Re: Delete folders via another IMAP client

[Craig White]

On Fri, 2005-02-18 at 00:53 -0500, Forrest Aldrich wrote:
> Using Cyrus IMAP 2.1.10 (FreeBSD port), I'm able to create folders 
> within my account, but cannot delete them.
> 
> The mailbox was created via standard cyradm:
> 
> cyradm --user admin my.domain.com
>  > cm user/username
> 
> Perhaps I missed a step here - I assume that creating a mailbox will 
> permit for full access in the ACL.
> 
> But the problem may actually be connected to this error I'm unable to 
> resolve:
> 
> imap[000]: no user in db
> 
> (same for imaps)
> 
> But looking with sasldblistusers2, I find everything intact as it should 
> be.  I'm using Thunderbird as the IMAP client (recent build).

forget the client for a moment...

Are you trying to create users/mailboxes that aren't posixAccounts?

Then I would assume that sasldb would be the place for them but I have
always used local account setup. It would seem that you need to be
consistent when you create their accounts with saslpassword and cyrus
account creation.

you can check acl's of mailboxes - I do this by...

su - cyrus -c '/usr/lib/cyrus-imapd/cyradm localhost'
lam user.username #perhaps with unix hierachy, lam user/username
lam user.username.subfolder_name

you can change acl's
sam user.username
sam user.username.subfolder_name

this allows you to check and if necessary (which I suspect via
inheritance shouldn't be necessary to fool with subfolders, you want
them to be different).

Lot's of mail client software won't let you delete the 'current'
folder...i.e. if you select the INBOX and the contents are viewed, you
can delete another folder by right clicking the folder and selecting
delete.

Craig

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Delete folders via another IMAP client

[Forrest Aldrich]

Using Cyrus IMAP 2.1.10 (FreeBSD port), I'm able to create folders 
within my account, but cannot delete them.

The mailbox was created via standard cyradm:
cyradm --user admin my.domain.com
> cm user/username
Perhaps I missed a step here - I assume that creating a mailbox will 
permit for full access in the ACL.

But the problem may actually be connected to this error I'm unable to 
resolve:

imap[000]: no user in db
(same for imaps)
But looking with sasldblistusers2, I find everything intact as it should 
be.  I'm using Thunderbird as the IMAP client (recent build).

Pointers appreciated.
Thanks...
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Horde/IMP authentication to Cyrus via client certificates?

[Igor Brezac]

On Thu, 17 Feb 2005, Kevin P. Fleming wrote:
Igor Brezac wrote:
SASL/EXTERNAL is what you want although I have to not tried it.  OpenLDAP 
works great.  In theory, the CN part of the client certitificate subject 
needs to be a valid mailbox.  You can test this with imtest -t 
client_cert_file -m EXTERNAL   I assume that you have SSL/TLS working.
Yes, I do have that working. I'll test with SASL/EXTERNAL, it sounds like 
exactly what I need. I don't really want the CN to be the mailbox name, 
though, I'd rather have SASL/EXTERNAL work off the email address embedded in 
the certificate.
Actually, this is what you want to do.  I should have said a valid 
cyrus userid rather than mailbox name.


Your bigger issue is to find a client that supports SASL/EXTERNAL.  I do 
not believe c-client library (this is what drives IMP/Horde via PHP) 
supports SASL/EXTERNAL, so this is what you need to start hacking.
That's been my plan; c-client is very simple, and I've already hacked Horde 
to get the PEM-encoded client cert from Apache and store it in a session 
variable, so I can extract it out in IMP and pass it to c-client. If I get it 
working I'll post the results :-)
--
Igor
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Basic FAQs and HOWTOs

[Forrest Aldrich]

I ran into the infamous /var/imap/socket/lmtp write problem - all the 
permissions were correct.  The issue was solved by completely removing 
Cyrus (and all directories) then rebuilding (FreeBSD port) and 
reinstalling.  Then it work.

I'm getting mail on my test machine - but now receiving this error in 
the syslog:

   imaps[99308]: no user in db
I searched all the archives I could find, and haven't found a sufficient 
explanation - though I think this is SASL-related.

Any pointers would be appreciated.
We really need to get some detailed debugging and HOWTOs pooled into a 
Wiki somewhere.   I would "presume" that the Cyrus Wiki would be the 
place to hold this - does anyone have some content to donate?  Surely 
there must be a plethora of information around by now ;-)


Forrest
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Horde/IMP authentication to Cyrus via client certificates?

[pascal]

Quoting "Kevin P. Fleming" <[EMAIL PROTECTED]>:
[EMAIL PROTECTED] wrote:
cyrus/imapd[15511]: starttls: TLSv1 with cipher AES256-SHA (256/256 
bits new) no
authentication
cyrus/imapd[15511]: login: localhost[127.0.0.1] pascal plaintext+TLS

The "no authentication" at the end of the first line is due to 
client certicats
are not allowed with webmail (c-client library doesn't support it)
But the connection has well been crypted like passwd and login.
Yes, I'm aware of that; what I'm proposing is to enhance c-client to 
support client certificates so that after the TLS negotiation is 
complete, the client will already be authenticated as well.
I read your answer to Igor and it would be a great feature if we could use
client certicat with a webmail.
But I can't help you :-(
Pascal
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html



This message was sent using IMP, the Internet Messaging Program.
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Hardware RAID Level & Performance

[Rob Mueller]

No experience with them, but they're the best specs I've seen for SATA 
external RAID - decent processor and NCQ support.
There's quite a few companies making these SATA-to-SCSI and SATA-to-FC 
boxes. A lot of them look quite similar and have almost identical specs, and 
are probably just rebadged versions of the same box made somewhere in 
Taiwan/China.

http://www.excelmeridiandata.com/products/raid.shtml
http://www.fibrenetix.co.uk/products/
http://www.infortrend.com/800600/eonstor.asp
http://www.areasys.com/template.asp?content=index_ide_raid.asp
I'm sure a bit of google searching can find a lot more.
They appear to be reaonsably good value, and some of them have some nice 
features:

1. High density - eg. 12 400G SATA drives in 3U is a lot of space
2. RAID6 - some units now have what they call "RAID6", which is RAID5 with 
double parity. That's different to RAID5+hotspare in that 2 drives can fail 
simultaneously with no problems. Nice if you have high IO load situation, 
since if 1 drive fails, and you wait for it to rebuild to the hotspare it 
could be 24+ hours, quite a danger time for another drive to possibly fail 
in a big 12 or 16 drive array.
3. All-in-one - Sure you could have a PC motherboard and SATA controller 
card and an appropriate, but then you've got another OS to maintain/upgrade, 
etc. These tend to come as one box that you slide the drives in, create the 
partitions through a web-interface, and away you go. They often offer 
monitoring via a web-interface, and active alerting through SNMP and/or SMTP 
email.
4. Battery backup - most of them come with 128M-1024M of cache, and an 
optional battery backup option so you can use write-back caching which 
definitely helps performance

Areasys include a blurb why they think it's better than a "build your own" 
solution, but of course make up your own mind.
http://www.areasys.com/pdf/2012_vs_HomeMadeStorageServer.pdf

We've used two different boxes from different companies and so far they've 
worked great. Hmmm, hope I'm not tempting murphy by saying that... ;)

Rob
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

headers of letters on cyrus vs real

[Golovanoff Sergio]

Hi, pls sorry for my bad english.

The source of the local copy:

//
...
X-UID: 8849
X-Length: 6462
Status: RO
X-Status: ORT
X-KMail-EncryptionState:  
X-KMail-SignatureState:  
X-KMail-MDN-Sent:  

This is a multi-part message in MIME format.
--050605030209000904040105
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

п║п╣я─пЁп╣п╧ п я┐п╥п╫п╣я├п╬п╡ п©п╦я┬п╣я┌:
> п░п╪я─п╣п╫п╬п╡ п ., п▓я▀ п©п╦я│п╟п╩п╦:

//

The source of the same letter on cyrus-imap:

//
...
X-UID: 8849
X-Length: 6462
Status: RO
X-Status: RT
X-KMail-EncryptionState: N
X-KMail-SignatureState: N
X-KMail-MDN-Sent:  

--050605030209000904040105

п║п╣я─пЁп╣п╧ п я┐п╥п╫п╣я├п╬п╡ п©п╦я┬п╣я┌:
> п░п╪я─п╣п╫п╬п╡ п ., п▓я▀ п©п╦я│п╟п╩п╦:

//

i. e.  missed 

This is a multi-part message in MIME format.
...
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

That's why this letter shown incorrect in MUA. It's configuration error or bug 
or something else?

PS. cyrus-imapd-2.2.10-3.fc3

-- 
wbr, Golovanoff Sergio
[EMAIL PROTECTED]
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Horde/IMP authentication to Cyrus via client certificates?

[Kevin P. Fleming]

[EMAIL PROTECTED] wrote:
cyrus/imapd[15511]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits 
new) no
authentication
cyrus/imapd[15511]: login: localhost[127.0.0.1] pascal plaintext+TLS

The "no authentication" at the end of the first line is due to client 
certicats
are not allowed with webmail (c-client library doesn't support it)
But the connection has well been crypted like passwd and login.
Yes, I'm aware of that; what I'm proposing is to enhance c-client to 
support client certificates so that after the TLS negotiation is 
complete, the client will already be authenticated as well.
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Horde/IMP authentication to Cyrus via client certificates?

[Kevin P. Fleming]

Igor Brezac wrote:
SASL/EXTERNAL is what you want although I have to not tried it.  
OpenLDAP works great.  In theory, the CN part of the client 
certitificate subject needs to be a valid mailbox.  You can test this 
with imtest -t client_cert_file -m EXTERNAL   I assume that you have 
SSL/TLS working.
Yes, I do have that working. I'll test with SASL/EXTERNAL, it sounds 
like exactly what I need. I don't really want the CN to be the mailbox 
name, though, I'd rather have SASL/EXTERNAL work off the email address 
embedded in the certificate.

Your bigger issue is to find a client that supports SASL/EXTERNAL.  I do 
not believe c-client library (this is what drives IMP/Horde via PHP) 
supports SASL/EXTERNAL, so this is what you need to start hacking.
That's been my plan; c-client is very simple, and I've already hacked 
Horde to get the PEM-encoded client cert from Apache and store it in a 
session variable, so I can extract it out in IMP and pass it to 
c-client. If I get it working I'll post the results :-)
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Horde/IMP authentication to Cyrus via client certificates?

[pascal]

Quoting "Kevin P. Fleming" <[EMAIL PROTECTED]>:
Edward Rudd wrote:
This is really a Cyrus-SASL topic. as Cyrus IMAP doesn't really care how
the user gets authenticated, only that the SASL layer authenticates the
users.  So client certificate authentication would have to be added as a
SASL authentication module.
It's never been clear to me where IMAP stops and SASL starts as it 
relates to this... but it's my impression that Cyrus SASL has nothing 
at all to do with SSL/TLS, and only handles the authentication 
details after Cyrus IMAP has collected them.

SSL/TLS starts before authentication: you can see in logs the SARTTLS command
before authentication:
cyrus/imapd[15511]: starttls: TLSv1 with cipher AES256-SHA (256/256 
bits new) no
authentication
cyrus/imapd[15511]: login: localhost[127.0.0.1] pascal plaintext+TLS

The "no authentication" at the end of the first line is due to client 
certicats
are not allowed with webmail (c-client library doesn't support it)
But the connection has well been crypted like passwd and login.

Therefore, Cyrus collects login and passwd after TLS started.
Using TLS bitween postsfix and Horde will produce these logs:
postfix/smtpd[15609]: starting TLS engine <== TLS starts
postfix/smtpd[15609]: match_string: fast_flush_domains ~? debug_peer_list
postfix/smtpd[15609]: match_string: fast_flush_domains ~? fast_flush_domains
postfix/smtpd[15609]: watchdog_create: 0x80911c8 18000
postfix/smtpd[15609]: watchdog_stop: 0x80911c8
postfix/smtpd[15609]: watchdog_start: 0x80911c8
postfix/smtpd[15609]: connection established <== Crypted connection is OK
[...]
postfix/smtpd[15609]: > camomile.cloud9.net[168.100.1.3]: 220
euphorie.linuxorable.net ESMTP Postfix (Debian/GNU)
postfix/smtpd[15609]: watchdog_pat: 0x80911c8
postfix/smtpd[15609]: < camomile.cloud9.net[168.100.1.3]: EHLO
camomile.cloud9.net
postfix/smtpd[15609]: > camomile.cloud9.net[168.100.1.3]:
250-euphorie.linuxorable.net
postfix/smtpd[15609]: > camomile.cloud9.net[168.100.1.3]: 250-PIPELINING
postfix/smtpd[15609]: > camomile.cloud9.net[168.100.1.3]: 250-SIZE 2048
postfix/smtpd[15609]: > camomile.cloud9.net[168.100.1.3]: 250-ETRN
postfix/smtpd[15609]: > camomile.cloud9.net[168.100.1.3]: 250-STARTTLS
postfix/smtpd[15609]: > camomile.cloud9.net[168.100.1.3]: 250-AUTH NTLM
DIGEST-MD5 CRAM-MD5
You can see that TLS starts before the authentication commands begin (last 9
lines)
TLS crypts the connection in order the login and passwd (which represents the
authentication) are crypted too.
The mail will be crypted too until is posted to the mailbox where it is 
no more
crypted.

If this can help you...
Pascal
I guess that means that what I want to do will actually require 
changes in both Cyrus IMAP and SASL... time for more research :-)
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html




This message was sent using IMP, the Internet Messaging Program.
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Horde/IMP authentication to Cyrus via client certificates?

[Igor Brezac]

On Thu, 17 Feb 2005, Edward Rudd wrote:
On Wed, 16 Feb 2005 21:18:07 -0700, Kevin P. Fleming wrote:
[snip]
Any thoughts on how difficult it would be to get Cyrus IMAP to accept a
client certificate, validate it and automatically "log in" the user once
that is done? I'll happily contribute the code back to CMU if I get it
working, but I though I'd ask the gurus for their opinions before I
tried to tackle it :-)

SASL/EXTERNAL is what you want although I have to not tried it.  OpenLDAP 
works great.  In theory, the CN part of the client certitificate subject 
needs to be a valid mailbox.  You can test this with imtest -t 
client_cert_file -m EXTERNAL   I assume that you have SSL/TLS working.

Your bigger issue is to find a client that supports SASL/EXTERNAL.  I do 
not believe c-client library (this is what drives IMP/Horde via PHP) 
supports SASL/EXTERNAL, so this is what you need to start hacking.

--
Igor
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Hardware RAID Level & Performance

[Henrique de Moraes Holschuh]

On Thu, 17 Feb 2005, Norman Zhang wrote:
> Henrique de Moraes Holschuh wrote:
> >*All* Intel hardware RAID adapters look the same to the OS, AFAIK. So yes,
> >it is supported by Linux 2.4 and 2.6, and very well supported at that.
> 
> http://downloadfinder.intel.com/scripts-df/filter_results.asp?strOSs=39&strTypes=MOD%2CSPH%2CSCD&ProductID=974&OSFullName=Linux*&submit=Go%21

You do not want to talk to the IOP321. You want to talk to the Intel GDTH (I
think, I might have gotten the name slightly wrong) interface the RAID
firmware exports. It is included in the kernel upstream.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Horde/IMP authentication to Cyrus via client certificates?

[Kevin P. Fleming]

Edward Rudd wrote:
This is really a Cyrus-SASL topic. as Cyrus IMAP doesn't really care how
the user gets authenticated, only that the SASL layer authenticates the
users.  So client certificate authentication would have to be added as a
SASL authentication module.
It's never been clear to me where IMAP stops and SASL starts as it 
relates to this... but it's my impression that Cyrus SASL has nothing at 
all to do with SSL/TLS, and only handles the authentication details 
after Cyrus IMAP has collected them.

I guess that means that what I want to do will actually require changes 
in both Cyrus IMAP and SASL... time for more research :-)
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Hardware RAID Level & Performance

[Jure Pe_ar]

On Thu, 17 Feb 2005 14:41:29 -0800
David R Bosso <[EMAIL PROTECTED]> wrote:

> I just ran across these today:
> 
>  yneRAID6-SATA.htm>
> 
> No experience with them, but they're the best specs I've seen for SATA 
> external RAID - decent processor and NCQ support.

Hm ... $7,345 for just the enclosure and only 128mb cache ...
For $8,849.00 Apple gives you 7 400gb disks ... but they're standard ata and
since it's Apple, i'd guess the whole thing is tuned more toward large media
files ... 

hmm ... 


-- 

Jure Pečar
http://jure.pecar.org/

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Horde/IMP authentication to Cyrus via client certificates?

[Edward Rudd]

On Wed, 16 Feb 2005 21:18:07 -0700, Kevin P. Fleming wrote:

[snip]
> 
> Any thoughts on how difficult it would be to get Cyrus IMAP to accept a 
> client certificate, validate it and automatically "log in" the user once 
> that is done? I'll happily contribute the code back to CMU if I get it 
> working, but I though I'd ask the gurus for their opinions before I 
> tried to tackle it :-)

This is really a Cyrus-SASL topic. as Cyrus IMAP doesn't really care how
the user gets authenticated, only that the SASL layer authenticates the
users.  So client certificate authentication would have to be added as a
SASL authentication module.

> ---
> Cyrus Home Page: http://asg.web.cmu.edu/cyrus
> Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Hardware RAID Level & Performance

[Henrique de Moraes Holschuh]

On Thu, 17 Feb 2005, Norman Zhang wrote:
> Do you have some figures?

>From the top of my head, about 4MB/s write and 10-30MB/s reading on a 5-disc
RAID5 array.  If that's enough for your needs, go for it.  Linux software
RAID can do better than that (but it eats some CPU *and* it doesn't drive
the SAFTE enclosure, nor can it do global hot-spares...)

> >You will notice Intel itself stopped with this sillyness and their newer
> >zero-channel adapters feature 128MB of DDR333 RAM and a IOP-321 
> >processor...
> 
> Thanks. I'll look into that. I'm not sure if support is already added to 
> the 2.6.x kernel. Most of us run Cyrus on Linux/BSD, right?

*All* Intel hardware RAID adapters look the same to the OS, AFAIK. So yes,
it is supported by Linux 2.4 and 2.6, and very well supported at that.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Hardware RAID Level & Performance

[Norman Zhang]

Henrique de Moraes Holschuh wrote:
From the top of my head, about 4MB/s write and 10-30MB/s reading on a 5-disc
RAID5 array.  If that's enough for your needs, go for it.  Linux software
RAID can do better than that (but it eats some CPU *and* it doesn't drive
the SAFTE enclosure, nor can it do global hot-spares...)
Thanks.
*All* Intel hardware RAID adapters look the same to the OS, AFAIK. So yes,
it is supported by Linux 2.4 and 2.6, and very well supported at that.
http://downloadfinder.intel.com/scripts-df/filter_results.asp?strOSs=39&strTypes=MOD%2CSPH%2CSCD&ProductID=974&OSFullName=Linux*&submit=Go%21
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Hardware RAID Level & Performance

[David R Bosso]

--On Thursday, February 17, 2005 10:56 PM +0100 Jure Pe ar 
<[EMAIL PROTECTED]> wrote:

Because of that (and because I already have FC infrastructure in place)
I'm mostly interested in standalone disk enclosures doing their own raid
with cheap sata drives and big caches with batteries.
I just ran across these today:

No experience with them, but they're the best specs I've seen for SATA 
external RAID - decent processor and NCQ support.

We've had good luck with the LSI Megaraid 320-2X and 320-4X SCSI cards. 
The older, non "X" cards don't use the newer Intel xscale chips and really 
can't keep up for RAID-5 based on the testing I did.

I've seen pretty poor RAID-5 performance from an LSI SATA card, the 150-6. 
It uses one of the older Intel i960 based IOP chips.

-David
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Hardware RAID Level & Performance

[Jim Bartus]

Kevin P. Fleming wrote:
Even better, they just released the AX100i, which uses iSCSI for the 
host interface. The array units are about the same price, but 
connectivity for 6-8 hosts is far, far cheaper than FC.
FYI iSCSI eats up a ton of CPU unless you're using a TOE NIC.
-jim
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Hardware RAID Level & Performance

[Norman Zhang]

Henrique de Moraes Holschuh wrote:
Thanks for your explanation. How's this one
http://www.supermicro.com/products/accessories/addon/DAC-ZCRINT.cfm
It uses Intel 80303 I/O processor boards? I'm planning to build my 
Cyrus-IMAPD on this HW.
Well, I have something like it, an Intel SRCZCR.  It is also a zero-channel
RAID adapter, and yes, it is a real honest hardware RAID, but it is not
PCI-X.
But it is a *piece* *of* *crap* performance-wise, and that's using U320 SCSI
drives on the host adapter.  So, it will work well if you don't need much
performance.  But otherwise, get something better.  Anything that hasn't got
NVRAM (64MB or more) and an on-card SCSI U160 or U320 controller is not
worth thinking about IMHO (for SATA that translates to on-card NCQ SATA
controllers, I suppose).
Do you have some figures?
You will notice Intel itself stopped with this sillyness and their newer
zero-channel adapters feature 128MB of DDR333 RAM and a IOP-321 processor...
Thanks. I'll look into that. I'm not sure if support is already added to 
the 2.6.x kernel. Most of us run Cyrus on Linux/BSD, right?

Regards,
Norman Zhang
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Hardware RAID Level & Performance

[Jure Pe_ar]

On Thu, 17 Feb 2005 20:50:56 +0100
[EMAIL PROTECTED] wrote:

> If you want the benefits of host independant RAID and cheap SATA disks you
> may have a look at this one :
> http://www.icp-vortex.com/english/product/pci/rz_sata_8/8586rz_e.htm

I'm actually very afraif of all those cards with plenty of cache and no
battery backup for it. It has been proven (on certain notebook disks iirc)
that even 2mb cache on disks themselves if not flushed properly on shutdown
can be a disaster for the filesystem. Don't want to expirience what happens
if you manage to create a 128mb large "hole" in your data. That's why you
see write caching disabled everywhere by default. And write caching is what
we in the mail business want the most ...

3ware has gotten the right idea recently and started offering batery backup
units for their cards. I'm trying to get one to test ...

Because of that (and because I already have FC infrastructure in place) I'm
mostly interested in standalone disk enclosures doing their own raid with
cheap sata drives and big caches with batteries.


-- 

Jure Pečar
http://jure.pecar.org/

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Hardware RAID Level & Performance

[Henrique de Moraes Holschuh]

On Thu, 17 Feb 2005, Aleksandar Milivojevic wrote:
> Norman Zhang wrote:
> >Thanks for your explanation. How's this one
> >http://www.supermicro.com/products/accessories/addon/DAC-ZCRINT.cfm
> >
> >It uses Intel 80303 I/O processor boards? I'm planning to build my 
> >Cyrus-IMAPD on this HW.

Well, I have something like it, an Intel SRCZCR.  It is also a zero-channel
RAID adapter, and yes, it is a real honest hardware RAID, but it is not
PCI-X.

But it is a *piece* *of* *crap* performance-wise, and that's using U320 SCSI
drives on the host adapter.  So, it will work well if you don't need much
performance.  But otherwise, get something better.  Anything that hasn't got
NVRAM (64MB or more) and an on-card SCSI U160 or U320 controller is not
worth thinking about IMHO (for SATA that translates to on-card NCQ SATA
controllers, I suppose).

You will notice Intel itself stopped with this sillyness and their newer
zero-channel adapters feature 128MB of DDR333 RAM and a IOP-321 processor...

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Hardware RAID Level & Performance

[Jared Watkins]

Andrew Morgan wrote:
You may want to look into Dell's AX100 SAN (a rebranded version of the 
EMC Clariion AX100).  These use SATA drives with a FC front end.  They 
are relatively inexpensive for the amount of storage you can get, if 
your I/O needs match.  You can also go a little more upscale with the 
CX300/500/700 models which support a mix of FC and SATA hard drives 
and offer greater expandability.

Whether these solutions are appropriate for storing mail is left as an 
exercise for the reader...   :)

I've had the chance to test about a dozen different storage systems... 
FC and ATA...   I have tried to run CX200 and 300s in production with a 
mix of FC and ATA drives.. using the ata for simple file server space.. 
and let me just say.. don't go there.  The emc ata performance was so 
bad.. after 4 months of them tinkering with it we eventually sent it 
back for all FC drives.  Their ata systems couldn't match any of the 
other ata disk arrays I've tested.

One good but lesser known company is http://www.technomagesinc.com/  I 
have about 8TB worth of their ata disk in production... with FC and U160 
connectivity.   The boxes are all off the shelf and proven hardware.. 
nothing exotic and proprietary.. and they run embedded linux.  Very 
straight forward systems that just work.. and very good support.

Jared
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Hardware RAID Level & Performance

[Jure Pe_ar]

On Thu, 17 Feb 2005 10:19:28 -0800 (PST)
Andrew Morgan <[EMAIL PROTECTED]> wrote:

> You may want to look into Dell's AX100 SAN (a rebranded version of the EMC
> 
> Clariion AX100).  These use SATA drives with a FC front end.  They are 
> relatively inexpensive for the amount of storage you can get, if your I/O 
> needs match.  You can also go a little more upscale with the CX300/500/700
> 
> models which support a mix of FC and SATA hard drives and offer greater 
> expandability.

Has anyone any expirience with Aplle Xserve RAID offer? It seems to be the
cheapest of the bunch.


-- 

Jure Pečar
http://jure.pecar.org/

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Hardware RAID Level & Performance

[lst_hoe01]

Zitat von Aleksandar Milivojevic <[EMAIL PROTECTED]>:

> Norman Zhang wrote:
> > May I ask has anyone consider SATA RAID yet? I seems to be a very
> > inexpensive solution.
>
> All inexpensive SATA RAID solutions are "fake RAID".  This includes
> almost all SATA controlers that are integrated into motherboards and
> marketed as RAID capable.  They are software RAID.  Basically, you use
> BIOS to write some metadata to the disks (configure the RAID), and than
> you need to use special drivers in OS that will do the actual software
> RAID stuff.  Most of those specialized drivers are slow, unstable, not
> available for anything but Windows, or all three of previous statements.
>   If you have one of those motherboards and/or controllers, you are far
> better disabling RAID stuff in BIOS and using standard Linux software
> RAID drivers (md) or standard *BSD RAID drivers (RAIDframe).

If you want the benefits of host independant RAID and cheap SATA disks you may
have a look at this one :
http://www.icp-vortex.com/english/product/pci/rz_sata_8/8586rz_e.htm

Regards

Andreas

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Hardware RAID Level & Performance

[Aleksandar Milivojevic]

Norman Zhang wrote:
Thanks for your explanation. How's this one
http://www.supermicro.com/products/accessories/addon/DAC-ZCRINT.cfm
It uses Intel 80303 I/O processor boards? I'm planning to build my 
Cyrus-IMAPD on this HW.
Don't know much about it.  Looks as if it might be real hardware RAID.
--
Aleksandar Milivojevic <[EMAIL PROTECTED]>Pollard Banknote Limited
Systems Administrator   1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB  R3T 1L7
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Hardware RAID Level & Performance

[Kevin P. Fleming]

Andrew Morgan wrote:
You may want to look into Dell's AX100 SAN (a rebranded version of the 
EMC Clariion AX100).  These use SATA drives with a FC front end.  They 
are relatively inexpensive for the amount of storage you can get, if 
your I/O needs match.  You can also go a little more upscale with the 
CX300/500/700 models which support a mix of FC and SATA hard drives and 
offer greater expandability.
Even better, they just released the AX100i, which uses iSCSI for the 
host interface. The array units are about the same price, but 
connectivity for 6-8 hosts is far, far cheaper than FC.
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Hardware RAID Level & Performance

[Andrew Morgan]

On Thu, 17 Feb 2005, Aleksandar Milivojevic wrote:
Norman Zhang wrote:
May I ask has anyone consider SATA RAID yet? I seems to be a very 
inexpensive solution.
All is not dark.  There are several companies making real hardware RAID 
solutions that use SATA disks.  3ware is one of them and seems to be very 
well supported and popular in Linux community.  Device drivers are part of 
official Linux kernel.  Adaptec has some real SATA hardware RAID controlers. 
Device drivers for some of them are part of official Linux kernel, for others 
can be downloaded from Adaptec web site.  So if you want hardware RAID 
solution based on SATA disks, that is the only way to go currently.  If 
buying Adaptec, be carefull.  The cheap SATA RAID card they sell is software 
RAID.  You need to buy one of the more expensive ones to get hardware RAID.
You may want to look into Dell's AX100 SAN (a rebranded version of the EMC 
Clariion AX100).  These use SATA drives with a FC front end.  They are 
relatively inexpensive for the amount of storage you can get, if your I/O 
needs match.  You can also go a little more upscale with the CX300/500/700 
models which support a mix of FC and SATA hard drives and offer greater 
expandability.

Whether these solutions are appropriate for storing mail is left as an 
exercise for the reader...   :)

Andy
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Basic FAQs and HOWTOs

[Kevin P. Fleming]

Wil Cooley wrote:
Lately I've been trying to migrate my self-signed certs to certs
generated with TinyCA from a self-signed root cert; that way once I
import my root CA I can bypass all of the prompts.
Yes, that is a much better plan. I do that for my clients who have 
private webmail/intranet sites, just generate a cert for each client who 
will be connecting (from the same CA that generated the server's cert), 
and when they install it into their browser/mail client they 
automatically "trust" the private CA. No prompts when they connect to 
the server :-)
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Hardware RAID Level & Performance

[Aleksandar Milivojevic]

Norman Zhang wrote:
May I ask has anyone consider SATA RAID yet? I seems to be a very 
inexpensive solution.
All inexpensive SATA RAID solutions are "fake RAID".  This includes 
almost all SATA controlers that are integrated into motherboards and 
marketed as RAID capable.  They are software RAID.  Basically, you use 
BIOS to write some metadata to the disks (configure the RAID), and than 
you need to use special drivers in OS that will do the actual software 
RAID stuff.  Most of those specialized drivers are slow, unstable, not 
available for anything but Windows, or all three of previous statements. 
 If you have one of those motherboards and/or controllers, you are far 
better disabling RAID stuff in BIOS and using standard Linux software 
RAID drivers (md) or standard *BSD RAID drivers (RAIDframe).

The only reason why would anybody use one of those "fake" RAID stuff is 
if you have Windows XP Home/Professional installed on the machine.  This 
will give you software RAID support by using special device driver 
(since native Windows software RAID driver is available only in Server 
versions of Windows).  Basically this is the core reason why those 
"fake" RAID controlers exist: chipset manufacturers giving you something 
Microsoft denied to you.  This is more or less desktop/home user domain. 
 For servers, there is no advantage of using them (only disadvantages).

All is not dark.  There are several companies making real hardware RAID 
solutions that use SATA disks.  3ware is one of them and seems to be 
very well supported and popular in Linux community.  Device drivers are 
part of official Linux kernel.  Adaptec has some real SATA hardware RAID 
controlers.  Device drivers for some of them are part of official Linux 
kernel, for others can be downloaded from Adaptec web site.  So if you 
want hardware RAID solution based on SATA disks, that is the only way to 
go currently.  If buying Adaptec, be carefull.  The cheap SATA RAID card 
they sell is software RAID.  You need to buy one of the more expensive 
ones to get hardware RAID.

Also, there's couple of "accelerated SATA RAID controlers" around. 
Those are software RAIDs too, special device drivers needed, with some 
accleration done in hardware.  People who tested them reported that they 
are slower than standard Linux software RAID (implemented by md device 
driver).

--
Aleksandar Milivojevic <[EMAIL PROTECTED]>Pollard Banknote Limited
Systems Administrator   1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB  R3T 1L7
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Treo 650 SSL Interaction with Cyrus

[Alec H. Peterson]

Oh man that's twisted, as soon as I started looking at it with ssldump it 
started working properly.  Now I'm thoroughly confused.

Alec
--On February 17, 2005 9:27:55 -0500 Ken Murchison <[EMAIL PROTECTED]> wrote:
Alec H. Peterson wrote:
Hi there,
I am using a Treo 650 with Chatter IMAP (which has IDLE support) to sync
with my Cyrus IMAP folders.  It works great over port 143, however over
port 993 the SSL refuses to synchronize.  I've already been in contact
with the developer of Chatter, and he says the SSL API on the Treo gives
the developer very little to play with.  Furthermore, when using
STARTTLS with the SMTP functionality against my Exim SMTP server (which
has the same version of OpenSSL and uses the same certificate) it works
just fine.  This leads me to believe that something Cyrus is doing with
OpenSSL is not agreeing with the Treo's SSL library.
Note that Chatter only supports IMAP over port 993, not STARTTLS IMAP at
this stage.
Anyway, I have attached a debugging log of the failed SSL negotiation
from the server side.  If somebody with some insight in to Cyrus's use
of OpenSSL could give me a clue about where to look to try and narrow
this down that would be really helpful.
You're probably better off using something like SSLdump
(http://www.rtfm.com/ssldump/) to debug this.  It will provide you with
more extensive and more readable output.

Thanks much,
Alec
Feb 16 17:10:12 ramirez master[32384]: about to exec /usr/cyrus/bin/imapd
Feb 16 17:10:12 ramirez imaps[32384]: executed
Feb 16 17:10:17 ramirez imaps[32289]: starting TLS server engine
Feb 16 17:10:17 ramirez imaps[32289]: TLS server engine: cannot load CA
data
Feb 16 17:10:17 ramirez imaps[32289]: TLS server engine: cannot load CA
data
Feb 16 17:10:17 ramirez imaps[32289]: setting up TLS connection
Feb 16 17:10:17 ramirez imaps[32289]: SSL_accept:before/accept
initialization
Feb 16 17:10:17 ramirez imaps[32289]:  16 03 00 00 33 01 00 00|2f 03
Feb 16 17:10:17 ramirez imaps[32289]: 000b - 
Feb 16 17:10:17 ramirez imaps[32289]:  3a 5e df 74 53 01 eb 69|dc bc
fd ff 0c c8 82 39
Feb 16 17:10:17 ramirez imaps[32289]: 0010 5c b8 89 33 35 6e 05 d4|79 e3
71 5e 45 3b 59 f7
Feb 16 17:10:17 ramirez imaps[32289]: 0020 00 00 08 00 04 00 05 00|64 00
03 01
Feb 16 17:10:17 ramirez imaps[32289]: 002d - 
Feb 16 17:10:17 ramirez imaps[32289]: SSL_accept:SSLv3 read client hello
A Feb 16 17:10:17 ramirez imaps[32289]: SSL_accept:SSLv3 write server
hello A Feb 16 17:10:17 ramirez imaps[32289]: SSL_accept:SSLv3 write
certificate A Feb 16 17:10:17 ramirez imaps[32289]: SSL_accept:SSLv3
write server done A Feb 16 17:10:17 ramirez imaps[32289]:
SSL_accept:SSLv3 flush data Feb 16 17:10:17 ramirez imaps[32289]: 
16 03 00 00 33
Feb 16 17:10:17 ramirez imaps[32289]:  01 00 00 2f 03 00 3a 5e|df 79
72 fb fa f8 ec 93
Feb 16 17:10:17 ramirez imaps[32289]: 0010 3b c4 07 94 20 12 88 f7|e0 25
ae 2b 88 39 e7 b1
Feb 16 17:10:17 ramirez imaps[32289]: 0020 5b 68 c5 b3 a5 6f 00 00|08 00
04 00 05 00 64 00
Feb 16 17:10:17 ramirez imaps[32289]: 0030 03 01
Feb 16 17:10:17 ramirez imaps[32289]: 0033 - 
Feb 16 17:10:17 ramirez imaps[32289]: SSL_accept:SSLv3 read client hello
C Feb 16 17:10:17 ramirez imaps[32289]: SSL_accept:SSLv3 write server
hello A Feb 16 17:10:17 ramirez imaps[32289]: SSL_accept:SSLv3 write
certificate A Feb 16 17:10:17 ramirez imaps[32289]: SSL_accept:SSLv3
write server done A Feb 16 17:10:17 ramirez imaps[32289]:
SSL_accept:SSLv3 flush data Feb 16 17:10:18 ramirez imaps[32289]: 
16 03 00 00 84
Feb 16 17:10:18 ramirez imaps[32289]:  10 00 00 80 24 1e d6 0f|b4 25
7c d8 c5 3e 66 78
Feb 16 17:10:18 ramirez imaps[32289]: 0010 d3 e8 fc 2c 22 14 b5 9c|35 a0
33 cc e8 aa bd f3
Feb 16 17:10:18 ramirez imaps[32289]: 0020 0e 19 c8 55 ae 87 2a 3b|89 c2
9b 19 3d 07 4c aa
Feb 16 17:10:18 ramirez imaps[32289]: 0030 a8 43 bf 1b 69 a6 37 15|81 94
89 a2 ae 5f 25 76
Feb 16 17:10:18 ramirez imaps[32289]: 0040 f7 24 61 1a ea c6 5d af|88 95
02 fa c3 c9 fc 33
Feb 16 17:10:18 ramirez imaps[32289]: 0050 8f 74 45 58 02 54 b8 68|c1 90
78 6a c9 fe 14 0f
Feb 16 17:10:18 ramirez imaps[32289]: 0060 29 e6 73 68 5a 1d 87 38|33 c9
a6 60 dc e3 44 8b
Feb 16 17:10:18 ramirez imaps[32289]: 0070 58 79 a5 b8 af 30 6d 60|19 a6
df 60 0f c5 fa ea
Feb 16 17:10:18 ramirez imaps[32289]: 0080 0c 8d 56 67
Feb 16 17:10:18 ramirez imaps[32289]: SSL_accept:SSLv3 read client key
exchange A
Feb 16 17:10:18 ramirez imaps[32289]:  14 03 00 00 01
Feb 16 17:10:18 ramirez imaps[32289]:  01
Feb 16 17:10:18 ramirez imaps[32289]:  16 03 00 00 38
Feb 16 17:10:18 ramirez imaps[32289]:  48 26 76 cc 52 e3 92 ca|bc bf
8d 38 17 13 73 1a
Feb 16 17:10:18 ramirez imaps[32289]: 0010 20 4d 62 94 fb a2 39 51|d3 ef
c9 59 91 6f 28 f0
Feb 16 17:10:18 ramirez imaps[32289]: 0020 41 7f a1 39 96 d8 ad 73|5b ed
27 db 33 dc 21 0f
Feb 16 17:10:18 ramirez imaps[32289]: 0030 c3 46 04 20 54 6e e0 c1|
Feb 16 17:10:18 ramirez imaps[32289]: SSL3 alert write:fatal:bad record
mac Feb 16 17:10:18 ramirez imaps[322

Re: User directory hashing

[Jure Pe_ar]

On Thu, 17 Feb 2005 16:56:57 +0100
Tucsek János <[EMAIL PROTECTED]> wrote:

> Hi,
> 
> Does anybody know, how to turn on directory hashing on users directory?
> So, for example:
> Our user's messages are in: 
> 
> /imap/domain/foobar.com/user/foo
> .
> .
> /imap/domain/foobar.com/user/bar
> 
> directories.
> 
> And the question is: is there any directory hashing patch to cyrus ( 2.2+
> version ), what will make something like this with directories:
> 
> /imap/domain/foobar.com/user/f/fo/foo
> .
> .
> /imap/domain/foobar.com/user/b/ba/bar

Hm? hashimapspool: 1 in imapd.conf gives me this:

/imap/domain/f/foobar.com/b/user/bar ... which is ok, for now.

> Because we have approx. 20-25 thousand user under one domain dir (free
> mail service),

same here :)

> and when doing a backup it tooks a lot of time to get the directory
> listing...

Which filesystem? default ext3 is going to take some time here, yes ... 

Also, the next limit you're going to hit is 32k subdirectories per directory
max on many filesystems (at least ext2/3 and veritas behave that way).
Luckily, reiserfs does not suffer from this.


For those who don't (want) / can't use reiserfs and fulldirhash is too messy
... it would be nice to hash in the f/fo/user/foo way ... maybe like
something postfix does with the hash_queue_depth. Anyone?


-- 

Jure Pečar
http://jure.pecar.org/

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

User directory hashing

[Tucsek János]

Title: User directory hashing






Hi,

Does anybody know, how to turn on directory hashing on users directory?
So, for example:
Our user's messages are in:

/imap/domain/foobar.com/user/foo
.
.
/imap/domain/foobar.com/user/bar

directories.

And the question is: is there any directory hashing patch to cyrus ( 2.2+ version ),
what will make something like this with directories:

/imap/domain/foobar.com/user/f/fo/foo
.
.
/imap/domain/foobar.com/user/b/ba/bar

Because we have approx. 20-25 thousand user under one domain dir (free mail service),
and when doing a backup it tooks a lot of time to get the directory listing...

I found that there is a fulldirhash configure option, but it hashes only the domain name,
not the user's dir, so for example with fulldirhash the directory seems to be like that: /imap/domain/f/foobar.com/...

Any ideas?

Thanks,
Janos Tucsek

Re: Cyrus in ISP environment?

[Jure Pe_ar]

On Thu, 17 Feb 2005 14:54:11 +0100
Marco Colombo <[EMAIL PROTECTED]> wrote:

> > 10-15MBps ... then add a few hundred concurrent pop & imap sessions plus
> > some monitoring/statistical script walking your spool doing various
> > operations and see this number fall down dramatically ... Because with
> > random i/o ops you increase time disk heads travel around and add
> > latency to the whole setup.

Just came up with a test: if you have linux software raid, you can fail one
drive and put it back, forcing a resync; then you can play with sysct
dev.raid.speed_limit_min|max to establish a linear read/write i/o that takes
some % of your total i/o capacity. Then add your above test to the mix and
observe throughput numbers. Might be interesting :)

> Consider splitting the SMPT incoming part from the IMAP/POP serving one.
> Have the SMTP server receive, queue, scan messages. Once messages are in
> the queue, use a queue runner to deliver message the IMAP server via LMTP.

I think this goes by default? :)
 
> Unless you are willing to accept mail for unknow users (and discover
> that later at LMTP level) you may need to teach your SMTP server how to
> recognize valid users.

If you have some external db for user auth, it is relatively trivial to
build a postfix (or sendmail..) map that checks for valid users before
accepting the mail. 

What i'd like to see next is a overquota check on the same level. 


-- 

Jure Pečar
http://jure.pecar.org/

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Listing common user's ACLs from the admin's point of view (perl or PHP)

[LaurentG]

Hello,
In order to manage common users status changes (indicated by the update 
of the LDAP directory) I'd need to enumerate all the granted ACLs my 
common user owns.

As an admin, I don't have his password, so can't connect as his identity 
but need to list all ACLs he owns (except his own mailbox ones). One 
solution, not the best (I'd rather), is to parse the entire spool with a 
'listaclmailbox' and delete any matching ACL, except on his own mailbox.

But  searching more efficient way, such as the imap 'getmailboxes'under 
the common user's identity.

The admins tools are being  writen  in perl an PHP, so the solution can 
be in either language.

Thanks for help, or ideas.
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Treo 650 SSL Interaction with Cyrus

[Ken Murchison]

Alec H. Peterson wrote:
Hi there,
I am using a Treo 650 with Chatter IMAP (which has IDLE support) to sync 
with my Cyrus IMAP folders.  It works great over port 143, however over 
port 993 the SSL refuses to synchronize.  I've already been in contact 
with the developer of Chatter, and he says the SSL API on the Treo gives 
the developer very little to play with.  Furthermore, when using 
STARTTLS with the SMTP functionality against my Exim SMTP server (which 
has the same version of OpenSSL and uses the same certificate) it works 
just fine.  This leads me to believe that something Cyrus is doing with 
OpenSSL is not agreeing with the Treo's SSL library.

Note that Chatter only supports IMAP over port 993, not STARTTLS IMAP at 
this stage.

Anyway, I have attached a debugging log of the failed SSL negotiation 
from the server side.  If somebody with some insight in to Cyrus's use 
of OpenSSL could give me a clue about where to look to try and narrow 
this down that would be really helpful.
You're probably better off using something like SSLdump 
(http://www.rtfm.com/ssldump/) to debug this.  It will provide you with 
more extensive and more readable output.


Thanks much,
Alec
Feb 16 17:10:12 ramirez master[32384]: about to exec /usr/cyrus/bin/imapd
Feb 16 17:10:12 ramirez imaps[32384]: executed
Feb 16 17:10:17 ramirez imaps[32289]: starting TLS server engine
Feb 16 17:10:17 ramirez imaps[32289]: TLS server engine: cannot load CA 
data
Feb 16 17:10:17 ramirez imaps[32289]: TLS server engine: cannot load CA 
data
Feb 16 17:10:17 ramirez imaps[32289]: setting up TLS connection
Feb 16 17:10:17 ramirez imaps[32289]: SSL_accept:before/accept 
initialization
Feb 16 17:10:17 ramirez imaps[32289]:  16 03 00 00 33 01 00 00|2f 03
Feb 16 17:10:17 ramirez imaps[32289]: 000b - 
Feb 16 17:10:17 ramirez imaps[32289]:  3a 5e df 74 53 01 eb 69|dc bc 
fd ff 0c c8 82 39
Feb 16 17:10:17 ramirez imaps[32289]: 0010 5c b8 89 33 35 6e 05 d4|79 e3 
71 5e 45 3b 59 f7
Feb 16 17:10:17 ramirez imaps[32289]: 0020 00 00 08 00 04 00 05 00|64 00 
03 01
Feb 16 17:10:17 ramirez imaps[32289]: 002d - 
Feb 16 17:10:17 ramirez imaps[32289]: SSL_accept:SSLv3 read client hello A
Feb 16 17:10:17 ramirez imaps[32289]: SSL_accept:SSLv3 write server hello A
Feb 16 17:10:17 ramirez imaps[32289]: SSL_accept:SSLv3 write certificate A
Feb 16 17:10:17 ramirez imaps[32289]: SSL_accept:SSLv3 write server done A
Feb 16 17:10:17 ramirez imaps[32289]: SSL_accept:SSLv3 flush data
Feb 16 17:10:17 ramirez imaps[32289]:  16 03 00 00 33
Feb 16 17:10:17 ramirez imaps[32289]:  01 00 00 2f 03 00 3a 5e|df 79 
72 fb fa f8 ec 93
Feb 16 17:10:17 ramirez imaps[32289]: 0010 3b c4 07 94 20 12 88 f7|e0 25 
ae 2b 88 39 e7 b1
Feb 16 17:10:17 ramirez imaps[32289]: 0020 5b 68 c5 b3 a5 6f 00 00|08 00 
04 00 05 00 64 00
Feb 16 17:10:17 ramirez imaps[32289]: 0030 03 01
Feb 16 17:10:17 ramirez imaps[32289]: 0033 - 
Feb 16 17:10:17 ramirez imaps[32289]: SSL_accept:SSLv3 read client hello C
Feb 16 17:10:17 ramirez imaps[32289]: SSL_accept:SSLv3 write server hello A
Feb 16 17:10:17 ramirez imaps[32289]: SSL_accept:SSLv3 write certificate A
Feb 16 17:10:17 ramirez imaps[32289]: SSL_accept:SSLv3 write server done A
Feb 16 17:10:17 ramirez imaps[32289]: SSL_accept:SSLv3 flush data
Feb 16 17:10:18 ramirez imaps[32289]:  16 03 00 00 84
Feb 16 17:10:18 ramirez imaps[32289]:  10 00 00 80 24 1e d6 0f|b4 25 
7c d8 c5 3e 66 78
Feb 16 17:10:18 ramirez imaps[32289]: 0010 d3 e8 fc 2c 22 14 b5 9c|35 a0 
33 cc e8 aa bd f3
Feb 16 17:10:18 ramirez imaps[32289]: 0020 0e 19 c8 55 ae 87 2a 3b|89 c2 
9b 19 3d 07 4c aa
Feb 16 17:10:18 ramirez imaps[32289]: 0030 a8 43 bf 1b 69 a6 37 15|81 94 
89 a2 ae 5f 25 76
Feb 16 17:10:18 ramirez imaps[32289]: 0040 f7 24 61 1a ea c6 5d af|88 95 
02 fa c3 c9 fc 33
Feb 16 17:10:18 ramirez imaps[32289]: 0050 8f 74 45 58 02 54 b8 68|c1 90 
78 6a c9 fe 14 0f
Feb 16 17:10:18 ramirez imaps[32289]: 0060 29 e6 73 68 5a 1d 87 38|33 c9 
a6 60 dc e3 44 8b
Feb 16 17:10:18 ramirez imaps[32289]: 0070 58 79 a5 b8 af 30 6d 60|19 a6 
df 60 0f c5 fa ea
Feb 16 17:10:18 ramirez imaps[32289]: 0080 0c 8d 56 67
Feb 16 17:10:18 ramirez imaps[32289]: SSL_accept:SSLv3 read client key 
exchange A
Feb 16 17:10:18 ramirez imaps[32289]:  14 03 00 00 01
Feb 16 17:10:18 ramirez imaps[32289]:  01
Feb 16 17:10:18 ramirez imaps[32289]:  16 03 00 00 38
Feb 16 17:10:18 ramirez imaps[32289]:  48 26 76 cc 52 e3 92 ca|bc bf 
8d 38 17 13 73 1a
Feb 16 17:10:18 ramirez imaps[32289]: 0010 20 4d 62 94 fb a2 39 51|d3 ef 
c9 59 91 6f 28 f0
Feb 16 17:10:18 ramirez imaps[32289]: 0020 41 7f a1 39 96 d8 ad 73|5b ed 
27 db 33 dc 21 0f
Feb 16 17:10:18 ramirez imaps[32289]: 0030 c3 46 04 20 54 6e e0 c1|
Feb 16 17:10:18 ramirez imaps[32289]: SSL3 alert write:fatal:bad record mac
Feb 16 17:10:18 ramirez imaps[32289]: SSL_accept:error in SSLv3 read 
certificate verify A
Feb 16 17:10:18 ramirez imaps[32289]: imaps TLS negotiation failed: 
032-374-746.area5.spcsdns.net [70.2.19.200]
Feb 16

Re: Cyrus in ISP environment?

[Marco Colombo]

Jure Pe_ar wrote:
On Wed, 16 Feb 2005 16:21:09 +0100
Attila Nagy <[EMAIL PROTECTED]> wrote:

Amavisd was slow like hell, but cyrus could easily put email down to 
disk at a rate of 10-15 MBps.

Take the above numbers with a grain of salt, because the testing was 
pretty lame

10-15MBps ... then add a few hundred concurrent pop & imap sessions plus
some monitoring/statistical script walking your spool doing various
operations and see this number fall down dramatically ... Because with
random i/o ops you increase time disk heads travel around and add latency to
the whole setup.
The only thing that helps here is having lots and lots of disks or hw raid
controllers with nice big caches. Just what 'lots' and 'big' means depends
much on your actual needs. 
Consider splitting the SMPT incoming part from the IMAP/POP serving one.
Have the SMTP server receive, queue, scan messages. Once messages are in
the queue, use a queue runner to deliver message the IMAP server via LMTP.
Unless you are willing to accept mail for unknow users (and discover
that later at LMTP level) you may need to teach your SMTP server how to
recognize valid users.
The splitted approach scales much better, and reduces I/O load a lot
(as you said, it's the _combined_ I/O load that hurts you). You can
identify the overloaded part easily, and take countermeasures. Adding
a second SMTP server should be easy. Adding a second IMAP backend can be
easy or hard depending on your setup (e.g., if you can split messages
based on, say, domain, it's just a matter of configuring your MTA to
deliver to the "right" LMTP server for a given domain).
The only difference from a standard installation (where both the MTA
and IMAP servers run on the same host) is LMTP authentication (you need
to set it up - the defaul "preauthentication" based on Unix permissions
of the local socket won't do of course) and authorization (the MTA needs
write access to all mailboxes).
.TM.
--
  /  /   /
 /  /   /   Marco Colombo
___/  ___  /   /  Technical Manager
   /  /   /  ESI s.r.l.
 _/ _/  _/ [EMAIL PROTECTED]
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Treo 650 SSL Interaction with Cyrus

[Alec H. Peterson]

Hrm, I have VersaMail on the 650, I'll give that a shot.  Should have 
thought of that myself.

Thanks much,
Alec
--On February 17, 2005 0:28:31 -0500 Derrick J Brashear 
<[EMAIL PROTECTED]> wrote:

On Wed, 16 Feb 2005, Alec H. Peterson wrote:
I am using a Treo 650 with Chatter IMAP (which has IDLE support) to sync
with  my Cyrus IMAP folders.  It works great over port 143, however over
port 993  the SSL refuses to synchronize.  I've already been in contact
with the
It is claimed that Versamail 3.0 on the Treo 650 works with SSL certs
both from a ca and self-signed. I don't know, I only have a 600. But, on
that basis I'd expect the API is capable of doing it. I have no
particular insight into what the 650 is looking for. If I ever get one,
you can be assured I will look, but $600 to find this answer is right out.
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
!DSPAM:4214319943491573095556!



---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Treo 650 SSL Interaction with Cyrus

[Alec H. Peterson]

--On February 17, 2005 0:28:31 -0500 Derrick J Brashear 
<[EMAIL PROTECTED]> wrote:

It is claimed that Versamail 3.0 on the Treo 650 works with SSL certs
both from a ca and self-signed. I don't know, I only have a 600. But, on
that basis I'd expect the API is capable of doing it. I have no
particular insight into what the 650 is looking for. If I ever get one,
you can be assured I will look, but $600 to find this answer is right out.
VersaMail on the 650 failed with the same server-side error that Chatter 
fails with for me...

Alec
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Hardware RAID Level & Performance

[Jure Pe_ar]

On Wed, 16 Feb 2005 13:51:09 -0800
Norman Zhang <[EMAIL PROTECTED]> wrote:

> May I ask has anyone consider SATA RAID yet? I seems to be a very 
> inexpensive solution.

Yes, I plan to research this thorouglhy Really Soon Now. A Tb or two would
be perfect for users that come around once evey month or so.


-- 

Jure Pečar
http://jure.pecar.org/

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Cyrus logging

[Rob MacGregor]

On Thu, 17 Feb 2005 11:05:59 +1100, JB Hewit <[EMAIL PROTECTED]> wrote:
> I've been searching about and haven't been able to find anywhere to
> change the verbosity of Cyrus imap (ver 2.1.x).

Check the settings of your syslog.conf file.  Avoiding the debug level
will help.
 
> On another note, I realise this is a syslog thing but how do I change
> where cyrus logs are being sent to?  At the moment they are being sent
> to the mail.log/err/warn, but I want to send this to imap.log.  Any
> hints there, I tried adding "local6.debug/var/log/imapd.log" to no
> avail.

Check the details of your syslog daemon (man syslogd).  You'll
probably find that you need to create the file first (touch
/var/log/imapd.log) and then tell syslog to re-read it's config file
(kill -HUP `cat /var/run/syslogd.pid`).

-- 
 Please keep list traffic on the list.
Rob MacGregor
  Whoever fights monsters should see to it that in the process he 
doesn't become a monster.  Friedrich Nietzsche
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Basic FAQs and HOWTOs

[Wil Cooley]

On 2005-02-16, Craig White <[EMAIL PROTECTED]> wrote:
> I am also interested in knowing how to generate self-signed certificates
> for tls connections on pop3/imap
>
> This is what I used...
>
> # openssl req -new -x509 -nodes -out /etc/ssl/cyrus-global.pem \
> -keyout /etc/ssl/cyrus-global.pem -days 3650
> # openssl gendh 512 >> /etc/ssl/cyrus-global.pem
>
> and set /etc/imapd.conf
>
> tls_cert_file: /etc/ssl/cyrus-global.pem
> tls_key_file: /etc/ssl/cyrus-global.pem
> tls_ca_file: /etc/ssl/certs/ca.crt
>
> which seems to work - the ca.crt file I had create previously with
> commands to build certs for openldap...
>
> openssl genrsa -des3 -out ca.key 2048
> openssl req -new -x509 -days 3650 -key ca.key -out ca.cert
>
> and while it works, it would be interesting to have someone knowledgable
> confirm that I am on the right track here since I certainly don't know
> what it is that I am doing.

This is what I use, copped from the Stunnel FAQ:

http://nakedape.cc/wiki/ApplicationNotes/SslNotes

Lately I've been trying to migrate my self-signed certs to certs
generated with TinyCA from a self-signed root cert; that way once I
import my root CA I can bypass all of the prompts.

Wil
-- 
Wil Cooley [EMAIL PROTECTED]
Naked Ape Consultinghttp://nakedape.cc
* * * * Linux, UNIX, Networking and Security Solutions * * * *

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html