Re: Conversion/Migration

[John A. Tamplin]

Rob Siemborski wrote:


This really shouldn't be necessary.  admins can authorize as any user
(e.g. login as user cyrus with the password for them, but get rights as
rjs3).  Most SASL mechanisms allow this, though the regular imap LOGIN
command does not.
 

As far as I know, UW imap-utils mbxcvt can only do login (with or 
without TLS, so perhaps you could do client certificates and external 
authentication to get around it).  For my purposes, it was easier just 
to hack saslauthd temporarily.

--
John A. Tamplin
Unix Systems Administrator

Re: Conversion/Migration

[Rob Siemborski]

On Tue, 28 Jan 2003, John Alton Tamplin wrote:

> able to authenticate as the user when you convert.  What I did was a
> temporary hack to saslauthd which allowed a backdoor password to work
> for all accounts and hacked mbxcvt to accept the password on the command
> line (no user accounts on this machine to watch ps).  A wrapper script

This really shouldn't be necessary.  admins can authorize as any user
(e.g. login as user cyrus with the password for them, but get rights as
rjs3).  Most SASL mechanisms allow this, though the regular imap LOGIN
command does not.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper

OT: Re: PHP 4.2.3 for Redhat 7.3

[Brian]

Simon Brady said:
> On Tue, 28 Jan 2003, Brian wrote:
>
>> ... and first try rebuilding the php from Rawhide:
>>
>> rpmbuild --rebuild
>> ftp://rpmfind.net/linux/rawhide/1.0/SRPMS/SRPMS/php-4.2.2-13.src.rpm
>
> Except that according to the original message Web-Cyradm requires 4.2.3,
>  which is why I didn't suggest this as an option.

Yes I saw that but many times Redhat won't update the actual version
number but will backport the fixes from later releases.  There is no
official 4.2.2-13 version from the PHP folks either.

> However, PHP is big and hairy and  insanely configurable, and even if I
> took the time to package it up would  anyone else actually be happy with
> my configuration choices?

That's why you also provide a good SRPM ;-)

-- 
Brian

cyrus-imspd-v1.6a3 fixed buffer size for options?

[Gloria Rom]

Hi All,

We are testing the Mulberry client with an aged Cyrus (1.4 something)
IMSP server and occasionally getting this error
Could not set an option:command
'set' requires 2 properly formed argument(s)
Account: imsp.library.ucla.edu
which Mulberry support suggests is due to our a fixed input buffer size
for the options file. He says it is easy to increment that size and
recompile the IMSP server.

I'm not going to change that old server, but I would like to know if
cyrus-imspd-v1.6a3 has a fixed input size for the options file, and if
so, how I could increment it.

Thanks,

Glo

-- 
Gloria Rom
UCLA Library Information Systems
[EMAIL PROTECTED]

Re: PHP 4.2.3 for Redhat 7.3

[Simon Brady]

On Tue, 28 Jan 2003, Brian wrote:

> ... and first try rebuilding the php from Rawhide:
> 
> rpmbuild --rebuild
> ftp://rpmfind.net/linux/rawhide/1.0/SRPMS/SRPMS/php-4.2.2-13.src.rpm

Except that according to the original message Web-Cyradm requires 4.2.3, 
which is why I didn't suggest this as an option.

That nitpick aside, I take your point - in an ideal world we'd all have 
time to do things properly, and the fruits of our packaging labours would 
flow back to the rest of the community. However, PHP is big and hairy and 
insanely configurable, and even if I took the time to package it up would 
anyone else actually be happy with my configuration choices?

I know this attitude is short-sighted, and I have a lot of respect for 
people who do put the effort into package creation. But sadly, in an 
environment where time is (someone else's) money, kludges sometimes make 
the best sense.

Until you go to upgrade, of course :-)

--
Simon Brady mailto:[EMAIL PROTECTED]
ITS Technical Services
University of Otago, Dunedin, New Zealand

Re: Conversion/Migration

[John Alton Tamplin]

Peter Lawler wrote:


OK, thanks to those who replied. I've gone this far:
http://batleth.sapienti-sat.org/projects/mb2md/

It's a pretty neato script, although I haven't tested the version 
released yesterday. It converts just as we want.

Now, the trick after the conversion that the new files are in, say 
~/Maildir/new/, so that they need to get moved into the cyrus store 
for the user. That's no problem. However

I've got stuck at the next bit. OK, I can work out that the messages 
in the INBOX are individually numbered (eg, 52., 53., 54.). So, the 
converted mail files need to be renamed, one would guess. Can someone 
suggest the best method for renaming these files? Is the order of 
numbering of the files important (eg, datestamping), or is it irrelevant.

Next thing is that only occasionally have I been able to rebuild the 
cyrus DB to have these converted messages appear in the INBOX. It was 
late last night, so I can't recall ALL the details. However, I do 
suspect that it *MAY* have something to do with the naming of the 
files mentioned above. Additionally, it *COULD* have something to do 
with the cyrus commands I'm issuing to try and rebuild the cyrus DB.

Thirdly, when (on only two occasions, mind you) the converted messages 
did pop up, they are being displayed as 'read'. How can I set their 
status to 'unread'. I did suspect that *MAYBE* the fullstop (period) 
at the end of the filename might be the clue, but since I didn't 
manage to get the messages appearing again, I could work it out.

Any comments, suggestions, flames, greatly appreciated.

I think you would be much better off going through IMAP rather than 
trying to put the files in there correctly and then reconstructing it. 
You won't be able to maintain seen state (or any other flags for that 
matter) unless you build all the cyrus files correctly during the 
conversion.  If you use mbxcvt from UW imap-utils, it will preserve the 
flags as part of the transfer.  The only catch is you will have to be 
able to authenticate as the user when you convert.  What I did was a 
temporary hack to saslauthd which allowed a backdoor password to work 
for all accounts and hacked mbxcvt to accept the password on the command 
line (no user accounts on this machine to watch ps).  A wrapper script 
went through all the accounts to transfer (one by one) and updated the 
database used by perdition (imap/pop proxy) to show the account was 
being used and killed all active sessions.  It then converted each 
mailbox using the hacked mbxcvt, connected as the admin account to set 
the quota, and connected as the user to set the subscription list.  When 
the account was moved, update the perdition database so new connections 
go to the new server (and LMTP deliveries via proxy) and go to the next 
one.  If you don't need to do the transfer while everything is up, 
obviously you don't have to fool with the database for the proxies.

--
John A. Tamplin   Unix System Administrator
Emory University, School of Public Health +1 404/727-9931

Re: PHP 4.2.3 for Redhat 7.3

[Brian]

Simon Brady said:
> On Tue, 28 Jan 2003, crab ravi wrote:
>
>> I'm in a process of setting up Postfix-Cyrus-Web-Cyradm on Redhat 7.3
>> Server. As per Mr Luc's Howto, PHP-4.2.3 is needed, but RH 7.3 is
>> shipped with PHP-4.1.2-7. I could not able to find RPM in the
>> internet.
>
> The easiest solution is to build PHP from source.

If by "easiest" you mean "easiest way to break your native package
management".

Everyone:  Please, please, please stop telling the Redhat (and RPM)
newbies to build everything from source only.  If you want to break your
package management, build from source (./configure; make; make install)

New RPM users, please learn how to build your own RPM's instead.  Your
system will thank you for it.

http://freshrpms.net/docs/fight.html
http://www.redhat.com/docs/books/max-rpm/max-rpm-html/

Go here ...
http://rpmfind.net/linux/rpm2html/search.php?query=php&submit=Search+...

... and first try rebuilding the php from Rawhide:

rpmbuild --rebuild
ftp://rpmfind.net/linux/rawhide/1.0/SRPMS/SRPMS/php-4.2.2-13.src.rpm

> An alternative would be to take an SRPM from another distribution
> (www.rpmfind.net lists a few) and do an rpm --recompile, but that may
> introduce subtle problems of its own.

The problems should be less severe than breaking RPM though.

-- 
Brian

Re: Request for cyrus-announce mailing list.

[Rob Siemborski]

On Mon, 27 Jan 2003, Erik Enge wrote:

> The traffic on info-cyrus is quite substantial if all one is interested
> in are new releases and/or patches (especially security-related ones).

I've gone ahead and done a variety of things to our mailing lists.

1. I've created [EMAIL PROTECTED] and
[EMAIL PROTECTED], as a low-traffice announcements list and
a developer's list, respectively.

2. I've created digest versions of info-cyrus and cyrus-sasl (and
cyrus-devel), so now you can subscribe to info-cyrus-digets and
cyrus-sasl-digest instead, if that is what you prefer.

Details are at:

http://asg.web.cmu.edu/cyrus/mailing-list.html

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper

Re: PHP 4.2.3 for Redhat 7.3

[Simon Brady]

On Tue, 28 Jan 2003, crab ravi wrote:

> I'm in a process of setting up Postfix-Cyrus-Web-Cyradm on Redhat 7.3
> Server. As per Mr Luc's Howto, PHP-4.2.3 is needed, but RH 7.3 is
> shipped with PHP-4.1.2-7. I could not able to find RPM in the internet.

The easiest solution is to build PHP from source. This is what I do on our 
RH7 webservers, and it works fine with the Apache RPMs (although you will 
need to install apache-devel so PHP can find the APXS tool, and you may 
need other -devel packages so it can find headers).

An alternative would be to take an SRPM from another distribution
(www.rpmfind.net lists a few) and do an rpm --recompile, but that may
introduce subtle problems of its own.

--
Simon Brady mailto:[EMAIL PROTECTED]
ITS Technical Services
University of Otago, Dunedin, New Zealand

Re: URGENT Mailboxes.db

[Wander]

Really thanks to Edward Rudd. With this script I could successfully create a 
standard mailboxes file from the users directories, but still when creating the 
mailboxes.db using ctl_mboxlist -u < mailboxes, it converts just 1 record with 
just 1 folder inside it. I´ve tried ctl_cyrusdb -r also, but no success.

Details:

cyrus-sasl-2.1.10:
./configure --disable-krb4 --enable-login  --enable-plain  --enable-anon  --
enable-digest --enable-cram  with-dbpath=/rede/newmail/etc/sasldb2

cyrus-imapd-2.1.11:
./configure --disable-krb4 --disable-gssapi --enable-login --with-
sasldir=/usr/lib/sasl2 --with-dbdir=/usr/local/BerkeleyDB.4.1 --with-mboxlist-
db=skiplist --with-duplicate-db=db3_nosync --with-seen-db=skiplist --with-subs-
db=flat --with-tls

Re: mysql auxprop redhat 8.0 authentication problems

[Luke Johnson]

Hmmm, looks like that was it, thanks much for the second pair of eyes!
Just can't seem to see those things at 4am!?!? Ohh well, some more wasted disk space for the archives... :)

Thanks again,
LukeJ.


Chris Hilts wrote:

sasl_mysql_statement: select pass from email where eaddr ='%u' and mid=1
and active=1"



Well, assuming this isn't a transcription typo, you've got an unbalanced
quote at the end of your statement.

Re: TLS error

[Steve Huston]

On Tue, 28 Jan 2003, Paul Christie wrote:
> imap 2.0.17, openssl 0.9.6d
> Clients (Pine, Mulberry) connecting using STARTTLS generate messages like 
> the one below. So it looks as though the server is looking for local 
> certificates. SSL connections cause no such error message.
> All seems to work but I would like to know why this happens. Since there 
> seems to very little correspondence on this I suspect I have configured 
> something incorrectly. Anyone else seen this?
> imapd[17369]: [ID 432150 local6.error] TLS engine: No CA file specified. 
> Client side certs may not work

I get this one constantly; it's Mostly Harmless.

If the client machine was to provide a cert that would normally facilitate
authentication (ie, instead of using a password you were using client-side
certs, signed by your own CA or by a higher authority), then Cyrus would need
to have a copy of the signer's cert (the CA file) in order to verify the
signature.

Since you're probably using STARTTLS (and/or SSL) simply for encryption, you
don't really care if the client sends a cert, and you wouldn't authenticate
against it anyway, so the fact that Cyrus can't verify a client's cert is no
big deal.

Interestingly, I had tried to set this up properly with 2.1.11, using the
ca-bundle that comes with RedHat 8.0's openssl RPM, and the TLS engine would
fail every time I used STARTTLS on a connection (but SSL worked just fine).
Confused the hell outta me until I removed the offending line from the config
file, and just let it keep complaining about not having a CA file.

-- 
Steve Huston - Unix Systems Administrator, Dept. of Astrophysical Sciences
 Princeton University  | ICBM Address: 40.346525   -74.651285
   126 Peyton Hall |"On my ship, the Rocinante, wheeling through
 Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
   (609) 258-7375  | headlong into mystery."  -Rush, 'Cygnus X-1'

Change adresse

[cassandre]

Hello,

Please change my subscription adres

from [EMAIL PROTECTED]

to:

[EMAIL PROTECTED]

I change ISP

Thank you

Alain Barthélemy

Re: SASL 1 + SASL 2 + sendmail + cyrus21

[Ken Murchison]

Marcus Schopen wrote:
> 
> Hi Ken,
> 
> Ken Murchison wrote:
> >
> > Marcus Schopen wrote:
> >>I installed Henrique's ( http://people.debian.org/~hmh/ ) Debian woody
> >>backport for cyrus21.
> >>
> >>Problem is that Debain's sendmail is build with SASL 1 and cyrus21 comes
> >>with SASL 2. Now I have two different user databases. SASL 1 is used for
> >>sendmail's SMTP_AUTH, SASL 2 is used for cyrus21 authentification. Both
> >>SASL versions are working fine, but now I have to manage to differnet
> >>databases.
> >>
> >>Is there a way to authenticate sendmail and cyrus21 against the same
> >>user-database?
> >
> >
> > I ported Sendmail to use SASLv2 back around 8.12.4.  Its an undocumented
> > FFR and won't be officially supported until 8.13, but several people are
> > using it, including me.  You'll have to compile it yourself using a
> > config such as:
> >
> > APPENDDEF(`confENVDEF', `-DSASL=2')
> > APPENDDEF(`conf_sendmail_LIBS', `-lsasl2')
> 
> Hmmm, if I build sendmail myself, I have to leave Debain's package
> manager. That's what I wanted to avoid.
> 
> What about using something else but sasl for SMTP_AUTH and cyrus21
> authentification?


Nope.  Both use SASL.

-- 
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp

Re: SASL 1 + SASL 2 + sendmail + cyrus21

[Rob Siemborski]

On Tue, 28 Jan 2003, Marcus Schopen wrote:

> BTW: is it a problem to run SASL 1 and SASL 2 on the same system?

No, other than the problem you notice (that is, they can't share a
sasldb [or saslauthd, for that matter]).

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper

Re: SASL 1 + SASL 2 + sendmail + cyrus21

[Marcus Schopen]

Hi Ken,

Ken Murchison wrote:


Marcus Schopen wrote:

I installed Henrique's ( http://people.debian.org/~hmh/ ) Debian woody
backport for cyrus21.

Problem is that Debain's sendmail is build with SASL 1 and cyrus21 comes
with SASL 2. Now I have two different user databases. SASL 1 is used for
sendmail's SMTP_AUTH, SASL 2 is used for cyrus21 authentification. Both
SASL versions are working fine, but now I have to manage to differnet
databases.

Is there a way to authenticate sendmail and cyrus21 against the same
user-database?



I ported Sendmail to use SASLv2 back around 8.12.4.  Its an undocumented
FFR and won't be officially supported until 8.13, but several people are
using it, including me.  You'll have to compile it yourself using a
config such as:

APPENDDEF(`confENVDEF', `-DSASL=2')
APPENDDEF(`conf_sendmail_LIBS', `-lsasl2')



Hmmm, if I build sendmail myself, I have to leave Debain's package 
manager. That's what I wanted to avoid.

What about using something else but sasl for SMTP_AUTH and cyrus21 
authentification?

:-))
Marcus


--

Marcus Schopen(0>
P.O. Box 10 25 25 //\ Deutsche Zope User Group
D-33525 Bielefeld V_/_www.dzug.org

Re: TLS error

[Ken Murchison]

Paul Christie wrote:
> 
> imap 2.0.17, openssl 0.9.6d
> 
> Clients (Pine, Mulberry) connecting using STARTTLS generate messages like
> the one below. So it looks as though the server is looking for local
> certificates. SSL connections cause no such error message.
> 
> All seems to work but I would like to know why this happens. Since there
> seems to very little correspondence on this I suspect I have configured
> something incorrectly. Anyone else seen this?
> 
> imapd[17369]: [ID 432150 local6.error] TLS engine: No CA file specified.
> Client side certs may not work

You didn't specify the tls_ca_file and/or tls_ca_path options in
imapd.conf.

-- 
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp

Re: Sendmail + LMTP AUTH

[Ken Murchison]

Scott Adkins wrote:
> 
> Ah, sorry... version 8.12.5.  I did not use the new cyrusv2.m4 file used
> in the mailer directory.

You don't need to, but it looks cleaner:

# mailers
define(`confLOCAL_MAILER', `cyrusv2')dnl
define(`CYRUSV2_MAILER_ARGS', `TCP localhost lmtp')dnl
MAILER(`cyrusv2')dnl
MAILER(`smtp')dnl


Anyway, to do LMTP AUTH, you need to setup Sendmail to have client auth
info.  You can do this either via the access database or the authinfo
database.  I do this in the access database because I already have it
setup for SMTP AUTH relaying.

In sendmail.mc:

FEATURE(`access_db')dnl


In /etc/mail/access:

# client AUTH
AuthInfo:   "I:" "P:"

where  can be a hostname, domain name, IPv4 or IPv6,  is
an admin or lmtp_admin (I use 'cyrus') and  is the admins's
password.  If you don't want to have the plaintext password in this
file, then you can use a BASE64-encoded version by specifying
"P=".  You can also list the mechanisms to try with the optional
"M:  ..."

Once you have this setup, remember to remake your sendmail.cf and to run
makemap on your access database.

If you want to use the authinfo database instead, then use
FEATURE(authinfo) and /etc/mail/authinfo.  The format of the line(s) in
the authinfo database are the same.

I _believe_ that all of this stuff is in the Sendmail docs, but the
latest bat book (3rd ed.) has AUTH and STARTTLS documented.


> --On Tuesday, January 28, 2003 10:06 AM -0500 Ken Murchison
> <[EMAIL PROTECTED]> wrote:
> >
> > Scott Adkins wrote:
> >>
> >> Okay, I must be clueless here... I have looked through the docs, looked
> >> through the archives, done google searches, etc.  I just plain don't
> >> understand how to configure sendmail to do LMTP authentication correctly.
> >
> > What version of Sendmail?  The config varies slightly between 8.10/11
> > and 8.12.
> >
> > --
> > Kenneth Murchison Oceana Matrix Ltd.
> > Software Engineer 21 Princeton Place
> > 716-662-8973 x26  Orchard Park, NY 14127
> > --PGP Public Key--http://www.oceana.com/~ken/ksm.pgp
> 
> --
>  +---+
>   Scott W. Adkinshttp://www.cns.ohiou.edu/~sadkins/
>UNIX Systems Engineer  mailto:[EMAIL PROTECTED]
> ICQ 7626282 Work (740)593-9478 Fax (740)593-1944
>  +---+
>  PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/
> 
>   
> 
>Part 1.2Type: application/pgp-signature
>Encoding: 7bit

-- 
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp

Re: SASL 1 + SASL 2 + sendmail + cyrus21

[Ken Murchison]

Marcus Schopen wrote:
> 
> Hi,
> 
> I installed Henrique's ( http://people.debian.org/~hmh/ ) Debian woody
> backport for cyrus21.
> 
> Problem is that Debain's sendmail is build with SASL 1 and cyrus21 comes
> with SASL 2. Now I have two different user databases. SASL 1 is used for
> sendmail's SMTP_AUTH, SASL 2 is used for cyrus21 authentification. Both
> SASL versions are working fine, but now I have to manage to differnet
> databases.
> 
> Is there a way to authenticate sendmail and cyrus21 against the same
> user-database?

I ported Sendmail to use SASLv2 back around 8.12.4.  Its an undocumented
FFR and won't be officially supported until 8.13, but several people are
using it, including me.  You'll have to compile it yourself using a
config such as:

APPENDDEF(`confENVDEF', `-DSASL=2')
APPENDDEF(`conf_sendmail_LIBS', `-lsasl2')


-- 
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp

SASL 1 + SASL 2 + sendmail + cyrus21

[Marcus Schopen]

Hi,

I installed Henrique's ( http://people.debian.org/~hmh/ ) Debian woody 
backport for cyrus21.

Problem is that Debain's sendmail is build with SASL 1 and cyrus21 comes 
with SASL 2. Now I have two different user databases. SASL 1 is used for 
sendmail's SMTP_AUTH, SASL 2 is used for cyrus21 authentification. Both 
SASL versions are working fine, but now I have to manage to differnet 
databases.

Is there a way to authenticate sendmail and cyrus21 against the same 
user-database?

BTW: is it a problem to run SASL 1 and SASL 2 on the same system?

Thank you
Marcus


--

Marcus Schopen(0>
P.O. Box 10 25 25 //\ Deutsche Zope User Group
D-33525 Bielefeld V_/_www.dzug.org

Re: Sendmail + LMTP AUTH

[Ken Murchison]

Scott Adkins wrote:
> 
> Okay, I must be clueless here... I have looked through the docs, looked
> through the archives, done google searches, etc.  I just plain don't
> understand how to configure sendmail to do LMTP authentication correctly.

What version of Sendmail?  The config varies slightly between 8.10/11
and 8.12.

-- 
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp

Re: mysql auxprop redhat 8.0 authentication problems

[Chris Hilts]

> sasl_mysql_statement: select pass from email where eaddr ='%u' and mid=1
> and active=1"

Well, assuming this isn't a transcription typo, you've got an unbalanced
quote at the end of your statement.

-- 
Chris Hilts
[EMAIL PROTECTED]

Convert rules.dat to sieve rules?

[John Lederer]

Does anyone know of a script or method to convert a Mozilla/Netscape 
rules.dat file to a set of sieve rules?

Thanks,

John Lederer

Convert rules.dat to sieve rules?

[John Lederer]

Does anyone know of a script or method to convert a Mozilla/Netscape 
rules.dat file to a set of sieve rules?

Thanks,

John Lederer

PHP 4.2.3 for Redhat 7.3

[crab ravi]

Dear All,
I'm in a process of setting up Postfix-Cyrus-Web-Cyradm on Redhat 7.3 Server. As per Mr Luc's Howto, PHP-4.2.3 is needed, but RH 7.3 is shipped with PHP-4.1.2-7. I could not able to find RPM in the internet.
Can anyone help regarding the same?
Thanks in anticipation
A Ravi Babu
ICFAI, Hyderabad
IndiaDo you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now

mysql auxprop redhat 8.0 authentication problems

[Luke Johnson]

Howdy,

Problem:
So, I'm setting up a new Cyrus server, pretty standard config (see below)
It seems that in Simon's mysql auxprop code, the mysql_query() is failing.  I'm always getting back a -1 (error) result
I'm about to write a test program, to try the mysql libs away from sasl, and see if I can isolate the problem.
So guess I'm just wondering if anybody else has this setup and ran into a similar situation???
Be real nice if there was something small missing, and my authentication would start working tomorrow... ;)
(incidentally, I'm trying against a mysql server that is currently authenticating corectly now for a similar setup: RH7.3, cyrus-imapd-2.19, sasl-2.1.7 w/mysql auxprop)
Finally, I did check both the cyrus-sasl and info-cyrus lists, didn't seem to see any mention of a similar problem...

Hmmm, any advice appreciated, and thanks in advance,
LukeJ.

cyrus-sasl-2.1.10
./configure \
--sysconfdir=/usr/local/etc \
--disable-krb4 \
--with-dbpath=/usr/local/etc/sasldb \
--includedir=/usr/local/include \
--enable-plain \
--enable-login \
--disable-java \
--disable-gssapi \
--with-mysql=/usr \
--without-pam \
--with-rc4=openssl \
--with-mysqlauxprop \
--with-saslauthd \
--with-bdb-incdir=/usr/local/include/db4 \
--with-bdb-libdir=/usr/local/lib

cyrus-imapd-2.1.11
./configure \
--prefix=/usr/include \
--with-cyrus-prefix=/usr/cyrus \
--with-dbdir=/usr/local \
--with-cyrus-group=mail \
--with-cyrus-user=cyrus \
--with-auth=unix \
--without-zephyr \
--with-com-err \
--with-ucdsnmp=/usr/lib \
--with-sasl=/usr/include

[root@mail cyrus-sasl-2.1.10]# rpm -qa | grep mysql
mysql-3.23.54a-4
mysql-devel-3.23.54a-4
mysql-server-3.23.54a-4

...and RedHat 8.0 with errata RPMs (mysql, etc...),
...and of course followed the setup guides (ie /usr/lib/sasl2 -> /usr/local/lib/sasl2)...

--

imapd.conf:
configdirectory: /var/imap
partition-default: /var/spool/imap
admins: cyrus
allowanonymouslogin: no
allowplaintext: yes
umask: 077
quotawarn: 90
#going to use mysql... don't need saslauthd
#sasl_pwcheck_method: saslauthd
sasl_pwcheck_method: auxprop

### Get auth directly from xxx - START ###
sasl_mysql_hostnames: 208.xxx.xxx.xxx
sasl_mysql_user: authuser
sasl_mysql_passwd: xxx
sasl_mysql_database: xxx
sasl_mysql_statement: select pass from email where eaddr ='%u' and mid=1 and active=1"
### Get auth directly from xxx - END ###

sasl_mysql_verbose: true

--

code (sorry if it wraps badly):
/* create a statment that we will use */
query = mysql_create_statement(sparams, settings->mysql_statement, realname,escap_userid, escap_realm);
if (settings->mysql_verbose)
   sparams->utils->log(NULL, SASL_LOG_WARN, "mysql plugin doing query: %s\n", query);

/* run the query */
int qresult;
if ( (qresult = mysql_query(sock,query)) < 0 || !(result=mysql_store_result(sock))) {
   sparams->utils->free(query);
   if (settings->mysql_verbose)
   sparams->utils->log(NULL, SASL_LOG_WARN, "LHJ - mysql query returned:  result:%i store:%i\n", qresult,result);
   continue;
}

--

logs:
Jan 28 04:11:22 bhmail imapd[4375]: mysql auxprop plugin has been requested
Jan 28 04:11:22 bhmail imapd[4375]: mysql plugin Parse the username luke
Jan 28 04:11:22 bhmail imapd[4375]: mysql plugin try and connect to a host
Jan 28 04:11:22 bhmail imapd[4375]: mysql plugin try and connect to 208.xxx.xxx.xxx
Jan 28 04:11:22 bhmail imapd[4375]: mysql plugin create statement from realname:userPassword uid:luke realm:mail.xxx.com
Jan 28 04:11:22 bhmail imapd[4375]: mysql plugin doing query: select pass from email where eaddr ='luke' and mid=1 and active=1"
Jan 28 04:11:22 bhmail imapd[4375]: LHJ - mysql query returned:  result:-1 store:0
Jan 28 04:11:22 bhmail imapd[4375]: mysql plugin create statement from realname:cmusaslsecretPLAIN uid:luke realm:mail.xxx.com
Jan 28 04:11:22 bhmail imapd[4375]: mysql plugin doing query: select pass from email where eaddr ='luke' and mid=1 and active=1"
Jan 28 04:11:22 bhmail imapd[4375]: LHJ - mysql query returned:  result:-1 store:0
Jan 28 04:11:22 bhmail imapd[4375]: unable to open Berkeley db /usr/local/etc/sasldb: No such file or directory
Jan 28 04:11:22 bhmail imapd[4375]: unable to open Berkeley db /usr/local/etc/sasldb: No such file or directory
Jan 28 04:11:22 bhmail imapd[4375]: mysql plugin Parse the username luke
Jan 28 04:11:22 bhmail imapd[4375]: mysql plugin try and connect to a host
Jan 28 04:11:22 bhmail imapd[4375]: mysql plugin try and connect to 208.xxx.xxx.xxx
Jan 28 04:11:22 bhmail imapd[4375]: badlogin: localhost.localdomain[127.0.0.1] plaintext luke SASL(-13): user not found: checkpass failed

--

Re: Problem with cyrus and deleting a message with a virus.

[Additive GmbH System Admin]

Mark London schrieb:

  

  Hi - We are running uvscan, and it will delete a cyrus message file that
contains a virus.  Of course, cyrus doesn't know that the message is deleted,
so it still shows that message, albeit it shows up as being from Unknown with
(no subject).  The problem is that this message can't be deleted, no matter
what method the user tries.  The only solution we have found is to replace the
deleted message with a dummy file, and then it can be deleted.  We can't be
the only one having this problem.  Do other people run virus scanning
software, like uvscan, on their server?  Thanks. -   Mark
  

If you're messing around with the internal data stores of a program, and
then you get upset when the program doesn't work, I'd say that you've
created your own problem.

  
  
I'm not messing with it, uvscan is doing it.  Is there a better software
alternative that will delete viruses on the server?  Are we the only people
using cyrus that are running virus scanning software on the server?

Btw, I would think cyrus should be able to handle the simple case of a missing
single file.  I should be able to delete a message for which the message file
is already missing.  We're not talking about a complex database file structure
here.  It's a single file with a single message.

  

Did I get you right that you simply run the scanner via cron to delete infected
files? Why - if you don't want to put it on a proxy - don't you run amavis
together with uvscan when sendmail attempts to deliver the mail locally via
cyrus-deliver? This is what we're doing here, and it works really fine. Infected
Mails won't reach the cyrus spool area and therefore cause no problem. One
thing left: when a user moves a mail into the imap folders from his email
client, it could possibly be infected. So we do two things about that: Every
user has a server-controlled Anti-Virus System (Symatec AV Corporate) running
that makes sure the clients itself are clean. Second is, we run uvscan via
cronjob also, but don't let it quarantine oder delete infected files automatically.
If it really should find a virus that has stolen itself into a client or
the cyrus spool, we delete it manually. This never happened up till now,
it's just a second 'Line of Defense' for absolute safety.
Running this system really works quite perfect, never had any problem up
till now.

Regards,
Andreas Grimmel