Friday I upgraded my server to breezy. After that, I got problems with
authentication in cyrus/imap.
I'm using sasl to authenticate clients; in turn, sasl use pam_ldap.
Before upgrade all worked fine; after, sometimes auth succeeded while other
times failed.
Finally, I discovered where was the problem: each instance of imapd correctly
authenticate only its first connection. All subsequent connections will get a
'badlogin' reply, like that row, grepped from /var/log/syslog:
Oct 17 11:25:04 localhost cyrus/imapd[20650]: badlogin:
net84-253-166-106.mclink.it[84.253.166.106] plaintext ece SASL(-13): user not
found: checkpass failed
So, I set my /etc/cyrus.conf with lines like this one:
imaps cmd="imapd -s -U 1" listen="imaps" prefork=0 babysit=5
where the -U flag tells imapd to use each instance for one connection only and
then exit.
Doing this, things goes better: connection now don't crash, even if from time to
time, I get on my syslog lines these ones:
Oct 18 18:30:52 localhost cyrus/imapd[19506]: starttls: TLSv1 with cipher
AES256-SHA (256/256 bits new) no authentication
Oct 18 18:31:00 localhost cyrus/imapd[19506]: badlogin:
net84-253-166-106.mclink.it[84.253.166.106] plaintext lte SASL(-13):
authentication failure: checkpass failed
Oct 18 18:31:16 localhost cyrus/imapd[19506]: login:
net84-253-166-106.mclink.it[84.253.166.106] lte plaintext+TLS
That 'badlogin', however, seems not to cause problems to the connection (except
some delay...)
Matthias, is this possibly? related to your gnutls fix?