SLES 10 sp2, Cyrus IMAP and '@' in usernames

According to http://www.virtualmin.com/component/option,com_openwiki/Itemid,48/id,frequently_asked_questions/#what_s_the_deal_with_in_mailbox_usernames it’s a bad idea to use '@'s in usernames, but my client really wants it.

I’ve configured postfix and cyrus nicely and can login with webmin and usermin on IMAP. However, if I try to connect with a mailclient I get a login error:

saslauthd[23135]: do_auth : auth failure: [user=testuser] [service=imap] [realm=boor.ebrius.nl] [mech=pam] [reason=PAM auth error]

I’ve tried the suggestion in the above mentioned article and this is my
/etc/sysconfig/saslauthd:

[code:1]
## Path: System/Security/SASL
## Type: list(getpwent,kerberos5,pam,rimap,shadow,ldap)
## Default: pam
## ServiceRestart: saslauthd
#
# Authentication mechanism to use by saslauthd.
# See man 8 saslauthd for available mechanisms.
#
SASLAUTHD_AUTHMECH=pam
PARAMS=-r
FLAGS=-r
[/code:1]

(I don’t know which option applies for my OS, so I’ve tried all permutations).

So, I’m kind of stuck and hope to hear from someone how to continue.

Yeah, using an ‘@’ in the username should work.

What does this show:

ps auxw | grep saslauth

Also, what’s the full username that you’re attempting to use in the example above?
-Eric

Boor:/home/ths # ps auxw | grep saslauth
root 23134 0.0 0.0 22504 1024 ? Ss 00:59 0:00 /usr/sbin/saslauthd -a pam
root 23135 0.0 0.0 26872 1644 ? S 00:59 0:00 /usr/sbin/saslauthd -a pam
root 23136 0.0 0.0 22504 660 ? S 00:59 0:00 /usr/sbin/saslauthd -a pam
root 23137 0.0 0.0 22504 592 ? S 00:59 0:00 /usr/sbin/saslauthd -a pam
root 23138 0.0 0.0 22504 592 ? S 00:59 0:00 /usr/sbin/saslauthd -a pam
root 30074 0.0 0.0 3928 792 pts/0 S+ 12:30 0:00 grep saslauth
Boor:/home/ths #

full username: thijs@boor.ebrius.nl (maybe because it’s a subdomain it doesn’t work?)

nope, on a testdomain without subdomain logging in also fails.

Okay, first, I’m not seeing the “-r” option being passed into saslauthd above.

When you say a “test domain without a subdomain fails”, are you saying a user without an “@” in its name can’t log in either?

Are you seeing any other errors in the mail log? Or just the one you showed in your first post with the "PAM auth error"?
-Eric

That’s strange, because I’ve specified it in /etc/sysconfig/saslauthd with the FLAGS and the PARAMS option.

With the testdomain I’ve used a username@sub.domain.tld instead of username@domain.tld, but I don’t think it makes a difference.

And the error is still the same. It looks like you’re right and the -r option is ignored.

btw, I tried to edit, but the forum claimed it had a bug…

Sweet, Joe said I get a nickel for every forum bug run into – and I’ve been pretty financially sound ever since :slight_smile:

Just to be sure – did you restart saslauthd after adding in the -r param?
-Eric

of course :smiley:

Yeah, I’m not sure why that’s not taking then :slight_smile:

Perhaps just to get things started, you might consider adding the "-r" param directly to the init script in /etc/init.d?

That’s certainly not desirable for the long term, but might at least help you get that up and running :slight_smile:
-Eric

Okay, I’ve changed the line (in )

[code:1]
/sbin/startproc $AUTHD_BIN -a $SASLAUTHD_AUTHMECH > /dev/null 2>&1
[/code:1]

into

[code:1]
/sbin/startproc $AUTHD_BIN -a $SASLAUTHD_AUTHMECH $FLAGS > /dev/null 2>&1
[/code:1]

and now the -r flag is accepted:

Starting service saslauthd done
Boor:/home/ths # ps auxw | grep saslauth
root 14905 0.0 0.0 22500 1024 ? Ss 11:43 0:00 /usr/sbin/saslauthd -a pam -r
root 14906 0.0 0.0 22500 660 ? S 11:43 0:00 /usr/sbin/saslauthd -a pam -r
root 14907 0.0 0.0 22500 592 ? S 11:43 0:00 /usr/sbin/saslauthd -a pam -r
root 14908 0.0 0.0 22500 592 ? S 11:43 0:00 /usr/sbin/saslauthd -a pam -r
root 14909 0.0 0.0 22500 592 ? S 11:43 0:00 /usr/sbin/saslauthd -a pam -r
root 14911 0.0 0.0 3928 780 pts/0 S+ 11:43 0:00 grep saslauth

However, when I try to log in I receive another error:

Mar 14 11:41:02 Boor imap[14849]: cross-realm login test@testdomein.nl denied
Mar 14 11:41:02 Boor imap[14849]: badlogin: s559081f3.adsl.wanadoo.nl [85.144.129.243] plaintext test@testdomein.nl SASL(-13): authentication failure: cross-realm login test@testdomein.nl denied

So a whole new error…

I’ve also tried enabling imaps in /etc/cyrus.conf and logging in with that, but I first have to arrange certs etc.

Aaaaaaand… I’ve fixed it!

Just add virtdomains: on
in the /etc/imapd.conf file and restart cyrus :smiley:

Only problem now is that my Mail client (Thunderbird) doesn’t show the mails correctly…
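
As an added example that is not part of the original thread, the two checks and the two log signatures discussed above can be turned into a small triage script. The function names are hypothetical, and the script assumes `-r` appears as its own argument on the saslauthd command line and that the last `virtdomains` line in imapd.conf is the effective one.

```shell
#!/bin/sh
# Added example (not from the thread): triage helpers for the two failures above.

# 0 if a saslauthd command line (as shown by ps) carries -r as its own argument.
saslauthd_has_r() {
    case " $1 " in
        *" -r "*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the given imapd.conf enables virtual domains; commented-out lines are ignored.
virtdomains_enabled() {
    val=$(sed -n 's/^[[:space:]]*virtdomains[[:space:]]*:[[:space:]]*\([A-Za-z0-9]*\).*/\1/p' "$1" | tail -n 1)
    case "$val" in
        on|userid) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a one-line hint for a mail-log line matching either signature.
diagnose_line() {
    case "$1" in
        *saslauthd*do_auth*"auth failure"*"[mech=pam]"*)
            user=$(printf '%s\n' "$1" | sed -n 's/.*\[user=\([^]]*\)\].*/\1/p')
            realm=$(printf '%s\n' "$1" | sed -n 's/.*\[realm=\([^]]*\)\].*/\1/p')
            if [ -n "$realm" ]; then
                # Realm arrived separately, so PAM saw only the local part.
                echo "realm-split: PAM checked '$user'; if the account is '$user@$realm', saslauthd needs -r"
            else
                echo "pam-failure: no realm sent; check the password or account for '$user'"
            fi ;;
        *"cross-realm login"*denied*)
            echo "cross-realm: Cyrus refused a user@domain login; check virtdomains in imapd.conf" ;;
        *)
            echo "unrecognised" ;;
    esac
}

# Demo on the two log lines quoted in the thread.
diagnose_line "saslauthd[23135]: do_auth : auth failure: [user=testuser] [service=imap] [realm=boor.ebrius.nl] [mech=pam] [reason=PAM auth error]"
diagnose_line "Mar 14 11:41:02 Boor imap[14849]: cross-realm login test@testdomein.nl denied"
```
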

I’m glad you got sending email going.

What do you mean by it doesn’t show them correctly?
-Eric

Well, mail is generated when I send it through webmin, in maildir format. However, Thunderbird seems to save the mail in another format, because I can’t see maildir mails in thunderbird and when I save a draft for example, they don’t show up in the maildir.

So it looks like Cyrus doesn’t use the same mailfolders?


Thunderbird can be configured to use local storage for folders…e.g. on the client machine. This might also explain the behavior you’re seeing.

No, because IonCube (a webmail client) also shows this behaviour. I think Cyrus uses different folders than webmin.

Should I use dovecot or courier instead?

Well, Dovecot is part of the standard Virtualmin stack, it’s known to work pretty well in conjunction with Virtualmin.

That said, I imagine any IMAP server should work fine. You just need to make sure that Postfix, Usermin, and Cyrus all agree on where emails should be stored.
-Eric

Yeah… I’m kind of doubtful, should I either:

-Try to install Dovecot although it isn’t supported by SLES or
-Use Cyrus which is supplied by SLES but isn’t supported by virtualmin.