On 07/28/15 16:37 +, Forster, Gabriel wrote:
>Hello,
>
>This was asked in the Kolab list, but they mentioned this list may be more
>appropriate:
>
>Trying to get Kolab 3.4 set up in a distributed environment. The last piece of
>the puzzle seems to be getting Cyrus configured correctly for a murder
>environment. Currently, only using 1 frontend and one backend.
>
>mupdatetest and testsaslauthd checks seem to work fine. But, when trying to
>create a user account using the command-line cyradm tools, from the backend,
>I'm getting the following error:
>
>
>cyradm -t "" -u kolab -w "${password}" ${cyrus_host}
>
>verify error:num=18:self signed certificate
>
>> cm user/kolab3test
>
>verify error:num=18:self signed certificate
>
>Invalid user at /usr/lib64/perl5/vendor_perl/Cyrus/IMAP/Admin.pm line 118
>
>cyradm: cannot authenticate to [redacted.fqdn.backend.server]
>
>
>and directly from the frontend:
>
>> cm user/kolab3test
>
>Password:
>
>IMAP Password:
>
> Invalid user at /usr/lib64/perl5/vendor_perl/Cyrus/IMAP/Admin.pm line 118
>
>cyradm: cannot authenticate to [redacted.fqdn.backend.server]
>
>
>/var/log/messages on the backend only shows "perl: No worthy mechs found"
>
>and /var/log/maillog says:
>
> imap[27001]: SASL bad userid authenticated
>
>imap[27001]: badlogin: [redacted.fqdn.frontend.server] [10.2.1.26] PLAIN [SASL(-13): authentication failure: bad userid authenticated]
Check your auth facility syslog (e.g. /var/log/auth.log) as well.
Verify your configuration with:
http://cyrusimap.org/docs/cyrus-imapd/2.5.4/install-murder.php
For further assistance, provide redacted copies of your /etc/imapd.conf,
/etc/cyrus.conf, and saslauthd.conf (if existing) files for both the
frontend and backend servers.
--
Dan White
___
Thanks for the response. Redacted versions of /etc/imapd.conf,
/etc/saslauthd.conf and /etc/cyrus.conf for both frontend and backend servers
are below.
BACKEND /etc/imapd.conf
configdirectory: /srv/imap/be/lib
# partition-default: /var/spool/imap
partition-default: /srv/imap/be/spool
# admins: kolab
admins: kolab
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
# sasl_pwcheck_method: saslauthd
sasl_pwcheck_method: saslauthd
# sasl_mech_list: PLAIN LOGIN
sasl_mech_list: PLAIN
# allowplaintext: no
allowplaintext: 1
tls_server_cert: /var/imap/server.pem
tls_server_key: /var/imap/server.pem
# tls_server_ca_file: /var/imap/server.pem
# tls_client_ca_file: /var/imap/server.pem
# uncomment this if you're operating in a DSCP environment (RFC-4594)
# qosmarking: af13
auth_mech: pts
pts_module: ldap
ldap_servers: {redacted}
ldap_sasl: 0
ldap_base: ou=people,o=intra,dc={redacted},dc={redacted}
ldap_bind_dn: uid={redacted},ou=People,o={redacted},dc={redacted},dc={redacted}
ldap_password: F@{redacted}
ldap_filter: {redacted}
ldap_user_attribute: uid
ldap_group_base: o=intra,dc={redacted},dc={redacted}
ldap_bind_dn: uid={redacted},ou=People,o=intra,dc={redacted},dc={redacted}
ldap_password: {redacted}
ldap_filter:{redacted}
ldap_user_attribute: uid
ldap_group_base: o=intra,dc={redacted},dc={redacted}
ldap_group_filter: (&(cn=%u)(objectclass=ldapsubentry)(objectclass=nsroledefinition))
ldap_group_scope: one
ldap_member_base: ou=People,o=intra,dc={redacted},dc={redacted}
ldap_member_method: attribute
ldap_member_attribute: nsrole
ldap_restart: 1
ldap_timeout: 10
ldap_time_limit: 10
# allowallsubscribe: 0
allowallsubscribe: 1
allowusermoves: 1
altnamespace: 1
hashimapspool: 1
unixhierarchysep: 1
annotation_definitions: /etc/imapd.annotations.conf
sieve_extensions: fileinto reject envelope body vacation imapflags notify include regex subaddress relational copy date index
anysievefolder: 1
fulldirhash: 0
sieveusehomedir: 0
# sieve_allowreferrals: 0
sieve_allowreferrals: 1
lmtp_downcase_rcpt: 1
lmtp_fuzzy_mailbox_match: 1
username_tolower: 1
deletedprefix: DELETED
delete_mode: delayed
expunge_mode: delayed
# This value not in Kolab 2
postuser: shared
# Only run a murder on the master site
# We run a discreet murder
mupdate_config: standard
# Mailbox master runs on the first frontend
mupdate_server: {redacted}
mupdate_port: 3905
mupdate_authname: {redacted}
mupdate_username: {redacted}
mupdate_password: {redacted}-
# proxyservers: murder
proxyservers: {redacted}
proxy_authname: {redacted}
proxy_password: {redacted}-
# virtdomains: userid
virtdomains: off
FRONTEND /etc/imapd.conf
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: {redacted}
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
sasl_pwcheck_method: saslauthd auxprop
sasl_auxprop_plugin: sasldb
sasl_mech_list: PLAIN
allowplaintext: 1
auth_mech: pts
pts_module: ldap
ldap_servers: ldap://{redacted}
ldap_sasl: 0
ldap_base: ou=people