[horde] User not authorized for Mail

Maurício José T. Tecles mtecles at biof.ufrj.br
Tue Jul 11 18:38:40 UTC 2017 

Citando James Mohr <horde at jimmo.com>:

> Sorry about the previous message. I am not sure what happened.
>
> Quoting "Maur=C3=ADcio Jos=C3=A9 T. Tecles" <mtecles at biof.ufrj.br>:
>
>> Citando James Mohr <horde at jimmo.com>:
>>
>>> Quoting Michael J Rubinsky <mrubinsk at horde.org>:
>>>> What authentication backend are you using for Horde? Are you   
>>>> really  using HTTP authentication?
>>>
>>> On the page Authentication Settings in the Horde cconfiguration under
>>> "$conf[auth][driver]" I have "HTTP (Basic Authentication/.htpasswd)
>>> authentication".  Is there something else I need to change?
>>>
>>
>> Why use .htpasswd if you intend to use an IMAP server?  See below (*).
>
> Sorry for the misunderstanding. I obviously forget an important aspect
> of this configuration. The entire server is protected using HTTP basic
> authentication. Each user must first login through the HTTP basic
> authentication before accessing Horde. Login through apache is
> successful and I can access all of the other applications. Only access
> to imp is not working. (User jimmo is not authorized for Mail)
>

OK, but understand that those users may use Horde applications other  
than IMP. IMP is an application to use mail (POP, IMAP, SMTP) and, for  
that to work, IMP must use the credetials of your mail user, wich may  
differ from your ".htpasswd". Because you configured IMP 'protocol' =>  
'imap', the user must be (login as) an IMAP user. In other words, you  
are requiring your users to login separately to Email (IMP).

Your configuration: Horde -> .htpasswd, IMP -> IMAP.
(1*) See below.

Can user jimmo  from ".htpasswd" login with the same credentials to  
your IMAP server?

>
>>>>> In the system logs (journalctl) I see:
>>>>>
>>>>> [imp] [login] Server does not support TLS connections.
>>>>>
>>>>> That seems clear enough so after googling I changed    
>>>>> backends.local.php so it now looks like this:
>>>>>
>>>>> // IMAP server
>>>>> $servers['imap'] =3D array(
>>>>> 'disabled' =3D> false,
>>>>> 'name' =3D> 'localhost',
>>>>> 'hostspec' =3D> 'myhost.mydomain.'tld,
>>>>> 'hordeauth' =3D> false,
>>>>> 'protocol' =3D> 'imap',
>>>>> 'secure' =3D> 'false',
>>>>> );
>>>>

(1*) begin

>>>> Are you requiring your users to login separately to Email?
>>>
>>> Not intentionally. I have looked through the Horde and Imp
>>> confifuration and I do not find any place to require users to login
>>> separately to email.
>
> What I meant was *IF* Horde is somehow configured so it is "requiring
> your users to login separately to Email", it was unintentional on my
> part. I do not what a separate login. I want users to login with the
> basic http authentication and not have to login a second time. I have
> a very old system where this worked and I am trying to get the same
> configuration on a new system.
>

(1*) end

>>
>> Either you did not understand the question or I did not understand   
>> what you want. If you are not going to to login separately to  
>> Email,  I suggest configuring a Horde application (imp) to  
>> authenticate. Go  to the "Authentication" tab and configure:
>>
>> $conf[auth][driver]: Let a Horde application handle authentication
>>
>> $conf[auth][params][app]: imp
>>
>> $conf[auth][admins]: "your_login"
>
> To test the configuration I tried that. I get the login prompt but
> cannot login.
>
> Unfortunately, I cannot do anything at all at the moment, because I
> cannot login at all. That is,whenj I load the Horder URL, I get the
> login form but cannot login. I cannot change the authentication method
> back to HTTP basic. I cannot find a file where this is changed. :-(
>

Whenever you modify Horde configuration by web it generates  
conf.bak.php. Copy it to conf.php or edit it (driver)  
(~webmail/config/conf.php or ~horde/config/conf.php) to login to  
.htpasswd as before.

>
>> (*) And that answers the question above. You are going to use Imp  
>> to  authenticate against an IMAP server. As I understand, your  
>> users are  Mail users, not HTTP users (although they are going to  
>> use a web  interface - imp - to the mail service). See below (**).
>>
>> Be sure that your web server uses encryption (https) and configure   
>> Horde to do so:
>>
>> URL Settings * $conf[use_ssl]:
>
> Is this absolutely necessary in that this configuration will not work
> without it? I would like to get this running first, before I add any
> additional configuration.
>

No, it is not necessary, wait until you are done with basic  
configuration and authentication.

>>> Does it make a different if true/false are included in single-quotes?
>>>
>>>>> 'disabled' =3D> false,
>>>>> 'secure' =3D> 'false',
>>>
>>>>> No change. My biggest question at this point is to what exactly   
>>>>> is  Horde connecting. IMAP? POP3? My assumption is IMAP because   
>>>>> of the  complete log entry:
>>>>
>>>> Yes, according to the above configuration stanza, you are   
>>>> connecting  to an IMAP server running on 'myhost.mydomain.tld'.   
>>>> I'm assuming the  misplaced quotation mark in your stanza is a   
>>>> typo, as that would  cause a parse error in PHP when loaded.
>>>
>>> Yes. That was I typo when I changed the real domain in the email.
>>>
>>>>> Jun 24 16:32:37 sonne-new HORDE[3058]: [imp] [login] Server does  
>>>>>   not support TLS connections. [pid 3058 on line 730 of    
>>>>> "/data/home/user/public_html/horde/imp/lib/Imap.php"]
>>>>
>>>> You either need to configure your IMAP server to use TLS or   
>>>> disable  it in your configuration.
>>>
>>> I though that I disabled it in backends.local.php with this line:
>>>  'secure' =3D> 'false',
>>>
>>>> The password for the http authentication, the local user, are all
>>>>> the same. sasldblistusers2 shows the user. My question here is   
>>>>> what  format the users should have:
>>>>> username at localhost
>>>>> username at hostname
>>>>> username at hostname.domain.tld
>>>>> username at domain.tld
>>>>
>>>> I am confused as to exactly what authentication backend you are    
>>>> using in Horde. As far as the general question about thr format  
>>>> of   the users, that depends entirely on what the authentication   
>>>> backend  is expecting. There is no one right answer.
>>>
>>> What would be correct for HTTP authentication?
>>>
>>
>> Again, I think you did not understand the question.
>> (**) You should authenticate via imap that you already tested.
>> If you are going to use "username" or "username at ..." is up to you.
>
> Obviously I cannot use one form of the login in the sasl DB
> (saslpasswd2 -c) and then another form when I login. Where/how do make
> changes if it "is up to you"? Where exactly is Horde getting error
> message? From the imap server?
>

Remember your configuration: Horde -> .htpasswd, IMP -> IMAP. So, IMP  
users will login the same way they login to your IMAP server. See  
below (2*).

>> Depending on what you want, you might need a different   
>> authentication backend. Just try imp to handle authentication, as   
>> explained above.
>>
>>>>> The mailbopx was created using cyradm and the permissions look like th=
> is:
>>>>> localhost.localdomain> listacl user.myuser
>>>>> user.myuser lrswipkxtecda
>>>>>
>>>>> I have successully tested the username using telnet to connect  
>>>>> to   ports 110(POP3) and 143 (IMAP), as well as with  
>>>>> testsaslauthd.
>>>>
>>>> Port 143 is the TLS port for IMAP, so it seems that your server    
>>>> *does* support this?
>>>
>>> Hmmmm.....Why then am I getting the error message "Server does not
>>> support TLS connections"?
>>>
>>
>> Port 143 can be used to login as plain text or with encryption.  
>> SASL  and TLS are not the same thing.
>
> Understood. So where exactly is Horde connecting at this point? To the
> imap server?

(2*) Yes, you configured IMP to login to your IMAP server ('protocol'  
=> 'imap'). I can see an error log above stating "Server does not  
support TLS connections". Increase Horde log level to debug and maybe  
your IMAP log too, and try to find out what is wrong. Provide us with  
some logs.

>
>> Are the webserver with Horde and the imap server one the same machine?
> Yes. This is a single machine.
>

If this is a single machine and IMP is configured to login to the  
local IMAP then use localhost.

'hostspec' => 'localhost';

Mauricio

>>
>> Mauricio
>>
>>>> -- 
>>>> mike
>>>> The Horde Project
>>>> http://www.horde.org
>>>> https://www.facebook.com/hordeproject
>>>> https://www.twitter.com/hordeproject
>>>
>>> Regards,
>>> James
>>>
>>>
>>> -- 
>>> Horde mailing list
>>> Frequently Asked Questions: http://horde.org/faq/
>>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>>
>>
>> -- 
>>
>> Maur=C3=ADcio Jos=C3=A9 T. Tecles
>> Instituto de Biof=C3=ADsica Carlos Chagas Filho/UFRJ
>> Av. Carlos Chagas Filho, 373
>> N=C3=BAcleo de Inform=C3=A1tica
>> CCS, Bloco G, sala G1-006
>> Cidade Universit=C3=A1ria - Ilha do Fund=C3=A3o
>> 21941-902, Rio de Janeiro - RJ
>>
>> mtecles at biof.ufrj.br
>> Tel.: (21) 3938-6526 ou 3938-6544
>>
>> -- 
>> Horde mailing list
>> Frequently Asked Questions: http://horde.org/faq/
>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>
>
> -- 
> Horde mailing list
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: horde-unsubscribe at lists.horde.org


-- 

Maurício José T. Tecles
Instituto de Biofísica Carlos Chagas Filho/UFRJ
Av. Carlos Chagas Filho, 373
Núcleo de Informática
CCS, Bloco G, sala G1-006
Cidade Universitária - Ilha do Fundão
21941-902, Rio de Janeiro - RJ

mtecles at biof.ufrj.br
Tel.: (21) 3938-6526 ou 3938-6544

More information about the horde mailing list