Hello all
I am trying to set up cyrus-imap in order to - ultimately - use it as a
caldav/carddav server on a private server.
I have an openldap instance running in a standard configuration and would like
to use the "auxprop-hashed" pwcheck method along with the "ldapdb" sasl module.
This seems not to be as simple as it sounds. Most probably, I am doing
something wrong.
Is there any chance somebody could have a look and suggest fixes or - actually
even preferred - point me to a working example of such a configuration?
I have searched near and far and read hundreds of documentation and source
files, but I fail to make sense of those log lines:
*badlogin: nexus [fec0::5054:ff:fe12:3456] DIGEST-MD5 [SASL(-4): no mechanism available: unable to canonify user and get auxprops]*
and (or)
*badlogin: nexus [fec0::5054:ff:fe12:3456] PLAIN [SASL(-4): no mechanism available: Password verification failed]*
I do not understand how, why and by which process exactly they are logged.
And, most importantly, I cannot figure out what the underlying problem
actually is. :-) I have tried many tweaks to the config: plain password, "auxprop"
instead of "auxprop-hashed" pwcheck, and more, all to no avail.
This is an up-to-date internet-connected
ubuntu-20.04-minimal-cloudimg-amd64.img currently running in a qemu VM on
MacOS 11.6 (BigSur, 2nd-latest).
Any help is much appreciated.
Patrick
So far, I have:
ubuntu@nexus:~$ egrep -v '^\s*(#|$)' /etc/cyrus.conf
START {
recover cmd="/usr/sbin/cyrus ctl_cyrusdb -r"
delprune cmd="/usr/sbin/cyrus expire -E 3"
tlsprune cmd="/usr/sbin/cyrus tls_prune"
}
SERVICES {
imaps cmd="imapd -s -U 30" listen="nexus:imaps" prefork=0 maxchild=100
imaplocal cmd="imapd -C /etc/imapd-local.conf -U 30" listen="localhost:imap" prefork=0 maxchild=100
https cmd="httpd -s -U 30" listen="8443" prefork=0 maxchild=100
lmtpunix cmd="lmtpd" listen="/run/cyrus/socket/lmtp" prefork=0 maxchild=20
sieve cmd="timsieved" listen="localhost:sieve" prefork=0 maxchild=100
notify cmd="notifyd" listen="/run/cyrus/socket/notify" proto="udp" prefork=1
}
EVENTS {
checkpoint cmd="/usr/sbin/cyrus ctl_cyrusdb -c" period=30
delprune cmd="/usr/sbin/cyrus expire -E 3" at=0401
tlsprune cmd="/usr/sbin/cyrus tls_prune" at=0401
deleteprune cmd="/usr/sbin/cyrus expire -E 4 -D 28" at=0430
expungeprune cmd="/usr/sbin/cyrus expire -E 4 -X 28" at=0445
}
ubuntu@nexus:~$ egrep -v '^\s*(#|$)' /etc/imapd.conf
configdirectory: /var/lib/cyrus
proc_path: /run/cyrus/proc
mboxname_lockpath: /run/cyrus/lock
defaultpartition: default
partition-default: /var/spool/cyrus/mail
partition-news: /var/spool/cyrus/news
newsspool: /var/spool/news
altnamespace: no
unixhierarchysep: no
lmtp_downcase_rcpt: yes
allowanonymouslogin: no
popminpoll: 1
autocreate_quota: 0
umask: 077
sieveusehomedir: false
sievedir: /var/spool/sieve
httpmodules: caldav carddav
hashimapspool: true
allowplaintext: yes
sasl_pwcheck_method: auxprop-hashed
sasl_auxprop_plugin: ldapdb
@include: /etc/imapd-ldap.conf
sasl_auto_transition: no
tls_server_cert: /etc/ssl/certs/ssl-cert-snakeoil.pem
tls_server_key: /etc/ssl/private/ssl-cert-snakeoil.key
tls_client_ca_dir: /etc/ssl/certs
tls_session_timeout: 1440
lmtpsocket: /run/cyrus/socket/lmtp
idlesocket: /run/cyrus/socket/idle
notifysocket: /run/cyrus/socket/notify
syslog_prefix: cyrus
ubuntu@nexus:~$ egrep -v '^\s*(#|$)' /etc/imapd-ldap.conf
ldap_base: ou=people,dc=patrickpfeifer,dc=net
ldap_bind_dn: cn=admin,dc=patrickpfeifer,dc=net
ldap_filter: (mail=%u)
ldap_password: xxxx
ldap_scope: one
ldap_uri: ldapi:///
ldap_version: 3
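As an added example (not from the original post), a Python checker for the imapd.conf format shown above: it follows @include, strips the sasl_ prefix the way Cyrus does when handing options to libsasl, and verifies that an ldapdb auxprop setup carries the plugin's own sasl_ldapdb_* options rather than the ldap_* keys, which imapd.conf defines for ptloader. The option names ldapdb_uri, ldapdb_id and ldapdb_mech are assumed from the Cyrus SASL ldapdb plugin documentation, and the sample files are constructed.

```python
# Constructed sample files: the post's imapd.conf/@include layout and a variant
# using the ldapdb plugin's own option names (sasl_ldapdb_*, assumed from the
# Cyrus SASL ldapdb documentation, not taken from the post).
FILES = {
    "/etc/imapd.conf": "sasl_pwcheck_method: auxprop-hashed\n"
                       "sasl_auxprop_plugin: ldapdb\n"
                       "@include: /etc/imapd-ldap.conf\n",
    "/etc/imapd-ldap.conf": "ldap_base: ou=people,dc=example,dc=net\n"
                            "ldap_uri: ldapi:///\n",
    "/etc/imapd-ldapdb.conf": "sasl_pwcheck_method: auxprop\n"
                              "sasl_auxprop_plugin: ldapdb\n"
                              "sasl_ldapdb_uri: ldapi:///\n"
                              "sasl_ldapdb_mech: EXTERNAL\n",
}

def parse_imapd_conf(path, files=FILES):
    """Parse imapd.conf 'key: value' lines, following @include recursively."""
    opts = {}
    for raw in files[path].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "@include":
            opts.update(parse_imapd_conf(value, files))
        else:
            opts[key] = value
    return opts

def sasl_options(opts):
    """Cyrus hands every sasl_* option to libsasl with the prefix removed."""
    return {k[5:]: v for k, v in opts.items() if k.startswith("sasl_")}

def check_ldapdb(path, files=FILES):
    """Findings for an ldapdb auxprop setup; an empty list means nothing found."""
    opts = parse_imapd_conf(path, files)
    sasl = sasl_options(opts)
    findings = []
    if sasl.get("auxprop_plugin") != "ldapdb":
        return findings
    if "ldapdb_uri" not in sasl:  # the plugin refuses to initialise without it
        findings.append("sasl_ldapdb_uri missing: ldapdb has no server to query")
    if not {"ldapdb_mech", "ldapdb_id"} & set(sasl):
        findings.append("no sasl_ldapdb_mech/sasl_ldapdb_id: bind identity unset")
    stray = sorted(k for k in opts if k.startswith("ldap_"))
    if stray:
        findings.append("ldap_* keys configure ptloader, not ldapdb: " + ", ".join(stray))
    return findings
```

The script cannot see the slapd side: the ldapdb plugin also relies on the directory allowing its bind identity to proxy-authorize as the looked-up user, which has to be checked in the slapd configuration.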
And:
$ ldapsearch -H ldapi:/// -D cn=admin,dc=patrickpfeifer,dc=net -w xxxx -b 'ou=people,dc=patrickpfeifer,dc=net' '([email protected])'
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=patrickpfeifer,dc=net> with scope subtree
# filter: ([email protected])
# requesting: ALL
#
# patrick, people, patrickpfeifer.net
dn: uid=patrick,ou=people,dc=patrickpfeifer,dc=net
cn: Patrick Pfeifer
objectClass: inetOrgPerson
objectClass: top
objectClass: person
uid: patrick
mail: [email protected]
sn: Pfeifer
userPassword:: e1NTSXXXXXXXXXXXXXXXc9PQ=
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
However:
$ /usr/lib/cyrus/bin/imtest -s -u [email protected] -w xxxxx nexus
verify error:num=18:self signed certificate
TLS connection established: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=DIGEST-MD5 AUTH=NTLM AUTH=CRAM-MD5 AUTH=PLAIN AUTH=LOGIN SASL-IR] nexus Cyrus IMAP 3.0.13-Debian-3.0.13-5 server ready
C: A01 AUTHENTICATE DIGEST-MD5
S: +
bm9uY2U9IjQ0M3Y3d2R4d0dTNlV1bzFTcFpSTk9JcjFFdHNGL0VkcnU1Q0QzR09PMXc9IixyZWFsbT0ibmV4dXMiLHFvcD0iYXV0aCIsbWF4YnVmPTQwOTYsY2hhcnNldD11dGYtOCxhbGdvcml0aG09bWQ1LXNlc3M=
C:
dXNlcm5hbWU9InVidW50dSIscmVhbG09Im5leHVzIixhdXRoemlkPSJwYXRyaWNrQHBhdHJpY2twZmVpZmVyLm5ldCIsbm9uY2U9IjQ0M3Y3d2R4d0dTNlV1bzFTcFpSTk9JcjFFdHNGL0VkcnU1Q0QzR09PMXc9Iixjbm9uY2U9IlM2Yzh4WXJUZXFtcXB3dHYrWGJ2aGk3cTVHM1dKby8xUWJlSkZZbGM5K289IixuYz0wMDAwMDAwMSxxb3A9YXV0aCxtYXhidWY9MTAyNCxkaWdlc3QtdXJpPSJpbWFwL25leHVzIixyZXNwb25zZT1iZjBmNjVkYmFiMWZhNjg3MmRjYjBhNDk0MmJhYzA0OA==
*S: A01 NO no mechanism available
Authentication failed. generic failure*
Security strength factor: 256
^CC: Q01 LOGOUT
Connection closed.
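The two base64 lines in the session above are the DIGEST-MD5 challenge and response. As an added example (not part of the original post), the Python below decodes them and splits the RFC 2831 directives so the identities and parameters the client actually put on the wire can be read; the only input is the encoded text copied from the session.

```python
import base64
import re

# Challenge and response copied from the imtest session above, still base64
# as sent on the wire (padding is repaired in case the mail trimmed it).
SERVER_CHALLENGE = "bm9uY2U9IjQ0M3Y3d2R4d0dTNlV1bzFTcFpSTk9JcjFFdHNGL0VkcnU1Q0QzR09PMXc9IixyZWFsbT0ibmV4dXMiLHFvcD0iYXV0aCIsbWF4YnVmPTQwOTYsY2hhcnNldD11dGYtOCxhbGdvcml0aG09bWQ1LXNlc3M="
CLIENT_RESPONSE = "dXNlcm5hbWU9InVidW50dSIscmVhbG09Im5leHVzIixhdXRoemlkPSJwYXRyaWNrQHBhdHJpY2twZmVpZmVyLm5ldCIsbm9uY2U9IjQ0M3Y3d2R4d0dTNlV1bzFTcFpSTk9JcjFFdHNGL0VkcnU1Q0QzR09PMXc9Iixjbm9uY2U9IlM2Yzh4WXJUZXFtcXB3dHYrWGJ2aGk3cTVHM1dKby8xUWJlSkZZbGM5K289IixuYz0wMDAwMDAwMSxxb3A9YXV0aCxtYXhidWY9MTAyNCxkaWdlc3QtdXJpPSJpbWFwL25leHVzIixyZXNwb25zZT1iZjBmNjVkYmFiMWZhNjg3MmRjYjBhNDk0MmJhYzA0OA=="

# RFC 2831 directive: name=value, value either "quoted" (commas allowed) or bare.
DIRECTIVE = re.compile(r'([A-Za-z0-9_-]+)=(?:"([^"]*)"|([^,]*))')


def decode_directives(b64):
    """Base64-decode a DIGEST-MD5 message and return its directives as a dict."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4)).decode("utf-8")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in DIRECTIVE.finditer(raw)}


def identities(response_b64):
    """Return (authentication id, authorization id) the client sent."""
    d = decode_directives(response_b64)
    return d.get("username"), d.get("authzid")


def summarize(challenge_b64, response_b64):
    """Collect the fields a server-side password lookup will be keyed on."""
    c, r = decode_directives(challenge_b64), decode_directives(response_b64)
    return {
        "realm": r.get("realm"),
        "authcid": r.get("username"),
        "authzid": r.get("authzid"),
        "nonce_echoed": c.get("nonce") == r.get("nonce"),
        "qop": r.get("qop"),
        "digest_uri": r.get("digest-uri"),
    }
```

In this exchange the username directive is "ubuntu" and the mail address travels only as authzid, because imtest's -u sets the authorization name while the authentication name is given with -a; the server's password lookup is keyed on the authentication name.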
And:
ubuntu@nexus:~$ journalctl -f
-- Logs begin at Mon 2020-12-28 21:20:09 UTC. --
...
Nov 03 21:55:08 nexus sudo[9147]: ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/sbin/service cyrus-imapd start
Nov 03 21:55:08 nexus sudo[9147]: pam_unix(sudo:session): session opened for user root by ubuntu(uid=0)
Nov 03 21:55:09 nexus systemd[1]: Started Cyrus IMAP/POP3 daemons.
Nov 03 21:55:09 nexus sudo[9147]: pam_unix(sudo:session): session closed for user root
Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9157]: skiplist: clean shutdown file missing, updating recovery stamp
Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9157]: recovering cyrus databases
Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9157]: done recovering cyrus databases
Nov 03 21:55:09 nexus cyrus/cyr_expire[9160]: ldapdb
Nov 03 21:55:09 nexus cyrus/cyr_expire[9160]: Expired 0 and expunged 0 out of 0 messages from 2 mailboxes
Nov 03 21:55:09 nexus cyrus/cyr_expire[9160]: duplicate_prune: pruning back 3.00 days
Nov 03 21:55:09 nexus cyrus/cyr_expire[9160]: duplicate_prune: purged 0 out of 0 entries
Nov 03 21:55:09 nexus cyrus/tls_prune[9163]: tls_prune: purged 0 out of 38 entries
Nov 03 21:55:09 nexus cyrus/master[9156]: unable to bind to imaps/ipv6 socket: Invalid argument
Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9166]: checkpointing cyrus databases
Nov 03 21:55:09 nexus cyrus/ctl_cyrusdb[9166]: done checkpointing cyrus databases
Nov 03 21:55:14 nexus imtest[9170]: ldapdb
Nov 03 21:55:14 nexus imtest[9170]: _sasl_plugin_load failed on sasl_canonuser_init
*Nov 03 21:55:14 nexus cyrus/imaps[9171]: ldapdb
Nov 03 21:55:14 nexus cyrus/imaps[9171]: auxpropfunc error invalid parameter supplied
Nov 03 21:55:14 nexus cyrus/imaps[9171]: ldapdb*
Nov 03 21:55:14 nexus cyrus/imaps[9171]: inittls: Loading hard-coded DH parameters
Nov 03 21:55:14 nexus cyrus/imaps[9171]: TLS server engine: No client CA certs specified. Client side certs may not work
Nov 03 21:55:14 nexus cyrus/imaps[9171]: starttls: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits new) no authentication
Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 client step 2
Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 parse_server_challenge()
Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 ask_user_info()
Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 client step 2
Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 ask_user_info()
Nov 03 21:55:14 nexus imtest[9170]: DIGEST-MD5 make_client_response()
Nov 03 21:55:14 nexus cyrus/imaps[9171]: SASL unable to canonify user and get auxprops
Nov 03 21:55:14 nexus cyrus/imaps[9171]: *badlogin: nexus [fec0::5054:ff:fe12:3456] DIGEST-MD5 [SASL(-4): no mechanism available: unable to canonify user and get auxprops]*
If I change the "imtest" command line to use the PLAIN mech, I get:
$ /usr/lib/cyrus/bin/imtest -s -m PLAIN -u [email protected] -w xxxxx nexus
Nov 03 22:14:45 nexus imtest[9303]: ldapdb
Nov 03 22:14:45 nexus imtest[9303]: _sasl_plugin_load failed on sasl_canonuser_init
Nov 03 22:14:45 nexus cyrus/imaps[9304]: ldapdb
*Nov 03 22:14:45 nexus cyrus/imaps[9304]: auxpropfunc error invalid parameter supplied*
Nov 03 22:14:45 nexus cyrus/imaps[9304]: ldapdb
Nov 03 22:14:45 nexus cyrus/imaps[9304]: inittls: Loading hard-coded DH parameters
Nov 03 22:14:45 nexus cyrus/imaps[9304]: TLS server engine: No client CA certs specified. Client side certs may not work
Nov 03 22:14:45 nexus cyrus/imaps[9304]: starttls: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits new) no authentication
*Nov 03 22:14:45 nexus cyrus/imaps[9304]: SASL unknown password verifier(s) auxprop-hashed
Nov 03 22:14:45 nexus cyrus/imaps[9304]: SASL Password verification failed
Nov 03 22:14:45 nexus cyrus/imaps[9304]: badlogin: nexus [fec0::5054:ff:fe12:3456] PLAIN [SASL(-4): no mechanism available: Password verification failed]*
More Info:
ubuntu@nexus:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal
ubuntu@nexus:~$ dpkg -l | grep cyru\\\|sasl
ii cyrus-admin 3.0.13-5
ii cyrus-caldav 3.0.13-5
ii cyrus-clients 3.0.13-5
ii cyrus-common 3.0.13-5
ii cyrus-imapd 3.0.13-5
ii libcyrus-imap-perl:amd64 3.0.13-5
ii libsasl2-2:amd64 2.1.27+dfsg-2
ii libsasl2-modules:amd64 2.1.27+dfsg-2
ii libsasl2-modules-db:amd64 2.1.27+dfsg-2
ii libsasl2-modules-ldap:amd64 2.1.27+dfsg-2
ii sasl2-bin 2.1.27+dfsg-2
------------------------------------------
Cyrus: SASL
Permalink:
https://cyrus.topicbox.com/groups/sasl/T2c60ca246b64197b-Mbd9313c5600d1269a9ac5049