[CentOS] Cyrus-Imapd Sieve Unable to connect to server

Mon Jan 28 19:43:57 UTC 2008
Alexander Dalloz <ad+lists at uni-x.org>

Alain Reguera Delgado wrote:

Hello Alain,

sorry for replying late.

>>> Not too much difference from previous one:
>>>
>>> S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
>>> S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation
>>> imapflags notify envelope relational regex subaddress copy"
>>> S: "STARTTLS"
>>> S: OK
>>> Authentication failed. generic failure
>>> Security strength factor: 0
>>> C: LOGOUT
>>> Connection closed.
>>>
>>>       
>> Again no SASL offering. Please check your cyrus-sasl installs.
>>     
>
> $ rpm -qa | grep cyrus
> cyrus-sasl-2.1.22-4     <------------- see here
> cyrus-imapd-2.3.7-1.1.el5
> cyrus-sasl-lib-2.1.22-4    <------------- and here
> cyrus-imapd-perl-2.3.7-1.1.el5
> cyrus-imapd-utils-2.3.7-1.1.el5
>
>   
Hm. You shouldn't be able to SASL auth at all! You are missing the
cyrus-sasl-plain RPM to have both the liblogin.so* and libplain.so*
libraries. Very certainly installing this RPM will solve your problem.

>> And test
>> following: Run
>>
>> openssl s_client -connect localhost:2000 -starttls smtp
>>     
>
> CONNECTED(00000003)
> 22760:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol:s23_clnt.c:567:
>   
Hm, that command works for me this way. Instead of "-starttls smtp" you
may try "-starttls pop3" or "-tls1".

>> Does that offer SASL then? You can also test with
>>
>> sivtest -u al at example.com -a al at example.com -t ""
>>     
>
> S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
> S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation
> imapflags notify envelope relational regex subaddress copy"
> S: "STARTTLS"
> S: OK
> C: STARTTLS
> S: NO "Error initializing TLS"
> Authentication failed. generic failure
> Security strength factor: 0
> C: LOGOUT
> Connection closed.
>   
Even your SSL/TLS setup seems to be broken. Are the certificate files in
place? What does the cyrus-imapd service start report in the maillog?
Any errors?

> So, to offer MD5 we could add it to sasl_mech_list ? Something like:
>
> sasl_mech_list: PLAIN MD5
>   
No. To offer MD5 mechanisms use "DIGEST-MD5" or "CRAM-MD5" or even both.
Being able to offer MD5 mechs is one of the positive aspects of using
sasldb based auth.

sasl_mech_list: LOGIN PLAIN CRAM-MD5 DIGEST-MD5

or to avoid plaintext passwords over the wire

sasl_mech_list: CRAM-MD5 DIGEST-MD5

Pay attention to have the cyrus-sasl-md5 RPM installed. This will
provide the required libraries for MD5 mech auth.

Kind regards

Alexander
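
An added example, not part of the original message: a small Python check that reads a captured sivtest greeting like the ones quoted in this thread and reports whether any SASL mechanisms are offered and whether plaintext ones are among them. The `"SASL" "..."` capability line in the second sample is an assumption about what the greeting shows once the plugin RPMs are installed; both samples and the function names are constructed for illustration.

```python
import re

# Mechanisms that send the password itself; the thread suggests leaving them
# out of sasl_mech_list "to avoid plaintext passwords over the wire".
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample: the greeting quoted in the thread (no "SASL" line).
BROKEN = '''S: "IMPLEMENTATION" "Cyrus timsieved v2.3.7-Invoca-RPM-2.3.7-1.1.el5"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation
imapflags notify envelope relational regex subaddress copy"
S: "STARTTLS"
S: OK
Authentication failed. generic failure
'''

# Constructed sample (assumed format): same greeting with mechanisms offered.
FIXED = BROKEN.replace(
    'S: "STARTTLS"',
    'S: "SASL" "LOGIN PLAIN CRAM-MD5 DIGEST-MD5"\nS: "STARTTLS"')

def parse_greeting(text):
    """Return {capability: value} for the server lines up to the first OK."""
    # Re-join values that were wrapped onto a continuation line.
    joined = re.sub(r"\n(?!S: |C: )", " ", text.strip())
    caps = {}
    for line in joined.splitlines():
        if not line.startswith("S: "):
            continue
        body = line[3:].strip()
        if body.startswith("OK"):
            break
        m = re.match(r'"([^"]+)"(?:\s+"([^"]*)")?$', body)
        if m:
            caps[m.group(1).upper()] = m.group(2) or ""
    return caps

def diagnose(text):
    """Return (offered mechanisms, list of finding codes)."""
    caps = parse_greeting(text)
    mechs = caps.get("SASL", "").split()
    findings = []
    if not mechs:
        findings.append("no-sasl")          # no mechanism plugins loaded
    if PLAINTEXT_MECHS & set(mechs):
        findings.append("plaintext-mechs")  # PLAIN/LOGIN offered
    if "STARTTLS" not in caps:
        findings.append("no-starttls")      # TLS upgrade not advertised
    return mechs, findings
```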