# Cyrus-IMAP, SASL login problem

## Ullrich

Hi all together,

I tried to set up a mail server.

I mainly followed the HOWTO from http://www.delouw.ch/linux/Postfix-Cyrus-Web-cyradm-HOWTO/html/t1.html - but I don't need mysql support, so I would like to get it working only with sasl password check for both:

 - postfix (smtp-auth against sasl with tls)

 - cyrus-imap (sasl password check) split like the HOWTO said in localhost and external network

The problem is that cyradm doesn't let me in =) ... I mean I'm able to send mail (wahey), encrypted and password check against sasl is fine.

But I'm not able to log in on the console to cyradm and to create any mailbox. If doing so I get this:

```
hermes etc # cyradm --user cyrus --server localhost --auth plain
Password:
IMAP Password:
              Login only available under a layer at /usr/lib/perl5/site_perl/5.8.6/i686-linux/Cyrus/IMAP/Admin.pm line 118
cyradm: cannot authenticate to server with plain as cyrus
hermes etc #
```

The log says:

```
Oct 29 14:04:52 hermes imaplocal[5586]: executed
Oct 29 14:04:52 hermes imaplocal[5586]: accepted connection
Oct 29 14:04:53 hermes imaplocal[5586]: badlogin: localhost [127.0.0.1] PLAIN [SASL(-16): encryption needed to use mechanism: security flags do not match required]
Oct 29 14:04:56 hermes perl: No worthy mechs found
Oct 29 14:04:58 hermes imap(pam_unix)[5033]: check pass; user unknown
Oct 29 14:04:58 hermes imap(pam_unix)[5033]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Oct 29 14:05:00 hermes saslauthd[5033]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Oct 29 14:05:00 hermes saslauthd[5033]: do_auth         : auth failure: [user=cyrus] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
Oct 29 14:05:00 hermes imaplocal[5586]: badlogin: localhost [127.0.0.1] plaintext cyrus SASL(-13): authentication failure: checkpass failed
```

I don't know why it asks me twice for a password - ok, the HOWTO said the first is from sasl and the second from mysql, but I don't set up the mysql authentication (I guess). Another point is that I don't like to create unix users for each email account ... maybe that's why pam_unix can't find the user?

Here is my configuration:

I'm running a gentoo box (Linux hermes 2.6.12-gentoo-r10 #1 SMP Fri Sep 16 18:53:56 CEST 2005 i686 Intel(R) Pentium(R) 4 CPU 2.80GHz GenuineIntel GNU/Linux) with:

cyrus.conf

```
hermes etc # cat cyrus.conf
# $Header: /var/cvsroot/gentoo-x86/net-mail/cyrus-imapd/files/cyrus.conf,v 1.4 2004/07/18 04:02:23 dragonheart Exp $
# Standard standalone server configuration.
START {
  # Do not delete this entry!
  recover       cmd="ctl_cyrusdb -r"
  # This is only necessary if using idled for IMAP IDLE.
  #idled                cmd="idled"
}
# UNIX sockets start with a slash and are put into /var/imap/socket.
SERVICES {
  # Add or remove based on preferences.
  #imap         cmd="imapd" listen="imap" prefork=0
  imap          cmd="imapd" listen="192.168.10.133:imap" prefork=0
  imaplocal     cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:imap" prefork=0
  pop3          cmd="pop3d" listen="pop-3" prefork=0
  # Don't forget to generate the needed keys for SSL or TLS
  # (see doc/html/install-configure.html).
  #imaps                cmd="imapd -s" listen="imaps" prefork=0
  imaps         cmd="imapd -s" listen="192.168.10.133:imaps" prefork=0
  imapslocal    cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:imaps" prefork=0
  pop3s         cmd="pop3d -s" listen="192.168.10.133:pop3s" prefork=0
  #sieve                cmd="timsieved" listen="sieve" prefork=0
  sieve         cmd="timsieved" listen="192.168.10.133:sieve" prefork=0
  sievelocal    cmd="timsieved -C /etc/imapd-local.conf" listen="127.0.0.1:sieve" prefork=0
  # at least one LMTP is required for delivery
  #lmtp         cmd="lmtpd" listen="localhost:lmtp" prefork=0
  lmtpunix      cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
  # this is only necessary if using notifications
  #notify       cmd="notifyd" listen="/var/imap/socket/notify" proto="udp" prefork=1
}
EVENTS {
  # This is required.
  checkpoint    cmd="ctl_cyrusdb -c" period=30
  # This is only necessary if using duplicate delivery suppression.
  delprune      cmd="ctl_deliver -E 3" period=1440
  # This is only necessary if caching TLS sessions.
  tlsprune      cmd="tls_prune" period=1440
}
```

```
hermes etc # cat imapd.conf
# $Header: /var/cvsroot/gentoo-x86/net-mail/cyrus-imapd/files/imapd.conf,v 1.5 2004/08/27 06:02:45 langthang Exp $
postmaster: postmaster
servername: imap.intranet
loginrealms: suntrips.de
configdirectory:        /var/imap
partition-default:      /var/spool/imap
sievedir:               /var/imap/sieve
sendmail:               /usr/sbin/sendmail
lmtpsocket:             /var/imap/socket/lmtp
srvtab:                 /var/lib/imap/srvtab
admins:                 cyrus
#tls_ca_path:           /etc/ssl/certs
tls_ca_file:            /etc/ssl/cyrus/cacert.pem
tls_cert_file:          /etc/ssl/cyrus/cert.pem
tls_key_file:           /etc/ssl/cyrus/key.pem
hashimapspool:          yes
allowanonymouslogin:    no
allowplaintext:         no
sasl_pwcheck_method: saslauthd
sasl_mech_list: LOGIN PLAIN CRAM-MD5 DIGEST-MD5
autocreatequota: 512000
quotawarn:      90
timeout: 30
poptimeout: 10
```

```
hermes etc # cat imapd-local.conf
# $Header: /var/cvsroot/gentoo-x86/net-mail/cyrus-imapd/files/imapd.conf,v 1.5 2004/08/27 06:02:45 langthang Exp $
postmaster: postmaster
servername: imap.intranet
loginrealms: suntrips.de
configdirectory:        /var/imap
partition-default:      /var/spool/imap
sievedir:               /var/imap/sieve
sendmail:               /usr/sbin/sendmail
admins:                 cyrus
hashimapspool:          yes
allowanonymouslogin:    no
allowplaintext:         yes
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
autocreatequota: 512000
quotawarn:      90
timeout: 30
poptimeout: 10
```

```
hermes sasl2 # ls -lisah
total 55K
279228    0 drwxr-xr-x   2 root  root  128 Oct  6 15:02 .
  5268 3.0K drwxr-xr-x  36 root  root 3.2K Oct 29 13:49 ..
279112    0 -rw-r--r--   1 root  root    0 Sep 15 09:48 .keep
167254  48K -rw-rw-r--   1 cyrus mail  48K Oct 29 13:20 sasldb2
380687 4.0K -rw-r--r--   1 root  root  206 Sep 22 14:05 smtpd.conf
```

So I hope you understand my problem.

If you need more information, please ask =)

Grüße, Ullrich

----------

## Ullrich

Good morning all together ... I don't know if it's liked here to answer one's own post to get it back on top, but I'm very serious about this problem - maybe someone finds some time to look at it again ;)

rgds, Ullrich

----------

## langthang

 *Ullrich wrote:*   

> The log says:
> 
> ```
> Oct 29 14:04:53 hermes imaplocal[5586]: badlogin: localhost [127.0.0.1] PLAIN [SASL(-16): encryption needed to use mechanism: security flags do not match required]
> ```
> ...

 

try with "allowplaintext: yes", see if it works?

----------

## Ullrich

Hi,

Don't know if it does (I will try it), but after some time I tried to give a unix password to cyrus - and see: it works if I entered the unix password as first and the sasl secret as second one when cyradm asks me. =)

It's kind of strange to me because now I was able to set up my mailboxes in the "user/user@domain.tld" format (had to change the separator too in imapd-local.conf - anyway) without creating a unix user for that ... but maybe cyradm only works with "real" accounts ...

BTW - how do I change the topic to [SOLVED]?

Grüße, Ullrich

----------
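An added example, not part of any post in this thread: a short Python triage of the two `badlogin` lines from the log in the first post, linking the `checkpass failed` entry to the backend that saslauthd reported. The regular expressions and the `triage` function are hypothetical helpers written for this illustration; the meanings given for -16 and -13 are libsasl2's `SASL_ENCRYPT` and `SASL_BADAUTH` result codes.

```python
import re

# libsasl2 result codes seen in the thread's log.
SASL_CODES = {
    -16: "SASL_ENCRYPT: mechanism needs an encryption layer (e.g. TLS)",
    -13: "SASL_BADAUTH: the password verifier rejected the credentials",
}
# Hypothetical patterns, written for the two line shapes shown in the thread.
BADLOGIN = re.compile(
    r"(?P<svc>\w+)\[\d+\]: badlogin: \S+ \[[^\]]+\] "
    r"(?P<mech>\S+)(?: (?P<user>\S+))? \[?SASL\((?P<code>-\d+)\)"
)
SASLAUTHD = re.compile(
    r"saslauthd\[\d+\]: do_auth\s*: auth failure: "
    r"\[user=(?P<user>[^\]]*)\] \[service=[^\]]*\] \[realm=[^\]]*\] "
    r"\[mech=(?P<backend>[^\]]*)\]"
)

# Three lines copied from the log in the first post.
SAMPLE_LOG = [
    "Oct 29 14:04:53 hermes imaplocal[5586]: badlogin: localhost [127.0.0.1] PLAIN [SASL(-16): encryption needed to use mechanism: security flags do not match required]",
    "Oct 29 14:05:00 hermes saslauthd[5033]: do_auth         : auth failure: [user=cyrus] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]",
    "Oct 29 14:05:00 hermes imaplocal[5586]: badlogin: localhost [127.0.0.1] plaintext cyrus SASL(-13): authentication failure: checkpass failed",
]

def triage(lines):
    """Return one finding per badlogin line, in log order."""
    findings, backend_for = [], {}
    for line in lines:
        m = SASLAUTHD.search(line)
        if m:
            backend_for[m["user"]] = m["backend"]  # e.g. cyrus -> pam
            continue
        m = BADLOGIN.search(line)
        if m:
            code = int(m["code"])
            findings.append({
                "service": m["svc"], "mech": m["mech"], "user": m["user"],
                "code": code,
                "meaning": SASL_CODES.get(code, "code not listed here"),
                # Link a rejected password (-13) to the backend saslauthd
                # reported for that user earlier in the log.
                "backend": backend_for.get(m["user"]) if code == -13 else None,
            })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

For the -13 entry the reported backend is `pam`, so saslauthd checked the `cyrus` password against PAM rather than the `sasldb2` file listed in the first post.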

