Re: MTAs that pass SMTP AUTH?
Scott Balmos wrote:

> My question is, where is Sendmail getting, or even sending to the deliver program, the information that says to match against username msmith, johndoe, or whatnot? I know of the -a switch for deliver, but pretty much all the other MTAs (including Postfix) say that there can only exist a "blanket" Cyrus user, designated to the MTA, for posting to shared folders.

This is intended to be used in a secure localized installation, with the users using SMTP AUTH to authenticate themselves to the MTA. The MTA then records this information and passes it along via LMTP AUTH to the Cyrus lmtpd.

> Where's everything come from, authentication-wise? The only thing I can think of is the user creates a message, saves to their local drafts folder, then manually "moves" the message into the proper folder on IMAP. But that seems really icky, and essentially like "IMAP Send".

Well, in my case, we're not actually using SMTP AUTH to deliver the messages to the MTA. Rather, I have set up mail delivery such that a message that arrives at my MTA address to "[EMAIL PROTECTED]" is delivered as if it had been AUTH'd as "user". This means that messages can be delivered directly to any user's folders, without having to give anonymous "p" rights on those folders. Yes, this does mean that someone out there could abuse it, but all they could do is put random stuff directly into a folder, instead of into the user's INBOX.

If we had shared folders set up, then I would have to implement SMTP AUTH so that the folders could have reasonable (i.e. non-anonymous) rights.
Re: Unexistent user
Quoting Igor Brezac <[EMAIL PROTECTED]>:

> If you have define(`_VIRTUSER_STOP_ONE_LEVEL_RECURSION_', `1')dnl and a
> mailertable entry for domain.com, this will work.

I did that and that's what I've got:

Mar 31 16:45:21 mail sm-mta[90664]: h2VNjL2r090664: SYSERR(root): rewrite: map macro not found
Mar 31 16:45:21 mail sendmail[90663]: h2VNjLdX090663: [EMAIL PROTECTED], [EMAIL PROTECTED] ( 80/80), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30668, relay= [127.0.0.1] [127.0.0.1], dsn=5.0.0, stat=Service unavailable
Mar 31 16:45:21 mail sendmail[90663]: h2VNjLdX090663: h2VNjLdY090663: DSN: Service unavailable
Mar 31 16:45:21 mail sm-mta[90664]: h2VNjL2s090664: SYSERR(root): rewrite: map macro not found
Mar 31 16:45:21 mail sendmail[90663]: h2VNjLdY090663: [EMAIL PROTECTED], delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=33081, relay=[127.0.0.1], dsn=5.3.0, stat=Service unavailable
Mar 31 16:45:21 mail sm-mta[90664]: h2VNjL2s090664: from=<>, size=3081, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Mar 31 16:45:21 mail sendmail[90663]: h2VNjLdY090663: h2VNjLdZ090663: return to sender: Service unavailable
Mar 31 16:45:21 mail sm-mta[90664]: h2VNjL2u090664: SYSERR(root): rewrite: map macro not found
Mar 31 16:45:21 mail sendmail[90663]: h2VNjLdZ090663: to=postmaster, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=34105, relay=[127.0.0.1] [127.0.0.1], dsn=5.3.0, stat=Service unavailable
Mar 31 16:45:21 mail sm-mta[90664]: h2VNjL2u090664: from=<>, size=4105, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Mar 31 16:45:21 mail sendmail[90663]: h2VNjLdY090663: Losing ./qfh2VNjLdY090663: savemail panic
Mar 31 16:45:21 mail sendmail[90663]: h2VNjLdY090663: SYSERR(www): savemail: cannot save rejected email anywhere
Mar 31 16:45:23 mail sm-mta[90659]: h2VNjN2q090659: SYSERR(root): rewrite: map macro not found
Mar 31 16:49:39 mail sm-mta[90706]: h2VNnd2q090706: SYSERR(root): rewrite: map macro not found
..
and so on

Maybe that feature conflicts with other features/settings in my sendmail.mc?
This is my sendmail.mc file:

divert(0)dnl
OSTYPE(freebsd4)dnl
DOMAIN(generic)dnl
define(`confAUTH_MECHANISMS',`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confCACERT_PATH', `/etc/mail')dnl
define(`confCACERT', `/etc/mail/newcert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/server.pem')dnl
define(`confSERVER_KEY', `/etc/mail/server.pem')dnl
define(`_USE_CT_FILE_', `/etc/mail/trusted-users')dnl
define(`_FFR_MILTER',1)
MAIL_FILTER(`mimedefang', `S=local:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=C:15m;S:4m;R:4m;E:10m')dnl
MAIL_FILTER(`drweb-filter', `S=local:/var/run/drweb/drweb-smf.sock, F=T, T=C:1m;S:5m;R:5m;E:1h')dnl
define(`confINPUT_MAIL_FILTERS', `mimedefang,drweb-filter')dnl
define(`confMILTER_LOG_LEVEL',`6')dnl
FEATURE(`virtusertable', `hash /etc/mail/virtusertable')dnl
FEATURE(`mailertable', `hash /etc/mail/mailertable')dnl
FEATURE(`nocanonify')dnl
FEATURE(`always_add_domain')dnl
define(`_VIRTUSER_STOP_ONE_LEVEL_RECURSION_', `1')dnl
MAILER(`smtp')dnl
MAILER(`local')dnl
MAILER(`cyrusv2')dnl
define(`confLOCAL_MAILER', `cyrusv2')dnl

> You are confused because LHS and RHS are the same, but they mean two
> different things. LHS is an email address, RHS is a mailbox. You can
> also use this as one-to-one and many-to-one alias table.
>
> --
> Igor
Re: MTAs that pass SMTP AUTH?
Okay, maybe this might be a better question...

In the O'Reilly "Managing IMAP" example (http://www.oreilly.com/catalog/mimap/chapter/ch09.html#91630), it discusses the setup I need, where some folders have per-user +p access. In the example case, msmith and johndoe. It says that msmith & johndoe, sending to the submission address of [EMAIL PROTECTED], can go through fine, while others' submissions get dumped to announce's inbox. This is all supposedly "standard" through the deliver(8) program, and that a Sendmail config script handles it all.

My question is, where is Sendmail getting, or even sending to the deliver program, the information that says to match against username msmith, johndoe, or whatnot? I know of the -a switch for deliver, but pretty much all the other MTAs (including Postfix) say that there can only exist a "blanket" Cyrus user, designated to the MTA, for posting to shared folders.

Where's everything come from, authentication-wise? The only thing I can think of is the user creates a message, saves to their local drafts folder, then manually "moves" the message into the proper folder on IMAP. But that seems really icky, and essentially like "IMAP Send".

Am I missing something? Thanks.

--
Scott Balmos
Re: Unexistent user
On Mon, 31 Mar 2003 [EMAIL PROTECTED] wrote:

> You mean I should have records in virtusertable for all my users? If I want to
> forward all mail coming to unexistent users I must have records for all valid
> users in that domain, right?
> Like this:
> [EMAIL PROTECTED][EMAIL PROTECTED]
> ???
> But it doesn't make sense.

If you have define(`_VIRTUSER_STOP_ONE_LEVEL_RECURSION_', `1')dnl and a mailertable entry for domain.com, this will work.

You are confused because LHS and RHS are the same, but they mean two different things. LHS is an email address, RHS is a mailbox. You can also use this as one-to-one and many-to-one alias table.

> Quoting Igor Brezac <[EMAIL PROTECTED]>:
>
> > You should still use virtusertable, otherwise lmtp will be dealing with
> > all the junk that sendmail can turn away during 'rcpt to'. In addition,
> > sendmail will be trying to deliver bounced messages from lmtp for days.
> >
> > --
> > Igor

--
Igor
Groups
I'm using 'saslauthd -a pam' for IMAP authentication (pam_pgsql actually) and compiled cyrus-imapd22 --with-auth=unix

Should I still use /etc/groups for group membership?

Best regards,
Dmitry
Re: Unexistent user
You mean I should have records in virtusertable for all my users? If I want to forward all mail coming to unexistent users I must have records for all valid users in that domain, right?
Like this:
[EMAIL PROTECTED][EMAIL PROTECTED]
???
But it doesn't make sense.

Quoting Igor Brezac <[EMAIL PROTECTED]>:

> You should still use virtusertable, otherwise lmtp will be dealing with
> all the junk that sendmail can turn away during 'rcpt to'. In addition,
> sendmail will be trying to deliver bounced messages from lmtp for days.
>
> --
> Igor
Re: Unexistent user
On Mon, 31 Mar 2003, Ken Murchison wrote:

> [EMAIL PROTECTED] wrote:
> >
> > How can I configure Cyrus IMAP v 2.2 to forward all incoming mail to unexistent
> > users in specific domain to specific email address.
> > Since v 2.2 supports virtual domains I'm not using Sendmail's virtusertable any
> > more. But I'm missing this important feature :-(
> > In virtusertable I could do this:
> > @domain.com [EMAIL PROTECTED]
> >
> > Is there similar config option in Cyrus IMAP Server?
>
> No.

You should still use virtusertable, otherwise lmtp will be dealing with all the junk that sendmail can turn away during 'rcpt to'. In addition, sendmail will be trying to deliver bounced messages from lmtp for days.

--
Igor
Re: Unexistent user
[EMAIL PROTECTED] wrote:

> How can I configure Cyrus IMAP v 2.2 to forward all incoming mail to unexistent
> users in specific domain to specific email address.
> Since v 2.2 supports virtual domains I'm not using Sendmail's virtusertable any
> more. But I'm missing this important feature :-(
> In virtusertable I could do this:
> @domain.com [EMAIL PROTECTED]
>
> Is there similar config option in Cyrus IMAP Server?

No.

--
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
Unexistent user
How can I configure Cyrus IMAP v 2.2 to forward all incoming mail to unexistent users in specific domain to specific email address.
Since v 2.2 supports virtual domains I'm not using Sendmail's virtusertable any more. But I'm missing this important feature :-(
In virtusertable I could do this:
@domain.com [EMAIL PROTECTED]

Is there similar config option in Cyrus IMAP Server?

Best regards,
Dmitry
Re: MTAs that pass SMTP AUTH?
Scott Balmos wrote:

> Does anyone know of any other MTAs that can pass SMTP AUTH info along to Cyrus, other than Sendmail? I'm thinking in the base case here, of a single server, for an intranet. We've already, unfortunately, ruled out Postfix earlier last week, I think I remember reading.

Exim, as of version 4.14 for sure, can do this. I am using it this way, with Exim speaking LMTP over a TCP/IP port to Cyrus lmtpd.

> Any ideas, pointers to docs for things like this, anyone else done this somewhere, sometime? :(

I do not have shared folders set up here, but I don't see any reason why that would matter. If you decide to seriously consider Exim, email me off-list and I'll forward you the relevant parts of my configuration file.
MTAs that pass SMTP AUTH?
(originally sent with wrong email address. Sorry to the human who has to clear out the moderation mailbox. :( )

Hi all,

Does anyone know of any other MTAs that can pass SMTP AUTH info along to Cyrus, other than Sendmail? I'm thinking in the base case here, of a single server, for an intranet. We've already, unfortunately, ruled out Postfix earlier last week, I think I remember reading.

I'm just trying to find a way to do the fabled per-user posting rights ACL matching for shared folders. Indeed, I'm not sure, maybe someone could clarify this for me. What good is having +p if you can't match it to specific users? The question is not counting normal users' private Inboxes. Besides, not having +p at all means the mailbox is basically read only... which defeats the purpose again because then you wouldn't have any content to put in, but that's a logic loop. :D

Earlier, a week or so ago, I posted my current hack, which was to set the deliver program to read the username from the user portion of the user+folder email address. But, of course, that's not real authentication, since anyone could grab a username with posting rights by reading the message (since the username is in the email address, which is in the To or Cc field of the message). Plus that's using the deliver agent, and not LMTP.

Any ideas, pointers to docs for things like this, anyone else done this somewhere, sometime? :(

Thanks.

--
Scott Balmos
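The difference between the two identity sources discussed in this thread (the user part of a user+folder address versus an identity the MTA verified through SMTP AUTH) can be shown with a small model of the "p" right check. This is an added example, not code from the post or from Cyrus; the folder name `shared.announce`, the ACL contents, the address domain and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed ACL for a hypothetical shared folder; "p" is the post right.
# msmith and johndoe are the example posters named in the thread.
ACL = {"shared.announce": {"msmith": "lrsp", "johndoe": "lrsp", "anyone": "lrs"}}


@dataclass
class Session:
    """What the MTA actually knows about the SMTP client."""
    authid: Optional[str]  # set only after a successful SMTP AUTH


def rights_for(mailbox: str, identity: str) -> set:
    """Rights granted to the identity itself plus those granted to 'anyone'."""
    acl = ACL.get(mailbox, {})
    return set(acl.get(identity, "")) | set(acl.get("anyone", ""))


def identity_from_address(rcpt: str) -> str:
    """Address-derived identity: the user part of user+folder@domain."""
    return rcpt.split("@", 1)[0].split("+", 1)[0]


def identity_from_session(session: Session) -> str:
    """Session-derived identity: only what was verified, else anonymous."""
    return session.authid or "anonymous"


def folder_from_address(rcpt: str) -> str:
    local = rcpt.split("@", 1)[0]
    return local.split("+", 1)[1] if "+" in local else "INBOX"


def may_post(rcpt: str, session: Session, trust_address: bool) -> bool:
    """Decide whether delivery into the addressed folder passes the 'p' check."""
    if trust_address:
        identity = identity_from_address(rcpt)   # sender-controlled input
    else:
        identity = identity_from_session(session)  # MTA-verified input
    return "p" in rights_for(folder_from_address(rcpt), identity)


if __name__ == "__main__":
    rcpt = "msmith+shared.announce@example.com"  # constructed address
    for label, sess in [("unauthenticated", Session(None)),
                        ("AUTH as johndoe", Session("johndoe")),
                        ("AUTH as guest", Session("guest"))]:
        print(f"{label:16} address-derived={may_post(rcpt, sess, True)!s:5} "
              f"session-derived={may_post(rcpt, sess, False)}")
```

With the address-derived identity every client passes the check, because the recipient address is chosen by the sender; with the session-derived identity only clients that authenticated as a listed poster pass.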
Re: Which Database backend to use?
Wow, completely missed this in the archives. Thanks for the quick response and link. It is very informative. :)

Christopher S. Pallone
Michaels Stores, Inc.

--On Monday, March 31, 2003 12:22:21 -0500 Rob Siemborski <[EMAIL PROTECTED]> wrote:

> On Mon, 31 Mar 2003, Christopher S. Pallone wrote:
>
> > I have noticed a couple of threads recently about the use of different
> > database backends with cyrus IMAPd. Can anyone explain when and where a
> > specific DB backend should and shouldn't be used? Are the current
> > default values found in configure.in still considered the best options for
> > most installations?
>
> http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=2311
>
> > The current defaults for 2.1.12 are set to the following:
> > duplicate delivery database: db3_nosync
> > mailbox list database: db3
> > seen state database: flat
> > subscriptions list database: flat
> > TLS cache database: db3_nosync
> >
> > When should I consider switching to the skiplist backend?
>
> As soon as possible. We can't change the defaults in 2.1 because that
> would pretty much break existing installs.
>
> -Rob
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
> Research Systems Programmer * /usr/contributed Gatekeeper
Re: Which Database backend to use?
On Mon, 31 Mar 2003, Christopher S. Pallone wrote:

> I have noticed a couple of threads recently about the use of different
> database backends with cyrus IMAPd. Can anyone explain when and where a
> specific DB backend should and shouldn't be used? Are the current
> default values found in configure.in still considered the best options for
> most installations?

http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=2311

> The current defaults for 2.1.12 are set to the following:
> duplicate delivery database: db3_nosync
> mailbox list database: db3
> seen state database: flat
> subscriptions list database: flat
> TLS cache database: db3_nosync
>
> When should I consider switching to the skiplist backend?

As soon as possible. We can't change the defaults in 2.1 because that would pretty much break existing installs.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
Which Database backend to use?
I have noticed a couple of threads recently about the use of different database backends with cyrus IMAPd. Can anyone explain when and where a specific DB backend should and shouldn't be used? Are the current default values found in configure.in still considered the best options for most installations?

The current defaults for 2.1.12 are set to the following:
duplicate delivery database: db3_nosync
mailbox list database: db3
seen state database: flat
subscriptions list database: flat
TLS cache database: db3_nosync

When should I consider switching to the skiplist backend?

Thanks for the help,

Christopher S. Pallone
Michaels Stores, Inc.
Re: interesting limitation
Dave O wrote:

> 2 level hashing would work, but I don't know if Cyrus supports that. It
> would most likely be trivial to implement.
>
> eg spool/s/sm/user/smith

Or in the case of full dir hashing, have a second hash function and hash the names that get assigned to one bin into an additional set of bins.

As was previously mentioned, having multiple partitions also solves this problem but since the trend seems to be consolidating storage it would be nice to be able to handle the large numbers of users in a single partition rather than creating multiple partitions in the same filesystem with the associated administrative hassle.

--
John A. Tamplin                        Unix System Administrator
Emory University, School of Public Health     +1 404/727-9931
Re: skiplist vs. Berkeley
On Mon, 31 Mar 2003, Dmitry Alyabyev wrote:

> Which the advantages are in skiplist comparing with BerkeleyDB ?

It's significantly faster for enumeration operations, which are very common with the mailbox list.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
Re: interesting limitation
On Mon, 31 Mar 2003 10:42:39 -0500 (EST) Dave O <[EMAIL PROTECTED]> wrote:

> 2 level hashing would work, but I don't know if Cyrus supports that. It
> would most likely be trivial to implement.
>
> eg spool/s/sm/user/smith

Yes, i was thinking about that too ... In fact i would prefer it over fulldir hash code, because this way i always know where on disk the user's mailbox is.

--
Jure Pecar
Re: interesting limitation
2 level hashing would work, but I don't know if Cyrus supports that. It would most likely be trivial to implement.

eg spool/s/sm/user/smith

On Sat, 29 Mar 2003, Jure Pecar wrote:

> Hi all,
>
> Recently i was testing a 2.2 branch on linux with Veritas vxfs. I wanted to
> create 20 users in the form of userN, where n is 1..20. I soon found
> out that vxfs won't let me create more than 32k subdirs in one dir.
>
> This is clearly a limitation of the filesystem. How does other filesystems
> handle this?
>
> The solution here is full dir hash. But, the next limit is at 26*32k users.
> Is anyone actually nearing this number of users on a single box? Probably
> not, but who knows what the future may bring ...
>
> --
>
> Jure Pecar
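The layouts proposed in this thread can be compared by counting how many mailbox directories land in the fullest bin for the userN naming pattern from the original report. This is an added example, not code from any of the posts or from Cyrus: the hash is a stand-in (BLAKE2b, not the function Cyrus uses), the 26 bins follow the "26*32k" figure in the thread, and the user counts, the reading of "32k" as 32768 and all function names are assumptions.

```python
import hashlib
from collections import Counter

SUBDIR_LIMIT = 32 * 1024  # assumed reading of the "32k subdirs" limit
LETTERS = "abcdefghijklmnopqrstuvwxyz"


def prefix1(name: str) -> str:
    """First-letter bin: spool/s/user/smith."""
    return name[0]


def prefix2(name: str) -> str:
    """Two-level prefix bin from the thread: spool/s/sm/user/smith."""
    return f"{name[0]}/{name[:2]}"


def _digest(name: str) -> int:
    # Stand-in hash over the whole name (assumption, not the Cyrus function).
    raw = hashlib.blake2b(name.encode(), digest_size=8).digest()
    return int.from_bytes(raw, "big")


def fullhash1(name: str) -> str:
    """Whole-name hash into 26 bins (the '26*32k' case)."""
    return LETTERS[_digest(name) % 26]


def fullhash2(name: str) -> str:
    """Whole-name hash plus a second, independent level: 26*26 bins."""
    d = _digest(name)
    return f"{LETTERS[d % 26]}/{LETTERS[(d // 26) % 26]}"


SCHEMES = {"prefix1": prefix1, "prefix2": prefix2,
           "fullhash1": fullhash1, "fullhash2": fullhash2}


def survey(n_users: int) -> dict:
    """Size of the fullest bin per scheme for users user1..userN."""
    names = [f"user{i}" for i in range(1, n_users + 1)]
    return {label: max(Counter(map(fn, names)).values())
            for label, fn in SCHEMES.items()}


def overfull(n_users: int, limit: int = SUBDIR_LIMIT) -> list:
    """Schemes whose fullest bin would exceed the per-directory limit."""
    return [label for label, size in survey(n_users).items() if size > limit]


if __name__ == "__main__":
    # Constructed population just past 26 * 32k users.
    for label, size in survey(1_000_000).items():
        print(f"{label:10} fullest bin = {size:>8}  over limit: {size > SUBDIR_LIMIT}")
```

For names that share a prefix, both prefix layouts put every mailbox in one directory, so only the whole-name hash spreads the load, and only the second hash level keeps each bin under the limit once the population passes 26 times the limit.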
Re: skiplist vs. Berkeley
Florian Hars wrote:

> Dmitry Alyabyev wrote:
>> Which the advantages are in skiplist comparing with BerkeleyDB ?
>
> It doesn't show seen messages as new three times a day.

Hmm, sounds good ...
Do you know why it happens ?

--
Dimitry
Re: skiplist vs. Berkeley
Dmitry Alyabyev wrote:

> Which the advantages are in skiplist comparing with BerkeleyDB ?

It doesn't show seen messages as new three times a day.

Yours, Florian.
Re: strange quota problem...
Hello,

Been here done this. The first place I would look is at the quota allotted to the folder. I'd bet real money that you haven't set a quota for the folder yet.

Regards,
Earl Shannon

Andrzej Kwiatkowski wrote:

> I have installed postfix 2.0.7 with Cyrus Imapd 2.1.12.
> My problem is a bit strange..
> I can send only one message for test account:
>
> for example after creating imap account:
>
> bash-2.05b# cat /isp/cyrus/var/imap/quota/t/user.test123
> 0 20971520
>
> and when i send mail to this account :
>
> Mar 31 14:31:15 junak postfix/qmgr[50240]: 1BA027B0CE3: from=<[EMAIL PROTECTED]>, size=488, nrcpt=1 (queue active)
> Mar 31 14:31:15 junak postfix/pipe[50697]: 1BA027B0CE3: to=<[EMAIL PROTECTED]>, relay=cyrus, delay=0, status=sent (junak.mydomain.com)
>
> and then:
>
> bash-2.05b# cat /isp/cyrus/var/imap/quota/t/user.test123
> 673 20971520
>
> and when i try to send second message:
>
> ar 31 14:32:14 junak postfix/qmgr[50240]: 182F27B0CE3: from=<[EMAIL PROTECTED]>, size=488, nrcpt=1 (queue active)
> Mar 31 14:32:14 junak postfix/pipe[50697]: 182F27B0CE3: to=<[EMAIL PROTECTED]>, relay=cyrus, delay=0, status=bounced (data format error. Command output: test123: Over quota
>
> Where i should look for error ??
>
> Thanks in advance
> Andrzej Kwiatkowski
strange quota problem...
I have installed postfix 2.0.7 with Cyrus Imapd 2.1.12.
My problem is a bit strange..
I can send only one message for test account:

for example after creating imap account:

bash-2.05b# cat /isp/cyrus/var/imap/quota/t/user.test123
0 20971520

and when i send mail to this account :

Mar 31 14:31:15 junak postfix/qmgr[50240]: 1BA027B0CE3: from=<[EMAIL PROTECTED]>, size=488, nrcpt=1 (queue active)
Mar 31 14:31:15 junak postfix/pipe[50697]: 1BA027B0CE3: to=<[EMAIL PROTECTED]>, relay=cyrus, delay=0, status=sent (junak.mydomain.com)

and then:

bash-2.05b# cat /isp/cyrus/var/imap/quota/t/user.test123
673 20971520

and when i try to send second message:

ar 31 14:32:14 junak postfix/qmgr[50240]: 182F27B0CE3: from=<[EMAIL PROTECTED]>, size=488, nrcpt=1 (queue active)
Mar 31 14:32:14 junak postfix/pipe[50697]: 182F27B0CE3: to=<[EMAIL PROTECTED]>, relay=cyrus, delay=0, status=bounced (data format error. Command output: test123: Over quota

Where i should look for error ??

Thanks in advance
Andrzej Kwiatkowski
skiplist vs. Berkeley
Hello

According to changes to the Cyrus IMAP Server since 2.1.x:
...
- The default mailbox list and seen state database formats have changed to skiplist from Berkeley and Flat, respectively.

Which the advantages are in skiplist comparing with BerkeleyDB ?
What about size of cache that can be customised in Berkeley ?

--
Dimitry