Re: Cyrus IMAP 'CAPABILITIES' and 'AUTH=PLAIN'

2018-11-01 Thread Marty Lee


> 
> I would guess you are missing libsasl2 modules for authentication, which
> your OS probably has packaged in a separate package. You can use
> pluginviewer/saslpluginviewer to view existing plugins. 

Awesome - was looking in entirely the wrong location (assumed it was a
Cyrus thing) and never even contemplated it might be a SASL thing;
especially as users could authenticate against it, even without the
CAPABILITY being shown.

Accounts now syncing, so hopefully we can get this system out of service
by tomorrow…

Thanks again…

marty


Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus

Cyrus IMAP 'CAPABILITIES' and 'AUTH=PLAIN'

2018-11-01 Thread Marty Lee
Forgive me asking this question, we’ve just had a server disk that’s starting
to die in a remote location, and I’m frantically trying to clone some IMAP
users onto another server - along with a number of other things.

Despite imapd.conf having 'allowplaintext:  yes’ (it’s an internal server)
when logging in, ‘AUTH=LOGIN’ isn’t advertised, yet it works if I manually
try to login. ‘imapsync’ is complaining as it can’t see the LOGIN capability.

I’m about to start looking at the code, but if anyone can let me know if a
setting needs changed, that would be great - clearly, I’ve got a number of
things to try to get off this server ASAP, so any advice would be greatly
appreciated.

Server version is 3.0.4:

[root@imapserver /opt/local/etc/cyrus]# nc localhost 143
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE] imapserver Cyrus IMAP 3.0.4 
server ready
0 CAPABILITY
* CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA 
MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN 
MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SEARCH=FUZZY SORT SORT=MODSEQ 
SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES THREAD=REFS 
ANNOTATEMORE ANNOTATE-EXPERIMENT-1 METADATA LIST-EXTENDED LIST-STATUS 
LIST-MYRIGHTS LIST-METADATA WITHIN QRESYNC SCAN XLIST XMOVE MOVE SPECIAL-USE 
CREATE-SPECIAL-USE DIGEST=SHA1 X-REPLICATION URLAUTH URLAUTH=BINARY 
COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE 
X-QUOTA=X-NUM-FOLDERS IDLE

Many regards

Marty
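
Under RFC 3501 the two things in this message are advertised separately: `AUTH=<mech>` atoms list the SASL mechanisms usable with AUTHENTICATE, while the plain LOGIN command stays available unless `LOGINDISABLED` is present. The following is an added example (not part of the original post, and not Cyrus or imapsync code) that audits a capability line on that basis; the function names and the second sample line are constructed for illustration.

```python
import re

# Capability line copied from the nc session in the message above (Cyrus 3.0.4).
PAGE_CAPABILITY = (
    "* CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA "
    "MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN "
    "MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SEARCH=FUZZY SORT SORT=MODSEQ "
    "SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES THREAD=REFS "
    "ANNOTATEMORE ANNOTATE-EXPERIMENT-1 METADATA LIST-EXTENDED LIST-STATUS "
    "LIST-MYRIGHTS LIST-METADATA WITHIN QRESYNC SCAN XLIST XMOVE MOVE SPECIAL-USE "
    "CREATE-SPECIAL-USE DIGEST=SHA1 X-REPLICATION URLAUTH URLAUTH=BINARY "
    "COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE "
    "X-QUOTA=X-NUM-FOLDERS IDLE"
)

# Constructed for contrast: SASL plugins loaded, cleartext LOGIN refused
# until STARTTLS has been negotiated.
CONSTRUCTED_CAPABILITY = (
    "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=SCRAM-SHA-256 "
    "AUTH=GSSAPI] example.test ready"
)

# Accepts "* CAPABILITY ..." and the greeting form "* OK [CAPABILITY ...] text".
_CAP_RE = re.compile(
    r"^\*\s+(?:CAPABILITY\s+(?P<plain>.+)"
    r"|(?:OK|PREAUTH)\s+\[CAPABILITY\s+(?P<code>[^\]]+)\])",
    re.IGNORECASE,
)


def parse_capabilities(line):
    """Return the upper-cased capability atoms from one untagged response."""
    m = _CAP_RE.match(line.strip())
    if not m:
        raise ValueError("not a CAPABILITY response: %r" % line[:40])
    return [atom.upper() for atom in (m.group("plain") or m.group("code")).split()]


def auth_summary(caps):
    """Split the authentication-related atoms out of a capability list."""
    return {
        "sasl_mechanisms": [c[5:] for c in caps if c.startswith("AUTH=")],
        "login_command_allowed": "LOGINDISABLED" not in caps,
        "starttls_offered": "STARTTLS" in caps,
    }


def findings(summary, tls_active=False):
    """Turn a summary into the notes an administrator would act on."""
    notes = []
    if not summary["sasl_mechanisms"]:
        notes.append(
            "no AUTH= mechanisms advertised: AUTHENTICATE is unusable, so "
            "check which SASL plugins the server can actually load"
        )
    if summary["login_command_allowed"] and not tls_active:
        notes.append(
            "LOGIN is accepted on this connection without TLS: the password "
            "crosses the network in cleartext"
        )
    if (not summary["login_command_allowed"]
            and not summary["starttls_offered"] and not tls_active):
        notes.append("LOGIN is disabled and STARTTLS is not offered: "
                     "no password-based path is available on this port")
    return notes


if __name__ == "__main__":
    for label, line in (("page", PAGE_CAPABILITY),
                        ("constructed", CONSTRUCTED_CAPABILITY)):
        summary = auth_summary(parse_capabilities(line))
        print(label, summary)
        for note in findings(summary):
            print("  -", note)
```
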



Re: Upgrading Cyrus from 2.3.16, going to 2.5.11 or 3.0.2 ?

2017-06-28 Thread Marty Lee

Eric,

I know 3.0 compiles on Solaris 10 & 11; I think the only bit that
didn’t work was the http section to provide caldav/carddav, as the
implementation seems to depend on linux’isms. I got it compiled 
without the calendar and address book functionality (although
that was a couple of months ago and I haven’t done any more with
it as yet).

marty


> On 28 Jun 2017, at 13:39, Eric Luyten  wrote:
> 
> Hi,
> 
> 
> Our environment is Solaris 10 / Intel.
> 
> Are there good reasons to stay away from 3.0 ?
> 
> 
> We have a pretty impressive user count and mail spool volume
> 
> but not a lot of complexity (no murder nor replication, no domains,
> 
> and few, if any, access control extravaganza).
> 
> 
> Thank you in advance for your feedback,
> 
> Eric Luyten, Computing Centre VUB/ULB.
> 
> 
> 



Re: cyrus 2.4.17 TLS woes

2015-01-15 Thread Marty Lee

 On 15 Jan 2015, at 12:34, Patrick Goetz pgo...@mail.utexas.edu wrote:
 
 Does anyone have a secure, functional cipher list entry they'd like to
 share?

I’m using the following on 2.4.17-caldav-b10

tls_cipher_list:TLSv1+HIGH:!aNull:@STRENGTH

Functional yes; I won’t make any promises about secure, as I’m
sure someone more enlightened would correct me!

cheers

-
Marty Lee           e: ma...@maui-systems.co.uk
Technical Director  v: +44 845 869 2661
Maui Systems Ltd    f: +44 871 433 8922
Scotland, UK        w: http://www.maui-systems.co.uk




Re: cyrus-imapd-2.4.17-caldav-beta9 released

2013-12-17 Thread Marty Lee
Ken,

the workaround in beta 9 for MacOSX Mavericks works fine - I can now delete
items from calendars :-)

Thanks for getting this in - saves me applying the patch myself..

cheers

marty

On 17 Dec 2013, at 14:18, Ken Murchison mu...@andrew.cmu.edu wrote:

 We are pleased to announce the ninth beta release of Cyrus IMAP with 
 integrated calendaring and contacts.  This is a bugfix release with the 
 following changes:
 
 - Fixed bug in parsing of Accept header (now accepts */* and type/*)
 - Fixed telemetry logging bug (old garbage appearing in log)
 - Added a workaround for the DELETE bug in MacOS X 10.9.0 Calendar
   client
 
 The complete list of changes can be found in doc/changes.html in the 
 distribution.
 
 
 This code is based on the stable Cyrus 2.4.17 release with support for 
 HTTP-based services (CalDAV, CardDAV, RSS, and Timezone) added.  All of 
 the standard Cyrus IMAP daemons and utilities should be considered 
 production quality in this release, but the HTTP support is in beta status.
 
 You can download via HTTP or FTP:
 
 http://cyrusimap.org/releases/cyrus-imapd-2.4.17-caldav-beta9.tar.gz
 ftp://ftp.cyrusimap.org/cyrus-imapd/cyrus-imapd-2.4.17-caldav-beta9.tar.gz
 
 Installation documentation will be found in doc/install-http.html in the 
 distribution.
 
 Upgrade documentation will be found in doc/install-upgrade.html in the 
 distribution.
 
 Thanks for your continued support, and we look forward to any and all 
 feedback.
 
 -- 
 Kenneth Murchison
 Principal Systems Software Engineer
 Carnegie Mellon University
 
 

-
Marty Lee           e: ma...@maui-systems.co.uk
Technical Director  v: +44 845 869 2661
Maui Systems Ltd    f: +44 871 433 8922
Scotland, UK        w: http://www.maui-systems.co.uk




Re: Cyrus IMAP / CalDAV

2013-12-16 Thread Marty Lee
Thanks for all the hard work to get the actual answer Ken; I’ll apply the patch
to my local server for me to test (only 2 of us using the calendar stuff at the
moment) and wait with bated breath for an apple update :-)

If you get wind of apple fixing things, let me know - if I spot it at this end,
I’ll send something out too.

Cheers

marty



On 16 Dec 2013, at 19:09, Ken Murchison mu...@andrew.cmu.edu wrote:

 I confirmed that the DELETE problem is indeed a bug in the Apple client, and 
 that Apple is aware of it. I'm somewhat reluctant to include a fix in 
 Cyrus for a bug in a client that will hopefully get fixed sooner rather than 
 later. The patch below will work around the problem by making the faulty 
 conditional DELETE a non-conditional one.  But, by doing so we may delete a 
 resource that has been changed by another user/client/session.  Given that we 
 really don't support shared calendars at the moment, this probably isn't a 
 big deal but I don't really want to create potentially bigger problems moving 
 forward.
 
 The real fix is Apple correcting their client to use an If-Match header 
 rather than If-Schedule-Tag-Match header if the resource doesn't have a 
 Schedule-Tag and/or isn't a scheduling object.
 
 
 On 12/14/2013 01:02 PM, Ken Murchison wrote:
 I just committed a fix to git for the 406 response to GET.  I will make
 a beta9 release with this fix, and hopefully with a fix for the DELETE
 issue by early next week.
 
 I have an email into one of the CalDAV experts that I know at Apple to
 see what CalendarServer does with the empty If-Schedule-Tag-Match
 header.  I think it's a bug in the Apple client, but I will have to come
 up with a sane workaround for it. In the meantime, this uncommitted
 patch should fix your problem with DELETE:
 
 
 diff --git a/imap/http_caldav.c b/imap/http_caldav.c
 index c00223f..641feb8 100644
 --- a/imap/http_caldav.c
 +++ b/imap/http_caldav.c
 @@ -695,6 +695,7 @@ static int caldav_check_precond(struct transaction_t
 *txn, const void *data,
 
   /* Per RFC 6638, check Schedule-Tag */
   if ((hdr = spool_getheader(txn-req_hdrs, If-Schedule-Tag-Match))) {
 +if (!*hdr[0]) return precond;  /* XXX  Hack for bug in Apple client */
   if (etagcmp(hdr[0], stag)) return HTTP_PRECOND_FAILED;
   }
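
Review bot: the added early return, "if (!*hdr[0]) return precond;", is not scoped to the case it is meant to cover. It fires for every request that reaches caldav_check_precond with an empty If-Schedule-Tag-Match, whatever the method or client, and it skips both the etagcmp against stag and anything that follows in the function. As the covering message notes, that turns a conditional request into an unconditional one, so a resource changed by another session can be removed or overwritten without a 412. Suggest limiting the bypass to DELETE requests (or to resources that have no Schedule-Tag), falling through to the remaining checks instead of returning, and expanding the XXX comment to name the affected client release and the condition under which the hack can be removed.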
 
 
 
 
 On 12/14/2013 09:39 AM, Marty Lee wrote:
 No worries.. I'm about to get back onto another train so will back out b8.. 
 Only me using it in earnest, so if you need anything else tested before 
 pushing out, just send me a link.
 
 Marty Lee
 v: 07827 950 918
 
 On 14 Dec 2013, at 14:26, Ken Murchison mu...@andrew.cmu.edu wrote:
 
 Hi Marty,
 
 Thanks for the info.  The 406 is in response to the GET, caused by a bug I 
 introduced when I added support for jCal and xCal data.  I can't believe 
 that this didn't present itself in my testing.  I will need to fix this 
 immediately.  You probably want to downgrade to beta7 in the meantime.
 
 I *think* the problem with DELETE is that iCal is sending an empty 
 If-Schedule-Tag-Match header.  I will need to test this here and possibly 
 talk to the Apple guys to find out why they are sending an empty header, 
 and what they expect the behavior to be.
 
 
 On 12/14/2013 03:09 AM, Marty Lee wrote:
 Ken,
 
 I haven’t but have just taken the opportunity to update to Beta 8 and 
 also to refresh Sqlite, which
 seems to be the source of the error message…
 
 Using cyrus beta 7, the iCal client would delete the event, but when it 
 updated with the server, the
 event would magically just re-appear. With b8, this has changed; now I 
 get a dialog box:
 
 --
 The request for “Marty” in account “Maui” failed.
 
 The server responded with
 “406” to operation CalDAVDeleteEntityQueueableOperation.
 -
 

Re: Cyrus IMAP / CalDAV

2013-12-14 Thread Marty Lee
Ken,

I haven’t but have just taken the opportunity to update to Beta 8 and also to
refresh Sqlite, which seems to be the source of the error message…

Using cyrus beta 7, the iCal client would delete the event, but when it updated
with the server, the event would magically just re-appear. With b8, this has
changed; now I get a dialog box:

--
The request for “Marty” in account “Maui” failed.

The server responded with
“406” to operation CalDAVDeleteEntityQueueableOperation.
-

Telemetry log:

1387007669DELETE 
/dav/calendars/user/marty/Default/0C48ECD9-44A7-4F1F-9C87-9A2EF647C574.ics 
HTTP/1.1
Accept-encoding: gzip, deflate
Max-forwards: 10
Accept-language: en-gb
User-agent: Mac_OS_X/10.9 (13A603) CalendarAgent/174
Host: 192.168.253.16:1443
Accept: */*
Content-length: 0
X-forwarded-server: dav.maui.co.uk
If-schedule-tag-match: 
X-forwarded-for: 176.12.107.140
Authorization: Basic ... 
X-forwarded-host: cal.maui.co.uk

BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Apple Inc.//Mac OS X 10.9//EN
CALSCALE:GREGORIAN
BEGIN:VTIMEZONE
TZID:Europe/London
BEGIN:DAYLIGHT
TZOFFSETFROM:+
RRULE:FREQ=YEARLY;BYMONTH=3;BYDAY=-1SU
DTSTART:19810329T01
TZNAME:BST
TZOFFSETTO:+0100
END:DAYLIGHT
BEGIN:STANDARD
TZOFFSETFROM:+0100
RRULE:FREQ=YEARLY;BYMONTH=10;BYDAY=-1SU
DTSTART:19961027T02
TZNAME:GMT
TZOFFSETTO:+
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
CREATED:1387007670GET 
/dav/calendars/user/marty/Default/0C48ECD9-44A7-4F1F-9C87-9A2EF647C574.ics 
HTTP/1.1
Accept-encoding: gzip, deflate
Max-forwards: 10
Accept-language: en-gb
User-agent: Mac_OS_X/10.9 (13A603) CalendarAgent/174
Host: 192.168.253.16:1443
Accept: */*
Content-length: 0
X-forwarded-server: dav.maui.co.uk
X-forwarded-for: 176.12.107.140
Authorization: Basic ... 
X-forwarded-host: cal.maui.co.uk

BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Apple Inc.//Mac OS X 10.9//EN
CALSCALE:GREGORIAN
BEGIN:VTIMEZONE
TZID:Europe/London
BEGIN:DAYLIGHT
TZOFFSETFROM:+
RRULE:FREQ=YEARLY;BYMONTH=3;BYDAY=-1SU
DTSTART:19810329T01
TZNAME:BST
TZOFFSETTO:+0100
END:DAYLIGHT
BEGIN:STANDARD
TZOFFSETFROM:+0100
RRULE:FREQ=YEARLY;BYMONTH=10;BYDAY=-1SU
DTSTART:19961027T02
TZNAME:GMT
TZOFFSETTO:+
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
CREATED:20131214T075350Z
UID:0C48ECD9-44A7-4F1F-9C87-9A2EF647C574
DTEND;TZID=Europe/London:20131207T10
TRANSP:OPAQUE
SUMMARY:Change Event Name
DTSTART;TZID=Europe/London:20131207T09
DTSTAMP:20131214T075411Z
SEQUENCE:3
END:VEVENT
END:VCALENDAR
1387007670HTTP/1.1 406 Not Acceptable
Date: Sat, 14 Dec 2013 07:54:30 GMT
Strict-Transport-Security: max-age=600
Vary: Accept-Encoding
Server: Cyrus/v2.4.17-caldav-beta8 Cyrus-SASL/2.1.23 OpenSSL/0.9.8 zlib/1.2.3 
libxml2/2.6.29 SQLite/3.8.2 libical/0.48
Content-Length: 0


I’ll keep looking; I can create and edit events, just not delete them…

marty


On 12 Dec 2013, at 17:30, Ken Murchison mu...@andrew.cmu.edu wrote:

 Hi Marty,
 
 Did you find anything related to this?  I don't have Mavericks yet, but maybe 
 a telemetry log of the client trying to delete an entry would point me in the 
 right direction.
 
 Worst case, I will be with the Apple client developers in early February and 
 can test then.
 
 
 
 On 10/24/2013 07:22 AM, Marty Lee wrote:
 Good afternoon (local time for me!)
 
 Updated my Mac to Mavericks this morning and am now getting the following 
 error from
 the CalDAV part of Cyrus when I try to delete an entry.
 
 dav_exec() step: cannot start a transaction within a transaction
 
 Creation & modification works fine, but iCal on the mac now can’t delete 
 items. I can work
 around this by using a web interface to my calendars, but I just thought I’d 
 mention it here
 that Apple have changed something in iCal with the new version of OS-X.
 
 If I get a chance this weekend, I’ll have a look at the source code and see 
 if I can do
 anything to help.
 
 cheers
 
 marty
 
 
 
 
 
 -- 
 Kenneth Murchison
 Principal Systems Software Engineer
 Carnegie Mellon University
 

-
Marty Lee           e: ma...@maui-systems.co.uk
Technical Director  v: +44 845 869 2661
Maui Systems Ltd    f: +44 871 433 8922
Scotland, UK        w: http://www.maui-systems.co.uk




Cyrus IMAP / CalDAV

2013-10-24 Thread Marty Lee
Good afternoon (local time for me!)

Updated my Mac to Mavericks this morning and am now getting the following error
from the CalDAV part of Cyrus when I try to delete an entry.

dav_exec() step: cannot start a transaction within a transaction

Creation & modification works fine, but iCal on the mac now can’t delete items.
I can work around this by using a web interface to my calendars, but I just
thought I’d mention it here that Apple have changed something in iCal with the
new version of OS-X.

If I get a chance this weekend, I’ll have a look at the source code and see if
I can do anything to help.

cheers

marty




-
Marty Lee           e: ma...@maui-systems.co.uk
Technical Director  v: +44 845 869 2661
Maui Systems Ltd    f: +44 871 433 8922
Scotland, UK        w: http://www.maui-systems.co.uk




Cyrus+CalDAV

2013-07-17 Thread Marty Lee

Hi,

I've been playing with the latest Cyrus beta which includes the CalDAV & CardDAV
additions - from a personal perspective, almost all seems ok.

Server is a Solaris 10 (x86) box; clients are mainly Mac OSX (Mountain Lion) and
some PCs (Thunderbird/Lightning).

One question that Ken or someone may already know and one issue that I need to
track down further.

The question first: I've got two users that have permission to read each other's
Default calendar (lr9) - but I'm guessing that the list of calendars returned to
the Mac calendar app only includes calendars for the actual user, not shared
ones, as the shared calendars can't be seen… does this sound right, or should I
be able to see the shared calendars (or need to do something to make it work)?

I've also seen similar with the CardDAV interface - I use a DAV client to pull
down all my contacts and put them into a local LDAP server for address book
lookups for a number of other apps. This works if I use my username+password,
but not if I use a different account with permissions to read my Default
address book (lr).

The issue I've seen revolves around adding pictures to vCards - some existing
cards have pictures (copied from existing Mac address book), but changing
pictures or adding new cards with photos seems to cause problems - I suspect
it's 'segfaulting' the server process, but I'm not 100% certain of that yet, so
I won't log a bug just yet…


Anyone else tried any of these scenarios and able to say whether they've had
success or not - maybe I'm just too bleeding edge and dive into the code myself
(which I'll do anyway, I just don't want to spend time doing something someone
has already worked out!).

Cheers

Marty





Re: Recently-APPENDed messages not showing up as RECENT responses after NOOP

2006-09-04 Thread John J Lee

On Mon, 4 Sep 2006, Kjetil Torgrim Homme wrote:

> On Sat, 2006-09-02 at 15:48 +, John J Lee wrote:
>> The problem occurs when SpamBayes (specifically, sb_imapfilter.py) tries
>> to add an X-Spambayes-Classification header to emails it has classified,
>> in order to record whether it thought the mail was spam or not.  It does
>> that by creating a new message with the added header, then deleting the
>> old message (if there's a better way, I'd be grateful to learn about it).
>
> oh yes, please use flags!  Cyrus supports arbitrarily chosen flags by
> clients, see PERMANENTFLAGS.  (of course, other IMAP servers aren't as
> advanced, so you may want to keep this wasteful APPEND/STORE/EXPUNGE
> hack around for those.)

Aha!  Thanks.  If anybody has any pointers to sample client code, I'd be
grateful.

Still, the old-style SpamBayes code should also be fixed for
non-flags-capable servers -- see below re Courier (and it'll take me a
while to get around to attempting to implement the flags-based version).

>> As soon as SpamBayes creates the new message, it tries to find the new
>> message's UID.  To do that, it first looks for a RECENT response.  If it
>> doesn't have one in its buffer, it sends a NOOP command.
>
> you can't trust RECENT, if a different client is connected, your
> SpamBayes client may not be told about the message, since only one
> client will be notified.
>
>> If that doesn't
>> result in a RECENT response, it keeps polling, issuing NOOP commands up to
>> 100 times (it doesn't sleep() between each poll).  If that fails, it dies
>> horribly :-/
>
> this is really unnecessary.  when the APPEND is done, SpamBayes can
> simply do a SEARCH to find the message with the Message-ID and fetch its
> UID.

OK, I was mistaken about the reason it does this loop.  The loop is there
not to find the UID (the code does indeed do a SEARCH for that), but
rather to wait until the new message is available, prior to SEARCHing for
the UID.

Does that make more sense, or is there still a better way to do it?

>> 2. Does this reveal a bug in the Cyrus implementation?
>
> hard to tell.  is it the only client?

I don't understand your question.  Is SpamBayes the only client of Cyrus?
No.  Did you mean is Cyrus the only server that fails with this client
code?  Seems not: somebody reported Courier failing intermittently too.



John

Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
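
The two suggestions quoted in the reply above (record the verdict as a keyword when PERMANENTFLAGS allows it, and locate a message with a Message-ID SEARCH rather than waiting for RECENT), as an added example that is not SpamBayes or Cyrus code. The keyword names `$Junk`/`$NotJunk`, the function names and the `FakeIMAP` stand-in are assumptions made for this example; against a real server `conn` would be an `imaplib.IMAP4` object with a mailbox selected read-write.

```python
SPAM_KEYWORD = "$Junk"      # keyword names assumed for this example
HAM_KEYWORD = "$NotJunk"


def keywords_permitted(conn):
    """True if the selected mailbox accepts new client-defined keywords.

    imaplib keeps the [PERMANENTFLAGS (...)] code sent with SELECT; a
    literal \\* in that list means the client may create its own keywords.
    """
    _, data = conn.response("PERMANENTFLAGS")
    listed = data[0] if data and data[0] else b""
    return b"\\*" in listed.strip(b"()").split()


def quote(text):
    """Quote a string for use as an IMAP quoted-string argument."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def find_uid(conn, message_id):
    """UID SEARCH by Message-ID; returns the highest matching UID or None."""
    typ, data = conn.uid("SEARCH", "HEADER", "Message-ID", quote(message_id))
    if typ != "OK" or not data or not data[0]:
        return None
    return max(int(u) for u in data[0].split())


def record_verdict(conn, message_id, is_spam):
    """Tag the message in place, or tell the caller to fall back to APPEND."""
    uid = find_uid(conn, message_id)
    if uid is None:
        return ("not-found", None)
    if not keywords_permitted(conn):
        # Server will not keep custom keywords: caller keeps the
        # APPEND / STORE \Deleted / EXPUNGE path for this mailbox.
        return ("needs-append", uid)
    add, drop = ((SPAM_KEYWORD, HAM_KEYWORD) if is_spam
                 else (HAM_KEYWORD, SPAM_KEYWORD))
    conn.uid("STORE", str(uid), "-FLAGS.SILENT", "(%s)" % drop)
    typ, _ = conn.uid("STORE", str(uid), "+FLAGS.SILENT", "(%s)" % add)
    return ("keyword" if typ == "OK" else "store-failed", uid)


class FakeIMAP:
    """Constructed offline stand-in for the two imaplib.IMAP4 methods used."""

    def __init__(self, permanentflags, messages):
        self.permanentflags = permanentflags  # bytes, as imaplib stores them
        self.messages = messages              # uid -> {"message_id", "flags"}

    def response(self, code):
        return code, [self.permanentflags if code == "PERMANENTFLAGS" else None]

    def uid(self, command, *args):
        if command == "SEARCH":
            wanted = args[-1].strip('"')
            hits = [str(u) for u, m in sorted(self.messages.items())
                    if m["message_id"] == wanted]
            return "OK", [" ".join(hits).encode()]
        if command == "STORE":
            uid, op, names = int(args[0]), args[1], args[2].strip("()").split()
            flags = self.messages[uid]["flags"]
            if op.startswith("+"):
                flags.update(names)
            else:
                flags.difference_update(names)
            return "OK", [None]
        return "BAD", [None]


if __name__ == "__main__":
    # Constructed mailbox: one message previously marked as ham.
    box = FakeIMAP(b"(\\Answered \\Seen \\*)",
                   {41: {"message_id": "<a1@example.test>",
                         "flags": {HAM_KEYWORD}}})
    print(record_verdict(box, "<a1@example.test>", is_spam=True))
    print(box.messages[41]["flags"])
```
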


Recently-APPENDed messages not showing up as RECENT responses after NOOP

2006-09-02 Thread John J Lee

Hi

I'm trying to figure out why a Python spam-filtering program, SpamBayes, 
crashes for me when running in IMAP client spam-classification mode 
against a Cyrus IMAP server, version Cyrus v2.3.7-fmsvn9188 (the server 
is one of the mail.messagingengine.com ones from fastmail.fm).


I should say upfront that I imagine it may well be that the fault is with 
SpamBayes.  TBH, the reason I'm posting here is that a). it's clear the 
SpamBayes issue will only get fixed if I do it myself, and b). I've little 
doubt that any fix I come up with without the help of an IMAP guru would 
be a pure hack, a server resource hog and not work for other people.


The problem occurs when SpamBayes (specifically, sb_imapfilter.py) tries 
to add an X-Spambayes-Classification header to emails it has classified, 
in order to record whether it thought the mail was spam or not.  It does 
that by creating a new message with the added header, then deleting the 
old message (if there's a better way, I'd be grateful to learn about it). 
As soon as SpamBayes creates the new message, it tries to find the new 
message's UID.  To do that, it first looks for a RECENT response.  If it 
doesn't have one in its buffer, it sends a NOOP command.  If that doesn't 
result in a RECENT response, it keeps polling, issuing NOOP commands up to 
100 times (it doesn't sleep() between each poll).  If that fails, it dies 
horribly :-/


So, two questions:

1. Is the algorithm above a sane one?  Maybe I should ask instead is
   there a better one?

2. Does this reveal a bug in the Cyrus implementation?  If not, might it
   be a useful extension of Cyrus IMAP to support this kind of usage?


Thanks in advance for any help


John




Re: Recently-APPENDed messages not showing up as RECENT responses after NOOP

2006-09-02 Thread John J Lee

On Sat, 2 Sep 2006, John J Lee wrote:
[...]
> The problem occurs when SpamBayes (specifically, sb_imapfilter.py) tries to
> add an X-Spambayes-Classification header to emails it has classified, in
> order to record whether it thought the mail was spam or not.  It does that by

[...]

That's not quite right -- in fact, it adds a new message and deletes the
old one whenever it wants to move or modify a message, I think.  The
add/delete operation might involve moving the mail to another mailbox,
adding the spam classification header, adding a unique ID header for
SpamBayes' internal use, etc.



John




cyradm login problems

2005-10-01 Thread Lee Nau
I am using cyrus 2.1.18-1 with the imaps protocol. The sasl
authentication method is shadow. Whenever I issue the cyradm
command, specifically cyradm --user cyrus localhost --auth
login I am met with an IMAP password: prompt. The cyrus user's
system and sasldb password are the same, and entering it at this prompt
results in being returned to the shell with roughly two tabs of
whitespace before the prompt. If I issue the command cyradm
--user cyrus localhost (leaving off the auth method), I am
returned to the shell without any prompt for passwords. Any help
would be greatly appreciated.

-Lee


Mysql Based Database Storage

2005-05-05 Thread Lee
One of the biggest problems we see with cyrus is its lack of ability  
to do true high-availability, particularly in a scaleable manner. I  
know one option is to do murder with multiple sans, but this is far  
from true scaleability (one san can only be located in one place in  
the country, and only contains one copy of the data) and even further  
from true HA (the san is a single point of failure, perhaps  
replication to another san might be a solution, but its not at all  
cost effective).

Anyway, I was looking at mysql cluster in mysql 5.1 (plans) and it  
seems like this might be a true solution to virtually all the  
problems with running highly scaleable, high-availability cyrus  
installations.

Has anyone implemented, or at least thought of implementing a mysql  
based backend for mail and database storage for cyrus? How utterly  
complex an endeavor might it be? What might be the biggest  
foreseeable problems?

Best,
Lee


System I/O Error

2005-04-29 Thread Lee Hoffman
We had a kernel hang the other day and after a reboot and full fsck  
(ext3), two email accounts seem to not be able to receive mail any  
longer. The other accounts on the system are unaffected.

joe123 is one of the users. joe123 can login, but all mail sent to  
the account just sits in the local postfix queue. The error log shows:

Apr 29 11:18:56 [postfix/lmtp] D53ED17BC130: to=[EMAIL PROTECTED],  
relay=/export/cyrus/imap/socket/lmtp[/export/cyrus/imap/socket/lmtp],  
delay=333843, status=deferred (host /export/cyrus/imap/socket/lmtp[/ 
export/cyrus/imap/socket/lmtp] said: 451 4.3.0 System I/O error (in  
reply to RCPT TO command))
Apr 29 11:18:56 [lmtpunix] DBERROR: error fetching user.joe123:  
cyrusdb error

I tried running reconstruct -rf user/joe123, but it didn't solve the  
problem.

The error fetching user.joe123 is particularly odd since we use the  
/ separator not ..

Does anyone have any idea how to solve this problem?
Thanks,
Lee


Re: Hardware RAID Level Performance

2005-02-16 Thread Lee

1. Use 2.6.10+ ext3, with all hashing enabled
2. Use an external journal in a fast device (not the RAID5 array)
Cyrus 2.3 CVS code enables you to split indexes and cyrus db files 
into
their own partition. That's where most of the i/o activity is 
concentrated,
so you only need to optimize that partition. The mail spool that 
remains can
be raid5.
This is probably the best way to do it, especially if you have some
non-volatile solid-state disks around as it was suggested  in this list
sometime ago...
Do you have a particular suggestion for brand/model of device? It would 
obviously have to be redundant (or capable of being made redundant) and 
cost effectiveness would be critical.

Thanks,
L
Yes, ext3 does have its problems, depending on how many users and how 
big
mailboxes you have. I'd recommend reiserfs.
I've heard bad things about reiserfs' capabilities to withstand
corruption *and* to be repaired later. Something that I'd take into 
account
when choosing the FS for the big spools.  But maybe reiserfs has 
non-joke
repair utilities these days...

--
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh


Hardware RAID Level Performance

2005-02-15 Thread Lee
We're rebuilding our mail cluster using two servers clustered together 
with DRBD/heartbeat. We've run DRBD/heartbeat before, so I'm fairly 
comfortable with the performance implications of that.

What I'm wondering is, how the hardware raid level on the two poweredge 
2650s (aacraid perc3/di controller) using linux 2.6 kernel and EXT3 
will affect the performance of cyrus. In the past we've always used 
raid 10, believing that it offered a significant performance boost over 
raid 5 for write intensive apps like cyrus. Recently however i noticed 
that CMU is actually using RAID 5 on its arrays. Obviously being able 
to use RAID 5 would be terrific as it would give us significantly more 
storage for the buck.

What are the implication of raid 10 vs. raid 5 with cyrus? Are they 
significant? Does EXT3 play into the discussion?

Thanks,
Lee


Re: cyrus-IMAP cluster

2005-01-10 Thread Lee
We use drbd and heartbeat on the backend mail servers (active/passive, 
data is real time replicated from active-passive). Has worked very 
reliably for several years, however it is not the most clean solution. 
I've heard / read bad things about GFS based shared storage (cyrus wiki 
actually has a section on it).

Apple just released their Xsan product though, seems like it might be a 
good solution.

L
On Jan 10, 2005, at 8:09 PM, Chad A. Prey wrote:
I am wondering if any of you out there are running cyrus in a cluster?
If so, how did you do it? and how would you do it if you had to do it
all over again?
We are currently using cyrus with perdition which works fine, however,
ideally the situation would be that a user could connect to either IMAP
server though a load-balancer with the /var/spool/imap folders shared
between both machines on a Fibre channel disk array.
We only have 1200 users but they are heavy, abusive users. Our current
cyrus build is on WBEL (like RHEL) 2.4 kernel. I am especially keen to
hear from those that have actually done this.
--
Chad A. Prey
Sr. Systems Administrator
Salk Institute for Biological Studies
cell - (858)967-1051
phone - (858) 453-4100 x 1930



Squatter Error

2004-12-12 Thread Lee
Running squatter I get the following error on a specific user's folder:
fatal error: Internal error: assertion failed: squat_internal.c: 161: 
v64 = 0

After which squatter dies.
I tried reconstructing the folder, but it hasn't made a difference. 
Since squatter terminates on this folder, I can't get squatter to 
process everything.

Any ideas?
Lee


Squat Failure Behavior Improvement?

2004-12-08 Thread Lee
I'm running cyrus 2.2.10, and when I run squat -r -s, squat fails on 
certain messages or users because there is one corrupt message in the 
user's mailbox. This isn't a huge issue in itself because I can 
obviously remove the corrupt file or run reconstruct and then restart 
squat. The bigger issue is that on a system with 1000s of users, if I 
plan to run squat as an automatic event in the future, I now have to 
worry that one corrupt message in even a single message will stop 
squatter in its tracks and I won't know it unless I'm constantly 
watching the logs for it.

Is there a reason squat is not designed to simply continue indexing 
after a message or user fails to be indexed? This seems like a pretty 
big problem for anyone running a large system where occasional file 
corruption is inevitable. Is there something I can do to fix this 
problem?

Thanks,
Lee


Cyr_expire Spiraling Out of Control - help!

2004-11-27 Thread Lee
We recently upgraded to the latest cyrus/sasl. We were using 2.1, so we 
needed to convert the DBs over to skiplist and update cyrus.conf. We did 
that and moved over without problem.

Two days after moving to 2.2, we discovered that all of a sudden mail 
was being queued and not delivered on the box. The servers spit out 
errors about deliver.db. To solve the problem I removed deliver.db and 
everything in the db/* folder. After restarting cyrus, queued mail 
quickly started dropping and started being delivered.

After this happened I believed it was the result of running squatter 
for the first time (and subsequently failed). However today I'm looking 
at the top process list and there are several cyr_expire processes 
running from each of the last few days (since rebooting cyrus). They are 
taking up 99% of the CPU and making the load on the dual proc server 
near 4.0.

Does anyone have any idea why cyr_expire is spiraling out of control 
and overloading the system?

Here's our cyrus.conf:
# standard standalone server implementation
START {
  # do not delete this entry!
  recover       cmd="ctl_cyrusdb -r"
  # this is only necessary if using idled for IMAP IDLE
#  idled        cmd="idled"
}
# UNIX sockets start with a slash and are put into /var/imap/sockets
SERVICES {
  # add or remove based on preferences
  imap          cmd="imapd" listen="imap" prefork=5
  imaps         cmd="imapd -s" listen="imaps" prefork=2
  # pop3        cmd="pop3d" listen="pop3" prefork=3
  # pop3s       cmd="pop3d -s" listen="pop3s" prefork=1
  sieve         cmd="timsieved" listen="sieve" prefork=1
  # at least one LMTP is required for delivery
#  lmtp         cmd="lmtpd" listen="lmtp" prefork=0
#  lmtpunix     cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=1
   lmtpunix     cmd="lmtpd" listen="/export/cyrus/imap/socket/lmtp" prefork=1
#   lmtpunix    cmd="lmtpd" listen="/export/cyrus/postfix/spool/private/lmtp" prefork=1

  # this is only necessary if using notifications
#  notify       cmd="notifyd" listen="/var/imap/socket/notify" proto="udp" prefork=1
}

EVENTS {
  # this is required
  checkpoint    cmd="ctl_cyrusdb -c" period=30
  # this is only necessary if using duplicate delivery suppression
  delprune      cmd="cyr_expire -E 3" period=1440
  # this is only necessary if caching TLS sessions
  tlsprune      cmd="tls_prune" period=1440
  # delete old spam
  purgetrash    cmd="ipurge -d 21 -f user/%/spam" at=0530
  purgetrash    cmd="ipurge -d 1 -f user/%/spam-notcaught" at=0330
}
Sincerely,
Lee


Re: Funding Cyrus High Availability

2004-09-17 Thread Lee
mysql does not have multi-master functionality, and its replication, 
is quite honestly, a joke.  You may have mis-spoken and are talking 
about the up-and-coming mysql cluster or the mysql max product (both 
of which I'm much less familiar with).

Indeed I was talking about mysql cluster (which is now included with 
the distro). I'm pretty convinced having talked with some mysql peeps, 
that cluster will eventually (not too distant future) be VERY bullet 
proof. I just figured that writing cyrus to use mysql (or SQL SPEC) as 
a backend might kill two birds with one stone, and create a better 
general platform for growth. Nonetheless, I would love to see just 
replication is everyone if mysql back is out.

L
cut


Re: Funding Cyrus High Availability

2004-09-17 Thread Lee
My vote would be for active/active, it's usually more reliable and of 
course it builds in better scalability. I imagine the main 
question of everyone will be how the choice of active/active or 
active/passive will affect cost/time of implementation.

L
On Sep 17, 2004, at 1:16 PM, Ken Murchison wrote:
David Lang wrote:
On Thu, 16 Sep 2004, Ken Murchison wrote:
Question:   Are people looking at this as both redundancy and 
performance, or just redundancy?
for performance we already have murder, what we currently lack is 
redundancy. once we have redundancy then the next enhancement is 
going to be to teach murder about it so that it can failover to the 
backup box(s) as needed, but for now simply having the full data at 
the backup location would be so far ahead of where we are now that 
the need to reconfigure murder for a failover is relatively trivial 
by comparison.

Actually what I was really asking, is are people looking for an 
active-active config and an active-passive config?

--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp


Funding Cyrus High Availability

2004-09-16 Thread Lee
What do people think about a bounty program like horde's:
http://www.horde.org/bounties/
Basically people can make paypal donations to fund certain features. 
For something like the high availability support, I'm guessing that a lot 
of people would donate small to large amounts of cash to see this 
functionality implemented (I certainly would).

What do you all think?
L
On Sep 16, 2004, at 5:30 AM, Paul Dekkers wrote:
Hi,
Ken Murchison wrote:
I wouldn't hold out hope of anything being available in some 
months.

I wrote my replication code two years ago, and submitted it to Rob 
and Ken about this time last year. Neither I nor they have put any 
significant work into the code since then. As I indicated in my 
previous message, we all have other priorities right now.
I can imagine, but I hoped that priorities would change a bit with 
the amount of users that repeatedly
This link appears dead.  All I get is To clipboard.
Oops. There was never supposed to be a link :-)
interest in this feature and with the money we are willing to put in 
:-|
I'm willing to work on it if there is money available.  You are the 
only one that has said that you would commit money.  Where are the 
rest of the folks?  Based on the number of people that stepped up to 
pay for virtdomains support (zero), I'm guessing there are fewer out 
there willing to spend money than you think.  But I could be wrong.
I'm happy to see that there are indeed others interested in this ;-)
Other than the altnamespace project ($5000) that I did for a 
(unnamed) company in Texas, Jeremy Howard at Fastmail is the only one 
who has consistently paid for features.  I'll let him disclose what 
he has spent, if he chooses to, but it's safe to say that it's been 
more than just pizza and beer.
I expected more than pizza and beer, so that's no surprise :-)
I'd have to look at David's patch again and discuss things with CMU 
to get a good time estimate, but I'm guessing that a project like 
this would cost a few thousand dollars.
Ok, I'll start a discussion with our management based on your latest 
estimation ($3000-$5000) and I'll let you know about the results. 
(Might take a while, I think at least not this week. If you have more 
details (for instance time estimation) let me know.)

Bye,
Paul



Re: Funding Cyrus High Availability

2004-09-16 Thread Lee
I imagine for a big project like this, refunds could be given. I think 
it's more a matter of finding someone to deal with this. I'd be happy to 
do it, but I think it would be best if Ken or another core developer 
that everyone knows and already trusts is in charge of holding the 
cash. Any ideas Ken?

I would bet that if a Fund Cyrus Replication link were made 
prominently on the cyrus homepage, 3-5k could be raised in less than a 
month.

L
P.S. Ken, not sure if this would be easier or more complex, but another 
alternative here might be to write a mysql backend to cyrus, which 
would eliminate the need to worry about redundancy given mysql's 
multimaster functionality (this might also provide better 
searching/sort/access and enormous scalability to the cyrus backends).

On Sep 16, 2004, at 4:58 PM, [EMAIL PROTECTED] wrote:
Hello All,
I would be willing to pay for this function. Though I am just a 
startup, and
have very little capital. Most I could prolly do is $100 to $200. Not 
much.
My fear, which may be the fear of others is the risk of putting money 
in, but
there not being enough support by others to reach the cash goal. Thus 
the
project never is done. What happens in that case ?

Thanks,
On Thursday 16 September 2004 11:00 am, you wrote:
What do people think about a bounty program like horde's:
http://www.horde.org/bounties/
Basically people can make paypal donations to fund certain features.
For something like the high availability support, I'm guessing that a lot
of people would donate small to large amounts of cash to see this
functionality implemented (I certainly would).

What do you all think?
L


Re: High availability ... again

2004-06-28 Thread Lee
Has anyone used GFS with cyrus? Could one theoretically create a 
redundant, loadbalancing cluster using two boxes, GFS and a SAN?

Lee
On Jun 28, 2004, at 9:43 AM, Etienne Goyer wrote:
Ben Carter wrote:
Etienne Goyer wrote:
Tore Anderson's words of wisdom were:
  There's a third option, which is the one I prefer the most:  
shared
 block device.

Well, I did not consider that option since the SAN become a single 
point-of-failure, and that is a big no-no according to the 
specifications I have at the moment.

If it would have been possible, it would have been my first choice 
though.
Do you consider the SAN a SPOF even if you have multiple paths to it 
from each server and it has no internal SPOF?  If so, isn't your 
cluster or your single physical location a SPOF?
Two locations, a single path (20 Mb/s) between the two.  Thinking about 
it, the SPOF is actually the link between the two locations.  The 
situation is pretty much toasted as there cannot be a fully redundant 
setup.  Case closed !

On a similar note, RedHat have apparently bought Sistina, and GPLed 
GFS.  This is great news for HA under Linux, IMHO.  I will be testing 
it soon.


Re: dspam cyrus

2004-06-22 Thread Lee
Christiano,
We're considering something very much like what you're describing. 
Would you mind passing on postfix, dspam (and any other pertinent) 
configs? It would save quite a bit of time screwing around with stuff.

Also, we're somewhat concerned about introducing mysql as an additional 
dependency for our mailsystem (we use it on large scale websites, and 
have nothing but problems instability wise). I'm curious how mysql with 
dspam has been treating you, and how much volume you're managing on it. 
Has mysql crashed on you yet? If so, did mail delivery halt?

Thanks,
Lee
On Jun 22, 2004, at 5:28 PM, Christiano Anderson wrote:
Palle Girgensohn [EMAIL PROTECTED] writes:
Does anyone have experience of running dspam  cyrus?  (with sendmail
 without procmail)
I use Postfix + Dspam + Cyrus and it works very fine.
On Postfix I created two different transports: users with individual
dspam database and users with global dspam database.
Postfix pipes the messages to dspam, it makes the check, includes the
header if message is spam or not and after that delivers to
cyrdeliver. Each user has a sieve rule which moves the message to the
spam folder if it is classified as spam.
It is a good solution, I have been using it for 1 year.


Re: Cyrus HA Scalable Solution? Rsync

2004-05-25 Thread Lee
We (my company) use DRBD (http://drbd.cubit.at/) with heartbeat and cyrus quite
successfully. To distribute load we use multiple heartbeat/drbd backend
clusters. Each cluster is comprised of 2 machines connected together via
gigabit ethernet cards and serial links. Postfix references ldap (for you
mysql) to determine which backend cluster the user's mailbox resides on.
Perdition or Cyrus Murder can be used to proxy the user logging in to check
mail to the correct backend machine. This solution provides unlimited
scalability and pretty good redundancy.

DRBD is a good inexpensive solution. It's proved to be fast and pretty reliable.
I would recommend it if you are on a budget. If you have unlimited cash, a
kimberlite / SAN cluster might be another good option (haven't tried it, but
have heard good things).

Lee

Quoting Michael Loftis [EMAIL PROTECTED]:

 
 
 --On Tuesday, May 25, 2004 14:39 -0700 Kevin Baker [EMAIL PROTECTED] 
 wrote:
 
 
  Thought? This is obviously just a sketch... but I haven't
  seen this done before as far as the failover solution
  with rsync and thought it might work pretty well.
 
 rsync sucks for large numbers of files/directories.  It has to build an 
 in-memory tree before it even starts syncing.
 
 what would be 'nice' to see is something built inside of cyrus to handle 
 multiple backends but that's a pretty complicated bit of beast.  (no i'm 
 not volunteering ;) )
 
 
 --
 GPG/PGP -- 0xE736BD7E 5144 6A2D 977A 6651 DFBE 1462 E351 88B9 E736 BD7E 


Re: Delivering to a folder

2003-12-29 Thread Lee
Ken, that did it. Thank you.

One last question, are there any security risks to having all of a 
user's mailboxes postable by anonymous?

Thanks again,
Lee
On Dec 26, 2003, at 10:15 AM, Ken Murchison wrote:

Lee wrote:

We're using postfix - lmtp - cyrus 2.1.16 on a redhat 9 box.
When I try to send a message to [EMAIL PROTECTED] it's always 
delivered to the user's inbox. What do I need to do to get the 
messages delivered to the folder?
Assuming that user above is a placeholder for the real userid, set 
the ACL on user/user/folder so that the 'anonymous' or 'anyone' 
userid has the 'p' (post) right.


Our imapd.conf is attached below.
Thanks,
Lee
IMAPD.CONF:
# Cyrus Imapd Configuration
configdirectory: /export/cyrus/imap
partition-default: /export/cyrus/spool/imap
admins: admin
tls_cert_file: /export/cyrus/server.pem
tls_key_file: /export/cyrus/server.pem
allowanonymouslogin: no
allowplaintext: yes
sasl_mech_list: PLAIN
servername: localhost
autocreatequota: 0
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pwcheck_method: saslauthd
sievedir: /export/cyrus/sieve
sendmail: /usr/sbin/sendmail
#sieve_maxscriptsize: 32
#sieve_maxscripts: 5
# Get rid of folders as subfolders of INBOX
altnamespace: yes
unixhierarchysep: yes


--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp
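
A way to check the exposure asked about above, as an added example that is not part of the original thread or of Cyrus itself: it reads a mailbox-list dump and reports which mailboxes give unauthenticated senders the 'p' right and whether they hold anything beyond it. The dump layout (mailbox, partition, then tab-separated identifier/rights pairs), the sample lines and all function names are assumptions made for this sketch.

```python
"""Audit a Cyrus mailbox-list dump for rights held by unauthenticated senders."""

# Identifiers that apply to a sender who has not authenticated: "anyone"
# matches every user, "anonymous" matches the anonymous user.
ANON_IDS = {"anyone", "anonymous"}

# Constructed sample, not taken from a real server. Assumed layout of a line:
# mailbox <TAB> partition <TAB> ACL, where the ACL is a run of
# "identifier <TAB> rights <TAB>" pairs.
SAMPLE_DUMP = (
    "user.joe\tdefault\tjoe\tlrswipcda\t\n"
    "user.joe.lists\tdefault\tjoe\tlrswipcda\tanyone\tp\t\n"
    "user.joe.shared\tdefault\tjoe\tlrswipcda\tanyone\tlrsp\t-anonymous\tp\t\n"
    "user.ann.drop\t0 default\tann\tlrswipcda\tanonymous\tp\tanyone\tlrs\t\n"
)


def parse_dump_line(line):
    """Split one dump line into (mailbox, partition, {identifier: rights})."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 2 or not fields[0]:
        raise ValueError("not a mailbox-list line: %r" % line)
    name, partition, acl_fields = fields[0], fields[1], fields[2:]
    # The ACL ends with a tab, which leaves one empty trailing field.
    if acl_fields and acl_fields[-1] == "":
        acl_fields.pop()
    if len(acl_fields) % 2:
        raise ValueError("unpaired ACL entry for %r" % name)
    acl = {}
    for ident, rights in zip(acl_fields[0::2], acl_fields[1::2]):
        acl.setdefault(ident, set()).update(rights)
    return name, partition, acl


def anonymous_rights(acl):
    """Rights an unauthenticated sender ends up with under this ACL.

    Positive entries for the anonymous identifiers are added together and
    negative entries ("-identifier") are then subtracted.
    """
    granted, denied = set(), set()
    for ident, rights in acl.items():
        if ident in ANON_IDS:
            granted |= rights
        elif ident.startswith("-") and ident[1:] in ANON_IDS:
            denied |= rights
    return granted - denied


def audit(lines):
    """Return (mailbox, postable, extra_rights) for every exposed mailbox.

    postable is True when 'p' is held, which is all that delivery to a
    folder needs. extra_rights lists anything beyond 'p' (for example
    'lrs' lets any user read the folder), which delivery does not need.
    """
    findings = []
    for line in lines:
        if not line.strip():
            continue
        name, _partition, acl = parse_dump_line(line)
        rights = anonymous_rights(acl)
        if rights:
            extra = "".join(sorted(rights - {"p"}))
            findings.append((name, "p" in rights, extra))
    return findings


if __name__ == "__main__":
    for mailbox, postable, extra in audit(SAMPLE_DUMP.splitlines()):
        note = "post" if postable else "no post"
        if extra:
            note += ", also holds: " + extra
        print("%-20s %s" % (mailbox, note))
```
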



Delivering to a folder

2003-12-25 Thread Lee
We're using postfix - lmtp - cyrus 2.1.16 on a redhat 9 box.

When I try to send a message to [EMAIL PROTECTED] it's always 
delivered to the user's inbox. What do I need to do to get the messages 
delivered to the folder?

Our imapd.conf is attached below.

Thanks,
Lee
IMAPD.CONF:

# Cyrus Imapd Configuration

configdirectory: /export/cyrus/imap
partition-default: /export/cyrus/spool/imap
admins: admin
tls_cert_file: /export/cyrus/server.pem
tls_key_file: /export/cyrus/server.pem
allowanonymouslogin: no
allowplaintext: yes
sasl_mech_list: PLAIN
servername: localhost
autocreatequota: 0
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pwcheck_method: saslauthd
sievedir: /export/cyrus/sieve
sendmail: /usr/sbin/sendmail
#sieve_maxscriptsize: 32
#sieve_maxscripts: 5
# Get rid of folders as subfolders of INBOX
altnamespace: yes
unixhierarchysep: yes


Re: High Availability Email

2003-08-30 Thread Lee
Gary,
We use multiple two-box mailstore clusters running cyrus, drbd, and 
linux-ha to store the actual mail. On top of this we have loadbalancers 
running a set of ldap boxes for authentication, and perdition to 
loadbalance the frontend mail connections.

DRBD + Heartbeat (linux-ha) for the backend mail store boxes has worked 
for over a year for us, but if you have the cash I recommend using 
two-box redundantly shared fibrechannel SANs instead ... a lot more 
expensive, but less wonky.

L

On Saturday, August 30, 2003, at 09:26 AM, Gary C. New wrote:

I am gearing up to migrate our systems to a high availability email 
topology and was wondering what the current solutions are to provide 
such an architecture?

I need a solution that synchronizes/mirrors/replicates user mail 
stores across several physical servers for redundancy.

Some of my research has pointed me to Cyrus Murder and the MUPDATE 
protocol, but it sounds like even in this type of configuration the 
back-end server would still be a single point of failure.

Suggestions?

Thanks.

Gary





Can't delete old folders from before ALTNAMESPACE

2003-06-16 Thread Lee
Hey All,
One of our users has the following folders listed in his account:
user/joe/INBOX/A =D (\HasChildren)
user/joe/INBOX/A =D/Accounts (\HasNoChildren)
These folders don't exist because they were remnants of our mail system 
before we turned on ALTNAMESPACE. The problem is that when I try to 
delete the folder in cyradm or in outlook, cyrus just returns errors.

Any ideas?

Thanks,
Lee


Re: Can't delete old folders from before ALTNAMESPACE

2003-06-16 Thread Lee
You should be able to delete these from within cyradm as an admin, 
unless
somebody deleted stuff by hand from the filesystem.
I think that might be the problem.

When I try to SAM the folders pre-deletion in cyradm, I get a:

setaclmailbox: admin: lcp: System I/O error

Is there a way to force remove cyrus' internal list of those folders?

L

On Monday, June 16, 2003, at 01:50 PM, Ken Murchison wrote:

Quoting Lee [EMAIL PROTECTED]:

Hey All,
One of our users has the following folders listed in his account:
user/joe/INBOX/A =D (\HasChildren)
user/joe/INBOX/A =D/Accounts (\HasNoChildren)
These folders don't exist because they were remnants of our mail system
before we turned on ALTNAMESPACE. The problem is that when I try to
delete the folder in cyradm or in outlook, cyrus just returns errors.
Any ideas?
You should be able to delete these from within cyradm as an admin, 
unless
somebody deleted stuff by hand from the filesystem.

What errors are you getting from cyradm?

--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp



Re: Can't delete old folders from before ALTNAMESPACE

2003-06-16 Thread Lee
I created the directories spool/imap/user/joe/INBOX and INBOX/A =D and 
INBOX/A =D/Accounts, then I ran reconstruct -R on user/joe, but that 
just returned the following errors:

user.joe.INBOX.A =D: System I/O error Bad file descriptor
user.joe.INBOX.A =D.Accounts: System I/O error Bad file descriptor
This is odd since we're using the / as the directory separator not . 
(which we used to use a long time ago).

BTW I also tried creating and reconstructing two top level directory 
folders spool/imap/user.joe.INBOX.A =D and spool/imap/user.joe.INBOX.A 
=D .Accounts, but it didn't change the error I received when running 
reconstruct.

Any other ideas?

L

On Monday, June 16, 2003, at 03:16 PM, Rob Siemborski wrote:

On Mon, 16 Jun 2003, Lee wrote:

You should be able to delete these from within cyradm as an admin,
unless
somebody deleted stuff by hand from the filesystem.
I think that might be the problem.
Don't do that! ;)

To fix the problem, recreate the directories in the filesystem,
reconstruct the mailboxes, and then delete them properly via cyradm.
Is there a way to force remove cyrus' internal list of those folders?
Not any easy ways, there are some test utilities for cyrusdb 
functionality
that let you manipulate the database on a per-key basis.  They're in 
the
distribution, but they're a use-at-your-own-risk sort of thing.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper



Re: Can't delete old folders from before ALTNAMESPACE

2003-06-16 Thread Lee
Will this cause any problems with seen / unseen flags (or anything for 
that matter)?

L

On Monday, June 16, 2003, at 03:34 PM, John Alton Tamplin wrote:

Lee wrote:

You should be able to delete these from within cyradm as an admin, 
unless
somebody deleted stuff by hand from the filesystem.
I think that might be the problem.

When I try to SAM the folders pre-deletion in cyradm, I get a:

setaclmailbox: admin: lcp: System I/O error

Is there a way to force remove cyrus' internal list of those folders?
If you deleted them without Cyrus knowing about it, your best bet is 
to take Cyrus down, dump the mboxlist (ctl_mboxlist -d file.txt), 
edit the text version of the file to remove things that are no longer 
there, and then undump the mboxlist (ctl_mboxlist -u -f file.txt), and 
then bring everything up.  You really should not be deleting things 
under Cyrus's control except through Cyrus.

--
John A. Tamplin   Unix System Administrator
Emory University, School of Public Health +1 404/727-9931




Re: Geographically Redundant mail stores

2003-03-18 Thread Lee
We looked into a number of solutions to do what you're doing, and the 
best solution (within our budget) was to use block level syncing 
software like drbd (http://www.complang.tuwien.ac.at/reisner/drbd/) 
with heartbeat (linux-ha). Basically it replicates all data written to 
disk on the primary to the secondary and handles switching from primary 
to secondary when it detects that the primary is down.

L

On Tuesday, March 18, 2003, at 06:58 PM, Michael Fair wrote:

On Tue, 18 Mar 2003, Michael Fair wrote:

I'm doing some work on how to create a somewhat
reliable geographically redundant mail system.
Since I'm guessing you don't want to hear the reasons that this won't 
work
(synchronizing UIDs and flags, for example, is hard), I won't go into
that.


Thanks.  I've given up on trying to provide a perfect/correct
solution.  Instead I'm shooting for something more along the
lines of being able to look at a live backup and then synchronizing
any new mail that comes in.  State flags and other things above
and beyond the email messages themselves are not a concern (but
would be nice to have).
The main problem is just that if the main server is ever unavailable
communications come to a grinding halt.  Since we have people
outside the office as well as in, we wanted some way for them to
at least continue to send/receive new mail.
I've been thinking about this problem for some time, and at the
moment the best concepts I have going are:
1) Use Cyrus 2.2 and have the NNTP server sync the mailboxes.
   (This does nothing for state flags and probably will not
help with the creation/deletion of new folders)
2) Create a file locking server that replaces the file
   locking calls with something that is cross machine compatible
   then use Coda, Intermezzo, or NFS to mirror the file store.
3) Turn Cyrus on the backup server off, use rsync to copy all
   the files from one server to the other (making the UID/GIDs
   match on the two servers shouldn't be a problem), then in the
   event of a failure activate the Cyrus server, then flush the
   MTA queue to deliver the queued mail to Cyrus (the queued mail
   will be that which has been delivered since primary failure).
   It would look like I restored from a backup (which wouldn't
   be too far from the truth).
   (This is just admin intensive, and slow, and assumes that an
admin will always be available to manually make the changes)
4) Enhance Mailsync which does a good job at synchronizing
the mail stores for an individual user to do an entire
mail store.
(Without enhancement it needs to be setup per user.)
(With enhancement, by default an administrator cannot read
 the emails within users mailboxes and therefore cannot
 sync them)
5) Wait for people smarter than myself to add redundancy to
   Cyrus directly (perhaps with a Group Communication Library
   like Spread or something similar).



 Instead I'll answer your main question directly.

My question was that the only user I know that
can see the whole tree is an admin user.  But
by default admin users can't select the mailboxes
because they don't have the proper permissions.
Admin users can authorize as any user they want.  So simply have the 
admin
user authorize as each user, and they can get to that mailbox with no
trouble.

Note that if you SELECT a mailbox as a user, it *will* change the 
state of
\Recent flags for the user.
Is there a reliable way to query the known list of users?
I'm thinking of a big loop:
foreach $user (@users) { syncMailbox($user); }
I suppose I could just use the output of sasldblistusers
as STDIN input to the perl script (or the perl script
could run it directly) since that's the backend I use.
Or doing a List of the user folder one level deep.
Any other ideas?

How would you do it?

The problem is:
When the primary mail site is down, all email communication
ceases despite the availability of other sites that could
handle the load.
In addition to allowing sending/receiving of new email,
The system must integrate any new mail back into the main
site when it becomes available again.
The system should allow people to see all their email and
folders older than some sane value (like 1 hour prior
to main site failure (shorter times preferred)).
The system may (as added bonus points and extra special
kudos) preserve flag states for users email.
Just as an FYI, the systems are Debian servers running
Henrique's amazingly wonderful packages.
The servers are Cyrus 2.1, Postfix 1.1.11, both integrated
with sasldb for Authentication (SMTP AUTH is only allowed
during a TLS session with Postfix - not that it matters).
Site A has a 4MB link, Site B has 1.5MB link.
-- Michael --




Re: Cyrus emails backup

2003-01-22 Thread Lee
Yes, just backup your /var/mail and /var/spool/mail folders.

Lee

On Wednesday, January 22, 2003, at 01:03 AM, test s wrote:


Hi,

Does anyone knows how to backup cyrus emails?






Re: backup mail server

2003-01-12 Thread Lee
I am in the process of testing out this same setup at present under
Linux
and I have a couple of questions.

1) How large is your Cyrus installation (# of accounts,  # of
simultaneous


286 Accounts, usually around 10-15 simultaneous IMAP connections.  Total
spool size is 4.2 gigs, this includes stage and all user data. We've 
designed this system to scale to 1500 accounts per box, but haven't 
fully tested under that load yet though.

connections and IMAP spool size)
2) What DRBD protocol are you using A,B or C and over what file system
(EXT2, LVM, EXT3 ???)


DRBD protocol C / Ext3


3) Are you using block replicated disks for both your IMAP spool 
your IMAP
directory (Mailboxes DB etc)?


Yes, we are using block replication for everything directly related to
services running on this system.

L




Re: backup mail server

2003-01-12 Thread Lee
drbd configuration file:

resource drbd0 {
  protocol=C
  fsckcmd=fsck.ext2 -p -y

  inittimeout=60
  skip-wait=yes

  disk {
    do-panic
    disk-size=66621523
  }

  net {
    sync-rate=6M
    tl-size=5000
    timeout=60
    connect-int=10
    ping-int=10
  }

  on box1 {
    device=/dev/nb0
    disk=/dev/sda6
    address=10.0.0.1
    port=7789
  }

  on box2 {
    device=/dev/nb0
    disk=/dev/sda6
    address=10.0.0.2
    port=7789
  }
}

Boxes are connected together via serial and etho links.

L

On Saturday, January 11, 2003, at 05:10 PM, [EMAIL PROTECTED] wrote:







On Sat, Jan 11, 2003 at 01:38:11PM -0500, Lee wrote:

We use drbd (http://www.complang.tuwien.ac.at/reisner/drbd/) and
linux-ha's (http://www.linux-ha.org/) heartbeat to create two-box
mailstores (one active, one hotspare, continuously in-sync). Works
beautifully.



Are you using the drbd from CVS on a 2.4.x kernel? Could you provide
details of the drbd version and OS off list?


A copy/paste of your config file would also be great as example, if 
they do
not contain too much sensitive data of course which shouldn't be the
case...

Thanks

Marc

C.DTF




Re: backup mail server

2003-01-12 Thread Lee
> - Are you using other tools like heartbeat or in the same kind ? If yes
> which tool ?

Yes, we're using heartbeat. Here's the requisite config:

/etc/ha.d/haresources:
servname.host.com 100.102.248.46 datadisk::drbd0 cyrus postfix

> - From your drbd configuration file I can see that you are using /dev/sda6
> as physical disk, is that your Cyrus partition (/var/spool/imap) ?

sda6 is our data partition where we keep /var/spool/imap /var/imap/
/var/spool/mail and all of our configuration files.

L

> Thanks
> Marc














Re: backup mail server

2003-01-11 Thread Lee
We use drbd (http://www.complang.tuwien.ac.at/reisner/drbd/) and 
linux-ha's (http://www.linux-ha.org/) heartbeat to create two-box 
mailstores (one active, one hotspare, continuously in-sync). Works 
beautifully.

L


On Saturday, January 11, 2003, at 10:26 AM, Ken Murchison wrote:

> Greg Sidleinger wrote:
>
> > I have a small cyrus setup that only a few users use but I want to setup
> > some kind of live backup system for it.  I would really just like to
> > have two cyrus servers that keep the same mail boxes on them so if one
> > fails (hardware, software crash, smurfs, etc...) the other will have a
> > back up the mail and continue to receive mail.  I was reading up on the
> > murder stuff for cyrus but am not sure if it is what I want and if I
> > have the spare systems to support everything.  If anyone could point me
> > in the right direction it would be great.
>
> Maintaining a hot spare machine _might_ be possible by using the NNTP
> support in Cyrus 2.2, since this is what NNTP does, but nothing has been
> done on this front.
>
> --
> Kenneth Murchison Oceana Matrix Ltd.
> Software Engineer 21 Princeton Place
> 716-662-8973 x26  Orchard Park, NY 14127
> --PGP Public Key--http://www.oceana.com/~ken/ksm.pgp




Administrate Sieve?

2002-12-23 Thread Lee
We use an ldap directory with SSHA hashing on passwords stored in ldap
as the backend for our cyrus 2.1.X implementation. We are currently
trying to add a set of sieve scripts to EVERY user's account. Since we
can't actually access a user's password (since they're hashed in ldap) I
was hoping to login to sieve as an administrator and add the scripts to
each user's account. This doesn't seem possible though. Does anyone have
a suggestion how I might go about adding sieve scripts to users'
accounts using some sort of administrative account or by making a
global (server-wide) set of sieve scripts?

Thanks,
Lee



Sieve Server-Wide

2002-12-16 Thread Lee
Hey All,
I've setup spamassassin / amavisd-new to tag spam with an X-Spam
header. I want to now tell cyrus to filter those emails into the users'
spam folder. I found a sieve script that does this, but I'm wondering
if there is a way to apply the script to all users on the server. Is
there some sort of shared or default sieve user/directory that
affects all users or some way to have all users' sieve dir simply be a
single directory?

Thanks,
Lee



Serious Bug in Cyrus/SASL: Intermittent Ldap AUTHFAIL

2002-09-20 Thread Lee Hoffman

I've been pulling my hair out with this for nearly 4 days now. I have
cyrus 2.1.5, sasl 2.1.7 on a RH7.3 box compiled as follows:

SASL:
./configure --enable-plain --disable-krb4 \
    --with-saslauthd=/var/run/saslauthd --with-ldap=/usr/local/lib

IMAP:
./configure --with-sasl=/usr/local/lib --with-perl --with-auth=unix \
    --with-ssl --with-dbdir=/usr/local/BerkeleyDB.4.0 --with-ucdsnmp=no

Basically I CYRUS-SASLAUTHD-LDAP

For some reason users intermittently will be prompted for their password
over and over. The sasl debug log shows the following lines when that
happens:

Sep 20 16:53:46 servername saslauthd[341]: Entry not found or more than one entries found (uid=superman).
Sep 20 16:53:46 servername saslauthd[341]: AUTHFAIL: user=superman service=imap realm=

(ldap logs show nothing)

The user always exists in the ldap directory. In fact 75% of the time
they can login and use mail without problems. It seems like when I
restart the ldap directory the AUTHFAILS stop happening for a while. I
have the ldap directory restarting ldap every 5 minutes now, which seems
to be keeping the AUTHFAILS to a minimum (but they are still happening).


I immediately figured it was an LDAP problem. However, I've now tried
openldap 2.0.25, 2.1.5, 2.0.23 as the ldap server. I've even tried each
of these three versions on two different servers (one with redhat, one
with debian). Both servers were completely different hardware. I also
tried different versions of the ldap client library (and of course
recompiled cyrus and sasl after trying each) on the cyrus server.
Nothing stops these intermittent AUTHFAILS. 

Does anyone have any idea what's going on? I'm desperate. Any ideas would
be appreciated.

Thanks,
Lee



SASLAUTHD.CONF:

ldap_servers: ldaps://server1.com # (tried ldap and ldaps here)
ldap_bind_dn: cn=postfixAdmin,ou=software,dc=location,dc=com
ldap_bind_pw: password
ldap_auth_method: bind
ldap_search_base: ou=users,dc=location,dc=com
ldap_debug: 5000
ldap_timeout: 15 # tried multiple values here too
ldap_time_limit: 15 # tried multiple values here too


IMAPD.CONF

configdirectory: /export/cyrus/imap
partition-default: /export/cyrus/spool/imap
admins: admin
#sasl_pwcheck_method: pam

tls_cert_file: /export/cyrus/server.pem
tls_key_file: /export/cyrus/server.pem

allowanonymouslogin: no
allowplaintext: yes
sasl_mech_list: PLAIN
servername: localhost
autocreatequota: 1
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pwcheck_method: saslauthd
#sievedir: /usr/sieve
#sendmail: /usr/sbin/sendmail
#sieve_maxscriptsize: 32
#sieve_maxscripts: 5

# Get rid of folders as subfolders of INBOX
altnamespace: yes 
unixhierarchysep: yes
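
Separating the two kinds of AUTHFAIL in a saslauthd log, as an added example that is not part of the original post: per user, it counts failures that directly follow the "Entry not found" lookup error from the same saslauthd process versus failures logged with no lookup error first. It assumes only the two line formats quoted in the message; the function names are hypothetical and every sample line after the first two is constructed.

```python
import re
from collections import defaultdict

# The two saslauthd message formats quoted in the post above.
SYSLOG = re.compile(
    r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\ssaslauthd\[(\d+)\]:\s(.*)$")
LOOKUP_FAIL = re.compile(
    r"^Entry not found or more than one entries found \(uid=([^)]+)\)")
AUTHFAIL = re.compile(r"^AUTHFAIL: user=(\S+) service=(\S+) realm=(\S*)")


def classify_authfails(lines):
    """Count AUTHFAIL events per user as 'lookup' or 'other'.

    'lookup': the same saslauthd pid logged a failed directory search for
    that uid immediately before the AUTHFAIL (a backend problem).
    'other':  no lookup error came first (assumed here to be a rejected
    credential, which is what matters when watching for password guessing).
    """
    pending = {}  # pid -> uid named in the lookup error that pid just logged
    stats = defaultdict(lambda: {"lookup": 0, "other": 0})
    for raw in lines:
        m = SYSLOG.match(raw.strip())
        if not m:
            continue  # not a saslauthd syslog line
        pid, msg = m.group(3), m.group(4)
        lookup = LOOKUP_FAIL.match(msg)
        if lookup:
            pending[pid] = lookup.group(1)
            continue
        fail = AUTHFAIL.match(msg)
        if fail:
            user = fail.group(1)
            kind = "lookup" if pending.pop(pid, None) == user else "other"
            stats[user][kind] += 1
        else:
            # Any other message from this pid breaks the pairing.
            pending.pop(pid, None)
    return {user: dict(counts) for user, counts in stats.items()}


def backend_suspects(stats):
    """Users whose failures include directory lookup errors."""
    return sorted(u for u, c in stats.items() if c["lookup"] > 0)


# First two lines are from the post (re-joined); the rest are constructed.
SAMPLE = """\
Sep 20 16:53:46 servername saslauthd[341]: Entry not found or more than one entries found (uid=superman).
Sep 20 16:53:46 servername saslauthd[341]: AUTHFAIL: user=superman service=imap realm=
Sep 20 16:54:02 servername saslauthd[342]: AUTHFAIL: user=lois service=imap realm=
Sep 20 16:58:10 servername saslauthd[343]: Entry not found or more than one entries found (uid=superman).
Sep 20 16:58:10 servername saslauthd[341]: AUTHFAIL: user=lois service=imap realm=
Sep 20 16:58:10 servername saslauthd[343]: AUTHFAIL: user=superman service=imap realm=
""".splitlines()

if __name__ == "__main__":
    result = classify_authfails(SAMPLE)
    for user in sorted(result):
        print(user, result[user])
    print("lookup failures seen for:", backend_suspects(result))
```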





RE: Serious Bug in Cyrus/SASL: Intermittent Ldap AUTHFAIL

2002-09-20 Thread Lee Hoffman

Hey Igor,
Running ldapsearch when the server is printing the AUTHFAILS returns
what you would expect, the single user account entry for the user. Based
on the fact that restarting the ldap server seems to help, one would
think that it's an ldap server problem. But I just don't see how that can
be since I've run 3 different versions of openldap, on two different
servers, and the ldap server load never goes above 0.10.

Any other ideas?

Thanks,
Lee 

-Original Message-
From: Igor Brezac [mailto:[EMAIL PROTECTED]] 
Sent: Friday, September 20, 2002 6:39 PM
To: Lee Hoffman
Cc: [EMAIL PROTECTED]
Subject: Re: Serious Bug in Cyrus/SASL: Intermittent Ldap AUTHFAIL


Are there any other saslauthd lines in the syslog?  What happens when
you run

ldapsearch -x -b ou=users,dc=location,dc=com \
    -D cn=postfixAdmin,ou=software,dc=location,dc=com -W uid=superman

on the command line after you start getting AUTHFAIL messages?
How many entries, if any, are returned?

Your configuration looks good.





-- 
Igor






RE: Serious Bug in Cyrus/SASL: Intermittent Ldap AUTHFAIL

2002-09-20 Thread Lee Hoffman

Igor,
Here's my slapd.conf.


SLAPD.conf:

---

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /export/openldap/etc/schema/core.schema
include /export/openldap/etc/schema/misc.schema
include /export/openldap/etc/schema/cosine.schema
include /export/openldap/etc/schema/inetorgperson.schema
include /export/openldap/etc/schema/horde.schema
include /export/openldap/etc/schema/domain.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org

pidfile     /usr/local/var/slapd.pid
argsfile    /usr/local/var/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/local/libexec/openldap
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# Define global ACLs to disable default read access.
defaultaccess none

access to * by self read
    by dn=cn=softwareAdmin,ou=software,dc=domain,dc=com write
    by dn=cn=postfixAdmin,ou=software,dc=domain,dc=com read
    by dn=cn=listAdmin,ou=software,dc=domain,dc=com read
    by * auth


###
# ldbm database definitions
###

database    ldbm
suffix      dc=location,dc=com
rootdn      cn=Manager,ou=software,dc=location,dc=com

# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw      {SSHA}jklasdjklajasd83qkl9002002sadsasda

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory   /export/openldap/var/openldap-ldbm

# Indices to maintain
index default pres,eq
index objectClass,uid,cn,trbcPublicEmailAddress,trbcDomainName

loglevel 0

# TLS / SSL
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /export/openldap/etc/ldapcert.pem
TLSCertificateKeyFile /export/openldap/etc/ldapkey.pem
TLSCACertificateFile /export/openldap/etc/demoCA/cacert.pem

replogfile /export/openldap/replog

# Replication
replica host=ldap2.domain.com:389
    binddn=cn=Replicator,ou=software,dc=location,dc=com
    bindmethod=simple credentials=password



> I'd like to email you a patch for saslauthd, but I am not at a place where
> I can do this until Monday.

That would be great. I really appreciate you taking the time to help.

Sincerely,
Lee


-Original Message-
From: Igor Brezac [mailto:[EMAIL PROTECTED]] 
Sent: Friday, September 20, 2002 7:59 PM
To: Lee Hoffman
Cc: [EMAIL PROTECTED]
Subject: RE: Serious Bug in Cyrus/SASL: Intermittent Ldap AUTHFAIL


saslauthd can be at fault here, but I am not convinced yet.  What does
your slapd.conf look like?

I'd like to email you a patch for saslauthd, but I am not at a place
where
I can do this until Monday.

I run a similar setup without any problems except I use a different OS.

-Igor


SSL Certificate Authority

2002-05-23 Thread Lee Hoffman

Hey all,
So after finally getting ssl working with a self-signed certificate, I'm
trying to make the certificate legit by getting a Thawte signed
certificate. I read through the cyrus docs and followed them to create
the original self-signed server.pem file (which worked). My question is
how do I then generate a CSR from that server.pem file, that I can then
submit to thawte? Likewise, when I get the new certificate back from
thawte, do I just paste it into the existing server.pem file, replacing
the key part of the file? Also, does the command cyrus recommends,

openssl req -new -x509 -nodes -out /var/imap/server.pem -keyout /var/imap/server.pem -days 365

create a 128 bit key pair?

BTW, I also tried following the instructions for Openssl key/csr/crt
creation on thawte's website (see below). I then changed the cyrus.conf
to point to the new key and self-signed certificate and it caused cyrus
to reject ssl logins with the error: unable to get private key from
'/var/imap/servername.com.key' (which does exist and is readable by the
cyrus user).

--- Thawte Openssl instructions ---

Step 1. Go to your SSL directory
cd /usr/local/ssl/private

Step 2. Generate a private key
openssl genrsa -des3 -rand file1:...:file5 1024 > www.xxx.com.key
Now PLEASE backup your www.xxx.com.key and make a note of the
passphrase.
Losing your key will cost you money!

Step 3. Go to your certs directory
cd /usr/local/ssl/certs

Step 4. Generate a CSR from your key
openssl req -new -key ../private/www.xxx.com.key > www.xxx.com.csr

Step 5. Generate a self-signed certificate
openssl req -x509 -key ../private/www.xxx.com.key -in www.xxx.com.csr > www.xxx.com.crt





Clearly I don't know what I'm doing here. Any help would be much
appreciated.

Sincerely,
Lee
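
A pre-flight check for the PEM files that `tls_cert_file` and `tls_key_file` point at, as an added example that is not part of the original post: it lists the blocks in a file and flags a missing certificate, a missing key, a CSR left in the served file, and a passphrase-protected key (which is what `openssl genrsa -des3` writes, and which a daemon starting unattended cannot decrypt). The function names and problem codes are hypothetical, the PEM bodies are constructed placeholders, and the thread does not establish which of these caused the error quoted above.

```python
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, encrypted)] for every PEM block, in file order."""
    found = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        # Traditional OpenSSL keys announce encryption in a header line;
        # PKCS#8 keys use a distinct label instead.
        encrypted = (label == "ENCRYPTED PRIVATE KEY"
                     or body.lstrip().startswith("Proc-Type: 4,ENCRYPTED"))
        found.append((label, encrypted))
    return found


def check_tls_file(text, role):
    """Check one PEM file. role is 'cert', 'key', or 'both' (a single file
    used for both settings, like the server.pem in the post)."""
    blocks = pem_blocks(text)
    labels = [label for label, _ in blocks]
    keys = [(l, enc) for l, enc in blocks if l.endswith("PRIVATE KEY")]
    problems = []
    if role in ("cert", "both") and "CERTIFICATE" not in labels:
        problems.append("missing-certificate")
    if role in ("key", "both"):
        if not keys:
            problems.append("missing-private-key")
        elif any(enc for _, enc in keys):
            problems.append("encrypted-private-key")
    if any(l.endswith("CERTIFICATE REQUEST") for l in labels):
        # A CSR goes to the CA; it is not something the server loads.
        problems.append("csr-in-served-file")
    return problems


# Constructed inputs: the base64 body is a placeholder, not key material.
B64 = "Q09OU1RSVUNURUQgUExBQ0VIT0xERVI="
CERT = f"-----BEGIN CERTIFICATE-----\n{B64}\n-----END CERTIFICATE-----\n"
PLAIN_KEY = (f"-----BEGIN RSA PRIVATE KEY-----\n{B64}\n"
             "-----END RSA PRIVATE KEY-----\n")
DES3_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
            "Proc-Type: 4,ENCRYPTED\n"
            "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
            f"{B64}\n-----END RSA PRIVATE KEY-----\n")
CSR = (f"-----BEGIN CERTIFICATE REQUEST-----\n{B64}\n"
       "-----END CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    print("combined server.pem:", check_tls_file(PLAIN_KEY + CERT, "both"))
    print("-des3 key file:     ", check_tls_file(DES3_KEY, "key"))
    print("CSR used as cert:   ", check_tls_file(CSR, "cert"))
```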




RE: SSL/TLS

2002-05-22 Thread Lee Hoffman

Scratch that, that error prints out occasionally even when I'm not trying
to log in via ssl.

Lee


-Original Message-
From: Ken Murchison [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, May 22, 2002 2:52 PM
To: Lee Hoffman
Cc: 'Cyrus Mailing List'
Subject: Re: SSL/TLS



Lee Hoffman wrote:
>
> When I run /usr/local/ssl/bin/openssl s_client -connect localhost:993
>
> The following is printed:
>
> CONNECTED(0003)
>
> Then it just hangs.

Check imapd.log for errors.  Is imaps listed in /etc/services?

Ken
-- 
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp





RE: SSL/TLS

2002-05-22 Thread Lee Hoffman

When I run /usr/local/ssl/bin/openssl s_client -connect localhost:993

The following is printed:

CONNECTED(0003)

Then it just hangs.

L

-Original Message-
From: Ken Murchison [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, May 22, 2002 11:31 AM
To: Lee Hoffman
Cc: Cyrus Mailing List
Subject: Re: SSL/TLS



Lee Hoffman wrote:
>
> This is VERY weird!!! When I telnet into the mailserver on 993:
>
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> . logout
> ^X
>
> No commands works, yet it says that it's connected! '. logout' does
> nothing, '. starttls' does nothing etc... I checked inetd, and other
> services running, and none bind to 993. Could the master process be
> listening on 993 and then *not* spawning a new imapd -s when a
> connection comes in??

Port 993 is IMAP over SSL (imaps) which expects an SSL negotiation to be
made as soon as the connection is opened.  Try doing this instead:

openssl s_client -connect localhost:993



 -Original Message-
 From: Scott M Likens [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, May 22, 2002 2:41 AM
 To: Lee Hoffman; 'Jeff Bert'; [EMAIL PROTECTED]
 Subject: RE: SSL/TLS
 
 *sigh*
 
 Telnet to your imap port and please verify that the STARTTLS command
 exists...
 
 Easiest way to do that instead of doing . logout
 
 do . starttls
 
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 * OK shell Cyrus IMAP4 v2.1.4 server ready
 . starttls
 . OK Begin TLS negotiation now
 
 like that
 
 *bleh*
 
 Stop using imtest like a golden rule folks.  Use an ACTUAL mail client
 to
 test things!!!
 
 --On Wednesday, May 22, 2002 12:58 AM -0400 Lee Hoffman
 [EMAIL PROTECTED] wrote:
 
  Here is my imapd.conf:
 
  configdirectory: /var/imap
  partition-default: /var/spool/imap
  admins: adminuser
  sasl_pwcheck_method: PAM
 
  tls_cert_file: /var/imap/server.pem
  tls_key_file: /var/imap/server.pem
 
  (/var/imap/server.pem exists and is readable by the cyrus user)
 
  ok running:  'imtest -t  -u lee -a lee -r servername.com
  servername.com' gets auth working, but still no STARTTLS:
 
  C: C01 CAPABILITY
  S: * OK servername.com Cyrus IMAP4 v2.0.16 server ready
  S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS
 ID
  NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT
  THREAD=REFERENCES IDLE
  S: C01 OK Completed
  Password:
  C: L01 LOGIN lee {8}
  + go ahead
  C: omitted
  L01 OK User logged in
  Authenticated.
  Security strength factor: 0
 
  Any other ideas?
 
  Lee
 
 
  -Original Message-
  From: Jeff Bert [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, May 22, 2002 12:28 AM
  To: Lee Hoffman; [EMAIL PROTECTED]
  Subject: RE: SSL/TLS
 
  did you add these to your imapd.conf:
 
  tls_ca_path: /path-to-ca-folder/
  tls_ca_file: /path-to-ca-file/
  tls_cert_file: /path-to-cert-file/
  tls_key_file: /path-to-key-file/
 
  ?
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]]On Behalf Of Lee
 Hoffman
  Sent: Tuesday, May 21, 2002 8:21 PM
  To: [EMAIL PROTECTED]
  Subject: SSL/TLS
 
 
  Hey all,
  I'm trying to get SSL/TLS working on cyrus 2.0.16. I followed the
  instructions to a T to create the certificate. I also compiled
 cyrus
  -with-ssl=/usr/local/ssl (the latest version of openssl is
installed,
  and working with the sshd daemon). Anyway, cyrus (which is
  authenticating off PAM/ldap) works fine. However, as soon as I try
to
  enable ssl from my email client, the client is unable to connect to
  the
  server. I tried telneting into the box on port 993 and cyrus does
  answer.
 
  Here is the output from imtest:
 
  Server-name:~# imtest -t  -u lee server-name.com
  C: C01 CAPABILITY
  S: * OK server-name.com Cyrus IMAP4 v2.0.16 server ready
  S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE
UIDPLUS
  ID
  NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT
  THREAD=REFERENCES IDLE
  S: C01 OK Completed
  Password:
  C: L01 LOGIN root {8}
  + go ahead
  C: omitted
  L01 NO Login failed: authentication failure
  Authentication failed. generic failure
  Security strength factor: 0
 
 
  What really worries me is that STARTTLS is even listed in
 CAPABILITIES
  (it should be shouldn't it?).
 
  My cyrus.conf file:
 
  # standard standalone server implementation
 
  START {
# do not delete these entries!
mboxlist  cmd=ctl_mboxlist -r
deliver   cmd=ctl_deliver -r
 
# this is only necessary if using idled for IMAP IDLE
  #  idledcmd=idled
  }
 
  # UNIX sockets start with a slash and are put into
/var/imap/sockets
  SERVICES {
# add or remove based on preferences
imap  cmd=imapd listen=imap prefork=5
imaps cmd=imapd -s listen=imaps prefork=1
  #  pop3 cmd=pop3d listen=pop3 prefork=3
  #  pop3scmd=pop3d -s listen=pop3s prefork=1
  #  sievecmd=timsieved listen=sieve prefork=0
 
# at least one LMTP is required

RE: SSL/TLS

2002-05-22 Thread Lee Hoffman

The log was already at local6.debug. When I try to login, no imapd -s
process is spawned, and the logs show nothing at all (at least that I can
discern, there are a number of users logging in and out, so there's a lot
of stuff being printed).

It seems to me that it's a problem with master not spawning (it listens,
but then doesn't spawn).

I'm going to try a recompile without the --with-ssl, any other ideas
before I do so (I'm trying to avoid it since this is a live server)?

Thanks again,
Lee

P.S. Not that it should matter, but I'm doing pam/ldap auth.

-Original Message-
From: Ken Murchison [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, May 22, 2002 3:13 PM
To: Lee Hoffman
Cc: 'Cyrus Mailing List'
Subject: Re: SSL/TLS



Lee Hoffman wrote:
>
> I'm not sure if it's being caused by login attempts via ssl (although it
> seems to happen when I try to login via ssl from a mail client or when I
> run the command below), but imapd prints the following:
>
> May 22 14:55:51 servername master[18641]: process 28462 exited, status 0
>
> Yes, imaps is listed in /etc/services


Alright.  Crank the imap logging level up to local6.debug and restart
syslogd.

Try to make another connection, and see if an 'imapd -s' gets spawned. 
Look in imapd.log and do a 'ps -f -u cyrus'.

If you have a running 'imapd -s', then do an strace on it to see what it
is doing.

Ken


-- 
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp





[was RE: SSL/TLS ] - SOLVED!!!!!!

2002-05-22 Thread Lee Hoffman

That was a typo in my email, I was compiling --with-openssl not
--with-ssl.

The good news is that I figured what the problem is though! Now
EVERYTHING is working!! Woo Hoo! 

Basically I had manually compiled openssl-0.9.6b. For ssh there is no
need to add the shared configure flag (which compiles shared libraries
as well as normal libraries). However, when cyrus is compiled it needs
the libssl.so shared library (which I originally didn't compile with
openssl). So I just recompiled openssl and added the shared flag (which
made the shared library). Then I recompiled cyrus:

./config ... --with-openssl=/usr/local/lib (where libssl.so is
installed).

BAM, ssl/tls works !!

Long story short for those using debian 2.2, make sure you either
install libssl-dev or if you compile openssl manually, make sure you add
the shared flag to your openssl ./config .

Thank you for all your help,
Lee   

-Original Message-
From: Jeff Bert [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, May 22, 2002 8:53 PM
To: Lee Hoffman
Cc: 'Cyrus Mailing List'
Subject: RE: SSL/TLS

i looked in the compile notes for 2.0.16 and I think maybe you have
the option wrong... maybe you should try:

--with-openssl=/usr/local/ssl

and not --with-ssl

Jeff

 -Original Message-
 From: Lee Hoffman [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, May 22, 2002 4:50 PM
 To: 'Jeff Bert'; 'Ken Murchison'
 Cc: 'Cyrus Mailing List'
 Subject: RE: SSL/TLS
 
 
 So when I restart cyrus I get the same as jeff when I run netstat.
 
 I'm beginning to wonder if this maybe a compile issue. I just tried
 recompiling without --with-ssl, didn't change anything. I also tried a
 bunch of different compile time options, nothing helps. My original
 configure was:
 
 ./configure  --with-cyrus-group=cyrus --with-cyrus-user=cyrus
 --with-sasldir=/usr/local --with-dbdir=/usr/local/BerkeleyDB.3.3
 --with-ssl=/usr/local/ssl
 
 I then started to look through the config.log file, and I noticed the
 following error:
 
 configure:3631: gcc -o conftest -g -O2
 -I/usr/local/BerkeleyDB.3.3/include -I/usr/local/include
 -L/usr/local/BerkeleyDB.3.3/lib
-Wl,-rpath,/usr/local/BerkeleyDB.3.3/lib
 -L/usr/local/BerkeleyDB.3.3/lib -L/usr/local/lib
 -Wl,-rpath,/usr/local/lib  conftest.c -lssl -lcrypto  -lfl  -ldb-3
15
 /usr/bin/ld: cannot find -lssl
 
 I tried adding /usr/local/ssl/lib to ld.so.conf, but ofcourse that
didnt
 change anything because that's only for runtime. 
 
 Does any of the above spark any insights with anyone?
 
 Thanks,
 Lee
 
 -Original Message-
 From: Jeff Bert [mailto:[EMAIL PROTECTED]] 
 Sent: Wednesday, May 22, 2002 4:36 PM
 To: Lee Hoffman
 Cc: 'Cyrus Mailing List'
 Subject: RE: SSL/TLS
 
 also, i'd do a 'netstat -an | grep 993' to see if anything is
listening
 on that port... i get:
 
 tcp   0   0.0.0.0:993 0.0.0.0:*   LISTEN
 
 and my imaps port works.
 
 Jeff
 
  -Original Message-
  From: Jeff Bert [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, May 22, 2002 1:16 PM
  To: Lee Hoffman
  Cc: 'Cyrus Mailing List'
  Subject: RE: SSL/TLS
 
 
  maybe you should look in /etc/xinetd.d/ and see if there is an imaps
  file floating unwarranted in there.  maybe some other process is
  intercepting
  it... i know this is a wild guess
 
  jeff
 
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED]]On Behalf Of Ken
 Murchison
   Sent: Wednesday, May 22, 2002 12:35 PM
   To: Lee Hoffman
   Cc: 'Cyrus Mailing List'
   Subject: Re: SSL/TLS
  
  
  
  
   Lee Hoffman wrote:
   
The log was already at local6.debug. When I try to login, no
imapd
 -s
process is spawned, and the logs show nothing at all (atleast
  that I can
discern, there are a number of users logging in and out, so
  theres a lot
of stuff being printed).
   
It seems to me that it's a problem with master not spawning
  (it listens,
but then doesn't spawn).
  
   If its listening but not spawning, master probably thinks there is
a
   process already running which can service this.  The 'available'
 count
   can get screwed up if a process gets killed but master doesn't
know
   about it.
  
   I would try restarting master.
  
Im going to try a recompile without the --with-ssl, any other
 ideas
before I do so (Im trying to avoid it since this is a live
 server)?
  
   This probably won't make a difference.  imapd would complain if
your
   tried to do SSL/TLS and it wasn't compiled with it.
  
  
  
RE: Webmail for Cyrus Imap ?

2001-12-13 Thread Lee Hoffman

I LOVE YOU ALL!!! I've been working on this problem with IMP/MD5/php 4
for 3 days now to no avail. Sure enough I removed sasldb and boom! It
worked.

BTW, does anyone know how to get cyradm to use pam to authenticate an
admin (when I try to tell it to use pam, it won't let me in). The only
way I've been able to use cyradm was to saslpasswd the administrator user
and then auth off of sasl for that user (but obviously I can't do that
anymore if I want IMP to work).

Thanks,
Lee


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, December 13, 2001 1:59 AM
To: Robert Scussel
Cc: [EMAIL PROTECTED]
Subject: Re: Webmail for Cyrus Imap ?

Robert Scussel schrieb am Wed, Dec 12, 2001 at 09:51:21PM -0500:
* Thanks, first of all for the help getting cyrus working with 
* saslauthd-pam...
* 
* I have been trying for days now to get the latest IMP(3.0) with the 
* latest Horde(2.0) to work with cyrus.  The problem now is that imp
tries 
* to use the protocol imap to logon, which then tries to logon via
* 
*   CRAM-MD5, sasldb2, and even kerberos
* 
* It doesn't appear to try pam/plain/saslauthd login.


Most webmailers I saw (e.g. aeromail, twig) did a CAPABILITY upon connect
and tried to do the most secure authentication first.  So if your server
lists CRAM-MD5 in its capability list, the webmailer will try that before
trying PLAIN.

We debugged this down to the code of imap-2001 which is the library that
is mostly used by PHP for IMAP issues.  So if you set up a PHP webmailer,
you can't help this behaviour because it's hardcoded into the lib.

We finally did a very nasty workaround: As we use LDAP-via-PAM as
authentication backend, we do not need the sasldb - and when completely
removing /etc/sasldb, Cyrus IMAP stops sending CRAM-MD5 in its capability
list.


- Birger
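
The client behaviour described in this message, as an added example that is not part of the original thread and is not the imap-2001 code: it parses an IMAP CAPABILITY response, picks the next step the way a "strongest mechanism first" client would, and reports what that choice means for the password on the wire. The preference order, function names and finding codes are assumptions for illustration; the first sample line is the CAPABILITY response quoted in the SSL/TLS thread on this page, the other two are constructed.

```python
import re

# Strongest first. This ordering is an assumption for the example.
PREFERENCE = ["GSSAPI", "DIGEST-MD5", "CRAM-MD5", "PLAIN", "LOGIN"]
CLEARTEXT = {"PLAIN", "LOGIN"}          # password crosses the wire as-is
NEEDS_STORED_SECRET = {"CRAM-MD5", "DIGEST-MD5"}


def parse_capability(line):
    """Return (capability atoms, SASL mechanisms) from a server line.

    Accepts '* CAPABILITY ...', the greeting form '* OK [CAPABILITY ...]',
    and either of those with an imtest-style 'S: ' prefix.
    """
    line = line.strip()
    if line[:3] in ("S: ", "C: "):
        line = line[3:]
    m = (re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.I)
         or re.match(r"\*\s+CAPABILITY\s+(.*)$", line, re.I))
    if not m:
        raise ValueError("not a CAPABILITY response: %r" % line)
    atoms = [a.upper() for a in m.group(1).split()]
    mechs = [a[5:] for a in atoms if a.startswith("AUTH=")]
    return set(atoms), mechs


def choose_auth(caps, mechs, tls_active=False):
    """Next client step as (action, mechanism or None)."""
    for mech in PREFERENCE:
        if mech in mechs and mech not in CLEARTEXT:
            return ("AUTHENTICATE", mech)
    # Only cleartext options remain: encrypt the channel first if possible.
    if not tls_active and "STARTTLS" in caps:
        return ("STARTTLS", None)
    for mech in PREFERENCE:
        if mech in mechs:
            return ("AUTHENTICATE", mech)
    if "LOGINDISABLED" not in caps:
        return ("LOGIN", None)
    return ("NONE", None)


def findings(caps, mechs, tls_active=False):
    """Security-relevant consequences of the step choose_auth() picks."""
    action, mech = choose_auth(caps, mechs, tls_active)
    notes = []
    if not tls_active and "STARTTLS" not in caps:
        notes.append("no-starttls")
    if not tls_active and (action == "LOGIN" or mech in CLEARTEXT):
        notes.append("cleartext-password-on-plain-socket")
    if mech in NEEDS_STORED_SECRET:
        # The server must hold the secret itself (sasldb); a PAM or
        # saslauthd backend can only check a plaintext password.
        notes.append("challenge-response-needs-stored-secret:" + mech)
    return notes


# From the imtest output quoted on this page (wrapped lines re-joined).
PAGE_LINE = ("S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE "
             "UIDPLUS ID NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT "
             "THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE")
# Constructed: a server that still has a sasldb, then the same without it.
WITH_SASLDB = "* CAPABILITY IMAP4 IMAP4rev1 STARTTLS AUTH=CRAM-MD5 AUTH=PLAIN"
WITHOUT_SASLDB = "* CAPABILITY IMAP4 IMAP4rev1 STARTTLS AUTH=PLAIN"

if __name__ == "__main__":
    for name, line in (("page", PAGE_LINE), ("with sasldb", WITH_SASLDB),
                       ("without sasldb", WITHOUT_SASLDB)):
        caps, mechs = parse_capability(line)
        print(name, choose_auth(caps, mechs), findings(caps, mechs))
```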




SASL-LDAP Patch = Ahhh!

2001-10-28 Thread Lee Hoffman
Hey All,

So Im trying to compile Cyrus-sasl with the SASL-Auth-LDAP patch (http://sourceforge.net/projects/cyrus-utils/) and cyrus-sasl 1.5.24.

I untar everything and run:

patch -p1 < sasl-ldap+mysql.patch
autoheader
autoconf
automake -i
export CPPFLAGS=-I/usr/local/BerkeleyDB.3.3/include
export LDFLAGS=-L/usr/local/BerkeleyDB.3.3/lib
./configure --with-ldap=/usr/local/lib
make
make install

Everything goes without a hitch. Then I try to run cyradm myserver.mydomain.com and enter the root user's password from the ldap directory and then I get the following error:

IMAP Password: 

 Login failed: ldap_basedn not defined at /usr/local/lib/site_perl/i386-linux/Cyrus/IMAP/Admin.pm line 78

cyradm: cannot authenticate to server with as root

and the following is printed to the auth log:

Oct 24 19:53:43 servername imapd[6199]: unable to open Berkeley db /etc/sasldb: Unknown error 4294936307

Oct 24 19:53:43 servername imapd[6199]: unable to open Berkeley db /etc/sasldb: Unknown error 4294936307

Oct 24 19:53:43 servername imapd[6199]: unable to open Berkeley db /etc/sasldb: Unknown error 4294936307

Oct 24 19:53:43 servername imapd[6199]: unable to open Berkeley db /etc/sasldb: Unknown error 4294936307

Oct 24 19:53:43 servername imapd[6199]: unable to open Berkeley db /etc/sasldb: Unknown error 4294936307

Oct 24 19:53:43 servername imapd[6199]: unable to open Berkeley db /etc/sasldb: Unknown error 4294936307


Please help! I've been working on this for over a month, and have been getting nowhere.

Thanks in advance,

Lee




RE: Master Segmentation Fault - SOLVED!

2001-10-22 Thread Lee Hoffman

I finally got it!!! The first piece was obviously to delete the line db
from services in /etc/nsswitch.conf. The second piece of the puzzle was
that I had to recompile sasl executing the following commands before
configuring:

export CPPFLAGS=-I/usr/local/BerkeleyDB.3.3/include
export LDFLAGS=-L/usr/local/BerkeleyDB.3.3/lib

Boom! Everything now works. 

Thanks again for all your help.

Lee

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Mika
Iisakkila
Sent: Monday, October 22, 2001 3:14 PM
To: [EMAIL PROTECTED]
Subject: Re: Master Segmentation Fault

Lee Hoffman wrote:
> Thanks a bunch for the advice. I deleted db from /etc/nsswitch.conf and
> voilà, master stopped segfaulting on launch.
> ...
> Oct 21 13:09:27 grass master[1520]: about to exec
> /usr/local/cyrus/bin/imapd
> Oct 21 13:09:27 grass master[1508]: process 1520 exited, signaled to
> death by 11

Well, it's obvious that now that the master runs, all its children
are still dying, probably for the same reason. Did you try setting
LD_LIBRARY_PATH to point to where you have the DB-3 libraries
(those that you linked with) prior to running master? Does
ldd imapd show that those libraries are actually getting selected
instead of libdb or libdb2? Do you have other db references in
nsswitch.conf? Can't think of anything else...

--mika




RE: Master Segmentation Fault

2001-10-21 Thread Lee Hoffman

Dear Mika,
Thanks a bunch for the advice. I deleted db from /etc/nsswitch.conf and
voilà, master stopped segfaulting on launch.

Unfortunately, IMAP still isn't working though. When I run:
/usr/local/bin/imtest -m login foobar

I get the following error:

gethostbyname: No such file or directory
failure: Network initialization

Also, I can telnet to port 143, but when postfix delivers mail to cyrus
(for example to the testuser account), the mail is never delivered and
the following processes are run, and never die (even if the box is
restarted, the same processes reappear):

642 ? S 0:00 pipe -n cyrus -t unix flags=R user=cyrus
argv=/usr/cyrus/bin/deliver -e -m ${extension
  
643 ? S 0:00 /usr/cyrus/bin/deliver -e -m  testuser


When I start master, master shows up under running processes, but imapd
doesn't. 

The following appears in the logs:

---

9:27 grass master: unable to change limit of file descriptors available
Oct 21 13:09:27 grass master[1508]: process started
Oct 21 13:09:27 grass master[1509]: about to exec
/usr/local/cyrus/bin/ctl_mboxlist
Oct 21 13:09:27 grass ctl_mboxlist[1509]: running mboxlist recovery
Oct 21 13:09:27 grass ctl_mboxlist[1509]: done running mboxlist recovery
Oct 21 13:09:27 grass service-imap[1518]: executed
Oct 21 13:09:27 grass master[1520]: about to exec
/usr/local/cyrus/bin/imapd
Oct 21 13:09:27 grass service-imap[1520]: executed
Oct 21 13:09:27 grass master[1519]: about to exec
/usr/local/cyrus/bin/pop3d
Oct 21 13:09:27 grass service-pop3[1519]: executed
Oct 21 13:09:27 grass master[1508]: process 1520 exited, signaled to
death by 11
Oct 21 13:09:27 grass service-pop3[1521]: executed
Oct 21 13:09:27 grass master[1521]: about to exec
/usr/local/cyrus/bin/pop3d
Oct 21 13:09:27 grass service-imap[1522]: executed
Oct 21 13:09:27 grass master[1508]: process 1519 exited, signaled to
death by 11
Oct 21 13:09:27 grass master[1508]: process 1518 exited, signaled to
death by 11
Oct 21 13:09:27 grass master[1508]: process 1516 exited, signaled to
death by 11
Oct 21 13:09:27 grass master[1508]: process 1521 exited, signaled to
death by 11
Oct 21 13:09:27 grass service-imap[1523]: executed
Oct 21 13:09:27 grass master[1522]: about to exec
/usr/local/cyrus/bin/imapd
Oct 21 13:09:27 grass master[1508]: process 1522 exited, signaled to
death by 11
Oct 21 13:09:27 grass master[1523]: about to exec
/usr/local/cyrus/bin/imapd
Oct 21 13:09:27 grass master[1508]: process 1512 exited, status 0
Oct 21 13:09:27 grass master[1508]: process 1523 exited, signaled to
death by 11


---


Any idea what's going on? Any help would be much appreciated.

Thanks,
Lee


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Mika
Iisakkila
Sent: Sunday, October 21, 2001 4:19 AM
To: [EMAIL PROTECTED]
Subject: Re: Master Segmentation Fault

Lee Hoffman wrote:
> I've followed the directions to a T, while compiling cyrus sasl (w/ldap
> support) and cyrus (2.0.16) (with ssl support) on a debian 2.2r3 distro
> box. The compilation and installation report no errors. I follow the
> installation directions, and ensure that all the directories exist and
> have the correct permissions. When I run master though, I get a
> Segmentation Fault and imapd isn't started. The error log reads:

Welcome to the club. I spent a good deal of a day chasing this,
and the culprit is that Debian stable (2.2r3, currently) comes
with an old version of DB. I went to great lengths to ensure that
cyrus compiled and dynalinked with my own DB 3.1 libraries, and
the damn thing still crashed.

The problem is that for some unfathomable reasons, nsswitch in
Debian uses DB first by default, even though nothing is stored in DB
files in normal installations. Library version clash during imap/pop3
service lookup - crash. Your /etc/nsswitch.conf has a line

services: db files

Remove the db. If it still doesn't help, the system db libraries are
probably still getting in the way, and you could try setting
LD_LIBRARY_PATH to point to the correct place prior to running master.

--mika
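
The two checks Mika suggests (the `db` source in /etc/nsswitch.conf and what `ldd imapd` resolves), as an added example that is not part of the original posts. The nsswitch.conf and ldd text below are constructed samples, and the function names are hypothetical; on a real host the inputs would come from the file and from `ldd /usr/local/cyrus/bin/imapd`.

```python
import re

# Constructed inputs modelled on the thread (not captured from a real host).
NSSWITCH = """\
passwd:    compat
services:  db files
protocols: db files
"""
LDD_IMAPD = """\
\tlibsasl.so.7 => /usr/local/lib/libsasl.so.7 (0x40022000)
\tlibdb-3.3.so => /usr/local/BerkeleyDB.3.3/lib/libdb-3.3.so (0x40035000)
\tlibdb.so.2 => /lib/libdb.so.2 (0x400c1000)
\tlibc.so.6 => /lib/libc.so.6 (0x400d0000)
"""


def nss_db_databases(nsswitch_text):
    """Return the nsswitch databases whose source list includes 'db'."""
    hits = []
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if ":" not in line:
            continue
        name, sources = line.split(":", 1)
        if "db" in sources.split():
            hits.append(name.strip())
    return hits


def berkeley_db_libs(ldd_text):
    """Return {soname: path} for every Berkeley DB library ldd resolved."""
    pattern = r"^\s*(libdb[\w.\-]*\.so[\w.]*)\s+=>\s+(\S+)"
    return {m.group(1): m.group(2) for m in re.finditer(pattern, ldd_text, re.M)}


def diagnose(nsswitch_text, ldd_text):
    """Flag the two ways a second libdb can end up inside imapd."""
    dbs = nss_db_databases(nsswitch_text)
    libs = berkeley_db_libs(ldd_text)
    # The NSS db module is loaded at run time, so it never shows up in ldd
    # output; it has to be checked separately from the link-time libraries.
    return {"nss_uses_db": dbs, "db_libs": libs,
            "clash_risk": bool(dbs) or len(libs) > 1}


if __name__ == "__main__":
    print(diagnose(NSSWITCH, LDD_IMAPD))
```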




Re: sasldb-error

2001-06-28 Thread Rocky S. Lee

I think it is because of the read permission of the sasldb file.
My cyrus user is cyrus:mail, so

chgrp mail /etc/sasldb
and
chmod g+r /etc/sasldb

It's OK.

BTW: One can find the answer to his question in the archive.
  I did so.

- Original Message - 
From: Christoph Krempe [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, June 28, 2001 11:25 PM
Subject: sasldb-error


 Hi,
 
 I'm trying to run cyrus 2.0.14 together with BerkeleyDB 3.2.9 and 
 cyrus-sasl 1.5. 
 
 I compiled:
 
 BerkeleyDB3.2.9:
 ./configure
 
 cyrus-imap: 
 ./configure  --disable-sieve --with-auth=unix 
   --with-sasl=/usr/local/lib --with-dbdir=/usr/local/BerkeleyDB.3.2
 
 cyrus-sasl:
 ./configure --with-pwcheck=/var/pwcheck --with-pwcheck_method=shadow
 
 Compiling + installing seemed to be ok.
 
 /etc/imapd.conf looks like
 
 configdirectory: /var/imap
 partition-default: /var/spool/imap
 umask: 077
 admins: cyrus root
 srvtab: /var/imap/srvtab
 allowanonymouslogin: no
 postmaster: [EMAIL PROTECTED]
 sasl_passwd_check: shadow 
 
 /usr/local/sbin/pwcheck is running, socket is /var/pwcheck/pwcheck
 
 After I start master, I get an error message in 
 /var/log/messages:
 
 Jun 28 17:14:13 hal master[30997]: about to exec /usr/cyrus/bin/imapd
 Jun 28 17:14:13 hal service-imap[30997]: executed
 Jun 28 17:14:13 hal imapd[30997]: unable to open Berkeley db /etc/sasldb: Invalid argument
 
 Any idea what's wrong here? 
 
 Regards, Ch. Krempe
 
 ---
 Freie Universitaet Berlin   Christoph Krempe
 Universitaetsbibliothek     Systemverwaltung
 - Rechenzentrum -           Tel: 030/838 54583
 Garystrasse 39              Fax: 030/838 54582
 14195 Berlin                http://www.ub.fu-berlin.de/~ck
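
A check for the permission fix suggested in the reply above (chgrp plus chmod g+r), as an added example that is not part of the original posts. The function name and finding strings are hypothetical; it verifies that the Cyrus service account can read the secrets file while making sure the fix did not open the file to other users, since /etc/sasldb holds the SASL secrets.

```python
import os
import stat


def check_sasldb(path, service_uid, service_gid):
    """Return a list of findings about who can read the SASL secrets file."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []

    owner_read = st.st_uid == service_uid and bool(mode & stat.S_IRUSR)
    group_read = st.st_gid == service_gid and bool(mode & stat.S_IRGRP)
    if not (owner_read or group_read):
        # The situation in the thread: imapd cannot open the file at all.
        findings.append("service account cannot read file")
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        # Solving the error with o+r would expose every stored secret.
        findings.append("file is accessible to other users")
    if mode & stat.S_IWGRP:
        findings.append("file is group-writable")
    return findings


if __name__ == "__main__":
    import grp
    import pwd
    # Assumed account names, taken from the "cyrus:mail" setup in the reply.
    uid = pwd.getpwnam("cyrus").pw_uid
    gid = grp.getgrnam("mail").gr_gid
    print(check_sasldb("/etc/sasldb", uid, gid) or "permissions look sane")
```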