Re: cyrus-2.2-cvs: virtualdomains and sendmail virtusertable (cyrusv2as local mailer)
Ilan Rabinovitch wrote:

> Hello Christian,
>
> Any chance I can get a look at your sendmail.mc or sendmail.cf files. I'm trying to accomplish the same as you but following your thread of e-mails on the list I can't seem to reach the same point as you.
>
> Thanks,
> Ilan

I solved it! I tried to deliver to a local alias by using localalias@machine all the time and if I only use localalias the expansion also works for me.

I modified your patch a bit to get the default domain (mainly the hostname of the machine) not appended to local names by simply putting one rule before yours:

R$+ < @ $j . > $#_LOCAL_ $: $1

So all email being sent to the local machine will not get the @domain appended to their names and so cyrus can expand aliases to this domain also! Now I am able to map to localaliases in virtusertable by specifying @domain.itlocalalias@machinename

You really helped me a lot! Thanks!

--Christian--

Modified patch:

I am sure that changing the syntax of local usernames to containing a non-allowed @ character in rule 0 for the whole sendmail installation will definitely become strange when it comes to UUCP mailers or whatever other mailers used, but I really read a lot of sendmail documentation of where to get the @domain part into local usernames and I cannot find a better place to do it elsewhere. Only using MAILER(smtp) and MAILER(cyrusv2) in sendmail.mc with cyrusv2 being defined as the local mailer everything works for me as I needed it to but complex sites who have to deal with many other mailers in their sendmail.mc files will get into problems I think. So I would not recommend to use this for such sites!

1094,1097c1094,1096 < R< > $+ < $+ > $#_LOCAL_ $: @ $1 nope, local address', < `R$=L < @ $=w . > $#_LOCAL_ $: @ $1`@'$2 special local names < R$+ < @ $j . > $#_LOCAL_ $: $1 < R$+ < @ $=w . > $#_LOCAL_ $: $1`@'$2 regular local name') --- R< > $+ < $+ > $#_LOCAL_ $: @ $1 nope, local address', `R$=L < @ $=w . > $#_LOCAL_ $: @ $1 special local names R$+ < @ $=w . 
> $#_LOCAL_ $: $1 regular local name')
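Review bot: The diff direction looks reversed. The "<" side (first file, lines 1094-1097) is the one that carries the new "R$+ < @ $j . >" rule and the "@'$2" suffix on the two "$=w" rules, while the ">" side is the three-line version without them, so applied as posted it would take the change out rather than put it in. Please regenerate it with the unmodified file first, preferably as a unified diff that names the file, since "1094,1097c1094,1096" only lines up against a tree with identical line numbers. A short comment next to the "$j" rule saying that it must stay ahead of the "R$+ < @ $=w . >" rule would also help, because the message describes the behaviour as depending on that order.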
CVS 2.2 no longer compilable under Red Hat 7.3?
Something in CVS 2.2 changed since 26 Sept 2002 that apparently makes for trouble compiling it under Red Hat 7.3.

(1) The first issue is probably just a lack of a #include before using a struct tm in lib/mkgmtime.c (make output at end of message). There is a similar omission (of #include ) in lib/gmtoff_tm.c as well. Why wouldn't a .c file include its own .h file? Must be an 'in progress' minor buglet.

(2) Hacking those in gets me slightly further, but then I get

gcc -c -I.. -I/usr/include/et -I/usr/local/include -I/usr/include -DHAVE_CONFIG_H -I. -I. -Wall -O2 -march=i386 -mcpu=i686 -fPIC \
cyrusdb.c
cyrusdb.c: In function `cyrusdb_init':
cyrusdb.c:77: `FNAME_DBDIR' undeclared (first use in this function)
cyrusdb.c:77: (Each undeclared identifier is reported only once
cyrusdb.c:77: for each function it appears in.)
make: *** [cyrusdb.o] Error 1

which I have not (yet?) figured out. FNAME_DBDIR is defined in acconfig.h but nowhere else. Hacking its value (of "/db") into the end of lib/cyrusdb.h gets me further... but I know that's a bad approach! Do I have an underlying autoconf or configure problem?

(3) Even then, I soon get something about MASTER_PIDFILE in master.c ...

Is CVS for 2.2 currently intentionally unusable? If so, when is it likely to become reasonably safe to grab and use once more? Or, am I just being (even) more dense than usual? If so, help getting the current CVS tree to compile would be welcomed :-)

Thanks,
Jonathan

PS. There is also an issue with the search for libdes failing if I try to compile with Kerberos support, which I think is an older issue that has returned to haunt me? RH 7.3 lacks a libdes.a library, the needed functions are in libdes425.a instead. Looks like the configure checks got stricter, and now break on RH 7.3, though in September they worked OK?

make[1]: Entering directory `/home/jonathan/cyrus-imapd-2.2/lib'
gcc -c -I.. -I/usr/local/include -DHAVE_CONFIG_H -I. -I. -Wall -g -O2 \
acl.c
gcc -c -I.. -I/usr/local/include -DHAVE_CONFIG_H -I. -I. -Wall -g -O2 \
assert.c
gcc -c -I.. -I/usr/local/include -DHAVE_CONFIG_H -I. -I. -Wall -g -O2 \
bsearch.c
gcc -c -I.. -I/usr/local/include -DHAVE_CONFIG_H -I. -I. -Wall -g -O2 \
charset.c
gcc -c -I.. -I/usr/local/include -DHAVE_CONFIG_H -I. -I. -Wall -g -O2 \
glob.c
gcc -c -I.. -I/usr/local/include -DHAVE_CONFIG_H -I. -I. -Wall -g -O2 \
retry.c
gcc -c -I.. -I/usr/local/include -DHAVE_CONFIG_H -I. -I. -Wall -g -O2 \
util.c
gcc -c -I.. -I/usr/local/include -DHAVE_CONFIG_H -I. -I. -Wall -g -O2 \
libcyr_cfg.c
gcc -c -I.. -I/usr/local/include -DHAVE_CONFIG_H -I. -I. -Wall -g -O2 \
mkgmtime.c
mkgmtime.c: In function `tmcomp':
mkgmtime.c:102: dereferencing pointer to incomplete type
mkgmtime.c:102: dereferencing pointer to incomplete type
mkgmtime.c:103: dereferencing pointer to incomplete type
mkgmtime.c:103: dereferencing pointer to incomplete type
mkgmtime.c:104: dereferencing pointer to incomplete type
mkgmtime.c:104: dereferencing pointer to incomplete type
mkgmtime.c:105: dereferencing pointer to incomplete type
mkgmtime.c:105: dereferencing pointer to incomplete type
mkgmtime.c:106: dereferencing pointer to incomplete type
mkgmtime.c:106: dereferencing pointer to incomplete type
mkgmtime.c:107: dereferencing pointer to incomplete type
mkgmtime.c:107: dereferencing pointer to incomplete type
mkgmtime.c:100: warning: `result' might be used uninitialized in this function
mkgmtime.c: In function `mkgmtime':
mkgmtime.c:119: storage size of `yourtm' isn't known
mkgmtime.c:121: dereferencing pointer to incomplete type
mkgmtime.c:137: warning: implicit declaration of function `gmtime'
mkgmtime.c:137: warning: assignment makes pointer from integer without a cast
mkgmtime.c:119: warning: unused variable `yourtm'
mkgmtime.c:117: warning: `saved_seconds' might be used uninitialized in this function
make[1]: *** [mkgmtime.o] Error 1
make[1]: Leaving directory `/home/jonathan/cyrus-imapd-2.2/lib'
make: *** [all] Error 1
Experimental LDAP ptloader support
I've just committed the initial version of the LDAP ptloader code to the 2.2 CVS branch.

Many caveats:

a) no documentation yet (other than the imapd.conf options, which should be most of what you need).
b) I'm not quite sure what to do with realms.
c) I want some of the people more experienced with writing LDAP applications to take a look at what I've done here, and give their opinions on how to fix it (especially with patches). I've noted particularly questionable sections of ptclient/ldap.c with "xxx" if you're feeling adventurous.

Quick summary:

give --with-auth=pts and --with-pts=ldap to configure

Then, fill in the appropriate imapd.conf options, and away you go (hopefully).

Note that if you don't use ptloader now, you will need to create the ptclient directory in the imap configdirectory. ptloader should be configured (in cyrus.conf) to listen on /ptloader/ptsock

On the LDAP server side, we want to be able to fetch a multivalued attribute that contains all the groups that a dn is a member of.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski | Andrew Systems Group * Research Systems Programmer
PGP:0x5CE32FCC | Cyert Hall 207 * [EMAIL PROTECTED] * 412.268.7456
-BEGIN GEEK CODE BLOCK
Version: 3.12
GCS/IT/CM/PA d- s+: a-- C$ ULS$ P+++$ L+++() E W+ N o? K- w O- M-- V-- PS+ PE++ Y+ PGP+ t+@ 5+++ R@ tv-@ b+ DI+++ G e h r- y?
--END GEEK CODE BLOCK-
Re: Why are only admins allowed to AUTH to lmtpd?
Rob Siemborski wrote:

> On Fri, 3 Jan 2003, Kevin P. Fleming wrote:
>
> > This is all working fine, except that I had to add my dummy authentication user
> > (which I create solely for Exim to authenticate itself to lmtpd with) to the
> > "admins" entry in /etc/imapd.conf. I had to do this because lmtpd specifically
> > allows only admins to authenticate.
>
> use lmtp_admins if you don't want to give that user full admin rights.

OK, I hadn't found that option yet. It's perfect for what I need.

> > Is there any particular reason why? It's not a big deal for me, but when
> > I document this configuration for other people I'm sure this will raise
> > some eyebrows.
>
> There's no reason regular users should be submitting to the LMTP server,
> they should be submitting using SMTP to an SMTP server, and then the LMTP
> server trusts the SMTP server. This (admittedly marginally) simplifies the
> authorization code in lmtpd.

True enough. In my case, the LMTP server listens only on a TCP socket on the loopback interface, and there are no shell accounts on this system, so it's fairly secure already.
Re: Why are only admins allowed to AUTH to lmtpd?
Lawrence Greenfield wrote:

> --On Friday, January 03, 2003 12:48 PM -0700 "Kevin P. Fleming" wrote:
>
> > This is all working fine, except that I had to add my dummy
> > authentication user (which I create solely for Exim to authenticate
> > itself to lmtpd with) to the "admins" entry in /etc/imapd.conf. I had to
> > do this because lmtpd specifically allows only admins to authenticate.
> >
> > Is there any particular reason why? It's not a big deal for me, but when
> > I document this configuration for other people I'm sure this will raise
> > some eyebrows.
>
> Allowing anonymous users to directly submit via LMTP would defeat any accounting done in the MTA and allow for perfectly forged Received headers. Allowing arbitrary users to authenticate could be just as bad with the current code, though it could be modified---but it's not clear it's worth it. Since there are some LMTP extensions like IGNOREQUOTA that require administrative rights, it doesn't seem worthwhile to try to get finer grained authorization than "lmtp_admins".

I responded to most of that in my reply to Rob, but thanks for the additional information. lmtp_admins will do exactly what I need.
Re: Why are only admins allowed to AUTH to lmtpd?
--On Friday, January 03, 2003 12:48 PM -0700 "Kevin P. Fleming" <[EMAIL PROTECTED]> wrote:

> This is all working fine, except that I had to add my dummy authentication user (which I create solely for Exim to authenticate itself to lmtpd with) to the "admins" entry in /etc/imapd.conf. I had to do this because lmtpd specifically allows only admins to authenticate.
>
> Is there any particular reason why? It's not a big deal for me, but when I document this configuration for other people I'm sure this will raise some eyebrows.

Allowing anonymous users to directly submit via LMTP would defeat any accounting done in the MTA and allow for perfectly forged Received headers. Allowing arbitrary users to authenticate could be just as bad with the current code, though it could be modified---but it's not clear it's worth it. Since there are some LMTP extensions like IGNOREQUOTA that require administrative rights, it doesn't seem worthwhile to try to get finer grained authorization than "lmtp_admins".

Larry
Re: Why are only admins allowed to AUTH to lmtpd?
On Fri, 3 Jan 2003, Amos Gouaux wrote:

> rs> There's no reason regular users should be submitting to the LMTP server,
> rs> they should be submitting using SMTP to an SMTP server, and then the LMTP
> rs> server trusts the SMTP server. This (admittedly marginally) simplifies the
> rs> authorization code in lmtpd.
>
> How does the posting ("p") right fit in?

Each message in an LMTP session gets its own authorization identity, which is checked against the ACL of the mailbox.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
Re: Why are only admins allowed to AUTH to lmtpd?
> On Fri, 3 Jan 2003 14:55:10 -0500 (EST),
> Rob Siemborski <[EMAIL PROTECTED]> (rs) writes:

rs> There's no reason regular users should be submitting to the LMTP server,
rs> they should be submitting using SMTP to an SMTP server, and then the LMTP
rs> server trusts the SMTP server. This (admittedly marginally) simplifies the
rs> authorization code in lmtpd.

How does the posting ("p") right fit in?

--
Amos
Why are only admins allowed to AUTH to lmtpd?
I have modified my configuration here so that now my MTA (Exim 4.12) uses RFC2554 authentication to identify itself to lmtpd. This was done so that Exim could supply AUTH= on the MAIL FROM: line, thus eliminating the need to add "anyone p" ACLs to subfolders in order to allow direct subfolder delivery.

This is all working fine, except that I had to add my dummy authentication user (which I create solely for Exim to authenticate itself to lmtpd with) to the "admins" entry in /etc/imapd.conf. I had to do this because lmtpd specifically allows only admins to authenticate.

Is there any particular reason why? It's not a big deal for me, but when I document this configuration for other people I'm sure this will raise some eyebrows.
Re: Why are only admins allowed to AUTH to lmtpd?
On Fri, 3 Jan 2003, Kevin P. Fleming wrote:

> This is all working fine, except that I had to add my dummy authentication user
> (which I create solely for Exim to authenticate itself to lmtpd with) to the
> "admins" entry in /etc/imapd.conf. I had to do this because lmtpd specifically
> allows only admins to authenticate.

use lmtp_admins if you don't want to give that user full admin rights.

> Is there any particular reason why? It's not a big deal for me, but when
> I document this configuration for other people I'm sure this will raise
> some eyebrows.

There's no reason regular users should be submitting to the LMTP server, they should be submitting using SMTP to an SMTP server, and then the LMTP server trusts the SMTP server. This (admittedly marginally) simplifies the authorization code in lmtpd.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
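The thread above settles on putting the MTA's authentication user in lmtp_admins instead of admins. As an added example (not code from Cyrus or from any poster in this thread), the following check reads an imapd.conf and reports delivery-only accounts that still hold full admin rights; the account names and the sample configuration are constructed, and the "delivery_only" list is an assumption the operator supplies.

```python
# Added example, not Cyrus code: audit imapd.conf for MTA service accounts
# that were put in "admins" only so that they can AUTH to lmtpd.

def parse_imapd_conf(text):
    """Return {option: value} from 'option: value' lines, skipping '#' comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            opts[key.strip().lower()] = value.strip()
    return opts


def userlist(opts, name):
    """Split a whitespace-separated userid option into a set."""
    return set(opts.get(name, "").split())


def audit_lmtp_accounts(conf_text, delivery_only):
    """Check each delivery-only account (operator-supplied, hypothetical names).

    Per the thread, lmtpd accepts AUTH from userids in 'admins' or
    'lmtp_admins'; only the latter avoids granting full admin rights.
    """
    opts = parse_imapd_conf(conf_text)
    admins = userlist(opts, "admins")
    lmtp_admins = userlist(opts, "lmtp_admins")
    findings = []
    for user in sorted(delivery_only):
        if user in admins:
            findings.append((user, "over-privileged",
                             "listed in admins; move to lmtp_admins"))
        elif user not in lmtp_admins:
            findings.append((user, "cannot-auth",
                             "in neither admins nor lmtp_admins"))
    return {
        "lmtp_auth_allowed": sorted(admins | lmtp_admins),
        "findings": findings,
    }


# Constructed sample configuration; userids are made up for the example.
SAMPLE_CONF = """\
# /etc/imapd.conf (constructed sample)
configdirectory: /var/imap
admins: cyrus eximlmtp
lmtp_admins: postman
"""

if __name__ == "__main__":
    report = audit_lmtp_accounts(SAMPLE_CONF, {"eximlmtp", "postman", "mailer2"})
    print("may AUTH to lmtpd:", ", ".join(report["lmtp_auth_allowed"]))
    for user, kind, detail in report["findings"]:
        print(f"{user}: {kind} ({detail})")
```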
Yet another mail-restore question...
Has anybody on the list made a detailed doc about how to restore the maildb in case of disaster? I mean a short, quick note with step-by-step commands to execute, to quickly get back in business?

If for some reason the system crashes, it sure would have been nice to have a doc at hand to quickly restore the imap-system, saving time, and not having to browse the whole documentation when the sweat is dripping and the stress-level is at a dangerous level :-)

A copy of such a doc would have been reassuring (Running Cyrus imap/sasl 2.1.5 on RedHat 7.3)

Regards
bryntez
Re: restoring from backup individual messages/folders
Hello,

This is practically verbatim what we do at NCSU. We create a folder named BACKUP in their regular inbox and then restore their account from the requested date to that folder. Subscriptions need to be updated and quotas set for the BACKUP folder. We then delete it after two weeks. :)

We do limit the number of restoration attempts to find something though, to two. We also only keep four weeks of data on tape. We use Veritas with a tape library for the backups. Worlds away better than what we were doing with ufsdump/ufsrestore.

The idea of not actually deleting a message when a user flags it to go away has other implications besides easy restoration. How does that affect user quota, for example? File space usage for the machine in general, ie, how much data should you keep? Measure that in terms of time or space, or some mix of the two? Satisfactory answers to these questions would probably require a substantial redesign of the IMAP server software.

Regards,
Earl Shannon
--
Systems Programmer, Computing Services, Information Technology
NC State University.
http://www.earl.ncsu.edu

Dave McMurtrie wrote:
>
> On Thu, 2 Jan 2003, Hein Roehrig wrote:
>
> > I would be interested in what kind of services&strategies admins here
> > offer to users regarding restoring accidentally deleted (&expunged)
> > messages.
> >
> > In particular, while it is relatively safe to backup a running Cyrus
> > and in the case of disaster reconstruct all mailboxes, stopping Cyrus
> > for reconstructing a single mailbox seems unacceptable.
>
> I'd prefer it if we only did disaster recovery restores here (if we delete
> your data, we'll get it back -- if you delete it, tough rocks) but that's
> not the case.
>
> When a user requests a restore, we create (via IMAP protocol) a subfolder
> in their INBOX and give it a separate quota root. This subfolder will
> contain their restored INBOX and all restored subfolders. The mail files
> are copied into the filesystem and then the restore folders are
> reconstructed (which doesn't require us to stop cyrus). The user is then
> free to browse through their restore subfolders and copy any messages they
> need. After 14 days, their entire restore hierarchy is deleted.
>
> Even though this whole process is automated, it's still a pain.
>
> Thanks,
>
> Dave
> --
> Dave McMurtrie, Systems Programmer
> University of Pittsburgh
> Computing Services and Systems Development,
> Development Services -- UNIX and VMS Services
> 717P Cathedral of Learning
> (412)-624-6413

--
Systems Programmer, Computing Services, Information Technology
NC State University.
http://www.earl.ncsu.edu
Re: Problems with authentication
Hi,

> If you're just going to use sasldb, use the "auxprop" pwcheck_method, and
> don't bother with saslauthd.
>

ok. This has solved my problem ;-) Thx.

Regards,
Michael Obster
Re: is there any patch for mails with big5 charset message header?
hunt wrote:
>
> Hi,
> I am wondering if there has been any patch for the big5 charset
> message header.
> ( I mean always use big5 charset to encode/decode message header).
> For Chinese usage, this is kind of obvious issue. But I can not find
> any.
>
> Any help is appreciated. Thanks.

AFAICT, Cyrus has big5 support (look in lib/charset/ in the distro), but this is only used for SEARCH. If you want the headers to be decoded in your client, that is a client issue.

--
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
Re: cyrus imapd + multiple domains
> Danny Garcia Hernandez wrote:
>
> hello list!!!
>
> the year begun, but for me it's time to go and work :( .
>
> well, here is my problem. i have a linux box running cyrus imapd
> server (2.1.9) with cyrus-sasl (2.1.9) and compiled with
> "--with-auth=unix". all is working fine!!!.
>
> right now, we are hosting other domains and we want to give them
> mail service through the actual imap server. i was reading and
> looking for docs, and i have found a very similar situation but using
> ip alias (i can't use that). please, can anybody expose a solution to
> configure cyrus imapd with multiple domains.

Take a look at the Cyrus 2.2 branch in CVS. Here is a link to the relevant doc:

http://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/~checkout~/src/cyrus/doc/Attic/install-virtdomains.html?rev=1.1.2.5&content-type=text/html&hideattic=0&only_with_tag=cyrus-imapd-2_2

--
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
Re: Problems with authentication
On Fri, 3 Jan 2003, Michael Obster wrote:

> where can I say which one saslauthd should use.
> Btw. I have tried to give saslauthd the mechanism by:
> saslauthd -a sasldb ...
> but i get an unknown mechanism error. other methods also tried and there i get the
> same.

If you're just going to use sasldb, use the "auxprop" pwcheck_method, and don't bother with saslauthd.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
Re: Problems with authentication
Hi,

> Are you logging cyrus (local6.debug) and SASL (auth.debug)? If so, what do
> they say?

auth.log:
Jan 3 11:16:06 gutmann saslauthd[1536]: START: saslauthd 2.1.10
Jan 3 11:16:06 gutmann saslauthd[1536]: FATAL: no authentication mechanism specified
Jan 3 11:16:53 gutmann imapd[1544]: unknown password verifier

where can I say which one saslauthd should use.
Btw. I have tried to give saslauthd the mechanism by:
saslauthd -a sasldb ...
but i get an unknown mechanism error. other methods also tried and there i get the same.

Regards,
Michael
is there any patch for mails with big5 charset message header?
Hi,

I am wondering if there has been any patch for the big5 charset message header. ( I mean always use big5 charset to encode/decode message header). For Chinese usage, this is kind of obvious issue. But I can not find any.

Any help is appreciated. Thanks.

hunt
cyrus imapd + multiple domains
hello list!!!

the year begun, but for me it's time to go and work :( .

well, here is my problem. i have a linux box running cyrus imapd server (2.1.9) with cyrus-sasl (2.1.9) and compiled with "--with-auth=unix". all is working fine!!!.

right now, we are hosting other domains and we want to give them mail service through the actual imap server. i was reading and looking for docs, and i have found a very similar situation but using ip alias (i can't use that). please, can anybody expose a solution to configure cyrus imapd with multiple domains.

thanks in advance

danny