Sorry, I need your help. I spend a lot of hours with my cyrus server, but I sill have no idea how to solve my problem.
I cannot authenticate. I installed cyrus21-admin cyrus21-common, cyrus21-imapd, sasl2-bin on a debian system. I want to set up an autentification via sasldb, cause it seems to be the easiest way. I changed the permission of /etc/sasldb2 to cyrus. I set up imapd.conf ################# # Debian Cyrus imapd.conf # See imapd.conf(5) for more information and more options # Configuration directory configdirectory: /var/lib/cyrus # Which partition to use for default mailboxes defaultpartition: default partition-default: /var/spool/cyrus/mail # News setup partition-news: /var/spool/cyrus/news newsspool: /var/spool/news # Alternate namespace # If enabled, activate the alternate namespace as documented in # /usr/share/doc/cyrus2-common/html/altnamespace.html, where an user's # subfolders are in the same level as the INBOX altnamespace: no # UNIX Hierarchy Convention # Set to yes, and cyrus will accept dots in names, and use the forward # slash "/" to delimit levels of the hierarchy. This is done by converting # internally all dots to "^", and all "/" to dots. So the "rabbit.holes" # mailbox of user "helmer.fudd" is stored in "user.elmer^fud.rabbit^holes" # # WARNING: This option does NOT apply to admin tools such as cyradm # (admins ONLY), reconstruct, quota, etc., NOR does it affect LMTP delivery # of messages directly to mailboxes via plus-addressing. # See also userprefix and sharedprefix on imapd.conf(5) unixhierarchysep: no # Munging illegal characters in headers # Headers of RFC2882 messages must not have characters with the 8th bit # set. However, too many badly-written MUAs generate this, including most # spamware. Disable this if you want Cyrus to leave the crappage untouched # and you don't care that IMAP SEARCH won't work right anymore. #munge8bit: no # Forcing recipient user to lowercase # Cyrus 2.1 is case-sensitive. If all your mail users are in lowercase, it is # probably a very good idea to set lmtp_downcase_rcpt to true. The default is # to assume the user knows what he is doing, and not downcase anything. #lmtp_downcase_rcpt: yes # Uncomment the following and add the space-separated users who # have admin rights for all services. admins: cyrus # Space-separated list of users that have lmtp "admin" status (i.e. that # can deliver email through TCP/IP lmtp) in addition to those in the # admins: entry above #lmtp_admins: postman # Space-separated list of users that have mupdate "admin" status, in # addition to those in the admins: entry above. Note that mupdate slaves and # backends in a Murder cluster need to autenticate against the mupdate master # as admin users. #mupdate_admins: mupdateman # Space-separated list of users that have imapd "admin" status, in # addition to those in the admins: entry above #imap_admins: cyrus # Space-separated list of users that have sieve "admin" status, in # addition to those in the admins: entry above #sieve_admins: cyrus # List of users and groups that are allowed to proxy for other users, # seperated by spaces. Any user listed in this will be allowed to login # for any other user. Like "admins:" above, you can have imap_proxyservers # and sieve_proxyservers. #proxyservers: cyrus # No anonymous logins allowanonymouslogin: no # Minimum time between POP mail fetches in minutes popminpoll: 1 # If nonzero, normal users may create their own IMAP accounts by creating # the mailbox INBOX. The user's quota is set to the value if it is positive, # otherwise the user has unlimited quota. autocreatequota: 0 # umask used by Cyrus programs umask: 077 # Sendmail binary location (used by sieve) #sendmail: /usr/sbin/sendmail # If enabled, cyrdeliver will look for Sieve scripts in user's home # directories: ~user/.sieve. sieveusehomedir: false # If sieveusehomedir is false, this directory is searched for Sieve scripts. sievedir: /var/spool/sieve # notifyd(8) method to use for "MAIL" notifications. If not set, "MAIL" # notifications are disabled. Valid methods are: null, log, zephyr #mailnotifier: zephyr # notifyd(8) method to use for "SIEVE" notifications. If not set, "SIEVE" # notifications are disabled. This method is only used when no method is # specified in the script. Valid methods are null, log, zephyr, mailto #sievenotifier: zephyr # DRAC (pop-before-smtp, imap-before-smtp) support # Set dracinterval to the time in minutes to call DRAC while a user is # connected to the imap/pop services. Set to 0 to disable DRAC (default) # Set drachost to the host where the rpc drac service is running #dracinterval: 0 #drachost: localhost # If enabled, the partitions will also be hashed, in addition to the hashing # done on configuration directories. This is recommended if one partition has a # very bushy mailbox tree. hashimapspool: true # Allow plaintext logins by default (SASL PLAIN) allowplaintext: yes # Force PLAIN/LOGIN authentication only # (you need to uncomment this if you are not using an auxprop-based SASL # mechanism. saslauthd users, that means you!). And pay attention to # sasl_minimum_layer below, too. #sasl_mech_list: PLAIN # The minimum SSF that the server will allow a client to negotiate. A # value of 1 requires integrity protection; any higher value requires some # amount of encryption. #sasl_minimum_layer: 0 # The maximum SSF that the server will allow a client to negotiate. A # value of 1 requires integrity protection; any higher value requires some # amount of encryption. #sasl_maximum_layer: 256 # List of remote realms whose users may log in using cross-realm # authentications. Seperate each realm name by a space. A cross-realm # identity is considered any identity returned by SASL with an "@" in it. #loginrealms: # # SASL library options (these are handled directly by the SASL libraries, # refer to SASL documentation for an up-to-date list of these) # # The mechanism(s) used by the server to verify plaintext passwords. Possible # values are "saslauthd", "auxprop", "pwcheck" and "alwaystrue". They # are tried in order, you can specify more than one, separated by spaces. # # Do note that, since sasl will be run as user cyrus, you may have a lot of # trouble to set this up right. sasl_pwcheck_method: auxprob # What auxpropd plugins to load, if using sasl_pwcheck_method: auxprop # by default, all plugins are tried (which is probably NOT what you want). sasl_auxprop_plugin: sasldb # If enabled, the SASL library will automatically create authentication secrets # when given a plaintext password. Refer to SASL documentation sasl_auto_transition: no # # SSL/TLS Options # # File containing the global certificate used for ALL services (imap, pop3, # lmtp, sieve) #tls_cert_file: /etc/ssl/certs/cyrus-global.pem # File containing the private key belonging to the global server certificate. #tls_key_file: /etc/ssl/private/cyrus-global.key # File containing the certificate used for imap. If not specified, the global # certificate is used. A value of "disabled" will disable SSL/TLS for imap. #tls_imap_cert_file: /etc/ssl/certs/cyrus-imap.pem # File containing the private key belonging to the imap-specific server # certificate. If not specified, the global private key is used. A value of # "disabled" will disable SSL/TLS for imap. #tls_imap_key_file: /etc/ssl/private/cyrus-imap.key # File containing the certificate used for pop3. If not specified, the global # certificate is used. A value of "disabled" will disable SSL/TLS for pop3. #tls_pop3_cert_file: /etc/ssl/certs/cyrus-pop3.pem # File containing the private key belonging to the pop3-specific server # certificate. If not specified, the global private key is used. A value of # "disabled" will disable SSL/TLS for pop3. #tls_pop3_key_file: /etc/ssl/private/cyrus-pop3.key # File containing the certificate used for lmtp. If not specified, the global # certificate is used. A value of "disabled" will disable SSL/TLS for lmtp. #tls_lmtp_cert_file: /etc/ssl/certs/cyrus-lmtp.pem # File containing the private key belonging to the lmtp-specific server # certificate. If not specified, the global private key is used. A value of # "disabled" will disable SSL/TLS for lmtp. #tls_lmtp_key_file: /etc/ssl/private/cyrus-lmtp.key # File containing the certificate used for sieve. If not specified, the global # certificate is used. A value of "disabled" will disable SSL/TLS for sieve. #tls_sieve_cert_file: /etc/ssl/certs/cyrus-sieve.pem # File containing the private key belonging to the sieve-specific server # certificate. If not specified, the global private key is used. A value of # "disabled" will disable SSL/TLS for sieve. #tls_sieve_key_file: /etc/ssl/private/cyrus-sieve.key # File containing one or more Certificate Authority (CA) certificates. #tls_ca_file: /etc/ssl/certs/cyrus-imapd-ca.pem # Path to directory with certificates of CAs. tls_ca_path: /etc/ssl/certs # The length of time (in minutes) that a TLS session will be cached for later # reuse. The maximum value is 1440 (24 hours), the default. A value of 0 will # disable session caching. tls_session_timeout: 1440 # The list of SSL/TLS ciphers to allow. The format of the string is described # in ciphers(1). THIS DISABLES THE WEAK 'FOR EXPORT' CRAP! tls_cipher_list: TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH # Require a client certificate for ALL services (imap, pop3, lmtp, sieve). #tls_require_cert: false # Require a client certificate for imap ONLY. #tls_imap_require_cert: false # Require a client certificate for pop3 ONLY. #tls_pop3_require_cert: false # Require a client certificate for lmtp ONLY. #tls_lmtp_require_cert: false # Require a client certificate for sieve ONLY. #tls_sieve_require_cert: false # # Cyrus Murder cluster configuration # # Set the following options to the values needed for this server to # autenticate against the mupdate master server: # mupdate_server # mupdate_port # mupdate_username # mupdate_authname # mupdate_realm # mupdate_password # mupdate_retry_delay ## ## KEEP THESE IN SYNC WITH cyrus.conf ## # Unix domain socket that lmtpd listens on. lmtpsocket: /var/run/cyrus/socket/lmtp # Unix domain socket that idled listens on. idlesocket: /var/run/cyrus/socket/idle # Unix domain socket that the new mail notification daemon listens on. notifysocket: /var/run/cyrus/socket/notify ## ## DEBUGGING ## # Debugging hook. See /usr/share/doc/cyrus21-common/README.Debian.debug # Keep the hook disabled when it is not in use # # gdb Back-traces #debug_command: /usr/bin/gdb -batch -cd=/tmp -x /usr/lib/cyrus/get-backtrace.gdb /usr/lib/cyrus/bin/%s %d >/tmp/gdb-backtrace.cyrus.%1$s.%2$d <&- 2>&1 & # # system-call traces #debug_command: /usr/bin/strace -tt -o /tmp/strace.cyrus.%s.%d -p %2$d <&- 2>&1 & # # library traces #debug_command: /usr/bin/ltrace -tt -n 2 -o /tmp/ltrace.cyrus.%s.%d -p %2$d <&- 2>&1 & ############################################ I used saslpasswd2 to create user cyrus. sasldblistuser2 lists all users. imtest can connect to the server. But I cannot login with cyradm. ################################## peter@server:~$ su cyrus Password: cyrus@server:/home/peter$ cyradm cyradm> connect localhost ##################### nothing happens, until I hit return for 3 times ############### server: localhost: cannot authenticate ################ My auth.log ########### Feb 4 00:37:45 server cyrus/imapd[9996]: OTP unavailable because can't read/wri te key database /etc/opiekeys: No such file or directory Feb 4 00:37:45 server cyrus/imapd[9996]: DIGEST-MD5 server step 1 Feb 4 00:37:45 server perl: DIGEST-MD5 client step 2 Feb 4 00:38:01 server PAM_unix[9997]: (cron) session opened for user mail by (u id=0) Feb 4 00:38:01 server PAM_unix[9997]: (cron) session closed for user mail Feb 4 00:39:20 server cyrus/imapd[9996]: DIGEST-MD5 server step 2 Feb 4 00:39:20 server cyrus/imapd[9996]: client response doesn't match what we generated Feb 4 00:39:23 server perl: NTLM client step 1 Feb 4 00:39:23 server cyrus/imapd[9996]: NTLM server step 1 Feb 4 00:39:23 server perl: NTLM client step 2 Feb 4 00:39:23 server perl: No worthy mechs found Feb 4 00:41:30 server su[10029]: + pts/0 cyrus-root Feb 4 00:41:30 server PAM_unix[10029]: (su) session opened for user root by pet er(uid=101) ######################## here my syslog: #################### Feb 4 00:36:56 server cyrus/master[9983]: about to exec /usr/lib/cyrus/bin/lmtpd Feb 4 00:36:56 server cyrus/lmtpunix[9983]: executed Feb 4 00:36:56 server cyrus/lmtpd[9983]: telling master 2 Feb 4 00:36:56 server cyrus/master[9921]: service lmtpunix now has 0 workers Feb 4 00:36:56 server cyrus/lmtpd[9983]: accepted connection Feb 4 00:36:56 server cyrus/lmtpd[9983]: telling master 3 Feb 4 00:36:56 server cyrus/master[9921]: service lmtpunix now has 0 workers Feb 4 00:36:56 server cyrus/lmtpd[9983]: lmtp connection preauth'd as postman Feb 4 00:36:56 server cyrus/lmtpd[9983]: telling master 1 Feb 4 00:36:56 server cyrus/master[9921]: service lmtpunix now has 1 workers Feb 4 00:37:35 server wu-ftpd[9971]: FTP session closed Feb 4 00:37:45 server cyrus/master[9996]: about to exec /usr/lib/cyrus/bin/imapd Feb 4 00:37:45 server cyrus/imap[9996]: executed Feb 4 00:37:45 server cyrus/imapd[9996]: telling master 2 Feb 4 00:37:45 server cyrus/master[9921]: service imap now has 0 workers Feb 4 00:37:45 server cyrus/imapd[9996]: accepted connection Feb 4 00:37:45 server cyrus/imapd[9996]: telling master 3 Feb 4 00:37:45 server cyrus/master[9921]: service imap now has 0 workers Feb 4 00:37:56 server cyrus/lmtpd[9983]: telling master 2 Feb 4 00:37:56 server cyrus/master[9921]: service lmtpunix now has 0 workers Feb 4 00:37:56 server cyrus/master[9921]: process 9983 exited, status 0 Feb 4 00:38:01 server /USR/SBIN/CRON[9998]: (mail) CMD ( if [ -x /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi) Feb 4 00:39:20 server cyrus/imapd[9996]: badlogin: localhost[127.0.0.1] DIGEST-MD5 [SASL(-13): authentication failure: client response doesn't match what we generated] Feb 4 00:41:09 server cyrus/imapd[9996]: telling master 1 Feb 4 00:41:09 server cyrus/master[9921]: service imap now has 1 workers Feb 4 00:42:09 server cyrus/imapd[9996]: telling master 2 Feb 4 00:42:09 server cyrus/master[9921]: service imap now has 0 workers Feb 4 00:42:09 server cyrus/master[9921]: process 9996 exited, status 0 ########################################## When I login with imtest: ####################### cyrus@server:/var/log$ imtest localhost S: * OK server Cyrus IMAP4 v2.1.11-Debian-8 server ready C: C01 CAPABILITY S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=NTLM AUTH=DIGEST-MD5 AUTH=CRAM-MD5 LISTEXT LIST-SUBSCRIBED ANNOTATEMORE S: C01 OK Completed C: A01 AUTHENTICATE DIGEST-MD5 S: + a lot of caracters Please enter your password: C: a lot of caracters S: + a lot of caracters C: S: A01 OK Success (privacy protection) Authenticated. Security strength factor: 128 ################################### So for me it seems, imtest is OK. What can I do. What is my mistake. I thank you for your help!!!!! Greetings Peter
