Re:

2010-01-30 Thread Dan White
On 29/01/10 10:26 -0500, Adam Tauno Williams wrote:
Does sq {root} none not work?

sardine.mormail.com lq user.adam
  /
sardine.mormail.com sq user.adam 38400
quota:38400
sardine.mormail.com lq user.adam
 STORAGE 91336/38400 (237.85416667%)
sardine.mormail.com sq user.adam none
remove quota
sardine.mormail.com lq user.adam
  /
sardine.mormail.com

You still can't remove a quota root this way, as far as I can tell:

lp.net lqr user/dwhite

zek.olp.net lqr user/dwhite/Trash

zek.olp.net sq user/dwhite 1000
quota:1000
zek.olp.net sq user/dwhite/Trash 500
quota:500
zek.olp.net lqr user/dwhite
user/dwhite STORAGE 0/1000 (0%)
zek.olp.net lqr user/dwhite/Trash
user/dwhite/Trash STORAGE 0/500 (0%)
zek.olp.net sq user/dwhite/Trash none
remove quota
zek.olp.net lqr user/dwhite/Trash
user/dwhite/Trash

At this point, the quota root for user/dwhite/Trash should be user/dwhite
(0/1000), but isn't.

To make it so, I must remove /var/lib/imap/quota/d/user.dwhite.Trash from
the filesystem and then run 'quota -f' as cyrus. After doing that, I get:

lp.net lqr user/dwhite/Trash
user/dwhite STORAGE 0/1000 (0%)

As for the original poster, this doesn't really make any difference I don't
think. Somehow he's set a quota root on 'user' and can't remove it.

-- 
Dan White

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re:

2010-01-29 Thread Dan White
On 29/01/10 11:14 +0100, Michael Glad wrote:
It seems that I've accidentally enabled IMAP quotas on one of my cyrus 
servers -- users complain that saving mails into certain folders fails 
with an 'over quota' message.

There's indeed a file in the quota directory:

bash-3.2$ cat /var/lib/imap/quota/u/user
226215
0

Yesterday evening, I shut down cyrus and removed the  
/var/lib/imap/quota/u directory and restarted cyrus, but the file has 
reappeared.

Using cyradm, I can confirm that the affected folders are indeed under 
quota:

localhost lqm user/abc/folder1/folder2/folder3/folder4
user STORAGE 220/0
localhost lqm user/abc/folder1/folder2/folder3

localhost

I am running Cyrus 2.3.16. The cyrus documentation and web resource do 
not contain much info about how to _disable_ quotas, so any input from 
the list is welcome.

This is discussed in:

http://cyrusimap.web.cmu.edu/imapd/overview.html

See sections Quota Roots and Removing Quota Roots.

-- 
Dan White



Re: Best/Easiest method using encrypted password in MySQL DB

2010-01-29 Thread Dan White
On 29/01/10 19:00 -0800, Nybbles2Byte wrote:
I don't think I can say much more than the title. Cyrus seems to be running 
well but I would like to have the password in the MySQL DB encrypted. 

Does anyone have a best way of implementing that?

My only criterion is that Postfix looks up the same table for user info, so 
whatever the implementation is, Postfix has to be able to read/decrypt the 
encrypted password as well.

There are a couple of options via saslauthd:

1) Have saslauthd use the PAM backend, and the pam_mysql module to perform
password verification.

2) Have saslauthd use the PAM backend, and use the standard pam_unix
module along with an NSS mysql library which allows you to store
password/shadow information in mysql.

There may also be a way to authenticate against hashed auxprop attributes
in the upcoming sasl 2.1.24 release, but I don't have any examples of how
that will work (see the NEWS file in the 2.1.24rc1 release for more info).

You should be aware that any of these methods will disallow the use of SASL
security layers. You will need to use SSL/TLS or another external security
mechanism to protect the transmission of passwords over the network.

-- 
Dan White



Re: Cyradm doesn't show any mailboxes

2010-01-24 Thread Dan White
On 24/01/10 16:56 +0100, Kővári János wrote:
Hello,

after my shared folder structure and all the messages in it have 
mysteriously disappeared, I noticed a few strange things:
- all user mailboxes remained intact and fully functional
- I still see everything in the GUI tool Gyrus (I don't actually use 
this, just checked the mailboxes with this now.)
- the Webmin module 'cyrus' doesn't list any mailboxes at all, just a 
bare /. (It was working before, I created a couple of things with this. I 
haven't used it for months, I am not sure when and why it went wrong)
- cyradm with user 'cyrus' lm command doesn't display any mailboxes at 
all. (was working before, and still works on another imap server)
- cyradm with another imap admin user doesn't show anything either.
- tried deleting all the mailboxes and creating them again with cyradm, 
and they were created successfully and they work in the users' client 
too, but cyradm lm still doesn't show them.
- using webmin, it reconstructs the mailboxes fine...

Are you using virtual domains? If so, see

http://cyrusimap.web.cmu.edu/imapd/install-virtdomains.html
(you have to specify a defaultdomain to have a global admin).

-- 
Dan White


Re: Cyradm doesn't show any mailboxes

2010-01-24 Thread Dan White
On 24/01/10 17:21 +0100, Kővári János wrote:
 Dan White wrote:
 On 24/01/10 16:56 +0100, Kővári János wrote:
 - cyradm with user 'cyrus' lm command doesn't display any mailboxes 
 at all. (was working before, and still works on another imap server)
 - cyradm with another imap admin user doesn't show anything either.
 - tried deleting all the mailboxes and creating them again with  
 cyradm, and they were created successfully and they work in the  
 users' client too, but cyradm lm still doesn't show them.
 - using webmin, it reconstructs the mailboxes fine...

Is imapd crashing when you run lm? Do you see anything that stands out in
your syslog?

-- 
Dan White


Re: Multiple SSL Certs with virtual domains?

2010-01-21 Thread Dan White
On 21/01/10 03:35 -0600, Scott Lambert wrote:
I am about to bring up the second of several virtual domains on my
Cyrus-IMAPd 2.3.15 installation.  I've been Googling but can't seem
to come up with a useful search string for finding posts talking
about using multiple secure certificates for POP/IMAP connections to
mail.domain1.com and mail.domainN.com.  We are rolling up multiple small
mail servers into one host.

The only thing I've been able to figure is that I will need to at least
have multiple imapd-domainX.conf files and have multiple pop3(s)/imap(s)
lines in cyrus.conf for each domain so that the secure certs can match
the hostname configured in the user's existing mail program.  

Is there a more elegant method than something like the below plan?

SERVICES {
  # add or remove based on preferences
  imap   cmd=imapd -C imapd-domain1.conf listen=mail.domain1.com:imap
  imaps  cmd=imapd -s -C imapd-domain1.conf listen=mail.domain1.com:imaps
  pop3   cmd=pop3d -C imapd-domain1.conf listen=mail.domain1.com:pop3
  pop3s  cmd=pop3d -s -C imapd-domain1.conf listen=mail.domain1.com:pop3s
  imap   cmd=imapd -C imapd-domain2.conf listen=mail.domain2.com:imap
  imaps  cmd=imapd -s -C imapd-domain2.conf listen=mail.domain2.com:imaps
  pop3   cmd=pop3d -C imapd-domain2.conf listen=mail.domain2.com:pop3
  pop3s  cmd=pop3d -s -C imapd-domain2.conf listen=mail.domain2.com:pop3s
  ...
  imap   cmd=imapd -C imapd-domainN.conf listen=mail.domainN.com:imap
  imaps  cmd=imapd -s -C imapd-domainN.conf listen=mail.domainN.com:imaps
  pop3   cmd=pop3d -C imapd-domainN.conf listen=mail.domainN.com:pop3
  pop3s  cmd=pop3d -s -C imapd-domainN.conf listen=mail.domainN.com:pop3s
  sieve  cmd=timsieved listen=sieve prefork=0

  lmtpunix  cmd=lmtpd listen=/var/imap/socket/lmtp prefork=0

Scott,

You won't need to specify alternative imapd.conf configurations.

You can specify [servicename]_tls_cert_file, etc. within your primary
imapd.conf so that you have something like:

imap_tls_cert_file: /etc/ssl/certs/cyrus-imap-domain1.pem
imap_tls_key_file: /etc/ssl/private/cyrus-imap-domain1.key
imaps_tls_cert_file: /etc/ssl/certs/cyrus-imap-domain1.pem
imaps_tls_key_file: /etc/ssl/private/cyrus-imap-domain1.key
pop3_tls_cert_file: /etc/ssl/certs/cyrus-pop3-domain1.pem
pop3_tls_key_file: /etc/ssl/private/cyrus-pop3-domain1.key
pop3s_tls_cert_file: /etc/ssl/certs/cyrus-pop3-domain1.pem
pop3s_tls_key_file: /etc/ssl/private/cyrus-pop3-domain1.key

imapb_tls_cert_file: /etc/ssl/certs/cyrus-imap-domain2.pem
imapb_tls_key_file: /etc/ssl/private/cyrus-imap-domain2.key
imapsb_tls_cert_file: /etc/ssl/certs/cyrus-imap-domain2.pem
imapsb_tls_key_file: /etc/ssl/private/cyrus-imap-domain2.key
pop3b_tls_cert_file: /etc/ssl/certs/cyrus-pop3-domain2.pem
pop3b_tls_key_file: /etc/ssl/private/cyrus-pop3-domain2.key
pop3sb_tls_cert_file: /etc/ssl/certs/cyrus-pop3-domain2.pem
pop3sb_tls_key_file: /etc/ssl/private/cyrus-pop3-domain2.key

and in cyrus.conf you'd have service names like:
imap
imaps
pop3
pop3s
imapb
imapsb
pop3b
pop3sb

This is documented in:

http://cyrusimap.web.cmu.edu/imapd/install-configure.html

-- 
Dan White



Re: visibility of Mailbox-folders

2010-01-19 Thread Dan White
On 19/01/10 18:00 +0100, Dr. Harry Knitter wrote:
On Monday, 18 January 2010, Dan White wrote:
 On 18/01/10 18:49 +0100, Dr. Harry Knitter wrote:
 On Monday, 18 January 2010, Gabriele Bulfon wrote:
  Hi, you should check each of the folder's ACLs.
  You probably lost permissions for these folders.
  Gabriele.
 
 Thanks for quick reply.
 However, permissions seem not to be the cause.
 cyradm shows: info lrswipcda
 File permissions are 600 cyrus:mail
 Directory permissions are 700 cyrus:mail
 
 Check subscriptions. Did you move them over? Some clients may only show
 folders the user is subscribed to.
 


Already checked.
All types of clients tried don't show these folders.

You may have already mentioned, but which versions did you move from, and
to?

Can you provide a sanitised copy of your imapd.conf config, along with your
cyradm output?

Do you see any related errors in your syslog when clients connect?

-- 
Dan White



Re: visibility of Mailbox-folders

2010-01-19 Thread Dan White
On 19/01/10 18:25 +0100, Dr. Harry Knitter wrote:
what output of cyradm would be of interest?

Connecting as an admin (cyrus):

localhost lm
user.dwhite (\HasChildren)
user.dwhite.Secret (\HasChildren) 
user.dwhite.Secret.Super Secret (\HasNoChildren)  
user.dwhite.Sent (\HasNoChildren) 
user.dwhite.Trash (\HasNoChildren)

and as a user (dwhite):

localhost lm
INBOX (\HasChildren)
INBOX.Secret (\HasChildren) 
INBOX.Secret.Super Secret (\HasNoChildren)  
INBOX.Sent (\HasNoChildren) 
INBOX.Trash (\HasNoChildren)

I'd like to see which mailboxes you are seeing while using cyradm as an
admin, and see if the mailboxes are missing while connecting as a user, and
if they're not missing, an example of a mailbox that a client is not seeing.

-- 
Dan White



Re: visibility of Mailbox-folders

2010-01-19 Thread Dan White
On 19/01/10 21:20 +0100, Dr. Harry Knitter wrote:
On Tuesday, 19 January 2010, Simon Matter wrote:
  On Tuesday, 19 January 2010, Dan White wrote:
  On 19/01/10 18:25 +0100, Dr. Harry Knitter wrote:
  what output of cyradm would be of interest?
 
  Connecting as an admin (cyrus):
 
  localhost lm
  user.dwhite (\HasChildren)
  user.dwhite.Secret (\HasChildren)
  user.dwhite.Secret.Super Secret (\HasNoChildren)
  user.dwhite.Sent (\HasNoChildren)
  user.dwhite.Trash (\HasNoChildren)
 
  and as a user (dwhite):
 
  localhost lm
  INBOX (\HasChildren)
  INBOX.Secret (\HasChildren)
  INBOX.Secret.Super Secret (\HasNoChildren)
  INBOX.Sent (\HasNoChildren)
  INBOX.Trash (\HasNoChildren)

Harry,

Please include cyradm output while connecting as the user.

Also, please submit the following commands to imtest as the user to verify
server correctness:

c lsub  *
c select INBOX/Secret/Super Secret
c myrights INBOX/Secret/Super Secret

Use one of the mailboxes tripping you up, e.g.:

~$ imtest -a dwhite -m plain localhost
cut
Authenticated.
Security strength factor: 0
c lsub  *
* LSUB (\HasChildren) / INBOX
* LSUB (\HasChildren) / INBOX/Secret
* LSUB () / INBOX/Secret/Super Secret
* LSUB () / INBOX/Sent
* LSUB () / INBOX/Trash
c OK Completed (0.000 secs 6 calls)
c select INBOX/Secret/Super Secret
* FLAGS (\Answered \Flagged \Draft \Deleted \Seen)
* OK [PERMANENTFLAGS (\Answered \Flagged \Draft \Deleted \Seen \*)]  
* 0 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1263924043]  
* OK [UIDNEXT 1]  
* OK [NOMODSEQ] Sorry, modsequences have not been enabled on this mailbox
* OK [URLMECH INTERNAL]
c OK [READ-WRITE] Completed
c myrights INBOX/Secret/Super Secret
* MYRIGHTS INBOX/Secret/Super Secret lrswipkxtecda
c OK Completed
c logout
* BYE LOGOUT received
c OK Completed
Connection closed.

-- 
Dan White



Re: visibility of Mailbox-folders

2010-01-19 Thread Dan White
On 19/01/10 21:54 +0100, Dr. Harry Knitter wrote:
The program imtest is not in my distribution (debian lenny)

cyrus-clients-2.2

-- 
Dan White



Re: visibility of Mailbox-folders

2010-01-19 Thread Dan White
On 19/01/10 23:07 +0100, Dr. Harry Knitter wrote:
On Tuesday, 19 January 2010, Dan White wrote:
 On 19/01/10 21:54 +0100, Dr. Harry Knitter wrote:
 The program imtest is not in my distribution (debian lenny)
 
 cyrus-clients-2.2
 
Thanks

logged in as user info

The box has too many folders to be listed here completely

The LSUB was intended to verify your subscriptions, but it sounds like
you're seeing them.

c select INBOX.Kunden.A
* FLAGS (\Answered \Flagged \Draft \Deleted \Seen)
* OK [PERMANENTFLAGS (\Answered \Flagged \Draft \Deleted \Seen \*)]
* 0 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1174859079]
* OK [UIDNEXT 1]
c OK [READ-WRITE] Completed

c select INBOX.Kunden.A.Abraxa
* FLAGS (\Answered \Flagged \Draft \Deleted \Seen $Label1 NonJunk $label2 
$label3 $label4 $label5 schaden sofort)
* OK [PERMANENTFLAGS (\Answered \Flagged \Draft \Deleted \Seen $Label1 NonJunk 
$label2 $label3 $label4 $label5 schaden sofort \*)]
* 4 EXISTS
* 4 RECENT
* OK [UNSEEN 1]
* OK [UIDVALIDITY 1227273926]
* OK [UIDNEXT 5]
c OK [READ-WRITE] Completed
c myrights INBOX.Kunden.A.Abraxa
* MYRIGHTS INBOX.Kunden.A.Abraxa lrswipcda
c OK Completed

I don't see anything wrong.

You can try turning on telemetry logging for this user:

mkdir /var/lib/cyrus/log/info
chown cyrus:mail /var/lib/cyrus/log/info

Afterwards, any activity by the user 'info' will be logged. That may give
you an idea of what's going wrong.

-- 
Dan White



Re: visibility of Mailbox-folders

2010-01-18 Thread Dan White
On 18/01/10 18:49 +0100, Dr. Harry Knitter wrote:
On Monday, 18 January 2010, Gabriele Bulfon wrote:
 Hi, you should check each of the folder's ACLs.
 You probably lost permissions for these folders.
 Gabriele.


Thanks for quick reply.
However, permissions seem not to be the cause.
cyradm shows: info lrswipcda
File permissions are 600 cyrus:mail
Directory permissions are 700 cyrus:mail

Check subscriptions. Did you move them over? Some clients may only show
folders the user is subscribed to.

-- 
Dan White



Re: Authentication system failure in Cyrus Aggregator

2010-01-11 Thread Dan White
On 11/01/10 14:44 -0300, Oscar Nuñez wrote:
 Hi guys:

I'm configuring a mail system with cyrus with the aggregator concept. The
servers I have are 1 as backend, 1 frontend and a mupdate.
The whole system of sending mail through telnet command works correctly;
however, authentication from the frontend to the backend does not work and
throws the following error:

imap[4628]: accepted connection
imap[4628]: badlogin: localhost [127.0.0.1] plaintext john SASL(-13): user
not found: checkpass failed

Oscar,

Are these logs from the frontend or backend?

-- 
Dan White



Re: Authentication system failure in Cyrus Aggregator

2010-01-11 Thread Dan White
On 11/01/10 15:08 -0300, Oscar Nuñez wrote:
 imap[4628]: accepted connection
 imap[4628]: badlogin: localhost [127.0.0.1] plaintext john SASL(-13): user
 not found: checkpass failed


 Oscar,

 Are these logs from the frontend or backend?

Dan,

These logs are the frontend.

The user authentication to the frontend system will need to succeed before
the proxy authentication to the backend happens.

Verify your sasl_pwcheck_method and sasl_* config items are correct on the
frontend.

-- 
Dan White



Re: Authentication system failure in Cyrus Aggregator

2010-01-11 Thread Dan White
On 11/01/10 15:56 -0300, Oscar Nuñez wrote:
configdirectory: /var/imap
partition-default: /var/spool/imap
servername: Server_4.mat.utfsm.cl
allowplaintext: yes
allowusermoves: yes
allowsubscribes: yes
admins: cyrus
sievedir: /var/imap/sieve
sendmail: /usr/sbin/sendmail
sasl_minimum_layer: 0
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sasldb
sasl_mech_list: login plain
lmtpsocket: /var/imap/socket/lmtp
mupdate_server: Server_3
mupdate_authname: murder
mupdate_username: murder
mupdate_realm: auxprop
mupdate_password: 
proxy_authname: frontend
proxy_password: 
proxyd_disable_mailbox_referrals: 1

On Mon, Jan 11, 2010 at 3:14 PM, Dan White dwh...@olp.net wrote:

 On 11/01/10 15:08 -0300, Oscar Nuñez wrote:

 imap[4628]: accepted connection
 imap[4628]: badlogin: localhost [127.0.0.1] plaintext john SASL(-13): user 
 not found: checkpass failed

Do you have a user named john in sasldb2 on your frontend?

-- 
Dan White



Re: NOTICE: Debian is moving sieve to its IANA allocated port (4190)

2009-12-09 Thread Dan White
On 09/12/09 09:49 -0500, Adam Tauno Williams wrote:
On Tue, 2009-12-08 at 19:10 -0500, Matt Selsky wrote:
 Has any client software been updated to use port 4190?

Not that I've seen.

---
Ahh, Debian, you make me love CentOS more every day.

I've filed a bug (#559923) against Debian's Avelsieve package to change
its default configuration (for new installations) to use port 4190. I
would hope that change gets passed on to upstream when/if this issue
affects more OSs.

In my opinion, new installations should consider using 4190 and existing
installations should use whatever works best. 

If you do not intend to change Sieve ports for timsieved, then it'd be best
to change your cyrus.conf file now so you're not surprised in the future.
E.g., if you have:

sieve   cmd=timsieved listen=sieve prefork=0 maxchild=100

then changing to this:

sieve   cmd=timsieved listen=2000 prefork=0 maxchild=100

will help mitigate problems if your OS decides to modify your /etc/service
unexpectedly.

-- 
Dan White



Re: Question about cyrus ACL synchronisation - permission denied

2009-11-25 Thread Dan White
On 25/11/09 12:43 +0100, Nicolas Chauvet wrote:
 acl oneuser: [lrsid]
 setting acl INBOX oneuser lrsid
 Could not set acl: 12 NO Permission denied
 
 I'm not quite following the --folderrec INBOX.${u} --regextrans2
 's/(.*)/INBOX/' parts.
 I'm not sure either, but this is needed to pick the right mailbox on the 
 source server.
 Which mailbox are you applying the ACLs to? user/abuse?, or 'INBOX'?
 In this case, I try to set ACL on user/abuse.

From what the above error indicates, it appears to be applying ACLs to
'INBOX' rather than user/abuse, which would agree with how I'm interpreting
the 'regextrans2' option in your command. It appears to be replacing all
mailboxes with 'INBOX' on the destination server.

Also, note that if your intent is to connect as an admin user,
'INBOX' has no useful semantics for user mailboxes, on either the origin
server or the destination. INBOX only applies when connecting as a
user, viewing his personal mailboxes.

For more information, see:
http://cyrusimap.web.cmu.edu/imapd/overview.html#mboxname
RFC 2342

 With the way you have specified your authentication and authorization
 identities, imapsync will ultimately assume the identity of 'oneuser' on
 both servers, rather than 'cyrus', which means that you are not going to
 have admin rights (unless oneuser is an admin).
What have I done so that imapsync assumes the identity of oneuser instead of 
cyrus?
Because actually I cannot necessarily have the password of oneuser.

Yes. Typically you take this approach when you don't have the user's
password (or care to use it), but you wish to connect as the user, which
makes sense if you're trying to copy over that user's seen state and
subscriptions. But you should not expect to have any admin rights.

See:
man (5) imapd.conf   (option: proxyservers)
RFC 3501 page 28
RFC  page 14

However, it doesn't make a lot of sense to me if you're copying over ACLs.
It would make more sense to do that as an administrative user *once*,
after/before you've run the sync script for all your users.

How can I only sync ACL without also synchronising mailbox ?

Perhaps with:

--folderrec user
--syncacls
--justfolders
--user1 cyrus
--password1 secret1
--user2 cyrus
--password2 secret2

and since your source server appears to use hierarchy separator '.', and
the new server '/', you may or may not need:

--regextrans2 's/\./\//'

-- 
Dan White



Re: Question about cyrus ACL synchronisation - permission denied

2009-11-24 Thread Dan White
On 24/11/09 20:16 +0100, Nicolas Chauvet wrote:
I'm trying to use imapsync between two cyrus-imapd servers.
At this time, synchronization of user mailbox went fine, with both
content and ACL. (using the cyrus account).

But when I'm trying to use imapsync to synchronize ACL for shared
mailboxes, I obtain this error:

acl oneuser: [lrsid]
setting acl INBOX oneuser lrsid
Could not set acl: 12 NO Permission denied

The cyrus account owns rights on the destination mailbox:
MAILHOST lam user/abuse
abuse lrswikxtecd
cyrus lrswipkxtecda

Rights on the source mailbox are different:
 lam user.dsi
oneuser lrswipcda
twouser lrd
thiruser lrswipcda
cyrus lrswipcda

Why aren't ACLs synchronized using this imapsync command:
imapsync --buffersize 8192000 \
  --syncinternaldates --syncacls \
  --user1 oneuser \
  --subscribed \
  --include INBOX --exclude Brouillons --exclude ments --exclude user \
  --folderrec INBOX.${u} --regextrans2 's/(.*)/INBOX/' \
  --host1 liszt.cacc --authuser1 cyrus --authmech1 PLAIN --ssl1
--password1 secret1 \
  --host2 localhost --authuser2 cyrus --authmech2 PLAIN --password2
secret2 --ssl2 \
  --user2 oneuser

I'm not quite following the --folderrec INBOX.${u} --regextrans2
's/(.*)/INBOX/' parts.

Which mailbox are you applying the ACLs to? user/abuse?, or 'INBOX'?

With the way you have specified your authentication and authorization
identities, imapsync will ultimately assume the identity of 'oneuser' on
both servers, rather than 'cyrus', which means that you are not going to
have admin rights (unless oneuser is an admin).

You might consider running imapsync twice to reduce complexity - once where
you authz as oneuser, for synchronizing messages and seen state properly,
and a second time where you authz as the cyrus user for synchronizing acls.

-- 
Dan White

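The identity point made in both imapsync posts above (logging in as 'cyrus' with --authuser but acting as 'oneuser' with --user, and so having no admin rights) comes from the two identities carried in a SASL PLAIN exchange. The following is an added example, not code from the thread or from imapsync or Cyrus; the account names, passwords and ACL table are constructed, and the server-side rules model Cyrus's 'proxyservers' and admin behaviour as described in the thread.

```python
import base64
import hmac

# Constructed sample data modelled on the thread (names and passwords are
# assumptions, not values from any real server).
ADMINS = {"cyrus"}
PROXYSERVERS = {"cyrus"}          # imapd.conf 'proxyservers': may act for others
PASSWORDS = {"cyrus": "secret1", "oneuser": "pw-oneuser"}
# ACL of user/abuse as quoted in the thread: oneuser holds no rights at all.
ACLS = {"user/abuse": {"abuse": "lrswikxtecd", "cyrus": "lrswipkxtecda"}}


def plain_initial_response(authzid, authcid, password):
    """Encode the SASL PLAIN message of RFC 4616: authzid NUL authcid NUL passwd.

    imapsync's --authuser1 becomes authcid (who logs in) and --user1 becomes
    authzid (who the session acts as). An empty authzid means 'act as authcid'.
    """
    for field in (authzid, authcid, password):
        if "\x00" in field:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    raw = f"{authzid}\x00{authcid}\x00{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def authenticate(b64_message, admins=ADMINS, proxyservers=PROXYSERVERS,
                 passwords=PASSWORDS):
    """Server side: verify authcid's password, then apply the proxy rule that
    only 'proxyservers' accounts may name a different authzid. The returned
    effective identity decides admin rights: they follow authzid, not authcid."""
    parts = base64.b64decode(b64_message).split(b"\x00")
    if len(parts) != 3:
        return {"ok": False, "reason": "malformed PLAIN message"}
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    expected = passwords.get(authcid)
    if expected is None or not hmac.compare_digest(expected.encode(),
                                                    password.encode()):
        return {"ok": False, "reason": "bad credentials"}   # 'badlogin' in syslog
    authzid = authzid or authcid
    if authzid != authcid and authcid not in proxyservers:
        return {"ok": False, "reason": f"{authcid} may not proxy as {authzid}"}
    return {"ok": True, "user": authzid, "is_admin": authzid in admins}


def can_set_acl(identity, mailbox, acls=ACLS):
    """SETACL needs the 'a' right on the mailbox; admins have it implicitly.
    Acting as 'oneuser' on user/abuse therefore ends in 'NO Permission denied'."""
    if not identity.get("ok"):
        return False
    if identity["is_admin"]:
        return True
    rights = acls.get(mailbox, {}).get(identity["user"], "")
    return "a" in rights


if __name__ == "__main__":
    # --user1 oneuser --authuser1 cyrus: logs in as cyrus, acts as oneuser.
    proxied = authenticate(plain_initial_response("oneuser", "cyrus", "secret1"))
    print(proxied, "SETACL user/abuse:", can_set_acl(proxied, "user/abuse"))
    # Plain admin login: authzid left empty, so the session acts as cyrus.
    admin = authenticate(plain_initial_response("", "cyrus", "secret1"))
    print(admin, "SETACL user/abuse:", can_set_acl(admin, "user/abuse"))
```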


Re: Question about 'flagged' attribute

2009-11-23 Thread Dan White
On 23/11/09 10:17 +0100, Julien Vehent wrote:
I was wondering if there is any ongoing work to extend the flagged
attribute of IMAP into something more configurable?

I am thinking of some sort of labelling similar to what is implemented on
gmail, for example, but also with the virtual folders in Outlook and
extended tagging in Thunderbird. 

Per RFC 3501 (page 63):

   PERMANENTFLAGS

  Followed by a parenthesized list of flags, indicates which of
  the known flags the client can change permanently.  Any flags
  that are in the FLAGS untagged response, but not the
  PERMANENTFLAGS list, can not be set permanently.  If the client
  attempts to STORE a flag that is not in the PERMANENTFLAGS
  list, the server will either ignore the change or store the
  state change for the remainder of the current session only.
  The PERMANENTFLAGS list can also include the special flag \*,
  which indicates that it is possible to create new keywords by
  attempting to store those flags in the mailbox.


It appears 2.3.x supports '\*':

dwh...@thebrain:~$ imtest ...
cut
Authenticated.
111 select INBOX
* FLAGS (\Answered \Flagged \Draft \Deleted \Seen)
* OK [PERMANENTFLAGS (\Answered \Flagged \Draft \Deleted \Seen \*)]
cut
111 OK [READ-WRITE] Completed
222 store 1 +flags (reallyreallyimportant)
* FLAGS (\Answered \Flagged \Draft \Deleted \Seen reallyreallyimportant)
* OK [PERMANENTFLAGS (\Answered \Flagged \Draft \Deleted \Seen
* reallyreallyimportant \*)]
222 OK Completed
333 search keyword reallyreallyimportant
* SEARCH 1
333 OK Completed (1 msgs in 0.000 secs)
444 logout
* BYE LOGOUT received
444 OK Completed
Connection closed.

-- 
Dan White

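The RFC 3501 text quoted above leaves the client to work out, from FLAGS and PERMANENTFLAGS, whether a STORE will stick, and the imtest session shows the server growing both lists when a new keyword is created under \*. This added example (not from the post, not Cyrus code) parses constructed SELECT responses modelled on that session and classifies a STORE accordingly.

```python
import re

# Constructed SELECT responses, modelled on the imtest session in the post.
SELECT_RESPONSE = (
    "* FLAGS (\\Answered \\Flagged \\Draft \\Deleted \\Seen)\r\n"
    "* OK [PERMANENTFLAGS (\\Answered \\Flagged \\Draft \\Deleted \\Seen \\*)]\r\n"
    "111 OK [READ-WRITE] Completed\r\n"
)
# A constructed server that only lets \Seen persist and forbids new keywords.
LIMITED_RESPONSE = (
    "* FLAGS (\\Answered \\Flagged \\Draft \\Deleted \\Seen NonJunk)\r\n"
    "* OK [PERMANENTFLAGS (\\Seen)] Limited\r\n"
    "111 OK [READ-WRITE] Completed\r\n"
)

FLAGS_RE = re.compile(r"^\* FLAGS \(([^)]*)\)", re.M)
PERMFLAGS_RE = re.compile(r"^\* OK \[PERMANENTFLAGS \(([^)]*)\)\]", re.M)


def parse_flag_lists(response):
    """Return (FLAGS, PERMANENTFLAGS) as sets from a SELECT/EXAMINE response."""
    flags = FLAGS_RE.search(response)
    if flags is None:
        raise ValueError("no FLAGS untagged response")
    flag_set = set(flags.group(1).split())
    perm = PERMFLAGS_RE.search(response)
    # RFC 3501: without a PERMANENTFLAGS code the client assumes every flag
    # can be changed permanently.
    perm_set = set(perm.group(1).split()) if perm else set(flag_set)
    return flag_set, perm_set


def classify_store(flag, flags, permanent):
    """How the server will treat 'STORE n +FLAGS (flag)' per RFC 3501."""
    if flag in permanent:
        return "permanent"
    if flag in flags:
        return "session-only"      # known, but not in PERMANENTFLAGS
    if flag.startswith("\\"):
        return "rejected"          # system flags cannot be invented by clients
    if "\\*" in permanent:
        return "new-keyword"       # \* lets the client create a keyword
    return "session-only"          # server may also simply ignore it


def server_store(flag, flags, permanent):
    """Simulate the server's side of the STORE: a newly created keyword shows
    up in both FLAGS and PERMANENTFLAGS, as the post's session displays."""
    outcome = classify_store(flag, flags, permanent)
    flags, permanent = set(flags), set(permanent)
    if outcome == "new-keyword":
        flags.add(flag)
        permanent.add(flag)
    return outcome, flags, permanent


if __name__ == "__main__":
    f, p = parse_flag_lists(SELECT_RESPONSE)
    outcome, f2, p2 = server_store("reallyreallyimportant", f, p)
    print(outcome, sorted(f2), sorted(p2))
    lf, lp = parse_flag_lists(LIMITED_RESPONSE)
    print(classify_store("NonJunk", lf, lp), classify_store("Urgent", lf, lp))
```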


Re: Child mailboxes quota question

2009-11-23 Thread Dan White
On 22/11/09 23:28 -0800, Nybbles2Byte wrote:
Is there any inheritance, or are there limits on child mailboxes based on 
quotas up the parent chain?

Also, what is the difference between GetQuotaRoot and GetQuota?  I read the 
RFC but I didn't really pick up a clear distinction.

See:

http://cyrusimap.web.cmu.edu/imapd/overview.html#quota

SetQuota and GetQuota take as a parameter a quota root, which in the above
example would be one of:

user.bovik 
user.bovik.list
user.bovik.saved

GetQuotaRoot would take any of the mailboxes and display all applicable
(parent) quota roots.

-- 
Dan White

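Both quota threads on this page (the user/dwhite/Trash session near the top and the GetQuotaRoot question just above) hinge on how a mailbox resolves to its governing quota root: the nearest ancestor, or the mailbox itself, that has a quota set. The following is an added example, not code from the posts or from Cyrus; the quota table is constructed from the figures quoted in the threads.

```python
# Constructed quota table modelled on the threads' cyradm sessions:
# quota root -> (used KB, limit KB). Only mailboxes carrying a root appear.
QUOTA_ROOTS = {
    "user/dwhite": (0, 1000),
    "user/dwhite/Trash": (0, 500),
    "user.adam": (91336, 38400),
}


def split_mailbox(name):
    """Return (hierarchy separator, components); both '.' and '/' servers occur."""
    sep = "/" if "/" in name else "."
    return sep, name.split(sep)


def find_quota_root(mailbox, roots):
    """Nearest (longest-prefix) quota root governing mailbox, or None.

    This is what GETQUOTAROOT answers: after 'sq user/dwhite/Trash none' the
    Trash folder should resolve to its parent root user/dwhite."""
    sep, parts = split_mailbox(mailbox)
    for depth in range(len(parts), 0, -1):
        candidate = sep.join(parts[:depth])
        if candidate in roots:
            return candidate
    return None


def list_quota_root(mailbox, roots):
    """Render the line cyradm's lqr prints: '<root> STORAGE used/limit (pct%)'."""
    root = find_quota_root(mailbox, roots)
    if root is None:
        return mailbox                      # no root: lqr shows only the name
    used, limit = roots[root]
    pct = round(used * 100 / limit, 2) if limit > 0 else 0.0
    return f"{root} STORAGE {used}/{limit} ({pct:g}%)"


def remove_quota(mailbox, roots):
    """Model 'sq <mailbox> none': drop the root so the parent's applies."""
    roots = dict(roots)
    roots.pop(mailbox, None)
    return roots


def delivery_allowed(mailbox, size_kb, roots):
    """Quota check on APPEND or LMTP delivery against the governing root;
    exceeding it is the 'over quota' users in the thread complained about."""
    root = find_quota_root(mailbox, roots)
    if root is None:
        return True
    used, limit = roots[root]
    return used + size_kb <= limit


if __name__ == "__main__":
    print(list_quota_root("user.adam", QUOTA_ROOTS))
    print(list_quota_root("user/dwhite/Trash", QUOTA_ROOTS))
    after = remove_quota("user/dwhite/Trash", QUOTA_ROOTS)
    print(list_quota_root("user/dwhite/Trash", after))
```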


Re: Odd auth issue: Windows 7 + Outlook auth fails

2009-11-22 Thread Dan White
On 22/11/09 19:16 -0400, Marc G. Fournier wrote:
Okay, I'm running a setup that has worked for years, but my mother just 
upgraded their computer to Windows 7 with a full version of Outlook, and 
can no longer connect ...

So, I logged in via vnc and played around, and I'm getting the most odd 
results ...

If i put her login id as u...@hub.org, the servers sees u...@org ... but, 
if I do something like u...@hub.hub.org, the server sees u...@hub.hub.org 
... same if I do something like u...@.hub.org, the server sees the whole 
address properly ... it's only if I do the proper format of u...@hub.org 
does it truncate off the hub. part of it, which doesn't authenticate ...

Everything used to work fine for her, when she was on XP, but I'm really 
having trouble with seeing this as a Win problem when different formats do 
appear to work properly ...

Everything else works fine ..  my iphone connects fine, my alpine client 
works fine ... so as far as I can tell, everything *should* work fine ...

IMAP/POP?
Which version of Cyrus SASL and IMAPd are you running?
What does your sasl configuration look like? (grep sasl /etc/imapd.conf)
What are your 'virtdomains' and 'defaultdomain' config items? Verify
that user and u...@hub.org are not admin users.

If you suspect Outlook or Cyrus is mucking up the username, use a wire
level capture tool (with ssl/tls temporarily turned off) to find out
exactly who is at fault. 

-- 
Dan White



Re: Quick SASL question

2009-11-17 Thread Dan White
On 16/11/09 16:39 -0400, Patrick Boutilier wrote:
I am setting up a murder environment in testing. The backends use
SASL with pam for imap/pop authentication. I have to configure a user 
for proxyservers on the backends for the frontends to use. Is there 
anyway to configure it so that the proxyservers user can be in 
/etc/sasldb2 while still using pam for the real users?

Patrick,

You can specify more than one pwcheck method in imapd.conf, e.g.:

sasl_pwcheck_method: saslauthd auxprop

-- 
Dan White



Re: general question, how to do this?

2009-11-13 Thread Dan White
On 13/11/09 08:46 -0500, Adam Tauno Williams wrote:
 One user is out sick, another user asked me to search the first user's
 email for a specific message. If I had found that message and the second
 user wanted to access that message in the second user's normal INBOX
 would I do this:
 # cd /var/spool/imap/a/user/auser
 # cp 99. /var/spool/imap/b/user/buser
 # su - cyrus
 # reconstruct -r user.buser
 # exit
 # exit

Don't do any of the above.  Just grant the user the rights to access the
other user's folder.

Except that that grants access to all of that users messages rather than a
specific message.

-- 
Dan White



Re: Questions about ctl_cyrusdb

2009-11-11 Thread Dan White
On 11/11/09 10:43 +0100, Andre Brandt wrote:
Hi,

last night, after an accident, my mailserver ran out of space within 
half an hour. After solving the problem, I thought that the problem was 
gone. What I didn't know was that, after solving the original problem, 
cyrus started to create more than 6600 files under /var/lib/cyrus/db 
(log.0), each file with a size of 10 MB.
After starting cyrus again, I can see that ctl_cyrusdb recovers the 
database. But this takes a _very_ long time :(

As I found in documentation, files under /var/lib/cyrus/db can be safely 
deleted when no cyrus process is running - is this right? What are these 
files for? What kind of information do they contain? How can it happen 
that cyrus writes more than 70 GB of logs when the server has nearly no 
work to do?

Andre,

See the database-formats.html file located in the source distribution, also
found here:

http://tinyurl.com/yzn8wke

-- 
Dan White



Re: general question, how to do this?

2009-11-11 Thread Dan White
On 11/11/09 13:08 -0600, Mike Eggleston wrote:
One user is out sick, another user asked me to search the first user's
email for a specific message. If I had found that message and the second
user wanted to access that message in the second user's normal INBOX
would I do this:

# cd /var/spool/imap/a/user/auser
# cp 99. /var/spool/imap/b/user/buser
# su - cyrus
# reconstruct -r user.buser
# exit
# exit

The message was not found, so no urgent need for this. I want to know
how for next time.

pinky:~# imtest -a cyrus localhost
cut
S: A01 OK Success (privacy protection)
Authenticated.
Security strength factor: 128
111 select user.auser
cut
111 OK [READ-WRITE] Completed
222 uid copy 99 user.buser
222 OK [COPYUID 1089193296 1 1480] Completed
333 logout
* BYE LOGOUT received
333 OK Completed
Connection closed.

Where 'cyrus' is an admin.

-- 
Dan White

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
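Added example, not part of the thread and not Cyrus code: the UID COPY exchange above done from Python with imaplib, locating the message by its Message-ID first so that exactly one message is copied (neither the spool copy plus reconstruct nor a folder-wide ACL grant). It assumes an admin account named 'cyrus' that is listed in 'admins:' in imapd.conf; the mailbox names, Message-IDs and the FakeIMAP class are constructed so the module runs offline.

```python
"""Copy a single message from one user's mailbox to another's over IMAP,
as a Cyrus admin, instead of copying spool files and running reconstruct.

Added example; not code from the thread or from Cyrus. It assumes an
account listed in 'admins:' in imapd.conf (here 'cyrus'), which gives it
rights on every user.* mailbox, and a Message-ID to identify the message.
FakeIMAP, the mailbox names and the Message-IDs are constructed so the
module runs offline; against a real server use imaplib as in main().
"""
import getpass
import imaplib
import re

COPYUID_RE = re.compile(rb"^(\d+)\s+(\S+)\s+(\S+)$")


def parse_copyuid(code):
    """Parse a COPYUID response code (RFC 4315): UIDVALIDITY, source UID set, destination UID set."""
    m = COPYUID_RE.match(code.strip())
    if not m:
        raise ValueError(f"unexpected COPYUID data: {code!r}")
    return int(m.group(1)), m.group(2).decode(), m.group(3).decode()


def find_uids_by_message_id(conn, mailbox, message_id):
    """Return the UIDs (as strings) in `mailbox` whose Message-ID header equals `message_id`."""
    typ, data = conn.select(mailbox, readonly=True)
    if typ != "OK":
        raise RuntimeError(f"SELECT {mailbox}: {typ} {data}")
    # Message-IDs contain '<' and '>', so the search string is sent quoted.
    typ, data = conn.uid("SEARCH", None, "HEADER", "Message-ID", '"%s"' % message_id)
    if typ != "OK":
        raise RuntimeError(f"UID SEARCH: {typ} {data}")
    return [uid.decode() for uid in data[0].split()] if data and data[0] else []


def copy_one_message(conn, src_mailbox, dst_mailbox, message_id):
    """Copy exactly one message; refuses to run if the Message-ID is absent or ambiguous.

    Returns (source_uid, dest_uid); dest_uid is None if the server sent no COPYUID.
    """
    uids = find_uids_by_message_id(conn, src_mailbox, message_id)
    if len(uids) != 1:
        raise LookupError(f"{len(uids)} messages match {message_id} in {src_mailbox}")
    uid = uids[0]
    typ, data = conn.uid("COPY", uid, dst_mailbox)
    if typ != "OK":
        raise RuntimeError(f"UID COPY {uid} {dst_mailbox}: {typ} {data}")
    # imaplib files bracketed response codes such as [COPYUID ...] under their name.
    _, code = conn.response("COPYUID")
    if not code or code[0] is None:
        return int(uid), None
    _, _, dest_set = parse_copyuid(code[0])
    return int(uid), int(dest_set)


class FakeIMAP:
    """Constructed stand-in for imaplib.IMAP4 with just the calls used above."""

    UIDVALIDITY = 1089193296

    def __init__(self, store):
        self.store = store  # mailbox -> {uid: message_id}
        self.selected = None
        self.next_uid = {m: max(msgs, default=0) + 1 for m, msgs in store.items()}
        self.codes = {}

    def select(self, mailbox, readonly=False):
        if mailbox not in self.store:
            return "NO", [b"Mailbox does not exist"]
        self.selected = mailbox
        return "OK", [str(len(self.store[mailbox])).encode()]

    def uid(self, command, *args):
        if command == "SEARCH":
            wanted = args[-1].strip('"')
            hits = sorted(u for u, mid in self.store[self.selected].items() if mid == wanted)
            return "OK", [" ".join(map(str, hits)).encode()]
        if command == "COPY":
            uid, dst = int(args[0]), args[1]
            if dst not in self.store:
                return "NO", [b"Mailbox does not exist"]
            new_uid = self.next_uid[dst]
            self.next_uid[dst] += 1
            self.store[dst][new_uid] = self.store[self.selected][uid]
            self.codes["COPYUID"] = [f"{self.UIDVALIDITY} {uid} {new_uid}".encode()]
            return "OK", [b"Completed"]
        raise NotImplementedError(command)

    def response(self, code):
        return code, self.codes.pop(code, [None])


def main():
    """Real usage (assumed host and admin name): connect over TLS and copy by Message-ID."""
    conn = imaplib.IMAP4_SSL("localhost")
    conn.login("cyrus", getpass.getpass("IMAP Password: "))
    try:
        print(copy_one_message(conn, "user.auser", "user.buser", "<message-id@example.net>"))
    finally:
        conn.logout()


if __name__ == "__main__":
    main()
```

Doing the copy through IMAP keeps it inside the server's own locking and index updates, which is the reason not to touch /var/spool/imap directly; the admin session still appears in the auth log as the admin, not as either user.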


Re: cyradm lm returns empty list but mailboxes are accessible via

2009-10-30 Thread Dan White
On 30/10/09 23:20 +0800, John Mok wrote:
 I checked the /var/log/auth.log, and found the following error when  
 cyradm lm returned an empty list :-

 Oct 29 08:36:13 imapsv01 perl: encoded packet size too big (4156 > 4096)

 Does it remind you how to solve the problem?

Yes. See:

http://markmail.org/message/qvgd6gspvpx2cije

I believe this problem went away when I changed or upgraded my Heimdal
libraries (and recompiled sasl). I'm currently using Heimdal 1.1 libraries.
I believe I had this problem on the older 0.7.x libraries.

The problem appears to be that the client is advertising a max out buffer
of 4096, but is sending a packet of data larger than that (incorrectly).
It's probably due to a problem between cyrus sasl and which ever kerberos
library you're using.

OpenLDAP client utilities provide a -O to specify security-options (e.g. -O
maxbufsize=4096), but I don't know of a way to do that with cyrus clients
without recompiling the defaults in sasl.

-- 
Dan White



Re: cyradm lm returns empty list but mailboxes are accessible via

2009-10-29 Thread Dan White
On 29/10/09 09:52 +0800, John/SML wrote:
kinit j...@grt.citizen.co.jp
cyradm --user john imapsv01.grt.citizen.co.jp imap

At the beginning, console command lm showed a list of mailboxes on the 
IMAP server. After adding over 90 mailboxes, suddenly lm showed empty 
list, but the mailboxes are accessible from MTA (Postfix) and from mail 
client (Thunderbird) via GSSAPI / Kerberos :-

Are you trying to connect as an administrator (john) to view all mailboxes?
Or are you trying to just view john's mailboxes?

Verify in your logs that you are authenticating as the user you are
expecting to.

If you have virtdomains enabled, see:

http://cyrusimap.web.cmu.edu/imapd/install-virtdomains.html

particularly the Administration section. I've had similar problems as you
when not getting the admin config correct: If virtdomains are enabled and
you are connecting as 'cyrus', you might need to add
'cy...@my-default-domain.org'. Or in your case, john.

-- 
Dan White



Re: cyradm lm returns empty list but mailboxes are accessible via

2009-10-29 Thread Dan White
On 29/10/09 08:33 -0500, Dan White wrote:
If you have virtdomains enabled, see:

http://cyrusimap.web.cmu.edu/imapd/install-virtdomains.html

particularly the Administration section. I've had similar problems as you
when not getting the admin config correct: If virtdomains are enabled and
you are connecting as 'cyrus', you might need to add
'cy...@my-default-domain.org'. Or in your case, john.

I think I have that totally wrong. If you have virtdomains enabled, you
must specify a default domain, and then specify an unqualified username in
your admin config.

-- 
Dan White



Re: cyradm lm returns empty list but mailboxes are accessible via

2009-10-29 Thread Dan White
 I checked the server log and it read that I passed GSSAPI login.

 The most interesting point is that cyradm seems to crash after the first  
 failure :-

 Is it a bug in the cyrus-admin-2.2 package on Ubuntu 6.06.2 LTS?

That rings a bell too. I don't recall what my resolution was.

Does it happen when doing non GSSAPI authentication?

-- 
Dan White



Re: authentication and/or sieve problem?

2009-10-28 Thread Dan White
On 28/10/09 00:47 -0700, Maria McKinley wrote:
ella:/var/log# testsaslauthd -u test -p xxx -s smtp
0: OK Success.
ella:/var/log# testsaslauthd -u test -p xxx -s imaps
0: NO authentication failed
ella:/var/log# testsaslauthd -u test -p xxx -s imap
0: OK Success.

Can you provide sanitized copies of the following?:

Your saslauthd startup options (e.g. /etc/default/saslauthd)
Your saslauthd.conf if it exists
your PAM configuration for smtp, imaps and imap if appropriate

TLS seems to work just fine for smtp:

Oct 28 00:13:21 ella postfix/smtpd[5794]: initializing the server-side 
TLS engine
Oct 28 00:13:21 ella postfix/smtpd[5794]: connect from 
c-76-28-239-89.hsd1.wa.comcast.net[76.28.239.89]
Oct 28 00:13:21 ella postfix/smtpd[5794]: setting up TLS connection from 
c-76-28-239-89.hsd1.wa.comcast.net[76.28.239.89]
...

But I get tls errors regarding imaps:

Oct 26 06:36:35 ella cyrus/imaps[18356]: Fatal error: 
tls_start_servertls() failed

Permissions problem? Can your cyrus user read the TLS files you've
specified in imapd.conf?

If not, please include sanitised copies of your imapd.conf and cyrus.conf.

I'm not entirely sure how big of a deal this is, since we use ssl over 
imaps to check mail, but it does seem to be causing a problem with 
filters/sieve. When someone attempts to change filters using 
squirrelmail, the connection times out, and the logs fill with imaps tls 
errors.

Oct 28 00:37:45 ella cyrus/sieve[7080]: starttls: TLSv1 with cipher 
AES256-SHA (256/256 bits new) no authentication
Oct 28 00:37:48 ella cyrus/imaps[7082]: imaps TLS negotiation failed: 
[10.208.108.93]
Oct 28 00:37:48 ella cyrus/imaps[7082]: Fatal error: 
tls_start_servertls() failed

What does your sieve entry look like in cyrus.conf? What does your
squirrelmail sieve (avelsieve?) configuration look like?

-- 
Dan White

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
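Added example, not from the thread or from Cyrus: a check for the "can your cyrus user read the TLS files" question above. It parses imapd.conf for the 2.3-era options tls_cert_file, tls_key_file and tls_ca_file, resolves the uid and groups of the service user (assumed here to be 'cyrus'), and reports files that user cannot read, as well as a private key that group or others can read. The file names in the test are constructed. The check is a plain mode-bit test and ignores POSIX ACLs, SELinux and the search permission on parent directories, so a clean run is necessary but not sufficient.

```python
"""Check that the user imapd runs as can read the TLS files named in
imapd.conf, and flag a private key that is readable by others.

Added example; not code from the thread or from Cyrus. It assumes the
'option: value' syntax of imapd.conf and the 2.3-era option names
tls_cert_file, tls_key_file and tls_ca_file. The service user name
('cyrus'), the config path and the sample files used in the test are
constructed. Only owner/group/other mode bits are checked; POSIX ACLs,
SELinux and directory search permission are not.
"""
import grp
import os
import pwd
import stat
import sys

TLS_OPTIONS = ("tls_cert_file", "tls_key_file", "tls_ca_file")


def parse_imapd_conf(text):
    """Map option names to values; lines starting with '#' are comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        opts[name.strip()] = value.strip()
    return opts


def can_read(st, uid, gids):
    """True if a process with this uid and these gids may read the file described by `st`."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def identity_of(user):
    """uid and the full set of gids (primary plus supplementary) for a user name."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return pw.pw_uid, gids


def check_tls_files(opts, uid, gids):
    """Return (option, path, problem) findings; an empty list means nothing was found."""
    findings = []
    for opt in TLS_OPTIONS:
        path = opts.get(opt)
        if not path:
            continue
        try:
            st = os.stat(path)
        except OSError as exc:
            findings.append((opt, path, f"cannot stat: {exc.strerror}"))
            continue
        if not can_read(st, uid, gids):
            findings.append((opt, path, "not readable by the service user"))
        if opt == "tls_key_file" and st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((opt, path, "private key is readable by group or others"))
    return findings


def main(conf="/etc/imapd.conf", user="cyrus"):
    """Print findings for a real config; exit status 1 if there are any."""
    with open(conf) as fh:
        opts = parse_imapd_conf(fh.read())
    uid, gids = identity_of(user)
    findings = check_tls_files(opts, uid, gids)
    for opt, path, problem in findings:
        print(f"{opt}: {path}: {problem}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:]))
```

Run it as root (so the stat calls themselves are not denied) with the service user as the second argument; a key that is readable by group or others is reported even when the service user can read it, because the usual fix for "cyrus cannot read the key" is chmod 644 on the key, which trades one fault for a worse one.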


Re: Cyrus IMAP GSSAPI for multiple AD domains

2009-10-22 Thread Dan White
On 22/10/09 22:38 +0800, John Mok wrote:
Oct 22 15:35:02 imapsv01 cyrus/imap[19466]: badlogin: 
John.sml.citizen.co.jp [10.144.1.192] GSSAPI [SASL(-13): authentication 
failure: user komat...@go.citizen.co.jp is not allowed to proxy]

I checked with imtest and it passed successfully :-

 imtest -m GSSAPI imapsv01.grt.citizen.co.jp

The IMAP config. /etc/imapd.conf follows :-


virtdomains: yes
defaultdomain: grt.citizen.co.jp
sasl_pwcheck_method: saslauthd

The '...not allowed to proxy' would seem to indicate that the client is
sending an authorization identity, and that it does not match the
authentication identity derived from GSSAPI.

What does your 'loginrealms:' entry look like in imapd.conf? Are you
specifying a(n authorization) username within the email client? If so, try
including go.citizen.co.jp in your loginrealms config, and configuring
'komat...@go.citizen.co.jp' as your authorization identity in your client,
or perhaps not specify it at all.

-- 
Dan White



Re: ACL question

2009-10-21 Thread Dan White
On 21/10/09 17:54 +0200, Dietmar Rieder wrote:
Hi,

is there a possibility to set an acl on a folder outside the user's INBOX 
hierarchy such that a user cannot delete it but at the same time it 
should be possible for her/him to create and delete subfolders in that 
folder.

e.g.

The user's INBOX is   : user.testuser
The folder outside is: archive.testuser

With the following acl:
localhost lam archive.testuser
testuser lrswipkxtecd

Dietmar,

See RFC 4314 for an explanation of the acl flags.

-- 
Dan White



Re: ACL question

2009-10-21 Thread Dan White
On 21/10/09 18:05 +0200, Dietmar Rieder wrote:
 Dietmar,

 See RFC 4314 for an explanation of the acl flags.


 Dan,

 thanks for your hint. I did that already but (maybe I'm too stupid) I  
 couldn't figure out a set of flags that would meet my needs...

If I'm reading right:

Mailbox management:
   CREATE - k right on a nearest existing parent mailbox.  When a
   new mailbox is created, it SHOULD inherit the ACL from the parent
   mailbox (if one exists) in the defined hierarchy.

... it appears the sub mailbox will always get the same ACL as the parent
mailbox. You might have to modify the ACL of the sub mailbox after it's
created.

-- 
Dan White



Re: painful mupdate syncs between front-ends and database server

2009-10-19 Thread Dan White
On 19/10/09 16:38 -0400, Michael Bacon wrote:
I say mostly because while most of the times the thing handles our 80,000 
users and 14,000+ simultaneous connections like a champ, some of the time, 
we get some extreme pain, mostly due to syncs between the MUPDATE master 
and the front-end servers.

What database type are you using for mailboxes.db?

This might provide some optimization tips, if you haven't already parsed
it:

http://cyrusimap.web.cmu.edu/imapd/install-perf.html

-- 
Dan White



Re: saslauthd w/postfix smtp only works the first time

2009-09-30 Thread Dan White
On 29/09/09 23:10 -0400, ravi raju wrote:
Folks,
I set up cyrus sasl2 to work with postfix smtp server. I am able to send
e-mail by authenticating via sasl the first time after I start the saslauthd
process. When I send another e-mail, it doesn't work. I looked through
different logs, here is what I find:

1. Start saslauthd. I checked the status, several pids start up.
Starting saslauthd  [  OK  ]
Creating hardlink from /var/lib/sasl2/mux to
/var/spool/postfix/var/lib/sasl2/

saslauthd (pid 29638 29636 29634 29628 29627) is running...

2. Send e-mail. Everything works.

3. I checked the /var/log/syslog to make sure the connection was terminated
after it was first opened when sending e-mail.

4. Try sending another e-mail from the same box. E-mail is not sent.

5. I see most of the saslauthd process are shutdown at this point. Status
only shows one process running

saslauthd (pid 29627) is running...

6. After I force restart saslauthd, I can send another e-mail. At any point
in time, I am able to only send one e-mail.

Does anyone have a clue what is going on? I appreciate your time and help with
this.

Is Postfix authenticating to LMTP? Or is your mail client authenticating
to Postfix?

Either way, I recommend using lmtptest or smtptest to troubleshoot.
You can find them in the cyrus-imapd distribution.

To further troubleshoot with us, please provide (sanitized) copies of the
following:
postfix syslog of a good and bad email delivery attempt
any corresponding imapd/lmtpd syslog entries
any corresponding auth syslog entries (cyrus sasl)

Also, please provide your imapd.conf configuration, or at least the output of
'grep sasl /etc/imapd.conf', your postfix sasl configuration if
appropriate (the contents of /etc/postfix/sasl/*), and your postfix
lmtp/deliver configuration.

-- 
Dan White



Re: INBOX Prefix problem with sasldb authentication

2009-09-23 Thread Dan White
On 23/09/09 21:30 +0200, Frédéric MERCIER wrote:
 Authentication with sasldb2 :

 myserver:~# telnet localhost 993
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=CRAM-MD5
 AUTH=DIGEST-MD5 SASL-IR COMPRESS=DEFLATE] myserver.mydomain.net Cyrus
 IMAP v2.3.15 server ready
 . login t...@mydomain.net mypassword
 . OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED
 COMPRESS=DEFLATE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE
 UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT
 SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE
 CATENATE CONDSTORE SCAN IDLE URLAUTH] User logged in
 . list * *
 * LIST (\HasChildren) . user.test
 * LIST (\HasChildren) . user.test.Administratif
 etc ...

 user.test is not set as INBOX Prefix. The result is that my MUA is not
 able to find my mails ...

The 'user' prefix is displayed for mailboxes that the authenticated user has
ACL access to, but which are not perceived to be the user's own mailboxes.

Or in other words, if you were to authenticate as jsmith, and attempt to
view the mailboxes for msmith, you will get the 'user' prefix.

cyrus imapd believes that t...@mydomain.net and test are different
users. You can either create a mailbox for t...@mydomain.net, or configure your
virt domain options (defaultdomain).

-- 
Dan White



Re: cyrus stopped delivery

2009-09-23 Thread Dan White
On 23/09/09 14:00 -0700, rvh wrote:
Hi, The cyrus server was shut down overnight. After restarting
this morning it won't accept mail for clients. Everything I've 
tried has failed. 

I am on cyrus 2.1.

The errors I'm seeing now are:
DBERROR: error exiting application: DB_RUNRECOVERY: Fatal error, run database 
recovery
and 
unable to create imap listener socket: Address family not supported by protocol

This is a production server that has been in service for quite a while
without change.

Suggestions greatly appreciated.

Can you tell from the logs which database it's giving the DBERROR for? Some
databases can safely be removed.

Can you include your /etc/cyrus.conf config?

-- 
Dan White



Re: cyrus stopped delivery

2009-09-23 Thread Dan White
I'm CCing the list.

On 23/09/09 14:56 -0700, rvh wrote:
 Over the last several restarts of cyrus the database error has
 not come up so that might have been resolved. Now it's just the:
 unable to create imap listener socket: Address family not supported by 
 protocol
 I'll include the cyrus.conf file below.

 SERVICES {
    # --- Normal cyrus spool, or Murder backends ---
    # add or remove based on preferences
    imap        cmd="imapd -U 30" listen="imap" prefork=0 maxchild=100
    #imaps      cmd="imapd -s -U 30" listen="imaps" prefork=0 maxchild=100
    pop3        cmd="pop3d -U 30" listen="pop3" prefork=0 maxchild=50
    #pop3s      cmd="pop3d -s -U 30" listen="pop3s" prefork=0 maxchild=50

    # At least one form of LMTP is required for delivery
    # (you must keep the Unix socket name in sync with imap.conf)
    lmtp        cmd="lmtpd -a" listen="localhost:lmtp" prefork=0 maxchild=20
    # lmtpunix  cmd="lmtpd" listen="/var/run/cyrus/socket/lmtp" prefork=0 maxchild=20
    # --

    # useful if you need to give users remote access to sieve
    # by default, we limit this to localhost in Debian
    sieve       cmd="timsieved" listen="localhost:sieve" prefork=0 maxchild=100

    # this one is needed for the notification services
    notify      cmd="notifyd" listen="/var/run/cyrus/socket/notify" proto="udp" prefork=1

It appears to be complaining about your imap line in SERVICES. It's saying
that the address family is not supported. I assume that it's trying to
listen on a tcp6 socket.

Try adding proto=tcp4, like this:

imap        cmd="imapd -U 30" listen="imap" proto="tcp4" prefork=0 maxchild=100

If that works for imap, you'll need to replicate it for pop3, lmtp and sieve.

See the man page for cyrus.conf for more information.

-- 
Dan White



Re: Same mailbox with different logins

2009-09-21 Thread Dan White
On 21/09/09 12:11 +0300, Evgeniy Arbatov wrote:
Thank you for your replies! I've decided to go with canon_user plugin.
My next  question is how to use this plugin. I am trying to use LDAP
as authentication backend. What I could find are following imapd.conf
settings:

sasl_pwcheck_method: saslauthd
sasl_mech_list: login plain
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldap://ldap.example.net/
sasl_ldapdb_canon_attr: mail
sasl_canon_user_plugin: ldapd
imap_sasl_canon_user_plugin: ldapdb
pop3_sasl_canon_user_plugin: ldapdb

Will this give me canonified username - firstname.lastn...@domain? Do
I need to make changes to LDAP for those settings to work?

After I configure this ldapdb plugin  I see in logs:

mail imaps[10161]: canonified earbatov -> earbatov
mail imaps[10161]: badlogin: host [10.10.10.10] plain [SASL(-4): no
mechanism available: desired canon_user plugin ldapdb not found]
mail imaps[10161]: badlogin: host [10.10.10.10] plaintext earbatov
SASL(-4): no mechanism available: desired canon_user plugin ldapdb not
found

I put my complete imapd.conf here http://pastebin.com/m2dbf3951

Evgeniy,

ldapdb, as a canon_user plugin, is not currently found in the 2.1.23 cyrus
sasl release. You will need to obtain cyrus sasl source from CVS.

There is an upcoming 2.1.24 sasl release that hopefully includes this
functionality. Documentation is found within 'docs/options.html' in the
sasl source.

You will need to configure your openldap server to support proxy
authorization, as discussed here:

http://www.openldap.org/doc/admin24/sasl.html#SASL Proxy Authorization

'sasl_auxprop_plugin: ldapdb' is probably not necessary, since you are
using saslauthd for login/plain (only) authentication.

Assuming you have openldap proxy authorization set up properly for your
environment, the mail attribute (per your config) should return the
username you wish to ultimately use. cyrus imap will pretty much remain
ignorant of which username you originally authenticated as, and use the
identity returned from sasl when searching for mailboxes and applying
ACLs.

-- 
Dan White



Re: Same mailbox with different logins

2009-09-21 Thread Dan White
On 21/09/09 11:35 +0200, Rudy Gevaert wrote:
Hi,

I haven't taken the time to read the other replies but we here allow  
people to log in with username OR firstname.lastn...@domain.com.

(At the bottom of the reply is a question regarding canon plugin and  
shared folders)

If I would have to redo our setup I would go with
- some...@domain.com
- rewriting whatever.they.w...@domain.com to some...@domain.com with a  
proxy in front of it (IMAP/POP proxy is no problem, but what about a  
SIEVE proxy?  Can nginx do this?  Bron? Perdition can't. :))  Or  
rewriting with the canon plugin.

With a canon_user plugin, all protocols should be supported, including
sieve. This is one of the main reasons we moved away from perdition in our
environment.

-- 
Dan White



Re: -authz no longer working?

2009-09-04 Thread Dan White
On 04/09/09 11:49 -0600, John Masterson wrote:
If I use cyradm to authenticate directly as the user in question, then I 
correctly see the shared mailboxes.

But when I authenticate as the cyrus admin user and -authz as the user I 
am interested in, no such luck.

The ability to authz is controlled by the proxyservers option within
/etc/imapd.conf.

In your syslog (auth) log, you should not see the administrator
connecting. When you successfully authz, you should see the proxied user
connecting. 

-- 
Dan White



Re: -authz no longer working?

2009-09-04 Thread Dan White

On 04/09/09 13:50 -0600, John Masterson wrote:
 Thanks. The server I'm connecting to has the 'cyrus' user listed in  
 proxyservers in /etc/imapd.conf:

 proxyservers: cyrus mupdate

 When i connect via cyradm and an authz argument, the log on the  
 destination server indicates I am 'cyrus', not the user I provided in my  
 authz arg:

 $ cyradm --user cyrus --authz johnm mbe1
 IMAP Password:

 mbe1.msomt.modwest.com

 Log:

 Sep  4 13:47:43 mbe1 cyrus/imap[17219]: login: mgmt.modwest.com  
 [204.11.245.21] cyrus plaintext User logged in

Looks like this problem is related to the mechanism that you are connecting
with. If I explicitly request the 'PLAIN' mechanism, then I see:

Sep  4 15:06:25 neo cyrus/imap[28930]: login: vpn.olp.net [67.217.151.100]
dwhite PLAIN User logged in

but if I do the LOGIN mechanism (which I think is really the RFC 3501 6.2.3
login command, which doesn't support authz), then I get something similar
to what you're getting:

Sep  4 15:06:00 neo cyrus/imap[28930]: login: vpn.olp.net [67.217.151.100]
cyrus plaintext User logged in

-- 
Dan White


Re: -authz no longer working?

2009-09-04 Thread Dan White
On 04/09/09 15:01 -0600, John Masterson wrote:
 Sep  4 14:59:09 mbe1 cyrus/imap[18587]: badlogin: mgmt.modwest.com  
 [204.11.245.21] PLAIN [SASL(-16): encryption needed to use mechanism:  
 security flags do not match required]
 Sep  4 14:59:39 mbe1 cyrus/imap[18587]: login: mgmt.modwest.com  
 [204.11.245.21] cyrus plaintext User logged in

You probably do not have this turned on in /etc/imapd.conf:

# Allow plaintext logins by default (SASL PLAIN)
allowplaintext: yes

You can either:

* connect using TLS (which will provide the required security bits),
then connect with PLAIN

* enable the allowplaintext option

* or connect with another mechanism (like DIGEST-MD5) which would also
provide the appropriate level of network security.

You might also need to adjust your sasl_minimum_layer setting.

-- 
Dan White

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
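Added example, not from the thread, Cyrus IMAP or Cyrus SASL: what PLAIN with an authorization identity looks like on the wire (RFC 4616), next to a simplified model of the policy described above: plaintext mechanisms are refused until either STARTTLS is in place or allowplaintext is on, and sasl_minimum_layer is measured against what TLS already provides. MECH_MAX_SSF is an illustrative table, not the library's; the user names and password are constructed. The IMAP LOGIN command (RFC 3501, 6.2.3) has no field for an authorization identity, which is why 'cyradm --authz' only takes effect with a SASL mechanism such as PLAIN.

```python
"""SASL PLAIN with an authorization identity (RFC 4616), and a model of
when imapd will offer a plaintext mechanism at all.

Added example; not code from the thread, Cyrus IMAP or Cyrus SASL. The
PLAIN encoding is the RFC's; mechanism_offered() is a simplified model of
the imapd.conf options allowplaintext and sasl_minimum_layer together with
the external SSF that STARTTLS provides. MECH_MAX_SSF is an illustrative
table, not the library's. User names and the password are constructed.
"""
import base64

# Mechanisms that send the password in the clear. The server refuses them
# with SASL(-16) "encryption needed to use mechanism" unless the connection
# already carries an encryption layer or allowplaintext is set.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Strongest security layer each mechanism can negotiate by itself (illustrative).
MECH_MAX_SSF = {"PLAIN": 0, "LOGIN": 0, "CRAM-MD5": 0, "DIGEST-MD5": 128}


def plain_initial_response(authcid, password, authzid=""):
    """Build the PLAIN message  authzid NUL authcid NUL passwd  and base64 it for the wire.

    authzid is who you want to act as (the --authz user); authcid is who you
    prove you are (the admin). An empty authzid means "same as authcid".
    """
    for field in (authzid, authcid, password):
        if "\0" in field:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_plain(initial_response):
    """Inverse of the above: returns (effective_authzid, authcid, password)."""
    parts = base64.b64decode(initial_response, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN message")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    return authzid or authcid, authcid, password


def mechanism_offered(mech, tls_ssf=0, allowplaintext=False, sasl_minimum_layer=0):
    """Model: may imapd offer `mech` on a connection whose TLS layer gives tls_ssf bits?

    tls_ssf is 0 before STARTTLS. What the mechanism itself must still
    provide is sasl_minimum_layer minus what TLS already provides; a
    mechanism that cannot reach that is not advertised.
    """
    if mech not in MECH_MAX_SSF:
        raise KeyError(f"unknown mechanism {mech}")
    if mech in PLAINTEXT_MECHS and tls_ssf == 0 and not allowplaintext:
        return False  # SASL(-16): encryption needed to use mechanism
    still_needed = max(0, sasl_minimum_layer - tls_ssf)
    return MECH_MAX_SSF[mech] >= still_needed


if __name__ == "__main__":
    # Admin 'cyrus' proving its own password but asking to act as 'johnm',
    # as 'cyradm --user cyrus --authz johnm' does with the PLAIN mechanism.
    ir = plain_initial_response("cyrus", "s3cret", authzid="johnm")
    print("C: AUTHENTICATE PLAIN", ir)
    print("decoded:", parse_plain(ir))
    for tls, allow in ((0, False), (0, True), (128, False)):
        print(f"tls_ssf={tls} allowplaintext={allow}: PLAIN offered =",
              mechanism_offered("PLAIN", tls, allow))
```

Because the authorization identity travels inside the PLAIN message, the server can check it against proxyservers and log the proxied user; the LOGIN command carries only a user name and a password, so the session is simply logged in as the admin.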


Re: Postfix + Cyrus error with GSSAPI/kerberos - Mailbox does not exist

2009-08-14 Thread Dan White

On 14/08/09 16:44 +0800, John/SML wrote:

Hi,

I am trying to set up a mail server using Postfix + Cyrus with virtual 
domains and GSSAPI/kerberos. I checked the log /var/log/mail.log and the 
incoming e-mail could be delivered to the mailbox successfully. The 
problem is that the Thunderbird mail client prompts an error "Mailbox does 
not exist" while checking inbox :- 
cyradm lm

user/nicky@kdcsv01.auth.hk1.sml.citizen.co.jp (\HasNoChildren)

=== begin of mail.log ===

Aug 14 16:32:18 kdcsv01 cyrus/master[1552]: about to exec 
/usr/lib/cyrus/bin/imapd

Aug 14 16:32:18 kdcsv01 cyrus/imap[1552]: executed
Aug 14 16:32:18 kdcsv01 cyrus/imap[1552]: accepted connection
Aug 14 16:32:19 kdcsv01 cyrus/imap[1552]: login: John.sml.citizen.co.jp 
[10.144.1.192] nicky.mok GSSAPI User logged in


=== end of mail.log ===

=== begin of imapd.conf ===

sasl_mech_list: gssapi pam


pam is not valid here, but it's not causing any breakage.


virtdomains: yes
defaultdomain: auth.hk1.sml.citizen.co.jp


Your mailbox is nicky@kdcsv01.auth.hk1.sml.citizen.co.jp and your default 
domain is
auth.hk1.sml.citizen.co.jp.

What format is your kerberos principal (does it include kdcsv01?).

--
Dan White




Re: How to test timsieved

2009-08-14 Thread Dan White

On 14/08/09 09:59 +0200, Paul van der Vlis wrote:

Dan White schreef:
I used the -d option in /etc/default/saslauthd and restarted saslauthd.

In another terminal I tried sivtest, where the authentication was wrong.

But, in the debug I see that the authentication was OK for saslauthd.

-
p...@sigmund:/root$ sivtest -v localhost
S: IMPLEMENTATION Cyrus timsieved v2.1.18-IPv6-Debian-2.1.18-5.1
S: SASL PLAIN
S: SIEVE fileinto reject envelope vacation imapflags notify
subaddress relational regex
S: STARTTLS
S: OK
Please enter your password:
C: AUTHENTICATE PLAIN {20+}
AHBhdWwAZXJ1NGJjZw==
S: NO Authentication Error
Authentication failed. generic failure
Security strength factor: 0
-

--
sigmund:/etc/pam.d# /etc/init.d/saslauthd restart
Restarting SASL Authentication Daemon: saslauthdsaslauthd[29778] :main
 : num_procs  : 5
saslauthd[29778] :main: mech_option: NULL
saslauthd[29778] :main: run_path   : /var/run/saslauthd
saslauthd[29778] :main: auth_mech  : pam
saslauthd[29778] :cache_alloc_mm  : mmaped shared memory segment on
file: /var/run/saslauthd/cache.mmap
saslauthd[29778] :cache_init  : bucket size: 92 bytes
saslauthd[29778] :cache_init  : stats size : 36 bytes
saslauthd[29778] :cache_init  : timeout: 28800 seconds
saslauthd[29778] :cache_init  : cache table: 944764 total bytes
saslauthd[29778] :cache_init  : cache table: 1711 slots
saslauthd[29778] :cache_init  : cache table: 10266 buckets
saslauthd[29778] :cache_init_lock : flock file opened at
/var/run/saslauthd/cache.flock
saslauthd[29778] :ipc_init: using accept lock file:
/var/run/saslauthd/mux.accept
saslauthd[29778] :detach_tty  : master pid is: 0
saslauthd[29778] :ipc_init: listening on socket:
/var/run/saslauthd/mux
saslauthd[29778] :main: using process model
saslauthd[29779] :get_accept_lock : acquired accept lock
saslauthd[29778] :have_baby   : forked child: 29779
saslauthd[29778] :have_baby   : forked child: 29780
saslauthd[29778] :have_baby   : forked child: 29781
saslauthd[29778] :have_baby   : forked child: 29782
saslauthd[29779] :rel_accept_lock : released accept lock
saslauthd[29780] :get_accept_lock : acquired accept lock
saslauthd[29779] :cache_get_rlock : attempting a read lock on slot: 1682
saslauthd[29779] :cache_lookup: [login=paul] [service=]
[realm=sieve]: not found, update pending
saslauthd[29779] :cache_un_lock   : attempting to release lock on slot: 1682
saslauthd[29779] :cache_get_wlock : attempting a write lock on slot: 1682
saslauthd[29779] :cache_commit: lookup committed
saslauthd[29779] :cache_un_lock   : attempting to release lock on slot: 1682
saslauthd[29779] :do_auth : auth success: [user=paul]
[service=sieve] [realm=] [mech=pam]
saslauthd[29779] :do_request  : response: OK
--


I just did some quick testing on my system and cannot authenticate to
timsieved as a user whose mailbox does not exist.

I have a mailbox for dwh...@olp.net, but not dwhite. Here's the results of
a few tests:

Works:
imtest -a dwhite -m PLAIN localhost
imtest -a dwh...@olp.net -m PLAIN localhost
sivtest -a dwh...@olp.net -m PLAIN localhost

Doesn't work:
sivtest -a dwhite -m PLAIN localhost

Based on that, I'm assuming that a mailbox for paul needs to exist to
authenticate. Is that the case?

--
Dan White




Re: How to test timsieved

2009-08-13 Thread Dan White

On 13/08/09 12:01 +0200, Paul van der Vlis wrote:

Duncan Gibb schreef:

Paul van der Vlis wrote:


C: AUTHENTICATE PLAIN {16+}
AHBhdWwAZXJ1NGJj


I hope you changed your password after you posted that ;-)


Let me echo that statement, since it looks like you're logging in as root!
Your password is now publicly known.


Aug 13 11:27:40 sigmund cyrus/timsieved[16455]: badlogin:
localhost[127.0.0.1] PLAIN authentication failure

Aug 13 11:27:40 sigmund saslauthd[12960]: do_auth : auth
failure: [user=root] [service=sieve] [realm=] [mech=pam] [reason=PAM
auth error]



Try:

testsaslauthd -u username -p password
testsaslauthd -u username -p password -s sieve
testsaslauthd -u username -p password -s imap

Do you get different answers?

If not, can you include the output of 'grep sasl /etc/imapd.conf'?
(assuming there is no sensitive information), and the contents of your
/etc/default/saslauthd?


What is your authentication backend?


saslauthd - pam - unix

In the pam modules for both imap and sieve I have:
@include common-auth
@include common-account


--
Dan White




Re: How to test timsieved

2009-08-13 Thread Dan White

On 13/08/09 16:56 +0200, Paul van der Vlis wrote:

Aug 13 11:27:40 sigmund saslauthd[12960]: do_auth : auth
failure: [user=root] [service=sieve] [realm=] [mech=pam] [reason=PAM
auth error]



testsaslauthd -u username -p password
testsaslauthd -u username -p password -s sieve
testsaslauthd -u username -p password -s imap

Do you get different answers?


No, they all give '0: OK Success.' when I do it as root or as user cyrus.

But when I execute testsaslauthd as another user, it fails with a
'connect() : Permission denied'.
But this is also the case on the other machine, which works correctly.


It looks like you're configured to allow members of the sasl group to
access the saslauthd mux, so that error is to be expected.


sasl_mech_list: PLAIN
sasl_minimum_layer: 0
#sasl_maximum_layer: 256
sasl_pwcheck_method: saslauthd
#sasl_auxprop_plugin: sasldb
sasl_auto_transition: no

/etc/default/saslauthd:
START=yes
MECHANISMS=pam
MECH_OPTIONS=
THREADS=5
OPTIONS=-c

Maybe this is important:
sigmund:~# ls -ld /var/run/saslauthd
lrwxrwxrwx 1 root root 37 2009-07-22 14:01 /var/run/saslauthd ->
/var/spool/postfix/var/run/saslauthd/
sigmund:~# ls -ld /var/spool/postfix/var/run/saslauthd/
drwx--x--- 2 root sasl 200 2009-07-22 14:02
/var/spool/postfix/var/run/saslauthd/
sigmund:~# ls -l /var/spool/postfix/var/run/saslauthd/
total 929
-rw--- 1 root root  0 2009-07-22 14:02 cache.flock
-rw--- 1 root root 945152 2009-07-22 14:02 cache.mmap
srwxrwxrwx 1 root root  0 2009-07-22 14:02 mux
-rw--- 1 root root  0 2009-07-22 14:02 mux.accept
-rw--- 1 root root  6 2009-07-22 14:02 saslauthd.pid


Looks fine.

I wonder if timsieved is calling saslauthd with different options,
like with a realm.

I'd be curious what you're seeing when saslauthd is in debug mode.

--
Dan White




Re: authid translation using SASL sql auxprop

2009-08-05 Thread Dan White
Michael Ulitskiy wrote:
 Hello,

 Is there a way in cyrus/sasl to transparently change a user's authid according to
 the result of some sql query?
 I.e. I want that, if a user successfully authenticates as user 'john', his authid
 is transparently changed to user 'jack', so that he sees user.jack as his INBOX.
 After an initial reading of the documentation I thought I could do something like
 the following:

 sasl_sql_select: SELECT password as userPassword, mailbox as authid FROM 
 emails WHERE username='%u' and domain='%r'

 I can do all kind of username/domain translation within sql domain 
 (views/stored procedures/etc) so there's no problem to
 authenticate someone as someone else there, but how can I change the authid? 
 Can it be done with Cyrus/SASL?
 Thanks,
   

Michael,

Cyrus SASL provides a canonicalization plugin hook to provide that 
service. The result of the canonicalization action determines what user 
id gets passed up to the calling application.

Currently, there is only an LDAP canon_plugin, and it's only available 
in CVS.

See 'doc/plugprog.html' in the source tree, and:

https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/~checkout~/src/sasl/doc/options.html?rev=1.33;content-type=text/html

for ldapdb documentation.

- Dan

 




Re: Architectural mistake in cyrus ?

2009-07-31 Thread Dan White
Denis BUCHER wrote:

 5. WOAW !!! I think I was able to do what I want but it's 100% kludgy !

 How to do it :

 a) Define a FAKE domain as default domain ! I used aaa.ch
 b) Create your mail admin as cyrus (without domain !)
 c) Login into cyradm with cy...@aaa.ch (NOT with cyrus !)

 And it works... Not really elegant but it seems to be the only solution
 (???)

 What do you think ?

 Denis
   

I think that functionality agrees with my understanding of the 
documentation. Please note that changing virtual domain settings may 
break existing mailboxes...

For instance, creating a mailbox of 'u...@default.domain' before setting 
a default domain, then setting 'defaultdomain: default.domain' in your 
imapd.conf will probably break access to that mailbox.

You may want to consider rebuilding your mailstore if feasible, after 
finalizing your configuration.

- Dan



Re: 'PLAIN encryption needed to use mechanism' error

2009-07-29 Thread Dan White

Blake,

What sasl lines do you have in /etc/imapd.conf. Do you have any proxies 
installed?


pop3PRTC in your syslog looks suspicious...:

Usually, pop3 and imap will offer the same mechanisms based on this 
config item:


sasl_mech_list: x x x

if this line is commented out, then sasl should attempt to initialize 
all available mechs.


Be on the lookout for customization like this (which overrides the 
sasl_mech_list config item):


pop3_mech_list: x x x
imap_mech_list: x x x

- Dan

Blake Hudson wrote:
Thanks for the reply Scott. I can auth as you described using the 
User/Pass method (allowplaintext: is already set to 1 and I've also 
tried sasl_minimum_layer: 0 at the same time).


My concern is that over port 110 the server is only advertising CRAM-MD5 
and DIGEST-MD5. POP3s appears to be advertising PLAIN. Why isn't PLAIN 
advertised over both?


--Blake

 Original Message  
Subject: Re: 'PLAIN encryption needed to use mechanism' error
From: Scott M. Likens d...@yazzy.org
To: Blake Hudson bl...@ispn.net
Cc: info-cyrus@lists.andrew.cmu.edu
Date: Wednesday, July 29, 2009 1:30:46 AM
  

Hi Blake,

Actually pop3 by default should be using plain, like

d...@desolation telnet localhost pop3

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK desolation Cyrus POP3 v2.3.14 server ready 
8505169291665378509.1248848...@desolation

user root
+OK Name is a valid mailbox
pass toor
+OK Mailbox locked and ready

However, if you man imapd.conf you will notice there is such an option 
as,


allowplaintext: 0

You may need to change that to 1, in order for plaintext ala pop3 to 
work.


Scott

On Jul 28, 2009, at 10:44 PM, Blake Hudson wrote:



 Original Message  
Subject: 'PLAIN encryption needed to use mechanism' error
From: Blake Hudson bl...@ispn.net
To: info-cyrus@lists.andrew.cmu.edu
Date: Wednesday, July 29, 2009 12:13:52 AM
  

I recently setup a new server and everything tested well. However, once
in production I am seeing errors like the following:

pop3PRTC[20896]: badlogin: [204.x.x.x] PLAIN encryption needed to use
mechanism


I wasn't aware that POP utilized other mechanisms? I can login just 
fine
with telnet and tbird, and cannot replicate this error myself. Any 
ideas?


--Blake



Looks like the POP side is not advertising LOGIN/PLAIN auth types while
the imap side is. Is this the intended behavior?

In my imapd.conf I have the following mech list defined:
sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

-- POP3--
+OK twinP Cyrus POP3 v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready
173180331313918
17429.1248845...@twinp
auth
+OK List of supported mechanisms follows
DIGEST-MD5
CRAM-MD5
..

--IMAP--

* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=DIGEST-MD5
AUTH=LOGIN
AUTH=PLAIN AUTH=CRAM-MD5 SASL-IR] twinP Cyrus IMAP4
v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready



I suppose this is likely a bad client that is not refreshing its mech
list after the server switch, but I'd still like to know how to resolve
the issue server side (if possible).

-Blake





  




Re: 'PLAIN encryption needed to use mechanism' error

2009-07-29 Thread Dan White
Blake Hudson wrote:
  Original Message  
 Subject: Re: 'PLAIN encryption needed to use mechanism' error
 From: Dan White dwh...@olp.net mailto:dwh...@olp.net
 To: Blake Hudson bl...@ispn.net mailto:bl...@ispn.net
 Cc: info-cyrus@lists.andrew.cmu.edu 
 mailto:info-cyrus@lists.andrew.cmu.edu
 Date: Wednesday, July 29, 2009 2:49:51 AM



 I see your cyrus server is outputting the full mech list via 110... 
 wonder why mine isn't?

 YOURS-
 +OK 1114961040.1248853...@neo neo Cyrus POP3 Murder 
 v2.3.12-Debian-2.3.12-1-5
 server ready
 auth
 +OK List of supported mechanisms follows
 CRAM-MD5
 PLAIN
 GSSAPI
 OTP
 DIGEST-MD5
 LOGIN

All of these are explicitly set in my sasl_mech_list.

GSSAPI and OTP require SASL library configuration. The others, including 
PLAIN/LOGIN should not.
 .
 MINE-
 +OK twinP Cyrus POP3 v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready 
 163906105530322
 97444.1248854...@twinp
 auth
 +OK List of supported mechanisms follows
 DIGEST-MD5
 CRAM-MD5
 .

Do you have either of the following specified?
sasl_minimum_layer: X
sasl_maximum_layer: X

Have you specified a '-p xxx' within cyrus.conf for imap but not pop3?

Are you using TLS/SSL when connecting via IMAP but not POP3? Sounds like 
you're telnetting, so that's probably not the case.

Setting sasl_log_level: 7 in imapd.conf might provide more information 
in your syslog.

 
 Looks like the POP side is not advertising LOGIN/PLAIN auth types while
 the imap side is. Is this the intended behavior?

 In my imapd.conf I have the following mech list defined:
 sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

 -- POP3--
 +OK twinP Cyrus POP3 v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready
 173180331313918
 17429.1248845...@twinp
 auth
 +OK List of supported mechanisms follows
 DIGEST-MD5
 CRAM-MD5
 ..
 
 --IMAP--

 * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=DIGEST-MD5
 AUTH=LOGIN
 AUTH=PLAIN AUTH=CRAM-MD5 SASL-IR] twinP Cyrus IMAP4
 v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready

 

 I suppose this is likely a bad client that is not refreshing its mech
 list after the server switch, but I'd still like to know how to resolve
 the issue server side (if possible).

 -Blake



Re: 'PLAIN encryption needed to use mechanism' error

2009-07-29 Thread Dan White
Blake Hudson wrote:
  Original Message  
 Subject: Re: 'PLAIN encryption needed to use mechanism' error
 From: Dan White dwh...@olp.net
 To: Blake Hudson bl...@ispn.net
 Cc: info-cyrus@lists.andrew.cmu.edu
 Date: Wednesday, July 29, 2009 3:20:08 AM
   
  NO SSL 
 [r...@twinp src]# pop3test -m PLAIN -a xxx mail.xxx.com
 S: +OK twinP Cyrus POP3 v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready 
 12408582082392233762.1248855...@twinp
 C: CAPA
 S: +OK List of capabilities follows
 S: SASL DIGEST-MD5 CRAM-MD5
 S: STLS
 S: EXPIRE NEVER
 S: LOGIN-DELAY 0
 S: TOP
 S: UIDL
 S: PIPELINING
 S: RESP-CODES
 S: AUTH-RESP-CODE
 S: USER
 S: IMPLEMENTATION Cyrus POP3 server v2.3.7-Invoca-RPM-2.3.7-2.el5
 S: .
 Please enter your password:
 C: AUTH PLAIN xxxuc3Rlc3QAdGVzdDEyMw==
 S: -ERR [AUTH] authenticating: encryption needed to use mechanism
 Authentication failed. generic failure
 Security strength factor: 0
 quit
 +OK
 Connection closed.
  SSL 
 [r...@twinp src]# pop3test -s -m PLAIN -a xxx mail.xxx.com
 verify error:num=18:self signed certificate
 TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
 S: +OK twinP Cyrus POP3 v2.3.7-Invoca-RPM-2.3.7-2.el5 server ready 
 832124781731685216.1248855...@twinp
 C: CAPA
 S: +OK List of capabilities follows
 S: SASL DIGEST-MD5 LOGIN PLAIN CRAM-MD5
 S: EXPIRE NEVER
 S: LOGIN-DELAY 0
 S: TOP
 S: UIDL
 S: PIPELINING
 S: RESP-CODES
 S: AUTH-RESP-CODE
 S: USER
 S: IMPLEMENTATION Cyrus POP3 server v2.3.7-Invoca-RPM-2.3.7-2.el5
 S: .
 Please enter your password:
 C: AUTH PLAIN xxxuc3Rlc3QAdGVzdDEyMw==
 S: +OK Mailbox locked and ready
 Authenticated.
 Security strength factor: 256
 quit
 +OK
 Connection closed.
 -


 It sure seems like pop is picking up on different sasl security settings 
 (such as the sasl_minimum_layer or the noplaintextwithouttls option). 
 However, IMAP seems to obey these just fine as configured with the same 
 config file.

   


Agreed. A possible workaround until you figure out the issue would be 
to add '-p 256' within cyrus.conf, for your pop3 entry (see man pop3d).

That would emulate a sasl security layer of 256 bits, and would be 
treated as if you had connected via SSL when you hadn't.

- Dan



Re: 'PLAIN encryption needed to use mechanism' error

2009-07-29 Thread Dan White
Blake Hudson wrote:
 Agreed. A possible workaround until you figure out the issue would be 
 to add '-p 256' within cyrus.conf, for your pop3 entry (see man pop3d).

 That would emulate a sasl security layer of 256 bits, and would be 
 treated as if you had connected via SSL when you hadn't.

 - Dan
 

 That does indeed resolve the issue, so do you think this is a Cyrus SASL 
 problem or a Cyrus IMAP (POP) problem?

 Also, do you have the same -p option specified? I'm wondering if others 
 are experiencing the same problem - all of our servers are on the same 
 version of cyrus 2.3.7 (from RHEL) or older and seem to exhibit the same 
 behavior.

 --Blake
   

I do not have it specified on my primary cyrus store.

My relevant configuration:

neo:~# grep 'sasl\|plaintext' /etc/imapd.conf | grep -v '^#'
allowplaintext: yes
sasl_mech_list: LOGIN PLAIN CRAM-MD5 DIGEST-MD5 GSSAPI OTP EXTERNAL
sasl_pwcheck_method: auxprop saslauthd
sasl_keytab: /etc/krb5.keytab-mailstore
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldap://hiro.olp.net ldap://ando.olp.net
sasl_ldapdb_mech: GSSAPI
sasl_ldapdb_canon_attr: uid
pop3_sasl_canon_user_plugin: ldapdb
sasl_log_level: 7
sasl_auto_transition: no

neo:~# cat /etc/cyrus.conf | grep -v '#' | grep 'pop\|imap'
imap      cmd="imapd -U 30 -D" listen="imap" prefork=0 maxchild=200
imapunix  cmd="imapd -U 30" listen="/var/run/cyrus/socket/imap" prefork=0 maxchild=100
imaps     cmd="imapd -s -U 30" listen="imaps" prefork=0 maxchild=200
pop3      cmd="pop3d -U 30" listen="pop3" prefork=0 maxchild=200
pop3unix  cmd="pop3d -U 30" listen="/var/run/cyrus/socket/pop3" prefork=0 maxchild=100
pop3s     cmd="pop3d -s -U 30" listen="pop3s" prefork=0 maxchild=100

I'm running version 2.3.12.

However, on an older server, I *do* have the -p option specified for my 
imap sessions, probably because I ran into a similar situation as you, 
but I was too lazy to dig into the real issue. That server is running 
2.3.10, and has this configuration (I don't use pop3 on this server):

gandalf:~# grep 'sasl\|plaintext' /etc/imapd.conf | grep -v '^#'
allowplaintext: yes
sasl_mech_list: PLAIN GSSAPI
sasl_pwcheck_method: saslauthd
sasl_keytab: /etc/krb5.keytab-mailstore
sasl_auto_transition: no


gandalf:~# cat /etc/cyrus.conf | grep -v '#' | grep 'pop\|imap'
imap      cmd="imapd -U 30 -p 256 -D" listen="imap" prefork=0 maxchild=100 provide_uuid=2
imapunix  cmd="imapd -U 30 -p 256 -D" listen="/var/run/cyrus/socket/imap" prefork=0 maxchild=100 provide_uuid=2
imaps     cmd="imapd -s -U 30" listen="imaps" prefork=0 maxchild=100 provide_uuid=2
pop3      cmd="pop3d -U 30" listen="pop3" prefork=0 maxchild=50 provide_uuid=2
pop3s     cmd="pop3d -s -U 30" listen="pop3s" prefork=0 maxchild=50 provide_uuid=2


- Dan



Re: Architectural mistake in cyrus ?

2009-07-16 Thread Dan White
Denis BUCHER wrote:
 Hello Andrew,

 Andrew Morgan wrote:
   
 I already asked this question as a help request here some time ago, but
 no one was able to solve this bug in cyrus, and I think this issue
 should be addressed :

 1] Problem :
 How to set quota for a user being in another domain than the main
 domain ??

 2] More precisely :
 How to access other (virtual) domains in cyradm :

   
   su - cyrus
   cyradm --user cyrus localhost
   lm
 
 Here I see all mailboxes from our main domain, for example :

   
 user.dbucherml.ML (\HasChildren)
 user.dbucherml.ML.Fournisseurs (\HasChildren)
 user.dbucherml.ML.Fournisseurs.Acer (\HasNoChildren)
 user.dbucherml.ML.Fournisseurs.Microsoft (\HasChildren)
 user.dbucherml.ML.Fournisseurs.Microsoft.MSPRP (\HasNoChildren)
 
 But as you can see I don't have any @hsolutions.ch or @anything.else

 3] Global admin :
 Some people said my cyrus user is maybe not a global admin, but no one
 was able to help me make it global.
 I mean, some people and some web page gave me some techniques to make it
 global, but none worked.
   
 What are your current settings in imapd.conf for:

 servername:
 admins:
 defaultdomain:
 sasl_pwcheck_method:
 virtdomains:
 

 servername: hostname.MY MAIN DOMAIN (replaced with real values)
 admins: cyrus cyrus@MY MAIN DOMAIN
 sasl_pwcheck_method: saslauthd
 sasl_mech_list: PLAIN
 virtdomains: on
 hashimapspool: true

 = I don't have any defaultdomain: but I already tried with main domain,
 or with alternative domain, it never solved the problem...

 = authentication is based on LDAP

   

See:

http://cyrusimap.web.cmu.edu/imapd/install-virtdomains.html

In particular, the 'Administration' section.

- Dan



Re: Can't log into IMAP but pop3 works

2009-07-11 Thread Dan White
J. Pilfold-Bagwell wrote:
 Hi All,

 I have a problem where I can log into cyrus using POP3 but can't with 
 imap. Telnet sessions return the following:

 sysad...@smbserver:~$ telnet localhost 110
 Trying 127.0.0.1...
 Connected to localhost.localdomain.
 Escape character is '^]'.
 +OK smbserver Cyrus POP3 v2.2.13-Debian-2.2.13-13ubuntu3 server ready 
 545339973.1247349...@smbserver
 quit
 +OK
 Connection closed by foreign host.


 sysad...@smbserver:~$ telnet localhost 143
 Trying 127.0.0.1...
 Connected to localhost.localdomain.
 Escape character is '^]'.

   

Are there any hints in your syslog that something is going awry?

- Dan



Re: Cyrus Imap final setup problems

2009-07-10 Thread Dan White
Nybbles2Byte wrote:
 Hello Dan,

 I just wanted to clarify one thing so no one gets the wrong idea. When I 
 rebuilt the data there was still one problem and that was the 
 badlogin I 
 was getting. I tracked it down just now to fetchmail polling Cyrus. This 
 must have been a leftover from the guy before because I have never 
 touched fetchmail and don't know anything about it except what I read
 in the last 30mins. 

 From what I can see it is meant to strengthen the communication between 
 two other parts of a mail system. However, my Postfix and Cyrus are on 
 the same computer so as I see it Fetchmail could do little more than 
 be an 
 overhead. Would you happen to know if that is a fair assessment because
 I really am very new to all this and I noticed that Fetchmail is not 
 mentioned in either the Postfix or the Cyrus documentation or books I 
 have gathered.

 Thanks,
 -Reg

Reg,

Fetchmail's documentation is located here:

http://fetchmail.berlios.de/

When I did use fetchmail, it was to download a copy of my email from 
another provider's POP3 mailserver down into my own personal IMAP server 
(via local SMTP). I'm not sure why one would configure fetchmail to 
connect to an IMAP server running on local host.

- Dan



Re: Cyrus Imap final setup problems

2009-07-08 Thread Dan White
Nybbles2Byte wrote:
 However, it stopped receiving messages after two tests and looking at 
 the logs it said it was at its quota limit so I went back to cyradm 
 to set the quota (I didn't bother the first time so it was at zero) 
 and I got a quota permission denied error. This was from the same 
 admin I created the user with and it showed that the admin had all 
 rights.

 I then used the admin to create another user and immediately tried to 
 set the quota of that new user and got the same permission denied 
 error. I could however remove the user that I could not set the quota for. 


Below, you've specified 'altnamespace: 1'. When connecting via an admin 
user, altnamespace is ignored, which may complicate what you're 
expecting to see.

Also, you've specified 'autocreatequota: 5', which limits the user to 
5KBs of space.

What do your cyradm createmailbox and setquota commands look like?

You have 'virtdomains: on'. Personally, I prefer configuring 
'virtdomains: userid'. 'doc/install-virtdomains.html' within the source 
documents the difference. It might matter when connecting as an admin 
user (without specifying a domain name).

 That is my first problem but I have two other as follow:

 Sieve is not working when I try to telnet to it and I get this error:

 neutrino:~ # telnet mydomain.com sieve
 Trying nnn.nn.nn.nn...
 telnet: connect to address nnn.nn.nn.nn: Connection refused


Your sieve entry in cyrus.conf looks correct. Verify that the service is 
running with 'fuser 2000/tcp' or 'netstat -an | grep LISTEN | grep 
2000'. If not, there should be something in syslog about why it couldn't 
start. Locate where your cyrus binaries are installed (/usr/sbin ?) and 
verify there's a timsieved binary located there.

Also, stop cyrus, and make sure something else isn't already listening 
on port 2000, like inetd or xinetd.

If it is starting, but crashing somewhere, you can use the debug_command 
(in imapd.conf) to troubleshoot. See:

https://langhorst.com/cgi-bin/dwww//usr/share/doc/cyrus21-common/README.Debian.debug.gz

for some usage scenarios.
 The last thing is I am getting a badlogin error in my cyrus log as 
 you can see below:

 Jul  8 08:12:00 neutrino SeoWS/imap[20686]: badlogin: localhost 
 [127.0.0.1] CRAM-MD5 [SASL(-13): user not found: no secret in database]
 Jul  8 08:12:00 neutrino SeoWS/imap[20694]: sql auxprop plugin using 
 mysql engine
 Jul  8 08:12:03 neutrino SeoWS/imap[20686]: sql plugin Parse the 
 username reg


I don't know what that could be.

- Dan

 # UNIX sockets start with a slash and are put into /var/lib/imap/socket
 SERVICES {
   # DEFAULT DOMAIN
   imap          cmd="imapd" listen="imap" prefork=0
 # imaps         cmd="imapd -s" listen="imaps" prefork=0
 # pop3          cmd="pop3d" listen="pop3" prefork=0
 # pop3s         cmd="pop3d -s" listen="pop3s" prefork=0
   sieve         cmd="timsieved" listen="sieve" prefork=0
   lmtpunix      cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=0
   notify        cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" prefork=0
 }

 IMAPD.CONF
 altnamespace: 1
 autocreatequota: 5
 unixhierarchysep: 1
 virtdomains: on





Re: Please change the DNS lookup = defaultdomain process, and use defaultdomain as the default domain.

2009-07-01 Thread Dan White
j...@endries.org wrote:
 Argh, vent time. I don't know if this is fixed in later versions, I  
 really really hope so, but this machine has 2.2 on it. This problem is  
 a huge PITA. I've run into it before and stumbled across a random  
 (trial-and-error) workaround each time, though I don't remember what  
 they were...I don't change these things very often. The problem, which  
 I believe is a ridiculous bug, has to do with the combination of DNS  
 lookups, defaultdomain and virtdomains. I don't really know if  
 virtdomains is involved, but since I run with them enabled I'll  
 mention it.

   

See:

doc/install-virtdomains.html

within the source tarball for documentation on this (the man page is a 
little lacking).

Setting virtdomains to 'userid', and removing the default domain, may do 
what you want.

- Dan



Re: sasl_pwcheck_method

2009-06-08 Thread Dan White
li...@oliver-block.eu wrote:

 Hello everybody,

 I configured cyrus imapd on an Opensuse 11 machine following the 
 recommendation in a README file. Now I discovered the following - for 
 me odd - behavior, which might depend on a misconfiguration.

 /etc/imap.conf:
 sasl_pwcheck_method: saslauthd

 /etc/sysconfig/saslauthd:
 SASLAUTHD_AUTHMECH=pam

 If a user logs into cyrus (I used mtest from uw-imap because of its 
 debug messages) it takes 4 trials (3 with CRAM-MD5 and a final one with 
 a plain password) before the login succeeds.

 By chance I've found a tutorial which recommends adding a user to 
 sasldb2. I tried that and without any additional changes to the 
 configuration the first login attempt succeeds.

 I wonder if someone could tell me
 1. Why did it take 4 attempts using the system credentials
 2. Why did it succeed with one attempt after a user with the same 
 username and different password was added to sasldb2
 3. Why did the sasldb2 approach succeed at all without any 
 configuration changes.



When authenticating via CRAM-MD5, the pwcheck_method will be ignored. 
Your chosen pwcheck_method should only be referenced when authenticating 
via a 'plaintext' authentication mechanism - LOGIN or PLAIN. The fact 
that mtest attempted to authenticate via CRAM-MD5 probably means that 
you are advertising CRAM-MD5 support within imapd.conf.

When authenticating via a mechanism which utilizes a shared secret, such 
as CRAM-MD5, your auxprop configuration will be used 
(sasl_auxprop_plugin). The default auxprop plugin is sasldb. If you are 
advertising CRAM-MD5 support in /etc/imapd.conf, but do not have the 
user configured in an auxprop store, then CRAM-MD5 should always fail.

  1. Why did it take 4 attempts using the system credentials

mtest is probably falling back to PLAIN after 3 unsuccessful CRAM-MD5 
login attempts.

  2. Why did it succeed with one attempt after a user with the same 
username and different password was added to sasldb2
  3. Why did the sasldb2 approach succeed at all without any 
configuration changes.

Because adding the user to your (default) auxprop store allowed CRAM-MD5 
to succeed.

If you are planning to support CRAM-MD5, you'll want to use:

sasl_pwcheck_method: auxprop

which will provide some consistency between PLAIN logins and CRAM-MD5 
logins. It will not allow you to use PAM and you'll need to configure 
your users in /etc/sasldb2.

If you don't care about supporting CRAM-MD5, then remove it from your 
'sasl_mech_list', and you can stick with saslauthd and PAM.

- Dan



Re: Api for seen state, perl preferred

2009-05-20 Thread Dan White

LALOT Dominique wrote:

Hello,

I'm following a previous thread. I would like to be able to open a 
seen skiplist database in order to verify if a particular user has read 
its mail. If possible, a way to do that in PERL would be perfect.


Thanks in advance

Dom



Connecting via IMAP would be more portable. See 'imtestExample.pl' 
within Mail::IMAPClient for something to start with.


With that script, you would do, e.g.:

./imtestExample.pl -m DIGEST-MD5 -a cyrus -u dwh...@olp.net -w mysecret

where 'cyrus' is an admin, and 'dwh...@olp.net' is the user whose 
mailbox you want to examine. You'll need to add logic to the script to 
view seen state.


- Dan


Re: mupdate - GSSAPI authentication

2009-05-12 Thread Dan White
David Mayo wrote:
 Hi guys,

 This morning we created a principal mupd...@bath.ac.uk and added that 
 to the key tab on sauber for the IMAP server, and it authenticated fine.

 It would appear there is a bug somewhere meaning that 
 primary/insta...@realm style principals cannot be used as clients to 
 mupdate.

   

/etc/krb.equiv should let you canonicalize primary/insta...@realm to 
something easier for cyrus to digest. See Kerberos vs. Unix 
Authorization in doc/overview.html (in the release tarball).

- Dan



Re: reading seen state as cyrus privileged user

2009-05-11 Thread Dan White

LALOT Dominique wrote:

Hello,

I would like to run scripts for deleting unread old mails. But using 
the imap API, I can only read the correct seen status if I log in as the 
user. Checking as cyrus tells me that nothing has been read.


Is there an su option for imap?

How can I do that?


You can authenticate as an admin, and authz as the user you wish to see 
seen state for.


E.g.:

imtest -m DIGEST-MD5 -a cyrus -u dwh...@olp.net localhost

Depending on your environment, the '/vendor/cmu/cyrus/imapd/sharedseen' 
annotation may be useful. See the 'cyradm' man page for details.




Re: reading seen state as cyrus privileged user

2009-05-11 Thread Dan White
Reinaldo de Carvalho wrote:
 On Mon, May 11, 2009 at 11:37 AM, Dan White dwh...@olp.net wrote:
   
 Depending on your environment, the '/vendor/cmu/cyrus/imapd/sharedseen'
 annotation may be useful. See the 'cyradm' man page for details.

 

 Where can I find (not in the code) all supported annotations by cyrus?
   

The doc/changes.html file is the only place I know of, but I don't think 
it's comprehensive.

perl/imap/IMAP/Shell.pm implies that the following are supported:

[\&_sc_mboxcfg, 'mailbox 
[comment|condstore|expire|news2mail|sharedseen|sieve|squat] value',

- Dan



Re:

2009-04-24 Thread Dan White
Kővári János wrote:
 Kővári János wrote:
 Postfix uses saslauthd, which is configured for PAM. It works 
 perfectly, with plain/login/cram/digest mechanisms, with or without 
 tls/ssl, absolutely no problems with it. Saslauth tests are all fine 
 obviously.
 So I decided to use this with cyrus imap too. Set it to use the same 
 saslauth daemon, and plain, login, cram-md5 and digest-md5 mechs.
 Since then, I cannot login with plain or login mechs, because they 
 aren't being offered at all by cyrus imapd. I can login with cram or 
 digest fine.
 I understand that plain login isn't offered by default, only after a 
 successful tls session setup, but if I understand correctly, the 
 allowplaintext: yes option should still force imapd to offer plain 
 logins. But it doesn't. I tried it with different sasl_min|max_levels, 
 to no avail.
 Please include the following information, so we can get a better idea of 
 your setup:

 Postfix and Cyrus IMAP version
 Postfix SASL config:
   grep sasl main.cf
   cat /etc/postfix/sasl/smtpd.conf (or wherever smtpd.conf it located on 
 your system)


 
 Hello Dan,

 Postfix version: 2.5.4
 Cyrus IMAP version: 2.2.13

 smtpd_sasl_auth_enable = yes

 cat /etc/postfix/sasl/smtpd.conf
 saslauthd_version: 2
 pwcheck_method: saslauthd
 mech_list: plain login cram-md5 digest-md5

 cat /etc/imapd.conf
 allowplaintext: yes
 saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux
 sasl_pwcheck_method: saslauthd
 sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
 sasl_auto_transition: no

 cat /etc/default/saslauthd
 START=yes
 PWDIR=/var/spool/postfix/var/run/saslauthd
 PARAMS=-m ${PWDIR}
 PIDFILE=${PWDIR}/saslauthd.pid
 MECHANISMS=pam
 MECH_OPTIONS=
 THREADS=5
 OPTIONS=-c -m /var/spool/postfix/var/run/saslauthd
 #(I think the options line is wrong, the -m part is unneeded, but it 
 was like that, and it works...)


The way that you have postfix configured, it will use saslauthd (only) 
for plain and login. It (via SASL) will use your auxprop store to 
authenticate the cram-md5 and digest-md5 mechanisms. I'm assuming that 
you have configured your users in /etc/sasldb2, since you are 
authenticating to imapd via digest-md5.

'allowplaintext: yes' should be all you need to support plain/login on 
an in-the-clear connection. Since they are being offered after a TLS 
connection, it's almost as if there's a typo in your config for that command.

also:

saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux

is a typo in /etc/imapd.conf. It should be:

sasl_saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux

For trouble shooting, you might want to comment out 
'sasl_pwcheck_method: saslauthd', which will direct imapd to use all 
available pw_check methods (including auxprop) for plain/login.

- Dan

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Cyrus Imap plaintext authentication with saslauth PAM

2009-04-24 Thread Dan White
Dan White wrote:

 Also, since your Postfix works, try duplicating its config in 
 /etc/imapd.conf:


Is your postfix running chroot'd? If so, where is the sasldb2 file that 
it's using located? In /var/spool/postfix/etc ?

If so, try adding to /etc/imapd.conf:

sasl_sasldb_path: /var/spool/postfix/etc/sasldb2

- Dan

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: Cyrus Imap plaintext authentication with saslauth PAM

2009-04-24 Thread Dan White
Kővári János wrote:

 For trouble shooting, you might want to comment out 
 'sasl_pwcheck_method: saslauthd', which will direct imapd to use all 
 available pw_check methods (including auxprop) for plain/login.

 I did that too. When it's commented out, the plain and login methods 
 are still not being offered, but neither cram nor digest! And I can 
 not login at all. Doesn't accept any passwords.
 So I reverted it to saslauthd.

Try:

sasl_pwcheck_method: auxprop

and see if that works.

Also, since your Postfix works, try duplicating its config in 
/etc/imapd.conf:

sasl_saslauthd_version: 2
sasl_pwcheck_method: saslauthd
sasl_mech_list: plain login cram-md5 digest-md5

You'll also need:

sasl_saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux

and remove:

sasl_auto_transition: no

Make sure the cyrus user has permissions to access the mux:

sudo -u cyrus ls /var/spool/postfix/var/run/saslauthd/mux

- Dan

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Cyrus Imap plaintext authentication with saslauth PAM

2009-04-24 Thread Dan White
Kővári János wrote:
 Dan White írta:

 Is your postfix running chroot'd? If so, where is the sasldb2 file 
 that it's using located? In /var/spool/postfix/etc ?

 If so, try adding to /etc/imapd.conf:

 sasl_sasldb_path: /var/spool/postfix/etc/sasldb2

 - Dan

 Yes, it's chroot'd.
 I have sasldb2 both in chroot and /etc. Both are readable by cyrus. I 
 don't think it's the problem, I remember when I forgot to add users to 
 sasldb2 and tried to login, I got an error message in the logs, 
 saying: no secret in the database or something. So it does find the 
 database. (But I can be wrong, it was quite some time ago...) But 
 previously I was using sasldb2 without problems, so I assume it is set 
 up more or less correctly.

 And please keep in mind, that I *don't* want sasldb, this whole thing 
 with saslauthd is about avoiding sasldb2 and to use plaintext 
 authentication with PAM-only.


 Have a good weekend to everyone reading this! :)

 Janos

True,

I'm just trying to reproduce your Postfix environment in Cyrus imapd. I 
think you must be using sasldb when performing cram/digest 
authentication, not PAM (since saslauthd/PAM do not support them).

- Dan

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Cyrus Imap plaintext authentication with saslauth PAM

2009-04-23 Thread Dan White
Kővári János wrote:
 I have a postfix relay server and a (local) cyrus imap server on the 
 same machine. Everything was fine until I thought, I change the imap 
 authentication from sasldb to saslauth, to have global authentication 
 on postfix and cyrus.
 Postfix uses saslauthd, which is configured for PAM. It works 
 perfectly, with plain/login/cram/digest mechanisms, with or without 
 tls/ssl, absolutely no problems with it. Saslauth tests are all fine 
 obviously.
 So I decided to use this with cyrus imap too. Set it to use the same 
 saslauth daemon, and plain, login, cram-md5 and digest-md5 mechs.
 Since then, I can not login with plain or login mechs, because they 
 aren't being offered at all by cyrus imapd. I can login with cram or 
 digest fine.
 I understand that plain login isn't offered by default, only after a 
 successful tls session setup, but if I understand correctly, the 
 allowplaintext: yes option should still force imapd to offer plain 
 logins. But it doesn't. I tried it with different sasl_min|max_levels, 
 to no avail.
 This is the first thing I don't understand.
 The second is: after establishing a tls or ssl connection, plain and 
 login are offered, but I can not login with these mechs.
 (I'm using imtest to test it all.)
 However, with testsaslauth, I am able to authenticate fine.

 I'm quite new to cyrus and linux systems, but I read all kinds of 
 manuals and FAQs and documentation, and googled a lot, but I was unable 
 to find the culprit. So you are my last hope.
 If nothing else works, I leave it as is, with digest and cram it works 
 and it's more secure. Or I go back to sasldb, which is less 
 comfortable for me...

Please include the following information, so we can get a better idea of 
your setup:

Postfix and Cyrus IMAP version
Postfix SASL config:
  grep sasl main.cf
  cat /etc/postfix/sasl/smtpd.conf (or wherever smtpd.conf is located on 
your system)

Your cyrus imap.conf config

saslauthd does not support cram-md5 or digest-md5, so you may be (also) 
using the sasldb auxprop in Postfix.

- Dan

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: Update installation to new features: metadata partition, delayed delete

2009-03-13 Thread Dan White
Leena Heino wrote:
 Meta data partition:
 If I want to update our cyrus installation to use metadata partition, 
 then how is this done.

 Do I manually create the similar directory structure to the new metadata 
 partition as I have now in the conventional mixed data partition?

 Do I manually copy over the cyrus.* metadata files from the conventional 
 mixed data partition to metadata partition?

 After those are done, then just change the configuration 
 settings in the imapd.conf to use the new the meta data partition?

 Delayed delete:
 If I want to use this feature do I have to do more than just change the 
 delete_mode configuration setting to delayed and adjust cyr_expire event 
 in the cyrus.conf accordingly?


Leena,

With regards to the metadata partition, there is documentation located 
in the doc/install-upgrade.html file located in the source tarball release.

- Dan

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: Pop process hangs in the write()

2009-03-02 Thread Dan White
ram wrote:
 I have problem at a clients end exactly same as described in this

 http://marc.info/?l=info-cyrusm=108967188821511w=2

 A pop process blocks at write() for any mail at random. And they start
 getting pop lock issues 

 I have checked with the customer , there is no IDS on their network 
 Is there any other way I can debug this issue 


You could enable telemetry logging, which should help to rule out a 
problem with the client.

- Dan

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: Cyrus DB Errors DBERROR: error fetching user.username even after reconstructs

2009-02-11 Thread Dan White
Josh Whitver wrote:
 Thanks, but I've already gone in via cyradm and deleted the mailboxes
 and recreated them, and following the steps above, completely rebuilt  
 the mailboxes.db file last night - same problems.  Thank you Mario,  
 but I think my princess is in another castle! :)


Josh,

To get more details about what's going on underneath the hood, you can 
use the debug_command option (man imapd.conf) to obtain a back trace of 
the hanging imapd process.

For some configuration scenarios, see:

https://langhorst.com/cgi-bin/dwww//usr/share/doc/cyrus21-common/README.Debian.debug.gz

If you know the specific mailbox that is causing the problem, and you 
want to only debug specific IMAP connections, you could configure (in 
/etc/cyrus.conf):

imap    cmd="proxyd -U 30" listen="1.2.3.4:imap" prefork=0 maxchild=200
imaplh  cmd="imapd -U 30 -D" listen="127.0.0.1:imap" prefork=0 maxchild=200

where 1.2.3.4 is the address your users connect to. And then connect to 
the 127.0.0.1 imap port to debug that user's connection.

- Dan

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: Cyrus DB Errors DBERROR: error fetching user.username even after reconstructs

2009-02-11 Thread Dan White
Dan White wrote:

 imap    cmd="proxyd -U 30" listen="1.2.3.4:imap" prefork=0 maxchild=200
 imaplh  cmd="imapd -U 30 -D" listen="127.0.0.1:imap" prefork=0 maxchild=200


Typo. That's what I get for cutting and pasting from different systems. 
Both cmds should be imapd. I'm assuming you're not proxying.

- Dan

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: Lmtp w/ Postfix and LDAP: change mailbox name when saving mail.

2009-01-21 Thread Dan White


k bah wrote:
 cyrus-imapd-2.3.8
 cyrus-sasl-2.1.22
 postfix-2.4.5
 

   On my LDAP server, the uid field of each user (person) is: 
 username~domain.org.
   I correctly set up cyrus and saslauthd to authenticate with the username as 
 the LDAP field above. A simple Horde hook does the job to make u...@whatever 
 domain he/she typed into user~whatever domain
  When authenticating, if the mailbox does not exist it gets created 
 (autocreatequota is nonzero on imapd.conf). The mailbox is created following 
 that naming convention (username~domain..).

...
  Is it possible to (automatically) create mailboxes with that naming 
 convention? I want cyrus to save mail to username~domain.org instead of 
 username.

You can use the ldapdb user canonicalization patch for SASL (See CVS) 
for situations like this. It won't automatically create mailboxes, but 
it will direct cyrus IMAP to use an alternative name before referencing 
the mailbox.

For example:

sasl_ldapdb_uri: ldap://ldap.example.org
sasl_ldapdb_mech: GSSAPI
sasl_ldapdb_canon_attr: uid
#sasl_canon_user_plugin: ldapdb
#imap_sasl_canon_user_plugin: ldapdb
#pop3_sasl_canon_user_plugin: ldapdb
#nntp_sasl_canon_user_plugin: ldapdb
#sieve_sasl_canon_user_plugin: ldapdb
lmtp_sasl_canon_user_plugin: ldapdb

Where 'lmtp' matches the name you use within /etc/cyrus.conf. This would 
direct cyrus imap, after authenticating, to look up the 'uid' attribute 
within LDAP, and use it as the effective username (and mailbox name).

You would not need to change your authentication setup from saslauthd to 
ldapdb auxprop, since auxprop plugins and user canonicalization plugins 
can function independently.

See the '/doc/options.html' documentation for cyrus SASL for more 
options (in CVS).

- Dan

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: Lmtp w/ Postfix and LDAP: change mailbox name when saving mail.

2009-01-21 Thread Dan White
Dan White wrote:

 sasl_ldapdb_uri: ldap://ldap.example.org
 sasl_ldapdb_mech: GSSAPI
 sasl_ldapdb_canon_attr: uid
 #sasl_canon_user_plugin: ldapdb
 #imap_sasl_canon_user_plugin: ldapdb
 #pop3_sasl_canon_user_plugin: ldapdb
 #nntp_sasl_canon_user_plugin: ldapdb
 #sieve_sasl_canon_user_plugin: ldapdb
 lmtp_sasl_canon_user_plugin: ldapdb


On second thought, this probably won't do anything useful, since the 
user is not authenticating to LMTP.

A Postfix regex map (or LDAP map) may be able to convert the recipient 
before it gets handed off to LMTP.

- Dan

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: ldapdb auxprop configuration

2009-01-02 Thread Dan White
Lars Hanke wrote:
 hermod:/# saslpluginviewer -a
 Installed auxprop mechanisms are:
 ldapdb sasldb
 List of auxprop plugins follows
 Plugin ldapdb ,   API version: 4
supports store: yes

 Plugin sasldb ,   API version: 4
supports store: yes

 Didn't know this tool so far. Should it say something different?

No, that confirms that ldapdb is installed.
  Does your /var/log/auth.log or /var/log/syslog give you anything 
 useful?
 /var/log/syslog:
 Jan  2 22:31:15 hermod cyrus/master[3432]: about to exec 
 /usr/lib/cyrus/bin/imapd
 Jan  2 22:31:15 hermod cyrus/imap[3432]: executed
 Jan  2 22:31:15 hermod cyrus/imap[3432]: accepted connection
 Jan  2 22:31:17 hermod cyrus/master[3425]: process 3432 exited, 
 signaled to death by 11
 Jan  2 22:31:17 hermod cyrus/master[3425]: service imap pid 3432 in 
 BUSY state: terminated abnormally

'signaled to death by 11' is a big red flag... your imapd process is seg 
faulting. It's possibly caused by an old SASL/OpenLDAP reentrant bug 
(are you running an old version of libldap?).

You can specify a debug_command in your imapd.conf to generate a back 
trace. See:

https://langhorst.com/cgi-bin/dwww//usr/share/doc/cyrus21-common/README.Debian.debug.gz

- Dan




Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: Cyrus SASL Hack: Always pass authentication for one host

2008-12-18 Thread Dan White
ram wrote:
 I am trying to write a hack into pam and always pass authentication for
 a particular host 

 So I modified pam_mysql.c , but the issue is for cyrus I am always
 getting rhost as null 

 This is what I put in pam_mysql.c

 
 PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags,
                                    int argc, const char **argv)
 {
     const char *rhost = NULL;

     /* PAM_RHOST is only populated if the calling application set it */
     pam_get_item(pamh, PAM_RHOST, (PAM_GET_ITEM_CONST void **)&rhost);
     syslog(LOG_INFO, "RHOST = %s", rhost ? rhost : "(null)");
 

 I always get rhost as null. Is there a way I can get rhost set


ram,

If I understand your goal, a similar question was posted in June:

http://lists.andrew.cmu.edu/pipermail/info-cyrus/2008-June/029296.html

- Dan

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: Cyrus ACLs and groups from LDAP

2008-11-26 Thread Dan White
Christopher DeMarco wrote:
 I want to put a group: into an ACL, but I want to expand the group
 using LDAP rather than /etc/groups.

 A thread from this list circa 2006 seems to indicate that if PAM uses
 LDAP (or NIS for that matter), that Cyrus will use LDAP without even
 knowing it. 

 I'd actually prefer that Cyrus do this explicitly -- for clarity's
 sake and because I don't want to switch the mail server over to
 LDAP-via-PAM authentication just yet.  Is it possible, and if so, how?

 Thanks!

Christopher,

The option unix_group_enable controls how cyrus searches groups. If 
enabled, cyrus will search using the system getgrent call and, depending 
on your OS, can make use of various NSS modules to retrieve group 
information. It doesn't use ldap-pam, but can use nss-ldap, nss-ldapd, 
nss-mysql etc. (on at least Linux and Solaris). This wouldn't affect how 
you currently do authentication, only how group ACL authorization performs.

You should also be able to use the ldap ptloader module to perform 
authorization, but I have not tried that.

- Dan

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: basing user's mailbox name on different ldap attribute than authentication id

2008-11-11 Thread Dan White
Hal Deadman wrote:
 I am working with a custom java webmail application that accesses 
 Cyrus imap configured with sasl/pam_ldap for authentication. The 
 user's login names for the webmail client are based on the ldap cn 
 attribute but the mailboxes in Cyrus are based on the ldap 
 mailNickname attribute. The webmail client passes the mailNickname 
 attribute as the username when it authenticates to Cyrus.

 example:
 cn=john.smith
 mailNickname=ea9d92f15f608c44a7b4fdccf3f02bc5

 I am introducing SSO via  JA-SIG CAS and pam-cas. I would like to 
 authenticate to IMAP using the cn (since that's what pam-cas will get 
 when it validates the CAS service ticket) but I still want the 
 mailboxes to be based on the mailNickname attribute. 

 Is there a way to have the user's mailbox be based on a different ldap 
 attribute than their authentication id? 

Perdition can do that, and probably several other IMAP proxies. 
Perdition can proxy pop3 and imap connections but does not proxy sieve 
connections.

Another option is to use the SASL ldapdb user canonicalization plugin, 
which is more of a generic solution, and can be used with most/all cyrus 
services.

- Dan

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: Sieve Authentication

2008-10-14 Thread Dan White
Antonio,

The sieve protocol is defined in RFC 3028. 'sivtest' should be easier 
than telnet though.

However, as mentioned in the documentation, you'll probably want to use 
sieveshell to manipulate scripts.

- Dan

Antonio Talarico wrote:
 Thanks now i can authenticate with sieve,
 But i have another problem.
 How is the syntax to place a script on the server once authenticated by 
 telnet?
 Thanks for the help

 2008/10/10 Dan White [EMAIL PROTECTED]:
   
 Antonio Talarico wrote:
 
 Hi
 Which file contains the configuration for users who can authenticate.
 How can enable a user to log in and add script.
 Thank you


 Antonio,

 Authentication is handled by the Cyrus SASL library as configured in your
 imapd.conf (the lines beginning with sasl_). Documentation can be found in
 the man page for imapd.conf, /doc/install-auth.html located within the
 cyrus-imapd source, and the /doc/ subdirectory located within the cyrus-sasl
 source.

 - Dan




Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: Sieve Authentication

2008-10-10 Thread Dan White
Antonio Talarico wrote:
 Hi
 Which file contains the configuration for users who can authenticate.
 How can enable a user to log in and add script.
 Thank you


Antonio,

Authentication is handled by the Cyrus SASL library as configured in 
your imapd.conf (the lines beginning with sasl_). Documentation can be 
found in the man page for imapd.conf, /doc/install-auth.html located 
within the cyrus-imapd source, and the /doc/ subdirectory located within 
the cyrus-sasl source.

- Dan




Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: Jumping a bunch of Cyrus imap versions, and moving to a new machine...

2008-10-10 Thread Dan White
John Ackermann N8UR wrote:
 1.5.19 to 2.2.13, to be exact.

 I have a small mail system (about half a dozen users, and 3GB of mail 
 store) that I am migrating from an old Debian box to a new one.

 Obviously, this is a pretty major version leap.  Any suggestions about 
 the simplest way to get this move/upgrade accomplished?  It's not a big 
 deal if we have to shut down mail services for a few hours to do 
 database updating or whatever might be required.

John,

/doc/install-upgrade.html (within the latest cyrus-imapd source) has 
some advice for upgrading.

Debian specific documentation can be found in 
/usr/share/doc/cyrus-imapd-2.2/

- Dan

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: querying message flags -- finding list of unread message

2008-09-18 Thread Dan White
lartc wrote:
 hi all,

 is there a way to query a message store to find what message are unread
 in a user's inbox?


You can use IMAP search to find that out (e.g. with imtest). Remember 
that by default, seen state is not shared between users, so you'll need 
to authorize as the owner of the mailbox to see their seen state. 
Assuming you want to view seen state for user abrown, you could do:

imtest -m GSSAPI imap.example.com -u abrown
...
Authenticated.
c select user/abrown
* FLAGS (\Answered \Flagged \Draft \Deleted \Seen NonJunk)
* OK [PERMANENTFLAGS (\Answered \Flagged \Draft \Deleted \Seen NonJunk 
\*)] 
* 6 EXISTS
* 0 RECENT
* OK [UNSEEN 1] 
* OK [UIDVALIDITY 1188505352] 
* OK [UIDNEXT 614] 
* OK [NOMODSEQ] Sorry, modsequences have not been enabled on this mailbox
* OK [URLMECH INTERNAL]
c OK [READ-WRITE] Completed
c search seen
* SEARCH 3 5
c OK Completed (2 msgs in 0.000 secs)
c search not seen
* SEARCH 1 2 4 6
c OK Completed (4 msgs in 0.000 secs)
c fetch 1,2,4,6 (FLAGS BODY[HEADER.FIELDS (DATE FROM)])
* 1 FETCH (FLAGS (\Seen NonJunk) BODY[HEADER.FIELDS (DATE FROM)] {116}
Date: Mon, 19 May 2008 05:01:08 -0400 (EDT)
From: cut

)
* 2 FETCH (FLAGS (\Seen) BODY[HEADER.FIELDS (DATE FROM)] {88}
From: cut
Date: Mon, 19 May 2008 03:15:16 -0700

)
* 4 FETCH (FLAGS (\Seen NonJunk) BODY[HEADER.FIELDS (DATE FROM)] {132}
Date: Mon, 19 May 2008 11:04:09 -0400 (EDT)
From: cut

)
* 6 FETCH (FLAGS (\Seen NonJunk) BODY[HEADER.FIELDS (DATE FROM)] {116}
From: cut
Date: Tue, 20 May 2008 11:30:40 -0500

)
c OK Completed (0.000 sec)

Or you could do the same with an IMAP client of course.

- Dan

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
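An added example (not code from the list or from Cyrus) that does the same unseen-message check programmatically. It shows the caveat hidden in the session above: a FETCH of BODY[HEADER.FIELDS ...] without .PEEK sets \Seen on each message it touches, which is why the "not seen" messages come back flagged \Seen; EXAMINE plus BODY.PEEK avoids that. conn can be any imaplib.IMAP4/IMAP4_SSL object after login(); FakeCyrus is a constructed stand-in so the code runs offline.

```python
import re
from typing import Dict, List, Tuple

# FETCH item imaplib hands back before each header literal, e.g.
#   b'4 (FLAGS (\\Seen NonJunk) BODY[HEADER.FIELDS (DATE FROM)] {132}'
FETCH_ITEM_RE = re.compile(rb"^(\d+) \(FLAGS \(([^)]*)\)")


def parse_header_fields(raw: bytes) -> Dict[str, str]:
    """Parse the header block returned for HEADER.FIELDS (DATE FROM)."""
    fields: Dict[str, str] = {}
    for line in raw.decode("utf-8", "replace").splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip().lower()] = value.strip()
    return fields


def parse_fetch(data: list) -> List[Tuple[int, List[str], Dict[str, str]]]:
    """Turn imaplib's FETCH result (one (item, literal) tuple per message,
    each followed by a bare b')' closer) into (seqno, flags, headers)."""
    out = []
    for entry in data:
        if not isinstance(entry, tuple):
            continue                      # the b')' closer carries nothing
        item, literal = entry
        m = FETCH_ITEM_RE.match(item)
        if not m:
            raise ValueError(f"unexpected FETCH item: {item!r}")
        flags = m.group(2).decode().split()
        out.append((int(m.group(1)), flags, parse_header_fields(literal)))
    return out


def unseen_messages(conn, mailbox: str):
    """List unseen messages in mailbox without altering their seen state.

    conn is an imaplib.IMAP4-like object already authenticated as the mailbox
    owner (Cyrus keeps seen state per user). EXAMINE (readonly select) plus
    BODY.PEEK stop the server from setting \\Seen; a plain BODY[...] fetch,
    as in the imtest session above, marks every listed message as read.
    """
    typ, _ = conn.select(mailbox, readonly=True)
    if typ != "OK":
        raise RuntimeError(f"EXAMINE {mailbox} failed")
    typ, data = conn.search(None, "UNSEEN")
    if typ != "OK":
        raise RuntimeError("SEARCH UNSEEN failed")
    seqs = [s.decode() for s in data[0].split()]
    if not seqs:
        return []
    typ, data = conn.fetch(",".join(seqs),
                           "(FLAGS BODY.PEEK[HEADER.FIELDS (DATE FROM)])")
    if typ != "OK":
        raise RuntimeError("FETCH failed")
    return parse_fetch(data)


class FakeCyrus:
    """Constructed stand-in for an authenticated imaplib.IMAP4 session: a
    six-message INBOX like the one above, with the real server's side effect
    that a read-write FETCH of BODY[...] without .PEEK sets \\Seen."""

    HEADERS = {  # constructed sample headers, DATE/FROM only
        1: b"Date: Mon, 19 May 2008 05:01:08 -0400 (EDT)\r\nFrom: a@example.org\r\n\r\n",
        2: b"From: b@example.org\r\nDate: Mon, 19 May 2008 03:15:16 -0700\r\n\r\n",
        3: b"Date: Mon, 19 May 2008 09:00:00 -0400\r\nFrom: c@example.org\r\n\r\n",
        4: b"Date: Mon, 19 May 2008 11:04:09 -0400 (EDT)\r\nFrom: d@example.org\r\n\r\n",
        5: b"Date: Mon, 19 May 2008 12:00:00 -0400\r\nFrom: e@example.org\r\n\r\n",
        6: b"From: f@example.org\r\nDate: Tue, 20 May 2008 11:30:40 -0500\r\n\r\n",
    }

    def __init__(self):
        self.seen = {3, 5}        # messages 3 and 5 are already read
        self.readonly = False

    def select(self, mailbox, readonly=False):
        self.readonly = readonly
        return "OK", [b"6"]

    def search(self, charset, *criteria):
        want_seen = criteria != ("UNSEEN",)
        hits = [n for n in sorted(self.HEADERS) if (n in self.seen) == want_seen]
        return "OK", [" ".join(map(str, hits)).encode()]

    def fetch(self, message_set, message_parts):
        data = []
        for n in (int(s) for s in message_set.split(",")):
            if "BODY.PEEK[" not in message_parts and not self.readonly:
                self.seen.add(n)  # the side effect a non-PEEK fetch has
            flags = (["\\Seen"] if n in self.seen else []) + ["NonJunk"]
            literal = self.HEADERS[n]
            item = (f"{n} (FLAGS ({' '.join(flags)}) "
                    f"BODY[HEADER.FIELDS (DATE FROM)] {{{len(literal)}}}").encode()
            data += [(item, literal), b")"]
        return "OK", data
```

Calling unseen_messages(FakeCyrus(), "user/abrown") returns messages 1, 2, 4 and 6 with their flags and Date/From headers, and leaves the fake's seen set unchanged.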


Re: Cyrus Imap Benchmark

2008-09-16 Thread Dan White
faris wrote:
 Dear Bron,
  
 If i upgrade cyrus-imap to a newer version, will it effect the current 
 mailboxes ?
  
 When we partition drives, we make (3 drives) raid5 array with ext3 
 partitions. we can expand RAM but how can we
  
 Also you said to split meta for more efficiency.. how can we split it?
  
 Thanks,
  
 Faris


Faris,

There are several upgrade issues addressed in the documentation, 
including how to split meta data into its own partition. See 
'doc/install-upgrade.html' in the latest release.

- Dan

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: Cyrus IMAP and saslauthd

2008-09-14 Thread Dan White
Egoitz Aurrekoetxea wrote:
 Hi mates,

 I'm running Cyrus IMAP without saslauthd with cyrus-sasl library at 
 this moment and integrated with Postfix. The OS I'm running is 
 FreeBSD... it has taken me some time to set up this testing server... I 
 have tried several times to set cyrus imap auth against saslauthd... I 
 can't get my goal so now have had to switch to auxprop with mysql... 
 but this IMHO has a little disadvantage... with saslauthd and X number 
 of processes forked you have like a pool of connections (what in 
 postfix config is called proxy daemon too) but without saslauthd and 
 with bulk connections to database through auxprop perhaps you could 
 cause DOS to your mysql server if you receive a dictionary attack 
 for example... I have read that it's possible to set saslauthd with 
 mysql BUT without crypted passwords on database... that wouldn't mind 
 me... could you please advise some howto or doc please? All doc I 
 found is for being set up with crypted passwords and through pam... 
 but this has run me into some troubles in freebsd... because I think 
 pam-mysql doesn't work quite nice on freebsd... so could you please 
 advise me some doc or howto setup cyrus imap and postfix auth through 
 saslauthd? I think it's a concept problem because I don't understand 
 quite well how saslauth works and will config file reads and so...
Egoitz,

See the man page for saslauthd for available saslauthd backend mechanisms.

Other than PAM, you may be able to use nss-mysql along with the getpwent 
or shadow backends.

saslauthd is also documented in 'doc/sysadmin.html' in the sasl source.

- Dan

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: Murder with Virtual Domains - deliveries from postfix fail

2008-09-03 Thread Dan White
Dan Gaudette wrote:
 Hello,

 I have Cyrus Murder 2.3.12p2 up and running (1 frontend, 1 backend, 1 
 mupdate), however when I enable virtdomains I receive the following 
 error on the frontend:   imapd/lmtp[]: verify_user 
 (frontend.example.com!user.steve) failed: Mailbox does not exist

 Everything else seems to work fine (IMAP, POP, creating/deleting 
 mailboxes with domain administrators), but the frontend server fails 
 with the above message when receiving the email addressed to 
 [EMAIL PROTECTED] from Postfix (separate machine). 

 Postfix returns: [EMAIL PROTECTED]: host 
 xxx.xx.xx.xxx[xxx.xx.xx.xxx] said: 550-Mailbox unknown.  Either there is 
 no mailbox associated with this 550-name or you do not have 
 authorization to see it. 550 5.1.1 User unknown (in reply to RCPT TO 
 command)

 I've tried recreating the mailbox after virtdomains was enabled, but 
 with the same result. 

 Am I missing something in my Cyrus configuration, or is this an issue 
 with Postfix?



Dan,

I ran into a similar error during my install, but I don't recall if this 
is what got me around it:

On the Front end:
virtdomains: on

On the Backend:
virtdomains: userid

On the Mupdate server:
virtdomains: on

I have Postfix and lmtp (proxy) running on the frontend as well. I can 
provide more config if you'd like.

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: Murder with Virtual Domains - deliveries from postfix fail

2008-09-03 Thread Dan White
Dan Gaudette wrote:
 Thanks Dan, but I'm still getting the same error.

 It'd be awesome if you could provide some more config.

http://support.olp.net/cyrus/

- Dan

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: sasl canon_user

2008-08-09 Thread Dan White
Ashay Chitnis wrote:
 Hi all,

 I am having cyrus-imapd and cyrus-sasl running on the Mail Server with 
 saslauthd passing the authentication to ldap server. This is working fine.

 I have to integrate it with my AD server. The problem is my ldap 
 server uses the uid as [EMAIL PROTECTED] to 
 authenticate. But the AD server takes the user name as abc.  Is 
 there any way i can use mapping in saslauthd so that [EMAIL PROTECTED] 
 is taken by imapd but ONLY for authentication 
 [EMAIL PROTECTED] is mapped to abc?

 On net i saw there is a canon_user plugin in cyrus sasl, anyone has 
 idea how to use it to achieve the above objective?
Ashay,

You may be able to accomplish this by specifying a defaultdomain of 
xyz.com, assuming that you have 'virtdomains: userid' set.

If not, there is an ldapdb canon_user plugin in CVS (sasl). 
Documentation is included in the doc/options.html file.

It requires that your ldap server support authc/authz (proxy) 
authentication and the 'whoami' extended operation. It works 
independently of your authentication configuration, so you should not 
have to use the ldapdb auxprop plugin (but you may want to).

My imapd.conf looks like:

sasl_ldapdb_uri: ldap://ldap.example.net
sasl_ldapdb_mech: GSSAPI
sasl_ldapdb_canon_attr: uid
imap_sasl_canon_user_plugin: ldapdb
pop3_sasl_canon_user_plugin: ldapdb

The ldapdb canon_user plugin works by authenticating as a user with 
escalated permissions (in my case a GSSAPI user) and using the submitted 
username 'abc' as the authorization identity. It will search for the 
attribute you specified in 'ldapdb_canon_attr' within the user's (abc's) 
entry, and return it as the canonicalized username. imapd will use the 
canonicalized username ([EMAIL PROTECTED]) when searching for the user's 
mailbox.

- Dan

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: Abusing the sync protocol for fun and profit.

2008-02-21 Thread Dan White
Bron Gondwana wrote:
 Attached are three perl modules,
 
 Cyrus/SyncClient.pm
 Cyrus/ImapReplica.pm
 Mail/IMAPTalk.pm
 
 I'm including this copy of Mail::IMAPTalk because without it, the clever
 'literal' stuff doesn't work properly.  I'll prod Rob to clean it up and
 re-package it and push it to CPAN so I can depend on that version and
 have things all be happier.

Thanks Bron,

This works great for me. I'm able to synchronize between my old 
2.1.17 server, with a perdition proxy frontend end, to my newer 
2.3.10 server.

I had a hiccup in the SyncClient.pm module during DIGEST-MD5 
authentication.

I changed to PLAIN, using the following changes, to get it working:

42c42
 my $mech = 'DIGEST-MD5';
---
  my $mech = 'PLAIN';
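Review bot: changing `my $mech = 'DIGEST-MD5';` to `'PLAIN'` sends the sync account's password in the clear on every connection, so this hunk should be paired with TLS on the sync link (or restricted to a link that is already protected); nothing in the diff adds a STARTTLS step, and the DIGEST-MD5 failure being worked around is left undiagnosed rather than fixed.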
65c65
 for (1..2) {
---
  for (1..1) {
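Review bot: `for (1..1) {` is a loop that runs exactly once, which leaves dead structure in place; either drop the loop and keep its body, or derive the iteration count from `$mech` so the DIGEST-MD5 path (two round trips) keeps working alongside PLAIN.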
69c69,72
   $io-print(MIME::Base64::encode_base64($res, '') . \r\n);
---
my $encoded_response = MIME::Base64::encode_base64($res, 
'');
if (! $encoded_response eq '') {
  $io-print($encoded_response . \r\n);
}
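Review bot: `if (! $encoded_response eq '')` has a precedence problem: `!` binds tighter than `eq`, so this evaluates `(!$encoded_response) eq ''` instead of the intended string comparison, and only happens to behave for non-empty strings; write it as `if ($encoded_response ne '')` (or `if (length $encoded_response)`). The rest of the hunk looks fine given that the only purpose is to skip sending an empty client response for PLAIN.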


- Dan White

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: LMTP/LDAP configuration issue

2008-02-18 Thread Dan White
Jean-Francois Stenuit wrote:
 Hello list,
 
 Although I succeeded in configuring saslauthd to speak to an active 
 directory server on my gentoo machine, I'm unable to get cyrus lmtpd 
 deliver mail in a correct way.
 
 My /etc/imapd.conf looks like :
 
 configdirectory:/var/imap
 partition-default:  /var/spool/imap
 sievedir:   /var/imap/sieve
 tls_ca_path:/etc/ssl/certs
 tls_cert_file:  /etc/ssl/cyrus/server.crt
 tls_key_file:   /etc/ssl/cyrus/server.key
 admins: cyrus
 hashimapspool:  yes
 allowanonymouslogin:no
 allowplaintext: no
 ldap_uri: ldap://dc1.chryseis.be/
 ldap_base: cn=Users,dc=chryseis,dc=be
 ldap_filter: (sAMAccountName=%u)
 ldap_version: 3
 ldap_id: [EMAIL PROTECTED]
 ldap_password: --password--
 sasl_pwcheck_method: saslauthd
 sasl_mech_list: PLAIN
 
 But my logs still show :
 
 Feb 18 11:44:42 bach lmtpunix[21989]: executed
 Feb 18 11:44:42 bach lmtpunix[21989]: sql_select option missing
 Feb 18 11:44:42 bach lmtpunix[21989]: auxpropfunc error no mechanism 
 available
 Feb 18 11:44:42 bach lmtpunix[21989]: _sasl_plugin_load failed on 
 sasl_auxprop_plug_init for plugin: sql
 Feb 18 11:44:42 bach lmtpunix[21989]: auxpropfunc error invalid parameter 
 supplied
 Feb 18 11:44:42 bach lmtpunix[21989]: _sasl_plugin_load failed on 
 sasl_auxprop_plug_init for plugin: ldapdb
 Feb 18 11:44:42 bach lmtpunix[21989]: accepted connection
 Feb 18 11:44:42 bach lmtpunix[21989]: lmtp connection preauth'd as postman
 Feb 18 11:44:42 bach lmtpunix[21989]: verify_user(user.jfs) failed: 
 Mailbox does not exist

The _sasl_plugin_load errors can be ignored here I think. If 
you're not using either the sql or ldapdb auxprop plugins, you 
can remove them from your system to get rid of these errors in 
your logs. See 'pluginviewer', and look for the plugins 
directory, typically in /usr/lib/sasl2.

The last error looks like the critical error. You should verify 
that the mailbox 'user.jfs' exists.

 And no ldap query is performed (I have a tcpdump running in another 
 window).

I don't think you would get any ldap traffic except during user 
authentication, unless your SMTP server is performing 
authentication for LMTP via saslauthd.

- Dan

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: Is Cyrus SASL still under active development

2008-01-24 Thread Dan White
Torsten Schlabach wrote:
 CVS compiles on my Linux box,
 
 On mine as well, now. Well, it did not compile on the day I was writing 
 the original message.
 
 I did a
 
 cvs update
 make distclean
 ./configure
 make
 
 now and it worked.
 
 I will test that canon_user patch to libldapdb.c (maybe Dan White will 
 do the same, to be on the safe side), then I know at least two people 
 looking forward to 2.1.23.

Great to see it included. I'll try to test it tonight.

Thanks,
- Dan White

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: Imapd/Sasl/Ldap

2008-01-23 Thread Dan White
Joshua Van Horn wrote:
 Hi, 
 
 I have compiled sasl-2.1.22 against openldap-2.3.39.  After setting up
 the saslauthd.conf file, I was able to successfully authenticate against
 our SunONE LDAP server using testsaslauthd.  My issues arise when I
 start the cyrus-imapd program.  I am able to login via Thunderbird/random
 IMAP client just fine, but I see the following errors flooding the
 /var/log/auth.log file:
 
 Jan 22 13:41:28 cyrustest2 imaps[19846]: [ID 702911 auth.error]
 auxpropfunc error invalid parameter supplied
 Jan 22 13:41:28 cyrustest2 imaps[19846]: [ID 702911 auth.debug]
 _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
 
 I have tried various settings in the imapd.conf to try to rectify this,
 but have been unsuccessful.  What bothers me is that I do not use the
 auxprop pwcheck method for sasl.

Joshua,

You should be able to remove the ldapdb plugin, if you are not 
using it, to get rid of these errors.

- Dan

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: can i build a sasl module with support for encrypted passwords?

2008-01-22 Thread Dan White
rupert wrote:
 Hi,
 I have my murder cluster running, with passwords stored in a mysql DB.
 The only thing that bugs me now is that the passwords are stored in
 plaintext inside the DB.
 I am using fedora8 and will switch to CentOS once everything runs fine.
 Can I build an rpm module for sasl that exists beside the packages that are in
 the repositories?
 
 like cyrus-sasl-md5.i386, cyrus-sasl-plain.i386, cyrus-sasl-devel.i386,
 cyrus-sasl-md5.i386 ...
 
 I tried to compile cyrus-sasl.2.19 with the pwcheck patch, but it just
 messed everything up.
 
 Any other solutions? And why is such an important thing not standard?

Hi Rupert,

I think the MySQL PAM plugin is one possible way to support 
hashed passwords. You would need to disable all mechanisms which 
depend on the auxprop plugin and depend on a clear text password 
(such as DIGEST-MD5).

You'll need to configure your pwcheck_method to include 
saslauthd, and then configure saslauthd to use PAM to authenticate.

I'm not familiar with the pwcheck patch, but it shouldn't be 
required in this scenario.

- Dan

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: Plugging into the imap system

2007-12-22 Thread Dan White
Gabriele Bulfon wrote:
 Hello,
 I would like to know if there is some way of plugging into the system with 
 custom agents to be notified of any event happening on the imap server.
 For example, I would like some code of mine to be called when new messages 
 are: written into mailboxes, deleted from mailboxes, modified etc. etc.
 The main reason for this is to implement a synchronization code.
 We're using the cyrus imap server not only for mails but also for other 
 information stored as attachments in emails (agenda events, contacts and 
 others) in specific folders, and these objects are handled by client 
 software.
 It would be great to be able to extend our servers with add-on software of 
 ours that is able to intercept object modifications and maintain event 
 synchronization information (for example to deliver the same data to mobile 
 devices).
 Thanx for any help
 Gabriele Bulfon.

If you're not synchronizing to another server, you can enable the 
sync log and write a script to monitor it for changes.

- Dan

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: digest-md5 password store

2007-12-05 Thread Dan White
Guillermo Gómez wrote:
 I've been looking at how to make cyrus imap work with mysql and found two options:
 
 cyrus pam with pam_mysql
 cyrus sasl sql plugin
 
 In the first one it looks like the store can have the password encrypted with MD5.
 The second one needs the passwords in the clear in the db.
 
 customer says they have a mysql db with md5 passwords in it.
 
 I'm still confused about how this should work; can anyone please give me
 some insights in this regard?

pam_mysql would correlate to saslauthd, and the cyrus sasl plugin 
would correlate to auxprop.

See documentation on the SASL pwcheck_method setting 
(sasl_pwcheck_method in /etc/imapd.conf).

When set to saslauthd, the pwcheck_method will allow the use of 
the PLAIN and LOGIN mechanisms, and will pass the username and 
password from the client on to PAM. PAM can internally hash the 
password and compare it against an already md5/crypted password.

When set to auxprop, SASL will retrieve the cleartext password 
and use it to compare (in the case of PLAIN and LOGIN), or to use 
in multi-step negotiation of other mechanisms, such as DIGEST-MD5.

The auxprop plugin gives you the ability to authenticate using 
the PLAIN, LOGIN, DIGEST-MD5, CRAM-MD5, NTLM and OTP mechs (and 
probably more).

saslauthd only gives you the ability to authenticate using PLAIN 
and LOGIN (I believe), which may or may not be sufficient for you.

- Dan

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: digest-md5 password store

2007-12-05 Thread Dan White
Guillermo Gómez wrote:
 Thanks Dan, I'm reading and trying to digest all the material available.
 
 What the customer wants is:
 
 1.- md5-digest between imap client/server (squirrelmail/cyrus-imapd)
 2.- md5 encrypted passwords stored in mysql db (cyrus-imap-??)
 
 Is this combination possible?

I've seen mention of a way to store md5 hashes for use with 
DIGEST-MD5, but I believe it has to be the md5 of 
'user:realm:password'. See RFC 2831, section 3.9.


- Dan

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
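Dan's two replies above (saslauthd/PAM versus auxprop, and the RFC 2831 'user:realm:password' md5) can be made concrete with an added Python example that is not code from Cyrus SASL or from the posts: it runs a DIGEST-MD5 exchange from the stored MD5(username:realm:password) alone, using the RFC 2831 section 4 worked example as sample input.

```python
# Added example, not code from Cyrus SASL or from the list posts: DIGEST-MD5
# computed from the stored secret MD5(username:realm:password) that RFC 2831
# section 3.9 allows, so the server never needs the cleartext password.
import hashlib
import hmac


def stored_secret(username: str, realm: str, password: str) -> bytes:
    """Raw 16-byte MD5(username:realm:password): the one hashed form that can
    replace the password for DIGEST-MD5 (a crypt/md5 hash as used by PAM cannot,
    which is why saslauthd is limited to PLAIN/LOGIN)."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()


def _digest(secret, method, nonce, cnonce, nc, qop, digest_uri, authzid=""):
    # A1 = H(user:realm:pass) ":" nonce ":" cnonce [":" authzid], H as raw bytes
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    # A2 = method ":" digest-uri, plus 32 zeros when integrity/privacy is used
    a2 = f"{method}:{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":00000000000000000000000000000000"
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(a2.encode("utf-8")).hexdigest()
    # HEX(KD(HEX(H(A1)), nonce ":" nc ":" cnonce ":" qop ":" HEX(H(A2))))
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8")).hexdigest()


def client_response(secret, nonce, cnonce, nc, qop, digest_uri, authzid=""):
    """'response=' value the client sends; A2 starts with AUTHENTICATE."""
    return _digest(secret, "AUTHENTICATE", nonce, cnonce, nc, qop, digest_uri, authzid)


def server_rspauth(secret, nonce, cnonce, nc, qop, digest_uri, authzid=""):
    """'rspauth=' value the server returns; A2 has an empty method string."""
    return _digest(secret, "", nonce, cnonce, nc, qop, digest_uri, authzid)


def server_verify(secret, received, nonce, cnonce, nc, qop, digest_uri, authzid=""):
    """Auxprop-side check: recompute from the stored secret, compare in constant time."""
    expected = client_response(secret, nonce, cnonce, nc, qop, digest_uri, authzid)
    return hmac.compare_digest(expected, received)


def run_rfc_example():
    """The RFC 2831 section 4 exchange (user chris, password secret, IMAP at
    elwood.innosoft.com); returns (response, rspauth, verified)."""
    secret = stored_secret("chris", "elwood.innosoft.com", "secret")
    args = dict(nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk", nc="00000001",
                qop="auth", digest_uri="imap/elwood.innosoft.com")
    response = client_response(secret, **args)
    return response, server_rspauth(secret, **args), server_verify(secret, response, **args)
```

Note that the stored value is bound to the realm, so it must be recomputed whenever the realm or username changes, and it is password-equivalent for DIGEST-MD5: anyone who reads it can authenticate, so it needs the same protection as a cleartext password.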


Re: how to limit pop/imap login password attempts

2007-11-21 Thread Dan White
Dan White wrote:
 A modification to the ldapdb plugin could probably be made to perform a 
 simple bind just after the step where it retrieves the userPassword 
 attribute.

On second thought, that doesn't actually work. The auxprop plugin 
doesn't know anything about the password, or sasl exchange, that 
the user performs, only what the correct userPassword is...

- Dan

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: Help with xfermailbox

2007-11-19 Thread Dan White
Dan White wrote:
 Dan White wrote:
 Wesley Craig wrote:
 If I recall correctly, this is a bad interaction/bug between Cyrus IMAPd 
 and Cyrus SASL.  I see you're running IMAP 2.3.10.  What version of SASL?

 2.1.22 from Debian etch with a couple of customizations to 
 ldapdb, which itself is compiled against openldap 2.3.30.

 I've also compiled my sasl against heimdal libraries rather than 
 the (debian) default mit.
 
 I just recompiled sasl on both backends to use mit libraries, for 
 gssapi. No luck. Same two errors (syslog and auth).
 
 - Dan

Regarding the call to kick_mupdate and the attempt to open the 
file socket, could I be missing an entry in my cyrus.conf file?

Thanks,
- Dan


Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: Help with xfermailbox

2007-11-19 Thread Dan White
Wesley Craig wrote:
 I didn't look too hard at your other errors.  Looking back now, I wonder 
 how you have mupdate_config set?  The kick_mupdate error you're getting 
 isn't associated with the standard setting, tho it appears from your 
 description that you are otherwise using a standard murder config.  Are 
 you trying to deploy a unified murder?

I'm trying to do a standard murder, but could be going about 
things the wrong way.

Here are the mupdate lines from each of my configs:

kaled (mupdate master and frontend):
none, other than an mupdate_admins entry

gandalf (backend one):
mupdate_server: kaled.olp.net
mupdate_config: standard

neo (backend two):
mupdate_server: kaled.olp.net
mupdate_config: standard

I also have replication configured on neo (but not currently used).

Is xfermailbox valid in a standard murder? Should I be using 
renamemailbox from a frontend?

- Dan

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: Help with xfermailbox

2007-11-17 Thread Dan White
Wesley Craig wrote:
 On 16 Nov 2007, at 15:53, Dan White wrote:
 Nov 16 13:44:57 neo cyrus/imap[6171]: decoding error: generic
 failure; SASL(-1): generic failure: , closing connection
 
 A fuller version of this error is probably recorded in your auth log.
 
 :wes

Here's from my syslog.conf:

Nov 17 09:25:02 neo cyrus/imap[11281]: decoding error: generic 
failure; SASL(-1): generic failure: , closing connection

and from my auth.log

Nov 17 09:25:02 neo cyrus/imap[11281]: encoded packet size too 
big (4156 > 4096)

- Dan

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Help with xfermailbox

2007-11-16 Thread Dan White
I'm experiencing errors when attempting to transfer a mailbox 
from one backend to another in a murder environment.

This is my first try, so this could be due to misconfiguration.

I have three servers in my setup:

kaled.olp.net - MUPDATE master and frontend
gandalf.olp.net - backend #1
neo.olp.net - backend #2

When I issue the command xfermailbox user/9183641498 
neo.olp.net from gandalf, I receive the error:

gandalf.olp.net xfer user/9183641498 neo.olp.net
xfermailbox: The remote Server(s) denied the operation

And in neo's (destination backend) logs, I see:
Nov 16 14:16:18 neo cyrus/imap[6183]: accepted connection
Nov 16 14:16:19 neo cyrus/imap[6183]: login: gandalf.olp.net 
[65.161.252.87] cyrus-gandalf.olp.net GSSAPI User logged in
Nov 16 14:16:19 neo cyrus/imap[6183]: kick_mupdate: can't connect 
to target: No such file or directory

Sometimes I also get (in addition to the No such file or 
directory error):

Nov 16 13:44:57 neo cyrus/imap[6171]: decoding error: generic 
failure; SASL(-1): generic failure: , closing connection

The relevant portion of the code that generates this error 
appears to be in mupdate-client.c:

 /* build the socket path: config_dir + FNAME_MUPDATE_TARGET_SOCK */
 strlcpy(buf, config_dir, sizeof(buf));
 strlcat(buf, FNAME_MUPDATE_TARGET_SOCK, sizeof(buf));
 memset((char *)&srvaddr, 0, sizeof(srvaddr));
 srvaddr.sun_family = AF_UNIX;
 strcpy(srvaddr.sun_path, buf);
 len = sizeof(srvaddr.sun_family) + strlen(srvaddr.sun_path) + 1;

 /* connect to the local mupdate target socket; %m expands to strerror(errno) */
 r = connect(s, (struct sockaddr *)&srvaddr, len);
 if (r == -1) {
 syslog(LOG_ERR, "kick_mupdate: can't connect to target: %m");
 goto done;
 }

FNAME_MUPDATE_TARGET_SOCK is defined in mupdate-client.h as:
#define FNAME_MUPDATE_TARGET_SOCK "/socket/mupdate.target"

I can't find any sockets named mupdate.target on neo (my 
destination backend).

Relevant configurations can be found at:
http://support.olp.net/cyrus/kaled-imapd.conf
http://support.olp.net/cyrus/kaled-cyrus.conf
http://support.olp.net/cyrus/gandalf-imapd.conf
http://support.olp.net/cyrus/gandalf-cyrus.conf
http://support.olp.net/cyrus/neo-imapd.conf
http://support.olp.net/cyrus/neo-cyrus.conf

I'm running 2.3.10, with several Debian patches.

Thanks for any help,
-- 
Dan White [EMAIL PROTECTED]
BTC Broadband

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

