On 1/28/08, Alexander Dalloz <ad+lists at uni-x.org> wrote:
> Alain Reguera Delgado wrote:
>
> Hello Alain,
>
> sorry for replying late.
>
> >>> Not too much difference from previous one:
> >>>
> >>> S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
> >>> S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation
> >>> imapflags notify envelope relational regex subaddress copy"
> >>> S: "STARTTLS"
> >>> S: OK
> >>> Authentication failed. generic failure
> >>> Security strength factor: 0
> >>> C: LOGOUT
> >>> Connection closed.
> >>>
> >>>
> >> Again no SASL offering. Please check your cyrus-sasl installs.
> >>
> >
> > $ rpm -qa | grep cyrus
> > cyrus-sasl-2.1.22-4 <------------- see here
> > cyrus-imapd-2.3.7-1.1.el5
> > cyrus-sasl-lib-2.1.22-4 <------------- and here
> > cyrus-imapd-perl-2.3.7-1.1.el5
> > cyrus-imapd-utils-2.3.7-1.1.el5
> >
> >
> Hm. You shouldn't be able to SASL auth at all! You are missing the
> cyrus-sasl-plain RPM to have both the liblogin.so* and libplain.so*
> libraries. Very certainly installing this RPM will solve your problem.

Yes. I installed those RPMs and things started working!!! ... I am very
happy :D

> >> And test
> >> following: Run
> >>
> >> openssl s_client -connect localhost:2000 -starttls smtp
> >>
> >
> > CONNECTED(00000003)
> > 22760:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> > protocol:s23_clnt.c:567:
> >
> Hm, that command works for me this way. Instead of "-starttls smtp" you
> may try "-starttls pop3" or "-tls1".

Well, that returns the same error with "-starttls pop3" but a different
one with -tls1

CONNECTED(00000003)
30901:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:284

> >> Does that offer SASL then?
> >> You can too test with
> >>
> >> sivtest -u al at example.com -a al at example.com -t ""
> >>
> >
> > S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
> > S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation
> > imapflags notify envelope relational regex subaddress copy"
> > S: "STARTTLS"
> > S: OK
> > C: STARTTLS
> > S: NO "Error initializing TLS"
> > Authentication failed. generic failure
> > Security strength factor: 0
> > C: LOGOUT
> > Connection closed.
> >
> Even your SSL/TLS setup seems to be broken. Are the certificate files in
> place.

I looked at /etc/pki/cyrus-imapd/ and that directory is empty. Took a
look at /etc/pki/tls/certs/ and there is a cyrus-imapd.pem file like
that mentioned in the imapd.conf file. I tried to copy/link it into
/etc/pki/cyrus-imapd/ and restart cyrus-imapd but that error is still
there when the openssl command is run.

I have created a .crt and .key file for apache, related to my domain ...
with the command:

/usr/bin/openssl req -newkey rsa:1024 -keyout /etc/pki/tls/private/example.com.key -nodes -x509 -days 365 -out /etc/pki/tls/certs/example.com.crt

(that taken from the /etc/pki/tls/certs/make-dummy-cert bash script)

Tried to use them but still no success. Don't know how this error
could affect cyrus-imapd-sieve?

> What does the cyrus-imapd service start report in the maillog?

When I run the command (the openssl s_client one), none ... just:

... sieve[30807]: executed
sieve[30807]: accepted connection
master[28736]: process 30807 exited, status 0

> Any errors?

Not this time ..
I think :)

S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
S: "SASL" "CRAM-MD5 DIGEST-MD5 LOGIN PLAIN"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
S: "STARTTLS"
S: OK
C: AUTHENTICATE "DIGEST-MD5"
S: {264}
S: bm9uY2U9IkNpRTF5c0x2NllwcHNwQjhXVUo4TlRiakxFM3FBbDJPUzZVK1paNi9EbGM9IixyZWFsbT0ib3Jpb24uY2lnZXQuY2llbmZ1ZWdvcy5jdSIscW9wPSJhdXRoLGF1dGgtaW50LGF1dGgtY29uZiIsY2lwaGVyPSJyYzQtNDAscmM0LTU2LHJjNCxkZXMsM2RlcyIsbWF4YnVmPTQwOTYsY2hhcnNldD11dGYtOCxhbGdvcml0aG09bWQ1LXNlc3M=
Please enter your password:
{416+}
C: dXNlcm5hbWU9ImFsQGNpZ2V0LmNpZW5mdWVnb3MuY3UiLHJlYWxtPSJvcmlvbi5jaWdldC5jaWVuZnVlZ29zLmN1Iixub25jZT0iQ2lFMXlzTHY2WXBwc3BCOFdVSjhOVGJqTEUzcUFsMk9TNlUrWlo2L0RsYz0iLGNub25jZT0id0Y2TktJQ0VRRitnZ2N4N21Xb3MvL0ptclVlK2pCNWloZDJBd3d2ZXhNND0iLG5jPTAwMDAwMDAxLHFvcD1hdXRoLWNvbmYsY2lwaGVyPXJjNCxtYXhidWY9MTAyNCxkaWdlc3QtdXJpPSJzaWV2ZS9vcmlvbi5jaWdldC5jaWVuZnVlZ29zLmN1IixyZXNwb25zZT1jNTg2OWJkYTEzNDlhYTNhNTQ4YTA3NWZlYjU2OTZjMw==
S: OK (SASL "cnNwYXV0aD1mMTg5YzEzYjFmMzk5Y2NhYjcyZmI0NDJkMmQzNTZmNw==")
Authenticated.
Security strength factor: 128
C: LOGOUT
Connection closed.

> >
> > So, to offer MD5 we could add it to sasl_mech_list ? Something like:
> >
> > sasl_mech_list: PLAIN MD5
> >
> No. To offer MD5 mechanisms use "DIGEST-MD5" or "CRAM-MD5" or even both.
> Being able to offer MD5 mechs is one of the positive aspects of using
> sasldb based auth.
>
> sasl_mech_list: LOGIN PLAIN CRAM-MD5 DIGEST-MD5

I'm currently using this one on the imapd.conf file.

>
> or to avoid plaintext passwords over the wire
>
> sasl_mech_list: CRAM-MD5 DIGEST-MD5

In this configuration, we have a webmail (squirrelmail) with ssl
available in the same machine. Do you think it would work without PLAIN
mech available?

>
> Pay attention to have the cyrus-sasl-md5 RPM installed. This will
> provide the required libraries for MD5 mech auth,

Yep. That was installed too.
:)

>
> Kind regards
>
> Alexander
>

Thank you very much for this Tremendous Help. I uploaded some sieve
scripts using sieveshell, took a look at maillog and enjoyed to see what
happened .. that worked pretty nice!!!

Cheers,
al.
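
The checks made by eye in this thread (no "SASL" line in the timsieved greeting, STARTTLS answered with NO, PLAIN and LOGIN offered before TLS) can be scripted. The following is an added example, not part of the original messages or of Cyrus: the function names and finding codes are hypothetical, and the sample transcripts are constructed from the sivtest output quoted above, abridged.

```python
import re

# Mechanisms that put the password itself on the wire (base64 only).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
CAP_LINE = re.compile(r'^S:\s+"([^"]+)"(?:\s+"([^"]*)")?\s*$')

def parse_greeting(transcript):
    """Return {capability: value} from the S: lines before the first 'S: OK'."""
    caps = {}
    for line in transcript.strip().splitlines():
        line = line.strip()
        if line.startswith("S: OK"):
            break
        m = CAP_LINE.match(line)
        if m:
            caps[m.group(1).upper()] = m.group(2) or ""
    return caps

def audit(transcript):
    """Return hypothetical finding codes for one sivtest-style transcript."""
    caps = parse_greeting(transcript)
    mechs = set(caps.get("SASL", "").upper().split())
    findings = []
    if not mechs:
        # In the thread: cyrus-sasl-plain / cyrus-sasl-md5 were not installed.
        findings.append("no-sasl")
    if mechs & PLAINTEXT_MECHS:
        findings.append("plaintext-before-tls")
    if "STARTTLS" not in caps:
        findings.append("starttls-missing")
    elif re.search(r'^C: STARTTLS\s*\nS: NO\b', transcript, re.M):
        findings.append("starttls-failed")
    return findings

# Constructed samples, abridged from the transcripts quoted in the thread.
BROKEN = '''S: "SIEVE" "fileinto reject vacation"
S: "STARTTLS"
S: OK
C: STARTTLS
S: NO "Error initializing TLS"
'''
WORKING = '''S: "SASL" "CRAM-MD5 DIGEST-MD5 LOGIN PLAIN"
S: "STARTTLS"
S: OK
'''
# Constructed: greeting expected with "sasl_mech_list: CRAM-MD5 DIGEST-MD5".
MD5_ONLY = WORKING.replace(" LOGIN PLAIN", "")

if __name__ == "__main__":
    for name in ("BROKEN", "WORKING", "MD5_ONLY"):
        print(name, audit(globals()[name]))
```
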