That fixed it; thanks!
I did need "novalidate-cert" for localhost; still got the same failure to authenticate without it. Does that context have a variable with my actual IP address that I could use instead of the "novalidate-cert" qualifier? Seems like that would be cleaner / more secure if available.
As always, thanks for the great support.
John
-- John Wilkes john@wilkes.com
One can ignore reality, but one cannot ignore the consequences of ignoring reality. --Ayn Rand
On Jan 15, 2013, at 12:26 AM, Surgemail Support (Marijn) wrote:
Ah very good spotting, I'll see if I can make the error response a bit more sensible.
Editing surgemail/phplib/netwin/NWAuth_sabre.php should do the trick to force sabredav to use ssl:
$imap = imap_open("{127.0.0.1:993/ssl}INBOX", $username, $password, OP_HALFOPEN);
And if the certs do not match the url (which they probably won't even for valid signed certificates due to using the localhost ip address) you can use the following:
$imap = imap_open("{127.0.0.1:993/ssl/novalidate-cert}INBOX", $username, $password, OP_HALFOPEN);
I have just confirmed the above to work for me on my development testbox.
Marijn
On Tuesday 15/01/2013 at 10:04 am, John Wilkes wrote:
The problem appears to be that I require all users to use SSL; i.e.
g_ssl_require_login = *
This setting forces all matching IP addresses to use SSL for any action that requires a user login. eg: POP, IMAP and SMTP authentication but not plain SMTP. So this is ideal if you want all users to use SSL but still want email to come in from non SSL SMTP servers. If I unset g_ssl_require_login, the CalDAV authentication verification test passes. If I set g_ssl_require_login to the wildcard "*"; i.e. require all users from all IP addresses to use SSL, the CalDAV authentication verification test fails. The test also fails if I set g_ssl_require instead.
I tried g_ssl_try_not = 127.0.0.1 (i.e. localhost) but that had no effect and CalDAV authentication verification still fails when g_ssl_require_login is set to the wildcard.
This appears to be 100% reproducible on my test setup with a fresh Surgemail installation and default configuration settings, and on my live server and mirror with my configuration.
It seems that CalDAV authentication does not support SSL and requires an unencrypted connection.
John
-- John Wilkes john@wilkes.com
Definition of Fascism: Everything in the State, nothing outside the State, nothing against the State. --Benito Mussolini, 1927
On Jan 12, 2013, at 3:28 PM, John Wilkes wrote:
My firewall is a standalone system, separate from the surgemail server.
I also run a surgemail mirror, if that matters.
I don't think it's network related; I get the same error running locally on the server.
I can telnet to 127.0.0.1:143 and imap responds:
divHIDDEN@ail:~> telnet 127.0.0.1 143
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
John
On Jan 12, 2013, at 2:48 AM, Surgemail Support (Marijn) wrote:
Right... provided your firewall is not running on the surge mail server that should be irrelevant to this issue.
Is surgemail actually listening on the localhost ip address (127.0.0.1) and you have not configured it to just listen on the network ip address? If so you would need to use that ip address instead obviously.
Else next step is to try manually doing a telnet to 127.0.0.1:143 and seeing what sort of response you get.
Also port intercepting virus scanners on the server running surgemail just may be interfering.
Anyway let us know if you do / do not make any progress in fixing.
Marijn
On Friday 11/01/2013 at 2:31 pm, John Wilkes wrote:
Marijn,
That did not fix it; I get the same error.
I realized that my firewall blocks port 143, but Surgemail itself is configured to use it: g_imap_port = 143.
I can login to Surgeweb, but SabreDAV authentication integration fails. I give the same user name and password that I use for Surgeweb and my imap client, but the browser pop-up says:
The user name or password you entered for area “SabreDAV” on mail.wilkes.com:7025 was incorrect.
When I click cancel to close that pop-up, I see this message in the browser window:
Sabre_DAV_Exception_NotAuthenticated No basic authentication headers were found 1.6.2
The surgemail/scripts/cal.log file:
01/11/13 01:16:43 [10914] Sabre CAL
01/11/13 01:16:43 [10914] need auth beforeMethod [GET-]
01/11/13 01:16:43 [10914] NWAUTH user=john@wilkes.com pass={hidden} hash=1c74855d13c34eb9421fcbc4d47a1192
01/11/13 01:16:43 [10914] No cached login, trying IMAP
01/11/13 01:16:43 [10914] Imap login exception imap_open(): Couldn't open stream {127.0.0.1:143/notls}INBOX
01/11/13 01:16:43 [10914] NWAUTH authorised=[NO]
01/11/13 01:16:43 [10914] Sabre CAL END
01/11/13 01:17:53 [10923] ----
01/11/13 01:17:53 [10923] Sabre CAL
01/11/13 01:17:53 [10923] need auth beforeMethod [GET-]
01/11/13 01:17:53 [10923] Sabre CAL END
I verified that php is running, and I verified that the SabreDAV environment is valid. It's just authentication that's not working.
I did a test installation on a fresh system, and I am able to verify SabreDAV authentication integration on it, so it's something in my mail server configuration that's messing things up.
Thanks, John
-- John Wilkes
After 50 is when life can be, finally, your own. The first 50 years is all about figuring it out!
On Jan 7, 2013, at 2:31 PM, Surgemail Support (Marijn) wrote:
Yep just point the authentication php script at the actual imap port you are using.
In file: surgemail\phplib\netwin\nwauth_sabre.php suitably edit this line:
$imap = imap_open("{127.0.0.1:143/notls}INBOX", $username, $password, OP_HALFOPEN);
and it should do the trick I believe.
Marijn
On Monday 07/01/2013 at 4:08 pm, John Wilkes wrote:
I'm getting an error when I test CalDAV authentication integration.
I am running Surgemail version 63c2. I verified that PHP integration is valid, and I verified that the SabreDAV environment is valid:
NetWin Test for PHP, SabreDAV, and other related implementation:
SERVER_NAME = wilkes.com
Debug log file = /usr/local/surgemail/scripts/cal.log
SabreDAV root = /usr/local/surgemail/phplib/SabreDAV
PHP ENVIRONMENT:
PHP version = 5.3.15
IMAP module = INSTALLED
PDO database module = INSTALLED
PDO_SQLITE database module = INSTALLED
MBSTRING module = INSTALLED
I click the link to test authentication: 3. Verify authentication integration test php (need to login with full "user@domain.com")
I login with my full user name and password (same as I use for imap/webmail access) but the authentication fails:
The user name or password you entered for area “SabreDAV” on mail.wilkes.com:7025 was incorrect.
The surgemail/scripts/cal.log file logs the failure:
01/07/13 02:50:17 [5883] ----
01/07/13 02:50:17 [5883] Sabre CAL
01/07/13 02:50:17 [5883] need auth beforeMethod [GET-]
01/07/13 02:50:17 [5883] Sabre CAL END
01/07/13 02:50:41 [5888] ----
01/07/13 02:50:41 [5888] Sabre CAL
01/07/13 02:50:41 [5888] need auth beforeMethod [GET-]
01/07/13 02:50:41 [5888] NWAUTH user=john@wilkes.com pass={hidden} hash=1c74855d13c34eb9421fcbc4d47a1192
01/07/13 02:50:41 [5888] No cached login, trying IMAP
01/07/13 02:50:41 [5888] Imap login exception imap_open(): Couldn't open stream {127.0.0.1:143/notls}INBOX
01/07/13 02:50:41 [5888] NWAUTH authorised=[NO]
01/07/13 02:50:41 [5888] Sabre CAL END
It looks like the authentication fails, but I login to SurgeWeb with the same login/password. My IMAP clients can login, too; so I know the user name and password are valid and correct.
However, I use an alternate port instead of 143. Do I need to configure that someplace for CalDAV / SabreDAV?
Thanks, John
-- John Wilkes
"I object to violence because when it appears to do good, the good is only temporary; the evil it does is permanent." -- Mahatma Gandhi
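
On the question raised in this thread of avoiding "novalidate-cert": an added example, not SurgeMail's or the posters' code, that builds the imap_open() mailbox string with certificate validation on when connecting by a name the certificate carries, and accepts /novalidate-cert only for a 127.x loopback address. The helper names and mail.example.com are assumptions for illustration.

```php
<?php
// Added example; function names and mail.example.com are hypothetical.

/** True for an IPv4 loopback literal (127.0.0.0/8), where traffic stays on the host. */
function is_loopback(string $host): bool
{
    $ip = filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    return $ip !== false && strpos($ip, '127.') === 0;
}

/** Build the mailbox string; skipping validation is an explicit, loopback-only opt-in. */
function imap_mailbox_spec(string $host, int $port = 993, bool $allowUnverified = false): string
{
    // Reject anything that could close the {...} part early or inject extra flags.
    if (!preg_match('/^[A-Za-z0-9.\-]+$/', $host)) {
        throw new InvalidArgumentException('unexpected characters in host');
    }
    if ($allowUnverified && !is_loopback($host)) {
        throw new InvalidArgumentException('/novalidate-cert is only accepted for loopback');
    }
    $flags = $allowUnverified ? '/ssl/novalidate-cert' : '/ssl/validate-cert';
    return sprintf('{%s:%d%s}INBOX', $host, $port, $flags);
}

/** Same login check as in the thread: open half-open, report success, close. */
function imap_check_login(string $spec, string $user, string $pass): bool
{
    $imap = @imap_open($spec, $user, $pass, OP_HALFOPEN);
    if ($imap === false) {
        // imap_errors() also clears the c-client error stack.
        error_log('IMAP login failed: ' . implode('; ', imap_errors() ?: []));
        return false;
    }
    imap_close($imap);
    return true;
}

// Validated: connect by a name that appears on the server certificate
// (the name must resolve to the mail server from this machine).
echo imap_mailbox_spec('mail.example.com'), "\n";

// Unvalidated, loopback only: the form used in the thread.
echo imap_mailbox_spec('127.0.0.1', 993, true), "\n";
```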