troubleshooting a unified config

2006-10-19 Thread Jesus Roncero
=2004 
prefork=1

  imap  cmd="proxyd" listen="imap" prefork=1
  pop3  cmd="pop3d" listen="pop3" prefork=0
  kpop  cmd="pop3d -k" listen="kpop" prefork=0
  sieve cmd="timsieved" listen=2000 prefork=1

  # fud
  fud   cmd="fud" listen="fud" prefork=0 proto="udp"

  # relay mail correctly
  lmtpunix  cmd="lmtpproxyd" listen="/home/golan/var/imap/socket/lmtpproxy" prefork=1
}

EVENTS {
  checkpoint  cmd="ctl_cyrusdb -c" period=5
}



unibox -- imapd.conf
+
configdirectory: /home/golan/var/imap
# DO NOT leave any SPACE at the end of any config setting
# AR
partition-default: /home/golan/var/spool/imap
sasl_pwcheck_method: auxprop

sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
sasldb_path: /home/golan/etc/sasldb2
force_sasl_client_mech: PLAIN

sieve_admins: cyrus, golan
sievedir: /home/golan/var/spool/sieve

virtdomains: yes
altnamespace: yes
allowallsubscribe: yes
allowusermoves: 1

backbox_mechs: PLAIN
unibox_mechs: PLAIN

# we don't want sieve referrals
sieve_allowreferrals: 0

admins: golan backend1 murder unified1 [EMAIL PROTECTED] [EMAIL PROTECTED] 

# How to get to the mupdate server (this machine)
mupdate_config: unified
mupdate_username: backend1
mupdate_password: Password
mupdate_server: mupbox
mupdate_port: 2004
mupdate_authname: backend1

# How to get to the backends
proxy_authname: murder
backbox_password: Password
unibox_password: Password

proxyservers: murder

syslog_prefix: unified



mupbox -- cyrus
+
START {
  mboxlist  cmd="ctl_cyrusdb -r"
}

SERVICES {
  mupdate   cmd="/home/golan/cyrus-imapd-2.3.7-mupdate/bin/mupdate -m" listen=2004 prefork=1
}

EVENTS {
  checkpoint  cmd="ctl_cyrusdb -c" period=5
}






mupbox -- imapd.conf
+
configdirectory: /home/golan/var/imap
# /tmp because it is not used
partition-default: /tmp
sasl_pwcheck_method: auxprop

sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
sasldb_path: /home/golan/etc/sasldb2
force_sasl_client_mech: PLAIN
auxprop_plugin: sasldb

virtdomains: yes
altnamespace: yes
allowallsubscribe: yes

backbox_mechs: PLAIN
unibox_mechs: PLAIN

# we don't want sieve referrals
sieve_allowreferrals: 0

allowusermoves: 1

# should I use box names here?
admins: golan backend1 [EMAIL PROTECTED]

proxyservers: murder
proxy_authname: murder
backbox_password: Password





-- 
Jesus Roncero [EMAIL PROTECTED]
System Developer
Tel: +44 (0) 845 666 7778
http://www.mxtelecom.com


Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
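
A small audit of imapd.conf text for pitfalls that settings like the ones above run into: imapd.conf only treats lines beginning with '#' as comments, so '#' text after a value becomes part of the value; trailing whitespace, which the comment in the config warns about; plaintext mechanisms in `*_mechs`; and stored passwords. This is an added example, not part of the original post or of Cyrus IMAP; `parse_conf`, `audit`, the `tls_between_servers` flag and the sample text are constructed for illustration.

```python
# Added illustration, not part of Cyrus IMAP: audits imapd.conf text for
# the pitfalls visible in settings like those above. Names are hypothetical.
import re

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_conf(text):
    """Yield (lineno, key, value) per setting, keeping trailing whitespace."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and whole-line comments are ignored
        key, sep, value = line.partition(":")
        if sep:
            yield lineno, key.strip(), value.lstrip()

def audit(text, tls_between_servers=False):
    """Return a list of (lineno, key, finding) tuples, in file order."""
    findings = []
    for lineno, key, value in parse_conf(text):
        if value != value.rstrip():
            findings.append((lineno, key, "trailing whitespace in value"))
        if re.search(r"(^|\s)#", value):
            findings.append((lineno, key, "'#' text is read as part of the value"))
        if key.endswith("_mechs"):
            weak = PLAINTEXT_MECHS & set(value.upper().split())
            if weak and not tls_between_servers:
                findings.append((lineno, key, "plaintext mechanism without TLS: "
                                 + ", ".join(sorted(weak))))
        if key.endswith("_password") and value.strip():
            findings.append((lineno, key, "credential in file: keep it "
                             "unreadable to other users"))
    return findings

# Constructed sample in the style of the settings above.
SAMPLE = "\n".join([
    "configdirectory: /home/golan/var/imap",
    "partition-default: /tmp  # because it is not used",
    "admins: golan backend1 murder" + " ",  # trailing space on purpose
    "backbox_mechs: PLAIN",
    "backbox_password: Password",
    "# How to get to the backends",
])

if __name__ == "__main__":
    for lineno, key, finding in audit(SAMPLE):
        print(f"line {lineno}: {key}: {finding}")
```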


proxyd or imapd on unified config?

2006-10-17 Thread Jesus Roncero

Hi all,

I am actually progressing on getting a murder installation, but I am
still having some problems getting it.

My installation is a bit different. I have two different machines, one
of them being a backend and the other one being a frontend/backend
server in unified mode as well as running the mupdate process in master
mode. For this, there are two different installations on that machine on
different directories. Apparently, it is possible to have this
configuration.

Basically I have some test mailboxes and shared folders on the backend.
If I start with fresh /var/imap directories in the frontend/backend
(one for the unified config, another for the mupdate process), and
execute ctl_mboxlist -m on the backend, the mupdate process receives all
the mailboxes information and stores it on its mailbox.db database. The
frontend/backend mailboxes.db file is empty. So far this is how it
should work.

The frontend/backend server is running imapd processes as proxyd
processes (as they should be able to proxy to the other backend, and
also be able to serve if there are local mailboxes). The thing is that, when
I connect to the frontend/backend proxyd (imap) it replies with a 
"mailbox does not exist" error.


It looks as if it is looking in its local database instead of querying 
mupdate and then proxying it to the backend.


So, can this configuration be done? Does any of you have a similar 
installation? I guess that I am right running the proxyd processes on 
the frontend/backend unified server, right?


Any ideas?

Best regards.

--
Jesus Roncero [EMAIL PROTECTED]
System Developer
Tel: +44 (0) 845 666 7778
http://www.mxtelecom.com




Re: Running murder in unified config

2006-10-11 Thread Jesus Roncero

Andrew Morgan wrote:


You would need to run the mupdate master as a separate installation of 
cyrus (at least a separate configdirectory).  The backend and the 
mupdate master cannot share the same mailboxes.db file.  Just guessing 
on that part, but it seems logical to me.




Ah, now it does. I wasn't really aware that they both share the same 
mailboxes.db file. Fair enough.


Thanks :)


--
Jesus Roncero [EMAIL PROTECTED]
System Developer
Tel: +44 (0) 845 666 7778
http://www.mxtelecom.com




Running murder in unified config

2006-10-10 Thread Jesus Roncero

Hi all,
Again with one of my questions. I am trying to run a murder 
installation, with two boxes. My idea is to run a frontend/backend box 
in unified config and one extra backend. The thing I was trying to set 
up is to run the frontend/backend/mupdate master on the same box, but it 
looks like it is not possible. Looking at the source code at 
imap/mupdate.c we have something like this:


if (masterp &&
    config_mupdate_config == IMAP_ENUM_MUPDATE_CONFIG_UNIFIED) {
    /* XXX  We currently prohibit this because mailboxes created
     * on the master will cause local mailbox entries to be propagated
     * to the slave.  We can probably fix this by prepending
     * config_servername onto the entries before updating the slaves.
     */
    fatal("can not run mupdate master on a unified server", EC_USAGE);
}

I found one other reference on the mailing list but no answers: 
http://www.irbs.net/internet/info-cyrus/0604/0307.html


So, is there any way to run the mupdate master on the same node where the 
frontend/backend unified config is running? Or do I need to place it 
in a different box? On one backend?


Many thanks.

--
Jesus Roncero [EMAIL PROTECTED]
System Developer
Tel: +44 (0) 845 666 7778
http://www.mxtelecom.com




question about moving mailboxes in a murder environment

2006-10-09 Thread Jesus Roncero

Hi all,
Again here ;). I have a couple of questions. I am trying to migrate an 
old cyrus 2.2.12 installation to the latest cyrus, using a murder 
environment. My idea is to build a unified system, in which the old 
cyrus would work as a frontend and backend at the same time, so almost 
everything should work as before. Also, I would add a first backend 
which would initially not have any mailboxes.


So, would the move mailbox operation work (providing everything is set 
up correctly) to move some mailboxes to the new backend?


And, I have some shared folders right now. Can they be moved as well to 
the backend as normal mailboxes?


Cheers.
--
Jesus Roncero [EMAIL PROTECTED]
System Developer
Tel: +44 (0) 845 666 7778
http://www.mxtelecom.com




Re: Failing to authenticate on the frontends

2006-10-06 Thread Jesus Roncero

Andrew Morgan wrote:
Oops, I forgot about that detail.  We locally patched referrals out 
of our IMAP proxies.


Umm, isn't there an option on the configuration to disable referrals? 
If not, do you have that patch available?


I've attached the patch to this message.  We use it with Cyrus v2.2.12 
here.  I don't know if it works or applies cleanly to v2.3.x.


Thank you very much. Well, it doesn't, because on cyrus-imap-2.3.7 there 
are different filenames than those. But, in order to disable the 
referrals, it's easy. It's the option to add a new configuration 
parameter that's more difficult.


Anyway, thanks again.

--
Jesus Roncero [EMAIL PROTECTED]
System Developer
Tel: +44 (0) 845 666 7778
http://www.mxtelecom.com




Re: Failing to authenticate on the frontends

2006-10-06 Thread Jesus Roncero

Michael Loftis wrote:

I guess that's what CRAM-MD5 is for, but the frontend refuses to talk to
the backend if it is presented with CRAM-MD5 only. Is there any way to do
this or am I doing something really wrong? :)



See earlier in this thread.  It's not at all possible in stock Cyrus.  
You have to patch it to allow that.  I've got one for older versions of 
cyrus, 2.1.17 ish, but they'll need cleanup.  Thanks to Henrique de 
Moraes Holschuh who provided me with them.


Really? I've been reading the source code and it looks like these are the 
options for the mechanism in the communication between the frontends 
and backends, at least what I have been able to understand:


* DIGEST-MD5. It's secure and sends all the data afterwards encrypted.
* CRAM-MD5. It's secure and sends the data in the clear. But it doesn't 
work on backend-frontend because it is not able to do proxying.
* LOGIN. It's not secure and does not support proxying.
* PLAIN. It's not secure but it is able to do proxying. But, it needs to 
be sent under an extra security layer. So, it requires TLS to be enabled.


So, the thing is that when you have referrals disabled and you are going 
to have all backends in a private network, looks like it's a waste of 
resources to be encrypting the data transferred between back and frontends.


Anyway, I am now testing a patch to cyrus where TLS has been disabled 
only when using PLAIN between the components of a murder system.


--
Jesus Roncero [EMAIL PROTECTED]
System Developer
Tel: +44 (0) 845 666 7778
http://www.mxtelecom.com
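
The mechanism properties listed in the message above can be worked through as a selection filter, which shows why a CRAM-MD5-only link ends with no usable mechanism and why PLAIN depends on TLS. This is an added example, not part of the original post and not Cyrus or Cyrus SASL code; the property table encodes the poster's reading of the source, and `Mech`, `MECHS`, `pick_mech`, `traffic_protected` and the sample mechanism lists are hypothetical names.

```python
# Added illustration, not Cyrus SASL code: models the frontend-to-backend
# mechanism choice using the properties listed in the message above.
from dataclasses import dataclass

@dataclass(frozen=True)
class Mech:
    name: str
    proxy_authz: bool      # can carry a separate authorization identity
    secret_in_clear: bool  # password crosses the wire unprotected
    own_layer: bool        # encrypts the data after authentication

# Properties as the poster lists them (his reading of the source).
MECHS = {m.name: m for m in (
    Mech("DIGEST-MD5", True, False, True),
    Mech("CRAM-MD5", False, False, False),
    Mech("LOGIN", False, True, False),
    Mech("PLAIN", True, True, False),
)}

def pick_mech(allowed, advertised, tls_active):
    """Choose a mechanism for a proxy login; return (name, rejections).

    allowed    -- mechs the frontend may use (hypothetical input, e.g. the
                  value of a <host>_mechs setting)
    advertised -- mechs the backend offers
    tls_active -- True if the link is already under TLS
    """
    offered = {a.upper() for a in advertised}
    usable, rejections = [], {}
    for name in (a.upper() for a in allowed):
        mech = MECHS.get(name)
        if mech is None:
            rejections[name] = "unknown mechanism"
        elif name not in offered:
            rejections[name] = "not advertised by backend"
        elif not mech.proxy_authz:
            rejections[name] = "cannot proxy"
        elif mech.secret_in_clear and not tls_active:
            rejections[name] = "plaintext secret needs TLS"
        else:
            usable.append(mech)
    if not usable:
        return None, rejections  # the caller sees "no worthy mechs"
    usable.sort(key=lambda m: m.secret_in_clear)  # prefer no cleartext secret
    return usable[0].name, rejections

def traffic_protected(mech_name, tls_active):
    """True if data after authentication is encrypted on this link."""
    return tls_active or MECHS[mech_name].own_layer

if __name__ == "__main__":
    backend = ["PLAIN", "LOGIN", "CRAM-MD5", "DIGEST-MD5"]  # constructed
    cases = ((["CRAM-MD5"], False), (["PLAIN"], False),
             (["PLAIN"], True), (["DIGEST-MD5"], False))
    for allowed, tls in cases:
        print(allowed, "TLS" if tls else "no TLS",
              pick_mech(allowed, backend, tls))
```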




Re: Failing to authenticate on the frontends

2006-10-05 Thread Jesus Roncero

Michael Loftis wrote:


Authentication of the user happens at the frontend.  The frontend then
uses  the proxy credentials to authorize as the user on the backend.
The backends  don't need a full user database, just the proxy
information.


Yes and no.  If an IMAP client support referrals, the frontends will
return a referral to the appropriate backend.  So, the client may connect
to the backend as well in some cases.


Oops, I forgot about that detail.  We locally patched referrals out of 
our IMAP proxies.


Umm, isn't there an option on the configuration to disable referrals? If 
not, do you have that patch available?


Also, one question on the communication between the frontends and 
backends. I made them speak using TLS and plain, but would like to use 
CRAM-MD5 or DIGEST-MD5 and no TLS at all. Is that possible?
Because when I disable TLS and force it to use the MD5 thing, the 
frontend complains that there are no mechs available.



--
Jesus Roncero [EMAIL PROTECTED]
System Developer
Tel: +44 (0) 845 666 7778
http://www.mxtelecom.com




Re: Failing to authenticate on the frontends

2006-10-05 Thread Jesus Roncero

Jesus Roncero wrote:

Oops, I forgot about that detail.  We locally patched referrals out of 
our IMAP proxies.


Umm, isn't there an option on the configuration to disable referrals? If 
not, do you have that patch available?


Also, one question on the communication between the frontends and 
backends. I made them speak using TLS and plain, but would like to use 
CRAM-MD5 or DIGEST-MD5 and no TLS at all. Is that possible?
Because when I disable TLS and force it to use the MD5 thing, the 
frontend complains that there are no mechs available.


Umm, I got it to work using DIGEST-MD5, but apparently, all 
communications are encrypted after the authentication. Is there a way in 
which all the communications between the frontends and the backends are 
*not* encrypted, except, probably, the authentication dialog?
I guess that's what CRAM-MD5 is for, but the frontend refuses to talk to 
the backend if it is presented with CRAM-MD5 only. Is there any way to 
do this or am I doing something really wrong? :)



--
Jesus Roncero [EMAIL PROTECTED]
System Developer
Tel: +44 (0) 845 666 7778
http://www.mxtelecom.com




Failing to authenticate on the frontends

2006-10-04 Thread Jesus Roncero

Hi,
So I got the whole murder system running. Apparently, both the frontend 
server and the backend server can communicate. I have a backend server 
that has a couple of mailboxes, one of which is called joe. I'm using 
a sasldb file on both of the machines (backend and frontend) to store 
users and passwords.


The problem is that when I connect to the frontend using an imap client, 
the authentication fails, as using telnet:


[EMAIL PROTECTED]:/etc$ telnet localhost 143
* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS] frontend Cyrus 
IMAP4 v2.3.7 server ready

1 login joe password
1 NO Login failed: authentication failure

However, if I _add_ a user/password joe to the local user database at 
the frontend, then it works:


[EMAIL PROTECTED]:/etc$ ../sasl/sbin/saslpasswd2 -c -f sasldb2 joe
[...]
[EMAIL PROTECTED]:/etc$ telnet localhost 143
* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS] frontend Cyrus 
IMAP4 v2.3.7 server ready

1 login joe password
1 OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED ACL 
RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME 
UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ 
THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE 
IDLE URLAUTH] User logged in


And from here on, an IMAP client is able to browse and see all the 
messages at joe's mailbox.


So, the question is, isn't the frontend supposed to contact the backend 
responsible for that mailbox in order to authenticate the user? Or does it 
need to have joe's password at the frontend as well?


Best wishes.

--
Jesus Roncero [EMAIL PROTECTED]
System Developer
Tel: +44 (0) 845 666 7778
http://www.mxtelecom.com




Trying to install murder

2006-10-03 Thread Jesus Roncero

Hi,
I am trying to get a murder installation on a couple of test machines, 
on one of which I don't have root access, so I installed a patched 
version of cyrus-imapd-2.3.7  which can be started from a regular user. 
Because of this, all ports are high ports.


The configuration is as follows:

Frontend server + mupdate server configured. Apparently everything works 
ok on high ports. The mupdate server listens at port number 2004. 
Configured with PLAIN and LOGIN and sasldb.


Backend server. Configured with PLAIN and LOGIN and sasldb.

I am following the instructions from: 
http://cyrusimap.web.cmu.edu/imapd/install-murder.html


And each machine has the configuration options set as in the document.

So, basically I have two running installations of cyrus-imapd-2.3.7 with 
cyrus-sasl-2.1.22 and db-4.4.20 that apparently run ok. Accessing them 
with cyradm works and I can do the usual stuff, like creating the 
mailboxes, etc. Even from the backend I can connect to the frontend 
using cyradm and it lets me do the usual stuff (except create mailboxes 
as that is not allowed on the frontends).


When I was about to test the system with the tool ctl_mboxlist -mw, all 
I got is a "couldn't connect to mupdate server" on the command line and 
a "couldn't authenticate to backend server". (Although I am trying to 
authenticate against the frontend server, I guess).


Anyway, I have debugged the application and found out that it fails when 
it reaches the function backend_authenticate in backend.c, which makes 
a call to saslclient and that one to sasl_client_start, which is part of 
the sasl library. From what I have seen, what sasl_client_start does is 
iterate through the mechlist that the frontend presents and through the 
backend list comparing them, but somehow it fails with an error like "No 
worthy mechs found". The backend definitely contacts the frontend as I 
checked it by sniffing the network.


So, as this is getting fairly complicated with many different 
configurations and options, instead of digging even more into the depths 
of sasl and cyrus source code ;) I'd like to ask here in case anyone 
could give me any hints or suggestions.


I have not copied any configuration file not to make this email 
eternally long, but would do.


Well, I think this is all, for now. Thanks at least for reading :)



--
Jesus Roncero [EMAIL PROTECTED]
System Developer
Tel: +44 (0) 845 666 7778
http://www.mxtelecom.com




Re: Trying to install murder

2006-10-03 Thread Jesus Roncero

Jesus Roncero wrote:

Hi,
I am trying to get a murder installation on a couple of test machines, 
on one of which I don't have root access, so I installed a patched 


I have found why it was not working for me. After googling extensively 
with no luck at all (I got some hints though), I found in one of my work 
colleague's mail archives the solution, from this mailing list. It is 
from a message dated in January 2006. The reason google doesn't find it 
is (probably) because there are no archives from January at 
http://lists.andrew.cmu.edu/pipermail/info-cyrus/


Anyway, so here it goes so it can be properly archived. Apparently 
murder needs to do all the communications between the frontends and the 
backends using CRAM-MD5 or TLS, if not, it would refuse to start. Looks 
like that is not documented anywhere or I am getting blind. Anyway, hope 
that it helps.


I guess that you will hear more about me as soon as I step into more 
problems :)


Best regards.
--
Jesus Roncero [EMAIL PROTECTED]
System Developer
Tel: +44 (0) 845 666 7778
http://www.mxtelecom.com

