imtest problems
Hello List, I'm trying to install a Cyrus imapd server to control mail for multiple domains. After installing cyrus-sasl, I tested the saslauthd daemon using testsaslauthd, and all was working fine: testsaslauthd authenticates user + realm successfully (./testsaslauthd -u test -p test -r .com). The problem is with imtest after installing cyrus-imapd: imtest fails (./imtest -m login -a [EMAIL PROTECTED] 192.168.1.170). In the log file I can see the authfail command from saslauthd. I have added another user without a realm to the sasldb2 database to do the same test, and now the system passes the testsaslauthd and imtest tests. I'm using version 2.1.9 of cyrus-imapd and cyrus-sasl, and the sasldblistusers2 output looks like this: [EMAIL PROTECTED]:userPassword test@server:userPassword Does anybody have any idea what is happening? Thanks in advance, Danny
Working Vacation??
Hi, Has anyone got sieve's vacation notifications to work? If you have, can you post your imapd.conf and cyrus.conf files and a sieve script? Haven't been able to get it to work, think everything has been tried and have run out of hair... ;) Regards, Mark Keasling [EMAIL PROTECTED]
LMTP said: 451 4.3.0 System I/O error
Hi, I'm running Cyrus Imapd and Postfix, and I have an error message:

Jan 9 07:05:00 mail postfix/lmtp[25297]: AFFCB272D42: to=[EMAIL PROTECTED], relay=public/lmtp[public/lmtp], delay=44688, status=deferred (host public/lmtp[public/lmtp] said: 451 4.3.0 System I/O error)

mail:/var/spool/postfix/public # ls -la
total 8
drwxr-xr-x 2 postfix root 4096 Dec 26 16:38 .
drwxr-xr-x 17 root postfix 4096 Nov 16 2001 ..
srwxrwxrwx 1 root root 0 Dec 18 13:08 lmtp
srw-rw-rw- 1 postfix postfix 0 Dec 26 16:38 pickup
srw-rw-rw- 1 postfix postfix 0 Dec 26 16:38 qmgr
srw-rw-rw- 1 postfix postfix 0 Dec 26 16:38 showq
mail:/var/spool/postfix/public #
mail:/var/spool/postfix/public # rpm -q cyrus-imapd
cyrus-imapd-2.0.16-327
mail:/var/spool/postfix/public # rpm -q cyrus-sasl
cyrus-sasl-1.5.24-184

I have a lot of disk space. Do you have an idea? The problem occurs for just one mail, but I don't know why. Can you help me? Thanks a lot, Sebastien.
Re: saslauthd performance anxiety
On Wed, 1 Jan 2003, Igor Brezac wrote: On Wed, 1 Jan 2003 [EMAIL PROTECTED] wrote: [...] Can anyone offer advice on tuning the saslauthd pool? Are there particular options, either on the command line or in saslauthd.conf, which I should be looking at? Try using 'ldap_auth_method: custom'. It is up to three times faster than the 'bind' method. Thanks for the suggestion. Unfortunately 'custom' wasn't an option for us, although we certainly could have benefited from it. The reason we can't use it is that to support password migration our shell back-end does mad things like: try binding to new server; if (failure) { try binding to old server; if (success) update user password in new server for next time; } Don't look at me, I just inherited it :-) This logic (to use the term loosely) makes it impossible to return a sensible response to a search on userPassword. Instead, I committed a gross hack and implemented a new method called auth_fastbind. It does away with the search and extra anonymous bind in auth_bind by making two assumptions: 1. Expanding the ldap_filter expression gives the fully-qualified DN 2. There is no cost to staying bound as a named user These held for our shell back-end, but I don't know how applicable they are to wider use. Still, if anyone's interested I've attached the patch (against 2.1.10). Simon Brady mailto:[EMAIL PROTECTED] Systems Specialist Ph. +64 3 479-5217 ITS Technical Services Fax +64 3 479-5080 University of Otago, Dunedin, New Zealand Mobile +64 27 411-6045 diff -ru cyrus-sasl-2.1.10.orig/saslauthd/lak.c cyrus-sasl-2.1.10/saslauthd/lak.c --- cyrus-sasl-2.1.10.orig/saslauthd/lak.c Fri Dec 6 02:54:58 2002 +++ cyrus-sasl-2.1.10/saslauthd/lak.c Fri Jan 10 00:19:45 2003 
@@ -70,6 +70,7 @@ static int lak_search(LAK *, const char *, const char **, LDAPMessage **); static int lak_auth_custom(LAK *, const char *, const char *, const char *); static int lak_auth_bind(LAK *, const char *, const char *, const char *); +static int lak_auth_fastbind(LAK *, const char *, const char *, const char *); static int lak_result_add(LAK *lak, const char *, const char *, LAK_RESULT **); static int lak_check_password(const char *, const char *, void *); static int lak_check_crypt(const char *, const char *, void *); @@ -179,6 +180,8 @@ } else if (!strcasecmp(key, ldap_auth_method)) { if (!strcasecmp(p, custom)) { conf-auth_method = LAK_AUTH_METHOD_CUSTOM; + } else if (!strcasecmp(p, fastbind)) { + conf-auth_method = LAK_AUTH_METHOD_FASTBIND; } } else if (!strcasecmp(key, ldap_timeout)) { conf-timeout.tv_sec = lak_config_int(p); @@ -917,6 +920,24 @@ } +static int lak_auth_fastbind(LAK *lak, const char *user, const char *realm, const +char *password) +{ + int rc; + char *dn = NULL; + + rc = lak_filter(lak, user, realm, dn); + if (rc != LAK_OK || dn == NULL) { + syslog(LOG_WARNING|LOG_AUTH, lak_filter failed.); + return LAK_FAIL; + } + + rc = lak_bind(lak, LAK_BIND_AS_USER, dn, password); + + free(dn); + return rc; +} + + int lak_authenticate(LAK *lak, const char *user, const char *realm, const char *password) { int rc; @@ -932,8 +953,10 @@ if (lak-conf-auth_method == LAK_AUTH_METHOD_BIND) { rc = lak_auth_bind(lak, user, realm, password); - } else { + } else if (lak-conf-auth_method == LAK_AUTH_METHOD_CUSTOM) { rc = lak_auth_custom(lak, user, realm, password); + } else { + rc = lak_auth_fastbind(lak, user, realm, password); } return rc; diff -ru cyrus-sasl-2.1.10.orig/saslauthd/lak.h cyrus-sasl-2.1.10/saslauthd/lak.h --- cyrus-sasl-2.1.10.orig/saslauthd/lak.h Fri Oct 18 10:30:58 2002 +++ cyrus-sasl-2.1.10/saslauthd/lak.h Fri Jan 10 00:19:45 2003 
@@ -53,6 +53,7 @@ #define LAK_AUTH_METHOD_BIND 0 #define LAK_AUTH_METHOD_CUSTOM 1 +#define LAK_AUTH_METHOD_FASTBIND 2 typedef struct lak_conf { char *path;
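Review bot: In the @@ -179,6 +180,8 @@ hunk of lak.c, the new fastbind value for ldap_auth_method arrives with no documentation anywhere in the patch, although the method only works when the expanded ldap_filter is a complete DN. Suggest documenting the value and that requirement next to the other ldap_auth_method settings, and logging a warning when the value matches none of the branches, since such values are currently ignored without comment.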
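Review bot: In the @@ -917,6 +920,24 @@ hunk of lak.c, lak_auth_fastbind passes password straight to lak_bind(lak, LAK_BIND_AS_USER, dn, password), and nothing in the visible lines rejects an empty password. Many LDAP servers treat a simple bind with a DN and a zero-length password as an unauthenticated bind and report success, which this function would return as a successful login. Suggest returning LAK_FAIL when password is NULL or empty before the bind, unless lak_authenticate already guarantees that ahead of the dispatch.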
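Review bot: In the @@ -932,8 +953,10 @@ hunk of lak.c, the final else now sends every auth_method value that is neither LAK_AUTH_METHOD_BIND nor LAK_AUTH_METHOD_CUSTOM to lak_auth_fastbind, so an unexpected value silently selects fastbind. Suggest testing explicitly for LAK_AUTH_METHOD_FASTBIND and making the final else log the unknown value and return LAK_FAIL.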
Re: saslauthd performance anxiety
On Wed, 1 Jan 2003, Kervin L. Pierre wrote:

> Maybe you should seriously consider moving from back-shell to back-perl, which you can optimize much more and is probably quicker right off the bat, since it does not spawn a separate process for the interpreter. Better still, have you thought of back-meta or back-ldap? These were designed for ldap routing.

Hmmm, good suggestions. I'd looked at the OpenLDAP 2.1 Admin Guide early on, and nothing in it jumped out at me as justifying going beyond 2.0.27 (the words latest stable have a warm glow about them...). If I'd known about these other back-ends I would probably have decided differently. Given that 2.1 is a big unknown to us (and it seems to want things like DB4 which we don't have experience with), I'm not keen on dropping it into production without some serious testing. Still, it sounds like just what we need.

(On the subject of OpenLDAP and back-shell, I should also mention that we uncovered a nasty race condition that can lead to deadlocked shell subprocesses. The bug report and fix are at http://www.OpenLDAP.org/its/index.cgi?findid=2262)

> I suspect you're optimizing the wrong bottleneck.

You are sooo right - I upped the saslauthd pool enough to prevent exhaustion, and we were fine for the first few days until the users came back. By about 9am Friday the CPU overhead of spawning all those perl processes had authentication timing out horribly (and the above-mentioned deadlock issue didn't help either). And that was just the start... In the end I reduced the load by hacking saslauthd (as described in my reply to Igor), which bought us time to write and test a C replacement for the perl. Of course the perl is much easier to understand and maintain, so going to a smart back-end is a better long-term solution. Oh well, live and learn... Thanks for the advice all the same!

Simon Brady mailto:[EMAIL PROTECTED] Systems Specialist Ph. +64 3 479-5217 ITS Technical Services Fax +64 3 479-5080 University of Otago, Dunedin, New Zealand Mobile +64 27 411-6045
lmtpd NUL rejection
I've recently upgraded imapd from 1.5.19 to 2.1.11, and instead of having sendmail invoke deliver it now talks to lmtpd over a Unix socket. All is well, except that lmtpd is much more scrupulous about checking its input than deliver was - in the space of a week, it's detected three otherwise normal messages containing embedded NULs and has rejected them with DSN 554 5.6.0 Message contains NUL characters (status IMAP_MESSAGE_CONTAINSNULL in imap/lmtpengine.c). OK, fair enough, except that sendmail responds to the bounce by trying to copy the message to postmaster. Via lmtpd. Oops. Clearly the input is bad and lmtpd is justified in rejecting it. However, broken mail clients (or whatever - we haven't identified any common factor yet) are a fact of life, and having mail stuck in a non-delivery loop isn't very helpful for our users. What's the Right Thing to do here? Should sendmail (8.11.2) be configured to somehow report the failure without forwarding the message, or perhaps do NUL filtering on the fly? Or is there some way of configuring the lmtp mailer definition to get around this problem? And out of general curiosity, have other sites moving to lmtpd encountered this, or are we just particularly weird? Thanks... Simon Brady mailto:[EMAIL PROTECTED] Systems Specialist Ph. +64 3 479-5217 ITS Technical Services Fax +64 3 479-5080 University of Otago, Dunedin, New Zealand Mobile +64 27 411-6045
Re: Cyrus - PAM? - Win2K authentication
--On Friday, July 12, 2002 12:25 PM -0400 Ken Murchison [EMAIL PROTECTED] wrote:

> Chris Wiegand wrote:
>> Is it possible to configure cyrus to authenticate (via PAM, possibly) against a Win2000 Active Directory/Domain?
> We are currently using pam_smb to auth against a NT4 box. I haven't tried it with 2000 yet, we are upgrading in the next few weeks.

We've been using pam_smb against a 2000 box for our Cyrus authentication for a while, but have terrible problems with it from time to time. So, I thought about trying pam_krb5 instead. I had hoped that (with the necessary underlying OS configuration done - verified by being able to login using telnet and ftp) it would simply be a case of changing the references to pam_smb in the pam.conf file (Cyrus platform is Solaris 8) to pam_krb5 and away we'd go. Not so, though; authentication always fails and what I see logged is...

Jan 9 12:57:15 tench PAM: [ID 705685 auth.debug] PAM-KRB5: pam_sm_authenticate
Jan 9 12:57:15 tench PAM: [ID 729219 auth.debug] PAM-KRB5: pam_sm_auth prompting for password
Jan 9 12:57:15 tench PAM: [ID 427203 auth.debug] pam_authenticate: error Authentication failed

...logged

Does anyone know what the problem(s) might be? Cheers, Richard Hopkins, Information Services, Computer Centre, University of Bristol, Bristol, BS8 1UD, UK Tel +44 117 928 7859 Fax +44 117 929 1576
Re: Including UCD-SNMP support in Cyrus IMAPD
Thanks, it looks like that worked. I have now compiled Cyrus IMAP with the following: LIBS=-Wl,-zignore and I've checked with ldd to see if the kstat and kvm libraries were displayed, and they are not anymore, so it looks fine. Now an important question: how can I check that UCD-SNMP is really working with my Cyrus IMAP? Regards Marc Igor Brezac To: [EMAIL PROTECTED] [EMAIL PROTECTED] cc: [EMAIL PROTECTED] Sent by: Subject: Re: Including UCD-SNMP support in Cyrus IMAPD [EMAIL PROTECTED] ew.cmu.edu 01/08/03 10:51 PM Please respond to info-cyrus On Wed, 8 Jan 2003 [EMAIL PROTECTED] wrote: I must have misunderstood you. You need to use this option to compile cyrus-imapd. -Wl,-zignore will ignore libraries not referenced by the link process. If you want to fix UCD-SNMP libs, you need to pass -Wl,-zdefs to LDFLAGS and then add necessary libs to the link process until everything compiles fine. Actually, you may need to use -zdefs because libtool on solaris uses 'ld' for link-edit. This is a libtool bug, but this is a subject for a different forum. Oh ok this is for Cyrus IMAP, then I misunderstood you... So now from the two solutions you gave what do you think is the best to do: You do not have to do either. What you have works. ;) You asked me if cyrus binaries can be compiled without all these unnecessary libraries? Option 1) will do this. 1) - use -Wl,-zignore to compile Cyrus IMAP or I would not go through the effort of fixing UCD libs unless you are familiar with the link-edit process. Do not bother with 2). 2) - use -Wl,-zdefs to compile UCD SNMP Hope this helps. -Igor
Re: Working Vacation??
Mark Keasling wrote:

> Hi, Has anyone got sieve's vacation notifications to work? If you have,

Yes. Since I fixed it in 1.6.x. :)

> can you post your imapd.conf and cyrus.conf files and a sieve script? Haven't been able to get it to work, think everything has been tried and have run out of hair... ;)

Why don't you post your configs, along with any relevant imapd.log and maillog entries? What MTA are you using? Have you tried a redirect or reject? This will verify that you can send out responses, vacation has more complexity. Have you tried passing a message and your script through the sieve test program (sieve/test.c)? 9 times out of 10, this problem is because your MTA chokes on the sendmail command line passed to it, or the address matching in Sieve fails.

-- Kenneth Murchison Oceana Matrix Ltd. Software Engineer 21 Princeton Place 716-662-8973 x26 Orchard Park, NY 14127 --PGP Public Key--http://www.oceana.com/~ken/ksm.pgp
using ctl-mboxlist
I have just converted from 1.6.24 to 2.0.17. I have a large number of folders in the database which do not really exist. This is because I had tested the procedure for converting the 1.6.24 mailboxes file to the 2.0.17 mailbox.db a month ago and failed to remove the db files on doing this on the recent copy of the mailboxes file. I had expected the database to get overwritten. I intend to do ctl_mboxlist -d mailboxes, then run a script to check each folder in this file and only write out the line if it exists in the mail hierarchy, then do ctl_mboxlist -u mailboxes.clean. My question is: should I remove everything in the db directory before doing the ctl_mboxlist -u? Paul Christie Bath University Computing Services
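The filtering step described in the post above, as an added example that is not part of the original message or of Cyrus itself. It assumes each line of the dump is tab-separated with the mailbox name in the first field, that the spool is a single unhashed partition (so user.alice lives in SPOOL/user/alice), and that a live mailbox directory contains a cyrus.header file; the sample dump lines and paths are constructed.

```shell
#!/bin/sh
# Added example: keep only the dump lines whose mailbox exists on disk.
# Assumptions (not from the original post): tab-separated dump, mailbox
# name in field 1, one unhashed spool partition, '.' maps to '/'.

# filter_mboxlist DUMP SPOOL KEEP DROP
# Lines for mailboxes found on disk go to KEEP, all others to DROP so
# that nothing is discarded without a record.
filter_mboxlist() {
    fm_dump=$1; fm_spool=$2; fm_keep=$3; fm_drop=$4
    fm_tab=$(printf '\t')
    : > "$fm_keep"
    : > "$fm_drop"
    while IFS= read -r fm_line || [ -n "$fm_line" ]; do
        [ -n "$fm_line" ] || continue
        fm_name=${fm_line%%"$fm_tab"*}
        case $fm_name in
            ''|*/*|.*|*.|*..*)
                # A name with a slash or an empty component could map
                # outside the spool; never treat it as existing.
                printf '%s\n' "$fm_line" >> "$fm_drop"
                continue ;;
        esac
        fm_path=$fm_spool/$(printf '%s' "$fm_name" | tr '.' '/')
        if [ -d "$fm_path" ] && [ -f "$fm_path/cyrus.header" ]; then
            printf '%s\n' "$fm_line" >> "$fm_keep"
        else
            printf '%s\n' "$fm_line" >> "$fm_drop"
        fi
    done < "$fm_dump"
}

# Constructed sample: two real mailboxes, one directory without a
# cyrus.header, one database-only entry, one malformed name.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/spool/user/alice/Sent" "$d/spool/user/bob"
    : > "$d/spool/user/alice/cyrus.header"
    : > "$d/spool/user/alice/Sent/cyrus.header"
    {
        printf 'user.alice\tdefault\talice\tlrswipcda\n'
        printf 'user.alice.Sent\tdefault\talice\tlrswipcda\n'
        printf 'user.bob\tdefault\tbob\tlrswipcda\n'
        printf 'user.ghost\tdefault\tghost\tlrswipcda\n'
        printf 'user..odd\tdefault\todd\tlrswipcda\n'
    } > "$d/mailboxes"
    filter_mboxlist "$d/mailboxes" "$d/spool" \
        "$d/mailboxes.clean" "$d/mailboxes.dropped"
    kept=$(( $(wc -l < "$d/mailboxes.clean") ))
    dropped=$(( $(wc -l < "$d/mailboxes.dropped") ))
    rm -rf "$d"
    echo "kept=$kept dropped=$dropped"
}

demo
```

Reviewing the dropped file before loading the cleaned list shows exactly which entries would disappear from the mailbox database.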
Cyrus IMAP ; case studies, success stories, ... I need them
Hi all, I have set up a test machine with cyrus imapd 2.1.11 and everything that goes with it. Very nice system, working perfectly, in a test environment of some 30 people. Today, I went to see management, to get money for the production system hardware (I'm thinking about a full Sun Fire 280R with a full Sun StorEdge 3310 SCSI Array), ... only to hear that some other people are working on a solution based on MS Exchange, because they want the groupware functionality. I might be able to convince them to adopt Cyrus imapd, if only I can assure them that it will peacefully coexist with MS exchange. They can agree on using Cyrus for e-mail, and Exchange for the groupware stuff. But, being a full time unix admin, I have no clue about exchange. Is such a setup possible ? Or does Exchange rely on its own e-mail system ? Together with information, I could also use any Cyrus imapd success stories that I can get. If you're running Cyrus for a reasonably sized company or institution, please let me know, including the hardware you're using, number of (simultaneous) users, level of satisfaction, and other useful information. Maybe we could collect this data in some kind of registry. Looking forward to your replies, Piet Ruyssinck -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- Piet RUYSSINCKe-mail: [EMAIL PROTECTED] Unix Systeem Administratie tel: +32 9 264 4733 Directie Informatie- en Communicatietechnologie (ICT) fax: +32 9 264 4994 Universiteit Gent (RUG) Krijgslaan 281, gebouw S9 - 9000 Gent, Belgie -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- Please avoid sending me Word or PowerPoint attachments See http://www.fsf.org/philosophy/no-word-attachments.html
Re: Cyrus IMAP ; case studies, success stories, ... I need them
Piet Ruyssinck [EMAIL PROTECTED] writes:

> If you're running Cyrus for a reasonably sized company or institution, please let me know, including the hardware you're using, number of (simultaneous) users, level of satisfaction, and other useful information.

We've been using Cyrus 2.1.9 in production for about one or two months now. I am very satisfied with how well it's doing. The hardware we are running on are Compaq boxes (RAID 5, 1GHz, 1GB RAM) and our server running the Cyrus and Exim software is most likely quite bored at the moment with load averages of 0.60, 0.97, 0.55 (it's running Horde and some other stuff too). We have roughly 30 users. I think it's safe to say (watching the logs) that at any time there are at least two users talking with Cyrus. Currently, we have about 1.5GB on the Cyrus partition and accessing our mailboxes is as snappy as ever. I have many thousands of emails in my mailbox and it seems to be as fast as ever to access any of them. And I cannot praise the Sieve implementation enough. I use it for all my mail filtering and have had absolutely no problems with it. You'll want to test your clients before rolling it out. Outlook Express and Outlook versions prior to Office 2002 have been giving me serious headaches with how utterly broken they are. We are moving away from them as fast as we can. Erik.
Re: Cyrus IMAP ; case studies, success stories, ... I need them
Piet, We use a mix of Cyrus and MeetingMaker to approximate the groupware aspects, and it does work quite well...as to making Cyrus and Exchange co-exist...I've only heard of people sticking Unix MTAs in front of Exchange to allow for less of a risk on their internet gateway, however as far as I know the mail still needs to sit on the exchange server. You may be able to get around this by setting up 2 different accounts in Outlook simultaneously but it would be ugly. Introduce them to some of the other options out there, MM isn't bad, nor is it expensive. -David _ David Chait Sys Admin - Facilities Operations 333 Bonair Siding Road #107 Stanford CA, 94305 [EMAIL PROTECTED] - Original Message - From: Piet Ruyssinck [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: Piet Ruyssinck [EMAIL PROTECTED] Sent: Thursday, January 09, 2003 7:37 AM Subject: Cyrus IMAP ; case studies, success stories, ... I need them Hi all, I have set up a test machine with cyrus imapd 2.1.11 and everything that goes with it. Very nice system, working perfectly, in a test environment of some 30 people. Today, I went to see management, to get money for the production system hardware (I'm thinking about a full Sun Fire 280R with a full Sun StorEdge 3310 SCSI Array), ... only to hear that some other people are working on a solution based on MS Exchange, because they want the groupware functionality. I might be able to convince them to adopt Cyrus imapd, if only I can assure them that it will peacefully coexist with MS exchange. They can agree on using Cyrus for e-mail, and Exchange for the groupware stuff. But, being a full time unix admin, I have no clue about exchange. Is such a setup possible ? Or does Exchange rely on its own e-mail system ? Together with information, I could also use any Cyrus imapd success stories that I can get. 
If you're running Cyrus for a reasonably sized company or institution, please let me know, including the hardware you're using, number of (simultaneous) users, level of satisfaction, and other useful information. Maybe we could collect this data in some kind of registry. Looking forward to your replies, Piet Ruyssinck -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- Piet RUYSSINCKe-mail: [EMAIL PROTECTED] Unix Systeem Administratie tel: +32 9 264 4733 Directie Informatie- en Communicatietechnologie (ICT) fax: +32 9 264 4994 Universiteit Gent (RUG) Krijgslaan 281, gebouw S9 - 9000 Gent, Belgie -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- Please avoid sending me Word or PowerPoint attachments See http://www.fsf.org/philosophy/no-word-attachments.html
Re: Cyrus IMAP ; case studies, success stories, ... I need them
On Thu, 09 Jan 2003, Piet Ruyssinck wrote: Together with information, I could also use any Cyrus imapd success stories that I can get. We are running the City Hall of Campinas/SP/Brazil (middle-sized city, circa 1M people), using a two machine cluster, one with two cpus running postfix-tls 2.0.0.1, and another one with a single PIII-800 cpu, and Cyrus 2.1.11 (Debian). We have about 1000 users right now, and most of them prefer to connect to cyrus using pop3 (!), but the webmail system (Squirrelmail) likes to use imap. Usually we have 2-3 simultaneous imap users (99% of them are squirrelmail sessions), and about 1 pop3 download per second. The system handles about 33k new messages/week. We never had any real problems with the Cyrus setup: not a single one instance of trouble, actually. It is a *heavily* patched Cyrus IMAPd, though (the one in Debian) which is more stable in Linux machines than CMU's upstream version in Linux machines (IMHO, and AFAIK). You will have to test your setup against the outcrook clients your users will be using, and you will need to patch Cyrus 2.1.11 with at least the seen state flush stuff. -- One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie. -- The Silicon Valley Tarot Henrique Holschuh
Re: Cyrus IMAP ; case studies, success stories, ... I need them
On Thu, Jan 09, 2003 at 04:37:21PM +0100, Piet Ruyssinck wrote:

> If you're running Cyrus for a reasonably sized company or institution, please let me know, including the hardware you're using, number of (simultaneous) users, level of satisfaction, and other useful information. Maybe we could collect this data in some kind of registry.

We use Cyrus 2.1.x to support 99 users today with capacity to scale to 500 users in the future. Hardware is IBM xSeries x240 with ServeRAID 4H and plenty of RAID5 storage. The OS is Red Hat 7.3 + errata. We don't have a client side policy since our user base is 'Linux smart'. This allows the users to pick clients they feel comfortable with. We recommend Mozilla, Evolution, and fetchmail however.

The Feb 2003 LinuxJournal has a feature story on replacing Exchange. The story is not online as far as I can tell but here are the resources:

Exchange Server HOWTO http://www.arrayservices.com/projects/Exchange-HOWTO/
Bynari InsightServer http://www.bynari.net/insightserver.html

From what I understand Bynari has a product that works with Outlook (Express?) to handle the groupware features such as calendars. The mail store is of course Cyrus IMAPd.

-- Scott Russell ([EMAIL PROTECTED]) Linux Technology Center, System Admin, RHCE. Dial 877-735-8200 then ask for 919-543-9289 (TTY)
Re: saslauthd performance anxiety
On Fri, 10 Jan 2003 [EMAIL PROTECTED] wrote: On Wed, 1 Jan 2003, Igor Brezac wrote: On Wed, 1 Jan 2003 [EMAIL PROTECTED] wrote: [...] Can anyone offer advice on tuning the saslauthd pool? Are there particular options, either on the command line or in saslauthd.conf, which I should be looking at? Try using 'ldap_auth_method: custom'. It is up to three times faster than the 'bind' method. Thanks for the suggestion. Unfortunately 'custom' wasn't an option for us, although we certainly could have benefited from it. The reason we can't use it is that to support password migration our shell back-end does mad things like: try binding to new server; if (failure) { try binding to old server; if (success) update user password in new server for next time; } Don't look at me, I just inherited it :-) This logic (to use the term loosely) makes it impossible to return a sensible response to a search on userPassword. Instead, I committed a gross hack and implemented a new method called auth_fastbind. It does away with the search and extra anonymous bind in auth_bind by making two assumptions: 1. Expanding the ldap_filter expression gives the fully-qualified DN 2. There is no cost to staying bound as a named user These held for our shell back-end, but I don't know how applicable they are to wider use. Still, if anyone's interested I've attached the patch (against 2.1.10). I like this patch. This can work well for quite a few people. Rob, can you apply this patch? -- Igor diff -ru cyrus-sasl-2.1.10.orig/saslauthd/lak.c cyrus-sasl-2.1.10/saslauthd/lak.c --- cyrus-sasl-2.1.10.orig/saslauthd/lak.c Fri Dec 6 02:54:58 2002 +++ cyrus-sasl-2.1.10/saslauthd/lak.c Fri Jan 10 00:19:45 2003 
@@ -70,6 +70,7 @@ static int lak_search(LAK *, const char *, const char **, LDAPMessage **); static int lak_auth_custom(LAK *, const char *, const char *, const char *); static int lak_auth_bind(LAK *, const char *, const char *, const char *); +static int lak_auth_fastbind(LAK *, const char *, const char *, const char *); static int lak_result_add(LAK *lak, const char *, const char *, LAK_RESULT **); static int lak_check_password(const char *, const char *, void *); static int lak_check_crypt(const char *, const char *, void *); @@ -179,6 +180,8 @@ } else if (!strcasecmp(key, ldap_auth_method)) { if (!strcasecmp(p, custom)) { conf-auth_method = LAK_AUTH_METHOD_CUSTOM; + } else if (!strcasecmp(p, fastbind)) { + conf-auth_method = LAK_AUTH_METHOD_FASTBIND; } } else if (!strcasecmp(key, ldap_timeout)) { conf-timeout.tv_sec = lak_config_int(p); @@ -917,6 +920,24 @@ } +static int lak_auth_fastbind(LAK *lak, const char *user, const char *realm, const +char *password) +{ + int rc; + char *dn = NULL; + + rc = lak_filter(lak, user, realm, dn); + if (rc != LAK_OK || dn == NULL) { + syslog(LOG_WARNING|LOG_AUTH, lak_filter failed.); + return LAK_FAIL; + } + + rc = lak_bind(lak, LAK_BIND_AS_USER, dn, password); + + free(dn); + return rc; +} + + int lak_authenticate(LAK *lak, const char *user, const char *realm, const char *password) { int rc; @@ -932,8 +953,10 @@ if (lak-conf-auth_method == LAK_AUTH_METHOD_BIND) { rc = lak_auth_bind(lak, user, realm, password); - } else { + } else if (lak-conf-auth_method == LAK_AUTH_METHOD_CUSTOM) { rc = lak_auth_custom(lak, user, realm, password); + } else { + rc = lak_auth_fastbind(lak, user, realm, password); } return rc; diff -ru cyrus-sasl-2.1.10.orig/saslauthd/lak.h cyrus-sasl-2.1.10/saslauthd/lak.h --- cyrus-sasl-2.1.10.orig/saslauthd/lak.h Fri Oct 18 10:30:58 2002 +++ cyrus-sasl-2.1.10/saslauthd/lak.h Fri Jan 10 00:19:45 2003 
@@ -53,6 +53,7 @@ #define LAK_AUTH_METHOD_BIND 0 #define LAK_AUTH_METHOD_CUSTOM 1 +#define LAK_AUTH_METHOD_FASTBIND 2 typedef struct lak_conf { char *path;
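Review bot: In the lak_auth_fastbind hunk (@@ -917,6 +920,24 @@) of the quoted patch, the string that lak_filter builds from user and realm is used directly as the bind DN. Escaping that is right for a search filter is not the same as escaping for a DN, so please confirm that characters such as ',', '+' and '=' in the user name cannot change which entry is bound, or reject names containing them before the bind. The syslog message on failure would also be more useful with the user and realm included.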
Re: trouble with auths on cyrus imap
I tried your suggestion. I added to pam.conf

imap auth required pam_unix.so try_first_pass
imap account required pam_unix.so
imap password required pam_permit.so
imap session required pam_permit.so

still can't authenticate. jg

On Wed, 2003-01-08 at 11:35, Erik Enge wrote:

> jonathan giles [EMAIL PROTECTED] writes:
>> Jan 7 14:20:10 popper2 saslauthd[113]: AUTHFAIL: user=user service=imap realm= [PAM auth error]
> I believe I had the same problem until I added /etc/pam.d/imap with the contents just like my /etc/pam.d/sshd (IIRC). Erik.

-- Jonathan Giles Senior Unix Administrator Cline Davis Mann, Inc. -- Privileged/Confidential Information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply e-mail. Please advise immediately if you or your employer do not consent to Internet e-mail of this kind. Opinions, conclusions, and other information in this message that do not relate to the official business of CDM shall be understood as neither given nor endorsed by it.
Re: saslauthd performance anxiety
On Thu, 9 Jan 2003, Rob Siemborski wrote: Done. Someone should sanity-check the documentation I put in LDAP_SASLAUTHD. Looks good. I do not see when '2. There is no cost to staying bound as a named user' would be false. Maybe for backends other then ldbm|bdb. It will cause extra disconnect|reconnect to the ldap server for LDAPv2 connections. Saslauthd will always try to connect LDAPv3 first. But this is the case for the bind method as well. -Igor -Rob On Thu, 9 Jan 2003, Igor Brezac wrote: On Fri, 10 Jan 2003 [EMAIL PROTECTED] wrote: On Wed, 1 Jan 2003, Igor Brezac wrote: On Wed, 1 Jan 2003 [EMAIL PROTECTED] wrote: [...] Can anyone offer advice on tuning the saslauthd pool? Are there particular options, either on the command line or in saslauthd.conf, which I should be looking at? Try using 'ldap_auth_method: custom'. It is up to three times faster than the 'bind' method. Thanks for the suggestion. Unfortunately 'custom' wasn't an option for us, although we certainly could have benefited from it. The reason we can't use it is that to support password migration our shell back-end does mad things like: try binding to new server; if (failure) { try binding to old server; if (success) update user password in new server for next time; } Don't look at me, I just inherited it :-) This logic (to use the term loosely) makes it impossible to return a sensible response to a search on userPassword. Instead, I committed a gross hack and implemented a new method called auth_fastbind. It does away with the search and extra anonymous bind in auth_bind by making two assumptions: 1. Expanding the ldap_filter expression gives the fully-qualified DN 2. There is no cost to staying bound as a named user These held for our shell back-end, but I don't know how applicable they are to wider use. Still, if anyone's interested I've attached the patch (against 2.1.10). I like this patch. This can work well for quite a few people. Rob, can you apply this patch? 
-- Igor -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456 Research Systems Programmer * /usr/contributed Gatekeeper -- Igor
Re: trouble with auths on cyrus imap
Just tried that and it didn't help. Thanks for the help, tho. jg

On Wed, 2003-01-08 at 12:39, Ken Murchison wrote: jonathan giles wrote: Hi: I have been looking around for the answer to this, and have not found it. I am running... 4.7-RELEASE FreeBSD with... cyrus-imapd-2.1.10 cyrus-sasl-2.1.9_1 installed as ports. Compilation and installation seems fine but... I am trying to authenticate with the standard shadow password, but keep getting this in the log...

Jan 7 14:20:10 popper2 saslauthd[113]: AUTHFAIL: user=user service=imap realm= [PAM auth error]
Jan 7 14:20:10 popper2 imapd[158]: badlogin: localhost.clinedavis.com[127.0.0.1] plaintext user SASL(-13): authentication failure: checkpass failed

imapd.conf includes the following...

sasl_pwcheck_method: saslauthd

saslauthd is started using -a pam in /usr/local/etc/rc.d/saslauthd.sh I checked the processes, and it shows up. /etc/pam.conf is standard conf for FreeBSD with only one line for imap...

imap auth required pam_unix.so try_first_pass

try adding:

imap account sufficient pam_permit.so

-- Kenneth Murchison Oceana Matrix Ltd. Software Engineer 21 Princeton Place 716-662-8973 x26 Orchard Park, NY 14127 --PGP Public Key--http://www.oceana.com/~ken/ksm.pgp

-- Jonathan Giles Senior Unix Administrator Cline Davis Mann, Inc.
Re: lmtpd NUL rejection
[EMAIL PROTECTED] wrote:
> I've recently upgraded imapd from 1.5.19 to 2.1.11, and instead of having sendmail invoke deliver it now talks to lmtpd over a Unix socket. All is well, except that lmtpd is much more scrupulous about checking its input than deliver was - in the space of a week, it's detected three otherwise normal messages containing embedded NULs and has rejected them with DSN 554 5.6.0 Message contains NUL characters (status IMAP_MESSAGE_CONTAINSNULL in imap/lmtpengine.c). OK, fair enough, except that sendmail responds to the bounce by trying to copy the message to postmaster. Via lmtpd. Oops.
>
> Clearly the input is bad and lmtpd is justified in rejecting it. However, broken mail clients (or whatever - we haven't identified any common factor yet) are a fact of life, and having mail stuck in a non-delivery loop isn't very helpful for our users. What's the Right Thing to do here? Should sendmail (8.11.2) be configured to somehow report the failure without forwarding the message, or perhaps do NUL filtering on the fly? Or is there some way of configuring the lmtp mailer definition to get around this problem?
>
> And out of general curiosity, have other sites moving to lmtpd encountered this, or are we just particularly weird?

I noticed it here as well after switching from UW IMAP to Cyrus 2.1.11, and I am currently still running everything through a perl delivery program which does a number of clean-ups including stripping NUL characters. The problem is that a number of large mailing lists (such as some on Yahoo Groups) include NULs, so just dropping the mail wasn't an option. Eventually, I want to get back to the stock deliver but I will need to patch it to include an option to strip NULs similarly (as well as other issues currently being handled in the perl script) before I can.

--
John A. Tamplin
Unix System Administrator
Emory University, School of Public Health
+1 404/727-9931
Outlook wont work with secure Password
Hi,

I have big problems getting Outlook working with Secure password (dunno what it's called in English) turned on. The only problem is that Outlook sends AUTH \r\n instead of AUTH\r\n (note the space). The Cyrus POP3 then says Syntax error. Any help?

thanx

- David 'esi' Brandt
- wakka.de staff [EMAIL PROTECTED]
- irc://irc.wakka.de/#wakka
- icq:13272332
http://www.wakka.de
Get your wheep
Re: Outlook wont work with secure Password
David Brandt wrote:
> Hi,
> I have big problems getting Outlook working with Secure password (dunno what it's called in English) turned on. The only problem is that Outlook sends AUTH \r\n instead of AUTH\r\n (note the space). The Cyrus POP3 then says Syntax error. Any help?

The AUTH command expects the SASL mechanism to follow the AUTH command, i.e.

  AUTH NTLM\r\n

Check RFC 1734.

In any case if you're trying to use the checkbox in Outlook that I think you are, you'll have to have the user's password in /etc/sasldb.

--
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
Re: saslauthd performance anxiety
On Thursday 09 January 2003 03:55 pm, Paul M Fleming wrote:
> Timing out the passwords is simple ( I think ) I would store the time when the entry is added and force a reauth if the password has been cached longer than a timeout (for example one hour ). That forces a reauth at least every timeout period of time. If an entry isn't in the cache (or if it is different the entry would be removed and) a reauth would be forced. Every successful auth would be added to the cache.

Some time ago I wrote a plugin for the Netscape/iPlanet Directory server that intercepted bind authentications and passed them off to a kerberos backend. It allowed us to integrate LDAP services with our Kerberos environment. Anyhow, it implemented just this, with the timeouts and all. I also implemented a checkpoint feature where the hash table was periodically dumped to a file. That way if you restarted the LDAP server you wouldn't lose your cached entries.

You can grab a copy of the plugin at:

ftp://ftp.net.ohio-state.edu/pub/users/jrumpf/krbdirp-1.2.0.tar.gz

Look in the file krbdirp.c, specifically at the function validate_with_cache(). The text file CACHE also has some thoughts and ideas.

The LDAP directory was used for an iPlanet mail setup to store user information. The idea of the credential cache has worked quite well. Implementing it for saslauthd would be a nice feature. I'd be more than willing to help/contribute to the effort.

Cheers,
Jeremy
Re: imtest question again..
Man, are you all tangled up???

----- Original Message -----
From: Danny García Hernández
To: [EMAIL PROTECTED]
Sent: Thursday, January 09, 2003 4:51 PM
Subject: imtest question again..

> Please!! 12 hours have passed since my first question about imtest using domains inside sasldb2 and nobody has answered my question. Can anybody help me?
>
> Thanks
> Danny
Re: Working Vacation??
Hi Ken,

I can get a rejection; but, I can't get a vacation. Here's the info you requested.

-sieve script-
require ["fileinto", "notify", "vacation", "reject"];
if allof( header :contains :comparator "i;octet" ["Subject"] ["TEST"] ) {
    vacation :subject "I wanna vacation" "Yes, I really wanna vacation";
}
if allof( header :contains :comparator "i;octet" ["Subject"] ["Reject"] ) {
    reject "This is a rejection notice";
}

-cyrus.conf-
START {
  recover       cmd="ctl_cyrusdb -r"
}
SERVICES {
  imap          cmd="imapd" listen="imap" prefork=0
  imaps         cmd="imapd -s" listen="imaps" prefork=0
  pop3          cmd="pop3d" listen="pop3" prefork=0
  pop3s         cmd="pop3d -s" listen="pop3s" prefork=0
  lmtp          cmd="lmtpd" listen="lmtp" prefork=0
  lmtpunix      cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
  sieve         cmd="timsieved" listen="sieve" prefork=3
  notify        cmd="notifyd" listen="/var/imap/socket/notify" proto="udp" prefork=1
}
EVENTS {
  checkpoint    cmd="ctl_cyrusdb -c" period=30
  delprune      cmd="ctl_deliver -E 3" period=1440
  tlsprune      cmd="tls_prune" period=1440
}

-imapd.conf-
configdirectory: /export/home/cyrus/imap/config
partition-default: /export/home/cyrus/imap/default
sasl_pwcheck_method: auxprop
hashimapspool: yes
sievedir: /export/home/cyrus/imap/sieve
# usually
# sievenotifier: null
# mailnotifier: null
# but currently
sievenotifier: log
mailnotifier: log
notifysocket: /var/imap/socket/notify
admins: cyrus circus
allowplaintext: false
altnamespace: false
unixhierarchysep: false

-imapd.log-
Jan 10 10:27:39 air master[11328]: [ID 965400 local6.notice] process started
Jan 10 10:27:39 air master[11330]: [ID 392559 local6.debug] about to exec /opt/imap/bin/ctl_cyrusdb
Jan 10 10:27:39 air ctl_cyrusdb[11330]: [ID 702911 local6.notice] recovering cyrus databases
Jan 10 10:27:46 air ctl_cyrusdb[11330]: [ID 127214 local6.notice] done recovering cyrus databases
Jan 10 10:27:46 air master[11328]: [ID 139525 local6.notice] ready for work
Jan 10 10:27:46 air master[11360]: [ID 392559 local6.debug] about to exec /opt/imap/bin/tls_prune
Jan 10 10:27:46 air master[11361]: [ID 392559 local6.debug] about to exec /opt/imap/bin/ctl_deliver
Jan 10 10:27:46 air master[11362]: [ID 392559 local6.debug] about to exec /opt/imap/bin/ctl_cyrusdb
Jan 10 10:27:46 air ctl_cyrusdb[11362]: [ID 702911 local6.notice] checkpointing cyrus databases
Jan 10 10:27:46 air master[11363]: [ID 392559 local6.debug] about to exec /opt/imap/bin/timsieved
Jan 10 10:27:46 air sieve[11363]: [ID 518349 local6.debug] executed
Jan 10 10:27:46 air master[11364]: [ID 392559 local6.debug] about to exec /opt/imap/bin/notifyd
Jan 10 10:27:46 air notify[11364]: [ID 518349 local6.debug] executed
Jan 10 10:27:46 air tls_prune[11360]: [ID 275131 local6.notice] skiplist: recovered /export/home/cyrus/imap/config/tls_sessions.db (0 records, 144 bytes) in 0 seconds
Jan 10 10:27:46 air tls_prune[11360]: [ID 383969 local6.notice] tls_prune: purged 0 out of 0 entries
Jan 10 10:27:46 air master[11328]: [ID 310780 local6.debug] process 11360 exited, status 0
Jan 10 10:27:46 air master[11365]: [ID 392559 local6.debug] about to exec /opt/imap/bin/timsieved
Jan 10 10:27:46 air sieve[11365]: [ID 518349 local6.debug] executed
Jan 10 10:27:47 air ctl_cyrusdb[11362]: [ID 578205 local6.debug] archiving database file: /export/home/cyrus/imap/config/mailboxes.db
Jan 10 10:27:47 air ctl_cyrusdb[11362]: [ID 448116 local6.debug] archiving log file: /export/home/cyrus/imap/config/db/log.01
Jan 10 10:27:48 air ctl_cyrusdb[11362]: [ID 127214 local6.notice] done checkpointing cyrus databases
Jan 10 10:27:48 air master[11328]: [ID 310780 local6.debug] process 11362 exited, status 0
Jan 10 10:27:48 air master[11370]: [ID 392559 local6.debug] about to exec /opt/imap/bin/timsieved
Jan 10 10:27:48 air sieve[11370]: [ID 518349 local6.debug] executed
Jan 10 10:27:53 air ctl_deliver[11361]: [ID 275131 local6.notice] skiplist: recovered /export/home/cyrus/imap/config/deliver.db (53 records, 2834412 bytes) in 7 seconds
Jan 10 10:27:53 air ctl_deliver[11361]: [ID 730478 local6.notice] duplicate_prune: pruning back 3 days
Jan 10 10:27:53 air ctl_deliver[11361]: [ID 371192 local6.notice] duplicate_prune: purged 0 out of 53 entries
Jan 10 10:27:53 air master[11328]: [ID 310780 local6.debug] process 11361 exited, status 0
Jan 10 10:30:21 air master[11383]: [ID 392559 local6.debug] about to exec /opt/imap/bin/lmtpd
Jan 10 10:30:21 air lmtpunix[11383]: [ID 518349 local6.debug] executed
Jan 10 10:30:21 air lmtpd[11383]: [ID 921384 local6.debug] accepted connection
Jan 10 10:30:21 air lmtpd[11383]: [ID 685068 local6.debug] lmtp connection preauth'd as postman
Jan 10 10:30:21 air lmtpd[11383]: [ID 100061 local6.debug] duplicate_check: [EMAIL PROTECTED] user.testuser2 0
Jan 10 10:30:21 air notifyd[11364]: [ID 921384 local6.debug] accepted connection
Jan 10 10:30:21 air notifyd[11364]: [ID 414469 local6.debug] do_notify using method 'log'
Re: DBERROR: archive
On Thu, 9 Jan 2003, Bob Meader wrote:
> I get these recurring lines in log:
>
> Jan 9 15:08:27 tuba ctl_cyrusdb[28368]: checkpointing cyrus databases
> Jan 9 15:08:27 tuba ctl_cyrusdb[28368]: DBERROR: archive /var/imap/db: cyrusdb error
> Jan 9 15:08:27 tuba ctl_cyrusdb[28368]: done checkpointing cyrus databases
>
> I am running NetBSD 1.6, I installed cyrus-imap-2.1.9 via

I kept getting those errors while using Cyrus-IMAP on NetBSD 1.6 too except I was using 2.1.11 instead. Chris Gilbert was kind enough to point me to a new patch in pkgsrc which resolved the problem. You might want to consider updating your pkgsrc tree and upgrading Cyrus-IMAP to 2.1.11 and see if that helps you too.

Here are the archived posts..

http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&searchterm=netbsd&msg=19606
http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&searchterm=netbsd&msg=19929
http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&searchterm=netbsd&msg=19935

Good luck.
Digest version of list??
Is there a digest version of this list? -- Oliver Jones Senior Software Engineer Deeper Design Limited. [EMAIL PROTECTED] www.deeperdesign.com +64 (21) 41-2238
Cyrus and Virtual Domains
Hello!

I have two servers in two different works :-). One of these servers is running Cyrus 2.1.9 with SASL 2.1.9 with an LDAP. [this server works fine!] [under RedHat 7.3]

The second server [the problem :-)] is running Debian Linux. Well... Debian has Cyrus 1.5.19 using apt-get, but on this server I must install virtual domains.

Does Cyrus support virtual domains? What can I read to start with virtual domains?

regards...
Felix

--
Felix Cuello [EMAIL PROTECTED]
Buenos Aires, ARGENTINA
Qodiga/its http://www.qodiga.com
Re: saslauthd performance anxiety
On Thu, 9 Jan 2003, Jeremy Rumpf wrote:
> On Thursday 09 January 2003 03:55 pm, Paul M Fleming wrote:
> > Timing out the passwords is simple ( I think ) I would store the time when the entry is added and force a reauth if the password has been cached longer than a timeout (for example one hour ). That forces a reauth at least every timeout period of time. If an entry isn't in the cache (or if it is different the entry would be removed and) a reauth would be forced. Every successful auth would be added to the cache.
>
> Some time ago I wrote a plugin for the Netscape/iPlanet Directory server that intercepted bind authentications and passed them off to a kerberos backend. It allowed us to integrate LDAP services with our Kerberos environment. Anyhow, it implemented just this, with the timeouts and all. I also implemented a checkpoint feature where the hash table was periodically dumped to a file. That way if you restarted the LDAP server you wouldn't lose your cached entries.
>
> You can grab a copy of the plugin at:
>
> ftp://ftp.net.ohio-state.edu/pub/users/jrumpf/krbdirp-1.2.0.tar.gz
>
> Look in the file krbdirp.c, specifically at the function validate_with_cache(). The text file CACHE also has some thoughts and ideas.
>
> The LDAP directory was used for an iPlanet mail setup to store user information. The idea of the credential cache has worked quite well. Implementing it for saslauthd would be a nice feature. I'd be more than willing to help/contribute to the effort.
>
> Cheers,
> Jeremy

I agree. I know Simon would like this feature. :) Openldap APIs have client side cache, but I think it has some issues. saslauthd needs to remain a 'light' process. It is really a helper program for 'big' servers such as cyrus, sendmail, postfix, etc.

You might want to check out http://www.ossp.org/pkg/lib/mm/ for a portable IPC library.

--
Igor
Re: lmtpd NUL rejection
On Fri, 10 Jan 2003 [EMAIL PROTECTED] wrote:
> I've recently upgraded imapd from 1.5.19 to 2.1.11, and instead of having sendmail invoke deliver it now talks to lmtpd over a Unix socket. All is well, except that lmtpd is much more scrupulous about checking its input than deliver was - in the space of a week, it's detected three otherwise normal messages containing embedded NULs and has rejected them with DSN 554 5.6.0 Message contains NUL characters (status IMAP_MESSAGE_CONTAINSNULL in imap/lmtpengine.c). OK, fair enough, except that sendmail responds to the bounce by trying to copy the message to postmaster. Via lmtpd. Oops.
>
> Clearly the input is bad and lmtpd is justified in rejecting it. However, broken mail clients (or whatever - we haven't identified any common factor yet) are a fact of life, and having mail stuck in a non-delivery loop isn't very helpful for our users. What's the Right Thing to do here? Should sendmail (8.11.2) be configured to somehow report the failure without forwarding the message, or perhaps do NUL filtering on the fly? Or is there some way of configuring the lmtp mailer definition to get around this problem?

Have you tried F=1 mailer flag? This may only work in Sendmail 8.12.x. From op.txt:

  1  Don't send null characters ('\0') to this mailer.

I have not tried this flag yet, so I am not sure if NULL chars are removed or if the message is rejected.

> And out of general curiosity, have other sites moving to lmtpd encountered this, or are we just particularly weird?

This is not new, Cyrus 1.6.x 'deliver' rejects such messages as well.

--
Igor
imtest question again..
Please!! 12 hours have passed since my first question about imtest using domains inside sasldb2 and nobody has answered my question. Can anybody help me?

Thanks
Danny
Re: saslauthd performance anxiety
Correct..

John Alton Tamplin wrote:
> Paul M Fleming wrote:
> > Timing out the passwords is simple ( I think ) I would store the time when the entry is added and force a reauth if the password has been cached longer than a timeout (for example one hour ). That forces a reauth at least every timeout period of time. If an entry isn't in the cache (or if it is different the entry would be removed and) a reauth would be forced. Every successful auth would be added to the cache.
>
> Also, if the authentication against the cached entry fails it should be refreshed and tried against the new one, so that if the user changes their password the caching is transparent.
>
> --
> John A. Tamplin
> Unix System Administrator
> Emory University, School of Public Health
> +1 404/727-9931
SML-Acap and saslauthd
I'm trying to get sml-acap to work, but instead of authenticating against /etc/sasldb, I want it to use saslauthd for the rimap mech. I have searched all the docs I can find, and I've noticed there is very little documentation of ACAP...

---
Robert R. George
Re: saslauthd performance anxiety
Paul M Fleming wrote:
> Timing out the passwords is simple ( I think ) I would store the time when the entry is added and force a reauth if the password has been cached longer than a timeout (for example one hour ). That forces a reauth at least every timeout period of time. If an entry isn't in the cache (or if it is different the entry would be removed and) a reauth would be forced. Every successful auth would be added to the cache.

Also, if the authentication against the cached entry fails it should be refreshed and tried against the new one, so that if the user changes their password the caching is transparent.

--
John A. Tamplin
Unix System Administrator
Emory University, School of Public Health
+1 404/727-9931
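
The cache behaviour proposed in this thread (timestamp each entry, force a reauth after the timeout, and go back to the real backend when the cached entry does not match), as an added Python example that is not part of any post and is not saslauthd code. The `CredentialCache` class, its `backend` callable and the choice to hold only a salted PBKDF2 digest of each cached password are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import time


class CredentialCache:
    """Hypothetical cache in front of a slow verifier (PAM, LDAP, Kerberos)."""

    def __init__(self, backend, ttl=3600.0, clock=time.monotonic):
        self._backend = backend      # callable(user, password) -> bool
        self._ttl = ttl              # seconds an entry may be trusted
        self._clock = clock          # injectable so expiry can be tested
        self._entries = {}           # user -> (salt, digest, stored_at)
        self.backend_calls = 0

    @staticmethod
    def _digest(salt, password):
        # Assumption: keep a salted, slow hash in memory, never the password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def _reauth(self, user, password):
        """Ask the real backend; cache a success, drop the entry on failure."""
        self.backend_calls += 1
        if self._backend(user, password):
            salt = os.urandom(16)
            self._entries[user] = (salt, self._digest(salt, password), self._clock())
            return True
        self._entries.pop(user, None)
        return False

    def authenticate(self, user, password):
        entry = self._entries.get(user)
        if entry is not None:
            salt, digest, stored_at = entry
            fresh = self._clock() - stored_at < self._ttl
            if fresh and hmac.compare_digest(digest, self._digest(salt, password)):
                return True          # cache hit, backend not contacted
        # Missing, expired or mismatching entry: force a reauth.
        return self._reauth(user, password)


if __name__ == "__main__":
    directory = {"alice": "s3cret"}  # constructed sample account
    cache = CredentialCache(lambda u, p: directory.get(u) == p, ttl=3600)
    print(cache.authenticate("alice", "s3cret"), cache.backend_calls)
    print(cache.authenticate("alice", "s3cret"), cache.backend_calls)
    directory["alice"] = "changed"   # password change at the backend
    print(cache.authenticate("alice", "changed"), cache.backend_calls)
```

With this design a password that has been changed or revoked at the backend keeps authenticating from the cache until the entry expires or is replaced by a successful login with the new password, so the timeout is the upper bound on how long a stale credential stays usable.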
DBERROR: archive
I get these recurring lines in log:

Jan 9 15:08:27 tuba ctl_cyrusdb[28368]: checkpointing cyrus databases
Jan 9 15:08:27 tuba ctl_cyrusdb[28368]: DBERROR: archive /var/imap/db: cyrusdb error
Jan 9 15:08:27 tuba ctl_cyrusdb[28368]: done checkpointing cyrus databases

I am running NetBSD 1.6, I installed cyrus-imap-2.1.9 via the packages collection feature of Netbsd. The auto build configured cyrus-imap as follows:

# ./configure --with-cyrus-user=cyrus --with-cyrus-group=mail --with-cyrus-prefix=/usr/pkg/cyrus --with-statedir=/var/run --with-dbdir=/usr/pkg --with-openssl=/usr --with-sasl=/usr/pkg --without-ucdsnmp --without-notify --without-zephyr --enable-netscapehack --with-libwrap=/usr --with-com_err= --with-auth=unix --without-krb --host=i386--netbsdelf --prefix=/usr/pkg

The imap mailboxes work OK.

One other item I noticed: the /var/imap/db had the files listed below immediately after installation BEFORE any mailbox was created and any mail delivered/picked up. Why did I get a 17 meg db file?

tuba# ls -l
total 11584
-rw--- 1 cyrus mail     8192 Jan 9 14:18 __db.001
-rw--- 1 cyrus mail   270336 Jan 9 14:18 __db.002
-rw--- 1 cyrus mail    98304 Jan 9 14:18 __db.003
-rw--- 1 cyrus mail 17063936 Jan 9 14:18 __db.004
-rw--- 1 cyrus mail    32768 Jan 9 14:18 __db.005
-rw--- 1 cyrus mail   256513 Jan 9 14:19 log.01
tuba#