----- Original Message -----
From: "Mark Crispin" <[EMAIL PROTECTED]>
To: "Ole" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, July 02, 2004 1:46 AM
Subject: Re: login failed with username and password

> On Fri, 2 Jul 2004, Ole wrote:
> > Using debian with sendmail+squirrelmail+(imap)
> > I have installed imap-2004 with the command "make slx", because I want
> > to use the passwords in /etc/shadow so I guess this is the right make
> > option.
>
> "make ldb" is more likely to be correct, since Debian has different
> locations for the OpenSSL stuff; also this builds to use PAM instead
> of direct validation of the password.
>
> > * OK [CAPABILITY IMAP4REV1 LITERAL+ SASL-IR LOGIN-REFERRALS STARTTLS LOGINDISABLED] localhost IMAP4rev1 2004.350 at Fri, 2 Jul 2004 01:06:28 +0200 (CEST)
> > A01 login weel password
> > A01 NO LOGIN failed
>
> The key is the "LOGINDISABLED" capability which appeared in the greeting.
> If you refer to the imap-2004/docs/BUILD document, you'll find the
> following text early on:
> ------------------------------------------------------------------------------
> The default build is to build with SSL and disabling plaintext passwords
> unless SSL/TLS encryption is in effect (SSLTYPE=nopwd). This means that
> OpenSSL MUST be installed before building the IMAP toolkit. Please refer to
> the SSLBUILD file for more information.
>
> To build without SSL, add "SSLTYPE=none" to the make command line.
> Note that doing so will produce an IMAP server which is NON-COMPLIANT with
> current IESG security requirements.
> ------------------------------------------------------------------------------
>
> Referring to the SSLBUILD file, we find quite a bit, including:
> ------------------------------------------------------------------------------
> To build with SSL but allow plaintext passwords in insecure sessions,
> add "SSLTYPE=unix" to the make command line.
> ------------------------------------------------------------------------------
>
> Here, then, is the answer. You can't login because plaintext passwords
> are disabled when you are not in an SSL or TLS encrypted session -- which
> absolutely describes a TELNET session. Since you don't have any
> non-plaintext password authentication mechanism (such as CRAM-MD5 or
> GSSAPI) set up, you can't log in at all without negotiating encryption.
>
> If you have a TLS-enabled client (such as Pine), you can try connecting to
> your IMAP server from there and see if you can log in. Alternatively, you
> can use any SSL-enabled client to connect to SSL IMAP on port 993 instead
> of port 143. Of course, this all requires that you've set up your system
> for SSL/TLS encryption as described in the SSLBUILD document.
>
> > Same thing happens if I try pop.
>
> The POP3 server has the same issue. If you do the CAPA command, you will
> see that the "USER" capability isn't listed, which is POP3's way of saying
> "LOGINDISABLED". Once again, you have to use an SSL/TLS enabled client.
>
> > I then tried "make sl5", to use pam
>
> sl5 isn't for PAM; it's for a very ancient version of Linux. For Linux
> with PAM, you must use either lnp or one of the PAM-enabled variants (such
> as ldb for Debian).
>
> -- Mark --
>
> http://staff.washington.edu/mrc
> Science does not emerge from voting, party politics, or public debate.
> Si vis pacem, para bellum.

Thanks for good help, but I didn't get any closer.

I did try the following: did a make clean in imap-2004 dir, and removed /usr/local/etc/imap.

Compiled with the following:
make SSLTYPE=unix ldb:

copy the imapd/imapd /usr/local/etc
reboot, and imap was running
then I try to telnet:

* OK [CAPABILITY IMAP4REV1 LITERAL+ SASL-IR LOGIN-REFERRALS STARTTLS AUTH=LOGIN] localhost IMAP4rev1 2004.350 at Fri, 2 Jul 2004 01:58:26 +0200 (CEST)
a1 login weel password
a1 NO LOGIN failed

I now see that I have "AUTH=LOGIN", so I would guess that I could use user/pass, but no.

Then I try:
make SSLTYPE=nopwd ldb:

* OK [CAPABILITY IMAP4REV1 LITERAL+ SASL-IR LOGIN-REFERRALS STARTTLS LOGINDISABLED] localhost IMAP4rev1 2004.350 at Fri, 2 Jul 2004 02:05:51 +0200 (CEST)
a1 login weel password
a1 NO LOGIN failed

And then I try: (not sure if this is correct) because I got:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ Building in PARTIAL compliance with RFC 3501 security
+ requirements:
+ Compliant:
++ TLS/SSL encryption is supported
+ Non-compliant:
++ Unencrypted plaintext passwords are permitted
+
+ In order to rectify this problem, you MUST build with:
++ SSLTYPE=unix.nopwd
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

make SSLTYPE=unix SSLTYPE=unix.nopwd ldb:

* OK [CAPABILITY IMAP4REV1 LITERAL+ SASL-IR LOGIN-REFERRALS STARTTLS LOGINDISABLED] localhost IMAP4rev1 2004.350 at Fri, 2 Jul 2004 02:15:29 +0200 (CEST)
a1 login weel password
a1 NO LOGIN failed

Then I did:

xxx:~/imap-2004# make SSLTYPE=none SSLTYPE=nopwd ldb
make sslnopwd
make[1]: Entering directory `/root/imap-2004'
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ Building in full compliance with RFC 3501 security
+ requirements:
++ TLS/SSL encryption is supported
++ Unencrypted plaintext passwords are prohibited
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

* OK [CAPABILITY IMAP4REV1 LITERAL+ SASL-IR LOGIN-REFERRALS STARTTLS LOGINDISABLED] localhost IMAP4rev1 2004.350 at Fri, 2 Jul 2004 02:28:44 +0200 (CEST)
a1 login weel password
a1 NO LOGIN failed

When it says: "TLS/SSL encryption is supported" I thought it had ssl support? I do have ssl under /usr/local/ssl.

Maybe I'm doing it wrong, or I didn't get you right, but what am I doing wrong :) ?

Thanks again for helping :)
-ole
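
Added example (not part of the original messages, and not UW IMAP code): a Python check of what the greetings quoted in this thread permit before TLS, reading LOGINDISABLED, STARTTLS and AUTH= from the CAPABILITY list, plus the POP3 CAPA equivalent described in the quoted reply. The function names and the POP3 CAPA sample are constructed for illustration.

```python
import re

# Greetings copied from the transcripts in the thread above.
GREETING_NOPWD = ("* OK [CAPABILITY IMAP4REV1 LITERAL+ SASL-IR LOGIN-REFERRALS "
                  "STARTTLS LOGINDISABLED] localhost IMAP4rev1 2004.350 at "
                  "Fri, 2 Jul 2004 01:06:28 +0200 (CEST)")
GREETING_UNIX = ("* OK [CAPABILITY IMAP4REV1 LITERAL+ SASL-IR LOGIN-REFERRALS "
                 "STARTTLS AUTH=LOGIN] localhost IMAP4rev1 2004.350 at "
                 "Fri, 2 Jul 2004 01:58:26 +0200 (CEST)")
# Constructed POP3 CAPA reply (not from the thread): no USER line is listed.
POP3_CAPA_NOPWD = "+OK Capability list follows\r\nTOP\r\nUIDL\r\nSTLS\r\n.\r\n"

def imap_capabilities(line):
    """Return the upper-cased capability set from a greeting or a
    '* CAPABILITY ...' response; empty set if the line carries none."""
    m = (re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.I)
         or re.match(r"\* CAPABILITY (.*)", line, re.I))
    return {c.upper() for c in m.group(1).split()} if m else set()

def imap_cleartext_policy(line):
    """Classify what a client may do before TLS on this connection."""
    caps = imap_capabilities(line)
    return {
        "login_command_allowed": "LOGINDISABLED" not in caps,
        "starttls_offered": "STARTTLS" in caps,
        "sasl_mechanisms": sorted(c[5:] for c in caps if c.startswith("AUTH=")),
    }

def pop3_user_allowed(capa_reply):
    """POP3 equivalent: USER/PASS is permitted only if CAPA lists USER."""
    lines = [l.strip().upper() for l in capa_reply.splitlines()[1:]]
    return "USER" in [l.split()[0] for l in lines if l and l != "."]

def explain(line):
    """One-line diagnosis for a failed LOGIN on a cleartext session."""
    p = imap_cleartext_policy(line)
    if not p["login_command_allowed"]:
        how = "STARTTLS first" if p["starttls_offered"] else "port 993 or a SASL mechanism"
        return "LOGIN refused by policy before TLS; use " + how
    return ("LOGIN permitted in cleartext; a NO reply is an authentication "
            "failure, not the LOGINDISABLED policy")

if __name__ == "__main__":
    for g in (GREETING_NOPWD, GREETING_UNIX):
        print(imap_cleartext_policy(g), "->", explain(g))
    print("POP3 USER allowed:", pop3_user_allowed(POP3_CAPA_NOPWD))
```
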
