Re: Security risk of POP3 & IMAP protocols
On Fri, Feb 13, 2009 at 03:21:06PM +, Ian Eiloart wrote:
>
> --On 13 February 2009 14:35:43 +0000 Alain Williams
> wrote:
>
> >That got me thinking
> >I rate limit ssh connections to try to prevent dictionary attacks (3
> >attempts/3 minutes/IP address). If I were to do the same with IMAP would
> >that cause problems with some clients, ie are there some clients that do
> >many connect/disconnects ?
>
> Yes. Anything that opens a bunch of mailboxes at the same time might be
> doing way more than that. You should be measuring "failed attempts", not
> "attempts".

Yes, but I do the rate limiting with iptables (Linux firewall).
I don't know how to feedback failed attempts to iptables.

--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
Past chairman of UKUUG: http://www.ukuug.org/
#include

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
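An added example, not part of the thread: one way to count failed logins rather than connections, using the 3 per 3 minutes per address threshold from the message above, and to turn the result into firewall rules. The log lines are constructed, and the "badlogin:" layout is an assumption about what the IMAP/POP3 daemons write to syslog; adjust the pattern to your own logs.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines (assumed layout, not taken from the thread).
SAMPLE_LOG = """\
Feb 13 15:00:01 mail imapd[2101]: login: pc1.example.org [192.0.2.10] alice plaintext User logged in
Feb 13 15:00:01 mail imapd[2102]: login: pc1.example.org [192.0.2.10] alice plaintext User logged in
Feb 13 15:00:02 mail imapd[2103]: login: pc1.example.org [192.0.2.10] alice plaintext User logged in
Feb 13 15:00:02 mail imapd[2104]: login: pc1.example.org [192.0.2.10] alice plaintext User logged in
Feb 13 15:01:10 mail imapd[2110]: badlogin: [203.0.113.7] plaintext admin SASL(-13): authentication failure: checkpass failed
Feb 13 15:01:40 mail imapd[2111]: badlogin: [203.0.113.7] plaintext root SASL(-13): authentication failure: checkpass failed
Feb 13 15:02:05 mail pop3d[2112]: badlogin: [203.0.113.7] plaintext test SASL(-13): authentication failure: checkpass failed
Feb 13 15:03:00 mail imapd[2120]: badlogin: pc2.example.org [192.0.2.20] plaintext bob SASL(-13): authentication failure: checkpass failed
Feb 13 15:09:30 mail imapd[2121]: badlogin: pc2.example.org [192.0.2.20] plaintext bob SASL(-13): authentication failure: checkpass failed
Feb 13 15:16:00 mail imapd[2122]: badlogin: pc2.example.org [192.0.2.20] plaintext bob SASL(-13): authentication failure: checkpass failed
"""

# timestamp, host, service[pid], then "badlogin: [optional rdns] [ip]"
BADLOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?:imapd|pop3d)\[\d+\]: "
    r"badlogin: (?:\S+ )?\[(?P<ip>[^\]]+)\]"
)


def offenders(log_text, max_failures=3, window=timedelta(minutes=3), year=2009):
    """Return addresses with >= max_failures failed logins inside any window.

    Successful logins are ignored, so a client that opens many mailboxes at
    once is never counted. Syslog has no year, so one is supplied.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    flagged = []
    for line in log_text.splitlines():
        m = BADLOGIN.match(line)
        if not m:
            continue
        try:
            # Parse the address: log content is attacker-influenced and must
            # not reach a firewall command unvalidated.
            ip = str(ipaddress.ip_address(m.group("ip")))
        except ValueError:
            continue
        when = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()
        if len(q) >= max_failures and ip not in flagged:
            flagged.append(ip)
    return flagged


def block_commands(ips, ports="110,143,993,995"):
    """Render (not execute) one DROP rule per offending address."""
    cmds = []
    for ip in ips:
        tool = "ip6tables" if ipaddress.ip_address(ip).version == 6 else "iptables"
        cmds.append(f"{tool} -I INPUT -s {ip} -p tcp -m multiport --dports {ports} -j DROP")
    return cmds


if __name__ == "__main__":
    for cmd in block_commands(offenders(SAMPLE_LOG)):
        print(cmd)
```

In the sample, 192.0.2.10 makes four connections in two seconds and is left alone, while 192.0.2.20 fails three times but never three times within three minutes.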
Re: Security risk of POP3 & IMAP protocols
On Fri, Feb 13, 2009 at 09:13:40AM -0500, Adam Tauno Williams wrote:
> On Fri, 2009-02-13 at 13:17 +, Duncan Gibb wrote:
> > Jason Voorhees wrote:
> > JV> a sales person told my friend that IMAP protocol is
> > JV> less secure than POP3 protocol.
> > Other people have covered the IMAP vs POP3 issues - Ian Batten most
> > comprehensively - but one comment I would add is that if you make either
> > service available to the open internet, even under SSL encryption,
> > password-based authentication is still susceptible to dictionary attack.
> > So IMAP and/or POP3 (and/or SMTP AUTH) should be included in the list
> > of things you rate limit, monitor for bad password attempts, and lock
> > remote hosts out of if it they do things that look suspicious.

That got me thinking
I rate limit ssh connections to try to prevent dictionary attacks (3 attempts/3 minutes/IP address).
If I were to do the same with IMAP would that cause problems with some clients,
ie are there some clients that do many connect/disconnects ?

> True; but really none of those good practices is specific to any
> protocol. The exact same charge could be leveled against HTTP, FTP,
> SSH, etc... and if you use certificate/PKI authentication you run the
> risk that someone could steal the private keys (and it isn't hard to
> make a setup where that is comically easy). It is really far and away
> more about end-to-end security practices than it is the OSI layer 7
> protocol(s) involved.

--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
Past chairman of UKUUG: http://www.ukuug.org/
#include
Re: Recommend how to move 31GB of mail to a new server
On Sun, Jun 24, 2007 at 10:50:28AM +0200, Ulrich Spoerlein wrote:
> On Sat, 23.06.2007 at 22:34:33 -0300, Patrick Boutilier wrote:
> > Daniel O'Connor wrote:
> > > On Sunday 24 June 2007 07:37, Gary Mills wrote:
> > >> For only 30 gigabytes, you might be better off just copying the files
> > >> over, with IMAP down. It could only take a few hours. You can copy
> > >> a sample from the live system to get an idea of the timing.
> > >
> > > You could rsync the mail spool while it is live, take it down and then
> > > rsync again.
> > >
> > > That should save considerable time as I would imagine the vast majority
> > > of email would be unchanged between the first & second copy.
> >
> > But unfortunately rsync will still have to scan each file to determine
> > what has changed, and that can chew up a lot of time.
>
> Better than to speculate is to measure.
> Time the rsync of the mailboxes to your new server. *Don't* shutdown
> cyrus, but rsync right again. Measure the second run, too. This will
> roughly be your expected downtime. I would be surprised if it is more
> than 5-10 minutes.
>
> You could also do: rsync (long time), rsync (short time), shutdown
> cyrus, rsync (even shorter time).

I did this a couple of years ago with some 250GB mail. Machines physically close,
so good connectivity, but 250GB still takes forever.

I ran rsync over a few nights, just killing it at 8am. This got us close to where
we wanted to be, then on a Saturday I took everything down and ran a final rsync
that, IIRC, took about 1/2 hour; switched cyrus/mail/... on the new server on
and voila - migration completed.

--
Alain Williams
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
Parliament Hill Computers Ltd.
Registration Information: http://www.phcomp.co.uk/contact.php
#include
Re: mail lists and cyrus
On Tue, Sep 05, 2006 at 10:21:28AM -0800, barsalou wrote:
> Maybe my google foo isn't very good, but I'm having a hard time finding
> information on how I might implement a mailing list using cyrus.
>
> Can someone give me a kick in the right direction?
>
> Using sendmail, ldap, cyrus.

It is not cyrus' job to implement a mail list, cyrus acts as a mail store once
mail has been delivered. That mail may have come from a mail list or been sent
from an individual.

To implement a mail list you need to get the MTA (sendmail) to recognise the
address as that of a list and pass it to appropriate mail list software,
mailman is what I use and it works well; others like majordomo.

--
Alain Williams
Parliament Hill Computers Ltd.
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
#include

Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: performance issue (imap spool on san)
On Fri, Jul 28, 2006 at 10:41:19AM +0200, Daniel Eckl wrote:
>
> Andrew Findlay wrote:
> >On Fri, Jul 28, 2006 at 12:18:12AM -0700, Nikola Milutinovic wrote:
> >
> >>So, perhaps we could state that the desired behavior of any IMAP
> >>client would be to fetch only those message headers it needs to and
> >>perhaps a bit more. In case of TB, that would translate to fetching
> >>only headers that would be visible to the user and perhaps
> >>screenful of header up and down.
> >
> >It also helps if the clients ask for a limited set of headers from
> >each message of interest.
>
> Yes, I want to second all these statements. That would be my preferred
> solution, too.
>
> By the way: I checked kmail's behavior. It fetches the headers of all
> mails in a folder, too, but I think it uses just the limited set of
> headers and that's why it is so incredible fast compared to thunderbird.

Might it not be better to have Cyrus 'learn' what header lines are needed,
rather than just bloating the list with more headers. The set of headers
would need to be dynamically changeable.

The points are:

1) different IMAP clients want different sets of headers. The same IMAP client
   at different releases might change the set requested.

2) most individual sites run only 2 or 3 different IMAP clients, why get Cyrus
   to collect the headers that the IMAP clients at that site don't want.

3) most system admins don't have the skills/inclination/... to optimise the set
   of headers cached.

--
Alain Williams
Parliament Hill Computers Ltd.
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
#include
LDAP problem
Summary: passwords with openldap 2.0 don't seem to work with openldap 2.2

I am migrating 9,000 users onto bigger hardware, two machines, etc.
User authentication is sasl with the info held in an openldap database.

After looong digging I find that the reason that users cannot login to imap
is down to the password in ldap somehow being wrong.

Old machine: openldap2-2.0.23 SUSE: Sles8
New machine: openldap2-2.2.6 SUSE: Sles9

The user information has been carried across in an ldif file.
The schema can't quite carry over since openldap 2.2 is more exacting than 2.0,
so a few fields I have to remove as I copied (users had 'objectClass: organization'
& the such, which they should not have).

I notice that /etc/openldap/schema/core.schema now (2.2) has commented out:

    attributetype ( 2.5.4.35 NAME 'userPassword'

but if I comment it back in openldap complains of duplicate attributeType.
I think that that is a red herring.

Passwords are set via a php script, the relevant bit is:

    $salt = pack("C2",(rand(0, 26)+65),(rand(0, 26)+65));
    $md5pw = md5($password . $salt);
    $bin = pack('H*', $md5pw);
    $encpw = base64_encode($bin . $salt);
    $mods['userPassword'] = '{smd5}' . $encpw; // $mods is the list of modifications

This works with openldap 2.0

The passwords that come out of ldapsearch look like:

    userPassword:: e3NtZDV9eUgrTHd1UUJENXl3RTlRaUpQNXZYbFpE

(for password 'password')

If I try and authenticate with that user:

    ldapsearch -LLL -b dc=example,dc=uk -D uid=testuser,dc=example,dc=uk -x -w password

it fails on the new system but works on the old one.

If (on the new system) I set the password on my testuser to (using slapadd):

    userPassword:: cGFzc3dvcmQ=

(also for 'password') authentication works properly. I can't remember how I
generated the above string, it is set for the cyrus user.

I don't want 9,000 users to have to have their password reset.

/etc/ldap.conf is the same on both machines.
/etc/slapd.conf contains (on both machines)

    password-hash {smd5}

syslog messages:

    saslauthd[26685]: Authentication failed for testuser: Bind to ldap server failed (invalid user/password or insufficient access) (-7)
    saslauthd[26685]: do_auth : auth failure: [user=testuser] [service=imap] [realm=] [mech=ldap] [reason=Unknown]

I am at a loss, has anyone got any pointers please.

TIA

--
Alain Williams
Parliament Hill Computers Ltd.
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
#include
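An added example, not part of the post: an offline check of a "userPassword::" value against a candidate password, following the same layout the PHP above produces (base64 of the MD5 digest followed by the salt, behind a {smd5} prefix). It separates "the stored hash is malformed or does not match" from "the hash is fine and the server is rejecting it"; the function names are this example's own.

```python
import base64
import hashlib
import hmac

# The two values quoted in the post, exactly as ldapsearch printed them
# ("userPassword::" with two colons means the value is base64-encoded).
LDIF_VALUE_FROM_POST = "e3NtZDV9eUgrTHd1UUJENXl3RTlRaUpQNXZYbFpE"
LDIF_CLEARTEXT_FROM_POST = "cGFzc3dvcmQ="


def parse_user_password(ldif_b64):
    """Decode a 'userPassword::' value into (scheme, digest_or_text, salt)."""
    raw = base64.b64decode(ldif_b64, validate=True)
    if not raw.startswith(b"{"):
        # No {scheme} prefix: the directory holds the password itself.
        return ("cleartext", raw, b"")
    scheme, _, body = raw[1:].partition(b"}")
    scheme = scheme.decode("ascii", "replace").lower()
    if scheme not in ("smd5", "md5"):
        raise ValueError(f"unsupported scheme {scheme!r}")
    blob = base64.b64decode(body, validate=True)
    # An MD5 digest is 16 bytes; anything after it is the salt.
    if len(blob) < 16 or (scheme == "md5" and len(blob) != 16):
        raise ValueError("value is the wrong length for an MD5 digest")
    return (scheme, blob[:16], blob[16:])


def make_smd5(password, salt):
    """Build the attribute value the way the PHP in the post does."""
    digest = hashlib.md5(password + salt).digest()
    return b"{smd5}" + base64.b64encode(digest + salt)


def to_ldif(value):
    """Encode an attribute value as it appears after 'userPassword::'."""
    return base64.b64encode(value).decode("ascii")


def check_password(ldif_b64, password):
    """True if 'password' (bytes) matches the stored value."""
    scheme, digest, salt = parse_user_password(ldif_b64)
    if scheme == "cleartext":
        return hmac.compare_digest(digest, password)
    return hmac.compare_digest(hashlib.md5(password + salt).digest(), digest)


if __name__ == "__main__":
    scheme, digest, salt = parse_user_password(LDIF_VALUE_FROM_POST)
    print("scheme:", scheme, "digest bytes:", len(digest), "salt:", salt)
    print("matches 'password':", check_password(LDIF_VALUE_FROM_POST, b"password"))
    print("cleartext matches:", check_password(LDIF_CLEARTEXT_FROM_POST, b"password"))
```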
Re: [info-cyrus] put on the subject line. was: spam
On Tue, May 17, 2005 at 07:43:44AM -0500, Greg Harris wrote:
> While some subject lines do get a little messy, it is easier for a person to
> jump past all of the junk in the subject line than to move messages between
> folders. This is the only list that I know of that does not add a tag to
> the subject line and I have always thought that it was a little weird and
> wished it was there.
>
> Just an opinion,

Seconded.

--
Alain Williams
Parliament Hill Computers Ltd.
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256
#include
Re: Spam coming from list server??
On Sun, May 15, 2005 at 07:40:25PM -0400, Derrick J Brashear wrote:
> On Sun, 15 May 2005, Patrick Gibson wrote:
>
> >Is there any particular reason why info-cyrus is not a closed list? It is
> >unnecessary in my opinion to be receiving spam via a list that can easily
> >restrict posting to subscribed members.
>
> The spam can be (and on other lists has been) forged as from members. Then
> what?

Quite possible ... but more difficult for the spammer to do. Making it closed
would improve matters.

I would also like to see '[info-cyrus]' put on the subject line.

--
Alain Williams
Parliament Hill Computers Ltd.
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256
#include
Re: Messages from 2004
On Sat, Feb 26, 2005 at 08:42:08AM -0500, Igor Brezac wrote:
>
> You are not alone...

Yes: about a new one every 30 seconds :-(

> -Igor
>
> On Sat, 26 Feb 2005, Tibor-Attila ANCA wrote:
>
> >Hello List,
> >
> >is there something strange on the list? I am getting messages of the
> >last year (December)? Someone else too?
> >
> >By,
> >
>
> --
> Igor

--
Alain Williams
0787 668 0256
#include
Sign the "Thank you, Poland!" http://thankpoland.info/
Re: Cyrus + (insert Best MTA here) Suggestions
On Thu, Nov 18, 2004 at 04:45:55PM +0100, Andrzej Adam Filip wrote:
> Ow Mun Heng wrote:
> >On Thu, 2004-11-18 at 16:31, [EMAIL PROTECTED] wrote:
> >[...]
> >>No Sendmail guru here, but if you use procmail you have lost on the
> >>performance
> >>comparison ;-)
> >
> >Fedora/redhat by default uses procmail as its default lmtp.
> >
> >what do you use then? Is Cyrus considered a LMTP or..?
>
> If you want to integrate sendmail and cyrus then take a look at
> http://anfi.homeunix.net/sendmail/rtcyrus2.html
>
> [Exim variant: http://pse.anfi.org/exim/rtvcyrus.html ]

That does not work, try:

    http://anfi.homeunix.net/exim/rtvcyrus.html

> --
> Andrzej [en:Andrew] Adam Filip [EMAIL PROTECTED] [EMAIL PROTECTED]
> Home Page http://anfi.homeunix.net/ [ PageRank 6 ]

--
Alain Williams
#include
Re: reconstruct with unixhierarchysep:yes
On Wed, Oct 13, 2004 at 11:42:57PM -0400, Ken Murchison wrote:
> If that's the case, then you'll also have to update the docs for every
> other command line Cyrus tool, including cyradm, which you presumably
> used to create the mailbox in the first place.

I didn't create the mail box, I have applied the Autocreate INBOX patch from
the University of Athens. There are 20,000 users in the ldap database, many of
whom do not use email.

Is there any reason why this patch has not been incorporated into main line
Cyrus ? I am sure that many will find it useful. See:

    http://email.uoa.gr/projects/cyrus/autocreate/

> If you submit a complete documentation patch, then either Derrick or I
> will take a look at it.

I'll put it on my jobs list.

--
Alain Williams
#include
Re: reconstruct with unixhierarchysep:yes
On Wed, Oct 13, 2004 at 01:28:45PM -0400, Ken Murchison wrote:
> Alain Williams wrote:
>
> >On Wed, Oct 13, 2004 at 01:56:56PM +0200, Christiaan den Besten wrote:
> >
> >>Use
> >>
> >>'reconstruct -r user/ben.lacy'
> >>
> >
> >
> >Thanks. I have submitted a patch for the reconstruct.8 man page that
> >describes this.
>
> Why is a patch needed when it seems blatantly obvious that if you
> change the hierarchy separator, then you must then use it.

How about:

* Making it easy for people
* Recognising that not everyone knows as much about Cyrus as Ken Murchison
* Reducing the 'needless' questions to the mail list
* Making Cyrus more accessible
* Making Cyrus a better product

If you don't like it you don't need to read it, I thought that if I was puzzled
others might be also.

--
Alain Williams
#include
Re: reconstruct with unixhierarchysep:yes
On Wed, Oct 13, 2004 at 01:56:56PM +0200, Christiaan den Besten wrote:
> Use
>
> 'reconstruct -r user/ben.lacy'
>

Thanks. I have submitted a patch for the reconstruct.8 man page that describes
this.

--
Alain Williams
#include
reconstruct with unixhierarchysep:yes
I am running cyrus 2.1.15.

I am trying to reconstruct one individual's mailbox (ben.lacy).

    reconstruct -r user.ben.lacy

The trouble is that it sees the '.' and changes them for '^' and gdb shows that
it ends up with user^ben^lacy with the result that it doesn't do anything.

Am I doing something wrong or is there a real problem here ?

I also tried:

    reconstruct -r ben.lacy

still does nothing.

--
Alain Williams
#include
Re: Antivirus solution
On Fri, Jan 30, 2004 at 09:52:51AM -, Allister Gearon wrote:
> Hi all,
> can anybody recommend an antivirus solution for scanning incoming email at
> least (outgoing emails would be a bonus) with a SuSE based (8.2) Cyrus-IMAP
> mailserver.
> Versions are;
> cyrus - imapd 2.1.12
> cyrus - sasl2 2.1.12
> fetchmail 6.2.1
> db 4.0.14
> postfix 2.0.6
> Thanks for your help
> Alllister Gearon
>

I have recently set up MailScanner (www.mailscanner.info). You plug in your
favourite spam catcher (SpamAssassin) & it can interface to something like 15
antivirus scanners, the one that I have been using is Clam AntiVirus
(http://www.clamav.net/), open source & seems to have a well updated database
(again no subscription).

Slotted in nicely with exim, I think that MailScanner has postfix hooks.

--
Alain Williams
#include
FATHERS-4-JUSTICE - Campaigning for equal rights for parents and the best interests of our children. See http://www.fathers-4-justice.org
Re: Is Reiserfs better than ext3
On Fri, Jan 09, 2004 at 03:46:04PM +, mb wrote:
> At 17:54 +0530 Ramprasad A Padmanabhan wrote:
>
> >I am having around 2000 users on my cyrus server ( redhat 9.0 )
> >someone told me I should reformat my partition in Reiserfs rather than
> >ext3 and I will get a great performance improvement
>
> ..until you get a hardware failure and your entire mail store is toast.
>
> reiserfs is brilliant for some applications (Squid boxes, desktops..), but
> ext3 is reliable (the best fsck in town alone makes it worth it), and for
> your mail server that is surely the most important thing. If you want to
> speed up ext3 look at Linux 2.6.

I can concur. A year ago a box that I looked after had a hardware failure
(low voltage in the PSU), things started to go wrong with the reiser file
system - I eventually recovered, but many files had a byte of cr*p at their
start and were missing a byte at the end.

--
Alain Williams
#include
FATHERS-4-JUSTICE - Campaigning for equal rights for parents and the best interests of our children. See http://www.fathers-4-justice.org
[cyrus] Mail list subject line
Would it be possible for the list administrator, to force the adding of
something like [cyrus] into the subject line for all mail reflected from this
list ?

I get quite a lot of mail, other lists do this & I find it a useful way of
deciding what to read.

Thanks

--
Alain Williams
#include
FATHERS-4-JUSTICE - Campaigning for equal rights for parents and the best interests of our children. See http://www.fathers-4-justice.org
Re: imap and ldap
On Thu, Dec 11, 2003 at 05:02:42PM -0500, Rob Siemborski wrote:
> On Thu, 11 Dec 2003, Alain Williams wrote:
>
> > Tweak master.c (version 1.82), starting line 138, insert:
> > #include
> >
> > int allow_severity = LOG_DEBUG;
> > int deny_severity = LOG_ERR;
>
> I'm unclear why you needed to do this, since master doesn't link
> tcpwrappers, only the cyrus services do.
>
> Could you expand on what errors you were getting, and what commands were
> causing them?
>
> Also, writing documentation is great. Either post what you did to the
> wiki or send us patches for the documentation we distributed.

I shall complete what I am doing and then write it all up from the notes that
I have. A couple of weeks time.

--
Alain Williams
#include
FATHERS-4-JUSTICE - Campaigning for equal rights for parents and the best interests of our children. See http://www.fathers-4-justice.org
Re: imap and ldap
On Thu, Dec 11, 2003 at 10:32:33AM -0500, Igor Brezac wrote:
>
> On Thu, 11 Dec 2003, Geert Reijnders wrote:
>
> > Oke I tried to reconfigure cyrus-sasl with the following options
> > --with-ldap=/etc/ldap (because I had to give a directory)
>
> It appears that saslauthd configure script cannot find openldap libs on
> your system. Check saslauthd/config.log and search for LDAP.

I have just installed & configured cyrus on a SuSE Linux box, I was going to
put up a small write up, but here is some of it now. I had to:

    ln -s /usr/local/lib/sasl2 /usr/lib/sasl2

Tweak master.c (version 1.82), starting line 138, insert:

    #include

    int allow_severity = LOG_DEBUG;
    int deny_severity = LOG_ERR;

I had a flirtation with kerberos (trying to authenticate off MS active
directory) before giving up and moving to ldap.

    ln -s /etc/saslauthd.conf /usr/local/etc/saslauthd.conf

That file containing:

    # Config file for SASL with ldap
    # ADDW - December 2003

    # The 2 ldap servers on the main site:
    ldap_servers: ldap://172.17.5.1:389/ ldap://172.17.5.2:389/
    # This doesn't work, the servers don't appear to be listening to ldaps
    #ldap_servers: ldaps://172.17.5.1:636/

    ldap_filter: SAMAccountName=%u
    ldap_version: 3

    # Who we bind as - ie the user that we use to ask the question:
    ldap_bind_dn: cn=AccountName,ou=staff,dc=oaklands,dc=ac,dc=uk
    ldap_bind_pw: TopSecret

    # The ''domain'' within which we search:
    ldap_search_base: ou=students,ou=academic,DC=oaklands,dc=ac,dc=uk

    # end

Thanks to Trey Tabner <[EMAIL PROTECTED]> for giving me this useful URL:

    http://www.bynari.net/Resellers/docs/bynari_ad_integration.txt

One of the distributed files is:

    saslauthd/LDAP_SASLAUTHD

I must admit, that I find the testing/verification side of authentication very
difficult to do if things go wrong, there is little information that is given
to help trace problems. There is also an assumption that you are intimate with
the workings of your authentication mechanism.

But I like Cyrus, which is why I will document what I have done so that
others can follow.

--
Alain Williams
#include
FATHERS-4-JUSTICE - Campaigning for equal rights for parents and the best interests of our children. See http://www.fathers-4-justice.org
Re: Authenticate Cyrus off active directory
On Thu, Dec 04, 2003 at 10:41:04AM -0600, Trey Tabner wrote:
> Alain,
>
> You can also set saslauthd.conf to authenticate against LDAP on the
> AD server. You can use the autocreate patch at http://email.uoa.gr/

Hmmm, I shall try that since I seem to be getting nowhere using kerberos.
The trouble that I find is that the documentation seems to be aimed at
developers & people that really understand the protocols and that there is
very little in the way of diagnostics (or verbose mode) to trace what is
happening. Very frustrating.

kinit works when I type something like (for a user 'internet.test'):

    kinit [EMAIL PROTECTED]

and then enter the password, I see the file /tmp/krbcc_500 being created with
something that I can inspect with:

    klist -v

(my user # is 500). If I change the server listed in /etc/krb5.conf
('kdc = server') it fails as expected. This all suggests that the basic
kerberos config is OK.

Running saslauthd in debug mode

    saslauthd -d -n0 -a kerberos5

I see the request come in and it simply says 'no':

    saslauthd[9126] :main: num_procs : 0
    saslauthd[9126] :main: mech_option: NULL
    saslauthd[9126] :main: run_path : /var/state/saslauthd
    saslauthd[9126] :main: auth_mech : kerberos5
    saslauthd[9126] :detach_tty : master pid is: 0
    saslauthd[9126] :ipc_init: listening on socket: /var/state/saslauthd/mux
    saslauthd[9126] :do_auth : auth failure: [user=internet.test] [service=imap] [realm=] [mech=kerberos5] [reason=krb5_verify_user failed]
    saslauthd[9126] :server_exit : pid file lock removed: /var/state/saslauthd/saslauthd.pid.lock
    saslauthd[9126] :ipc_cleanup : socket removed: /var/state/saslauthd/mux
    saslauthd[9126] :server_exit : master exited: 0

The above is in response to:

    telnet localhost imap
    . login internet.test foobar

Quoting the username makes no difference:

    . login "internet.test" foobar

I just get:

    . NO Login failed: authentication failure

I have run saslauthd under strace, I can see it exchange a packet with the
local domain controller, the packet is much longer (1430 bytes sent, 100 read)
than the equivalent packet from kinit (404 bytes sent, 1380 read).

I am running on SuSE Linux SLES 8, with the latest cyrus/sasl - this has
heimdal gssapi.

Where do I go from here ?

* I can try ldap, but I can't see any documentation on how to configure sasl
  to do this. I already use ldap in the MTA (exim) to validate that the user
  exists.

* I can persist with kerberos5, but ... what ?

> so the authenticated users will have mailboxes when logging in for
> the first time.

Autocreate seems to be the thing to do, thanks all -- first to get
authentication going.

Thanks for bearing with me.

--
Alain Williams
#include
FATHERS-4-JUSTICE - Campaigning for equal rights for parents and the best interests of our children. See http://www.fathers-4-justice.org
User creation - automatic subscriptions
Summary: can I safely put mailbox subscriptions for a new user directly into
their .sub file ?

Hi,

I am putting together a large cyrus system - 20,000 users - at a UK college.
Creation of users needs to be automatic, I will get a list of new users every
day from central admin.

Logged in as cyrus I can create the users and their mail boxes (drafts, etc)
using a perl script, easy.

The user then needs to be subscribed to their mailboxes. This must be done
logged in as the user - that is hard, I have no way of knowing their password.

I do notice that the user fred's subscription list is stored in:

    /var/imap/user/f/fred.sub

Is there any reason why I should not just create that file ?

Come to that, is there any reason why I should not create the user's mailbox
directly, ie .../users/fred/ and use reconstruct to rebuild the cyrus.cache,
etc files ?

--
Alain Williams
#include
FATHERS-4-JUSTICE - Campaigning for equal rights for parents and the best interests of our children. See http://www.fathers-4-justice.org
Authenticate Cyrus off active directory
Hi,

I am seeking advice on how to authenticate Cyrus off a Microsoft Active
directory server.

The users will not have Linux accounts, I don't want to modify AD at all - the
only Linux is the web mail, so I don't want to insert the extra (unix) fields
into the database.

I have saslauthd currently working off pam.

I don't mind if I authenticate using kerberos or ldap - whatever works.

I am running Cyrus and Sasl 2.1.15 on top of SuSE Linux (enterprise server 8).
Users will (mainly) access cyrus via horde/imp webmail.

Can anyone give a simple HOWTO for this ?

Many thanks.

--
Alain Williams
#include
FATHERS-4-JUSTICE - Campaigning for equal rights for parents and the best interests of our children. See http://www.fathers-4-justice.org
Re: Interesting space issue
On Mon, Mar 10, 2003 at 03:13:30PM -0500, Jim Howell wrote:
> Hi,
> I have an interesting problem. Over the weekend our syslog forwarder went
> berserk generating over 300,000 messages to about 6 people. This morning
> our three new Cyrus systems went belly up, (yes that is a technical term),
> actually the master daemon seemed to eventually freeze up. The only real
> error msgs I can find are these:
> Mar 10 00:18:16 postoffice8 lmtpd[27393]: [ID 729713 local6.error] DBERROR:
> opening /opt/cyrus/mailboxes.db: Not enough space
> Mar 10 08:04:46 postoffice8 pop3d[2183]: [ID 729713 local6.error] DBERROR:
> opening /opt/cyrus/mailboxes.db: Not enough space
> Mar 10 08:12:58 postoffice8 imapd[2489]: [ID 729713 local6.error] DBERROR:
> opening /opt/cyrus/mailboxes.db: Not enough space
> Mar 10 08:14:05 postoffice8 imapd[2731]: [ID 729713 local6.error] DBERROR:
> opening /opt/cyrus/mailboxes.db: Not enough space
> Mar 10 08:27:59 postoffice8 imapd[3951]: [ID 729713 local6.error] DBERROR:
> opening /opt/cyrus/mailboxes.db: Not enough space
> ...

* Exceeded some sort of operating system user/group quota limit ?
* Exceeded 2Gb on some file ?
* Tried fscking /opt ?

--
Alain Williams
#include