Hello Ken, thank you very much. Adding "-m plain" did it.

Now I also get it that enabling mechs through sasl_mech_list must be supported by the backing auth providers. Thx again for your support. BTW I'm very pleased that Cyrus still has such an active and supportive community. I'm convinced that I have picked the right Dovecot successor for me :-)

Mike

> On 31.01.2018 at 01:29, Ken Murchison <mu...@fastmail.com> wrote:
>
> OK. Major brain fart, since I'm trying to do 5 things at once. saslauthd will only be used for verifying plaintext passwords -- meaning it's only used for plaintext authentication methods. Your imtest is trying to use SCRAM by default.
>
> Add '-m plain' to your imtest and see what happens.
>
> If you want to do your auth using only PAM, you will have to disable non-plaintext SASL mechs for Cyrus. Add the following to imapd.conf:
>
> sasl_mech_list: PLAIN LOGIN
>
>
> On 01/30/2018 06:51 PM, Michael Rüger wrote:
>> After enabling debug and restarting saslauthd and retriggering imtest, saslauthd gets no request.
>>
>> root@cyrus3:/etc # /usr/local/etc/rc.d/saslauthd restart
>> Stopping saslauthd.
>> Waiting for PIDS: 88717.
>> Starting saslauthd.
>> saslauthd[90858] :main : num_procs : 5
>> saslauthd[90858] :main : mech_option: NULL
>> saslauthd[90858] :main : run_path : /var/run/saslauthd
>> saslauthd[90858] :main : auth_mech : pam
>> saslauthd[90858] :ipc_init : using accept lock file: /var/run/saslauthd/mux.accept
>> saslauthd[90858] :detach_tty : master pid is: 0
>> saslauthd[90858] :ipc_init : listening on socket: /var/run/saslauthd/mux
>> saslauthd[90858] :main : using process model
>> saslauthd[90858] :have_baby : forked child: 90859
>> saslauthd[90859] :get_accept_lock : acquired accept lock
>> saslauthd[90858] :have_baby : forked child: 90860
>> saslauthd[90858] :have_baby : forked child: 90861
>> saslauthd[90858] :have_baby : forked child: 90862
>>
>>
>>> On 31.01.2018 at 00:39, Ken Murchison <mu...@fastmail.com> wrote:
>>>
>>> Your understanding is correct. Can you run saslauthd with the -d (debug) command line option and see if it sheds any light?
>>>
>>>
>>> On 01/30/2018 06:31 PM, Michael Rüger wrote:
>>>> Yes, Ken. The whole jail is freshly fired up. Yes, it seems that imapd is not calling saslauthd at all. I wondered if saslauthd support is even compiled in.
>>>>
>>>> But if I understand the architecture correctly (and please correct me if I'm wrong), imap is using the sasl lib, and the sasl lib should have saslauthd support compiled in. This is, as far as I can see, configured by HAVE_SASLAUTHD. I have compiled the cyrus-sasl lib myself to verify that
>>>>
>>>> config.h:#define HAVE_SASLAUTHD /**/
>>>>
>>>> is enabled and
>>>>
>>>> root@cyrus3:/usr/ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.26/ # strings /usr/local/lib/libsasl2.so | grep saslauthd
>>>> saslauthd_path
>>>> /var/run/saslauthd
>>>> cannot create socket for saslauthd: %m
>>>> cannot connect to saslauthd server: %m
>>>>
>>>> gives me confidence that it is compiled in.
>>>>
>>>> I also tried to "dtrace" into imapd, but had no success. FreeBSD's dtrace has some problems inside a jail.
>>>>
>>>> So I guess I miss something tiny but important ;)
>>>>
>>>> Thx again for your support.
>>>> Mike
>>>>
>>>>
>>>>> On 31.01.2018 at 00:09, Ken Murchison <mu...@fastmail.com> wrote:
>>>>>
>>>>> Has Cyrus IMAP been restarted since switching to saslauthd? It doesn't look like Cyrus is even trying to use saslauthd.
>>>>>
>>>>> On 01/30/2018 06:03 PM, Michael Rüger wrote:
>>>>>> Struggled with enabling local6. The trick was to touch the new syslog output file before restarting syslog with this new line
>>>>>>
>>>>>> local6.* /var/log/local6
>>>>>>
>>>>>>
>>>>>> root@cyrus3:/var/log # cat local6
>>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: accepted connection
>>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: accepted connection
>>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() incomplete -> wait
>>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() incomplete -> wait
>>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() succeeded -> done
>>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() succeeded -> done
>>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
>>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
>>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
>>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
>>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
>>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL unable to canonify user and get auxprops
>>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
>>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: SASL unable to canonify user and get auxprops
>>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210] SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get auxprops]
>>>>>> Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210] SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get auxprops]
>>>>>>
>>>>>>
>>>>>>> On 30.01.2018 at 23:41, Ken Murchison <mu...@fastmail.com> wrote:
>>>>>>>
>>>>>>> Hmm.
>>>>>>>
>>>>>>> I just switched my dev box to using saslauthd and it just worked. I'm sure your problem is something simple, but it's escaping me at the moment.
>>>>>>> When imtest fails, what is logged in the Cyrus IMAP log (wherever local6 is logged)?
>>>>>>>
>>>>>>>
>>>>>>> On 01/30/2018 05:34 PM, Michael Rüger wrote:
>>>>>>>> Ken, thank you for jumping in!
>>>>>>>>
>>>>>>>> Some more info: the apps run as the following users and groups
>>>>>>>>
>>>>>>>> root@cyrus3:~ # ps aux
>>>>>>>> USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
>>>>>>>> root 88686 0.0 0.0 10500 2044 - SsJ 21:40 0:00.02 /usr/sbin/syslogd -s
>>>>>>>> root 88717 0.0 0.1 43928 4360 - IsJ 21:40 0:00.01 /usr/local/sbin/saslauthd -a pam
>>>>>>>> root 88718 0.0 0.1 43928 4360 - IJ 21:40 0:00.01 /usr/local/sbin/saslauthd -a pam
>>>>>>>> root 88720 0.0 0.1 43928 4276 - IJ 21:40 0:00.00 /usr/local/sbin/saslauthd -a pam
>>>>>>>> root 88721 0.0 0.1 43928 4360 - IJ 21:40 0:00.01 /usr/local/sbin/saslauthd -a pam
>>>>>>>> root 88722 0.0 0.1 43928 4276 - IJ 21:40 0:00.00 /usr/local/sbin/saslauthd -a pam
>>>>>>>> cyrus 88724 0.0 0.1 65504 5884 - SsJ 21:40 0:00.07 /usr/local/cyrus/libexec/master -d
>>>>>>>>
>>>>>>>> root@cyrus3:~ # su - cyrus
>>>>>>>> % id
>>>>>>>> uid=60(cyrus) gid=60(cyrus) groups=60(cyrus),1003(saslauth)
>>>>>>>>
>>>>>>>>
>>>>>>>>> On 30.01.2018 at 23:25, Michael Rüger <michael.g.rue...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> root@cyrus3:~ # ls -la /var/run/saslauthd/
>>>>>>>>> total 13
>>>>>>>>> drwxr-x--- 2 cyrus saslauth 5 Jan 30 21:40 .
>>>>>>>>> drwxr-xr-x 6 root wheel 15 Jan 30 21:40 ..
>>>>>>>>> srwxrwxrwx 1 root saslauth 0 Jan 30 21:40 mux
>>>>>>>>> -rw------- 1 root saslauth 0 Jan 30 21:40 mux.accept
>>>>>>>>> -rw------- 1 root saslauth 6 Jan 30 21:40 saslauthd.pid
>>>>>>>>>
>>>>>>>>>> On 30.01.2018 at 23:23, Ken Murchison <mu...@fastmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>> Hi Michael,
>>>>>>>>>>
>>>>>>>>>> What are the permissions on the socket that saslauthd is listening on?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 01/30/2018 05:06 PM, Michael Rüger wrote:
>>>>>>>>>>> Hi
>>>>>>>>>>>
>>>>>>>>>>> (btw. I was Guest39278 on IRC yesterday and got the chance to introduce myself on googletalk)
>>>>>>>>>>>
>>>>>>>>>>> I'm trying to set up imapd to use saslauthd for authentication.
>>>>>>>>>>>
>>>>>>>>>>> I already have a running saslauthd which uses PAM. I can run this
>>>>>>>>>>>
>>>>>>>>>>> root@cyrus3:/ # testsaslauthd -u mike -p mike
>>>>>>>>>>> 0: OK "Success."
>>>>>>>>>>>
>>>>>>>>>>> and if I run
>>>>>>>>>>>
>>>>>>>>>>> root@cyrus3:/ # testsaslauthd -u mike -p abc
>>>>>>>>>>> 0: NO "authentication failed"
>>>>>>>>>>>
>>>>>>>>>>> I get that logged in auth.log like this
>>>>>>>>>>>
>>>>>>>>>>> Jan 30 21:43:53 cyrus3 saslauthd[88721]: do_auth : auth failure: [user=mike] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
>>>>>>>>>>>
>>>>>>>>>>> In imapd.conf I have
>>>>>>>>>>>
>>>>>>>>>>> sasl_pwcheck_method: saslauthd
>>>>>>>>>>>
>>>>>>>>>>> Now I'm authenticating against imapd
>>>>>>>>>>>
>>>>>>>>>>> root@cyrus3:~ # imtest -t "" -u mike -a mike -w mike localhost
>>>>>>>>>>> S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM SASL-IR] cyrus3.intern.rueger.me Cyrus IMAP 3.0.5 server ready
>>>>>>>>>>> C: S01 STARTTLS
>>>>>>>>>>> S: S01 OK Begin TLS negotiation now
>>>>>>>>>>> verify error:num=18:self signed certificate
>>>>>>>>>>> TLS connection established: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>>>>>>>>>>> C: C01 CAPABILITY
>>>>>>>>>>> S: * CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SEARCH=FUZZY SORT SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES THREAD=REFS ANNOTATEMORE ANNOTATE-EXPERIMENT-1 METADATA LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS LIST-METADATA WITHIN QRESYNC SCAN XLIST XMOVE MOVE SPECIAL-USE CREATE-SPECIAL-USE DIGEST=SHA1 X-REPLICATION URLAUTH URLAUTH=BINARY AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE
>>>>>>>>>>> S: C01 OK Completed
>>>>>>>>>>> C: A01 AUTHENTICATE SCRAM-SHA-1 bixhPW1pa2Usbj1taWtlLHI9Z2Z1Ukp1cVc1Z1BybHhaWTdFcjVYUDR2WUtuMVhRNHc=
>>>>>>>>>>> S: A01 NO authentication failure
>>>>>>>>>>> Authentication failed. generic failure
>>>>>>>>>>> Security strength factor: 256
>>>>>>>>>>>
>>>>>>>>>>> Nothing is reported in auth.conf
>>>>>>>>>>>
>>>>>>>>>>> If I do this
>>>>>>>>>>>
>>>>>>>>>>> root@cyrus3:~ # saslpasswd2 -c m...@cyrus3.intern.rueger.me
>>>>>>>>>>> …<entering "mike" twice here>
>>>>>>>>>>> root@cyrus3:~ # imtest -t "" -u mike -a mike -w mike localhost
>>>>>>>>>>> S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM SASL-IR] cyrus3.intern.rueger.me Cyrus IMAP 3.0.5 server ready
>>>>>>>>>>> C: S01 STARTTLS
>>>>>>>>>>> …
>>>>>>>>>>> Authenticated.
>>>>>>>>>>> Security strength factor: 256
>>>>>>>>>>>
>>>>>>>>>>> it is working against local db BUT NOT against saslauthd.
>>>>>>>>>>>
>>>>>>>>>>> How do I set up imapd to talk to saslauthd?
>>>>>>>>>>>
>>>>>>>>>>> BTW I'm using
>>>>>>>>>>> * cyrus-imapd30-3.0.5
>>>>>>>>>>> * cyrus-sasl-2.1.26_13
>>>>>>>>>>> * cyrus-sasl-saslauthd-2.1.26_3
>>>>>>>>>>> on FreeBSD 11.1
>>>>>>>>>>>
>>>>>>>>>>> Thank you for any help,
>>>>>>>>>>> Mike
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Ken Murchison
>>>>>>>>>> Cyrus Development Team
>>>>>>>>>> FastMail US LLC
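The mismatch Ken diagnoses (saslauthd verifies plaintext passwords only, so with sasl_pwcheck_method: saslauthd the offered mechanisms have to be PLAIN/LOGIN) can be caught from the config and the server's CAPABILITY line before a client ever fails. The check below is an added example, not code from the thread or from Cyrus; its function names and the shortened sample config and CAPABILITY lines are constructed for illustration.

```python
"""Added check for the failure mode in this thread: saslauthd only verifies
plaintext passwords, so with sasl_pwcheck_method: saslauthd every mechanism the
server offers must be PLAIN or LOGIN. Shared-secret mechanisms (SCRAM-SHA-1,
DIGEST-MD5, CRAM-MD5, NTLM) look the secret up via auxprop/sasldb instead and
fail with "user not found" without ever contacting saslauthd.
Function names and sample inputs are constructed for this example."""
import re

# Mechanisms whose server side can hand the cleartext password to saslauthd.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_imapd_conf(text):
    """Parse 'key: value' lines of an imapd.conf into a dict; comments and blanks skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip()
    return conf


def advertised_mechs(capability_line):
    """Return the AUTH=<mech> names from an IMAP CAPABILITY response."""
    return set(re.findall(r"AUTH=([A-Z0-9_-]+)", capability_line))


def mechs_saslauthd_cannot_serve(conf, capability_line=None):
    """Return the offered mechanisms saslauthd cannot verify (empty set = consistent).
    Without sasl_mech_list the server in the thread offered every installed plugin,
    so fall back to what the CAPABILITY response actually advertised."""
    if conf.get("sasl_pwcheck_method") != "saslauthd":
        return set()
    if "sasl_mech_list" in conf:
        offered = set(conf["sasl_mech_list"].upper().split())
    elif capability_line:
        offered = advertised_mechs(capability_line)
    else:
        return set()
    return offered - PLAINTEXT_MECHS


# Constructed samples: the thread's failing config (no mech list) with the mechanisms
# the server advertised after STARTTLS, and the corrected config Ken suggested.
BROKEN_CONF = "sasl_pwcheck_method: saslauthd\n"
CAPABILITY = ("* CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 "
              "AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN SASL-IR")
FIXED_CONF = "sasl_pwcheck_method: saslauthd\nsasl_mech_list: PLAIN LOGIN\n"

if __name__ == "__main__":
    print("broken:", sorted(mechs_saslauthd_cannot_serve(parse_imapd_conf(BROKEN_CONF), CAPABILITY)))
    print("fixed:", sorted(mechs_saslauthd_cannot_serve(parse_imapd_conf(FIXED_CONF), CAPABILITY)))
```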