imtest -u user not what I think it is?
Why is 'cyrus' not being used as the user below?

bin:imap ./imtest -u cyrus -v -m login
WARNING: no hostname supplied, assuming localhost
S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN SASL-IR] imap.foo.com Cyrus IMAP v2.x server ready
Please enter your password:
C: L01 LOGIN jblaine {8} -
S: + go ahead
C: omitted
S: L01 NO Login failed: generic failure
Authentication failed. generic failure
Security strength factor: 0
^CC: Q01 LOGOUT
Connection closed.

bin:imap sudo ./imtest -u cyrus -v -m login
WARNING: no hostname supplied, assuming localhost
S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN SASL-IR] imap.foo.com Cyrus IMAP v2.x server ready
Please enter your password:
C: L01 LOGIN root {8}
S: + go ahead
C: omitted
S: L01 NO Login failed: generic failure
Authentication failed. generic failure
Security strength factor: 0
^CC: Q01 LOGOUT
Connection closed.

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: imtest -u user not what I think it is?
Nevermind. I get it now. Is there a known problem with @ in IMAP passwords?

Jeff Blaine wrote:

Why is 'cyrus' not being used as the user below?

bin:imap ./imtest -u cyrus -v -m login
WARNING: no hostname supplied, assuming localhost
S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN SASL-IR] imap.foo.com Cyrus IMAP v2.x server ready
Please enter your password:
C: L01 LOGIN jblaine {8} -
S: + go ahead
C: omitted
S: L01 NO Login failed: generic failure
Authentication failed. generic failure
Security strength factor: 0
^CC: Q01 LOGOUT
Connection closed.

bin:imap sudo ./imtest -u cyrus -v -m login
WARNING: no hostname supplied, assuming localhost
S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN SASL-IR] imap.foo.com Cyrus IMAP v2.x server ready
Please enter your password:
C: L01 LOGIN root {8}
S: + go ahead
C: omitted
S: L01 NO Login failed: generic failure
Authentication failed. generic failure
Security strength factor: 0
^CC: Q01 LOGOUT
Connection closed.
Re: Weekly/Monthly record-keeping / maintenance?
I lied, quoting works when you use the right quotes. Double quotes, not single.

my ($rc, $msg) = $cyrus->send('', '', "EXAMINE $mb");

should become

my ($rc, $msg) = $cyrus->send('', '', "EXAMINE \"$mb\"");

... for a better imapdu.pl

Jeff Blaine wrote:

I tried both a) escaping spaces in $mb b) quoting $mb

Neither worked. That's about as far as I delve into Perl anymore, so I'm happy to just retract my note to our users about this tool.

Bron Gondwana wrote:

On Thu, Apr 02, 2009 at 10:42:23AM -0400, Jeff Blaine wrote:

Okay, well, for what it's worth, I fixed all of the problems prohibiting me from running a quota -f to completion.

The problem: imapdu.pl is buggy

Doh.

It fails to do the right thing with mailboxes containing a space in the name.

Yeah, that's not entirely a surprise. Spaces in names confuse lots of stuff.

...
1.46 MB 114 msgs INBOX.BMP
1.46 MB 114 msgs INBOX.Bio Stuff
0.00 bytes 0 msgs INBOX.Drafts
1.25 MB 36 msgs INBOX.HLT
1.25 MB 36 msgs INBOX.Information Retrieval
...

# $Id: imapdu.pl,v 1.9 2008/04/04 12:47:14 murch Exp $

I don't suppose 'murch', the author of the code reads this list?

Yeah, he's around, though he doesn't always see stuff as quickly if it's only sent to the list. I've CC'd him. That said, he's likely not the author - just the last person that changed things. Given that he did a giant sweeping copyright update of nearly every file in the tree a couple of months ago...

my ($rc, $msg) = $cyrus->send('', '', "EXAMINE $mb");
if ($rc eq 'OK') {
} else {
    print "failed: $mb: $msg\n";
}

Apart from being icky perl, that will fail to change mailboxes because the EXAMINE command will have dodgy syntax. I'm not entirely sure why you're not seeing the 'failed' messages though...

The $mb needs to be at least quoted - which is why I generally use something like Mail::IMAPTalk that can do correct protocol quoting.

Ahh - it probably does output the failed stuff further up.

Bron.
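Added example, not part of the thread and not code from imapdu.pl: the protocol quoting that the fix above relies on, written in Python rather than the script's Perl. It goes beyond the space case to embedded quotes, backslashes and line breaks under RFC 3501's astring rules; the function names are hypothetical, and mailbox names are assumed to be in ASCII wire form (modified UTF-7) already.

```python
import re

# RFC 3501 atom-specials: ( ) { SP CTL % * " \ ] . "]" is still legal in an
# astring, so it is left out; any other hit means the value must be quoted.
_ATOM_SPECIALS = re.compile(rb'[(){ %*"\\\x00-\x1f\x7f]')


def encode_astring(value, literal_plus=False):
    """Encode one IMAP command argument.

    Returns (inline, body). body is None for atoms and quoted strings; for a
    literal, inline is the {n} or {n+} marker and body is the raw octets.
    """
    raw = value.encode("ascii")  # non-ASCII names must be mUTF-7 encoded first
    if b"\x00" in raw:
        raise ValueError("NUL cannot be sent in any IMAP string form")
    if b"\r" in raw or b"\n" in raw:
        # CR and LF are not allowed inside a quoted string, so use a literal.
        marker = b"{%d%s}" % (len(raw), b"+" if literal_plus else b"")
        return marker, raw
    if not raw or _ATOM_SPECIALS.search(raw):
        escaped = raw.replace(b"\\", b"\\\\").replace(b'"', b'\\"')
        return b'"' + escaped + b'"', None
    return raw, None


def build_command(tag, verb, *args, literal_plus=False):
    """Return the byte segments that make up one command.

    With more than one segment the client must wait for the server's
    "+ go ahead" continuation before sending the next one. When the server
    advertises LITERAL+ (as the banner in this thread does), pass
    literal_plus=True to get a single segment.
    """
    segments = []
    current = f"{tag} {verb}".encode("ascii")
    for arg in args:
        inline, body = encode_astring(arg, literal_plus)
        current += b" " + inline
        if body is not None:
            current += b"\r\n"
            if literal_plus:
                current += body
            else:
                segments.append(current)
                current = body
    segments.append(current + b"\r\n")
    return segments


def naive_examine(tag, mailbox):
    """What the unpatched script effectively sent: the name pasted in as-is."""
    return f"{tag} EXAMINE {mailbox}\r\n".encode("ascii")


if __name__ == "__main__":
    # Mailbox names taken from the imapdu.pl listing quoted in the thread.
    for name in ("INBOX.BMP", "INBOX.Bio Stuff", "INBOX.Information Retrieval"):
        print("naive :", naive_examine("A1", name))
        print("quoted:", build_command("A1", "EXAMINE", name))
```

With the naive form, `INBOX.Bio Stuff` reaches the server as two arguments, so EXAMINE fails and the script goes on reporting the previously selected mailbox, which matches the duplicated sizes in the listing.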
Re: Weekly/Monthly record-keeping / maintenance?
Okay, well, for what it's worth, I fixed all of the problems prohibiting me from running a quota -f to completion.

The problem: imapdu.pl is buggy

It fails to do the right thing with mailboxes containing a space in the name.

...
1.46 MB 114 msgs INBOX.BMP
1.46 MB 114 msgs INBOX.Bio Stuff
0.00 bytes 0 msgs INBOX.Drafts
1.25 MB 36 msgs INBOX.HLT
1.25 MB 36 msgs INBOX.Information Retrieval
...

# $Id: imapdu.pl,v 1.9 2008/04/04 12:47:14 murch Exp $

I don't suppose 'murch', the author of the code reads this list?

Jeff Blaine wrote:

Well, hmm...

% sudo -u cyrus /local/mail/cyrus/bin/quota -f
user.ahe: usage was 148771194, now 148756681
...
user.william: usage was 107244707, now 107116597
failed opening header for mailbox 'user.jay': System I/O error: %m
failed building quota list for '*': System I/O error: %m

Apr 1 15:56:12 our.host.org quota[9819]: [ID 136705 local6.error] IOERROR: opening /var/spool/imap/user/jay/cyrus.header: No such file or directory
Apr 1 15:56:12 our.host.org quota[9819]: [ID 357877 local6.error] failed opening header for mailbox 'user.jay': System I/O error: Bad file number
Apr 1 15:56:13 our.host.org quota[9819]: [ID 809228 local6.error] failed building quota list for '*': System I/O error: Bad file number

Wesley Craig wrote:

On 31 Mar 2009, at 16:50, Jeff Blaine wrote:

What I mean, is, for one example -- a user is currently reporting that 'FETCH' (via the imapdu command) is showing 142 messages totalling 640KB in a folder that is actually completely empty on disk (except for cyrus.* files).

Fetch doesn't examine the messages in the mailbox if it doesn't need to. Since you've reconstructed already, I wouldn't expect the seen DB is the problem. Probably the quota. Try rebuilding it.

:wes
Re: Weekly/Monthly record-keeping / maintenance?
How about reconstruct -r -f user.hername

Nope. FETCH/imapdu.pl reports 142 messages still.
Re: Weekly/Monthly record-keeping / maintenance?
Well, hmm...

% sudo -u cyrus /local/mail/cyrus/bin/quota -f
user.ahe: usage was 148771194, now 148756681
...
user.william: usage was 107244707, now 107116597
failed opening header for mailbox 'user.jay': System I/O error: %m
failed building quota list for '*': System I/O error: %m

Apr 1 15:56:12 our.host.org quota[9819]: [ID 136705 local6.error] IOERROR: opening /var/spool/imap/user/jay/cyrus.header: No such file or directory
Apr 1 15:56:12 our.host.org quota[9819]: [ID 357877 local6.error] failed opening header for mailbox 'user.jay': System I/O error: Bad file number
Apr 1 15:56:13 our.host.org quota[9819]: [ID 809228 local6.error] failed building quota list for '*': System I/O error: Bad file number

Wesley Craig wrote:

On 31 Mar 2009, at 16:50, Jeff Blaine wrote:

What I mean, is, for one example -- a user is currently reporting that 'FETCH' (via the imapdu command) is showing 142 messages totalling 640KB in a folder that is actually completely empty on disk (except for cyrus.* files).

Fetch doesn't examine the messages in the mailbox if it doesn't need to. Since you've reconstructed already, I wouldn't expect the seen DB is the problem. Probably the quota. Try rebuilding it.

:wes
'stage.' ???
What's this all about?

imap:linus pwd
/var/spool/imap
imap:linus ls stage.
Weekly/Monthly record-keeping / maintenance?
Every year or so, a user of ours reports a discrepancy between on-disk usage for their spool compared to what 'FETCH' is reporting (as implemented via imapdu.pl).

Compact/Expunge via the client app buys nothing.

Clearly we are failing to do something as admins in order to keep our Cyrus instance working up to snuff. Can anyone shed some light on what we're doing wrong? What are the regular maintenance tasks we should be performing to keep everything working as precisely as possible?

I found nothing useful in the Wiki regarding this topic.

# our imapd.conf with auth options censored
configdirectory:/var/imap
defaultpartition: default
partition-default: /var/spool/imap
unix_group_enable: 0
sieveusehomedir:true
autocreatequota:20
duplicate_db: skiplist
annotation_db: skiplist
mboxkey_db: skiplist
mboxlist_db: skiplist

# our cyrus.conf
START {
  recover cmd="ctl_cyrusdb -r"
}
SERVICES {
  imap cmd="imapd" listen="imap" prefork=5 proto=tcp4
  imaps cmd="imapd -s" listen="imaps" prefork=1 proto=tcp4
  lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=1
}
EVENTS {
  checkpoint cmd="ctl_cyrusdb -c" period=10
  delprune cmd="cyr_expire -E 3" at=0400
  tlsprune cmd="tls_prune" at=0400
}
Re: Weekly/Monthly record-keeping / maintenance?
Andreas Winkelmann wrote:

On Tuesday 31 March 2009 18:09:32 Jeff Blaine wrote:

Every year or so, a user of ours reports a discrepancy between on-disk usage for their spool compared to what 'FETCH' is reporting (as implemented via imapdu.pl)

What means on-disk usage for spool?

What I mean, is, for one example -- a user is currently reporting that 'FETCH' (via the imapdu command) is showing 142 messages totalling 640KB in a folder that is actually completely empty on disk (except for cyrus.* files).

reconstruct -r user.hername did not change what is reported via 'FETCH'. It did update the cyrus.* files though.
Scripting admin stuff?
In 2000, I wrote a simple script that was fed to cyradm to set all users quota to some value. It appears today that the only option to do something like this is to learn the Cyrus::* Perl modules. Is that correct?
Re: Scripting admin stuff?
Thanks. I shortened it to the following. For those using this, it needs to run as cyrus (or whatever your cyrus user is).

#!/linus/mail/cyrus/bin/perl
$default_quota = 40;
use Cyrus::IMAP::Admin;
use Cyrus::IMAP;
my $client = Cyrus::IMAP::Admin->new("YOUR_SERVER",143);
$client->authenticate;
@mailboxes = $client->list('%', 'user.');
foreach $mbx ( @mailboxes ) {
    @m = @$mbx;
    $client->setquota($m[0],"STORAGE",$default_quota);
}

Paul M Fleming wrote:

Save you the work -- had to do the same thing myself. Modify as needed - for example, I use this with Kerberos auth so no username / password is used.

#!/usr/bin/perl
use Cyrus::IMAP::Admin;
use Cyrus::IMAP;
$default_quota = 20;
my $client = Cyrus::IMAP::Admin->new("server",143);
$client->authenticate;
@mailboxes = $client->list('%', 'user.');
foreach $mbx ( @mailboxes ) {
    @m = @$mbx;
    ($root, %quota) = $client->quotaroot($m[0]);
    $cur_usage = $quota{STORAGE}[0];
    $cur_quota = $quota{STORAGE}[1];
    if ( defined $cur_quota ) {
        # quota defined
        if ( $cur_quota < $default_quota ) {
            print "$m[0] : below default increasing\n";
            $client->setquota($m[0],"STORAGE",$default_quota);
        }
        if ( $cur_quota > $default_quota ) {
            print "$m[0] : over default: $cur_quota ($cur_usage / $cur_quota)\n";
        }
    } else {
        print "$m[0] : NO QUOTA $cur_usage\n";
    }
}

On 3/26/2009 11:03 AM, Jeff Blaine wrote:

In 2000, I wrote a simple script that was fed to cyradm to set all users quota to some value. It appears today that the only option to do something like this is to learn the Cyrus::* Perl modules. Is that correct?
Re: Expire (manually) TLS sessions?
Sebastian Hagedorn wrote:

Hi Jeff,

--On 21 January 2009 11:19:31 -0500 Jeff Blaine jbla...@kickflop.net wrote:

Sorry for the delay -- I had my wedding and a brief mini-honeymoon to attend to ;)

congrats!

Thanks :)

How about Thunderbird using a password for authentication? Is that an option at all?

I realize this is a little all over the road here, but bear with me as I am just trying to get something working at this point for our users who are now without secure IMAP :(

With TLS selected in Thunderbird, I am given no choice but to select a client certificate. See attached images.

I wonder why that is. The only reason that comes to mind is that you *have* a certificate. I don't and so I'm never asked to use it. So why don't you try removing your certificate? Honestly, I would expect the same to happen that happens when you use SSL, but you never know.

I'll try to do this and get back to you.

Another user reports that GNU Emacs with the Gnus client works with SSL and port 993. I've confirmed this in the log:

Jan 21 11:11:03 imapsrv imaps[14170]: [ID 277583 local6.notice] login: jimbo-host.our.com [xx.xx.50.67] jimbo plaintext+TLS User logged in

If I configure Thunderbird to do that (SSL via 993), I get the following:

Jan 21 11:10:19 imapsrv imaps[14104]: [ID 636471 local6.notice] TLS server engine: cannot load CA data
Jan 21 11:10:19 imapsrv imaps[14104]: [ID 286863 local6.notice] imapd:Loading hard-coded DH parameters
Jan 21 11:10:19 imapsrv imaps[14104]: [ID 798856 local6.notice] imaps TLS negotiation failed: myclient.our.com
Jan 21 11:10:19 imapsrv imaps[14104]: [ID 637875 local6.error] Fatal error: tls_start_servertls() failed

I have no idea why that happens. I just tried it myself and got the following in our log:

Jan 21 18:17:48 lvr13 imaps[9855]: accepted connection
Jan 21 18:17:48 lvr13 imaps[9855]: SSL_accept() incomplete - wait
Jan 21 18:17:48 lvr13 imaps[9855]: SSL_accept() succeeded - done
Jan 21 18:17:48 lvr13 imaps[9855]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Jan 21 18:17:53 lvr13 imaps[9855]: login: [redacted] User logged in

Could it be that your OpenSSL version or your certificate somehow don't support features that Thunderbird requires? I'm really no expert, but I know that client and server *negotiate* about these things. And the error reads negotiation failed ...

FWIW, Thunderbird with SSL on port 993 pops up a box saying incorrect Message authentication code. I forgot to mention that.

If your server is accessible over the Internet, perhaps I could try connecting to it with openssl s_client. That might tell us something. You can try that as well, of course.

Obvious sanitizing below:

bash-2.05# /imapsrv/bin/openssl s_client -connect imapsrv:993
CONNECTED(0004)
depth=0 /O=our.com/OU=Servers/CN=imapsrv.our.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /O=our.com/OU=Servers/CN=imapsrv.our.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /O=our.com/OU=Servers/CN=imapsrv.our.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/O=our.com/OU=Servers/CN=imapsrv.our.com
   i:/O=our.com/OU=Certificate Authority/CN=Our Corporation Primary CA-1
---
Server certificate
-BEGIN CERTIFICATE-
MIIDWzCCAkOgAwIBAgICKCQw--blah-blah...
blah...6nfEfM9VDXKFAQw1EpXU=
-END CERTIFICATE-
subject=/O=our.com/OU=Servers/CN=imapsrv.our.com
issuer=/O=our.com/OU=Certificate Authority/CN=Our Corporation Primary CA-1
---
No client certificate CA names sent
---
SSL handshake has read 1427 bytes and written 322 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1
    Cipher: DHE-RSA-AES256-SHA
    Session-ID: 7CFF7259D4E28002.8BC4F829E0C0FC90700
    Session-ID-ctx:
    Master-Key: FDA05F594004CE18421274490D4B93678C4.8DBD9610C89D
    Key-Arg : None
    Start Time: 1232559254
    Timeout : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN SASL-IR] imapsrv.our.com Cyrus IMAP v2.3.13 server ready
Re: Expire (manually) TLS sessions?
I raised syslog info to local6.debug and the TLS session with Thunderbird and NO certs shows this:

Jan 21 12:59:10 imapsrv imap[1518]: [ID 636471 local6.notice] TLS server engine: cannot load CA data
Jan 21 12:59:10 imapsrv imap[1518]: [ID 286863 local6.notice] imapd:Loading hard-coded DH parameters
Jan 21 12:59:10 imapsrv imap[1518]: [ID 277171 local6.error] TLS server engine: No CA file specified. Client side certs may not work
Jan 21 12:59:10 imapsrv imap[1518]: [ID 574029 local6.debug] SSL_accept() incomplete - wait
Jan 21 12:59:10 imapsrv imap[1518]: [ID 192010 local6.debug] decryption failed or bad record mac in SSL_accept() - fail
Jan 21 12:59:10 imapsrv imap[1518]: [ID 239158 local6.notice] STARTTLS negotiation failed: myclient.our.com [xx.xx.6.52]

Sebastian Hagedorn wrote:

Hi Jeff,

--On 21 January 2009 11:19:31 -0500 Jeff Blaine jbla...@kickflop.net wrote:

Sorry for the delay -- I had my wedding and a brief mini-honeymoon to attend to ;)

congrats!

How about Thunderbird using a password for authentication? Is that an option at all?

I realize this is a little all over the road here, but bear with me as I am just trying to get something working at this point for our users who are now without secure IMAP :(

With TLS selected in Thunderbird, I am given no choice but to select a client certificate. See attached images.

I wonder why that is. The only reason that comes to mind is that you *have* a certificate. I don't and so I'm never asked to use it. So why don't you try removing your certificate? Honestly, I would expect the same to happen that happens when you use SSL, but you never know.

Another user reports that GNU Emacs with the Gnus client works with SSL and port 993. I've confirmed this in the log:

Jan 21 11:11:03 imapsrv imaps[14170]: [ID 277583 local6.notice] login: jimbo-host.our.com [xx.xx.50.67] jimbo plaintext+TLS User logged in

If I configure Thunderbird to do that (SSL via 993), I get the following:

Jan 21 11:10:19 imapsrv imaps[14104]: [ID 636471 local6.notice] TLS server engine: cannot load CA data
Jan 21 11:10:19 imapsrv imaps[14104]: [ID 286863 local6.notice] imapd:Loading hard-coded DH parameters
Jan 21 11:10:19 imapsrv imaps[14104]: [ID 798856 local6.notice] imaps TLS negotiation failed: myclient.our.com
Jan 21 11:10:19 imapsrv imaps[14104]: [ID 637875 local6.error] Fatal error: tls_start_servertls() failed

I have no idea why that happens. I just tried it myself and got the following in our log:

Jan 21 18:17:48 lvr13 imaps[9855]: accepted connection
Jan 21 18:17:48 lvr13 imaps[9855]: SSL_accept() incomplete - wait
Jan 21 18:17:48 lvr13 imaps[9855]: SSL_accept() succeeded - done
Jan 21 18:17:48 lvr13 imaps[9855]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Jan 21 18:17:53 lvr13 imaps[9855]: login: [redacted] User logged in

Could it be that your OpenSSL version or your certificate somehow don't support features that Thunderbird requires? I'm really no expert, but I know that client and server *negotiate* about these things. And the error reads negotiation failed ...

If your server is accessible over the Internet, perhaps I could try connecting to it with openssl s_client. That might tell us something. You can try that as well, of course.
Re: Expire (manually) TLS sessions?
This is fixed!

I built OpenSSL 0.9.8j on a whim and noticed it fixed a bizarre problem with OpenSSH 5.1p1 that I was working on in a pre-production environment. We were using an older 0.9.8 rev prior to this.

I then did a 'make clean; make; sudo make install' in my cyrus-sasl source tree (which links against the static openssl libs), and did the same for the cyrus-imapd tree.

Beats me!

Jan 21 15:10:20 imapsrv imap[9928]: [ID 574029 local6.debug] SSL_accept() incomplete - wait
Jan 21 15:10:20 imapsrv imap[9928]: [ID 867439 local6.debug] SSL_accept() succeeded - done
Jan 21 15:10:20 imapsrv imap[9928]: [ID 379946 local6.notice] starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
Jan 21 15:10:20 imapsrv imap[9928]: [ID 529592 local6.notice] login: myclient.our.com [xx.xx.6.52] jblaine plain+TLS User logged in

Wesley Craig wrote:

On 21 Jan 2009, at 12:41, Jeff Blaine wrote:

FWIW, Thunderbird with SSL on port 993 pops up a box saying incorrect Message authentication code. I forgot to mention that.

That's interesting. What platform are you running this on? What compiler did you use to build openssl? What optimization flags did you use? (You might try building openssl with reduced optimization and see what results you get.)

:wes
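Added example, not part of the thread: a Python pass over Cyrus syslog lines like those quoted in these messages, grouping them by host, service and PID so that each TLS negotiation is reported with the SSL_accept() error and the TLS configuration warnings logged for the same connection. The sample lines are copied from the messages above; the function and field names are hypothetical.

```python
import re

# Solaris syslog adds "[ID n facility.level]"; Linux syslog omits it.
LINE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) (?P<svc>\w+)\[(?P<pid>\d+)\]: "
    r"(?:\[ID \d+ [\w.]+\] )?(?P<msg>.*)$"
)
HANDSHAKE_OK = re.compile(r"^starttls: (?P<proto>\S+) with cipher (?P<cipher>\S+)")
HANDSHAKE_FAIL = re.compile(r"^(?:STARTTLS|imaps TLS) negotiation failed: (?P<peer>\S+)")
SSL_ERROR = re.compile(r"^(?P<cause>.+) in SSL_accept\(\) - fail$")
CONFIG_WARNINGS = (
    "cannot load CA data",
    "No CA file specified",
    "Loading hard-coded DH parameters",
)

# Lines copied from the thread (addresses were already sanitized there).
SAMPLE_LOG = """\
Jan 21 11:10:19 imapsrv imaps[14104]: [ID 636471 local6.notice] TLS server engine: cannot load CA data
Jan 21 11:10:19 imapsrv imaps[14104]: [ID 286863 local6.notice] imapd:Loading hard-coded DH parameters
Jan 21 11:10:19 imapsrv imaps[14104]: [ID 798856 local6.notice] imaps TLS negotiation failed: myclient.our.com
Jan 21 11:10:19 imapsrv imaps[14104]: [ID 637875 local6.error] Fatal error: tls_start_servertls() failed
Jan 21 12:59:10 imapsrv imap[1518]: [ID 636471 local6.notice] TLS server engine: cannot load CA data
Jan 21 12:59:10 imapsrv imap[1518]: [ID 286863 local6.notice] imapd:Loading hard-coded DH parameters
Jan 21 12:59:10 imapsrv imap[1518]: [ID 277171 local6.error] TLS server engine: No CA file specified. Client side certs may not work
Jan 21 12:59:10 imapsrv imap[1518]: [ID 574029 local6.debug] SSL_accept() incomplete - wait
Jan 21 12:59:10 imapsrv imap[1518]: [ID 192010 local6.debug] decryption failed or bad record mac in SSL_accept() - fail
Jan 21 12:59:10 imapsrv imap[1518]: [ID 239158 local6.notice] STARTTLS negotiation failed: myclient.our.com [xx.xx.6.52]
Jan 21 15:10:20 imapsrv imap[9928]: [ID 574029 local6.debug] SSL_accept() incomplete - wait
Jan 21 15:10:20 imapsrv imap[9928]: [ID 867439 local6.debug] SSL_accept() succeeded - done
Jan 21 15:10:20 imapsrv imap[9928]: [ID 379946 local6.notice] starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
Jan 21 18:17:48 lvr13 imaps[9855]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
"""


def summarize(lines):
    """Return one dict per TLS negotiation, in the order they finished."""
    finished, pending = [], {}
    for line in lines:
        m = LINE.match(line.strip())
        if m is None:
            continue
        msg = m["msg"]
        ok = HANDSHAKE_OK.match(msg)
        fail = HANDSHAKE_FAIL.match(msg)
        err = SSL_ERROR.match(msg)
        warning = next((w for w in CONFIG_WARNINGS if w in msg), None)
        if not (ok or fail or err or warning):
            continue  # login lines, "incomplete - wait", fatal follow-ups
        key = (m["host"], m["svc"], int(m["pid"]))
        session = pending.setdefault(key, {
            "host": key[0], "svc": key[1], "pid": key[2], "outcome": "unknown",
            "peer": None, "proto": None, "cipher": None, "cause": None,
            "warnings": [],
        })
        if warning:
            session["warnings"].append(warning)
        elif err:
            session["cause"] = err["cause"]
        elif ok:
            session.update(outcome="ok", proto=ok["proto"], cipher=ok["cipher"])
        else:
            session.update(outcome="failed", peer=fail["peer"])
        if ok or fail:
            # Preforked processes serve many connections, so close the
            # record here and let the same PID start a fresh one later.
            finished.append(pending.pop(key))
    finished.extend(pending.values())  # negotiations with no logged outcome
    return finished


if __name__ == "__main__":
    for s in summarize(SAMPLE_LOG.splitlines()):
        detail = s["cipher"] if s["outcome"] == "ok" else (s["cause"] or "no cause logged")
        print(f'{s["host"]} {s["svc"]}[{s["pid"]}] {s["outcome"]}: {detail} {s["warnings"]}')
```

A failure with no cause attached, like the `imaps[14104]` one, means the server was not logging at debug level for that connection, which is what raising local6 to debug in the thread corrected.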
2.2.12 to 2.3.13 upgrade :
Our happy and functioning 2.2.12 server setup shows the following when switched over to 2.3.13. The odd thing is that we're using skiplist, not berkeley, for our dbs. If anyone has comments, I'd love to hear them.

bash-2.05# cat /etc/imapd.conf
configdirectory:/var/imap
defaultpartition: default
partition-default: /var/spool/imap
imap_admins:root cyrus
sasl_pwcheck_method:saslauthd
sieveusehomedir:true
autocreatequota:20
duplicate_db: skiplist
tlscache_db:skiplist
annotation_db: skiplist
tls_cert_file: /var/imap/ca.crt
tls_key_file: /var/imap/server.pem
tls_ca_file:/var/imap/ca.crt
bash-2.05#

# /etc/init.d/imap stop
Cyrus: Shutting dowm imapd instances
Cyrus: Shutting down master process
# /etc/init.d/imap start
...
Jan 16 05:25:15 imapsrv ctl_cyrusdb[13271]: [ID 866726 local6.warning] DBERROR db4: Program version 4.3 doesn't match environment version
Jan 16 05:25:15 imapsrv ctl_cyrusdb[13271]: [ID 866726 local6.warning] DBERROR db4: Skipping log file /var/imap/db/log.000224: historic log version 7
Jan 16 05:25:16 imapsrv ctl_cyrusdb[13271]: [ID 866726 local6.warning] DBERROR db4: /var/imap/db/log.000225: log file open failed: No such file or directory
Jan 16 05:25:16 imapsrv ctl_cyrusdb[13271]: [ID 866726 local6.warning] DBERROR db4: PANIC: No such file or directory
Jan 16 05:25:16 imapsrv ctl_cyrusdb[13272]: [ID 866726 local6.warning] DBERROR db4: PANIC: fatal region error detected; run recovery
Re: 2.2.12 to 2.3.13 upgrade :
Sebastian Hagedorn wrote:

Hello Jeff,

--On 16 January 2009 06:01:48 -0500 Jeff Blaine jbla...@kickflop.net wrote:

Our happy and functioning 2.2.12 server setup shows the following when switched over to 2.3.13. The odd thing is that we're using skiplist, not berkeley, for our dbs. If anyone has comments, I'd love to hear them.

bash-2.05# cat /etc/imapd.conf
configdirectory:/var/imap
defaultpartition: default
partition-default: /var/spool/imap
imap_admins:root cyrus
sasl_pwcheck_method:saslauthd
sieveusehomedir:true
autocreatequota:20
duplicate_db: skiplist
tlscache_db:skiplist
annotation_db: skiplist
tls_cert_file: /var/imap/ca.crt
tls_key_file: /var/imap/server.pem
tls_ca_file:/var/imap/ca.crt
bash-2.05#

what about mboxlist_db? And even if all your dbs *are* skiplist, you might still have remnants from previous Berkeley dbs in your /var/lib/imap/db directory. If you are sure you don't need those, just delete them. Obviously the new Cyrus has found a Berkeley environment somewhere ...

Thanks for the reply, Sebastian.

I found a log.0001 from 2005 in the db directory. When I deleted it, the new 2.3.13 instance started cleanly (so far).

Thanks for the nudge in the right direction.
Expire (manually) TLS sessions?
Maybe we're doing something wrong in the process, but it seems that every time we perform offline maintenance (upgrade, whatever) on Cyrus IMAPd ... our users complain that TLS breaks afterward, but then fixes itself in time.

I've demonstrated this to myself just now with the upgrade to 2.3.13 from 2.2.12. My TLS session is cached but broken with the new setup (or for whatever other reason). That is, even after restarting Thunderbird, I get the following:

Jan 16 06:31:50 imapsrv imap[19690]: [ID 239158 local6.notice] STARTTLS negotiation failed: bva-172.our.com

Is there a way to zero/flush all TLS cached sessions? I have to imagine there is, but I don't know how.
Re: Expire (manually) TLS sessions?
Hmm. That's not working for me.

bash-2.05# pwd
/var/imap
# rm tls_sessions.db
# /etc/init.d/imap start
#

Jan 16 06:54:36 imapsrv imap[20300]: [ID 286863 local6.notice] imapd:Loading hard-coded DH parameters
Jan 16 06:54:36 imapsrv imap[20300]: [ID 239158 local6.notice] STARTTLS negotiation failed: bva-172.our.com

bash-2.05# pwd
/var/imap
bash-2.05# ls -l tls*
tls*: No such file or directory
bash-2.05#

Sebastian Hagedorn wrote:

Hello Jeff,

--On 16 January 2009 06:38:27 -0500 Jeff Blaine jbla...@kickflop.net wrote:

Maybe we're doing something wrong in the process, but it seems that every time we perform offline maintenance (upgrade, whatever) on Cyrus IMAPd ... our users complain that TLS breaks afterward, but then fixes itself in time.

I've demonstrated this to myself just now with the upgrade to 2.3.13 from 2.2.12. My TLS session is cached but broken with the new setup (or for whatever other reason). That is, even after restarting Thunderbird, I get the following:

Jan 16 06:31:50 imapsrv imap[19690]: [ID 239158 local6.notice] STARTTLS negotiation failed: bva-172.our.com

Is there a way to zero/flush all TLS cached sessions? I have to imagine there is, but I don't know how.

as before: just delete the tls_sessions files before you start cyrus-imapd. They will be recreated automatically. You could even make that part of the initscript, because those sessions don't survive a restart anyway.
Re: Expire (manually) TLS sessions?
Sebastian Hagedorn wrote:

--On 16 January 2009 06:58:06 -0500 Jeff Blaine jbla...@kickflop.net wrote:

Hmm. That's not working for me.

bash-2.05# pwd
/var/imap
# rm tls_sessions.db
# /etc/init.d/imap start
#

Jan 16 06:54:36 imapsrv imap[20300]: [ID 286863 local6.notice] imapd:Loading hard-coded DH parameters
Jan 16 06:54:36 imapsrv imap[20300]: [ID 239158 local6.notice] STARTTLS negotiation failed: bva-172.our.com

bash-2.05# pwd
/var/imap
bash-2.05# ls -l tls*
tls*: No such file or directory
bash-2.05#

Strange. I know for a fact that it has worked for us in the past. I can't verify that easily right now, because I don't currently have a test set-up. What happens if you touch the file prior to starting imap?

I tried that first:

cp /dev/null tls_sessions.db

Same situation :(
Re: Expire (manually) TLS sessions?
More info after increasing local6.info to local6.debug for syslog:

    accepted connection
    imapd:Loading hard-coded DH parameters
    SSL_accept() incomplete - wait
    decryption failed or bad record mac in SSL_accept() - fail
    STARTTLS negotiation failed: bva-172.our.com

Our TLS all worked fine before the upgrade :(

Jeff Blaine wrote:

Sebastian Hagedorn wrote:

--On 16. Januar 2009 06:58:06 -0500 Jeff Blaine jbla...@kickflop.net wrote:

Hmm. That's not working for me.

    bash-2.05# pwd
    /var/imap
    # rm tls_sessions.db
    # /etc/init.d/imap start
    #
    Jan 16 06:54:36 imapsrv imap[20300]: [ID 286863 local6.notice] imapd:Loading hard-coded DH parameters
    Jan 16 06:54:36 imapsrv imap[20300]: [ID 239158 local6.notice] STARTTLS negotiation failed: bva-172.our.com
    bash-2.05# pwd
    /var/imap
    bash-2.05# ls -l tls*
    tls*: No such file or directory
    bash-2.05#

Strange. I know for a fact that it has worked for us in the past. I can't verify that easily right now, because I don't currently have a test set-up. What happens if you touch the file prior to starting imap?

I tried that first:

    cp /dev/null tls_sessions.db

Same situation :(
Re: Expire (manually) TLS sessions?
Sebastian Hagedorn wrote:

--On 16. Januar 2009 07:48:18 -0500 Jeff Blaine jbla...@kickflop.net wrote:

More info after increasing local6.info to local6.debug for syslog:

    accepted connection
    imapd:Loading hard-coded DH parameters
    SSL_accept() incomplete - wait
    decryption failed or bad record mac in SSL_accept() - fail
    STARTTLS negotiation failed: bva-172.our.com

Our TLS all worked fine before the upgrade :(

I'm pretty sure the tls_cache is a red herring. The SSL/TLS code changed a lot between 2.2 and 2.3. My guess would be that there lies the actual problem. I wonder where the line

    Loading hard-coded DH parameters

comes from. I haven't seen that before. Anyway, I guess you need an SSL expert to make sense of that. How old is your certificate? Maybe the new code doesn't like it? Did you build the binary yourself or where did you get it?

The certificate is 1 year 10 months old. Everything was built by hand (as it was with our 2.2.12 install as well).

I'll try redoing the cert.
Re: Expire (manually) TLS sessions?
A new cert did not solve the problem:

    Jan 16 09:41:30 imapsrv imap[12264]: [ID 921384 local6.debug] accepted connection
    Jan 16 09:41:30 imapsrv imap[12264]: [ID 192010 local6.debug] wrong version number in SSL_accept() - fail
    Jan 16 09:41:30 imapsrv imap[12264]: [ID 239158 local6.notice] STARTTLS negotiation failed: bva-172.our.com

Jeff Blaine wrote:

Sebastian Hagedorn wrote:

--On 16. Januar 2009 07:48:18 -0500 Jeff Blaine jbla...@kickflop.net wrote:

More info after increasing local6.info to local6.debug for syslog:

    accepted connection
    imapd:Loading hard-coded DH parameters
    SSL_accept() incomplete - wait
    decryption failed or bad record mac in SSL_accept() - fail
    STARTTLS negotiation failed: bva-172.our.com

Our TLS all worked fine before the upgrade :(

I'm pretty sure the tls_cache is a red herring. The SSL/TLS code changed a lot between 2.2 and 2.3. My guess would be that there lies the actual problem. I wonder where the line

    Loading hard-coded DH parameters

comes from. I haven't seen that before. Anyway, I guess you need an SSL expert to make sense of that. How old is your certificate? Maybe the new code doesn't like it? Did you build the binary yourself or where did you get it?

The certificate is 1 year 10 months old. Everything was built by hand (as it was with our 2.2.12 install as well).

I'll try redoing the cert.
Re: Expire (manually) TLS sessions?
With the tls_ca_file line removed, Thunderbird asked me to specify a client certificate, I chose my cert and entered my password to access it.

    Jan 16 10:08:33 imapsrv imap[15668]: [ID 921384 local6.debug] accepted connection
    Jan 16 10:08:33 imapsrv imap[15668]: [ID 636471 local6.notice] TLS server engine: cannot load CA data
    Jan 16 10:08:33 imapsrv imap[15668]: [ID 286863 local6.notice] imapd:Loading hard-coded DH parameters
    Jan 16 10:08:33 imapsrv imap[15668]: [ID 277171 local6.error] TLS server engine: No CA file specified. Client side certs may not work
    Jan 16 10:08:33 imapsrv imap[15668]: [ID 574029 local6.debug] SSL_accept() incomplete - wait
    Jan 16 10:08:43 imapsrv imap[15668]: [ID 160154 local6.debug] Doing a peer verify
    Jan 16 10:08:43 imapsrv imap[15668]: [ID 227675 local6.error] verify error:num=20:unable to get local issuer certificate
    Jan 16 10:08:43 imapsrv imap[15668]: [ID 192010 local6.debug] no certificate returned in SSL_accept() - fail
    Jan 16 10:08:43 imapsrv imap[15668]: [ID 239158 local6.notice] STARTTLS negotiation failed: bva-172.our.com

Sebastian Hagedorn wrote:

--On 16. Januar 2009 09:43:02 -0500 Jeff Blaine jbla...@kickflop.net wrote:

A new cert did not solve the problem:

    Jan 16 09:41:30 imapsrv imap[12264]: [ID 921384 local6.debug] accepted connection
    Jan 16 09:41:30 imapsrv imap[12264]: [ID 192010 local6.debug] wrong version number in SSL_accept() - fail

But it results in a different error message.

    Jan 16 09:41:30 imapsrv imap[12264]: [ID 239158 local6.notice] STARTTLS negotiation failed: bva-172.our.com

That reminds me of something. Try removing this line from your config:

    tls_ca_file:/var/imap/ca.crt

Also, try using different clients. IIRC, there is an issue specifically with Thunderbird and that setting. I don't remember the details, but you should be able to find them in the archives.
Re: Expire (manually) TLS sessions?
Jorey Bump wrote:

Jeff Blaine wrote, at 01/16/2009 10:12 AM:

With the tls_ca_file line removed, Thunderbird asked me to specify a client certificate, I chose my cert and entered my password to access it.

That sounds backwards. My understanding is that setting tls_ca_file is what will cause some clients to prompt for a client certificate, and that commenting out the setting avoids this problem if you don't use client certs.

    Jan 16 10:08:33 imapsrv imap[15668]: [ID 921384 local6.debug] accepted connection
    Jan 16 10:08:33 imapsrv imap[15668]: [ID 636471 local6.notice] TLS server engine: cannot load CA data

That's fine. It's a spurious log message as a result of removing tls_ca_file.

    Jan 16 10:08:33 imapsrv imap[15668]: [ID 286863 local6.notice] imapd:Loading hard-coded DH parameters

This is also normal, nothing to worry about.

    Jan 16 10:08:33 imapsrv imap[15668]: [ID 277171 local6.error] TLS server engine: No CA file specified. Client side certs may not work

More harmless noise from the removal of tls_ca_file.

    Jan 16 10:08:33 imapsrv imap[15668]: [ID 574029 local6.debug] SSL_accept() incomplete - wait
    Jan 16 10:08:43 imapsrv imap[15668]: [ID 160154 local6.debug] Doing a peer verify
    Jan 16 10:08:43 imapsrv imap[15668]: [ID 227675 local6.error] verify error:num=20:unable to get local issuer certificate
    Jan 16 10:08:43 imapsrv imap[15668]: [ID 192010 local6.debug] no certificate returned in SSL_accept() - fail
    Jan 16 10:08:43 imapsrv imap[15668]: [ID 239158 local6.notice] STARTTLS negotiation failed: bva-172.our.com

This is probably related to your client certificate, now that you don't have a CA store for verification. I don't know why Thunderbird prompted you for a certificate, though. You might want to test from another Thunderbird with no client certs installed.

In any case, this might be easier to troubleshoot if you post your imapd.conf (and maybe even cyrus.conf). I found it was a little tricky going upgrading within 2.3.x due to some TLS changes, but I still managed to maintain a very simple configuration. Yours just might need a couple of tweaks.

Here ya go:

    allowplaintext: true
    configdirectory:/var/imap
    defaultpartition: default
    partition-default: /var/spool/imap
    imap_admins:root cyrus
    sasl_pwcheck_method:saslauthd
    unix_group_enable: 0
    sieveusehomedir:true
    autocreatequota:20
    duplicate_db: skiplist
    annotation_db: skiplist
    mboxkey_db: skiplist
    mboxlist_db: skiplist
    tlscache_db:skiplist
    tls_session_timeout: 0
    tls_cert_file: /var/imap/ca.crt
    tls_key_file: /var/imap/server.pk

    START {
        recover cmd="ctl_cyrusdb -r"
    }

    SERVICES {
        imap cmd=imapd listen=imap prefork=5 proto=tcp4
        imaps cmd="imapd -s" listen=imaps prefork=1 proto=tcp4
        lmtpunix cmd=lmtpd listen=/var/imap/socket/lmtp prefork=1
    }

    EVENTS {
        checkpoint cmd="ctl_cyrusdb -c" period=10
        delprune cmd="cyr_expire -E 3" at=0400
        tlsprune cmd=tls_prune at=0400
    }
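The log readings given in the replies above can be encoded as a small triage script. This is an added example, not part of the thread or of Cyrus: it groups the Solaris syslog lines by imapd PID, skips the messages the replies call normal or harmless, and reports the SSL_accept() reason behind each "STARTTLS negotiation failed". The sample lines are copied from the messages above; the function names are illustrative.

```python
import re
from collections import Counter

# Solaris syslog format used in the thread, e.g.
#   Jan 16 10:08:33 imapsrv imap[15668]: [ID 921384 local6.debug] accepted connection
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+(?P<time>[\d:]{8})\s+\S+\s+imap\[(?P<pid>\d+)\]:\s+"
    r"(?:\[ID \d+ [\w.]+\]\s+)?(?P<msg>.*)$"
)
# Messages the replies describe as normal, or as noise from removing tls_ca_file.
NOISE = (
    "Loading hard-coded DH parameters",
    "cannot load CA data",
    "No CA file specified",
)
FAIL_RE = re.compile(r"^(.+) in SSL_accept\(\) - fail$")
VERIFY_RE = re.compile(r"^verify error:num=(\d+):(.+)$")
FAILED_RE = re.compile(r"^STARTTLS negotiation failed: (\S+)$")


def _new_state():
    return {"reason": None, "verify_error": None, "noise": 0}


def triage(lines):
    """Return one record per failed STARTTLS negotiation, in log order."""
    in_progress = {}  # pid -> state of the connection that process is handling
    failures = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if msg == "accepted connection":
            # Only logged at debug level; a preforked imapd process is reused,
            # so this marks the start of a fresh connection for that PID.
            in_progress[pid] = _new_state()
            continue
        state = in_progress.setdefault(pid, _new_state())
        if any(text in msg for text in NOISE):
            state["noise"] += 1
            continue
        verify = VERIFY_RE.match(msg)
        if verify:
            state["verify_error"] = (int(verify.group(1)), verify.group(2))
            continue
        fail = FAIL_RE.match(msg)
        if fail:
            state["reason"] = fail.group(1)
            continue
        failed = FAILED_RE.match(msg)
        if failed:
            failures.append({"time": m.group("time"), "pid": pid,
                             "client": failed.group(1), **state})
            del in_progress[pid]
    return failures


def summarize(failures):
    """Count failures per SSL_accept() reason; None means no debug detail was logged."""
    return Counter(f["reason"] for f in failures)


# Sample input: log lines copied from the messages in this thread.
SAMPLE_LOG = """\
Jan 16 06:54:36 imapsrv imap[20300]: [ID 286863 local6.notice] imapd:Loading hard-coded DH parameters
Jan 16 06:54:36 imapsrv imap[20300]: [ID 239158 local6.notice] STARTTLS negotiation failed: bva-172.our.com
Jan 16 09:41:30 imapsrv imap[12264]: [ID 921384 local6.debug] accepted connection
Jan 16 09:41:30 imapsrv imap[12264]: [ID 192010 local6.debug] wrong version number in SSL_accept() - fail
Jan 16 09:41:30 imapsrv imap[12264]: [ID 239158 local6.notice] STARTTLS negotiation failed: bva-172.our.com
Jan 16 10:08:33 imapsrv imap[15668]: [ID 921384 local6.debug] accepted connection
Jan 16 10:08:33 imapsrv imap[15668]: [ID 636471 local6.notice] TLS server engine: cannot load CA data
Jan 16 10:08:33 imapsrv imap[15668]: [ID 286863 local6.notice] imapd:Loading hard-coded DH parameters
Jan 16 10:08:33 imapsrv imap[15668]: [ID 277171 local6.error] TLS server engine: No CA file specified. Client side certs may not work
Jan 16 10:08:33 imapsrv imap[15668]: [ID 574029 local6.debug] SSL_accept() incomplete - wait
Jan 16 10:08:43 imapsrv imap[15668]: [ID 160154 local6.debug] Doing a peer verify
Jan 16 10:08:43 imapsrv imap[15668]: [ID 227675 local6.error] verify error:num=20:unable to get local issuer certificate
Jan 16 10:08:43 imapsrv imap[15668]: [ID 192010 local6.debug] no certificate returned in SSL_accept() - fail
Jan 16 10:08:43 imapsrv imap[15668]: [ID 239158 local6.notice] STARTTLS negotiation failed: bva-172.our.com
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        detail = f["reason"] or "no SSL_accept() detail (raise syslog to local6.debug)"
        if f["verify_error"]:
            detail += " / verify error %d: %s" % f["verify_error"]
        print(f["time"], "pid", f["pid"], f["client"], "->", detail,
              "(%d noise lines skipped)" % f["noise"])
```

A failure with no recorded reason, like the first one in the sample, means only notice-level lines were captured for that connection.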
Re: imapd.conf option for setting SASL_PATH ?
I'll take that as a no?

Jeff Blaine wrote:

I need to explicitly override what our Cyrus IMAPd/SASL build is using for SASL_PATH, as it appears to be misusing what has already been explicitly configured:

http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.cyrus-saslmsg=9025

That is, it would appear that SASL does not take '--with-plugindir=/wherever' to mean "Find plugins here and ONLY here." Instead, it seems to mean, APPEND (not even PREPEND!) /wherever to my compile-time generated list of places to try to find plugins.

Is there a sasl_* option for imapd.conf to specify where (and ONLY where) to look for SASL plugins?

As you can see, I've already posted to the cyrus-sasl list.
imapd.conf option for setting SASL_PATH ?
I need to explicitly override what our Cyrus IMAPd/SASL build is using for SASL_PATH, as it appears to be misusing what has already been explicitly configured:

http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.cyrus-saslmsg=9025

That is, it would appear that SASL does not take '--with-plugindir=/wherever' to mean "Find plugins here and ONLY here." Instead, it seems to mean, APPEND (not even PREPEND!) /wherever to my compile-time generated list of places to try to find plugins.

Is there a sasl_* option for imapd.conf to specify where (and ONLY where) to look for SASL plugins?

As you can see, I've already posted to the cyrus-sasl list.
Re: DBERROR
    bash-2.05# ls -l *db
    -rw------- 1 cyrus mail 144 Dec 5 16:56 annotations.db
    -rw------- 1 cyrus mail 144 Dec 5 16:56 deliver.db
    -rw------- 1 cyrus mail 144 Dec 5 16:56 mailboxes.db

    db:
    total 29618
    -rw------- 1 cyrus mail 8192 Dec 6 10:57 __db.001
    -rw------- 1 cyrus mail 663552 Dec 5 16:56 __db.002
    -rw------- 1 cyrus mail 98304 Dec 5 16:56 __db.003
    -rw------- 1 cyrus mail 21061632 Dec 5 16:56 __db.004
    -rw------- 1 cyrus mail 32768 Dec 5 16:56 __db.005
    -rw------- 1 cyrus mail 4 Dec 5 16:56 skipstamp
    bash-2.05#

Alain Spineux wrote:

On Dec 5, 2007 11:38 PM, Jeff Blaine [EMAIL PROTECTED] wrote:

This is a brand new install. After running tools/mkimap and starting master, I get this. What's the deal?

look for files :

    # ll /var/lib/imap/*.db
    -rw------- 1 cyrus mail 144 Nov 28 11:01 /var/lib/imap/annotations.db
    -rw-r--r-- 1 cyrus mail 16384 Dec 6 08:01 /var/lib/imap/deliver.db
    -rw------- 1 cyrus mail 3760 Nov 28 11:01 /var/lib/imap/mailboxes.db
    -rw------- 1 cyrus mail 8192 Dec 6 04:01 /var/lib/imap/tls_sessions.db

look for access rights.

    Dec 5 17:26:57 alberta.foo.com ctl_cyrusdb[3713]: DBERROR: error listing log files: DB_NOTFOUND: No matching key/data pair found
    Dec 5 17:26:57 alberta.foo.com ctl_cyrusdb[3713]: DBERROR: archive /var/imap/db: cyrusdb error
    Dec 5 17:26:57 alberta.foo.com ctl_cyrusdb[3713]: DBERROR: error listing log files: DB_NOTFOUND: No matching key/data pair found
    Dec 5 17:26:57 alberta.foo.com ctl_cyrusdb[3713]: DBERROR: archive /var/imap/db: cyrusdb error
Re: DBERROR
There are no mailboxes. This was a brand new install that I have left untouched until I figure out the cause of this error.

If it's throwing an error because there is nothing in the databases yet, I consider that a bug.

Alain Spineux wrote:

On Dec 6, 2007 5:03 PM, Jeff Blaine [EMAIL PROTECTED] wrote:

    bash-2.05# ls -l *db
    -rw------- 1 cyrus mail 144 Dec 5 16:56 annotations.db
    -rw------- 1 cyrus mail 144 Dec 5 16:56 deliver.db
    -rw------- 1 cyrus mail 144 Dec 5 16:56 mailboxes.db

144 bytes ! Not a lot !

If you have a backup, try to restore from it (make a copy of *.db and db/* files) before :-)

If not try to repair using the log files (in db/*), but db_tools are very user unfriendly :-(

Or remove these files and recreate your mailboxes using cyradm.

    db:
    total 29618
    -rw------- 1 cyrus mail 8192 Dec 6 10:57 __db.001
    -rw------- 1 cyrus mail 663552 Dec 5 16:56 __db.002
    -rw------- 1 cyrus mail 98304 Dec 5 16:56 __db.003
    -rw------- 1 cyrus mail 21061632 Dec 5 16:56 __db.004
    -rw------- 1 cyrus mail 32768 Dec 5 16:56 __db.005
    -rw------- 1 cyrus mail 4 Dec 5 16:56 skipstamp
    bash-2.05#

Alain Spineux wrote:

On Dec 5, 2007 11:38 PM, Jeff Blaine [EMAIL PROTECTED] wrote:

This is a brand new install. After running tools/mkimap and starting master, I get this. What's the deal?

look for files :

    # ll /var/lib/imap/*.db
    -rw------- 1 cyrus mail 144 Nov 28 11:01 /var/lib/imap/annotations.db
    -rw-r--r-- 1 cyrus mail 16384 Dec 6 08:01 /var/lib/imap/deliver.db
    -rw------- 1 cyrus mail 3760 Nov 28 11:01 /var/lib/imap/mailboxes.db
    -rw------- 1 cyrus mail 8192 Dec 6 04:01 /var/lib/imap/tls_sessions.db

look for access rights.

    Dec 5 17:26:57 alberta.foo.com ctl_cyrusdb[3713]: DBERROR: error listing log files: DB_NOTFOUND: No matching key/data pair found
    Dec 5 17:26:57 alberta.foo.com ctl_cyrusdb[3713]: DBERROR: archive /var/imap/db: cyrusdb error
    Dec 5 17:26:57 alberta.foo.com ctl_cyrusdb[3713]: DBERROR: error listing log files: DB_NOTFOUND: No matching key/data pair found
    Dec 5 17:26:57 alberta.foo.com ctl_cyrusdb[3713]: DBERROR: archive /var/imap/db: cyrusdb error
DBERROR
This is a brand new install. After running tools/mkimap and starting master, I get this. What's the deal?

    Dec 5 17:26:57 alberta.foo.com ctl_cyrusdb[3713]: DBERROR: error listing log files: DB_NOTFOUND: No matching key/data pair found
    Dec 5 17:26:57 alberta.foo.com ctl_cyrusdb[3713]: DBERROR: archive /var/imap/db: cyrusdb error
    Dec 5 17:26:57 alberta.foo.com ctl_cyrusdb[3713]: DBERROR: error listing log files: DB_NOTFOUND: No matching key/data pair found
    Dec 5 17:26:57 alberta.foo.com ctl_cyrusdb[3713]: DBERROR: archive /var/imap/db: cyrusdb error
Re: Thunderbird + Kerberos 5 + Cyrus SASL-and-IMAP?
If anyone wants to assist in testing, here is the bug report I filed just now: https://bugzilla.mozilla.org/show_bug.cgi?id=370178
Re: Thunderbird + Kerberos 5 + Cyrus SASL-and-IMAP?
GSSAPI authentication from Thunderbird to Cyrus IMAP works!

You MUST:

1. Specify a FQDN for your IMAP server in Thunderbird's account settings. I was specifying an IP address. Not good enough.

2. The FQDN must resolve somehow. For me, it was a matter of adding info to C:\WINDOWS\System32\drivers\etc\hosts

    192.168.168.100 noodle.foo.com

3. Your domain, of course, must map to some Kerberos realm. This is done in your /etc/krb5.conf or krb5.ini for Windows. Here's how mine was set up when working:

    [realms]
        JBTEST = {
            kdc = 192.168.168.100
            admin_server = 192.168.168.100
        }

    [domain_realm]
        foo.com = JBTEST
        .foo.com = JBTEST

4. Obviously specify 'Secure Authentication' in the IMAP account's properties.

5. In Thunderbird: Tools | Options | Advanced, Config editor set network.auth.use-sspi to false.

Jeff Blaine wrote:

If anyone wants to assist in testing, here is the bug report I filed just now: https://bugzilla.mozilla.org/show_bug.cgi?id=370178
Re: Thunderbird + Kerberos 5 + Cyrus SASL-and-IMAP?
A little more info, in case anyone finds the time to help me out:

I've tried everything I can imagine.

saslauthd: saslauthd -a kerberos5 -d (with additional debug code by me!)

    Feb 9 13:22:20 noodle.foo.com saslauthd[27437]: auth_krb5: krb5_kt_read_service_key returned -1765328203 - going to fini: in k5support_verify_tgt()

I can find no information on that Kerberos error, but I most certainly have imap/noodle.foo.com in a readable /etc/krb5.keytab (and truss shows it being read fine).

imapd.conf: sasl_pwcheck_method: saslauthd

Jeff Blaine wrote:

I have a healthy MIT Kerberos 1.5.2 realm and Cyrus IMAP 2.2.12 server configured (SASL 2.1.22).

I can't get Thunderbird (latest 1.5 official release) to perform GSSAPI authentication against the Cyrus IMAP server. I have valid Kerberos 5 credentials (for user jblaine) via Kerberos for Windows 3.1. I have restarted Thunderbird.

Anyone know how to do this? This is supposed to work if I am not mistaken.

Thunderbird states the server does not support secure authentication (which is BS).

imtest authenticates (as jblaine) via GSSAPI fine!

    C: A01 AUTHENTICATE GSSAPI YIICBblahblahblah
    S: + YIGWBgkqhkblahblah
    ...
    S: A01 OK Success (privacy protection)
    Authenticated.
    Security strength factor: 56
    ...
    Feb 8 16:36:44 noodle.foo.com imap[26514]: [ID 529592 local6.notice] login: noodle.foo.com [192.168.168.100] jblaine GSSAPI User logged in

/etc/imapd.conf reads as follows:

    configdirectory:/var/imap
    defaultpartition: default
    partition-default: /var/spool/imap
    imap_admins:root cyrus
    sieveusehomedir:false
    autocreatequota:20
    duplicate_db: skiplist
    allowplaintext: false
    force_sasl_mech:GSSAPI
    sasl_log_level: 4
Thunderbird + Kerberos 5 + Cyrus SASL-and-IMAP?
I have a healthy MIT Kerberos 1.5.2 realm and Cyrus IMAP 2.2.12 server configured (SASL 2.1.22).

I can't get Thunderbird (latest 1.5 official release) to perform GSSAPI authentication against the Cyrus IMAP server. I have valid Kerberos 5 credentials (for user jblaine) via Kerberos for Windows 3.1. I have restarted Thunderbird.

Anyone know how to do this? This is supposed to work if I am not mistaken.

Thunderbird states the server does not support secure authentication (which is BS).

imtest authenticates (as jblaine) via GSSAPI fine!

    C: A01 AUTHENTICATE GSSAPI YIICBblahblahblah
    S: + YIGWBgkqhkblahblah
    ...
    S: A01 OK Success (privacy protection)
    Authenticated.
    Security strength factor: 56
    ...
    Feb 8 16:36:44 noodle.foo.com imap[26514]: [ID 529592 local6.notice] login: noodle.foo.com [192.168.168.100] jblaine GSSAPI User logged in

/etc/imapd.conf reads as follows:

    configdirectory:/var/imap
    defaultpartition: default
    partition-default: /var/spool/imap
    imap_admins:root cyrus
    sieveusehomedir:false
    autocreatequota:20
    duplicate_db: skiplist
    allowplaintext: false
    force_sasl_mech:GSSAPI
    sasl_log_level: 4
User-deleted folders still on disk?
Using cyrus-2.2.12

We're experiencing a situation where user-deleted folders still remain on disk. Running 'reconstruct -r user.USERNAME' does not address the problem.

Is this expected behavior? If so, I'm curious to hear the reasoning. Are we missing an option somewhere?

It's confusing our users, as our "You are near your quota" script shows them, among other things, a 'du -sk' listing of their spool area.

---

Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
2.1.13 to 2.2.12 upgrade sanity check
Can I get a sanity check here?

- Shutdown
- Update /etc/cyrus.conf for cyr_expire -E
- Add fulldirhash option to imapd.conf (I assume this is what is meant by setups using a b c ... z for top level dirs, etc)
- Run cvt_cyrusdb on mailboxes.db, deliver.db, tls_sessions.db
- find /var/imap/user -name \*.seen -exec /MY/PATH/bin/cvt_cyrusdb \{\} flat \{\}.new skiplist \; -exec mv \{\}.new \{\} \;
- Startup
- No sieve scripts byte compiled, not applicable
- Don't use ptloader, not applicable
- Don't use idled or notifyd, not applicable
Re: cyradm failure
I have solved this by setting SASL_* and OPENSSL_* as referenced in Makefile.PL to include every -l -L -R option necessary for linking libsasl2.so into IMAP.so

Your perl/imap/README and perl/imap/Makefile.PL need some work.

README should mention SASL_INC, SASL_LIB, OPENSSL_INC, and OPENSSL_LIB environment variables referenced in Makefile.PL and describe precisely what they can and/or should contain.

Makefile.PL is inconsistent and confusing here:

    my $SASL_INC = $ENV{SASL_INC};
    my $SASL_LIB = $ENV{SASL_LIB} || "-lsasl2";
    my $OPENSSL_INC = $ENV{OPENSSL_INC};
    my $OPENSSL_LIB = $ENV{OPENSSL_LIB};

combined with line 63:

    'LIBS' => ["$SASL_LIB $OPENSSL_LIB -lssl -lcrypto"],

Make up your mind how you want to do it :)

I suggest either:

A) Changing:

    my $SASL_LIB = $ENV{SASL_LIB} || "-lsasl2";

to:

    my $SASL_LIB = $ENV{SASL_LIB};

and adding the appropriate '-lsasl2' on the LIBS line 63

... OR...

B) Changing:

    my $OPENSSL_LIB = $ENV{OPENSSL_LIB};

to:

    my $OPENSSL_LIB = $ENV{OPENSSL_LIB} || "-lssl";

Jeff Blaine wrote:

I read the long thread (with no resolution) about this from Jan 2003.

With our existing AND a brand new fresh/clean Perl 5.6.1 build for the sake of trying to get this to work, I cannot get it to work and cannot make any sense of what the problem is:

- Solaris 7
- Cyrus IMAP 2.1.13 (working fine with 100 users - has been for months. Just can't do any administration yet!)
- Cyrus IMAP 2.1.14 does the same thing.

    =
    cd /cyrus/src/perl-5.6.1
    sh Configure -des -Dprefix=/cyrus -Uinstallusrbinperl
    make
    make install
    =
    % cd /cyrus/lib
    % ls
    libacap.a       libdb-4.so@     libsasl2.so.2@
    libcyrus.a      libdb.a@        libsasl2.so.2.0.13*
    libdb-4.1.a     libdb.so@       perl5/
    libdb-4.1.la    libsasl2.la*    sasl2/
    libdb-4.1.so*   libsasl2.so@
    % nm libsasl2.so | grep sasl_client_init
    [521] | 25256| 372|FUNC |GLOB |0|10 |sasl_client_init
    %
    =
    % cd /cyrus/src/cyrus-imapd-2.1.13/perl/imap
    % SASL_LIB=-L/cyrus/lib -R/cyrus/lib
    % SASL_INC=-I/cyrus/include
    % OPENSSL_LIB=-L/usr/rcf/lib -R/usr/rcf/lib
    % OPENSSL_INC=-I/usr/rcf/include
    % perl Makefile.PL
    Checking if your kit is complete...
    Looks good
    Writing Makefile for Cyrus::IMAP
    % make
    ...
    [ Output deleted - success and proper -L, -R, and -I options used ]
    [ as set above! ]
    ...
    % make install
    ...
    [ Output deleted ]
    ...
    % /cyrus/bin/cyradm
    Can't load '/cyrus/lib/perl5/site_perl/5.6.1/sun4-solaris/auto/Cyrus/IMAP/IMAP.so' for module Cyrus::IMAP: ld.so.1: perl: fatal: relocation error: file /cyrus/lib/perl5/site_perl/5.6.1/sun4-solaris/auto/Cyrus/IMAP/IMAP.so: symbol sasl_client_init: referenced symbol not found at /cyrus/lib/perl5/5.6.1/sun4-solaris/DynaLoader.pm line 206.
     at /cyrus/lib/perl5/site_perl/5.6.1/sun4-solaris/Cyrus/IMAP/Admin.pm line 44
    Compilation failed in require at /cyrus/lib/perl5/site_perl/5.6.1/sun4-solaris/Cyrus/IMAP/Admin.pm line 44.
    BEGIN failed--compilation aborted at /cyrus/lib/perl5/site_perl/5.6.1/sun4-solaris/Cyrus/IMAP/Admin.pm line 44.
    Compilation failed in require at /cyrus/lib/perl5/site_perl/5.6.1/sun4-solaris/Cyrus/IMAP/Shell.pm line 60.
    BEGIN failed--compilation aborted at /cyrus/lib/perl5/site_perl/5.6.1/sun4-solaris/Cyrus/IMAP/Shell.pm line 60.
    Compilation failed in require.
    BEGIN failed--compilation aborted.
cyradm failure
I read the long thread (with no resolution) about this from Jan 2003.

With our existing AND a brand new fresh/clean Perl 5.6.1 build for the sake of trying to get this to work, I cannot get it to work and cannot make any sense of what the problem is:

- Solaris 7
- Cyrus IMAP 2.1.13 (working fine with 100 users - has been for months. Just can't do any administration yet!)
- Cyrus IMAP 2.1.14 does the same thing.

    =
    cd /cyrus/src/perl-5.6.1
    sh Configure -des -Dprefix=/cyrus -Uinstallusrbinperl
    make
    make install
    =
    % cd /cyrus/lib
    % ls
    libacap.a       libdb-4.so@     libsasl2.so.2@
    libcyrus.a      libdb.a@        libsasl2.so.2.0.13*
    libdb-4.1.a     libdb.so@       perl5/
    libdb-4.1.la    libsasl2.la*    sasl2/
    libdb-4.1.so*   libsasl2.so@
    % nm libsasl2.so | grep sasl_client_init
    [521] | 25256| 372|FUNC |GLOB |0|10 |sasl_client_init
    %
    =
    % cd /cyrus/src/cyrus-imapd-2.1.13/perl/imap
    % SASL_LIB=-L/cyrus/lib -R/cyrus/lib
    % SASL_INC=-I/cyrus/include
    % OPENSSL_LIB=-L/usr/rcf/lib -R/usr/rcf/lib
    % OPENSSL_INC=-I/usr/rcf/include
    % perl Makefile.PL
    Checking if your kit is complete...
    Looks good
    Writing Makefile for Cyrus::IMAP
    % make
    ...
    [ Output deleted - success and proper -L, -R, and -I options used ]
    [ as set above! ]
    ...
    % make install
    ...
    [ Output deleted ]
    ...
    % /cyrus/bin/cyradm
    Can't load '/cyrus/lib/perl5/site_perl/5.6.1/sun4-solaris/auto/Cyrus/IMAP/IMAP.so' for module Cyrus::IMAP: ld.so.1: perl: fatal: relocation error: file /cyrus/lib/perl5/site_perl/5.6.1/sun4-solaris/auto/Cyrus/IMAP/IMAP.so: symbol sasl_client_init: referenced symbol not found at /cyrus/lib/perl5/5.6.1/sun4-solaris/DynaLoader.pm line 206.
     at /cyrus/lib/perl5/site_perl/5.6.1/sun4-solaris/Cyrus/IMAP/Admin.pm line 44
    Compilation failed in require at /cyrus/lib/perl5/site_perl/5.6.1/sun4-solaris/Cyrus/IMAP/Admin.pm line 44.
    BEGIN failed--compilation aborted at /cyrus/lib/perl5/site_perl/5.6.1/sun4-solaris/Cyrus/IMAP/Admin.pm line 44.
    Compilation failed in require at /cyrus/lib/perl5/site_perl/5.6.1/sun4-solaris/Cyrus/IMAP/Shell.pm line 60.
    BEGIN failed--compilation aborted at /cyrus/lib/perl5/site_perl/5.6.1/sun4-solaris/Cyrus/IMAP/Shell.pm line 60.
    Compilation failed in require.
    BEGIN failed--compilation aborted.
Re: cyradm failure
In the meantime, is there anyone who can tell me how to adjust a user's quota via the files in /var/imap/quota ?

I see files to edit, but don't know how to make the changes take effect (they don't seem to on their own).

We have a user who's had mail being undelivered for 3 days now because of quota problems and I do not want the messages to bounce back to the senders.

Jeff Blaine wrote:

I read the long thread (with no resolution) about this from Jan 2003.

With our existing AND a brand new fresh/clean Perl 5.6.1 build for the sake of trying to get this to work, I cannot get it to work and cannot make any sense of what the problem is:

- Solaris 7
- Cyrus IMAP 2.1.13 (working fine with 100 users - has been for months. Just can't do any administration yet!)
- Cyrus IMAP 2.1.14 does the same thing.

    =
    cd /cyrus/src/perl-5.6.1
    sh Configure -des -Dprefix=/cyrus -Uinstallusrbinperl
    make
    make install
    =
    % cd /cyrus/lib
    % ls
    libacap.a       libdb-4.so@     libsasl2.so.2@
    libcyrus.a      libdb.a@        libsasl2.so.2.0.13*
    libdb-4.1.a     libdb.so@       perl5/
    libdb-4.1.la    libsasl2.la*    sasl2/
    libdb-4.1.so*   libsasl2.so@
    % nm libsasl2.so | grep sasl_client_init
    [521] | 25256| 372|FUNC |GLOB |0|10 |sasl_client_init
    %
    =
    % cd /cyrus/src/cyrus-imapd-2.1.13/perl/imap
    % SASL_LIB=-L/cyrus/lib -R/cyrus/lib
    % SASL_INC=-I/cyrus/include
    % OPENSSL_LIB=-L/usr/rcf/lib -R/usr/rcf/lib
    % OPENSSL_INC=-I/usr/rcf/include
    % perl Makefile.PL
    Checking if your kit is complete...
    Looks good
    Writing Makefile for Cyrus::IMAP
    % make
    ...
    [ Output deleted - success and proper -L, -R, and -I options used ]
    [ as set above! ]
    ...
    % make install
    ...
    [ Output deleted ]
    ...
    % /cyrus/bin/cyradm
    Can't load '/cyrus/lib/perl5/site_perl/5.6.1/sun4-solaris/auto/Cyrus/IMAP/IMAP.so' for module Cyrus::IMAP: ld.so.1: perl: fatal: relocation error: file /cyrus/lib/perl5/site_perl/5.6.1/sun4-solaris/auto/Cyrus/IMAP/IMAP.so: symbol sasl_client_init: referenced symbol not found at /cyrus/lib/perl5/5.6.1/sun4-solaris/DynaLoader.pm line 206.
     at /cyrus/lib/perl5/site_perl/5.6.1/sun4-solaris/Cyrus/IMAP/Admin.pm line 44
    Compilation failed in require at /cyrus/lib/perl5/site_perl/5.6.1/sun4-solaris/Cyrus/IMAP/Admin.pm line 44.
    BEGIN failed--compilation aborted at /cyrus/lib/perl5/site_perl/5.6.1/sun4-solaris/Cyrus/IMAP/Admin.pm line 44.
    Compilation failed in require at /cyrus/lib/perl5/site_perl/5.6.1/sun4-solaris/Cyrus/IMAP/Shell.pm line 60.
    BEGIN failed--compilation aborted at /cyrus/lib/perl5/site_perl/5.6.1/sun4-solaris/Cyrus/IMAP/Shell.pm line 60.
    Compilation failed in require.
    BEGIN failed--compilation aborted.