Re: Problem with RENAME

2003-11-06 Thread Simon Matter


 On Wed, 5 Nov 2003, Etienne Goyer wrote:

 Hi,

 On the system I work, it is being considered to backup mailbox instead
 of destroying them when a user is deleted from the system.  The idea is
 that instead of deleting the mailbox, it would be moved somewhere else,
 possible to be restored.  I know I could just dump the mailbox somewhere
 and delete it within Cyrus, but I would prefer to do this within IMAP.

 When logged on as an admin, here is what I get when trying to RENAME a
 top-level mailbox to a special backup mailbox :

 * OK mail Cyrus IMAP4 v2.1.13 server ready
 . login admin *
 . OK User logged in
 . rename user.gwb user.backup.gwb
 . NO Operation is not supported on mailbox


 admin have ACL lrswipcda on both user.gwb and user.backup.  If this is
 of any importance, this is being done in a Murder.

 What does the Operation is not supported on mailbox mean ?  Is there
 any other way to achieve the same result ?

 Thanks for your insight !

 Cyrus 2.1.x does not support renaming user.xxx mailboxes.  I don't know if
 Cyrus 2.2.x does or not.

 I've written a pair of perl scripts that we use here when someone asks to
 have their username changed.  One script copies a mailbox to a new
 mailbox.  The other script deletes a mailbox.  I'm willing to share these
 scripts if there is interest.

I'd be interested to put them into contrib in my rpms, if the license
permits it.

Simon


   Andy






Re: map of authentication methods for cyrus

2003-11-06 Thread Simon Matter
Hi Craig,

I just wanted to say that such a 'big picture' is VERY useful. One picture
says more than a thousand words.

Thanks,
Simon

 I posted a little while ago with a graphical map of the Cyrus
 authentication methods - missing the Mechanism layer completely.
 I think I have a better understanding of that now, and have
 updated the document appropriately. Comments would be appreciated.

 I'm about as far from an expert on Cyrus as there is, so apologies if
 I'm dead wrong about something. I do think that a document like this
 will be useful in showing people how things fit together, and the
 various different paths through which Cyrus can handle
 authentication/authorization . There are enough of them, after all ;-)

 Later I'd like to collect and document some common working
 configurations for the wiki, if folks are OK with that. I suspect that
 the majority of users, at least Linux/BSD users, will probably want to
 either hook Cyrus up to their existing PAM setup or plug it directly
 into an LDAP directory. (If LDAP can be used for authentication against
 MS Active Directory, that's cool ... otherwise NTLM will probably be
 another common config). A few starting-point configs might be very
 useful here, including an end-to-end explanation of how things fit
 together. I plan to write up my config here
 (cyrus-sasl-saslauthd-pam-ldap) as an example to start things off.
 Again, of course, this is only if it's likely to be useful and if people
 think it's a good idea.

 Anyway, the updated diagram is at:

 http://www.postnewspapers.com.au/~craig/cyrus_authentication_map.pdf
 http://www.postnewspapers.com.au/~craig/cyrus_authentication_map.sxd

 It's not an explanation of Cyrus's authentication on its own, but
 should be informative in combination with the existing docs. As I
 personally found the hardest part about Cyrus to be figuring out how all
 the various bits of the auth scheme fit together, perhaps this can help
 others with that.

 Craig Ringer






Re: Problem with RENAME

2003-11-06 Thread Patrick T. Tsang
- Original Message - 
From: Andrew Morgan [EMAIL PROTECTED]
To: Etienne Goyer [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, November 06, 2003 5:28 AM
Subject: Re: Problem with RENAME




 On Wed, 5 Nov 2003, Etienne Goyer wrote:

  Hi,
 
  On the system I work, it is being considered to backup mailbox instead
  of destroying them when a user is deleted from the system.  The idea is
  that instead of deleting the mailbox, it would be moved somewhere else,
  possible to be restored.  I know I could just dump the mailbox somewhere
  and delete it within Cyrus, but I would prefer to do this within IMAP.
 
  When logged on as an admin, here is what I get when trying to RENAME a
  top-level mailbox to a special backup mailbox :
 
  * OK mail Cyrus IMAP4 v2.1.13 server ready
  . login admin *
  . OK User logged in
  . rename user.gwb user.backup.gwb
  . NO Operation is not supported on mailbox
 
 
  admin have ACL lrswipcda on both user.gwb and user.backup.  If this is
  of any importance, this is being done in a Murder.
 
  What does the Operation is not supported on mailbox mean ?  Is there
  any other way to achieve the same result ?
 
  Thanks for your insight !

 Cyrus 2.1.x does not support renaming user.xxx mailboxes.  I don't know if
 Cyrus 2.2.x does or not.

 I've written a pair of perl scripts that we use here when someone asks to
 have their username changed.  One script copies a mailbox to a new
 mailbox.  The other script deletes a mailbox.  I'm willing to share these
 scripts if there is interest.

 Andy



Cyrus 2.2.2 BETA supports mailbox deletion.

in /etc/imapd.conf

allowusermoves: yes

I tested it and it works.
I don't know if it can cater sieve scripts.


Patrick




Re: Problem with RENAME

2003-11-06 Thread Patrick T. Tsang

- Original Message - 
From: Simon Matter [EMAIL PROTECTED]
To: Andrew Morgan [EMAIL PROTECTED]
Cc: Etienne Goyer [EMAIL PROTECTED];
[EMAIL PROTECTED]
Sent: Thursday, November 06, 2003 3:58 PM
Subject: Re: Problem with RENAME


 
 
  On Wed, 5 Nov 2003, Etienne Goyer wrote:
 
  Hi,
 
  On the system I work, it is being considered to backup mailbox instead
  of destroying them when a user is deleted from the system.  The idea is
  that instead of deleting the mailbox, it would be moved somewhere else,
  possible to be restored.  I know I could just dump the mailbox somewhere
  and delete it within Cyrus, but I would prefer to do this within IMAP.
 
  When logged on as an admin, here is what I get when trying to RENAME a
  top-level mailbox to a special backup mailbox :
 
  * OK mail Cyrus IMAP4 v2.1.13 server ready
  . login admin *
  . OK User logged in
  . rename user.gwb user.backup.gwb
  . NO Operation is not supported on mailbox
 
 
  admin have ACL lrswipcda on both user.gwb and user.backup.  If this is
  of any importance, this is being done in a Murder.
 
  What does the Operation is not supported on mailbox mean ?  Is there
  any other way to achieve the same result ?
 
  Thanks for your insight !
 
  Cyrus 2.1.x does not support renaming user.xxx mailboxes.  I don't know if
  Cyrus 2.2.x does or not.
 
  I've written a pair of perl scripts that we use here when someone asks to
  have their username changed.  One script copies a mailbox to a new
  mailbox.  The other script deletes a mailbox.  I'm willing to share these
  scripts if there is interest.

 I'd be interested to put them into contrib in my rpms, if the license
 permits it.

 Simon

 
  Andy
 


What about sieve script?
If the perl script can move script and compile it, it is useful.

Best Regards
Patrick Tsang



Re: digest-md5 problems with imapd, saslauthd and openldap

2003-11-06 Thread Jon Wilson

Some delving into the tangled mess that is documentation, the mailing
lists, and the Cyrus wiki, has taught me the following:

 * saslauthd can't do digest type authentications. OK, this seems
   to be a genuine design restriction

 * imapd falls back to using sasldb access if digest authentication
   is tried

 * Getting sasl to use an auxprop method that calls an LDAP server is
   possible, but tricky. Various patches exist, but are non trivial
   to install and configure.

Some other things the developers might wish to consider:

 * More debugging output IN THE LOGS when an unconfigured authentication
   mechanism is attempted, rather than falling back to sasldb.

 * Overhauling the docs, to make sure everything in the code is in the
   docs, and everything in the docs is still in the code.

 * Making saslpasswd2 work properly. I get error logs full of
   Nov  6 09:32:54 4.5 fermat saslpasswd2: Couldn't update db
   and
   Nov  6 09:32:15 4.5 fermat imapd[15755]: no user in db

 * Integrating the current LDAP auxprop patches into the core code

My options seem to be:

 * Not bother with digest authentication at all for now

 * Struggle with patches, and get a auxprop method configured that looks
   up plain text passwords from my LDAP server, and uses these in digest
   authentication

 * Write a perl script that takes my LDAP plaintext password data and
   creates sasldb entries as needed. Hack hack hackity-hack.

Advice and opinions welcome.

Jon

On Wed, 5 Nov 2003, Jon Wilson wrote:

 I am having trouble getting Cyrus Imapd to authenticate properly against
 an OpenLDAP database when using digest-md5 authentication.

 I have the following software installed on FreeBSD 4.8 (from the ports
 collection):

   openldap-server-2.1.22
   cyrus-imapd-2.1.15
   cyrus-sasl-2.1.15
   cyrus-sasl-saslauthd-2.1.15 (compiled with LDAP support)

 My imapd.conf file has the following:

sasl_pwcheck_method: saslauthd

 My saslauthd.conf file has:

   ldap_servers: ldap://127.0.0.1/
   ldap_bind_dn: cn=Manager,dc=mydomain,dc=com
   ldap_bind_pw: XX
   ldap_auth_method: custom
   ldap_password_attr: mailPassword
   ldap_filter: mailLocalAddress=%u
   ldap_search_base: dc=mydomain,dc=com

 I start the saslauthd daemon with flags -a ldap.

 A sample LDAP record looks like this:

 dn: cn=Jon Wilson,dc=mydomain,dc=com
 ou: employees
 cn: Jon Wilson
 mail: [EMAIL PROTECTED]
 givenname: Jon
 sn: Wilson
 objectClass: top
 objectClass: inetOrgPerson
 objectClass: inetLocalMailRecipient
 objectClass: mydomainPerson
 mailLocalAddress: itjpw
 mailPassword: test

 Essentially mailLocalAddress and mailPassword are the tokens used
 for any mail authentication. I am using them successfully to allow
 relaying for remote authenticated users on our Exim SMTP server.

 Now, here's where it gets interesting. Firstly, I start both the
 saslauthd and OpenLdap's slapd in debugging mode, so I can see what is
 going on. Then I try the following:

   imtest -a itjpw -m login localhost

 This logs me in successfully with the password 'test'. Using the
 plain login mechanism also works. During these tests I can see the
 saslauthd and openldap happily doing the right thing.

 Now I try:

 [EMAIL PROTECTED] itjpw]$ imtest -s -a itjpw -m digest-md5 localhost
 verify error:num=19:self signed certificate in certificate chain
 TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
 S: * OK mailtest.mydomain.com Cyrus IMAP4 v2.1.15 server ready
 C: C01 CAPABILITY
 S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE 
 UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT 
 THREAD=REFERENCES IDLE AUTH=NTLM AUTH=LOGIN AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5
 S: C01 OK Completed
 C: A01 AUTHENTICATE DIGEST-MD5
 S: + 
 bm9uY2U9IlFSV3c2RUJyN0RDbHF6VUpBQ0wyT05TVjltV2dYVnh4MDF2enUzclZSNWM9IixyZWFsbT0ibWFpbHRlc3QudWsuYXNwZXh0ZWNobm9sb2d5LmNvbSIscW9wPSJhdXRoIixtYXhidWY9NDA5NixjaGFyc2V0PXV0Zi04LGFsZ29yaXRobT1tZDUtc2Vzcw==
 Please enter your password:
 C: 
 dXNlcm5hbWU9Iml0anB3IixyZWFsbT0ibWFpbHRlc3QudWsuYXNwZXh0ZWNobm9sb2d5LmNvbSIsbm9uY2U9IlFSV3c2RUJyN0RDbHF6VUpBQ0wyT05TVjltV2dYVnh4MDF2enUzclZSNWM9Iixjbm9uY2U9Ild3dnJpWUREc1pFK0hHODVWZFEvTlhnZm1pQlh4VmJJamhqdWZGN1BuWUk9IixuYz0wMDAwMDAwMSxxb3A9YXV0aCxtYXhidWY9MTAyNCxkaWdlc3QtdXJpPSJpbWFwL2xvY2FsaG9zdCIscmVzcG9uc2U9N2E1NzA3OWM1MzgxYWU5ZDkxNDExYzE0MzQxZWUzYmI=
 S: A01 NO user not found
 Authentication failed. generic failure
 Security strength factor: 256

 The same thing happens when I try to use cram-md5 as the mechanism.
 During both these tests, the saslauthd and openldap daemons appear to
 be doing nothing at all. Zilch, nothing, nada.

 Questions:

 (1) How can I get saslauthd to correctly process digest-md5 IMAP
 logins?

 (2) Do I need a different format for the mailPassword LDAP entry
 (e.g. something like mailPassword: {MD5}ad23d23d2d2= ). If so,
 what format?

 (3) Is there a better way of doing this? I have to use 
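
Why saslauthd sees no traffic during the DIGEST-MD5 attempt above, as an added example (not code from the thread or from Cyrus SASL): the client sends only an MD5-derived response, so the server must fetch the shared secret itself, which a yes/no password checker cannot supply. The computation follows RFC 2831 (md5-sess, qop=auth); the function names, the `SECRETS` store and the nonce values are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the secret store an auxprop plugin would query
# (user and password taken from the sample LDAP record in the post).
SECRETS = {"itjpw": "test"}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_response(user, realm, password, nonce, cnonce, nc, qop, digest_uri):
    """RFC 2831 response value for algorithm=md5-sess, qop=auth, no authzid."""
    # The password enters only here, hashed together with user and realm.
    secret = hashlib.md5(f"{user}:{realm}:{password}".encode()).digest()
    ha1 = md5_hex(secret + f":{nonce}:{cnonce}".encode())
    ha2 = md5_hex(f"AUTHENTICATE:{digest_uri}".encode())
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())


DIRECTIVE = re.compile(r'([A-Za-z][\w-]*)=(?:"((?:[^"\\]|\\.)*)"|([^,]*))(?:,|$)')


def parse_directives(text: str) -> dict:
    """Parse key="value",key=value lists as carried in the base64 payloads."""
    out = {}
    for m in DIRECTIVE.finditer(text):
        quoted, bare = m.group(2), m.group(3)
        out[m.group(1)] = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else bare
    return out


def client_response(user, password, realm, nonce, cnonce, digest_uri):
    """What the client sends back: every field except the password itself."""
    nc, qop = "00000001", "auth"
    resp = digest_response(user, realm, password, nonce, cnonce, nc, qop, digest_uri)
    return (f'username="{user}",realm="{realm}",nonce="{nonce}",cnonce="{cnonce}",'
            f'nc={nc},qop={qop},digest-uri="{digest_uri}",response={resp}')


def password_check(user: str, password: str) -> bool:
    """saslauthd-style oracle: it can only answer yes/no for a password it is
    handed, which works for LOGIN/PLAIN but has no input under DIGEST-MD5."""
    stored = SECRETS.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def verify_digest(directives: str, nonce: str, realm: str, secret_lookup) -> str:
    """Server side: recompute the response from a secret the server looks up."""
    d = parse_directives(directives)
    if d.get("nonce") != nonce or d.get("realm") != realm or d.get("qop") != "auth":
        return "NO bad request"
    password = secret_lookup(d.get("username", ""))
    if password is None:
        # An empty secret store gives the failure shown in the imtest output.
        return "NO user not found"
    expected = digest_response(d["username"], realm, password, nonce,
                               d.get("cnonce", ""), d.get("nc", ""), "auth",
                               d.get("digest-uri", ""))
    if hmac.compare_digest(expected.encode(), d.get("response", "").encode()):
        return "OK"
    return "NO authentication failure"
```

Passing `SECRETS.get` models an auxprop lookup that can return the stored password; passing `{}.get` models an empty sasldb.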

Re: Large deliver.db file

2003-11-06 Thread Leena Heino
On Tue, 4 Nov 2003, Igor Brezac wrote:

 Is your deliver.db continually growing?

Yes it is. In just a couple of days it has grown from 180M to 195M

-- 
  Leena Heino  University of Tampere / Computer Centre
  ( liinu at uta.fi )  ( http://www.uta.fi/laitokset/tkk )


RE: Cyrus-SASL-WINBIND/KERBEROS

2003-11-06 Thread Tim Branson





Samba services are the only thing that work at the present. I do have saslauthd with PAM. I did create a config file in pam.d It follows:

linux:/etc/pam.d # cat saslauthd
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
auth required /lib/security/pam_deny.so


account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_unix.so


password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so


session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
linux:/etc/pam.d #


-Original Message-
From: Wil Cooley [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, November 05, 2003 8:14 PM
To: Tim Branson
Cc: '[EMAIL PROTECTED]'
Subject: Re: Cyrus-SASL-WINBIND/KERBEROS


On Wed, 2003-11-05 at 08:01, Tim Branson wrote:
 I am trying to do an exchange replacement. I need the clients to be
 able to use their network names and passwords as the email username
 and password. 
...
 I currently have SAMBA automatically authenticating, but SASLAUTH
 isn't working.


Is saslauthd set to use PAM? Does its PAM configuration use
pam_winbind? Do other services than Samba work?

Wil
-- 
Wil Cooley [EMAIL PROTECTED]
Naked Ape Consulting http://nakedape.cc
* * * * Linux, UNIX, Networking and Security Solutions * * * *
* Naked Ape Consulting http://nakedape.cc *





Re: Large deliver.db file

2003-11-06 Thread Leena Heino
On Thu, 6 Nov 2003, Igor Brezac wrote:

 Your expire process is not running properly.  Please see my previous post:
 http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrusmsg=25637

Thanks for the information. I'll try it as soon as possible.

Do you know if this db environment setup problem is fixed in the upcoming
BerkeleyDB version 4.2?

-- 
  Leena Heino  University of Tampere / Computer Centre
  ( liinu at uta.fi )  ( http://www.uta.fi/laitokset/tkk )



Re: Problem with RENAME

2003-11-06 Thread Andrew Morgan


On Thu, 6 Nov 2003, Simon Matter wrote:

  I've written a pair of perl scripts that we use here when someone asks to
  have their username changed.  One script copies a mailbox to a new
  mailbox.  The other script deletes a mailbox.  I'm willing to share these
  scripts if there is interest.

 I'd be interested to put them into contrib in my rpms, if the license
 permits it.

 Simon

I don't mind at all.  These are home grown scripts I wrote, so just
consider them public domain.

Andy



what to do with skiplist seendb ? (fwd)

2003-11-06 Thread Bob Tito
Sorry for the noise.. but the first post appears to have gotten lost...

Bob
 Forwarded Message 
Date: donderdag 6 november 2003 14:44 +0100
From: Bob Tito [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: what to do with skiplist seendb ?
Hi,

I converted the seen db's to skiplist for cyrus-imap 2.1.15.
All went ok, and seems to work just fine ;-)
one question though, do i need to create an event in cyrus.conf for
maintenance on these files ? If so.. what, i seem to have missed it in the
docs ...
best regards, Bob

--
Bob Tito
-- End Forwarded Message --



--
Bob Tito


Re: map of authentication methods for cyrus

2003-11-06 Thread Rob Siemborski
On Thu, 6 Nov 2003, Craig Ringer wrote:

 I'm about as far from an expert on Cyrus as there is, so apologies if
 I'm dead wrong about something. I do think that a document like this
 will be useful in showing people how things fit together, and the
 various different paths through which Cyrus can handle
 authentication/authorization . There are enough of them, after all ;-)

This is much better.  I'd probably put the mechanisms outside of the
libsasl box, since they are (almost always) loaded dynamically.

NTLM can use either Windows NT networking or the auxprop plugins.

GSSAPI/KERBEROS_V4 rely on the Kerberos Domain Controllers (KDC).

You should probably add these links to the wiki.  Directly attaching the
files would be even better.

 Later I'd like to collect and document some common working
 configurations for the wiki, if folks are OK with that. I suspect that

There is already a section for this, so it is definitely encouraged:

http://asg.web.cmu.edu/twiki/bin/view/Cyrus/SampleCyrusConfigurations

 the majority of users, at least Linux/BSD users, will probably want to
 either hook Cyrus up to their existing PAM setup or plug it directly
 into an LDAP directory. (If LDAP can be used for authentication against
 MS Active Directory, that's cool ... otherwise NTLM will probably be
 another common config). A few starting-point configs might be very
 useful here, including an end-to-end explanation of how things fit
 together. I plan to write up my config here
 (cyrus-sasl-saslauthd-pam-ldap) as an example to start things off.

I'd discourage people from using pam if they can at all avoid it.
Certainly going saslauthd-pam-ldap is pretty questionable given that
saslauthd has an internal LDAP module.

-Rob


 Anyway, the updated diagram is at:

 http://www.postnewspapers.com.au/~craig/cyrus_authentication_map.pdf
 http://www.postnewspapers.com.au/~craig/cyrus_authentication_map.sxd

 It's not an explanation of Cyrus's authentication on its own, but
 should be informative in combination with the existing docs. As I
 personally found the hardest part about Cyrus to be figuring out how all
 the various bits of the auth scheme fit together, perhaps this can help
 others with that.

 Craig Ringer




-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper



Re: what to do with skiplist seendb ? (fwd)

2003-11-06 Thread Rob Siemborski
On Thu, 6 Nov 2003, Bob Tito wrote:

 I converted the seen db's to skiplist for cyrus-imap 2.1.15.
 All went ok, and seems to work just fine ;-)

 one question though, do i need to create an event in cyrus.conf for
 maintenance on these files ? If so.. what, i seem to have missed it in the
 docs ...

You don't need anything new in cyrus.conf that you didn't need for flat or
berkeley (a ctl_cyrusdb -r in the START section and a ctl_cyrusdb -c in
the EVENTS section should be standard for *all* cyrus installations).

-Rob


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper



Re: what to do with skiplist seendb ? (fwd)

2003-11-06 Thread Bob Tito


--On donderdag 6 november 2003 12:09 -0500 Rob Siemborski 
[EMAIL PROTECTED] wrote:

On Thu, 6 Nov 2003, Bob Tito wrote:

I converted the seen db's to skiplist for cyrus-imap 2.1.15.
All went ok, and seems to work just fine ;-)
one question though, do i need to create an event in cyrus.conf for
maintenance on these files ? If so.. what, i seem to have missed it in
the docs ...
You don't need anything new in cyrus.conf that you didn't need for flat or
berkeley (a ctl_cyrusdb -r in the START section and a ctl_cyrusdb -c in
the EVENTS section should be standard for *all* cyrus installations).
Thanks Rob, i just wanted to be sure ;-) I could imagine a change in this 
moving from a plain file to a database file, but then again a notice would 
have been in the upgrade docs ...

Best regards, Bob


-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper


--
Bob Tito


Re: sendmail-8.12.6+cyrus-imapd-2.0.17: check presence of the cyrus mailbox during establishing SMTP connection

2003-11-06 Thread Andrzej Filip
Ken Murchison wrote:
Igor Brezac wrote:

On Wed, 5 Nov 2003, Andrzej Filip wrote:


Igor Brezac wrote:

On Wed, 5 Nov 2003, Andrzej Filip wrote:



Igor Brezac wrote:


On Tue, 4 Nov 2003, Andrzej Filip wrote:
[...]

I also thought that virtusertable like solutions [periodic dump 
of cyrus
mailbox data into existing sendmail databases] are the best but 
most people
had wanted real time synchronization.


True, this would be a long way of doing things.  Shell/perl/web/etc
scripts can automate the process of managing cyrus mboxlist and 
sendmail
maps simultaneously thus keeping the two databases in sync real 
time.


IMHO making cyrus daemon servicing also simple tcp based map 
protocol (to be
introduced in sendmail 8.13) is a better way. I bet it :)


In my opinion it is better if it does more than just the mbox
verification.  I'd like to see the quota check as well.


The current protocol specification allows only passing one parameter 
(key)
queries e.g. mailbox name. I am going to try make it capable to pass 
multiple
parameters queries e.g. mailbox name, SIZE= parameter.

It would be nice to allow interaction with sieve rules at RCPT TO: 
stage.
[it seems to be possible from sendmail's perspective]


I am not sure if
the map protocol allows for multiple return codes rather than just
yes/no type answer.  Then there is the performance consideration, I 
would
hope that the map protocol allows for a persistent tcp connection.


* return codes
quote
The status indicator is one of the following upper case words:
OK   the key was found, result contains the looked up value
NOTFOUND the key was not found, the result is empty
TEMP a temporary failure occurred
TIMEOUT  a timeout occurred on the server side
PERM a permanent failure occurred
/quote
* current map protocol uses TCP connections
(one tcp connection per one sendmail process)
I hope UDP (connectionless) transport will be supported too.


PERM/TEMP can be used for 'over quota' situations and it should be
parameter driven (similar to the way lmtpd deals with over quota).


I could probably write this service in a couple hours given its 
simplicity, but I have a few of questions:
All the answers below are from sendmail perspective.

- What would the map name be?  cyrus?  Would it ever change?  Can people 
envision different types of maps that this daemon would have to support?
cyrus seems to be good default name.

Let us start with mailbox presence checking.
Next version may also:
* check if mailbox will accept message of given size based on SIZE= 
parameter of MAIL FROM:
* take into account who successfully authenticated SMTP session
[it can make some folders accessible]
* apply some sieve reject rules based on envelope sender and sending host

I personally think that the best way will be to add a few new lines to 
sendmail.cf for handling the queries result.
Some comments about using socketmap in maps already supported in sendmail.cf:
* virtusertable map will ask too many needless queries
[IMHO first [EMAIL PROTECTED] will be sufficient from cyrus perspective]
* user map will strip domain part from recipient address

- Is the key always the RCPT TO address, including +detail info, or does 
Sendmail strip this before doing the map lookup?
It will be easy to make sendmail.cf deliver whatever you like in this matter

- How do we handle lookups of public mailboxes?  Always return OK?
Return OK they are ready to accept anonymous append

- I assume that the mapping would be a noop, we just spit out the 
input if the user exists and is under quota.
accepted = OK key-as-it-was
   OR   OK %0
rejected = NOTFOUND
P.S.
I hope to make sendmail.org use slightly different protocol in the public 
release e.g.
* making the query packet contain multiple parameters
[ now it is map name and single parameter/key]
* making it accept connection less transport (UDP)

--
Andrzej [plen: Andrew] Adam Filip http://www.polbox.com/a/anfi/
[EMAIL PROTECTED] [EMAIL PROTECTED] [former: [EMAIL PROTECTED]
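
A request handler for the kind of map service discussed in this message, as an added example (not code from the thread, sendmail or Cyrus): it answers with the status words quoted above, returns the key unchanged on success, and treats over-quota as a configurable TEMP/PERM. The netstring framing (`<len>:<mapname> <key>,`) is an assumption taken from the socketmap description shipped with sendmail 8.13; the mailbox table, the key-to-mailbox mapping and all function names are constructed.

```python
MAX_REQUEST = 1024  # refuse oversized requests arriving from the network

# Constructed sample data standing in for the Cyrus mailbox list and quotas.
MAILBOXES = {
    "user.gwb": {"quota_kb": 10240, "used_kb": 2048},
    "user.itjpw": {"quota_kb": 1024, "used_kb": 1024},  # at quota
}
OVER_QUOTA_STATUS = "TEMP"  # parameter-driven, as suggested in the thread


def encode_netstring(payload: bytes) -> bytes:
    return str(len(payload)).encode() + b":" + payload + b","


def decode_netstring(buf: bytes) -> bytes:
    """Return the payload of exactly one netstring or raise ValueError."""
    head, sep, rest = buf.partition(b":")
    if not sep or not head.isdigit() or len(head) > 4:
        raise ValueError("bad length prefix")
    size = int(head)
    if size > MAX_REQUEST:
        raise ValueError("request too large")
    if len(rest) != size + 1 or rest[size:] != b",":
        raise ValueError("length mismatch or missing terminator")
    return rest[:size]


def mailbox_for(key: str) -> str:
    """Map a RCPT TO key to a mailbox name (hypothetical mapping)."""
    local = key.split("@", 1)[0]    # drop the domain part
    local = local.split("+", 1)[0]  # drop +detail
    return "user." + local.lower()


def lookup(mapname: str, key: str, backend=MAILBOXES):
    """Return (status, result) using the status words quoted in the thread."""
    if mapname != "cyrus":
        return "PERM", "unknown map"
    # Keys come from SMTP input: reject empty keys, spaces and control bytes.
    if not key or any(ord(c) < 33 or ord(c) == 127 for c in key):
        return "PERM", "bad key"
    try:
        entry = backend.get(mailbox_for(key))
    except Exception:
        # A backend outage must not turn into a permanent reject.
        return "TEMP", "mailbox list unavailable"
    if entry is None:
        return "NOTFOUND", ""
    if entry["used_kb"] >= entry["quota_kb"]:
        return OVER_QUOTA_STATUS, "over quota"
    return "OK", key  # "OK key-as-it-was"


def handle_request(raw: bytes, backend=MAILBOXES) -> bytes:
    """Decode one request, run the lookup, encode the reply."""
    try:
        payload = decode_netstring(raw).decode("ascii")
        mapname, key = payload.split(" ", 1)
    except ValueError:  # also covers UnicodeDecodeError
        return encode_netstring(b"PERM malformed request")
    status, result = lookup(mapname, key, backend)
    return encode_netstring(f"{status} {result}".rstrip().encode("ascii"))


if __name__ == "__main__":
    for key in ("gwb@example.com", "itjpw+lists@example.com", "nobody@example.com"):
        print(key, "->", handle_request(encode_netstring(f"cyrus {key}".encode())))
```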


Site-wide Sieve script

2003-11-06 Thread Sarwar Ansari
Hello,

I am using spamassassin to tag spam
and would like to file the spam in users
INBOX/Spam folder.

Is it possible to have a site-wide
sieve script which will filter all the
incoming mails, and be called before the
per user sieve scripts.

This would save users the hassle of
explicitly invoking the anti-spam sieve
script, to file spam when they first sign-in.

will appreciate insights  by sys admins already
using spamassassin to filter spam,
and file it in spam folder.

Regards

Sarwar Ansari


Re: sendmail-8.12.6+cyrus-imapd-2.0.17: check presence of the cyrus mailbox during establishing SMTP connection

2003-11-06 Thread Rob Siemborski
On Thu, 6 Nov 2003, Andrzej Filip wrote:

  - What would the map name be?  cyrus?  Would it ever change?  Can people
  envision different types of maps that this daemon would have to support?

 cyrus seems to be good default name.
 Let us start with mailbox presence checking.

I agree.

 Next version may also:
 * check if mailbox will accept message of given size based on SIZE=
 parameter of MAIL FROM:
 * take into account who successfully authenticated SMTP session
 [it can make some folders accessible]
 * apply some sieve reject rules based on envelope sender and sending host

This last one might be very hard, especially if rules are based half off
an envelope bit and half off a header bit.  I wouldn't want to think of
trying to run a sieve interpreter with limited information.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper



Re: Site-wide Sieve script

2003-11-06 Thread Rob Siemborski
On Fri, 7 Nov 2003, Sarwar Ansari wrote:

 I am using spamassassin to tag spam
 and would like to file the spam in users
 INBOX/Spam folder.

 Is it possible to have a site-wide
 sieve script which will filter all the
 incoming mails, and be called before the
 per user sieve scripts.

No.

 This would save users the hassle of
 explicitly invoking the anti-spam sieve
 script, to file spam when they first sign-in.

 will appreciate insights  by sys admins already
 using spamassassin to filter spam,
 and file it in spam folder.

It also might have weird interactions with a user's script.  What if the
user's script executes a discard/reject but yours executes a fileinto?
Certainly what the user expects may not be exactly what happens.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper



Re: Site-wide Sieve script

2003-11-06 Thread Jules Agee
No site-wide sieve scripts.

I set up SpamAssassin so it only adds an X-Spam-Status and spam score 
headers to each message. That way, by default SA is completely 
transparent to the users, no action is taken by default except adding 
that header. I also set up a cgi interface for sieve (similar to the one 
included with SquirrelMail). Then I put up a web page accessible to 
users who want spam control, with instructions for setting up their own 
sieve filters, and a link to the sieve cgi. That way, they can choose 
the spam score that they want to filter on, they can choose whether to 
discard it, or file it into a folder to periodically check for false 
positives (recommended). The users also have the option of using filters 
built into their mail client if they would rather not use sieve.

The biggest advantage to this setup from my point of view is that if 
there are any lost messages the users can't blame us. :-)

So far, it has been a success, despite the fact that spammers have been 
getting better at dodging SpamAssassin lately.  I'm currently using 
Mozilla 1.4's built-in bayes filter to catch the spam that gets past SA.

-Jules Agee

Sarwar Ansari wrote:

Hello,

I am using spamassassin to tag spam
and would like to file the spam in users
INBOX/Spam folder.
Is it possible to have a site-wide
sieve script which will filter all the
incoming mails, and be called before the
per user sieve scripts.
This would save users the hassle of
explicitly invoking the anti-spam sieve
script, to file spam when they first sign-in.
will appreciate insights  by sys admins already
using spamassassin to filter spam,
and file it in spam folder.
Regards

Sarwar Ansari
 



--
Jules Agee
System Administrator
Pacific Coast Feather Co.
[EMAIL PROTECTED]  x284




Re: sendmail-8.12.6+cyrus-imapd-2.0.17: check presence of the cyrus mailbox during establishing SMTP connection

2003-11-06 Thread Andrzej Filip
Rob Siemborski wrote:
On Thu, 6 Nov 2003, Andrzej Filip wrote:

- What would the map name be?  cyrus?  Would it ever change?  Can people
envision different types of maps that this daemon would have to support?
cyrus seems to be good default name.
Let us start with mailbox presence checking.
I agree.

Next version may also:
* check if mailbox will accept message of given size based on SIZE=
parameter of MAIL FROM:
* take into account who successfully authenticated SMTP session
[it can make some folders accessible]
* apply some sieve reject rules based on envelope sender and sending host
 
This last one might be very hard, especially if rules are based half off
an envelope bit and half off a header bit.  I wouldn't want to think of
trying to run a sieve interpreter with limited information.
Would not it be possible to interpret only heading sieve rules which reject 
message based on info available at RCPT TO: point ?
First non reject or need information not available yet sieve rule would 
stop envelope based sieve rules interpretation.
[ Reject what you know for sure you will reject later - ASAP reject ]

It would be nice to allow sieve reject messages before message body is 
received. IMHO it is worth to investigate achievable gain/cost.

--
Andrzej [plen: Andrew] Adam Filip http://www.polbox.com/a/anfi/
[EMAIL PROTECTED] [EMAIL PROTECTED] [former: [EMAIL PROTECTED]


Mailbox

2003-11-06 Thread Norman Zhang
Hi,

I created a mailbox nzhang by

1. cyradm localhost
2. cm user.nzhang
3. quit
4. saslpasswd nzhang

I could add the imap server and see the nzhang\inbox. When I tried sending
mail to nzhang

# mail nzhang
# Subject: Test 1
# Hello
# .
# CC

But I don't see nzhang created under /var/spool/mail. I did set
mail_spool_directory = /var/spool/mail in /etc/postfix/main.cf. Is there
something trivial that I'm missing? Do I need smtpd.conf (I can't find this
file)? Won't postfix take care of mail transfer?

mail_transport = lmtp:$myhostname

Regards,
Norman


Re: map of authentication methods for cyrus

2003-11-06 Thread Craig Ringer
This is much better.  I'd probably put the mechanisms outside of the
libsasl box, since they are (almost always) loaded dynamically.
OK.

NTLM can use either Windows NT networking or the auxprop plugins.
I don't quite get you there. I'll have a deeper look into the NTLM 
support and see if I get a better understanding of it.

GSSAPI/KERBEROS_V4 rely on the Kerberos Domain Controllers (KDC).
Yeah. I left that off because it seemed pretty obvious, but p'haps it's 
best included.

You should probably add these links to the wiki.  Directly attaching the
files would be even better.
Sure. I'll do that, I just wanted to make sure it was going to be 
complete and accurate first.

Later I'd like to collect and document some common working
configurations for the wiki, if folks are OK with that. I suspect that
There is already a section for this, so it is definitely encouraged:

http://asg.web.cmu.edu/twiki/bin/view/Cyrus/SampleCyrusConfigurations
Sure. I'll collect things up and write it up in a bit.

I'd discourage people from using pam if they can at all avoid it.
Certainly going saslauthd-pam-ldap is pretty questionable given that
saslauthd has an internal LDAP module.
I personally like using PAM because it lets me centralise my 
authentication setup to one place, yet it's flexible enough to handle 
different needs for different apps. I like being able to use multiple 
sources of user information (it's handy when transitioning things). As 
it happens, I don't currently use anything but LDAP, but the flexibility 
is nice. As my Cyrus host doesn't have a high mail load, and has a lot 
of other roles as well, it's been useful to be able to just link Cyrus 
into the main LDAP config.

To be honest, I used pam-ldap simply because I already had libpam_ldap 
working happily and it was easy to integrate Cyrus into it. If I spot 
some good documentation on the use of saslauthd's LDAP support I'll try 
it out. I'd be interested in your reasons for avoiding PAM though.

Craig Ringer



Re: digest-md5 problems with imapd, saslauthd and openldap

2003-11-06 Thread Craig Ringer
 * imapd falls back to using sasldb access if digest authentication
   is tried
IMHO that calls for a FAQ entry. I'm trying to use saslauthd, and cyrus 
keeps on complaining that it can't read the SASL db - what's wrong?.

 * Getting sasl to use an auxprop method that calls an LDAP server is
   possible, but tricky. Various patches exist, but are non trivial
   to install and configure.
OK, I may be totally wrong here but I thought LDAP authentication was 
normally done by logging in to the LDAP server with the user's name and 
password. As such, you shouldn't have permission to read the user's 
password off the LDAP server. I guess you could add a user 'cyrus' to 
the LDAP server with permission to read passwords if you wanted to use 
digest authentication types, though.

 * Not bother with digest authentication at all for now
I'd love to use it personally. I have concerns about giving read access 
to passwords to anything, though. Does anybody here have an opinion on 
kerberizing the network so that slapd, cyrus etc just use kerberos?

Craig Ringer



Re: map of authentication methods for cyrus

2003-11-06 Thread Ken Murchison
Craig Ringer wrote:

This is much better.  I'd probably put the mechanisms outside of the
libsasl box, since they are (almost always) loaded dynamically.


OK.

NTLM can use either Windows NT networking or the auxprop plugins.


I don't quite get you there. I'll have a deeper look into the NTLM 
support and see if I get a better understanding of it.
The NTLM plugin can either pull the user's password out of an auxprop 
plugin and generate/verify the challenges/responses itself (like 
CRAM-MD5, DIGEST-MD5), or it can proxy the challenge/responses between 
the client and an actual NT/Win2K/Samba server.

--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp
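
The point made above about shared-secret mechanisms, and the reason DIGEST-MD5 or CRAM-MD5 cannot be served by a password verifier such as saslauthd (the digest-md5 thread on this page), shown with CRAM-MD5 (RFC 2195) as the simplest case. This is an added example, not part of the original posts and not Cyrus SASL code; the user name, passphrase, challenge and function names are constructed.

```python
import base64
import hashlib
import hmac

# Constructed sample data: a store the server can read secrets from, which is
# the role an auxprop plugin (sasldb, or LDAP with read access) plays.
READABLE_SECRETS = {"alice": b"sample-passphrase"}


def client_response(user, password, challenge):
    """Client side: prove knowledge of the password without sending it."""
    digest = hmac.new(password, challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())


def server_verify(challenge, response_b64, read_secret):
    """Server side: recompute the HMAC, which needs the stored secret itself.

    read_secret(user) returns the password bytes, or None when the backend
    can only answer "is this password right?" (a bind-style verifier).
    Returns the authenticated user name, or None on failure.
    """
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode()
    except ValueError:  # covers malformed base64 and malformed UTF-8
        return None
    user, sep, digest = decoded.rpartition(" ")
    if not sep:
        return None
    secret = read_secret(user)
    if secret is None:
        return None  # nothing to compute the expected response from
    expected = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    ok = hmac.compare_digest(expected.encode(), digest.encode())
    return user if ok else None


def bind_only_backend(user):
    """A password verifier never hands the secret back to the mail server."""
    return None


if __name__ == "__main__":
    challenge = b"<1896.697170952@mail.example.org>"  # constructed nonce
    resp = client_response("alice", b"sample-passphrase", challenge)
    print(server_verify(challenge, resp, READABLE_SECRETS.get))  # auxprop-style
    print(server_verify(challenge, resp, bind_only_backend))     # verifier-only
```

The same response verified against a different challenge fails, which is what makes the exchange resistant to replay; the cost is that the server side must hold a recoverable secret.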


Re: sendmail-8.12.6+cyrus-imapd-2.0.17: check presence of the cyrus mailbox during establishing SMTP connection

2003-11-06 Thread Igor Brezac
On Fri, 7 Nov 2003, Andrzej Filip wrote:

 Rob Siemborski wrote:
  On Thu, 6 Nov 2003, Andrzej Filip wrote:
 
 - What would the map name be?  cyrus?  Would it ever change?  Can people
 envision different types of maps that this daemon would have to support?
 
 cyrus seems to be good default name.
 Let us start with mailbox presence checking.
 
  I agree.
 
 Next version may also:
 * check if mailbox will accept message of given size based on SIZE=
 parameter of MAIL FROM:
 * take into account who successfully authenticated SMTP session
 [it can make some folders accessible]
 * apply some sieve reject rules based on envelope sender and sending host
 
  This last one might be very hard, especially if rules are based half off
  an envelope bit and half off a header bit.  I wouldn't want to think of
  trying to run a sieve interpreter with limited information.

 Would not it be possible to interpret only heading sieve rules which reject
 message based on info available at RCPT TO: point ?
 First non reject or need information not available yet sieve rule would
 stop envelope based sieve rules interpretation.
 [ Reject what you know for sure you will reject later - ASAP reject ]

 It would be nice to allow sieve reject messages before message body is
 received. IMHO it is worth to investigate achievable gain/cost.


This would be nice, but as much as sendmail 'abuses' these maps I wonder
if busier sites would be able to use such maps.

-- 
Igor
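
The early-reject proposal discussed in this thread (evaluate only the leading reject rules that can be decided at RCPT TO, and stop at the first rule that is not a reject or needs information not yet available), as an added example that is not part of the original posts. It is not Cyrus or sendmail code; the dict-based rule model is a simplification rather than the Sieve grammar, and all names, addresses and hosts are constructed.

```python
# Constructed rules in script order. "needs" names the facts a test reads;
# this dict model is a simplification, not the Sieve grammar.
RULES = [
    {"needs": {"envelope_from"}, "action": "reject", "reason": "sender refused",
     "test": lambda m: m["envelope_from"].endswith("@bulk.example")},
    {"needs": {"client_host"}, "action": "reject", "reason": "host refused",
     "test": lambda m: m["client_host"] == "relay.bulk.example"},
    {"needs": {"header_subject"}, "action": "fileinto", "reason": None,
     "test": lambda m: "invoice" in m["header_subject"]},
    # Envelope-only, but it follows a header rule that might file the message
    # and stop, so it cannot be decided before DATA.
    {"needs": {"envelope_from"}, "action": "reject", "reason": "late rule",
     "test": lambda m: m["envelope_from"] == "news@lists.example"},
]


def early_reject(rules, known):
    """Return a reject reason decidable at RCPT TO, else None.

    known holds only what the MTA has at RCPT TO (envelope sender, recipient,
    connecting host). Evaluation covers the leading run of reject rules whose
    tests read nothing else, and stops at the first rule that is not a reject
    or that needs headers or body, leaving the rest to the full run.
    """
    for rule in rules:
        if rule["action"] != "reject" or not rule["needs"].issubset(known):
            return None
        if rule["test"](known):
            return rule["reason"]
    return None


def rcpt(envelope_from, client_host, envelope_to="user@example.org"):
    """Build the fact set available at RCPT TO (constructed sample values)."""
    return {"envelope_from": envelope_from, "client_host": client_host,
            "envelope_to": envelope_to}


if __name__ == "__main__":
    print(early_reject(RULES, rcpt("a@bulk.example", "mx.example.net")))
    print(early_reject(RULES, rcpt("news@lists.example", "mx.example.net")))
```

The second call returns None even though the fourth rule would match: an earlier header-dependent rule could still change the outcome, so the decision is left to the full run after DATA.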


Re: Mailbox

2003-11-06 Thread Pascal Gienger
Norman Zhang [EMAIL PROTECTED] wrote:

Hi,

I created a mailbox nzhang by

1. cyradm localhost
2. cm user.nzhang
3. quit
4. saslpasswd nzhang
Err it should be saslpasswd2 - otherwise you are using a SASLv1 linked 
imap server, e.g. Cyrus 1.6.x...

But I don't see nzhang created under /var/spool/mail. I did set
mail_spool_directory = /var/spool/mail in /etc/postfix/main.cf. Is there
something trivial that I'm missing? Do I need smtpd.conf (I can't find
this file)? Won't postfix take care of mail transfer?
mail_transport = lmtp:$myhostname
No...
Use
fallback_transport = lmtp:unix:/path/to/your/lmtp/socket/lmtp

if you want to get mail delivered in your cyrus imap spool and local unix 
users will still have their /var/spool/mail-Files.

The Cyrus mail system does NOT use normal mailfiles, it has its own spool.

Pascal