Re: Problem with RENAME
> On Wed, 5 Nov 2003, Etienne Goyer wrote:
>
>> Hi,
>>
>> On the system I work, it is being considered to backup mailbox instead of destroying them when a user is deleted from the system. The idea is that instead of deleting the mailbox, it would be moved somewhere else, possible to be restored. I know I could just dump the mailbox somewhere and delete it within Cyrus, but I would prefer to do this within IMAP.
>>
>> When logged on as an admin, here is what I get when trying to RENAME a top-level mailbox to a special backup mailbox :
>>
>>   * OK mail Cyrus IMAP4 v2.1.13 server ready
>>   . login admin *
>>   . OK User logged in
>>   . rename user.gwb user.backup.gwb
>>   . NO Operation is not supported on mailbox
>>
>> admin have ACL lrswipcda on both user.gwb and user.backup. If this is of any importance, this is being done in a Murder.
>>
>> What does the Operation is not supported on mailbox mean ? Is there any other way to achieve the same result ?
>>
>> Thanks for your insight !
>
> Cyrus 2.1.x does not support renaming user.xxx mailboxes. I don't know if Cyrus 2.2.x does or not.
>
> I've written a pair of perl scripts that we use here when someone asks to have their username changed. One script copies a mailbox to a new mailbox. The other script deletes a mailbox. I'm willing to share these scripts if there is interest.

I'd be interested to put them into contrib in my rpms, if the license permits it.

Simon

> Andy
Re: map of authentication methods for cyrus
Hi Craig, I just wanted to say that such a 'big picture' is VERY useful. One picture says more than thousand words. Thanks, Simon I posted a little while ago with a graphical map of the Cyrus authentication methods - missing the Mechanism layer completely. I think I have a better understanding of that now, and have updated the document appropriately. Comments would be appreciated. I'm about as far from an expert on Cyrus as there is, so apologies if I'm dead wrong about something. I do think that a document like this will be useful in showing people how things fit together, and the various different paths through which Cyrus can handle authentication/authorization . There are enough of them, after all ;-) Later I'd like to collect and document some common working configurations for the wiki, if folks are OK with that. I suspect that the majority of users, at least Linux/BSD users, will probably want to either hook Cyrus up to their existing PAM setup or plug it directly into an LDAP directory. (If LDAP can be used for authentication against MS Active Directory, that's cool ... otherwise NTLM will probably be another common config). A few starting-point configs might be very useful here, including an end-to-end explanation of how things fit together. I plan to write up my config here (cyrus-sasl-saslauthd-pam-ldap) as an example to start things off. Again, of course, this is only if it's likely to be useful and if people think it's a good idea. Anyway, the updated diagram is at: http://www.postnewspapers.com.au/~craig/cyrus_authentication_map.pdf http://www.postnewspapers.com.au/~craig/cyrus_authentication_map.sxd It's not an explanation of Cyrus's authentication on it's own, but should be informative in combination with the existing docs. As I personally found the hardest part about Cyrus to be figuring out how all the various bits of the auth scheme fit together, perhaps this can help others with that. Craig Ringer
Re: Problem with RENAME
- Original Message -
From: Andrew Morgan [EMAIL PROTECTED]
To: Etienne Goyer [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, November 06, 2003 5:28 AM
Subject: Re: Problem with RENAME

> On Wed, 5 Nov 2003, Etienne Goyer wrote:
>
>> Hi,
>>
>> On the system I work, it is being considered to backup mailbox instead of destroying them when a user is deleted from the system. The idea is that instead of deleting the mailbox, it would be moved somewhere else, possible to be restored. I know I could just dump the mailbox somewhere and delete it within Cyrus, but I would prefer to do this within IMAP.
>>
>> When logged on as an admin, here is what I get when trying to RENAME a top-level mailbox to a special backup mailbox :
>>
>>   * OK mail Cyrus IMAP4 v2.1.13 server ready
>>   . login admin *
>>   . OK User logged in
>>   . rename user.gwb user.backup.gwb
>>   . NO Operation is not supported on mailbox
>>
>> admin have ACL lrswipcda on both user.gwb and user.backup. If this is of any importance, this is being done in a Murder.
>>
>> What does the Operation is not supported on mailbox mean ? Is there any other way to achieve the same result ?
>>
>> Thanks for your insight !
>
> Cyrus 2.1.x does not support renaming user.xxx mailboxes. I don't know if Cyrus 2.2.x does or not.
>
> I've written a pair of perl scripts that we use here when someone asks to have their username changed. One script copies a mailbox to a new mailbox. The other script deletes a mailbox. I'm willing to share these scripts if there is interest.
>
> Andy

Cyrus 2.2.2 BETA supports mailbox deletion. in /etc/imapd.conf

  allowusermoves: yes

I tested it and it works. I don't know if it can cater sieve scripts.

Patrick
Re: Problem with RENAME
- Original Message - From: Simon Matter [EMAIL PROTECTED] To: Andrew Morgan [EMAIL PROTECTED] Cc: Etienne Goyer [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Thursday, November 06, 2003 3:58 PM Subject: Re: Problem with RENAME On Wed, 5 Nov 2003, Etienne Goyer wrote: Hi, On the system I work, it is being considered to backup mailbox instead of destroying them when a user is deleted from the system. The idea is that instead of deleting the mailbox, it would be moved somewhere else, possible to be restored. I know I could just dump the mailbox somewhere and delete it within Cyrus, but I would prefer to do this within IMAP. When logged on as an admin, here is what I get when trying to RENAME a top-level mailbox to a special backup mailbox : * OK mail Cyrus IMAP4 v2.1.13 server ready . login admin * . OK User logged in . rename user.gwb user.backup.gwb . NO Operation is not supported on mailbox admin have ACL lrswipcda on both user.gwb and user.backup. If this is of any importance, this is being done in a Murder. What does the Operation is not supported on mailbox mean ? Is there any other way to achieve the same result ? Thanks for your insight ! Cyrus 2.1.x does not support renaming user.xxx mailboxes. I don't know if Cyrus 2.2.x does or not. I've written a pair of perl scripts that we use here when someone asks to have their username changed. One script copies a mailbox to a new mailbox. The other script deletes a mailbox. I'm willing to share these scripts if there is interest. I'd be interested to put them into contrib in my rpms, if the license permits it. Simon Andy What about sieve script? If the perl script can move script and compile it, it is useful. Best Regards Patrick Tsang
Re: digest-md5 problems with imapd, saslauthd and openldap
Some delving into the tangled mess that is documentation, the mailing lists, and the Cyrus wiki, has taught me the following:

* saslauthd can't do digest type authentications. OK, this seems to be a genuine design restriction
* imapd falls back to using sasldb access if digest authentication is tried
* Getting sasl to use an auxprop method that calls an LDAP server is possible, but tricky. Various patches exist, but are non trivial to install and configure.

Some other things the developers might wish to consider:

* More debugging output IN THE LOGS when an unconfigured authentication mechanism is attempted, rather than falling back to sasldb.
* Overhauling the docs, to make sure everything in the code is in the docs, and everything in the docs is still in the code.
* Making saslpasswd2 work properly. I get error logs full of

    Nov 6 09:32:54 4.5 fermat saslpasswd2: Couldn't update db

  and

    Nov 6 09:32:15 4.5 fermat imapd[15755]: no user in db

* Integrating the current LDAP auxprop patches into the core code

My options seem to be:

* Not bother with digest authentication at all for now
* Struggle with patches, and get an auxprop method configured that looks up plain text passwords from my LDAP server, and uses these in digest authentication
* Write a perl script that takes my LDAP plaintext password data and creates sasldb entries as needed. Hack hack hackity-hack.

Advice and opinions welcome.

Jon

On Wed, 5 Nov 2003, Jon Wilson wrote:

> I am having trouble getting Cyrus Imapd to authenticate properly against an OpenLDAP database when using digest-md5 authentication.
> I have the following software installed on FreeBSD 4.8 (from the ports collection):
>
>   openldap-server-2.1.22
>   cyrus-imapd-2.1.15
>   cyrus-sasl-2.1.15
>   cyrus-sasl-saslauthd-2.1.15 (compiled with LDAP support)
>
> My imapd.conf file has the following:
>
>   sasl_pwcheck_method: saslauthd
>
> My saslauthd.conf file has:
>
>   ldap_servers: ldap://127.0.0.1/
>   ldap_bind_dn: cn=Manager,dc=mydomain,dc=com
>   ldap_bind_pw: XX
>   ldap_auth_method: custom
>   ldap_password_attr: mailPassword
>   ldap_filter: mailLocalAddress=%u
>   ldap_search_base: dc=mydomain,dc=com
>
> I start the saslauthd daemon with flags -a ldap.
>
> A sample LDAP record looks like this:
>
>   dn: cn=Jon Wilson,dc=mydomain,dc=com
>   ou: employees
>   cn: Jon Wilson
>   mail: [EMAIL PROTECTED]
>   givenname: Jon
>   sn: Wilson
>   objectClass: top
>   objectClass: inetOrgPerson
>   objectClass: inetLocalMailRecipient
>   objectClass: mydomainPerson
>   mailLocalAddress: itjpw
>   mailPassword: test
>
> Essentially mailLocalAddress and mailPassword are the tokens used for any mail authentication. I am using them successfully to allow relaying for remote authenticated users on our Exim SMTP server.
>
> Now, here's where it gets interesting. Firstly, I start both the saslauthd and OpenLdap's slapd in debugging mode, so I can see what is going on. Then I try the following:
>
>   imtest -a itjpw -m login localhost
>
> This logs me in successfully with the password 'test'. Using the plain login mechanism also works. During these tests I can see the saslauthd and openldap happily doing the right thing.
> Now I try:
>
>   [EMAIL PROTECTED] itjpw]$ imtest -s -a itjpw -m digest-md5 localhost
>   verify error:num=19:self signed certificate in certificate chain
>   TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
>   S: * OK mailtest.mydomain.com Cyrus IMAP4 v2.1.15 server ready
>   C: C01 CAPABILITY
>   S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=NTLM AUTH=LOGIN AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5
>   S: C01 OK Completed
>   C: A01 AUTHENTICATE DIGEST-MD5
>   S: + bm9uY2U9IlFSV3c2RUJyN0RDbHF6VUpBQ0wyT05TVjltV2dYVnh4MDF2enUzclZSNWM9IixyZWFsbT0ibWFpbHRlc3QudWsuYXNwZXh0ZWNobm9sb2d5LmNvbSIscW9wPSJhdXRoIixtYXhidWY9NDA5NixjaGFyc2V0PXV0Zi04LGFsZ29yaXRobT1tZDUtc2Vzcw==
>   Please enter your password:
>   C: dXNlcm5hbWU9Iml0anB3IixyZWFsbT0ibWFpbHRlc3QudWsuYXNwZXh0ZWNobm9sb2d5LmNvbSIsbm9uY2U9IlFSV3c2RUJyN0RDbHF6VUpBQ0wyT05TVjltV2dYVnh4MDF2enUzclZSNWM9Iixjbm9uY2U9Ild3dnJpWUREc1pFK0hHODVWZFEvTlhnZm1pQlh4VmJJamhqdWZGN1BuWUk9IixuYz0wMDAwMDAwMSxxb3A9YXV0aCxtYXhidWY9MTAyNCxkaWdlc3QtdXJpPSJpbWFwL2xvY2FsaG9zdCIscmVzcG9uc2U9N2E1NzA3OWM1MzgxYWU5ZDkxNDExYzE0MzQxZWUzYmI=
>   S: A01 NO user not found
>   Authentication failed. generic failure
>   Security strength factor: 256
>
> The same thing happens when I try to use cram-md5 as the mechanism. During both these tests, the saslauthd and openldap daemons appear to be doing nothing at all. Zilch, nothing, nada.
>
> Questions:
>
> (1) How can I get saslauthd to correctly process digest-md5 IMAP logins?
> (2) Do I need a different format for the mailPassword LDAP entry (e.g. something like mailPassword: {MD5}ad23d23d2d2= ). If so, what format?
> (3) Is there a better way of doing this? I have to use
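The restriction discussed in this message (saslauthd only checks a plaintext password, while DIGEST-MD5 must be verified from a stored secret) can be seen in the server-side check itself. The following is an added example, not code from the thread or from Cyrus SASL; the store layout and function names are hypothetical, and the sample exchange is the published RFC 2831 example rather than the session above.

```python
import hashlib
import hmac
import re

def user_secret(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password). The server must hold this (or the
    plaintext password) to verify DIGEST-MD5; a daemon that is only ever
    handed a password to check has nothing to compute it from."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()

def expected_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                      digest_uri: str, qop: str = "auth") -> str:
    """RFC 2831 response value for algorithm=md5-sess, qop=auth, no authzid."""
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(a2).hexdigest()
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}"
    return hashlib.md5(kd.encode("utf-8")).hexdigest()

# key=value pairs, value either a quoted string or a bare token
_DIRECTIVE = re.compile(r'([A-Za-z-]+)=("(?:[^"\\]|\\.)*"|[^,]*)')

def parse_directives(text: str) -> dict:
    """Parse the comma-separated directive list found inside the base64 blobs."""
    out = {}
    for key, value in _DIRECTIVE.findall(text):
        if value.startswith('"'):
            value = re.sub(r"\\(.)", r"\1", value[1:-1])  # unquote and unescape
        out[key.lower()] = value
    return out

def verify(store: dict, issued_nonce: str, client_response: str) -> bool:
    """Server-side check of the client's decoded response string.

    store maps (username, realm) -> user_secret(...); it plays the role of
    sasldb or an auxprop lookup (hypothetical layout for this example).
    """
    d = parse_directives(client_response)
    required = ("username", "realm", "nonce", "cnonce", "nc", "digest-uri", "response")
    if any(k not in d for k in required):
        return False
    # Only accept the nonce this server issued, used for the first time.
    if d["nonce"] != issued_nonce or d["nc"] != "00000001":
        return False
    if d.get("qop", "auth") != "auth":
        return False  # auth-int/auth-conf change A2; not handled in this example
    secret = store.get((d["username"], d["realm"]))
    if secret is None:
        return False  # the "user not found" case seen in the session above
    want = expected_response(secret, d["nonce"], d["cnonce"], d["nc"], d["digest-uri"])
    return hmac.compare_digest(want.encode(), d["response"].lower().encode())

# Sample exchange from RFC 2831 section 4 (user "chris", password "secret").
RFC_NONCE = "OA6MG9tEQGm2hh"
RFC_CLIENT_RESPONSE = (
    'charset=utf-8,username="chris",realm="elwood.innosoft.com",'
    'nonce="OA6MG9tEQGm2hh",nc=00000001,cnonce="OA6MHXh6VqTrRk",'
    'digest-uri="imap/elwood.innosoft.com",'
    'response=d388dad90d4bbd760a152321f2143af7,qop=auth'
)
STORE = {("chris", "elwood.innosoft.com"):
         user_secret("chris", "elwood.innosoft.com", "secret")}

if __name__ == "__main__":
    print("verified:", verify(STORE, RFC_NONCE, RFC_CLIENT_RESPONSE))
```

Because the stored value is password-equivalent for that realm, whatever backs the store needs the same protection as a plaintext password file.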
Re: Large deliver.db file
On Tue, 4 Nov 2003, Igor Brezac wrote: Is your deliver.db continually growing? Yes it is. In just a couple of days it has grown from 180M to 195M -- Leena Heino University of Tampere / Computer Centre ( liinu at uta.fi ) ( http://www.uta.fi/laitokset/tkk )
RE: Cyrus-SASL-WINBIND/KERBEROS
Samba services are the only thing that work at the present. I do have saslauthd with PAM. I did create a config file in pam.d. It follows:

  linux:/etc/pam.d # cat saslauthd
  auth required /lib/security/pam_env.so
  auth sufficient /lib/security/pam_winbind.so
  auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
  auth required /lib/security/pam_deny.so
  account sufficient /lib/security/pam_winbind.so
  account required /lib/security/pam_unix.so
  password required /lib/security/pam_cracklib.so retry=3
  password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
  password required /lib/security/pam_deny.so
  session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
  session required /lib/security/pam_limits.so
  session required /lib/security/pam_unix.so
  linux:/etc/pam.d #

-Original Message-
From: Wil Cooley [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 05, 2003 8:14 PM
To: Tim Branson
Cc: '[EMAIL PROTECTED]'
Subject: Re: Cyrus-SASL-WINBIND/KERBEROS

On Wed, 2003-11-05 at 08:01, Tim Branson wrote:

> I am trying to do an exchange replacement. I need the clients to be able to use their network names and passwords as the email username and password.
> ...
> I currently have SAMBA automatically authenticating, but SASLAUTH isn't working.

Is saslauthd set to use PAM? Does its PAM configuration use pam_winbind? Do other services than Samba work?

Wil

--
Wil Cooley [EMAIL PROTECTED]
Naked Ape Consulting http://nakedape.cc
* * * * Linux, UNIX, Networking and Security Solutions * * * *
Re: Large deliver.db file
On Thu, 6 Nov 2003, Igor Brezac wrote:

> Your expire process is not running properly. Please see my previous post:
> http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&msg=25637

Thanks for the information. I'll try it as soon as possible. Do you know if this db environment setup problem is fixed in the upcoming BerkeleyDB version 4.2?

-- Leena Heino University of Tampere / Computer Centre ( liinu at uta.fi ) ( http://www.uta.fi/laitokset/tkk )
Re: Problem with RENAME
On Thu, 6 Nov 2003, Simon Matter wrote: I've written a pair of perl scripts that we use here when someone asks to have their username changed. One script copies a mailbox to a new mailbox. The other script deletes a mailbox. I'm willing to share these scripts if there is interest. I'd be interested to put them into contrib in my rpms, if the license permits it. Simon I don't mind at all. These are home grown scripts I wrote, so just consider them public domain. Andy
what to do with skiplist seendb ? (fwd)
Sorry for the noise.. but the first post appears to got lost... Bob Forwarded Message Date: donderdag 6 november 2003 14:44 +0100 From: Bob Tito [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: what to do with skiplist seendb ? Hi, I converted the seen db's to skiplist for cyrus-imap 2.1.15. All went ok, and seems to work just fine ;-) on question though, do i need to create an event in cyrus.conf for maintenance on these files ? If so.. what, i seem to have missed it in the docs ... best regards, Bob -- Bob Tito -- End Forwarded Message -- -- Bob Tito
Re: map of authentication methods for cyrus
On Thu, 6 Nov 2003, Craig Ringer wrote:

> I'm about as far from an expert on Cyrus as there is, so apologies if I'm dead wrong about something. I do think that a document like this will be useful in showing people how things fit together, and the various different paths through which Cyrus can handle authentication/authorization . There are enough of them, after all ;-)

This is much better. I'd probably put the mechanisms outside of the libsasl box, since they are (almost always) loaded dynamically. NTLM can use either Windows NT networking or the auxprop plugins. GSSAPI/KERBEROS_V4 rely on the Kerberos Domain Controllers (KDC).

You should probably add these links to the wiki. Directly attaching the files would be even better.

> Later I'd like to collect and document some common working configurations for the wiki, if folks are OK with that. I suspect that

There is already a section for this, so it is definitely encouraged:
http://asg.web.cmu.edu/twiki/bin/view/Cyrus/SampleCyrusConfigurations

> the majority of users, at least Linux/BSD users, will probably want to either hook Cyrus up to their existing PAM setup or plug it directly into an LDAP directory. (If LDAP can be used for authentication against MS Active Directory, that's cool ... otherwise NTLM will probably be another common config). A few starting-point configs might be very useful here, including an end-to-end explanation of how things fit together. I plan to write up my config here (cyrus-sasl-saslauthd-pam-ldap) as an example to start things off.

I'd discourage people from using pam if they can at all avoid it. Certainly going saslauthd-pam-ldap is pretty questionable given that saslauthd has an internal LDAP module.

-Rob

> Anyway, the updated diagram is at:
> http://www.postnewspapers.com.au/~craig/cyrus_authentication_map.pdf
> http://www.postnewspapers.com.au/~craig/cyrus_authentication_map.sxd
>
> It's not an explanation of Cyrus's authentication on its own, but should be informative in combination with the existing docs. As I personally found the hardest part about Cyrus to be figuring out how all the various bits of the auth scheme fit together, perhaps this can help others with that.
>
> Craig Ringer

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
Re: what to do with skiplist seendb ? (fwd)
On Thu, 6 Nov 2003, Bob Tito wrote:

> I converted the seen db's to skiplist for cyrus-imap 2.1.15. All went ok, and seems to work just fine ;-) on question though, do i need to create an event in cyrus.conf for maintenance on these files ? If so.. what, i seem to have missed it in the docs ...

You don't need anything new in cyrus.conf that you didn't need for flat or berkeley (a ctl_cyrusdb -r in the START section and a ctl_cyrusdb -c in the EVENTS section should be standard for *all* cyrus installations).

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
Re: what to do with skiplist seendb ? (fwd)
--On donderdag 6 november 2003 12:09 -0500 Rob Siemborski [EMAIL PROTECTED] wrote: On Thu, 6 Nov 2003, Bob Tito wrote: I converted the seen db's to skiplist for cyrus-imap 2.1.15. All went ok, and seems to work just fine ;-) on question though, do i need to create an event in cyrus.conf for maintenance on these files ? If so.. what, i seem to have missed it in the docs ... You don't need anything new in cyrus.conf that you didn't need for flat or berkeley (a ctl_cyrusdb -r in the START section and a ctl_cyrusdb -c in the EVENTS section should be standard for *all* cyrus installations). Thanks Rob, i just wanted to be sure ;-) I could imagine a change in this moving from a plain file to a database file, but then again a notice would have been in the upgrade docs ... Best regards, Bob -Rob -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456 Research Systems Programmer * /usr/contributed Gatekeeper -- Bob Tito
Re: sendmail-8.12.6+cyrus-imapd-2.0.17: check presence of the cyrus mailbox during establishing SMTP connection
Ken Murchison wrote: Igor Brezac wrote: On Wed, 5 Nov 2003, Andrzej Filip wrote: Igor Brezac wrote: On Wed, 5 Nov 2003, Andrzej Filip wrote: Igor Brezac wrote: On Tue, 4 Nov 2003, Andrzej Filip wrote: [...]

I also thought that virtusertable like solutions [periodic dump of cyrus mailbox data into existing sendmail databases] are the best but most people had wanted real time synchronization.

True, this would be a long way of doing things. Shell/perl/web/etc scripts can automate the process of managing cyrus mboxlist and sendmail maps simultaneously thus keeping the two databases in sync real time.

IMHO making cyrus daemon servicing also simple tcp based map protocol (to be introduced in sendmail 8.13) is a better way.

I bet it :) In my opinion it is better if it does more than just the mbox verification. I'd like to see the quota check as well.

The current protocol specification allows only passing one parameter (key) queries e.g. mailbox name. I am going to try make it capable to pass multiple parameters queries e.g. mailbox name, SIZE= parameter. It would be nice to allow interaction with sieve rules at RCPT TO: stage. [it seems to be possible from sendmail's perspective]

I am not sure if the map protocol allows for multiple return codes rather than just yes/no type answer. Then there is the performance consideration, I would hope that the map protocol allows for a persistent tcp connection.

* return codes

  quote
  The status indicator is one of the following upper case words:
    OK        the key was found, result contains the looked up value
    NOTFOUND  the key was not found, the result is empty
    TEMP      a temporary failure occured
    TIMEOUT   a timeout occured on the server side
    PERM      a permanent failure occured
  /quote

* current map protocol uses TCP connections (one tcp connection per one sendmail process). I hope UDP (connectionless) transport will be supported too.

PERM/TEMP can be used for 'over quota' situations and it should be parameter driven (similar to the way lmtpd deals with over quota).

I could probably write this service in a couple hours given its simplicity, but I have a few of questions:

All the answers below are from sendmail perspective.

- What would the map name be? cyrus? Would it ever change? Can people envision different types of maps that this daemon would have to support?

cyrus seems to be good default name. Let us start with mailbox presence checking. Next version may also:

* check if mailbox will accept message of given size based on SIZE= parameter of MAIL FROM:
* take into account who successfully authenticated SMTP session [it can make some folders accessible]
* apply some sieve reject rules based on envelope sender and sending host

I personally think that the best way will be to add a few new lines to sendmail.cf for handling the queries result. Some comments about using socketmap in maps already supported in sendmail.cf:

* virtusertable map will ask too many needless queries [IMHO first [EMAIL PROTECTED] will be sufficient from cyrus perspective]
* user map will strip domain part from recipient address

- Is the key always the RCPT TO address, including +detail info, or does Sendmail strip this before doing the map lookup?

It will be easy to make sendmail.cf deliver whatever you like in this matter

- How do we handle lookups of public mailboxes? Always return OK?

Return OK they are ready to accept anonymous append

- I assume that the mapping would be a noop, we just spit out the input if the user exists and is under quota.

  accepted = OK key-as-it-was OR OK %0
  rejected = NOTFOUND

P.S. I hope to make sendmail.org use slightly different protocol in the public release e.g.

* making the query packet contain multiple parameters [ now it is map name and single parameter/key]
* making it accept connection less transport (UDP)

-- Andrzej [plen: Andrew] Adam Filip http://www.polbox.com/a/anfi/ [EMAIL PROTECTED] [EMAIL PROTECTED] [former: [EMAIL PROTECTED]
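The lookup service sketched in this message, as an added example (not code from the thread, from Cyrus or from sendmail): it answers a `cyrus` map query with the status words quoted above. Assumptions: requests and replies are framed as netstrings, as sendmail's socketmap map type does (the framing is not described in the thread); the mailbox table, quota figures and function names are constructed for illustration.

```python
import re

MAX_REQUEST = 1024  # refuse oversized requests instead of buffering them

# Constructed sample data standing in for the Cyrus mailbox list and quotas.
MAILBOXES = {
    "user.gwb": {"used_kb": 900, "limit_kb": 1000},
    "user.itjpw": {"used_kb": 1000, "limit_kb": 1000},  # at quota
}

# Restrict local parts so a key cannot name another level of the hierarchy.
_LOCAL_PART = re.compile(r"[a-z0-9_-]+")

def encode_netstring(payload: bytes) -> bytes:
    """Frame payload as '<len>:<payload>,'."""
    return str(len(payload)).encode("ascii") + b":" + payload + b","

def decode_netstring(data: bytes) -> bytes:
    """Return the payload of exactly one netstring, or raise ValueError."""
    head, sep, rest = data.partition(b":")
    if not sep or not head.isdigit() or len(head) > 4:
        raise ValueError("bad length prefix")
    length = int(head)
    if length > MAX_REQUEST or len(rest) != length + 1 or rest[-1:] != b",":
        raise ValueError("bad netstring")
    return rest[:-1]

def mailbox_for(key: str):
    """Map a RCPT TO key to a mailbox name, dropping domain and +detail."""
    local = key.split("@", 1)[0].split("+", 1)[0].lower()
    return "user." + local if _LOCAL_PART.fullmatch(local) else None

def answer(map_name: str, key: str, over_quota_status: str = "TEMP") -> str:
    """Build the '<status> <result>' reply for one lookup."""
    if map_name != "cyrus":
        return "PERM unknown map"
    mailbox = mailbox_for(key)
    entry = MAILBOXES.get(mailbox) if mailbox else None
    if entry is None:
        return "NOTFOUND "  # empty result
    if entry["used_kb"] >= entry["limit_kb"]:
        # TEMP or PERM is a site decision, as suggested in the thread.
        return f"{over_quota_status} over quota"
    return "OK " + key  # "key-as-it-was"

def handle(request: bytes) -> bytes:
    """Turn one framed request ('<map> <key>') into one framed reply."""
    try:
        payload = decode_netstring(request).decode("utf-8")
        map_name, key = payload.split(" ", 1)
    except ValueError:  # bad framing, bad UTF-8, or no space separator
        reply = "PERM malformed request"
    else:
        reply = answer(map_name, key)
    return encode_netstring(reply.encode("utf-8"))

if __name__ == "__main__":
    for query in (b"cyrus gwb+lists@example.com", b"cyrus nobody@example.com",
                  b"cyrus itjpw", b"other gwb"):
        print(query, "->", handle(encode_netstring(query)))
```

A real daemon would wrap `handle` in a socket loop and consult the live mailbox list; the reply logic and input validation are the part shown here.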
Site-wide Sieve script
Hello, I am using spamassassin to to tag spam and would like to file the spam in users INBOX/Spam folder. Is it possible to have a site-wide sieve script which will filter all the incoming mails, and be called before the per user sieve scripts. This would save users the hassle of explicitly invoking the anti-spam sieve script, to file spam when they first sign-in. will appreciate insights by sys admins already using spamassassin to filter spam, and file it in spam folder. Regards Sarwar Ansari
Re: sendmail-8.12.6+cyrus-imapd-2.0.17: check presence of the cyrus mailbox during establishing SMTP connection
On Thu, 6 Nov 2003, Andrzej Filip wrote:

>> - What would the map name be? cyrus? Would it ever change? Can people envision different types of maps that this daemon would have to support?
>
> cyrus seems to be good default name. Let us start with mailbox presence checking.

I agree.

> Next version may also:
> * check if mailbox will accept message of given size based on SIZE= parameter of MAIL FROM:
> * take into account who successfully authenticated SMTP session [it can make some folders accessible]
> * apply some sieve reject rules based on envelope sender and sending host

This last one might be very hard, especially if rules are based half off an envelope bit and half off a header bit. I wouldn't want to think of trying to run a sieve interpreter with limited information.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
Re: Site-wide Sieve script
On Fri, 7 Nov 2003, Sarwar Ansari wrote:

> I am using spamassassin to to tag spam and would like to file the spam in users INBOX/Spam folder. Is it possible to have a site-wide sieve script which will filter all the incoming mails, and be called before the per user sieve scripts.

No.

> This would save users the hassle of explicitly invoking the anti-spam sieve script, to file spam when they first sign-in. will appreciate insights by sys admins already using spamassassin to filter spam, and file it in spam folder.

It also might have weird interactions with a user's script. What if the user's script executes a discard/reject but yours executes a fileinto? Certainly what the user expects may not be exactly what happens.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
Re: Site-wide Sieve script
No site-wide sieve scripts. I set up SpamAssassin so it only adds an X-Spam-Status and spam score headers to each message. That way, by default SA is completely transparent to the users, no action is taken by default except adding that header. I also set up a cgi interface for sieve (similar to the one included with SquirrelMail). Then I put up a web page accessible to users who want spam control, with instructions for setting up their own sieve filters, and a link to the sieve cgi. That way, they can choose the spam score that they want to filter on, they can choose whether to discard it, or file it into a folder to periodically check for false positives (recommended). The users also have the option of using filters built into their mail client if they would rather not use sieve. The biggest advantage to this setup from my point of view is that if there are any lost messages the users can't blame us. :-) So far, it has been a success, despite the fact that spammers have been getting better at dodging SpamAssassin lately. I'm currently using Mozilla 1.4's built-in bayes filter to catch the spam that gets past SA. -Jules Agee Sarwar Ansari wrote: Hello, I am using spamassassin to to tag spam and would like to file the spam in users INBOX/Spam folder. Is it possible to have a site-wide sieve script which will filter all the incoming mails, and be called before the per user sieve scripts. This would save users the hassle of explicitly invoking the anti-spam sieve script, to file spam when they first sign-in. will appreciate insights by sys admins already using spamassassin to filter spam, and file it in spam folder. Regards Sarwar Ansari -- Jules Agee System Administrator Pacific Coast Feather Co. [EMAIL PROTECTED] x284
Re: sendmail-8.12.6+cyrus-imapd-2.0.17: check presence of the cyrus mailbox during establishing SMTP connection
Rob Siemborski wrote:

> On Thu, 6 Nov 2003, Andrzej Filip wrote:
>
>>> - What would the map name be? cyrus? Would it ever change? Can people envision different types of maps that this daemon would have to support?
>>
>> cyrus seems to be good default name. Let us start with mailbox presence checking.
>
> I agree.
>
>> Next version may also:
>> * check if mailbox will accept message of given size based on SIZE= parameter of MAIL FROM:
>> * take into account who successfully authenticated SMTP session [it can make some folders accessible]
>> * apply some sieve reject rules based on envelope sender and sending host
>
> This last one might be very hard, especially if rules are based half off an envelope bit and half off a header bit. I wouldn't want to think of trying to run a sieve interpreter with limited information.

Would not it be possible to interpret only heading sieve rules which reject message based on info available at RCPT TO: point ? First non reject or need information not available yet sieve rule would stop envelope based sieve rules interpretation. [ Reject what you know for sure you will reject later - ASAP reject ]

It would be nice to allow sieve reject messages before message body is received. IMHO it is worth to investigate achievable gain/cost.

-- Andrzej [plen: Andrew] Adam Filip http://www.polbox.com/a/anfi/ [EMAIL PROTECTED] [EMAIL PROTECTED] [former: [EMAIL PROTECTED]
Mailbox
Hi,

I created a mailbox nzhang by

1. cyradm localhost
2. cm user.nzhang
3. quit
4. saslpasswd nzhang

I could add the imap server and see the nzhang\inbox. When I tried sending mail to nzhang

  # mail nzhang
  # Subject: Test 1
  # Hello
  # .
  # CC

But I don't see nzhang created under /var/spool/mail. I did set mail_spool_directory = /var/spool/mail in /etc/postfix/main.cf.

Is there something trivial that I'm missing? Do I need smtpd.conf (I can't find this file)? Won't postfix take care of mail transfer?

  mail_transport = lmtp:$myhostname

Regards,
Norman
Re: map of authentication methods for cyrus
This is much better. I'd probably put the mechanisms outside of the libsasl box, since they are (almost always) loaded dynamicly. OK. NTLM can use either Windows NT networking or the auxprop plugins. I don't quite get you there. I'll have a deeper look into the NTLM support and see if I get a better understanding of it. GSSAPI/KERBEROS_V4 rely on the Kerberos Domain Controllers (KDC). Yeah. I left that off because it seemed pretty obvious, but p'haps it's best included. You should probably add these links to the wiki. Directly attaching the files would be even better. Sure. I'll do that, I just wanted to make sure it was going to be complete and accurate first. Later I'd like to collect and document some common working configurations for the wiki, if folks are OK with that. I suspect that There is already a section for this, so it is definately encouraged: http://asg.web.cmu.edu/twiki/bin/view/Cyrus/SampleCyrusConfigurations Sure. I'll collect things up and write it up in a bit. I'd discourage people from using pam if they can at all avoid it. Certainly going saslauthd-pam-ldap is pretty questionable given that saslauthd has an internal LDAP module. I personally like using PAM because it lets me centralise my authentication setup to one place, yet it's flexible enough to handle different needs for different apps. I like being able to use multiple sources of user information (it's handy when transitioning things). As it happens, I don't currently use anything but LDAP, but the flexibility is nice. As my Cyrus host doesn't have a high mail load, and has a lot of other roles as well, it's been useful to be able to just link Cyrus into the main LDAP config. To be honest, I used pam-ldap simply because I already had libpam_ldap working happily and it was easy to integrate Cyrus into it. If I spot some good documentation on the use of saslauthd's LDAP support I'll try it out. I'd be interested in your reasons for avoiding PAM though. Craig Ringer
Re: digest-md5 problems with imapd, saslauthd and openldap
* imapd falls back to using sasldb access if digest authentication is tried IMHO that calls for a FAQ entry. I'm trying to use saslauthd, and cyrus keeps on complaining that it can't read the SASL db - what's wrong?. * Getting sasl to use an auxprop method that calls an LDAP server is possible, but tricky. Various patches exist, but are non trivial to install and configure. OK, I may be totally wrong here but I thought LDAP authentication was normally done by logging in to the LDAP server with the user's name and password. As such, you shouldn't have permission to read the user's password off the LDAP server. I guess you could add a user 'cyrus' to the LDAP server with permission to read passwords if you wanted to use digest authentication types, though. * Not bother with digest authentication at all for now I'd love to use it personally. I have concerns about giving read access to passwords to anything, though. Does anybody here have an opinion on kerberizing the network so that slapd, cyrus etc just use kerberos? Craig Ringer
Re: map of authentication methods for cyrus
Craig Ringer wrote: This is much better. I'd probably put the mechanisms outside of the libsasl box, since they are (almost always) loaded dynamically. OK. NTLM can use either Windows NT networking or the auxprop plugins. I don't quite get you there. I'll have a deeper look into the NTLM support and see if I get a better understanding of it. The NTLM plugin can either pull the user's password out of an auxprop plugin and generate/verify the challenges/responses itself (like CRAM-MD5, DIGEST-MD5), or it can proxy the challenge/responses between the client and an actual NT/Win2K/Samba server. -- Kenneth Murchison Oceana Matrix Ltd. Software Engineer 21 Princeton Place 716-662-8973 x26 Orchard Park, NY 14127 --PGP Public Key--http://www.oceana.com/~ken/ksm.pgp
Re: sendmail-8.12.6+cyrus-imapd-2.0.17: check presence of the cyrus mailbox during establishing SMTP connection
On Fri, 7 Nov 2003, Andrzej Filip wrote: Rob Siemborski wrote: On Thu, 6 Nov 2003, Andrzej Filip wrote: - What would the map name be? cyrus? Would it ever change? Can people envision different types of maps that this daemon would have to support? cyrus seems to be good default name. Let us start with mailbox presence checking. I agree. Next version may also: * check if mailbox will accept message of given size based on SIZE= parameter of MAIL FROM: * take into account who successfully authenticated SMTP session [it can make some folders accessible] * apply some sieve reject rules based on envelope sender and sending host This last one might be very hard, especially if rules are based half off an envelope bit and half off a header bit. I wouldn't want to think of trying to run a sieve interpreter with limited information. Would not it be possible to interpret only heading sieve rules which reject message based on info available at RCPT TO: point ? First non reject or need information not available yet sieve rule would stop envelope based sieve rules interpretation. [ Reject what you know for sure you will reject later - ASAP reject ] It would be nice to allow sieve reject messages before message body is received. IMHO it is worth to investigate achievable gain/cost. This would be nice, but as much as sendmail 'abuses' these maps I wonder if busier sites would be able to use such maps. -- Igor
Re: Mailbox
Norman Zhang [EMAIL PROTECTED] wrote: Hi, I created a mailbox nzhang by 1. cyradm localhost 2. cm user.nzhang 3. quit 4. saslpasswd nzhang Err it should be saslpasswd2 - otherwise you are using a SASLv1 linked imap server, e.g. Cyrus 1.6.x... But I don't see nzhang created under /var/spool/mail. I did set mail_spool_directory = /var/spool/mail in /etc/postfix/main.cf. Is there something trivial that I'm missing? Do I need smtpd.conf (I can't find this file)? Won't postfix take care of mail transfer? mail_transport = lmtp:$myhostname No... Use fallback_transport = lmtp:unix:/path/to/your/lmtp/socket/lmtp if you want to get mail delivered in your cyrus imap spool and local unix users will still have their /var/spool/mail-Files. The Cyrus mail system does NOT use normal mailfiles, it has its own spool. Pascal