Re: [exim] cyrus sasl authentication problems

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Phil Pennock
Dátum:  
Címzett: Ross Boylan
CC: exim-users
Tárgy: Re: [exim] cyrus sasl authentication problems
On 2008-01-10 at 18:07 -0500, Ross Boylan wrote:
> I have been trying to authenticate using the same account database as my
> Cyrus imap server. I can't even seem to get very useful debugging
> output. I would appreciate any help.
>
> Following suggestions earlier on this list, I run (as root)
> exim -d -oX 198.144.201.14.27 -bd 2>&1
> and ran swaks on the client.


Try -d+auth to turn on more authentication debugging.

Since you saw nothing thereafter, not even a connection from the client,
are you sure that you told the client to connect to port 27 instead of
the default port?

> -------------- exim config -------------------------
>
> cram_md5_sasl_server:
> driver = cyrus_sasl
> public_name = CRAM-MD5
> server_realm = betterworld.us
> server_set_id = $auth1


Since you're setting server_realm, are you sure that the user
identifiers in the DB are all realm-qualified?

I can't directly help; I vaguely remember all sorts of "interesting"
debugging issues using sasldb back when I did that; these days, I use
cyrus_sasl for GSSAPI and use an Exim-specific password file for
password-based mail-sending.

As an side: at $previous_employer, I set the policy that as an exception
to the normal rule, email-sending passwords could be written down
because they were generated for the user as pure randomness to protect
against spammers using dictionary attacks; compromise of this
mail-sending-only password would not give the ability to read any email,
"only" send new email as that user. Since people configured their
password in, eg, whatever MTA they used at home, this password
separation policy seemed to work well.

> Cyrus SASL knows about: CRAM-MD5
> Cyrus SASL driver cram_md5_sasl_server: CRAM-MD5 initialised


That looks good.

> 4186 local_interfaces overridden by -oX:
> 4186 <: 198.144.201.14.27
> 4186 listening on 198.144.201.14 port 27
> 4186 changed uid/gid: running as a daemon
> 4186 uid=103 gid=103 pid=4186
> 4186 auxiliary group list: 45 103
> 4186 LOG: MAIN
> 4186 exim 4.68 daemon started: pid=4186, no queue runs, listening for
> SMTP on [198.144.201.14]:27
> 4186 set_process_info: 4186 daemon: no queue runs, listening for SMTP
> on [198.144.201.14]:27
> 4186 daemon running with uid=103 gid=103 euid=103 egid=103
> 4186 Listening...
> # everything above here preceded client connection
> # and nothing more appears after that.


There should be something showing when someone connects. Since it made
it into other logs, I strongly suspect that the client software wasn't
using port 27.

To confirm this, it's useful to have the pid in the log lines; it's not
by default, but you can turn that on with log_selector in the main
config section:
log_selector = +pid

If you want to test manually, I'mm attaching a short program to let you
cut&paste challenge responses. You could then telnet and run this in a
separate window.

-Phil
#!/usr/bin/perl
#
# $HeadURL: https://svn.spodhuis.org/ksvn/pdp-bincommon/cram_auth_calc $
# $Id: cram_auth_calc 12 2005-06-16 01:23:17Z pdp $
#
# CRAM-<HMAC-HASH> calculator for interactive logins.
# Assumes base64.
#
use strict;
use warnings;
use vars qw/ $progname $algorithm $algorithm_uc $hmac_func $do_hmac /;

BEGIN {
    my %hmacs = ( # keys lower-case
        md5    => [ 'Digest::HMAC_MD5', 'hmac_md5_hex' ],
        sha1    => [ 'Digest::HMAC_SHA1', 'hmac_sha1_hex' ],
    );
    my $hmac_re = join('|', keys %hmacs);
    ($progname = $0) =~ s!^.*/!!;


    if ($progname =~ /^(?:.*?[_.-])? ($hmac_re) (?:[_.-].*)?$/ix) {
        $algorithm = lc $1;
    } else {
        $algorithm = undef;
    }


    unless (defined $algorithm) {
        if (defined $ARGV[0] and exists $hmacs{lc $ARGV[0]}) {
            $algorithm = lc $ARGV[0];
            shift @ARGV;
        }
    }
    unless (defined $algorithm) {
        warn "No HMAC algorithm determined.  Please supply one of:\n";
        warn "\t" . join(' ', map {uc $_} sort keys %hmacs) . "\n";
        exit 1;
    }


    $algorithm_uc = uc $algorithm;
    $hmac_func = $hmacs{$algorithm};
    my $hmac_module = $hmac_func->[0];
    $hmac_module =~ s!::!/!g; $hmac_module .= '.pm';
    require $hmac_module;
    $do_hmac = \&{$hmac_func->[0] . '::' . $hmac_func->[1]};
}


use MIME::Base64;
use Term::ReadLine;
use Term::ReadPassword;

my $term = new Term::ReadLine "cram_auth_calc_$algorithm";
die "No terminal initialisation" unless defined $term;
$term->ornaments(0);

my $challenge = $term->readline("CRAM-$algorithm_uc Challenge (base64 encoded): ");
my $usercode = $term->readline('Usercode to authenticate as: ');
my $password = read_password('Password: ');

my $raw_challenge = decode_base64($challenge);
my $authdata = $do_hmac->($raw_challenge, $password);
my $raw_response = $usercode . ' ' . $authdata;
my $response = encode_base64($raw_response);

$response .= "\n" unless $response =~ /\n\z/;

print $response;