Re: cyrus accounts and monitoring activity/usage
Have cyrus log to syslog if you haven't. Then use one of the many syslog parsing packages to gather those stats. Actually, a simple perl script on /var/log/messages would work. Or maybe get/write an extension to logwatch ( http://logwatch.org ) that'll gather those stats.

joe ritter wrote:

> Hello,
>
> Some time ago we began offering some free email accounts. We are using Cyrus/Squirrelmail and Sendmail. I am interested in looking at stats such as users that have never logged in, users that have accessed their account in the last 30 days, 60 days and 90 days etc. We are using auxprop and sasldb2 for authentication. I wanted to see from some of you what the best way to get this data is. I also wanted to see how some of you were going about this for reporting and account deletion. I am sure there are some gotchas involved.
>
> Thanks in advance.

-- Kervin Pierre http://kervin.net/ [EMAIL PROTECTED]
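An added example of the syslog-parsing approach suggested above, written for this page rather than taken from the thread or the Cyrus project, in Python instead of perl. It assumes imapd/pop3d log successful logins in the Cyrus 2.x form `Mon DD HH:MM:SS host imapd[pid]: login: client [ip] user mech User logged in`; the log lines, the account list and the report date are constructed for the example. It answers the poster's three questions in one pass: who has never logged in, who was active within 30/60/90 days, and who is a candidate for deletion.

```python
"""Account-activity report from Cyrus syslog login lines.

Added example for this thread, not code from the Cyrus project or the posters.
Assumption: imapd/pop3d log successful logins through syslog in the Cyrus 2.x form
  Mon DD HH:MM:SS host imapd[pid]: login: client [ip] user mech User logged in
The log lines, account list and report date below are constructed for the example.
"""
import re
from datetime import datetime, timedelta

LOGIN_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"(?:imapd|pop3d)\[\d+\]: login: \S+ \[(?P<ip>[^\]]+)\] (?P<user>\S+) \S+ User logged in"
)

# constructed sample: syslog carries no year, so the caller supplies it
SAMPLE_LOG = """\
Oct 14 01:15:25 mail imapd[4711]: login: client.example.net [192.0.2.10] alice plaintext User logged in
Sep  2 09:00:01 mail pop3d[4712]: login: other.example.net [192.0.2.11] bob plaintext User logged in
Jul 30 23:59:59 mail imapd[4713]: login: client.example.net [192.0.2.12] carol plaintext User logged in
Oct 14 01:16:00 mail imapd[4714]: badlogin: client.example.net [192.0.2.13] plaintext dave SASL(-13): authentication failure
Oct 15 12:00:00 mail imapd[4715]: login: client.example.net [192.0.2.10] alice plaintext+TLS User logged in
"""

# constructed account list (in practice: sasldblistusers2 or an ldapsearch)
ACCOUNTS = ["alice", "bob", "carol", "dave", "erin"]
REPORT_DATE = datetime(2002, 10, 20)


def parse_logins(text, year, now=None):
    """Return {user: datetime of most recent successful login}.

    Failed logins ("badlogin:") do not match the pattern and are ignored.
    Syslog timestamps lack a year, so a timestamp later than `now` is taken
    to belong to the previous year (log files spanning New Year).
    """
    last = {}
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime("%d %s %s %s" % (year, m["mon"], m["day"], m["time"]),
                               "%Y %b %d %H:%M:%S")
        if now is not None and ts > now:
            ts = ts.replace(year=year - 1)
        user = m["user"]
        if user not in last or ts > last[user]:
            last[user] = ts
    return last


def activity_report(accounts, last_login, now, windows=(30, 60, 90)):
    """Bucket accounts: never logged in, active within each window, idle beyond the largest."""
    accounts = set(accounts)
    report = {"never": sorted(a for a in accounts if a not in last_login)}
    for days in windows:
        cutoff = now - timedelta(days=days)
        report["active_%dd" % days] = sorted(
            u for u, ts in last_login.items() if u in accounts and ts >= cutoff)
    longest = max(windows)
    oldest = now - timedelta(days=longest)
    report["idle_over_%dd" % longest] = sorted(
        u for u, ts in last_login.items() if u in accounts and ts < oldest)
    # deletion candidates: never used, or idle beyond the longest window
    report["delete_candidates"] = sorted(
        set(report["never"]) | set(report["idle_over_%dd" % longest]))
    return report


if __name__ == "__main__":
    last = parse_logins(SAMPLE_LOG, REPORT_DATE.year, REPORT_DATE)
    for key, users in activity_report(ACCOUNTS, last, REPORT_DATE).items():
        print("%-18s %s" % (key, ", ".join(users) or "-"))
```

Feed it the real file with `parse_logins(open("/var/log/maillog").read(), year, datetime.now())` and the user list from `sasldblistusers2`; the one gotcha is the missing year in syslog timestamps, which the `now` argument handles for logs that cross New Year.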
2.2a, virtual domains and squirrelmail
Has anyone tried using squirrelmail with 2.2 virtual domains and got it to work with a mailbox on a virtual domain? http://www.squirrelmail.org/

-- Kervin Pierre [EMAIL PROTECTED]
financial support - Re: Per-Domain-Quota in 2.2 with virtual domainsturned on ?
Rob Siemborski wrote:

> doc/readme.html:
>
> If you wish to provide financial support to the Cyrus Project, send a check payable to Carnegie Mellon University to
>
>     Project Cyrus
>     Computing Services
>     Carnegie Mellon University
>     5000 Forbes Ave
>     Pittsburgh, PA 15213 USA
>
> I'm not sure it can be stated more clearly than that.

With a prominent link on the website, and the ability to use paypal or credit card?

-- Kervin Pierre [EMAIL PROTECTED]
Re: Per-Domain-Quota in 2.2 with virtual domains turned on ?
Ken Murchison wrote:

> This biggest problem here is that once again there is no incentive to do so. Neither I nor CMU have any (current) use for the virtdomain code. I did the current implementation because I got sick of hearing all of the bitching on the list about the lack of support. What bothers me most is that those people who can benefit the most from such support (eg, ISPs), don't seem willing to either pay for such support (either past or future work) or do the work themselves.

Hey, just got round to reading this. Not a flame, I agree. I'm not really in a position to offer support financially, but I think part of the problem is that there isn't an advertised way to financially support Cyrus development. Maybe your organization could offer a product based on cyrus, and promote buying that as one way to support cyrus. Or maybe a donation page can be set up? Just a few suggestions.

--Kervin
Add mailbox automatically
Just a thought, I am working on some PHP scripts to manage mailboxes and I have to use passthrough calls to execute cyradm to add mailboxes. I'd like to avoid opening a shell from the web for security and performance reasons. So what if a valid login to cyrus created a mailbox if one did not exist? I.e. it does a 'cm $login' if sasl or saslauthd reports that $login and its password succeeded. That way all a sysadmin using LDAP would have to do is an ldap_add() to create a mailbox. This would be true for MySQL users as well.

-- Kervin Pierre [EMAIL PROTECTED]
Re: saslauthd performance anxiety
[EMAIL PROTECTED] wrote:

> directory it's binding to is quite slow (it's actually a slapd instance running a shell backend which routes bind requests to different places depending on the usercode - don't ask...). Because saslauthd makes

Maybe you should seriously consider moving from back-shell to back-perl, which you can optimize much more and is probably quicker right off the bat, since it does not spawn a separate process for the interpreter. Better still, have you thought of back-meta or back-ldap? These were designed for ldap routing. I suspect you're optimizing the wrong bottleneck.

-- Kervin Pierre [EMAIL PROTECTED]
PHP Cyradm extension - Re: Add mailbox automatically
Thanks. I didn't know you could do that.

BTW, I browsed the PHP manual for more IMAP stuff and came across a Cyradm extension http://www.php.net/manual/en/ref.cyrus.php . It is undocumented. Has anyone used this extension with success??

--Kervin

Scott Russell wrote:

> On Wed, Jan 01, 2003 at 05:16:12PM -0500, Kervin L. Pierre wrote:
>> Just a thought, I am working on some PHP scripts to manage mailboxes and I have to use passthrough calls to execute cyradm to add mailboxes. I'd like to avoid opening a shell from the web for security and performance reasons.
>
> Here's a PHP function that I use to create user mailboxes with. It could use some clean up but it works for us. Beware line wraps.
>
>     function imap_acct_create($mailbox, $quota = '')
>     {
>         // creates user.$mailbox in cyrus 2.1.5
>         global $imap_error;
>
>         // half-open admin connection: no mailbox is selected, only admin commands are issued
>         $imap = @imap_open('{localhost:143/imap/notls}', 'cyrus', 'passwd', OP_HALFOPEN);
>         if (!$imap) {
>             $imap_error = imap_last_error();
>             return FALSE;
>         }
>
>         // create the new top level mailbox
>         $ret = @imap_createmailbox($imap, '{localhost}user.' . $mailbox);
>         if (!$ret) {
>             $imap_error = imap_last_error();
>             @imap_close($imap);
>             return FALSE;
>         }
>
>         // if needed, set the account quota
>         if ($quota != '') {
>             $ret = @imap_set_quota($imap, 'user.' . $mailbox, $quota);
>             if (!$ret) {
>                 $imap_error = imap_last_error();
>                 @imap_close($imap);
>                 return FALSE;
>             }
>         }
>
>         @imap_close($imap);
>         // if we get here everything worked
>         return TRUE;
>     }

-- Kervin Pierre [EMAIL PROTECTED]
Re: someoone are using saslauthd+ldaps?
Another option is to run a LDAP replica on your email server. Configure replication to use tls. Configure saslauthd to connect to localhost ( 127.0.0.1 specifically ). With this encryption is not necessary. You get a substantial speed increase, as you save encryption plus ldap lookups over the network.

--Kervin

Oliver Jones wrote:

> I've been trying to use saslauthd with pam and ldap+tls (ldaps) but I'm having saslauthd core dump on me. It might be worthwhile avoiding pam_ldap altogether and just use saslauthd's native ldap support.
>
> Regards
>
> On Sun, 2002-12-29 at 03:42, Felix Cuello wrote:
>> Hello! I'm working with saslauthd+pam+ldaps but in theory, saslauthd could work with LDAPS without pam authentication. Is someone using saslauthd + ldaps?, because my saslauthd works fine with LDAP but not with LDAPS...
>>
>> Felix
>
> -- Oliver Jones, Senior Software Engineer, Deeper Design Limited. [EMAIL PROTECTED] http://www.deeperdesign.com +64 (21) 41-2238

-- Kervin Pierre [EMAIL PROTECTED]
Re: saslatuhd, ldap, login incorrect :(
saslauthd+ldap is very reliable for me. I had this one issue which seemed to occur when I restarted OpenLDAP, but I think that's been fixed in CVS. Maybe you should upgrade LDAP to 2.1.x series? Try running ethereal and listening to the ldap traffic when the bad logins occur. Or running OpenLDAP with extra logging.

--Kervin

Felix Cuello wrote:

> Hello! I'm actually working with Cyrus 2.1.9 and sasl2.1.9 and sometimes (solved the entropy problem) my POP server sometimes returns incorrect username or password. It could be because I'm using ldap beta support of saslauthd? I'm working with LDAP 2.0.23.
>
> Thanks a lot!
>
> Felix
Re: LDAP Howto??
You don't need one :) Since LDAP is only used for authentication ( at least currently ), you only need to configure SASL to look to LDAP for auth, and have Cyrus use the saslauthd feature. Cyrus is configured as normal. saslauthd comes with a nice document on configuring for LDAP; it is in the saslauthd directory in the cyrus source. It's a straightforward process, no schema changes are necessary. Igor did a good job on this.

--Kervin

Gregory Chagnon wrote:

> Does anyone have any good resources for integrating Cyrus with OpenLDAP? I could use any help! Thanks!!
>
> -GC
Re: How stable is 2.2?
I've been using it for a week or two in production, no serious issues yet.

--Kervin

Tarjei Huse wrote:

> Hi, I'm going to upgrade my server in a few weeks, and in that respect, I'm considering going all the way to 2.2. How stable is 2.2 now?
>
> Tarjei
Re: ldap saslauthd minor issue
Ok. Well, something else caused saslauthd to lose its connection and start searching as anonymous. I'm sure I did not change the configuration, and restarting saslauthd fixed the problem.

--Kervin

Igor Brezac wrote:

> On Wed, 23 Oct 2002, Kervin L. Pierre wrote:
>> If the ldap server goes offline temporarily, and saslauthd binds with a special user, when the ldap server gets back online, saslauthd tries to use anonymous instead of the privileged user.
>
> No. anonymous in the code means whatever you passed as lak_bind_dn.
>
>> Or so it looks like on my machine. So I guess whenever the ldap server is restarted saslauthd will need to be restarted as well?
>
> You do not need to restart saslauthd. saslauthd will reconnect when the ldap server(s) comes back online. I tested this quite extensively with both auth methods.
>
> -Igor
Re: sendmail problem
Look at /var/log/maillog . It should give you a brief message on why the message was deferred. eg.

    dsn=4.0.0, stat=Deferred: Connection timed out with mail.domain.com

--Kervin

Dan Bishop wrote:

> Need some help. Email began acting up yesterday (or over the weekend). We can receive messages OK but we are having problems sending messages. Most don't get sent and the few that do take 3-5 minutes (in Messenger) to send.
>
> Linux Redhat, Sendmail, Cyrus on the Linux side. Netscape Messenger (some Outlook), IMP (webmail) on the client side. Novell 5.0, BorderManager 3.0 on the network.
>
> Webmail sends messages, but Messenger and Outlook do not. I tried to flush the mail queue but it does not work. I type sendmail -v -q at the terminal and we get the message:
>
>     Running /var/spool/mqueue/(a message number) (sequence 1 of 66)
>     email address... Connecting to cyrus...
>     email address... Deferred
>
> If I use Webmin in a browser, and click on the button Flush Mail Queue it brings up the following:
>
>     Forcing the attempted delivery of mail with the command /usr/sbin/sendmail -v -q ..
>     Running /var/spool/mqueue/g9MINvR03821 (sequence 1 of 67)
>     [EMAIL PROTECTED]... Connecting to cyrus...
>     [EMAIL PROTECTED]... Deferred
>
> What does the Deferred message mean? And why the difference in number of messages (66 or 67)? There are more messages in /var/spool/mqueue. Should they not be included in the total number of messages above, in the queue?
>
> We have restarted sendmail a number of times, and have even gone so far as to restart Linux. But all to no avail. I am headed home for the night (to see what I can find on the Internet), but thought to post this message before I leave.
ldap saslauthd minor issue
If the ldap server goes offline temporarily, and saslauthd binds with a special user, when the ldap server gets back online, saslauthd tries to use anonymous instead of the privileged user. Or so it looks like on my machine. So I guess whenever the ldap server is restarted saslauthd will need to be restarted as well?

--Kervin
Re: sasl 2.1.9 + LDAPS problem
Did you say ldapsearch worked on the commandline? '-d -1' if you want all the debug info. You can also use the openssl commands s_server and s_client for debugging ldaps. That's probably more helpful than ethereal. 'man s_server' and 'man s_client' for more info.

PS. For speed, if you have a busy mail server or you're paying for the bandwidth ldap uses, how about running a replica on your mail server and have saslauthd use '-H ldap://127.0.0.1/' or 'ldapi://' to connect to it. You can use ldaps for replication. This should speed-up your config considerably.

--Kervin

Igor Brezac wrote:

> On Wed, 16 Oct 2002, Felix Cuello wrote:
>> Here are the stdout of slapd. What do you think?
>
> Hmmm, unfortunately this is not telling me much. It indicates that a connection came in, but it is not an ldaps session. Did you run a saslauthd/ldaps session? You should see a lot more debug info including TLS trace.
>
> I just tested saslauthd/ldaps on sasl-2.1.9 and it works fine. I used openldap 2.1.6 (server and API) which should be more difficult to setup because openldap 2.1 API verifies the server certificate and 2.0 does not. Someone please correct me if I am wrong. ;)
>
> -Igor
>
>> thanks for your time and patience!
>>
>> Felix
>>
>>     @(#) $OpenLDAP: slapd 2.0.23-Release (Thu Feb 21 12:43:53 EST 2002) $
>>     [EMAIL PROTECTED]:/usr/src/build/73902-i386/BUILD/openldap-2.0.23/build-krb5/servers/slapd
>>     daemon_init: listen on ldap:///
>>     daemon_init: listen on ldaps:///
>>     daemon_init: 2 listeners to open...
>>     ldap_url_parse_ext(ldap:///)
>>     daemon: socket() failed errno=97 (Address family not supported by protocol)
>>     daemon: initialized ldap:///
>>     ldap_url_parse_ext(ldaps:///)
>>     daemon: socket() failed errno=97 (Address family not supported by protocol)
>>     daemon: initialized ldaps:///
>>     daemon_init: 2 listeners opened
>>     slapd init: initiated server.
>>     slap_sasl_init: initialized!
>>     slapd startup: initiated.
>>     slapd starting
>>     ldap_pvt_gethostbyname_a: host=upsoluciones, r=0
>>     daemon: conn=0 fd=10 connection from IP=200.69.213.9:1478 (IP=0.0.0.0:31746) accepted.
>>
>> --- Felix Cuello [EMAIL PROTECTED] Qodiga/its http://www.qodiga.com
Re: passing envelope recipient with sendmail
Christian, thanks for the tip. I tried it, but it did not work by itself. I had to edit the generated cf file and under the 'Parse1' part of 'Rule 0', change...

    R$+ < @ $=w . >		$#cyrusv2 $: $1		regular local name

To...

    R$+ < @ $=w . >		$#cyrusv2 $: $1 < @ $2 . >	regular local name

I have no idea what this change breaks :) but it seems to be the only way I can get sendmail to pass the full address to cyrus.

--Kervin

Christian Schulte wrote:

> Kervin L. Pierre wrote:
>> Hi, The virtual server doc says...
>>
>> Delivering mail: To deliver mail to your virtual domains, configure your MTA so that the envelope recipient (RCPT TO) passed to lmtpd is fully qualified with the correct domain.
>>
>> What does this equate to in terms of sendmail configuration? Sendmail passes the recipients address without the domain part for me, and thus the mail bounces.
>>
>> thanks, --Kervin
>
> You have to change your cyrusv2.mc file:
>
>     S=EnvFromSMTP/HdrFromL, R=EnvToSMTP/HdrToSMTP, E=\r\n,
>
> Change the rules and it will work!
passing envelope recipient with sendmail
Hi, The virtual server doc says...

> Delivering mail: To deliver mail to your virtual domains, configure your MTA so that the envelope recipient (RCPT TO) passed to lmtpd is fully qualified with the correct domain.

What does this equate to in terms of sendmail configuration? Sendmail passes the recipients address without the domain part for me, and thus the mail bounces.

thanks, --Kervin
[patch]saslauthd+ldap+virtual_domains
Hi, attached is a patch to cyrus/saslauthd/lak.c to allow it to expand '%d' macro in ldap_search_base option to the domain context derived from the realm '%r'. eg. ldap_search_base: ou=people, %d in saslauthd.conf if realm is 'domain.tld', the ldap search base will expand to 'ou=people,dc=domain,dc=tld' Does imapd always provide the realm in a virtual server environment when authenticating users? Is it safe to assume that the realm is 'domain.tld' or more specifically the domain given to mkimap script? Is this correct/incorrect/unnecessary? --Kervin --- lak.c.orig Mon Oct 14 01:15:25 2002 +++ lak.c Mon Oct 14 14:37:23 2002 -68,11 +68,11 static int lak_config_getswitch(const char *, int ); static int lak_config(const char *, LAK_CONF **); static int lak_escape(const char *, char **); -static int lak_filter(LAK *, const char *, const char *, char **); +static int lak_filter(LAK *, const char *, const char *, const char *, char **); static int lak_connect(LAK *); static int lak_bind(LAK *, char, const char *, const char *); static int lak_init(const char *, LAK **); -static int lak_search(LAK *, const char *, const char **, LDAPMessage **); +static int lak_search(LAK *, const char *, const char *, const char **, LDAPMessage +**); static int lak_retrieve(LAK *, const char *, const char *, const char **, LAK_RESULT **); static int lak_auth_custom(LAK *, const char *, const char *, const char *); static int lak_auth_bind(LAK *, const char *, const char *, const char *); -327,45 +327,77 * %% = % * %u = user * %r = realm + * %d = realm as a domain context * Note: calling function must free memory. 
*/ -static int lak_filter(LAK *lak, const char *username, const char *realm, char **result) +static int lak_filter(LAK *lak, const char *filter, const char *username, const char +*realm, char **result) { - char *buf; - char *end, *ptr, *temp; + char *buf, *domain_str = NULL; + char *temp; + const char *ptr, *end; char *ebuf; - int rc; + int rc, i,j; /* to permit multiple occurences of username and/or realm in filter */ /* and avoid memory overflow in filter build [eg: (|(uid=%u)(userid=%u)) ] */ - int percents, realm_len, user_len, maxparamlength; + int percents, realm_len, user_len, domain_len, maxparamlength; - if (lak-conf-filter == NULL) { + if (filter == NULL) { syslog(LOG_WARNING|LOG_AUTH, filter not setup); return LAK_FAIL; } - /* find the longest param of username and realm */ + /* expand domain only if we have a realm */ + if( realm!=NULL strlen(realm)3) + { + /* find the size of the domain string */ + domain_len = 0; + for(i=0;istrlen(realm);i++) + if(realm[i]=='.') + domain_len++; + /* strlen(,dc=) is equal to 4 */ + /* strlen(dc=) is equal to 3 */ + domain_len = domain_len*4 + strlen(realm) + 3; + + domain_str=calloc(1,domain_len+1); + if(domain_str == NULL) { + syslog(LOG_ERR|LOG_AUTH, Cannot allocate memory); + return LAK_NOMEM; + } + + strncat(domain_str, dc=, 3); + for(i=0,j=3;istrlen(realm);i++) { + if(realm[i]=='.') { + strncat(domain_str[j], ,dc=, 4); + j += 4; + } + else domain_str[j++] = realm[i]; + } + } + + /* find the longest param of username, realm or domain context*/ user_len=strlen(username); realm_len=strlen(realm); if( user_len realm_len ) maxparamlength = user_len; else maxparamlength = realm_len; + if( maxparamlength domain_len ) + maxparamlength = domain_len; /* find the number of occurences of percent sign in filter */ - for( percents=0, buf=lak-conf-filter; *buf; buf++ ) { - if( *buf == '%' ) percents++; + for( i=0,percents=0; istrlen(filter); i++ ) { + if( filter[i] == '%' ) percents++; } - buf=malloc(strlen(lak-conf-filter) + 
(percents * maxparamlength) +1); + buf=malloc(strlen(filter) + (percents * maxparamlength) +1); if(buf == NULL) { syslog(LOG_ERR|LOG_AUTH, Cannot allocate memory); return LAK_NOMEM; } buf[0] = '\0'; - ptr=lak-conf-filter; + ptr=filter; end = ptr + strlen(ptr); while ((temp=strchr(ptr,'%'))!=NULL ) { -404,6 +436,18 syslog(LOG_WARNING|LOG_AUTH, Realm not available.); } break; +
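Review bot: in the first hunk (the prototype block at -68,11) `lak_filter` and `lak_search` each gain an extra leading `const char *`, giving three or four adjacent `const char *` parameters with nothing at the prototype saying which is the template, the username and the realm; callers can swap them without a compiler warning, so add a short comment at the prototypes (`/* filter template, username, realm, result */`) or name the parameters in the declarations so the new order is documented.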
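Review bot: in the `lak_filter` hunk the `%d` expansion splices realm bytes straight into a DN, rewriting only `.` to `,dc=`, so a realm containing `,`, `=`, `+`, `\` or `"` changes the search base rather than selecting a domain under it; since the realm is supplied by the client, either validate it as DNS labels (letters, digits, `-`, `.`) before the loop or DN-escape each label (RFC 2253) as it is copied into `domain_str`, the way `lak_escape` already protects the filter. In the same hunk `domain_len` is only assigned inside the `realm != NULL` branch but is read unconditionally afterwards in `if (maxparamlength < domain_len) maxparamlength = domain_len;`, so initialise it to 0 at declaration; and `realm_len = strlen(realm)` still runs when realm is NULL, which the new branch shows is a possible input.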
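Review bot: the last hunk (-404,6 +436,18) is cut off right after the `break;` for the `%r` case and the added `+` line, so the `%d` case that should consume `domain_str`, and the `free(domain_str)` that the `calloc` in the previous hunk requires, are not visible in the post; repost the complete hunk and make sure `domain_str` is freed on every return path of `lak_filter`, including the early `LAK_NOMEM` return after the `malloc` of `buf` and the "Realm not available." warning path.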
[patch]saslauthd+ldap+virtual_domains
Hi, http://my.fit.edu/~kpierre/lak.c.1.patch patch to cyrus/saslauthd/lak.c to allow it to expand '%d' macro in ldap_search_base option to the domain context derived from the realm '%r'. eg. ldap_search_base: ou=people, %d in saslauthd.conf if realm is 'domain.tld', the ldap search base will expand to 'ou=people,dc=domain,dc=tld' Does imapd always provide the realm in a virtual server environment when authenticating users? Is it safe to assume that the realm is 'domain.tld' or more specifically the domain given to mkimap script? Is this correct/incorrect/unnecessary? --Kervin
Re: [patch]saslauthd+ldap+virtual_domains
Thanks for the clarification,

How about an option to extract the domain context from %u for the search base? ie. The option derive %d from %u instead of %r.

I think there's an opportunity to greatly improve the search times. The global search may have to go through hundreds of thousands of records, while a more directed search may just be single scope search with a few hundred records to look at.

Thanks, --Kervin

Igor Brezac wrote:

> On Mon, 14 Oct 2002, Kervin L. Pierre wrote:
>> Hi, attached is a patch to cyrus/saslauthd/lak.c to allow it to expand '%d' macro in ldap_search_base option to the domain context derived from the realm '%r'. eg. ldap_search_base: ou=people, %d in saslauthd.conf if realm is 'domain.tld', the ldap search base will expand to 'ou=people,dc=domain,dc=tld'
>>
>> Does imapd always provide the realm in a virtual server environment when authenticating users? Is it safe to assume that the realm is 'domain.tld' or more specifically the domain given to mkimap script? Is this correct/incorrect/unnecessary?
>
> In most cases an organization will have one realm. Realms should not be confused with domains. In virtual domain setup, %u will look like [EMAIL PROTECTED] and unless you setup a realm, %r will be blank. So, %d is not necessary in this case.
Re: [patch] search domain from %u
I modified the patch to take the search domain from the username %u, for virtual server environments. http://my.fit.edu/~kpierre/lak.c.2.patch

PS. I am not having luck with the global search ( ie. the current method, -b ), I keep getting object not found although a search under a specific domain context works ( ie. -b ou=... ).

Let me know what you think

--Kervin

Igor Brezac wrote:

> On Mon, 14 Oct 2002, Kervin L. Pierre wrote:
>> Hi, attached is a patch to cyrus/saslauthd/lak.c to allow it to expand '%d' macro in ldap_search_base option to the domain context derived from the realm '%r'. eg. ldap_search_base: ou=people, %d in saslauthd.conf if realm is 'domain.tld', the ldap search base will expand to 'ou=people,dc=domain,dc=tld'
>>
>> Does imapd always provide the realm in a virtual server environment when authenticating users? Is it safe to assume that the realm is 'domain.tld' or more specifically the domain given to mkimap script? Is this correct/incorrect/unnecessary?
>
> In most cases an organization will have one realm. Realms should not be confused with domains. In virtual domain setup, %u will look like [EMAIL PROTECTED] and unless you setup a realm, %r will be blank. So, %d is not necessary in this case.
saslauthd,ldap,virtual_domains
Is there a way to dynamically modify the ldap_search_base attribute of saslauthd so that it searches a particular DIT of the LDAP server? eg. a way to split the realm ( %r ) macro, then build a search base off that. ie.

    ldap_search_base: ou=people,%d

Where %d explodes to dc=domain,dc=tld, derived from the realm, %r. I say this because I think it's a fairly common setup to have domains as...

    ou=people,dc=domain1,dc=tld
    ou=people,dc=domain2,dc=tld
    ...

Or maybe I'm just weird :) Has this been done? Is it somehow necessary?

Thanks, --Kervin
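An added example, not saslauthd's lak.c and not code from the Cyrus project or the posters, showing the %d expansion discussed in this question and in the patch threads above in Python: the domain context comes from the realm (%r) when one is set, otherwise from the domain part of a user@domain login (%u), as Igor's reply suggests it must in a virtual-domain setup. Both values are supplied by the client, so the example validates the domain as DNS labels and escapes each macro for the place it lands in (RFC 2253 escaping for the search base DN, RFC 4515 escaping for the search filter); a crafted domain part is rejected rather than being allowed to rewrite the base DN. The macro names, the helper names and the sample inputs are the example's own assumptions.

```python
"""Per-domain search-base expansion for an LDAP authenticator.

Added example for this thread; not saslauthd's lak.c and not code from the
Cyrus project.  %d is derived from the realm (%r) when set, else from the
domain part of a user@domain login (%u).  Both come from the client, so the
domain is validated as DNS labels and every value is escaped for the context
it is spliced into.  Names and sample inputs are the example's own assumptions.
"""
import re

LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def dn_escape(value):
    """Escape one attribute value for use inside a DN (RFC 2253 section 2.4)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        elif ord(ch) < 0x20:
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def filter_escape(value):
    """Escape one value for use inside a search filter (RFC 4515 section 3)."""
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\x00' else ch for ch in value)


def domain_context(domain):
    """'domain.tld' -> 'dc=domain,dc=tld'; anything that is not DNS labels is rejected."""
    labels = domain.split('.')
    if not all(LABEL_RE.match(label) for label in labels):
        raise ValueError("not a valid domain name: %r" % domain)
    return ','.join('dc=' + dn_escape(label) for label in labels)


def split_user(username):
    """'user@domain' -> ('user', 'domain'); ('user', None) when there is no domain part."""
    local, sep, domain = username.rpartition('@')
    return (local, domain) if sep else (username, None)


def expand(template, username, realm, escape):
    """Expand %u, %r, %d and %% in template; %u and %r go through `escape`."""
    domain = realm or split_user(username)[1]

    def repl(m):
        key = m.group(1)
        if key == '%':
            return '%'
        if key == 'u':
            return escape(username)
        if key == 'r':
            return escape(realm or '')
        if key == 'd':
            if not domain:
                raise ValueError("%d used but neither a realm nor a user domain is available")
            return domain_context(domain)
        raise ValueError("unknown macro %%%s" % key)

    return re.sub(r'%(.)', repl, template)


def expand_search_base(template, username, realm=None):
    """Search base is a DN, so macro values get DN escaping."""
    return expand(template, username, realm, dn_escape)


def expand_filter(template, username, realm=None):
    """Filter values get filter escaping, which differs from DN escaping."""
    return expand(template, username, realm, filter_escape)


def rejected(template, username, realm=None):
    """True when the search base cannot be built safely from this input."""
    try:
        expand_search_base(template, username, realm)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(expand_search_base("ou=people,%d", "alice@example.com"))       # domain from %u
    print(expand_filter("(uid=%u)", "alice@example.com"))
    print(expand_search_base("ou=people,%d", "alice", realm="domain.tld"))  # domain from %r
    print(rejected("ou=people,%d", "alice@example.com,dc=evil"))          # crafted input
```

The point the thread circles around is that `%d` is only as trustworthy as its source: whether it comes from the realm or from the login name, it is attacker-controlled text that ends up in a DN, so it needs validation or DN escaping before it can narrow the search to one domain's subtree.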
Re: hierarchical grouping of users
Another interesting package is ispman http://sourceforge.net/projects/ispman/ It uses LDAP for its datastore.

--Kervin

Mike O'Rourke wrote:

> There is a package called web-cyradm that uses a mysql or pgsql (a recent addition) database for user management and authentication. With it you can group your users and you can set and change quotas for all users in a group. The project's home page is here: http://www.delouw.ch/linux/web-cyradm/index.php
>
> I have played with it, but want to migrate to an LDAP solution, so I did not invest much time in it.
>
> Jules Agee said:
>> Some of what you suggest is possible if you set up an LDAP directory. Specifically, the maildap program that is distributed with OpenLDAP allows you to deliver mail to a hierarchy of groups. The difference is that the group expansion is done in the area of the MTA (where it belongs). I am using it right now in production and it works great.
>>
>> If I remember correctly, someone submitted a few patches to the list a while back for using LDAP to manage quotas, but I don't recall whether it was hooked into the group mechanism or just single-user quota info stored in the directory.
>>
>> -Jules
>>
>> Mark Keasling wrote:
>>> Hi, I have a question about user management. (Well not me in particular but it was raised here and I've been tasked with finding out.) Currently user management seems to be done on a one by one basis. Won't management become difficult when users number in the thousands or tens of thousands? Has there been or is there being done any work on groups in particular hierarchical groups? The groups could be used as a target for management tasks such as setting quotas, access restrictions and what not. A change made to the group would be propagated to all of the members. The functionality could also be extended to mail delivery so that mail sent to the group could optionally be delivered to the members. Any thoughts?
>>>
>>> Regards, Mark Keasling
>>
>> -- Jules Agee, System Administrator, Pacific Coast Feather Co. [EMAIL PROTECTED] x284
CVS questions
Hi, I'm about to build/configure CVS imapd 2.2 branch for virtual domain support with a single IP. I have a few questions before I start.

What are the CVS branches, tags available for download? Which do I use if I want 2.2 branch? http://asg.web.cmu.edu/cyrus/download/anoncvs.html gives a CVS checkout command without a branch tag, is that the 2.2 source?

What sasl do I use for 2.2 imapd? If CVS, again which branch should I checkout?

Thanks, --Kervin