I'm using Debian packages for sasl. Here is what libsasl2-modules includes:

/usr/lib/x86_64-linux-gnu/sasl2/libplain.so.2.0.25
/usr/lib/x86_64-linux-gnu/sasl2/libcrammd5.so.2.0.25
/usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so.2.0.25
/usr/lib/x86_64-linux-gnu/sasl2/liblogin.so.2.0.25
/usr/lib/x86_64-linux-gnu/sasl2/libanonymous.so.2.0.25
/usr/lib/x86_64-linux-gnu/sasl2/libntlm.so.2.0.25

But in my imapd.conf, I'm not specifying any auxprop plugins:

# grep sasl /etc/imapd.conf
sasl_mech_list: PLAIN
sasl_minimum_layer: 0
#sasl_maximum_layer: 256
sasl_pwcheck_method: saslauthd

Since we are using saslauthd, we don't use auxprop plugins, I think...

        Andy

On Mon, 21 Nov 2016, Michael Ulitskiy wrote:

I'm trying to read the code and it seems that it tries to look up the
authorization id in an auxprop plugin. Since I don't have any auxprop plugins,
that returns SASL_NOMECH and results in the error I'm seeing.

By any chance do you have any auxprop plugin defined?

On Monday, November 21, 2016 10:07:23 AM Andrew Morgan wrote:
Maybe there is something wrong with your saslauthd parameters or PAM
config?

Here is what I use:

saslauthd -a pam -c -t 300 -m /var/run/saslauthd -n 5

# cat /etc/pam.d/sieve
# PAM configuration file for Cyrus IMAP service

auth    sufficient      pam_ldap.so
auth    required        pam_unix.so

account sufficient      pam_ldap.so
account required        pam_unix.so


(pretty simple!)

In your original email, you showed that you could authenticate as the
target user successfully.  Can you connect to sieve as the admin user (no
proxy-auth)?

Thanks,
        Andy


On Mon, 21 Nov 2016, Michael Ulitskiy wrote:

Andrew,

Thanks for the reply. It's good to know it works for someone.
I've tried to downgrade cyrus to 2.4.18, but that didn't help.
sivtest doesn't provide much clue:

root@rway-imap-vm:~# sivtest -a proxyadmin -u t...@virtualcrap.com localhost
S: "IMPLEMENTATION" "Cyrus timsieved v2.4.18"
S: "SASL" "PLAIN"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify 
envelope imap4flags relational regex subaddress copy"
S: "UNAUTHENTICATE"
S: OK
Please enter your password:
C: AUTHENTICATE "PLAIN" {48+}
<redacted>
S: NO "Authentication Error"
Authentication failed. generic failure
Security strength factor: 0

while log is saying:
Nov 21 12:01:57 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 
'proxyadmin' granted access
Nov 21 12:01:57 rway-imap-vm sieve[21483]: badlogin: localhost[127.0.0.1] PLAIN 
no mechanism available

The same happens if I use the admin user.
I also tried to change sasl_pwcheck_method to 'alwaystrue' to make sure no
authentication problems stand in the way, but that also didn't help.
I'm at a loss now. Any more troubleshooting clues?

Thanks,
Michael

On Sunday, November 20, 2016 07:34:58 PM Andrew Morgan wrote:
This works for me under v2.4.18.  I'm able to run sieveshell against a
frontend or backend authenticating as a cyrus "admins" user or a
"proxyservers" user (on the backend).

Against a frontend:

# sieveshell -u morgan -a cyrus imap.onid.oregonstate.edu
connecting to imap.onid.oregonstate.edu
Please enter your password:
list
onid-web
real  <- active script
quit


Against a backend:

# sieveshell -u morgan -a cyr_proxy cyrus-be1.onid.oregonstate.edu
connecting to cyrus-be1.onid.oregonstate.edu
Please enter your password:
list
onid-web
real  <- active script
quit


My imapd.conf settings:

admins: cyrus
allowplaintext: 0
sasl_mech_list: PLAIN
sasl_minimum_layer: 0
sasl_pwcheck_method: saslauthd
sieve_allowreferrals: 0
sieve_allowplaintext: 1


Have you tried using the "sivtest" program?  It will show you the protocol
handshakes, which might help.  Here is an example for me:

# sivtest -u morgan -a cyrus localhost
S: "IMPLEMENTATION" "Cyrus timsieved (Murder) v2.4.18"
S: "SASL" "PLAIN"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags
notify envelope body relational regex subaddress copy"
S: "STARTTLS"
S: "UNAUTHENTICATE"
S: OK
Please enter your password:
C: AUTHENTICATE "PLAIN" {28+}
<redacted>
S: OK
Authenticated.
Security strength factor: 0
C: LOGOUT
OK "Logout Complete"
Connection closed.


        Andy

On Sun, 20 Nov 2016, Michael Ulitskiy via Info-cyrus wrote:

Since nobody answered, I guess, nobody has any idea.
I wonder if anybody uses this feature and it works for you?
I mean I'd like to know if that's just me and something is wrong with my setup
or maybe that feature isn't functional at all?
Thanks in advance,

Michael

On Thursday, November 17, 2016 06:30:18 PM Michael Ulitskiy via Info-cyrus 
wrote:
Hello,

I'm playing with cyrus-imap 2.5.10 and cyrus-sasl 2.1.26.
I'm trying to use sieveshell to set up users' sieve scripts, but since
I don't know users' passwords I want to use a special user for authentication
and authorize as the target user.
Here's what I have.

imapd.conf:
admins: mailadmin
proxyservers: proxyadmin
sasl_pwcheck_method: saslauthd
#sasl_pwcheck_method: alwaystrue
sasl_mech_list: PLAIN
allowplaintext: yes

Here's what I do:

root@rway-imap-vm:~# sieveshell -a proxyadmin -u t...@virtualcrap.com localhost
connecting to localhost
Please enter your password:
unable to connect to server at /usr/bin/sieveshell line 191, <STDIN> line 1.

Here's the log:
Nov 17 18:24:44 rway-imap-vm sieve[2256]: TLS is available.
Nov 17 18:24:46 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 
'proxyadmin' granted access
Nov 17 18:24:46 rway-imap-vm sieve[2256]: badlogin: localhost [127.0.0.1] PLAIN 
no mechanism available
Nov 17 18:24:46 rway-imap-vm sieve[2256]: Lost connection to client -- exiting

As you can see, user proxyadmin authenticated successfully, but then something
(authorization?) went wrong and it says "PLAIN no mechanism available".
This only happens if I try to authorize as a different user. If I don't,
everything works fine:

root@rway-imap-vm:~# sieveshell -a t...@virtualcrap.com -u t...@virtualcrap.com 
localhost
connecting to localhost
Please enter your password:


log:
Nov 17 18:24:11 rway-imap-vm sieve[2247]: TLS is available.
Nov 17 18:24:15 rway-imap-vm saslauthd[1167]: pam_userdb(sieve:auth): user 
't...@virtualcrap.com' granted access
Nov 17 18:24:15 rway-imap-vm sieve[2247]: login: localhost [127.0.0.1] 
t...@virtualcrap.com PLAIN User logged in

The same happens to cyradm:
root@rway-imap-vm:~# cyradm --user=proxyadmin --authz=t...@virtualcrap.com 
--auth=plain localhost
Password:
IMAP Password:

log:
Nov 17 18:26:27 rway-imap-vm saslauthd[1166]: pam_userdb(imap:auth): user 
'proxyadmin' granted access
Nov 17 18:26:27 rway-imap-vm imap[2277]: badlogin: localhost [127.0.0.1] PLAIN 
[SASL(-4): no mechanism available: Unable to find a callback: 32773]

But OK without trying to authorize as a different user:
root@rway-imap-vm:~# cyradm --user=t...@virtualcrap.com --auth=plain localhost
Password:
localhost>
Nov 17 18:27:31 rway-imap-vm saslauthd[1167]: pam_userdb(imap:auth): user 
't...@virtualcrap.com' granted access
Nov 17 18:27:31 rway-imap-vm imap[2276]: login: localhost [127.0.0.1] 
t...@virtualcrap.com PLAIN User logged in 
SESSIONID=<rway-imap.aceinnovative.com-2276-1479425249-1-16233364852996823733>

Can somebody tell me what I am doing wrong?
Thanks a lot,

Michael
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
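
A log check for the symptom reported in this thread, added here as an example and not code from any of the posters or from the Cyrus project: it pairs each saslauthd "granted access" line with the next login/badlogin line from the same service, so a password that was accepted but followed by a failed SASL step stands out. The sample lines are copied from the messages above with wrapped lines rejoined; the 5-second window, the year 2016 and the function name are assumptions.

```python
import re
from datetime import datetime, timedelta

# Log lines from the thread above (wrapped lines rejoined).
SAMPLE_LOG = """\
Nov 17 18:24:44 rway-imap-vm sieve[2256]: TLS is available.
Nov 17 18:24:46 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 'proxyadmin' granted access
Nov 17 18:24:46 rway-imap-vm sieve[2256]: badlogin: localhost [127.0.0.1] PLAIN no mechanism available
Nov 17 18:26:27 rway-imap-vm saslauthd[1166]: pam_userdb(imap:auth): user 'proxyadmin' granted access
Nov 17 18:26:27 rway-imap-vm imap[2277]: badlogin: localhost [127.0.0.1] PLAIN [SASL(-4): no mechanism available: Unable to find a callback: 32773]
Nov 17 18:27:31 rway-imap-vm saslauthd[1167]: pam_userdb(imap:auth): user 't...@virtualcrap.com' granted access
Nov 17 18:27:31 rway-imap-vm imap[2276]: login: localhost [127.0.0.1] t...@virtualcrap.com PLAIN User logged in
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) (\w+)\[(\d+)\]: (.*)$")
GRANTED = re.compile(r"pam_\w+\((\w+):auth\): user '([^']+)' granted access")
WINDOW = timedelta(seconds=5)   # assumed correlation window
YEAR = "2016"                   # syslog omits the year; taken from the thread dates

def classify(log_text):
    """Return (service, user, verdict, message) for each accepted password."""
    pending = []    # (time, pam service, user) still waiting for an outcome
    results = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, _host, prog, _pid, msg = m.groups()
        when = datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        granted = GRANTED.search(msg)
        if prog == "saslauthd" and granted:
            pending.append((when, granted.group(1), granted.group(2)))
            continue
        outcome = msg.split(":", 1)[0]
        if outcome not in ("login", "badlogin"):
            continue
        for entry in pending:
            t, service, user = entry
            # The PAM service name matches the daemon's syslog tag (sieve, imap).
            if service == prog and timedelta(0) <= when - t <= WINDOW:
                pending.remove(entry)
                verdict = ("ok" if outcome == "login"
                           else "password accepted, SASL step failed")
                results.append((service, user, verdict, msg))
                break
    return results

if __name__ == "__main__":
    for row in classify(SAMPLE_LOG):
        print(row[:3])
```
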