SLES 10 sp2, Cyrus IMAP and '@' in usernames

#1 Thu, 03/12/2009 - 15:09

According to,com_openwiki/Itemid,48/id,fre... it's a bad idea to use '@'s in usernames, but my client really wants it.

I've configured postfix and cyrus nicely and can log in with webmin and usermin on IMAP. However, if I try to connect with a mail client I get a login error:

saslauthd[23135]: do_auth : auth failure: [user=testuser] [service=imap] [] [mech=pam] [reason=PAM auth error]

I've tried the suggestion in the above mentioned article and this is my /etc/sysconfig/saslauthd:

Path: System/Security/SASL

Type: list(getpwent,kerberos5,pam,rimap,shadow,ldap)

Default: pam

ServiceRestart: saslauthd


Authentication mechanism to use by saslauthd. See man 8 saslauthd for available mechanisms.


(I don't know which option applies for my OS, so I've tried all permutations).

So, I'm kind of stuck and hope to hear from someone how to continue.

Thu, 03/12/2009 - 18:19

Yeah, using an '@' in the username should work.

What does this show:

ps auxw | grep saslauth

Also, what's the full username that you're attempting to use in the example above?

Fri, 03/13/2009 - 02:31

Boor:/home/ths # ps auxw | grep saslauth
root 23134 0.0 0.0 22504 1024 ? Ss 00:59 0:00 /usr/sbin/saslauthd -a pam
root 23135 0.0 0.0 26872 1644 ? S 00:59 0:00 /usr/sbin/saslauthd -a pam
root 23136 0.0 0.0 22504 660 ? S 00:59 0:00 /usr/sbin/saslauthd -a pam
root 23137 0.0 0.0 22504 592 ? S 00:59 0:00 /usr/sbin/saslauthd -a pam
root 23138 0.0 0.0 22504 592 ? S 00:59 0:00 /usr/sbin/saslauthd -a pam
root 30074 0.0 0.0 3928 792 pts/0 S+ 12:30 0:00 grep saslauth
Boor:/home/ths #

full username: (maybe because it's a subdomain it doesn't work?)

Fri, 03/13/2009 - 02:35

nope, on a testdomain without subdomain logging in also fails.

Fri, 03/13/2009 - 05:10 (Reply to #4)

Okay, first, I'm not seeing the "-r" option being passed into saslauthd above.

When you say a "test domain without a subdomain fails", are you saying a user without an "@" in its name can't log in either?

Are you seeing any other errors in the mail log? Or just the one you showed in your first post with the "PAM auth error"?

Fri, 03/13/2009 - 05:39

That's strange, because I've specified it in /etc/sysconfig/saslauthd with the FLAGS and the PARAMS option.

With the testdomain I've used a username@sub.domain.tld instead of username@domain.tld, but I don't think it makes a difference.

Fri, 03/13/2009 - 05:53

And the error is still the same. It looks like you're right and the -r option is ignored.

btw, I tried to edit, but the forum claimed it had a bug...

Fri, 03/13/2009 - 06:00 (Reply to #7)

Sweet, Joe said I get a nickel for every forum bug run into -- and I've been pretty financially sound ever since :-)

Just to be sure -- did you restart saslauthd after adding in the -r param?

Fri, 03/13/2009 - 06:29

of course :D

Fri, 03/13/2009 - 19:51 (Reply to #9)

Yeah, I'm not sure why that's not taking then :-)

Perhaps just to get things started, you might consider adding the "-r" param directly to the init script in /etc/init.d?

That's certainly not desirable for the long term, but might at least help you get that up and running :-)

Sat, 03/14/2009 - 02:17

Okay, I've changed the line (in )

/sbin/startproc $AUTHD_BIN -a $SASLAUTHD_AUTHMECH > /dev/null 2>&1

to

/sbin/startproc $AUTHD_BIN -a $SASLAUTHD_AUTHMECH $FLAGS > /dev/null 2>&1

and now the -r flag is accepted:

Starting service saslauthd done
Boor:/home/ths # ps auxw | grep saslauth
root 14905 0.0 0.0 22500 1024 ? Ss 11:43 0:00 /usr/sbin/saslauthd -a pam -r
root 14906 0.0 0.0 22500 660 ? S 11:43 0:00 /usr/sbin/saslauthd -a pam -r
root 14907 0.0 0.0 22500 592 ? S 11:43 0:00 /usr/sbin/saslauthd -a pam -r
root 14908 0.0 0.0 22500 592 ? S 11:43 0:00 /usr/sbin/saslauthd -a pam -r
root 14909 0.0 0.0 22500 592 ? S 11:43 0:00 /usr/sbin/saslauthd -a pam -r
root 14911 0.0 0.0 3928 780 pts/0 S+ 11:43 0:00 grep saslauth

However, when I try to log in I receive another error:

Mar 14 11:41:02 Boor imap[14849]: cross-realm login denied
Mar 14 11:41:02 Boor imap[14849]: badlogin: [] plaintext SASL(-13): authentication failure: cross-realm login denied

So a whole new error...

I've also tried enabling imaps in /etc/cyrus.conf and logging in with that, but I first have to arrange certs etc.

Sat, 03/14/2009 - 02:23

Aaaaaaand.... I've fixed it!

Just add virtdomains: on
in the /etc/imapd.conf file and restart cyrus :D
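
An added example, not part of the original thread: a shell audit of the three places the posts above ended up touching (FLAGS in /etc/sysconfig/saslauthd, the startproc line in the init script, and virtdomains in /etc/imapd.conf). The function names and the sample file contents are constructed for illustration; the two startproc lines are the ones quoted above.

```shell
#!/bin/sh
# Added example: checks the three settings changed in this thread.
# All file contents below are constructed samples, not copied from a SLES host.

# FLAGS in the sysconfig file contains -r (last assignment wins).
sysconfig_has_r() {
    val=$(sed -n 's/^[[:space:]]*FLAGS=//p' "$1" | tail -n 1 | tr -d "\"'")
    case " $val " in *" -r "*) return 0 ;; esac
    return 1
}

# A non-comment startproc line in the init script actually expands $FLAGS.
init_passes_flags() {
    grep -v '^[[:space:]]*#' "$1" | grep 'startproc' | grep -Eq '\$\{?FLAGS\}?'
}

# imapd.conf enables virtual domains (on or userid).
virtdomains_enabled() {
    val=$(sed -n 's/^[[:space:]]*virtdomains:[[:space:]]*//p' "$1" | tail -n 1 | tr -d '[:space:]')
    case "$val" in on|userid) return 0 ;; esac
    return 1
}

# audit SYSCONFIG INITSCRIPT IMAPDCONF: prints findings, returns their count.
audit() {
    n=0
    sysconfig_has_r "$1"     || { echo "FLAGS lacks -r: $1"; n=$((n + 1)); }
    init_passes_flags "$2"   || { echo "startproc never passes \$FLAGS: $2"; n=$((n + 1)); }
    virtdomains_enabled "$3" || { echo "virtdomains not enabled: $3"; n=$((n + 1)); }
    return "$n"
}

# Constructed sample files: the state before and after the fixes in the thread.
d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT
printf 'SASLAUTHD_AUTHMECH=pam\nFLAGS="-r"\n' > "$d/sysconfig"
cat > "$d/init.before" <<'EOF'
/sbin/startproc $AUTHD_BIN -a $SASLAUTHD_AUTHMECH > /dev/null 2>&1
EOF
cat > "$d/init.after" <<'EOF'
/sbin/startproc $AUTHD_BIN -a $SASLAUTHD_AUTHMECH $FLAGS > /dev/null 2>&1
EOF
printf 'configdirectory: /var/lib/imap\n' > "$d/imapd.before"
printf 'configdirectory: /var/lib/imap\nvirtdomains: on\n' > "$d/imapd.after"

audit "$d/sysconfig" "$d/init.before" "$d/imapd.before"; echo "before: $? finding(s)"
audit "$d/sysconfig" "$d/init.after"  "$d/imapd.after";  echo "after: $? finding(s)"
```

The "before" case reports two findings even though FLAGS is set correctly, which is the situation in the thread: the setting was in the file but the init script never passed it to saslauthd.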

Sat, 03/14/2009 - 04:27

Only problem now is that my Mail client (Thunderbird) doesn't show the mails correctly..

Sat, 03/14/2009 - 04:52 (Reply to #13)

I'm glad you got sending email going.

What do you mean by it doesn't show them correctly?

Sat, 03/14/2009 - 04:55

Well, mail is generated when I send it through webmin, in maildir format. However, Thunderbird seems to save the mail in another format, because I can't see maildir mails in thunderbird and when I save a draft for example, they don't show up in the maildir.

So it looks like Cyrus doesn't use the same mailfolders?

Sat, 03/14/2009 - 08:25 (Reply to #15)

<div class='quote'>thunderbird and when I save a draft for example, they don't show up in the maildir.</div>

Thunderbird can be configured to use local storage for folders...e.g. on the client machine. This might also explain the behavior you're seeing.


Sat, 03/14/2009 - 08:27

No, because IonCube (a webmail client) also shows this behaviour. I think Cyrus uses different folders than webmin.

Sat, 03/14/2009 - 08:31

Should I use dovecot or courier instead?

Sat, 03/14/2009 - 08:48 (Reply to #18)

Well, Dovecot is part of the standard Virtualmin stack, it's known to work pretty well in conjunction with Virtualmin.

That said, I imagine any IMAP server should work fine. You just need to make sure that Postfix, Usermin, and Cyrus all agree on where emails should be stored.

Sat, 03/14/2009 - 08:58

Yeah.. I'm kind of doubtful - should I either:

-Try to install Dovecot although it isn't supported by SLES or
-Use Cyrus which is supplied by SLES but isn't supported by virtualmin.

Sat, 03/14/2009 - 09:03 (Reply to #20)

Virtualmin doesn't need to know much about the IMAP server running on your machine -- I wouldn't be too worried about that aspect.

What I would do is:

1. Figure out where on the filesystem Postfix/procmail are delivering emails.

2. Setup Cyrus to store/retrieve emails at that same location.

3. Verify that Usermin is either reading the emails from the correct location on disk, or maybe even set it up to grab emails via the IMAP server rather than looking at the disk directly.

Sat, 03/14/2009 - 09:07

Okay, I'll dig into Cyrus first - maybe it's just a configuration option somewhere.

Sat, 03/14/2009 - 09:11

Yeah, Cyrus does store mail elsewhere: /var/spool/imap/domain contains my domains. And it doesn't seem to use maildir either- it makes folders with thingy.cyrus in it. So reconfiguring Cyrus is essential.

Sat, 03/14/2009 - 11:15

All right, I've solved it by using Dovecot and waved bye-bye to Cyrus. Now everything works.

Sat, 03/14/2009 - 11:27 (Reply to #24)

<div class='quote'>All right, I've solved it by using Dovecot and waved bye-bye to Cyrus. Now everything works.</div>

Hehehe...Funny how that works. Probably wise. ;-)

Dovecot, in my experience, is dramatically easier to use than any other POP/IMAP servers I've met.


Sat, 03/14/2009 - 11:30

Well, it looks nice all right. Can you modify my first post and add 'solved' in the header?

Sat, 03/14/2009 - 13:31 (Reply to #26)

No need to clutter up the title. Things cycle pretty quickly on the forums, so it'll be completely forgotten in a week. ;-)
