Another strange thing. The encrypted passwords would not be a problem if
I could get TLS working, I could auth with *login_sasl_server* but even
though exim appears to be advertising STARTTLS none of the MUA clients
I've tested recognise the TLS. (Thunderbird and Outlook 2013)
When I use swaks to test the connection I get:
root@vm-manager:~# swaks -a -tls -q HELO -s
chemainus.mjbrownloos.com -au hire -ap '<>'
=== Trying chemainus.mjbrownloos.com:25...
=== Connected to chemainus.mjbrownloos.com.
<- 220 blmail.chemainus.mjbrownloos.com ESMTP Exim 4.80 Wed, 19 Feb
2014 20:57:30 -0800
-> EHLO vm-manager.chemaimus.tracker-software.com
<- 250-blmail.chemainus.mjbrownloos.com Hello
vm-manager.chemaimus.tracker-software.com [192.168.4.254]
<- 250-SIZE 52428800
<- 250-8BITMIME
<- 250-PIPELINING
<- 250-STARTTLS
<- 250 HELP
-> STARTTLS
<- 220 TLS go ahead
=== TLS started w/ cipher DHE-RSA-AES256-SHA
=== TLS peer subject DN="/C=CA/ST=British Columbia/L=Chemainus/O=MJ
Brown Ltd/OU=Brown Loos/CN=blmail.chemainus.mjbrownloos.com"
~> EHLO vm-manager.chemaimus.tracker-software.com
<~ 250-blmail.chemainus.mjbrownloos.com Hello
vm-manager.chemaimus.tracker-software.com [192.168.4.254]
<~ 250-SIZE 52428800
<~ 250-8BITMIME
<~ 250-PIPELINING
<~ 250-AUTH DIGEST-MD5
<~ 250 HELP
~> QUIT
<~ 221 blmail.chemainus.mjbrownloos.com closing connection
=== Connection closed with remote host.
So why would clients not be able to use TLS? Auto-config in both
clients returns with no TLS options.
Confused but determined to get there...
*Paul O'Rorke* Tracker Software Products p...@tracker-software.com
<mailto:paul.oro...@tracker-software.com>
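An added example (not part of the original message, and not code from swaks or Exim): a small Python parser for a swaks transcript like the one above. It reports which EHLO keywords the server offers before and after STARTTLS and whether AUTH appears only inside TLS. The function names and the sample transcript are constructed for illustration.

```python
import re
# Constructed sample in swaks notation: "<-"/"->" are cleartext, "<~"/"~>" are
# inside TLS; a line with no marker is a mail-wrapped continuation line.
SAMPLE = """\
-> EHLO client.example
<- 250-mail.example Hello
client.example [192.0.2.10]
<- 250-STARTTLS
<- 250 HELP
-> STARTTLS
<- 220 TLS go ahead
~> EHLO client.example
<~ 250-mail.example Hello client.example [192.0.2.10]
<~ 250-AUTH DIGEST-MD5
<~ 250 HELP
"""
MARKER = re.compile(r"^\s*(<-|->|<~|~>|===|\*\*\*) ?(.*)$")
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # these send the password itself

def ehlo_capabilities(transcript):
    """Return EHLO keywords seen before TLS ('clear') and inside it ('tls')."""
    records = []
    for line in transcript.splitlines():
        m = MARKER.match(line)
        if m:
            records.append([m.group(1), m.group(2)])
        elif records and line.strip():      # rejoin a wrapped line
            records[-1][1] += " " + line.strip()
    caps, state = {"clear": [], "tls": []}, None
    for marker, text in records:
        if marker in ("->", "~>"):          # client command
            state = "greeting" if text.upper().startswith("EHLO") else None
        elif marker in ("<-", "<~") and re.match(r"250[- ]", text):
            if state == "caps":
                caps["clear" if marker == "<-" else "tls"].append(text[4:].strip())
            elif state == "greeting":       # first 250 line is the greeting
                state = "caps"
    return caps

def auth_report(transcript):
    """Summarise where AUTH is offered relative to STARTTLS."""
    caps = ehlo_capabilities(transcript)
    def mechs(keywords):                    # also accepts legacy "AUTH=LOGIN"
        return {m for k in keywords if k.upper().startswith("AUTH")
                for m in k.upper().replace("=", " ").split()[1:]}
    clear, tls = mechs(caps["clear"]), mechs(caps["tls"])
    return {"starttls_offered": "STARTTLS" in caps["clear"],
            "auth_clear": sorted(clear), "auth_tls": sorted(tls),
            "auth_only_after_tls": bool(tls) and not clear,
            "plaintext_without_tls": sorted(clear & PLAINTEXT_MECHS)}
```

Calling `auth_report(SAMPLE)` on the constructed session reports AUTH only after TLS; a transcript that lists `AUTH PLAIN LOGIN` in the cleartext EHLO shows up under `plaintext_without_tls`.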
On 2/19/2014 8:50 PM, Paul O'Rorke wrote:
Hi again guys,
thanks for the help thus far. I have managed to get cyrus talking
with exim to deliver mail (the -a inside the quotes did this) and I
have the cyrus_sasl driver authenticating using DIGEST-MD5:
digest_md5_sasl_server:
  driver = cyrus_sasl
  public_name = DIGEST-MD5
  server_realm = chemainus.mjbrownloos.com
  server_set_id = $auth1
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif
I can receive mail OK, exim passes it to cyrus and I can work with
mailboxes in Thunderbird however I don't seem to be able to
authenticate to the SMTP server when sending. Do I need to specify a
separate auth for sending through SMTP?
If I turn on *AUTH_SERVER_ALLOW_NOTLS_PASSWORDS = yes* I can send if I
enable *login_sasl_server* but I'm sending plaintext passwords. :-(
If I turn off *AUTH_SERVER_ALLOW_NOTLS_PASSWORDS = yes* then I cannot
send using *login_sasl_server* because it obviously needs an encrypted
password but I keep getting the message relay not permitted.
If I disable login_sasl_server leaving only the
*digest_md5_sasl_server* I still get relay not permitted so it seems
it's not authenticating on send.
If it can authenticate for IMAP using *digest_md5_sasl_server* why
would it fail when sending?
regards
*Paul O'Rorke*
Tracker Software Products p...@tracker-software.com
<mailto:paul.oro...@tracker-software.com>
On 2/17/2014 12:42 AM, Vladislav Kurz wrote:
On Saturday 15 of February 2014 00:05:59 Paul O'Rorke wrote:
> If I don't use any encrypted passwords I can log in, work with
> mailboxes, receive mail but not send (relay not permitted which I
> suspect is so as to not be an open relay..?)
You can always set relay_nets (using "dpkg-reconfigure exim4-config")
to your local subnet.
> What do I need to do to authenticate with the cyrus_sasl db? Why would
> the authenticator driver "cyrus_sasl" not be available? Do I need to
> enable that somewhere?
I'm not sure but check if you have installed these packages:
sasl2-bin, libsasl2-modules and exim4-daemon-heavy (instead of -light).
> I've read so many conflicting pages I've completely confused myself.
> Maybe I should be looking at TLS/SSL now...
If you are on a secure net, try setting
AUTH_SERVER_ALLOW_NOTLS_PASSWORDS = yes (in conf.d/main/00_whatever),
to allow plaintext auth.
--
Regards
Vladislav Kurz
=== WebStep, s.r.o. (Ltd.) ========= a step to the Web ===
address: Mezirka 1, 602 00 Brno, CZ, tel: +420 548 214 711
=== www.webstep.net ======= vladislav.k...@webstep.net ===
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus