Re: Can't authorize as different user in cyradm and sieveshell
I'm using Debian packages for sasl. Here is what libsasl2-modules includes:

    /usr/lib/x86_64-linux-gnu/sasl2/libplain.so.2.0.25
    /usr/lib/x86_64-linux-gnu/sasl2/libcrammd5.so.2.0.25
    /usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so.2.0.25
    /usr/lib/x86_64-linux-gnu/sasl2/liblogin.so.2.0.25
    /usr/lib/x86_64-linux-gnu/sasl2/libanonymous.so.2.0.25
    /usr/lib/x86_64-linux-gnu/sasl2/libntlm.so.2.0.25

But in my imapd.conf, I'm not specifying any auxprop plugins:

    # grep sasl /etc/imapd.conf
    sasl_mech_list: PLAIN
    sasl_minimum_layer: 0
    #sasl_maximum_layer: 256
    sasl_pwcheck_method: saslauthd

Since we are using saslauthd, we don't use auxprop plugins, I think...

Andy

On Mon, 21 Nov 2016, Michael Ulitskiy wrote:

I'm trying to read the code and it seems that it tries to look up the authorization id in an auxprop plugin. Since I don't have any auxprop plugins, that returns SASL_NOMECH and results in the error I'm seeing. By any chance do you have any auxprop plugin defined?

On Monday, November 21, 2016 10:07:23 AM Andrew Morgan wrote:

Maybe there is something wrong with your saslauthd parameters or PAM config? Here is what I use:

    saslauthd -a pam -c -t 300 -m /var/run/saslauthd -n 5

    # cat /etc/pam.d/sieve
    # PAM configuration file for Cyrus IMAP service
    auth sufficient pam_ldap.so
    auth required pam_unix.so
    account sufficient pam_ldap.so
    account required pam_unix.so

(pretty simple!)

In your original email, you showed that you could authenticate as the target user successfully. Can you connect to sieve as the admin user (no proxy-auth)?

Thanks,
Andy

On Mon, 21 Nov 2016, Michael Ulitskiy wrote:

Andrew,

Thanks for the reply. It's good to know it works for someone. I've tried to downgrade cyrus to 2.4.18, but that didn't help. sivtest doesn't provide much clue:

    root@rway-imap-vm:~# sivtest -a proxyadmin -u t...@virtualcrap.com localhost
    S: "IMPLEMENTATION" "Cyrus timsieved v2.4.18"
    S: "SASL" "PLAIN"
    S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope imap4flags relational regex subaddress copy"
    S: "UNAUTHENTICATE"
    S: OK
    Please enter your password:
    C: AUTHENTICATE "PLAIN" {48+}
    S: NO "Authentication Error"
    Authentication failed. generic failure
    Security strength factor: 0

while the log is saying:

    Nov 21 12:01:57 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 'proxyadmin' granted access
    Nov 21 12:01:57 rway-imap-vm sieve[21483]: badlogin: localhost[127.0.0.1] PLAIN no mechanism available

The same happens if I use the admin user. I also tried to change sasl_pwcheck_method to 'alwaystrue' to make sure no authentication problems stand in the way, but that also didn't help. I'm at a loss now. Any more troubleshooting clues?

Thanks,
Michael

On Sunday, November 20, 2016 07:34:58 PM Andrew Morgan wrote:

This works for me under v2.4.18. I'm able to run sieveshell against a frontend or backend authenticating as a cyrus "admins" user or a "proxyservers" user (on the backend).

Against a frontend:

    # sieveshell -u morgan -a cyrus imap.onid.oregonstate.edu
    connecting to imap.onid.oregonstate.edu
    Please enter your password:
    list
    onid-web
    real <- active script
    quit

Against a backend:

    # sieveshell -u morgan -a cyr_proxy cyrus-be1.onid.oregonstate.edu
    connecting to cyrus-be1.onid.oregonstate.edu
    Please enter your password:
    list
    onid-web
    real <- active script
    quit

My imapd.conf settings:

    admins: cyrus
    allowplaintext: 0
    sasl_mech_list: PLAIN
    sasl_minimum_layer: 0
    sasl_pwcheck_method: saslauthd
    sieve_allowreferrals: 0
    sieve_allowplaintext: 1

Have you tried using the "sivtest" program? It will show you the protocol handshakes, which might help. Here is an example for me:

    # sivtest -u morgan -a cyrus localhost
    S: "IMPLEMENTATION" "Cyrus timsieved (Murder) v2.4.18"
    S: "SASL" "PLAIN"
    S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope body relational regex subaddress copy"
    S: "STARTTLS"
    S: "UNAUTHENTICATE"
    S: OK
    Please enter your password:
    C: AUTHENTICATE "PLAIN" {28+}
    S: OK
    Authenticated.
    Security strength factor: 0
    C: LOGOUT
    OK "Logout Complete"
    Connection closed.

Andy

On Sun, 20 Nov 2016, Michael Ulitskiy via Info-cyrus wrote:

Since nobody answered, I guess, nobody has any idea. I wonder if anybody uses this feature and it works for you? I mean I'd like to know if that's just me and something is wrong with my setup or maybe that feature isn't functional at all?

Thanks in advance,
Michael

On Thursday, November 17, 2016 06:30:18 PM Michael Ulitskiy via Info-cyrus wrote:

Hello,

I'm playing with cyrus-imap 2.5.10 and cyrus-sasl 2.1.26. I'm trying to use sieveshell to set up users' sieve scripts, but since I don't know users' passwords I want to use a special user for authentication and authorize as the target user. Here's what I have.

imapd.conf:

    admins: mailadmin
    proxyservers: proxyadmin
    sasl_pwcheck_method: saslauthd
    #sasl_pwcheck_method: alwaystrue
    sasl_mech_li
Re: Can't authorize as different user in cyradm and sieveshell
Maybe there is something wrong with your saslauthd parameters or PAM config? Here is what I use:

    saslauthd -a pam -c -t 300 -m /var/run/saslauthd -n 5

    # cat /etc/pam.d/sieve
    # PAM configuration file for Cyrus IMAP service
    auth sufficient pam_ldap.so
    auth required pam_unix.so
    account sufficient pam_ldap.so
    account required pam_unix.so

(pretty simple!)

In your original email, you showed that you could authenticate as the target user successfully. Can you connect to sieve as the admin user (no proxy-auth)?

Thanks,
Andy

On Mon, 21 Nov 2016, Michael Ulitskiy wrote:

Andrew,

Thanks for the reply. It's good to know it works for someone. I've tried to downgrade cyrus to 2.4.18, but that didn't help. sivtest doesn't provide much clue:

    root@rway-imap-vm:~# sivtest -a proxyadmin -u t...@virtualcrap.com localhost
    S: "IMPLEMENTATION" "Cyrus timsieved v2.4.18"
    S: "SASL" "PLAIN"
    S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope imap4flags relational regex subaddress copy"
    S: "UNAUTHENTICATE"
    S: OK
    Please enter your password:
    C: AUTHENTICATE "PLAIN" {48+}
    S: NO "Authentication Error"
    Authentication failed. generic failure
    Security strength factor: 0

while the log is saying:

    Nov 21 12:01:57 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 'proxyadmin' granted access
    Nov 21 12:01:57 rway-imap-vm sieve[21483]: badlogin: localhost[127.0.0.1] PLAIN no mechanism available

The same happens if I use the admin user. I also tried to change sasl_pwcheck_method to 'alwaystrue' to make sure no authentication problems stand in the way, but that also didn't help. I'm at a loss now. Any more troubleshooting clues?

Thanks,
Michael

On Sunday, November 20, 2016 07:34:58 PM Andrew Morgan wrote:

This works for me under v2.4.18. I'm able to run sieveshell against a frontend or backend authenticating as a cyrus "admins" user or a "proxyservers" user (on the backend).

Against a frontend:

    # sieveshell -u morgan -a cyrus imap.onid.oregonstate.edu
    connecting to imap.onid.oregonstate.edu
    Please enter your password:
    list
    onid-web
    real <- active script
    quit

Against a backend:

    # sieveshell -u morgan -a cyr_proxy cyrus-be1.onid.oregonstate.edu
    connecting to cyrus-be1.onid.oregonstate.edu
    Please enter your password:
    list
    onid-web
    real <- active script
    quit

My imapd.conf settings:

    admins: cyrus
    allowplaintext: 0
    sasl_mech_list: PLAIN
    sasl_minimum_layer: 0
    sasl_pwcheck_method: saslauthd
    sieve_allowreferrals: 0
    sieve_allowplaintext: 1

Have you tried using the "sivtest" program? It will show you the protocol handshakes, which might help. Here is an example for me:

    # sivtest -u morgan -a cyrus localhost
    S: "IMPLEMENTATION" "Cyrus timsieved (Murder) v2.4.18"
    S: "SASL" "PLAIN"
    S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope body relational regex subaddress copy"
    S: "STARTTLS"
    S: "UNAUTHENTICATE"
    S: OK
    Please enter your password:
    C: AUTHENTICATE "PLAIN" {28+}
    S: OK
    Authenticated.
    Security strength factor: 0
    C: LOGOUT
    OK "Logout Complete"
    Connection closed.

Andy

On Sun, 20 Nov 2016, Michael Ulitskiy via Info-cyrus wrote:

Since nobody answered, I guess, nobody has any idea. I wonder if anybody uses this feature and it works for you? I mean I'd like to know if that's just me and something is wrong with my setup or maybe that feature isn't functional at all?

Thanks in advance,
Michael

On Thursday, November 17, 2016 06:30:18 PM Michael Ulitskiy via Info-cyrus wrote:

Hello,

I'm playing with cyrus-imap 2.5.10 and cyrus-sasl 2.1.26. I'm trying to use sieveshell to set up users' sieve scripts, but since I don't know users' passwords I want to use a special user for authentication and authorize as the target user. Here's what I have.

imapd.conf:

    admins: mailadmin
    proxyservers: proxyadmin
    sasl_pwcheck_method: saslauthd
    #sasl_pwcheck_method: alwaystrue
    sasl_mech_list: PLAIN
    allowplaintext: yes

Here's what I do:

    root@rway-imap-vm:~# sieveshell -a proxyadmin -u t...@virtualcrap.com localhost
    connecting to localhost
    Please enter your password:
    unable to connect to server at /usr/bin/sieveshell line 191, line 1.

Here's the log:

    Nov 17 18:24:44 rway-imap-vm sieve[2256]: TLS is available.
    Nov 17 18:24:46 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 'proxyadmin' granted access
    Nov 17 18:24:46 rway-imap-vm sieve[2256]: badlogin: localhost [127.0.0.1] PLAIN no mechanism available
    Nov 17 18:24:46 rway-imap-vm sieve[2256]: Lost connection to client -- exiting

As you can see, user proxyadmin authenticated successfully, but then something (authorization?) went wrong and it says "PLAIN no mechanism available". This only happens if I try to authorize as a different user. If I don't, everything works fine:

    root@rway-imap-vm:~# sieveshell -a t...@virtualcrap.com -u t...@virtualcrap.com localhost
    connecting to localhost
    Please enter your password:

log:

    Nov 17 18:24:11 rway-im
Re: Can't authorize as different user in cyradm and sieveshell
This works for me under v2.4.18. I'm able to run sieveshell against a frontend or backend authenticating as a cyrus "admins" user or a "proxyservers" user (on the backend).

Against a frontend:

    # sieveshell -u morgan -a cyrus imap.onid.oregonstate.edu
    connecting to imap.onid.oregonstate.edu
    Please enter your password:
    list
    onid-web
    real <- active script
    quit

Against a backend:

    # sieveshell -u morgan -a cyr_proxy cyrus-be1.onid.oregonstate.edu
    connecting to cyrus-be1.onid.oregonstate.edu
    Please enter your password:
    list
    onid-web
    real <- active script
    quit

My imapd.conf settings:

    admins: cyrus
    allowplaintext: 0
    sasl_mech_list: PLAIN
    sasl_minimum_layer: 0
    sasl_pwcheck_method: saslauthd
    sieve_allowreferrals: 0
    sieve_allowplaintext: 1

Have you tried using the "sivtest" program? It will show you the protocol handshakes, which might help. Here is an example for me:

    # sivtest -u morgan -a cyrus localhost
    S: "IMPLEMENTATION" "Cyrus timsieved (Murder) v2.4.18"
    S: "SASL" "PLAIN"
    S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope body relational regex subaddress copy"
    S: "STARTTLS"
    S: "UNAUTHENTICATE"
    S: OK
    Please enter your password:
    C: AUTHENTICATE "PLAIN" {28+}
    S: OK
    Authenticated.
    Security strength factor: 0
    C: LOGOUT
    OK "Logout Complete"
    Connection closed.

Andy

On Sun, 20 Nov 2016, Michael Ulitskiy via Info-cyrus wrote:

Since nobody answered, I guess, nobody has any idea. I wonder if anybody uses this feature and it works for you? I mean I'd like to know if that's just me and something is wrong with my setup or maybe that feature isn't functional at all?

Thanks in advance,
Michael

On Thursday, November 17, 2016 06:30:18 PM Michael Ulitskiy via Info-cyrus wrote:

Hello,

I'm playing with cyrus-imap 2.5.10 and cyrus-sasl 2.1.26. I'm trying to use sieveshell to set up users' sieve scripts, but since I don't know users' passwords I want to use a special user for authentication and authorize as the target user. Here's what I have.

imapd.conf:

    admins: mailadmin
    proxyservers: proxyadmin
    sasl_pwcheck_method: saslauthd
    #sasl_pwcheck_method: alwaystrue
    sasl_mech_list: PLAIN
    allowplaintext: yes

Here's what I do:

    root@rway-imap-vm:~# sieveshell -a proxyadmin -u t...@virtualcrap.com localhost
    connecting to localhost
    Please enter your password:
    unable to connect to server at /usr/bin/sieveshell line 191, line 1.

Here's the log:

    Nov 17 18:24:44 rway-imap-vm sieve[2256]: TLS is available.
    Nov 17 18:24:46 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 'proxyadmin' granted access
    Nov 17 18:24:46 rway-imap-vm sieve[2256]: badlogin: localhost [127.0.0.1] PLAIN no mechanism available
    Nov 17 18:24:46 rway-imap-vm sieve[2256]: Lost connection to client -- exiting

As you can see, user proxyadmin authenticated successfully, but then something (authorization?) went wrong and it says "PLAIN no mechanism available". This only happens if I try to authorize as a different user. If I don't, everything works fine:

    root@rway-imap-vm:~# sieveshell -a t...@virtualcrap.com -u t...@virtualcrap.com localhost
    connecting to localhost
    Please enter your password:

log:

    Nov 17 18:24:11 rway-imap-vm sieve[2247]: TLS is available.
    Nov 17 18:24:15 rway-imap-vm saslauthd[1167]: pam_userdb(sieve:auth): user 't...@virtualcrap.com' granted access
    Nov 17 18:24:15 rway-imap-vm sieve[2247]: login: localhost [127.0.0.1] t...@virtualcrap.com PLAIN User logged in

The same happens with cyradm:

    root@rway-imap-vm:~# cyradm --user=proxyadmin --authz=t...@virtualcrap.com --auth=plain localhost
    Password:
    IMAP Password:

log:

    Nov 17 18:26:27 rway-imap-vm saslauthd[1166]: pam_userdb(imap:auth): user 'proxyadmin' granted access
    Nov 17 18:26:27 rway-imap-vm imap[2277]: badlogin: localhost [127.0.0.1] PLAIN [SASL(-4): no mechanism available: Unable to find a callback: 32773]

but OK without trying to authorize as a different user:

    root@rway-imap-vm:~# cyradm --user=t...@virtualcrap.com --auth=plain localhost
    Password:
    localhost>

    Nov 17 18:27:31 rway-imap-vm saslauthd[1167]: pam_userdb(imap:auth): user 't...@virtualcrap.com' granted access
    Nov 17 18:27:31 rway-imap-vm imap[2276]: login: localhost [127.0.0.1] t...@virtualcrap.com PLAIN User logged in SESSIONID=

Can somebody tell me what I am doing wrong?

Thanks a lot,
Michael

Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
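Added example, not part of the original messages or of the Cyrus project: Python that pairs each saslauthd "granted access" line with the next login/badlogin line of the same Cyrus service, so a password failure can be told apart from a rejection that happens after the password was accepted (the pattern in this thread). The function name, verdict labels, the 5-second pairing window and the year are assumptions; the sample lines are the ones quoted in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log lines quoted from the thread above (addresses are already elided there).
SAMPLE_LOG = """\
Nov 17 18:24:11 rway-imap-vm sieve[2247]: TLS is available.
Nov 17 18:24:15 rway-imap-vm saslauthd[1167]: pam_userdb(sieve:auth): user 't...@virtualcrap.com' granted access
Nov 17 18:24:15 rway-imap-vm sieve[2247]: login: localhost [127.0.0.1] t...@virtualcrap.com PLAIN User logged in
Nov 17 18:24:44 rway-imap-vm sieve[2256]: TLS is available.
Nov 17 18:24:46 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 'proxyadmin' granted access
Nov 17 18:24:46 rway-imap-vm sieve[2256]: badlogin: localhost [127.0.0.1] PLAIN no mechanism available
Nov 17 18:26:27 rway-imap-vm saslauthd[1166]: pam_userdb(imap:auth): user 'proxyadmin' granted access
Nov 17 18:26:27 rway-imap-vm imap[2277]: badlogin: localhost [127.0.0.1] PLAIN [SASL(-4): no mechanism available: Unable to find a callback: 32773]
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([\w-]+)\[(\d+)\]: (.*)$")
GRANT = re.compile(r"^pam_\w+\((\w+):auth\): user '([^']+)' granted access$")
RESULT = re.compile(r"^(login|badlogin): ([^\s\[]+) ?\[([^\]]+)\] (.*)$")

WINDOW = timedelta(seconds=5)   # assumption: grant and result are logged close together
YEAR = 2016                     # syslog timestamps carry no year; taken from the thread dates


def correlate(log_text):
    """Return one record per login/badlogin line, paired with a prior PAM grant if any."""
    pending = defaultdict(list)          # service name -> [(time, user)] not yet consumed
    records = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, _host, prog, pid, msg = m.groups()
        when = datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")

        grant = GRANT.match(msg)
        if prog == "saslauthd" and grant:
            service, user = grant.groups()
            pending[service].append((when, user))
            continue

        result = RESULT.match(msg)
        if not result:
            continue
        kind, _client, client_ip, detail = result.groups()

        # Discard grants too old to belong to this connection, then take the oldest.
        # On a busy server several logins interleave; this pairing is a heuristic.
        queue = pending[prog]
        while queue and when - queue[0][0] > WINDOW:
            queue.pop(0)
        authn_user = queue.pop(0)[1] if queue else None

        if kind == "login":
            verdict = "ok"
        elif authn_user is not None:
            # Password was accepted, the service still refused the session:
            # look at authorization (admins/proxyservers) or the SASL setup.
            verdict = "rejected-after-auth"
        else:
            verdict = "auth-failure"
        records.append({"service": prog, "pid": int(pid), "client_ip": client_ip,
                        "authn_user": authn_user, "verdict": verdict, "detail": detail})
    return records


if __name__ == "__main__":
    for rec in correlate(SAMPLE_LOG):
        print(rec["service"], rec["pid"], rec["authn_user"], rec["verdict"], "|", rec["detail"])
```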
Re: 2.4.17 --> 2.5.3 Delayed expunge?
On Thu, 13 Oct 2016, Sergey via Info-cyrus wrote:

On Wednesday 12 October 2016, Sergey via Info-cyrus wrote:

I'm wrong, "expunge_mode: immediate" works. I was expecting quick delete, but it is slow: about 30 seconds or more, and a lot of time for big mailboxes: some minutes.

If I remember correctly, this "lazy" delete of message files is a performance optimization so that IMAP clients don't have to wait for the deletion to happen. Also, expunged messages don't count against the mailbox quota.

Andy
Re: how to deal with mail retention/archival.
Could your retention needs be satisfied with Cyrus' delayed_delete and delayed_expunge functionality?

Thanks,
Andy

On Fri, 26 Aug 2016, Alvin Starr via Info-cyrus wrote:

Well the MTA still does not deal with archival because it will need to be passed through to Yet Another MDA to handle the archival and management process.

For the pure archival of the input/output stream including duplicate deliveries and all spam always_bcc into YAMDA would work.

In my thinking Cyrus is responsible for the storage and management of email so archival would be a part of that process.

On 08/26/2016 09:17 AM, Nic Bernstein wrote:

Alvin,

This is really more of an issue for your MTA, such as Postfix or Exim. The MDA -- Cyrus in this case -- has little or nothing to do with the sort of archiving/retention you need for compliance. Take a look at always_bcc and similar directives in Postfix, or the equivalent in whatever your MTA is.

-nic

On 08/26/2016 08:09 AM, Alvin Starr via Info-cyrus wrote:

A company I am working with is facing issues of regulatory mail retention.

Some searching has yielded little useful results other than putting a system in front to store all incoming messages.

What are others doing for mail archival?

An ideal solution would let the users carry on using current use patterns and not impose extra restrictions.

--
Alvin Starr || voice: (905)513-7688
Netvel Inc. || Cell: (416)806-0133
al...@netvel.net ||

--
Nic bernstein...@onlight.com
Onlight Inc. www.onlight.com
6525 W Bluemound Rd., Ste 24 v. 414.272.4477
Milwaukee, Wisconsin 53213-4073 f. 414.290.0335

--
Alvin Starr || voice: (905)513-7688
Netvel Inc. || Cell: (416)806-0133
al...@netvel.net ||
Re: prefork and IPv6
On Thu, 9 Jun 2016, Wolfgang Breyha via Info-cyrus wrote:

Hi!

I recently wondered why some of my preforked processes on my murder backends never get used. I detected them because some quite old lmtpd's were holding locks on an already deleted deliver.db.

After some debugging I recognized that cyrus-master seems to fork the configured amount of "prefork" daemons twice. One half listening on IPv4 and the other half on IPv6. Since IPv6 is practically never used from our frontends they stay forever doing nothing on the backends.

Is there some reasonable way to prevent this other than setting prefork=0?

I'm only using SERVICE entries like:

    Bimap cmd="imapd" listen="imap" prefork=5

Only the port is used for listen= without interface/IP.

Use the proto argument:

    proto=tcp
        The protocol used for this service (tcp, tcp4, tcp6, udp, udp4, udp6). This string argument is optional.

        tcp4, udp4: These arguments are used to bind the service to IPv4 only.

        tcp6, udp6: These arguments are used to bind the service to IPv6 only, if the operating system supports this.

        tcp, udp: These arguments are used to bind to both IPv4 and IPv6 if possible.

Here is my cyrus.conf entry:

    imap cmd="/usr/local/cyrus/bin/imapd" listen="imap" proto="tcp4" prefork=10 maxchild=4000

Andy
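Added example, not part of the original messages or of the Cyrus project: Python that reads the SERVICES section of a cyrus.conf and lists the entries that combine prefork with a port-only listen= and a dual-family proto, the case described in this thread. The doubling of preforked processes is taken from the report above, the default of proto=tcp from the manual excerpt quoted in the reply; function names and the sample configuration are constructed for the example.

```python
import re

# Constructed cyrus.conf fragment; option names follow the entries quoted in the thread.
SAMPLE_CONF = '''\
# constructed sample
SERVICES {
  imap      cmd="imapd" listen="imap" prefork=5
  imaps     cmd="imapd -s" listen="imaps" proto="tcp4" prefork=10 maxchild=4000
  lmtpunix  cmd="lmtpd" listen="/var/run/cyrus/socket/lmtp" prefork=1
  sieve     cmd="timsieved" listen="127.0.0.1:sieve" prefork=0
}
EVENTS {
  delprune  cmd="cyr_expire -E 1 -X 7 -D 7" at=0100
}
'''

SECTION_OPEN = re.compile(r"^(\w+)\s*\{\s*$")
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare
DUAL_FAMILY = {"tcp", "udp"}                       # bind to IPv4 and IPv6 if possible


def parse_services(conf_text):
    """Return {service name: options} for entries inside SERVICES { ... }."""
    services = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = SECTION_OPEN.match(line)
        if opened:
            section = opened.group(1).upper()
            continue
        if line == "}":
            section = None
            continue
        if section != "SERVICES":
            continue
        name, _, rest = line.partition(" ")
        opts = {key.lower(): (quoted or bare) for key, quoted, bare in PAIR.findall(rest)}
        opts.setdefault("proto", "tcp")            # assumed default, per the quoted manual text
        opts["prefork"] = int(opts.get("prefork", 0))
        services[name] = opts
    return services


def listen_kind(listen):
    """Classify a listen= value: UNIX socket path, explicit address, or port only."""
    if listen.startswith("/"):
        return "unix"
    if listen.startswith("[") or ":" in listen:
        return "address"
    return "port-only"


def dual_stack_prefork(conf_text):
    """Services whose preforked children are split across IPv4 and IPv6 listeners."""
    findings = []
    for name, opts in parse_services(conf_text).items():
        if (opts["prefork"] > 0
                and opts["proto"] in DUAL_FAMILY
                and listen_kind(opts.get("listen", "")) == "port-only"):
            findings.append({
                "name": name,
                "prefork": opts["prefork"],
                # Behaviour reported in the thread: one set of children per family.
                "preforked_total": opts["prefork"] * 2,
                "suggestion": 'set proto="tcp4" (or "tcp6") if only one family is used',
            })
    return findings


if __name__ == "__main__":
    for item in dual_stack_prefork(SAMPLE_CONF):
        print(f'{item["name"]}: prefork={item["prefork"]} -> '
              f'{item["preforked_total"]} idle children; {item["suggestion"]}')
```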
Re: [cyrus 3.0] 20 delayed mailbox deleted limit?
On Thu, 9 Jun 2016, Andre Felipe Machado via Info-cyrus wrote:

Bron Gondwana via Info-cyrus wrote ..

On Thu, Jun 9, 2016, at 03:02, Andre Felipe Machado via Info-cyrus wrote:

Hello,

At future release notes I read "Under delete_mode: delayed, only the 20 most recently deleted mailboxes are kept for any given name."

https://cyrusimap.org/imap/release-notes/3.0/x/3.0.0-beta2.html

Is there any configuration parameter to increase this limit? Why this limit is needed?

denial of service / space wastage protection. There's no config option available right now. I could be convinced to change it. How would you suggest we protect against exploiting delayed delete to fill the server without going over quota? Maybe a new quota field for "total mailbox usage including deleted stuff" that can be set to a high enough value that no reasonable user will ever hit it?

Bron.

--
Bron Gondwana br...@fastmail.fm

Hello, Bron

I understand the problem. But at a corporate scenario, it is a rare event, because of jobs at stake, tracked user accounts, antispam measures, etc. It is more likely a "rogue" client, bug/misconfiguration on a smartphone causing such problems.

We stay with official debian repositories versions as long as we could, receiving security patches. So, maintaining an unofficial patch will be a big problem. The sysadmin configurable parameters will be a more elegant solution. Having configurations at sysadmin control will maintain cyrus flexible for use at different usage scenarios.

For the DoS / waste space problems, the 2 quota limits configurations are more suitable than counting folders quantity. What if each folder contains 1 TB deleted messages? Maybe a reasonable default (10 times user quota?) for those not wanting to configure is good idea. Even better to have also a way to control individual accounts total quotas, for those corporate accounts like "sa...@foo.bar" that receive lots of legitimate emails and have to delete them after processing.

We have zabbix monitoring space at our cyrus backends, and need unlimited or configurable delayed expunge limits for recovering messages and folders for years at corporate scenario.

Thanks.
Andre Felipe

Remember, this is a limit on the number of deleted *mailboxes* kept, not messages.

Bron, this could impact Pine/Alpine users that frequently postpone messages. Pine creates a folder named "postponed-msgs" to store drafts. The folder is created when a draft is saved and deleted when all drafts have been deleted/sent. Here is my personal deleted folders list, right now:

    DELETED.user.morgan.postponed-msgs.5755CF0C 0 p2 morgan lrswipkxtecda
    DELETED.user.morgan.postponed-msgs.5755F446 0 p2 morgan lrswipkxtecda
    DELETED.user.morgan.postponed-msgs.5755F486 0 p2 morgan lrswipkxtecda
    DELETED.user.morgan.postponed-msgs.5755F4D1 0 p2 morgan lrswipkxtecda
    DELETED.user.morgan.postponed-msgs.5755F4E4 0 p2 morgan lrswipkxtecda
    DELETED.user.morgan.postponed-msgs.5755F50E 0 p2 morgan lrswipkxtecda
    DELETED.user.morgan.postponed-msgs.5755F65F 0 p2 morgan lrswipkxtecda
    DELETED.user.morgan.postponed-msgs.5755F844 0 p2 morgan lrswipkxtecda
    DELETED.user.morgan.postponed-msgs.5756ECFC 0 p2 morgan lrswipkxtecda
    DELETED.user.morgan.postponed-msgs.5756F602 0 p2 morgan lrswipkxtecda
    DELETED.user.morgan.postponed-msgs.575706F8 0 p2 morgan lrswipkxtecda
    DELETED.user.morgan.postponed-msgs.57585C5D 0 p2 morgan lrswipkxtecda
    DELETED.user.morgan.postponed-msgs.57587FE1 0 p2 morgan lrswipkxtecda

We are removing deleted mailboxes after 7 days:

    delprune cmd="/usr/local/cyrus/bin/cyr_expire -E 1 -X 7 -D 7" at=0100

I don't know if other IMAP clients have similar quirky behavior, but I could see myself running into this limit. However, I certainly don't care about recovering my old postponed-msgs mailboxes.

Hmmm, is this a limit per-mailbox (user.morgan.postponed-msgs) or per-user (all mailboxes under user.morgan)?

Thanks,
Andy
Re: Problems with murder upgrade from 2.2.13 to 2.5.8
I've found that backends should be upgraded before frontends... You'll run into frontends trying to use features that don't exist on the backends. Usually, you can work around that with the suppress_capabilities setting in imapd.conf, but it may require less testing to upgrade the frontends last.

Regarding your specific permissions problem, I think Mathieu has already posted the answer. Although, I wonder if the frontend is enforcing permissions that can't exist on the backend yet... For reference, these are the permissions on my v2.4.18 mailbox:

    localhost> lam user.morgan
    morgan lrswipkxtecda

Andy

On Mon, 6 Jun 2016, Jean Charles Delépine via Info-cyrus wrote:

Hello,

I'm on the way to make a big (late) upgrade. My murder config is composed of 16 1 TB backends. I can't upgrade all of them simultaneously.

So I planned to:

- upgrade mupdate server (make a new one, and update frontend's and backend's conf)
- replace frontends with upgraded ones
- upgrade backends one after the other, nightly, over several nights

mupdate server upgrade is ok. But I have problems with 2.5 frontends and 2.2 backends interaction.

All seems fine (no error), but users can't create new sub mailboxes (admin can create mailboxes and sub mailboxes):

logged in as mailbox owner:

    imap-01> lam INBOX
    delepine lrswipcda
    anyone p
    imap-01> cm INBOX.hop
    createmailbox: Permission denied

My tests say that, whichever mupdate server version:

    Frontend 2.2 can create 2.2 mailboxes and 2.5 mailboxes
    Frontend 2.5 can't create 2.2 mailboxes but can create 2.5 mailboxes

All other tested features work.

The 2.2 is using saslauthd + pam_ldap for authentication. The 2.5 is using either ldapdb or saslauthd + ptloader and ldap.

With or without suppress_capabilities: ESEARCH QRESYNC XLIST LIST-EXTENDED WITHIN on 2.5 frontends.

2 questions:

- do you have an idea why users can't create submailboxes on 2.2 backends with 2.5 frontends? Is there any acl new option I miss? ...
- what are the risks if I wait for all backends to migrate before using 2.5 frontends? My option with this problem. I didn't find any problem... but surely, if there's one, my users will find it.

Options that might be relevant:

On backends:

    proxyservers: proxy
    proxy_authname: proxy

On frontends:

    proxy_authname: proxy
    proxy_password: <>
    proxyd_allow_status_referral: 0
    proxyd_disable_mailbox_referrals: 1

backends are in an internal non routable network.

Sincerely,
Jean Charles Delépine
Re: Request: Please sign this list's messages via DKIM or SPF
On Tue, 5 Apr 2016, lst_hoe02--- via Info-cyrus wrote:

Quoting Binarus via Info-cyrus:

Combine SPF / DKIM with domain blacklisting, and then you *have* an efficient spam fighting tool.

As stated the spam actually reaching our inboxes after around 90% cutoff is valid DKIM/SPF signed as it is mostly from the big free providers like Outlook.com, Google and Yahoo. Some other big share is from professional spam farms with always alternating IP and Domains ranges from all over the world with also valid DKIM/SPF. Next big share is from educational servers also mostly valid DKIM/SPF. The tiny rest with around 10% is in fact not DKIM/SPF signed.

From the valid e-mail around 20% looks like having a valid SPF/DKIM, mostly professional newsletters not personal mail from customers.

So No, SPF/DKIM is no useful spam fighting tool at least not in our corner of the world.

Another recent standard, DMARC (https://dmarc.org/) allows the domain owner to specify what the recipient should do with messages that fail DKIM or SPF checks. We ran into this recently and discovered that Yahoo's DMARC records tell the recipient to REJECT messages that fail DKIM or SPF. Google is honoring that DMARC record by putting the message into the Spam folder.

This seems like a pretty effective method to prevent someone from spoofing email from your domain. Of course, it does not prevent an actual Yahoo account from sending spam, so you still need traditional spam detection tools as well. However, it is nice that a third-party sender cannot harm your domain's reputation through spoofing.

Note: I don't care whether this email list uses SPF or DKIM.

Andy
Re: Is there a way to send custom warning to all IMAP users?
On Mon, 28 Mar 2016, francis picabia via Info-cyrus wrote:

We have migrated all email on a server to a cloud email platform. The users were notified by email beforehand, but hundreds are still connecting to the standard IMAP service. They may not even remember they have set up devices to connect here.

Is there a way to send a custom warning through some setting, similar to how quota warnings are generated. Really if there is any error I can fake, and customize the message, it would work.

We are using Linux, pam authentication, Cyrus with saslauthd.

Just shutting down the service is also a solution, but given over 600 unique users have logged in today, I'd rather not dump that load on the service desk.

When we migrated some of our users to Google Mail, we placed a final message in their Cyrus mailbox. When they login, they can see "You've been migrated to Google!", and the message tells them how to find their email on Google.

To bypass email routing, you can use the "deliver" program on the Cyrus server to drop the message in the Cyrus mailbox.

Let me know if you need more information.

Thanks,
Andy
Re: drown/SSL issue
On Thu, 3 Mar 2016, Tony Galecki via Info-cyrus wrote:

Lots of fiddling around,

    tls_versions: ssl3 tls1_2

in the imapd.conf file also fixed the issue. However, some clients (notably older Mac Mail clients) were not able to connect.

Don't you want to include tls1_0 and tls1_1 in the list? Here at OSU, we use the defaults, "tls_versions: tls1_0 tls1_1 tls1_2".

Andy
Re: Cyrus Murder with different Cyrus IMAP Server versions
On Wed, 2 Mar 2016, Jack Snodgrass via Info-cyrus wrote:

I have an older Cyrus 2.2 version set up and running in production. I want to move to a newer Cyrus 2.4 system with minimal downtime. The goal is 1) limit down time and 2) keep the SAME ip address for the users' imap configs.

I can convert my existing Cyrus 2.2 ( Debian v6 ) to Cyrus 2.4 ( Debian v8 ) but will be down around 8 ( at least ) for the two debian upgrades and converting 200gig of Cyrus 2.2 mail to Cyrus 2.4 - indexes and what not.

I was thinking.. maybe another approach would be to set up Cyrus Murder ( 2.2 ) on my existing Cyrus 2.2 box and connect it up with a new Cyrus 2.4 server ( on a new Debian v8 box ) and just move mail accounts over one at a time until all of the mail was off of the old box. Once all of the mail was off of the old Cyrus 2.2 box, I could then upgrade that to debian v8 and Cyrus 2.4 and then have 2 systems that the mail could be split between.

Can I run a Murder 2.2 server and have it talk with a Cyrus 2.4 IMAP box or do the versions have to be the same?

In a Cyrus Murder, you want the frontend server to be upgraded last. If a newer frontend is used, it will issue newer IMAP commands that the older backend doesn't support. When you are upgrading an existing Murder cluster, you upgrade in this order: mupdate master, backends, then frontends.

Murder does allow you to (mostly) transparently move mailboxes between backends. I have upgraded many times by simply moving the mailboxes to a new backend server with newer versions of the OS and Cyrus. However, you'll need to create 2 new hosts - a frontend and mupdate master. Then you'll need to move the DNS CNAME from the existing 2.2 server to the frontend.

A Murder is a bit complicated (don't forget about mail delivery too!), so let me suggest an alternative that keeps the downtime short.

Build a new server with Debian 8. I'd probably install Cyrus v2.5.latest by hand. Compiling Cyrus is very easy on Debian. Cyrus v2.5 has a major advantage over v2.4 - you can run a script to upgrade the mailbox format instead of waiting for the user to open the mailbox. See the release notes for upgrade instructions:

http://cyrusimap.org/imap/release-notes/2.5/x/2.5.0.html

Anyways, build the new server with Debian and whatever version of Cyrus makes you comfortable. Then, weeks before you plan to make the cutover, use rsync to copy the mail from the old server to the new server. Of course, the first run will take a long time to copy 200GB. Successive rsyncs will take less time as the deltas are smaller. In the week before the scheduled outage, run rsync every night.

During your outage window, stop Cyrus on the old server, run a final rsync, then swap IP addresses and/or DNS names, and start Cyrus on the new server.

There are a couple of advantages to this approach. You'll be able to test how the new server works with your actual mail. You can make configuration changes if needed. You can also time how long the rsync will take, so you know how much time to schedule for the outage. Even if there isn't much data to rsync on the final pass, it can still take a long time to calculate the differences between the 2 filesystems.

Before I ran Cyrus Murder, this is how I upgraded our Cyrus server to new hardware.

Andy
Re: 2.4.18, problem with reconstruct
On Fri, 5 Feb 2016, Sergey via Info-cyrus wrote:

> Hello. I attempted to reconstruct some damaged mailboxes with empty folders, but it does not work. I use this command:
>
>     su -l cyrus -s /bin/bash -c "/usr/lib/cyrus/reconstruct -f -r user/user@domain"
>
> Mail directory contains "Trash" subdirectory without any files (manually created from backup). Reconstruct works if I put any of files cyrus.* to this subdirectory.
>
> At the same time there was the opposite problem: I can not delete existing directory, reconstruct restores it.
>
> Is this a bug, or does it require any other settings to run reconstruct?

I usually use these steps to add a new folder using reconstruct:

    touch cyrus.header
    chown cyrus:mail cyrus.header
    reconstruct -f -r user.

So, I think the behavior you are seeing is expected. Create an empty cyrus.header file, with the correct ownership, before running reconstruct.

Andy
Re: unable to delete corrupted mail box on cyrus v2.3.16
On Mon, 11 Jan 2016, Sophie Loewenthal via Info-cyrus wrote:

> Hi! I have a broken mailbox that I would like to delete. This is Cyrus v2.3.16 on CentOS 6.
>
> I tried reconstructing the mailbox from scratch (because I suspect this was manually deleted from disc).
>
>     mkdir imap-store/spool/imap/domain/example.com/user/kat^long
>     cd imap-store/spool/imap/domain/example.com/user/kat^long
>     chmod 755 .
>     chown cyrus:mail .
>     touch cyrus.header
>     chown cyrus:mail cyrus.header
>
> log into cyradm:
>
>     localhost> lam user/kat.long
>     kat.l...@example.com lrswipkxtecda
>     localhost> reconstruct -r user/kae.long
>     reconstruct: Mailbox has an invalid format
>     localhost> dm user/kat.long
>     deletemailbox: Permission denied
>
> Names and domain names replaced with false entries. How could I remove this?

Here are my steps for recreating a mailbox (normally when I'm restoring a mailbox from backups):

1. Locate user's mail directory (/var/spool/cyrus/mail/prefix/user/username).
2. Change to that directory.
3. Make a RESTORE directory (mkdir RESTORE).
4. Fix ownership/perms (chown cyrus:mail RESTORE; chmod 700 RESTORE).
5. Change to the directory containing the mail folder the user wants restored.
6. Run 'recover', the Legato backup client.
7. 'changetime' to change the time to recover data from.
8. 'add filename' to add the files to restore. To restore all the messages in the folder, use 'add *.'.
9. 'relocate RESTORE' to recover files into the RESTORE directory instead of the current directory.
10. 'recover' to recover the files.
11. 'quit' to quit out of the recover program.
12. Create a dummy cyrus.header file (touch RESTORE/cyrus.header; chown cyrus:mail RESTORE/cyrus.header; chmod 600 RESTORE/cyrus.header).
13. Run "su cyrus -c '/usr/local/cyrus/bin/reconstruct -x -f user.username'".
14. Run "su cyrus -c '/usr/local/cyrus/bin/quota -f user.username'".

I think you're following the same basic steps, but I would try running reconstruct externally, not from cyradm. Don't forget the quota command either.

When you run reconstruct, check syslog for errors too.

Andy
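The header-seeding step that both reconstruct replies above rely on (an empty cyrus.header owned by cyrus:mail, mode 600, in each folder before reconstruct runs), as an added shell example that is not part of the thread. The function name seed_headers and the CYRUS_OWNER variable are assumptions; it generalizes the single-folder case to a whole mailbox tree.

```shell
#!/bin/sh
# Added example, not from the thread. seed_headers and CYRUS_OWNER are
# assumed names; cyrus:mail and mode 600 are the values the replies use.
CYRUS_OWNER="${CYRUS_OWNER:-cyrus:mail}"

# seed_headers DIR
#   Create an empty cyrus.header in DIR and in each subdirectory that has
#   none, so reconstruct will pick the folders up. Prints every directory it
#   seeded; returns non-zero if any directory could not be prepared.
seed_headers() {
    root=$1
    if [ ! -d "$root" ] || [ -L "$root" ]; then
        echo "seed_headers: need a real directory, got: $root" >&2
        return 2
    fi
    # find does not follow symlinks by default, so a link inside the spool
    # cannot steer the chown below to files outside the mailbox tree.
    find "$root" -type d | {
        rc=0
        while IFS= read -r dir; do
            hdr=$dir/cyrus.header
            if [ -e "$hdr" ] || [ -L "$hdr" ]; then
                # Never touch an existing header; flag anything that is
                # not a plain file sitting where the header should be.
                if [ ! -f "$hdr" ] || [ -L "$hdr" ]; then
                    echo "seed_headers: not a regular file: $hdr" >&2
                    rc=1
                fi
                continue
            fi
            # umask 077 yields mode 600; noclobber (set -C) makes creation
            # fail rather than truncate if the file appears in the meantime.
            if ( umask 077; set -C; : > "$hdr" ) 2>/dev/null &&
               chown -h "$CYRUS_OWNER" "$dir" "$hdr"; then
                printf '%s\n' "$dir"
            else
                echo "seed_headers: could not prepare $dir" >&2
                rc=1
            fi
        done
        [ "$rc" -eq 0 ]
    }
}

# Stand-alone use: sh seed_headers.sh /var/spool/cyrus/mail/prefix/user/username
[ "$#" -eq 0 ] || seed_headers "$1"
```

Afterwards run reconstruct and quota -f as the cyrus user, as in steps 13 and 14, and check syslog for errors.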
Re: delprune on a single mailbox
On Fri, 6 Nov 2015, Marcus Schopen via Info-cyrus wrote:

> On Wednesday, 04.11.2015, 06:36 -0500, Adam Tauno Williams via Info-cyrus wrote:
> > > > > > globally in cyrus.conf delprune is set to
> > > > > >
> > > > > > delprune cmd="/usr/sbin/cyrus expire -E 1 -X 7 -D 7" at=0501
> > > > > >
> > > > > > For a single mailbox I don't want to keep deleted mails for 7 days, but expire them immediately or once a day per cron. How to do that?
> > > > >
> > > > > Forgot to say that delete_mode and expunge_mode is set to delayed. Via cron this should work for an immediate cleanup/expire:
> > > >
> > > > You can set an expire annotation per mailbox.
> > >
> > > How do I do that?
> >
> > From cyr_expire manpage:
> >
> > > "The value of the /vendor/cmu/cyrus-imapd/expire annotation is inherited by all children of the given mailbox, so an entire mailbox tree can be expired by setting a single annotation on the root of that tree. If a mailbox does not have a /vendor/cmu/cyrus-imapd/expire annotation set on it (or does not inherit one), then no messages are expired from the mailbox."
> >
> > Via cyradm -
> >
> >     cyrus.example.com> mboxcfg user.adam expire 365
> >     cyrus.example.com> info user.adam
> >     {user.adam}:
> >       condstore: false
> >       duplicatedeliver: false
> >       expire: 365
> >       lastpop:
> >       lastupdate: 13-Aug-2008 19:37:31 -0400
> >       partition: default
> >       sharedseen: false
> >       size: 12325671
> >
> > AFAIK the annotations supported by cyradm/mboxcfg are:
> >
> > * comment – A free-form text comment or description to be attached to the mailbox.
> > * condstore – This annotation is only supported in the 2.3.x release series starting with 2.3.3 although its use is not recommended until 2.3.8. As of the 2.4.x release series CONDSTORE functionality is enabled on all mailboxes regardless of annotation and attempting to set this annotation will result in a permission denied message. On releases where this annotation is supported setting a value of “true” will enable CONDSTORE functionality.
> > * expire – If an expire value is provided messages will be automatically deleted from the mailbox once the specified number of days has elapsed.
> > * news2mail -
> > * sharedseen - Enables the use of a shared \Seen flag on messages rather than a per-user \Seen flag. The 's' right in the mailbox ACL still controls whether a user can set the shared \Seen flag.
> > * sieve – In the case of a shared folder the “sieve” parameter specifies the name of a global SIEVE script that will be used for every message delivered to the folder. This value is ignored for personal mailboxes (mailboxes including and subordinate to a user's INBOX).
> > * squat – Flags the mailbox to be included for indexing when the SQUAT process performs index generation.
> >
> > > But is it possible to expunge a message immediately when it's deleted by client and not with the next expire run?
> >
> > Not if delayed expunge is enabled AFAIK; that would defeat the purpose.
>
> I set "mboxcfg user.test expire 1" on a test mailbox, but it has no effect on nightly delprune set in cyrus.conf EVENT: delprune cmd="/usr/sbin/cyrus expire -E 1 -X 7 -D 7" at=0501" Messages deleted two days ago are still in the file system.
>
>     localhost> info user.test
>     {user.test}:
>       duplicatedeliver: false
>       expire: 1
>       lastpop:
>       lastupdate: 4-Nov-2015 17:14:20 +0100
>       partition: default
>       pop3newuidl: true
>       sharedseen: false
>       size: 0

The expire annotation causes Cyrus to delete messages older than days. If you have delayed_expunge enabled, the messages still remain on the filesystem until you purge them using cyr_expire.

Andy