you very much, al.
Alain Reguera Delgado schrieb:
Hi,
Do you know if the sieve implementation in the cyrus-imapd package is working correctly? When trying to connect to timsieved at localhost with sieveshell I'm getting the following error:
$ sieveshell --user=al --authname=cyrus localhost
connecting to localhost
unable to connect to server at /usr/bin/sieveshell line 169
The configuration in /etc/cyrus.conf is the default. Port 2000 is listening on all TCP interfaces. This port is not open in the iptables configuration.
Sure the CentOS 5 default cyrus.conf uses SASL auxprop with sasldb plugin?
From localhost, when trying imtest, authentication works fine ... I'm using auxprop with sasldb2 here on a CentOS 5.0 box.
Any ideas?
Some related references I've found: http://lists.linuxcoding.com/rhl/2005/msg03157.html http://www.irbs.net/internet/info-cyrus/0503/0205.html
Thank you very much, al.
What does `sivtest' tell you? Try with a mech that is neither LOGIN nor PLAIN.
Alexander
On 1/22/08, Alexander Dalloz ad+lists@uni-x.org wrote:
Alain Reguera Delgado schrieb:
Hi,
Do you know if the sieve implementation in the cyrus-imapd package is working correctly? When trying to connect to timsieved at localhost with sieveshell I'm getting the following error:
$ sieveshell --user=al --authname=cyrus localhost
connecting to localhost
unable to connect to server at /usr/bin/sieveshell line 169
The configuration in /etc/cyrus.conf is the default. Port 2000 is listening on all TCP interfaces. This port is not open in the iptables configuration.
Sure the CentOS 5 default cyrus.conf uses SASL auxprop with sasldb plugin?
Don't know :(. I haven't touched /etc/cyrus.conf, just /etc/imapd.conf to use auxprop. Should I modify /etc/cyrus.conf? This is my first experience with sieve configuration.
From localhost, when trying imtest, authentication works fine ... I'm using auxprop with sasldb2 here on a CentOS 5.0 box.
Any ideas?
...
What does `sivtest' tell you?
S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
S: "STARTTLS"
S: OK
Authentication failed. generic failure
Security strength factor: 0
C: LOGOUT
Connection closed.
Try with a mech that is neither LOGIN nor PLAIN.
How could we do that?
Alexander
Thank you very much Alexander
Cheers, al
Alain Reguera Delgado schrieb:
On 1/22/08, Alexander Dalloz ad+lists@uni-x.org wrote:
Alain Reguera Delgado schrieb:
Hi,
Do you know if the sieve implementation in the cyrus-imapd package is working correctly? When trying to connect to timsieved at localhost with sieveshell I'm getting the following error:
$ sieveshell --user=al --authname=cyrus localhost
connecting to localhost
unable to connect to server at /usr/bin/sieveshell line 169
The configuration in /etc/cyrus.conf is the default. Port 2000 is listening on all TCP interfaces. This port is not open in the iptables configuration.
Sure the CentOS 5 default cyrus.conf uses SASL auxprop with sasldb plugin?
Don't know :(. I haven't touched /etc/cyrus.conf, just /etc/imapd.conf to use auxprop. Should I modify /etc/cyrus.conf? This is my first experience with sieve configuration.
O sorry. I meant imapd.conf when speaking about the SASL setup for cyrus-imapd. You may post your imapd.conf.
From localhost, when trying imtest, authentication works fine ... I'm using auxprop with sasldb2 here on a CentOS 5.0 box.
Any ideas?
I wonder that `imtest' succeeds and `sivtest' fails. I think it would help if you provide an `imtest' run in verbose mode (parameter "-v").
...
What does `sivtest' tell you?
S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
S: "STARTTLS"
S: OK
Authentication failed. generic failure
Security strength factor: 0
C: LOGOUT
Connection closed.
Ok. The server even fails to offer authentication properly. Please run it again in verbose mode with parameter "-v".
Try with a mech that is neither LOGIN nor PLAIN.
How could we do that?
man sivtest -> -m mech
Alexander
Thank you very much Alexander
Cheers, al
You are welcome. Please be as specific about your cyrus-imapd setup as you can be. Providing config files and some more info is recommended. For instance please show us `ls -al /etc/sasldb' and the output of `sasldblistusers2'. You are aware that you will always have realmed users? Means you won't have a user "al" but "al@realm" (the realm is your hostname if you don't specify a different one when running `saslpasswd2').
Regards
Alexander
On 1/22/08, Alexander Dalloz ad+lists@uni-x.org wrote:
Alain Reguera Delgado schrieb:
On 1/22/08, Alexander Dalloz ad+lists@uni-x.org wrote:
...
Sure the CentOS 5 default cyrus.conf uses SASL auxprop with sasldb plugin?
Don't know :(. I haven't touched /etc/cyrus.conf, just /etc/imapd.conf to use auxprop. Should I modify /etc/cyrus.conf? This is my first experience with sieve configuration.
O sorry. I meant imapd.conf when speaking about the SASL setup for cyrus-imapd. You may post your imapd.conf.
Here is the /etc/imapd.conf file.
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus cyrusadm
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: auxprop
sasl_mech_list: PLAIN
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
virtdomains: yes
defaultdomain: example.com
unixhierarchysep: yes
From localhost, when trying imtest, authentication works fine ... I'm using auxprop with sasldb2 here on a CentOS 5.0 box.
Any ideas?
I wonder that `imtest' succeeds and `sivtest' fails. I think it would help if you provide an `imtest' run in verbose mode (parameter "-v").
Yep. See:
S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS] orion.example.com Cyrus IMAP4 v2.3.7-Invoca-RPM-2.3.7-1.1.el5 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN al {15}
S: + go ahead
C: <omitted>
S: L01 OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH] User logged in
Authenticated.
Security strength factor: 0
C: Q01 LOGOUT
Connection closed.
...
What does `sivtest' tell you?
S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
S: "STARTTLS"
S: OK
Authentication failed. generic failure
Security strength factor: 0
C: LOGOUT
Connection closed.
Ok. The server even fails to offer authentication properly. Please run it again in verbose mode with parameter "-v".
Not too much difference from previous one:
S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
S: "STARTTLS"
S: OK
Authentication failed. generic failure
Security strength factor: 0
C: LOGOUT
Connection closed.
Try with a mech that is neither LOGIN nor PLAIN.
How could we do that?
man sivtest -> -m mech
Yep, but which method should we use after -m ... auxprop?
Alexander
Thank you very much Alexander
...
You are welcome. Please be as specific about your cyrus-imapd setup as you can be. Providing config files and some more info is recommended. For instance please show us `ls -al /etc/sasldb'
-r--r----- 1 cyrus mail 12288 Jan 22 00:43 /etc/sasldb2
and the output of `sasldblistusers2'.
al@orion.example.com: userPassword
You are aware that you will always have realmed
users? Means you won't have a user "al" but "al@realm" (the realm is your hostname if you don't specify a different one when running `saslpasswd2').
Yes, it is nice to remember that. This was one of the main reasons for using auxprop. When this small mail server was configured, at the beginning, this configuration used two virtual domains (i.e. example-1.com, example-2.com) plus the default one, example.com. With this, I was able to set passwords for user@example-1.com, user@example-2.com and user@example.com independently, as completely different users.
Correct me if this is wrong, please.
At this moment none of the virtual domain accounts exist.
Alexander
Cheers, al.
Alain Reguera Delgado schrieb:
Here is the /etc/imapd.conf file.
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus cyrusadm
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: auxprop
sasl_mech_list: PLAIN
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
virtdomains: yes
defaultdomain: example.com
unixhierarchysep: yes
For testing please specify additionally
allowplaintext: yes
I wonder that `imtest' succeeds and `sivtest' fails. I think it would help if you provide an `imtest' run in verbose mode (parameter "-v").
Yep. See:
S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS] orion.example.com Cyrus IMAP4 v2.3.7-Invoca-RPM-2.3.7-1.1.el5 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN al {15}
S: + go ahead
C: <omitted>
S: L01 OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH] User logged in
Authenticated.
Security strength factor: 0
C: Q01 LOGOUT
Connection closed.
STARTTLS is offered but not used. I wonder that you can LOGIN with PLAIN though the default is to not permit plaintext logins without encryption. Thus I beg you to set the additional parameter inside imapd.conf.
...
What does `sivtest' tell you?
S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
S: "STARTTLS"
S: OK
Authentication failed. generic failure
Security strength factor: 0
C: LOGOUT
Connection closed.
Ok. The server even fails to offer authentication properly. Please run it again in verbose mode with parameter "-v".
Not too much difference from previous one:
S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
S: "STARTTLS"
S: OK
Authentication failed. generic failure
Security strength factor: 0
C: LOGOUT
Connection closed.
Again no SASL offering. Please check your cyrus-sasl installs. And test following: Run
openssl s_client -connect localhost:2000 -starttls smtp
Does that offer SASL then? You can too test with
sivtest -u al@example.com -a al@example.com -t ""
Try with a mech that is neither LOGIN nor PLAIN.
How could we do that?
man sivtest -> -m mech
Yep, but which method should we use after -m ... auxprop?
No. In imapd.conf you specified your own
sasl_mech_list: PLAIN
so it should be obvious which mechanism you can choose. As you previously said you were running sasldb, I thought you would offer MD5 mechs, hence my suggestion.
Please report back.
Alexander
On 1/24/08, Alexander Dalloz ad+lists@uni-x.org wrote:
Alain Reguera Delgado schrieb:
Here is the /etc/imapd.conf file.
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus cyrusadm
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: auxprop
sasl_mech_list: PLAIN
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
virtdomains: yes
defaultdomain: example.com
unixhierarchysep: yes
For testing please specify additionally
allowplaintext: yes
Option added for testing and after that a `service cyrus-imapd restart` was run.
I wonder that `imtest' succeeds and `sivtest' fails. I think it would help if you provide an `imtest' run in verbose mode (parameter "-v").
Yep. See:
S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS] orion.example.com Cyrus IMAP4 v2.3.7-Invoca-RPM-2.3.7-1.1.el5 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN al {15}
S: + go ahead
C: <omitted>
S: L01 OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH] User logged in
Authenticated.
Security strength factor: 0
C: Q01 LOGOUT
Connection closed.
STARTTLS is offered but not used. I wonder that you can LOGIN with PLAIN though the default is to not permit plaintext logins without encryption. Thus I beg you to set the additional parameter inside imapd.conf.
done.
What does `sivtest' tell you?
S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
S: "STARTTLS"
S: OK
Authentication failed. generic failure
Security strength factor: 0
C: LOGOUT
Connection closed.
Ok. The server even fails to offer authentication properly. Please run it again in verbose mode with parameter "-v".
Not too much difference from previous one:
S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
S: "STARTTLS"
S: OK
Authentication failed. generic failure
Security strength factor: 0
C: LOGOUT
Connection closed.
Again no SASL offering. Please check your cyrus-sasl installs.
$ rpm -qa | grep cyrus
cyrus-sasl-2.1.22-4               <------------- see here
cyrus-imapd-2.3.7-1.1.el5
cyrus-sasl-lib-2.1.22-4           <------------- and here
cyrus-imapd-perl-2.3.7-1.1.el5
cyrus-imapd-utils-2.3.7-1.1.el5
And test following: Run
openssl s_client -connect localhost:2000 -starttls smtp
CONNECTED(00000003) 22760:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:
Does that offer SASL then? You can too test with
sivtest -u al@example.com -a al@example.com -t ""
S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
S: "STARTTLS"
S: OK
C: STARTTLS
S: NO "Error initializing TLS"
Authentication failed. generic failure
Security strength factor: 0
C: LOGOUT
Connection closed.
Try with a mech that is neither LOGIN nor PLAIN.
How could we do that?
man sivtest -> -m mech
Yep, but which method should we use after -m ... auxprop?
No. In imapd.conf you specified your own
sasl_mech_list: PLAIN
so it should be obvious which mechanism you can choose. As you previously said you were running sasldb, I thought you would offer MD5 mechs, hence my suggestion.
So, to offer MD5 we could add it to sasl_mech_list? Something like:
sasl_mech_list: PLAIN MD5
Please report back.
Alexander
Cheers, al.
Alain Reguera Delgado schrieb:
Hello Alain,
sorry for replying late.
Not too much difference from previous one:
S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
S: "STARTTLS"
S: OK
Authentication failed. generic failure
Security strength factor: 0
C: LOGOUT
Connection closed.
Again no SASL offering. Please check your cyrus-sasl installs.
$ rpm -qa | grep cyrus
cyrus-sasl-2.1.22-4               <------------- see here
cyrus-imapd-2.3.7-1.1.el5
cyrus-sasl-lib-2.1.22-4           <------------- and here
cyrus-imapd-perl-2.3.7-1.1.el5
cyrus-imapd-utils-2.3.7-1.1.el5
Hm. You shouldn't be able to SASL auth at all! You are missing the cyrus-sasl-plain RPM to have both the liblogin.so* and libplain.so* libraries. Very certainly installing this RPM will solve your problem.
And test following: Run
openssl s_client -connect localhost:2000 -starttls smtp
CONNECTED(00000003) 22760:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:
Hm, that command works for me this way. Instead of "-starttls smtp" you may try "-starttls pop3" or "-tls1".
Does that offer SASL then? You can too test with
sivtest -u al@example.com -a al@example.com -t ""
S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
S: "STARTTLS"
S: OK
C: STARTTLS
S: NO "Error initializing TLS"
Authentication failed. generic failure
Security strength factor: 0
C: LOGOUT
Connection closed.
Even your SSL/TLS setup seems to be broken. Are the certificate files in place? What does the cyrus-imapd service start report in the maillog? Any errors?
So, to offer MD5 we could add it to sasl_mech_list? Something like:
sasl_mech_list: PLAIN MD5
No. To offer MD5 mechanisms use "DIGEST-MD5" or "CRAM-MD5" or even both. Being able to offer MD5 mechs is one of the positive aspects of using sasldb based auth.
sasl_mech_list: LOGIN PLAIN CRAM-MD5 DIGEST-MD5
or to avoid plaintext passwords over the wire
sasl_mech_list: CRAM-MD5 DIGEST-MD5
Pay attention to have the cyrus-sasl-md5 RPM installed. This will provide the required libraries for MD5 mech auth.
Kind regards
Alexander
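The diagnosis in this thread is that timsieved advertised no "SASL" capability line because the cyrus-sasl plugin for the only configured mechanism was not installed. The script below is an added example for this thread, not code from the posters, from Cyrus or from cyrus-sasl: it reads the mechanisms a ManageSieve server advertises from a sivtest-style greeting, and it compares sasl_mech_list in imapd.conf against the cyrus-sasl plugin directory. The plugin directory path (/usr/lib/sasl2 or /usr/lib64/sasl2), the mapping from the MD5 mechanisms to libcrammd5.so and libdigestmd5.so, and the sample imapd.conf are assumptions made for the example; the greeting lines fed to it are constructed.

```shell
#!/bin/sh
# Added example for this thread (not from Cyrus, cyrus-sasl or the posters):
# diagnose a timsieved that advertises no SASL mechanisms.

# Print the mechanisms a ManageSieve server advertises, one per line. Reads the
# greeting in the form sivtest prints it ("S: ..." lines) from stdin. No output
# means the server sent no "SASL" capability at all, the symptom in the thread.
sieve_offered_mechs() {
    sed -n 's/^S: "SASL" "\([^"]*\)".*/\1/p' | tr ' ' '\n' | sed '/^$/d'
}

# Map a mechanism name to the cyrus-sasl plugin library that implements it.
# libplain.so and liblogin.so are the names given in the thread; the MD5
# library names are an assumption (the cyrus-sasl-md5 plugins). Prints nothing
# for mechanisms this example does not know about.
sasl_plugin_for_mech() {
    case "$1" in
        PLAIN)      echo libplain.so ;;
        LOGIN)      echo liblogin.so ;;
        CRAM-MD5)   echo libcrammd5.so ;;
        DIGEST-MD5) echo libdigestmd5.so ;;
    esac
}

# Compare sasl_mech_list in an imapd.conf ($1) with the SASL plugin directory
# ($2; /usr/lib/sasl2 or /usr/lib64/sasl2 on CentOS 5 is an assumption here,
# verify with `rpm -ql cyrus-sasl-lib`). Prints one line per mechanism whose
# plugin is absent and returns 1 if any is missing, 0 otherwise.
sasl_missing_plugins() {
    conf=$1; plugdir=$2; rc=0
    mechs=$(sed -n 's/^sasl_mech_list:[[:space:]]*//p' "$conf")
    if [ -z "$mechs" ]; then
        echo "no sasl_mech_list in $conf: cyrus-sasl will offer every installed plugin"
        return 0
    fi
    for mech in $mechs; do
        lib=$(sasl_plugin_for_mech "$mech")
        if [ -z "$lib" ]; then
            echo "$mech: not covered by this check"
            continue
        fi
        # Plugins are installed with version suffixes (libplain.so.2.0.22, ...),
        # so accept any file that starts with the base name.
        if ! ls "$plugdir/$lib"* >/dev/null 2>&1; then
            echo "$mech: no $lib* in $plugdir (install the cyrus-sasl RPM that ships it)"
            rc=1
        fi
    done
    return $rc
}

# Demonstration on constructed data, not the poster's real files: the PLAIN
# plugin is present, the CRAM-MD5 one is not, and the greeting has no SASL line.
demo=$(mktemp -d)
printf 'sasl_pwcheck_method: auxprop\nsasl_mech_list: PLAIN CRAM-MD5\n' > "$demo/imapd.conf"
mkdir "$demo/sasl2"
: > "$demo/sasl2/libplain.so.2.0.22"
sasl_missing_plugins "$demo/imapd.conf" "$demo/sasl2" || echo "-> fix the plugins, then rerun sivtest"
printf '%s\n' 'S: "IMPLEMENTATION" "Cyrus timsieved"' 'S: "STARTTLS"' 'S: OK' \
    | sieve_offered_mechs | grep -q . || echo "-> server advertises no SASL mechanism"
rm -rf "$demo"
```

Run as-is it exercises the constructed case; on a real box call `sasl_missing_plugins /etc/imapd.conf /usr/lib64/sasl2` (or the /usr/lib/sasl2 path on 32-bit) and pipe a saved sivtest run into `sieve_offered_mechs`. The missing `S: "SASL"` line is the signature seen in the transcripts above; the second function locates the cause the thread settled on, and it also catches the later case where CRAM-MD5 or DIGEST-MD5 is listed but cyrus-sasl-md5 is not installed.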
On 1/28/08, Alexander Dalloz ad+lists@uni-x.org wrote:
Alain Reguera Delgado schrieb:
Hello Alain,
sorry for replying late.
Not too much difference from previous one:
S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
S: "STARTTLS"
S: OK
Authentication failed. generic failure
Security strength factor: 0
C: LOGOUT
Connection closed.
Again no SASL offering. Please check your cyrus-sasl installs.
$ rpm -qa | grep cyrus
cyrus-sasl-2.1.22-4               <------------- see here
cyrus-imapd-2.3.7-1.1.el5
cyrus-sasl-lib-2.1.22-4           <------------- and here
cyrus-imapd-perl-2.3.7-1.1.el5
cyrus-imapd-utils-2.3.7-1.1.el5
Hm. You shouldn't be able to SASL auth at all! You are missing the cyrus-sasl-plain RPM to have both the liblogin.so* and libplain.so* libraries. Very certainly installing this RPM will solve your problem.
Yes. I installed those RPMs and things start working!!! ... I am very happy :D
And test following: Run
openssl s_client -connect localhost:2000 -starttls smtp
CONNECTED(00000003) 22760:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:
Hm, that command works for me this way. Instead of "-starttls smtp" you may try "-starttls pop3" or "-tls1".
Well, that returns the same error with "-starttls pop3" but a different one with -tls1:
CONNECTED(00000003) 30901:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:284
Does that offer SASL then? You can too test with
sivtest -u al@example.com -a al@example.com -t ""
S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
S: "STARTTLS"
S: OK
C: STARTTLS
S: NO "Error initializing TLS"
Authentication failed. generic failure
Security strength factor: 0
C: LOGOUT
Connection closed.
Even your SSL/TLS setup seems to be broken. Are the certificate files in place?
I looked at /etc/pki/cyrus-imapd/ and that directory is empty.
Took a look at /etc/pki/tls/certs/ and there is a cyrus-imapd.pem file like the one mentioned in the imapd.conf file. I tried copying/linking it into /etc/pki/cyrus-imapd/ and restarting cyrus-imapd, but that error is still there when the openssl command is run.
I have created a .crt and .key file for apache, related to my domain, with the command:
/usr/bin/openssl req -newkey rsa:1024 -keyout /etc/pki/tls/private/example.com.key -nodes -x509 -days 365 -out /etc/pki/tls/certs/example.com.crt (taken from the /etc/pki/tls/certs/make-dummy-cert bash script)
Tried to use them but still no success. I don't know how this error could affect cyrus-imapd-sieve?
What does the cyrus-imapd service start report in the maillog?
When running the command (the openssl s_client one), none ... just:
... sieve[30807]: executed
sieve[30807]: accepted connection
master[28736]: process 30807 exited, status 0
Any errors?
Not this time .. I think :)
S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
S: "SASL" "CRAM-MD5 DIGEST-MD5 LOGIN PLAIN"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
S: "STARTTLS"
S: OK
C: AUTHENTICATE "DIGEST-MD5"
S: {264}
S: bm9uY2U9IkNpRTF5c0x2NllwcHNwQjhXVUo4TlRiakxFM3FBbDJPUzZVK1paNi9EbGM9IixyZWFsbT0ib3Jpb24uY2lnZXQuY2llbmZ1ZWdvcy5jdSIscW9wPSJhdXRoLGF1dGgtaW50LGF1dGgtY29uZiIsY2lwaGVyPSJyYzQtNDAscmM0LTU2LHJjNCxkZXMsM2RlcyIsbWF4YnVmPTQwOTYsY2hhcnNldD11dGYtOCxhbGdvcml0aG09bWQ1LXNlc3M=
Please enter your password:
{416+}
C: dXNlcm5hbWU9ImFsQGNpZ2V0LmNpZW5mdWVnb3MuY3UiLHJlYWxtPSJvcmlvbi5jaWdldC5jaWVuZnVlZ29zLmN1Iixub25jZT0iQ2lFMXlzTHY2WXBwc3BCOFdVSjhOVGJqTEUzcUFsMk9TNlUrWlo2L0RsYz0iLGNub25jZT0id0Y2TktJQ0VRRitnZ2N4N21Xb3MvL0ptclVlK2pCNWloZDJBd3d2ZXhNND0iLG5jPTAwMDAwMDAxLHFvcD1hdXRoLWNvbmYsY2lwaGVyPXJjNCxtYXhidWY9MTAyNCxkaWdlc3QtdXJpPSJzaWV2ZS9vcmlvbi5jaWdldC5jaWVuZnVlZ29zLmN1IixyZXNwb25zZT1jNTg2OWJkYTEzNDlhYTNhNTQ4YTA3NWZlYjU2OTZjMw==
S: OK (SASL "cnNwYXV0aD1mMTg5YzEzYjFmMzk5Y2NhYjcyZmI0NDJkMmQzNTZmNw==")
Authenticated.
Security strength factor: 128
C: LOGOUT
Connection closed.
So, to offer MD5 we could add it to sasl_mech_list? Something like:
sasl_mech_list: PLAIN MD5
No. To offer MD5 mechanisms use "DIGEST-MD5" or "CRAM-MD5" or even both. Being able to offer MD5 mechs is one of the positive aspects of using sasldb based auth.
sasl_mech_list: LOGIN PLAIN CRAM-MD5 DIGEST-MD5
I'm currently using this one on the imapd.conf file.
or to avoid plaintext passwords over the wire
sasl_mech_list: CRAM-MD5 DIGEST-MD5
In this configuration, we have a webmail (squirrelmail) with SSL available on the same machine. Do you think it would work without the PLAIN mech available?
Pay attention to have the cyrus-sasl-md5 RPM installed. This will provide the required libraries for MD5 mech auth,
Yep. That was installed too. :)
Kind regards
Alexander
Thank you very much for this tremendous help. I uploaded some sieve scripts using sieveshell, took a look at the maillog and enjoyed seeing what happened .. that worked pretty nicely!!!
Cheers, al.
Alain Reguera Delgado schrieb:
On 1/28/08, Alexander Dalloz ad+lists@uni-x.org wrote:
Again no SASL offering. Please check your cyrus-sasl installs.
$ rpm -qa | grep cyrus
cyrus-sasl-2.1.22-4               <------------- see here
cyrus-imapd-2.3.7-1.1.el5
cyrus-sasl-lib-2.1.22-4           <------------- and here
cyrus-imapd-perl-2.3.7-1.1.el5
cyrus-imapd-utils-2.3.7-1.1.el5
Hm. You shouldn't be able to SASL auth at all! You are missing the cyrus-sasl-plain RPM to have both the liblogin.so* and libplain.so* libraries. Very certainly installing this RPM will solve your problem.
Yes. I installed those RPMs and things start working!!! ... I am very happy :D
Congratulations.
And test following: Run
openssl s_client -connect localhost:2000 -starttls smtp
CONNECTED(00000003) 22760:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:
Hm, that command works for me this way. Instead of "-starttls smtp" you may try "-starttls pop3" or "-tls1".
Well, that returns the same error with "-starttls pop3" but a different one with -tls1:
CONNECTED(00000003) 30901:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:284
Not so important. If `sivtest ... -t ""' shows a working STARTTLS you are on the safe side.
Even your SSL/TLS setup seems to be broken. Are the certificate files in place?
I looked at /etc/pki/cyrus-imapd/ and that directory is empty.
Took a look at /etc/pki/tls/certs/ and there is a cyrus-imapd.pem file like the one mentioned in the imapd.conf file. I tried copying/linking it into /etc/pki/cyrus-imapd/ and restarting cyrus-imapd, but that error is still there when the openssl command is run.
I have created a .crt and .key file for apache, related to my domain, with the command:
/usr/bin/openssl req -newkey rsa:1024 -keyout /etc/pki/tls/private/example.com.key -nodes -x509 -days 365 -out /etc/pki/tls/certs/example.com.crt (taken from the /etc/pki/tls/certs/make-dummy-cert bash script)
Tried to use them but still no success. I don't know how this error could affect cyrus-imapd-sieve?
The question is whether a possible lack of TLS/SSL encryption is causing the transmission of authentication data in plaintext over the wire. If you use sieve just locally I feel you can ignore that.
What does the cyrus-imapd service start report in the maillog?
When running the command (the openssl s_client one), none ... just:
... sieve[30807]: executed
sieve[30807]: accepted connection
master[28736]: process 30807 exited, status 0
Any errors?
Not this time .. I think :)
S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
S: "SASL" "CRAM-MD5 DIGEST-MD5 LOGIN PLAIN"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
S: "STARTTLS"
S: OK
C: AUTHENTICATE "DIGEST-MD5"
S: {264}
S: bm9uY2U9IkNpRTF5c0x2NllwcHNwQjhXVUo4TlRiakxFM3FBbDJPUzZVK1paNi9EbGM9IixyZWFsbT0ib3Jpb24uY2lnZXQuY2llbmZ1ZWdvcy5jdSIscW9wPSJhdXRoLGF1dGgtaW50LGF1dGgtY29uZiIsY2lwaGVyPSJyYzQtNDAscmM0LTU2LHJjNCxkZXMsM2RlcyIsbWF4YnVmPTQwOTYsY2hhcnNldD11dGYtOCxhbGdvcml0aG09bWQ1LXNlc3M=
Please enter your password:
{416+}
C: dXNlcm5hbWU9ImFsQGNpZ2V0LmNpZW5mdWVnb3MuY3UiLHJlYWxtPSJvcmlvbi5jaWdldC5jaWVuZnVlZ29zLmN1Iixub25jZT0iQ2lFMXlzTHY2WXBwc3BCOFdVSjhOVGJqTEUzcUFsMk9TNlUrWlo2L0RsYz0iLGNub25jZT0id0Y2TktJQ0VRRitnZ2N4N21Xb3MvL0ptclVlK2pCNWloZDJBd3d2ZXhNND0iLG5jPTAwMDAwMDAxLHFvcD1hdXRoLWNvbmYsY2lwaGVyPXJjNCxtYXhidWY9MTAyNCxkaWdlc3QtdXJpPSJzaWV2ZS9vcmlvbi5jaWdldC5jaWVuZnVlZ29zLmN1IixyZXNwb25zZT1jNTg2OWJkYTEzNDlhYTNhNTQ4YTA3NWZlYjU2OTZjMw==
S: OK (SASL "cnNwYXV0aD1mMTg5YzEzYjFmMzk5Y2NhYjcyZmI0NDJkMmQzNTZmNw==")
Authenticated.
Security strength factor: 128
C: LOGOUT
Connection closed.
Fine. As MD5 mechs do not cause transmission of passwords there is no risk they could be sniffed.
or to avoid plaintext passwords over the wire
sasl_mech_list: CRAM-MD5 DIGEST-MD5
In this configuration, we have a webmail (squirrelmail) with SSL available on the same machine. Do you think it would work without the PLAIN mech available?
I assume you have squirrelmail talking to your Cyrus-Imapd over localhost. Limited risk when using PLAIN or LOGIN. Of course you can use MD5 mechs either on localhost only or through networks. In general it is advised to protect passwords wherever you can.
Thank you very much for this tremendous help. I uploaded some sieve scripts using sieveshell, took a look at the maillog and enjoyed seeing what happened .. that worked pretty nicely!!!
Cheers, al.
Glad that I could help. Have fun with your powerful Cyrus-Imapd :)