nl Tux's lil' helper

Joined: 14 Oct 2003 Posts: 102
Posted: Tue Nov 11, 2003 9:00 pm Post subject: Would appreciate help with cyrus imapd/sasl authentication.
Despite having previously installed cyrus-sasl and cyrus-imapd three times, including twice with compilation from CMU sources on debian systems and once using pre-packaged debian version, making sasl work properly still gives me headaches.
I installed last night via emerge, and cyrus itself runs fine, and with some work I got cyradm working as well. The problem is with authentication - I am thus far only able to connect from email clients using PLAINTEXT passwords, which while probably not that big a deal since I am using this on my own home LAN behind a (hopefully effective) firewall, I still want it done right with CRAM-MD5 passwords.
From reviewing config files, it appears that the problem is that the default result of the emerge is for authentication to somehow use PAM, which I assume then makes the call to cyrus-sasl to read sasldb2, and PAM does not appear to support CRAM-MD5 or DIGEST-MD5 (in fact, the config file says as much).
The whole interaction between PAM and sasl is a mystery to me, so if someone has experience with this I'd appreciate help on how to make sasl non-PAM so I can use CRAM-MD5 passwords.
Thanks.
BTW: Another aside: if anyone is using cyrus-imapd, you may see a difference between how gentoo's version of cyradm works compared with, at least, what I am used to on debian.
After installing last night, I could not get cyradm to work right - when connecting to server localhost, authentication would fail, claiming it could not authenticate root. Knowing that only the user "cyrus" was set to be an imap admin (/etc/imapd.conf), I tried to "su cyrus" but could not; at that point I discovered that the cyrus account, while extant in /etc/passwd, had shell /bin/false and therefore could not log in. This is different than under debian where cyrus is a bona-fide account, and I was accustomed to su'ing to cyrus before using cyradm.
So, I tried usermod'ing cyrus to a real shell; no help. I reset the password in sasldb2 (saslpasswd2); no help. I tried to reset the password in /etc/passwd (passwd cyrus) but that did not work with an error getting authentication token.
After pooting around a bit, I realized that this last error was due to there being no entry in /etc/shadow for cyrus, and so PAM was failing on the password. I deluser'd cyrus and adduser'd to get a password into /etc/shadow (did you know that if you set the password in /etc/shadow via the -p <password> option to adduser it appears in plaintext in /etc/shadow, but if you set it with the passwd command it appears in encrypted form? Bug or intentional, I don't know). Still no help.
After a while I found that you need to issue "cyradm --user cyrus <server>" which works fine, so apparently the version of cyradm in gentoo tries to authenticate as _root_ without this flag - because even if I logged in at this point as cyrus, cyradm STILL failed because root could not be authenticated - which suggests to me a bug in the code not sending the correct uid unless the user is specified on the command line.
I'll try to figure this out further when I have time to review the code (not a perl wizard, though, so I may not make progress), but in the meantime maybe someone knows a bit more about this than I...
Thanks for reading all of this!
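Why a PAM-backed check cannot serve CRAM-MD5, as an added example that is not part of the original post or of the cyrus code: in CRAM-MD5 (RFC 2195) the client sends only an HMAC-MD5 of the server's challenge, so the server has to hold the shared secret itself (as sasldb2 does), while a PAM-style backend can only test a plaintext password handed to it. The function names, the class, the user and the password are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

def make_challenge(hostname="mail.example.test"):
    """Server side: a fresh, unique challenge in msg-id form (RFC 2195)."""
    return "<%s.%d@%s>" % (os.urandom(8).hex(), int(time.time()), hostname)

def client_response(user, password, challenge):
    """Client side: the password never crosses the wire, only a keyed digest."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return "%s %s" % (user, digest)

def verify_with_secret_store(secrets, challenge, response):
    """sasldb2-style check: the server recomputes the HMAC from the stored secret."""
    user, _, digest = response.rpartition(" ")
    secret = secrets.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

class PlaintextOnlyBackend:
    """Hypothetical stand-in for a PAM-style checker: it keeps a salted one-way
    hash and can only answer "is this plaintext password correct?"."""
    def __init__(self, user, password):
        self.user, self.salt = user, os.urandom(16)
        self.hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 1000)

    def check_plaintext(self, user, password):
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 1000)
        return user == self.user and hmac.compare_digest(cand, self.hash)

def demo():
    secrets = {"alice": "correct horse"}          # constructed sasldb2-like store
    pam_like = PlaintextOnlyBackend("alice", "correct horse")
    challenge = make_challenge()
    response = client_response("alice", "correct horse", challenge)
    digest = response.rpartition(" ")[2]
    return {
        "secret_store_accepts": verify_with_secret_store(secrets, challenge, response),
        "replay_on_new_challenge": verify_with_secret_store(secrets, make_challenge(), response),
        # All the plaintext-only backend could be handed is the digest, not the password.
        "plaintext_backend_accepts_digest": pam_like.check_plaintext("alice", digest),
        "plaintext_backend_accepts_password": pam_like.check_plaintext("alice", "correct horse"),
    }

if __name__ == "__main__":
    print(demo())
```

The trade-off this makes visible: the secret store must keep the password (or an equivalent) in recoverable form, so the file holding it needs tight permissions.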