CentOS sieve authentication using saslauthd

Quick solution to an infuriating problem.

Cyrus IMAP server is installed and authenticating just fine using saslauthd to my Active Directory:

/etc/imapd.conf:

...snip...
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN
...snip...

/etc/sysconfig/saslauthd:

SOCKETDIR=/run/saslauthd
MECH=ldap
FLAGS="-r"

However, I can’t get my sieve clients, including sieveshell, to authenticate:

[root@mailserver /]# sieveshell --user="first.last@example.com" --authname="first.last@example.com" localhost
connecting to localhost
connect: Connection refused
unable to connect to server at /bin/sieveshell line 170.

Telnetting in yielded no auth mechs presented:

[root@mailserver /]# telnet localhost sieve
Trying ::1...
Connected to localhost.
Escape character is '^]'.
"IMPLEMENTATION" "Cyrus timsieved v2.4.17-Fedora-RPM-2.4.17-8.el7_1"
"SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
"STARTTLS"
"UNAUTHENTICATE"
OK

No auth mechs listed, e.g. PLAIN, LOGIN, etc. What gives? The search string “timsieved sasl_auth_mech” yielded 3 results on Google; luckily this page was one of them. How often is it simply that some package you need isn’t installed?

[root@mailserver /]# yum -y install cyrus-sasl-plain

That’s it:

[root@mailserver /]# telnet localhost sieve
Trying ::1...
Connected to localhost.
Escape character is '^]'.
"IMPLEMENTATION" "Cyrus timsieved v2.4.17-Fedora-RPM-2.4.17-8.el7_1"
"SASL" "PLAIN LOGIN"
"SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
"STARTTLS"
"UNAUTHENTICATE"
OK

Another takeaway I learned – if you want to disable TLS for just Cyrus sieve, adjust your /etc/cyrus.conf as such:

  sieve         cmd="timsieved -C /etc/sieve.conf" listen="sieve" prefork=0

And just modify the /etc/sieve.conf file to suit your needs. I know this has caused me issues in the past, and I never knew it could be tuned separately from imapd.
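
An added example, not from the original post: a small Python parser for the timsieved capability greeting seen in the two telnet sessions, reporting a missing SASL mechanism list and flagging PLAIN/LOGIN offered on a connection without TLS. The function names and the tls_active parameter are assumptions made for this example; the greetings are copied from the sessions above.

```python
import re

# Capability greetings copied from the two telnet sessions above.
IMPL = '"IMPLEMENTATION" "Cyrus timsieved v2.4.17-Fedora-RPM-2.4.17-8.el7_1"\n'
SIEVE = ('"SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags '
         'notify envelope relational regex subaddress copy"\n')
TAIL = '"STARTTLS"\n"UNAUTHENTICATE"\nOK\n'
BEFORE = IMPL + SIEVE + TAIL                          # cyrus-sasl-plain missing
AFTER = IMPL + '"SASL" "PLAIN LOGIN"\n' + SIEVE + TAIL  # after the yum install

# A capability line is "NAME" optionally followed by "VALUE".
CAP_LINE = re.compile(r'^"([^"]+)"(?:\s+"([^"]*)")?\s*$')
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}  # send the password itself over the wire


def parse_capabilities(greeting):
    """Return {NAME: value or None} for each capability line up to the OK."""
    caps = {}
    for line in greeting.splitlines():
        line = line.strip()
        if line.upper().startswith("OK"):
            break
        match = CAP_LINE.match(line)
        if match:  # telnet banner lines ("Trying ::1...") are skipped
            caps[match.group(1).upper()] = match.group(2)
    return caps


def diagnose(greeting, tls_active=False):
    """List findings for a greeting read with or without TLS already active."""
    caps = parse_capabilities(greeting)
    mechs = set((caps.get("SASL") or "").upper().split())
    findings = []
    if not mechs:
        findings.append("no SASL mechanisms advertised: "
                        "check that the cyrus-sasl plugin packages are installed")
    exposed = sorted(mechs & CLEARTEXT_MECHS)
    if exposed and not tls_active:
        findings.append("cleartext mechanisms offered without TLS: " + " ".join(exposed))
    if "STARTTLS" not in caps and not tls_active:
        findings.append("STARTTLS not offered")
    return findings


if __name__ == "__main__":
    for name, greeting in (("before", BEFORE), ("after", AFTER)):
        print(name, diagnose(greeting) or "ok")
```

Pass tls_active=True when the greeting was read after STARTTLS completed, so PLAIN and LOGIN inside the encrypted session are not flagged.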
