Re: cyrus+openldap+smtp server

2004-11-15 Thread Hamish
sam wun wrote:
 Hi
 I need to implement a mail system using cyrus+openldap+postfix/exim.
 Can anyone please point me to the right direction or is there any 
 howto for that?

 Thanks
 Sam
 ---
 Cyrus Home Page: http://asg.web.cmu.edu/cyrus
 Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
 List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Hi Sam
I am working on doing the same, and hopefully making a howto. Could you 
please post all your findings in this thread? I will do the same
Thanks,
H


saslauthd performance

2004-11-15 Thread Axel Grupe
Hi,
I got performance problems with saslauth daemon. I'm using debian with 
cyrus 2.1.16 and saslauthd 2.1.19 for authentication.
The saslauthd is configured to use pam, which itself uses mysql for 
password-verification.

I test the system with 50 perl-scripts in the background from another 
machine, which make continuous pop3-connections to my server.

So, the problem is, if I just take one user for the 
perl-authentication-test, cyrus or better the saslauthd can handle up 
to 7000 queries per minute.
But if there isn't only one user but rather 45.000 users, which will be 
connected through the perl-scripts, the performance goes down to ~1000 
queries per minute.
I don't think this is caused by pam or mysql, because if saslauthd uses 
ldap directly (just a little test of mine) saslauthd just handles the 
same (~1000) queries per minute.

Another test: if I use auxprop in cyrus with mysql, it goes at least 
down to 150 queries per minute.

I fixed some params of saslauthd like -c, -n (0), -t  ... but it didn't 
get fast!!!

So has anyone an idea?


Re: pop3[6358]: error sending to idled: 2

2004-11-15 Thread Carsten Hoeger
On Sat, Nov 13, Johan Barelds wrote:

 After i upgraded Cyrus-imap 2.2.8-6 i got the following message in my message 
 log:
 
 --
 Nov 13 21:52:56 beast pop3[8196]: error sending to idled: 2
 --
 
 It happens after someone pops his email via cyrus pop3.
 Anyone a clue what this could be?

Your cyrus-imapd 2.2.8 has support for idled.
Simply enable it in /etc/cyrus.conf

-- 
With best regards,

Carsten Hoeger




Re: saslauthd performance

2004-11-15 Thread Patrick Ben Koetter
* Axel Grupe [EMAIL PROTECTED] [041115 12:32]:
 Hi,
 
 I got performance problems with saslauth daemon. I'm using debian with 
 cyrus 2.1.16 and saslauthd 2.1.19 for authentication.
 The saslauthd is configured to use pam, which itself uses mysql for  
 password-verification.

try auxprop: sql

[EMAIL PROTECTED]



 
 I test the system with 50 perl-scripts in the background from another 
 machine, which make continuous pop3-connections to my server.
 
 So, the problem is, if I just take one user for the 
 perl-authentication-test, cyrus or better the saslauthd can handle up 
 to 7000 queries per minute.
 But if there isn't only one user but rather 45.000 users, which will be 
 connected through the perl-scripts, the performance goes down to ~1000 
 queries per minute.
 I don't think this is caused by pam or mysql, because if saslauthd uses 
 ldap directly (just a little test of mine) saslauthd just handles the 
 same (~1000) queries per minute.
 
 Another test: if I use auxprop in cyrus with mysql, it goes at least 
 down to 150 queries per minute.
 
 I fixed some params of saslauthd like -c, -n (0), -t  ... but it didn't 
 get fast!!!
 
 So has anyone an idea?

-- 
Patrick Koetter            Tel: 089 45227227
Echinger Strasse 3         Fax: 089 45227226
85386 Eching-Dietersheim   Mail: [EMAIL PROTECTED]


How to get more detailed infos?

2004-11-15 Thread Torsten E.
Hi there,

as I still can't forward any emails directly to folders (subfolders & 
shared-folders) I'd like to know if there's a chance to get more
details about the email receiving process.
Is there an option somewhere (eg. in /etc/cyrus.conf) to enable
enhanced logging, or something like that?

Thanks in advance!
Torsten




Re: cyrus+openldap+smtp server

2004-11-15 Thread Base David

Check this out:

http://www.ibiblio.org/oswg/oswg-nightly/oswg/en_US.ISO_8859-1/articles/exchange-replacement-howto/exchange-replacement-howto.html

It's probably not your exact solution, but it's a good place to start.

Dave

Hamish wrote:

 sam wun wrote:

  Hi
 
  I need to implement a mail system using cyrus+openldap+postfix/exim.
  Can anyone please point me to the right direction or is there any
  howto for that?
 
  Thanks
  Sam
 
 
 Hi Sam
 I am working on doing the same, and hopefully making a howto. Could you
 please post all your findings in this thread? I will do the same
 Thanks,
 H


Re: saslauthd performance

2004-11-15 Thread Igor Brezac
On Mon, 15 Nov 2004, Axel Grupe wrote:

 Hi,
 I got performance problems with saslauth daemon. I'm using debian with cyrus 
 2.1.16 and saslauthd 2.1.19 for authentication.
 The saslauthd is configured to use pam, which itself uses mysql for 
 password-verification.

 I test the system with 50 perl-scripts in the background from another machine, 
 which make continuous pop3-connections to my server.

 So, the problem is, if I just take one user for the 
 perl-authentication-test, cyrus or better the saslauthd can handle up to 
 7000 queries per minute.
 But if there isn't only one user but rather 45.000 users, which will be 
 connected through the perl-scripts, the performance goes down to ~1000 
 queries per minute.
 I don't think this is caused by pam or mysql, because if saslauthd uses ldap 
 directly (just a little test of mine) saslauthd just handles the same (~1000) 
 queries per minute.

If you want to test the speed of saslauthd alone, do not use pop3 to test 
the authentication.  It seems to me you are bound by the speed of 
cyrus-imapd rather than saslauthd.  saslauthd/ldap can do way more than 
1000 auths per minute.

 Another test: if I use auxprop in cyrus with mysql, it goes at least down to 
 150 queries per minute.

 I fixed some params of saslauthd like -c, -n (0), -t  ... but it didn't get 
 fast!!!

-n 0 will make it slower...
--
Igor


Re: cyrus+openldap+smtp server

2004-11-15 Thread Hamish
My finds so far:
http://jamm.sourceforge.net/
A very cool java admin tool for postfix+cyrus+ldap
http://jamm.sourceforge.net/howto/html/
How to set it all up
Thoughts?


Re: Problem with creating user without domain part (cyrus-sasl2-2.1.19)

2004-11-15 Thread Sergey
On Saturday 13 November 2004 16:10, Sascha Wuestemann wrote:

 Think it over, Sergey, how should sasl distinguish between
 [EMAIL PROTECTED] and [EMAIL PROTECTED] if you have user.name,
 too? Does it belong to domain.one, domain.two, all or none?

By no means. It is needed for the global cyrus administrator only. And it 
can't have a mailbox. :-)

-- 
Regards,
Sergey


Bynari Insight Connector and Cyrus?

2004-11-15 Thread Jim Archer
Hi All...
I was just faced with a demand from a new CIO to make Outlook and its 
calendaring work and I really don't want to migrate to an Exchange server. 
I like Cyrus!

A little digging revealed the Bynari Insight Connector, which is supposed 
to install in to any version of Outlook and make it use an IMAP server with 
ACL support on the folders as an Exchange server.

I did a little quick searching here and found this product mentioned a few 
times, but could someone who has used it please let me know if it works 
well with Cyrus?  I would be very interested to know what, if any, problems 
you had and if it actually works.

Thanks very much...
Jim


Re: Bynari Insight Connector and Cyrus?

2004-11-15 Thread Jules Agee
If I remember correctly, the Bynari IMAP server was a preconfigured and 
re-branded Cyrus. So I think the Insight Connector was designed to work 
with Cyrus from the ground up. I haven't used it myself.

-Jules

Jim Archer wrote:

 Hi All...
 I was just faced with a demand from a new CIO to make Outlook and its 
 calendaring work and I really don't want to migrate to an Exchange 
 server. I like Cyrus!

 A little digging revealed the Bynari Insight Connector, which is 
 supposed to install in to any version of Outlook and make it use an IMAP 
 server with ACL support on the folders as an Exchange server.

 I did a little quick searching here and found this product mentioned a 
 few times, but could someone who has used it please let me know if it 
 works well with Cyrus?  I would be very interested to know what, if any, 
 problems you had and if it actually works.

 Thanks very much...
 Jim

--
Jules Agee
System Administrator
Pacific Coast Feather Co.
[EMAIL PROTECTED]  x284


Re: Bynari Insight Connector and Cyrus?

2004-11-15 Thread Dan Delaney
Jim Archer wrote:

 I was just faced with a demand from a new CIO to make Outlook and its 
 calendaring work and I really don't want to migrate to an Exchange 
 server. I like Cyrus!
 A little digging revealed the Bynari Insight Connector, which is 
 supposed to install in to any version of Outlook and make it use an IMAP 
 server with ACL support on the folders as an Exchange server.

I don't think this would allow you to use Outlook's calendaring 
because Cyrus doesn't have any way to save any calendaring 
information. You need to get a groupware product that can save the 
calendaring info. I would tell your boss that in order to get 
Outlook's calendaring to work, you either have to spend a buttload 
of money on MS Exchange (plus licensing every year) and go through 
the hassle of switching everything over, or a fraction of that price 
on SuSE Open Exchange Server, which would allow you to keep all your 
email in Cyrus (Open Exchange uses Cyrus).

--Dan


pam_pwdfile

2004-11-15 Thread Jack
Hi,
Does anyone know how to configure cyrus with pam_pwdfile?
I have already configured pam_pwdfile with the following steps:
- sasl must be configured with `--with-pam --with-saslauthd
  --enable-plain' and I disable the rest (checkapop, digest, otp, krb4,
  etc.)
- imapd should be configured with `--with-auth=unix'
- in imapd.conf you need the line
   sasl_pwcheck_method: saslauthd
- start up saslauthd with `saslauthd -a pam'

But I'm not sure how to define imapd.conf and cyrus.conf for the use of 
pam_pwdfile.

Does anyone have any example for it?
Thanks
Sam


is TLS/SSL selection/connection ONLY via port 993?

2004-11-15 Thread OpenMacNews
hi all,
on a MacOSX 10.3.6 sys with:
   cyrus-imap 2.2.8
   cyrus-sasl 2.1.20
i've a canonical server:
  testserver.internal.testdomain.com
and a virtual domain:
  mail2.internal.testdomain.com
i'm currently auth'ing PLAINTEXT via auxprop+sql (MySQL 4.1.7)
i've setup cyrus.conf to LISTEN *only* on the imaps svc (port 993)
   ...
   SERVICES {
   #   imap  cmd="imapd" listen="imap" prefork=0
       imaps  cmd="imapd -s" listen="imaps" prefork=0
   ...
and, imapd.conf to include:
   ...
   sasl_mech_list: PLAIN LOGIN
   sasl_password_format: crypt
   sasl_minimum_layer: 0
   sasl_maximum_layer: 1024
   ...
   tls_cipher_list: TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
   tls_require_cert: 0
   tls_session_timeout: 60
   ...
using my imap client (mulberry), i can successfully login to an account, 
'testuser' in the virtual domain, with server == 
mail2.internal.testdomain.com:993 and security == SSLv3.

however, if i instead login with server == mail2.internal.testdomain.com:993 
and security == STARTTLS-TLSv1, no connection occurs, and the attempt times out 
after the tls_session_timeout (60 seconds).

if i then drop back to listen ONLY on imap service, i.e. cyrus.conf:
   ...
   SERVICES {
       imap  cmd="imapd" listen="imap" prefork=0
   #   imaps  cmd="imapd -s" listen="imaps" prefork=0
   ...
i can successfully make connections to port server:143 with security == NO 
SECURITY !!or!! security == STARTTLS-TLSv1 !!or!! security == SSLv3.  i.e., TLS 
negotiated sessions are occurring over port 143 -- the 'wrong' port.

bottom line:
   client to server:143, security = NO SECURITY           -- OK (right)
   client to server:143, security = SSLv3, STARTTLS-TLSv1 -- OK (wrong)
   client to server:993, security = NO SECURITY           -- NO CONNECTION (right)
   client to server:993, security = SSLv3                 -- OK (right)
   client to server:993, security = STARTTLS-TLSv1        -- NO CONNECTION (wrong)

#
## QUESTION
   i don't think this is right, is it?  aren't TLS & SSL sessions ONLY 
supposed to connect to port 993, and sessions with no-security ONLY to port 143?

or, have i misunderstood how this is supposed to operate?
threads here:
http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&msg=19483
http://www.mail-archive.com/info-cyrus@lists.andrew.cmu.edu/msg02411.html
have me suspecting this may be the client ...
thanks,
richard


Sieve problem

2004-11-15 Thread Fatemeh Taj

Hi All,
I have problem with running sieve scripts. I use Cyrus 2.0.16, cyrus.conf
is normal.conf. imapd.conf contains:

configdirectory: /var/imap
partition-default: /var/spool/imap
sieveusehomedir: false
sievedir: /usr/sieve
admins: adm
sasl_pwcheck_method: PAM
sendmail: /usr/sbin/sendmail
lmtpsocket: /var/imap/socket/lmtp

fatemeh.script is in /usr/sieve/f/fatemeh_m/ using sieveshell command and
contains:

require ["reject","fileinto"];

  if address :is :all "From" "[EMAIL PROTECTED]"
  {
    reject "testing";
  }


Output of sieve test program seems to be OK :

/usr/local/src/cyrus-imapd-2.0.16/sieve/test \
/var/spool/imap/user/fatemeh_m/13857. \
/usr/sieve/f/fatemeh_m/fatemeh.script

rejecting message '/var/spool/imap/user/fatemeh_m/13857.' with 'testing'
notify msg = 'You have new mail

To: [EMAIL PROTECTED]
From: Fatemeh Taj [EMAIL PROTECTED]
Subject: SIEVE

Action(s) taken:
Rejected with: testing
' with priority = medium

But no action is taken. What could be my problem? Any help is appreciated.

Also I have another problem when get emails via webmail (squirrelmail).

1) Sometimes after retrieving emails cyrus can not recognize my folders
and just Trash, Drafts and Sent folder are available and the cyrus.sub
file in /var/imap/user/f has disappeared; then I have to create that file
by hand, remove cyrus.seen and then reconstruct the mailbox.

2) In other cases Trash folders disappear and I have to re-create
the Trash folder.

It happens for many of my clients. What can I do to solve the problem?



Regards
Fatemeh Taj








pam+cyrus failed to authenticate

2004-11-15 Thread sam wun
Hi,
I got cyrus-imap2.2 and cyrus-sasl2.1.20 with saslauthd2 compiled in 
FreeBSD 5.3.
I can successfully login with the following cyradm command:
# cyradm -u cyrus --server gateway.mydom.com --auth plain
Password:
IMAP Password:
 gateway.mydom.com
The log corresponding to the above cyradm command is:

Nov 16 06:06:43 gateway imap[73636]: badlogin: gateway.mydom.com [192.168.4.88] PLAIN [SASL(-16): encryption needed to use mechanism: security flags do not match required]
Nov 16 06:06:46 gateway perl: No worthy mechs found
Nov 16 06:06:50 gateway imap[73636]: login: gateway.mydom.com [192.168.4.88] cyrus plaintext User logged in

I can see there is some problem here even though cyradm logged in 
successfully, but the second log message indicated that cyrus is logged in.
Then, I also added [EMAIL PROTECTED] user account using the cyradm admin shell.

I further test the cyrus server by adding [EMAIL PROTECTED] to the 
imap.password file:
pwadd -a [EMAIL PROTECTED]
# cat imap.passwd
[EMAIL PROTECTED]:$1$OxTrXXu7$SPv0UCpp4BuyFGy6uQkBn1
cyrus:$1$EUHsnXCc$qpuk26X8VPQnIifMbnap6.
[EMAIL PROTECTED]:$1$3gb6Wviv$0zrfF91CdEd3IlI7c62QQ1

But imtest failed with the following message:
Nov 16 06:05:16 gateway saslauthd[73020]: user not found in password database
Nov 16 06:05:16 gateway imap[73621]: badlogin: gateway.mydom.com [192.168.4.88] plaintext [EMAIL PROTECTED] SASL(-13): authentication failure: checkpass failed

I searched google, but found not much useful information.
Can anyone tell me how to fix this problem?
Thanks
Sam



pam+cyrus failed to authenticate

2004-11-15 Thread sam wun
Hi,
I got cyrus-imap2.2 and cyrus-sasl2.1.20 with saslauthd2 compiled in 
FreeBSD 5.3.
I can successfully login with the following cyradm command:
# cyradm -u cyrus --server gateway.mydom.com --auth plain
Password:
IMAP Password:
gateway.mydom.com
The log corresponding to the above cyradm command is:

Nov 16 06:06:43 gateway imap[73636]: badlogin: gateway.mydom.com [192.168.4.88] PLAIN [SASL(-16): encryption needed to use mechanism: security flags do not match required]
Nov 16 06:06:46 gateway perl: No worthy mechs found
Nov 16 06:06:50 gateway imap[73636]: login: gateway.mydom.com [192.168.4.88] cyrus plaintext User logged in

I can see there is some problem here even though cyradm logged in 
successfully, but the second log message indicated that cyrus is logged in.
Then, I also added [EMAIL PROTECTED] user account using the cyradm admin shell.

I further test the cyrus server by adding [EMAIL PROTECTED] to the 
imap.password file:
pwadd -a [EMAIL PROTECTED]
# cat imap.passwd
[EMAIL PROTECTED]:$1$OxTrXXu7$SPv0UCpp4BuyFGy6uQkBn1
cyrus:$1$EUHsnXCc$qpuk26X8VPQnIifMbnap6.
[EMAIL PROTECTED]:$1$3gb6Wviv$0zrfF91CdEd3IlI7c62QQ1

But imtest failed with the following message:
Nov 16 06:05:16 gateway saslauthd[73020]: user not found in password database
Nov 16 06:05:16 gateway imap[73621]: badlogin: gateway.mydom.com [192.168.4.88] plaintext [EMAIL PROTECTED] SASL(-13): authentication failure: checkpass failed

I searched google, but found not much useful information.
Can anyone tell me how to fix this problem?
I have saslauthd started with -a pam.
imapd.conf is defined with the option:
sasl_pwcheck_method: saslauthd
Thanks
Sam




Re: pam_pwdfile

2004-11-15 Thread Simon Matter
 Hi,

 Does anyone know how to configure cyrus with pam_pwdfile?
 I have already configured pam_pwdfile with the following steps:

 - sasl must be configured with `--with-pam --with-saslauthd
   --enable-plain' and I disable the rest (checkapop, digest, otp, krb4,
   etc.)
 - imapd should be configured with `--with-auth=unix'
 - in imapd.conf you need the line
   sasl_pwcheck_method: saslauthd
 - start up saslauthd with `saslauthd -a pam'

 But I'm not sure how to define imapd.conf and cyrus.conf for the use of
 pam_pwdfile.

 Does anyone have any example for it?

I don't know what pam_pwdfile is but I expect it to work like every other
PAM method. In that case, it should be quite easy. No special settings are
required for cyrus.conf, just select one of the examples, normal.conf or
prefork. For imapd.conf, the following auth options should do it:

sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN

Of course you have to configure the different PAM services which Cyrus
IMAP uses, like lmtp, imap, pop, sieve.

Regards,
Simon


 Thanks
 Sam






Re: pam_pwdfile

2004-11-15 Thread sam wun
Simon Matter wrote:

  Hi,
  Does anyone know how to configure cyrus with pam_pwdfile?
  I have already configured pam_pwdfile with the following steps:
  - sasl must be configured with `--with-pam --with-saslauthd
    --enable-plain' and I disable the rest (checkapop, digest, otp, krb4,
    etc.)
  - imapd should be configured with `--with-auth=unix'
  - in imapd.conf you need the line
     sasl_pwcheck_method: saslauthd
  - start up saslauthd with `saslauthd -a pam'
  But I'm not sure how to define imapd.conf and cyrus.conf for the use of
  pam_pwdfile.
  Does anyone have any example for it?

 I don't know what pam_pwdfile is but I expect it to work like every other
 PAM method. In that case, it should be quite easy. No special settings are
 required for cyrus.conf, just select one of the examples, normal.conf or
 prefork. For imapd.conf, the following auth options should do it:
 sasl_pwcheck_method: saslauthd
 sasl_mech_list: PLAIN
 Of course you have to configure the different PAM services which Cyrus
 IMAP uses, like lmtp, imap, pop, sieve.

Hi, thanks for your email.
I have configured Cyrus to use pam:
# cat /etc/pam.d/imap
auth    required /usr/local/lib/pam_pwdfile.so pwdfile /usr/local/etc/imap.passwd
account required /usr/lib/pam_permit.so

Permission on imap.passwd is:
# ls -l imap.passwd
-rw-r--r--  1 cyrus  cyrus  147 Nov 16 05:56 imap.passwd
Thanks
Sam

 Regards,
 Simon

  Thanks
  Sam

--
Senior Security Architect/Consultant
AuthTec Gateway Limited
Mobile: +852 9839 2464  
Email: [EMAIL PROTECTED]
Website: http://www.authtec.com


Re: is TLS/SSL selection/connection ONLY via port 993?

2004-11-15 Thread Henrique de Moraes Holschuh
On Mon, 15 Nov 2004, OpenMacNews wrote:
 SERVICES {
 #   imap  cmd="imapd" listen="imap" prefork=0
     imaps  cmd="imapd -s" listen="imaps" prefork=0

That's not what you want.  Enable both services, and configure
sasl_minimum_layer to 128 (or is that 64? I forgot. See the SASL docs for
the correct value).

imapd -s is for IMAP connections that are externally wrapped by SSL (bad).
imapd is for non-encrypted IMAP connections, and IMAP connections that use
TLS (good).  sasl_minimum_layer tells Cyrus what you require of the
connection.

 however, if i instead login with server == 
 mail2.internal.testdomain.com:993 and security == STARTTLS-TLSv1, no 
 connection occurs, and the attempt times out after the tls_session_timeout 
 (60 seconds).

Because you effectively connected without SSL to a SSL port. TLS starts with
plaintext, and goes to encryption early (before any sensitive information is
exchanged, but *after* important stuff that could be useful to select
encryption/authentication keys like the server name is exchanged).

BTW add this to imapd.conf:
tls_cipher_list: ALL:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH

That will disable all weak ciphers, and leave you with medium grade and high
grade ciphers.  Try openssl ciphers -v 'what you have in tls_cipher_list'
to see what you get.  If you can get away with it, remove SSLv2 (add !SSLv2
after ALL:) too.  man ciphers (openssl ciphers) to see how this works.

And try to have both sides of the connection authenticated (require client
certificates with a certification path known to the server).

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh
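
The points made in the reply above (a listener started with `imapd -s` only speaks SSL-wrapped IMAP, `sasl_minimum_layer` states what the connection must provide, the suggested cipher exclusions, and client certificates) can be checked mechanically. The following Python check is an added example, not part of the original thread or of Cyrus; the sample configurations are constructed from the snippets posted in the question, the finding names are hypothetical, and the value 128 is the one the reply tentatively gives.

```python
import re
import shlex

# Exclusions taken from the tls_cipher_list suggested in the reply above.
REQUIRED_EXCLUSIONS = ("!ADH", "!NULL", "!EXPORT", "!DES", "!LOW")
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
# key=value pairs; a value may be quoted (cmd="imapd -s") or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(.*?))(?=\s+\w+=|\s*$)')

def parse_services(cyrus_conf):
    """Return {name: {key: value}} for the active lines of SERVICES { }."""
    services, in_block = {}, False
    for raw in cyrus_conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("SERVICES"):
            in_block = True
        elif line.startswith("}"):
            in_block = False
        elif in_block and len(line.split(None, 1)) == 2:
            name, rest = line.split(None, 1)
            services[name] = {
                m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                for m in _KV.finditer(rest)}
    return services

def parse_imapd_conf(imapd_conf):
    """Return {option: value} from 'option: value' lines."""
    opts = {}
    for raw in imapd_conf.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            opts[key.strip()] = value.strip()
    return opts

def audit(cyrus_conf, imapd_conf):
    """Return finding names (hypothetical labels) in a fixed order."""
    findings = []
    argvs = [shlex.split(s.get("cmd", ""))
             for s in parse_services(cyrus_conf).values()]
    imapd = [a for a in argvs if a and a[0].endswith("imapd")]
    wrapped = [a for a in imapd if "-s" in a[1:]]         # SSL-wrapped port
    starttls_capable = [a for a in imapd if "-s" not in a[1:]]
    if wrapped and not starttls_capable:
        findings.append("no-starttls-listener")
    opts = parse_imapd_conf(imapd_conf)
    mechs = set(opts.get("sasl_mech_list", "").upper().split())
    if int(opts.get("sasl_minimum_layer", "0")) == 0 and mechs & PLAINTEXT_MECHS:
        findings.append("plaintext-mech-with-minimum-layer-0")
    if "tls_cipher_list" in opts:
        tokens = opts["tls_cipher_list"].split(":")
        findings += ["cipher-list-missing:" + e
                     for e in REQUIRED_EXCLUSIONS if e not in tokens]
    if opts.get("tls_require_cert", "0") == "0":
        findings.append("client-cert-not-required")
    return findings

# Constructed from the snippets posted in the question (ellipses dropped).
POSTED_CYRUS_CONF = """
SERVICES {
#   imap  cmd=imapd listen=imap prefork=0
    imaps  cmd=imapd -s listen=imaps prefork=0
}
"""
POSTED_IMAPD_CONF = """
sasl_mech_list: PLAIN LOGIN
sasl_minimum_layer: 0
tls_cipher_list: TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
tls_require_cert: 0
"""
# Constructed "after" configuration following the reply's advice.
ADVISED_CYRUS_CONF = """
SERVICES {
    imap   cmd="imapd" listen="imap" prefork=0
    imaps  cmd="imapd -s" listen="imaps" prefork=0
}
"""
ADVISED_IMAPD_CONF = """
sasl_mech_list: PLAIN LOGIN
sasl_minimum_layer: 128
tls_cipher_list: ALL:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
tls_require_cert: 1
"""

if __name__ == "__main__":
    print("posted :", audit(POSTED_CYRUS_CONF, POSTED_IMAPD_CONF))
    print("advised:", audit(ADVISED_CYRUS_CONF, ADVISED_IMAPD_CONF))
```
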


Re: pam+cyrus failed to authenticate

2004-11-15 Thread Simon Matter
 Hi,

 I got cyrus-imap2.2 and cyrus-sasl2.1.20 with saslauthd2 compiled in
 FreeBSD 5.3.
 I can successfully login with the following cyradm command:
 # cyradm -u cyrus --server gateway.mydom.com --auth plain
 Password:
 IMAP Password:
 gateway.mydom.com
 The log corresponding to the above cyradm command is:

 Nov 16 06:06:43 gateway imap[73636]: badlogin: gateway.mydom.com
 [192.168.4.88] PLAIN [SASL(-16): encryption needed to use mechanism:
 security flags do not match required]
 Nov 16 06:06:46 gateway perl: No worthy mechs found
 Nov 16 06:06:50 gateway imap[73636]: login: gateway.mydom.com
 [192.168.4.88] cyrus plaintext User logged in

 I can see there is some problem here even though cyradm logged in
 successfully, but the second log message indicated that cyrus is logged
 in.
 Then, I also added [EMAIL PROTECTED] user account using the cyradm admin
 shell.

 I further test the cyrus server by adding [EMAIL PROTECTED] to the
 imap.password file:
 pwadd -a [EMAIL PROTECTED]

I'm not sure this will work. IIRC with pam you have to use 'saslauthd
-r' to make it not remove everything behind @.

Simon

 # cat imap.passwd
 [EMAIL PROTECTED]:$1$OxTrXXu7$SPv0UCpp4BuyFGy6uQkBn1
 cyrus:$1$EUHsnXCc$qpuk26X8VPQnIifMbnap6.
 [EMAIL PROTECTED]:$1$3gb6Wviv$0zrfF91CdEd3IlI7c62QQ1

 But imtest failed with the following message:

 Nov 16 06:05:16 gateway saslauthd[73020]: user not found in password
 database
 Nov 16 06:05:16 gateway imap[73621]: badlogin: gateway.mydom.com
 [192.168.4.88] plaintext [EMAIL PROTECTED] SASL(-13): authentication
 failure: checkpass failed

 I searched google, but found not much useful information.
 Can anyone tell me how to fix this problem?

 I have saslauthd started with -a pam.
 imapd.conf is defined with the option:
 sasl_pwcheck_method: saslauthd

 Thanks
 Sam
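
Two details from the pam_pwdfile threads can be checked together: the `-rw-r--r--` mode on `imap.passwd` with its `$1$` entries, and the point in the reply above that saslauthd needs `-r` to keep the part behind `@`. The following Python is an added example, not code from the thread or from saslauthd or pam_pwdfile; the logins and hash strings are constructed placeholders, and `lookup_key` models the behaviour as the reply describes it.

```python
import os
import stat
import tempfile

HASH_SCHEMES = (("$1$", "md5-crypt"), ("$2", "bcrypt"),
                ("$5$", "sha256-crypt"), ("$6$", "sha512-crypt"))
WEAK_SCHEMES = {"md5-crypt", "des-crypt", "unknown"}


def pwdfile_from_pam(pam_text):
    """Return the path following pam_pwdfile's 'pwdfile' argument, or None."""
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth" and "pam_pwdfile" in fields[2]:
            args = fields[3:]
            if "pwdfile" in args[:-1]:
                return args[args.index("pwdfile") + 1]
    return None


def scheme(hash_field):
    """Classify a crypt(3)-style hash by its prefix."""
    for prefix, name in HASH_SCHEMES:
        if hash_field.startswith(prefix):
            return name
    return "des-crypt" if len(hash_field) == 13 else "unknown"


def read_entries(path):
    """Parse 'login:hash' lines into {login: scheme}."""
    entries = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            login, sep, rest = line.strip().partition(":")
            if sep:
                entries[login] = scheme(rest.split(":", 1)[0])
    return entries


def lookup_key(login, combine_realm):
    """Name handed to PAM: with -r the realm is re-attached, without it
    everything behind '@' is dropped (behaviour as described in the reply)."""
    user, _, realm = login.partition("@")
    return f"{user}@{realm}" if combine_realm and realm else user


def audit(pam_text, logins, combine_realm):
    path = pwdfile_from_pam(pam_text)
    if path is None:
        raise ValueError("no pam_pwdfile auth line with a pwdfile argument")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    entries = read_entries(path)
    return {
        "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        "weak_hashes": sorted(u for u, s in entries.items() if s in WEAK_SCHEMES),
        "not_found": sorted(name for name in logins
                            if lookup_key(name, combine_realm) not in entries),
    }


def demo():
    """Audit a constructed pwdfile with and without saslauthd -r."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "imap.passwd")
        with open(path, "w", encoding="utf-8") as fh:   # constructed entries
            fh.write("alice@example.org:$1$CONSTRUCT$0000000000000000000000\n"
                     "cyrus:$6$CONSTRUCT$0000000000000000000000\n")
        os.chmod(path, 0o644)          # same mode as the ls -l output posted
        pam = (f"auth required /usr/local/lib/pam_pwdfile.so pwdfile {path}\n"
               "account required /usr/lib/pam_permit.so\n")
        logins = ["alice@example.org", "cyrus"]
        return {"without_r": audit(pam, logins, False),
                "with_r": audit(pam, logins, True)}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```
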



