Re: Can't authorize as different user in cyradm and sieveshell

2016-11-21 Thread Michael Ulitskiy via Info-cyrus
Dan,

You nailed it. Mere presence of sasldb plugin makes it work.
The code doesn't look kosher to me though.

In sasl_server_new() there's a line:
serverconn->sparams->canon_user = &_sasl_canon_user_lookup;

which unconditionally sets the canon_user callback to the function that performs both
canonicalization and auxprop lookup. In case there are no auxprop plugins, it
results in SASL_NOMECH.

I guess it should check whether auxprop plugins are available in the system and
either set it to _sasl_canon_user_lookup() or _sasl_canon_user().

Anyway, installing the sasldb plugin is an easy enough workaround.

Thanks everybody,

Michael


On Monday, November 21, 2016 04:36:01 PM Dan White wrote:
> In the absence of an [sasl_]auxprop_plugins statement, all plugins will be
> queried. For example, running pluginviewer (or saslpluginviewer on debian)
> should typically list sasldb if it's installed on your system.
> 
> The canon_user plugins and auxprop plugins are coded within the same code,
> and so are tied together somewhat, although I haven't dug into the code to
> explain the error Michael is experiencing.
> 
> Michael,
> 
> I'd suggest installing the sasldb auxprop to see if that clears up the
> issue. That may not even require a configuration change.
> 
> On 11/21/16 13:43 -0800, Andrew Morgan via Info-cyrus wrote:
> >I'm using Debian packages for sasl.  Here is what libsasl2-modules 
> >includes:
> >
> >/usr/lib/x86_64-linux-gnu/sasl2/libplain.so.2.0.25
> >/usr/lib/x86_64-linux-gnu/sasl2/libcrammd5.so.2.0.25
> >/usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so.2.0.25
> >/usr/lib/x86_64-linux-gnu/sasl2/liblogin.so.2.0.25
> >/usr/lib/x86_64-linux-gnu/sasl2/libanonymous.so.2.0.25
> >/usr/lib/x86_64-linux-gnu/sasl2/libntlm.so.2.0.25
> >
> >But in my imapd.conf, I'm not specifying an auxprop plugins:
> >
> ># grep sasl /etc/imapd.conf
> >sasl_mech_list: PLAIN
> >sasl_minimum_layer: 0
> >#sasl_maximum_layer: 256
> >sasl_pwcheck_method: saslauthd
> >
> >Since we are using saslauthd, we don't use auxprop plugins, I think...
> >
> > Andy
> >
> >On Mon, 21 Nov 2016, Michael Ulitskiy wrote:
> >
> >>I'm trying to read the code and it seems that it tries to lookup 
> >>authorization id
> >>in auxprop plugin. since I don't have any auxprop plugins that returns 
> >>SASL_NOMECH and results
> >>in the error I'm seeing.
> >>
> >>By any chance do you have any auxprop plugin defined?
> 
> 
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
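
An added illustration of the failure mode diagnosed in the message above (not code from the thread or from the Cyrus project): it correlates a saslauthd "granted access" entry with a following "no mechanism available" badlogin from the same service, the signature of a password check that passed and a canon_user/auxprop step that failed, and it lists the auxprop modules found in a plugin listing. The sample log is adapted from lines posted in the thread with the address replaced; the module names sasldb, sql and ldapdb, the 5-second window and the plugin listing are assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumption: stock cyrus-sasl auxprop module names (libsasldb.so, libsql.so, libldapdb.so).
AUXPROP_MODULES = {"sasldb", "sql", "ldapdb"}

SYSLOG = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([\w-]+)\[(\d+)\]: (.*)$")
GRANTED = re.compile(r"pam_\w+\((\w+):auth\): user '([^']+)' granted access")
NOMECH = re.compile(r"badlogin: ([^\s\[]+) ?\[([^\]]+)\] (\S+) .*no mechanism available")


def installed_auxprop(plugin_paths):
    """Return the auxprop modules present in a list of SASL plugin file paths."""
    found = set()
    for path in plugin_paths:
        m = re.match(r"lib(\w+)\.so", path.rsplit("/", 1)[-1])
        if m and m.group(1) in AUXPROP_MODULES:
            found.add(m.group(1))
    return sorted(found)


def find_authz_failures(lines, window=timedelta(seconds=5), year=2016):
    """Pair each 'no mechanism available' badlogin with a saslauthd grant that
    preceded it on the same host for the same service within `window`.
    A pair means the password was accepted and a later SASL step failed."""
    grants = []    # (time, host, pam service, authenticated user)
    findings = []
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; supply one so deltas are well defined.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        host, proc, msg = m.group(2), m.group(3), m.group(5)
        g = GRANTED.search(msg)
        if proc == "saslauthd" and g:
            grants.append((ts, host, g.group(1), g.group(2)))
            continue
        b = NOMECH.search(msg)
        if not b:
            continue
        for gts, ghost, service, user in reversed(grants):
            if ghost == host and service == proc and timedelta(0) <= ts - gts <= window:
                findings.append({
                    "time": ts,
                    "service": proc,
                    "authenticated_as": user,
                    "client": b.group(2),
                    "mechanism": b.group(3),
                })
                break
    return findings


# Sample log adapted from the thread (lines unwrapped, address replaced);
# the last line is constructed: a badlogin with no preceding grant.
SAMPLE_LOG = [
    "Nov 17 18:24:15 rway-imap-vm saslauthd[1167]: pam_userdb(sieve:auth): user 'user@example.com' granted access",
    "Nov 17 18:24:15 rway-imap-vm sieve[2247]: login: localhost [127.0.0.1] user@example.com PLAIN User logged in",
    "Nov 17 18:24:46 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 'proxyadmin' granted access",
    "Nov 17 18:24:46 rway-imap-vm sieve[2256]: badlogin: localhost [127.0.0.1] PLAIN no mechanism available",
    "Nov 17 18:26:27 rway-imap-vm saslauthd[1166]: pam_userdb(imap:auth): user 'proxyadmin' granted access",
    "Nov 17 18:26:27 rway-imap-vm imap[2277]: badlogin: localhost [127.0.0.1] PLAIN "
    "[SASL(-4): no mechanism available: Unable to find a callback: 32773]",
    "Nov 17 18:40:00 rway-imap-vm imap[2300]: badlogin: localhost[127.0.0.1] PLAIN no mechanism available",
]

# Constructed plugin listing: mechanism plugins only, no auxprop module.
SAMPLE_PLUGINS = [
    "/usr/lib/sasl2/libplain.so.2.0.25",
    "/usr/lib/sasl2/liblogin.so.2.0.25",
    "/usr/lib/sasl2/libcrammd5.so.2.0.25",
]

if __name__ == "__main__":
    for f in find_authz_failures(SAMPLE_LOG):
        print(f"{f['time']:%b %d %H:%M:%S} {f['service']}: '{f['authenticated_as']}' "
              f"passed the password check, then {f['mechanism']} failed with "
              f"'no mechanism available' (client {f['client']})")
    print("auxprop modules installed:", installed_auxprop(SAMPLE_PLUGINS) or "none")
```
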

Re: Can't authorize as different user in cyradm and sieveshell

2016-11-21 Thread Dan White via Info-cyrus

In the absence of an [sasl_]auxprop_plugins statement, all plugins will be
queried. For example, running pluginviewer (or saslpluginviewer on debian)
should typically list sasldb if it's installed on your system.

The canon_user plugins and auxprop plugins are coded within the same code,
and so are tied together somewhat, although I haven't dug into the code to
explain the error Michael is experiencing.

Michael,

I'd suggest installing the sasldb auxprop to see if that clears up the
issue. That may not even require a configuration change.

On 11/21/16 13:43 -0800, Andrew Morgan via Info-cyrus wrote:
I'm using Debian packages for sasl.  Here is what libsasl2-modules 
includes:


/usr/lib/x86_64-linux-gnu/sasl2/libplain.so.2.0.25
/usr/lib/x86_64-linux-gnu/sasl2/libcrammd5.so.2.0.25
/usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so.2.0.25
/usr/lib/x86_64-linux-gnu/sasl2/liblogin.so.2.0.25
/usr/lib/x86_64-linux-gnu/sasl2/libanonymous.so.2.0.25
/usr/lib/x86_64-linux-gnu/sasl2/libntlm.so.2.0.25

But in my imapd.conf, I'm not specifying an auxprop plugins:

# grep sasl /etc/imapd.conf
sasl_mech_list: PLAIN
sasl_minimum_layer: 0
#sasl_maximum_layer: 256
sasl_pwcheck_method: saslauthd

Since we are using saslauthd, we don't use auxprop plugins, I think...

Andy

On Mon, 21 Nov 2016, Michael Ulitskiy wrote:


I'm trying to read the code and it seems that it tries to lookup authorization 
id
in auxprop plugin. since I don't have any auxprop plugins that returns 
SASL_NOMECH and results
in the error I'm seeing.

By any chance do you have any auxprop plugin defined?


--
Dan White



Re: Can't authorize as different user in cyradm and sieveshell

2016-11-21 Thread Andrew Morgan via Info-cyrus
I'm using Debian packages for sasl.  Here is what libsasl2-modules 
includes:


/usr/lib/x86_64-linux-gnu/sasl2/libplain.so.2.0.25
/usr/lib/x86_64-linux-gnu/sasl2/libcrammd5.so.2.0.25
/usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so.2.0.25
/usr/lib/x86_64-linux-gnu/sasl2/liblogin.so.2.0.25
/usr/lib/x86_64-linux-gnu/sasl2/libanonymous.so.2.0.25
/usr/lib/x86_64-linux-gnu/sasl2/libntlm.so.2.0.25

But in my imapd.conf, I'm not specifying an auxprop plugins:

# grep sasl /etc/imapd.conf
sasl_mech_list: PLAIN
sasl_minimum_layer: 0
#sasl_maximum_layer: 256
sasl_pwcheck_method: saslauthd

Since we are using saslauthd, we don't use auxprop plugins, I think...

Andy

On Mon, 21 Nov 2016, Michael Ulitskiy wrote:


I'm trying to read the code and it seems that it tries to lookup authorization 
id
in auxprop plugin. since I don't have any auxprop plugins that returns 
SASL_NOMECH and results
in the error I'm seeing.

By any chance do you have any auxprop plugin defined?

On Monday, November 21, 2016 10:07:23 AM Andrew Morgan wrote:

Maybe there is something wrong with your saslauthd parameters or PAM
config?

Here is what I use:

saslauthd -a pam -c -t 300 -m /var/run/saslauthd -n 5

# cat /etc/pam.d/sieve
# PAM configuration file for Cyrus IMAP service

auth    sufficient  pam_ldap.so
auth    required    pam_unix.so

account sufficient  pam_ldap.so
account required    pam_unix.so


(pretty simple!)

In your original email, you showed that you could authenticate as the
target user successfully.  Can you connect to sieve as the admin user (no
proxy-auth)?

Thanks,
Andy


On Mon, 21 Nov 2016, Michael Ulitskiy wrote:


Andrew,

Thanks for the reply. It's good to know it works for someone.
I've tried to downgrade cyrus to 2.4.18, but that didn't help.
sivtest doesn't provide much clue:

root@rway-imap-vm:~# sivtest -a proxyadmin -u t...@virtualcrap.com localhost
S: "IMPLEMENTATION" "Cyrus timsieved v2.4.18"
S: "SASL" "PLAIN"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify 
envelope imap4flags relational regex subaddress copy"
S: "UNAUTHENTICATE"
S: OK
Please enter your password:
C: AUTHENTICATE "PLAIN" {48+}

S: NO "Authentication Error"
Authentication failed. generic failure
Security strength factor: 0

while log is saying:
Nov 21 12:01:57 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 
'proxyadmin' granted access
Nov 21 12:01:57 rway-imap-vm sieve[21483]: badlogin: localhost[127.0.0.1] PLAIN 
no mechanism available

the same happens if I use admin user.
i also tried to change to sasl_pwcheck_method to 'alwaystrue' to make sure no 
authentication problems stand in the way, but that also didn't help.
I'm at loss now. Anymore troubleshooting clues?

Thanks,
Michael

On Sunday, November 20, 2016 07:34:58 PM Andrew Morgan wrote:

This works for me under v2.4.18.  I'm able to run sieveshell against a
frontend or backend authenticating as a cyrus "admins" user or a
"proxyservers" user (on the backend).

Against a frontend:

# sieveshell -u morgan -a cyrus imap.onid.oregonstate.edu
connecting to imap.onid.oregonstate.edu
Please enter your password:

list

onid-web
real  <- active script

quit



Against a backend:

# sieveshell -u morgan -a cyr_proxy cyrus-be1.onid.oregonstate.edu
connecting to cyrus-be1.onid.oregonstate.edu
Please enter your password:

list

onid-web
real  <- active script

quit



My imapd.conf settings:

admins: cyrus
allowplaintext: 0
sasl_mech_list: PLAIN
sasl_minimum_layer: 0
sasl_pwcheck_method: saslauthd
sieve_allowreferrals: 0
sieve_allowplaintext: 1


Have you tried using the "sivtest" program?  It will show you the protocol
handshakes, which might help.  Here is an example for me:

# sivtest -u morgan -a cyrus localhost
S: "IMPLEMENTATION" "Cyrus timsieved (Murder) v2.4.18"
S: "SASL" "PLAIN"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags
notify envelope body relational regex subaddress copy"
S: "STARTTLS"
S: "UNAUTHENTICATE"
S: OK
Please enter your password:
C: AUTHENTICATE "PLAIN" {28+}

S: OK
Authenticated.
Security strength factor: 0
C: LOGOUT
OK "Logout Complete"
Connection closed.


Andy

On Sun, 20 Nov 2016, Michael Ulitskiy via Info-cyrus wrote:


Since nobody answered, I guess, nobody has any idea.
I wonder if anybody uses this feature and it works for you?
I mean I'd like to know if that's just me and something is wrong with my setup 
or may be that feature isn't functional at all?
Thanks in advance,

Michael

On Thursday, November 17, 2016 06:30:18 PM Michael Ulitskiy via Info-cyrus 
wrote:

Hello,

I'm playing with cyrus-imap 2.5.10 and cyrus-sasl 2.1.26.
i'm trying to use sieveshell to setup users sieve scripts, but since
i don't know users passwords i want to use a special user for authentication
and authorize as the target user.
Here's what I have.

imapd.conf:
admins: mailadmin
proxyservers: proxyadmin
sasl_pwcheck_method: saslauthd
#sasl_pwcheck_method: alwaystrue

Re: Can't authorize as different user in cyradm and sieveshell

2016-11-21 Thread Michael Ulitskiy via Info-cyrus
I'm trying to read the code and it seems that it tries to lookup authorization 
id
in auxprop plugin. since I don't have any auxprop plugins that returns 
SASL_NOMECH and results
in the error I'm seeing.

By any chance do you have any auxprop plugin defined?

On Monday, November 21, 2016 10:07:23 AM Andrew Morgan wrote:
> Maybe there is something wrong with your saslauthd parameters or PAM 
> config?
> 
> Here is what I use:
> 
> saslauthd -a pam -c -t 300 -m /var/run/saslauthd -n 5
> 
> # cat /etc/pam.d/sieve
> # PAM configuration file for Cyrus IMAP service
> 
> auth    sufficient  pam_ldap.so
> auth    required    pam_unix.so
> 
> account sufficient  pam_ldap.so
> account required    pam_unix.so
> 
> 
> (pretty simple!)
> 
> In your original email, you showed that you could authenticate as the 
> target user successfully.  Can you connect to sieve as the admin user (no 
> proxy-auth)?
> 
> Thanks,
>   Andy
> 
> 
> On Mon, 21 Nov 2016, Michael Ulitskiy wrote:
> 
> > Andrew,
> >
> > Thanks for the reply. It's good to know it works for someone.
> > I've tried to downgrade cyrus to 2.4.18, but that didn't help.
> > sivtest doesn't provide much clue:
> >
> > root@rway-imap-vm:~# sivtest -a proxyadmin -u t...@virtualcrap.com localhost
> > S: "IMPLEMENTATION" "Cyrus timsieved v2.4.18"
> > S: "SASL" "PLAIN"
> > S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags 
> > notify envelope imap4flags relational regex subaddress copy"
> > S: "UNAUTHENTICATE"
> > S: OK
> > Please enter your password:
> > C: AUTHENTICATE "PLAIN" {48+}
> > 
> > S: NO "Authentication Error"
> > Authentication failed. generic failure
> > Security strength factor: 0
> >
> > while log is saying:
> > Nov 21 12:01:57 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 
> > 'proxyadmin' granted access
> > Nov 21 12:01:57 rway-imap-vm sieve[21483]: badlogin: localhost[127.0.0.1] 
> > PLAIN no mechanism available
> >
> > the same happens if I use admin user.
> > i also tried to change to sasl_pwcheck_method to 'alwaystrue' to make sure 
> > no authentication problems stand in the way, but that also didn't help.
> > I'm at loss now. Anymore troubleshooting clues?
> >
> > Thanks,
> > Michael
> >
> > On Sunday, November 20, 2016 07:34:58 PM Andrew Morgan wrote:
> >> This works for me under v2.4.18.  I'm able to run sieveshell against a
> >> frontend or backend authenticating as a cyrus "admins" user or a
> >> "proxyservers" user (on the backend).
> >>
> >> Against a frontend:
> >>
> >> # sieveshell -u morgan -a cyrus imap.onid.oregonstate.edu
> >> connecting to imap.onid.oregonstate.edu
> >> Please enter your password:
> >>> list
> >> onid-web
> >> real  <- active script
> >>> quit
> >>
> >>
> >> Against a backend:
> >>
> >> # sieveshell -u morgan -a cyr_proxy cyrus-be1.onid.oregonstate.edu
> >> connecting to cyrus-be1.onid.oregonstate.edu
> >> Please enter your password:
> >>> list
> >> onid-web
> >> real  <- active script
> >>> quit
> >>
> >>
> >> My imapd.conf settings:
> >>
> >> admins: cyrus
> >> allowplaintext: 0
> >> sasl_mech_list: PLAIN
> >> sasl_minimum_layer: 0
> >> sasl_pwcheck_method: saslauthd
> >> sieve_allowreferrals: 0
> >> sieve_allowplaintext: 1
> >>
> >>
> >> Have you tried using the "sivtest" program?  It will show you the protocol
> >> handshakes, which might help.  Here is an example for me:
> >>
> >> # sivtest -u morgan -a cyrus localhost
> >> S: "IMPLEMENTATION" "Cyrus timsieved (Murder) v2.4.18"
> >> S: "SASL" "PLAIN"
> >> S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags
> >> notify envelope body relational regex subaddress copy"
> >> S: "STARTTLS"
> >> S: "UNAUTHENTICATE"
> >> S: OK
> >> Please enter your password:
> >> C: AUTHENTICATE "PLAIN" {28+}
> >> 
> >> S: OK
> >> Authenticated.
> >> Security strength factor: 0
> >> C: LOGOUT
> >> OK "Logout Complete"
> >> Connection closed.
> >>
> >>
> >>Andy
> >>
> >> On Sun, 20 Nov 2016, Michael Ulitskiy via Info-cyrus wrote:
> >>
> >>> Since nobody answered, I guess, nobody has any idea.
> >>> I wonder if anybody uses this feature and it works for you?
> >>> I mean I'd like to know if that's just me and something is wrong with my 
> >>> setup or may be that feature isn't functional at all?
> >>> Thanks in advance,
> >>>
> >>> Michael
> >>>
> >>> On Thursday, November 17, 2016 06:30:18 PM Michael Ulitskiy via 
> >>> Info-cyrus wrote:
>  Hello,
> 
>  I'm playing with cyrus-imap 2.5.10 and cyrus-sasl 2.1.26.
>  i'm trying to use sieveshell to setup users sieve scripts, but since
>  i don't know users passwords i want to use a special user for 
>  authentication
>  and authorize as the target user.
>  Here's what I have.
> 
>  imapd.conf:
>  admins: mailadmin
>  proxyservers: proxyadmin
>  sasl_pwcheck_method: saslauthd
>  #sasl_pwcheck_method: alwaystrue
>  sasl_mech_list: PLAIN
>  allowplaintext: yes
> 
>  here's what i do:
> 
> 

Re: Can't authorize as different user in cyradm and sieveshell

2016-11-21 Thread Michael Ulitskiy via Info-cyrus
i run saslauthd as follows:

/usr/sbin/saslauthd -a pam -m /var/state/saslauthd -n 4 -r

i guess the notable difference is option '-r', which combines realm with login 
username.
i've tried to create a couple of unqualified users and run saslauthd without it 
with the same result - proxyauth doesn't work.

pam:

root@rway-imap-vm:~# cat /etc/pam.d/sieve
auth    required    pam_warn.so
auth    required    pam_userdb.so db=/etc/mail/virtpasswd crypt=crypt
account required    pam_warn.so
account required    pam_userdb.so db=/etc/mail/virtpasswd crypt=crypt

yes i can connect as target user or admin user or proxy user. proxyauth is the 
only problematic scenario.
that's what puzzles me the most

On Monday, November 21, 2016 10:07:23 AM Andrew Morgan wrote:
> Maybe there is something wrong with your saslauthd parameters or PAM 
> config?
> 
> Here is what I use:
> 
> saslauthd -a pam -c -t 300 -m /var/run/saslauthd -n 5
> 
> # cat /etc/pam.d/sieve
> # PAM configuration file for Cyrus IMAP service
> 
> auth    sufficient  pam_ldap.so
> auth    required    pam_unix.so
> 
> account sufficient  pam_ldap.so
> account required    pam_unix.so
> 
> 
> (pretty simple!)
> 
> In your original email, you showed that you could authenticate as the 
> target user successfully.  Can you connect to sieve as the admin user (no 
> proxy-auth)?
> 
> Thanks,
>   Andy
> 
> 
> On Mon, 21 Nov 2016, Michael Ulitskiy wrote:
> 
> > Andrew,
> >
> > Thanks for the reply. It's good to know it works for someone.
> > I've tried to downgrade cyrus to 2.4.18, but that didn't help.
> > sivtest doesn't provide much clue:
> >
> > root@rway-imap-vm:~# sivtest -a proxyadmin -u t...@virtualcrap.com localhost
> > S: "IMPLEMENTATION" "Cyrus timsieved v2.4.18"
> > S: "SASL" "PLAIN"
> > S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags 
> > notify envelope imap4flags relational regex subaddress copy"
> > S: "UNAUTHENTICATE"
> > S: OK
> > Please enter your password:
> > C: AUTHENTICATE "PLAIN" {48+}
> > 
> > S: NO "Authentication Error"
> > Authentication failed. generic failure
> > Security strength factor: 0
> >
> > while log is saying:
> > Nov 21 12:01:57 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 
> > 'proxyadmin' granted access
> > Nov 21 12:01:57 rway-imap-vm sieve[21483]: badlogin: localhost[127.0.0.1] 
> > PLAIN no mechanism available
> >
> > the same happens if I use admin user.
> > i also tried to change to sasl_pwcheck_method to 'alwaystrue' to make sure 
> > no authentication problems stand in the way, but that also didn't help.
> > I'm at loss now. Anymore troubleshooting clues?
> >
> > Thanks,
> > Michael
> >
> > On Sunday, November 20, 2016 07:34:58 PM Andrew Morgan wrote:
> >> This works for me under v2.4.18.  I'm able to run sieveshell against a
> >> frontend or backend authenticating as a cyrus "admins" user or a
> >> "proxyservers" user (on the backend).
> >>
> >> Against a frontend:
> >>
> >> # sieveshell -u morgan -a cyrus imap.onid.oregonstate.edu
> >> connecting to imap.onid.oregonstate.edu
> >> Please enter your password:
> >>> list
> >> onid-web
> >> real  <- active script
> >>> quit
> >>
> >>
> >> Against a backend:
> >>
> >> # sieveshell -u morgan -a cyr_proxy cyrus-be1.onid.oregonstate.edu
> >> connecting to cyrus-be1.onid.oregonstate.edu
> >> Please enter your password:
> >>> list
> >> onid-web
> >> real  <- active script
> >>> quit
> >>
> >>
> >> My imapd.conf settings:
> >>
> >> admins: cyrus
> >> allowplaintext: 0
> >> sasl_mech_list: PLAIN
> >> sasl_minimum_layer: 0
> >> sasl_pwcheck_method: saslauthd
> >> sieve_allowreferrals: 0
> >> sieve_allowplaintext: 1
> >>
> >>
> >> Have you tried using the "sivtest" program?  It will show you the protocol
> >> handshakes, which might help.  Here is an example for me:
> >>
> >> # sivtest -u morgan -a cyrus localhost
> >> S: "IMPLEMENTATION" "Cyrus timsieved (Murder) v2.4.18"
> >> S: "SASL" "PLAIN"
> >> S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags
> >> notify envelope body relational regex subaddress copy"
> >> S: "STARTTLS"
> >> S: "UNAUTHENTICATE"
> >> S: OK
> >> Please enter your password:
> >> C: AUTHENTICATE "PLAIN" {28+}
> >> 
> >> S: OK
> >> Authenticated.
> >> Security strength factor: 0
> >> C: LOGOUT
> >> OK "Logout Complete"
> >> Connection closed.
> >>
> >>
> >>Andy
> >>
> >> On Sun, 20 Nov 2016, Michael Ulitskiy via Info-cyrus wrote:
> >>
> >>> Since nobody answered, I guess, nobody has any idea.
> >>> I wonder if anybody uses this feature and it works for you?
> >>> I mean I'd like to know if that's just me and something is wrong with my 
> >>> setup or may be that feature isn't functional at all?
> >>> Thanks in advance,
> >>>
> >>> Michael
> >>>
> >>> On Thursday, November 17, 2016 06:30:18 PM Michael Ulitskiy via 
> >>> Info-cyrus wrote:
>  Hello,
> 
>  I'm playing with cyrus-imap 2.5.10 and cyrus-sasl 2.1.26.
>  i'm trying to use sieveshell 

Re: Can't authorize as different user in cyradm and sieveshell

2016-11-21 Thread Andrew Morgan via Info-cyrus
Maybe there is something wrong with your saslauthd parameters or PAM 
config?


Here is what I use:

saslauthd -a pam -c -t 300 -m /var/run/saslauthd -n 5

# cat /etc/pam.d/sieve
# PAM configuration file for Cyrus IMAP service

auth    sufficient  pam_ldap.so
auth    required    pam_unix.so

account sufficient  pam_ldap.so
account required    pam_unix.so


(pretty simple!)

In your original email, you showed that you could authenticate as the 
target user successfully.  Can you connect to sieve as the admin user (no 
proxy-auth)?


Thanks,
Andy


On Mon, 21 Nov 2016, Michael Ulitskiy wrote:


Andrew,

Thanks for the reply. It's good to know it works for someone.
I've tried to downgrade cyrus to 2.4.18, but that didn't help.
sivtest doesn't provide much clue:

root@rway-imap-vm:~# sivtest -a proxyadmin -u t...@virtualcrap.com localhost
S: "IMPLEMENTATION" "Cyrus timsieved v2.4.18"
S: "SASL" "PLAIN"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify 
envelope imap4flags relational regex subaddress copy"
S: "UNAUTHENTICATE"
S: OK
Please enter your password:
C: AUTHENTICATE "PLAIN" {48+}

S: NO "Authentication Error"
Authentication failed. generic failure
Security strength factor: 0

while log is saying:
Nov 21 12:01:57 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 
'proxyadmin' granted access
Nov 21 12:01:57 rway-imap-vm sieve[21483]: badlogin: localhost[127.0.0.1] PLAIN 
no mechanism available

the same happens if I use admin user.
i also tried to change to sasl_pwcheck_method to 'alwaystrue' to make sure no 
authentication problems stand in the way, but that also didn't help.
I'm at loss now. Anymore troubleshooting clues?

Thanks,
Michael

On Sunday, November 20, 2016 07:34:58 PM Andrew Morgan wrote:

This works for me under v2.4.18.  I'm able to run sieveshell against a
frontend or backend authenticating as a cyrus "admins" user or a
"proxyservers" user (on the backend).

Against a frontend:

# sieveshell -u morgan -a cyrus imap.onid.oregonstate.edu
connecting to imap.onid.oregonstate.edu
Please enter your password:

list

onid-web
real  <- active script

quit



Against a backend:

# sieveshell -u morgan -a cyr_proxy cyrus-be1.onid.oregonstate.edu
connecting to cyrus-be1.onid.oregonstate.edu
Please enter your password:

list

onid-web
real  <- active script

quit



My imapd.conf settings:

admins: cyrus
allowplaintext: 0
sasl_mech_list: PLAIN
sasl_minimum_layer: 0
sasl_pwcheck_method: saslauthd
sieve_allowreferrals: 0
sieve_allowplaintext: 1


Have you tried using the "sivtest" program?  It will show you the protocol
handshakes, which might help.  Here is an example for me:

# sivtest -u morgan -a cyrus localhost
S: "IMPLEMENTATION" "Cyrus timsieved (Murder) v2.4.18"
S: "SASL" "PLAIN"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags
notify envelope body relational regex subaddress copy"
S: "STARTTLS"
S: "UNAUTHENTICATE"
S: OK
Please enter your password:
C: AUTHENTICATE "PLAIN" {28+}

S: OK
Authenticated.
Security strength factor: 0
C: LOGOUT
OK "Logout Complete"
Connection closed.


Andy

On Sun, 20 Nov 2016, Michael Ulitskiy via Info-cyrus wrote:


Since nobody answered, I guess, nobody has any idea.
I wonder if anybody uses this feature and it works for you?
I mean I'd like to know if that's just me and something is wrong with my setup 
or may be that feature isn't functional at all?
Thanks in advance,

Michael

On Thursday, November 17, 2016 06:30:18 PM Michael Ulitskiy via Info-cyrus 
wrote:

Hello,

I'm playing with cyrus-imap 2.5.10 and cyrus-sasl 2.1.26.
i'm trying to use sieveshell to setup users sieve scripts, but since
i don't know users passwords i want to use a special user for authentication
and authorize as the target user.
Here's what I have.

imapd.conf:
admins: mailadmin
proxyservers: proxyadmin
sasl_pwcheck_method: saslauthd
#sasl_pwcheck_method: alwaystrue
sasl_mech_list: PLAIN
allowplaintext: yes

here's what i do:

root@rway-imap-vm:~# sieveshell -a proxyadmin -u t...@virtualcrap.com localhost
connecting to localhost
Please enter your password:
unable to connect to server at /usr/bin/sieveshell line 191,  line 1.

here's the log:
Nov 17 18:24:44 rway-imap-vm sieve[2256]: TLS is available.
Nov 17 18:24:46 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 
'proxyadmin' granted access
Nov 17 18:24:46 rway-imap-vm sieve[2256]: badlogin: localhost [127.0.0.1] PLAIN 
no mechanism available
Nov 17 18:24:46 rway-imap-vm sieve[2256]: Lost connection to client -- exiting

as you can see user proxyadmin authenticated successfully, but then something 
(authorization?) went wrong
and it says "PLAIN no mechanism available".
this only happens if i try to authorize as different user. if i don't 
everything works fine:

root@rway-imap-vm:~# sieveshell -a t...@virtualcrap.com -u t...@virtualcrap.com 
localhost
connecting to localhost
Please enter your password:




log:
Nov 17 18:24:11 

Re: Can't authorize as different user in cyradm and sieveshell

2016-11-21 Thread Michael Ulitskiy via Info-cyrus
Andrew,

Thanks for the reply. It's good to know it works for someone.
I've tried to downgrade cyrus to 2.4.18, but that didn't help.
sivtest doesn't provide much clue:

root@rway-imap-vm:~# sivtest -a proxyadmin -u t...@virtualcrap.com localhost
S: "IMPLEMENTATION" "Cyrus timsieved v2.4.18"
S: "SASL" "PLAIN"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags 
notify envelope imap4flags relational regex subaddress copy"
S: "UNAUTHENTICATE"
S: OK
Please enter your password: 
C: AUTHENTICATE "PLAIN" {48+}

S: NO "Authentication Error"
Authentication failed. generic failure
Security strength factor: 0

while log is saying:
Nov 21 12:01:57 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 
'proxyadmin' granted access
Nov 21 12:01:57 rway-imap-vm sieve[21483]: badlogin: localhost[127.0.0.1] PLAIN 
no mechanism available

the same happens if I use admin user.
i also tried to change sasl_pwcheck_method to 'alwaystrue' to make sure no
authentication problems stand in the way, but that also didn't help.
I'm at a loss now. Any more troubleshooting clues?

Thanks,
Michael

On Sunday, November 20, 2016 07:34:58 PM Andrew Morgan wrote:
> This works for me under v2.4.18.  I'm able to run sieveshell against a 
> frontend or backend authenticating as a cyrus "admins" user or a 
> "proxyservers" user (on the backend).
> 
> Against a frontend:
> 
> # sieveshell -u morgan -a cyrus imap.onid.oregonstate.edu
> connecting to imap.onid.oregonstate.edu
> Please enter your password:
> > list
> onid-web
> real  <- active script
> > quit
> 
> 
> Against a backend:
> 
> # sieveshell -u morgan -a cyr_proxy cyrus-be1.onid.oregonstate.edu
> connecting to cyrus-be1.onid.oregonstate.edu
> Please enter your password:
> > list
> onid-web
> real  <- active script
> > quit
> 
> 
> My imapd.conf settings:
> 
> admins: cyrus
> allowplaintext: 0
> sasl_mech_list: PLAIN
> sasl_minimum_layer: 0
> sasl_pwcheck_method: saslauthd
> sieve_allowreferrals: 0
> sieve_allowplaintext: 1
> 
> 
> Have you tried using the "sivtest" program?  It will show you the protocol 
> handshakes, which might help.  Here is an example for me:
> 
> # sivtest -u morgan -a cyrus localhost
> S: "IMPLEMENTATION" "Cyrus timsieved (Murder) v2.4.18"
> S: "SASL" "PLAIN"
> S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags 
> notify envelope body relational regex subaddress copy"
> S: "STARTTLS"
> S: "UNAUTHENTICATE"
> S: OK
> Please enter your password:
> C: AUTHENTICATE "PLAIN" {28+}
> 
> S: OK
> Authenticated.
> Security strength factor: 0
> C: LOGOUT
> OK "Logout Complete"
> Connection closed.
> 
> 
>   Andy
> 
> On Sun, 20 Nov 2016, Michael Ulitskiy via Info-cyrus wrote:
> 
> > Since nobody answered, I guess, nobody has any idea.
> > I wonder if anybody uses this feature and it works for you?
> > I mean I'd like to know if that's just me and something is wrong with my 
> > setup or may be that feature isn't functional at all?
> > Thanks in advance,
> >
> > Michael
> >
> > On Thursday, November 17, 2016 06:30:18 PM Michael Ulitskiy via Info-cyrus 
> > wrote:
> >> Hello,
> >>
> >> I'm playing with cyrus-imap 2.5.10 and cyrus-sasl 2.1.26.
> >> i'm trying to use sieveshell to setup users sieve scripts, but since
> >> i don't know users passwords i want to use a special user for 
> >> authentication
> >> and authorize as the target user.
> >> Here's what I have.
> >>
> >> imapd.conf:
> >> admins: mailadmin
> >> proxyservers: proxyadmin
> >> sasl_pwcheck_method: saslauthd
> >> #sasl_pwcheck_method: alwaystrue
> >> sasl_mech_list: PLAIN
> >> allowplaintext: yes
> >>
> >> here's what i do:
> >>
> >> root@rway-imap-vm:~# sieveshell -a proxyadmin -u t...@virtualcrap.com 
> >> localhost
> >> connecting to localhost
> >> Please enter your password:
> >> unable to connect to server at /usr/bin/sieveshell line 191,  line 
> >> 1.
> >>
> >> here's the log:
> >> Nov 17 18:24:44 rway-imap-vm sieve[2256]: TLS is available.
> >> Nov 17 18:24:46 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 
> >> 'proxyadmin' granted access
> >> Nov 17 18:24:46 rway-imap-vm sieve[2256]: badlogin: localhost [127.0.0.1] 
> >> PLAIN no mechanism available
> >> Nov 17 18:24:46 rway-imap-vm sieve[2256]: Lost connection to client -- 
> >> exiting
> >>
> >> as you can see user proxyadmin authenticated successfully, but then 
> >> something (authorization?) went wrong
> >> and it says "PLAIN no mechanism available".
> >> this only happens if i try to authorize as different user. if i don't 
> >> everything works fine:
> >>
> >> root@rway-imap-vm:~# sieveshell -a t...@virtualcrap.com -u 
> >> t...@virtualcrap.com localhost
> >> connecting to localhost
> >> Please enter your password:
> >>>
> >>
> >> log:
> >> Nov 17 18:24:11 rway-imap-vm sieve[2247]: TLS is available.
> >> Nov 17 18:24:15 rway-imap-vm saslauthd[1167]: pam_userdb(sieve:auth): user 
> >> 't...@virtualcrap.com' granted access
> >> Nov 17 18:24:15 rway-imap-vm sieve[2247]: login: 

Re: Can't authorize as different user in cyradm and sieveshell

2016-11-20 Thread Andrew Morgan via Info-cyrus
This works for me under v2.4.18.  I'm able to run sieveshell against a 
frontend or backend authenticating as a cyrus "admins" user or a 
"proxyservers" user (on the backend).


Against a frontend:

# sieveshell -u morgan -a cyrus imap.onid.oregonstate.edu
connecting to imap.onid.oregonstate.edu
Please enter your password:

list

onid-web
real  <- active script

quit



Against a backend:

# sieveshell -u morgan -a cyr_proxy cyrus-be1.onid.oregonstate.edu
connecting to cyrus-be1.onid.oregonstate.edu
Please enter your password:

list

onid-web
real  <- active script

quit



My imapd.conf settings:

admins: cyrus
allowplaintext: 0
sasl_mech_list: PLAIN
sasl_minimum_layer: 0
sasl_pwcheck_method: saslauthd
sieve_allowreferrals: 0
sieve_allowplaintext: 1


Have you tried using the "sivtest" program?  It will show you the protocol 
handshakes, which might help.  Here is an example for me:


# sivtest -u morgan -a cyrus localhost
S: "IMPLEMENTATION" "Cyrus timsieved (Murder) v2.4.18"
S: "SASL" "PLAIN"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags 
notify envelope body relational regex subaddress copy"

S: "STARTTLS"
S: "UNAUTHENTICATE"
S: OK
Please enter your password:
C: AUTHENTICATE "PLAIN" {28+}

S: OK
Authenticated.
Security strength factor: 0
C: LOGOUT
OK "Logout Complete"
Connection closed.


Andy

On Sun, 20 Nov 2016, Michael Ulitskiy via Info-cyrus wrote:


Since nobody answered, I guess, nobody has any idea.
I wonder if anybody uses this feature and it works for you?
I mean I'd like to know if that's just me and something is wrong with my setup 
or may be that feature isn't functional at all?
Thanks in advance,

Michael

On Thursday, November 17, 2016 06:30:18 PM Michael Ulitskiy via Info-cyrus 
wrote:

Hello,

I'm playing with cyrus-imap 2.5.10 and cyrus-sasl 2.1.26.
i'm trying to use sieveshell to setup users sieve scripts, but since
i don't know users passwords i want to use a special user for authentication
and authorize as the target user.
Here's what I have.

imapd.conf:
admins: mailadmin
proxyservers: proxyadmin
sasl_pwcheck_method: saslauthd
#sasl_pwcheck_method: alwaystrue
sasl_mech_list: PLAIN
allowplaintext: yes

Here's what I do:

root@rway-imap-vm:~# sieveshell -a proxyadmin -u t...@virtualcrap.com localhost
connecting to localhost
Please enter your password:
unable to connect to server at /usr/bin/sieveshell line 191,  line 1.

Here's the log:
Nov 17 18:24:44 rway-imap-vm sieve[2256]: TLS is available.
Nov 17 18:24:46 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 
'proxyadmin' granted access
Nov 17 18:24:46 rway-imap-vm sieve[2256]: badlogin: localhost [127.0.0.1] PLAIN 
no mechanism available
Nov 17 18:24:46 rway-imap-vm sieve[2256]: Lost connection to client -- exiting

As you can see, user proxyadmin authenticated successfully, but then something 
(authorization?) went wrong
and it says "PLAIN no mechanism available".
This only happens if I try to authorize as a different user. If I don't, 
everything works fine:

root@rway-imap-vm:~# sieveshell -a t...@virtualcrap.com -u t...@virtualcrap.com 
localhost
connecting to localhost
Please enter your password:




log:
Nov 17 18:24:11 rway-imap-vm sieve[2247]: TLS is available.
Nov 17 18:24:15 rway-imap-vm saslauthd[1167]: pam_userdb(sieve:auth): user 
't...@virtualcrap.com' granted access
Nov 17 18:24:15 rway-imap-vm sieve[2247]: login: localhost [127.0.0.1] 
t...@virtualcrap.com PLAIN User logged in

The same happens to cyradm:
root@rway-imap-vm:~# cyradm --user=proxyadmin --authz=t...@virtualcrap.com 
--auth=plain localhost
Password:
IMAP Password:

log:
Nov 17 18:26:27 rway-imap-vm saslauthd[1166]: pam_userdb(imap:auth): user 
'proxyadmin' granted access
Nov 17 18:26:27 rway-imap-vm imap[2277]: badlogin: localhost [127.0.0.1] PLAIN 
[SASL(-4): no mechanism available: Unable to find a callback: 32773]

But OK without trying to authorize as a different user:
root@rway-imap-vm:~# cyradm --user=t...@virtualcrap.com --auth=plain localhost
Password:
localhost>
Nov 17 18:27:31 rway-imap-vm saslauthd[1167]: pam_userdb(imap:auth): user 
't...@virtualcrap.com' granted access
Nov 17 18:27:31 rway-imap-vm imap[2276]: login: localhost [127.0.0.1] 
t...@virtualcrap.com PLAIN User logged in 
SESSIONID=

Can somebody tell me what I am doing wrong?
Thanks a lot,

Michael


Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
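
Added example, not part of the original thread and not Cyrus code: the SASL PLAIN message (RFC 4616) behind the `AUTHENTICATE "PLAIN"` line in the sivtest output, showing how sieveshell's `-u` (authorization identity) and `-a` (authentication identity) travel as separate fields. The password is constructed, and `may_act_as` is a simplified model of the admins/proxyservers rule described above.

```python
import base64

def build_plain(authzid, authcid, password):
    """Client side: encode [authzid] NUL authcid NUL passwd as base64."""
    fields = (authzid, authcid, password)
    if any("\x00" in f for f in fields):
        raise ValueError("NUL separates the fields and may not occur inside one")
    if not authcid or not password:
        raise ValueError("authcid and passwd must be non-empty")
    return base64.b64encode("\x00".join(fields).encode("utf-8")).decode("ascii")

def parse_plain(b64):
    """Server side: return (authzid, authcid, password).

    An empty authzid means "act as the authenticated user".
    """
    parts = base64.b64decode(b64, validate=True).split(b"\x00")
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError("malformed PLAIN message")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    return (authzid or authcid), authcid, password

def may_act_as(authzid, authcid, admins=(), proxyservers=()):
    """Simplified model (an assumption, not Cyrus's policy code).

    The password is checked against authcid only; this decides whether that
    authenticated identity may then operate as authzid.
    """
    if authzid == authcid:
        return True  # no proxying requested
    return authcid in admins or authcid in proxyservers

# Equivalent of: sieveshell -u morgan -a cyrus <host>   (constructed password)
wire = build_plain("morgan", "cyrus", "constructed-pw")
authzid, authcid, _ = parse_plain(wire)
print(authzid, authcid, may_act_as(authzid, authcid, admins={"cyrus"}))
```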


Re: Can't authorize as different user in cyradm and sieveshell

2016-11-20 Thread Michael Ulitskiy via Info-cyrus
Since nobody answered, I guess, nobody has any idea.
I wonder if anybody uses this feature and it works for you?
I mean I'd like to know if that's just me and something is wrong with my setup 
or maybe that feature isn't functional at all?
Thanks in advance,

Michael

On Thursday, November 17, 2016 06:30:18 PM Michael Ulitskiy via Info-cyrus 
wrote:
> Hello,
> 
> I'm playing with cyrus-imap 2.5.10 and cyrus-sasl 2.1.26.
> I'm trying to use sieveshell to set up users' sieve scripts, but since 
> I don't know users' passwords I want to use a special user for authentication
> and authorize as the target user.
> Here's what I have.
> 
> imapd.conf:
> admins: mailadmin
> proxyservers: proxyadmin
> sasl_pwcheck_method: saslauthd
> #sasl_pwcheck_method: alwaystrue
> sasl_mech_list: PLAIN
> allowplaintext: yes
> 
> Here's what I do:
> 
> root@rway-imap-vm:~# sieveshell -a proxyadmin -u t...@virtualcrap.com 
> localhost
> connecting to localhost
> Please enter your password: 
> unable to connect to server at /usr/bin/sieveshell line 191,  line 1.
> 
> Here's the log:
> Nov 17 18:24:44 rway-imap-vm sieve[2256]: TLS is available.
> Nov 17 18:24:46 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 
> 'proxyadmin' granted access
> Nov 17 18:24:46 rway-imap-vm sieve[2256]: badlogin: localhost [127.0.0.1] 
> PLAIN no mechanism available
> Nov 17 18:24:46 rway-imap-vm sieve[2256]: Lost connection to client -- exiting
> 
> As you can see, user proxyadmin authenticated successfully, but then something 
> (authorization?) went wrong 
> and it says "PLAIN no mechanism available". 
> This only happens if I try to authorize as a different user. If I don't, 
> everything works fine:
> 
> root@rway-imap-vm:~# sieveshell -a t...@virtualcrap.com -u 
> t...@virtualcrap.com localhost
> connecting to localhost
> Please enter your password: 
> > 
> 
> log:
> Nov 17 18:24:11 rway-imap-vm sieve[2247]: TLS is available.
> Nov 17 18:24:15 rway-imap-vm saslauthd[1167]: pam_userdb(sieve:auth): user 
> 't...@virtualcrap.com' granted access
> Nov 17 18:24:15 rway-imap-vm sieve[2247]: login: localhost [127.0.0.1] 
> t...@virtualcrap.com PLAIN User logged in
> 
> The same happens to cyradm:
> root@rway-imap-vm:~# cyradm --user=proxyadmin --authz=t...@virtualcrap.com 
> --auth=plain localhost
> Password: 
> IMAP Password: 
> 
> log:
> Nov 17 18:26:27 rway-imap-vm saslauthd[1166]: pam_userdb(imap:auth): user 
> 'proxyadmin' granted access
> Nov 17 18:26:27 rway-imap-vm imap[2277]: badlogin: localhost [127.0.0.1] 
> PLAIN [SASL(-4): no mechanism available: Unable to find a callback: 32773]
> 
> But OK without trying to authorize as a different user:
> root@rway-imap-vm:~# cyradm --user=t...@virtualcrap.com --auth=plain localhost
> Password: 
> localhost> 
> Nov 17 18:27:31 rway-imap-vm saslauthd[1167]: pam_userdb(imap:auth): user 
> 't...@virtualcrap.com' granted access
> Nov 17 18:27:31 rway-imap-vm imap[2276]: login: localhost [127.0.0.1] 
> t...@virtualcrap.com PLAIN User logged in 
> SESSIONID=
> 
> Can somebody tell me what I am doing wrong?
> Thanks a lot,
> 
> Michael