Re: Input on patch for ptclient/ldap requested

2011-08-09 Thread Ben Poliakoff
* Clement Hermann (nodens)  [20110809 04:04]:
> On 09/08/2011 02:08, Jeroen van Meeuwen (Kolab Systems) wrote:
> > Hi there,
> >
> Hi,
> 
> > I wanted to ask who is actively using ptclient/ldap, as I have some inhouse
> > patch pending on the canonification using some sort of result_attribute, if
> > you will.
> >
> > We currently have under consideration whether everything, life and the
> > universe should be configurable before the patch is accepted upstream, which
> > is to say (pardon my postfix lingo);
> >
> > - result_attribute_format,
> > - leaf_result_attribute,
> >
> > but also;
> >
> > - group_filter_scope,
> > - group_result_attribute
> >
> > Which is to say, we have a deployment extensively using 'nsroledn' -which
> > functionally behaves like a 'memberOf', and the question then becomes if you
> > want to use the 'cn' attribute for groups -which most often is not enforced to
> > be a unique attribute value for groups, but is automatically unique if the
> > search scope for groups is 'one' and the 'cn' attribute builds the 'rdn'.
> >
> > Long story short, I would like to know of other people who use ptclient/ldap,
> > or have attempted to do so but failed, and the various use-case / deployment
> > scenarios.
> 
> We use it for shared folders / mailboxes, on a Stock debian install (so 
> 2.2.x), we only repackaged cyrus to include pts support. Works great so far
> 

We use it extensively (in our current 2.3.x murder and soon in 2.4) for
controlling access to shared folders.

In addition we use ldap/pts as a general purpose authorization service
for our Cyrus Murder installation; we've got a lot of people in our LDAP
directory and Kerberos KDC, but only a subset of that population get
IMAP service.

We haven't had an issue with non-uniqueness of "cn" for group names as
we use a dedicated search base for groups and our groups have their cn
built into their dn...

We have noticed some weirdness when ptloader is configured to
authenticate to the LDAP server, it appears to want to do a SASL proxy
authz *as* the end user.  This seems unnecessarily complex and it fails
in a non-graceful way in our environment, consequently we've configured
ptloader to do anonymous ldap queries.

Ben

-- 

PGP (318B6A97):  3F23 EBC8 B73E 92B7 0A67  705A 8219 DCF0 318B 6A97



Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/

Re: Vacation notices time controlled

2008-03-11 Thread Ben Poliakoff
* Rudy Gevaert <[EMAIL PROTECTED]> [20080311 08:21]:
> Christian Garling wrote:
> > Hello,
> > 
> > is there a user-friendly way to create time controlled vacation notices?
> > We want to define start date and end date for vacation. I did not find
> > something that would work while my internet search.
> 
> This is not possible from the Sieve implementation in Cyrus.  IIRC the 
> Sieve RFCs don't provide it either.
> 

Actually there is a draft sieve 'date' extension which could support
this sort of thing (and other interesting things like time based message
routing):

http://tools.ietf.org/html/draft-freed-sieve-date-index-08

But of course this is a draft and cyrus imap doesn't support it as of
yet.

Ben

-- 

PGP fingerprint:  A131 F813 7A0F C5B7 E74D  C972 9118 A94D 6AF5 2019



Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Spam filtering / Sieve on bulletinboards

2007-02-28 Thread Ben Poliakoff
* Janne Peltonen <[EMAIL PROTECTED]> [20070228 07:16]:
> On Tue, Feb 27, 2007 at 07:07:22AM -0800, Ben Poliakoff wrote:
> > Since version 2.2.13 bulletins/shared-folders can be made to evaluate
> > sieve scripts.  Configuring these scripts is different in two key ways:
> > 
> >   - sieve scripts for shared folders must be uploaded into the global
> > namespace, one does this by connecting to the sieve server as a user
> > listed in the 'admins' section in imapd.conf
> > 
> >   - once the script has been uploaded into the global namespace a
> > shared folder can be configured to use the script via the new
> > 'sieve' mailbox annotation (e.g. in cyradm 'mboxcfg <mailbox> sieve
> > <script>')
> > 
> > We use this feature a lot these days.
> 
> Thanks. :)
> 
> But this means, doesn't it, that a normal user can't install sieve
> scripts for bulletin boards, even if she has full access for the
> bulletin board? Or is the way to go to create a collection of different
> global sieve scripts for bb users to select from? Would there happen to
> be a Web tool for this purpose? Should I RTFM? ;) (Cyrus' documentation
> is sparse at some subjects.)
> 

Yes it's true, end users can't upload scripts to the global namespace.
End users can (given the correct ACL) update the annotation on a shared
folder to select a pre-existing sieve script in the global namespace.

As far as I know there isn't a widely circulated web UI to do this, one
would need to roll one's own using the Cyrus perl modules.

Ben



Re: Spam filtering / Sieve on bulletinboards

2007-02-27 Thread Ben Poliakoff
* Janne Peltonen <[EMAIL PROTECTED]> [20070226 23:55]:
> On Mon, Feb 26, 2007 at 03:53:09PM -0600, Chris St. Pierre wrote:
> > We use something like this:
> > 
> > # Probably Spam
> > if header :comparator "i;ascii-casemap" :matches "Subject" "[SPAM:*"
> > {
> > fileinto "INBOX.Junk Mail";
> > stop;
> > }
> 
> So apparently you can sieve mail coming to a bulletin board? How?
> 
> Thanks in advance.
> 

Since version 2.2.13 bulletins/shared-folders can be made to evaluate
sieve scripts.  Configuring these scripts is different in two key ways:

  - sieve scripts for shared folders must be uploaded into the global
namespace, one does this by connecting to the sieve server as a user
listed in the 'admins' section in imapd.conf

  - once the script has been uploaded into the global namespace a
shared folder can be configured to use the script via the new
'sieve' mailbox annotation (e.g. in cyradm 'mboxcfg <mailbox> sieve
<script>')

We use this feature a lot these days.

One interesting gotcha about the sieve global namespace is that (at
least in 2.3.7) it is subject to some of the same limitations as a
normal user's sieve access.  With the default configs you'll be able
to upload a maximum of 5 separate scripts to the global namespace.
'sieve_maxscripts' can be set to a value higher than 5 but of course
this will allow normal users to upload more scripts as well.  It would
be nice to be able to configure distinct behaviors / limitations /
capabilities for the global namespace vs the end-user space.

Ben



Re: Thunderbird + Kerberos 5 + Cyrus SASL-and-IMAP?

2007-02-09 Thread Ben Poliakoff
* Jeff Blaine <[EMAIL PROTECTED]> [20070209 10:42]:
> A little more info, in case anyone finds the time to help
> me out:
> 
> I've tried everything I can imagine.
> 
> saslauthd:
> 
> saslauthd -a kerberos5 -d (with additional debug code by me!)
> 
> Feb  9 13:22:20 noodle.foo.com saslauthd[27437]:
> auth_krb5: krb5_kt_read_service_key returned -1765328203
> - going to fini: in k5support_verify_tgt()
> 
> I can find no information on that Kerberos error, but I
> most certainly have imap/noodle.foo.com in a readable
> /etc/krb5.keytab (and truss shows it being read fine).
> 
> imapd.conf:
> 
> sasl_pwcheck_method: saslauthd
> 

I'm fairly certain that saslauthd is going to be looking for a *host*
principal in the keytab (i.e. host/noodle.foo.com).  Do you have a host
principal in the same keytab file?

Of course saslauthd won't be involved at all if you're doing GSSAPI auth
with Thunderbird, saslauthd is only used for "plaintext" authentication.

Ben



Re: Patches used at FastMail.FM

2007-01-08 Thread Ben Poliakoff
* Ken Murchison <[EMAIL PROTECTED]> [20070108 08:34]:
> 
> Jeff and I have already discussed pushing out a 2.3 release soon -- as 
> soon as we iron out all of the wrinkles in our 2.3 deployment on campus.
> 
> We found a few small buglets in the IMAP proxy code that we didn't 
> expect.  Either nobody else has a 2.3 Murder running, or they didn't 
> notice the random (infrequent) core dumps.
> 

/me waves.  I just turned up a 2.3.7 based murder and *have* noticed
those core dumps.  Please let me know if I can provide you with any
pertinent information.

Ben




Re: renaming a mailbox fails

2006-10-17 Thread Ben Poliakoff
* Marten Lehmann <[EMAIL PROTECTED]> [20061017 10:43]:
> Hello,
> 
> within cyradm I'm trying to rename a folder.
> 
> My goal would be to rename a mailbox from
> 
> user/[EMAIL PROTECTED]
> 
> to
> 
> backup/2006-10-17/[EMAIL PROTECTED] or
> backup/2006-10-17/[EMAIL PROTECTED]
> 
> But renaming always fails, even with really simple renames:
> 
> rename user/[EMAIL PROTECTED] user/[EMAIL PROTECTED]
> 
> renamemailbox: Operation is not supported on mailbox
> 
> What am I doing wrong?
> 
> > lam user/[EMAIL PROTECTED]
> [EMAIL PROTECTED] lrswipcda
> 
> Is any right missing?

Set 'allowusermoves' to '1' in imapd.conf?  From the imapd.conf man
page:

  allowusermoves: 0

  Allow moving user accounts (with associated meta‐data) via RENAME or XFER.

  Note  that  measures  should  be taken to make sure that the user being
  moved is not logged in, and can not login during the move.  Failure  to
  do  so  may  result in the user’s meta‐data (seen state, subscriptions,
  etc) being corrupted or out of date.

Ben



Re: Question about using ipurge

2006-10-17 Thread Ben Poliakoff
* Andrew Morgan <[EMAIL PROTECTED]> [20061017 10:17]:
> On Tue, 17 Oct 2006, Andrew Morgan wrote:
> 
> >On Tue, 17 Oct 2006, AndrXs Tarallo wrote:
> >
> >>We need to clean certain mails from a mailbox. Specifically we are
> >>trying to clean mails older than 30 days. So we execute (as cyrus)
> >>this command:
> >>
> >>ipurge -d 30 username
> >>
> >>It returns almost immediately but nothing happens and the mails remain
> >>there. We didn't use -f flag because we were afraid of deleting all
> >>mailboxes.
> >>
> >>Thanks in advance
> >
> >Have you tried using "ipurge -d 30 user.username"?
> 

Perhaps you should consider using the expiration annotation on the
mailbox(es) in question.  Mailboxes with expiration annotations are
pruned via a periodic 'cyr_expire' event in cyrus.conf.  Here's a sample
entry in the cyrus.conf events section:

EVENTS {
...
prune  cmd="cyr_expire -E 3" at=0400
...
}
   
For more details see the man page, cyr_expire(8).

Ben



Re: LMTPD sockets

2006-08-17 Thread Ben Poliakoff
* David Korpiewski <[EMAIL PROTECTED]> [20060817 14:03]:
> This is building on my original discussion about simultaneous access:
> 
> We are having a problem where two servers accessing the same SAN now 
> give us a LMTPD error because they are stomping on each other's sockets 
> (they share the same database on the SAN with the same socket 
> directory).  Is there any way to prevent this from happening or easily 
> configuring them not to not to use the same sockets?
> 
> I've gone into cyrus.conf and changed the socket directory listed for 
> lmtpd but for some reason the deliver still fails on accessing the 
> original socket directory.   So somewhere else in the system it is 
> trying to access configdirectory/socket/lmtpd.

I suspect you need to look at modifying the 'lmtpsocket:' option in
imapd.conf:

From the man page:

   lmtpsocket: {configdirectory}/socket/lmtp

Unix domain socket that lmtpd listens on, used by
deliver(8). This should match the path specified in
cyrus.conf(5).

Ben

Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: ptloader segfaulting while looking up LDAP groups

2006-08-09 Thread Ben Poliakoff
* Igor Brezac <[EMAIL PROTECTED]> [20060809 11:50]:
> 
> 
> On Wed, 9 Aug 2006, Ben Poliakoff wrote:
> 
> >* Igor Brezac <[EMAIL PROTECTED]> [20060809 07:39]:
> >>
> >>
> >>On Tue, 8 Aug 2006, Ben Poliakoff wrote:
> >>
> >>>ptloader is segfaulting on multiple servers in my test environment when
> >>>the user that is connecting for IMAP service is found in more than one
> >>>group.
> >>>
> >>>I have a core file, but it doesn't seem that useful since a number of
> >>>the libraries that ptloader links to don't currently have debugging
> >>>symbols...
> >>
> >>Can you provide backtrace?
> >>
> >
> >Yes, here's a backtrace...
> >
> >Core was generated by `ptloader'.
> >Program terminated with signal 11, Segmentation fault.
> >...
> >#0  0x2b180d157c00 in strlen () from /lib/libc.so.6
> >(gdb) bt
> >#0  0x2b180d157c00 in strlen () from /lib/libc.so.6
> >#1  0x004079f7 in ptsmodule_make_authstate_filter (canon_id=0x0,
> >   size=0, reply=0x6e, dsize=0x1, newstate=0x7fff9e958860) at
> >ldap.c:1070
> >#2  0x00407de6 in myauthstate (identifier=0x0, size=4,
> >   reply=0x7fff9e9588d8, dsize=0x7fff9e9588e4) at ldap.c:1217
> >#3  0x0040590a in ptsmodule_make_authstate (
> >   identifier=0x7fff9e9588f0 "benp", size=4, reply=0x7fff9e9588d8,
> >   dsize=0x7fff9e9588e4) at ptloader.c:120
> >#4  0x00405b60 in service_main_fd (c=7, argc=4, argv=0x5db69c,
> >   envp=0x0) at ptloader.c:235
> >#5  0x0040821a in main (argc=6099056, argv=0x7fff9e959258,
> >   envp=0x7fff9e959268) at service-thread.c:304
> >
> >Ben
> >
> 
> The last commit has an issue.
> 
> Please try this patch and report back:
> 
> --- ldap.c.orig   2006-08-09 14:42:05.023665000 -0400
> +++ ldap.c2006-08-09 14:42:41.274455000 -0400
> @@ -1065,11 +1065,11 @@
>  continue;
> 
>  strcpy((*newstate)->groups[i].id, "group:");
> +
>   int j;
> - strcpy((*newstate)->groups[i].id, "group:");
> - for(j =0; j < strlen(vals[i]); j++) {
> -   if(isupper(vals[i][j]))
> - vals[i][j]=tolower(vals[i][j]);
> + for(j =0; j < strlen(vals[0]); j++) {
> +   if(isupper(vals[0][j]))
> + vals[0][j]=tolower(vals[0][j]);
>   }
> 
>  strlcat((*newstate)->groups[i].id, vals[0],
> 
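Review bot: the removed loop indexed the attribute value array with the group counter (`strlen(vals[i])`, `vals[i][j]`) while the `strlcat` that follows still appends `vals[0]`; as soon as a user is in more than one group, `i` runs past the values of the current entry and `strlen()` is presumably handed a NULL, which matches the `strlen()` frame at ldap.c:1070 in the backtrace. Switching to `vals[0]` is the right fix, but the new loop still calls `strlen(vals[0])` on every iteration and passes a plain `char` to `isupper()`/`tolower()`, which is undefined for negative values (non-ASCII bytes in a group name). Hoist the length and cast through `unsigned char`, e.g. `size_t n = strlen(vals[0]); for (j = 0; j < n; j++) vals[0][j] = tolower((unsigned char) vals[0][j]);`. The `int j;` declared in the middle of the block also requires a C99 compiler; moving it to the top of the block keeps the file building with older toolchains. Dropping the duplicated `strcpy(... "group:")` is fine.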

Yes, this patch fixes the problem.  Thanks so much for your help!

Ben



Re: ptloader segfaulting while looking up LDAP groups

2006-08-09 Thread Ben Poliakoff
* Ben Poliakoff <[EMAIL PROTECTED]> [20060809 09:53]:
> * Igor Brezac <[EMAIL PROTECTED]> [20060809 07:39]:
> > 
> > 
> > On Tue, 8 Aug 2006, Ben Poliakoff wrote:
> > 
> > >ptloader is segfaulting on multiple servers in my test environment when
> > >the user that is connecting for IMAP service is found in more than one
> > >group.
> > >
> > >I have a core file, but it doesn't seem that useful since a number of
> > >the libraries that ptloader links to don't currently have debugging
> > >symbols...
> > 
> > Can you provide backtrace?
> > 
> 
> Yes, here's a backtrace...
> 
> Core was generated by `ptloader'.
> Program terminated with signal 11, Segmentation fault.
> ...
> #0  0x2b180d157c00 in strlen () from /lib/libc.so.6
> (gdb) bt
> #0  0x2b180d157c00 in strlen () from /lib/libc.so.6
> #1  0x004079f7 in ptsmodule_make_authstate_filter (canon_id=0x0,
> size=0, reply=0x6e, dsize=0x1, newstate=0x7fff9e958860) at
> ldap.c:1070
> #2  0x00407de6 in myauthstate (identifier=0x0, size=4,
> reply=0x7fff9e9588d8, dsize=0x7fff9e9588e4) at ldap.c:1217
> #3  0x0040590a in ptsmodule_make_authstate (
> identifier=0x7fff9e9588f0 "benp", size=4, reply=0x7fff9e9588d8,
> dsize=0x7fff9e9588e4) at ptloader.c:120
> #4  0x00405b60 in service_main_fd (c=7, argc=4, argv=0x5db69c,
> envp=0x0) at ptloader.c:235
> #5  0x0040821a in main (argc=6099056, argv=0x7fff9e959258,
> envp=0x7fff9e959268) at service-thread.c:304
> 

And here are the last few lines from an strace of the ptloader process:

22009 uname({sys="Linux", node="imap-3", ...}) = 0
22009 time(NULL)= 1155079054
22009 write(8, "0\f\2\1\1`\7\2\1\3\4\0\200\0", 14) = 14
22009 select(256, [8], [], NULL, NULL)  = 1 (in [8])
22009 read(8, "0\f\2\1\1a\7\n", 8)  = 8
22009 read(8, "\1\0\4\0\4\0", 6)= 6
22009 time(NULL)= 1155079054
22009 time(NULL)= 1155079054
22009 write(8, "03\2\1\2c.\4\16dc=example,dc=com\n\1\2\n\1\0\2\1\n"..., 53)
= 53
22009 time(NULL)= 1155079054
22009 select(256, [8], [], NULL, {5, 0}) = 1 (in [8], left {4, 996000})
22009 read(8, "0\202\2t\2\1\2d", 8) = 8
22009 read(8, "\202\2m\4!uid=benp,ou=People,dc=example,"..., 624) = 624
22009 time(NULL)= 1155079054
22009 select(256, [8], [], NULL, {4, 996000}) = 1 (in [8], left {4,
996000})
22009 read(8, "0\f\2\1\2e\7\n", 8)  = 8
22009 read(8, "\1\0\4\0\4\0", 6)= 6
22009 time(NULL)= 1155079054
22009 time(NULL)= 1155079054
22009 write(8, "0`\2\1\3c[\4\27ou=group,dc=example,dc=com"..., 98) = 98
22009 time(NULL)= 1155079054
22009 select(256, [8], [], NULL, {5, 0}) = 1 (in [8], left {5, 0})
22009 read(8, "0H\2\1\3dC\4", 8)= 8
22009 read(8, "(cn=group-1,ou=Group,dc=re"..., 66) = 66
22009 time(NULL)= 1155079054
22009 select(256, [8], [], NULL, {5, 0}) = 1 (in [8], left {5, 0})
22009 read(8, "0D\2\1\3d?\4", 8)= 8
22009 read(8, "&cn=group-2,ou=Group,dc=example"..., 62) = 62
22009 time(NULL)= 1155079054
22009 select(256, [8], [], NULL, {5, 0}) = 1 (in [8], left {5, 0})
22009 read(8, "0\f\2\1\3e\7\n", 8)  = 8
22009 read(8, "\1\0\4\0\4\0", 6)= 6
22009 time(NULL)= 1155079054
22009 time(NULL)= 1155079054
22009 --- SIGSEGV (Segmentation fault) @ 0 (0) ---



Re: ptloader segfaulting while looking up LDAP groups

2006-08-09 Thread Ben Poliakoff
* Igor Brezac <[EMAIL PROTECTED]> [20060809 07:39]:
> 
> 
> On Tue, 8 Aug 2006, Ben Poliakoff wrote:
> 
> >ptloader is segfaulting on multiple servers in my test environment when
> >the user that is connecting for IMAP service is found in more than one
> >group.
> >
> >I have a core file, but it doesn't seem that useful since a number of
> >the libraries that ptloader links to don't currently have debugging
> >symbols...
> 
> Can you provide backtrace?
> 

Yes, here's a backtrace...

Core was generated by `ptloader'.
Program terminated with signal 11, Segmentation fault.
...
#0  0x2b180d157c00 in strlen () from /lib/libc.so.6
(gdb) bt
#0  0x2b180d157c00 in strlen () from /lib/libc.so.6
#1  0x004079f7 in ptsmodule_make_authstate_filter (canon_id=0x0,
size=0, reply=0x6e, dsize=0x1, newstate=0x7fff9e958860) at
ldap.c:1070
#2  0x00407de6 in myauthstate (identifier=0x0, size=4,
reply=0x7fff9e9588d8, dsize=0x7fff9e9588e4) at ldap.c:1217
#3  0x0040590a in ptsmodule_make_authstate (
identifier=0x7fff9e9588f0 "benp", size=4, reply=0x7fff9e9588d8,
dsize=0x7fff9e9588e4) at ptloader.c:120
#4  0x00405b60 in service_main_fd (c=7, argc=4, argv=0x5db69c,
envp=0x0) at ptloader.c:235
#5  0x0040821a in main (argc=6099056, argv=0x7fff9e959258,
envp=0x7fff9e959268) at service-thread.c:304

Ben



ptloader segfaulting while looking up LDAP groups

2006-08-08 Thread Ben Poliakoff
ptloader is segfaulting on multiple servers in my test environment when
the user that is connecting for IMAP service is found in more than one
group.

I have a core file, but it doesn't seem that useful since a number of
the libraries that ptloader links to don't currently have debugging
symbols...

software versions:

Platform: debian sarge amd64
Cyrus IMAP version: 2.3.7
Cyrus SASL version: 2.1.19
local OpenLDAP version: 2.2.23
Remote OpenLDAP version: 2.3.24

ldap configs from imapd.conf:

auth_mech: pts
pts_module: ldap

ldap_filter: (uid=%U)

ldap_start_tls: 0
ldap_base: dc=example,dc=com
ldap_sasl: 0
ldap_uri: ldap://ldap.example.com

# max number of records to return
ldap_size_limit: 100

# begin LDAP group configs
# find groups
ldap_group_base: ou=group,dc=example,dc=com
ldap_group_filter: (cn=%U)
# find members of groups
ldap_member_base: ou=group,dc=example,dc=com
ldap_member_method: filter
ldap_member_filter: (member=%D)
ldap_member_attribute: cn

Has anyone else seen a problem like this?

Ben




Problem with ptloader and SASL authenticated LDAP

2006-07-05 Thread Ben Poliakoff
Hi All,

I've been trying to use the LDAP pts module with Cyrus imapd 2.3.6.
I've had reasonably good success with ptloader configured to do
*anonymous* binds, but when I set 'ldap_sasl: 1' in imapd.conf ptloader
fails to bind to my LDAP server with the following error:

Unable to set LDAP_OPT_X_SASL_SECPROPS.

The master process is running with GSSAPI credentials (I'm able to
bind to the LDAP server with these credentials using the 'ldapsearch'
command, even when I manually specify SASL secprops with ldapsearch's
-O option).  By default it appears that cyrus sets the 'noplain' SASL
secprop.  Looking through the archives I haven't seen mention of the above
error.  My ldap_* configs look like this:

ldap_filter: (uid=%U)
ldap_realm: example.com
ldap_start_tls: 1
ldap_tls_cacert_dir: /etc/ssl/certs
ldap_mech: gssapi
ldap_base: ou=people,dc=example,dc=com
ldap_group_base: ou=group,dc=example,dc=com
ldap_sasl: 1
ldap_uri: ldap://ldap.example.com

Am I missing something big?  

Ben



Re: kerberos auth trouble (take 2)

2004-12-10 Thread Ben Poliakoff
Replies inline

* Mark Hannessen <[EMAIL PROTECTED]> [041210 04:09]:
> 
> hi.
> 
> I am trying to setup a kerberos v5 only mailserver.
> that is: I would like all authorisation to be done by gssapi/kerberos.
> so this is what I did..
> # I added the imap principal to the imap server and gave it the right 
> permissions.
> 
> addprinc -randkey imap/xp2600c.linuxnet.nl
> ktadd -k /etc/krb5.keytab imap/xp2600c.linuxnet.nl
> chown cyrus:root /etc/krb5.keytab
> 
> I obtain a ticket using:
> 
> kinit mark
> 
> klist returns the following:
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [EMAIL PROTECTED]
> Valid starting Expires Service principal
> 12/10/04 11:17:50 12/11/04 11:17:50 krbtgt/[EMAIL PROTECTED]
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> I then try running the imtest program to test out if everything is ok.
> 
> imtest xp2600c.linuxnet.nl
> S: * OK nperfection.com Cyrus IMAP4 v2.2.8 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS 
> NAMESPACE 
> UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT 
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE LOGINDISABLED 
> AUTH=GSSAPI SASL-IR
> S: C01 OK Completed
> C: A01 AUTHENTICATE GSSAPI 
> YIICDwYJKoZIhvcSAQICAQBuggH+MIIB+qADAgEFoQMCAQ6iBwMFACCjggEWYYIBEjCCAQ6gAwIBBaENGwtMSU5VWE5FVC5OTKImMCSgAwIBA6EdMBsbBGltYXAbE3hwMjYwMGMubGludXhuZXQubmyjgc8wgcygAwIBEKEDAgEGooG/BIG8Fblb9IEEBBehkSNV/kckAwkbDn4WZcmTpbSrdOMyi0NI+yB6a4Q25Fw0coWt1z+H78gco+/ebkPZFHmy2c7Fx6YJ8aD7sLikgVHrC6cMpbdhtFeF+6HKcUelZKVCgR8DGuxuomODHA8z4HCfu0Bg4PvECbhnbL0q02q7873KxtEJOIH06c5cqzHaFa3u2q6XvIpn4QqIs40Ul1stMQdQpd9njof/UTaJrwbV5cdo10BdXF6PPynM1aWzWmGkgcowgcegAwIBEKKBvwSBvFKdv3AGvjSJnZgYj1ag25rpeTBHtY5phHmneNDA+BnnUl2SBYxC/UQ4hiPYMSwIUQZJecSOn9QMXIZgg3u/92M+3d5/WMYrbLmB4y7wkraZ+nlngRFQ1wDhDWA7/T3+HBcVnOXmhYJhnW+Xs9wv/Jpgq/UBcnzmCjqQMbYYUedeoR5BOSx4C6KwGQALyXjkZNpBd1dUHutFINPeAXI2AXD8/L2cWnTHO5oak2tDYJDSJaTa5YxE7IbZrq9m
> S: A01 NO generic failure
> Authentication failed. generic failure
> Security strength factor: 0
> 
> this seems to fail for some reason
> when i run klist again it returns:
> 
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [EMAIL PROTECTED]
> 
> Valid starting Expires Service principal
> 12/10/04 11:17:50 12/11/04 11:17:50 krbtgt/[EMAIL PROTECTED]
> 12/10/04 11:18:38 12/11/04 11:17:50 imap/[EMAIL PROTECTED]
> 
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> 
> so I DO see an addition principal in my list.
> 
> as expected the cyrus admin tool doesn't work as well.
> 
> cyradm xp2600c.linuxnet.nl -auth GSSAPI
> cyradm: cannot authenticate to server with GSSAPI as mark
> 
> my system log file contains the following:
> 
> Dec 10 11:33:48 xp2600c imap[1896]: badlogin: xp2600c.linuxnet.nl [10.4.8.27] 
> GSSAPI [SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No 
> principal in keytab matches desired name)]

I would guess that imapd isn't actually looking in /etc/krb5.keytab.

> But I don't understand this message since I DID add imap/xp2600c.linuxnet.nl 
> to the server's keytab.
> 
> my imapd.conf looks like this:
> 
> servername: nperfection.com
> configdirectory: /cyrus-imapd/var/imap
> partition-default: /cyrus-imapd/var/spool/imap
> admins: [EMAIL PROTECTED]
> lmtp_admins: lmtpmanager
> sasl_passwd_check: GSSAPI
> sasl_mech_list: GSSAPI
> keytab: /etc/krb5.keytab
> annotation_db: skiplist
> duplicate_db: skiplist
> mboxlist_db: skiplist
> ptscache_db: skiplist
> quota_db: skiplist
> seenstate_db: skiplist
> subscription_db: skiplist
> tlscache_db: skiplist
> allowapop: no
> skiplist_unsafe: no
> virtdomains: userid
> defaultdomain: localdomain
> allowplaintext: no
> before trying to work with kerberos I used this config
> and it worked great... it however was plain text all the way.
> configdirectory: /cyrus-imapd/var/imap
> partition-default: /cyrus-imapd/var/spool/imap
> admins: root
> sasl_pwcheck_method: saslauthd
> lmtp_admins: lmtpmanager
> sasl_passwd_check: saslauthd
> sasl_ldap_servers: openldap.linuxnet.nl
> sasl_ldap_bind_dn: cn=Manager,dc=linuxnet,dc=nl
> sasl_ldap_bind_pw: secret
> allowplaintext: yes
> sasl_mech_list: LOGIN PLAIN
> annotation_db: skiplist
> duplicate_db: skiplist
> mboxlist_db: skiplist
> ptscache_db: skiplist
> quota_db: skiplist
> seenstate_db: skiplist
> subscription_db: skiplist
> tlscache_db: skiplist
> allowapop: no
> skiplist_unsafe: no
> virtdomains: userid
> defaultdomain: localdomain
> 
> does anybody have a suggestion where I should look next?
> 

While "srvtab" is described in the man page for imapd.conf "keytab" is
not.  You probably want to use a separate keytab file for cyrus anyway
(so that the cyrus user doesn't have access to keys that don't belong to
it, like host/foo.bar.com).

We use a separate keytab that is readable by the cyrus user.  This is
accomplished by adding the following to the startup script we use for
cyrus:

KRB5_KTNAME="
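
The separation argued for above (a keytab holding only the keys cyrus needs, so the cyrus user never holds `host/` keys), and the 2007-02-09 question of whether a host principal sits in the same keytab, as an added Python example that is not part of either post: it writes and parses MIT keytab format 0x0502 and lists the principals that do not belong to the named service. The sample entries and key bytes are constructed, and the parser assumes the 0x0502 layout (the only version it accepts).

```python
"""Added example: build and inspect an MIT keytab (format 0x0502) and flag
principals a service keytab should not contain."""
import struct
from typing import Dict, List, Tuple

KRB5_NT_PRINCIPAL = 1
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18


def _cstr(b: bytes) -> bytes:
    """Counted octet string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries: List[Tuple[str, int, int, bytes]]) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples as a 0x0502 keytab."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))   # component count (realm excluded in v2)
        body += _cstr(realm.encode())
        for comp in comps:
            body += _cstr(comp.encode())
        body += struct.pack(">I", KRB5_NT_PRINCIPAL)      # name type
        body += struct.pack(">I", 0)                       # timestamp (constructed)
        body += struct.pack(">B", kvno & 0xFF)             # 8-bit kvno
        body += struct.pack(">H", enctype) + _cstr(key)    # keyblock
        body += struct.pack(">I", kvno)                    # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body         # entry size prefix
    return bytes(out)


class _Cursor:
    """Bounds-checked reader over one keytab entry."""
    def __init__(self, data: bytes, pos: int, end: int):
        self.data, self.pos, self.end = data, pos, end

    def take(self, n: int) -> bytes:
        if self.pos + n > self.end:
            raise ValueError("truncated keytab entry")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u(self, fmt: str) -> int:
        return struct.unpack(">" + fmt, self.take(struct.calcsize(">" + fmt)))[0]

    def cstr(self) -> bytes:
        return self.take(self.u("H"))


def parse_keytab(data: bytes) -> List[Dict[str, object]]:
    """Return one dict per live entry; deleted slots (negative size) are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:
            pos += -size
            continue
        cur = _Cursor(data, pos, pos + size)
        ncomp = cur.u("H")
        realm = cur.cstr().decode()
        comps = [cur.cstr().decode() for _ in range(ncomp)]
        cur.u("I")                  # name type, not needed here
        timestamp = cur.u("I")
        kvno = cur.u("B")
        enctype = cur.u("H")
        key = cur.cstr()
        if cur.end - cur.pos >= 4:  # newer keytabs append a 32-bit kvno
            kvno = cur.u("I")
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "key_len": len(key), "timestamp": timestamp})
        pos = pos + size
    return entries


def foreign_principals(data: bytes, allowed_services) -> List[str]:
    """Principals whose service component is not one this daemon should hold."""
    return sorted({str(e["principal"]) for e in parse_keytab(data)
                   if str(e["principal"]).split("/", 1)[0] not in allowed_services})


# Constructed sample: the imap/ key cyrus needs plus a host/ key that belongs to the OS.
SAMPLE_KEYTAB = build_keytab([
    ("imap/mail.example.com@EXAMPLE.COM", 3, ENCTYPE_AES256_CTS_HMAC_SHA1_96, b"\x11" * 32),
    ("host/mail.example.com@EXAMPLE.COM", 7, ENCTYPE_AES256_CTS_HMAC_SHA1_96, b"\x22" * 32),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e["principal"], "kvno", e["kvno"], "enctype", e["enctype"])
    print("should not be in a cyrus keytab:", foreign_principals(SAMPLE_KEYTAB, {"imap"}))
```

`klist -k` on the real file gives the same principal list; doing it in code turns it into a check that the startup script can run before it exports `KRB5_KTNAME` and that fails if a `host/` key has slipped into the cyrus keytab. The file itself should be owned by the cyrus user and not be group or world readable.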

Re: Is it possible to clean the trash folder automatic?

2004-10-13 Thread Ben Poliakoff
* Sebastian Hagedorn <[EMAIL PROTECTED]> [041013 08:59]:
> >>>   purgetrash cmd="ipurge -d 7 -f user/%/Trash" at=0200
> >>
> >>Does this also remove old messages from anything below user/%/Trash, like
> >>user/%/Trash/SPAM and user/%/Trash/Virus?
> >
> >The above "purgetrash" event is not recursive.  It should only operate
> >on user/*/Trash (INBOX/Trash, from the user's point of view).
> >Mailboxes fitting the pattern, "user/%/Trash/SPAM" would be untouched.
> 
> unfortunately that's not true. "ipurge" apparently always works 
> recursively. I just tried it on a backup of our server (this is under 
> 2.2.8):

Ouch! I stand corrected.  Thanks for clarifying this issue.

Ben



Re: Is it possible to clean the trash folder automatic?

2004-10-11 Thread Ben Poliakoff
Don't know if others have replied to you directly already...

* Adi Linden <[EMAIL PROTECTED]> [041010 08:46]:
> This almost answers the same question I had.
> 
> On Sun, 10 Oct 2004, Bob Tito wrote:
> >   purgetrash cmd="ipurge -d 7 -f user/%/Trash" at=0200
> 
> Does this also remove old messages from anything below user/%/Trash, like
> user/%/Trash/SPAM and user/%/Trash/Virus?

The above "purgetrash" event is not recursive.  It should only operate
on user/*/Trash (INBOX/Trash, from the user's point of view).
Mailboxes fitting the pattern, "user/%/Trash/SPAM" would be untouched.

One advantage of this method is that it will work on any mailbox that
matches the "user/%/Trash".

One disadvantage is that it will operate on "user/%/Trash" without the
possibility of any exceptions.

> On Sun, 10 Oct 2004, Jukka Salmi wrote:
> > In cyradm, try 'mboxcfg user.%.Trash expire 20'.
> 
> Once this has been configured, which part of the configuration takes care
> of the actual deleting of messages?

cyr_expire does the work of purging messages that have expired (see the
man page for cyr_expire for more details).  It is usually configured as
an event in cyrus.conf.

I think this is probably the more graceful solution (using mboxcfg to
set expiration flags in the box's metadata).   You can use the mboxcfg
command within cyradm to recursively set the expire annotation on a
large range of mailboxes.

One disadvantage of this method is that the expire annotation will not
be automatically applied to new accounts' Trash folders.  You might need
to integrate the expire annotation into your account creation routines.

One advantage of using the expire annotation is that users can
potentially specify how long they want mail in the specified mailbox to
hang around before it expires (or if they want mail in the specified
folder to expire at all!).  For end users a web based interface to make
these tweaks would probably be preferable.

These are, of course, only my opinions.

Ben
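
The distinction between `%` and `*` that the `purgetrash` event above relies on, and the recursion that the 2004-10-13 follow-up reports ipurge actually performs, as an added Python example that is not part of either post: it implements the RFC 3501 LIST wildcard rules over a constructed mailbox list and shows which extra mailboxes a recursive purge would reach beyond what the pattern selects. The mailbox names and the `/` separator are constructed.

```python
"""Added example: IMAP LIST wildcard semantics ('%' vs '*') versus a
recursive purge, over a constructed mailbox list."""
import re

SEP = "/"   # hierarchy separator, constructed to match the thread's user/%/Trash names


def pattern_to_regex(pattern: str, sep: str = SEP) -> "re.Pattern":
    """Translate an IMAP LIST pattern (RFC 3501 section 6.3.8) to a regex:
    '%' matches any characters except the hierarchy separator, '*' matches
    anything, separators included; everything else is literal."""
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append("[^" + re.escape(sep) + "]*")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def select_mailboxes(pattern, mailboxes, recursive=False, sep=SEP):
    """Mailboxes that a command given `pattern` would act on.

    recursive=False is what the pattern alone selects (the intent behind
    user/%/Trash); recursive=True additionally pulls in every descendant of
    a matched mailbox, which is the ipurge behaviour reported in the thread."""
    rx = pattern_to_regex(pattern, sep)
    matched = [m for m in mailboxes if rx.match(m)]
    if not recursive:
        return matched
    hit = set(matched)
    for m in matched:
        hit.update(b for b in mailboxes if b.startswith(m + sep))
    return sorted(hit)


def recursion_extras(pattern, mailboxes, sep=SEP):
    """Mailboxes a recursive purge touches that the pattern alone would not."""
    plain = set(select_mailboxes(pattern, mailboxes, sep=sep))
    return [m for m in select_mailboxes(pattern, mailboxes, True, sep) if m not in plain]


# Constructed sample mailbox list, not taken from any real server.
MAILBOXES = [
    "user/alice", "user/alice/Sent", "user/alice/Trash",
    "user/alice/Trash/SPAM", "user/alice/Trash/Virus",
    "user/bob", "user/bob/Trash", "user/bob/Archive/Trash",
    "shared/announce", "shared/announce/Trash",
]

if __name__ == "__main__":
    for pat in ("user/%/Trash", "user/*/Trash"):
        print(pat, "->", select_mailboxes(pat, MAILBOXES))
        print("  extra under recursion:", recursion_extras(pat, MAILBOXES))
```

Before enabling a purge event on a live server, the same comparison can be made against the mailbox list from cyradm's `lm`, so that anything a recursive ipurge would reach under a user's Trash is known in advance rather than discovered after the fact.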



Re: System-wide sieve filter

2004-08-03 Thread Ben Poliakoff
* Nikos Voutsinas <[EMAIL PROTECTED]> [040619 06:34]:
> 
> Also I suppose that a lot of people would like an extended autocreate
> Inbox patch with an "autocreatesievescript" option.
> 

Coming in a little late here.  Has anyone tried to extend the autocreate
patch with this "autocreatesievescript" functionality?  We could
certainly use it here...

Ben



Re: having trouble feeding Cyrus NNTP with fetchnews

2004-06-25 Thread Ben Poliakoff
* Ken Murchison <[EMAIL PROTECTED]> [040625 11:49]:
> Ben Poliakoff wrote:
> 
> >Hello All,
> >
> >I've recently upgraded from the 2.1.x branch to the 2.2.x branch of
> >cyrus-imapd (2.2.6 as of yesterday).  The upgrade was seamless.
> >
> >One of the 2.2.x features I've been looking forward to has been the new
> >NNTP support.
> >
> >I've created all the target mailboxes several times, both by hand and
> >also with the help of the "mknewsgroups" script.  All of the boxes have
> >(at minimum) the "anyone p" ACL set.
> >
> >So far I'm having spotty luck feeding news from a remote INN server
> >into our cyrus imap server with the "fetchnews" command.  It's actually
> >worked only once.
> 
> How are you determining that its failing?  I've been using it since the 
> first day that I wrote it, and it works fine.  You might have something 
> configured incorrectly.  If you get a protocol dump of fetchnews talking 
> to Cyrus, we might be able to see what is happening.
> 

I don't think I was trying to say that it was failing, it's just that I
thought I was setting the stage for the 24 articles to be received.  I
knew I was missing something but I was having trouble figuring out what
it was.  

I never doubted that "fetchnews" worked.  I'm really *very* grateful
that you added it to the cyrus imap project (among your many
contributions to the project!).

> >
> >Now when I run the following fetchnews command (starting over, having
> >cleared out the fetchnews.db file, and having freshly recreated all of
> >the target mailboxes to be fed):
> >
> >/usr/cyrus/bin/fetchnews -n -s my.server.name -w "news.bulletins*" \
> >remote.news.server
> >
> >I get the following message in my logs:
> >
> >Jun 25 10:19:15 my.server.name fetchnews[20623]: \
> >fetchnews: remote.news.server offered 24; my.server.name rejected 24, \
> >accepted 0, failed 0
> >
> >I'd love to get those 24 articles.  I can't figure out why the cyrus
> >server is rejecting them.  Are there lingering message/article numbers
> >floating around in the duplicate.db?
> 
> Most likely.  If you simply removed the mailboxes and articles, the 
> message-id records are still in deliver.db.
> 
> Do you have admin access on the INN server?  If you do, then why don't 
> you just set it up to feed articles to Cyrus (unless you want to 'pull' 
> rather than 'push' for security reasons).
> 

That was it, it was the lingering entries in the deliver.db that seem
to have been keeping subsequent copies of all of the active articles
from being delivered.  I won't normally be removing a whole swath of
mailboxes and then recreating them.

Flushing the deliver.db allowed the articles to be copied from the other
news server again.

So deliver.db isn't updated when mailboxes that contain messages are
deleted?

I hadn't realized that, but it's seems like important information.

Thanks for the help!

Ben



having trouble feeding Cyrus NNTP with fetchnews

2004-06-25 Thread Ben Poliakoff
Hello All,

I've recently upgraded from the 2.1.x branch to the 2.2.x branch of
cyrus-imapd (2.2.6 as of yesterday).  The upgrade was seamless.

One of the 2.2.x features I've been looking forward to has been the new
NNTP support.

I've created all the target mailboxes several times, both by hand and
also with the help of the "mknewsgroups" script.  All of the boxes have
(at minimum) the "anyone p" ACL set.

So far I'm having spotty luck feeding news from a remote INN server
into our cyrus imap server with the "fetchnews" command.  It's actually
worked only once.

Now when I run the following fetchnews command (starting over, having
cleared out the fetchnews.db file, and having freshly recreated all of
the target mailboxes to be fed):

/usr/cyrus/bin/fetchnews -n -s my.server.name -w "news.bulletins*" \
remote.news.server

I get the following message in my logs:

Jun 25 10:19:15 my.server.name fetchnews[20623]: \
fetchnews: remote.news.server offered 24; my.server.name rejected 24, \
accepted 0, failed 0

I'd love to get those 24 articles.  I can't figure out why the cyrus
server is rejecting them.  Are there lingering message/article numbers
floating around in the duplicate.db?  What's the best way to debug
fetchnews issues?

Any suggestions would be gratefully accepted!

Ben



Re: admins: kerberos instance

2004-01-15 Thread Ben Poliakoff
I got bitten by this a long time ago.

If you built cyrus with --with-auth=unix then you'll find that "/"
characters in usernames are not allowed because such characters are not
allowed in a mailbox name.

The following is by **no means** an officially sanctioned fix (but it's
been working well for us for almost a year).

If you're careful (and are only using your kerberos */admin instances
for cyrus administrative operations, not creating mailboxes for them),
then you can remove the "/" from the forbidden character list.

This list of allowed and disallowed characters is specified in
the cyrus source distribution lib/auth_unix.c starting around line 97.
Hint, "/" is "4F" in hex, so check for the value of 4F in the table of
characters listed in auth_unix.c.  The value in your case should
probably be set to "1" (allowed as long as there are some alphanumeric
characters in it as well).

Ben

* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [040115 04:05]:
> I am trying to make one instance of a kerberos principal the cyrus 
> administrator. I've set the "admins:" field to "username/admin". When I 
> try running "cyradm -u username/admin servername", cyradm complains:
> 
> cyradm: cannot authenticate to server as user username/admin
> 
> Syslog contains the following entry:
> 
> badlogin: wum.lat[192.168.179.73] GSSAPI [SASL(-13): authentication 
> failure: bad userid authenticated]
> 
> What's the problem?
> 
> Thanks,
> 
> Jack
> 

-- 
___
Ben Poliakoff              email: [EMAIL PROTECTED]
Reed College               tel:  503-788-6674
Unix System Administrator  PGP key: 0x6AF52019
PGP fingerprint: A131 F813 7A0F C5B7 E74D  C972 9118 A94D 6AF5 2019

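
Added example (not Cyrus code, and not part of Ben's message): a Python model of the table-driven userid check described above for lib/auth_unix.c, together with the narrower check a site would want before admitting "/" at all. The three table classes, the punctuation admitted by default, the 127-character limit and the function names are assumptions of this example. For anyone editing the real table, ASCII "/" is 0x2F (decimal 47); check the index against the comments in your own copy of the source before changing a value.

```python
# Added example: a model of a table-driven userid canonifier in the style of
# lib/auth_unix.c.  Not the Cyrus implementation; table contents are assumed.

MAXLEN = 127  # assumption for this example

# Table classes (assumed for this example):
#   0 -> character rejected outright
#   1 -> allowed, but the id must also contain at least one class-2 character
#   2 -> ASCII alphanumeric, allowed


def build_table(extra_class1=""):
    """Return a 256-entry class table; extra_class1 adds punctuation as class 1."""
    table = [0] * 256
    for code in range(128):
        if chr(code).isalnum():
            table[code] = 2
    for ch in "-_.@":  # assumed default punctuation
        table[ord(ch)] = 1
    for ch in extra_class1:
        table[ord(ch)] = 1
    return table


DEFAULT_TABLE = build_table()
# The "take / off the forbidden list" change from the message above:
# ASCII '/' is 0x2F (decimal 47).
ADMIN_INSTANCE_TABLE = build_table(extra_class1="/")


def canonify(userid, table=DEFAULT_TABLE):
    """Return the canonical id, or None if any character is class 0, the id is
    empty or too long, or no class-2 character is present at all."""
    if not userid or len(userid) > MAXLEN:
        return None
    saw_alnum = False
    for ch in userid:
        code = ord(ch)
        cls = table[code] if code < 256 else 0  # anything beyond Latin-1 is rejected
        if cls == 0:
            return None
        if cls == 2:
            saw_alnum = True
    return userid if saw_alnum else None


def canonify_admin_instance(userid):
    """Stricter rule for Kerberos-style primary/instance ids: exactly one '/',
    and each half must itself be a valid plain userid under DEFAULT_TABLE."""
    canonical = canonify(userid, ADMIN_INSTANCE_TABLE)
    if canonical is None or canonical.count("/") != 1:
        return None
    primary, instance = canonical.split("/")
    if canonify(primary) is None or canonify(instance) is None:
        return None
    return canonical


if __name__ == "__main__":
    for uid in ("benp", "benp/admin", "../etc", "benp/admin/x"):
        print(uid, canonify(uid), canonify(uid, ADMIN_INSTANCE_TABLE),
              canonify_admin_instance(uid))
```

The reason for the second function: once "/" is class 1, the table alone also passes an identifier such as "../etc", which is exactly why the message above warns against ever creating mailboxes for these principals. Requiring exactly one "/" with each half a valid plain userid keeps benp/admin and rejects the rest.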

Re: SSL wrapped sieve support (ala "imaps") for timsieved [LONG]

2003-06-18 Thread Ben Poliakoff
* Scott Russell <[EMAIL PROTECTED]> [030617 18:52]:
> > So we can stumble along with this solution (and the stunnels) until we
> > are able to come up with a STARTTLS patch for the PHP/Pear Net_Sieve
> > class.
> 
> Ohh, didn't know this existed. I'm still using sieve-php.lib from Dan
> Ellis with some CRAM-MD5/DIGEST-MD5 patches I wrote to avoid the whole
> plain text password issue. 
> 
> Does Net_Sieve not support CRAM-MD5/DIGEST-MD5 auth mechs? If it did
> would that be good enough to solve your problem or are you looking for
> SSL to secure the data transfer beyond the authentication?

Our auth backend is krb5, so CRAM-MD5/DIGEST-MD5 wouldn't be useful for
us, but it sounds like patch for CRAM-MD5/DIGEST-MD5 is forthcoming...


Ben

-- 
---
Ben Poliakoff              email: <[EMAIL PROTECTED]>
Reed College               tel:  (503)-788-6674
Unix System Administrator  PGP key: http://www.reed.edu/~benp/key.html
---
0x6AF52019 fingerprint = A131 F813 7A0F C5B7 E74D  C972 9118 A94D 6AF5 2019





Re: SSL wrapped sieve support (ala "imaps") for timsieved [LONG]

2003-06-17 Thread Ben Poliakoff
Looks like I forgot to reply to the list on that last message

Thanks for the reminder about the -C flag for timsieved.  Using that I
can at least limit the "allowplaintext: yes" to timsieved.

So we can stumble along with this solution (and the stunnels) until we
are able to come up with a STARTTLS patch for the PHP/Pear Net_Sieve
class.

Thanks for the feedback!  Much obliged.

Ben

* Rob Siemborski <[EMAIL PROTECTED]> [030617 12:01]:
> On Tue, 17 Jun 2003, Ben Poliakoff wrote:
> 
> > When it comes to sieve, I'd really like to be able to do the same sort
> > of thing.  Right now to support a cgi/web based sieve client (like
> > websieve, easysieve, squirrelmail's sieve plugin, or Horde's Ingo -
> > none of which support STARTTLS) I need to set "allowplaintext: yes" in
> > imapd.conf.  And then if I want to protect the traffic between my
> > cyrus-imap/timsieved server and my webmail server I need to run two
> > instances of stunnel:
> 
> This seems to me like you're solving the problem in the wrong way.  You
> should fix the clients, not force the server to support something that the
> IETF clearly thinks is a bad idea.
> 
> > It's awful, but it works and I'll do it because I don't want that
> > traffic running across our network in cleartext.  But of course now I
> > have clients that might start accidentally doing cleartext imap
> > connections, since that's now allowed (where it wasn't before).
> 
> In 2.2 cyrus you can have per-service configuration options.  In 2.1 I
> suppose you can use the -C option to imapd or sieve to cause it to read
> different imapd.confs.
> 
> If you wanted to play worse games, you could have the sieve clients
> connect to a UNIX socket provided by sivtest, but I suspect this is more
> complicated than you want, especially when the solution is "make the
> clients do STARTTLS".
> 
> > Obviously it would be really nice if we had a crop of web based sieve
> > clients that supported STARTTLS (and I'm investigating what it might
> > take to patch the PHP/Pear Net_Sieve class, used by Horde's Ingo, to
> > support STARTTLS).
> 
> This is definitely what you want to patch, not the server.  The server is
> already providing the needed functionality.
> 
> -Rob
> 
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
> Research Systems Programmer * /usr/contributed Gatekeeper




Re: SSL wrapped sieve support (ala "imaps") for timsieved [LONG]

2003-06-17 Thread Ben Poliakoff
* Rob Siemborski <[EMAIL PROTECTED]> [030617 10:49]:
> On Tue, 17 Jun 2003, Ben Poliakoff wrote:
> 
> > Given that in many environments end user interactions with sieve scripts
> > are mediated by web based interfaces (that don't easily lend themselves
> > to authentication methods like SASL/GSSAPI), how much work might it be
> > to implement a separate SSL wrapped "sieves" port for timsieved?
> 
> timsieved supports STARTTLS.  Why do you need a separate port?

I need PLAIN authentication on my server (because I need to support many
clients, not all of which support SASL/GSSAPI or STARTTLS), but only if
it is done within an SSL tunnel or within a STARTTLS session.  I don't
want to allow plaintext authentication if the network traffic is clear
text.

Cyrus imapd can run on port 143 (imap) and/or 993 (imaps).  In either
case with "allowplaintext: no" in imapd.conf, PLAIN authentication
is available if the connection is "imaps" or if the client is using
STARTTLS (plaintext+TLS).  This kind of flexibility is great.  With it I
can support a larger number of clients, all authenticating "securely".

When it comes to sieve, I'd really like to be able to do the same sort
of thing.  Right now to support a cgi/web based sieve client (like
websieve, easysieve, squirrelmail's sieve plugin, or Horde's Ingo -
none of which support STARTTLS) I need to set "allowplaintext: yes" in
imapd.conf.  And then if I want to protect the traffic between my
cyrus-imap/timsieved server and my webmail server I need to run two
instances of stunnel:

- on the server that runs timsieved I use stunnel to wrap port 2000 and
  make it available on another local port (say 2001)

- on the webmail server I need to run stunnel once more to decrypt
  traffic from port 2001 on the imap/timsieved server and make it
  available on the local server on another port

It's awful, but it works and I'll do it because I don't want that
traffic running across our network in cleartext.  But of course now I
have clients that might start accidentally doing cleartext imap
connections, since that's now allowed (where it wasn't before).

If timsieved supported an SSL wrapped port ("sieves" for lack of a
better identifier) I could cut out one of those stunnel instances and I
wouldn't have to set allowplaintext to yes in imapd.conf.

Obviously it would be really nice if we had a crop of web based sieve
clients that supported STARTTLS (and I'm investigating what it might
take to patch the PHP/Pear Net_Sieve class, used by Horde's Ingo, to
support STARTTLS). 

But in the meanwhile it would be great if we could enable web based
sieve clients without turning on cleartext authentication for entire
cyrus-imap installation.

I think that summarizes my points.  Sorry for the length of that post,
but I wanted to make myself as clear and unambiguous as possible.

Ben




SSL wrapped sieve support (ala "imaps") for timsieved

2003-06-17 Thread Ben Poliakoff
Hi all,

Given that in many environments end user interactions with sieve scripts
are mediated by web based interfaces (that don't easily lend themselves
to authentication methods like SASL/GSSAPI), how much work might it be
to implement a separate SSL wrapped "sieves" port for timsieved?

Of course this sort of thing can by done with stunnel, but that requires
the server admin to set "allowplaintext: yes".  I'd dearly love to have
the same logic that applies to imapd apply to timsieved. 

In other words with "allowplaintext: no" have AUTH=PLAIN be available
*if* the context of the connection to timsieved is STARTTLS *or*
"sieve/ssl".  Given the number of people running webmail systems in
conjunction with cyrus-imap it seems like it might be a welcome feature.

In a nutshell, I really love the "allowplaintext: no" setting and I'd
really like to keep from having to allow plain text authentication.

I know the IANA isn't thrilled about the proliferation of multi-ported
services, but the "sieves" port wouldn't have to be set in stone since
it would probably be most used by admins setting up webmail sieve
environments (just pick an available high port).

Has anyone already done this in a patch?  Would anyone else like to see
this feature be available in cyrus-imapd/timsieved?  Do the developers
cringe at the thought of this feature?

Ben


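
Added example, not timsieved code and not part of the thread: a Python model of the rule Ben asks for above ("allowplaintext: no", yet PLAIN usable on an SSL-wrapped port or after STARTTLS), walked through for the client situations the thread discusses: a web client that does neither STARTTLS nor GSSAPI, a client that can STARTTLS, and a GSSAPI client. The greeting strings follow the ManageSieve convention of one quoted capability per line ending in an OK line, but are constructed for this example; the function names and the client policy are assumptions.

```python
# Added example: a model of the "PLAIN only on a protected link" rule for a
# sieve service.  Not timsieved code; greeting strings are constructed.
import re

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # mechanisms that send a reusable secret
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_capabilities(text):
    """Parse a ManageSieve-style greeting: a quoted capability name per line,
    optionally followed by a quoted value, terminated by an OK line."""
    caps = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("OK"):
            break
        fields = _QUOTED.findall(line)
        if fields:
            caps[fields[0].upper()] = fields[1] if len(fields) > 1 else ""
    return caps


def server_greeting(allowplaintext, protected, mechs=("GSSAPI", "PLAIN")):
    """What a server applying the imapd-style rule advertises: plaintext
    mechanisms are withheld until the link is protected (SSL-wrapped port or
    STARTTLS already done) unless allowplaintext is on.  STARTTLS is offered
    only while the link is still in the clear."""
    offered = [m for m in mechs
               if protected or allowplaintext or m not in PLAINTEXT_MECHS]
    lines = ['"IMPLEMENTATION" "example sieve server"',
             '"SASL" "%s"' % " ".join(offered)]
    if not protected:
        lines.append('"STARTTLS"')
    lines.append('OK "ready"')
    return "\n".join(lines) + "\n"


def client_pick(caps, have_gssapi, can_starttls, send_plain_in_clear, protected):
    """Client policy, in order of preference: GSSAPI; PLAIN on a protected
    link; upgrade with STARTTLS; PLAIN in the clear only if the client is the
    careless kind; otherwise give up."""
    mechs = caps.get("SASL", "").split()
    if "GSSAPI" in mechs and have_gssapi:
        return "GSSAPI"
    if "PLAIN" in mechs and protected:
        return "PLAIN"
    if "STARTTLS" in caps and can_starttls:
        return "STARTTLS"
    if "PLAIN" in mechs and send_plain_in_clear:
        return "PLAIN"
    return None


def negotiate(allowplaintext, ssl_wrapped, have_gssapi, can_starttls,
              send_plain_in_clear=False):
    """Run one connection: greeting, optional STARTTLS plus a second greeting,
    then the mechanism choice.  Returns (mechanism or None, exposed), where
    exposed is True when a plaintext secret would cross the network in clear."""
    protected = ssl_wrapped
    caps = parse_capabilities(server_greeting(allowplaintext, protected))
    choice = client_pick(caps, have_gssapi, can_starttls, send_plain_in_clear, protected)
    if choice == "STARTTLS":
        protected = True  # TLS handshake assumed to succeed in this model
        caps = parse_capabilities(server_greeting(allowplaintext, protected))
        choice = client_pick(caps, have_gssapi, can_starttls, send_plain_in_clear, protected)
    return choice, (choice in PLAINTEXT_MECHS and not protected)


if __name__ == "__main__":
    # The situations from the thread (constructed cases).
    cases = {
        "web client, allowplaintext no, clear port":  (False, False, False, False, True),
        "web client, allowplaintext yes, clear port": (True, False, False, False, True),
        "web client, allowplaintext no, SSL-wrapped": (False, True, False, False, True),
        "STARTTLS client, allowplaintext no":         (False, False, False, True, False),
        "GSSAPI client, allowplaintext no":           (False, False, True, False, False),
    }
    for name, args in cases.items():
        print("%-45s -> %s" % (name, negotiate(*args)))
```

Run stand-alone, the model reproduces the trade-off in the thread: with allowplaintext off and a clear port, the web client cannot authenticate at all; turning allowplaintext on lets it in but sends the password in the clear; an SSL-wrapped port (or an stunnel in front of one) admits PLAIN with nothing exposed and without touching allowplaintext, which is the behaviour imapd already has on 993; and a client that does STARTTLS reaches PLAIN safely on the clear port.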


Re: Problem with cyradm and krb5 */admin principals

2003-03-28 Thread Ben Poliakoff
Thanks Paul!  I'm looking forward to trying this out very soon!

Ben

* Paul M Fleming <[EMAIL PROTECTED]> [030328 07:28]:
> I've attached the code. Put this in the lib directory as auth_regexp.c
> When you configure you must do --with-auth=regexp This code requires
> POSIX regex functions, you may have to include additional libraries
> depending on the OS. On RedHat the regex functions are part of libc.
> Someday I'll get a web page up with this code and some more
> explanation.
> 
> Once compiled with this module you can use any regular expression to
> match identifiers.. 
> 
> For example from my configs:
> 
> admins: regexp:.+/admin
> proxyservers: regexp:murder/.+\.siumed\.edu
> lmtp_admins: regexp:murder/.+\.siumed\.edu
> 



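
Added example, not Paul's auth_regexp.c and not from the message: a Python model of how an option list mixing literal userids and "regexp:" entries (the convention in the config quoted above) can be matched, and why such a pattern should be anchored to the whole identifier. The parsing, the fullmatch anchoring and the host names are assumptions of this example; check how your own module anchors before relying on a pattern like .+/admin.

```python
# Added example: membership check for imapd.conf-style option lists that
# accept a "regexp:" prefix.  Not auth_regexp.c; parsing and anchoring are
# assumptions of this example.
import re

# Constructed fragment in the shape of the one quoted above.
IMAPD_CONF = r"""
# comments are ignored
admins: cyrus regexp:.+/admin
proxyservers: regexp:murder/.+\.siumed\.edu
lmtp_admins: regexp:murder/.+\.siumed\.edu
"""


def parse_conf(text):
    """imapd.conf is 'option: value' per line; the values used here are
    space-separated lists of identifiers."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            options[name.strip()] = value.split()
    return options


def compile_entries(entries):
    """A literal entry matches only itself; a regexp: entry is a pattern."""
    compiled = []
    for entry in entries:
        if entry.startswith("regexp:"):
            compiled.append(re.compile(entry[len("regexp:"):]))
        else:
            compiled.append(re.compile(re.escape(entry)))
    return compiled


def is_member(userid, patterns, anchored=True):
    """anchored=True requires a pattern to cover the whole id (fullmatch);
    anchored=False is the looser substring search, shown for contrast."""
    if anchored:
        return any(p.fullmatch(userid) for p in patterns)
    return any(p.search(userid) for p in patterns)


def authorized(userid, option, conf_text=IMAPD_CONF, anchored=True):
    """Is the (already canonified) userid listed under the given option?"""
    entries = parse_conf(conf_text).get(option, [])
    return is_member(userid, compile_entries(entries), anchored)


if __name__ == "__main__":
    for uid in ("cyrus", "benp/admin", "benp", "mallory/admin.evil"):
        print(uid, authorized(uid, "admins"), authorized(uid, "admins", anchored=False))
```

With a substring search instead of a whole-string match, .+/admin also admits mallory/admin.evil, and murder/.+\.siumed\.edu admits a proxy whose name merely contains siumed.edu somewhere in the middle; a whole-string match rejects both while still accepting benp/admin and murder/imap1.siumed.edu.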


Re: Problem with cyradm and krb5 */admin principals

2003-03-26 Thread Ben Poliakoff
That certainly would explain this behavior.  

How involved is your regex auth module?  And would you feel comfortable
sharing it?

Ben

* Paul M Fleming <[EMAIL PROTECTED]> [030326 13:10]:
> The / is considered an illegal character under auth_unix. I wrote a 
> regular expression based auth module which will work with Kerb V. That 
> is how we solved the problem..
> 
> 
> 
> Rudolph T Maceyko wrote:
> >--On Wednesday, March 26, 2003 11:47:34 -0800 Ben Poliakoff 
> ><[EMAIL PROTECTED]> wrote:
> >
> >>Anyone out there using */admin principals with cyradm?
> >
> >
> >I tried and gave up, so I'd like to discover the way to do this too... 
> >It worked under 2.0.x releases of Cyrus IMAPd.
> >
> >Rudy
> >
> >




Problem with cyradm and krb5 */admin principals

2003-03-26 Thread Ben Poliakoff
We make use of SASL/GSSAPI authentication with our cyrus installation.

The man page for imapd.conf says that the "admins:" field may contain a
kerberos admin principal, enabling that admin principal to, well,
administer the cyrus installation.

I can't get that to work with cyradm.  I've tried repeatedly over the
last two years.  

If I add "benp/admin" to the "admins:" line in imapd.conf and then try
to connect to the imap server (while having a tgt for benp/admin),
cyradm fails with this error:

cyradm: cannot authenticate to server with  as benp

And imapd logs this:

Mar 26 11:36:02 x imapd[14556]: bad userid authenticated
Mar 26 11:36:02 x imapd[14556]: badlogin: x.reed.edu[xxx.xxx.xxx.xxx] 
GSSAPI [SASL(-13): authentication failure: bad userid authenticated]

My lame solution has been to use a dedicated "regular" (no / in the
name) principal.  But if possible it sure would be great to be able to
reuse our */admin principals.

I'm currently using cyrus-imapd-2.1.12.

I've wondered if this is a problem with / characters and have tried a
lot of \ escaping and single tick quoting, to no avail.

What am I missing?

Anyone out there using */admin principals with cyradm?

Ben




Re: delivering to bb folders

2003-03-25 Thread Ben Poliakoff
* Lawrence Greenfield <[EMAIL PROTECTED]> [030325 12:14]:
>Date: Tue, 25 Mar 2003 11:24:52 -0800
>    From: Ben Poliakoff <[EMAIL PROTECTED]>
> [...]
>I know it's vaguely off topic, but it's certainly related to cyrus-imap;
>can anyone point to some sendmail config tips that make it pass this
>info to LMTP?
> 
>Is this passing of "authid" supposed to happen by default with SMTP auth
>enabled?
> 
> You might have to add -D_FFR_AUTH_PASSING=1 to your site.config.m4,
> like so:
> 
> APPENDDEF(`confENVDEF', `-DSASL=2 -DNEWDB -DLDAPMAP -DSTARTTLS -DMAP_REGEX -DMILTER 
> -D_FFR_AUTH_PASSING=1')
> 
> Larry

Wow, thanks!  This works like a charm. Don't think I would have found
that! :) But I guess that's because it's one of those FFR (for future
release) features.

Thanks again!

Ben




Re: delivering to bb folders

2003-03-25 Thread Ben Poliakoff
* Rob Siemborski <[EMAIL PROTECTED]> [030324 06:50]:
> On Mon, 24 Mar 2003 [EMAIL PROTECTED] wrote:
> 
> > for eg. with cyradm,
> > localhost> sam folder1 anyone lrs
> > localhost> sam folder1 user1 lrswip
> >
> > where folder1 is a mailbox used as a bulletin board and user1
> > is a special user with post permission to the folder.
> >
> > Mail sent by user1 to folder1 bounces with a "permission denied"
> > error.
> >
> > Is there any way to achieve this?
> 
> You need to be sure that your users are using SMTP auth and your MTA is
> passing this authorization information on to LMTP.

I'm doing SMTP auth with Sendmail 8.12.8, but apparently Sendmail in my
configuration is not "passing this authorization information on to
LMTP".  My sendmail configuration is based on the cyrusv2.mc that comes
with cyrus-imap.  

I know it's vaguely off topic, but it's certainly related to cyrus-imap;
can anyone point to some sendmail config tips that make it pass this
info to LMTP?

Is this passing of "authid" supposed to happen by default with SMTP auth
enabled?

Ben




Re: multiple problems with imsp

2003-02-19 Thread Ben Poliakoff
Hi,

> | a OK User `benp' Logged in
> | A2 CREATEADDRESSBOOK .benp.foo
> | A2 NO User 'benp' not permitted to create address book '.benp.foo'
> | * BYE IMSP server exiting (probably out of memory)
> |
> | Is this a namespace thing?
> 
> Why is it trying to create using '.' as the first part of the address book 
> name? Exactly what are you typing into Mulberry's create address book 
> dialog?

I really don't know.  I'm just typing in "benp.foo" in mulberry's
"Create Address Book" window (with type set to "Personal Address Book").

I'm most definitely not sticking the . at the beginning...

Ben





Re: multiple problems with imsp

2003-02-19 Thread Ben Poliakoff
I've tried this before (on your advice in the archives of this list)...

When I try that (benp.foo) I get an error like this in the telemetry
logs:

a OK User `benp' Logged in
A2 CREATEADDRESSBOOK .benp.foo
A2 NO User 'benp' not permitted to create address book '.benp.foo'
* BYE IMSP server exiting (probably out of memory)

Is this a namespace thing?

Ben


* Cyrus Daboo <[EMAIL PROTECTED]> [030219 16:00]:
> Hi Ben,
> 
> --On Wednesday, February 19, 2003 3:15 PM -0800 Ben Poliakoff 
> <[EMAIL PROTECTED]> wrote:
> 
> | a OK User `benp' Logged in
> | A2 CREATEADDRESSBOOK .foo
> | A2 NO User 'benp' not permitted to create address book '.foo'
> 
> This isn't going to work even if the server itself is working. By default 
> users are only allowed to create personal address books, and under the IMSP 
> naming scheme that means address books with the user id as a prefix. i.e. 
> you should have been able to create 'benp.foo'. Using '.' at the start of 
> the name is also going to be a problem given that that character is the 
> hierarchy separator character, and you can't start with a 'null' level of 
> hierarchy.
> 
> -- 
> Cyrus Daboo





multiple problems with imsp

2003-02-19 Thread Ben Poliakoff
Hi All,

I've been attempting to set up imsp using the code from current cyrus
cvs (uses sasl 2).  It compiles and seems to run just fine on a RedHat
7.3 host, but I run into trouble when I make an imsp connection (either
with mulberry or imtest).

There seem to be two problems:

1) ACL
2) imsp instability

My preferred auth method is GSSAPI.  I'm able to log in without a hitch,
but I can't seem to do anything once I'm logged in without imspd
bailing.

When connecting via imtest my session looks like this:

---
[benp@tesuji benp]$ imtest -p 406 servername
S: * OK Cyrus IMSP version 1.6a3 ready
C: C01 CAPABILITY
S: * CAPABILITY AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 LITERAL+
S: C01 OK capability completed
C: A01 AUTHENTICATE GSSAPI
...snip.
S: A01 OK User `benp' Logged in
Authenticated.
Security strength factor: 56

failure: Internal error: assertion failed: prot.c: 632: s->cnt > 0
[benp@tesuji benp]$
---

When I connect via gssapi with Mulberry I see the following in the
telemetry logs:

---
a OK User `benp' Logged in
A2 CREATEADDRESSBOOK .foo
A2 NO User 'benp' not permitted to create address book '.foo'
* BYE IMSP server exiting (probably out of memory)
---

I'm unable to create any acls to give me privileges to create
addressbooks since I can't keep an imsp connection open.  

Is the "probably out of memory" bogus?  "ulimit -d" reports "unlimited".

Ben





Anyone using Linux LVM with cyrus?

2003-02-04 Thread Ben Poliakoff
Hi all,

We're preparing to roll out a new cyrus mail system which will handle
the bulk of our 1700 users' email.  The server platform will be redhat
linux 7.3 or 8.0.  

We'd like to use the Linux LVM (at the very least for the mail store
itself) so that we can back up the system off of read only snapshots
(courtesy of LVM).

Has anyone out there used LVM with cyrus imap in an environment as
large or larger than 1700 users?  If so we'd love to hear about any
lessons learned (i.e. "Don't do it!") or gotchas...

Ben



Jaguar Mail.app (using GSSAPI) thrashes with cyrus imap 2.1.9

2002-11-21 Thread Ben Poliakoff
Since upgrading our cyrus imap server from 2.0.16 to 2.1.9 the MacOSX
Jaguar Mail.app no longer works with GSSAPI authentication.

The cyrus server logs a successful GSSAPI authentication for a user, but
Mail.app then violently spins its wheels while performing two tasks:

"Traversing mail hierarchy"
"Fetching headers"

tcpdump running on our cyrus server captures over *8000* imap packets
going back and forth to the Jaguar Mail.app.  Finally Mail.app "quits
unexpectedly".

The cyrus server is running on a RedHat 7.3 system using rebuilt
versions of Simon Matter's SRPMs.

Before the upgrade to cyrus 2.1.9 the Jaguar Mail.app was quite happy to do
GSSAPI authentication to the cyrus server.  And, in fact it still does a
fine job connecting with GSSAPI to a UW imap server.

Here's the kicker... If I change the config on Mail.app and have it
authenticate PLAIN over SSL then everything works without a hitch!

Has anyone else seen this problem?  

I don't see any mention of it on the info-cyrus archives.

Ben

P.S.  The following other imap clients are doing GSSAPI authenticated
connections on multiple platforms without any trouble at all:

mutt-1.4
mulberry-2.x
mulberry-3.x
pine-4.33
pine-4.44





imap/sasl upgrade breaks non-sasl gssapi connections

2002-10-29 Thread Ben Poliakoff
Perhaps this is a known issue.  I haven't seen any mention of it though.

I just upgraded from cyrus-imap 2.0.16 to 2.1.9.  The 2.0.16
installation was all built from source, the new installation uses Simon
Matter's RPMS (rebuilt on my machine).  The problem I'm seeing is that 
mail clients that aren't linked with the sasl libraries are no longer
able to successfully "authenticate GSSAPI".

Some of the clients I see this behavior with are:

mutt 1.2.5 
MacOS 10.2 Mail.app

Both were able to do GSSAPI authentication before the upgrade.  But now
both of the above can only authenticate via TLS+plain.

mutt-1.4 built with sasl can still do GSSAPI authentication without a
hitch.

Anyone have an idea about how I might figure out what's going on?

Ben





cyradm administration via krb5 admin instance

2001-06-07 Thread Ben Poliakoff

Hi all,

Is it possible to use a krb5 style admin instance with cyradm?  It's
not working for me.

I've been testing a cyrus imapd installation using SASL GSSAPI
authentication.  Aside from the problem with the above, everything is
working quite nicely, it's really great software!

I'm guessing the problem is with the '/' character, i.e. 'benp/admin'.
It doesn't seem to be shell related, since I've tried a dozen different
quoting and escaping methods ('benp/admin', "benp/admin", benp\/admin,
etc...).

The man page for imapd.conf states:

admins: 

The list of userids with administrative rights. Separate each userid
with a space. Sites using Kerberos authentication may use separate
"admin" instances.

Currently the 'admins' line of my imapd.conf file looks like:

admins: benpadmin 'benp/admin'

I've resorted to creating an additional "benpadmin" principal... (with
which I'm able to GSSAPI authenticate using cyradm).

The error logged by imapd when I attempt to use cyradm with benp/admin
is:

Jun  7 15:31:45 imogen imapd[4477]: badlogin: .reed.edu[...] 
GSSAPI authentication failure [bad userid authenticated]

cyradm fails with this error:

/usr/local/bin/cyradm --user 'benp/admin' --auth GSSAPI .reed.edu
cyradm: cannot authenticate to server with GSSAPI as benp/admin

[ BTW I don't have any problems getting a kerberos *ticket* for the
benp/admin instance ]

The server is an x86 Red Hat Linux 7.1 system and we're running
cyrus-imapd-2.0.12 and cyrus-sasl-1.5.24 both built from source.

I'm somewhat new to being a krb5 administrator (so the problem may not
be related to cyrus), but I haven't had any other problems with this
'benp/admin' instance.

Any thoughts?

Ben
