On 1/24/08, Alexander Dalloz <ad+lists at uni-x.org> wrote:
> Alain Reguera Delgado wrote:
> > Here is the /etc/imapd.conf file.
> > configdirectory: /var/lib/imap
> > partition-default: /var/spool/imap
> > admins: cyrus cyrusadm
> > sievedir: /var/lib/imap/sieve
> > sendmail: /usr/sbin/sendmail
> > hashimapspool: true
> > sasl_pwcheck_method: auxprop
> > sasl_mech_list: PLAIN
> > tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
> > tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
> > tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
> > virtdomains: yes
> > defaultdomain: example.com
> > unixhierarchysep: yes
> >
> For testing please specify additionally
>
> allowplaintext: yes

Option added for testing and after that a `service cyrus-imapd restart` was run.

> >
> >> I wonder that `imtest' succeeds and `sivtest' fails. I think it would
> >> help if you provide an `imtest' run in verbose mode (parameter "-v").
> >>
> >
> > Yep. See:
> >
> > S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS]
> > orion.example.com Cyrus IMAP4 v2.3.7-Invoca-RPM-2.3.7-1.1.el5 server
> > ready
> > C: C01 CAPABILITY
> > S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS ACL RIGHTS=kxte
> > QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT
> > CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT
> > THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT
> > LIST-SUBSCRIBED X-NETSCAPE URLAUTH
> > S: C01 OK Completed
> > Please enter your password:
> > C: L01 LOGIN al {15}
> > S: + go ahead
> > C: <omitted>
> > S: L01 OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED ACL
> > RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME
> > UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ
> > THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE
> > CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH] User logged
> > in
> > Authenticated.
> > Security strength factor: 0
> > C: Q01 LOGOUT
> > Connection closed.
> >
> STARTTLS is offered but not used. I wonder that you can LOGIN with PLAIN
> though the default is to not permit plaintext logins without encryption.
> Thus I beg you to set the additional parameter inside imapd.conf.

done.

> >>>> What does `sivtest' tell you?
> >>>>
> >>>>
> >>> S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
> >>> S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation
> >>> imapflags notify envelope relational regex subaddress copy"
> >>> S: "STARTTLS"
> >>> S: OK
> >>> Authentication failed. generic failure
> >>> Security strength factor: 0
> >>> C: LOGOUT
> >>> Connection closed.
> >>>
> >>>
> >> Ok. The server even fails to offer authentication properly. Please run
> >> it again in verbose mode with parameter "-v".
> >>
> >
> > Not too much difference from previous one:
> >
> > S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
> > S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation
> > imapflags notify envelope relational regex subaddress copy"
> > S: "STARTTLS"
> > S: OK
> > Authentication failed. generic failure
> > Security strength factor: 0
> > C: LOGOUT
> > Connection closed.
> >
> Again no SASL offering. Please check your cyrus-sasl installs.

$ rpm -qa | grep cyrus
cyrus-sasl-2.1.22-4 <------------- see here
cyrus-imapd-2.3.7-1.1.el5
cyrus-sasl-lib-2.1.22-4 <------------- and here
cyrus-imapd-perl-2.3.7-1.1.el5
cyrus-imapd-utils-2.3.7-1.1.el5

> And test
> following: Run
>
> openssl s_client -connect localhost:2000 -starttls smtp

CONNECTED(00000003)
22760:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:

>
> Does that offer SASL then?
> You can too test with
>
> sivtest -u al at example.com -a al at example.com -t ""

S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
S: "STARTTLS"
S: OK
C: STARTTLS
S: NO "Error initializing TLS"
Authentication failed. generic failure
Security strength factor: 0
C: LOGOUT
Connection closed.

> >
> >>>> Try with non LOGIN nor PLAIN mech.
> >>>>
> >>>>
> >>> How could we do that ?
> >>>
> >>>
> >> man sivtest -> -m mech
> >>
> >
> > Yep, but which method should we use after -m ... auxprop ?
> >
> No. In imapd.conf you specified your own
>
> sasl_mech_list: PLAIN
>
>
> so it should be obvious which mechanism you can choose. As you
> previously said running sasldb I thought you would offer MD5 mechs, and
> thus my suggestion.

So, to offer MD5 we could add it to sasl_mech_list ? Something like:

sasl_mech_list: PLAIN MD5

>
> Please report back.
>
> Alexander

Cheers,
al.
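
The check made by eye in this thread ("Again no SASL offering") can be run mechanically over a saved sivtest greeting. The following is an added example, not part of the original message: the function names, the finding texts and the second greeting are constructed for illustration, and the first greeting is the one quoted above with its mail line wraps rejoined.

```python
import re

# Constructed sample: the sivtest greeting quoted in the thread (mail wraps rejoined).
THREAD_GREETING = """\
S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
S: "STARTTLS"
S: OK
Authentication failed. generic failure
Security strength factor: 0
"""

# Constructed sample: a greeting that does list mechanisms (server name is made up).
HEALTHY_GREETING = """\
S: "IMPLEMENTATION" "example sieve server"
S: "SASL" "PLAIN DIGEST-MD5"
S: "STARTTLS"
S: OK
"""

CAP_LINE = re.compile(r'^(?:S:\s*)?"([^"]+)"(?:\s+"([^"]*)")?$')
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}  # these send the password itself; need TLS underneath

def parse_greeting(transcript):
    """Return {NAME: value} for the capability lines that precede the first OK."""
    caps = {}
    for raw in transcript.splitlines():
        line = raw.strip()
        if re.match(r'^(?:S:\s*)?OK\b', line):
            break  # end of greeting; later lines are client-side messages
        m = CAP_LINE.match(line)
        if m:
            caps[m.group(1).upper()] = m.group(2) or ""
    return caps

def diagnose(transcript):
    """Summarise what the greeting says about authentication and TLS."""
    caps = parse_greeting(transcript)
    mechs = caps.get("SASL", "").split()
    findings = []
    if "SASL" not in caps:
        findings.append("no SASL line: server advertises no mechanisms")
    elif not mechs:
        findings.append("SASL line is empty: nothing usable on this connection yet")
    elif set(mechs) <= CLEARTEXT_MECHS and "STARTTLS" in caps:
        findings.append("only cleartext mechanisms: authenticate after STARTTLS")
    return {"mechanisms": mechs, "starttls": "STARTTLS" in caps, "findings": findings}

if __name__ == "__main__":
    for name, text in (("thread", THREAD_GREETING), ("healthy", HEALTHY_GREETING)):
        print(name, diagnose(text))
```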