cyrus_destination_recipient_limit parameter in postfix

2008-04-12 Thread Sébastien Rozier
Hi,

In my postfix server, my transport configuration is (thanx again to Simon 
Matter :-) )
virtual_transport = lmtp:unix:/var/lib/imap/socket/lmtp

Do I still need to keep parameter : cyrus_destination_recipient_limit = 1 ?
(it seems to be mandatory with cyrus deliver, I don't know if I need to keep 
it with lmtp)

Someone from postfix ML told me :
"lmtp has support for multiple recipients and per recipient "result".
That said, ask cyrus users to confirm that there is no problem with this. "
(http://archives.neohapsis.com/archives/postfix/2008-04/0672.html)

So...what do you think about this ?

Thanx for any help 



Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
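
An added example, not code from Postfix or Cyrus, for the question above and for the suggestion later in this digest to replace the deprecated 'cyrus' pipe transport with lmtp:unix:/var/lib/imap/socket/lmtp. The point made on the Postfix list is RFC 2033: after the end of DATA an LMTP server answers once per recipient it accepted at RCPT time, so one transaction can carry several recipients and still report each delivery separately. A pipe to deliver cannot do that, which is why the pipe transport needs cyrus_destination_recipient_limit = 1. The block models both sides of that exchange in memory: a small server standing in for lmtpd that knows a constructed set of mailboxes and refuses everything else with the same text that appears in the verify_user log line in this digest, and a client in the role of Postfix's lmtp(8) that drives it and collects per-recipient results. Hostnames, addresses and the mailbox set are made up for the example.

```python
"""Added example (not Postfix or Cyrus code): the LMTP exchange behind
virtual_transport = lmtp:unix:/var/lib/imap/socket/lmtp, modelled in memory."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class FakeLmtpServer:
    """Minimal LMTP (RFC 2033) server state machine standing in for lmtpd.

    `mailboxes` is a constructed set of addresses that exist; any other
    recipient is refused at RCPT with the text lmtpd logs for that case.
    """
    mailboxes: Set[str]
    accepted: List[str] = field(default_factory=list)
    in_data: bool = False
    body: List[str] = field(default_factory=list)

    def feed(self, line: str) -> List[str]:
        """Consume one client line (no CRLF) and return the reply lines."""
        if self.in_data:
            if line != ".":
                self.body.append(line[1:] if line.startswith("..") else line)
                return []
            self.in_data = False
            # The LMTP difference: one reply per recipient accepted at RCPT,
            # in RCPT order, instead of SMTP's single reply for the message.
            replies = [f"250 2.1.5 Ok, delivered to {r}" for r in self.accepted]
            self.accepted, self.body = [], []
            return replies
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "LHLO":
            return ["250-lmtp.example", "250 PIPELINING"]   # constructed name
        if verb == "MAIL":
            return ["250 2.1.0 Ok"]
        if verb == "RCPT":
            addr = arg.split(":", 1)[1].strip("<> ")
            if addr in self.mailboxes:
                self.accepted.append(addr)
                return ["250 2.1.5 Ok"]
            return ["550 5.1.1 Mailbox does not exist"]
        if verb == "DATA":
            if not self.accepted:
                return ["503 5.5.1 No valid recipients"]
            self.in_data = True
            return ["354 End data with <CR><LF>.<CR><LF>"]
        if verb == "QUIT":
            return ["221 2.0.0 Bye"]
        return ["500 5.5.2 Unrecognized command"]


def lmtp_deliver(server: FakeLmtpServer, sender: str, recipients: List[str],
                 message: str) -> Dict[str, Tuple[int, str]]:
    """Client side (the role Postfix's lmtp(8) plays): one transaction for all
    recipients, returning {recipient: (code, text)} for every one of them."""
    results: Dict[str, Tuple[int, str]] = {}
    server.feed("LHLO client.example")                    # constructed name
    server.feed(f"MAIL FROM:<{sender}>")
    accepted: List[str] = []
    for rcpt in recipients:
        reply = server.feed(f"RCPT TO:<{rcpt}>")[0]
        if reply.startswith("250"):
            accepted.append(rcpt)
        else:                                             # refused per recipient
            results[rcpt] = (int(reply[:3]), reply[4:])
    if accepted:
        server.feed("DATA")
        for line in message.split("\n"):
            server.feed("." + line if line.startswith(".") else line)  # dot-stuffing
        final = server.feed(".")
        if len(final) != len(accepted):
            raise RuntimeError("LMTP server must answer once per accepted recipient")
        for rcpt, reply in zip(accepted, final):
            results[rcpt] = (int(reply[:3]), reply[4:])
    server.feed("QUIT")
    return results


if __name__ == "__main__":
    srv = FakeLmtpServer(mailboxes={"test@myothervirtualdomain1.com"})
    print(lmtp_deliver(srv, "sender@example.org",
                       ["test@myothervirtualdomain1.com", "nobody@myothervirtualdomain1.com"],
                       "Subject: test\n\nhello"))
```

With the real transport the equivalent knob is lmtp_destination_recipient_limit, which Postfix leaves at its default rather than forcing to 1; the per-recipient replies after the final dot are what let it bounce only the recipient that failed.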


how to use cyradm with imaps ?

2008-04-12 Thread Sébastien Rozier
Hello,

I want to deactivate the imap service completely and keep only imaps.
But I can't manage to connect to my server with cyradm.
(Everything is working fine if I keep the regular imap service)

I tried this (thanx to Simon Matter) but it doesn't work for me :
cyradm --auth login --tls -u [EMAIL PROTECTED] localhost
cyradm --auth login --tls --port 931 -u [EMAIL PROTECTED] localhost

same result each time :
cyradm: cannot connect to server

My configuration is (running Cyrus imapd 2.3.7) :
[EMAIL PROTECTED] ~]# more /etc/cyrus.conf
# standard standalone server implementation

START {
  # do not delete this entry!
  recover   cmd="ctl_cyrusdb -r"

  # this is only necessary if using idled for IMAP IDLE
  idled cmd="idled"
}

# UNIX sockets start with a slash and are put into /var/lib/imap/sockets
SERVICES {
  # add or remove based on preferences
#  imap         cmd="imapd" listen="localhost:imap" prefork=0
  imaps         cmd="imapd -s" listen="imaps" prefork=5
#  pop3         cmd="pop3d" listen="pop3" prefork=3
#  pop3s        cmd="pop3d -s" listen="pop3s" prefork=1
  sieve         cmd="timsieved" listen="sieve" prefork=0

  # these are only necessary if receiving/exporting usenet via NNTP
#  nntp         cmd="nntpd" listen="nntp" prefork=3
#  nntps        cmd="nntpd -s" listen="nntps" prefork=1

  # at least one LMTP is required for delivery
#  lmtp         cmd="lmtpd" listen="localhost:lmtp" prefork=0
  lmtpunix      cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1

  # this is only necessary if using notifications
#  notify       cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" prefork=1
}

EVENTS {
  # this is required
  checkpoint    cmd="ctl_cyrusdb -c" period=30

  # this is only necessary if using duplicate delivery suppression,
  # Sieve or NNTP
  delprune      cmd="cyr_expire -E 3" at=0400

  # this is only necessary if caching TLS sessions
  tlsprune      cmd="tls_prune" at=0400
}

[EMAIL PROTECTED] ~]# more /etc/imapd.conf
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: [EMAIL PROTECTED] [EMAIL PROTECTED]
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: auxprop
sasl_mech_list: PLAIN
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
virtdomains: yes

Thanx for any help

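
An added example, not part of the thread and not Cyrus code. Two facts matter for the cyradm question above: the standard imaps port is 993, not 931, and cyradm's --tls negotiates TLS with the IMAP STARTTLS command on the plain IMAP port rather than opening a TLS-on-connect session to the imaps port, so with the imap service commented out there is nothing for it to connect to. The usual arrangement is the one the commented line already describes: imap bound to localhost:imap for local tools such as cyradm, imaps for everything else. The block parses the SERVICES block of a cyrus.conf (sample constructed from the one posted above) and reports which TCP listeners are TLS-on-connect, which plaintext listeners bind beyond loopback, and whether a plain imapd listener is left for cyradm --tls.

```python
"""Added example (not Cyrus code): audit the SERVICES block of cyrus.conf."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed from the cyrus.conf posted above (imap commented out).
SAMPLE_CONF = """\
START {
  recover       cmd="ctl_cyrusdb -r"
}
SERVICES {
  # add or remove based on preferences
#  imap         cmd="imapd" listen="localhost:imap" prefork=0
  imaps         cmd="imapd -s" listen="imaps" prefork=5
  sieve         cmd="timsieved" listen="sieve" prefork=0
#  lmtp         cmd="lmtpd" listen="localhost:lmtp" prefork=0
  lmtpunix      cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1
}
EVENTS {
  checkpoint    cmd="ctl_cyrusdb -c" period=30
}
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Service:
    name: str
    cmd: str
    listen: str

    @property
    def is_unix_socket(self) -> bool:
        return self.listen.startswith("/")

    @property
    def host(self) -> Optional[str]:
        """Bind address from listen="host:port"; None means every interface."""
        host, sep, _port = self.listen.rpartition(":")
        return host.strip("[]") if sep else None

    @property
    def loopback_only(self) -> bool:
        return self.host in ("localhost", "127.0.0.1", "::1")

    @property
    def plaintext_tcp(self) -> bool:
        """TCP listener that starts in the clear (cmd lacks -s); STARTTLS may follow."""
        return not self.is_unix_socket and "-s" not in self.cmd.split()


def parse_services(conf: str) -> List[Service]:
    """Read the SERVICES { ... } block; commented-out entries are skipped."""
    services: List[Service] = []
    in_block = False
    for raw in conf.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = bool(re.match(r"SERVICES\s*\{", line))
            continue
        if line.startswith("}"):
            break
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        kv: Dict[str, str] = {k: q or b for k, q, b in KV_RE.findall(parts[1])}
        if "cmd" in kv and "listen" in kv:
            services.append(Service(parts[0], kv["cmd"], kv["listen"]))
    return services


def audit(conf: str) -> Dict[str, object]:
    """What an admin wants to know before commenting out the imap service."""
    svcs = parse_services(conf)
    imap_plain = next((s for s in svcs if s.cmd.split()[0] == "imapd" and s.plaintext_tcp), None)
    return {
        "tls_on_connect": [s.name for s in svcs if not s.is_unix_socket and not s.plaintext_tcp],
        "plaintext_beyond_loopback": [s.name for s in svcs if s.plaintext_tcp and not s.loopback_only],
        # cyradm --tls needs a plain imapd listener to issue STARTTLS against.
        "starttls_imap_for_cyradm": imap_plain.listen if imap_plain else None,
        "unix_sockets": [s.name for s in svcs if s.is_unix_socket],
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
    print(audit(SAMPLE_CONF.replace("#  imap ", "  imap ")))
```

On the posted config the audit also flags the sieve entry: timsieved on listen="sieve" binds every interface and starts in the clear, so if only local tools manage Sieve scripts it deserves the same localhost: prefix as imap.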

Re: TLS: unable to get certificate ...

2008-04-12 Thread Wesley Craig
From the article:
> I’ve *finally* discovered why my IMAP server no longer likes my  
> self-signed certificates. The certificates are just fine. Cyrus is  
> just fine. It’s OpenSSL that’s the problem - Bug 1513 to be exact.


> Cyrus calls SSL_CTX_use_certificate_chain_file() to read in the  
> certificate file, but in my case, since I don’t have CA data set,  
> an earlier function returns an error, so the  
> SSL_CTX_use_certificate_chain_file() function also returns an  
> error, even though the certificate and key are just fine.


What does that buy you?  Why not set the cert as the CA, since that  
is the meaning of "self-signed certificate"?

:wes

On 12 Apr 2008, at 12:33, brian wrote:
> That's what I was wondering, also, after coming across this last  
> night:
> http://weblog.elwing.org/elwing/index.php/archive/2007/07/18/cyrus-imap-and-certificates/




Re: TLS: unable to get certificate ...

2008-04-12 Thread Wesley Craig
What's the ticket number/URL?

:wes

On 12 Apr 2008, at 09:11, Goetz Babin-Ebell wrote:
> Looking in the last source I have here (2.3.8), I'm definitely not
> happy about the code that generates that message:
> * If you don't do SSL client authentication, this message
>   is only confusing noise.
> * If you do SSL client authentication this message is not an
>   info but an error and should be logged as one.
> I opened a ticket and sent a patch in 2005.
> Unfortunately it wasn't accepted (at least the last time I checked...)




Re: TLS: unable to get certificate ...

2008-04-12 Thread brian
Goetz Babin-Ebell wrote:
> 
> brian schrieb:
> | Goetz Babin-Ebell wrote:
> |> brian schrieb:
> |> | brian wrote:
> 
> |> |> I'm trying (and failing) to set up TLS and hope someone might be
> able to
> |> |> shed some light on my problem. Authentication failed so I checked
> |> |> maillog and found:
> |> |>
> |> |> imap[30288]: TLS server engine: cannot load CA data
> |> This^^
> 
> Looking in the last source I have here (2.3.8), I'm definitely not
> happy about the code that generates that message:
> * If you don't do SSL client authentication, this message
>   is only confusing noise.
> * If you do SSL client authentication this message is not an
>   info but an error and should be logged as one.
> I opened a ticket and sent a patch in 2005.
> Unfortunately it wasn't accepted (at least the last time I checked...)
> 
> |> |> imap[30288]: unable to get certificate from
> |> |> '/etc/pki/tls/certs/imapcert.pem'
> |> and this ^
> |> Is your first hint.
> |
> | Yes, it was the first thing I noticed too. However, the fact that that
> | file was easily readable confused me as to what the problem actually
> | was. I thought that perhaps the file, while readable, contained garbage.
> 
> There is a big difference between CA certificates and
> end entity (server) certificates.
> Here cyrus tried to load a CA certificate,
> but imapcert.pem contains only the server certificate.
> 
> OK, I was wrong:
> these two error lines are unrelated.
> The second failing because the first failed may be a result
> of cyrus not clearing the OpenSSL error stack between
> the two lines.
> 
> Any developer listening ?
> calling ERR_clear_error(); on entering set_cert_stuff() (tls.c)
> should fix this...
> (If you're building cyrus from source,
>   you could insert that line and try again)

That's what I was wondering, also, after coming across this last night:
http://weblog.elwing.org/elwing/index.php/archive/2007/07/18/cyrus-imap-and-certificates/


> 
> |> I wish people would stop using self signed certificates in their
> |> tutorials.
> |> Creating a CA and using it to sign the certificates are
> |> just two to three steps more and it gives people a hint how
> |> to set up things correctly...
> |
> | Maybe I've got the terminology wrong then. By "self-signed" I mean that
> | I did create my own CA, then created and signed a cert with that.
> |
> |# CA_nodes -newca
> |# CA_nodes -newreq
> |# CA_nodes -sign
> 
> A self signed certificate is a certificate that is signed by the
> same key that is in the certificate.
> 
> What you have created is a normal certificate that
> was signed by a local CA.
> 
> | I'm not aware of any other kind of "self-signed" certificate. I thought
> | it was either signed by Thawte, etc. or by one's own CA.
> 
> ... or signed by the same key that is in the certificate
>   (signed by itself)

Thank you. I think it's becoming clearer now.

> 
> |> | [abbreviated output follows]
> |> |
> |> | CONNECTED(0003)
> |> | depth=1 /C=CA/ST=Ontario/O=zijn digital/OU=server/CN=MYDOMAIN/[EMAIL PROTECTED]
> |> | verify return:1
> |> | depth=0 /C=CA/ST=Ontario/L=Stratford/O=zijn digital/OU=mail/CN=mail.MYDOMAIN/[EMAIL PROTECTED]
> |> | verify return:1
> |> | ---
> |> | Certificate chain
> |> |   0 s:/C=CA/ST=Ontario/L=Stratford/O=zijn digital/OU=mail/CN=mail.MYDOMAIN/[EMAIL PROTECTED]
> |> |     i:/C=CA/ST=Ontario/O=zijn digital/OU=server/CN=MYDOMAIN/[EMAIL PROTECTED]
> |> OK, this is NOT a self signed certificate.
> |>
> | What tells you that?
> 
> In a self signed certificate issuer and subject name are identical.

Right. This makes sense now I know what to look for.

> 
> BTW:
> 
> If you have your server certificate directly signed by your
> root (CA) certificate and you do not want to use client authentication,
> you can configure cyrus imapd to not use any CA certificates at all:
> 
> The client needs to know the root certificate anyway to determine if
> it may trust it, so you gain nothing by transmitting it in SSL handshake...
> 
> 
> Goetz

Thanks very much for your replies. I'm gaining a better understanding of 
this. Now, back to the docs ...

b

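
An added example for two points in this thread, written for this page and not Cyrus code: the definition of a self-signed certificate (issuer and subject identical, which the "Certificate chain" section of openssl s_client output shows directly), and the actual cause of the "unable to get certificate" failure here, a CA file that the imapd process could not read because of directory permissions. The s_client transcript is constructed from the abbreviated output above with a made-up depth-1 (CA) entry added so the chain is complete; the permission check reproduces the fix from the thread in a temporary directory with constructed "cyrus" uid and "mail" gid values derived from the caller's own.

```python
"""Added example (not Cyrus code): chain inspection and a file-permission
check for the "cannot load CA data" / "unable to get certificate" case."""
import os
import re
import stat
import tempfile
from typing import Dict, List, Tuple

# Constructed from the abbreviated `openssl s_client` output in the thread,
# with a depth-1 (CA) entry added so the chain is complete.
SAMPLE_S_CLIENT = """\
CONNECTED(00000003)
depth=1 /C=CA/ST=Ontario/O=zijn digital/OU=server/CN=MYDOMAIN
verify return:1
depth=0 /C=CA/ST=Ontario/L=Stratford/O=zijn digital/OU=mail/CN=mail.MYDOMAIN
verify return:1
---
Certificate chain
 0 s:/C=CA/ST=Ontario/L=Stratford/O=zijn digital/OU=mail/CN=mail.MYDOMAIN
   i:/C=CA/ST=Ontario/O=zijn digital/OU=server/CN=MYDOMAIN
 1 s:/C=CA/ST=Ontario/O=zijn digital/OU=server/CN=MYDOMAIN
   i:/C=CA/ST=Ontario/O=zijn digital/OU=server/CN=MYDOMAIN
---
"""

CHAIN_SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")
CHAIN_ISSUER = re.compile(r"^\s*i:(.*)$")


def parse_chain(s_client_output: str) -> List[Tuple[str, str]]:
    """Return [(subject, issuer), ...] in chain order; entry 0 is the server cert."""
    chain: List[Tuple[str, str]] = []
    subject = None
    for line in s_client_output.splitlines():
        m = CHAIN_SUBJECT.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = CHAIN_ISSUER.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def describe_chain(chain: List[Tuple[str, str]]) -> Dict[str, object]:
    """Self-signed means issuer == subject; 'linked' means each certificate's
    issuer is the subject of the next one up the chain."""
    self_signed = [s == i for s, i in chain]
    return {
        "depth": len(chain),
        "leaf_self_signed": bool(chain) and self_signed[0],
        "root_in_chain": bool(chain) and self_signed[-1],
        "linked": all(chain[k][1] == chain[k + 1][0] for k in range(len(chain) - 1)),
    }


def can_open(path: str, uid: int, gids: List[int]) -> bool:
    """Would a process running as (uid, gids) be able to read `path`?

    Pure mode-bit evaluation: search (x) on every directory above the file,
    then read (r) on the file, using owner, else group, else other bits.
    uid 0 is deliberately not special-cased: imapd runs as the cyrus user.
    """
    def allowed(st: os.stat_result, bits: Tuple[int, int, int]) -> bool:
        if st.st_uid == uid:
            return bool(st.st_mode & bits[0])
        if st.st_gid in gids:
            return bool(st.st_mode & bits[1])
        return bool(st.st_mode & bits[2])

    path = os.path.abspath(path)
    ancestors, cur = [], path
    while os.path.dirname(cur) != cur:
        cur = os.path.dirname(cur)
        ancestors.append(cur)
    for d in reversed(ancestors):
        if not allowed(os.stat(d), (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)):
            return False
    return allowed(os.stat(path), (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH))


def demo_ca_file_permissions() -> Tuple[bool, bool]:
    """Reproduce the thread's fix in a temp dir: a world-readable cacert.pem
    inside a 0700 directory is unreadable to a different uid; opening that
    directory to the file's group (0750) makes it readable. The "cyrus" uid
    and "mail" gid are constructed relative to the caller's own ids."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)
    private = os.path.join(base, "CA")
    os.mkdir(private)
    os.chmod(private, 0o700)
    ca_file = os.path.join(private, "cacert.pem")
    with open(ca_file, "w") as fh:  # placeholder contents, not a real certificate
        fh.write("-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n")
    os.chmod(ca_file, 0o644)
    st = os.stat(ca_file)
    cyrus_uid, mail_gid = st.st_uid + 1, st.st_gid
    before = can_open(ca_file, cyrus_uid, [mail_gid])
    os.chmod(private, 0o750)  # "copied to a directory readable by the mail group"
    after = can_open(ca_file, cyrus_uid, [mail_gid])
    return before, after


if __name__ == "__main__":
    print(describe_chain(parse_chain(SAMPLE_S_CLIENT)))
    print(demo_ca_file_permissions())
```

On a live server the two inputs come from openssl s_client -connect host:993 -showcerts (only the "Certificate chain" section is needed) and from the mode bits of tls_ca_file and every directory above it, evaluated for the cyrus user rather than for root, which is exactly what a quick test as root misses.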


Re: Postfix, Cyrus, and virtual domains : verify_user failed: Mailbox does not exist - Help !

2008-04-12 Thread Simon Matter
>>
>> Do you have a good reason to use the deprecated 'cyrus' transport?
>> Otherwise you may try 'mailbox_transport =
>> lmtp:unix:/var/lib/imap/socket/lmtp' instead.
>>
>> Simon
>>
>
> You're right, just didn't see it...and working perfectly with that :-)
> In fact for my case, I used : virtual_transport =
> lmtp:unix:/var/lib/imap/socket/lmtp
>
> With lmtp transport, do I still need cyrus_destination_recipient_limit = 1
> ?
>
> Thanx a lot...do you have ideas for my two other questions ?
>
>>> My Cyrus-imapd configuration is :
>>>   [EMAIL PROTECTED] ~]# more /etc/cyrus.conf
>>>   # standard standalone server implementation
>>>
>>>   START {
>>> # do not delete this entry!
>>> recover   cmd="ctl_cyrusdb -r"
>>>
>>> # this is only necessary if using idled for IMAP IDLE
>>> idled cmd="idled"
>>>   }
>>>
>>>   # UNIX sockets start with a slash and are put into
>>> /var/lib/imap/sockets
>>>   SERVICES {
>>>     # add or remove based on preferences
>>>     imap          cmd="imapd" listen="localhost:imap" prefork=0
>>>     imaps         cmd="imapd -s" listen="imaps" prefork=5
>>>   #  pop3         cmd="pop3d" listen="pop3" prefork=3
>>>   #  pop3s        cmd="pop3d -s" listen="pop3s" prefork=1
>>>     sieve         cmd="timsieved" listen="sieve" prefork=0
>>>
>>>     # these are only necessary if receiving/exporting usenet via NNTP
>>>   #  nntp         cmd="nntpd" listen="nntp" prefork=3
>>>   #  nntps        cmd="nntpd -s" listen="nntps" prefork=1
>>>
>>>     # at least one LMTP is required for delivery
>>>   #  lmtp         cmd="lmtpd" listen="localhost:lmtp" prefork=0
>>>     lmtpunix      cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1
>>>
>>>     # this is only necessary if using notifications
>>>   #  notify       cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" prefork=1
>>>   }
>>>
>>>   EVENTS {
>>>     # this is required
>>>     checkpoint    cmd="ctl_cyrusdb -c" period=30
>>>
>>>     # this is only necessary if using duplicate delivery suppression,
>>>     # Sieve or NNTP
>>>     delprune      cmd="cyr_expire -E 3" at=0400
>>>
>>>     # this is only necessary if caching TLS sessions
>>>     tlsprune      cmd="tls_prune" at=0400
>>>   }
>
> (I only want imaps for remote access, imap is only here for cyradm. BTW,
> if someone can tell me how to use cyradm with imaps, so that I can comment
> out imap, it would be great!)

Something like this works for me:
cyradm --tls --user cyrus --auth login localhost

>
>>>
>>>
>>>   [EMAIL PROTECTED] ~]# more /etc/postfix/vmailbox
>>>   [EMAIL PROTECTED]virtual
>>>   [EMAIL PROTECTED]virtual
>
> (Here, according to the doc, "virtual" can be anything else, just a random
> word to have a right-hand value, right?)

I have never used that kind of setup but I have used a relay_recipients
map where the right-hand value simply was 'OK'. As the docs state, the
right-hand part is simply ignored.

Simon

>





Postfix, Cyrus, and virtual domains : verify_user failed: Mailbox does not exist - Help !

2008-04-12 Thread Sébastien Rozier
> 
> Do you have a good reason to use the deprecated 'cyrus' transport?
> Otherwise you may try 'mailbox_transport =
> lmtp:unix:/var/lib/imap/socket/lmtp' instead.
> 
> Simon
> 

You're right, just didn't see it...and working perfectly with that :-)
In fact for my case, I used : virtual_transport = 
lmtp:unix:/var/lib/imap/socket/lmtp

With lmtp transport, do I still need cyrus_destination_recipient_limit = 1 ?

Thanx a lot...do you have ideas for my two other questions ?

>> My Cyrus-imapd configuration is :
>>   [EMAIL PROTECTED] ~]# more /etc/cyrus.conf
>>   # standard standalone server implementation
>>
>>   START {
>> # do not delete this entry!
>> recover   cmd="ctl_cyrusdb -r"
>>
>> # this is only necessary if using idled for IMAP IDLE
>> idled cmd="idled"
>>   }
>>
>>   # UNIX sockets start with a slash and are put into /var/lib/imap/sockets
>>   SERVICES {
>>     # add or remove based on preferences
>>     imap          cmd="imapd" listen="localhost:imap" prefork=0
>>     imaps         cmd="imapd -s" listen="imaps" prefork=5
>>   #  pop3         cmd="pop3d" listen="pop3" prefork=3
>>   #  pop3s        cmd="pop3d -s" listen="pop3s" prefork=1
>>     sieve         cmd="timsieved" listen="sieve" prefork=0
>>
>>     # these are only necessary if receiving/exporting usenet via NNTP
>>   #  nntp         cmd="nntpd" listen="nntp" prefork=3
>>   #  nntps        cmd="nntpd -s" listen="nntps" prefork=1
>>
>>     # at least one LMTP is required for delivery
>>   #  lmtp         cmd="lmtpd" listen="localhost:lmtp" prefork=0
>>     lmtpunix      cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1
>>
>>     # this is only necessary if using notifications
>>   #  notify       cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" prefork=1
>>   }
>>
>>   EVENTS {
>>     # this is required
>>     checkpoint    cmd="ctl_cyrusdb -c" period=30
>>
>>     # this is only necessary if using duplicate delivery suppression,
>>     # Sieve or NNTP
>>     delprune      cmd="cyr_expire -E 3" at=0400
>>
>>     # this is only necessary if caching TLS sessions
>>     tlsprune      cmd="tls_prune" at=0400
>>   }

(I only want imaps for remote access, imap is only here for cyradm. BTW,
if someone can tell me how to use cyradm with imaps, so that I can comment
out imap, it would be great!)

>>
>>
>>   [EMAIL PROTECTED] ~]# more /etc/postfix/vmailbox
>>   [EMAIL PROTECTED]virtual
>>   [EMAIL PROTECTED]virtual

(Here, according to the doc, "virtual" can be anything else, just a random
word to have a right-hand value, right?)


Re: Postfix, Cyrus, and virtual domains : verify_user failed: Mailbox does not exist - Help !

2008-04-12 Thread Simon Matter
> Hello,
>
> I'm trying to setup a Postfix+Cyrus installation (no SQL nor LDAP, only
> hash files).
> I only want to handle virtual domains, no local accounts
> My cyrus imap version is 2.3.7 since this is the packaged version for
> centos/redhat.
> My postfix version is 2.3.3 for the same reason.
> I'm still having the same problem, after hours and hours of research,
> surfing, and doc reading :
> lmtpunix[11333]: verify_user(user.test) failed: Mailbox does not exist
> And then mail bounces...
>
> I'm not sure if this is a postfix or cyrus problem, it seems like postfix,
> through cyrus deliver, doesn't pass @myothervirtualdomain1.com
> (This is explained here but I don't know how to make it work :
> http://cyrusimap.web.cmu.edu/twiki/bin/view/Cyrus/CyrusDeliverWithAt )

Do you have a good reason to use the deprecated 'cyrus' transport?
Otherwise you may try 'mailbox_transport =
lmtp:unix:/var/lib/imap/socket/lmtp' instead.

Simon

>
> Apr 12 15:31:07 atlantis postfix/smtpd[12091]: connect from smtp5-g19.free.fr[212.27.42.35]
> Apr 12 15:31:07 atlantis postfix/smtpd[12091]: 8A2F4587D4: client=smtp5-g19.free.fr[212.27.42.35]
> Apr 12 15:31:07 atlantis postfix/cleanup[12098]: 8A2F4587D4: message-id=<[EMAIL PROTECTED]>
> Apr 12 15:31:07 atlantis postfix/qmgr[9964]: 8A2F4587D4: from=<[EMAIL PROTECTED]>, size=1772, nrcpt=1 (queue active)
> Apr 12 15:31:07 atlantis postfix/smtpd[12091]: disconnect from smtp5-g19.free.fr[212.27.42.35]
> Apr 12 15:31:07 atlantis lmtpunix[11333]: accepted connection
> Apr 12 15:31:07 atlantis lmtpunix[11333]: lmtp connection preauth'd as postman
> Apr 12 15:31:07 atlantis lmtpunix[11333]: verify_user(user.test) failed: Mailbox does not exist
> Apr 12 15:31:07 atlantis postfix/pipe[12099]: 8A2F4587D4: to=<[EMAIL PROTECTED]>, relay=cyrus, delay=0.03, delays=0.02/0/0/0.01, dsn=5.6.0, status=bounced (data format error. Command output: test: Mailbox does not exist )
> Apr 12 15:31:07 atlantis postfix/cleanup[12098]: 916EB587FA: message-id=<[EMAIL PROTECTED]>
> Apr 12 15:31:07 atlantis postfix/bounce[12102]: 8A2F4587D4: sender non-delivery notification: 916EB587FA
> Apr 12 15:31:07 atlantis postfix/qmgr[9964]: 916EB587FA: from=<>, size=3604, nrcpt=1 (queue active)
> Apr 12 15:31:07 atlantis postfix/qmgr[9964]: 8A2F4587D4: removed
> Apr 12 15:31:08 atlantis postfix/smtp[12103]: 916EB587FA: to=<[EMAIL PROTECTED]>, relay=mail.cybergaia.org[82.247.77.102]:25, delay=0.77, delays=0/0/0.59/0.17, dsn=2.0.0, status=sent (250 ok 1208010902 qp 20643)
> Apr 12 15:31:08 atlantis postfix/qmgr[9964]: 916EB587FA: removed
>
> I created my mailbox with :
>   [EMAIL PROTECTED] ~]# su - cyrus
>   -bash-3.1$ cyradm -u [EMAIL PROTECTED] localhost
>   IMAP Password:
>   localhost.localdomain> lm
>   localhost.localdomain> cm [EMAIL PROTECTED]
>   localhost.localdomain> lm
>   user.test (\HasNoChildren)
>   localhost.localdomain> exit
>   -bash-3.1$ ls -laR /var/spool/imap/
>   /var/spool/imap/:
>   total 12
>   drwx------  3 cyrus mail 4096 Apr 12 15:18 .
>   drwxr-xr-x 13 root  root 4096 Apr 10 23:28 ..
>   drwx------  3 cyrus mail 4096 Apr 12 15:18 domain
>
>   /var/spool/imap/domain:
>   total 12
>   drwx------ 3 cyrus mail 4096 Apr 12 15:18 .
>   drwx------ 3 cyrus mail 4096 Apr 12 15:18 ..
>   drwx------ 3 cyrus mail 4096 Apr 12 15:18 m
>
>   /var/spool/imap/domain/m:
>   total 12
>   drwx------ 3 cyrus mail 4096 Apr 12 15:18 .
>   drwx------ 3 cyrus mail 4096 Apr 12 15:18 ..
>   drwx------ 3 cyrus mail 4096 Apr 12 15:18 myothervirtualdomain1.com
>
>   /var/spool/imap/domain/m/myothervirtualdomain1.com:
>   total 12
>   drwx------ 3 cyrus mail 4096 Apr 12 15:18 .
>   drwx------ 3 cyrus mail 4096 Apr 12 15:18 ..
>   drwx------ 3 cyrus mail 4096 Apr 12 15:18 t
>
>   /var/spool/imap/domain/m/myothervirtualdomain1.com/t:
>   total 12
>   drwx------ 3 cyrus mail 4096 Apr 12 15:18 .
>   drwx------ 3 cyrus mail 4096 Apr 12 15:18 ..
>   drwx------ 3 cyrus mail 4096 Apr 12 15:18 user
>
>   /var/spool/imap/domain/m/myothervirtualdomain1.com/t/user:
>   total 12
>   drwx------ 3 cyrus mail 4096 Apr 12 15:18 .
>   drwx------ 3 cyrus mail 4096 Apr 12 15:18 ..
>   drwx------ 2 cyrus mail 4096 Apr 12 15:18 test
>
>   /var/spool/imap/domain/m/myothervirtualdomain1.com/t/user/test:
>   total 20
>   drwx------ 2 cyrus mail 4096 Apr 12 15:18 .
>   drwx------ 3 cyrus mail 4096 Apr 12 15:18 ..
>   -rw------- 1 cyrus mail    4 Apr 12 15:18 cyrus.cache
>   -rw------- 1 cyrus mail  164 Apr 12 15:18 cyrus.header
>   -rw------- 1 cyrus mail   96 Apr 12 15:18 cyrus.index
>   -bash-3.1$
> My Cyrus-imapd configuration is :
>   [EMAIL PROTECTED] ~]# more /etc/cyrus.conf
>   # standard standalone server implementation
>
>   START {
> # do not delete this entry!
> recover   cmd="ctl_cyrusdb -r"
>
> # this is only necessary if using idled for IMAP IDLE
> idled cmd="idled"
>   }
>
>   # UNIX sockets start with a slash and are put into /var/lib/imap/sockets
>   SE

Postfix, Cyrus, and virtual domains : verify_user failed: Mailbox does not exist - Help !

2008-04-12 Thread Sébastien Rozier
Hello,

I'm trying to setup a Postfix+Cyrus installation (no SQL nor LDAP, only hash 
files).
I only want to handle virtual domains, no local accounts
My cyrus imap version is 2.3.7 since this is the packaged version for 
centos/redhat.
My postfix version is 2.3.3 for the same reason.
I'm still having the same problem, after hours and hours of research, surfing, 
and doc reading :
lmtpunix[11333]: verify_user(user.test) failed: Mailbox does not exist
And then mail bounces...

I'm not sure if this is a postfix or cyrus problem, it seems like postfix, 
through cyrus deliver, doesn't pass @myothervirtualdomain1.com
(This is explained here but I don't know how to make it work : 
http://cyrusimap.web.cmu.edu/twiki/bin/view/Cyrus/CyrusDeliverWithAt )

Apr 12 15:31:07 atlantis postfix/smtpd[12091]: connect from smtp5-g19.free.fr[212.27.42.35]
Apr 12 15:31:07 atlantis postfix/smtpd[12091]: 8A2F4587D4: client=smtp5-g19.free.fr[212.27.42.35]
Apr 12 15:31:07 atlantis postfix/cleanup[12098]: 8A2F4587D4: message-id=<[EMAIL PROTECTED]>
Apr 12 15:31:07 atlantis postfix/qmgr[9964]: 8A2F4587D4: from=<[EMAIL PROTECTED]>, size=1772, nrcpt=1 (queue active)
Apr 12 15:31:07 atlantis postfix/smtpd[12091]: disconnect from smtp5-g19.free.fr[212.27.42.35]
Apr 12 15:31:07 atlantis lmtpunix[11333]: accepted connection
Apr 12 15:31:07 atlantis lmtpunix[11333]: lmtp connection preauth'd as postman
Apr 12 15:31:07 atlantis lmtpunix[11333]: verify_user(user.test) failed: Mailbox does not exist
Apr 12 15:31:07 atlantis postfix/pipe[12099]: 8A2F4587D4: to=<[EMAIL PROTECTED]>, relay=cyrus, delay=0.03, delays=0.02/0/0/0.01, dsn=5.6.0, status=bounced (data format error. Command output: test: Mailbox does not exist )
Apr 12 15:31:07 atlantis postfix/cleanup[12098]: 916EB587FA: message-id=<[EMAIL PROTECTED]>
Apr 12 15:31:07 atlantis postfix/bounce[12102]: 8A2F4587D4: sender non-delivery notification: 916EB587FA
Apr 12 15:31:07 atlantis postfix/qmgr[9964]: 916EB587FA: from=<>, size=3604, nrcpt=1 (queue active)
Apr 12 15:31:07 atlantis postfix/qmgr[9964]: 8A2F4587D4: removed
Apr 12 15:31:08 atlantis postfix/smtp[12103]: 916EB587FA: to=<[EMAIL PROTECTED]>, relay=mail.cybergaia.org[82.247.77.102]:25, delay=0.77, delays=0/0/0.59/0.17, dsn=2.0.0, status=sent (250 ok 1208010902 qp 20643)
Apr 12 15:31:08 atlantis postfix/qmgr[9964]: 916EB587FA: removed

I created my mailbox with :
  [EMAIL PROTECTED] ~]# su - cyrus
  -bash-3.1$ cyradm -u [EMAIL PROTECTED] localhost
  IMAP Password:
  localhost.localdomain> lm
  localhost.localdomain> cm [EMAIL PROTECTED]
  localhost.localdomain> lm
  user.test (\HasNoChildren)
  localhost.localdomain> exit
  -bash-3.1$ ls -laR /var/spool/imap/
  /var/spool/imap/:
  total 12
  drwx------  3 cyrus mail 4096 Apr 12 15:18 .
  drwxr-xr-x 13 root  root 4096 Apr 10 23:28 ..
  drwx------  3 cyrus mail 4096 Apr 12 15:18 domain

  /var/spool/imap/domain:
  total 12
  drwx------ 3 cyrus mail 4096 Apr 12 15:18 .
  drwx------ 3 cyrus mail 4096 Apr 12 15:18 ..
  drwx------ 3 cyrus mail 4096 Apr 12 15:18 m

  /var/spool/imap/domain/m:
  total 12
  drwx------ 3 cyrus mail 4096 Apr 12 15:18 .
  drwx------ 3 cyrus mail 4096 Apr 12 15:18 ..
  drwx------ 3 cyrus mail 4096 Apr 12 15:18 myothervirtualdomain1.com

  /var/spool/imap/domain/m/myothervirtualdomain1.com:
  total 12
  drwx------ 3 cyrus mail 4096 Apr 12 15:18 .
  drwx------ 3 cyrus mail 4096 Apr 12 15:18 ..
  drwx------ 3 cyrus mail 4096 Apr 12 15:18 t

  /var/spool/imap/domain/m/myothervirtualdomain1.com/t:
  total 12
  drwx------ 3 cyrus mail 4096 Apr 12 15:18 .
  drwx------ 3 cyrus mail 4096 Apr 12 15:18 ..
  drwx------ 3 cyrus mail 4096 Apr 12 15:18 user

  /var/spool/imap/domain/m/myothervirtualdomain1.com/t/user:
  total 12
  drwx------ 3 cyrus mail 4096 Apr 12 15:18 .
  drwx------ 3 cyrus mail 4096 Apr 12 15:18 ..
  drwx------ 2 cyrus mail 4096 Apr 12 15:18 test

  /var/spool/imap/domain/m/myothervirtualdomain1.com/t/user/test:
  total 20
  drwx------ 2 cyrus mail 4096 Apr 12 15:18 .
  drwx------ 3 cyrus mail 4096 Apr 12 15:18 ..
  -rw------- 1 cyrus mail    4 Apr 12 15:18 cyrus.cache
  -rw------- 1 cyrus mail  164 Apr 12 15:18 cyrus.header
  -rw------- 1 cyrus mail   96 Apr 12 15:18 cyrus.index
  -bash-3.1$
My Cyrus-imapd configuration is :
  [EMAIL PROTECTED] ~]# more /etc/cyrus.conf
  # standard standalone server implementation

  START {
# do not delete this entry!
recover   cmd="ctl_cyrusdb -r"

# this is only necessary if using idled for IMAP IDLE
idled cmd="idled"
  }

  # UNIX sockets start with a slash and are put into /var/lib/imap/sockets
  SERVICES {
# add or remove based on preferences
imap  cmd="imapd" listen="localhost:imap" prefork=0
imaps cmd="imapd -s" listen="imaps" prefork=5
  #  pop3 cmd="pop3d" listen="pop3" prefork=3
  #  pop3s        cmd="pop3d -s" listen="pop3s" prefork=1
sieve cmd="timsieved" listen="sieve" prefork=0

# these are 

Re: TLS: unable to get certificate ...

2008-04-12 Thread Goetz Babin-Ebell

brian schrieb:
| Goetz Babin-Ebell wrote:
|> brian schrieb:
|> | brian wrote:

|> |> I'm trying (and failing) to set up TLS and hope someone might be
able to
|> |> shed some light on my problem. Authentication failed so I checked
|> |> maillog and found:
|> |>
|> |> imap[30288]: TLS server engine: cannot load CA data
|> This^^

Looking in the last source I have here (2.3.8), I'm definitely not
happy about the code that generates that message:
* If you don't do SSL client authentication, this message
  is only confusing noise.
* If you do SSL client authentication this message is not an
  info but an error and should be logged as one.
I opened a ticket and sent a patch in 2005.
Unfortunately it wasn't accepted (at least the last time I checked...)

|> |> imap[30288]: unable to get certificate from
|> |> '/etc/pki/tls/certs/imapcert.pem'
|> and this ^
|> Is your first hint.
|
| Yes, it was the first thing I noticed too. However, the fact that that
| file was easily readable confused me as to what the problem actually
| was. I thought that perhaps the file, while readable, contained garbage.

There is a big difference between CA certificates and
end entity (server) certificates.
Here cyrus tried to load a CA certificate,
but imapcert.pem contains only the server certificate.

OK, I was wrong:
these two error lines are unrelated.
The second failing because the first failed may be a result
of cyrus not clearing the OpenSSL error stack between
the two lines.

Any developer listening ?
calling ERR_clear_error(); on entering set_cert_stuff() (tls.c)
should fix this...
(If you're building cyrus from source,
  you could insert that line and try again)

|> I wish people would stop using self signed certificates in their
|> tutorials.
|> Creating a CA and using it to sign the certificates are
|> just two to three steps more and it gives people a hint how
|> to set up things correctly...
|
| Maybe I've got the terminology wrong then. By "self-signed" I mean that
| I did create my own CA, then created and signed a cert with that.
|
|# CA_nodes -newca
|# CA_nodes -newreq
|# CA_nodes -sign

A self signed certificate is a certificate that is signed by the
same key that is in the certificate.

What you have created is a normal certificate that
was signed by a local CA.

| I'm not aware of any other kind of "self-signed" certificate. I thought
| it was either signed by Thawte, etc. or by one's own CA.

... or signed by the same key that is in the certificate
  (signed by itself)

|> | [abbreviated output follows]
|> |
|> | CONNECTED(0003)
|> | depth=1 /C=CA/ST=Ontario/O=zijn digital/OU=server/CN=MYDOMAIN/[EMAIL PROTECTED]
|> | verify return:1
|> | depth=0 /C=CA/ST=Ontario/L=Stratford/O=zijn digital/OU=mail/CN=mail.MYDOMAIN/[EMAIL PROTECTED]
|> | verify return:1
|> | ---
|> | Certificate chain
|> |   0 s:/C=CA/ST=Ontario/L=Stratford/O=zijn digital/OU=mail/CN=mail.MYDOMAIN/[EMAIL PROTECTED]
|> |     i:/C=CA/ST=Ontario/O=zijn digital/OU=server/CN=MYDOMAIN/[EMAIL PROTECTED]
|> OK, this is NOT a self signed certificate.
|>
| What tells you that?

In a self signed certificate issuer and subject name are identical.

|> It is obvious that you don't know what you are doing.
|
| Sure, that's why I've emailed this list looking for help. While I seem
| to have fixed the problem (see below) there are aspects of this that are
| more than a little bit hazy. I'd like to understand this a lot better.
|
|> If you would tell us what you want to do,
|> we might be able to tell you what you should do.
|>
|
| OK, I'll start again from the beginning: I wish to incorporate TLS
| support into Postfix/Cyrus-IMAP. I don't feel that a signed cert from
| Thawte, etc. is necessary, as I'm not expecting to have any strangers
| with accounts on this machine. Thus, I followed Patrick's tutorial in
| which he explains how to create one's own CA and use that to sign a
| certificate.

If you have configured CA certificates in cyrus you might drop
them and try again.
The loading of the server cert seemed to fail because just
before it the loading of the CA data failed.
(seems to be a bug in cyrus)

| I was under the impression that *that* was a self-signed certificate.
Nope.
It is a certificate signed by a local CA.

| The only thing I wanted to do with s_server was see if it would complain
| about imapcert.pem being unusable because the msg in maillog led me to
| believe that that was the problem.
|
| This seems to have been resolved by copying cacert.pem to a directory
| readable by the mail group. Apparently, imapcert.pem is, in fact, ok.
At least that seems to be.

BTW:

If you have your server certificate directly signed by your
root (CA) certificate and you do not want to use client authentication,
you can configure cyrus imapd to not use any CA certificates at all:

The client needs t