
Pop3 sasl AUTH PLAIN not supported over TLS?

Hi,

Thunderbird does not work with Mac OS X server 10.5.5 POP3 because the SASL AUTH PLAIN method is not supported when TLS or SSL is used.

According to RFC5034:
"To ensure interoperability, client and server implementations of this extension MUST implement the PLAIN SASL mechanism [RFC4616] running over TLS [RFC2595]."

I have looked through the Cyrus documentation but I cannot find a way to enable AUTH PLAIN over TLS.

Any clue how to make the server RFC compliant?

Best regards,
Nicolas.

Windows XP Pro

Posted on Dec 15, 2008 1:33 AM


Dec 15, 2008 8:04 AM in response to pterobyte

My problem is that Thunderbird will not work with such settings and requires AUTH PLAIN to be supported when SASL is announced in CAPA.

My point was that the RFC states that AUTH PLAIN MUST be supported when SASL is announced on TLS connections.

I have filed a bug on Thunderbird bugtracker, but this looks more like a bug on the Cyrus implementation on Mac OS X 10.5.5.

Dec 16, 2008 4:50 AM in response to pterobyte

Really? Well I'd really like to dig through this. Could you post more info about your setup so that we can compare and check where the problem is on my side?

My setup: Mac OS X Server 10.5.5 running Cyrus POP3 v2.3.8-OS X Server 10.5. SSL and TLS are enabled but not required. Port 995 is the only port open for outside clients.
Thunderbird version 2.0.0.18 and 3 beta 1 cannot connect to POP over SSL or TLS. The error I get is: 'authentication failure'.
Non-encrypted connection works (Thunderbird will issue a USER/PASS and will not use the AUTH PLAIN method).
SASL and Kerberos are enabled on the server.

If I connect with openssl on the command line to port 995, then issue a CAPA command, here is the result:
CAPA
+OK List of capabilities follows
SASL GSSAPI
EXPIRE NEVER
LOGIN-DELAY 0
TOP
UIDL
PIPELINING
RESP-CODES
AUTH-RESP-CODE
USER

Could you please post the result of the same test?
('openssl> s_client -connect 10.1.1.1:995', then type 'CAPA').

Thanks for the help on this,
Nicolas.
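
The check discussed in this thread, as an added example (not part of any post, and not Cyrus or Thunderbird code): parse a CAPA listing and flag a server that announces SASL over TLS without PLAIN. The names `parse_capa` and `audit` and the second sample are constructed for illustration; the first sample is the CAPA output posted above.

```python
# CAPA response as posted in this thread (port 995, so already inside TLS).
THREAD_CAPA = """\
+OK List of capabilities follows
SASL GSSAPI
EXPIRE NEVER
LOGIN-DELAY 0
TOP
UIDL
PIPELINING
RESP-CODES
AUTH-RESP-CODE
USER
"""

# Constructed sample: a listing that satisfies the RFC 5034 requirement.
CONSTRUCTED_CAPA = "+OK\r\nSASL PLAIN GSSAPI\r\nUSER\r\n.\r\n"


def parse_capa(response):
    """Return {CAPABILITY: [arguments]} from a raw multi-line CAPA response."""
    lines = response.splitlines()
    if not lines or not lines[0].startswith("+OK"):
        raise ValueError("CAPA not accepted: %r" % (lines[:1],))
    caps = {}
    for line in lines[1:]:
        if line == ".":            # terminator of the multi-line response
            break
        parts = line.split()
        if parts:
            caps[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return caps


def audit(caps, tls_active):
    """List findings for a parsed CAPA response on a TLS or cleartext session."""
    findings = []
    mechs = caps.get("SASL")
    if mechs is None:
        findings.append("SASL capability not announced")
    elif tls_active and "PLAIN" not in mechs:
        findings.append("SASL announced over TLS without PLAIN (RFC 5034 MUST);"
                        " offered: " + " ".join(mechs))
    if not tls_active and ("USER" in caps or (mechs and "PLAIN" in mechs)):
        findings.append("cleartext-password login offered without TLS")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_capa(THREAD_CAPA), tls_active=True):
        print(finding)
```

Passing `tls_active=False` runs the same listing through the cleartext check, which matters on a server where SSL/TLS is enabled but not required.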

Dec 16, 2008 5:04 AM in response to nicolasfr

I use both 10.4.11 and 10.5.5 OS X Server. Thunderbird 2.0.0.18
The CAPA output is the same as yours, except I do not use Kerberos.

While trying to connect with Thunderbird, check /var/log/mailaccess.log for clues (you may need to increase the logging level first).

Also, check /etc/imapd.conf and check the settings in Server Admin are reflected correctly and that clear is not disabled.

Dec 16, 2008 5:23 AM in response to pterobyte

The CAPA output is the same as yours, except I do not use Kerberos.


Do you mean that you do not have the SASL GSSAPI line? If so this is the clue to my problem.
If SASL is not announced, Thunderbird will not issue the AUTH PLAIN, etc (see RFC).
I guess disabling Kerberos will solve my problem (I want to be sure before doing so, this is a production server).
