Re: Modifying the subject line with Sieve
> I know no other way to edit a header field without the editheader support.

Well, let's ask the question in a different way: Does anyone know *why* timsieved does not support the editheader extension?

Regards,
Torsten

Michael Menge wrote:
> Hi,
>
> I know no other way to edit a header field without the editheader support. Sieve doesn't allow running other programs to edit the message like procmail. Normally the subject is changed by SpamAssassin and used to sort the mail in folders by Sieve or by the client. But you could move all spam mails in an extra folder.
>
> Michael Menge
>
> Quoting Torsten Schlabach [EMAIL PROTECTED]:
> > Hi!
> >
> > We are using Cyrus IMAPd 2.1 with the corresponding timsieved. I was looking at an example how I would be able to prefix the subject line of a message in a Sieve script, so I could add a [SPAM] tag for example. I found some sample which contained require editheader, but the editheader extension is not supported in Cyrus IMAPd's Sieve implementation. Is there any other way to make this happen?
> >
> > Regards,
> > Torsten
>
> M.Menge                          Tel.: (49) 7071/29-70316
> Universitaet Tuebingen           Fax.: (49) 7071/29-5912
> Zentrum fuer Datenverarbeitung   mail: [EMAIL PROTECTED]
> Waechterstrasse 76
> 72074 Tuebingen

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: lmtp through tcp doesn't find the mailbox
Hello,

> unixhierarchysep: true
>
> so you need to use slashes instead of .s.
>
> e.g. cm user/test

thanks. I was treating user. as a fixed prefix until now, not as a folder. I now successfully created a mailbox:

    lm
    user/[EMAIL PROTECTED] (\HasNoChildren)
    lam user/[EMAIL PROTECTED]
    [EMAIL PROTECTED] lrswipcda

Regards
Marten
Re: lmtp through tcp doesn't find the mailbox
> a sub folder cm user/[EMAIL PROTECTED]/Sent

Btw.: I found out that subfolders are appended before the domain part, thus cm user/test/[EMAIL PROTECTED].
changed delivery to subfolder?
Hello,

the documentation says that one should use an address like [EMAIL PROTECTED] to deliver a message directly into the Junk folder of [EMAIL PROTECTED]

I noticed that this doesn't work and the mail is delivered to INBOX instead. However, I found out that I have to deliver messages to test/[EMAIL PROTECTED] instead and then it will be delivered to the Junk folder correctly.

But this behaviour isn't described anywhere, so is cyrus actually expected to behave like that?

Regards
Marten
Running murder in unified config
Hi all,

Again with one of my questions. I am trying to run a murder installation, with two boxes. My idea is to run a frontend/backend box in unified config and one extra backend.

The thing I was trying to set up is to run the frontend/backend/mupdate master on the same box, but it looks like it is not possible. Looking at the source code at imap/mupdate.c we have something like this:

    if (masterp && config_mupdate_config == IMAP_ENUM_MUPDATE_CONFIG_UNIFIED) {
        /* XXX We currently prohibit this because mailboxes created
         * on the master will cause local mailbox entries to be propagated
         * to the slave. We can probably fix this by prepending
         * config_servername onto the entries before updating the slaves.
         */
        fatal("can not run mupdate master on a unified server", EC_USAGE);
    }

I found one other reference on the mailing list but no answers:
http://www.irbs.net/internet/info-cyrus/0604/0307.html

So, is there any way to run the mupdate master on the same node where the frontend/backend unified config is running? Or do I need to place it in a different box? On one backend?

Many thanks.

--
Jesus Roncero [EMAIL PROTECTED]
System Developer
Tel: +44 (0) 845 666 7778
http://www.mxtelecom.com
Re: changed delivery to subfolder?
> Hello,
>
> the documentation says that one should use an address like [EMAIL PROTECTED] to deliver a message directly into the Junk folder of [EMAIL PROTECTED]
>
> I noticed that this doesn't work and the mail is delivered to INBOX instead. However, I found out that I have to deliver messages to test/[EMAIL PROTECTED] instead and then it will be delivered to the Junk folder correctly.
>
> But this behaviour isn't described anywhere, so is cyrus actually expected to behave like that?

You seem to have configured

    unixhierarchysep: yes

in imapd.conf, which is not the default. The docs are always shown for the default config.

Simon

> Regards
> Marten
lmtp rejecting mails for valid mailboxes
I just configured my cyrus server to accept mails directly from my remote postfix server over lmtp.

Everything seems to work fine but sometimes lmtp gives strange errors like

    to=X, orig_to=X, relay=202.162.229.40[202.162.229.40]:24, delay=0.26, delays=0.25/0/0/0.01, dsn=5.1.1, status=bounced (host 202.162.229.40[202.162.229.40] said: 550-Mailbox unknown. Either there is no mailbox associated with this 550-name or you do not have authorization to see it. 550 5.1.1 User unknown (in reply to RCPT TO command))

when actually the mailbox is valid. The same mail sent again reaches the mailbox without problems.

What could be the reason? The cyrus server is highly loaded most of the time, could that be a reason?

Anyway I don't want lmtp failures to bounce the mail, can I send a 450 instead of 550? Because I am already ensuring the mailbox exists before accepting the mail. How do I configure this on postfix or lmtp?

Thanks
Ram
Re: changed delivery to subfolder?
Marten Lehmann wrote:
> Hello,
>
> the documentation says that one should use an address like [EMAIL PROTECTED] to deliver a message directly into the Junk folder of [EMAIL PROTECTED]
>
> I noticed that this doesn't work and the mail is delivered to INBOX instead. However, I found out that I have to deliver messages to test/[EMAIL PROTECTED] instead and then it will be delivered to the Junk folder correctly.
>
> But this behaviour isn't described anywhere, so is cyrus actually expected to behave like that?

No, you're creating your mailboxes wrong. Are you using a single domain? Then set it as the default in imapd.conf:

    defaultdomain: mail.example.net

And create your new mailboxes like this with cyradm:

    cm user.bob

Or, if using the UNIX hierarchy separator:

    cm user/bob

Then use your client, not cyradm, to create subfolders.

If you want to add virtual domains, which is only necessary if you want to duplicate logins between domains (you can avoid this by giving everyone a unique login in the same realm), read this carefully:

http://cyrusimap.web.cmu.edu/imapd/install-virtdomains.html

Then you will create mailboxes for your virtual domains like this:

    cm [EMAIL PROTECTED]

or

    cm user/[EMAIL PROTECTED]

Once again, use your mail client to create subfolders, not cyradm! You will be better able to understand the changes that are occurring to the account in your mail spool, which is normally /var/spool/imap. Monitor this folder as you make changes, but do not manipulate it directly.

This information is somewhat incomplete, as you also need to deal with your realms in your MTA and selected authentication system. There are a lot of choices in this area, so no one can tell you what is best for you. You'll need to specify your requirements. For example, why have you chosen to use the UNIX hierarchy separator? This is fine, but do you have a demonstrated need, or are you following a howto? Do you need to implement virtual domains?
Re: changed delivery to subfolder?
Hi,

--On 10 October 2006 15:04:25 +0200 Marten Lehmann [EMAIL PROTECTED] wrote:

> the documentation says that one should use an address like [EMAIL PROTECTED] to deliver a message directly into the Junk folder of [EMAIL PROTECTED]
>
> I noticed that this doesn't work and the mail is delivered to INBOX instead. However, I found out that I have to deliver messages to test/[EMAIL PROTECTED] instead and then it will be delivered to the Junk folder correctly.
>
> But this behaviour isn't described anywhere, so is cyrus actually expected to behave like that?

that's at least partially an MTA issue. With sendmail the +-notation works, but only if the address is all lowercase! So it'd have to be test+junk (of course that means the mailbox's name needs to be lowercase as well). You also have to declare the following in the .mc file:

    FEATURE(`preserve_local_plus_detail')

I don't think test/junk would work with sendmail.

--
.:.Sebastian Hagedorn - RZKR-R1 (Gebäude 52), Zimmer 18.:.
Zentrum für angewandte Informatik - Universitätsweiter Service RRZK
.:.Universität zu Köln / Cologne University - ✆ +49-221-478-5587.:.
.:.:.:.Skype: shagedorn.:.:.:.
replication: sync_client dies
I am able to run sync_client -u username for all my users with no errors, so there is no problem with the setup or authentication that I know of, yet sync_client -r fails after a few runs.

imapd.conf:

    sync_host: tsnf.gatch.edu
    sync_authname: cyrus
    sync_log: 1
    sync_machineid: 1
    sync_repeat_interval: 60

I run sync_client -l -r and never get an error - it just dies. On the machine running sync_server, I get:

    Oct 10 10:13:10 tsnf.gatch.edu syncserver[11089]: [ID 314898 local6.debug] mydelete: starting txn 2147488126
    Oct 10 10:13:10 tsnf.gatch.edu syncserver[11089]: [ID 504160 local6.debug] mydelete: committing txn 2147488126
    Oct 10 10:13:10 tsnf.gatch.edu syncserver[11089]: [ID 873112 local6.error] IOERROR: reading message: unexpected end of file

and sync_client has exited on the imap server. It will usually run for a few minutes, and then dies with the same message (with a different txn number). Right now I am running a crontab that just restarts it every minute if it has died - not an elegant solution.

Any clues?

Thanks,
Sam Smith
Re: export / import
Hi!

Export / import sounds to me like backup/restore, just on different machines.

http://cyrusimap.web.cmu.edu/twiki/bin/view/Cyrus/Backup

This should get you somewhere.

Best,
Daniel

On 10.10.2006 06:48, Joe Harvell wrote:
> I am about to get a new desktop PC at work, and I need to get my Cyrus IMAP database transferred over to the new machine. The problem is they take the old machine away first and then deliver the new one. So I have to make sure I have all the data I want to keep saved off somewhere.
>
> The new machine will come with Windows on it, and then I will wipe it and install Gentoo Linux. Since I am installing all the software on the new machine, I can make sure the version of Cyrus on the new machine is identical to that on the old machine.
>
> How do I get the Cyrus IMAP database transferred to the new machine?
Re: lmtp rejecting mails for valid mailboxes
Hi!

I don't seem to see lmtp here at all. Your MTA seems to reject these mails on SMTP layer.

Most probably your MTA can not know which mailboxes cyrus has and that's why it rejects all mails, because local users are no system user, but by using cyrus, they are pure virtual. So the mails don't hit lmtp delivery to cyrus at all.

You should use local_recipient_maps for all users which are in cyrus. These maps can reside in a file or in a mysql or in an ldap server and the program which creates new accounts could update this table automatically. In my case, this is webcyradm who does this for me in mysql.

http://www.postfix.org/LOCAL_RECIPIENT_README.html

Best,
Daniel

On 10.10.2006 16:01, Ramprasad wrote:
> I just configured my cyrus server to accept mails directly from my remote postfix server over lmtp.
>
> Everything seems to work fine but sometimes lmtp gives strange errors like
>
>     to=X, orig_to=X, relay=202.162.229.40[202.162.229.40]:24, delay=0.26, delays=0.25/0/0/0.01, dsn=5.1.1, status=bounced (host 202.162.229.40[202.162.229.40] said: 550-Mailbox unknown. Either there is no mailbox associated with this 550-name or you do not have authorization to see it. 550 5.1.1 User unknown (in reply to RCPT TO command))
>
> when actually the mailbox is valid. The same mail sent again reaches the mailbox without problems.
>
> What could be the reason? The cyrus server is highly loaded most of the time, could that be a reason?
>
> Anyway I don't want lmtp failures to bounce the mail, can I send a 450 instead of 550? Because I am already ensuring the mailbox exists before accepting the mail. How do I configure this on postfix or lmtp?
>
> Thanks
> Ram
Re: lmtp rejecting mails for valid mailboxes
On Tue, 2006-10-10 at 16:50 +0200, Daniel Eckl wrote:
> Hi!
>
> I don't seem to see lmtp here at all. Your MTA seems to reject these mails on SMTP layer.

    relay=202.162.229.40[202.162.229.40]:24,

That is the lmtp relay on the remote server. I already have the userlist in hash dbs. As I said it works most of the times but sometimes randomly lmtp bounces a mail.

Thanks
Ram

> Most probably your MTA can not know which mailboxes cyrus has and that's why it rejects all mails, because local users are no system user, but by using cyrus, they are pure virtual. So the mails don't hit lmtp delivery to cyrus at all.
>
> You should use local_recipient_maps for all users which are in cyrus. These maps can reside in a file or in a mysql or in an ldap server and the program which creates new accounts could update this table automatically. In my case, this is webcyradm who does this for me in mysql.
>
> http://www.postfix.org/LOCAL_RECIPIENT_README.html
>
> Best,
> Daniel
>
> On 10.10.2006 16:01, Ramprasad wrote:
> > I just configured my cyrus server to accept mails directly from my remote postfix server over lmtp.
> >
> > Everything seems to work fine but sometimes lmtp gives strange errors like
> >
> >     to=X, orig_to=X, relay=202.162.229.40[202.162.229.40]:24, delay=0.26, delays=0.25/0/0/0.01, dsn=5.1.1, status=bounced (host 202.162.229.40[202.162.229.40] said: 550-Mailbox unknown. Either there is no mailbox associated with this 550-name or you do not have authorization to see it. 550 5.1.1 User unknown (in reply to RCPT TO command))
> >
> > when actually the mailbox is valid. The same mail sent again reaches the mailbox without problems.
> >
> > What could be the reason? The cyrus server is highly loaded most of the time, could that be a reason?
> >
> > Anyway I don't want lmtp failures to bounce the mail, can I send a 450 instead of 550? Because I am already ensuring the mailbox exists before accepting the mail. How do I configure this on postfix or lmtp?
> >
> > Thanks
> > Ram
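Added example, not part of the thread: one way to check from the Postfix side whether the 5.1.1 rejections are intermittent, by listing recipients that the LMTP relay both bounced as unknown and accepted within the same log. The log lines, host names and addresses in sample_log are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample lines in the Postfix delivery-log format quoted in the
# thread (192.0.2.10 and example.net are documentation values).
sample_log() {
cat <<'EOF'
Oct 10 16:01:02 mx1 postfix/lmtp[2101]: A1B2C3: to=<alice@example.net>, orig_to=<alice@example.net>, relay=192.0.2.10[192.0.2.10]:24, delay=0.26, delays=0.25/0/0/0.01, dsn=5.1.1, status=bounced (host 192.0.2.10[192.0.2.10] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
Oct 10 16:03:40 mx1 postfix/lmtp[2107]: D4E5F6: to=<alice@example.net>, relay=192.0.2.10[192.0.2.10]:24, delay=0.31, delays=0.3/0/0/0.01, dsn=2.1.5, status=sent (250 2.1.5 Ok)
Oct 10 16:05:11 mx1 postfix/lmtp[2110]: 0A1B2C: to=<nosuchuser@example.net>, relay=192.0.2.10[192.0.2.10]:24, delay=0.2, delays=0.2/0/0/0, dsn=5.1.1, status=bounced (host 192.0.2.10[192.0.2.10] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
Oct 10 16:06:00 mx1 postfix/lmtp[2111]: 3D4E5F: to=<bob@example.net>, relay=192.0.2.10[192.0.2.10]:24, delay=0.2, delays=0.2/0/0/0, dsn=2.1.5, status=sent (250 2.1.5 Ok)
Oct 10 16:06:05 mx1 postfix/smtpd[2112]: connect from unknown[198.51.100.7]
EOF
}

# flapping_recipients [FILE...]
# Reads Postfix log lines (files or stdin) and prints, sorted,
#   <recipient> <bounce count> <delivered count>
# for every recipient the LMTP relay rejected with dsn=5.1.1 and also
# accepted. A mailbox that really does not exist never shows a "sent" line,
# so it is not listed; one that appears here was rejected while it existed.
flapping_recipients() {
    awk '
    /postfix\/lmtp\[/ && match($0, /to=<[^>]*>/) {
        # strip the leading "to=<" (4 chars) and the trailing ">"
        rcpt = substr($0, RSTART + 4, RLENGTH - 5)
        if ($0 ~ /dsn=5\.1\.1, status=bounced/)
            bounced[rcpt]++
        else if ($0 ~ /status=sent/)
            sent[rcpt]++
    }
    END {
        for (r in bounced)
            if (r in sent)
                print r, bounced[r], sent[r]
    }' "$@" | sort
}

# Stand-alone run on the constructed sample.
sample_log | flapping_recipients
```

On a real system the function takes the mail log path as its argument; the timestamps of the listed bounces can then be compared with load on the Cyrus host.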
tls_ca_path and tls_ca_file
Hello,

could please somebody tell me what tls_ca_path is good for if it is somehow ignored in the config file? For other servers putting the different CA-certs in one directory is enough but cyrus needs an extra file with all of them in a single file. Shouldn't this be the sense of tls_ca_path?

Best regards,
Andreas
30% failure rate with sieve? debug output...?
So I *finally* got my employers out of stone-age multihundred megabyte inbox files and over to cyrus. Yay!

However, we're seeing fairly consistent sieve failures. For example, 21 messages came from a certain address that we're filtering last night. 12 were filed into the subfolder correctly. 4 fell down and hit a later rule in the ruleset, and 5 made it into my inbox.

Grepping through the logs (at debug level) indicates zero complaints from sieve.

So... clue me in. How do I get real debugging enabled? I want very verbose output stored somewhere so that I can analyze the failures...

--
Jo Rhett
Senior Network Engineer
Network Consonance
Re: Running murder in unified config
On Tue, 10 Oct 2006, Jesus Roncero wrote:

> Hi all,
>
> Again with one of my questions. I am trying to run a murder installation, with two boxes. My idea is to run a frontend/backend box in unified config and one extra backend.
>
> The thing I was trying to set up is to run the frontend/backend/mupdate master on the same box, but it looks like it is not possible. Looking at the source code at imap/mupdate.c we have something like this:
>
>     if (masterp && config_mupdate_config == IMAP_ENUM_MUPDATE_CONFIG_UNIFIED) {
>         /* XXX We currently prohibit this because mailboxes created
>          * on the master will cause local mailbox entries to be propagated
>          * to the slave. We can probably fix this by prepending
>          * config_servername onto the entries before updating the slaves.
>          */
>         fatal("can not run mupdate master on a unified server", EC_USAGE);
>     }
>
> I found one other reference on the mailing list but no answers:
> http://www.irbs.net/internet/info-cyrus/0604/0307.html
>
> So, is there any way to run the mupdate master on the same node where the frontend/backend unified config is running? Or do I need to place it in a different box? On one backend?

You would need to run the mupdate master as a separate installation of cyrus (at least a separate configdirectory). The backend and the mupdate master cannot share the same mailboxes.db file.

Just guessing on that part, but it seems logical to me.

Andy
Re: tls_ca_path and tls_ca_file
On Tuesday 10 October 2006 10:50, Andreas Benzing wrote:
> could please somebody tell me what tls_ca_path is good for if it is somehow ignored in the config file? For other servers putting the different CA-certs in one directory is enough but cyrus needs an extra file with all of them in a single file. Shouldn't this be the sense of tls_ca_path?

Are you sure that you don't just have to run c_rehash in the directory with the certs?

wt
--
Warren Turkal, Research Associate III/Systems Administrator
Colorado State University, Dept. of Atmospheric Science
Re: tls_ca_path and tls_ca_file
Andreas Benzing wrote:
> Hello,

Hello Andreas,

> could please somebody tell me what tls_ca_path is good for if it is somehow ignored in the config file? For other servers putting the different CA-certs in one directory is enough but cyrus needs an extra file with all of them in a single file. Shouldn't this be the sense of tls_ca_path?

Without looking in the cyrus and the openssl code:

the tls_ca_path directory is used in certificate verification: of the issuer dn of the cert to verify is a checksum calculated, this 32 bit value is used as a file name in tls_ca_path to load the CA certificate.

This way you don't need beforehand to load all certificates that you may need to verify a peer.

On the other hand the certificates in tls_ca_file are loaded before the TLS handshake is done and directly used to verify the peer. (This file is also used to build the server's CA certificate chain that is sent to the client)

Now the tls_ca_path it is primary useful in client configurations, because you may have a big number of trusted CA certificates.

On server side the tls_ca_path is less useful, because for you must have the complete list of CA certificates you accept before you start a handshake because you send this list (only the subject names) to the client saying him which CA certificates you accept for client authentication.

You can still use it for intermediate CA certificates and CRLs.

I don't know how other servers handle the tls_ca_path. Perhaps they iterate over the certificate files in it to build the client list or their client verification code is f*ed up and only seem to work...

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many
Re: tls_ca_path and tls_ca_file
Hello once more,

Goetz Babin-Ebell wrote:
> Andreas Benzing wrote:
> > Hello,
>
> Hello Andreas,
>
> > could please somebody tell me what tls_ca_path is good for if it is somehow ignored in the config file? For other servers putting the different CA-certs in one directory is enough but cyrus needs an extra file with all of them in a single file. Shouldn't this be the sense of tls_ca_path?
>
> Without looking in the cyrus and the openssl code:
>
> the tls_ca_path directory is used in certificate verification: of the issuer dn of the cert to verify is a checksum calculated, this 32 bit value is used as a file name in tls_ca_path to load the CA certificate.

Now this and the hint with c_rehash makes things clearer. I didn't know that cyrus is only looking for specific filenames. So it works now =)

> Now the tls_ca_path it is primary useful in client configurations, because you may have a big number of trusted CA certificates.
>
> On server side the tls_ca_path is less useful, because for you must have the complete list of CA certificates you accept before you start a handshake because you send this list (only the subject names) to the client saying him which CA certificates you accept for client authentication.

Which takes me to the next question that may be in the wrong place here: I only came to this problem because when connecting with thunderbird there was an error establishing an encrypted connection. After investigating the logfiles I found that the server could not verify a cert I wanted to use with thunderbird to sign messages. Now the question is: Why did thunderbird try to authenticate with the cert when my server (with the old config) did not have any CA certs at all?

Andreas
Re: tls_ca_path and tls_ca_file
Andreas Benzing wrote:
> Hello once more,

Hello Andreas,

> Goetz Babin-Ebell wrote:
> > Andreas Benzing wrote:
> > the tls_ca_path directory is used in certificate verification: of the issuer dn of the cert to verify is a checksum calculated, this 32 bit value is used as a file name in tls_ca_path to load the CA certificate.
>
> Now this and the hint with c_rehash makes things clearer. I didn't know that cyrus is only looking for specific filenames. So it works now =)

the 32 Bit hash is the only way to determine the file name from the subject / issuer DN...

> Which takes me to the next question that may be in the wrong place here: I only came to this problem because when connecting with thunderbird there was an error establishing an encrypted connection. After investigating the logfiles I found that the server could not verify a cert I wanted to use with thunderbird to sign messages. Now the question is: Why did thunderbird try to authenticate with the cert when my server (with the old config) did not have any CA certs at all?

Accepting client authentication without providing the list of acceptable CA certificates is a misconfiguration that is not common but happens.

My knowledge of the TLS specification is not that deep to know how the client and server SHOULD act in this situation, but some clients pick a client certificate and send it to the server.

OpenSSL allows this misconfiguration but requires that the client certificate is verified by callbacks provided by the user of the library.

To make it clear:

Server: I accept client certificate but won't tell you which CAs I trust
Client: OK, let's try this one...
Server: Sorry, I don't know your issuer.

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many
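Added example, not part of any post in this thread: building by hand the hashed directory that tls_ca_path expects (the job c_rehash automates) and checking that OpenSSL only finds the CA once the hash-named link exists. The CA subject, file names and function names are made up for the demonstration, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# make_test_ca DIR
# Creates a throwaway self-signed CA in DIR (constructed sample data; the
# subject is invented and the key is never used for anything else).
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Org/CN=Example Test CA" \
        -keyout "$1/ca.key" -out "$1/example-ca.pem" 2>/dev/null
}

# hash_link DIR PEM
# Links PEM (which must live inside DIR) under the name OpenSSL looks for:
# <subject hash>.<n>, where the hash is the 32-bit value printed as 8 hex
# digits and <n> counts up when two CAs share a hash. Prints the link name.
hash_link() {
    dir=$1
    pem=$2
    h=$(openssl x509 -noout -hash -in "$pem") || return 1
    n=0
    while [ -e "$dir/$h.$n" ]; do
        n=$((n + 1))
    done
    ln -s "$(basename "$pem")" "$dir/$h.$n"
    echo "$h.$n"
}

# verify_with_capath DIR PEM
# Succeeds only if PEM verifies against a CA that OpenSSL can locate,
# using DIR as the hashed CA directory.
verify_with_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# demo_capath
# Runs the check twice on the same directory: once with only the plain
# .pem file present, once after the hash-named link has been added.
demo_capath() {
    work=$(mktemp -d) || return 1
    make_test_ca "$work" || return 1
    if verify_with_capath "$work" "$work/example-ca.pem"; then
        before=ok
    else
        before=fail
    fi
    link=$(hash_link "$work" "$work/example-ca.pem") || return 1
    if verify_with_capath "$work" "$work/example-ca.pem"; then
        after=ok
    else
        after=fail
    fi
    rm -rf "$work"
    echo "before=$before after=$after link=$link"
}

demo_capath
```

The first check fails even though the certificate file sits in the directory, because the lookup is by hash-derived file name and the directory is never scanned.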