[CentOS] Cyrus-Imapd Sieve Unable to connect to server

Alexander Dalloz ad+lists at uni-x.org
Tue Jan 29 21:19:32 UTC 2008


Alain Reguera Delgado wrote:
> On 1/28/08, Alexander Dalloz <ad+lists at uni-x.org> wrote:
>   
>>
>>>> Again no SASL offering. Please check your cyrus-sasl installs.
>>>>
>>>>         
>>> $ rpm -qa | grep cyrus
>>> cyrus-sasl-2.1.22-4     <------------- see here
>>> cyrus-imapd-2.3.7-1.1.el5
>>> cyrus-sasl-lib-2.1.22-4    <------------- and here
>>> cyrus-imapd-perl-2.3.7-1.1.el5
>>> cyrus-imapd-utils-2.3.7-1.1.el5
>>>
>>>
>>>       
>> Hm. You shouldn't be able to SASL auth at all! You are missing the
>> cyrus-sasl-plain RPM to have both the liblogin.so* and libplain.so*
>> libraries. Very certainly installing this RPM will solve your problem.
>>     
>
> Yes. I installed those RPMs and things start working!!! ... I am very happy :D
>
>   
Congratulations.
>>>> And test
>>>> following: Run
>>>>
>>>> openssl s_client -connect localhost:2000 -starttls smtp
>>>>
>>>>         
>>> CONNECTED(00000003)
>>> 22760:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
>>> protocol:s23_clnt.c:567:
>>>
>>>       
>> Hm, that command works for me this way. Instead of "-starttls smtp" you
>> may try "-starttls pop3" or "-tls1".
>>     
>
> Well, that returns the same error with "-starttls pop3" but a different
> one with -tls1
>
> CONNECTED(00000003)
> 30901:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
> number:s3_pkt.c:284
>
>   
Not so important. If `sivtest ... -t ""' shows a working STARTTLS you
are on the safe side.
>
>> Even your SSL/TLS setup seems to be broken. Are the certificate files in
>> place?
>>     
>
> I looked at /etc/pki/cyrus-imapd/ and that directory is empty.
>
> Took a look at /etc/pki/tls/certs/ and there is a cyrus-imapd.pem file
> like that mentioned in imapd.conf file. I tried copying/linking it
> into /etc/pki/cyrus-imapd/ and restart cyrus-imapd but that error is
> still there when the openssl command is run.
>
> I have created a .crt and .key file to apache, related to my domain
> ... with the command:
>
> /usr/bin/openssl req -newkey rsa:1024 -keyout
> /etc/pki/tls/private/example.com.key -nodes -x509 -days 365 -out
> /etc/pki/tls/certs/example.com.crt
> (that taken from /etc/pki/tls/certs/make-dummy-cert bash script)
>
> Tried to use them but still no success. Don't know, how this error
> could affect cyrus-imapd-sieve?
>   
The question is whether a possible lack of TLS/SSL encryption is causing
the transmission of authentication data in plaintext over the wire. If
you use sieve just locally I feel you can ignore that.
>   
>> What does the cyrus-imapd service start report in the maillog?
>>     
>
> When run the command (the openssl s_client one), none ... just:
> ...
> sieve[30807]: executed
> sieve[30807]: accepted connection
> master[28736]: process 30807 exited, status 0
>
>   
>> Any errors?
>>     
>
> Not this time .. I think :)
>
> S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
> S: "SASL" "CRAM-MD5 DIGEST-MD5 LOGIN PLAIN"
> S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation
> imapflags notify envelope relational regex subaddress copy"
> S: "STARTTLS"
> S: OK
> C: AUTHENTICATE "DIGEST-MD5"
> S: {264}
> S: bm9uY2U9IkNpRTF5c0x2NllwcHNwQjhXVUo4TlRiakxFM3FBbDJPUzZVK1paNi9EbGM9IixyZWFsbT0ib3Jpb24uY2lnZXQuY2llbmZ1ZWdvcy5jdSIscW9wPSJhdXRoLGF1dGgtaW50LGF1dGgtY29uZiIsY2lwaGVyPSJyYzQtNDAscmM0LTU2LHJjNCxkZXMsM2RlcyIsbWF4YnVmPTQwOTYsY2hhcnNldD11dGYtOCxhbGdvcml0aG09bWQ1LXNlc3M=
> Please enter your password:
> {416+}
> C: dXNlcm5hbWU9ImFsQGNpZ2V0LmNpZW5mdWVnb3MuY3UiLHJlYWxtPSJvcmlvbi5jaWdldC5jaWVuZnVlZ29zLmN1Iixub25jZT0iQ2lFMXlzTHY2WXBwc3BCOFdVSjhOVGJqTEUzcUFsMk9TNlUrWlo2L0RsYz0iLGNub25jZT0id0Y2TktJQ0VRRitnZ2N4N21Xb3MvL0ptclVlK2pCNWloZDJBd3d2ZXhNND0iLG5jPTAwMDAwMDAxLHFvcD1hdXRoLWNvbmYsY2lwaGVyPXJjNCxtYXhidWY9MTAyNCxkaWdlc3QtdXJpPSJzaWV2ZS9vcmlvbi5jaWdldC5jaWVuZnVlZ29zLmN1IixyZXNwb25zZT1jNTg2OWJkYTEzNDlhYTNhNTQ4YTA3NWZlYjU2OTZjMw==
> S: OK (SASL "cnNwYXV0aD1mMTg5YzEzYjFmMzk5Y2NhYjcyZmI0NDJkMmQzNTZmNw==")
> Authenticated.
> Security strength factor: 128
> C: LOGOUT
> Connection closed.
>   
Fine. As MD5 mechs do not cause transmission of passwords there is no
risk they could be sniffed.
>
>> or to avoid plaintext passwords over the wire
>>
>> sasl_mech_list: CRAM-MD5 DIGEST-MD5
>>     
>
> In this configuration, we have a webmail (squirrelmail) with ssl
> available in the same machine. Do you think it would work without
> PLAIN mech available ?
>   
I assume you have squirrelmail talking to your Cyrus-Imapd over
localhost. Limited risk when using PLAIN or LOGIN. Of course you can use
MD5 mechs either on localhost only or through networks. In general it is
advised to protect passwords wherever you can.
>
> Thank you very much for this Tremendous Help. I uploaded some sieve
> scripts using sieveshell, took a look at maillog and enjoyed to see
> what happened .. that worked pretty nice!!!
>
> Cheers,
> al.
>   
Glad that I could help. Have fun with your powerful Cyrus-Imapd :)
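
Added example (not part of the original mails and not Cyrus code): a Python check that parses the ManageSieve capability greeting quoted in the thread and reports whether password-bearing mechanisms (PLAIN, LOGIN) are offered on a connection that is neither TLS-protected nor local. The function names and finding labels are assumptions made for this illustration.

```python
import re

# Mechanisms that put the password itself on the wire (base64 is not encryption).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Greeting as sivtest printed it in the thread, with the wrapped SIEVE line rejoined.
GREETING = '''\
S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
S: "SASL" "CRAM-MD5 DIGEST-MD5 LOGIN PLAIN"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
S: "STARTTLS"
S: OK
'''

_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_capabilities(text):
    """Return {NAME: value} from a ManageSieve capability listing."""
    caps = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("S: ", "C: ")):   # drop sivtest's direction marker
            line = line[3:]
        if line.upper().startswith(("OK", "NO", "BYE")):
            break                              # response code ends the listing
        fields = _QUOTED.findall(line)
        if fields:
            caps[fields[0].upper()] = fields[1] if len(fields) > 1 else ""
    return caps


def audit(caps, tls_active=False, local_only=False):
    """Return finding strings (hypothetical labels) about password exposure."""
    mechs = set(caps.get("SASL", "").upper().split())
    findings = []
    if not mechs:
        findings.append("no-sasl-mechs")       # the state earlier in the thread
    exposed = sorted(mechs & PLAINTEXT_MECHS)
    if exposed and not (tls_active or local_only):
        findings.append("plaintext-without-tls:" + ",".join(exposed))
    if "STARTTLS" not in caps and not tls_active:
        findings.append("no-starttls")
    return findings


if __name__ == "__main__":
    print(audit(parse_capabilities(GREETING)))
```

With `sasl_mech_list: CRAM-MD5 DIGEST-MD5` from the thread, the greeting no longer advertises PLAIN or LOGIN and the audit returns no findings.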


