Inconsistent sieve parse errors

2005-02-12 Thread Kevin M. Myer
I had posted about a week ago about Debugging Sieve scripts.  Unfortunately, I
didn't get any response and unfortunately, I'm still having problems with Sieve
behaving erratically.  For reference, my Cyrus-IMAP install is version 2.1.16
on Red Hat Linux.

We use two packages to generate Sieve scripts - websieve and the Ingo module
from the Horde project.  I'm seeing oddities with scripts produced by both
packages.

Example:  a user goes on vacation and uses websieve to turn on their vacation
notice.  They come back and turn off the notice.  Some commented out
Pseudo-Code from websieve is left in the default script file and this causes
parse errors.

Sieve script:
# Mail rules for user user_name
# Created by Websieve version 0.61i


##PSEUDO script start
#vacation1[EMAIL PROTECTED], [EMAIL PROTECTED]I will be out of the
office from date, returning date.  If there is an emergency, email User Name
[EMAIL PROTECTED] or call phone numberoff
#modebasic

The essence of this script is five commented out lines (the one that starts with
vacation wraps), and two blank lines with only CR/LF.  Yet this file generates
the following error:

sieve parse error for user_name: line 6: parse error, unexpected STRING

So sieve appears to be ignoring hash marks that should serve as comments.

Second oddity is my own script, which I mentioned in my previous message. 
Periodically (and it appears to be message load related), Sieve will just stop
filtering and messages that should be filtered into mailboxes drop into my
INBOX.  This appears to be triggered by turning on the vacation messages, as I
start to see the messages appear during the time I'm out of the office and in
this case, at least two weeks after I'm back and the vacation message is off. 
I use Ingo to generate my script and thinking it was something in that module
causing the problem, I restored my script that was working fine prior to being
out of the office.  A diff revealed absolutely no changes, except the timestamp
in the comment, created by Ingo.

The following error message appears in the log:

sieve parse error for kevin_myer: line 3: parse error, unexpected STRING

and lines 1,2, and 3 are:
# sieve filter generated by Ingo (February 7, 2005, 2:04 pm)

require fileinto;

So I'm puzzled what's wrong here.  And why it only happens sporadically.  And
why, before I turn on the vacation message, it doesn't happen at all.

And yet another oddity from my script:

# sieve filter generated by Ingo (February 7, 2005, 2:04 pm)

require fileinto;

# Dell OMSA problems
if anyof ( header :comparator i;ascii-casemap :contains Subject Dell
problems, header :comparator i;ascii-casemap :contains Subject Alert from
ERA ) {
redirect [EMAIL PROTECTED];
keep;
stop;
}

The error generated:

sieve parse error for kevin_myer: line 7: address '[EMAIL PROTECTED]': parse
error, unexpected '@', expecting $

So do I have a whole bunch of buggy user scripts?  Or is sieve acting up?

Cyrus-imapd has been restarted since I first had these problems, to update an
SSL certificate.  The problems persist.

Thanks for any input or feedback or suggestions.

Kevin
-- 
Kevin M. Myer
Senior Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
(717) 560-6140

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Debugging Sieve scripts

2005-02-02 Thread Kevin M. Myer
Hello,

I have a problem that periodically crops up, then usually goes away and I never
get around to diagnosing the root cause of it.  It seems to be triggered
whenever I set a vacation/out of office message.  When I enable a vacation
message, messages that would normally be filed into folders start appearing in
my INBOX.  It becomes annoying quickly when you come back and have to sort
through 300+ messages to find the things you want to see (other mail is list
mail and system log messages).  Normally, disabling the vacation notification
solves the problem but this time it didn't.

What I find even stranger is there appears to be no rhyme or reason for letting
one message be filtered and another not.  I'm getting a lot of virus
notifications for the latest version of the Bagle worm.  The majority of these
are filed into my virus folder.  A few end up in my INBOX.  All should be
caught by the same sieve script but aren't.  Same with list mail and system log
messages.  The bulk are filtered properly but a few sneak through into my
INBOX.  The messages that come through appear to be identical in nature to the
messages that are filed.  It appears as if Sieve gets periodically overwhelmed,
and just gives up on filtering for short periods of time.

I haven't been able to rule out that there's a bug in the program that I use to
generate the scripts (Ingo 1.0.1 from the Horde project).  So I'm wondering if
there is a way I can take a message that made it by Sieve, and somehow run
Sieve in test mode, in much the same manner you can test ClamAV or
SpamAssassin on a message and have it report back what the results are for a
single message.  I'd like to have it run through my sieve script, show me the
matches and then tell me what it would have done with the message.

Short of there being a bug in the script itself, does anyone else have any ideas
why Sieve behaves erratically, apparently triggered by turning vacation notices
on, and then will eventually clear itself up?

Thanks,
Kevin



-- 
Kevin M. Myer
Senior Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
(717) 560-6140



Ok to kill single imapd processes?

2004-04-13 Thread Kevin M. Myer
Hello,

We are running an installation of Cyrus IMAPd.  There is one particular imapd
process hanging around that has been terminated on the other end (i.e. laptop
is no longer there, device in between doing NAT has been rebooted and our
firewall shows no connection).  However, the mail server still thinks the
connection is open.

http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&searchterm=kill&msg=28259
pretty much describes the symptoms we are seeing.  There are cyrus.cache.NEW
and cyrus.index.NEW files hanging around, although as Rob points out, these are
often red herrings.  However, mail cannot currently be delivered to this user
and the timestamp of the last mail delivery is just a little before those new
files were created.  The mail client is Thunderbird and if the creation of the
.NEW files is related to an expunge, then likely, this user was logging out of
Thunderbird at the time.

My overall question would be:  can I safely kill the two phantom imapd processes
that are hanging around?  I know they're managed by the master process but
their existence is apparently causing message delivery to fail via LMTP for
this user and the mail server is delivering mail with minutes of delay instead
of seconds for all users.  I'm fairly certain it's all related but I really
don't want to bounce the entire master process in the middle of the day, unless
things continue to deteriorate.

Version info:  Red Hat Linux 7.3, Cyrus IMAPd 2.1.11, using skiplist for mbox
and seen, db3 for duplicate and tls, and flat for subs.

Kevin

--
Kevin M. Myer
Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
(717) 560-6140



Red Hat Linux/BDB dependencies upgrade questions

2002-12-12 Thread Kevin M. Myer
Hello,

I have an update scheduled for our mail server over the Christmas break
(assuming I can get all the snags worked out of the upgrade process).  Where I
currently am:

Cyrus-IMAPd v2.1.0pre (from CVS just before SASLv2 was required)
Cyrus-SASL v1.5.27 w/ Simon Loader's LDAP patch
Red Hat Linux 7.1 w/ all errata applied
Berkeley DB is Red Hat's packages, version 3.2.9

Where I want to go:
Cyrus-IMAPd v2.1.11
Cyrus-SASL v2.1.10 using saslauthd w/ LDAP authentication
Red Hat Linux 7.3 w/ all errata applied
skiplist backend

The snag I ran into is this:  I restored my /var/imap from my production mail
server to my test mail server, from backup.  For starters, I used Simon Matter's
Cyrus IMAP RPM and his conversion scripts and upgraded my RPM on the test
server.  While the conversion script appeared to run, checking the logs showed
that not to be the case.  My log showed this:

cvt_cyrusdb[25043]: DBERROR db3: Program version 3.3.11 doesn't match
environment version 3.2.9

I think this is easily explained - Red Hat 7.1 uses BDB 3.2.9 and Red Hat 7.3
uses BDB 3.3.11 (but it has a 3.2.X compatibility library).  But suffice to say,
I've not been able to get anything that's in BDB format into skiplist format.
I've done the following:  db32_dump the database files (mailboxes.db,
tls_sessions.db, and deliver.db) to text, then db_load the text file to a new
database.  The size of the database is cut in about a half but cvt_cyrusdb
complains about the same above problem.  So I temporarily made libdb3.3
disappear and recompiled Cyrus, so it would link with libdb3.2 and reinstalled.
 Then the message changes to:

cvt_cyrusdb[22807]: incorrect version of Berkeley db: compiled against 3.3.11,
linked against 3.2.9

This is probably because in Red Hat 7.3, while they provide a compatibility 3.2
library, they don't provide the 3.2 headers so I'm thinking it linked against
3.2 but used the 3.3 headers.

So where I'm headed now in my thinking is to leave the server at Red Hat 7.1
until I get everything converted to skiplist, then upgrade to 7.3, at which
point it won't matter (hopefully) what version of BDB I have installed.  For
that to work, I need to make sure that there are no BDB version dependencies in
Cyrus IMAP.  By that I mean are there any other databases (besides mailboxes.db,
deliver.db and tls_sessions.db) that need to be converted from BDB to skiplist?
 FWIW, the /var/imap/users/* flat databases converted to skiplist just fine. 
What about the cyrus.* files in a user's mailbox (cyrus.index, cyrus.header, and
cyrus.cache)?  And is /var/imap/db/* simply the database transaction log?  Or do
I have to worry about converting that to something else as well?

Bottom line is this: if I convert mailboxes.db, deliver.db and tls_sessions.db
from BDB 3.2.9 -> skiplist, then upgrade to a new version of BDB and Red Hat
Linux 7.3, are there any other databases I need to upgrade?

Or is there an easier way to deal with different BDB versions across the Red Hat
distributions so that I can upgrade to 7.3 first, turn on some environment
compatibility flag, and migrate to skiplist?  The general consensus I gather
from this list seems to be that skiplist is the way to go but running configure
--help at least says that db3 or flat databases are the default for all the
databases listed (duplicate-db, mboxlist-db, seen-db, subs-db, and tls-db).  I
know Simon's RPMs use skiplist for a number of those but if skiplist is the way
to go, why isn't it the default?

If anyone has been down this road before, I'd appreciate your insight.

Thanks,
Kevin

--
Kevin M. Myer
Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
(717) 560-6140




Question: How to specify path to saslauthd mux socket in imapd.conf?

2002-12-09 Thread Kevin M. Myer
Hi,

With the recent Cyrus IMAP buffer overflow exploit, it's time to upgrade our mail
server.  I've been sitting on a Cyrus IMAP 2.1.X CVS install from right before
the SASL2 requirement went into effect and have been holding off on upgrading
until I can figure out a decent path to go from SASL1 -> SASL2 and still keep
LDAP authentication working.  Currently, I'm using Simon's LDAP authentication
patch for SASLv1.  I have four different domains, all being served out of
different trees on the same directory server.  With sasl_auto_transition turned
on, CRAM-MD5 and DIGEST-MD5 authentication works after an initial plaintext
login (done at account setup on a local network).  Since saslauthd only supports
plaintext passwords for LDAP authentication, I'm thinking that if I trade the
stronger SASL authentication off for requiring TLS for the entire IMAP
conversation (via , I don't give anything up security-wise.  In other words, I
can rely on the transport layer to provide encryption, instead of a higher layer
and that way email can't be sniffed either.

So I upgraded to the latest versions of Cyrus SASL (2.1.10) and Cyrus IMAP
(2.1.11) today on my test server.  I got saslauthd working fine with LDAP for
one Cyrus IMAP virtual domain (the altconfig type meaning I specify a full set
of services per domain, bound to a unique IP address and I have a unique
imapd.conf for each domain, I'm not talking about the newer virtual domain
support).  What I still need to figure out is how to specify which saslauthd mux
socket for each domain's imap process to connect to.  I know how to start
multiple saslauthd's and specify which socket for them to create but I need to
know how to specify in /etc/imapd.conf which of those sockets to connect to.  I
can't seem to find that documented anywhere (probably because it's only in this
special case scenario that you'd even need to use it :)

Also, is it reasonable to think that most major IMAP clients could handle
talking to a server that only listens on imaps (basically my forcing of TLS idea
above)?  I know my webmail client, IMP, can handle that but can most other
standalone clients handle imaps well and will they barf over self-signed
certificates?

As always, if there's a simpler way to do this whole thing, I'd like to hear
about it.  What I have now works extremely well, so I'm not inclined to change
it too much but I could be missing something very obvious too.  I know there's
supposedly an OpenLDAP 2.X internal auxprop plugin in the works but that won't
help me too much since our directory server is iPlanet DS.  Maybe it's time to
bite the bullet and migrate directory server platforms too...

Thanks,
Kevin

-- 
Kevin M. Myer
Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
(717) 560-6140




Re: Question: How to specify path to saslauthd mux socket in imapd.conf?

2002-12-09 Thread Kevin M. Myer
As usual, I find the answer in the documentation shortly after I release my
question to the list.  You can specify sasl_saslauthd_path in imapd.conf and
that works.  What doesn't work is that the SASL documentation claims that:

saslauthd_path  SASL  Library  Path  to  saslauthd  run directory (not
   including the /mux named pipe) system dependant

I couldn't get it to work without including the /mux named pipe, both when
launching saslauthd with the -m option and in imapd.conf.  I'm not subscribed to
the sasl list so maybe someone who straddles both lists can commit a fix (or
maybe I'm reading the documentation wrong, in which case I need to commit a fix
to my brain).

Ex:

Directory is /var/test
named pipe should be /var/test/mux

If I start saslauthd with:
saslauthd -m /var/test -a ldap

and include in imapd.conf:
sasl_saslauthd_path: /var/test

saslauthd complains that:
 FATAL: /var/test: Address already in use

Including the mux named pipe causes this to work so I think the documentation
should read that you DO need to include the mux named pipe or maybe the
saslauthd_path option should be changed to saslauthd_mux_path.

Now I just need to test and make sure multiple different instances of saslauthd
don't clobber each other's internal structures.

FWIW, this is on Red Hat Linux 7.1 (and a half because I ended up backporting so
many packages from newer releases) on Intel hardware.  Kernel is 2.4.9-smp-34 -
I'll probably be updating to RedHat 7.3 over Christmas break.

Kevin

-- 
Kevin M. Myer
Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
(717) 560-6140
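
A preflight check for the per-domain setup described in this message, added here as an example and not code from the post or from the Cyrus or SASL projects: it reads sasl_saslauthd_path from each domain's imapd.conf and reports a path that names the run directory instead of the mux socket, a socket that does not exist, and two configs that share one socket. The file names and the temporary layout built in demo() are constructed.

```python
import os
import socket
import stat
import tempfile
from collections import defaultdict


def read_conf(path):
    """Parse the 'option: value' lines of an imapd.conf-style file."""
    opts = {}
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if line and not line.startswith("#") and ":" in line:
                key, value = line.split(":", 1)
                opts[key.strip()] = value.strip()
    return opts


def is_socket(path):
    """True if path exists and is a Unix domain socket."""
    try:
        return stat.S_ISSOCK(os.stat(path).st_mode)
    except OSError:
        return False


def check_saslauthd_paths(conf_files):
    """Return {conf_file: [finding, ...]}; an empty list means no finding."""
    findings = {conf: [] for conf in conf_files}
    users = defaultdict(list)  # resolved socket path -> configs that use it
    for conf in conf_files:
        path = read_conf(conf).get("sasl_saslauthd_path")
        if path is None:
            findings[conf].append("sasl_saslauthd_path is not set")
        elif is_socket(path):
            users[os.path.realpath(path)].append(conf)
        elif os.path.isdir(path):
            # The case from the post: the run directory was given, not the socket.
            mux = os.path.join(path, "mux")
            hint = f"use {mux}" if is_socket(mux) else "no mux socket inside"
            findings[conf].append(f"{path} is a directory ({hint})")
        elif os.path.exists(path):
            findings[conf].append(f"{path} exists but is not a Unix socket")
        else:
            findings[conf].append(f"{path} does not exist; is saslauthd running?")
    # Two domains on one socket authenticate against the same saslauthd,
    # which removes the per-domain separation the setup relies on.
    for sock, confs in users.items():
        if len(confs) > 1:
            for conf in confs:
                others = ", ".join(c for c in confs if c != conf)
                findings[conf].append(f"{sock} is also used by {others}")
    return findings


def demo():
    """Build a constructed layout in a temp dir; return findings keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        run_a = os.path.join(tmp, "a")
        os.mkdir(run_a)
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        listener.bind(os.path.join(run_a, "mux"))  # stands in for a running saslauthd
        settings = {
            "good.conf": os.path.join(run_a, "mux"),
            "dir.conf": run_a,
            "dup.conf": os.path.join(run_a, "mux"),
            "gone.conf": os.path.join(tmp, "b", "mux"),
        }
        confs = []
        for name, value in settings.items():
            conf = os.path.join(tmp, name)
            with open(conf, "w") as fh:
                fh.write("# constructed sample\nsasl_saslauthd_path: %s\n" % value)
            confs.append(conf)
        result = check_saslauthd_paths(confs)
        listener.close()
        return {os.path.basename(k): v for k, v in result.items()}


if __name__ == "__main__":
    for name, notes in demo().items():
        print(name, "->", notes or "ok")
```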




Periodic squat index corruption with IMP

2002-03-06 Thread Kevin M. Myer

Hi,

I'm having some trouble with cyrus.squat files (apparently) becoming corrupt. 
This has been especially, if not wholly isolated, to users who are using IMP
webmail to access email.  The symptoms are that a user can login to IMP but no
messages are visible.  Their INBOX may list either N to Nscreen of Ntotal
messages (where N to Nscreen is the message range you are viewing and Ntotal is
the total number of messages in the folder) or it may list 0 of 0 messages. 
If I delete the cyrus.squat file, then everything displays fine again.

All users are equally affected with no user exhibiting this symptom more than
another.  I get between 1-5 requests a week about this problem and we have
something like 1000 users or so on the server.

Server info:

Dell PowerEdge 4400, 1Gb RAM, RAID1 boot, RAID5 mailspool, dual 1Ghz Pentium III
kernel: Red Hat Linux 2.4.9-31smp
OS: Red Hat Linux 7.1 with latest updates (plus some pulls from 7.2 or Rawhide)
Berkeley DB: 3.2.9
Cyrus IMAP: 2.1.0pre (from CVS, mid October, 2001)
Cyrus SASL: 1.5.27 + LDAP patch
MTA: postfix

I don't see too many squatter changes committed to CVS from October, 2001 to the
present but of course one of the commits could fix this very bug.  I'm trying to
find out if anyone else has seen this and if so, if they resolved it.

One further note:  the only database errors that I ever see logged are like so:

Mar  5 15:39:02 oak lmtpd[21789]: DBERROR db3: 2 lockers
Mar  5 15:39:13 oak lmtpd[21789]: DBERROR db3: 3 lockers
Mar  5 15:39:13 oak lmtpd[21789]: DBERROR db3: 4 lockers
Mar  5 15:39:13 oak lmtpd[21789]: DBERROR db3: 3 lockers
Mar  5 15:39:14 oak lmtpd[21789]: DBERROR db3: 4 lockers
Mar  5 15:39:17 oak lmtpd[21789]: DBERROR db3: 2 lockers
Mar  5 15:45:51 oak lmtpd[21789]: DBERROR: error closing: DB_INCOMPLETE: Cache
flush was unable to complete
Mar  5 15:45:51 oak lmtpd[21789]: DBERROR: error closing deliverdb: cyrusdb error

Archives of this mailing list would seem to indicate that none of those warnings
are anything to worry about, unless they're nonstop.

For what it's worth, I will be upgrading to the latest 2.1.X release, once I get
time to test it and figure out how to go from SASL1 -> SASL2 and still keep
using LDAP for authentication.

Thanks,
Kevin




-- 
Kevin M. Myer
Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
(717)-560-6140



syslog/pop3 weird interaction

2001-10-31 Thread Kevin M. Myer

Hello,

I don't think the message I drafted about this yesterday made it to the list -
browser must have crashed before I got a chance to send it.

Here's the scoop:

Cyrus IMAP 2.1.0pre from CVS of several weeks ago
Cyrus SASL 1.5.27 with LDAP patch
Red Hat Linux 7.1 w/ all updates + some stuff from 7.2 beta

I changed my syslog configuration so that syslog didn't sync the log files for a
few entries (/var/log/maillog, /var/log/messages, etc.)

About a minute after I restarted syslog to make these changes go into effect, a
user walked in and said that she couldn't check her email.  Another minute and I
had a whole cadre of users telling me the same thing.  I wasn't sure why
restarting syslog would have any effect on this but it turns out it did.

When I telneted to port 110 on the mail server, the POP3 dialog went something
like this (not verbatim but close enough):

telnet mail 110
Connected to mail.
Escape character is '^]'.
+OK mail.iu13.org Cyrus POP3 v2.1.0pre server ready
user XXX
+OK Name is a valid mailbox
pass XXX
38 some syslog stuff about setting CRAM-MD5 38 some syslog stuff about
setting DIGEST-MD5 38 some syslog stuff about setting PLAIN
+OK Maildrop locked and ready

Now apparently what was happening is that what had been going to syslog was now
being echoed to the POP3 connection.  This had the effect of causing the POP3
connection to fail, since the OK came after the 38 garbage.  It's almost as if
the cyrus master process got its file descriptors mixed up.

A restart of the cyrus master process cleared this up but not before causing a
little panic.  I'd welcome any explanations as to why restarting a related but
unobtrusive process, like logging, caused this to happen.

Thanks,
Kevin

--
Kevin M. Myer
Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
(717) 560-6140




- End forwarded message -




SASL LDAP patch - way to specify multiple servers?

2001-10-24 Thread Kevin M. Myer

Hello,

I'm using the patch that allows LDAP authentication with the SASL libraries.  Is
there a way to specify multiple servers to bind to so that in the event that a
directory server becomes unavailable, a backup could be used?

Short of that, what are folks doing in terms of high-availability/redundancy for
LDAP?  I've thought through scenarios of using heartbeat to determine which
machines are up and updating DNS accordingly.  I also suppose you could do
something with a virtual IP address in a similar manner and actually get some
load balancing out of it too but haven't a clue where to start with that.

So what are you doing with LDAP to make sure its available all the time?

This also spills over into postfix for the same reasons:  if the main directory
server goes down, mail will start to bounce since my virtual maps are in LDAP.

Any thoughts or suggestions would be greatly appreciated.

Kevin

-- 
Kevin M. Myer
Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
(717) 560-6140







SNMP Howto for Cyrus?

2001-10-16 Thread Kevin M. Myer

Hello,

I would like to pull SNMP data out of my Cyrus IMAP server.  However,
there's a confusing array of snmp haze surrounding the source code.  Is
much of the code in the snmp directory deprecated?  Is tugowar still used?  
It looks deprecated to me since it depends on the older CMU AgentX
implementation.

The code for the cyrus master process looks like it has SNMP generation 
built in to it instead.  And when I do a trace of the master process, I 
see the master process trying to send OIDs to a socket, /tmp/.snmp_door, 
which doesn't exist.  Should Cyrus be creating that socket or should the 
UCD-SNMP daemon be creating it?  I can't find any code that would indicate 
that Cyrus should be creating this, except in tugowar.c, and since I can't 
compile that and since others at CMU have stated (I think) that the 
ucd-snmp implementation of AgentX is the one being used, I'm led to
believe that Cyrus isn't creating that socket.

So, how does one get SNMP data out of a Cyrus IMAP server? 

Thanks,
Kevin
-- 
Kevin M. Myer
Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
(717)-560-6140





Re: Vacation, sieve and DEFAULT_SENDMAIL path

2001-10-16 Thread Kevin M. Myer

On Wed, 10 Oct 2001, Ken Murchison wrote:
  
> > #define DEFAULT_SENDMAIL (/usr/lib/sendmail)
>
> If you were looking at this line of code, you should've seen that
> DEFAULT_SENDMAIL is the _fallback_ value for the sendmail config
> option (line 429).  From imapd.conf(5):
>
> sendmail: /usr/lib/sendmail
>      The pathname of the sendmail executable.  Sieve uses
>      sendmail for sending rejections, redirects and vacation
>      responses.

Ugh, my bad.  I totally missed that config option.  Familiarity with 
skimming man pages evidently breeds contempt for the actual content of the 
man pages after awhile :) 

Kevin
-- 
Kevin M. Myer
Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
(717)-560-6140




Hacking cyrus-sasl to support realms w/ LDAP authentication

2001-10-10 Thread Kevin M. Myer

Awhile back, I seem to recall someone (Amos Gouaux I believe) commenting 
about one of the limitations of the LDAP patch to the SASL library was 
that it didn't support realms.  This is now becoming an issue for me, 
since I am supporting multiple domains and since there is the potential 
for userid collisions.  I am wondering if anyone has found a way to work
around this.  From what I can read in the source of the SASL code, it 
looks like the realm, if not specified, gets set to the hostname of the 
machine.

In reading through the archives, it appears there were a number of 
requests to add a configurable realm option to imapd.conf, which 
apparently have never amounted to anything (see the thread 
http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&searchterm=realm&msg=5575).
  
In looking through the Cyrus IMAPd code, it also appears that realm 
support is largely, if not wholly, dependent on kerberos.  I know that the 
whole concept of realms stems from its usage in a kerberos environment but 
I think it makes equal sense when dealing with hosting multiple domains 
and using a different authentication method.

So, where would be the proper place to address this?  Should the sasl-ldap 
patch be modified to set the realm based on which address was connected 
to?  Or should imapd.conf be extended so that it supports a sasl_realm 
option?  Or doesn't this make sense at all in a non-kerberos environment?

Thanks,
Kevin

-- 
Kevin M. Myer
Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
(717)-560-6140






Vacation, sieve and DEFAULT_SENDMAIL path

2001-10-10 Thread Kevin M. Myer

Hello,

This is mainly for archive purposes in case anyone else has the same 
problems I did and thinks to search the archives first.

I have spent quite a few hours trying to figure out why my sieve vacation 
scripts were not working with postfix.  I upgraded my Berkeley DB 
libraries from 3.1.17 to 3.2.9.  I straced all manner of processes.  And I 
finally found out the problem.  The relevant error log that showed 
up was:

421 4.3.0 lmtpd: couldn't exec

There's a little bit of code in both imap/lmtpd.c and imap/lmtpdproxy.c
that is very sendmail-centric.  In particular, line 426 of the 2.1pre CVS
states:

#define DEFAULT_SENDMAIL (/usr/lib/sendmail)

That's all well and good if you're using sendmail but my postfix install,
while symlinking /usr/sbin/sendmail to postfix didn't symlink 
/usr/lib/sendmail to postfix.  Hence, sendmail was never getting executed 
and the vacation reply was never being generated.  I didn't find this 
information listed anywhere in any of the sieve documentation or any of 
the Cyrus IMAP documentation.

As soon as I made the symlink, and sent a message, I got a response, 
although I'm not sure if the message I received back had the proper 
headers.  One header read:

From SIZE Wed, 10 Oct 2001 11:57:19 -0700

Seems odd to me - maybe that's a figment of the fact that postfix doesn't
quite emulate sendmail 100%.  I can't believe that I'm the first person to 
encounter this problem but if I am, then hopefully this little email will 
help others resolve it more quickly.

Kevin

-- 
Kevin M. Myer
Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
(717)-560-6140
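
The lookup described in Ken Murchison's reply above (the sendmail option in imapd.conf, with DEFAULT_SENDMAIL as the fallback) combined with the missing-symlink failure from this post, as an added example that is not Cyrus code: it resolves which path would be used and reports whether it can be executed, so the "couldn't exec" case shows up before a vacation reply is lost. The temporary file layout and the name sendmail.postfix in demo() are constructed.

```python
import os
import tempfile

DEFAULT_SENDMAIL = "/usr/lib/sendmail"  # compiled-in fallback named in the thread


def sendmail_option(conf_path):
    """Return the value of the 'sendmail' option in an imapd.conf, or None."""
    with open(conf_path) as fh:
        for line in fh:
            key, sep, value = line.partition(":")
            if sep and key.strip() == "sendmail":
                return value.strip()
    return None


def exec_status(path):
    """Classify a path by whether it could be executed."""
    if os.path.islink(path) and not os.path.exists(path):
        return "dangling symlink to " + os.readlink(path)
    if not os.path.exists(path):
        return "missing"
    if not os.path.isfile(path) or not os.access(path, os.X_OK):
        return "not executable"
    return "ok"


def sendmail_preflight(conf_path):
    """Report the sendmail path a given imapd.conf leads to and its status."""
    configured = sendmail_option(conf_path)
    path = configured or DEFAULT_SENDMAIL
    return {
        "path": path,
        "source": "imapd.conf" if configured else "compiled-in fallback",
        "resolved": os.path.realpath(path),
        "status": exec_status(path),
    }


def demo():
    """Constructed layout: a postfix-style symlink, a dangling link, a plain file."""
    with tempfile.TemporaryDirectory() as tmp:
        sbin = os.path.join(tmp, "sbin")
        lib = os.path.join(tmp, "lib")
        os.mkdir(sbin)
        os.mkdir(lib)
        real = os.path.join(sbin, "sendmail.postfix")
        with open(real, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(real, 0o755)
        os.symlink(real, os.path.join(sbin, "sendmail"))          # works
        os.symlink(os.path.join(lib, "gone"), os.path.join(lib, "sendmail"))  # dangling
        plain = os.path.join(lib, "notes.txt")
        with open(plain, "w") as fh:
            fh.write("not a program\n")
        os.chmod(plain, 0o644)
        cases = {
            "symlinked": "sendmail: %s\n" % os.path.join(sbin, "sendmail"),
            "dangling": "sendmail: %s\n" % os.path.join(lib, "sendmail"),
            "plainfile": "sendmail: %s\n" % plain,
            "unset": "# no sendmail option, so the fallback applies\n",
        }
        results = {}
        for name, text in cases.items():
            conf = os.path.join(tmp, name + ".conf")
            with open(conf, "w") as fh:
                fh.write(text)
            results[name] = sendmail_preflight(conf)
        return results


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info["source"], info["path"], "->", info["status"])
```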





Re: Many Cyrii, many IPs, RH7.1

2001-10-08 Thread Kevin M. Myer

Jenn,

It can be done and it's not too difficult.  No patches are needed to the
cyrus-imapd code base.  The only patch I had to make to my setup was to 
cyrus-sasl and that was to add LDAP as an authentication source.  I had 
only one problem when compiling for Red Hat 7.1 and that was with library 
dependencies between ucd-snmp and rpm packages.  I fixed that with a small 
patch to the configure script.  What problems are you having? (And if you 
detest using RPMs, why are you using Red Hat ? ;)

The HOWTO that was posted by John Amodeo, which I think you are referring
to, is fairly complete.  The difference between his setup and mine is I
use lmtp for final delivery and he was using the cyrus deliver agent
(although I think he's since switched to lmtp).  Also, I'm doing Postfix a
little bit differently.  Instead of running multiple copies of postfix,
I'm just running one copy and hence one queue, and using postfix's virtual
domain support.  I have one LDAP alias map for each domain and haven't
uncovered any problems yet.  The only downside is all my mail appears to
come from the same machine but I'm just going to name an interface relay
and use that.  I wish I knew a way to have postfix use a specified
interface for outbound mail, based on which domain it was coming from.  
Anyone running postfix know how to do this?

Kevin

-- 
Kevin M. Myer
Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
(717)-560-6140




Re: Many domains, one Cyrus

2001-10-08 Thread Kevin M. Myer

On Thu, 4 Oct 2001, Michael Fair wrote:

> You cannot, at this time, have multiple domains and one Cyrus
> in the way you want it.  There's nothing more to say.  Given
> the current constraints it cannot be done.  You must go to a
> multiple Cyrus solution unless you are willing to change
> login identifiers.
>
> To accomplish this using only one machine and without changing
> login IDs you must use 1 IP address per domain and run multiple
> master processes.

That's not entirely true, assuming you have multiple ip addresses to use.
You do need to use 1 IP address per domain but you only need to run one
master process.  Using the -C (altconfig) option and having each
imapd/pop3/whatever process only bind to that 1 ip address, you can then
specify different authentication sources for different domains.  As a
result, you end up with multiple separate authentication realms and the
desired result of having identical userids for different domains.  No
need to modify userids or anything else.  No modifications necessary to
the source either.

Now if you don't have IP addresses to burn, this could be a problem...  
And you can't do virtual-hosting ala HTTP 1.1 but that's more a limitation
of the IMAP4v1 spec than of Cyrus.

Kevin
-- 
Kevin M. Myer
Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
(717)-560-6140





Re: Changing filesystems, backup strategies

2001-09-19 Thread Kevin M. Myer

> If so, which filesystem is most appropriate? ext3 is very easy to implement,
> but I can't imagine that it could make that big of a difference in
> performance. Reiserfs, jfs, etc. I understand may also be options. I would
> like to hear the consensus best fs for cyrus from the list, please.

Along those lines, I'd like to hear any success stories that folks have
had with Reiserfs.  My one experience with it on my workstation so far has
been bad but that was over half a year ago and I'm happily running ext3 on
my workstation now so I've had no cause to try it.  I haven't tried reiser 
on any of our servers yet but am thinking about it for services that might 
be able to take advantage of it.

Thanks,

Kevin



-- 
Kevin M. Myer
Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
(717)-560-6140




Re: Compilation fails under Red Hat 7.1 - libucdmibs.so undefined reference

2001-05-14 Thread Kevin M. Myer

On Mon, 14 May 2001, Devdas Bhagat wrote:

> On Sat, 12 May 2001, Hans Deragon spewed into the ether:
> > I cannot figure out what library provided the `smux_listen_sd' symbol.
> I think it's the SNMP libraries.
>
> Devdas Bhagat

It's in libucdmibs.so:

[myer@pegmatite myer]$ nm /usr/lib/libucdmibs.so | grep smux_listen_sd
 U smux_listen_sd

And as it shows, it's undefined.  I tried to track down why but could never
figure it out.  I suspect there's something funny going on when the
library is linked but I'm no library expert.  So I just recompiled the
ucd-snmp RPMS and disabled the smux MIB in the spec file.  That took care
of the compilation problem and hopefully, Cyrus doesn't require the smux
MIB.


-- 
Kevin M. Myer
Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
(717)-560-6140





Re: Virtual domains, SASL, PAM, LDAP

2001-04-12 Thread Kevin M. Myer

On Thu, 12 Apr 2001, John C. Amodeo wrote:

 A quick question...

 We downloaded the patches form Openldap.org, but looking at the source, there are no
 provisions to pass ldap_server or ldap_basedn.  Am I missing something here?  The
 code in the pwcheck_ldap.c suggests that you need to hard-code the ldap information
 in, then compile.

 We are using the latest CVS, with the -C config option, and patches found at
 http://www.surf.org.uk/patches/index.html

 Is this the correct patch to use?  Does anyone have any advice on how to get this
 going?  The e-mail below suggests it is pretty effortless, but all attempts we have
 made have failed.

 Thanks,
 -John

I have it running here, although I backed out the mysql stuff from the
surf patches.

In your /etc/imapd.conf, replace
sasl_pwcheck_method: PAM

with
sasl_pwcheck_method: ldap

and add:

sasl_ldap_server: your ldap server
sasl_ldap_basedn: your basedn

Then create a separate /etc/otherimapd.conf in which you have different
sasl_ldap_server and sasl_ldap_basedn configs.

Then in /etc/cyrus.conf, for each IP address you want to listen to,
create the following entries (replacing address# with the IP address,
although you needn't necessarily name your config files with IP
addresses - just use something meaningful, like maybe the hostname):

imap-address# cmd="imapd -C /etc/address#imap.conf" listen="address#:imap" prefork=0

pop3-address# cmd="pop3d -C /etc/address#imap.conf" listen="address#:pop3" prefork=0

I tested this with sendmail 11.2 and found that I also had to create
separate lmtp sockets for each address I wanted to receive mail for - I
simply generated two sendmail.cf files that only bound sendmail to a
particular IP address and I hard coded the lmtp socket into the
sendmail.mc file I used to generate the .cf file.

I have this working here - two IP addresses on the same box, with one imap
and pop3 process listening on each.

Both IP addresses use SASL for authentication and I can use multiple LDAP
servers and multiple basedns very nicely.  Mail is stored in separate
spools for each IP address and I can have identical uids for multiple
addresses (i.e. [EMAIL PROTECTED] and
[EMAIL PROTECTED] both work but are separate mail boxes).

Thanks much to Michael Clark for pointing out the sasl_ldap patches.  That
definitely allows me to use Cyrus the way I want to (although I'd much
prefer to specify multiple trees/servers in the pam_ldap config so that
_all_ services can take advantage of this, not just cyrus and sendmail).
Very cool.

The only problem I've run into is that I probably should generate a new
directory for sendmail's config files and databases for each instance of
sendmail I've run but I should easily be able to create a template
sendmail.mc and modify that for each instance.

Kevin

-- 
Kevin M. Myer
Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
(717)-560-6140








RFC: Virtual domains, SASL, PAM, LDAP

2001-04-04 Thread Kevin M. Myer

Hello,

I have been working on a mail server project that will need to potentially
serve many virtual domains.  One of the design requirements is that any
consolidation of existing mail servers to this one server be transparent
to the end user (with maybe the exception of a password change).  This
means that a) uid must be the same, b) server name must be the same and c)
email address must be the same.

To that end, I've tested the following:

Cyrus, latest CVS, sendmail 8.11.2, pam_ldap used with Netscape Directory
Server 4.12

With the latest CVS of cyrus, I'm using the -C alternate config file
option to cause the master process to bind an imapd process for each
domain we serve.  While this means we have to use at least one IP address
for each domain, it allows us to separate the domains nicely and keeps
users from one domain out of another domain.  It also means that the
design requirements b and c are potentially met.

Combined with an instance of sendmail bound to each IP address as well, I
think I have the SMTP, IMAP, and POP3 bases virtually covered (pun
intended).

The only remaining hurdle is authentication/user enumeration.  Since I'm
binding sendmail (or postfix - still haven't settled on one or the other),
I can specify a different LDAP map for each IP address I'm bound to which
will be much more efficient than just having sendmail search our entire
directory tree and which allows for duplicate uid's in separate domains.

But with Cyrus, I need to somehow pass information up the stack pertaining
to the IP address the request came from.  In turn, with a pam_ldap module
that is IP-address aware, I can switch directory trees based on IP-address
and I think my problem will be solved.

In other words, say I have two imap sockets listening: 172.0.0.1:143 and
172.0.0.2:143, both for different domains.  A request comes in on
172.20.0.1.  SASL would grab the IP address of the local end of the
connection and pass that to PAM, along with the user id and password.
Then, the pam_ldap module would first check its config file to see what
LDAP tree to use for that IP address, then do its search and return.
Currently, the config file for pam_ldap is /etc/ldap.conf and it has
directives like:

host hostname
base directory path
ldap_version version

What I would propose to do is add support to pam_ldap so that it would
support the following config syntax:

host[172.0.0.1] hostname of directory server
host[172.0.0.2] hostname of directory server - can be same or different
base[172.0.0.1] dc=domain1,dc=blah
base[172.0.0.2] dc=domain2,dc=blah

I dropped a note to [EMAIL PROTECTED] and Luke thought this might be doable but
he needed to think about it some more.  I think it would really extend
pam_ldap and nss_ldap and allow the mixing and matching of a bunch of
directories.

What do others think of this approach?  I'd appreciate any comments, good
or bad.

Thanks,
Kevin

-- 
Kevin M. Myer
Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
(717)-560-6140
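
Added example, not part of the original post and not pam_ldap code: a small
parser and lookup for the per-address host[...] / base[...] syntax proposed
above. The hostnames and the sample file are constructed, and the choice to
refuse a connection whose local address has no mapping, rather than fall back
to an unindexed host/base, is an assumption made here so that one domain's
listener can never search another domain's tree.

```python
import ipaddress
import re

# Constructed sample in the syntax proposed in the post (hypothetical syntax).
SAMPLE_CONF = """\
ldap_version 3
host[172.0.0.1] ldap1.example.org
host[172.0.0.2] ldap2.example.org
base[172.0.0.1] dc=domain1,dc=blah
base[172.0.0.2] dc=domain2,dc=blah
"""

_LINE = re.compile(r"^(\w+)(?:\[([^\]]+)\])?\s+(.+)$")
PER_ADDRESS_KEYS = ("host", "base")


def parse_conf(text):
    """Return (shared_directives, {local_ip: {key: value}})."""
    shared, per_addr = {}, {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"line {n}: cannot parse {raw!r}")
        key, addr, value = m.group(1), m.group(2), m.group(3).strip()
        if addr is None:
            shared[key] = value
            continue
        ip = str(ipaddress.ip_address(addr))  # rejects malformed addresses
        scoped = per_addr.setdefault(ip, {})
        if key in scoped:
            raise ValueError(f"line {n}: duplicate {key}[{ip}]")
        scoped[key] = value
    return shared, per_addr


def resolve(conf, local_ip):
    """Settings for a connection accepted on local_ip; fail closed if unmapped."""
    shared, per_addr = conf
    scoped = per_addr.get(str(ipaddress.ip_address(local_ip)))
    if scoped is None or any(k not in scoped for k in PER_ADDRESS_KEYS):
        raise LookupError(f"no complete host/base mapping for {local_ip}")
    # Unindexed host/base are never used as a fallback, so a request on one
    # domain's address cannot end up searching another domain's tree.
    merged = {k: v for k, v in shared.items() if k not in PER_ADDRESS_KEYS}
    return {**merged, **scoped}
```
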






Working virtual domain examples (IMAP and MTA)?

2001-03-15 Thread Kevin M. Myer

Hello,

In the past, I have seen several mentions of patches to Cyrus to allow it
to serve virtual domains.  Does anyone have a collection of these patches
available and further, what are the realistic chances of having something
like this rolled into the main release?

I have been struggling to get a commercial package working with our setup
and requirements (account info stored on LDAP server, need to serve virtual
domains) so I'm back to the drawing board with this.

Here's my wishlist:

1)  LDAP integration: password, aliases, forwarding, etc. should all be
retrieved from LDAP
2)  The ability of the IMAP/POP3/MTA daemons to do either name-based
virtual hosting or the ability to listen to multiple IP addresses and then
based on which address the request comes from, a corresponding tree is
used for authentication, etc.  In other words, if a request comes in on
address 1, it looks up the user under the LDAP tree dc=domain1,dc=com, if
address 2, it looks up the user under the LDAP tree dc=domain2,dc=com.  If
the daemons are name-based virtual hosting aware, it picks the directory
tree based on the name.
3)  Scalability (not just in terms of running well on a single machine
but also the ability to somewhat effortlessly run a cluster of machines)
4)  Preferably the need to _NOT_ create local user accounts (like Cyrus
already supports)

Conceptually, I could see this running several ways.  Run a virtual domain
IMAP/POP3 daemon (i.e. patched Cyrus).  Then run a MTA that listens to
multiple addresses but distinguishes between requests on them (so that
[EMAIL PROTECTED] can't check [EMAIL PROTECTED]'s mail).  Or run
multiple copies of a MTA, with each copy of the MTA having a separate
config file and bound to only one interface.

If you have something running similar to this, I'd love to hear from you.
I'd prefer to use Cyrus for IMAP/POP3 since I've had good success with it
in the past.  For the MTA, I have used sendmail in the past, because it
worked well and I was familiar with it but I'm open to postfix or (maybe)
qmail or some-yet-to-be-determined-MTA-that-I'm-unaware-of.

Thanks,

Kevin

-- 
Kevin M. Myer
Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
(717)-560-6140