Core dumped / how to identify reason

Hello,

I use FreeBSD 14.0 release.
I installed Cyrus-IMAPd v3.8 with Cyrus-SASLauthd v2.1.28 : I've built them from ports or from packages but I ultimately face the same issue : When I reach the moment where I have to configure cyradm, there's an error that I cannot understand or debug.

Code:
cyradm -u cyrus localhost
Password: ********
Segmentation fault (core dumped)


I don't know where to start investigation, I went to the logs but there only was the same error without any pointers.

Code:
tail -f /var/log/messages
Dec 16 22:13:25 *** imap[65949]: SASL couldn't init cipher
Dec 16 22:13:25 *** imap[65949]: login: localhost [127.0.0.1] cyrus DIGEST-MD5 User logged in SESSIONID=<****.****.***-1702761200-65949-1-11910669555581225800>
Dec 16 22:13:25 *** kernel: pid 65948 (perl), jid 0, uid 0: exited on signal 11 (core dumped)

Does anyone have any clue about how to identify that problem here?
Google didn't help on that one...

Thanks,

--
Leo.
 
Don't know the exact answer (don't use Cyrus) but this message probably has something to do with it:
Code:
Dec 16 22:13:25 *** imap[65949]: SASL couldn't init cipher
 
Hey there,

Thanks SirDice :)
I had time to dig into it today, and here's what I've found.

The security/cyrus-sasl2 pkg is built with "OTP" mechanism enabled by default.
So if I build mail/cyrus-imapd38 from pkg, the security/cyrus-sasl2 is built with it and it leads to the core dump error I mentioned.

If I build mail/cyrus-imapd38 from ports with the exact same port configuration, I get the same error.
But if I build mail/cyrus-imapd38 from ports and its dependencies with disabling "OTP" from security/cyrus-sasl2 port, the error is gone and everything runs smoothly.

When I create a user with sasl with OTP activated I get :
Code:
# sasldblistusers2
cyrus@******.net: cmusaslsecretOTP
cyrus@******.net: userPassword

But without OTP it only has :
Code:
# sasldblistusers2
cyrus@******.net: userPassword

It seems that there's something wrong with the use of OTP and packages have it enabled by default.

Therefore I think I have three choices :
- Build everything from ports BUT I was challenging myself to have only packages installed on that box (that's a very small VPS and using ports on it is very slow).
- Build my own security/cyrus-sasl2 package with the OTP option disabled (but I don't know if it's recommended and if that doesn't have other side-effects..)
- Stick with pkg, and not use Cyrus anymore ; what alternative should I look at ?

Any advice would be appreciated :)

Regards,

--
Léo.
 
Been a while since I tried it, but you could try and track down where in the code things are going wrong to see if you can figure out what it is complaining about.

Could try installing gdb then run the command that crashes and see if any clues at all.

Dec 16 22:13:25 *** kernel: pid 65948 (perl), jid 0, uid 0: exited on signal 11 (core dumped)

That looks like a perl process is crashing - so that might make it a bit easier if just some perl code to look at (but might be a call into a binary library so you might not get too far).


Can you find the cyradm source perl script and put some print statements in there - narrow it down a bit to where it is going wrong.

Then maybe if you don't need the code where it goes astray, comment that out?

Probably not very helpful suggestions but at least with open source you can start to look at the source code.
 
I don't use cyrus. It would help if you could provide steps how to easily reproduce this (i.e. install this, configure that and launch this). I tried to download packages you mentioned but was not able to reproduce the error.

I don't know where to start investigation, I went to the logs but there only was the same error without any pointers.
Basically you have two options: a) investigate from application/configuration side b) look at the code

I can't help you with a) as I'm not familiar with the program. Guys provided some suggestions already though.

Now the b) approach .. Program crashed on SIGSEGV and dumped the core. It could be many things; generally program tried to use memory address it has no access to.

Install gdb if you don't have it yet. If you can reproduce this crash with cyradm from ports look here: debugging ports (set /etc/make.conf as described there) and recompile the ports in question.

You can debug this either live or do a post mortem analysis with the core at hand.

Live debugging with gdb:
1) start gdb: gdb `which cyradm`
2) run program from gdb: r -u cyrus localhost
3) once it crashes, give us the output of the following gdb commands:
Code:
bt
i r
x/3i $pc
With the latter approach, post mortem analysis, locate the current core dump (probably named cyradm.core), execute gdb `which cyradm` /path/to/cyradm.core and paste the commands from 3) I mentioned above.
 
Hi Richard,

Thanks for your input, I was on holiday and I didn't get a chance to check this forum earlier.

Been a while since I tried it, but you could try and track down where in the code things are going wrong to see if you can figure out what it is complaining about.
[...]
Can you find the cyradm source perl script and put some print statements in there - narrow it down a bit to where it is going wrong.

I'll try that this week, I hope I'll be able to tweak the perl script to make it more verbose.

Probably not very helpful suggestions but at least with open source you can start to look at the source code.

Thanks again, all suggestions are welcome on that one ; it's been a while since I'm nothing but stuck in a problem... :)

I'll keep you posted ; have a great day and happy new year :)

--
Léo.
 
Hi Martin,

Thanks also for your feedback and input. Sorry for not answering sooner, but I was on holiday last week.

I don't use cyrus. It would help if you could provide steps how to easily reproduce this (i.e. install this, configure that and launch this). I tried to download packages you mentioned but was not able to reproduce the error.

You're right.
Here is what I do (100% reproducible).

First, install the packages :
Code:
pkg install cyrus-imapd38
sysrc cyrus_imapd_enable="YES"
pkg install cyrus-sasl-saslauthd
sysrc saslauthd_enable="YES"

Then create working directories ( /var/imap + /var/spool/imap/ + /var/imap/sieve ) and give them correct permissions :
Code:
cd /var/
mkdir imap
chown cyrus:mail imap && chmod 755 imap
cd /var/spool/
mkdir imap
chown cyrus:mail imap && chmod 750 imap
cd /var/imap/
mkdir sieve
chown cyrus:mail sieve && chmod 755 sieve
su cyrus
% /usr/local/cyrus/sbin/mkimap
% exit

Then go edit imapd.conf :
Code:
vim /usr/local/etc/imapd.conf
Change some settings to make it work :
Code:
servername: xxx.yyy.net
admins: cyrus
sasl_pwcheck_method: saslauthd
sasl_mech_list: cram-md5 digest-md5

Start the daemon :
Code:
/usr/local/etc/rc.d/imapd start

Create cyrus (admin) account :
Code:
saslpasswd2 -c cyrus
cyradm -u cyrus localhost
Password: ********
Segmentation fault (core dumped)

Now the b) approach .. Program crashed on SIGSEGV and dumped the core. It could be many things; generally program tried to use memory address it has no access to.
Install gdb if you don't have it yet. If you can reproduce this crash with cyradm from ports look here: debugging ports (set /etc/make.conf as described there) and recompile the ports in question.

Thanks, I'll install gdb and give it a try.
I'll read the article "debugging ports" also, surely worth it.

You can debug this either live or do a post mortem analysis with the core at hand.

Live debugging with gdb:
1) start gdb: gdb `which cyradm`
2) run program from gdb: r -u cyrus localhost
3) once it crashes, give us the output of the following gdb commands:
Code:
bt
i r
x/3i $pc
With the latter approach, post mortem analysis, locate the current core dump (probably named cyradm.core), execute gdb `which cyradm` /path/to/cyradm.core and paste the commands from 3) I mentioned above.

Looks like a plan, I'll get back to you with everything I found !
Have a great day and... happy new year :)

--
Léo.
 
HNY 2024

Thanks for the additional info. I followed your example on 14 but I'm not getting the expected results.
The setup is there:
Code:
# pkg info cyrus\*
cyrus-imapd38-3.8.1
cyrus-sasl-2.1.28
cyrus-sasl-saslauthd-2.1.28
#

# ls -lad /var/imap /var/imap/sieve /var/spool/imap
drwxr-xr-x  12 cyrus cyrus 14 Jan  1 23:22 /var/imap
drwxr-xr-x   2 cyrus cyrus  2 Jan  1 20:45 /var/imap/sieve
drwxr-x---   4 cyrus cyrus  4 Jan  1 20:45 /var/spool/imap
#

# grep -vE '^$|^#' /usr/local/etc/imapd.conf
configdirectory: /var/imap
partition-default: /var/spool/imap
servername: host.example.com
admins: cyrus
sieveusehomedir: false
sievedir: /var/imap/sieve
sasl_pwcheck_method: saslauthd
sasl_mech_list: cram-md5 digest-md5
#

# /usr/local/etc/rc.d/imapd status
cyrus_imapd is running as pid 1454.
#

# sockstat -4|grep cyrus
cyrus    master      1454 9   tcp4   *:143                 *:*
cyrus    master      1454 21  tcp4   *:110                 *:*
cyrus    master      1454 33  tcp4   *:4190                *:*
#
But my attempt ends up with an error. Tried both localhost and my host during tests. Syslog is not happy either:
Code:
# cyradm -u cyrus localhost
Password:
[ SSL_connect error -1 ]
[ SSL session removed ]
[ TLS negotiation did not succeed ]
cyradm: cannot authenticate to server as cyrus
#

# tail /var/log/messages
Jan  1 23:30:09 host imap[2084]: SASL unable to canonify user and get auxprops
Jan  1 23:30:09 host imap[2084]: badlogin: localhost [127.0.0.1] DIGEST-MD5 (-notset-) [SASL(-13): user not found: unable to canonify user and get auxprops]
Jan  1 23:30:12 host imap[2084]: Connection reset by peer, closing connection
 
Hello Martin :)

That's weird.
I just made a fresh FreeBSD 14 install and I strictly followed my own step by step.

Code:
# pkg info cyrus\*
cyrus-imapd38-3.8.1
cyrus-sasl-2.1.28
cyrus-sasl-saslauthd-2.1.28
(same packages)

Code:
# ls -lad /var/imap /var/imap/sieve /var/spool/imap
drwxr-xr-x  11 cyrus cyrus 512 Jan  2 11:36 /var/imap
drwxr-xr-x   2 cyrus cyrus 512 Jan  2 11:34 /var/imap/sieve
drwxr-x---   4 cyrus cyrus 512 Jan  2 11:34 /var/spool/imap
(same output)

Code:
# grep -vE '^$|^#' /usr/local/etc/imapd.conf
configdirectory: /var/imap
partition-default: /var/spool/imap
servername: ***.*****.net
admins: cyrus
sieveusehomedir: false
sievedir: /var/imap/sieve
sasl_pwcheck_method: saslauthd
sasl_mech_list: cram-md5 digest-md5
(same config)

Code:
# /usr/local/etc/rc.d/imapd status
cyrus_imapd is running as pid 54549.

Code:
# sockstat -4|grep cyrus
cyrus    master     54549 9   tcp4   *:143                 *:*
cyrus    master     54549 15  tcp4   *:993                 *:*
cyrus    master     54549 21  tcp4   *:110                 *:*
cyrus    master     54549 27  tcp4   *:995                 *:*
cyrus    master     54549 33  tcp4   *:4190                *:*
(differences between mine and yours, maybe you tweaked the imapd.conf to avoid opening some network ports)

My attempt reproduces the same error :
Code:
# cyradm -u cyrus localhost
Password:
Segmentation fault (core dumped)

BUT if I intentionally enter a wrong password for user cyrus I get your output :
Code:
# cyradm -u cyrus localhost
Password:
[ SSL_connect error -1 ]
[ SSL session removed ]
[ TLS negotiation did not succeed ]
cyradm: cannot authenticate to server as cyrus

Please try that :
Remove user cyrus from sasldb :
Code:
# saslpasswd2 -d cyrus
Then check that the sasldb is empty by running :
Code:
# sasldblistusers2
#
Then recreate the user cyrus :
Code:
# saslpasswd2 -c cyrus
Then retry to run :
Code:
# cyradm -u cyrus localhost
You should get the :
Code:
Password:
Segmentation fault (core dumped)
 
Martin,

Also, I installed gdb.
It's my first time with this tool, I read some introduction documentation about it but I'm not so much familiar with it so please be patient :)

I followed your step by step and installed it with packages :
Code:
# pkg install gdb

Then run the commands you told me :
Code:
# gdb `which cyradm`
GNU gdb (GDB) 13.2 [GDB v13.2 for FreeBSD]
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-portbld-freebsd14.0".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
"/usr/local/bin/cyradm": not in executable format: file format not recognized
(gdb) r -u cyrus localhost
Starting program:  -u cyrus localhost
No executable file specified.

I noticed two errors :
1. "/usr/local/bin/cyradm": not in executable format: file format not recognized
2. No executable file specified


I think the 2 is because of 1, but I don't know how to debug 1.
Thanks for your precious help.

--
Léo.
 
To first issue: that's strange. I deployed fresh 14 and installed it again.
Code:
root@fbsd14:~ # sockstat -4|grep cyru
cyrus    imapd       1524 4   tcp4   *:143                 *:*
cyrus    master      1512 9   tcp4   *:143                 *:*
cyrus    master      1512 15  tcp4   *:993                 *:*
cyrus    master      1512 21  tcp4   *:110                 *:*
cyrus    master      1512 27  tcp4   *:995                 *:*
cyrus    master      1512 33  tcp4   *:4190                *:*
root@fbsd14:~ #

root@fbsd14:~ # grep -vE '^$|^#' /usr/local/etc/imapd.conf
configdirectory: /var/imap
partition-default: /var/spool/imap
servername: fbsd14.happycamper.local
admins: cyrus
sieveusehomedir: false
sievedir: /var/imap/sieve
sasl_pwcheck_method: saslauthd
sasl_mech_list: cram-md5 digest-md5
root@fbsd14:~ #

I re-created the cyrus user with very simple password but still it just doesn't work. Quick truss on that shows:
Code:
select(4,{ 3 },{ },0x0,0x0)             = 1 (0x1)
read(3,"+ PDM2NTg0MTY4ODkuOTcwNjM4OUBmYn"...,4096) = 64 (0x40)
getpeername(3,{ AF_INET 172.31.1.183:143 },0x820bf7aec) = 0 (0x0)
getsockname(3,{ AF_INET 172.31.1.183:39260 },0x820bf7aec) = 0 (0x0)
write(3,"*\r\n5 STARTTLS\r\n",15)         = 15 (0xf)
select(4,{ 3 },{ },0x0,0x0)             = 1 (0x1)
read(3,"4 BAD Client canceled authentica"...,4096) = 38 (0x26)
select(4,{ 3 },{ },0x0,0x0)             = 1 (0x1)
read(3,"5 BAD Unrecognized command\r\n",4096)     = 28 (0x1c)

Don't you need to configure the SSL/TLS side of things too ? As mentioned, I'm not familiar with cyrus so I'm not sure.

Now to the issue 2). Oh, right. The cyradm is a perl script, not an ELF executable. That's why you can't use it directly with gdb. What does file /path/to/coredump say? If it's coming from perl you have to use gdb `which perl` /path/to/coredump.
It's possible to attach gdb and debug it but for that I'd rather want to replicate that on my own setup (it would be easier that way).
 
I dug around a bit and that STARTTLS is a problem as cyrus is not configured to use it by default. When I allowed allowplaintext in /usr/local/etc/imapd.conf I was able to trigger a segfault.
Code:
[root@fbsd14 ~]# cyradm -u cyrus localhost
Password:
cyradm: cannot authenticate to server as cyrus
Segmentation fault (core dumped)
[root@fbsd14 ~]#

The TLS command is still a problem:
Code:
[root@fbsd14 ~]# telnet 0 143
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=CRAM-MD5 AUTH=DIGEST-MD5 SASL-IR] fbsd14.happycamper.local Cyrus IMAP 3.8.1 server ready
STARTTLS
* BAD Invalid tag

I can login with plaintext:
Code:
[root@fbsd14 ~]# telnet 0 143
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=CRAM-MD5 AUTH=DIGEST-MD5 SASL-IR] fbsd14.happycamper.local Cyrus IMAP 3.8.1 server ready
1 LOGIN cyrus asd
1 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL ANNOTATE-EXPERIMENT-1 BINARY CATENATE CHILDREN CONDSTORE CREATE-SPECIAL-USE ESEARCH ESORT LIST-EXTENDED LIST-MYRIGHTS LIST-STATUS MAILBOX-REFERRALS METADATA MOVE MULTIAPPEND MULTISEARCH NAMESPACE OBJECTID PREVIEW QRESYNC QUOTA RIGHTS=kxten SAVEDATE SEARCH=FUZZY SEARCHRES SORT SORT=DISPLAY SPECIAL-USE STATUS=SIZE THREAD=ORDEREDSUBJECT THREAD=REFERENCES UIDPLUS UNSELECT URL-PARTIAL URLAUTH URLAUTH=BINARY WITHIN DIGEST=SHA1 LIST-METADATA NO_ATOMIC_RENAME SCAN SORT=MODSEQ SORT=UID THREAD=REFS X-CREATEDMODSEQ X-REPLICATION X-SIEVE-MAILBOX X-REPLICATION-ARCHIVE XLIST XMOVE LOGINDISABLED UNAUTHENTICATE COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE APPENDLIMIT=2147483647] User logged in SESSIONID=<fbsd14.happycamper.local-1704232725-34587-1-3245356666739471020>
But it's not that important here, my focus was only to trigger the fault.

Sigsegv is, to no surprise, on some bogus address. To make my life easier I wanted to have debug symbols, i.e. I needed to rebuild it all from ports.
You mentioned:
If I build mail/cyrus-imapd38 from ports with the exact same port configuration, I get the same error.
But if I build mail/cyrus-imapd38 from ports and its dependencies with disabling "OTP" from security/cyrus-sasl2 port, the error is gone and everything runs smoothly.
But I was not able to reproduce this with or without OTP. It was working either way.
I installed packages from pkg and did debug it without symbols. It seems it's failing during the cleanup phase in lib/perl5/site_perl/mach/5.34/auto/Cyrus/IMAP/IMAP.so. Most likely some sort of buffer overflow is happening as frame has corrupted frame just before the return.

Out of curiosity state before it crashes:
Code:
(gdb) bt
#0  0x0000000800adbdf6 in imclient_close () from /usr/local/lib/perl5/site_perl/mach/5.34/auto/Cyrus/IMAP/IMAP.so
#1  0x0000000800000003 in ?? ()
#2  0x0000000800e1d000 in ?? ()
#3  0x00000008014a87b0 in ?? ()
#4  0x0000000000000001 in ?? ()
#5  0x000000080085a060 in ?? () from /lib/libc.so.7
#6  0x00007fffffffe640 in ?? ()
#7  0x00000008004fd782 in Perl_pp_entersub () from /usr/local/lib/perl5/5.34/mach/CORE/libperl.so.5.34
Backtrace stopped: frame did not save the PC
(gdb)
(gdb) x/3i $pc
=> 0x800adbdf6 <imclient_close+390>:    ret
   0x800adbdf7 <imclient_close+391>:    call   0x800aebb60 <__stack_chk_fail@plt>
   0x800adbdfc:    nop    DWORD PTR [rax+0x0]
(gdb)

(gdb) x/2xg $rsp
0x7fffffffe598:    0x0000000800000003    0x0000000800e1d000
(gdb)
(gdb) x/3i 0x800000003
   0x800000003:    Cannot access memory at address 0x800000003
(gdb)

Now I did have a quick look into mail/cyrus-imapd38/work-basic/cyrus-imapd-3.8.1/lib/imclient.c where imclient_close is defined. Overflow is happening within the struct imclient, triggered by the fini functions.
I was able to make it drop to shell, though it's not that useful.
Code:
$ echo $$
25666
$ cyradm -u cyrus localhost
IMAP Password:
              localhost> echo $$
25702
localhost> id
uid=1001(martin) gid=1001(martin) groups=1001(martin)
localhost>

I verified the current version in ports (PORTVERSION= 3.8.1; PORTREVISION= 2 ) works just fine with or without OTP being used.
Don't use one from pkg, use one from ports.
Can you test it again and verify it is indeed working for you?
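
The post-mortem procedure discussed in the posts above, as an added example that is not part of the original thread: it uses the kernel's crash line to decide which binary gdb must be given (the `perl` interpreter rather than the `cyradm` script), builds the batch command, and reads the saved return address out of a session like the one quoted. It assumes the FreeBSD default `kern.corefile` pattern `%N.core` and amd64 register names; the function names are hypothetical and the sample transcript is constructed from values quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: post-mortem triage for an interpreter crash.

# crash_comm LINE
# Print the process name from a FreeBSD kernel crash message such as
#   kernel: pid 65948 (perl), jid 0, uid 0: exited on signal 11 (core dumped)
# Prints nothing for lines that are not crash messages.
crash_comm() {
    printf '%s\n' "$1" |
        sed -n 's/.*kernel: pid [0-9][0-9]* (\([^)]*\)), .*exited on signal [0-9][0-9]*.*/\1/p'
}

# gdb_postmortem_cmd COMM [COREDIR]
# Print the gdb batch command for that process. Assumption: the core is named
# COMM.core (default kern.corefile "%N.core") and sits in COREDIR. The binary is
# looked up on PATH; the bare name is used when it is not found.
gdb_postmortem_cmd() {
    comm=$1 dir=${2:-.}
    bin=$(command -v "$comm" 2>/dev/null) || bin=$comm
    printf "gdb -batch -ex bt -ex 'info registers' -ex 'x/3i \$pc' -ex 'x/2xg \$rsp' %s %s/%s.core\n" \
        "$bin" "$dir" "$comm"
}

# classify_fault
# Read a gdb transcript on stdin and print one triage line:
#   ret-target ADDR     pc sits on a ret; ADDR is the qword at the top of the
#                       stack, i.e. where execution goes next
#   pc-unreadable ADDR  no instruction could be shown and gdb could not read ADDR
#   other INSN          anything else
classify_fault() {
    awk '
        /^=> 0x/ {                       # instruction under the program counter
            for (i = 2; i < NF; i++) if ($i ~ /:$/) { insn = $(i + 1); break }
        }
        /^0x[0-9a-f]+:[ \t]+0x[0-9a-f]+/ && ra == "" { ra = $2 }   # top of stack
        /Cannot access memory at address/ && bad == "" { bad = $NF }
        END {
            if (insn ~ /^ret/ && ra != "")    print "ret-target " ra
            else if (insn == "" && bad != "") print "pc-unreadable " bad
            else                              print "other " insn
        }'
}

# Constructed sample: the state shown in the thread, without the (gdb) prompts.
sample_live_state() {
    cat <<'EOF'
#0  0x0000000800adbdf6 in imclient_close () from /usr/local/lib/perl5/site_perl/mach/5.34/auto/Cyrus/IMAP/IMAP.so
#1  0x0000000800000003 in ?? ()
=> 0x800adbdf6 <imclient_close+390>:    ret
   0x800adbdf7 <imclient_close+391>:    call   0x800aebb60 <__stack_chk_fail@plt>
   0x800adbdfc:    nop    DWORD PTR [rax+0x0]
0x7fffffffe598:    0x0000000800000003    0x0000000800e1d000
EOF
}

# Kernel line as posted in the thread (hostname masked there as ***).
line='Dec 16 22:13:25 *** kernel: pid 65948 (perl), jid 0, uid 0: exited on signal 11 (core dumped)'

gdb_postmortem_cmd "$(crash_comm "$line")"
sample_live_state | classify_fault
```

Run the printed command with `2>&1` so that gdb's memory-access errors end up in the same transcript that `classify_fault` reads.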
 
Hi Martin,

Thanks for digging in with so much expertise.
I read you carefully, but some things are puzzling me :

1. With fresh FreeBSD 14-RELEASE install, how is it possible that we don't have the same behavior ?
I'm quite concerned about that ; after all maybe I'm doing something wrong at every install since... years :)
Maybe some hardening options (I always tick them all) have that kind of consequences.

2. Debug phase / One word : wow.
I thought I handled debugging, but when I see how you're digging into everything, I have to confess I was impressed.

3. Cyrus allowplaintext setting.
I made the same modification inside /usr/local/etc/imapd.conf
Code:
# grep -vE '^$|^#' /usr/local/etc/imapd.conf | grep plain
allowplaintext: yes
Then restarted the daemon, but same old error :
Code:
# cyradm -u cyrus localhost
Password:
Segmentation fault (core dumped)
It fixed the issue for you, but not for me, again that's quite disturbing.
You mentioned that "cyrus is not configured to use it by default".
But I thought the line sasl_pwcheck_method: saslauthd in /usr/local/etc/imapd.conf was for ?

4. The telnet test
You showed me how the server is answering, I did the exact same but I don't get the same behaviour :
Code:
# telnet 0 143
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=CRAM-MD5 AUTH=DIGEST-MD5 SASL-IR] chatelet.hyod.net Cyrus IMAP 3.8.1 server ready
1 LOGIN cyrus test
1 NO Login failed: authentication failure
Again, same config, but not the same behaviour, I'm losing hope... :)

Out of curiosity what's your output for that command ?
# sasldblistusers2

5. The error in pkg
You wrote :
I installed packages from pkg and did debug it without symbols. It seems it's failing during the cleanup phase in lib/perl5/site_perl/mach/5.34/auto/Cyrus/IMAP/IMAP.so. Most likely some sort of buffer overflow is happening as frame has corrupted frame just before the return.
Do I need to report that bug to the maintainer ?
Would someone be interested about it ?

6. The final recommendation
You mentioned :
I verified the current version in ports (PORTVERSION= 3.8.1; PORTREVISION= 2 ) works just fine with or without OTP being used.
Don't use one from pkg, use one from ports.
Can you test it again and verify it is indeed working for you?
Last time I tested it, it seems to me that I encountered the same issue, like I said in my message.
But I'll fresh install again FreeBSD 14 and will build everything from ports and with the same configuration we have now.
I usually install FreeBSD with these options only : see here
It will take a day and a half approximately to compile everything (the VPS I'm renting is very slow so building from ports takes forever with all these default dependencies selected) and I'll get back to you.

Again, a big thanks for being a real support in this adventure :)

--
Léo.
 
Let's go by points then:

1) I used default install (only renamed zfs zpool to rpool as it should be ;) ). No hardening was done. Quite the opposite - I allowed root to SSH in.
That's why I asked about the steps to reproduce this: all steps you did to modify/create setup. But maybe you missed some step you did ?
As a common ground we could both use the prebuilt image and test it there.

3) This helped me to interact with the cyradm. Note from my example even with segfault I was still getting auth failure. So something's off in the actual setup. Allowing plaintext login allowed me to interact with telnet (1 LOGIN .. is the actual plaintext login).
I'm not familiar with the program; but the saslauthd is the passwd backend (what will be used to check for auth). This was never the problem. But in the steps you provided I was not able to trigger it. This could be maybe tied to the BoF bug.

4) Can you telnet and do the STARTTLS as a very first command in that session? If it works you have SSL/TLS configured; you had to have some sort of cert setup done then. In my strace output you can see cyrus server replying "BAD Client canceled authent .. which means I can't use it.
Code:
[root@fbsd14 ~]# sasldblistusers2
cyrus@fbsd14: userPassword
martin@fbsd14: cmusaslsecretOTP
cyrus@fbsd14: cmusaslsecretOTP
martin@fbsd14: userPassword
[root@fbsd14 ~]#
I created martin and cyrus users. But only cyrus is set as admin in the config.

5) This bug is not reproducible in the port version so I think this bug was caught already. Unfortunately the very neat tool portdowngrade is no longer working under FreeBSD, it was very easy to trace these things there. I was not feeling like downloading the whole git history of ports. Maybe I'm missing something here, maybe there's a better/easier way to trace this.
As I was writing this point I realised I was using quarterly (default) versions of packages. I changed that to latest:
Code:
[root@fbsd14 ~]# grep url /etc/pkg/FreeBSD.conf
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
[root@fbsd14 ~]#
Did an update and the error was gone - I was not able to reproduce it. Consider upgrading your packages this way then.

6) Just note only these 3 packages need to be installed from ports. It doesn't take too long to do so.

yw :)
 
Let's go by points then:

1) I used default install (only renamed zfs zpool to rpool as it should be ;) ). No hardening was done. Quite the opposite - I allowed root to SSH in.
That's why I asked about the steps to reproduce this: all steps you did to modify/create setup. But maybe you missed some step you did ?
As a common ground we could both use the prebuilt image and test it there.

It could be useful just to understand why the hell we have different behaviours, just out of curiosity :)
I leave everything to default except the daemons : I add ntpd. And about hardening options : I activate them all.
But.... (look the next paragraph)

5) This bug is not reproducible in the port version so I think this bug was caught already. Unfortunately the very neat tool portdowngrade is no longer working under FreeBSD, it was very easy to trace these things there. I was not feeling like downloading the whole git history of ports. Maybe I'm missing something here, maybe there's a better/easier way to trace this.
As I was writing this point I realised I was using quarterly (default) versions of packages. I changed that to latest:
Code:
[root@fbsd14 ~]# grep url /etc/pkg/FreeBSD.conf
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
[root@fbsd14 ~]#
Did an update and the error was gone - I was not able to reproduce it. Consider upgrading your packages this way then.

Wow, I wasn't familiar at all with that quarterly branch.
I decided to fresh install again, change to latest just after the first boot and.... the error was gone ! Even with OTP activated... and with no SSL / TLS configuration at first (this comes later in the configuration process).
Code:
# sieveshell -u gorby -a gorby localhost
Empty compile time value given to use lib at /usr/local/bin/sieveshell line 60.
Empty compile time value given to use lib at /usr/local/bin/sieveshell line 61.
connecting to localhost
Please enter your password:
> quit
Thanks for that tip, that helped a lot. The bug was, as you mentioned, probably already known and fixed in a new version.

I'll be able to follow my own Cyrus-IMAP howto on FreeBSD (it was efficient until FreeBSD 13.2 but I'm updating it as we speak).
Now I'm wondering if this isn't the time to move from Cyrus to Dovecot, but that's another subject :)

Thank you again for your patience and kind help.

--
Léo.
 
It could be useful just to understand why the hell we have different behaviours, just out of curiosity :)
I don't mind testing it just for kicks of it. As mentioned the best way then would be to download the current preinstalled image, e.g. this one (choose your poison when it comes to hypervisor) and share exact commands that you execute.

4) Can you telnet and do the STARTTLS as a very first command in that session?
But can you do this ? This would remove any doubts whether you had it configured or not.

np, glad I could help.
 