Other posts about Postfix and Cyrus
  1. Your Own Mail Host – Postfix, Cyrus, FreeBSD
  2. Setting up SMTP authorization for Postfix using Cyrus SASL
  3. Setting up secure Cyrus
  4. Multidomain mail system with Postfix & Cyrus
  5. Cyrus & SASL – «No Mechanism Available»

This one has been troubling me since my very first setup of the Postfix/Cyrus mail host. For some reason both Postfix and Cyrus would refuse to let me in when using the LOGIN or PLAIN auth mechanisms («mechs» in SASL terms).

What I did to finally solve this was the following:

  1. Stopped Postfix (postfix stop) and Cyrus (/usr/local/etc/rc.d/imapd stop).
  2. Removed all 3 ports: cyrus-sasl2, cyrus-imapd22 and postfix-current with make deinstall clean.
  3. Installed them again in this order:
    1. security/cyrus-sasl2 – with options AUTHDAEMOND, LOGIN, PLAIN, CRAM, DIGEST, OTP, NTLM
    2. mail/cyrus-imapd22 – with no options
    3. mail/postfix-current – with options PCRE, SASL2, TLS
  4. Configured per-application SASL settings:
    1. For Postfix they reside in /usr/local/lib/sasl2/smtpd.conf and contain this:

         pwcheck_method: auxprop
         auxprop_plugin: sasldb

    2. Cyrus doesn't seem to read them from anywhere except its own config (/usr/local/etc/imapd.conf), where they're prefixed with sasl_. See the full config below.
  5. Started Postfix (postfix start) and Cyrus (/usr/local/etc/rc.d/imapd start) – before the latter make sure /usr/local/cyrus/bin has rwx perms for others, as the port install tends to reset them.

Note: when using the SASL database (auxprop + sasldb) be aware that it stores passwords in plain text. This is by design: the shared-secret mechanisms (CRAM-MD5 and DIGEST-MD5) need the original secret to verify the client's response, and LOGIN and PLAIN are checked against the same stored value. You can confirm it by opening /usr/local/etc/sasldb2.db in a text editor and searching for your password (it is indeed visible in the clear). If in doubt, recreate the database: delete it and fill it anew with saslpasswd2 -c, or with saslpasswd2 -c -a smtpd so that Postfix's settings file (the one carrying the auxprop/sasldb values) is used. Because the secrets are in the clear, keep sasldb2.db readable only by the users the Postfix and Cyrus daemons run as.

Full IMAPd config:

# SASL
sasl_minimum_layer: 0
sasl_log_level: 7
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sasldb
sasl_auto_transition: no

# authentication-specific
allowanonymouslogin: no
allowplaintext: yes
plaintextloginpause: 2
noplaintextwithouttls: no

# TLS/SSL security
tls_ca_file: /var/imap/tls/server.pem
tls_cert_file: /var/imap/tls/server.pem
tls_key_file: /var/imap/tls/server.pem

# paths
configdirectory: /var/imap
partition-default: /var/spool/imap
sievedir: /var/imap/sieve
sendmail: /usr/local/sbin/sendmail

# other
sieveusehomedir: false
admins: cyroot

# virtual domains
virtdomains: userid
defaultdomain: i-forge.net

Probably not all of the above settings are required, but you can always refine them once you have a working setup. Two of them deserve a second look at that point: sasl_log_level: 7 is SASL_LOG_PASS, the most verbose level, which writes protocol traces including passwords to the log, and allowplaintext: yes permits cleartext passwords on the wire, so it only belongs together with TLS.
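The mapping between the two files is easy to get wrong, so here is an added example (my own code, not part of the original post or of the Cyrus project) that parses both files in their common "key: value" format, strips the sasl_ prefix the way Cyrus does before handing the options to libsasl, and reports the conditions behind the symptoms discussed on this page. The two sample configs are constructed for the demo (they mirror the values above), and the wording of the findings is the script's own.

```python
"""Added example, not from the original post: check that the SASL settings
Postfix (smtpd.conf) and Cyrus (imapd.conf, sasl_ prefix) see are consistent
and flag the conditions that produce "no mechanism available".
"""
import re

# Constructed sample: /usr/local/lib/sasl2/smtpd.conf as given in the post.
SMTPD_CONF = """\
pwcheck_method: auxprop
auxprop_plugin: sasldb
"""

# Constructed sample: the SASL/auth part of the post's imapd.conf.
IMAPD_CONF = """\
# SASL
sasl_minimum_layer: 0
sasl_log_level: 7
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sasldb
sasl_auto_transition: no

# authentication-specific
allowanonymouslogin: no
allowplaintext: yes
"""

# Constructed "broken" imapd.conf: the sasl_ lines that select a password
# verifier are missing, which is the misconfiguration this post is about.
IMAPD_CONF_BROKEN = """\
sasl_minimum_layer: 0
allowplaintext: yes
"""


def parse_conf(text):
    """Both Cyrus IMAP and Cyrus SASL config files are 'key: value' lines with
    '#' comments; keys are case-insensitive, so they are normalised to lower case."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9_-]+)\s*:\s*(.*)$", line)
        if not m:
            raise ValueError(f"invalid option line: {line!r}")
        conf[m.group(1).lower()] = m.group(2).strip()
    return conf


def sasl_view(imapd_conf):
    """Cyrus passes every sasl_* option to libsasl with the prefix removed; this
    is the option set libsasl effectively sees for the imapd application."""
    return {k[len("sasl_"):]: v for k, v in imapd_conf.items() if k.startswith("sasl_")}


def check_sasl(settings):
    """Findings for one application's SASL settings (an empty list means fine)."""
    findings = []
    method = settings.get("pwcheck_method")
    if not method:
        findings.append("pwcheck_method is not set: no password verifier, so LOGIN/PLAIN "
                        "fail with 'no mechanism available'")
    elif "auxprop" in method and not settings.get("auxprop_plugin"):
        findings.append("pwcheck_method uses auxprop but auxprop_plugin is not set")
    if settings.get("log_level") == "7":
        findings.append("log_level 7 (SASL_LOG_PASS) logs protocol traces including passwords")
    return findings


def check_pair(smtpd_text, imapd_text):
    """Findings for Postfix's smtpd.conf and Cyrus's imapd.conf taken together."""
    postfix = parse_conf(smtpd_text)
    cyrus_all = parse_conf(imapd_text)
    cyrus = sasl_view(cyrus_all)
    findings = [f"postfix: {f}" for f in check_sasl(postfix)]
    findings += [f"cyrus: {f}" for f in check_sasl(cyrus)]
    # Both daemons are meant to verify against the same sasldb here, so the
    # verifier settings should agree between the two files.
    for key in ("pwcheck_method", "auxprop_plugin"):
        if postfix.get(key) != cyrus.get(key):
            findings.append(f"{key} differs: postfix={postfix.get(key)!r} cyrus={cyrus.get(key)!r}")
    if cyrus_all.get("allowplaintext") == "yes":
        findings.append("cyrus: allowplaintext yes permits cleartext passwords on the wire")
    return findings


if __name__ == "__main__":
    for name, text in (("working", IMAPD_CONF), ("broken", IMAPD_CONF_BROKEN)):
        print(name)
        for f in check_pair(SMTPD_CONF, text) or ["no findings"]:
            print("  -", f)
```

Run it as is and the "working" config only yields the two hardening notes (log level and cleartext passwords), while the "broken" one reports the missing verifier that produces the error in this post's title.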

Testing

Now let's connect to Postfix (with smtptest) and to Cyrus (with imtest), both of which come with the cyrus-imapd22 port. Note that in the first transcript Postfix offers LOGIN and PLAIN on an unencrypted connection, which is convenient for testing; on a production host set smtpd_tls_auth_only = yes in main.cf so that AUTH is only offered after STARTTLS.

$ smtptest -m login -a 'somewho@i-forge.net'
WARNING: no hostname supplied, assuming localhost

S: 220 I, the i-forge.net mailer, greet thou.
C: EHLO example.com
S: 250-i-forge.net
S: 250-PIPELINING
S: 250-SIZE 104857600
S: 250-VRFY
S: 250-ETRN
S: 250-AUTH NTLM LOGIN PLAIN GSSAPI OTP DIGEST-MD5 CRAM-MD5
S: 250-AUTH=NTLM LOGIN PLAIN GSSAPI OTP DIGEST-MD5 CRAM-MD5
S: 250-ENHANCEDSTATUSCODES
S: 250-8BITMIME
S: 250 DSN
C: AUTH LOGIN
S: 334 theiy4Ththei
Please enter your password:
C: AhS1oogoAhS1oogoAhS1oogo
S: 334 theiy4Ththei
C: abaiR3ah
S: 235 2.7.0 Authentication successful
Authenticated.
Security strength factor: 0
^DC: QUIT
221 2.0.0 Bye
Connection closed.

$ imtest -s -m plain -a 'somewho@i-forge.net'
WARNING: no hostname supplied, assuming localhost

verify error:num=18:self signed certificate
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
S: * OK my.i-forge.net Cyrus IMAP4 v2.2.13p1 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE AUTH=NTLM AUTH=LOGIN AUTH=PLAIN AUTH=GSSAPI AUTH=OTP AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR
S: C01 OK Completed
Please enter your password:
C: A01 AUTHENTICATE PLAIN Puadio6fChe9Eifochahth3Achahth3Ach==
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256
^DC: Q01 LOGOUT
* BYE LOGOUT received
Q01 OK Completed
Connection closed.

For reference, a misconfiguration results in the following output. The IMAP LOGIN command does not go through a SASL mechanism but through sasl_checkpass(), and "no mechanism available" is how SASL reports that it found no password verifier to check the password with; typically that means the sasl_pwcheck_method / sasl_auxprop_plugin lines shown above are missing from imapd.conf:

$ imtest -s -m login -a 'somewho@i-forge.net'
WARNING: no hostname supplied, assuming localhost

verify error:num=18:self signed certificate
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
S: * OK my.i-forge.net Cyrus IMAP4 v2.2.13p1 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE AUTH=NTLM AUTH=LOGIN AUTH=PLAIN AUTH=GSSAPI AUTH=OTP AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN somewho@i-forge.net {0}
S: + go ahead
C: <omitted>
S: L01 NO Login failed: no mechanism available
Authentication failed. generic failure
Security strength factor: 256
^CC: Q01 LOGOUT
Connection closed.

Also, note that LOGIN/PLAIN authentication only works when using some encryption – no matter what I've tried, I couldn't make it work over an unencrypted channel (for Postfix it works, though). You'll know you're running into this problem from output like this:

$ imtest -m plain -a 'somewho@i-forge.net'
...
C: A01 AUTHENTICATE PLAIN Puadio6fChe9Eifochahth3Achahth3Ach==
S: A01 NO encryption needed to use mechanism
Authentication failed. generic failure
Security strength factor: 0
^DC: Q01 LOGOUT
* BYE LOGOUT received
Q01 OK Completed
Connection closed.
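To make the transcripts above concrete, here is an added example (my own code, not part of the original post, of Postfix or of Cyrus) with both sides of the SMTP AUTH dialogue in code: a toy in-process server that behaves like Postfix does in the smtptest transcript, offering LOGIN and PLAIN and optionally refusing both before STARTTLS, which is the "encryption needed" failure mode shown last, and a client that builds the RFC 4616 PLAIN initial response and answers the two base64 prompts of LOGIN. The user table, credentials, host name, reply texts and the "STARTTLS" flag (no real TLS handshake is done) are assumptions for the demo.

```python
"""Added example, not from the original post: the SMTP AUTH LOGIN / AUTH PLAIN
dialogue from the transcripts, with a toy server standing in for Postfix and a
constructed user table standing in for sasldb2.
"""
import base64
import socket
import threading

# Constructed stand-in for sasldb2.db.  sasldb keeps the secret in the clear
# because CRAM-MD5/DIGEST-MD5 must recompute the client's response from it.
FAKE_SASLDB = {"somewho@i-forge.net": "abaiR3ah"}  # made-up credentials


def plain_initial_response(authcid, passwd, authzid=""):
    """RFC 4616 PLAIN initial response: base64(authzid NUL authcid NUL passwd)."""
    return base64.b64encode(f"{authzid}\0{authcid}\0{passwd}".encode()).decode()


def decode_plain(b64):
    """Server side of PLAIN: the three NUL-separated fields (authzid defaults to authcid)."""
    authzid, authcid, passwd = base64.b64decode(b64).decode().split("\0")
    return authzid or authcid, authcid, passwd


def _line(rf):
    return rf.readline().decode().rstrip("\r\n")


def serve_once(srv, require_tls):
    """One session of a toy SMTP server offering AUTH LOGIN and AUTH PLAIN."""
    conn, _ = srv.accept()
    with conn, conn.makefile("rb") as rf:
        def send(text):
            conn.sendall((text + "\r\n").encode())
        send("220 I, the i-forge.net mailer, greet thou.")
        tls = False
        while True:
            cmd, _, arg = _line(rf).partition(" ")
            if cmd in ("QUIT", ""):            # QUIT, or EOF when the client hangs up
                if cmd:
                    send("221 2.0.0 Bye")
                return
            if cmd == "EHLO":
                send("250-i-forge.net"); send("250-STARTTLS"); send("250 AUTH LOGIN PLAIN")
            elif cmd == "STARTTLS":            # demo only: flips a flag, no real handshake
                send("220 2.0.0 Ready to start TLS"); tls = True
            elif cmd == "AUTH":
                mech, _, initial = arg.partition(" ")
                if require_tls and not tls:    # reply code and text from RFC 4954 section 6
                    send("538 5.7.11 Encryption required for requested authentication mechanism")
                    continue
                if mech == "PLAIN":            # credentials arrive in the initial response
                    _, user, pw = decode_plain(initial)
                elif mech == "LOGIN":          # two base64 prompts, as in the transcript
                    send("334 " + base64.b64encode(b"Username:").decode())
                    user = base64.b64decode(_line(rf)).decode()
                    send("334 " + base64.b64encode(b"Password:").decode())
                    pw = base64.b64decode(_line(rf)).decode()
                else:
                    send("504 5.5.4 Unrecognized authentication type"); continue
                send("235 2.7.0 Authentication successful" if FAKE_SASLDB.get(user) == pw
                     else "535 5.7.8 Error: authentication failed")


def smtp_auth(port, mech, user, passwd, use_starttls=True):
    """Client side: EHLO, optional STARTTLS, AUTH; returns the server's final AUTH reply.
    (A real client re-issues EHLO after STARTTLS; the toy server does not need it.)"""
    with socket.create_connection(("127.0.0.1", port)) as s, s.makefile("rb") as rf:
        def send(text):
            s.sendall((text + "\r\n").encode())
        _line(rf)                              # 220 greeting
        send("EHLO example.com")
        mechs, reply = [], _line(rf)
        while reply[3] == "-":                 # walk the multi-line EHLO response
            reply = _line(rf)
            if reply[4:9] == "AUTH ":
                mechs = reply[9:].split()
        if use_starttls:
            send("STARTTLS"); _line(rf)
        if mech not in mechs:
            raise ValueError(f"server does not offer AUTH {mech}")
        if mech == "PLAIN":                    # one round trip with the initial response
            send("AUTH PLAIN " + plain_initial_response(user, passwd))
            reply = _line(rf)
        else:                                  # LOGIN: answer each 334 prompt in turn
            send("AUTH LOGIN")
            reply = _line(rf)
            for value in (user, passwd):
                if not reply.startswith("334 "):
                    break
                send(base64.b64encode(value.encode()).decode())
                reply = _line(rf)
        send("QUIT"); _line(rf)
        return reply


def run_demo(mech, user, passwd, use_starttls=True, require_tls=True):
    """Start the toy server on an ephemeral localhost port and run one client session."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0)); srv.listen(1)
    t = threading.Thread(target=serve_once, args=(srv, require_tls))
    t.start()
    try:
        return smtp_auth(srv.getsockname()[1], mech, user, passwd, use_starttls)
    finally:
        t.join(); srv.close()


if __name__ == "__main__":
    print(run_demo("LOGIN", "somewho@i-forge.net", "abaiR3ah"))
    print(run_demo("PLAIN", "somewho@i-forge.net", "abaiR3ah", use_starttls=False))
```

The second call in the main block reproduces the failure mode from the last transcript: the server offers PLAIN but refuses it before encryption, so the client has to do STARTTLS first (or the server has to be told, as with require_tls=False, that cleartext passwords are acceptable, which is what allowplaintext: yes asks of Cyrus).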