Re: SASL Docs
On Mon, 4 Nov 2002, David H. Lynch Jr. wrote:

> My problems seem to come from a weak understanding of SASL. I have
> searched the net, the archives, and while there are RFC's and programming
> information I have not found anything that approximates a users guide to
> using SASL.

You mean something like doc/sysadmin.html in the distribution, or something more specific? If you think something is missing, we're willing to add it, though, based on some of your questions I'm guessing you didn't look in the doc subdirectory at all.

Of course, a guide from the ground up with SASL will be hard to write so that it will work in any environment, since authentication and authorization is almost always a site-specific thing. The SASL library does its best to work everywhere, but in some ways it's a tremendously difficult problem to get right.

I'll try to answer your questions though:

> If I select a particular authentication module - say GSSAPI or NTLM,
> where does it get any configuration information it might need, and how do
> I figure out what options there are? I have even looked through the
> source for some of the modules and cursory looks are not revealing.

doc/options.html lists all the options for anything that is included in the library.

> Can someone point me to some kind of user docs for libsasl 2.1.9?

Look in the doc subdirectory, but...

> Something that would answer questions like:
>
> Do all methods depend on sasldb?

No. No mechanisms depend on sasldb. A number of them do depend on the presence of an auxprop plugin, of which sasldb is one. There is also an included mysql auxprop plugin, as well as a LDAP auxprop patch that is on surf.org.uk.

The ones that don't need any backend support:
  ANONYMOUS

The ones that can get by with just saslauthd (but can use auxprop):
  PLAIN
  LOGIN

The ones that need auxprop support:
  CRAM-MD5
  DIGEST-MD5
  NTLM
  OTP
  SRP

The ones that require a separate infrastructure:
  KERBEROS_V4
  GSSAPI

> What are the options for each module and how do you set them?

Again, doc/options.html. You set them in an application-specific way (in Cyrus IMAP, you set sasl_[optionname] in imapd.conf). You can also specify them in a file that is /usr/lib/sasl2/servicename.conf

> What is the difference between LOGIN and PLAIN?

LOGIN is not a standards-track mechanism. It also doesn't support proxy authorization.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
/var/imap/socket/lmtp: makeconnection_ds
Hi,

I'm trying to set up Cyrus with sendmail. Thus far, without success. With MAILER(`cyrusv2`) in the .mc file, an attempt to send email locally gets this error:

Nov 5 14:36:15 breakme sendmail[686]: gA5EaFvE000686: from=[EMAIL PROTECTED], size=611, class=0, nrcpts=1, msgid=04fc01c284d8$a67b5c60$5c01a8c0@IanM, proto=ESMTP, daemon=MTA, relay=mysql.internal.globalvison.com [192.168.1.10] (may be forged)
Nov 5 14:36:15 breakme sendmail[688]: gA5EaFvE000686: SYSERR(root): makeconnection_ds: unsafe domain socket
Nov 5 14:36:15 breakme sendmail[688]: gA5EaFvE000686: to=[EMAIL PROTECTED], delay=00:00:00, xdelay=00:00:00, mailer=cyrusv2, pri=30604, relay=localhost, dsn=4.3.5, stat=Deferred: No such file or directory

Looking at the archives, it sounds like the default CYRUSV2_MAILER_ARGS, /var/imap/socket/lmtp, should be an existing socket file. It is nowhere to be seen. Presumably, this is the problem. I would appreciate any help you can give.

uname -a: Linux breakme 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT 2002 i686 i686 i386 GNU/Linux

[root@breakme mail]# telnet localhost imap
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK breakme Cyrus IMAP4 v2.1.9 server ready

220 breakme.internal.globalvision.com ESMTP Sendmail 8.12.6/8.12.6; Tue, 5 Nov 2002 15:59:59 GMT
QUIT
221 2.0.0 breakme.internal.globalvision.com closing connection
Connection closed by foreign host.

[root@breakme mail]# telnet localhost lmtp
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 breakme LMTP Cyrus v2.1.9 ready
QUIT
221 2.0.0 bye
Connection closed by foreign host.

This is my sendmail.mc (I compile it along with cf.m4, as instructions suggest):

divert(-1)
dnl This is the sendmail macro config file. If you make changes to this file,
dnl you need the sendmail-cf rpm installed and then have to generate a
dnl new /etc/mail/sendmail.cf by running the following command:
dnl
dnl        m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')
VERSIONID(`linux setup for Red Hat Linux')dnl
OSTYPE(`linux')
dnl Uncomment and edit the following line if your mail needs to be sent out
dnl through an external mail server:
dnl define(`SMART_HOST',`smtp.your.provider')
define(`confDEF_USER_ID',``8:12'')dnl
undefine(`UUCP_RELAY')dnl
undefine(`BITNET_RELAY')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `200')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confCACERT_PATH',`/usr/share/ssl/certs')
dnl define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
dnl define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
dnl define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
define(`confLOCAL_MAILER', `cyrusv2')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl The '-t' option will retry delivery if e.g. the user runs over his quota.
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl This changes sendmail to only listen on the loopback device 127.0.0.1
dnl and not on any other network devices. Comment this out if you want
dnl to accept email over the network.
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
dnl NOTE: binding both IPv4 and IPv6 daemon to the same port requires
dnl a kernel patch
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')
dnl We strongly recommend to comment this one out if you want to protect
dnl yourself from spam. However, the laptop and users on computers that do
dnl not have 24x7 DNS do need this.
FEATURE(`accept_unresolvable_domains')dnl
dnl FEATURE(`relay_based_on_MX')dnl
MAILER(smtp)dnl
dnl MAILER(procmail)dnl
MAILER(`cyrusv2')dnl
Cwlocalhost.localdomain
What creates the /var/imap/socket/lmtp file?
Hi,

Subject line says it all.

Thanks,
Ian
Re: What creates the /var/imap/socket/lmtp file?
It should be created by the master process when it starts up.

Ian McDonald wrote:
> Hi,
>
> Subject line says it all.
>
> Thanks,
> Ian

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
Re: /var/imap/socket/lmtp: makeconnection_ds
Maybe I'm off-base here, but this

[root@breakme mail]# telnet localhost lmtp

indicates lmtpd is listening on a TCP port, and /var/imap/socket/lmtp is a UNIX socket. Not the same thing, right? Maybe check your cyrus.conf to make sure you have the right lmtp service started?

Greg
Re: /var/imap/socket/lmtp: makeconnection_ds
In message [EMAIL PROTECTED], Greg Roberts writes:
> Maybe I'm off-base here, but this
>
> [root@breakme mail]# telnet localhost lmtp
>
> indicates lmtpd is listening on a TCP port, and /var/imap/socket/lmtp is a
> UNIX socket.

BTW, this reminds me. Are there any handy utilities out there that will assist you in interfacing with a UNIX socket?

-- 
Ted Cabeen           http://www.pobox.com/~secabeen            [EMAIL PROTECTED]
Check Website or Keyserver for PGP/GPG Key BA0349D2           [EMAIL PROTECTED]
"I have taken all knowledge to be my province." -F. Bacon      [EMAIL PROTECTED]
"Human kind cannot bear very much reality." -T.S.Eliot         [EMAIL PROTECTED]
Re: /var/imap/socket/lmtp: makeconnection_ds
Ted Cabeen wrote:
> In message [EMAIL PROTECTED], Greg Roberts writes:
>> Maybe I'm off-base here, but this
>>
>> [root@breakme mail]# telnet localhost lmtp
>>
>> indicates lmtpd is listening on a TCP port, and /var/imap/socket/lmtp is
>> a UNIX socket.
>
> BTW, this reminds me. Are there any handy utilities out there that will
> assist you in interfacing with a UNIX socket?

I don't know of any general utilities, but in the context of Cyrus lmtpd, you can use the deliver program in LMTP mode (deliver -l) to open a telnet-style connection to lmtpd listening on a UNIX socket.

Ken

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
Re: /var/imap/socket/lmtp: makeconnection_ds
On Tue, 05 Nov 2002, Ted Cabeen wrote:
> BTW, this reminds me. Are there any handy utilities out there that will
> assist you in interfacing with a UNIX socket?

http://www.dest-unreach.org/socat/

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
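The following is an added example for the sub-thread above (Ian's "unsafe domain socket" / "No such file or directory" report, Greg's point that a TCP listener and the UNIX socket are different things, and Ted's question about tools for talking to a UNIX socket). It is not code from the thread, from Cyrus or from sendmail. It checks a socket path the way an administrator would before pointing the cyrusv2 mailer at it, then speaks enough LMTP over AF_UNIX to read the banner and the LHLO extension list, which is what `deliver -l` or socat give you interactively. The directory-permission checks are this example's own approximation of why an MTA would call a socket unsafe; sendmail's actual safefile() rules are stricter and are not reproduced here. A stub LMTP responder is bundled so the script runs offline; its banner, extension list and temporary socket path are constructed test data, not a real lmtpd.

```python
"""Added example (not from Cyrus/sendmail or the thread): sanity-check a
UNIX-domain LMTP socket path, then probe it with LHLO over AF_UNIX.
The stub server, its banner and its extension list are constructed."""
import os
import socket
import stat
import tempfile
import threading

STUB_EXTENSIONS = ["8BITMIME", "ENHANCEDSTATUSCODES", "PIPELINING", "SIZE",
                   "IGNOREQUOTA"]


def check_socket_path(path):
    """Return a list of problems with a UNIX-socket path; [] means it looks OK."""
    problems = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["%s: No such file or directory (is master running with an "
                "lmtpunix service in cyrus.conf?)" % path]
    if not stat.S_ISSOCK(st.st_mode):
        problems.append("%s: not a UNIX socket" % path)
    # A group/world-writable ancestor without the sticky bit lets another
    # local user replace the socket with their own and read all mail.
    d = os.path.dirname(os.path.abspath(path))
    while True:
        mode = os.stat(d).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH) and not mode & stat.S_ISVTX:
            problems.append("%s: writable by group/other" % d)
        parent = os.path.dirname(d)
        if parent == d:
            return problems
        d = parent


def _read_reply(f):
    """Read one SMTP/LMTP reply, continuation ('250-') lines included."""
    lines = []
    while True:
        line = f.readline().decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return lines


def lhlo_over_unix_socket(path, hostname="probe.example"):
    """Connect over AF_UNIX, read the banner, send LHLO then QUIT, and
    return the banner plus the extensions the server advertised."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(5)
        s.connect(path)
        f = s.makefile("rb")
        banner = _read_reply(f)
        if not banner[0].startswith("220"):
            raise RuntimeError("unexpected banner: %r" % banner)
        s.sendall(("LHLO %s\r\n" % hostname).encode("ascii"))
        reply = _read_reply(f)
        if not reply[0].startswith("250"):
            raise RuntimeError("LHLO rejected: %r" % reply)
        s.sendall(b"QUIT\r\n")
        _read_reply(f)
        return {"banner": banner[0], "extensions": [l[4:] for l in reply[1:]]}


def start_stub_lmtpd(path):
    """Constructed stand-in for lmtpd on a UNIX socket; serves one client."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn, conn.makefile("rb") as f:
            conn.sendall(b"220 stub LMTP ready\r\n")
            for line in f:
                cmd = line.split(b" ", 1)[0].strip().upper()
                if cmd == b"LHLO":
                    items = ["stub"] + STUB_EXTENSIONS
                    last = len(items) - 1
                    reply = "".join("250%s%s\r\n" % ("-" if i < last else " ", x)
                                    for i, x in enumerate(items))
                    conn.sendall(reply.encode("ascii"))
                elif cmd == b"QUIT":
                    conn.sendall(b"221 2.0.0 bye\r\n")
                    return
                else:
                    conn.sendall(b"500 5.5.1 unknown command\r\n")

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return t


def run_demo():
    """Show the missing-socket failure, then start the stub and probe it."""
    d = tempfile.mkdtemp(prefix="lmtp-probe-")
    path = os.path.join(d, "lmtp")      # hypothetical path, not /var/imap
    before = check_socket_path(path)    # socket absent, as in the report
    t = start_stub_lmtpd(path)
    after = check_socket_path(path)     # now a real socket
    probe = lhlo_over_unix_socket(path)
    t.join(5)
    os.unlink(path)
    os.rmdir(d)
    return {"before": before, "after": after, "probe": probe}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Against a real server you would call `check_socket_path("/var/imap/socket/lmtp")` and `lhlo_over_unix_socket("/var/imap/socket/lmtp")` as the user sendmail runs the mailer as; a "No such file" result points at cyrus.conf (no lmtpunix service, or master not running), while a TCP telnet succeeding proves nothing about the socket path, which is Greg's point.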
Re: Murder / LDAP / SASL Problem... END
Just to give this thread some closure... I've abandoned the effort to get this to work for now... Since I can always add it on later... I'll just wait a bit until these issues are shaken out a little more... I would think that in a large environment where a murder might be used... it will be common to use an LDAP backend... so I'll be lurking... seeing what others come up with.

In the meantime... I'll be putting in a virtualized SAN... with the ability to do local mirrors and long distance replication... making the boot disk and data 'portable' and that should be enough to cover for single machine hardware failures... and there is always per user transport LDAP lookups in postfix for multiple cyrus stores... that should cover my bases for the next year or two.

Thanks for the input...

jared

Rob Siemborski wrote:
> On Thu, 31 Oct 2002, Jared Watkins wrote:
>
>>> Do you have a copy of the entire log I could look at (since you've
>>> already sent the passwords to a public list, I'm guessing you don't
>>> really care about them any more)?
>>
>> The only log entry I get on the backend.. even with CYRUS_VERBOSE turned
>> up... is this:
>>
>> Oct 31 11:30:53 is8000new imapd[19749] badlogin: [10.10.100.42] PLAIN
>> [SASL (-4): no mechanism available: security flags do not match required]
>>
>> The tcpdump log for this action follows... ignore the differences in
>> time stamps.. This is all I've been able to go by for logs... if there
>> is some way of getting more detailed logs from cyrus.. let me know and
>> I'll try that. Oh and no I'm not concerned with passwords.. these are
>> all test systems on a private network.
>
> Is imtest selecting PLAIN as its mechanism? I have a feeling you're
> getting screwed because in general you can't use PLAIN without an
> external security layer (e.g. TLS) present.
>
> One thing you can try is removing the backend1_mechs line from your
> frontend's imapd.conf, and see if that makes it do the same thing that
> imtest is doing.
>
> I'm not sure what the correct approach is in your situation with
> currently-written code, since you really want to be using DIGEST-MD5 or
> another challenge-response mechanism that supports proxying to
> authenticate to the backends, but you need to keep the full user database
> in LDAP (and the full user list needs to be able to authenticate to the
> backends, as referrals are always a possibility). It may be worthwhile to
> look into the LDAP auxprop patch to make this possible (or you can try
> having a sasldb2 with just the frontend's id's in it, and fall back to
> PLAIN for the rest, but this requires clients to not get upset when
> authenticating via DIGEST-MD5 fails).
>
> The bad way to fix this is to change this line in imapd.c:
>
>     secprops = mysasl_secprops(SASL_SEC_NOPLAINTEXT);
>
> to:
>
>     secprops = mysasl_secprops(0);
>
> (it occurs twice)
>
> -Rob
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
> Research Systems Programmer * /usr/contributed Gatekeeper
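As an added example covering two of Rob's answers on this page (the mechanism-to-backend list in the "SASL Docs" reply, and the explanation here of why PLAIN fails against a backend without TLS), the script below models the client-side mechanism filtering that libsasl does when Cyrus passes SASL_SEC_NOPLAINTEXT. It is not code from Cyrus SASL or from anyone in the thread. The backend table is copied from Rob's list; the preference order, the set of proxy-capable mechanisms (beyond LOGIN, which Rob says lacks proxy authorization) and the CAPABILITY lines are this example's own assumptions and constructed inputs.

```python
"""Added example, not Cyrus SASL code: model why a client refuses PLAIN on
a bare connection and reports "security flags do not match required".
BACKEND comes from Rob's list; PREFERENCE and PROXY_CAPABLE are assumptions."""
import re

# Server-side backend each mechanism needs (from the "SASL Docs" reply).
BACKEND = {
    "ANONYMOUS": "none",
    "PLAIN": "saslauthd or auxprop",
    "LOGIN": "saslauthd or auxprop",
    "CRAM-MD5": "auxprop",
    "DIGEST-MD5": "auxprop",
    "NTLM": "auxprop",
    "OTP": "auxprop",
    "SRP": "auxprop",
    "KERBEROS_V4": "separate infrastructure",
    "GSSAPI": "separate infrastructure",
}

# Mechanisms that send the password in the clear. Cyrus IMAP asks libsasl
# for SASL_SEC_NOPLAINTEXT unless an external security layer (TLS) is up,
# so these are filtered out of the candidate list on a bare connection.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Mechanisms that carry a separate authorization identity, which a murder
# frontend needs to proxy as the end user. LOGIN cannot (per Rob); the rest
# of this set is an assumption of the example.
PROXY_CAPABLE = {"GSSAPI", "DIGEST-MD5", "SRP", "PLAIN"}

# Client preference, strongest first (assumption; libsasl scores strength).
PREFERENCE = ["GSSAPI", "KERBEROS_V4", "SRP", "DIGEST-MD5", "CRAM-MD5",
              "OTP", "NTLM", "PLAIN", "LOGIN"]


def parse_capability(line):
    """Return the AUTH= mechanisms advertised in an IMAP CAPABILITY line."""
    return re.findall(r"\bAUTH=([A-Z0-9_-]+)", line)


def backend_requirements(mechs):
    """Map each offered mechanism to the backend it needs on the server."""
    return {m: BACKEND.get(m, "unknown") for m in mechs}


def select_mechanism(offered, tls_active, need_proxy=False):
    """Pick a mechanism the way a client with NOPLAINTEXT secprops would.

    Returns (mechanism, None) on success or (None, reason) on failure."""
    offered = set(offered)
    dropped_by_secprops = False
    for mech in PREFERENCE:
        if mech not in offered:
            continue
        if mech in PLAINTEXT_MECHS and not tls_active:
            dropped_by_secprops = True       # SASL_SEC_NOPLAINTEXT in effect
            continue
        if need_proxy and mech not in PROXY_CAPABLE:
            continue
        return mech, None
    if dropped_by_secprops:
        # The condition behind the backend's badlogin line quoted above.
        return None, "no mechanism available: security flags do not match required"
    return None, "no mechanism available"


if __name__ == "__main__":
    # Constructed capability line: a backend that offers only PLAIN.
    caps = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN"
    mechs = parse_capability(caps)
    print(backend_requirements(mechs))
    print(select_mechanism(mechs, tls_active=False))  # fails like the log
    print(select_mechanism(mechs, tls_active=True))   # PLAIN now acceptable
```

The `need_proxy` flag is what makes Rob's dilemma visible: with LOGIN and CRAM-MD5 on offer and proxying required, nothing is selectable even over TLS, while DIGEST-MD5 (which needs an auxprop backend holding the user's secret, hence the LDAP auxprop suggestion) satisfies both constraints. Rob's "bad way" of passing 0 instead of SASL_SEC_NOPLAINTEXT corresponds to calling `select_mechanism(..., tls_active=True)` on a connection that is not actually protected.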
250 IGNOREQUOTA configuration
Hello,

I think this could be a stupid question, but why does Cyrus respond IGNOREQUOTA to sendmail when the mail transaction begins?

C 220 sinclair LMTP Cyrus v2.1.9 ready
S LHLO mail.palermo.edu.ar
C 250-sinclair
C 250-8BITMIME
C 250-ENHANCEDSTATUSCODES
C 250-PIPELINING
C 250-SIZE
C 250-AUTH EXTERNAL
C 250 IGNOREQUOTA

These are the first lines in an email transaction process [this was read using my own perl script to do a bridge between cyrus and sendmail to filter mails]. I know this message is only for sendmail, but in fact Cyrus is not checking email quota. Where can I configure that?

thanks a lot

Felix

-- 
Felix Cuello  [EMAIL PROTECTED]
Qodiga/its
Av. Santa Fe 882 P.13 Of. E
C.P. ABP1059C
Tel.: (54) 011 - 4312-1698
Buenos Aires - Argentina