Re: cyrus 2.5 imap idle/stuck connections (DOS like)

2019-03-07 Thread Wolfgang Breyha
Heiler Bemerguy via Info-cyrus wrote on 07/03/2019 16:30:
> My  "man imapd.conf" doesn't list this option at all. I think my Cyrus 
> 2.5.10 is older than it..

Yes. It appeared in 2.5.11 according to my build environment.

But there already was the option
 timeout: 30
before. So every connection was closed by default after 30 minutes if there
was no activity.

"imapidletimeout" uses the value of "timeout" as upper limit default as well.

> But I've added it to the .conf anyway. Won't hurt if it doesn't exist 
> yet, right? lol
I currently don't remember if imapd ignores unknown options or fails on startup.

But maybe the better option is to use
tcp_keepalive: yes
anyway.

We had "dead" connections as well before imapidletimeout existed and I was
able to get rid of them by activating keepalives to trigger the "timeout: 30"
check.

Greetings, Wolfgang
-- 
Wolfgang Breyha  | https://www.blafasel.at/
Vienna University Computer Center | Austria


Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus

Re: cyrus 2.5 imap idle/stuck connections (DOS like)

2019-03-07 Thread Heiler Bemerguy via Info-cyrus
My  "man imapd.conf" doesn't list this option at all. I think my Cyrus 
2.5.10 is older than it..


But I've added it to the .conf anyway. Won't hurt if it doesn't exist 
yet, right? lol



Sincerely,

Heiler Bemerguy - CINBESA
Network, Wi-Fi,
Virtualization and Internet Services Analyst
(55) 91 98151-4894

On 07/03/2019 11:58, Wolfgang Breyha wrote:

Heiler Bemerguy via Info-cyrus wrote on 07/03/2019 15:39:

Yes I've read imapd.conf and cyrus.conf and found no options to limit
connections per source IP or "idleness"..

It means anyone can open a lot of connections to any port (143, 25, 110 etc)
and render the server unusable??

You can try to set
imapidletimeout: 
as documented in "man imapd.conf".

To keep your server "RFC friendly" this value should not be lower than 30
minutes, because RFC 2177:3. recommends that clients show activity at least
every 29 minutes.

Greetings, Wolfgang



Re: Murder, couldn't authenticate to backend server: no mechanism available

2019-03-07 Thread Ismaël Tanguy

Hi Mickael,

thank you very much.
That works.

I am now blocked in autocreating user on backend, but it's another 
problem ;-)


Thanks again,

Ismaël Tanguy

On 07/03/2019 at 11:55, Michael Menge wrote:

Hi,


I suspect, lmtp is trying to proxy auth, which is not possible with the PLAIN mech,
(but e.g. with LOGIN). So as only PLAIN is available "No worthy mechs found".

You can try not to set "mupdate_username: murder" in the frontend imapd.conf.
But keep "mupdate_authname: murder". This should result in normal PLAIN authentication
as user "murder".

Even if you enable the LOGIN mech, setting mupdate_username can cause some problems.
I can't remember which problems, but I reminded myself not to set mupdate_username
with a comment in my own imapd.conf

Regards

   Michael Menge


Quoting Ismaël Tanguy :


Hello,

I'm stuck configuring a murder cluster with one frontend and one backend.
LMTP between frontend and backend doesn't work, the logs say that no
mechanism is available.

I'm using sasl plain.
When turning saslauthd in debug mode, mta connection to frontend is
OK, but there's no request for the connection between frontend and
backend.

lmtptest -t "" -a murder backend is OK and goes over TLS.
Here's the debug log:

### /var/log/maillog -> frontend cyrus

frontend cyrus/lmtp[19541]: accepted connection
frontend cyrus/lmtp[19541]: connection from mta.domain [IP]
frontend cyrus/lmtp[19541]: command: LHLO mta.domain
frontend cyrus/lmtp[19541]: TLS is available.
frontend cyrus/lmtp[19541]: command: STARTTLS
frontend cyrus/lmtp[19541]: TLS is available.
frontend cyrus/lmtp[19541]: SSL_accept() incomplete -> wait
frontend cyrus/lmtp[19541]: SSL_accept() succeeded -> done
frontend cyrus/lmtp[19541]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
frontend cyrus/lmtp[19541]: command: LHLO mta.domain
frontend cyrus/lmtp[19541]: TLS is available.
frontend cyrus/lmtp[19541]: command: AUTH PLAIN ***
frontend cyrus/lmtp[19541]: login: mta.domain [IP] cyrus PLAIN+TLS User logged in
frontend cyrus/lmtp[19541]: command: MAIL FROM: SIZE=576
frontend cyrus/lmtp[19541]: command: RCPT TO:
frontend cyrus/lmtp[19541]: command: DATA
frontend cyrus/lmtp[19541]: USAGE  user: 0.030932 sys: 0.017066
frontend cyrus/lmtp[19537]: accepted connection
frontend cyrus/lmtp[19537]: connection from frontend.domain [IP]
frontend cyrus/lmtp[19537]: command: LHLO lmtpproxyd
frontend cyrus/lmtp[19537]: TLS is available.
frontend cyrus/lmtp[19537]: command: STARTTLS
frontend cyrus/lmtp[19537]: TLS is available.
frontend cyrus/lmtp[19541]: tls_server_ca_dir=(NULL) tls_server_ca_file=/etc/ssl/certs/wildcard.ca
frontend cyrus/lmtp[19537]: SSL_accept() incomplete -> wait
frontend cyrus/lmtp[19541]: Doing a peer verify
frontend cyrus/lmtp[19541]: Doing a peer verify
frontend cyrus/lmtp[19541]: Doing a peer verify
frontend cyrus/lmtp[19537]: Doing a peer verify
frontend cyrus/lmtp[19537]: Doing a peer verify
frontend cyrus/lmtp[19537]: Doing a peer verify
frontend cyrus/lmtp[19537]: SSL_accept() incomplete -> wait
frontend cyrus/lmtp[19537]: SSL_accept() succeeded -> done
frontend cyrus/lmtp[19537]: received client certificate
frontend cyrus/lmtp[19537]: subject=***
frontend cyrus/lmtp[19537]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) authenticated as *.domain
frontend cyrus/lmtp[19541]: received server certificate
frontend cyrus/lmtp[19541]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new client) no authentication
frontend cyrus/lmtp[19537]: command: LHLO lmtpproxyd
frontend cyrus/lmtp[19537]: TLS is available.
frontend cyrus/lmtp[19541]: couldn't authenticate to backend server: no mechanism available
frontend cyrus/lmtp[19537]: command: QUIT
frontend cyrus/lmtp[19541]: command: QUIT

### saslauthd -d -a pam  >> cyrus is lmtpuser from mta, murder is lmtpuser for the backend,
### lmtp connection to the backend doesn't go to saslauthd
saslauthd[19525] :rel_accept_lock : released accept lock
saslauthd[19527] :get_accept_lock : acquired accept lock
saslauthd[19525] :do_auth : auth success: [user=cyrus] [service=lmtp] [realm=] [mech=pam]
saslauthd[19525] :do_request  : response: OK

### /var/log/messages
frontend cyrus/lmtp[19563]: No worthy mechs found
frontend cyrus/lmtp[19563]: No worthy mechs found

### /var/log/maillog -> mta postfix
mta postfix/smtpd[7678]: connect from client_test
mta postfix/smtpd[7678]: DCAEF10392E5: client=client_test
mta postfix/cleanup[7682]: DCAEF10392E5: message-id=<>
mta postfix/qmgr[2161]: DCAEF10392E5: from=, size=576, nrcpt=1 (queue active)
mta postfix/smtpd[7678]: disconnect from client_test
mta postfix/lmtp[7683]: Untrusted TLS connection established to frontend:24: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
mta postfix/lmtp[7683]: DCAEF10392E5: to=, relay=frontend:24,

Re: cyrus 2.5 imap idle/stuck connections (DOS like)

2019-03-07 Thread Heiler Bemerguy via Info-cyrus

Thank you very much, it worked perfectly.


Best Regards,

Heiler Bemerguy - CINBESA
Network, Wi-Fi,
Virtualization and Internet Services Analyst
(55) 91 98151-4894

On 07/03/2019 11:55, Ivan Kuznetsov wrote:

Hello

iptables -A INPUT -p tcp --syn --dport 143 -m connlimit --connlimit-above 8 -j REJECT


This will limit established imap connections to 8 per ip


07.03.2019 17:39, Heiler Bemerguy via Info-cyrus wrote:
Yes I've read imapd.conf and cyrus.conf and found no options to limit 
connections per source IP or "idleness"..


It means anyone can open a lot of connections to any port (143, 25, 
110 etc) and render the server unusable??


I'm using Debian, so I'll try to figure out how to do that with 
iptables.. Thanks!



Best Regards,

Heiler Bensimon Bemerguy - CINBESA
Network, Wi-Fi,
Virtualization and Internet Services Analyst
(55) 91 98151-4894

On 07/03/2019 11:25, Willem Offermans wrote:

Dear Cyrus friends and Heiler Bensimon Bemerguy,

You could use your firewall to achieve this.

For ipfw:

${fwcmd} add pass tcp from any to ${ip_me} imap setup limit src-addr 10

You have to look up the right syntax for your firewall.

Did you check man imapd or man cyrus, maybe there is also an option 
for the daemon itself, but I would prefer the firewall.



Wiel Offermans
wil...@offermans.rompen.nl 




On 7 Mar 2019, at 14:53, Heiler Bemerguy via Info-cyrus wrote:


Hail,

I've noticed a user with ~200 open connections to cyrus imap port 
(143) and, because of him, no one else could login to the server.


I've noticed even with a single "telnet ip 143", the connection is 
accepted and never ever dropped, even while still unauthenticated.


How to stop that from happening?

cyrus.conf:
imap    cmd="imapd -U 30" listen="imap" prefork=6 maxchild=200


--
Sincerely,

Heiler Bensimon Bemerguy - CINBESA
Network, Wi-Fi,
Virtualization and Internet Services Analyst
(55) 91 98151-4894



Re: cyrus 2.5 imap idle/stuck connections (DOS like)

2019-03-07 Thread Wolfgang Breyha
Heiler Bemerguy via Info-cyrus wrote on 07/03/2019 15:39:
> Yes I've read imapd.conf and cyrus.conf and found no options to limit
> connections per source IP or "idleness"..
> 
> It means anyone can open a lot of connections to any port (143, 25, 110 etc)
> and render the server unusable??
You can try to set
imapidletimeout: 
as documented in "man imapd.conf".

To keep your server "RFC friendly" this value should not be lower than 30
minutes, because RFC 2177:3. recommends that clients show activity at least
every 29 minutes.

Greetings, Wolfgang
-- 
Wolfgang Breyha  | https://www.blafasel.at/
Vienna University Computer Center | Austria




Re: cyrus 2.5 imap idle/stuck connections (DOS like)

2019-03-07 Thread Ivan Kuznetsov

Hello

iptables -A INPUT -p tcp --syn --dport 143 -m connlimit --connlimit-above 8 -j REJECT


This will limit established imap connections to 8 per ip


07.03.2019 17:39, Heiler Bemerguy via Info-cyrus wrote:
Yes I've read imapd.conf and cyrus.conf and found no options to limit 
connections per source IP or "idleness"..


It means anyone can open a lot of connections to any port (143, 25, 110 
etc) and render the server unusable??


I'm using Debian, so I'll try to figure out how to do that with 
iptables.. Thanks!



Best Regards,

Heiler Bensimon Bemerguy - CINBESA
Network, Wi-Fi,
Virtualization and Internet Services Analyst
(55) 91 98151-4894

On 07/03/2019 11:25, Willem Offermans wrote:

Dear Cyrus friends and Heiler Bensimon Bemerguy,

You could use your firewall to achieve this.

For ipfw:

${fwcmd} add pass tcp from any to ${ip_me} imap setup limit src-addr 10

You have to look up the right syntax for your firewall.

Did you check man imapd or man cyrus, maybe there is also an option 
for the daemon itself, but I would prefer the firewall.



Wiel Offermans
wil...@offermans.rompen.nl 




On 7 Mar 2019, at 14:53, Heiler Bemerguy via Info-cyrus wrote:


Hail,

I've noticed a user with ~200 open connections to cyrus imap port 
(143) and, because of him, no one else could login to the server.


I've noticed even with a single "telnet ip 143", the connection is 
accepted and never ever dropped, even while still unauthenticated.


How to stop that from happening?

cyrus.conf:
imap    cmd="imapd -U 30" listen="imap" prefork=6 maxchild=200


--
Sincerely,

Heiler Bensimon Bemerguy - CINBESA
Network, Wi-Fi,
Virtualization and Internet Services Analyst
(55) 91 98151-4894





--
Best regards, Ivan Kuznetsov
Head of the Technical Department

"SOLVO" Company
+7(812)60-60-555
+7(495)66-83-003
+7(921)740-72-61
http://www.solvo.ru
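
A companion check for the per-source limit discussed in this message, as an added example that is not part of the original thread: it counts connections per source address to one local port and lists the sources above the limit (more than 8 here, matching `--connlimit-above 8`). The function names are hypothetical, the input is assumed to be `ss -Htn state established` style lines, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Counts TCP connections per source
# address to one local port and lists sources above a limit, i.e. the
# sources a connlimit rule with that threshold would start rejecting.
#
# Assumed input: one socket per line, with local and peer address:port as
# the last two fields, as printed by:  ss -Htn state established
# Function names are hypothetical.

# over_limit PORT LIMIT   (reads socket lines on stdin)
# Prints "COUNT ADDRESS" for every peer with more than LIMIT connections,
# busiest first.
over_limit() {
    awk -v port="$1" -v limit="$2" '
        NF >= 2 {
            laddr = $(NF - 1)
            paddr = $NF
            # Local port is the text after the last colon; this works for
            # 192.0.2.1:143 and for [2001:db8::1]:143 alike.
            lport = laddr
            sub(/^.*:/, "", lport)
            if (lport != port) next
            # Drop the peer port to get the source address.
            sub(/:[0-9]+$/, "", paddr)
            count[paddr]++
        }
        END {
            for (ip in count)
                if (count[ip] > limit) print count[ip], ip
        }
    ' | sort -rn
}

# Constructed sample data (documentation address ranges): one source with
# 10 IMAP connections, one with 2, one SMTP connection, one IPv6 client.
sample_ss_output() {
    i=0
    while [ "$i" -lt 10 ]; do
        echo "0 0 203.0.113.5:143 192.0.2.10:$((50000 + i))"
        i=$((i + 1))
    done
    echo "0 0 203.0.113.5:143 198.51.100.7:41000"
    echo "0 0 203.0.113.5:143 198.51.100.7:41001"
    echo "0 0 203.0.113.5:25 192.0.2.10:42000"
    echo "0 0 [2001:db8::1]:143 [2001:db8::99]:43000"
}

# On a live server: ss -Htn state established | over_limit 143 8
sample_ss_output | over_limit 143 8
```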


Re: cyrus 2.5 imap idle/stuck connections (DOS like)

2019-03-07 Thread Willem Offermans
Dear Cyrus friends and Heiler Bensimon Bemerguy,

Don’t forget to report your solution.

It might certainly help other Cyrus users as well, though it is not directly 
related to Cyrus.



Wiel Offermans
wil...@offermans.rompen.nl




> On 7 Mar 2019, at 15:39, Heiler Bemerguy via Info-cyrus 
>  wrote:
> 
> Yes I've read imapd.conf and cyrus.conf and found no options to limit 
> connections per source IP or "idleness".. 
> 
> It means anyone can open a lot of connections to any port (143, 25, 110 etc) 
> and render the server unusable??
> 
> I'm using Debian, so I'll try to figure out how to do that with iptables.. 
> Thanks!
> 
> 
> 
> Best Regards,
> 
> Heiler Bensimon Bemerguy - CINBESA
> Network, Wi-Fi,
> Virtualization and Internet Services Analyst
> (55) 91 98151-4894
> On 07/03/2019 11:25, Willem Offermans wrote:
>> Dear Cyrus friends and Heiler Bensimon Bemerguy,
>> 
>> You could use your firewall to achieve this.
>> 
>> For ipfw:
>> 
>> ${fwcmd} add pass tcp from any to ${ip_me} imap setup limit src-addr 10
>> 
>> You have to look up the right syntax for your firewall.
>> 
>> Did you check man imapd or man cyrus, maybe there is also an option for the 
>> daemon itself, but I would prefer the firewall. 
>> 
>> 
>> Wiel Offermans
>> wil...@offermans.rompen.nl 
>> 
>> 
>> 
>> 
>>> On 7 Mar 2019, at 14:53, Heiler Bemerguy via Info-cyrus 
>>> <info-cyrus@lists.andrew.cmu.edu> wrote:
>>> 
>>> Hail,
>>> 
>>> I've noticed a user with ~200 open connections to cyrus imap port (143) 
>>> and, because of him, no one else could login to the server.
>>> 
>>> I've noticed even with a single "telnet ip 143", the connection is accepted 
>>> and never ever dropped, even while still unauthenticated.
>>> 
>>> How to stop that from happening?
>>> 
>>> cyrus.conf:
>>> imap    cmd="imapd -U 30" listen="imap" prefork=6 maxchild=200
>>> 
>>> 
>>> -- 
>>> Sincerely,
>>> 
>>> Heiler Bensimon Bemerguy - CINBESA
>>> Network, Wi-Fi,
>>> Virtualization and Internet Services Analyst
>>> (55) 91 98151-4894
>>> 
>>> 



Re: cyrus 2.5 imap idle/stuck connections (DOS like)

2019-03-07 Thread Heiler Bemerguy via Info-cyrus

  
  
Yes I've read imapd.conf and cyrus.conf and found no options to limit
connections per source IP or "idleness"..

It means anyone can open a lot of connections to any port (143, 25, 110 etc)
and render the server unusable??

I'm using Debian, so I'll try to figure out how to do that with iptables..
Thanks!

Best Regards,

Heiler Bensimon Bemerguy - CINBESA
Network, Wi-Fi,
Virtualization and Internet Services Analyst
(55) 91 98151-4894

On 07/03/2019 11:25, Willem Offermans wrote:

Dear Cyrus friends and Heiler Bensimon Bemerguy,

You could use your firewall to achieve this.

For ipfw:

${fwcmd} add pass tcp from any to ${ip_me} imap setup limit src-addr 10

You have to look up the right syntax for your firewall.

Did you check man imapd or man cyrus, maybe there is also an option for the
daemon itself, but I would prefer the firewall.

Wiel Offermans
wil...@offermans.rompen.nl

On 7 Mar 2019, at 14:53, Heiler Bemerguy via Info-cyrus wrote:

Hail,

I've noticed a user with ~200 open connections to cyrus imap port (143)
and, because of him, no one else could login to the server.

I've noticed even with a single "telnet ip 143", the connection is accepted
and never ever dropped, even while still unauthenticated.

How to stop that from happening?

cyrus.conf:
imap    cmd="imapd -U 30" listen="imap" prefork=6 maxchild=200

--
Sincerely,

Heiler Bensimon Bemerguy - CINBESA
Network, Wi-Fi,
Virtualization and Internet Services Analyst
(55) 91 98151-4894

Re: cyrus 2.5 imap idle/stuck connections (DOS like)

2019-03-07 Thread Willem Offermans
Dear Cyrus friends and Heiler Bensimon Bemerguy,

You could use your firewall to achieve this.

For ipfw:

${fwcmd} add pass tcp from any to ${ip_me} imap setup limit src-addr 10

You have to look up the right syntax for your firewall.

Did you check man imapd or man cyrus, maybe there is also an option for the 
daemon itself, but I would prefer the firewall. 


Wiel Offermans
wil...@offermans.rompen.nl




> On 7 Mar 2019, at 14:53, Heiler Bemerguy via Info-cyrus 
>  wrote:
> 
> Hail,
> 
> I've noticed a user with ~200 open connections to cyrus imap port (143) 
> and, because of him, no one else could login to the server.
> 
> I've noticed even with a single "telnet ip 143", the connection is accepted 
> and never ever dropped, even while still unauthenticated.
> 
> How to stop that from happening?
> 
> cyrus.conf:
> imap    cmd="imapd -U 30" listen="imap" prefork=6 maxchild=200
> 
> 
> -- 
> Sincerely,
> 
> Heiler Bensimon Bemerguy - CINBESA
> Network, Wi-Fi,
> Virtualization and Internet Services Analyst
> (55) 91 98151-4894
> 
> 



Murder, couldn't authenticate to backend server: no mechanism available

2019-03-07 Thread Ismaël Tanguy

Hello,

I'm stuck configuring a murder cluster with one frontend and one backend.
LMTP between frontend and backend doesn't work, the logs say that no 
mechanism is available.

I'm using sasl plain.
When turning saslauthd in debug mode, mta connection to frontend is OK, 
but there's no request for the connection between frontend and backend.

lmtptest -t "" -a murder backend is OK and goes over TLS.
Here's the debug log:

### /var/log/maillog -> frontend cyrus

frontend cyrus/lmtp[19541]: accepted connection
frontend cyrus/lmtp[19541]: connection from mta.domain [IP]
frontend cyrus/lmtp[19541]: command: LHLO mta.domain
frontend cyrus/lmtp[19541]: TLS is available.
frontend cyrus/lmtp[19541]: command: STARTTLS
frontend cyrus/lmtp[19541]: TLS is available.
frontend cyrus/lmtp[19541]: SSL_accept() incomplete -> wait
frontend cyrus/lmtp[19541]: SSL_accept() succeeded -> done
frontend cyrus/lmtp[19541]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
frontend cyrus/lmtp[19541]: command: LHLO mta.domain
frontend cyrus/lmtp[19541]: TLS is available.
frontend cyrus/lmtp[19541]: command: AUTH PLAIN ***
frontend cyrus/lmtp[19541]: login: mta.domain [IP] cyrus PLAIN+TLS User logged in
frontend cyrus/lmtp[19541]: command: MAIL FROM: SIZE=576
frontend cyrus/lmtp[19541]: command: RCPT TO:
frontend cyrus/lmtp[19541]: command: DATA
frontend cyrus/lmtp[19541]: USAGE  user: 0.030932 sys: 0.017066
frontend cyrus/lmtp[19537]: accepted connection
frontend cyrus/lmtp[19537]: connection from frontend.domain [IP]
frontend cyrus/lmtp[19537]: command: LHLO lmtpproxyd
frontend cyrus/lmtp[19537]: TLS is available.
frontend cyrus/lmtp[19537]: command: STARTTLS
frontend cyrus/lmtp[19537]: TLS is available.
frontend cyrus/lmtp[19541]: tls_server_ca_dir=(NULL) tls_server_ca_file=/etc/ssl/certs/wildcard.ca
frontend cyrus/lmtp[19537]: SSL_accept() incomplete -> wait
frontend cyrus/lmtp[19541]: Doing a peer verify
frontend cyrus/lmtp[19541]: Doing a peer verify
frontend cyrus/lmtp[19541]: Doing a peer verify
frontend cyrus/lmtp[19537]: Doing a peer verify
frontend cyrus/lmtp[19537]: Doing a peer verify
frontend cyrus/lmtp[19537]: Doing a peer verify
frontend cyrus/lmtp[19537]: SSL_accept() incomplete -> wait
frontend cyrus/lmtp[19537]: SSL_accept() succeeded -> done
frontend cyrus/lmtp[19537]: received client certificate
frontend cyrus/lmtp[19537]: subject=***
frontend cyrus/lmtp[19537]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) authenticated as *.domain
frontend cyrus/lmtp[19541]: received server certificate
frontend cyrus/lmtp[19541]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new client) no authentication
frontend cyrus/lmtp[19537]: command: LHLO lmtpproxyd
frontend cyrus/lmtp[19537]: TLS is available.
frontend cyrus/lmtp[19541]: couldn't authenticate to backend server: no mechanism available
frontend cyrus/lmtp[19537]: command: QUIT
frontend cyrus/lmtp[19541]: command: QUIT

### saslauthd -d -a pam  >> cyrus is lmtpuser from mta, murder is lmtpuser for the backend,
### lmtp connection to the backend doesn't go to saslauthd
saslauthd[19525] :rel_accept_lock : released accept lock
saslauthd[19527] :get_accept_lock : acquired accept lock
saslauthd[19525] :do_auth : auth success: [user=cyrus] [service=lmtp] [realm=] [mech=pam]
saslauthd[19525] :do_request  : response: OK

### /var/log/messages
frontend cyrus/lmtp[19563]: No worthy mechs found
frontend cyrus/lmtp[19563]: No worthy mechs found

### /var/log/maillog -> mta postfix
mta postfix/smtpd[7678]: connect from client_test
mta postfix/smtpd[7678]: DCAEF10392E5: client=client_test
mta postfix/cleanup[7682]: DCAEF10392E5: message-id=<>
mta postfix/qmgr[2161]: DCAEF10392E5: from=, size=576, nrcpt=1 (queue active)
mta postfix/smtpd[7678]: disconnect from client_test
mta postfix/lmtp[7683]: Untrusted TLS connection established to frontend:24: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
mta postfix/lmtp[7683]: DCAEF10392E5: to=, relay=frontend:24, delay=0.1, delays=0.01/0/0.07/0.02, dsn=4.4.3, status=deferred (host frontend said: 451 4.4.3 Remote server unavailable (in reply to end of DATA command))



### /etc/imapd.conf -> frontend
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
mupdate_server: cyrus-murder.univ-brest.fr
mupdate_username: murder
mupdate_authname: murder
mupdate_password: password
backend_password: password
proxy_authname: murder


### /etc/cyrus.conf -> frontend
START {
  recover   cmd="ctl_cyrusdb -r"
}
SERVICES {
  # add or remove based on preferences
  mupdate   cmd="mupdate" listen=3905 prefork=1
  imap  cmd="imapd" listen="imap" prefork=5
  imaps cmd="imapd -s" listen="imaps" prefork=1
  pop3  cmd="pop3d" listen="pop3" prefork=3
  pop3s cmd="pop3d -s" listen="pop3s" prefork=1
  sieve