SASL/Sieve problems

2006-04-13 Thread David H. Lynch Jr.
I recently had to rebuild a Cyrus 2.2 Mail Server.
I cloned the root partition first.
Built the new system.
Copied the appropriate configuration from the old system, checked
permissions and got everything running.
Cyrus IMAP works fine.
cyradm works fine.
But sieve filters on accounts are inactive - they are present in
/var/spool/sieve

And sieveshell will not authenticate.
authlog has lots of cyrus/sieve errors every time I try to run
sieveshell.
Basically sieveshell appears to be running through a bunch of SASL
authentication methods (NTLM, OTP, DIGEST-MD5, ..) and failing each
and finally complaining that there are no worthy mechs.

I have scoured the old system and I can not find anywhere that
sieve/SASL is configured separately from cyrus imap - and my imapd.conf,
and cyrus.conf have not changed.

I am using sasldb for authentication. I have run sasldblistusers2
with expected results, checked permissions on everything sasl related.

What am I missing? How can cyrus imap be using SASL correctly but
sieve is not?

-- 
Dave Lynch  DLA Systems
Software Development: Embedded Linux
717.627.3770 [EMAIL PROTECTED] http://www.dlasys.net
fax: 1.253.369.9244 Cell: 1.717.587.7774
Over 25 years' experience in platforms, languages, and technologies too
numerous to list.


Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
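
The failure described in the post above, where sieveshell ends with no worthy mechs, can be narrowed down by comparing what the sieve port advertises with what the client can use. The Python below is an added example, not code from the thread or from Cyrus; the greeting is a constructed sample in ManageSieve (RFC 5804) capability format, the function names are hypothetical, and the no-auxprop set is the list given in the SASL Docs thread further down this page.

```python
import re

# Constructed ManageSieve capability greeting (RFC 5804 format); not taken
# from the poster's server.
SAMPLE_GREETING = '''"IMPLEMENTATION" "timsieved (constructed sample)"
"SASL" "NTLM OTP DIGEST-MD5 CRAM-MD5"
"SIEVE" "fileinto reject envelope vacation"
"STARTTLS"
OK
'''

# Mechanisms listed in the SASL Docs thread on this page as not requiring
# an auxprop plugin (no local secrets database such as sasldb).
NO_AUXPROP = {"LOGIN", "PLAIN", "GSSAPI", "KERBEROS_V4", "ANONYMOUS"}
# Mechanisms that send the password itself to the server.
PLAINTEXT = {"PLAIN", "LOGIN"}

_CAP_LINE = re.compile(r'^"([^"]*)"(?:\s+"([^"]*)")?$')


def parse_greeting(text):
    """Return {CAPABILITY: value} from the lines before the OK/NO/BYE response."""
    caps = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.split()[0].upper() in ("OK", "NO", "BYE"):
            break
        match = _CAP_LINE.match(line)
        if match:
            caps[match.group(1).upper()] = match.group(2) or ""
    return caps


def diagnose(greeting, client_mechs):
    """Compare server-advertised SASL mechanisms with the client's."""
    caps = parse_greeting(greeting)
    offered = caps.get("SASL", "").upper().split()
    wanted = {m.upper() for m in client_mechs}
    usable = [m for m in offered if m in wanted]
    return {
        "offered": offered,
        "usable": usable,
        # Empty intersection: nothing for the client to negotiate.
        "no_common_mech": not usable,
        # Per the thread, these need a secrets store (auxprop) on the server.
        "needs_auxprop": [m for m in usable if m not in NO_AUXPROP],
        # Password-bearing mechanisms on a port that offers no STARTTLS.
        "plaintext_no_tls": [m for m in usable if m in PLAINTEXT]
        if "STARTTLS" not in caps else [],
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_GREETING, ["PLAIN", "LOGIN", "DIGEST-MD5"]))
```

To use it against a real server, replace the sample with the text the sieve port sends on connect and pass the mechanisms the client has plugins for.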


Re: Outlook does not delete but displays deleted messages as strike-through

2005-12-11 Thread David H. Lynch Jr.
Bill Kearney wrote:
> I think outlook's utterly crappy handling of IMAP is a more powerful
> motivator.  Outlook Express, on the other hand, does a fine job of
> supporting IMAP.  But the regular Outlook 2003 and past versions have had
> absolutely crappy IMAP handling.  Such that it makes it almost impossible to
> use OL2003 against an IMAP server.  I long since gave up on it for IMAP
> access.

I migrated users from Outlook MAPI to Outlook IMAP against an exchange
server in preparation for migrating to Cyrus.
For all its flaws Outlook IMAP works better than Outlook MAPI.
The only new problem was that Outlook IMAP would not properly use
the Outlook special folders like calendar, tasks and contacts when
accessed via IMAP. All Microsoft's contacts, tasks, etc. are is specially
formatted messages. It would be really nice if tbird was able to parse
those messages, and use them as contacts, or calendar items.



RE: Is it possible to store user contact/ address book in imap server?

2003-07-24 Thread David H. Lynch Jr.
I like Evolution, but as best as I can tell:

With their MAPI connector (which I do not have) you can access
contacts,...

But with straight Evolution you can not access contacts, tasks,
etc. created by Outlook users. You can create Evolution contacts, etc.,
which I believe are in a standards compliant format. But you still can
not access those created by Outlook.

Finally, Evolution only runs under Linux and like it or not for
the moment I need W32 IMAP clients.

Ultimately, Outlook is evil. But there does not exist a W32
client that duplicates its functionality. There are kludges, but I am
not looking to replace one mess with another.

The best I have seen thus far is Evolution - BUT Evolution is
Linux only, and like it or not I can't go there yet, and Evolution does
not understand existing Outlook contacts etc. when stored on an IMAP
server, so I can not even just use it myself.

-Original Message-
From: Jonathan Marsden [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 15, 2003 1:42 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Is it possible to store user contact/ address book in imap
server?


On 15 Jul 2003, David H. Lynch, Jr. writes:

> There is nothing special about contact/address book information.
>
> There is no reason you can not store contacts, tasks, calendar items,
> ... In any IMAP server you choose. All they are is specially formatted
> messages.
>
> The Problem is that there are no IMAP clients that can properly
> understand and treat those messages as contacts, tasks, ...

No IMAP clients?  Ximian Evolution might qualify as one? :-)

For most enterprises, MS Outlook is the de facto expected and desired
client, like it or loathe it, for this sort of email plus calendaring
plus contacts setup.  The (commercial) Bynari Insight Connector addin
for Outlook handles this.  It is IMO far from perfect as an overall
email/ calendaring/ contacts solution, and has had some significant
stability issues on the client in the past.  But if you really need this
functionality, it does get the job done.  While officially Bynari will
only support it when used with their Insight Server, Insight Server is
really a package of Postfix + Cyrus + Apache + ProFTPd and a pretty
web-based management interface, so it can be used against Cyrus if you
are willing to experiment a little.

Jonathan
--
Jonathan Marsden    | Internet: [EMAIL PROTECTED]   | Making electronic
1252 Judson Street  | Phone: +1 (909) 795-3877  | communications work
Redlands, CA 92374  | Fax:   +1 (909) 795-0327  | reliably for Christian
USA                 | http://www.xc.org/jonathan| missions worldwide



RE: Is it possible to store user contact/ address book in imap server?

2003-07-15 Thread David H. Lynch Jr.

There is nothing special about contact/address book information.
There is no reason you can not store contacts, tasks, calendar items,
... in any IMAP server you choose. All they are is specially formatted
messages.

The problem is that there are no IMAP clients that can properly
understand and treat those messages as contacts, tasks, ...

With enormous difficulty it is possible to view contacts etc.
stored on an IMAP server with Outlook 2000. But it is not possible to
edit them or save new ones. I had hopes that Outlook 2002 would resolve
this - but it actually made the situation worse. You can not even
succeed in viewing a contact on an IMAP server.

Outlook actually goes out of its way to have less functionality
when talking IMAP than MAPI.



altnamespace question

2003-02-27 Thread David H. Lynch Jr.

Does subaddressing work when altnamespace is enabled?

I am sending to [EMAIL PROTECTED] But the message ends
up in the user's inbox. Folder exists, and it has the correct name, the case is
right and I have lmtp downcase on anyway.


RE: Cyrus IMAPd 2.1.10 Released

2002-11-17 Thread David H. Lynch Jr.
The critical question is what do you want to accomplish?

If all you are after is a plain ASCII text copy of the documentation,
then yes plain text is the easiest to maintain.
I think pretty much anything can be maintained at a distance. I am not
sure how one is superior to the other there.
But the moment you start talking about wanting it in multiple formats
you better seriously look at something else.
There are other choices besides SGML/XML/DocBook, and a religious war
could ensue over trying to compare them.
The easiest to use is always the one you already know.
But assuming that you do not have a lot of knowledge invested in one,
then I would suggest DocBook. It is SGML/XML compliant, there are lots
of tools, it can be easily translated to anything, and from what I can
see it is getting very heavily used.

But if somebody will actually maintain the documentation, I would not
care what they used.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Dennis K
Sent: Saturday, November 16, 2002 6:25 PM
To: 'Oleksandr Firsov'
Cc: [EMAIL PROTECTED]
Subject: RE: Cyrus IMAPd 2.1.10 Released



Correct me if I'm wrong, SGML and XML were interrelated, closely, 
Plus, XSLT transformations are a pain in themselves altogether, to the
point where plain text wins in terms of maintenance and production.

I believe a set of plaintext documentation can be maintained with RCS,
CVS or SCCS without problems by a distanced dev team, while XSLT will
require proper usage by the author manuals etc...

LaTeX (TeX) are not stone age, XML has been around for a while as well,
just not used, but around.

(All this IMHO of course)

- DK


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Oleksandr
Firsov
Sent: Friday, November 15, 2002 9:56 AM
To: Rob Siemborski; Andrew McNamara
Cc: [EMAIL PROTECTED]
Subject: Re: Cyrus IMAPd 2.1.10 Released 

Guys/girls, what are you talking about?
doc tool, LaTeX, etc... Those are stone age terms.

I am not familiar with the product discussed above, but for structured data
there exists a de facto standard which is used for such purposes. This is
XML (a kind of SGML) and some technology around it.
In a few words, for such kinds of docs you need a DTD (structure
definition file), an XML-formatted document and XSL transformation
files.
If no one is familiar with DTD, there are tools to create it from sample
XML. Then there are a bunch of XML editors, which can use the DTD to make
editing much easier. Depending on the target format (text, HTML, PDF, DOC,
etc.), XSL transformations should be created. For HTML and text, it is
better to do it manually. But you can use automated tools as well.

We are using this technology for web site and applications
configuration.

I can tell more...
SunS

- Original Message -
From: Andrew McNamara [EMAIL PROTECTED]
To: Rob Siemborski [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, November 14, 2002 9:44 PM
Subject: Re: Cyrus IMAPd 2.1.10 Released


> I feel that moving back to only plaintext is a step backwards.  I don't
> know much about SGML myself, so I'm not sure I'd want to be stuck
> maintaining that, but it sounds interesting enough (and it would be nice
> to have general tools for keeping the documentation formatted, instead of
> worrying when htmlstrip would next break).
>
> You could do worse than look at the Python documentation. The production
> doco is current LaTeX with a bunch of custom macros. HTML, PDF, etc are
> generated off the master LaTeX markup. There is a background project to
> use SGML (I think), but it's not there yet.
>
> Our company (not me personally) looked at doco tools a while back and came
> to the conclusion that LaTeX was still the best choice out of a bad lot -
> SGML was the next closest, although the tools were still rather immature.
>
> --
> Andrew McNamara, Senior Developer, Object Craft
> http://www.object-craft.com.au/

RE: SASL Docs

2002-11-07 Thread David H. Lynch Jr.


Sorry, I was not meaning to imply that you were responsible for the
documentation.

I believe many months ago Ken produced an ASCII chart that graphically
represented much of this. I did not understand it at the time, and I am
not sure I fully grasp it yet, but I am an architect and I tend to think
visually.

Is the distinction between auxprop methods that use auxprop and those
that do not, the requirement for a database (outside of any that
Kerberos, etc. might maintain on its own)?

LDAP has been used for authentication - much the same way as rimap,
but I do understand that it is really a directory database, not an
authentication protocol. All I was trying to say regarding LDAP, MySQL,
... is that some methods require an independent database, and there are
a variety of choices for that database.

I believe I grasp the difference between saslauthd, auxprop and other
SASL native methods.

If I do not want to have to maintain an independent database of users
and secrets of some kind, my choices are GSSAPI, LOGIN, PLAIN, krb4,
ANONYMOUS, and saslauthd.

krb4 and ANONYMOUS are not relevant to what I need.

While I have not yet succeeded with GSSAPI, there appears to be
sufficient documentation, and my problems are most likely with the
idiosyncrasies of integrating with M$'s Kerberos.
God forbid M$ should actually follow a standard.

Unless LOGIN or PLAIN trigger PAM, they do not help either.

saslauthd is inherently less secure, but that is not a huge problem as
for the moment the clients I have to deal with are going to be providing
plain text passwords anyway.

saslauthd provides another set of choices, the most potentially useful
to me are kerberos5 and pam.

What little information I can find on saslauthd/kerberos5 seems to
indicate that it does not require as much to be configured correctly as
SASL/GSSAPI, but I can not find any documentation. It does not appear to
take information from the local kerberos configuration; when I tried it,
the auth.log messages indicated a blank realm (nor I suspect where the
kdc was to validate against) regardless of the realm information in
imapd.conf or whatever was appended to the user ID.

Which leaves me stuck with PAM primarily because I can get there and
there is significantly more information regarding configuring it.

-Original Message-
From: Rob Siemborski [mailto:rjs3;andrew.cmu.edu] 
Sent: Thursday, November 07, 2002 9:24 AM
To: David H. Lynch Jr.
Cc: [EMAIL PROTECTED]
Subject: RE: SASL Docs


On Thu, 7 Nov 2002, David H. Lynch Jr. wrote:

> It does not help that virtually all the HOWTO's that are on the
> net, as well as the book, are all pretty much obsolete and this
> particular issue is the one they are most out of date about.

These resources aren't maintained by us, so there is very little we can
do about this.

> Most aspects of setting Cyrus IMAP up are not particularly difficult.
> But authorization/authentication is excruciatingly complex.

This is because it is a complicated issue.  Integrating cleanly with the
number of different authentication/authorization systems that are in
production throughout the world results in a large number of
possibilities.

> let me see if I understand correctly:
> no method except sasldb actually depends on sasldb.

sasldb isn't a method per se.  It's just an auxprop plugin.  Think of it
as a database access method.

> However some methods require some form of local user database, and
> sasldb can be used to supply that database for those methods.

Yes.

> The methods that do NOT require a local user database are:
> LOGIN, PLAIN, GSSAPI, Kerberos_V4, and ANONYMOUS.

These are the methods that don't require an auxprop plugin.

> (local above means specific to SASL, since LDAP or MYSQL could be
> remote)

I'm not sure what the distinction here is.  MySQL can supply the needed
information as it is distributed by SASL.  There's also an LDAP auxprop
plugin that is available from a third party, but we're not interested in
integrating for various reasons.

> I am assuming LDAP for SASL purposes is only a place to store under
> information NOT an authentication method ?

LDAP is only a directory access protocol, and therefore a place to store
information.  It's not an authentication method at all.

> As best as I can tell the distinction between auxprop methods and
> saslauthd methods, is that an auxprop method could involve exchanging
> authentication information

RE: SASL Docs

2002-11-07 Thread David H. Lynch Jr.
While I still hope to get something else working -

In my perfect world I would have kerberos working between the
systems (right now I have working krb5.conf, and a keytab, and I can
kinit against the W2K KDC, but saslauthd/pam_krb5, saslauthd/kerberos5
and GSSAPI all are unhappy).
Of course in my dreams either MIT or Heimdal kerberos knows how
to work as the kdc for W2K, and maybe openldap knows how to replace M$'s
LDAP. In fact while I am dreaming AutoCAD runs under Linux and W2K
can go to @#$?.

In a less perfect world (or maybe not) I would have either
saslauthd/pam_smbpass or saslauthd/pam_winbind working.
I am working on that right now, with marginal success.

But I could give up soon and then I would settle for anything
that did not require me to maintain multiple user lists all over the
place. Anyway, yes I would greatly appreciate whatever information you
can share on authenticating against a W2K AD. This is probably the only
thing stopping me from killing off exchange. Exchange has died for me
almost every xmas holiday for the past 4 or 5 years, requiring massive
amounts of effort to recover and just generally ruining my holiday. My
goal is to kill it off before it kills me.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:owner-info-cyrus;lists.andrew.cmu.edu] On Behalf Of Hank Beatty
Sent: Thursday, November 07, 2002 2:26 PM
To: [EMAIL PROTECTED]
Subject: Re: SASL Docs


David,

I have a setup where I have Cyrus using saslauthd. Saslauthd is set up
to use PAM. PAM is using PAM_LDAP and PAM_LDAP is authenticating against
a MS AD domain controller.

That was probably the long way around, but it made sense at the time.

If you (or anyone else) are interested in how I did this let me know.

SASL Docs

2002-11-04 Thread David H. Lynch Jr.
 
I have successfully set up an auxprop/sasldb configuration, but I have
been unsuccessful in getting any authorization/authentication scheme
that is more complex working.

My problems seem to come from a weak understanding of SASL. I
have searched the net, the archives, and while there are RFCs and
programming information I have not found anything that approximates a
user's guide to using SASL.

If I select a particular authentication module - say GSSAPI or NTLM,
where does it get any configuration information it might need, and how
do I figure out what options there are? I have even looked through the
source for some of the modules and cursory looks are not revealing.

Can someone point me to some kind of user docs for libsasl 2.1.9?

Something that would answer questions like:
Do all methods depend on sasldb?
What are the options for each module and how do you set them?
What is the difference between LOGIN and PLAIN?

In the short run I am looking to do as much of the
authorization/authentication against something (Kerberos, NTLM, LDAP, ?)
in a W2K domain, and have as little duplicate setup on the Linux system.
In the long run I hope to kill off all W2K servers and move those
services to Linux, but today I would settle for not having to create and
maintain a whole new database of user IDs and passwords on the Linux
servers.

Authentication

2000-12-05 Thread David H. Lynch Jr.


I have to confess to a great deal of confusion regarding authentication
issues.

I am trying to get to a point where I can move Cyrus in to replace an
exchange system. I am getting tired of doing recovery of the exchange
mailstore when it bi-annually decides to self destruct.
Almost all the clients are Outlook 2000 using IMAP.

Does the IMAP client have to support the authentication method chosen?
I have not read the details of the IMAP spec, but wouldn't Outlook have to
support Kerberos to be able to make use of it?

I would like to run Cyrus as a black box on a Linux machine. I do not care
and would probably prefer if the accounts on the Linux machine had nothing
to do with the mail accounts. I would prefer that the mail accounts were
authorized against a W2K DC. I am gathering that gives me authentication
choices of:
PAM
NTLM
K5
LDAP
Or K5 direct from SASL.

Since I do not need the IMAP users to validate in any other way on the Linux
box, a SASL direct method seems more appropriate than PAM. Which seems to
suggest K5.

However trying to connect Cyrus via K5 to a W2K DC seems to have an
enormous number of unknowns.

If the only thing I am using K5 for is Cyrus, do I need any other client or
server authentication tools - i.e. Heimdal, or MIT K5 on the Linux box? Do
I need to create a service account on the W2K DC for Cyrus? Do I need to
create a machine account for the Linux box? After I have all of this
working - if that is even possible, is Outlook going to be happy?