Discussion:
imapd is not talking to saslauthd
Michael Rüger
2018-01-30 22:06:41 UTC
Hi

(BTW, I was Guest39278 on IRC yesterday and got the chance to introduce myself on googletalk)

I’m trying to set up imapd to use saslauthd for authentication.

I already have a running saslauthd which uses PAM. I can run this:

***@cyrus3:/ # testsaslauthd -u mike -p mike
0: OK "Success."

and if I run

***@cyrus3:/ # testsaslauthd -u mike -p abc
0: NO "authentication failed"

I get this logged in auth.log:

Jan 30 21:43:53 cyrus3 saslauthd[88721]: do_auth : auth failure: [user=mike] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]

In imapd.conf I have

sasl_pwcheck_method: saslauthd

Now I authenticate against imapd:

***@cyrus3:~ # imtest -t "" -u mike -a mike -w mike localhost
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM SASL-IR] cyrus3.intern.rueger.me Cyrus IMAP 3.0.5 server ready
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
verify error:num=18:self signed certificate
TLS connection established: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SEARCH=FUZZY SORT SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES THREAD=REFS ANNOTATEMORE ANNOTATE-EXPERIMENT-1 METADATA LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS LIST-METADATA WITHIN QRESYNC SCAN XLIST XMOVE MOVE SPECIAL-USE CREATE-SPECIAL-USE DIGEST=SHA1 X-REPLICATION URLAUTH URLAUTH=BINARY AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE
S: C01 OK Completed
C: A01 AUTHENTICATE SCRAM-SHA-1 bixhPW1pa2Usbj1taWtlLHI9Z2Z1Ukp1cVc1Z1BybHhaWTdFcjVYUDR2WUtuMVhRNHc=
S: A01 NO authentication failure
Authentication failed. generic failure
Security strength factor: 256

Nothing is reported in auth.conf

If I do this

***@cyrus3:~ # saslpasswd2 -c ***@cyrus3.intern.rueger.me

<entering "mike" twice here>
***@cyrus3:~ # imtest -t "" -u mike -a mike -w mike localhost
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM SASL-IR] cyrus3.intern.rueger.me Cyrus IMAP 3.0.5 server ready
C: S01 STARTTLS


Authenticated.
Security strength factor: 256

it works against the local db BUT NOT against saslauthd.

How do I set up imapd to talk to saslauthd?

BTW I'm using
* cyrus-imapd30-3.0.5
* cyrus-sasl-2.1.26_13
* cyrus-sasl-saslauthd-2.1.26_3
on FreeBSD 11.1

Thank you for any help,
Mike
Ken Murchison
2018-01-30 22:23:20 UTC
Hi Michael,

What are the permissions on the socket that saslauthd is listening on?
--
Ken Murchison
Cyrus Development Team
FastMail US LLC
Michael Rüger
2018-01-30 22:25:44 UTC
***@cyrus3:~ # ls -la /var/run/saslauthd/
total 13
drwxr-x--- 2 cyrus saslauth 5 Jan 30 21:40 .
drwxr-xr-x 6 root wheel 15 Jan 30 21:40 ..
srwxrwxrwx 1 root saslauth 0 Jan 30 21:40 mux
-rw------- 1 root saslauth 0 Jan 30 21:40 mux.accept
-rw------- 1 root saslauth 6 Jan 30 21:40 saslauthd.pid
Michael Rüger
2018-01-30 22:34:05 UTC
Ken, thank you for jumping in!

Some more info: the apps run as the following users and groups:

***@cyrus3:~ # ps aux
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 88686 0.0 0.0 10500 2044 - SsJ 21:40 0:00.02 /usr/sbin/syslogd -s
root 88717 0.0 0.1 43928 4360 - IsJ 21:40 0:00.01 /usr/local/sbin/saslauthd -a pam
root 88718 0.0 0.1 43928 4360 - IJ 21:40 0:00.01 /usr/local/sbin/saslauthd -a pam
root 88720 0.0 0.1 43928 4276 - IJ 21:40 0:00.00 /usr/local/sbin/saslauthd -a pam
root 88721 0.0 0.1 43928 4360 - IJ 21:40 0:00.01 /usr/local/sbin/saslauthd -a pam
root 88722 0.0 0.1 43928 4276 - IJ 21:40 0:00.00 /usr/local/sbin/saslauthd -a pam
cyrus 88724 0.0 0.1 65504 5884 - SsJ 21:40 0:00.07 /usr/local/cyrus/libexec/master -d

***@cyrus3:~ # su - cyrus
% id
uid=60(cyrus) gid=60(cyrus) groups=60(cyrus),1003(saslauth)
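Ken's question about the socket permissions and the listing above show what matters: testsaslauthd was run as root, and root is not subject to the search permission on /var/run/saslauthd or the write permission on the mux socket that the cyrus user is. The check a practitioner wants is the same exchange from the cyrus user. Below is an added example, not code from the thread or from Cyrus: a client that speaks the saslauthd mux wire protocol libsasl2 uses (four counted strings: login, password, service, realm; one counted "OK ..." / "NO ..." reply), a permission pre-check for the current uid, and a constructed stand-in daemon so the exchange can be run offline. The path, the credentials in the demo and the stand-in daemon are assumptions.

```python
"""
Added example: saslauthd mux client plus a constructed stand-in server.
Wire format (Cyrus SASL lib/checkpw.c, saslauthd ipc_unix.c): the client sends
four counted strings, each a 16-bit big-endian length followed by the bytes
(login, password, service, realm); the server answers with one counted string
starting with "OK" or "NO".
"""
import os
import socket
import struct
import threading

DEFAULT_MUX = "/var/run/saslauthd/mux"   # libsasl2 default: saslauthd run dir + "/mux"


def _counted(s):
    data = s.encode("utf-8")
    return struct.pack("!H", len(data)) + data


def build_request(user, password, service="imap", realm=""):
    """Serialize one request exactly as libsasl2 does."""
    return b"".join(_counted(f) for f in (user, password, service, realm))


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        buf += chunk
    return buf


def _read_counted(sock):
    (n,) = struct.unpack("!H", _recv_exact(sock, 2))
    return _recv_exact(sock, n).decode("utf-8", "replace")


def exchange(sock, user, password, service="imap", realm=""):
    """Client side on a connected socket. Returns (ok, reply_text)."""
    sock.sendall(build_request(user, password, service, realm))
    reply = _read_counted(sock)
    return reply.startswith("OK"), reply


def query_saslauthd(user, password, service="imap", realm="", path=DEFAULT_MUX):
    """Talk to the real daemon. Run it as the cyrus user (su - cyrus), not as
    root: root bypasses the directory-search and socket-write checks imapd is
    subject to, which is why testsaslauthd run as root proves little."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        return exchange(s, user, password, service, realm)


def socket_reachable(path=DEFAULT_MUX):
    """For the current uid, the two permissions connect(2) needs on a Unix
    socket: search (x) on the directory and write (w) on the socket file.
    Returns a list of problems (empty means reachable)."""
    problems = []
    rundir = os.path.dirname(path)
    if not os.access(rundir, os.X_OK):
        problems.append("no search permission on " + rundir)
    if not os.path.exists(path):
        problems.append(path + " does not exist (is saslauthd running?)")
    elif not os.access(path, os.W_OK):
        problems.append("no write permission on " + path)
    return problems


def fake_saslauthd_serve_one(sock, accounts):
    """Constructed stand-in for saslauthd: reads one request, answers OK/NO."""
    user, password, service, realm = (_read_counted(sock) for _ in range(4))
    if accounts.get(user) == password:
        sock.sendall(_counted('OK "Success."'))
    else:
        sock.sendall(_counted('NO "authentication failed"'))


def offline_demo(user, password):
    """One exchange over a socketpair against the stand-in; returns (ok, reply)."""
    accounts = {"mike": "mike"}   # constructed credentials matching the thread
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_saslauthd_serve_one, args=(server, accounts))
    t.start()
    try:
        return exchange(client, user, password)
    finally:
        t.join()
        client.close()
        server.close()


if __name__ == "__main__":
    print(offline_demo("mike", "mike"))   # (True, 'OK "Success."')
    print(offline_demo("mike", "abc"))    # (False, 'NO "authentication failed"')
```

On the host itself, `su - cyrus` and then call `socket_reachable()` followed by `query_saslauthd("mike", "mike")`: a successful reply from the cyrus uid rules out the socket as the problem, and the corresponding do_auth line in auth.log confirms the daemon was reached. With the listing above (directory cyrus:saslauth 750, socket world-writable, cyrus in group saslauth) both checks should pass.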
Ken Murchison
2018-01-30 22:41:51 UTC
Hmm.

I just switched my dev box to using saslauthd and it just worked. I'm sure your problem is something simple, but it's escaping me at the moment.

When imtest fails, what is logged in the Cyrus IMAP log (wherever local6 is logged)?
Michael Rüger
2018-01-30 23:03:45 UTC
Struggled with enabling local6. The trick was to touch the new syslog output file before restarting syslog with this new line:

local6.* /var/log/local6


***@cyrus3:/var/log # cat local6
Jan 30 22:59:51 cyrus3 imap[90156]: accepted connection
Jan 30 22:59:51 cyrus3 imap[90156]: accepted connection
Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() incomplete -> wait
Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() incomplete -> wait
Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() succeeded -> done
Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() succeeded -> done
Jan 30 22:59:51 cyrus3 imap[90156]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
Jan 30 22:59:51 cyrus3 imap[90156]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
Jan 30 22:59:51 cyrus3 imap[90156]: SASL unable to canonify user and get auxprops
Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
Jan 30 22:59:51 cyrus3 imap[90156]: SASL unable to canonify user and get auxprops
Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210] SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get auxprops]
Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210] SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get auxprops]
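The local6 lines above carry the diagnosis: "SASL no user in db" and "unable to canonify user and get auxprops" are an auxprop (sasldb) lookup failing, and the mechanism named in the badlogin line is SCRAM-SHA-1. That is a property of Cyrus SASL the thread does not spell out: saslauthd only ever receives a plaintext password, so only PLAIN and LOGIN can be verified through it, while CRAM-MD5, DIGEST-MD5, SCRAM-SHA-1 and NTLM need the stored secret from an auxprop plugin regardless of sasl_pwcheck_method. The following is an added example, not code from the thread: a small triage over the log excerpt above that names the failed mechanism and the backend it can use, and a decoder for the SCRAM client-first message imtest sent (the base64 from the transcript), which shows that no password travels in it. The log lines and base64 string are the thread's own, embedded as sample input; the mechanism sets and the regex are assumptions.

```python
"""
Added example: triage of Cyrus IMAP local6 lines for a failed AUTHENTICATE,
plus a decoder for the SCRAM client-first message. Sample input is copied
from the thread above.
"""
import base64
import re

# Cyrus SASL behaviour: saslauthd can only verify a plaintext password, so only
# these mechanisms ever reach it; the shared-secret ones need an auxprop secret.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
SHARED_SECRET_MECHS = {"CRAM-MD5", "DIGEST-MD5", "SCRAM-SHA-1", "NTLM"}

SAMPLE_LOG = """\
Jan 30 22:59:51 cyrus3 imap[90156]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
Jan 30 22:59:51 cyrus3 imap[90156]: SASL unable to canonify user and get auxprops
Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210] SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get auxprops]
"""

# The initial response imtest sent with "A01 AUTHENTICATE SCRAM-SHA-1" above.
SAMPLE_CLIENT_FIRST = "bixhPW1pa2Usbj1taWtlLHI9Z2Z1Ukp1cVc1Z1BybHhaWTdFcjVYUDR2WUtuMVhRNHc="

BADLOGIN_RE = re.compile(r"badlogin: \[(?P<ip>[^\]]+)\] (?P<mech>\S+) \[(?P<detail>.*)\]$")
AUXPROP_MISS = ("SASL no user in db", "unable to canonify user and get auxprops")


def parse_scram_client_first(b64):
    """Decode an AUTHENTICATE SCRAM-SHA-* initial response (RFC 5802):
    gs2-header "," client-first-message-bare, e.g. "n,a=mike,n=mike,r=<nonce>".
    There is no password in it: the server must already hold the SCRAM secret."""
    msg = base64.b64decode(b64).decode("utf-8")
    cbind, authzid, bare = msg.split(",", 2)
    fields = dict(kv.split("=", 1) for kv in bare.split(","))
    return {
        "channel_binding": cbind,
        "authzid": authzid[2:] if authzid.startswith("a=") else None,
        "username": fields["n"],
        "client_nonce": fields["r"],
    }


def triage(log, pwcheck_method):
    """Find the failed mechanism in a local6 excerpt and report which password
    backend that mechanism can use, given the configured sasl_pwcheck_method."""
    mech = ip = detail = None
    auxprop_miss = False
    for line in log.splitlines():
        if any(marker in line for marker in AUXPROP_MISS):
            auxprop_miss = True
        m = BADLOGIN_RE.search(line)
        if m:
            mech, ip, detail = m["mech"], m["ip"], m["detail"]
    if mech in SHARED_SECRET_MECHS:
        backend = "auxprop"          # sasldb or another auxprop plugin, never saslauthd
    elif mech in PLAINTEXT_MECHS:
        backend = pwcheck_method     # this is the only path that reaches saslauthd
    else:
        backend = None
    return {
        "mech": mech,
        "ip": ip,
        "detail": detail,
        "auxprop_miss": auxprop_miss,
        "backend": backend,
        "saslauthd_consulted": backend == "saslauthd",
    }


if __name__ == "__main__":
    print(parse_scram_client_first(SAMPLE_CLIENT_FIRST))
    print(triage(SAMPLE_LOG, "saslauthd"))
```

For the excerpt above, triage reports mech SCRAM-SHA-1, backend auxprop and saslauthd_consulted False, which is the same conclusion as "Cyrus is not even trying to use saslauthd": imtest picks the strongest mechanism the server advertises, and that mechanism cannot be served by saslauthd. The practitioner's check is to force the plaintext path after STARTTLS, `imtest -t "" -m PLAIN -u mike -a mike -w mike localhost`, and then look for the do_auth line in auth.log; if it appears, imapd and saslauthd are talking.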
Ken Murchison
2018-01-30 23:09:03 UTC
Has Cyrus IMAP been restarted since switching to saslauthd? It doesn't look like Cyrus is even trying to use saslauthd.
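Ken's observation that Cyrus does not appear to be contacting saslauthd matches the log: the client negotiated SCRAM-SHA-1, and saslauthd can only verify plaintext passwords, so PLAIN and LOGIN are the only mechanisms that ever reach it. The fragment below is an added example of what a saslauthd-backed imapd.conf needs, not a configuration from the thread; the option names are real Cyrus IMAP / Cyrus SASL options, the values are assumptions for this host.

```text
# imapd.conf (added example)
sasl_pwcheck_method: saslauthd

# Only mechanisms that hand the server a plaintext password can be verified by
# saslauthd. Shared-secret mechanisms (CRAM-MD5, DIGEST-MD5, SCRAM-SHA-1) need a
# secret from an auxprop plugin and fail with "unable to canonify user and get
# auxprops" when none is there; do not advertise them on a saslauthd-only host.
sasl_mech_list: PLAIN LOGIN

# Keep cleartext mechanisms off the wire until STARTTLS has completed. The
# transcript above (LOGINDISABLED, no AUTH=PLAIN before STARTTLS) shows this is
# already in effect.
allowplaintext: no

# Only if saslauthd -m put the socket somewhere other than the default. Note this
# is the full path of the mux socket, not the run directory.
#sasl_saslauthd_path: /var/run/saslauthd/mux
```

imapd reads imapd.conf when its processes start, so the restart Ken asks about is required after the change; afterwards `imtest -t "" -m PLAIN -u mike -a mike -w mike localhost` should produce a do_auth line from saslauthd in auth.log.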
Michael Rüger
2018-01-30 23:31:25 UTC
Yes, Ken. The whole jail is freshly fired up. Yes, it seems that imapd is not calling saslauthd at all. I wondered if saslauthd support is even compiled in.

But if I understand the architecture correctly (and please correct me if I'm wrong), imapd is using the SASL lib, and the SASL lib should have saslauthd support compiled in. As far as I can see this is configured by HAVE_SASLAUTHD. I have compiled the cyrus-sasl lib myself to verify that

config.h:#define HAVE_SASLAUTHD /**/

is enabled and

***@cyrus3:/usr/ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.26/ # strings /usr/local/lib/libsasl2.so | grep saslauthd
saslauthd_path
/var/run/saslauthd
cannot create socket for saslauthd: %m
cannot connect to saslauthd server: %m

gives me confidence that it is compiled in.

I also tried to "dtrace" into imapd, but had no success. FreeBSD's dtrace has some problems inside a jail.

So I guess I'm missing something tiny but important ;)

Thx again for your support.
Mike
Has Cyrus IMAP been restarted since switching to saslauthd? It doesn't look like Cyrus is even trying to use saslauthd.
Post by Michael Rüger
Struggled with enabling local6. The trick was to touch the new syslog output file before restarting syslog with this new line
local6.* /var/log/local6
Jan 30 22:59:51 cyrus3 imap[90156]: accepted connection
Jan 30 22:59:51 cyrus3 imap[90156]: accepted connection
Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() incomplete -> wait
Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() incomplete -> wait
Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() succeeded -> done
Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() succeeded -> done
Jan 30 22:59:51 cyrus3 imap[90156]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
Jan 30 22:59:51 cyrus3 imap[90156]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
Jan 30 22:59:51 cyrus3 imap[90156]: SASL unable to canonify user and get auxprops
Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
Jan 30 22:59:51 cyrus3 imap[90156]: SASL unable to canonify user and get auxprops
Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210] SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get auxprops]
Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210] SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get auxprops]
Hmm.
I just switched my dev box to using saslauthd and it just worked. I'm sure your problem is something simple, but its escaping me at the moment.
When imtest fails, what is logged in the Cyrus IMAP log (wherever local6 is logged)
Post by Michael Rüger
Ken, thank you for jumping in!
Some more info: the apps run as the following users and groups
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 88686 0.0 0.0 10500 2044 - SsJ 21:40 0:00.02 /usr/sbin/syslogd -s
root 88717 0.0 0.1 43928 4360 - IsJ 21:40 0:00.01 /usr/local/sbin/saslauthd -a pam
root 88718 0.0 0.1 43928 4360 - IJ 21:40 0:00.01 /usr/local/sbin/saslauthd -a pam
root 88720 0.0 0.1 43928 4276 - IJ 21:40 0:00.00 /usr/local/sbin/saslauthd -a pam
root 88721 0.0 0.1 43928 4360 - IJ 21:40 0:00.01 /usr/local/sbin/saslauthd -a pam
root 88722 0.0 0.1 43928 4276 - IJ 21:40 0:00.00 /usr/local/sbin/saslauthd -a pam
cyrus 88724 0.0 0.1 65504 5884 - SsJ 21:40 0:00.07 /usr/local/cyrus/libexec/master -d
% id
uid=60(cyrus) gid=60(cyrus) groups=60(cyrus),1003(saslauth)
Post by Michael Rüger
total 13
drwxr-x--- 2 cyrus saslauth 5 Jan 30 21:40 .
drwxr-xr-x 6 root wheel 15 Jan 30 21:40 ..
srwxrwxrwx 1 root saslauth 0 Jan 30 21:40 mux
-rw------- 1 root saslauth 0 Jan 30 21:40 mux.accept
-rw------- 1 root saslauth 6 Jan 30 21:40 saslauthd.pid
Post by Ken Murchison
Hi Michael,
What are the permissions on the socket that saslauthd is listening on?
Ken Murchison
2018-01-30 23:39:02 UTC
Permalink
Your understanding is correct. Can you run saslauthd with the -d (debug) command line option and see if it sheds any light?
Post by Michael Rüger
Yes, Ken. The whole jail is freshly fired up. Yes, it seems that imapd is not calling saslauthd at all. I wondered if saslauthd support is even compiled in.
But if I understand the architecture correctly (and please correct me if I'm wrong), imap is using the sasl lib, and the sasl lib should have saslauthd support compiled in. This is, as far as I can see, configured by HAVE_SASLAUTHD. I have compiled the cyrus-sasl lib myself to verify that
config.h:#define HAVE_SASLAUTHD /**/
is enabled and
strings /usr/local/lib/libsasl2.so | grep saslauthd
saslauthd_path
/var/run/saslauthd
cannot create socket for saslauthd: %m
cannot connect to saslauthd server: %m
gives me confidence that it is compiled in.
I also tried to „dtrace“ into imapd, but had no success. FreeBSD’s dtrace has some problems inside a jail.
So I guess I miss something tiny but important ;)
Thx again for your support.
Mike
Post by Ken Murchison
Has Cyrus IMAP been restarted since switching to saslauthd? It doesn't look like Cyrus is even trying to use saslauthd.
Post by Michael Rüger
Struggled with enabling local6. The trick was to touch the new syslog output file before restarting syslog with this new line
local6.*   /var/log/local6
Jan 30 22:59:51 cyrus3 imap[90156]: accepted connection
Jan 30 22:59:51 cyrus3 imap[90156]: accepted connection
Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() incomplete -> wait
Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() incomplete -> wait
Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() succeeded -> done
Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() succeeded -> done
Jan 30 22:59:51 cyrus3 imap[90156]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
Jan 30 22:59:51 cyrus3 imap[90156]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
Jan 30 22:59:51 cyrus3 imap[90156]: SASL unable to canonify user and get auxprops
Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
Jan 30 22:59:51 cyrus3 imap[90156]: SASL unable to canonify user and get auxprops
Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210] SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get auxprops]
Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210] SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get auxprops]
--
Ken Murchison
Cyrus Development Team
FastMail US LLC
Michael Rüger
2018-01-30 23:51:14 UTC
Permalink
After enabling debug, restarting saslauthd and retriggering imtest, saslauthd gets no request.

***@cyrus3:/etc # /usr/local/etc/rc.d/saslauthd restart
Stopping saslauthd.
Waiting for PIDS: 88717.
Starting saslauthd.
saslauthd[90858] :main : num_procs : 5
saslauthd[90858] :main : mech_option: NULL
saslauthd[90858] :main : run_path : /var/run/saslauthd
saslauthd[90858] :main : auth_mech : pam
saslauthd[90858] :ipc_init : using accept lock file: /var/run/saslauthd/mux.accept
saslauthd[90858] :detach_tty : master pid is: 0
saslauthd[90858] :ipc_init : listening on socket: /var/run/saslauthd/mux
saslauthd[90858] :main : using process model
saslauthd[90858] :have_baby : forked child: 90859
saslauthd[90859] :get_accept_lock : acquired accept lock
saslauthd[90858] :have_baby : forked child: 90860
saslauthd[90858] :have_baby : forked child: 90861
saslauthd[90858] :have_baby : forked child: 90862
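The -d run above shows saslauthd idle on /var/run/saslauthd/mux, while Ken's earlier question was whether that socket is reachable from the cyrus user at all. As an added example (not code from this thread or from Cyrus SASL), the client below speaks the mux protocol that testsaslauthd and libsasl2's saslauthd method use, so the connect-and-verify step can be repeated as whatever user the IMAP server runs as: the request is four 16-bit big-endian length-prefixed strings (login, password, service, realm), the answer one length-prefixed string beginning with OK or NO. A socket that cannot be opened is reported separately from a rejected password. The in-process fake daemon, its account table and the reply strings are constructed so the script runs offline.

```python
"""Client for the saslauthd mux socket protocol plus a fake daemon for an
offline run. Constructed example for this thread, not Cyrus SASL code.

Wire format (what testsaslauthd and libsasl2's saslauthd pwcheck method use):
  client -> daemon: 4 x (uint16 big-endian length + bytes): login, password, service, realm
  daemon -> client: 1 x (uint16 big-endian length + text), text starting "OK" or "NO"
"""
import os
import socket
import struct
import tempfile
import threading

# Socket path shown by "saslauthd -d" in the thread (run_path + "/mux").
DEFAULT_MUX = "/var/run/saslauthd/mux"


def _pack(text):
    data = text.encode("utf-8")
    if len(data) > 0xFFFF:
        raise ValueError("field does not fit the 16-bit length prefix")
    return struct.pack("!H", len(data)) + data


def encode_request(login, password, service="imap", realm=""):
    """Serialize one request; service "imap" and an empty realm match the
    [service=imap] [realm=] fields in the thread's auth.log line."""
    return b"".join(_pack(x) for x in (login, password, service, realm))


def _read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed in the middle of a message")
        buf += chunk
    return buf


def _read_string(sock):
    (n,) = struct.unpack("!H", _read_exact(sock, 2))
    return _read_exact(sock, n).decode("utf-8", "replace")


def decode_reply(text):
    """Map the daemon's text to (accepted, text); anything else is a protocol error."""
    if text.startswith("OK"):
        return True, text
    if text.startswith("NO"):
        return False, text
    raise ValueError("unexpected saslauthd reply: %r" % text)


def query_saslauthd(login, password, service="imap", realm="", path=DEFAULT_MUX):
    """Verify a plaintext password through the daemon.

    Returns (True, msg) / (False, msg) for the daemon's verdict, or
    (None, reason) when the socket cannot be reached at all, so a permission
    problem on the mux directory reads differently from a bad password.
    """
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        sock.connect(path)
    except OSError as exc:  # EACCES, ENOENT, ECONNREFUSED, ...
        sock.close()
        return None, "cannot connect to %s: %s" % (path, exc)
    with sock:
        sock.sendall(encode_request(login, password, service, realm))
        return decode_reply(_read_string(sock))


def start_fake_saslauthd(path, accounts):
    """Bind a listening socket at `path` and answer exactly one request from a
    background thread. `accounts` maps login -> password (constructed data)."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)

    def serve_once():
        conn, _ = srv.accept()
        with srv, conn:
            login, password, _service, _realm = [_read_string(conn) for _ in range(4)]
            verdict = 'OK "Success."' if accounts.get(login) == password else 'NO "authentication failed"'
            conn.sendall(_pack(verdict))

    thread = threading.Thread(target=serve_once, daemon=True)
    thread.start()
    return thread


def demo():
    """Good password, wrong password, then a socket that is not there.
    Returns the three (accepted, message) results."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "mux")
    accounts = {"mike": "mike"}  # constructed; mirrors the thread's test user
    results = []
    for candidate in ("mike", "abc"):
        thread = start_fake_saslauthd(path, accounts)
        results.append(query_saslauthd("mike", candidate, path=path))
        thread.join()
        os.unlink(path)
    results.append(query_saslauthd("mike", "mike", path=path))  # nothing listening now
    os.rmdir(workdir)
    return results


if __name__ == "__main__":
    for accepted, message in demo():
        print(accepted, message)
```

Against a real daemon, run it as the cyrus user with query_saslauthd("mike", "...", path=DEFAULT_MUX): a (None, ...) result points at the socket or the permissions of its directory, a (False, ...) result at the PAM side.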
Ken Murchison
2018-01-31 00:29:32 UTC
Permalink
OK. Major brain fart, since I'm trying to do 5 things at once. saslauthd will only be used for verifying plaintext passwords -- meaning it's only used for plaintext authentication methods. Your imtest is trying to use SCRAM by default.

Add '-m plain' to your imtest and see what happens.

If you want to do your auth using only PAM, you will have to disable non-plaintext SASL mechs for Cyrus. Add the following to imapd.conf:

sasl_mech_list: PLAIN LOGIN
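Ken's rule above, that saslauthd only ever verifies a plaintext password, is what the "SASL no user in db" lines were saying: SCRAM needs the stored secret from an auxprop store, which a PAM-backed saslauthd cannot supply. As an added example (not Cyrus code), the script below models which mechanisms each sasl_pwcheck_method setting can back and runs that check over the imapd.conf line and the local6 excerpt from this thread. The mechanism names are assumed to be the ones in the server's CAPABILITY line rather than everything libsasl2 can load; the config and log samples are copied from the thread.

```python
"""Which SASL mechanisms a given sasl_pwcheck_method can actually serve, checked
against imapd.conf and the imap log lines from this thread.

Constructed example for this thread, not Cyrus code. It encodes the rule in
Ken's reply: saslauthd (and PAM behind it) only verifies a plaintext password,
so only PLAIN and LOGIN can be backed by it; SCRAM/CRAM/DIGEST/NTLM need the
stored secret, i.e. an auxprop store such as sasldb. The mechanism names are
an assumption taken from the thread's CAPABILITY line.
"""
import re
from collections import namedtuple

PLAINTEXT = frozenset({"PLAIN", "LOGIN"})
SHARED_SECRET = frozenset({"SCRAM-SHA-1", "CRAM-MD5", "DIGEST-MD5", "NTLM"})

# imapd's badlogin line: badlogin: [client] MECH [SASL(code): reason]
BADLOGIN = re.compile(
    r"badlogin: \[(?P<client>[^\]]+)\] (?P<mech>\S+) "
    r"\[SASL\((?P<code>-?\d+)\): (?P<reason>[^\]]*)\]"
)

Finding = namedtuple("Finding", "client mech reason advice")


def parse_imapd_conf(text):
    """imapd.conf is one 'key: value' per line with '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip()] = value.strip()
    return conf


def pwcheck_methods(conf):
    """sasl_pwcheck_method may list several methods; auxprop is libsasl2's default."""
    return frozenset(conf.get("sasl_pwcheck_method", "auxprop").split())


def mech_serviceable(mech, methods):
    """Plaintext mechs work with any verifier; shared-secret mechs need auxprop."""
    mech = mech.upper()
    if mech in PLAINTEXT:
        return bool(methods)
    if mech in SHARED_SECRET:
        return "auxprop" in methods
    return False  # unknown mechanism: treat as not serviceable


def offered_but_unserviceable(conf):
    """Mechanisms the server would advertise that no configured verifier can back.
    Without sasl_mech_list the server offers everything it has, modelled here
    as the six names above."""
    methods = pwcheck_methods(conf)
    offered = conf.get("sasl_mech_list", "").upper().split() or sorted(PLAINTEXT | SHARED_SECRET)
    return [m for m in offered if not mech_serviceable(m, methods)]


def diagnose_log(log_text, conf):
    """Turn badlogin lines into findings when the failing mech cannot be served.
    Duplicate lines (imapd logged each one twice in the thread) collapse to one."""
    methods = pwcheck_methods(conf)
    seen = {}
    for line in log_text.splitlines():
        m = BADLOGIN.search(line)
        if not m or mech_serviceable(m.group("mech"), methods):
            continue
        key = (m.group("client"), m.group("mech"), m.group("reason"))
        if key not in seen:
            advice = ("%s needs a stored secret but sasl_pwcheck_method is '%s'; "
                      "use a plaintext mech (imtest -m plain) or set "
                      "sasl_mech_list: PLAIN LOGIN, or add auxprop/sasldb"
                      % (m.group("mech"), " ".join(sorted(methods))))
            seen[key] = Finding(*key, advice)
    return list(seen.values())


# Constructed from the thread: the one-line imapd.conf and the local6 excerpt.
CONF_FROM_THREAD = "sasl_pwcheck_method: saslauthd\n"
CONF_FIXED = "sasl_pwcheck_method: saslauthd\nsasl_mech_list: PLAIN LOGIN\n"
LOG_FROM_THREAD = """\
Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
Jan 30 22:59:51 cyrus3 imap[90156]: SASL unable to canonify user and get auxprops
Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210] SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get auxprops]
Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210] SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get auxprops]
"""

if __name__ == "__main__":
    for label, text in (("as posted", CONF_FROM_THREAD), ("with sasl_mech_list", CONF_FIXED)):
        print(label, "-> unserviceable:", offered_but_unserviceable(parse_imapd_conf(text)))
    for f in diagnose_log(LOG_FROM_THREAD, parse_imapd_conf(CONF_FROM_THREAD)):
        print(f.client, f.mech, f.reason, "::", f.advice)
```

The same check with "sasl_pwcheck_method: auxprop saslauthd" reports nothing, because a combined setup can serve both kinds of mechanism once the user exists in sasldb.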
Michael Rüger
2018-01-31 22:41:16 UTC
Permalink
Hello Ken,

thank you very much. Adding „-m plain“ did it.

Now I also get that mechs enabled through sasl_mech_list must be supported by the backing auth providers.

Thx again for your support.

BTW I’m very pleased that cyrus still has such an active and supportive community. I’m convinced that I have picked the right dovecot successor for me :-)

Mike
OK. Major brain fart, since I'm trying to do 5 things at once. saslauthd will only be using for verifying plaintext passwords -- meaning its only used for plaintext authentication methods. Your imtest is trying to use SCRAM by default.
Add '-m plain' to your imtest and see what happens.
sasl_mech_list: PLAIN LOGIN
Post by Michael Rüger
After enabling debug and restarting saslauthd and retrigger imtest, saslauthd gets no request.
Stopping saslauthd.
Waiting for PIDS: 88717.
Starting saslauthd.
saslauthd[90858] :main : num_procs : 5
saslauthd[90858] :main : mech_option: NULL
saslauthd[90858] :main : run_path : /var/run/saslauthd
saslauthd[90858] :main : auth_mech : pam
saslauthd[90858] :ipc_init : using accept lock file: /var/run/saslauthd/mux.accept
saslauthd[90858] :detach_tty : master pid is: 0
saslauthd[90858] :ipc_init : listening on socket: /var/run/saslauthd/mux
saslauthd[90858] :main : using process model
saslauthd[90858] :have_baby : forked child: 90859
saslauthd[90859] :get_accept_lock : acquired accept lock
saslauthd[90858] :have_baby : forked child: 90860
saslauthd[90858] :have_baby : forked child: 90861
saslauthd[90858] :have_baby : forked child: 90862
You're understanding is correct. Can you run saslauthd with the -d (debug) command line option and see if it sheds any light?
Post by Michael Rüger
Yes, Ken. The whole jail is freshly fired up. Yes it seems that imapd is not calling saslauthd at all. I wondered if saslauthd support is even compiled in.
But if i understand the architecture correctly (and please correct me if i’m wrong), imap is using the sasl lib, and the sasl lib should have saslauthd support compiled in. This is as far as i can see configured by HAVE_SASLAUTHD. I have compiled the cyrus-sasl lib myself to verify that
config.h:#define HAVE_SASLAUTHD /**/
is enabled and
saslauthd_path
/var/run/saslauthd
cannot create socket for saslauthd: %m
cannot connect to saslauthd server: %m
gives me confidence that it is compiled in.
I also tried to „dtrace“ into imapd, but had no success. FreeBSD’s dtrace has some problems inside a jail.
So i guess i miss something tiny but important ;)
Thx again for your support.
Mike
Has Cyrus IMAP been restarted since switching to saslauthd? It doesn't look like Cyrus is even trying to use saslauthd.
Post by Michael Rüger
Struggled with enabling local6. The trick was to touch the new syslog output file before restarting syslog with this new line
local6.* /var/log/local6
Jan 30 22:59:51 cyrus3 imap[90156]: accepted connection
Jan 30 22:59:51 cyrus3 imap[90156]: accepted connection
Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() incomplete -> wait
Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() incomplete -> wait
Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() succeeded -> done
Jan 30 22:59:51 cyrus3 imap[90156]: SSL_accept() succeeded -> done
Jan 30 22:59:51 cyrus3 imap[90156]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
Jan 30 22:59:51 cyrus3 imap[90156]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
Jan 30 22:59:51 cyrus3 imap[90156]: SASL unable to canonify user and get auxprops
Jan 30 22:59:51 cyrus3 imap[90156]: SASL no user in db
Jan 30 22:59:51 cyrus3 imap[90156]: SASL unable to canonify user and get auxprops
Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210] SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get auxprops]
Jan 30 22:59:51 cyrus3 imap[90156]: badlogin: [192.168.178.210] SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get auxprops]
Hmm.
I just switched my dev box to using saslauthd and it just worked. I'm sure your problem is something simple, but its escaping me at the moment.
When imtest fails, what is logged in the Cyrus IMAP log (wherever local6 is logged)
Post by Michael Rüger
Ken, thank you for jumping in!
Some more info: the apps run as the following users and groups
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 88686 0.0 0.0 10500 2044 - SsJ 21:40 0:00.02 /usr/sbin/syslogd -s
root 88717 0.0 0.1 43928 4360 - IsJ 21:40 0:00.01 /usr/local/sbin/saslauthd -a pam
root 88718 0.0 0.1 43928 4360 - IJ 21:40 0:00.01 /usr/local/sbin/saslauthd -a pam
root 88720 0.0 0.1 43928 4276 - IJ 21:40 0:00.00 /usr/local/sbin/saslauthd -a pam
root 88721 0.0 0.1 43928 4360 - IJ 21:40 0:00.01 /usr/local/sbin/saslauthd -a pam
root 88722 0.0 0.1 43928 4276 - IJ 21:40 0:00.00 /usr/local/sbin/saslauthd -a pam
cyrus 88724 0.0 0.1 65504 5884 - SsJ 21:40 0:00.07 /usr/local/cyrus/libexec/master -d
% id
uid=60(cyrus) gid=60(cyrus) groups=60(cyrus),1003(saslauth)
Post by Michael Rüger
total 13
drwxr-x--- 2 cyrus saslauth 5 Jan 30 21:40 .
drwxr-xr-x 6 root wheel 15 Jan 30 21:40 ..
srwxrwxrwx 1 root saslauth 0 Jan 30 21:40 mux
-rw------- 1 root saslauth 0 Jan 30 21:40 mux.accept
-rw------- 1 root saslauth 6 Jan 30 21:40 saslauthd.pid
Post by Ken Murchison
Hi Michael,
What are the permissions on the socket that saslauthd is listening on?
Post by Michael Rüger
Hi
(btw, I was Guest39278 on IRC yesterday and got the chance to introduce myself on Google Talk)
I'm trying to set up imapd to use saslauthd for authentication.
I already have a running saslauthd which uses PAM. I can run this
0: OK "Success."
and if I run
0: NO "authentication failed"
I get that logged in auth.log like this
Jan 30 21:43:53 cyrus3 saslauthd[88721]: do_auth : auth failure: [user=mike] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
In imapd.conf i have
sasl_pwcheck_method: saslauthd
Now I'm authenticating against imapd
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM SASL-IR] cyrus3.intern.rueger.me Cyrus IMAP 3.0.5 server ready
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
verify error:num=18:self signed certificate
TLS connection established: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SEARCH=FUZZY SORT SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES THREAD=REFS ANNOTATEMORE ANNOTATE-EXPERIMENT-1 METADATA LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS LIST-METADATA WITHIN QRESYNC SCAN XLIST XMOVE MOVE SPECIAL-USE CREATE-SPECIAL-USE DIGEST=SHA1 X-REPLICATION URLAUTH URLAUTH=BINARY AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE
S: C01 OK Completed
C: A01 AUTHENTICATE SCRAM-SHA-1 bixhPW1pa2Usbj1taWtlLHI9Z2Z1Ukp1cVc1Z1BybHhaWTdFcjVYUDR2WUtuMVhRNHc=
S: A01 NO authentication failure
Authentication failed. generic failure
Security strength factor: 256
Nothing is reported in auth.conf
If I do this

<entering „mike“ twice here>
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM SASL-IR] cyrus3.intern.rueger.me Cyrus IMAP 3.0.5 server ready
C: S01 STARTTLS


Authenticated.
Security strength factor: 256
it is working against local db BUT NOT against saslauthd.
How do I set up imapd to talk to saslauthd?
BTW I'm using
* cyrus-imapd30-3.0.5
* cyrus-sasl-2.1.26_13
* cyrus-sasl-saslauthd-2.1.26_3
on FreeBSD 11.1
Thank you for any help,
Mike
--
Ken Murchison
Cyrus Development Team
FastMail US LLC
<murch.vcf>
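An added check (not from the thread or from the Cyrus project) for the failure the log lines at the top of this message describe. saslauthd can only answer "is this plaintext password right for this user?", so it is consulted only by the plaintext mechanisms PLAIN and LOGIN. A shared-secret mechanism such as the SCRAM-SHA-1 that imtest picked never contacts saslauthd: libsasl has to fetch the user's secret from an auxprop store (sasldb, LDAP, SQL) and, when no store knows the user, logs exactly "SASL no user in db" / "unable to canonify user and get auxprops". The script below takes a CAPABILITY line (shortened from the post-STARTTLS one in the thread) and an imapd.conf fragment, and reports which offered mechanisms can reach saslauthd at all. The two config fragments are constructed; `sasl_mech_list` and `allowplaintext` are real imapd.conf options, but the "fixed" fragment is this example's suggestion, not something the thread arrived at.

```python
"""Audit which advertised SASL mechanisms can be verified by saslauthd.

saslauthd answers exactly one question: is this plaintext password correct
for this user?  Only mechanisms that deliver the plaintext password to the
server (PLAIN, LOGIN) can therefore be routed to it.  Shared-secret
mechanisms (SCRAM-*, DIGEST-MD5, CRAM-MD5, NTLM) never contact saslauthd:
libsasl must fetch the user's secret from an auxprop store and fails with
"no user in db / unable to canonify user and get auxprops" otherwise.
"""
import re

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
AUTH_RE = re.compile(r"\bAUTH=([A-Za-z0-9_-]+)")

# Constructed sample: the post-STARTTLS CAPABILITY line from the thread, shortened.
CAPABILITY_AFTER_TLS = (
    "* CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 "
    "AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE IDLE"
)

# Constructed imapd.conf fragments: the one setting from the thread, and a
# corrected fragment that only offers what saslauthd can verify (assumption:
# this is the fix this example proposes, not one taken from the thread).
CONF_POSTED = "sasl_pwcheck_method: saslauthd\n"
CONF_FIXED = (
    "sasl_pwcheck_method: saslauthd\n"
    "# offer only mechanisms that hand the server a plaintext password\n"
    "sasl_mech_list: PLAIN LOGIN\n"
    "# plaintext credentials may only cross the wire inside TLS\n"
    "allowplaintext: no\n"
)


def advertised_mechs(capability_line):
    """AUTH=... mechanisms from an IMAP greeting or CAPABILITY line, in server order."""
    return AUTH_RE.findall(capability_line)


def parse_imapd_conf(text):
    """Minimal imapd.conf reader: 'option: value' lines, '#' comments, no continuations."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def offered_mechs(advertised, conf):
    """Apply sasl_mech_list: when it is set, only the listed mechanisms are offered."""
    wanted = conf.get("sasl_mech_list")
    if not wanted:
        return list(advertised)
    allowed = {m.upper() for m in wanted.split()}
    return [m for m in advertised if m.upper() in allowed]


def audit(capability_line, conf_text):
    """Split the offered mechanisms by which backend has to verify them."""
    conf = parse_imapd_conf(conf_text)
    methods = conf.get("sasl_pwcheck_method", "").split()
    offered = offered_mechs(advertised_mechs(capability_line), conf)
    via_saslauthd = [m for m in offered if m.upper() in PLAINTEXT_MECHS]
    needs_auxprop = [m for m in offered if m.upper() not in PLAINTEXT_MECHS]
    # Dead end: saslauthd is the only configured verifier, yet shared-secret
    # mechanisms are still offered, and SASL clients prefer those over PLAIN.
    broken = methods == ["saslauthd"] and bool(needs_auxprop)
    return {
        "pwcheck_method": methods,
        "offered": offered,
        "via_saslauthd": via_saslauthd,
        "needs_auxprop": needs_auxprop,
        "broken": broken,
    }


if __name__ == "__main__":
    for name, conf in (("posted", CONF_POSTED), ("fixed", CONF_FIXED)):
        r = audit(CAPABILITY_AFTER_TLS, conf)
        print(name, "BROKEN" if r["broken"] else "ok",
              "| via saslauthd:", r["via_saslauthd"],
              "| needs auxprop:", r["needs_auxprop"])
```

With the posted configuration the audit flags SCRAM-SHA-1, DIGEST-MD5, CRAM-MD5 and NTLM as mechanisms that will never produce a saslauthd request; with `sasl_mech_list: PLAIN LOGIN` only the two plaintext mechanisms remain, and because they are offered only after STARTTLS (the greeting in the thread already shows LOGINDISABLED before TLS) the password stays inside the TLS session. For a quick manual test without changing the config, `imtest -m PLAIN` forces the plaintext mechanism so that the request actually reaches saslauthd.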
Dan White
2018-01-31 14:44:03 UTC
Permalink
Post by Michael Rüger
total 13
drwxr-x--- 2 cyrus saslauth 5 Jan 30 21:40 .
drwxr-xr-x 6 root wheel 15 Jan 30 21:40 ..
srwxrwxrwx 1 root saslauth 0 Jan 30 21:40 mux
-rw------- 1 root saslauth 0 Jan 30 21:40 mux.accept
-rw------- 1 root saslauth 6 Jan 30 21:40 saslauthd.pid
I’m trying to set up imapd to use saslauthd for authentication.
I have already a running saslauthd which uses PAM. I can run this
0: OK "Success."
Michael,

A permissions issue with saslauthd is typically on the containing
directory. Try:

ls -ld /var/run/saslauthd

And adjust permissions or group membership. Try running testsaslauthd as
the cyrus user to verify permissions.
Post by Michael Rüger
After enabling debug, restarting saslauthd and re-running imtest, saslauthd gets no request.
Stopping saslauthd.
Waiting for PIDS: 88717.
Starting saslauthd.
saslauthd[90858] :main : num_procs : 5
saslauthd[90858] :main : mech_option: NULL
saslauthd[90858] :main : run_path : /var/run/saslauthd
saslauthd[90858] :main : auth_mech : pam
saslauthd[90858] :ipc_init : using accept lock file: /var/run/saslauthd/mux.accept
saslauthd[90858] :detach_tty : master pid is: 0
saslauthd[90858] :ipc_init : listening on socket: /var/run/saslauthd/mux
saslauthd[90858] :main : using process model
saslauthd[90858] :have_baby : forked child: 90859
saslauthd[90859] :get_accept_lock : acquired accept lock
saslauthd[90858] :have_baby : forked child: 90860
saslauthd[90858] :have_baby : forked child: 90861
saslauthd[90858] :have_baby : forked child: 90862
If not a permissions issue, then you may need to explicitly configure the
path to the mux in imapd.conf with:

sasl_saslauthd_path: /var/run/saslauthd/mux

But this is unlikely if testsaslauthd has knowledge of the correct mux
location.
--
Dan White
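An added example (not from the thread or from the Cyrus project) that makes the permission check in the reply above mechanical. Connecting to a UNIX-domain socket needs search (x) permission on every directory in the path and write (w) permission on the socket itself, and the permission classes are exclusive: the owner gets only the owner bits, a non-owner in the group gets only the group bits, everyone else the other bits. The constructed `POSTED_CHAIN` reproduces the directory listing and the `id` output in the thread (uid 60, groups 60 and 1003); the parent directories `/`, `/var` and `/var/run` are assumed to be 0755 root:wheel, which the listing does not show in full. `check_user` applies the same logic to a real path and a named local user.

```python
"""Can a given user reach saslauthd's mux socket?

connect(2) on a UNIX-domain socket needs search (x) permission on every
directory along the path and write (w) permission on the socket itself.
Permission bits are exclusive, not cumulative: the owner is judged by the
owner bits alone, a group member by the group bits alone, anyone else by
the other bits.  So a 0777 socket inside a 0750 directory owned by
root:saslauth is unreachable for a user outside saslauth, and a 0050
directory owned by cyrus is unreachable for cyrus even though cyrus is in
its group.
"""
import os
import stat

# Constructed sample reproducing the listing in the thread.  uid/gid values
# come from the poster's `id` output; the parent directories are an
# assumption (0755 root:wheel) since the listing only shows `..`.
CYRUS_UID, CYRUS_GIDS = 60, {60, 1003}          # cyrus, groups cyrus + saslauth
POSTED_CHAIN = [
    ("/",                      stat.S_IFDIR | 0o755, 0, 0),
    ("/var",                   stat.S_IFDIR | 0o755, 0, 0),
    ("/var/run",               stat.S_IFDIR | 0o755, 0, 0),
    ("/var/run/saslauthd",     stat.S_IFDIR | 0o750, 60, 1003),   # drwxr-x--- cyrus saslauth
    ("/var/run/saslauthd/mux", stat.S_IFSOCK | 0o777, 0, 1003),   # srwxrwxrwx root saslauth
]


def applicable_bits(mode, uid, gid, user_uid, user_gids):
    """The (read, write, search) bits that apply to user_uid/user_gids for one object."""
    if user_uid == 0:
        return True, True, True          # root bypasses discretionary access checks
    if uid == user_uid:
        shift = 6                        # owner class
    elif gid in user_gids:
        shift = 3                        # group class
    else:
        shift = 0                        # other class
    bits = (mode >> shift) & 0o7
    return bool(bits & 4), bool(bits & 2), bool(bits & 1)


def can_connect(chain, user_uid, user_gids):
    """chain: (path, st_mode, st_uid, st_gid) per path component, socket last.
    Returns (ok, reason); the reason names the first component that blocks access."""
    *dirs, (sock, smode, suid, sgid) = chain
    for path, mode, uid, gid in dirs:
        if not applicable_bits(mode, uid, gid, user_uid, user_gids)[2]:
            return False, "no search permission on %s (mode %o, owner %d:%d)" % (
                path, stat.S_IMODE(mode), uid, gid)
    if not stat.S_ISSOCK(smode):
        return False, "%s is not a socket" % sock
    if not applicable_bits(smode, suid, sgid, user_uid, user_gids)[1]:
        return False, "no write permission on socket %s (mode %o, owner %d:%d)" % (
            sock, stat.S_IMODE(smode), suid, sgid)
    return True, "ok"


def stat_chain(sock_path):
    """Build the chain for a real path with os.stat (follows symlinks, as connect does)."""
    path = os.path.abspath(sock_path)
    chain, cur = [], os.sep
    st = os.stat(cur)
    chain.append((cur, st.st_mode, st.st_uid, st.st_gid))
    for part in path.split(os.sep)[1:]:
        cur = os.path.join(cur, part)
        st = os.stat(cur)
        chain.append((cur, st.st_mode, st.st_uid, st.st_gid))
    return chain


def check_user(sock_path, user):
    """Evaluate a real socket path for a named local user (primary + supplementary groups)."""
    import grp
    import pwd
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return can_connect(stat_chain(sock_path), pw.pw_uid, gids)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print(check_user(sys.argv[1], sys.argv[2]))   # e.g. /var/run/saslauthd/mux cyrus
    else:
        print(can_connect(POSTED_CHAIN, CYRUS_UID, CYRUS_GIDS))
```

Run as `python3 muxperm.py /var/run/saslauthd/mux cyrus` on the server (file name assumed). For the listing in the thread the check passes: cyrus owns the 0750 directory and the socket is 0777, which is consistent with the sasl_saslauthd_path hint being the next thing to look at rather than permissions. The live confirmation is still the one suggested above, testsaslauthd run as the cyrus user (on FreeBSD something like `su -m cyrus -c 'testsaslauthd -u mike -p mike'`), since that exercises the real connect(2).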