Re: Patches used at FastMail.FM
Rob Mueller wrote:

> > Ok, I thought that 'post' pre-dated lmtp and was the IMAP function to write a message into the folder. i.e. a program like imapsync would need the 'p' permission to write the messages, (but would need other permissions to check for messages, set flags, etc)
>
> I think the only way to add a message to a folder via IMAP is APPEND or COPY, which is what the "i" right controls.
>
> i - insert (perform APPEND, COPY into mailbox)

Correct again.

-- 
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: Patches used at FastMail.FM
Rob Mueller wrote:

> > but this is in conflict with the idea that in a large installation of people who don't know each other the 'anyone' permission doesn't make sense.
> >
> > what is really desired for + addressing is to say that messages that arrive via the lmtp interface are allowed to write to all folders (not just the inbox folders) without allowing other users on the system to write arbitrary data to other people's folders via the IMAP interface.
> >
> > at least if it's arriving via the lmtp interface you have reason to believe that it's been (somewhat) validated by your MTA.
>
> That's really what the "p" permission is all about:
>
> p - post (send mail to submission address for mailbox, not enforced by IMAP4 itself)
>
> So setting "anyone p" means that email via LMTP can be put into any person's folder by the delivery agent, but that folder isn't visible or accessible via any IMAP commands.
>
> At least that's how I believe it works, and what we've observed. Maybe Ken can clarify?

Correct. 'p' is only used by lmtpd and nntpd, not by imapd or pop3d.

-- 
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University
Re: Patches used at FastMail.FM
> Ok, I thought that 'post' pre-dated lmtp and was the IMAP function to write a message into the folder. i.e. a program like imapsync would need the 'p' permission to write the messages, (but would need other permissions to check for messages, set flags, etc)

I think the only way to add a message to a folder via IMAP is APPEND or COPY, which is what the "i" right controls.

i - insert (perform APPEND, COPY into mailbox)

Rob
Re: Patches used at FastMail.FM
On Wed, 10 Jan 2007, Rob Mueller wrote:

> > but this is in conflict with the idea that in a large installation of people who don't know each other the 'anyone' permission doesn't make sense.
> >
> > what is really desired for + addressing is to say that messages that arrive via the lmtp interface are allowed to write to all folders (not just the inbox folders) without allowing other users on the system to write arbitrary data to other people's folders via the IMAP interface.
> >
> > at least if it's arriving via the lmtp interface you have reason to believe that it's been (somewhat) validated by your MTA.
>
> That's really what the "p" permission is all about:
>
> p - post (send mail to submission address for mailbox, not enforced by IMAP4 itself)
>
> So setting "anyone p" means that email via LMTP can be put into any person's folder by the delivery agent, but that folder isn't visible or accessible via any IMAP commands.
>
> At least that's how I believe it works, and what we've observed. Maybe Ken can clarify?

Ok, I thought that 'post' pre-dated lmtp and was the IMAP function to write a message into the folder. i.e. a program like imapsync would need the 'p' permission to write the messages, (but would need other permissions to check for messages, set flags, etc)

I'll play around with things a bit while waiting for clarification.

David Lang
Re: Patches used at FastMail.FM
> but this is in conflict with the idea that in a large installation of people who don't know each other the 'anyone' permission doesn't make sense.
>
> what is really desired for + addressing is to say that messages that arrive via the lmtp interface are allowed to write to all folders (not just the inbox folders) without allowing other users on the system to write arbitrary data to other people's folders via the IMAP interface.
>
> at least if it's arriving via the lmtp interface you have reason to believe that it's been (somewhat) validated by your MTA.

That's really what the "p" permission is all about:

p - post (send mail to submission address for mailbox, not enforced by IMAP4 itself)

So setting "anyone p" means that email via LMTP can be put into any person's folder by the delivery agent, but that folder isn't visible or accessible via any IMAP commands.

At least that's how I believe it works, and what we've observed. Maybe Ken can clarify?

Rob
Re: Patches used at FastMail.FM
On Wed, 10 Jan 2007, Rob Mueller wrote:

> > the usual reason for allowing the "anyone" ACL is to allow for + addressing to work. is there another way to do this?
>
> The admin user can still set the anyone acl, it's just non-admin users can't change/set it.
>
> The way we do this to allow + addressing is when we create the user's top level folder, we set the "anyone p" acl on it, and any new folders created after that by the user automatically inherit it.

but this is in conflict with the idea that in a large installation of people who don't know each other the 'anyone' permission doesn't make sense.

what is really desired for + addressing is to say that messages that arrive via the lmtp interface are allowed to write to all folders (not just the inbox folders) without allowing other users on the system to write arbitrary data to other people's folders via the IMAP interface.

at least if it's arriving via the lmtp interface you have reason to believe that it's been (somewhat) validated by your MTA.

David Lang
Re: Patches used at FastMail.FM
> the usual reason for allowing the "anyone" ACL is to allow for + addressing to work. is there another way to do this?

The admin user can still set the anyone acl, it's just non-admin users can't change/set it.

The way we do this to allow + addressing is when we create the user's top level folder, we set the "anyone p" acl on it, and any new folders created after that by the user automatically inherit it.

Rob
Re: Patches used at FastMail.FM
On Tue, 09 Jan 2007 08:52:21 -0500, "Ken Murchison" <[EMAIL PROTECTED]> said:

> > http://cyrus.brong.fastmail.fm/cyrus-plainsync-2.3.3.diff
>
> Why not just run 'sync_server -p 2' ? I believe that I added the 'p' option to all services for just this reason.

It didn't work in my testing for some reason. I'm happy to try it out again, but I was pretty sure it wasn't enough. It may just be that it wasn't happy to use the saslauthd, which is OK because I'm putting sync passwords in /etc/sasldb2 now anyway.

The other thing is that sync may have been broken due to other issues like binding to the wrong IP address on the machine thanks to hostname lookups. There were a few different weird things I had to solve before I got sync working, and this patch appeared to solve one of them.

Besides which, I didn't understand SASL much when I wrote that, and it works. Actually, I still don't understand SASL much. It appears to take an already difficult problem and abstract it away so much that it becomes even more complex (and yet you still can't pass an error message back from the authd explaining why the user isn't allowed to log in right now)

Bron.

-- 
Bron Gondwana [EMAIL PROTECTED]
Re: Comments on remaining FastMail.FM patches
On Tue, 09 Jan 2007 16:37:23 -0500, "Ken Murchison" <[EMAIL PROTECTED]> said:

> I've been looking at the remaining, non-site specific patches, and here are some comments.
>
> Command timer - Assuming that we want to specify the minimum time as fractional seconds (which I gather is the case given that it's a double), I'd prefer to have it specified as milliseconds and use an integer rather than a string in imapd.conf. Since Jeff tells me that he'd like to have this patch, I'm going to go ahead and make this change unless there is an objection from the list.

I'm pretty sure we don't mind this.

> Fast Index Iterator - Since the patch assumes that the sequence set is sorted low->high, we don't get any advantage for SEARCH or UID EXPUNGE. Would it make more sense to parse the sequence set once, creating a linked list of sorted ranges, and then do index_insequence() on the linked list? This would then work for STATUS, SEARCH, and UID EXPUNGE, since all of the current code currently has msgno for each call monotonically increasing. If we're slick, we can remove nodes from the head of the sequence set list, once we match a msgno that is greater than the range in the node.

Yeah - I was thinking something similar. The "cyrus way of doing things" would probably be to generate a "rock" that contained a pointer to the original string and some custom data structure that made it efficient. Besides, it's almost object-oriented:

    sequencelookup_t rock = sequencelookup_init(sequence);
    for (i = 0; (uid = uids[i]); i++) {
        if (sequencelookup_check(rock, uid)) {
            r = do_stuff(uid);
            if (r) break;
        }
    }
    sequencelookup_free(rock);

This interface would allow you to reimplement those three functions and one datatype with whatever implementation seemed most efficient. Indeed, you could write a really basic one with a couple of typedefs and #defines that just implemented the current code unchanged.

> Accept 'From ' header from IMAP clients - I'm really reluctant to add code to work around non-RFC2822 compliant messages, but if this is a big deal for people, I could probably be convinced to make this an imapd.conf option (probably another *_strict option).

I'm afraid these clients aren't going away any time soon, and their users tend to get grumpy and go join some service that works how they expect if you don't support them. It's a harsh reality out here in the commercial service world.

> Index Upgrade during Reconstruct - Is this a workaround for a bug in the stock code?

Yeah, ish. It's a workaround for Reconstruct opening an index and the upgrade happening automatically, but the upgrade code trying to do things like lock some pop3 constructs that aren't available in reconstruct. The other way to fix it would be to provide those constructs, but that seems a bit pointless since you've already locked the index when you're reconstructing. It's only an issue across upgrades where the index format is changed.

> Longer constants for word sizes - We should probably make these values (including MAXLITERALSIZE) configurable.

Yeah, makes sense. This patch was written before I started here, and I think the idea was quick and easy, not necessarily planned for upstream.

> Mailwasher bug workaround. - The [CAPABILITY] response is just part of the banner. Mailwasher should just ignore whatever it doesn't understand. My guess would be that the size of the banner is overflowing a static buffer.

Yeah, maybe. Again - annoying your clients doesn't get you any brownie points, and in this case it's a matter of "conservative in what you send just in case your client isn't liberal in what they accept". I said pretty much exactly the same to our users and they said "so what, it used to work, fix it" - basically.

> Statuscache - We've discussed this before, and I'm pretty sure it's a good idea. I'd like to think some more to see if there might be a better solution.

Fair enough. This is Rob's baby. We have noticed that it has timing issues due to only 1 second resolution on some things.

Bron.

-- 
Bron Gondwana [EMAIL PROTECTED]
Re: Patches used at FastMail.FM
On Tue, 9 Jan 2007, Ken Murchison wrote:

> Disable "anyone" ACL

the usual reason for allowing the "anyone" ACL is to allow for + addressing to work. is there another way to do this?

in most cases I think that a global 'allow + addressing' config option is really more appropriate then having to configure things on a per-folder basis, possibly with a 'no, don't allow + addressing to this folder' override.

David Lang
Re: Patches used at FastMail.FM
On Tue, 09 Jan 2007 12:49:25 -0500, "Ken Murchison" <[EMAIL PROTECTED]> said:

> Bron Gondwana wrote:
> > It's been a while since I posted our list of patches, and there have been a couple of changes since then.
> >
> > I'm generating the site from a script and a bunch of patch description files now, so I should be able to keep it up to date.
> >
> > Feel free to use any of these patches, and Ken - feel free to include anything that looks good into upstream! Some of these patches are quite specific to our site, but many of them are more generally useful as well.
>
> After a quick discussion with Jeff, I just committed the following patches to CVS. Others may follow for a later 2.3 release or rolled into 2.4.
>
> [...]

Wow, makes me wish I'd got sorted and split out the patch that you accepted about half of already so I could ask why the other half didn't go in. I've attached the entire patch now. I'm leaving on vacation in a couple of hours so my wife would kill me if I spent any longer on this now...

This is the one that stops cyr_expire performing so many index opens and closes by checking if the cyrus_expunge file exists first. You appear to have accepted the code that does that, but not the code for the additional option (-a) which skips reading the annotations database.

I haven't actually done a performance comparison, so I can't guarantee that it is a big performance win, but the strace I did showed about 4 db lookups per folder (because it walked back up the tree). We don't use annotations at all, at least not for the purpose of controlling expiry, so it's somewhat of a performance saving.

Anyway, thanks heaps for looking at those patches and taking so many of them. It's always good to reduce our "distance" from upstream. We are still going to be patching cyrus a little bit (you'll notice that I didn't include cyrus-fastmailsecrects.diff on the website!)
- at least until we find some other way to add our s00per-s33krit encrypted header to messages which allows us to know which user (or which user's sieve script) generated a message without leaking their identity to any third party. Regards, Bron. -- Bron Gondwana [EMAIL PROTECTED] diff -ur --new-file cyrus-imapd-cvs.orig/imap/cyr_expire.c cyrus-imapd-cvs/imap/cyr_expire.c --- cyrus-imapd-cvs.orig/imap/cyr_expire.c 2005-12-15 08:21:16.0 -0500 +++ cyrus-imapd-cvs/imap/cyr_expire.c 2006-10-11 04:26:12.0 -0400 @@ -73,7 +73,7 @@ void usage(void) { fprintf(stderr, - "cyr_expire [-C ] -E [-X ] [-v]\n"); + "cyr_expire [-C ] -E [-X ] [-a] [-v]\n"); exit(-1); } @@ -86,6 +86,7 @@ unsigned long messages; unsigned long deleted; int verbose; +int skip_annotate; }; /* 
@@ -143,26 +144,32 @@ * since mailboxes inherit /vendor/cmu/cyrus-imapd/expire, * we need to iterate all the way up to "" (server entry) */ -while (1) { - r = annotatemore_lookup(buf, "/vendor/cmu/cyrus-imapd/expire", "", - &attrib); - - if (r ||/* error */ - attrib.value || /* found an entry */ - !buf[0] || /* done recursing */ - !strcmp(buf+domainlen, "user")) { /* server entry doesn't apply - to personal mailboxes */ - break; - } - - p = strrchr(buf, '.'); /* find parent mailbox */ - - if (p && (p - buf > domainlen)) /* don't split subdomain */ - *p = '\0'; - else if (!buf[domainlen]) /* server entry */ - buf[0] = '\0'; - else/* domain entry */ - buf[domainlen] = '\0'; +if (erock->skip_annotate) { + /* we don't want to check for annotations, so we didn't find any */ + attrib.value = 0; +} +else { +while (1) { + r = annotatemore_lookup(buf, "/vendor/cmu/cyrus-imapd/expire", "", + &attrib); + + if (r ||/* error */ + attrib.value || /* found an entry */ + !buf[0] || /* done recursing */ + !strcmp(buf+domainlen, "user")) { /* server entry doesn't apply + to personal mailboxes */ + break; + } + + p = strrchr(buf, '.'); /* find parent mailbox */ + + if (p && (p - buf > domainlen)) /* don't split subdomain */ + *p = '\0'; + else if (!buf[domainlen]) /* server entry */ + buf[0] = '\0'; + else/* domain entry */ + buf[domainlen] = '\0'; +} } i
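Review bot: in the second hunk the new 'int skip_annotate;' member is added without a comment, and none of the visible hunks sets or initialises it, although the third hunk already branches on 'erock->skip_annotate'. Give the field a one-line comment saying it is set by -a, make sure the rock is zeroed before option parsing so the default keeps the annotation lookup, and extend the usage text beyond the bare '[-a]': with -a a mailbox that carries a /vendor/cmu/cyrus-imapd/expire annotation is treated as if it had none, which an operator relying on per-mailbox expiry needs to know.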
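Review bot: in the third hunk the skip branch only does 'attrib.value = 0;', while the else branch also assigns 'r' from annotatemore_lookup(). If the code after this block tests 'r' (the patch is cut off before that point), the -a path sees whatever 'r' held from earlier in the function. Set 'r = 0;' next to 'attrib.value = 0;', or initialise both before the 'if', so the two branches leave the same variables defined.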
Re: Patches used at FastMail.FM
Bron Gondwana wrote:

> On Tue, 09 Jan 2007 08:52:21 -0500, "Ken Murchison" <[EMAIL PROTECTED]> said:
> > > http://cyrus.brong.fastmail.fm/cyrus-plainsync-2.3.3.diff
> >
> > Why not just run 'sync_server -p 2' ? I believe that I added the 'p' option to all services for just this reason.
>
> It didn't work in my testing for some reason. I'm happy to try it out again,

I tested this morning before I responded (so as not to put my foot in my mouth) and it worked as expected. I think that the -p option only appeared right before 2.3.7, so it may not have been available when you wrote your patch.

-- 
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University
Comments on remaining FastMail.FM patches
I've been looking at the remaining, non-site specific patches, and here are some comments.

Command timer - Assuming that we want to specify the minimum time as fractional seconds (which I gather is the case given that it's a double), I'd prefer to have it specified as milliseconds and use an integer rather than a string in imapd.conf. Since Jeff tells me that he'd like to have this patch, I'm going to go ahead and make this change unless there is an objection from the list.

Fast Index Iterator - Since the patch assumes that the sequence set is sorted low->high, we don't get any advantage for SEARCH or UID EXPUNGE. Would it make more sense to parse the sequence set once, creating a linked list of sorted ranges, and then do index_insequence() on the linked list? This would then work for STATUS, SEARCH, and UID EXPUNGE, since all of the current code currently has msgno for each call monotonically increasing. If we're slick, we can remove nodes from the head of the sequence set list, once we match a msgno that is greater than the range in the node.

Accept 'From ' header from IMAP clients - I'm really reluctant to add code to work around non-RFC2822 compliant messages, but if this is a big deal for people, I could probably be convinced to make this an imapd.conf option (probably another *_strict option).

Index Upgrade during Reconstruct - Is this a workaround for a bug in the stock code?

Longer constants for word sizes - We should probably make these values (including MAXLITERALSIZE) configurable.

Mailwasher bug workaround. - The [CAPABILITY] response is just part of the banner. Mailwasher should just ignore whatever it doesn't understand. My guess would be that the size of the banner is overflowing a static buffer.

Statuscache - We've discussed this before, and I'm pretty sure it's a good idea. I'd like to think some more to see if there might be a better solution.

-- 
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University
Re: Patches used at FastMail.FM
Bron Gondwana wrote:

> It's been a while since I posted our list of patches, and there have been a couple of changes since then.
>
> I'm generating the site from a script and a bunch of patch description files now, so I should be able to keep it up to date.
>
> Feel free to use any of these patches, and Ken - feel free to include anything that looks good into upstream! Some of these patches are quite specific to our site, but many of them are more generally useful as well.

After a quick discussion with Jeff, I just committed the following patches to CVS. Others may follow for a later 2.3 release or rolled into 2.4.

Disable "anyone" ACL
cyr_dbtool - utility for manipulating databases
Cyrus expire - keep going
Custom is_digit implementation
Allow plaintext auth for sync_client (not committed, but can be accomplished with '-p' option)
Randomise connection timeout
Replication sync_client - only connect once
Replication - batch messages in a folder (batch size is controlled by sync_batch_size option)
Replication - Check lastuid in seen database

-- 
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University
Re: How to restore a deleted mail
Uwe Kiewel wrote:

> Hi,
>
> how do I restore a deleted message in a mailbox?
> A scenario as follows:
> A user deleted a mail and emptied the trash. Cyrus is configured to expunge delayed.
> I think the message is deleted in the user's opinion. Can the admin restore such a deleted message?

If you're using delayed expunge and the message hasn't been removed by cyr_expire, use the unexpunge tool.

-- 
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University
Reconstruct oddity
Hi,

We're using Cyrus 2.2.12 on Solaris 10.

I have a problem with reconstruct. A partition which got lost and then restored has a number of a user's mailboxes on it. Via Imap, many of these mailboxes seem empty, so I used

    /usr/cyrus/bin/reconstruct -r user.Username

to hopefully re-add the data. However, this does not appear to work. Trying

    /usr/cyrus/bin/reconstruct -r -f user.Username

also does not do the required, yet the files are on disk.

One problem that may be exacerbating the situation is that some of this user's mailboxes are on one cyrus partition and some on another and the partition I am working on is not the one that mbpath returns. But the mailboxes are definitely on that partition as a dump of the mailboxes database indicates that they are.

So where from here ? Is there an easy way out - maybe force all the user's mailboxes to go onto the correct (as far as mbpath goes) partition and reconstruct...

Advice most welcome.

Thanks

Geoff
Re: How to restore a deleted mail
On Tuesday, 9 January 2007 17:15, Adam Tauno Williams wrote:

> > how do I restore a deleted message in a mailbox?
> > A scenario as follows:
> > A user deleted a mail and emptied the trash. Cyrus is configured to expunge delayed.
> > I think the message is deleted in the user's opinion. Can the admin restore such a deleted message?
>
> Restore the file [message] to the appropriate directory and reconstruct the corresponding mailbox.

Thx.
Re: problem upgrading mailboxes.db with cvt_cyrusdb : can't open old database / DBERROR db4: Program version 4.4 doesn't match environment version 0.5
> I'm just moving all emails from an old imap-2.0.16 to a new machine with version 2.2
>
> I copied all files from the old machine to the new machine and followed the instructions at:
>
> http://cyrusimap.web.cmu.edu/imapd/install-upgrade.html
>
> after performing the rehash-command I try to upgrade the mailboxes.db and seen-files with the cvt_cyrusdb-command as recommended, but I run into a strange error:
>
> as user cyrus I do:
>
> $ /usr/sbin/cvt_cyrusdb /data/cyrus/config/mailboxes.db berkeley /tmp/mailboxes.db.new skiplist
> Converting from /data/cyrus/config/mailboxes.db (berkeley) to /tmp/mailboxes.db.new (skiplist)
> fatal error: can't open old database
>
> in the logs I see:
>
> Jan 9 12:28:28 ihf2 cyrus/cvt_cyrusdb[19760]: DBERROR db4: Program version 4.4 doesn't match environment version 0.5
> Jan 9 12:28:28 ihf2 cyrus/cvt_cyrusdb[19760]: DBERROR: dbenv->open '/data/cyrus/config/db' failed: DB_VERSION_MISMATCH: Database environment version mismatch
> Jan 9 12:28:28 ihf2 cyrus/cvt_cyrusdb[19760]: DBERROR: init() on berkeley
> Jan 9 12:28:28 ihf2 cyrus/cvt_cyrusdb[19760]: DBERROR: reading /data/cyrus/config/db/skipstamp, assuming the worst: No such file or directory
> Jan 9 12:28:28 ihf2 cyrus/cvt_cyrusdb[19760]: DBERROR db4: DB_AUTO_COMMIT may not be specified in non-transactional environment
> Jan 9 12:28:28 ihf2 cyrus/cvt_cyrusdb[19760]: DBERROR: opening /data/cyrus/config/mailboxes.db: Invalid argument
>
> To be frank : I seem doomed. I didn't find anything useful to my problem in the docs or on google. I don't even know if my original mailboxes.db-file is really in Berkeley-format. I tried to use '/usr/cyrus/bin/ctl_mboxlist -d >/tmp/mailbox.db' on the old machine which gave me - as expected - the same mailboxfile. It's a binary-file with the mailbox-lists as ASCII somewhere in it with binary noise around.
>
> Converting the seen-files from flat to skiplist seems to work. I also tried to convert the mailboxes.db from flat to skiplist but then cvt_cyrusdb said that it's apparently an empty file.
>
> Any suggestions? Or is there maybe a workaround? By reconstructing the mailboxes-files manually from the userdatabase (ldap-based). All users have the same permissions.

I think you have the BerkeleyDB problem which has been discussed on this list again and again. Looks like your new box uses another BDB version and your db files are in the wrong format. You have to somehow convert those files to the version you need, there are tools to do that in the BDB distribution I think. Otherwise try to convert to skiplist on the old server, skiplist does not have the "BerkeleyDB" problem.

Simon
Re: How to restore a deleted mail
>> how do I restore a deleted message in a mailbox?
>> A scenario as follows:
>> A user deleted a mail and emptied the trash. Cyrus is configured to expunge delayed.
>> I think the message is deleted in the user's opinion. Can the admin restore such a deleted message?
>
> Restore the file [message] to the appropriate directory and reconstruct the corresponding mailbox.

With delayed expunge, it's much easier, like this:

List deleted messages:

    su - cyrus -c "/usr/lib/cyrus-imapd/unexpunge -l user.x"

Unexpunge all deleted messages:

    su - cyrus -c "/usr/lib/cyrus-imapd/unexpunge -a -d -v user.x"

Unexpunge a single message:

    su - cyrus -c "/usr/lib/cyrus-imapd/unexpunge -u -d -v user.x 14156"

Simon
Re: How to restore a deleted mail
> how do I restore a deleted message in a mailbox?
> A scenario as follows:
> A user deleted a mail and emptied the trash. Cyrus is configured to expunge delayed.
> I think the message is deleted in the user's opinion. Can the admin restore such a deleted message?

Restore the file [message] to the appropriate directory and reconstruct the corresponding mailbox.
How to restore a deleted mail
Hi,

how do I restore a deleted message in a mailbox?
A scenario as follows:
A user deleted a mail and emptied the trash. Cyrus is configured to expunge delayed.
I think the message is deleted in the user's opinion. Can the admin restore such a deleted message?

Kind regards,
Uwe Kiewel
Re: Cyrus imapd stalling with multiple instances
Tuomas Toropainen wrote:

> Hello everyone
>
> I'm trying to accomplish 2 things:
> 1) prevent plain logins without ssl/tls over network
> 2) prevent cyrus admin user(s) from logging in over network (users are authenticated from ldap and admin(s) from local sasldb)
>
> Here are complete cyrus configuration files (with debugging turned off and comments stripped):
>
> /etc/cyrus.conf
>
> START {
>     recover cmd="/usr/sbin/ctl_cyrusdb -r"
>     delprune cmd="/usr/sbin/cyr_expire -E 3"
>     tlsprune cmd="/usr/sbin/tls_prune"
> }
>
> SERVICES {
>     imap cmd="imapd -U 30" listen="213.255.190.58:imap" prefork=0 maxchild=100
>     imaps cmd="imapd -s -U 30" listen="213.255.190.58:imaps" prefork=0 maxchild=100
>     imap cmd="imapd -U 30 -C /etc/imapd.conf.localhost"

Entries in cyrus.conf need to have unique names, like 'imapext' and 'imapint' or 'imap1', 'imap2', etc

>         listen="127.0.0.1:imap" prefork=0 maxchild=100
>     lmtpunix cmd="lmtpd" listen="/var/spool/postfix/extern/cyrus/lmtp" prefork=0 maxchild=20
>     sieve cmd="timsieved" listen="localhost:sieve" prefork=0 maxchild=100
>     notify cmd="notifyd" listen="/var/run/cyrus/socket/notify" proto="udp" prefork=1
> }
>
> EVENTS {
>     checkpoint cmd="/usr/sbin/ctl_cyrusdb -c" period=30
>     delprune cmd="/usr/sbin/cyr_expire -E 3" at=0401
>     tlsprune cmd="/usr/sbin/tls_prune" at=0401
> }

-- 
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University
Cyrus imapd stalling with multiple instances
Hello everyone

I'm trying to accomplish 2 things:
1) prevent plain logins without ssl/tls over network
2) prevent cyrus admin user(s) from logging in over network (users are authenticated from ldap and admin(s) from local sasldb)

I have figured out one way to do this. Please tell me if I'm trying to do it incorrectly or in otherwise not-so-wise way. I have tried to run 2 separate cyrus imapd instances: one for users to connect over network (which listens on imap.lanwan.fi service ip address) and another for administrative use which only listens on localhost. Both instances are defined in /etc/cyrus.conf. The platform is debian testing (etch RC1), with cyrus installed from debian provided package.

The problem is, that with this kind of configuration, cyrus occasionally stops responding to one (or both) addresses. Cyrus is running, and tcp connection is fine, but imapd doesn't respond with usual imap banner or to any commands at all. After waiting for some while (a minute or five), imapd (usually) responds again.

Maybe an example is in place to point out what I mean. Normally when everything works fine, this is what I see:

# telnet imap.lanwan.fi imap
Trying 213.255.190.58...
Connected to imap.lanwan.fi.
Escape character is '^]'.
* OK imap.lanwan.fi Cyrus IMAP4 v2.2.13-Debian-2.2.13-10 server ready

But when problems occur, things look this way (I have deliberately disconnected telnet after waiting a while):

# telnet imap.lanwan.fi imap
Trying 213.255.190.58...
Connected to imap.lanwan.fi.
Escape character is '^]'.
^]
telnet> c
Connection closed.

I have searched mailing lists and google, but not found anything like this. I tried to debug cyrus and here are the results.

The debug log (CYRUS_VERBOSE=1) doesn't reveal anything special:

(here the tcp connection is established)
Jan 9 15:27:37 delta cyrus/master[5616]: set maximum file descriptors to 256/256
Jan 9 15:27:37 delta cyrus/master[5616]: about to exec /usr/lib/cyrus/bin/imapd
Jan 9 15:27:37 delta cyrus/imap[5616]: running external debugger: /usr/bin/strace -tt -o /tmp/strace.cyrus.imapd.5616 -p 5616 <&- 2>&1 &
Jan 9 15:27:37 delta cyrus/imap[5616]: debugger returned exit status: 0
Jan 9 15:27:37 delta cyrus/imap[5616]: executed
(here cyrus responds with imap banner)
Jan 9 15:28:35 delta cyrus/master[5578]: process 5593 exited, status 0
Jan 9 15:28:35 delta cyrus/master[5578]: service imap now has 0 ready workers
Jan 9 15:28:35 delta cyrus/imap[5616]: telling master 2
Jan 9 15:28:35 delta cyrus/master[5578]: service imap pid 5616 in READY state: now unavailable and in BUSY state
Jan 9 15:28:35 delta cyrus/master[5578]: service imap now has 0 ready workers
Jan 9 15:28:35 delta cyrus/imap[5616]: accepted connection
Jan 9 15:28:35 delta cyrus/imap[5616]: telling master 3
Jan 9 15:28:35 delta cyrus/master[5578]: service imap pid 5616 in BUSY state: now serving connection
Jan 9 15:28:35 delta cyrus/master[5578]: service imap now has 0 ready workers

Here is also an excerpt from imapd strace:

15:27:37.130492 stat64("/usr/lib/cyrus/bin/imapd", {st_mode=S_IFREG|0755, st_size=984752, ...}) = 0
15:27:37.130579 open("/var/lib/cyrus/socket/imap-0.lock", O_RDWR|O_CREAT, 0600) = 12
15:27:37.130651 rt_sigaction(SIGALRM, {0x8088300, [], SA_ONESHOT}, NULL, 8) = 0
15:27:37.130698 rt_sigaction(SIGHUP, {0x8088300, [], SA_RESTART|SA_ONESHOT}, NULL, 8) = 0
15:27:37.130746 rt_sigaction(SIGINT, {0x8088300, [], SA_RESTART|SA_ONESHOT}, NULL, 8) = 0
15:27:37.130792 rt_sigaction(SIGQUIT, {0x8088300, [], SA_RESTART|SA_ONESHOT}, NULL, 8) = 0
15:27:37.130839 fcntl64(12, F_SETLKW, {type=F_WRLCK, whence=SEEK_SET, start=0, len=0}

(previous line is last after tcp connection is established, and below is the same line and some that follow after cyrus responds with imap banner, so it looks like that imapd process stalls in fcntl64() syscall?)

15:27:37.130839 fcntl64(12, F_SETLKW, {type=F_WRLCK, whence=SEEK_SET, start=0, len=0}) = 0
15:28:35.286038 stat64("/usr/lib/cyrus/bin/imapd", {st_mode=S_IFREG|0755, st_size=984752, ...}) = 0
15:28:35.286153 accept(4, 0, NULL) = 13
15:28:35.286199 fcntl64(12, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}) = 0
15:28:35.286247 alarm(0) = 0

Here are complete cyrus configuration files (with debugging turned off and comments stripped):

/etc/cyrus.conf
START {
  recover cmd="/usr/sbin/ctl_cyrusdb -r"
  delprune cmd="/usr/sbin/cyr_expire -E 3"
  tlsprune cmd="/usr/sbin/tls_prune"
}
SERVICES {
  imap cmd="imapd -U 30" listen="213.255.190.58:imap" prefork=0 maxchild=100
  imaps cmd="imapd -s -U 30" listen="213.255.190.58:imaps" prefork=0 maxchild=100
  imap cmd="imapd -U 30 -C /etc/imapd.conf.localhost" listen="127.0.0.1:imap" prefork=0 maxchild=100
  lmtpunix cmd="lmtpd" listen="/var/spool/postfix/extern/cyrus/lmtp" prefork=0 maxchild=20
  sieve cmd="timsieved" listen="localhost:s
Re: Patches used at FastMail.FM
http://cyrus.brong.fastmail.fm/cyrus-plainsync-2.3.3.diff

Why not just run 'sync_server -p 2' ? I believe that I added the 'p' option to all services for just this reason.

--
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University
problem upgrading mailboxes.db with cvt_cyrusdb : can't open old database / DBERROR db4: Program version 4.4 doesn't match environment version 0.5
I'm just moving all emails from an old imap-2.0.16 to a new machine with version 2.2

I copied all files from the old machine to the new machine and followed the instructions at: http://cyrusimap.web.cmu.edu/imapd/install-upgrade.html

After performing the rehash-command I try to upgrade the mailboxes.db and seen-files with the cvt_cyrusdb-command as recommended, but I run into a strange error:

as user cyrus I do:

$ /usr/sbin/cvt_cyrusdb /data/cyrus/config/mailboxes.db berkeley /tmp/mailboxes.db.new skiplist
Converting from /data/cyrus/config/mailboxes.db (berkeley) to /tmp/mailboxes.db.new (skiplist)
fatal error: can't open old database

in the logs I see:

Jan 9 12:28:28 ihf2 cyrus/cvt_cyrusdb[19760]: DBERROR db4: Program version 4.4 doesn't match environment version 0.5
Jan 9 12:28:28 ihf2 cyrus/cvt_cyrusdb[19760]: DBERROR: dbenv->open '/data/cyrus/config/db' failed: DB_VERSION_MISMATCH: Database environment version mismatch
Jan 9 12:28:28 ihf2 cyrus/cvt_cyrusdb[19760]: DBERROR: init() on berkeley
Jan 9 12:28:28 ihf2 cyrus/cvt_cyrusdb[19760]: DBERROR: reading /data/cyrus/config/db/skipstamp, assuming the worst: No such file or directory
Jan 9 12:28:28 ihf2 cyrus/cvt_cyrusdb[19760]: DBERROR db4: DB_AUTO_COMMIT may not be specified in non-transactional environment
Jan 9 12:28:28 ihf2 cyrus/cvt_cyrusdb[19760]: DBERROR: opening /data/cyrus/config/mailboxes.db: Invalid argument

To be frank: I seem doomed. I didn't find anything useful to my problem in the docs or on google. I don't even know if my original mailboxes.db-file is really in Berkeley-format. I tried to use '/usr/cyrus/bin/ctl_mboxlist -d >/tmp/mailbox.db' on the old machine which gave me - as expected - the same mailboxfile. It's a binary-file with the mailbox-lists as ASCII somewhere in it with binary noise around.

Converting the seen-files from flat to skiplist seems to work. I also tried to convert the mailboxes.db from flat to skiplist but then cvt_cyrusdb said that it's apparently an empty file.

Any suggestions? Or is there maybe a workaround? By reconstructing the mailboxes-files manually from the userdatabase (ldap-based). All users have the same permissions.

thnx a lot
peter

--
mag. peter pilsl - goldfisch.at
IT-Consulting
Tel: +43-650-3574035
Tel: +43-1-8900602
Fax: +43-1-8900602-15
skype: peter.pilsl
[EMAIL PROTECTED]
www.goldfisch.at
Re: Authentication in LDAP with different UID
2007/1/8, Guus Leeuw jr. <[EMAIL PROTECTED]>:

> Hello,

Hi Guus!

> First of all a couple of questions:
> 1) Are you planning to manage multiple domains' mail, or just the domain.com mail?

Yes, I need to manage more two domains, like lists.domain.com and domain.org.

> 2) Can you post the contents of the canonical.cf file that postfix uses for canonical mapping?

I needed to modify the configurations of canonical, because I wasn't send mail. Now it is thus:

main.cf
recipient_canonical_maps = proxy:ldap:/etc/postfix/ldap/recipient_canonical.cf
sender_canonical_maps = proxy:ldap:/etc/postfix/ldap/sender_canonical.cf
main.cf

recipient_canonical.cf --
server_host = ldap://ldap.domain.com:389
bind = yes
bind_dn = cn=admin,dc=domain,dc=com
bind_pw = password
search_base = ou=users,dc=domain,dc=com
query_filter = (&(mail=%s)(objectClass=CourierMailAccount)(enableMail=Y))
result_attribute = uid
result_filter = [EMAIL PROTECTED]
recipient_canonical.cf --

sender_canonical.cf
server_host = ldap://ldap.domain.com:389
bind = yes
bind_dn = cn=admin,dc=domain,dc=com
bind_pw = password
search_base = ou=users,dc=domain,dc=com
query_filter = (&(uid=%s)(objectClass=CourierMailAccount)(enableMail=Y))
result_attribute = mail
sender_canonical.cf

As you can see in file recipient_canonical.cf, the result_filter have @domain.com fixed. This way, it wouldn't work with virtual domains, I'll need to add an attribute with code+domain like [EMAIL PROTECTED]

> 3) Why would you want SASL to talk to PAM for PAM to talk to LDAP? Why not do the whole thing in 1 go?

Yes, the reason is that this server directly affects the authentication of ssh in LDAP. I tried to authenticate SASL directly in LDAP, with this saslauthd configuration:

ldap_servers: ldap://ldap.domain.com/
ldap_version: 3
ldap_search_base: ou=users,dc=domain,dc=com
ldap_filter: uid=%u
ldap_auth_method: bind

It works normally.

> I believe, you told imapd to use the PLAIN mechanism… AFAIK PLAIN is not equal to PAM in terms of mechanism… OK, PAM method, I could understand, but then again, that raises question 3.

Yes, I understand that using saslauthd as method this will authenticate on PAM (and this works). I see in imapd.conf manual, that this can authenticate (or get an attribute) directly in LDAP, but I didn't find any example of this. If I can get the UID from LDAP after postfix deliver via LMTP to Cyrus, and before the Cyrus verify that the mailboxes exist (and verify using the UID), this will work perfectly. The tests with canonical worked, but I will need to convert the mail address every time, and I will have to modify my LDAP Base (~ 150.000 registers). I believe that there is a "correct way" to make this.

> Can you bind to the LDAP server with the uid 12345? Can you bind to LDAP with [EMAIL PROTECTED]

yes with uid 12345, and no with [EMAIL PROTECTED]

> Without answers, it would be difficult to help (for me).

I understand, also it's difficult for me to explain :)

> Regards, Guus

Thanks for your interest in this problem!
Neto.

> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jose Morelli Neto
> Sent: 08 January 2007 12:07
> To: info-cyrus@lists.andrew.cmu.edu
> Subject: Authentication in LDAP with different UID
>
> Hello,
>
> I am updating the mail server at my work and in this process I decided to change the Courier-IMAP for the Cyrus-IMAP, however I still came across myself with a problem without solution (at least for me). Here, all users have an personal ID who is used to effect the authentication in some systems (also in the mail).
>
> For example, an user with the personal ID 12345 possess the mail [EMAIL PROTECTED] If I create the mailbox in cyrus with the personal ID (cm user.12345), I can connect through imap/pop3 and cyrus get access to the mailbox without problems (using as user 12345), however when sending a message for this user, postfix delivery saw LMTP for cyrus, that does not locate mailbox (with the error: lmtpunix [5514]: to verify_user (user.12345) failed: Mailbox you donate not exist). Then if I create mailbox with the user's mail ( cm [EMAIL PROTECTED]), the message is delivery without problems from postfix to cyrus (that it finds mailbox), however I can't have access to mailbox saw IMAP/POP using as login the person code (12345) and only the email ( [EMAIL PROTECTED]). The authentication of cyrus is made by SASL using the mechanism PAM (that it validates through LDAP). It follows some configurations to facilitate the understanding:
>
> /etc/imapd.conf --
> configdirectory: /var/lib/imap
> partition-default: /var/spool/imap
> admins: cyrus
> sievedir: /var/lib/imap/sieve
> sendmail: /usr/sbin/sendmail
> hashimapspool: true
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: PLAIN
> tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
> tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
> tls_ca_
RE: unable to open Berkeley db /etc/sasldb2: Permission denied
> -----Original Message-----
> From: Alex Prinsier [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 09, 2007 11:06 AM
> To: Leon Kolchinsky
> Cc: info-cyrus@lists.andrew.cmu.edu
> Subject: Re: unable to open Berkeley db /etc/sasldb2: Permission denied
>
> Try:
> chgrp mail /etc/sasldb2
> chmod 660 /etc/sasldb2
>
> You seem to have configured cyrus to access sasldb2. That means you
> should give it access to the database too :) Currently it's set only
> root can read/write it.
>

I think you’re right.
I forgot this step:

# chgrp mail /etc/sasldb2
# ls -al /etc/sasldb2
-rw-r- 1 root mail 12288 11月 19 20:02 /etc/sasldb2

No errors till now.
I'll keep an eye on it.

Thanks,
Leon

> If you're not using sasldb2 you should probably better disable it in
> your config.
>
> Hope it helps.
>
> Alex
>
> Leon Kolchinsky wrote:
> > Hello All,
> >
> > I have a working mail system Cyrus+Postfix+Web-cyradm+Amavisd-new(SA+ClamAV)
> > with 2 virtual domains.
> >
> > All is working, but I've noticed that I keep getting:
> > --
> > Jan 9 10:28:20 mail pop3[25728]: unable to open Berkeley db /etc/sasldb2: Permission denied
> > Jan 9 10:28:23 mail pop3[25728]: unable to open Berkeley db /etc/sasldb2: Permission denied
> > Jan 9 10:29:55 mail pop3[25728]: unable to open Berkeley db /etc/sasldb2: Permission denied
> > Jan 9 10:29:58 mail pop3[25728]: unable to open Berkeley db /etc/sasldb2: Permission denied
> >
> > in my /var/log/warn file.
> >
> > I did a little googling and thought that this procedure would help (adding
> > mail and postfix to the same group):
> > # ls -l /etc/sasldb2
> > -rw-r- 1 root root 12288 Sep 15 2005 /etc/sasldb2
> >
> > Now check the group of cyrus user:
> > # cat /etc/passwd| grep cyrus
> > cyrus:x:96:12:User for cyrus-imapd:/usr/lib/cyrus:/bin/bash
> >
> > Now make sure that cyrus and postfix in the same group and restart cyrus and
> > postfix:
> > # cat /etc/group| grep 12
> > mail:x:12:mail,postfix
Re: unable to open Berkeley db /etc/sasldb2: Permission denied
Try:
chgrp mail /etc/sasldb2
chmod 660 /etc/sasldb2

You seem to have configured cyrus to access sasldb2. That means you should give it access to the database too :) Currently it's set only root can read/write it.

If you're not using sasldb2 you should probably better disable it in your config.

Hope it helps.

Alex

Leon Kolchinsky wrote:
> Hello All,
>
> I have a working mail system Cyrus+Postfix+Web-cyradm+Amavisd-new(SA+ClamAV)
> with 2 virtual domains.
>
> All is working, but I've noticed that I keep getting:
> --
> Jan 9 10:28:20 mail pop3[25728]: unable to open Berkeley db /etc/sasldb2: Permission denied
> Jan 9 10:28:23 mail pop3[25728]: unable to open Berkeley db /etc/sasldb2: Permission denied
> Jan 9 10:29:55 mail pop3[25728]: unable to open Berkeley db /etc/sasldb2: Permission denied
> Jan 9 10:29:58 mail pop3[25728]: unable to open Berkeley db /etc/sasldb2: Permission denied
>
> in my /var/log/warn file.
>
> I did a little googling and thought that this procedure would help (adding
> mail and postfix to the same group):
> # ls -l /etc/sasldb2
> -rw-r- 1 root root 12288 Sep 15 2005 /etc/sasldb2
>
> Now check the group of cyrus user:
> # cat /etc/passwd| grep cyrus
> cyrus:x:96:12:User for cyrus-imapd:/usr/lib/cyrus:/bin/bash
>
> Now make sure that cyrus and postfix in the same group and restart cyrus and
> postfix:
> # cat /etc/group| grep 12
> mail:x:12:mail,postfix
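Why group membership alone did not help, and what each step of the suggested fix changes, can be seen by evaluating the mode bits the way the kernel does. This is an added example, not code from the thread: it assumes the truncated `-rw-r-` listing means mode 0640 and takes uid 96 and gid 12 from the quoted passwd line; the 0644 case is a constructed contrast that is not in the thread.

```python
import os
import pwd
import stat


def access_for(mode, file_uid, file_gid, uid, gids):
    """(can_read, can_write) for a non-root account, using classic Unix mode bits.

    Exactly one class is consulted: owner, else group, else other.
    ACLs and root's override are not modelled.
    """
    if uid == file_uid:
        r_bit, w_bit = stat.S_IRUSR, stat.S_IWUSR
    elif file_gid in gids:
        r_bit, w_bit = stat.S_IRGRP, stat.S_IWGRP
    else:
        r_bit, w_bit = stat.S_IROTH, stat.S_IWOTH
    return bool(mode & r_bit), bool(mode & w_bit)


def audit_secret_db(mode, file_uid, file_gid, uid, gids):
    """Findings for a secrets file that one service account must open."""
    findings = []
    can_read, can_write = access_for(mode, file_uid, file_gid, uid, gids)
    if not can_read:
        findings.append("service account cannot read the file")
    elif not can_write:
        findings.append("service account can read but not write")
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("file is accessible to every local user")
    return findings


def audit_path(path, user):
    """Same audit against a real file and account (reads the passwd/group databases)."""
    st = os.stat(path)
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    return audit_secret_db(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                           pw.pw_uid, gids)


# Constructed values based on the listings quoted in the thread:
# cyrus is uid 96 with primary gid 12 (mail); root is uid/gid 0.
CYRUS_UID, CYRUS_GIDS = 96, {12}
CASES = {
    "root:root 0640 (original state, mode assumed)": (0o640, 0, 0),
    "root:mail 0640 (after chgrp mail)": (0o640, 0, 12),
    "root:mail 0660 (after chmod 660)": (0o660, 0, 12),
    "root:root 0644 (constructed contrast)": (0o644, 0, 0),
}


def run_cases():
    return {name: audit_secret_db(mode, fuid, fgid, CYRUS_UID, CYRUS_GIDS)
            for name, (mode, fuid, fgid) in CASES.items()}


if __name__ == "__main__":
    for name, findings in run_cases().items():
        print(name, "->", findings or "ok")
```

On a live host, `audit_path("/etc/sasldb2", "cyrus")` runs the same check against the real file and account.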
unable to open Berkeley db /etc/sasldb2: Permission denied
Hello All,

I have a working mail system Cyrus+Postfix+Web-cyradm+Amavisd-new(SA+ClamAV) with 2 virtual domains.

All is working, but I've noticed that I keep getting:
--
Jan 9 10:28:20 mail pop3[25728]: unable to open Berkeley db /etc/sasldb2: Permission denied
Jan 9 10:28:23 mail pop3[25728]: unable to open Berkeley db /etc/sasldb2: Permission denied
Jan 9 10:29:55 mail pop3[25728]: unable to open Berkeley db /etc/sasldb2: Permission denied
Jan 9 10:29:58 mail pop3[25728]: unable to open Berkeley db /etc/sasldb2: Permission denied

in my /var/log/warn file.

I did a little googling and thought that this procedure would help (adding mail and postfix to the same group):

# ls -l /etc/sasldb2
-rw-r- 1 root root 12288 Sep 15 2005 /etc/sasldb2

Now check the group of cyrus user:

# cat /etc/passwd| grep cyrus
cyrus:x:96:12:User for cyrus-imapd:/usr/lib/cyrus:/bin/bash

Now make sure that cyrus and postfix in the same group and restart cyrus and postfix:

# cat /etc/group| grep 12
mail:x:12:mail,postfix

But it didn't help and I'm still getting these "Permission denied" messages. Where are they coming from and how to get rid of them?

Best Regards,
Leon