Re: Can't login: @-sign in login name
Alexander Dalloz <"ad+lists"@uni-x.org> wrote on Thu, 23.10.2014 23:39:
> On 23.10.2014 at 22:28, Admin@bbs1 wrote:
> > Hi,
> > due to a server change I ported my LDAP accounts to a new host. I tried
> > to migrate my cyrus imap settings but I still can't log in, because the
> > realm is stripped. For example "i...@my-domain.com" becomes simply "info".
> > I tried to adapt the /etc/saslauthd.conf but that doesn't seem to
> > change anything. I think some parts of the underlying system have changed
> > substantially over the years. New OS is CentOS release 6.5 (Final).
> >
> > /etc/saslauthd.conf:
> > ldap_servers: ldap://localhost:389/
> > ldap_scope: sub
> > ldap_password_attr: userPassword
> > ldap_default_realm: basichostname.net
> > ldap_filter: uid=%U@%r
> > ldap_search_base: dc=my-domain,dc=com
>
> Make sure your saslauthd runs with parameter "-r". On CentOS 6 to be
> defined in /etc/sysconfig/saslauthd.

Wow! You can't imagine how much this hint helped me!

THANK YOU

Malte

> > Can anybody give me any helpful hints?
> >
> > Thanks a lot in advance
> > Malte
>
> Alexander

Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus

Re: POLL: per-domain shared folder/sieve/etc
On Thu, Oct 23, 2014, at 09:18 PM, Bron Gondwana wrote:
> If you DON'T have virtdomains, or the users are all in the default
> domain, then it will keep working just the same. I guess we could have
> a config option "strip domain if same" or something, and get the same
> display as what we have now despite the different representation
> internally. The only thing is, you _could_ share with users in other
> domains if you wanted.

(the reason why I don't mind suggesting this sort of option is that I'm very close to having code where there is just one place where all this logic would need to be, so the complexity load isn't so bad any more)

Bron.

--
Bron Gondwana
br...@fastmail.fm

Re: POLL: per-domain shared folder/sieve/etc
On Thu, Oct 23, 2014, at 09:03 PM, Stephen Ingram wrote:
> On Thu, Oct 23, 2014 at 5:59 PM, Bron Gondwana wrote:
>> On Thu, Oct 23, 2014, at 08:55 PM, Stephen Ingram wrote:
>>> On Wed, Oct 22, 2014 at 2:02 PM, Bron Gondwana wrote:
>>>
>>> We only set quotas on individual mailboxes so that wouldn't be a
>>> problem. We also don't have sieve scripts except per-mailbox, so
>>> ditto there.
>>
>> Sounds like you'll be fine.
>>
>>> I'm not quite clear though about the global sharing thing. Does this
>>> mean, for example, that if one user wants to share a mailbox with
>>> another user, its name has to be unique on the entire system? We
>>> would have users who would want to only share with other users in
>>> their domain.
>>
>> No, the per-user namespace is still fine - users can still share with
>> other users in their own domain - just currently it is technically
>> impossible to share with users in other domains right now - because
>> the mailbox naming is not RFC compliant, so it's not compatible with
>> real IMAP client, only with Cyrus management tools.
>>
>>> Since we support a single-realm Kerberos setup we only use usernames
>>> not email address login. Does that make any difference here since
>>> there appears to be an issue with the domain part?
>>
>> There's nothing wrong with running without domains still - there
>> would still be support for virtdomains: off, or else for a single
>> defaultdomain: "example.com" which would be appended/stripped as
>> appropriate.
>
> Great. I forgot to ask about unixhierarchysep. Does that mean that the
> default netnews "." way of doing things is going away? If so, will
> there be an easy way to convert?

Yeah, I'm afraid so. It's going to kind of suck for FastMail customers as much as anyone actually - since that's what we use!

But here's the thing:

a) it will be possible to switch to the netnews way if you want
b) but if you have virtdomains AND netnews separator, then that will mean that you need to switch. Hopefully most clients will cope - I haven't tested it.

If you DON'T have virtdomains, or the users are all in the default domain, then it will keep working just the same. I guess we could have a config option "strip domain if same" or something, and get the same display as what we have now despite the different representation internally. The only thing is, you _could_ share with users in other domains if you wanted.

Bron.

--
Bron Gondwana
br...@fastmail.fm

Re: POLL: per-domain shared folder/sieve/etc
On Thu, Oct 23, 2014 at 5:59 PM, Bron Gondwana wrote:
> On Thu, Oct 23, 2014, at 08:55 PM, Stephen Ingram wrote:
> > On Wed, Oct 22, 2014 at 2:02 PM, Bron Gondwana wrote:
> >
> > We only set quotas on individual mailboxes so that wouldn't be a problem.
> > We also don't have sieve scripts except per-mailbox, so ditto there.
>
> Sounds like you'll be fine.
>
> > I'm not quite clear though about the global sharing thing. Does this mean,
> > for example, that if one user wants to share a mailbox with another user,
> > its name has to be unique on the entire system? We would have users who
> > would want to only share with other users in their domain.
>
> No, the per-user namespace is still fine - users can still share with
> other users in their own domain - just currently it is technically
> impossible to share with users in other domains right now - because the
> mailbox naming is not RFC compliant, so it's not compatible with real IMAP
> client, only with Cyrus management tools.
>
> > Since we support a single-realm Kerberos setup we only use usernames not
> > email address login. Does that make any difference here since there appears
> > to be an issue with the domain part?
>
> There's nothing wrong with running without domains still - there would
> still be support for virtdomains: off, or else for a single defaultdomain:
> "example.com" which would be appended/stripped as appropriate.

Great. I forgot to ask about unixhierarchysep. Does that mean that the default netnews "." way of doing things is going away? If so, will there be an easy way to convert?

Steve

Re: POLL: per-domain shared folder/sieve/etc
On Thu, Oct 23, 2014, at 08:55 PM, Stephen Ingram wrote:
> On Wed, Oct 22, 2014 at 2:02 PM, Bron Gondwana wrote:
>
> We only set quotas on individual mailboxes so that wouldn't be a
> problem. We also don't have sieve scripts except per-mailbox, so
> ditto there.

Sounds like you'll be fine.

> I'm not quite clear though about the global sharing thing. Does this
> mean, for example, that if one user wants to share a mailbox with
> another user, its name has to be unique on the entire system? We
> would have users who would want to only share with other users in
> their domain.

No, the per-user namespace is still fine - users can still share with other users in their own domain - just currently it is technically impossible to share with users in other domains right now - because the mailbox naming is not RFC compliant, so it's not compatible with real IMAP client, only with Cyrus management tools.

> Since we support a single-realm Kerberos setup we only use usernames
> not email address login. Does that make any difference here since
> there appears to be an issue with the domain part?

There's nothing wrong with running without domains still - there would still be support for virtdomains: off, or else for a single defaultdomain: "example.com" which would be appended/stripped as appropriate.

Bron.

--
Bron Gondwana
br...@fastmail.fm

Re: POLL: per-domain shared folder/sieve/etc
On Wed, Oct 22, 2014 at 2:02 PM, Bron Gondwana wrote:
> So Cyrus has three different types of domain split:
>
> * none at all
> * "on/yes" => weird reverse DNS hackery
> * userid => login with domain.
>
> As part of finally switching to unixhierarchysep: on (yay) and better key
> format (double yay) I want to change the overarching "split users into
> separate domains" logic we have right now.
>
> Yes, that means a massive change, instead of internally:
>
> example.com!user.foo.bar <=> user/foo/b...@example.com (which is a
> million ways of bogus) we would have:
>
> user.foo@example^com.bar <=> user/f...@example.com/bar
>
> Or in alt namespace:
>
> Other Users/f...@example.com/bar
>
> This means we will finally be able to share things across domains. It
> creates a single consistent way to access everything.
>
> The problem is, it means you can't set quotas per domain, you can't have
> sieve scripts per domain, and most of all - you can't have shared folders
> in a domain.
>
> example.com!shared.stuff worked fine, but
>
> shared.example^com.stuff would be weird. It's just a folder, and wouldn't
> be treated specially in any way. The domain would have no special meaning.
>
> This is all, obviously, Cyrus 3.0 stuff. It's a significant change in how
> folder naming works. It's really good for removing some inconsistencies
> though. I just want to have an idea of whether it will mess up anyone's
> existing workflows - and if so how we can make sure you can still achieve a
> similar result, even if it doesn't look quite the same in the new world.

We only set quotas on individual mailboxes so that wouldn't be a problem. We also don't have sieve scripts except per-mailbox, so ditto there.

I'm not quite clear though about the global sharing thing. Does this mean, for example, that if one user wants to share a mailbox with another user, its name has to be unique on the entire system? We would have users who would want to only share with other users in their domain.

Since we support a single-realm Kerberos setup we only use usernames not email address login. Does that make any difference here since there appears to be an issue with the domain part?

Steve

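The renaming in the quoted proposal, as an added Python sketch (not Cyrus code, and the final Cyrus 3.0 key format may differ): it rewrites old `domain!user...` keys into the proposed layout and lists the per-domain non-user mailboxes, such as shared folders, that lose their domain scope and need an explicit naming and ACL decision on a multi-tenant server. The function names and all sample keys except the two taken from the proposal are assumptions.

```python
def escape_domain(domain):
    # '.' is the internal hierarchy separator, so dots inside the domain
    # are written as '^' (example.com -> example^com, as in the proposal).
    return domain.replace(".", "^")


def old_to_new(old_key):
    """Map 'domain!user.local.folder' to 'user.local@domain^tld.folder'.

    Returns None for a per-domain mailbox outside user.*, because the
    proposal gives the domain no special meaning there.
    """
    domain, sep, rest = old_key.partition("!")
    if not sep:
        # No domain prefix: default-domain mailbox, keeps working as before.
        return old_key
    parts = rest.split(".")
    if parts[0] != "user" or len(parts) < 2 or not parts[1]:
        return None
    owner = parts[1] + "@" + escape_domain(domain)
    return ".".join(["user", owner] + parts[2:])


def to_external(new_key):
    """Client view with unixhierarchysep on: '.' becomes '/', '^' becomes '.'."""
    return new_key.translate(str.maketrans({".": "/", "^": "."}))


def plan_migration(old_keys):
    """Split keys into a rename map and a list needing a manual decision."""
    renamed, needs_decision = {}, []
    for key in old_keys:
        new_key = old_to_new(key)
        if new_key is None:
            needs_decision.append(key)
        else:
            renamed[key] = new_key
    return renamed, needs_decision


# Constructed sample; the two example.com keys are the ones in the proposal.
SAMPLE = [
    "example.com!user.foo.bar",
    "example.org!user.alice",
    "example.org!user.alice.Sent",
    "example.com!shared.stuff",
    "user.localonly.Drafts",
]

if __name__ == "__main__":
    renamed, needs_decision = plan_migration(SAMPLE)
    for old, new in renamed.items():
        print(f"{old:32} -> {new:32} ({to_external(new)})")
    for key in needs_decision:
        print(f"{key:32} -> no per-domain equivalent, decide name and ACL")
```
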
Re: Can't login: @-sign in login name
On 23.10.2014 at 22:28, Admin@bbs1 wrote:
> Hi,
> due to a server change I ported my LDAP accounts to a new host. I tried
> to migrate my cyrus imap settings but I still can't log in, because the
> realm is stripped. For example "i...@my-domain.com" becomes simply "info".
> I tried to adapt the /etc/saslauthd.conf but that doesn't seem to
> change anything. I think some parts of the underlying system have changed
> substantially over the years. New OS is CentOS release 6.5 (Final).
>
> /etc/saslauthd.conf:
> ldap_servers: ldap://localhost:389/
> ldap_scope: sub
> ldap_password_attr: userPassword
> ldap_default_realm: basichostname.net
> ldap_filter: uid=%U@%r
> ldap_search_base: dc=my-domain,dc=com

Make sure your saslauthd runs with parameter "-r". On CentOS 6 to be defined in /etc/sysconfig/saslauthd.

> Can anybody give me any helpful hints?
>
> Thanks a lot in advance
> Malte

Alexander

Can't login: @-sign in login name
Hi,

due to a server change I ported my LDAP accounts to a new host. I tried to migrate my cyrus imap settings but I still can't log in, because the realm is stripped. For example "i...@my-domain.com" becomes simply "info". I tried to adapt the /etc/saslauthd.conf but that doesn't seem to change anything. I think some parts of the underlying system have changed substantially over the years. New OS is CentOS release 6.5 (Final).

/etc/saslauthd.conf:
ldap_servers: ldap://localhost:389/
ldap_scope: sub
ldap_password_attr: userPassword
ldap_default_realm: basichostname.net
ldap_filter: uid=%U@%r
ldap_search_base: dc=my-domain,dc=com

/etc/imapd.conf:
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
unixhierarchysep: 1
virtdomains: yes
allowplaintext: yes
sasl_mech_list: DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
autocreatequota: 12048000

Can anybody give me any helpful hints?

Thanks a lot in advance
Malte

Re: Patch for adding tls_honor_cipher_order
Kristian Kræmmer Nielsen wrote on 17/10/14 15:13:
> The more important part of my previous mail is that there are issues with
> the patches that now have been merged into git. E.g. compression is not
> merged correctly and it is recommended to do negative list and not
> positive lists of protocols.

Yes, you're right. The patches in master tree have broken logic...

Option documentation says:

tls_versions: ssl2 ssl3 tls1_0 tls1_1 tls1_2
    Disable SSL/TLS protocols not in this list.

Code says:

+ if (strstr(tls_versions, "tls1_2") == NULL) { +#if (OPENSSL_VERSION_NUMBER >= 0x1000105fL) + off |= SSL_OP_NO_TLSv1_2; +#else + syslog(LOG_ERR, "ERROR: TLSv1.2 configured, OpenSSL < 1.0.1e insufficient"); +#endif + }

Setting the NO_TLSv1_2 option does the opposite of the expected/wanted behavior.

I also would prefer a negative list as most other daemons like apache, exim, ... use. Maybe a more generic

tls_openssl_options: no_ssl2 no_ssl3 no_compression prefer_server_cipher_order

would be better?

And yes, you're also right with mentioning that functionality is missing.

tls_compression: 0
    Enable TLS compression. Disabled by default.

tls_eccurve: prime256v1
    Select the elliptic curve used for ECDHE.

description is there, but there is no code doing it actually.

Support for ECDH auto mode in OpenSSL 1.2+ as provided in https://bugzilla.cyrusimap.org/attachment.cgi?id=1535 is missing in the documentation as well.

I think this should be fixed/enhanced for an alpha release of 2.5.

Greetings, Wolfgang

--
Wolfgang Breyha | http://www.blafasel.at/
Vienna University Computer Center | Austria

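Review bot: the syslog call in the #else branch of the tls1_2 check says "TLSv1.2 configured", but that branch is reached only when strstr(tls_versions, "tls1_2") == NULL, that is, when tls1_2 is absent from the list. On an OpenSSL older than 1.0.1e this logs an error for every configuration that leaves TLS 1.2 out and logs nothing for one that asks for it. Move the message to the case where the token is present and the library cannot provide the protocol. The strstr test also matches the name anywhere in the option string, so a whole-token comparison would be safer, in particular if negated names of the no_ssl3 kind suggested in this thread are ever accepted.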
Re: POLL: per-domain shared folder/sieve/etc
On Thu, Oct 23, 2014, at 05:39 AM, Clement Hermann (nodens) wrote:
> On 22/10/2014 23:02, Bron Gondwana wrote:
> So if I understand this correctly, it means we could still have "global"
> shared folders but not shared folders limited in a domain namespace like
> we have now?

Correct.

> if so, it seems both good and bad to me.
>
> The good: if you have several domains in a single organisation, you can
> have shared folder for all.

And likewise users can share across those domains, which is my real goal here (apart from neatness and RFC correctness of the view that the admin sees)

> The bad: in a multi-tenant environment, we can't provide shared folder
> to our customers without adding something to the name to ensure it is
> unique across all customers, or use the standard mailbox sharing (so
> the end user sees "Other users/mypublicmailbox@mydomain" in its client).
> No more "Shared Folders/contact" or "Shared Folders/public".

So you could do Shared Folders/mydomain.com/contact as well, but I do see your point.

> Shared folders in a multi-tenant environment is not so widespread I
> think, it's more a global organisation thing, but still, it could be an
> issue for some.
>
> I'm not sure how well it would be handled in groupware suites like Horde
> for instance.

Presumably with the right groups, it would work OK - unless the shared folder names are hard coded.

Another alternative is just to run a fully separate instance of Cyrus for every domain.

Bron.

--
Bron Gondwana
br...@fastmail.fm

Re: POLL: per-domain shared folder/sieve/etc
On 22/10/2014 23:02, Bron Gondwana wrote:
> The problem is, it means you can't set quotas per domain, you can't have
> sieve scripts per domain, and most of all - you can't have shared folders in
> a domain.
>
> example.com!shared.stuff worked fine, but
>
> shared.example^com.stuff would be weird. It's just a folder, and wouldn't be
> treated specially in any way. The domain would have no special meaning.

So if I understand this correctly, it means we could still have "global" shared folders but not shared folders limited in a domain namespace like we have now?

if so, it seems both good and bad to me.

The good: if you have several domains in a single organisation, you can have shared folder for all.

The bad: in a multi-tenant environment, we can't provide shared folder to our customers without adding something to the name to ensure it is unique across all customers, or use the standard mailbox sharing (so the end user sees "Other users/mypublicmailbox@mydomain" in its client). No more "Shared Folders/contact" or "Shared Folders/public".

Shared folders in a multi-tenant environment is not so widespread I think, it's more a global organisation thing, but still, it could be an issue for some.

I'm not sure how well it would be handled in groupware suites like Horde for instance.

Cheers,

--
Clément Hermann (nodens)

hanging POP3 client, how to kill
Hi,

from time to time I have hanging pop3 clients. I've activated telemetry logging (thanks Bron) for that single user to see the interaction between client and server. While downloading messages the client stops suddenly (in the middle of the body of a 6 MB big message) but the pop3 process is running for a long time.

Interestingly if changing on client side from pop3 to pop3s the same messages from the same account and from the same network are downloaded without any problems. There is an application firewall running on the router on client side, therefore I think this firewall application is analyzing the stream, but can't do that when using pop3s and that's why the messages are going through with pop3s.

I checked the same account with the same messages from other networks and I myself don't have any problems with pop3 and pop3s.

Question for me now is how to kill these hanging pop3 processes automatically? I didn't set poptimeout value so it should be 10 minutes by default, but those processes are running for a longer time.

Ciao
Marcus