cyrusimap / cyrus-imapd

Cyrus IMAP is an email, contacts and calendar server
http://cyrusimap.org

Timsieved fails to perform proxy authorization (?) #1386

Open brong opened 13 years ago

brong commented 13 years ago

From: Jeroen van Meeuwen (Kolab Systems)
Bugzilla-Id: 3500
Version: 2.4.10
Owner: Bron Gondwana

brong commented 13 years ago

From: Jeroen van Meeuwen (Kolab Systems)

Scenario:

Symptoms:

Aug 4 09:33:28 frontend1 sieve[18581]: accepted connection
Aug 4 09:33:30 frontend1 sieve[18581]: ptload(): fetched cache record (lucy.meier@kolab.org)(mark 1312463327, current 1312464810, limit 1312454010)
Aug 4 09:33:30 frontend1 sieve[18581]: ptload returning data
Aug 4 09:33:30 frontend1 sieve[18581]: canonified lucy.meier@kolab.org -> lucy.meier@kolab.org
Aug 4 09:33:30 frontend1 sieve[18581]: ptload(): pinging ptloader
Aug 4 09:33:30 frontend1 sieve[18581]: connected with no delay
Aug 4 09:33:30 frontend1 sieve[18581]: ptload(): connected
Aug 4 09:33:30 frontend1 sieve[18581]: timeout_select: sock = 10, rp = 0x0, wp = 0x7fff75593490, sec = 30
Aug 4 09:33:30 frontend1 sieve[18581]: timeout_select exiting. r = 1; errno = 0
Aug 4 09:33:30 frontend1 sieve[18581]: ptload sent data
Aug 4 09:33:30 frontend1 sieve[18581]: timeout_select: sock = 10, rp = 0x7fff75593510, wp = 0x0, sec = 30
Aug 4 09:33:30 frontend1 ptloader[10660]: accepted connection
Aug 4 09:33:30 frontend1 sieve[18581]: timeout_select exiting. r = 1; errno = 0
Aug 4 09:33:30 frontend1 sieve[18581]: timeout_select: sock = 10, rp = 0x7fff75593510, wp = 0x0, sec = 30
Aug 4 09:33:30 frontend1 sieve[18581]: timeout_select exiting. r = 1; errno = 0
Aug 4 09:33:30 frontend1 sieve[18581]: ptload read data back
Aug 4 09:33:30 frontend1 sieve[18581]: ptload(): bad response from ptloader server: identifier not found
Aug 4 09:33:30 frontend1 sieve[18581]: No data available at all from ptload()
Aug 4 09:33:30 frontend1 sieve[18581]: ptload completely failed: unable to canonify identifier: lucy^meier@kolab.org
Aug 4 09:33:30 frontend1 sieve[18581]: couldn't authenticate to backend server: authentication failure
Aug 4 09:33:30 frontend1 sieve[18581]: couldn't authenticate to backend server

Logs on backend:

Aug 4 09:33:30 backend1 sieve[18400]: executed
Aug 4 09:33:30 backend1 sieve[18400]: accepted connection
Aug 4 09:33:30 backend1 sieve[18400]: Lost connection to client -- exiting

Workaround:

brong commented 13 years ago

From: Dan White

Do you see any sasl syslog output in your auth syslog facility (e.g. /var/log/auth.log)?

Do you know what sasl mechanism your frontend is attempting to use? A few mechanisms do not support proxy authentication. You might want to explicitly define a list of mechanisms on the backend, such as:

neo:~# grep timsieved /etc/cyrus.conf
sieve cmd="timsieved" listen="sieve" prefork=0 maxchild=100
neo:~# cat >> /etc/imapd.conf << EOF
> sieve_sasl_mech_list: DIGEST-MD5 EXTERNAL GSSAPI PLAIN
> sieve_sasl_log_level: 7
> EOF

see: http://www.cyrussasl.org/docs/cyrus-sasl/2.1.23/mechanisms.php

And increase your auth syslog facility to 'debug' for (potentially) useful syslogging.

Do you have proxyservers or sieve_proxyservers configured on the backend?
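The checks asked about in the comment above (mechanism list, `proxyservers` / `sieve_proxyservers`) can be run as a small config lint. This is an added example, not part of the thread or of Cyrus itself; the function names and sample configs are constructed, and the allowed-mechanism set is simply the list suggested in that comment.

```python
# Added example: lint for the proxy settings asked about in the comment above.
# ALLOWED_MECHS is the list suggested in that comment, used here as an
# allow-list (assumption: the comment does not say which mechanisms lack
# proxy support).
ALLOWED_MECHS = {"DIGEST-MD5", "EXTERNAL", "GSSAPI", "PLAIN"}

def parse_imapd_conf(text):
    """Parse 'key: value' lines; blank lines and # comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip().lower()] = value.strip()
    return conf

def option(conf, service, name):
    """A service-prefixed key (sieve_<name>) wins over the global <name>."""
    return conf.get(f"{service}_{name}", conf.get(name, ""))

def check_proxy_setup(frontend_text, backend_text, service="sieve"):
    """Return a list of findings; an empty list means nothing was flagged."""
    fe, be = parse_imapd_conf(frontend_text), parse_imapd_conf(backend_text)
    findings = []
    mechs = option(be, service, "sasl_mech_list").upper().split()
    if not mechs:
        findings.append("backend: no explicit sasl_mech_list")
    for mech in mechs:
        if mech not in ALLOWED_MECHS:
            findings.append(f"backend: {mech} is outside the suggested list")
    authname = option(fe, service, "proxy_authname")
    if not authname:
        findings.append("frontend: proxy_authname is not set")
    elif authname not in option(be, service, "proxyservers").split():
        findings.append(f"backend: {authname} is not in proxyservers")
    return findings

# Constructed sample configs (not taken from the thread).
FRONTEND = "proxy_authname: murderproxy\nserverlist: backend.example.org\n"
BACKEND_BEFORE = "sasl_mech_list: PLAIN LOGIN\nproxyservers: otheradmin\n"
BACKEND_AFTER = (BACKEND_BEFORE
                 + "sieve_sasl_mech_list: DIGEST-MD5 EXTERNAL GSSAPI PLAIN\n"
                 + "sieve_proxyservers: murderproxy\n")

if __name__ == "__main__":
    for label, backend in (("before", BACKEND_BEFORE), ("after", BACKEND_AFTER)):
        print(label, check_proxy_setup(FRONTEND, backend))
```
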

brong commented 13 years ago

From: Jeroen van Meeuwen (Kolab Systems)

Hi Dan,

(In reply to comment #1)
> Do you see any sasl syslog output in your auth syslog facility (e.g.
> /var/log/auth.log)?
>

On the frontend's /var/log/messages:

Aug 4 09:33:28 frontend1 sieve[18581]: auxpropfunc error invalid parameter supplied
Aug 4 09:33:29 frontend1 sieve[18585]: auxpropfunc error invalid parameter supplied
Aug 4 09:33:30 frontend1 sieve[18587]: auxpropfunc error invalid parameter supplied
Aug 4 09:33:30 frontend1 sievefilter[18588]: auxpropfunc error invalid parameter supplied
Aug 4 09:33:30 frontend1 sieve[18581]: bad userid authenticated
Aug 4 09:33:32 trprkofe1 sieve[18581]: attempting server step after doneflag
Aug 4 09:33:32 trprkofe1 kernel: timsieved[18581]: segfault at 0000000000000000 rip 0000000000000000 rsp 00007fff75595fe8 error 14

On the backend's /var/log/messages:

Aug 4 09:33:30 backend1 sieve[18400]: auxpropfunc error invalid parameter supplied

> Do you know what sasl mechanism your frontend is attempting to use?

Frontend's /etc/imapd.conf:

sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN
allowplaintext: 1
auth_mech: pts
pts_module: ldap
serverlist: backend1.kolab.org backend2.kolab.org
proxy_authname: kolabmdr
proxy_password: ****

Backend's /etc/imapd.conf:

sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN
allowplaintext: 1
auth_mech: pts
pts_module: ldap
proxyservers: kolabmdr
proxy_authname: kolabmdr
proxy_password: ****

> A few
> mechanisms do not support proxy authentication. You might want to explicitly
> define a list of mechanisms on the backend, such as:
>

I can set / increase the sieve_sasl_log_level to a higher level later today, and possibly generate some more useful output.