Re: Best distro for Exim/Cyrus

2014-02-20 Thread Vladislav Kurz
On Thursday 20 of February 2014 05:50:21 Paul O'Rorke wrote:
 Hi again guys,
 
 thanks for the help thus far.  I have managed to get cyrus talking with
 exim to deliver mail (the -a inside the quotes did this) and I have the
 cyrus_sasl driver authenticating using DIGEST-MD5:
 
 digest_md5_sasl_server:
 driver = cyrus_sasl
 public_name = DIGEST-MD5
 server_realm = chemainus.mjbrownloos.com
 server_set_id = $auth1
 .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
 server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
 .endif

Hi,

the last three lines (ifndef - endif) can be IMHO deleted, because DIGEST-MD5 
(and CRAM-MD5 and NTLM) do not send plaintext passwords, so should be allowed 
even on otherwise unencrypted connection.

Check if user Debian-exim is member of sasl group - to get access to 
/etc/sasldb2.

 I can receive mail OK, exim passes it to cyrus and I can work with
 mailboxes in Thunderbird however I don't seem to be able to authenticate
 to the SMTP server when sending.  Do I need to specify a separate auth
 for sending through SMTP?

Thunderbird has separate auth setting for SMTP, however you should specify the 
same user/pass as for IMAP. Check also the option auth method and set 
encrypted password - which is luser translation of DIGEST/CRAM-MD5.

 If it can authenticate for IMAP using *digest_md5_sasl_server* why would
 it fail when sending?

Just because IMAP auth is done by cyrus and SMTP auth by exim ;) Check 
/var/log/exim/*log, there might be some hints...

-- 
S pozdravem
Vladislav Kurz

=== WebStep, s.r.o. (Ltd.) = a step to the Web ===
address: Mezirka 1, 602 00 Brno, CZ, tel: +420 548 214 711
=== www.webstep.net === vladislav.k...@webstep.net ===
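
Added example, not part of the message above or of Exim/Cyrus code: a Python walk-through of the DIGEST-MD5 client response (RFC 2831, qop=auth) showing that only a hash bound to the server and client nonces crosses the wire, with the server-side check beside it. The function names are hypothetical and the input values are the worked example from RFC 2831 section 4, not values from this thread.

```python
import hashlib
import hmac

def digest_md5_response(username, realm, password, nonce, cnonce, digest_uri,
                        nc="00000001", qop="auth"):
    """Client 'response' value per RFC 2831 section 2.1.2.1 (qop=auth, no authzid)."""
    md5 = lambda b: hashlib.md5(b).digest()
    # A1 binds the long-term secret to the server nonce and the client nonce.
    a1 = md5(f"{username}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    kd_input = f"{md5(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{md5(a2).hex()}"
    return hashlib.md5(kd_input.encode()).hexdigest()

def client_reply(username, realm, password, nonce, cnonce, digest_uri):
    """The digest-response string the client sends (before base64 encoding)."""
    resp = digest_md5_response(username, realm, password, nonce, cnonce, digest_uri)
    return (f'charset=utf-8,username="{username}",realm="{realm}",nonce="{nonce}",'
            f'nc=00000001,cnonce="{cnonce}",digest-uri="{digest_uri}",'
            f'response={resp},qop=auth')

def server_verify(stored_password, fields):
    """Server side: recompute the response from its own copy of the secret and compare."""
    expected = digest_md5_response(fields["username"], fields["realm"], stored_password,
                                   fields["nonce"], fields["cnonce"], fields["digest-uri"])
    return hmac.compare_digest(expected, fields["response"])

# Values from the worked example in RFC 2831 section 4 (not from this thread).
RFC_EXAMPLE = dict(username="chris", realm="elwood.innosoft.com", password="secret",
                   nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk",
                   digest_uri="imap/elwood.innosoft.com")

if __name__ == "__main__":
    wire = client_reply(**RFC_EXAMPLE)
    print(wire)
    print("password on the wire:", RFC_EXAMPLE["password"] in wire)
```

The server has to hold the cleartext password (or the hash of user:realm:password) to run this check, which is why access to /etc/sasldb2 matters; RFC 6331 has since moved DIGEST-MD5 to Historic.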


Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus

Re: cyradm cannot connect to cyrus imap server

2014-02-20 Thread Dan White
On 02/20/14 10:35 +0100, Willy Offermans wrote:
I'm setting up cyrus on my new FreeBSD 10.0 server. I have used the following
package: cyrus-imapd24-2.4.17_4

If I test my setup with imtest, I get connection to the imap server.

MyName@MyComputer:~$ imtest -m login -u username -a username -s localhost
verify error:num=19:self signed certificate in certificate chain
TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=SCRAM-SHA-1 
AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN SASL-IR] 
MyComputer Cyrus IMAP v2.4.17 server ready
Please enter your password:
C: L01 LOGIN username {13}
S: + go ahead
C: omitted
S: L01 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxte QUOTA 
MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN 
MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY 
THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE LIST-EXTENDED WITHIN 
QRESYNC SCAN XLIST URLAUTH URLAUTH=BINARY LOGINDISABLED AUTH=SCRAM-SHA-1 
AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN COMPRESS=DEFLATE 
IDLE] User logged in SESSIONID=MyComputer-11451-1392884061-1
Authenticated.
Security strength factor: 256

From the message log file:

Feb 19 09:00:11 MyComputer imaps[3437]: imapd:Loading hard-coded DH parameters 
Feb 19 09:00:11 MyComputer imaps[3437]: starttls: TLSv1 with cipher 
DHE-RSA-AES256-SHA (256/256 bits new) no authentication
Feb 19 09:00:11 MyComputer imaps[3437]: OTP unavailable because can't 
read/write key database /etc/opiekeys: Permission denied
Feb 19 09:00:15 MyComputer imaps[3437]: badlogin: localhost [127.0.0.1] 
plaintext username SASL(-13): authentication failure: checkpass failed
Feb 19 09:00:30 MyComputer imaps[3437]: starttls: TLSv1 with cipher 
DHE-RSA-AES256-SHA (256/256 bits new) no authentication
Feb 19 09:00:30 MyComputer imaps[3437]: OTP unavailable because can't 
read/write key database /etc/opiekeys: Permission denied
Feb 19 09:00:39 MyComputer imaps[3437]: login: localhost [127.0.0.1] username 
plaintext+TLS User logged in SESSIONID=MyComputer-3437-1392800430-1
Feb 19 09:02:18 MyComputer imaps[3437]: USAGE username user: 0.007544 sys: 
0.022632

However, if I try to connect via cyradm, I cannot login.

MyName@MyComputer:~$ cyradm --user username localhost
Password:
verify error:num=19:self signed certificate in certificate chain
cyradm: cannot authenticate to server with  as username

Does the output really say this (empty username)? I'm assuming you just
removed it when pasting it.

from the message log file:
Feb 19 09:02:41 MyComputer imap[3440]: OTP unavailable because can't 
read/write key database /etc/opiekeys: Permission denied
Feb 19 09:02:48 MyComputer imap[3440]: badlogin: localhost [127.0.0.1] 
SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get 
auxprops]
Feb 19 09:02:51 MyComputer imap[3440]: badlogin: localhost [127.0.0.1] 
DIGEST-MD5 [SASL(-13): user not found: unable to canonify user and get 
auxprops]
Feb 19 09:02:55 MyComputer imap[3440]: imapd:Loading hard-coded DH parameters
Feb 19 09:02:55 MyComputer imap[3440]: starttls: TLSv1 with cipher 
DHE-RSA-AES256-SHA (256/256 bits new) no authentication
Feb 19 09:02:55 MyComputer imap[3440]: OTP unavailable because can't 
read/write key database /etc/opiekeys: Permission denied

In imapd.conf, set:

sasl_mech_list: PLAIN LOGIN EXTERNAL

to remove some extraneous error messages. Try specifying a mechanism
(--auth=PLAIN) in your cyradm command.

-- 
Dan White
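
Added example, not part of the message above: a Python script that parses the Cyrus `login:` / `badlogin:` syslog entries quoted in this thread and lists the mechanisms that only ever fail with "user not found", which are the candidates to drop from sasl_mech_list. The sample log is constructed from the lines above with wrapped lines rejoined; the function names are hypothetical, and treating a successful `plaintext` entry without `+TLS` as a cleartext login is an assumption inferred from that log format.

```python
import re
from collections import defaultdict

# Constructed sample: syslog entries quoted in the thread, wrapped lines rejoined.
SAMPLE_LOG = """\
Feb 19 09:00:15 MyComputer imaps[3437]: badlogin: localhost [127.0.0.1] plaintext username SASL(-13): authentication failure: checkpass failed
Feb 19 09:00:39 MyComputer imaps[3437]: login: localhost [127.0.0.1] username plaintext+TLS User logged in SESSIONID=MyComputer-3437-1392800430-1
Feb 19 09:02:48 MyComputer imap[3440]: badlogin: localhost [127.0.0.1] SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get auxprops]
Feb 19 09:02:51 MyComputer imap[3440]: badlogin: localhost [127.0.0.1] DIGEST-MD5 [SASL(-13): user not found: unable to canonify user and get auxprops]
Feb 19 09:02:55 MyComputer imap[3440]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
"""

PREFIX = r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ (?P<svc>\w+)\[(?P<pid>\d+)\]: "
PEER = r"(?P<host>\S+) \[(?P<ip>[^\]]+)\] "
PATTERNS = [
    # Successful login: user name first, then the mechanism.
    ("ok", re.compile(PREFIX + "login: " + PEER
                      + r"(?P<user>\S+) (?P<mech>\S+) User logged in")),
    # Failed plaintext login: mechanism, user name, then the SASL error text.
    ("fail", re.compile(PREFIX + "badlogin: " + PEER
                        + r"(?P<mech>plaintext) (?P<user>\S+) (?P<reason>.+)$")),
    # Failed SASL mechanism: mechanism, then the bracketed error (no user name logged).
    ("fail", re.compile(PREFIX + "badlogin: " + PEER
                        + r"(?P<mech>\S+) \[(?P<reason>.+)\]$")),
]

def parse_auth_events(text):
    """Return one dict per login/badlogin line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        for outcome, rx in PATTERNS:
            m = rx.match(line.strip())
            if m:
                events.append({"outcome": outcome, **m.groupdict()})
                break
    return events

def review(events):
    """Return (mechanisms to consider dropping, successful cleartext logins without TLS)."""
    outcomes = defaultdict(set)
    for e in events:
        outcomes[e["mech"].split("+")[0]].add(e["outcome"])  # "plaintext+TLS" -> "plaintext"
    # Heuristic: an advertised mechanism whose attempts only end in "user not found"
    # has no secret the auxprop lookup can use, so advertising it only adds noise.
    dead = sorted({e["mech"] for e in events
                   if e["outcome"] == "fail" and "user not found" in e["reason"]
                   and "ok" not in outcomes[e["mech"]]})
    no_tls = [e for e in events if e["outcome"] == "ok" and e["mech"] == "plaintext"]
    return dead, no_tls

if __name__ == "__main__":
    print(review(parse_auth_events(SAMPLE_LOG)))
```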



Re: cyradm cannot connect to cyrus imap server

2014-02-20 Thread Willy Offermans
Hello Dan and Cyrus Friends,

On Thu, Feb 20, 2014 at 08:38:42AM -0600, Dan White wrote:
 On 02/20/14 10:35 +0100, Willy Offermans wrote:
 I'm setting up cyrus on my new FreeBSD 10.0 server. I have used the following
 package: cyrus-imapd24-2.4.17_4
 
 If I test my setup with imtest, I get connection to the imap server.
 
 MyName@MyComputer:~$ imtest -m login -u username -a username -s localhost
 verify error:num=19:self signed certificate in certificate chain
 TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 
 bits)
 S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=SCRAM-SHA-1 
 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN SASL-IR] 
 MyComputer Cyrus IMAP v2.4.17 server ready
 Please enter your password:
 C: L01 LOGIN username {13}
 S: + go ahead
 C: omitted
 S: L01 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxte QUOTA 
 MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN 
 MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY 
 THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE LIST-EXTENDED WITHIN 
 QRESYNC SCAN XLIST URLAUTH URLAUTH=BINARY LOGINDISABLED AUTH=SCRAM-SHA-1 
 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN 
 COMPRESS=DEFLATE IDLE] User logged in 
 SESSIONID=MyComputer-11451-1392884061-1
 Authenticated.
 Security strength factor: 256
 
 From the message log file:
 
 Feb 19 09:00:11 MyComputer imaps[3437]: imapd:Loading hard-coded DH 
 parameters Feb 19 09:00:11 MyComputer imaps[3437]: starttls: TLSv1 with 
 cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
 Feb 19 09:00:11 MyComputer imaps[3437]: OTP unavailable because can't 
 read/write key database /etc/opiekeys: Permission denied
 Feb 19 09:00:15 MyComputer imaps[3437]: badlogin: localhost [127.0.0.1] 
 plaintext username SASL(-13): authentication failure: checkpass failed
 Feb 19 09:00:30 MyComputer imaps[3437]: starttls: TLSv1 with cipher 
 DHE-RSA-AES256-SHA (256/256 bits new) no authentication
 Feb 19 09:00:30 MyComputer imaps[3437]: OTP unavailable because can't 
 read/write key database /etc/opiekeys: Permission denied
 Feb 19 09:00:39 MyComputer imaps[3437]: login: localhost [127.0.0.1] 
 username plaintext+TLS User logged in 
 SESSIONID=MyComputer-3437-1392800430-1
 Feb 19 09:02:18 MyComputer imaps[3437]: USAGE username user: 0.007544 sys: 
 0.022632
 
 However, if I try to connect via cyradm, I cannot login.
 
 MyName@MyComputer:~$ cyradm --user username localhost
 Password:
 verify error:num=19:self signed certificate in certificate chain
 cyradm: cannot authenticate to server with  as username
 
 Does the output really say this (empty username)? I'm assuming you just
 removed it when pasting it.

No Dan, I did not remove anything. I just replaced the actual username by
username. There is a whitespace between with and as in the output!

 
 from the message log file:
 Feb 19 09:02:41 MyComputer imap[3440]: OTP unavailable because can't 
 read/write key database /etc/opiekeys: Permission denied
 Feb 19 09:02:48 MyComputer imap[3440]: badlogin: localhost [127.0.0.1] 
 SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get 
 auxprops]
 Feb 19 09:02:51 MyComputer imap[3440]: badlogin: localhost [127.0.0.1] 
 DIGEST-MD5 [SASL(-13): user not found: unable to canonify user and get 
 auxprops]
 Feb 19 09:02:55 MyComputer imap[3440]: imapd:Loading hard-coded DH parameters
 Feb 19 09:02:55 MyComputer imap[3440]: starttls: TLSv1 with cipher 
 DHE-RSA-AES256-SHA (256/256 bits new) no authentication
 Feb 19 09:02:55 MyComputer imap[3440]: OTP unavailable because can't 
 read/write key database /etc/opiekeys: Permission denied
 
 In imapd.conf, set:
 
 sasl_mech_list: PLAIN LOGIN EXTERNAL
 
 to remove some extraneous error messages. Try specifying a mechanism
 (--auth=PLAIN) in your cyradm command.
 
 -- 
 Dan White

I did this and it worked:

MyName@MyComputer:~$ cyradm --user username --auth PLAIN localhost
verify error:num=19:self signed certificate in certificate chain
Password: 
localhost 

Many thnx for your help!

-- 
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,

Wiel

*
W.K. Offermans
Home:   +31 45 544 49 44
Mobile: +31 681 15 87 68
e-mail: wi...@offermans.rompen.nl



Outlook 2013

2014-02-20 Thread Paul van der Vlis
Hello,

One of my customers has bought a laptop with Outlook 2013. He says he
can see his messages over IMAP, but it's a kind of read-only access.

The mailserver is an old installation with Cyrus 2.2.13 (Debian
Squeeze), so I need to update it to Debian Wheezy (Cyrus 2.4.16) to get
e.g. the XLIST command I expect.

Yesterday I spoke to someone who said Outlook 2013 gives many problems
with IMAP (corruptions of the local cache).

What's your experience with Outlook 2013 together with Cyrus?
Is it stable and does it really need XLIST?

With regards,
Paul van der Vlis.


-- 
Paul van der Vlis Linux systeembeheer, Groningen
http://www.vandervlis.nl



Re: Best distro for Exim/Cyrus

2014-02-20 Thread Paul O'Rorke

Thanks Vlad,

the last three lines (ifndef - endif) can be IMHO deleted, because 
DIGEST-MD5 (and CRAM-MD5 and NTLM) do not send plaintext passwords, so 
should be allowed even on otherwise unencrypted connection.

commented out.

Check if user Debian-exim is member of sasl group - to get access to 
/etc/sasldb2.


   root@blmail:/etc/exim4/conf.d# groups Debian-exim
   Debian-exim : Debian-exim root mail sasl cyrus
   root@blmail:/etc/exim4/conf.d# ls -l /etc/sasldb2
   -rw-rw 1 cyrus Debian-exim 12288 Feb 19 20:19 /etc/sasldb2

Looks right to me...


Thunderbird has separate auth setting for SMTP, however you should 
specify the same user/pass as for IMAP. Check also the option auth 
method and set encrypted password - which is luser translation of 
DIGEST/CRAM-MD5.



It seems that exim is not using the same auth as cyrus.  TB doesn't 
recognise the encrypted passwords option.  Nor does Outlook so I don't 
think it's the MUA.


When I let TB query the server for settings it correctly returns with 
'Encrypted password' for IMAP but 'Password, transmitted insecurely' for 
SMTP.  Leaving that setting results in the expected 'relay not 
permitted'; setting it in TB to use 'Encrypted password' results in the 
following error message in TB:


   Sending of message failed.
   The SMTP server chemainus.mjbrownloos.com does not support the
   selected authentication method. Please change the 'Authentication
   method' in the 'Account Settings | Outgoing Server (SMTP)'.

I'm watching (tail -f) the following 4 log files when I send 
(/var/log/exim/ has only mainlog and rejectlog):


   /var/log/exim4/mainlog
   /var/log/exim4/rejectlog
   /var/log/syslog
   /var/log/auth.log

but I'm not seeing anything helpful.   Indeed  I need to trace the 
process on send and find out where it is baulking, any thoughts on how 
to find that?


Since this seems to now be an Exim thing, perhaps at this point I should 
be asking this on the exim list?


*Paul O'Rorke* Tracker Software Products p...@tracker-software.com 
mailto:paul.oro...@tracker-software.com



On 2/20/2014 2:23 AM, Vladislav Kurz wrote:

On Thursday 20 of February 2014 05:50:21 Paul O'Rorke wrote:
 Hi again guys,

 thanks for the help thus far. I have managed to get cyrus talking with
 exim to deliver mail (the -a inside the quotes did this) and I have the
 cyrus_sasl driver authenticating using DIGEST-MD5:

 digest_md5_sasl_server:
 driver = cyrus_sasl
 public_name = DIGEST-MD5
 server_realm = chemainus.mjbrownloos.com
 server_set_id = $auth1
 .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
 server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
 .endif

Hi,

the last three lines (ifndef - endif) can be IMHO deleted, because 
DIGEST-MD5 (and CRAM-MD5 and NTLM) do not send plaintext passwords, so 
should be allowed even on otherwise unencrypted connection.

Check if user Debian-exim is member of sasl group - to get access to 
/etc/sasldb2.

 I can receive mail OK, exim passes it to cyrus and I can work with
 mailboxes in Thunderbird however I don't seem to be able to authenticate
 to the SMTP server when sending. Do I need to specify a separate auth
 for sending through SMTP?

Thunderbird has separate auth setting for SMTP, however you should 
specify the same user/pass as for IMAP. Check also the option auth 
method and set encrypted password - which is luser translation of 
DIGEST/CRAM-MD5.

 If it can authenticate for IMAP using *digest_md5_sasl_server* why would
 it fail when sending?

Just because IMAP auth is done by cyrus and SMTP auth by exim ;) Check 
/var/log/exim/*log, there might be some hints...

-- 
S pozdravem
Vladislav Kurz

=== WebStep, s.r.o. (Ltd.) = a step to the Web ===
address: Mezirka 1, 602 00 Brno, CZ, tel: +420 548 214 711
=== www.webstep.net === vladislav.k...@webstep.net ===


Re: cyradm cannot connect to cyrus imap server

2014-02-20 Thread Scott Lambert
On Thu, Feb 20, 2014 at 10:35:42AM +0100, Willy Offermans wrote:
 Dear Cyrus Friends,

 I need your help to solve the following:

 I'm setting up cyrus on my new FreeBSD 10.0 server. I have used the following
 package: cyrus-imapd24-2.4.17_4

 If I test my setup with imtest, I get connection to the imap server.

 MyName@MyComputer:~$ imtest -m login -u username -a username -s localhost

 It works

 However, if I try to connect via cyradm, I cannot login.

 MyName@MyComputer:~$ cyradm --user username localhost
 Password:
 verify error:num=19:self signed certificate in certificate chain
 cyradm: cannot authenticate to server with  as username


You specified your authentication mechanism to be login with imtest.

You did not specify an authentication mechanism with cyradm.

Perhaps it would work if you try :

cyradm --auth login --user username localhost

That is only a guess.

-- 
Scott Lambert    KC5MLE    Unix SysAdmin
lamb...@lambertfam.org



Re: cyradm cannot connect to cyrus imap server

2014-02-20 Thread Riccardo Veraldi
if cyrus is your user admin just do

cyradm --user cyrus --server localhost

and it will work

depending on your password backend you may need to add user cyrus with 
sasldb2 or
if you use local unix account with saslauthd you just need to set a 
password for user cyrus with passwd



On 2/20/14 11:12 PM, Scott Lambert wrote:
 On Thu, Feb 20, 2014 at 10:35:42AM +0100, Willy Offermans wrote:
 Dear Cyrus Friends,

 I need your help to solve the following:

 I'm setting up cyrus on my new FreeBSD 10.0 server. I have used the following
 package: cyrus-imapd24-2.4.17_4

 If I test my setup with imtest, I get connection to the imap server.

 MyName@MyComputer:~$ imtest -m login -u username -a username -s localhost

 It works

 However, if I try to connect via cyradm, I cannot login.

 MyName@MyComputer:~$ cyradm --user username localhost
 Password:
 verify error:num=19:self signed certificate in certificate chain
 cyradm: cannot authenticate to server with  as username

 You specified your authentication mechanism to be login with imtest.

 You did not specify an authentication mechanism with cyradm.

 Perhaps it would work if you try :

 cyradm --auth login --user username localhost

 That is only a guess.


