Cyrus IMAP Sieve client with StartTLS: Connection reset by peer

2010-05-31 Thread Evgeniy Arbatov
Hello,

I am trying to write a Sieve client that would support StartTLS (since
the default sieveshell does not have the StartTLS option). I got the
plain text version of my code to work. However, the StartTLS version
is not working, although I am sending identical commands with and
without encryption.

For reference, the plain text Sieve client in Python is:

conn.send('AUTHENTICATE PLAIN {' + str(len(user)) + '+}' +
'\x0d\x0a'+ user + '\x0d\x0a'); re = conn.recv(1024)
conn.send('PUTSCRIPT sieve {' + str(len(scriptFile))+ '+}\x0d\x0a')
conn.send(scriptFile + '\n'); re = conn.recv(1024)
conn.send('SETACTIVE sieve\x0d\x0a'); re = conn.recv(1024)
conn.send('LOGOUT\x0d\x0a')

The same thing using SSL:

conn.send('STARTTLS\n'); print conn.recv(1024),
sslConn = ssl.wrap_socket(conn)

sslConn.write('AUTHENTICATE PLAIN {' + str(len(user)) + '+}'
+ '\x0d\x0a'+ user + '\x0d\x0a')
sslConn.write(user+'\n'); re = sslConn.read()

sslConn.write('PUTSCRIPT sieve {' + str(len(scriptFile))+
'+}\x0d\x0a')
sslConn.write(scriptFile + '\x0d\x0a'); re = sslConn.read()
(1)sslConn.write('SETACTIVE sieve\x0d\x0a'); re = sslConn.read()
sslConn.write('LOGOUT\x0d\x0a')

After the command in (1) the SSL connection fails returning either:

Traceback (most recent call last):
  File "./sieveManage.py", line 94, in <module>
    sslConn.write('SETACTIVE sieve\x0d\x0a'); re = sslConn.read()
  File "/usr/lib/python2.6/ssl.py", line 136, in read
    return self._sslobj.read(len)
socket.error: [Errno 104] Connection reset by peer

Or an empty string in 're'.

The Cyrus IMAP 2.3.14 logs for Sieve client with SSL contain:

  sieve[26244]: canonified arbatove -> arbatove
  sieve[26244]: login: host[10.0.0.1] arbatove PLAIN+TLS User logged in
  sieve[26244]: Lost connection to client -- exiting
  master[28419]: process 26244 exited, status 0

If you want to see the whole client code, I put it here
http://pastebin.com/ALiXccVC

Can you please help me to find the problem?

Thank you very much!

Evgeniy

PS: Earlier I was trying to use Perl's Net::Sieve with TLS. There
StartTLS also failed without a good reason.

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
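
Added example for the ManageSieve exchange in the post above (not the poster's code and not part of Cyrus): following RFC 5804, it reads each reply up to its final OK/NO/BYE line rather than relying on a single recv(1024), sends literals as {N+}, and verifies the server certificate when upgrading after STARTTLS. The function names and the sample reply are constructed for illustration.

```python
import base64
import re
import ssl

FINAL = re.compile(rb'^(OK|NO|BYE)\b', re.I)   # a response ends with one of these
LITERAL = re.compile(rb'\{(\d+)\+?\}$')        # {N} or {N+} closing a line

def literal(data):
    """Non-synchronizing literal: {N+} CRLF, then exactly N octets."""
    return b'{%d+}\r\n' % len(data) + data

def auth_plain(user, password, authzid=''):
    """AUTHENTICATE with the base64 SASL PLAIN initial response."""
    token = '\0'.join((authzid, user, password)).encode()
    return b'AUTHENTICATE "PLAIN" ' + literal(base64.b64encode(token)) + b'\r\n'

def put_script(name, script):
    """PUTSCRIPT; assumes name contains no quote or backslash characters."""
    return b'PUTSCRIPT "%s" ' % name.encode() + literal(script) + b'\r\n'

def read_response(rfile):
    """Read until the final OK/NO/BYE line; return (status, lines).
    Literal payloads are read by length, so their content is never taken
    for a status line. Assumes a literal is the last item on its line."""
    lines = []
    while True:
        line = rfile.readline()
        if not line:  # EOF: the peer closed the connection
            raise ConnectionError('connection closed before a final response')
        line = line.rstrip(b'\r\n')
        lines.append(line)
        status, lit = FINAL.match(line), LITERAL.search(line)
        if lit:
            lines.append(rfile.read(int(lit.group(1))))
            rfile.readline()  # CRLF that ends the line carrying the literal
        if status:
            return status.group(1).upper().decode(), lines

def starttls(sock, hostname):
    """Send STARTTLS, wait for OK, then upgrade with chain and hostname checks."""
    sock.sendall(b'STARTTLS\r\n')
    if read_response(sock.makefile('rb'))[0] != 'OK':
        raise ConnectionError('STARTTLS refused')
    return ssl.create_default_context().wrap_socket(sock, server_hostname=hostname)

# Constructed sample: a GETSCRIPT reply whose script body has a line starting with "OK".
SCRIPT = b'require "vacation";\r\nvacation text:\r\nOK, I am away.\r\n.\r\n;\r\n'
SAMPLE_REPLY = b'{%d}\r\n' % len(SCRIPT) + SCRIPT + b'\r\nOK\r\n'
```

A server that follows RFC 5804 re-sends its capabilities once TLS is established, so that reply is read with read_response on the TLS socket before AUTHENTICATE is sent.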


Re: Cyrus SPAM folder creation

2010-05-03 Thread Evgeniy Arbatov
Try using something like this:

createonpost: 1
autocreateinboxfolders: Sent|Drafts|Spam|Trash
autosubscribeinboxfolders:  Sent|Drafts|Spam|Trash

Cheers,

Evgeniy

2010/5/3 Juan-Francisco Diez Léglise jfd...@adrinfor.com:
 Hi everyone,

 I'm new to cyrus-imapd configuration. I installed it well and it seems to
 work fine. But I have a doubt with one thing:

 ¿Is it possible to create a spam folder automatically when the mailbox
 is created?

 I don't find any information in the net about this. I hope someone can
 explain how to do this.

 Thanks,

 Juan-Francisco Diez
 


Authorization with ptloader: Linux and LDAP backend combined

2010-01-13 Thread Evgeniy Arbatov
Hello,

I have got one more problem with Cyrus IMAP and SASL/ptloader, that
does not allow me to be entirely happy with my setup.

The issue is that I want to be able to store the Cyrus IMAP admin
credentials locally on the Linux server, while all other users are
using LDAP backend for login. I thought of using PAM in saslauthd, but
this does not work, because I also use ptloader on the Cyrus IMAP
server and hence all the authentication is working well, but the
authorization fails (because ptloader always tries to query LDAP).

Is there a way to specify two different auth/author backends for
ptloader and SASL?

My imapd.conf is here http://pastebin.com/m49b3ea6d

Thank you!

Best regards,
Evgeniy



Re: Same mailbox with different logins

2009-09-21 Thread Evgeniy Arbatov
Thank you for your replies! I've decided to go with canon_user plugin.
My next question is how to use this plugin. I am trying to use LDAP
as the authentication backend. What I could find are the following imapd.conf
settings:

sasl_pwcheck_method: saslauthd
sasl_mech_list: login plain
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldap://ldap.example.net/
sasl_ldapdb_canon_attr: mail
sasl_canon_user_plugin: ldapd
imap_sasl_canon_user_plugin: ldapdb
pop3_sasl_canon_user_plugin: ldapdb

Will this give me canonified username - firstname.lastn...@domain? Do
I need to make changes to LDAP for those settings to work?

After I configure this ldapdb plugin I see in logs:

mail imaps[10161]: canonified earbatov -> earbatov
mail imaps[10161]: badlogin: host [10.10.10.10] plain [SASL(-4): no
mechanism available: desired canon_user plugin ldapdb not found]
mail imaps[10161]: badlogin: host [10.10.10.10] plaintext earbatov
SASL(-4): no mechanism available: desired canon_user plugin ldapdb not
found

I put my complete imapd.conf here http://pastebin.com/m2dbf3951

Evgeniy



Same mailbox with different logins

2009-09-18 Thread Evgeniy Arbatov
Hello,

A question: I want users authenticating with two different usernames
to Cyrus IMAP to be able to access the same mailbox.

For example, I wish this to be the case (login name - mailbox):

username - user/firstname.lastn...@domain
firstname.lastn...@domain -  user/firstname.lastn...@domain

What would be the way to proceed?

At the moment I have:

username - user/username
firstname.lastn...@domain -  user/firstname.lastn...@domain

With the two mailboxes being completely separate.

Thank you in advance!

Best regards,
Evgeniy



Re: Ptloader configuration in Cyrus IMAP

2009-08-31 Thread Evgeniy Arbatov
Hello,

Finally I am able to get the ptloader working. In my case the major
issue was that I used Cyrus IMAP 2.3.7, which has a segmentation fault
when reading from LDAP. This issue was previously discussed in
http://www.irbs.net/internet/info-cyrus/0608/0129.html. I solved the
problem by updating to Cyrus IMAP 2.3.14 + doing the above-mentioned
configuration changes.

Evgeniy



Re: Ptloader configuration in Cyrus IMAP

2009-08-20 Thread Evgeniy Arbatov
Thank you for your suggestions! They helped me a great deal.
The situation is better now, in the sense that ptloader connects to LDAP
and finds something.

After corrections my imapd.conf:

auth_mech: pts
pts_module: ldap
ptloader_sock: /var/lib/imap/socket/ptsock
ldap_uri: ldaps://ldap.example.com:636
ldap_sasl: 0
ldap_size_limit: 20
ldap_filter: (uid=%U)
ldap_group_filter: (cn=%u)
ldap_member_method: filter
ldap_member_filter: (memberUid=%u)
ldap_member_attribute: cn
ldap_base: dc=example,dc=com
ldap_group_base: ou=groups,ou=people,dc=example,dc=com
ldap_member_base: ou=groups,ou=people,dc=example,dc=com

The LDAP now looks as follows:

dn: cn=admins,ou=groups,ou=people,dc=example,dc=com
cn: admins
memberUid: earbatov
memberUid: user

I modified the permissions for the admins group:

sam user/postmaster group:admins lrswipkxte

The logs for ptloader now have:

 mail imaps[17540]: ptload(): pinging ptloader
 mail imaps[17540]: connected with no delay
 mail imaps[17540]: ptload(): connected
 mail imaps[17540]: timeout_select: sock = 17, rp = 0x0, wp =
0x4aa71af0, sec = 30
 mail imaps[17540]: timeout_select exiting. r = 1; errno = 0
 mail ptloader[17538]: accepted connection
 mail imaps[17540]: ptload sent data
 mail imaps[17540]: timeout_select: sock = 17, rp = 0x4aa71b70, wp =
0x0, sec = 30
 mail imaps[17540]: timeout_select exiting. r = 1; errno = 0
 mail imaps[17540]: ptload read data back
 mail imaps[17540]: ptload(): empty response from ptloader server
 mail master[17508]: process 17538 exited, signaled to death by 11
 mail master[17508]: service ptloader pid 17538 in READY state:
terminated abnormally
 mail imaps[17540]: No data available at all from ptload()
 mail imaps[17540]: ptload completely failed: unable to canonify
identifier: earbatov
 mail imaps[17540]: badlogin: net.example.com [192.168.0.78] plaintext
earbatov invalid user
 mail master[17613]: about to exec /usr/lib/cyrus-imapd/ptloader
 mail ptloader[17613]: executed
 mail ptloader[17613]: starting: $Id: ptloader.c,v 1.32.2.9 2005/02/25
07:19:06 shadow Exp $

The LDAP logs show this:

ldap slapd[30259]: conn=20 op=2 SRCH
base=ou=groups,ou=people,dc=example,dc=com scope=2 deref=0
filter=(memberUid=earbatov)
ldap slapd[30259]: conn=20 op=2 SRCH attr=cn
ldap slapd[30259]: conn=20 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=

And the ptdump tells:

user: admins time: 1250751529 groups: 0
user: cyrusimap time: 1250751556 groups: 0
user: group:admins time: 1250751780 groups: 0
user: postmaster time: 1250751701 groups: 0

Needless to say, the authorization fails, without even giving me
access to usual, not shared mailboxes.

 EA pts_module: ldap

 This module is currently very difficult to configure, IMHO.
 That's true. :) But it's doable.

I would be glad not to use this pts_module, but if I leave it to defaults I see:

 mail ptloader[18396]: starting: $Id: ptloader.c,v 1.32.2.9 2005/02/25
07:19:06 shadow Exp $
 mail ptloader[18396]: PTS module afskrb not supported
 mail master[18364]: process 18428 exited, status 75
 mail master[18364]: service ptloader pid 18428 in READY state:
terminated abnormally

Please refer me to any instructions on pts_module, if I do need to make changes.

One more question: I am confused about the role of ldap_group_filter
and ldap_group_base. Isn't ldap_member* enough?

Evgeniy



Ptloader configuration in Cyrus IMAP

2009-08-19 Thread Evgeniy Arbatov
Dear list,

I want to ask your advice on the use of ptloader for LDAP-based
authorization in Cyrus IMAP.

I configured my Cyrus IMAP to use ptloader:

ldap_uri: ldaps://ldap.example.com:636

ldap_sasl: 0
pts_module: ldap

ldap_filter: (uid=%U)
ldap_base: dc=example,dc=com

ldap_group_filter: (cn=%u)
ldap_group_base: ou=groups,ou=people,dc=example,dc=com

ldap_member_method: attribute
ldap_member_attribute: member
ldap_member_base: ou=users,ou=people,dc=example,dc=com

ldap_size_limit: 20

In the LDAP I have the following entries:

dn: cn=admins,ou=groups,ou=people,dc=example,dc=com
uid: admins
member: cn=Evgeniy Arbatov,ou=users,ou=people,dc=example,dc=com

dn: cn=Evgeniy Arbatov,ou=users,ou=people,dc=example,dc=com
uid: earbatov

Via cyradm I add needed permissions for admins group:

 sam user/postmaster admins lrswipkxte

Then I successfully authenticate using earbatov UID, but shared
folders are not visible in the Thunderbird.

Moreover, I do not see any attempts of Cyrus IMAP to query LDAP for
authorization information. I know that TLS is working for this LDAP
connection.

Can you tell where I am wrong?

Thank you very much!

Regards,
Evgeniy



Cyrus IMAP mailboxes with LDAP

2009-07-03 Thread Evgeniy Arbatov
Hello,

I am looking for a way to store mailbox quotas and ACLs for Cyrus IMAP in
LDAP. Is there a ready made solution for this purpose? If not, how can it be
possibly done? Thank you!

Regards,
Evgeniy


Re: Cyrus IMAP SASL authentication failure

2009-06-18 Thread Evgeniy Arbatov
Thank you for your suggestions! I figured out what was the problem in my
case.

This was the OPTIONS setting in /etc/default/saslauthd. Since I run my
Postfix chrooted I had:
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

In order for cyradm to identify users using saslauthd, I also added
the default OPTIONS setting to the /etc/default/saslauthd file. So, my final
settings look like this:

OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
OPTIONS="-c -m /var/run/saslauthd"

Regards,
Evgeniy

On Wed, Jun 17, 2009 at 4:12 PM, Jorey Bump l...@joreybump.com wrote:

 Vladimir Vassiliev wrote, at 06/17/2009 09:02 AM:
  Here is an extract from my imapd.conf file:
 
  admins: cyrus
  imap_admins: cyrus
  sasl_mech_list: LOGIN
  sasl_minimum_layer: 1
  sasl_maximum_layer: 256
  sasl_pwcheck_method: saslauthd
 
  Maybe it's because of sasl_minimum_layer: 1
  LOGIN gives you no security layer.
 

 Indeed. Try:

  cyradm --user cyrus --auth login localhost -tls

 

Cyrus IMAP SASL authentication failure

2009-06-17 Thread Evgeniy Arbatov
Hello,

I have a problem with Cyrus IMAP SASL authentication.

When I try to login to create Cyrus IMAP mailboxes, I see the following:

$ cyradm --user cyrus --auth login localhost
IMAP Password:
Login failed: generic failure at /usr/lib/perl5/Cyrus/IMAP/Admin.pm line 119
cyradm: cannot authenticate to server with login as cyrus

This message appears even when I enter an incorrect password. Can I be missing
some of the packages (I am running Ubuntu 9.04)?
I use the sasldb authentication mechanism for saslauthd.

Here is an extract from my imapd.conf file:

admins: cyrus
imap_admins: cyrus
sasl_mech_list: LOGIN
sasl_minimum_layer: 1
sasl_maximum_layer: 256
sasl_pwcheck_method: saslauthd

This is what I see in my /var/log/mail.log
cyrus/imap[7257]: badlogin: localhost [::1] plaintext cyrus SASL(-1):
generic failure: checkpass failed

If I try to telnet on imap port I have:

Connected to localhost.
Escape character is '^]'.
* OK computer Cyrus IMAP4 v2.2.13-Debian-2.2.13-14ubuntu3 server ready
imap login cyrus password
imap NO Login failed: generic failure

An interesting thing is that I have already setup Postfix sasldb
authentication on the same host and it works fine.

Any advice is much appreciated! Thank you in advance!

Regards,
Evgeniy
