SLES 10 sp2, Cyrus IMAP and '@' in usernames

27 posts / 0 new
Last post
#1 Thu, 03/12/2009 - 15:09
mnt_schred

SLES 10 sp2, Cyrus IMAP and '@' in usernames

According to http://www.virtualmin.com/component/option,com_openwiki/Itemid,48/id,fre... it's a bad idea to use '@'s in usernames, but my client really wants it.

I've configured postfix and cyrus nicely and can login with webmin and usermin on IMAP. However, if I try to connect with a mailclient I get a login error:

saslauthd[23135]: do_auth : auth failure: [user=testuser] [service=imap] [realm=boor.ebrius.nl] [mech=pam] [reason=PAM auth error]

I've tried the suggestion in the above mentioned article and this is my /etc/sysconfig/saslauthd:

File Edit Options Buffers Tools Help

Path: System/Security/SASL

Type: list(getpwent,kerberos5,pam,rimap,shadow,ldap)

Default: pam

ServiceRestart: saslauthd

#

Authentication mechanism to use by saslauthd. See man 8 saslauthd for available mechanisms.

# SASLAUTHD_AUTHMECH=pam PARAMS=-r FLAGS=-r

(I don't know which option applies for my OS, so I've tried all permutations).

So, I'm kind of stuck and hope to hear from someone how to continue.

Thu, 03/12/2009 - 18:19
andreychek

Yeah, using an '@' in the username should work.

What does this show:

ps auxw | grep saslauth

Also, what's the full username that you're attempting to use in the example above?
-Eric

Fri, 03/13/2009 - 02:31
mnt_schred

Boor:/home/ths # ps auxw | grep saslauth
root 23134 0.0 0.0 22504 1024 ? Ss 00:59 0:00 /usr/sbin/saslauthd -a pam
root 23135 0.0 0.0 26872 1644 ? S 00:59 0:00 /usr/sbin/saslauthd -a pam
root 23136 0.0 0.0 22504 660 ? S 00:59 0:00 /usr/sbin/saslauthd -a pam
root 23137 0.0 0.0 22504 592 ? S 00:59 0:00 /usr/sbin/saslauthd -a pam
root 23138 0.0 0.0 22504 592 ? S 00:59 0:00 /usr/sbin/saslauthd -a pam
root 30074 0.0 0.0 3928 792 pts/0 S+ 12:30 0:00 grep saslauth
Boor:/home/ths #

full username: thijs@boor.ebrius.nl (maybe because it's a subdomain it doesn't work?)

Fri, 03/13/2009 - 02:35
mnt_schred

nope, on a testdomain without subdomain logging in also fails.

Fri, 03/13/2009 - 05:10 (Reply to #4)
andreychek

Okay, first, I'm not seeing the "-r" option being passed into saslauthd above.

When you say a "test domain without a subdomain fails", are you saying a user without an "@" in it's name can't log in either?

Are you seeing any other errors in the mail log? Or just the one you showed in your first post with the "PAM auth error"?
-Eric

Fri, 03/13/2009 - 05:39
mnt_schred

That's strange, because I've specified it in /etc/sysconfig/saslauthd with the FLAGS and the PARAMS option.

With the testdomain I've used a username@sub.domain.tld instead of username@domain.tld, but I don't think it makes a difference.

Fri, 03/13/2009 - 05:53
mnt_schred

And the error is still the same. It looks like you're right and the -r option is ignored.

btw, I tried to edit, but the forum claimed it had a bug...

Fri, 03/13/2009 - 06:00 (Reply to #7)
andreychek

Sweet, Joe said I get a nickel for every forum bug run into -- and I've been pretty financially sound ever since :-)

Just to be sure -- did you restart saslauthd after adding in the -r param?
-Eric

Fri, 03/13/2009 - 06:29
mnt_schred

off course :D

Fri, 03/13/2009 - 19:51 (Reply to #9)
andreychek

Yeah, I'm not sure why that's not taking then :-)

Perhaps just to get things started, you might consider adding the "-r" param directly to the init script in /etc/init.d?

That's certainly not desirable for the long term, but might at least help you get that up and running :-)
-Eric

Sat, 03/14/2009 - 02:17
mnt_schred

Okay, I've changed the line (in )

[code:1]
/sbin/startproc $AUTHD_BIN -a $SASLAUTHD_AUTHMECH > /dev/null 2>&1
[/code:1]

into

[code:1]
/sbin/startproc $AUTHD_BIN -a $SASLAUTHD_AUTHMECH $FLAGS > /dev/null 2>&1
[/code:1]

and now the -r flag is accepted:

Starting service saslauthd done
Boor:/home/ths # ps auxw | grep saslauth
root 14905 0.0 0.0 22500 1024 ? Ss 11:43 0:00 /usr/sbin/saslauthd -a pam -r
root 14906 0.0 0.0 22500 660 ? S 11:43 0:00 /usr/sbin/saslauthd -a pam -r
root 14907 0.0 0.0 22500 592 ? S 11:43 0:00 /usr/sbin/saslauthd -a pam -r
root 14908 0.0 0.0 22500 592 ? S 11:43 0:00 /usr/sbin/saslauthd -a pam -r
root 14909 0.0 0.0 22500 592 ? S 11:43 0:00 /usr/sbin/saslauthd -a pam -r
root 14911 0.0 0.0 3928 780 pts/0 S+ 11:43 0:00 grep saslauth

However, when I try to login I recieve another error:

Mar 14 11:41:02 Boor imap[14849]: cross-realm login test@testdomein.nl denied
Mar 14 11:41:02 Boor imap[14849]: badlogin: s559081f3.adsl.wanadoo.nl [85.144.129.243] plaintext test@testdomein.nl SASL(-13): authentication failure: cross-realm login test@testdomein.nl denied

So a whole new error...

I've also tried enabling imaps in /etc/cyrus.conf and login with that, but I first have to arange certs etc.

Sat, 03/14/2009 - 02:23
mnt_schred

Aaaaaaand.... I've fixed it!

Just add virtdomains: on
in the /etc/imapd.conf file and restart cyrus :D

Sat, 03/14/2009 - 04:27
mnt_schred

Only problem now is that my Mail client (Thunderbird) doesn't show the mails correctly..

Sat, 03/14/2009 - 04:52 (Reply to #13)
andreychek

I'm glad you got sending email going.

What do you mean by it doesn't show them correctly?
-Eric

Sat, 03/14/2009 - 04:55
mnt_schred

Well, mail is generated when I send it through webmin, in maildir format. However, Thunderbird seems to save the mail in another format, because I can't see maildir mails in thunderbird and when I save a draft for example, they don't show up in the maildir.

So it looks like Cyrus doesn't use the same mailfolders?

Sat, 03/14/2009 - 08:25 (Reply to #15)
Joe
Joe's picture

<div class='quote'>thunderbird and when I save a draft for example, they don't show up in the maildir.</div>

Thunderbird can be configured to use local storage for folders...e.g. on the client machine. This might also explain the behavior you're seeing.

--

Check out the forum guidelines!

Sat, 03/14/2009 - 08:27
mnt_schred

No, because IonCube (an webmail client) also shows this behaviour. I think Cyrus uses different folders then webmin.

Sat, 03/14/2009 - 08:31
mnt_schred

Should I use dovecot or courier instead?

Sat, 03/14/2009 - 08:48 (Reply to #18)
andreychek

Well, Dovecot is part of the standard Virtualmin stack, it's known to work pretty well in conjunction with Virtualmin.

That said, I imagine any IMAP server should work fine. You just need to make sure that Postfix, Usermin, and Cyrus all agree on where emails should be stored.
-Eric

Sat, 03/14/2009 - 08:58
mnt_schred

Yeah.. I'm kind of doubtfull- should I either:

-Try to install Dovecot although it isn't supported by SLES or
-Use Cyrus which is supplied by SLES but isn't supported by virtualmin.

Sat, 03/14/2009 - 09:03 (Reply to #20)
andreychek

Virtualmin doesn't need to know much about the IMAP server running on your machine -- I wouldn't be too worried about that aspect.

What I would do is:

1. Figure out where on the filesystem Postfix/procmail are delivering emails.

2. Setup Cyrus to store/retrieve emails at that same location.

3. Verify that Usermin is either reading the emails from the correct location on disk, or maybe even set it up to grab emails via the IMAP server rather than looking at the disk directly.

Sat, 03/14/2009 - 09:07
mnt_schred

Okay, I'll digg into Cyrus first- maybe it's just an configuration option somewhere.

Sat, 03/14/2009 - 09:11
mnt_schred

Yeah, Cyrus does store mail elsewhere: /var/spool/imap/domain contains my domains. And it doesn't seem to use maildir either- it makes folders with thingy.cyrus in it. So reconfiguring Cyrus is essential.

Sat, 03/14/2009 - 11:15
mnt_schred

All right, I've solved it by using Dovecot and waved bye-bye to Cyrus. Now everything works.

Sat, 03/14/2009 - 11:27 (Reply to #24)
Joe
Joe's picture

<div class='quote'>All right, I've solved it by using Dovecot and waved bye-bye to Cyrus. Now everything works.</div>

Hehehe...Funny how that works. Probably wise. ;-)

Dovecot, in my experience, is dramatically easier to use than any other POP/IMAP servers I've met.

--

Check out the forum guidelines!

Sat, 03/14/2009 - 11:30
mnt_schred

Well, it looks nice all right. Can you modify my first post and add 'solved' in the header?

Sat, 03/14/2009 - 13:31 (Reply to #26)
Joe
Joe's picture

No need to clutter up the title. Things cycle pretty quickly on the forums, so it'll be completely forgotten in a week. ;-)

--

Check out the forum guidelines!

Topic locked