Re: Cyradm - can't locate Shell.pm
On Tue, Jan 16, Karlheinz Blank wrote: > I've successfully (partially) installed Cyrus 2.0.9 on SuSE 7.0. Imtest > is working. But so far I've been unable to execute cyradm. > The following error message appears: > > Can't locate Cyrus/IMAP/Shell.pm in @INC (@INC contains: >/usr/lib/perl5/5.00503/i586-linux /usr/lib/perl5/5.00503 >/usr/lib/perl5/site_perl/5.005/i586-linux /usr/lib/perl5/site_perl/5.005 .). > BEGIN failed--compilation aborted. do the following within cyrus-imapd source: for i in imap sieve/acap sieve/managesieve; do cd perl/$i make install done -- With best regards, Carsten Hoeger SuSE, The Linux Experts, http://www.suse.com
Re: IDLE problem, and unsafe copy command
Ken
Thanks for the quick fix, which has solved the IDLE problem.
I should probably point out though that this fix does not address the
problem I reported last week. It seems to me that under different
circumstances the copy command could still fail in an unsafe way, leading to
loss of messages. (Not that I'm expecting you to be the one to fix it!)
Cheers, John
--
John Holman
Head of Central Servers Team
Queen Mary. Universitly of London
UK
- Original Message -
From: "Ken Murchison" <[EMAIL PROTECTED]>
To: "John Holman" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, January 16, 2001 4:55 PM
Subject: Re: IDLE problem
>
>
> John Holman wrote:
> >
> > (Follow up to last message)
> >
> > In fact the IDLE problem is quite general. If the client has used the
IDLE
> > command, it seems that the imapd process will be killed and the
connection
> > closed with "signalled to death by 14"
> > whenever more than about 50 seconds passes between commands sent by the
> > client. Unless I misunderstand something, this shouldn't be happening.
> >
> > eg
> >
> > ...
> > 4 IDLE
> > + go ahead
> > done
> > 4 OK Completed
> >
> >
> >
> > server closes imap connection and reports "signalled to death by 14"
>
> John,
>
> Forget about my last message, here is the fix. This was stupid, I don't
> know how I missed this. I must have changed the signal disposition at
> the last minute without testing it. I apologize for any problems that
> this caused. This fix (and a similar one for idle_idled.c) is in CVS
> and will be in the next release.
>
> Ken
>
> diff -c -r1.1 -r1.2
> *** idle_poll.c 2000/12/14 19:26:48 1.1
> --- idle_poll.c 2001/01/16 16:54:26 1.2
> ***
> *** 88,92
> void idle_done(struct mailbox *mailbox)
> {
> /* Remove the polling function */
> ! signal(SIGALRM, SIG_DFL);
> }
> --- 88,92
> void idle_done(struct mailbox *mailbox)
> {
> /* Remove the polling function */
> ! signal(SIGALRM, SIG_IGN);
> }
>
> --
> Kenneth Murchison Oceana Matrix Ltd.
> Software Engineer 21 Princeton Place
> 716-662-8973 x26 Orchard Park, NY 14127
> --PGP Public Key--http://www.oceana.com/~ken/ksm.pgp
>
cyrus imap/SASL + sendmail/SASL
Hi there.
- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, January 17, 2001 5:10 AM
Subject: Re: Authentication Cyrus/sasl
> Sendmail and cyrus don't cooperate very well with file access.
I've encountered the following problem in trying to use sendmail w/ SASL and
cyrus' imap w/ SASL at the same time:
Per default both will want readaccess to the /etc/sasldb.
Furthermore sendmail usually will not allow this file to be write or
readable by any other user than the one which it is running as.
This, at first, seems unsolvable, as my sendmail daemon is running as a
privileged user, as opposed to cyrus imap.
But sendmail is kind enough to offer an option which will allow for the
/etc/sasldb to be groupreadable.
So I chmod/own'ed the file to 640/root.cyrus, where the group cyrus is the
default group for user cyrus, with no other users in it.
I supposed this to work, as
# su cyrus
$ cat /etc/sasldb
did work, too.. but it did not. Cyrus imap, even though running as cyrus,
did not have the permission to read the file. chown'ing would have worked
though, but was not an option as it would not have been accepted by
sendmails security checks.
Well, I have changed the source code of `master`, and now it works. But I
don't know whether it will impose any security risks or the general
operability of cyrus imap.
These are my changes to file /usr/src/cyrus-imapd-2.07/master/master.c :
int become_cyrus(void)
{
struct passwd *p;
static int uid = 0;
+static int gid = 0;
-if (uid) return setuid(uid);
+if (uid&&gid) return (setgid(gid) || setuid(uid)) ;
p = getpwnam(CYRUS_USER);
if (p == NULL) {
syslog(LOG_ERR, "no entry in /etc/passwd for %s", CYRUS_USER);
return -1;
}
uid = p->pw_uid;
+gid = p->pw_gid;
-return setuid(uid);
+return (setgid(gid) | setuid(uid)) ;
}
Any comment on whether this course of action is acceptable is welcome.
Thanks, Robert.
---
The universe is filled with dark letters even though we can't see them. 90%
of all letters are dark.
Re: Authentication Cyrus/sasl
The only way I had netscape to authenticate using PLAINTEXT was by removing the LOGIN method from SASL. It seems that Netscape will use LOGIN if it is available, otherwise it uses PLAINTEXT. Anyone can confirm this? -- marc - (http://register4less.com) If marriage is outlawed, only outlaws will have inlaws. Juan Leon wrote: > > I have tried about a million things. I am going to rant a bit > hoping that something rings a bell and some advice miraculously > pours forth. This is with SASL 1.5.24, cyrus 1.6.24 and 2.0.9, > Linux 2.2.16 (RH 7.0). I will be eternally grateful if you can > help. > > I am trying to install a cyrus that works with Mulberry and > Netscape. I got both 2.0.9 and 1.6.24 working with Mulberry > with DIGEST-MD5, etc. But none gives me PLAIN for Netscape (or > Mulberry). SASL's sample-server reports that SASL is offering > everything except ANONYMOUS, so that would not appear to be the > problem. > > So I read in the docs for cyrus 1.5. that PLAIN > won't show up but that it works as LOGIN. I am not sure what > this means: does cyrus' LOGIN become SASL's PLAIN? Does Cyrus > LOGIN become SASL's LOGIN? Neither? Apparently the latter: > my /usr/lib/sasl/Cyrus.conf (and imap.conf and cyrus.conf for > good measure) has pwcheck_method: sasldb. I check via ldd > and strace that, indeed, this is the right config directory. > Yet per the auth.log (which PAM, unlike SASL, is civilized > enough to use) cyrus insists on trying to authenticate > LOGIN through PAM, which fails because it is user cyrus requesting > the auth. > > OK, in the cyrus docs for version 2.0.9 I read that I need to > enable STARTTLS in order for PLAIN to show up (another approach). > I have enabled STARTTLS as far as I know, but Netscape is still > failing. Does cyrus pretend to not grok TLS if there is no > certificate? I will put one in, but there are only so many > things I can try in a week. > > On a mostly unrelated note, sendmail is failing to authenticate via > DIGEST-MD5 or anything else (I have recompiled it with > GroupWriteUnsafeSASL or whatever). This, and the above, makes > me want BAD to put a trace on SASL. I have tried redefining the > VL macro to syslog, but this makes everything fail. Is there > a way of finding out what SASL is doing? It certainly doesn't > output anything to auth.log (or any other log) of its own will. > I will ask this in the sasl list, but I thought you might know. > > Thanks a lot for any help. If I resolve this, I promise I will > write an answer to some of those future FAQs that are pending. > > Juan
Re: Cyradm - can't locate Shell.pm
In redhat the installation prefix of perl is /usr. So if you do a standard cyrus --prefix=/usr/local (default one), all you need to do to have the perl extensions install properly is: make PREFIX=/usr install the PREFIX (note must be all caps) effects only the perl extension installation. Ciao Stefano Carsten Hoeger wrote: > On Tue, Jan 16, Karlheinz Blank wrote: > > > I've successfully (partially) installed Cyrus 2.0.9 on SuSE 7.0. Imtest > > is working. But so far I've been unable to execute cyradm. > > The following error message appears: > > > > Can't locate Cyrus/IMAP/Shell.pm in @INC (@INC contains: >/usr/lib/perl5/5.00503/i586-linux /usr/lib/perl5/5.00503 >/usr/lib/perl5/site_perl/5.005/i586-linux /usr/lib/perl5/site_perl/5.005 .). > > BEGIN failed--compilation aborted. > > do the following within cyrus-imapd source: > > for i in imap sieve/acap sieve/managesieve; do > cd perl/$i > make install > done > > -- > With best regards, > > Carsten Hoeger > > SuSE, The Linux Experts, http://www.suse.com
Re: IDLE problem, and unsafe copy command
John Holman wrote: > > Ken > > Thanks for the quick fix, which has solved the IDLE problem. No problem. > I should probably point out though that this fix does not address the > problem I reported last week. It seems to me that under different > circumstances the copy command could still fail in an unsafe way, leading to > loss of messages. (Not that I'm expecting you to be the one to fix it!) Yes, you're correct. Larry and I talked about this last night, and one of us should be able to figure this out before the next release. Ken -- Kenneth Murchison Oceana Matrix Ltd. Software Engineer 21 Princeton Place 716-662-8973 x26 Orchard Park, NY 14127 --PGP Public Key--http://www.oceana.com/~ken/ksm.pgp
Re: IDLE problem
> ! signal(SIGALRM, SIG_DFL);
> }
> --- 88,92
> void idle_done(struct mailbox *mailbox)
> {
> /* Remove the polling function */
> ! signal(SIGALRM, SIG_IGN);
In my case (Solaris 8, outlook client) the problem of dying imapds
isn't fixed yet. I think it dies in the second call to idle_poll()
(alarm timer). This might be related to ...
According to the signal(3C) man page on Solaris 8:
void (*signal (int sig, void (*disp)(int)))(int);
If signal() is
used, disp is the address of a signal handler, and sig is
not SIGILL, SIGTRAP, or SIGPWR, the system first sets the
signal's disposition to SIG_DFL before executing the signal
handler.
SIG_DFL remains after idle_poll() is first called by the alarm timer.
There should be at least two ways to fix the problem:
1) add the signal() call in idle_init() to idle_poll() also
idle_update(IDLE_MAILBOX|IDLE_ALERT);
+ signal(SIGALRM, idle_poll);
alarm(idle_period);
2) use sigset() instead of signal() in idle_init() (on Solaris (?, 7, 8))
Is this an appropriate fix? (either one is working for me ... I think,-)
Cheers, ws
New with questions about Cyrus
Hi All !! I have installed a RedHat 7.0 machine with the latest rpm for cyrus-imapd from Raw Hide. I want to know a little more about the features of this server. Until now I'm using QMail as POP3/SMTp server, and have the following questions: 1.- Which one is the better MTA for use with Cyrus, sendmail or postfix ? 2.- Can I handle virtual domains under Cyrus ? ([EMAIL PROTECTED], [EMAIL PROTECTED], etc.. as different users) How ? 3.- Can I maintain my actual login userid for Qmail under POP3 (user%domain.tld or [EMAIL PROTECTED]) ? 4.- Can I allow some users to use only POP3 and other to use IMAp and POP3 ? Best regards, Antonio Navarro Navarro BemarNet Management http://www.bemarnet.es [EMAIL PROTECTED] Tlf. +34-96-1656644 Fax. +34-96-1656514
Re: IDLE problem
Walter Steiner wrote:
>
> In my case (Solaris 8, outlook client) the problem of dying imapds
> isn't fixed yet. I think it dies in the second call to idle_poll()
> (alarm timer). This might be related to ...
>
> According to the signal(3C) man page on Solaris 8:
>
> void (*signal (int sig, void (*disp)(int)))(int);
>
> If signal() is
> used, disp is the address of a signal handler, and sig is
> not SIGILL, SIGTRAP, or SIGPWR, the system first sets the
> signal's disposition to SIG_DFL before executing the signal
> handler.
>
> SIG_DFL remains after idle_poll() is first called by the alarm timer.
Damn! My Linux development system treats unreliable signals as
reliable, so I never caught this glaring error. I just verified that
the current code will NOT work correctly on Solaris 7+ and IRIX 6.x.
Thanks for pointing this out.
> There should be at least two ways to fix the problem:
>
> 1) add the signal() call in idle_init() to idle_poll() also
>
> idle_update(IDLE_MAILBOX|IDLE_ALERT);
>
> + signal(SIGALRM, idle_poll);
> alarm(idle_period);
>
> 2) use sigset() instead of signal() in idle_init() (on Solaris (?, 7, 8))
>
> Is this an appropriate fix? (either one is working for me ... I think,-)
Either solution will work, except Linux apparently doesn't have
sigset(). So I checked in a different fix (below) which uses POSIX
signal sets (to conform with similar code in master.c)
Ken
*** idle_poll.c 2001/01/16 16:54:26 1.2
--- idle_poll.c 2001/01/17 17:26:59
***
*** 40,47
--- 40,50
/* $Id: idle_poll.c,v 1.2 2001/01/16 16:54:26 ken3 Exp $ */
+ #include
#include
+ #ifdef HAVE_UNISTD_H
#include
+ #endif
#include
#include "idle.h"
***
*** 75,85
int idle_init(struct mailbox *mailbox, idle_updateproc_t *proc)
{
idle_update = proc;
/* Setup the mailbox polling function to be called at
'idle_period'
seconds from now */
! signal(SIGALRM, idle_poll);
alarm(idle_period);
return 1;
--- 78,100
int idle_init(struct mailbox *mailbox, idle_updateproc_t *proc)
{
+ struct sigaction action;
+
idle_update = proc;
/* Setup the mailbox polling function to be called at
'idle_period'
seconds from now */
! sigemptyset(&action.sa_mask);
! action.sa_flags = 0;
! #ifdef SA_RESTART
! action.sa_flags |= SA_RESTART;
! #endif
! action.sa_handler = idle_poll;
! if (sigaction(SIGALRM, &action, NULL) < 0) {
! syslog(LOG_ERR, "sigaction: %m");
! return 0;
! }
!
alarm(idle_period);
return 1;
--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26 Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp
One more question about Cyrus
Hi again !! Is possible to create usernames containing dots ? ([EMAIL PROTECTED]) ? If not, is possible to create the mail in the IMAP server like [EMAIL PROTECTED] (or similar) and write a rule in postfix or sendmail in order to deliver the e-mail to the correct account (changing the '.' for a '+')? Regards, Antonio Navarro Navarro BemarNet Management http://www.bemarnet.es [EMAIL PROTECTED] Tlf. +34-96-1656644 Fax. +34-96-1656514
Re: IDLE problem
Kenneth Murchison writes: > >Damn! My Linux development system treats unreliable signals as >reliable, so I never caught this glaring error. I just verified that >the current code will NOT work correctly on Solaris 7+ and IRIX 6.x. This may be unrelated, but I notice that idled disappears a day or so after it's started. I get these messages: Jan 3 21:12:50 setup16 master[3226]: [ID 392559 local6.debug] about to exec /usr/local/cyrus/bin/idled Jan 4 09:37:31 setup16 lmtpd[3766]: [ID 840128 local6.error] error sending to idled: 2 This is cyrus-imapd-2.0.9 under Solaris-8. I didn't notice any cores. -- -Gary Mills--Unix Support--U of M Academic Computing and Networking-
Re: IDLE problem
[EMAIL PROTECTED] wrote: > > Kenneth Murchison writes: > > > >Damn! My Linux development system treats unreliable signals as > >reliable, so I never caught this glaring error. I just verified that > >the current code will NOT work correctly on Solaris 7+ and IRIX 6.x. > > This may be unrelated, but I notice that idled disappears a day or > so after it's started. I get these messages: > > Jan 3 21:12:50 setup16 master[3226]: [ID 392559 local6.debug] about to exec >/usr/local/cyrus/bin/idled > Jan 4 09:37:31 setup16 lmtpd[3766]: [ID 840128 local6.error] error sending to >idled: 2 > > This is cyrus-imapd-2.0.9 under Solaris-8. I didn't notice any cores. Hmmm... it's run for weeks here on my linux box. Is idled truely not running, or it just isn't accepting any messages via the socket? Any messages in the imapd.log about idled dying or having problems? Do you have a lot of users using clients which support IDLE (Outlook)? Just out of curiosity, when idled dies, are the clients still able to use IDLE? It should fall back to idle_poll functionality in this case (unless you set imapidlepoll=0 in imapd.conf) Thanks, Ken -- Kenneth Murchison Oceana Matrix Ltd. Software Engineer 21 Princeton Place 716-662-8973 x26 Orchard Park, NY 14127 --PGP Public Key--http://www.oceana.com/~ken/ksm.pgp
Re: IDLE problem
Kenneth Murchison writes: > >Hmmm... it's run for weeks here on my linux box. > >Is idled truely not running, or it just isn't accepting any messages via >the socket? The process disappears. I can start it by hand, and it will run for a while. I can keep a closer watch on it. >Any messages in the imapd.log about idled dying or having problems? Not a whisper. >Do you have a lot of users using clients which support IDLE (Outlook)? Probably none. It looked like a good idea, so I configured cyrus to use it. >Just out of curiosity, when idled dies, are the clients still able to >use IDLE? It should fall back to idle_poll functionality in this case >(unless you set imapidlepoll=0 in imapd.conf) It's on a pre-production system, so we have very few users just now. Nobody has complained. -- -Gary Mills--Unix Support--U of M Academic Computing and Networking-
Netscape and STARTTLS
Netscape doesn't seem to show the "locked lock" icon when I access a STARTTLS-enabled cyrus, even though it does process the certificate. Is this a netscape omission, or am I in trouble? Thanks, Juan
Re: Authentication Cyrus/sasl
Thank you very much. This helped clear up the confusion between LOGIN and AUTH=LOGIN. In fact, I got cyrus to work with netscape, though, weirdly, the fix required eliminating LOGIN from the mechanisms supported by SASL. Does Netscape confuse IMAP LOGIN with AUTH=LOGIN? It might seem that when netscape sees AUTH=LOGIN it instead issues an IMAP LOGIN command, which cyrus sends to PAM, which fails. Taking AUTH=LOGIN out forced netscape to use PLAIN, which cyrus correctly sent to SASL, which correctly used the sasldb. This response also gave the the motivation I needed to try creating a certificate next, which enabled STARTTLS. Thanks again, Juan [EMAIL PROTECTED] wrote: > Juan Leon writes: > > > > I am trying to install a cyrus that works with Mulberry and > >Netscape. I got both 2.0.9 and 1.6.24 working with Mulberry > >with DIGEST-MD5, etc. But none gives me PLAIN for Netscape (or > >Mulberry). SASL's sample-server reports that SASL is offering > >everything except ANONYMOUS, so that would not appear to be the > >problem. > > Part of the problem is that there are two authentication methods > that are called LOGIN. One is the pre-SASL IMAP command called > LOGIN, which should be available on all IMAP servers, unless it > is specifically disabled, but is never advertized. The other is > the SASL AUTH=LOGIN mechanism, which is also a plain-text authentication > method. By default, Cyrus will not advertize this mechanism > unless it's using a secure communications channel, such as SSL > or STARTTLS. Sendmail, on the other hand, will advertize this > mechanism if you add it to the list of mechanisms to be advertized. > I believe that it's only used by Microsoft mail clients and by pine. > Netscape uses the pre-SASL LOGIN command. > > > So I read in the docs for cyrus 1.5. that PLAIN > >won't show up but that it works as LOGIN. I am not sure what > >this means: does cyrus' LOGIN become SASL's PLAIN? Does Cyrus > >LOGIN become SASL's LOGIN? Neither? > > The pre-SASL LOGIN command is also known as plain. > > > Apparently the latter: > >my /usr/lib/sasl/Cyrus.conf (and imap.conf and cyrus.conf for > >good measure) has pwcheck_method: sasldb. I check via ldd > >and strace that, indeed, this is the right config directory. > >Yet per the auth.log (which PAM, unlike SASL, is civilized > >enough to use) cyrus insists on trying to authenticate > >LOGIN through PAM, which fails because it is user cyrus requesting > >the auth. > > This seems to be a Linux feature. If PAM requires access to the > shadow file, you have to ensure that the cyrus user can read that > file so that cyrus can authenticate other users. Otherwise, PAM > will only authenticate cyrus. > > > OK, in the cyrus docs for version 2.0.9 I read that I need to > >enable STARTTLS in order for PLAIN to show up (another approach). > >I have enabled STARTTLS as far as I know, but Netscape is still > >failing. Does cyrus pretend to not grok TLS if there is no > >certificate? I will put one in, but there are only so many > >things I can try in a week. > > It needs a certificate, but it can be a self-signed one. > > > On a mostly unrelated note, sendmail is failing to authenticate via > >DIGEST-MD5 or anything else (I have recompiled it with > >GroupWriteUnsafeSASL or whatever). This, and the above, makes > >me want BAD to put a trace on SASL. I have tried redefining the > >VL macro to syslog, but this makes everything fail. Is there > >a way of finding out what SASL is doing? It certainly doesn't > >output anything to auth.log (or any other log) of its own will. > >I will ask this in the sasl list, but I thought you might know. > > The sendmail web site has some information on it. Generally, you > can bump up the sendmail logging level, and find out what is wrong. > Sendmail and cyrus don't cooperate very well with file access. > > -- > -Gary Mills--Unix Support--U of M Academic Computing and Networking-
Re: Authentication Cyrus/sasl
Yes, I can confirm. And if it hadn't been for your message, I wouldn't have gotten Netscape to work with cyrus. What I don't understand is why should LOGIN, as provided by SASL, translate into an IMAP LOGIN command, which cyrus sends directly to PAM, instead of trying it with SASL. Thanks again, Juan Marc Jauvin wrote: > The only way I had netscape to authenticate using PLAINTEXT was by > removing the LOGIN method from SASL. It seems that Netscape will use > LOGIN if it is available, otherwise it uses PLAINTEXT. > > Anyone can confirm this? > > -- > marc - (http://register4less.com) > > If marriage is outlawed, only outlaws will have inlaws. > > Juan Leon wrote: > > > > I have tried about a million things. I am going to rant a bit > > hoping that something rings a bell and some advice miraculously > > pours forth. This is with SASL 1.5.24, cyrus 1.6.24 and 2.0.9, > > Linux 2.2.16 (RH 7.0). I will be eternally grateful if you can > > help. > > > > I am trying to install a cyrus that works with Mulberry and > > Netscape. I got both 2.0.9 and 1.6.24 working with Mulberry > > with DIGEST-MD5, etc. But none gives me PLAIN for Netscape (or > > Mulberry). SASL's sample-server reports that SASL is offering > > everything except ANONYMOUS, so that would not appear to be the > > problem. > > > > So I read in the docs for cyrus 1.5. that PLAIN > > won't show up but that it works as LOGIN. I am not sure what > > this means: does cyrus' LOGIN become SASL's PLAIN? Does Cyrus > > LOGIN become SASL's LOGIN? Neither? Apparently the latter: > > my /usr/lib/sasl/Cyrus.conf (and imap.conf and cyrus.conf for > > good measure) has pwcheck_method: sasldb. I check via ldd > > and strace that, indeed, this is the right config directory. > > Yet per the auth.log (which PAM, unlike SASL, is civilized > > enough to use) cyrus insists on trying to authenticate > > LOGIN through PAM, which fails because it is user cyrus requesting > > the auth. > > > > OK, in the cyrus docs for version 2.0.9 I read that I need to > > enable STARTTLS in order for PLAIN to show up (another approach). > > I have enabled STARTTLS as far as I know, but Netscape is still > > failing. Does cyrus pretend to not grok TLS if there is no > > certificate? I will put one in, but there are only so many > > things I can try in a week. > > > > On a mostly unrelated note, sendmail is failing to authenticate via > > DIGEST-MD5 or anything else (I have recompiled it with > > GroupWriteUnsafeSASL or whatever). This, and the above, makes > > me want BAD to put a trace on SASL. I have tried redefining the > > VL macro to syslog, but this makes everything fail. Is there > > a way of finding out what SASL is doing? It certainly doesn't > > output anything to auth.log (or any other log) of its own will. > > I will ask this in the sasl list, but I thought you might know. > > > > Thanks a lot for any help. If I resolve this, I promise I will > > write an answer to some of those future FAQs that are pending. > > > > Juan
