Hello,
I’m about to update our cyrus-imapd murder from Debian 11 (cyrus-imapd
3.2.11 self-build, cyrus-sasl 2.1.27+dfsg-2.1+deb11u1) to Debian 13
(cyrus-imapd 3.10.2, cyrus-sasl 2.1.28+dfsg1-9).
Authentication from frontend to backend is done with DIGEST-MD5:

frontend:
  proxy_authname: _frontend
  proxy_password: …

backend:
  sasl_mech_list: DIGEST-MD5
  sasl_pwcheck_method: auxprop
  sasl_auxprop_plugin: sasldb

I’ve set up /etc/sasldb2 with saslpasswd2 -c _frontend with password,
sasldblistusers2 shows: [email protected]: userPassword

This has worked for the 3.2.X murder cluster for years.
Now I’ve set up a new backend server "prepaid.hrz.tu-chenitz.de" with 3.10.2.
Test with imtest from frontend with 3.2.11 is ok:

imtest -u test -a _frontend -t '' prepaid.hrz.tu-chenitz.de
S: * OK [CAPABILITY IMAP4rev1 IMAP4rev2 AUTH=DIGEST-MD5 ENABLE ID LITERAL+
LOGINDISABLED SASL-IR STARTTLS
MUPDATE=mupdate://mupdate.hrz.tu-chemnitz.de/] prepaid.hrz.tu-chemnitz.de
Cyrus IMAP 3.10.2-Debian-3.10.2-1 server ready
S: * OK [CAPABILITY IMAP4rev1 IMAP4rev2 AUTH=DIGEST-MD5 ENABLE ID LITERAL+
LOGINDISABLED SASL-IR STARTTLS
MUPDATE=mupdate://mupdate.hrz.tu-chemnitz.de/] prepaid.hrz.tu-chemnitz.de
Cyrus IMAP 3.10.2-Debian-3.10.2-1 server ready
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
verify error:num=19:self signed certificate in certificate chain
TLS connection established: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384
(256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4rev1 IMAP4rev2 ACL ANNOTATE-EXPERIMENT-1
APPENDLIMIT=2147483647 AUTH=DIGEST-MD5 BINARY CATENATE CHILDREN
COMPRESS=DEFLATE CONDSTORE CREATE-SPECIAL-USE ENABLE ESEARCH ESORT ID IDLE
LIST-EXTENDED LIST-METADATA LIST-MYRIGHTS LIST-STATUS LITERAL+
MAILBOX-REFERRALS METADATA MOVE MULTIAPPEND MULTISEARCH NAMESPACE NOTIFY
OBJECTID PREVIEW QRESYNC QUOTA QUOTA=RES-STORAGE QUOTA=RES-MESSAGE
QUOTA=RES-ANNOTATION-STORAGE QUOTA=RES-MAILBOX QUOTASET REPLACE RIGHTS=kxten
SASL-IR SAVEDATE SEARCH=FUZZY SEARCHRES SORT SORT=DISPLAY SPECIAL-USE
STATUS=SIZE THREAD=ORDEREDSUBJECT THREAD=REFERENCES UIDONLY UIDPLUS UNSELECT
URL-PARTIAL URLAUTH URLAUTH=BINARY WITHIN DIGEST=SHA1
MUPDATE=mupdate://mupdate.hrz.tu-chemnitz.de/ NO_ATOMIC_RENAME SCAN
SORT=MODSEQ SORT=UID THREAD=REFS X-CREATEDMODSEQ X-REPLICATION
X-REPLICATION-ARCHIVE X-SIEVE-MAILBOX XLIST XMOVE
S: C01 OK Completed
C: A01 AUTHENTICATE DIGEST-MD5
S: + bm9…
Please enter your password:
C: dXNl…
S: + cnN…
C:
S: A01 OK [CAPABILITY IMAP4rev1 IMAP4rev2 ACL ANNOTATE-EXPERIMENT-1
APPENDLIMIT=2147483647 BINARY CATENATE CHILDREN COMPRESS=DEFLATE CONDSTORE
CREATE-SPECIAL-USE ENABLE ESEARCH ESORT ID IDLE LIST-EXTENDED LIST-METADATA
LIST-MYRIGHTS LIST-STATUS LITERAL+ LOGINDISABLED MAILBOX-REFERRALS METADATA
MOVE MULTIAPPEND MULTISEARCH NAMESPACE NOTIFY OBJECTID PREVIEW QRESYNC QUOTA
QUOTA=RES-STORAGE QUOTA=RES-MESSAGE QUOTA=RES-ANNOTATION-STORAGE
QUOTA=RES-MAILBOX QUOTASET REPLACE RIGHTS=kxten SAVEDATE SEARCH=FUZZY
SEARCHRES SORT SORT=DISPLAY SPECIAL-USE STATUS=SIZE THREAD=ORDEREDSUBJECT
THREAD=REFERENCES UIDONLY UIDPLUS UNSELECT URL-PARTIAL URLAUTH
URLAUTH=BINARY WITHIN DIGEST=SHA1
MUPDATE=mupdate://mupdate.hrz.tu-chemnitz.de/ NO_ATOMIC_RENAME SCAN
SORT=MODSEQ SORT=UID THREAD=REFS X-CREATEDMODSEQ X-REPLICATION
X-REPLICATION-ARCHIVE X-SIEVE-MAILBOX XLIST XMOVE] Success (tls protection)
SESSIONID=<cyrus-1772020321-43207-1-10610630412189950369>
Authenticated.
Security strength factor: 256
. SELECT INBOX
* 3 EXISTS
* 0 RECENT
* FLAGS (\Answered \Flagged \Draft \Deleted \Seen NonJunk $Label4)
…
. OK [READ-WRITE] Completed
But the imapd on 3.2-frontend doesn’t work with the 3.10 backend:
Log on backend:
2026-02-25T12:45:12.601428+01:00 prepaid cyrus/master[43240]: about to exec /usr/lib/cyrus/bin/imapd
2026-02-25T12:45:12.627416+01:00 prepaid cyrus/imap[43240]: SQL backend defaulting to engine 'pgsql'
2026-02-25T12:45:12.627467+01:00 prepaid cyrus/imap[43240]: zoneinfo_dir is unset, libical will find its own timezone data
2026-02-25T12:45:12.627787+01:00 prepaid cyrus/imap[43240]: ical_support_init: found 418 timezones
2026-02-25T12:45:12.630623+01:00 prepaid cyrus/imap[43240]: executed
2026-02-25T12:45:50.398725+01:00 prepaid cyrus/imap[43240]: accepted connection
2026-02-25T12:45:50.405919+01:00 prepaid cyrus/imap[43240]: extractor_init(0x55d682207b10)
2026-02-25T12:45:50.406813+01:00 prepaid cyrus/imap[43240]: SASL DIGEST-MD5 server step 1
2026-02-25T12:45:50.407430+01:00 prepaid cyrus/imap[43240]: SASL DIGEST-MD5 server step 2
2026-02-25T12:45:50.410526+01:00 prepaid cyrus/imap[43240]: SASL DIGEST-MD5 create_layer_keys()
2026-02-25T12:45:50.417187+01:00 prepaid cyrus/imap[43240]: login: julian.hrz.tu-chemnitz.de [2001:638:911:b0e:134:109:228:25] fri DIGEST-MD5 User logged in SESSIONID=<cyrus-1772019950-43240-1-7292512404913775762>
2026-02-25T12:45:50.418740+01:00 prepaid cyrus/imap[43240]: fetching user_deny.db entry for 'fri'
2026-02-25T12:45:50.463437+01:00 prepaid cyrus/imap[43240]: decoding error: generic failure; SASL(-1): generic failure: user: [email protected] property: cmusaslsecretDIGEST-MD5 not found in sasldb, closing connection
2026-02-25T12:45:50.464542+01:00 prepaid cyrus/imap[43240]: session ended: sessionid=<cyrus-1772019950-43240-1-7292512404913775762> userid=<fri> id.name=<(null)>
Can anybody explain the "decoding error: … cmusaslsecretDIGEST-MD5 not found
in sasldb"? And how to correct it?
Is DIGEST-MD5 still sufficient or are there better SASL mechanisms to
authenticate frontend to backend?
Thanks in advance,
Frank
--
Frank Richter, Chemnitz University of Technology, Germany
------------------------------------------
Cyrus: Info
Permalink:
https://cyrus.topicbox.com/groups/info/Tc654c39c5afc4bc1-M57a71a7d519540d30f697523