Re: Cyrus IMAP 'CAPABILITIES' and 'AUTH=PLAIN'

2018-11-01 Thread Marty Lee


> 
> I would guess you are missing libsasl2 modules for authentication, which
> your OS probably has packaged in a separate package. You can use
> pluginviewer/saslpluginviewer to view existing plugins. 

Awesome - was looking in entirely the wrong location (assumed it was a
Cyrus thing) and never even contemplated it might be a SASL thing;
especially as users could authenticate against it, even without the
CAPABILITY being shown.

Accounts now syncing, so hopefully we can get this system out of service
by tomorrow…

Thanks again…

marty


Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus

Cyrus IMAP 'CAPABILITIES' and 'AUTH=PLAIN'

2018-11-01 Thread Marty Lee
Forgive me asking this question, we’ve just had a server disk that’s starting
to die in a remote location, and I’m frantically trying to clone some IMAP
users onto another server - along with a number of other things.

Despite imapd.conf having 'allowplaintext:  yes’ (it’s an internal server)
when logging in, ‘AUTH=LOGIN’ isn’t advertised, yet it works if I manually
try to login. ‘imapsync’ is complaining as it can’t see the LOGIN capability.

I’m about to start looking at the code, but if anyone can let me know if a
setting needs changed, that would be great - clearly, I’ve got a number of
things to try to get off this server ASAP, so any advice would be greatly
appreciated.

Server version is 3.0.4:

[root@imapserver /opt/local/etc/cyrus]# nc localhost 143
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE] imapserver Cyrus IMAP 3.0.4 
server ready
0 CAPABILITY
* CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA 
MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN 
MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SEARCH=FUZZY SORT SORT=MODSEQ 
SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES THREAD=REFS 
ANNOTATEMORE ANNOTATE-EXPERIMENT-1 METADATA LIST-EXTENDED LIST-STATUS 
LIST-MYRIGHTS LIST-METADATA WITHIN QRESYNC SCAN XLIST XMOVE MOVE SPECIAL-USE 
CREATE-SPECIAL-USE DIGEST=SHA1 X-REPLICATION URLAUTH URLAUTH=BINARY 
COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE 
X-QUOTA=X-NUM-FOLDERS IDLE

Many regards

Marty
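The session in this post, as an added example (not code from the thread or from the Cyrus project): in IMAP the `LOGIN` command is separate from the SASL mechanisms a server advertises as `AUTH=...` atoms, so a server with no SASL plugins loaded can accept a manual `LOGIN` while advertising no `AUTH=` capability at all. The sketch parses the greeting and CAPABILITY response and reports that state; the function names and the `WITH_SASL` sample line are assumptions made for illustration.

```python
import re

# Greeting and (abbreviated) CAPABILITY response from the session in the post;
# the atoms left out are extensions unrelated to authentication.
GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE] imapserver "
            "Cyrus IMAP 3.0.4 server ready")
POSTED = ("* CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA "
          "MAILBOX-REFERRALS NAMESPACE UIDPLUS COMPRESS=DEFLATE IDLE")
# Constructed sample: a server whose SASL PLAIN/LOGIN plugins are loaded.
WITH_SASL = ("* CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS "
             "AUTH=PLAIN AUTH=LOGIN SASL-IR IDLE")

# Matches "* CAPABILITY a b c" and the "[CAPABILITY a b c]" response code
# that may ride on the "* OK" / "* PREAUTH" greeting.
_CAP_RE = re.compile(
    r"^\*\s+(?:CAPABILITY\s+(?P<plain>.*)"
    r"|(?:OK|PREAUTH)\s+\[CAPABILITY\s+(?P<code>[^\]]*)\])",
    re.IGNORECASE)


def parse_capabilities(line):
    """Return the capability atoms of one server line as an upper-cased set."""
    m = _CAP_RE.match(line.strip())
    if not m:
        raise ValueError("not a CAPABILITY response: %r" % line)
    atoms = (m.group("plain") or m.group("code") or "").split()
    return {atom.upper() for atom in atoms}


def auth_report(caps, tls_active=False):
    """Summarise what the capability set says about authentication."""
    mechs = sorted(c[len("AUTH="):] for c in caps if c.startswith("AUTH="))
    login_command = "LOGINDISABLED" not in caps
    findings = []
    if not mechs:
        findings.append(
            "no AUTH= mechanisms advertised: the server's SASL plugins are "
            "probably not installed or not loadable; clients that insist on "
            "an advertised mechanism will refuse to log in")
    if login_command and not tls_active:
        findings.append(
            "LOGINDISABLED absent: the LOGIN command is accepted on this "
            "cleartext connection, so the password crosses the wire unprotected")
    cleartext = [m for m in mechs if m in ("PLAIN", "LOGIN")]
    if cleartext and not tls_active:
        findings.append(
            "cleartext SASL mechanisms offered without TLS: "
            + ", ".join(cleartext))
    return {
        "sasl_mechanisms": mechs,
        "login_command": login_command,
        "starttls": "STARTTLS" in caps,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, line in (("posted", POSTED), ("with SASL", WITH_SASL)):
        report = auth_report(parse_capabilities(line))
        print(label, report["sasl_mechanisms"], report["login_command"])
        for finding in report["findings"]:
            print("  -", finding)
```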



Re: Solaris (11) support

2018-06-18 Thread Marty Lee
Jean-Christophe,

we use Cyrus on Solaris, but at the moment, haven’t used Murder -
so can’t offer advice etc on that one directly.

We’ve got a couple of big projects under way at the moment
for some customers - once we’ve got those sorted, I can try to
get a test setup going and see what happens - but it would be
in a couple of weeks time at the earliest…

marty


-
Marty Lee           e: ma...@maui-systems.co.uk
Technical Director  v: +44 131 564 1980
Maui Systems Ltd    w: http://www.maui-systems.co.uk
Scotland, UK

> On 18 Jun 2018, at 11:03, Jean-Christophe Delaye wrote:
> 
> On 06/18/2018 05:25 AM, ellie timoney wrote:
>> Hi Jean-Christophe,
> 
> Thanks Ellie for your inputs.
>> 
>> On Fri, Jun 15, 2018, at 5:49 PM, Jean-Christophe Delaye wrote:
>>> So this is why the first part of my
>>> question was to know if there are many running murder systems running
>>> on Solaris (11) and why I can't find specific notes about
>>> compiling/installing Cyrus imapd on this operating system.
>> 
>> The main contributors to Cyrus development are not running Solaris, either 
>> personally or organisationally, so Solaris support doesn't get a lot of 
>> direct attention.
>> 
>> There are a few people out there running Cyrus on Solaris (not sure if 
>> they're using murder or not).  They usually pop up on the list with 
>> Solaris-compatibility issues/patches not long after new releases where we've 
>> accidentally broken something on Solaris, which we greatly appreciate! :)
> 
> Yes, I tried the running unit tests (Version 2.1-3) on my setup and
> found the following issue on the backend:
> 
> Suite: backend
>  Test: badhost ...passed
>  Test: badservice ...passed
>  Test: sasl_plain ...Server failed to find requested SASL mechanism
> "PLAIN" FAILED
>1. ./cunit/backend.testc:198  - CU_ASSERT_PTR_NOT_NULL_FATAL(be)
>  Test: sasl_digestmd5 ...passed
>  Test: multiline_caps ...Server failed to find requested SASL mechanism
> "PLAIN" FAILED
>1. ./cunit/backend.testc:314  - CU_ASSERT_PTR_NOT_NULL_FATAL(be)
>  Test: oneline_caps ...Server failed to find requested SASL mechanism
> "PLAIN" FAILED
>1. ./cunit/backend.testc:314  - CU_ASSERT_PTR_NOT_NULL_FATAL(be)
>  Test: starttls ...Server failed to find requested SASL mechanism
> "PLAIN" FAILED
>1. ./cunit/backend.testc:408  - CU_ASSERT_PTR_NOT_NULL_FATAL(be)
> 
> But, it's not easy for me to go further; I'll continue investigating
> 
> 
> Run Summary:    Type   Total     Ran  Passed Failed Inactive
>               suites      39      39     n/a      0        0
>                tests     432     432     427      5        0
>              asserts  829800  829800  829795      5      n/a
> 
> 
> Cheers
> 
>> 
>> I have no access to Solaris, and so additional insight to offer.  But I'd be 
>> very happy to accept/merge patches to code/documentation for you if you get 
>> things working properly.
>> 
>> Cheers,
>> 
>> ellie
>> 

Re: Upgrading Cyrus from 2.3.16, going to 2.5.11 or 3.0.2 ?

2017-06-28 Thread Marty Lee

Eric,

I know 3.0 compiles on Solaris 10 & 11; I think the only bit that
didn’t work was the http section to provide caldav/carddav, as the
implementation seems to depend on linux’isms. I got it compiled 
without the calendar and address book functionality (although
that was a couple of months ago and I haven’t done any more with
it as yet).

marty


> On 28 Jun 2017, at 13:39, Eric Luyten  wrote:
> 
> Hi,
> 
> 
> Our environment is Solaris 10 / Intel.
> 
> Are there good reasons to stay away from 3.0 ?
> 
> 
> We have a pretty impressive user count and mail spool volume
> 
> but not a lot of complexity (no murder nor replication, no domains,
> 
> and few, if any, access control extravaganza).
> 
> 
> Thank you in advance for your feedback,
> 
> Eric Luyten, Computing Centre VUB/ULB.
> 
> 
> 

Re: cyrus 2.4.17 TLS woes

2015-01-15 Thread Marty Lee

> On 15 Jan 2015, at 12:34, Patrick Goetz  wrote:
> 
> Does anyone have a secure, functional cipher list entry they'd like to
> share?

I’m using the following on 2.4.17-caldav-b10

tls_cipher_list:TLSv1+HIGH:!aNull:@STRENGTH

Functional yes; I won’t make any promises about secure, as I’m
sure someone more enlightened would correct me!

cheers

-
Marty Lee           e: ma...@maui-systems.co.uk
Technical Director  v: +44 845 869 2661
Maui Systems Ltd    f: +44 871 433 8922
Scotland, UK        w: http://www.maui-systems.co.uk




Re: cyrus-imapd-2.4.17-caldav-beta9 released

2013-12-17 Thread Marty Lee
Ken,

the workaround in beta 9 for MacOSX Mavericks works fine - I can now delete
items from calendars :-)

Thanks for getting this in - saves me applying the patch myself..

cheers

marty

On 17 Dec 2013, at 14:18, Ken Murchison  wrote:

> We are pleased to announce the ninth beta release of Cyrus IMAP with 
> integrated calendaring and contacts.  This is a bugfix release with the 
> following changes:
> 
> - Fixed bug in parsing of Accept header (now accepts */* and /*)
> - Fixed telemetry logging bug (old garbage appearing in log)
> - Added a workaround for the DELETE bug in MacOS X 10.9.0 Calendar
>   client
> 
> The complete list of changes can be found in doc/changes.html in the 
> distribution.
> 
> 
> This code is based on the stable Cyrus 2.4.17 release with support for 
> HTTP-based services (CalDAV, CardDAV, RSS, and Timezone) added.  All of 
> the standard Cyrus IMAP daemons and utilities should be considered 
> production quality in this release, but the HTTP support is in beta status.
> 
> You can download via HTTP or FTP:
> 
> http://cyrusimap.org/releases/cyrus-imapd-2.4.17-caldav-beta9.tar.gz
> ftp://ftp.cyrusimap.org/cyrus-imapd/cyrus-imapd-2.4.17-caldav-beta9.tar.gz
> 
> Installation documentation will be found in doc/install-http.html in the 
> distribution.
> 
> Upgrade documentation will be found in doc/install-upgrade.html in the 
> distribution.
> 
> Thanks for your continued support, and we look forward to any and all 
> feedback.
> 
> -- 
> Kenneth Murchison
> Principal Systems Software Engineer
> Carnegie Mellon University
> 
> 

-
Marty Lee           e: ma...@maui-systems.co.uk
Technical Director  v: +44 845 869 2661
Maui Systems Ltd    f: +44 871 433 8922
Scotland, UK        w: http://www.maui-systems.co.uk




Re: Cyrus IMAP / CalDAV

2013-12-16 Thread Marty Lee
Thanks for all the hard work to get the actual answer Ken; I’ll apply the patch
to my local server for me to test (only 2 of us using the calendar stuff at the
moment) and wait with bated breath for an apple update :-)

If you get wind of apple fixing things, let me know - if I spot it at this end,
I’ll send something out too.

Cheers

marty



On 16 Dec 2013, at 19:09, Ken Murchison  wrote:

> I confirmed that the DELETE problem is indeed a bug in the Apple client, and 
> that Apple is aware of it. I'm somewhat reluctant to include a fix in 
> Cyrus for a bug in a client that will hopefully get fixed sooner rather than 
> later. The patch below will work around the problem by making the faulty 
> conditional DELETE a non-conditional one.  But, by doing so we may delete a 
> resource that has been changed by another user/client/session.  Given that we 
> really don't support shared calendars at the moment, this probably isn't a 
> big deal but I don't really want to create potentially bigger problems moving 
> forward.
> 
> The real fix is Apple correcting their client to use an If-Match header 
> rather than If-Schedule-Tag-Match header if the resource doesn't have a 
> Schedule-Tag and/or isn't a scheduling object.
> 
> 
> On 12/14/2013 01:02 PM, Ken Murchison wrote:
>> I just committed a fix to git for the 406 response to GET.  I will make
>> a beta9 release with this fix, and hopefully with a fix for the DELETE
>> issue by early next week.
>> 
>> I have an email into one of the CalDAV experts that I know at Apple to
>> see what CalendarServer does with the empty If-Schedule-Tag-Match
>> header.  I think it's a bug in the Apple client, but I will have to come
>> up with a sane workaround for it. In the meantime, this uncommitted
>> patch should fix your problem with DELETE:
>> 
>> 
>> diff --git a/imap/http_caldav.c b/imap/http_caldav.c
>> index c00223f..641feb8 100644
>> --- a/imap/http_caldav.c
>> +++ b/imap/http_caldav.c
>> @@ -695,6 +695,7 @@ static int caldav_check_precond(struct transaction_t
>> *txn, const void *data,
>> 
>>   /* Per RFC 6638, check Schedule-Tag */
>>   if ((hdr = spool_getheader(txn->req_hdrs, "If-Schedule-Tag-Match"))) {
>> +if (!*hdr[0]) return precond;  /* XXX  Hack for bug in Apple client */
>>   if (etagcmp(hdr[0], stag)) return HTTP_PRECOND_FAILED;
>>   }
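Review bot: The added early return on an empty If-Schedule-Tag-Match header ("if (!*hdr[0]) return precond;") is not limited to the faulty client or to DELETE, so any request reaching caldav_check_precond with an empty header skips the "etagcmp(hdr[0], stag)" comparison and is handled as if it were unconditional. Consider restricting it to the case the discussion describes, a resource without a Schedule-Tag (empty stag), and logging when the workaround fires so its use is visible. The value of precond at this point is set outside the visible hunk, so it is worth confirming it cannot already hold a failure from an earlier check, and the XXX comment should name the affected client version so the hack can be removed once the client is fixed.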
>> 
>> 
>> 
>> 
>> On 12/14/2013 09:39 AM, Marty Lee wrote:
>>> No worries.. I'm about to get back onto another train so will back out b8.. 
>>> Only me using it in earnest, so if you need anything else tested before 
>>> pushing out, just send me a link.
>>> 
>>> Marty Lee
>>> v: 07827 950 918
>>> 
>>>> On 14 Dec 2013, at 14:26, Ken Murchison  wrote:
>>>> 
>>>> Hi Marty,
>>>> 
>>>> Thanks for the info.  The 406 is in response to the GET, caused by a bug I 
>>>> introduced when I added support for jCal and xCal data.  I can't believe 
>>>> that this didn't present itself in my testing.  I will need to fix this 
>>>> immediately.  You probably want to downgrade to beta7 in the meantime.
>>>> 
>>>> I *think* the problem with DELETE is that iCal is sending an empty 
>>>> If-Schedule-Tag-Match header.  I will need to test this here and possibly 
>>>> talk to the Apple guys to find out why they are sending an empty header, 
>>>> and what they expect the behavior to be.
>>>> 
>>>> 
>>>>> On 12/14/2013 03:09 AM, Marty Lee wrote:
>>>>> Ken,
>>>>> 
>>>>> I haven’t but have just taken the opportunity to update to Beta 8 and 
>>>>> also to refresh Sqlite, which
>>>>> seems to be the source of the error message…
>>>>> 
>>>>> Using cyrus beta 7, the iCal client would delete the event, but when it 
>>>>> updated with the server, the
>>>>> event would magically just re-appear. With b8, this has changed; now I 
>>>>> get a dialog box:
>>>>> 
>>>>> --
>>>>> The request for “Marty” in account “Maui” failed.
>>>>> 
>>>>> The server responded with
>>>>> “406” to operation CalDAVDeleteEntityQueueableOperation.
>>>>> -
>>>>> 
>>>>> Telemetry log:
>>>>> 
>>>>> <1387007669>>>> /dav/calendars/user/marty/Default/0C48ECD9-44A7-4F1F-9C87-9A2EF647C574.ics
>

Re: Cyrus IMAP / CalDAV

2013-12-14 Thread Marty Lee
Ken,

I haven’t but have just taken the opportunity to update to Beta 8 and also to
refresh Sqlite, which seems to be the source of the error message…

Using cyrus beta 7, the iCal client would delete the event, but when it updated
with the server, the event would magically just re-appear. With b8, this has
changed; now I get a dialog box:

--
The request for “Marty” in account “Maui” failed.

The server responded with
“406” to operation CalDAVDeleteEntityQueueableOperation.
-

Telemetry log:

<13870076691387007670>HTTP/1.1 406 Not Acceptable
Date: Sat, 14 Dec 2013 07:54:30 GMT
Strict-Transport-Security: max-age=600
Vary: Accept-Encoding
Server: Cyrus/v2.4.17-caldav-beta8 Cyrus-SASL/2.1.23 OpenSSL/0.9.8 zlib/1.2.3 
libxml2/2.6.29 SQLite/3.8.2 libical/0.48
Content-Length: 0


I’ll keep looking; I can create and edit events, just not delete them…

marty


On 12 Dec 2013, at 17:30, Ken Murchison  wrote:

> Hi Marty,
> 
> Did you find anything related to this?  I don't have Mavericks yet, but maybe 
> a telemetry log of the client trying to delete an entry would point me in the 
> right direction.
> 
> Worst case, I will be with the Apple client developers in early February and 
> can test then.
> 
> 
> 
> On 10/24/2013 07:22 AM, Marty Lee wrote:
>> Good afternoon (local time for me!)
>> 
>> Updated my Mac to Mavericks this morning and am now getting the following
>> error from the CalDAV part of Cyrus when I try to delete an entry.
>> 
>> dav_exec() step: cannot start a transaction within a transaction
>> 
>> Creation & modification works fine, but iCal on the mac now can’t delete
>> items. I can work around this by using a web interface to my calendars, but
>> I just thought I’d mention it here that Apple have changed something in iCal
>> with the new version of OS-X.
>> 
>> If I get a chance this weekend, I’ll have a look at the source code and see
>> if I can do anything to help.
>> 
>> cheers
>> 
>> marty
>> 
>> 
>> 
>> 
>> -
>> Marty Lee           e: ma...@maui-systems.co.uk
>> Technical Director  v: +44 845 869 2661
>> Maui Systems Ltd    f: +44 871 433 8922
>> Scotland, UK        w: http://www.maui-systems.co.uk
> 
> 
> -- 
> Kenneth Murchison
> Principal Systems Software Engineer
> Carnegie Mellon University
> 

-
Marty Lee           e: ma...@maui-systems.co.uk
Technical Director  v: +44 845 869 2661
Maui Systems Ltd    f: +44 871 433 8922
Scotland, UK        w: http://www.maui-systems.co.uk




Cyrus IMAP / CalDAV

2013-10-24 Thread Marty Lee
Good afternoon (local time for me!)

Updated my Mac to Mavericks this morning and am now getting the following error
from the CalDAV part of Cyrus when I try to delete an entry.

dav_exec() step: cannot start a transaction within a transaction

Creation & modification works fine, but iCal on the mac now can’t delete items.
I can work around this by using a web interface to my calendars, but I just
thought I’d mention it here that Apple have changed something in iCal with the
new version of OS-X.

If I get a chance this weekend, I’ll have a look at the source code and see if
I can do anything to help.

cheers

marty




-
Marty Lee           e: ma...@maui-systems.co.uk
Technical Director  v: +44 845 869 2661
Maui Systems Ltd    f: +44 871 433 8922
Scotland, UK        w: http://www.maui-systems.co.uk




Cyrus+CalDAV

2013-07-17 Thread Marty Lee

Hi,

I've been playing with the latest Cyrus beta which includes the CalDAV & CardDAV
additions - from a personal perspective, almost all seems ok.

Server is a Solaris 10 (x86) box; clients are mainly Mac OSX (Mountain Lion) and
some PCs (Thunderbird/Lightning).

One question that Ken or someone may already know and one issue that I need to
track down further.

The question first: I've got two users that have permission to read each other's
Default calendar (lr9) - but I'm guessing that the list of calendars returned to
the Mac calendar app only includes calendars for the actual user, not shared
ones, as the shared calendars can't be seen… does this sound right, or should I
be able to see the shared calendars (or need to do something to make it work)?

I've also seen similar with the CardDAV interface - I use a DAV client to pull
down all my contacts and put them into a local LDAP server for address book
lookups for a number of other apps. This works if I use my username+password,
but not if I use a different account with permissions to read my Default
address book (lr).

The issue I've seen revolves around adding pictures to vCards - some existing
cards have pictures (copied from existing Mac address book), but changing
pictures or adding new cards with photos seems to cause problems - I suspect
it's 'segfaulting' the server process, but I'm not 100% certain of that yet, so
I won't log a bug just yet…


Anyone else tried any of these scenarios and able to say whether they've had
success or not - maybe I'm just too bleeding edge and dive into the code myself
(which I'll do anyway, I just don't want to spend time doing something someone
has already worked out!).

Cheers

Marty





Re: Recently-APPENDed messages not showing up as RECENT responses after NOOP

2006-09-04 Thread John J Lee

On Mon, 4 Sep 2006, Kjetil Torgrim Homme wrote:

> On Sat, 2006-09-02 at 15:48 +, John J Lee wrote:
>> The problem occurs when SpamBayes (specifically, sb_imapfilter.py) tries
>> to add an X-Spambayes-Classification header to emails it has classified,
>> in order to record whether it thought the mail was spam or not.  It does
>> that by creating a new message with the added header, then deleting the
>> old message (if there's a better way, I'd be grateful to learn about it).
>
> oh yes, please use flags!  Cyrus supports arbitrarily chosen flags by
> clients, see PERMANENTFLAGS.  (of course, other IMAP servers aren't as
> advanced, so you may want to keep this wasteful APPEND/STORE/EXPUNGE
> hack around for those.)

Aha!  Thanks.  If anybody has any pointers to sample client code, I'd be 
grateful.

Still, the old-style SpamBayes code should also be fixed for 
non-flags-capable servers -- see below re Courier (and it'll take me a 
while to get around to attempting to implement the flags-based version).

>> As soon as SpamBayes creates the new message, it tries to find the new
>> message's UID.  To do that, it first looks for a RECENT response.  If it
>> doesn't have one in its buffer, it sends a NOOP command.
>
> you can't trust RECENT, if a different client is connected, your
> SpamBayes client may not be told about the message, since only one
> client will be notified.
>
>> If that doesn't
>> result in a RECENT response, it keeps polling, issuing NOOP commands up to
>> 100 times (it doesn't sleep() between each poll).  If that fails, it dies
>> horribly :-/
>
> this is really unnecessary.  when the APPEND is done, SpamBayes can
> simply do a SEARCH to find the message with the Message-ID and fetch its
> UID.

OK, I was mistaken about the reason it does this loop.  The loop is there 
not to find the UID (the code does indeed do a SEARCH for that), but 
rather to wait until the new message is available, prior to SEARCHing for 
the UID.

Does that make more sense, or is there still a better way to do it?

>> 2. Does this reveal a bug in the Cyrus implementation?
>
> hard to tell.  is it the only client?

I don't understand your question.  Is SpamBayes the only client of Cyrus? 
No.  Did you mean "is Cyrus the only server that fails with this client 
code"?  Seems not: somebody reported Courier failing intermittently too.

John

Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
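The two suggestions made in the message above (record the verdict as an IMAP keyword when PERMANENTFLAGS allows client-defined flags, and find an APPENDed copy with a Message-ID SEARCH instead of polling for RECENT), as an added example that is not SpamBayes code or code from this thread. The keyword names, function names and the `RecordingConn` stand-in are assumptions; a real `imaplib.IMAP4` object can be passed in its place.

```python
# Hypothetical keyword names; any atom the server accepts would do.
KEYWORDS = {"spam": "sb-spam", "ham": "sb-ham", "unsure": "sb-unsure"}


def keywords_allowed(conn):
    """True if the selected mailbox lets clients create new keywords.

    Call once, right after SELECT: imaplib hands a response code out only
    once.  The server signals permission by listing \\* in PERMANENTFLAGS.
    """
    _, data = conn.response("PERMANENTFLAGS")
    raw = data[-1] if data and data[-1] else b""
    flags = raw.decode("ascii", "replace").strip("() ").split()
    return "\\*" in flags


def record_verdict(conn, uid, verdict, allow_keywords):
    """Store the verdict as a keyword; return the strategy that was used.

    'keyword' means one UID STORE was enough.  'rewrite' tells the caller
    to fall back to the APPEND-and-delete approach for servers without
    client-defined flags.
    """
    if allow_keywords:
        typ, _ = conn.uid("STORE", uid, "+FLAGS.SILENT",
                          "(%s)" % KEYWORDS[verdict])
        if typ == "OK":
            return "keyword"
    return "rewrite"


def quote_astring(value):
    """Quote a value for use as an IMAP quoted string."""
    return '"%s"' % value.replace("\\", "\\\\").replace('"', '\\"')


def uid_after_append(conn, message_id):
    """Find the UID of a just-APPENDed copy without waiting for RECENT.

    The rewritten copy keeps the original Message-ID, so the search can
    match both; UIDs only ever grow, so the highest hit is the new copy.
    """
    typ, data = conn.uid("SEARCH", "HEADER", "Message-ID",
                         quote_astring(message_id))
    if typ != "OK" or not data or not data[0]:
        return None
    hits = data[0].split()
    return hits[-1].decode("ascii") if hits else None


class RecordingConn:
    """Constructed stand-in for imaplib.IMAP4 so the example runs offline."""

    def __init__(self, permanentflags, search_hits=b""):
        self.permanentflags = permanentflags
        self.search_hits = search_hits
        self.sent = []

    def response(self, code):
        return code, [self.permanentflags]

    def uid(self, command, *args):
        self.sent.append((command,) + args)
        return "OK", [self.search_hits if command == "SEARCH" else None]


if __name__ == "__main__":
    # Constructed PERMANENTFLAGS data and SEARCH hits.
    conn = RecordingConn(b"(\\Answered \\Flagged \\Deleted \\Seen \\*)",
                         b"101 205")
    allowed = keywords_allowed(conn)
    print(record_verdict(conn, "42", "spam", allowed))
    print(uid_after_append(conn, "<abc@example.org>"))
    print(conn.sent)
```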


Re: Recently-APPENDed messages not showing up as RECENT responses after NOOP

2006-09-02 Thread John J Lee

On Sat, 2 Sep 2006, John J Lee wrote:
[...]
> The problem occurs when SpamBayes (specifically, sb_imapfilter.py) tries to 
> add an X-Spambayes-Classification header to emails it has classified, in 
> order to record whether it thought the mail was spam or not.  It does that by 
[...]

That's not quite right -- in fact, it adds a new message and deletes the 
old one whenever it wants to move or modify a message, I think.  The 
add/delete operation might involve moving the mail to another mailbox, 
adding the spam classification header, adding a unique ID header for 
SpamBayes' internal use, etc.



John




Recently-APPENDed messages not showing up as RECENT responses after NOOP

2006-09-02 Thread John J Lee

Hi

I'm trying to figure out why a Python spam-filtering program, SpamBayes, 
crashes for me when running in IMAP client spam-classification mode 
against a Cyrus IMAP server, version "Cyrus v2.3.7-fmsvn9188" (the server 
is one of the mail.messagingengine.com ones from fastmail.fm).


I should say upfront that I imagine it may well be that the fault is with 
SpamBayes.  TBH, the reason I'm posting here is that a). it's clear the 
SpamBayes issue will only get fixed if I do it myself, and b). I've little 
doubt that any fix I come up with without the help of an IMAP guru would 
be a pure hack, a server resource hog and not work for other people.


The problem occurs when SpamBayes (specifically, sb_imapfilter.py) tries 
to add an X-Spambayes-Classification header to emails it has classified, 
in order to record whether it thought the mail was spam or not.  It does 
that by creating a new message with the added header, then deleting the 
old message (if there's a better way, I'd be grateful to learn about it). 
As soon as SpamBayes creates the new message, it tries to find the new 
message's UID.  To do that, it first looks for a RECENT response.  If it 
doesn't have one in its buffer, it sends a NOOP command.  If that doesn't 
result in a RECENT response, it keeps polling, issuing NOOP commands up to 
100 times (it doesn't sleep() between each poll).  If that fails, it dies 
horribly :-/


So, two questions:

1. Is the algorithm above a sane one?  Maybe I should ask instead "is
   there a better one"?

2. Does this reveal a bug in the Cyrus implementation?  If not, might it
   be a useful extension of Cyrus IMAP to support this kind of usage?


Thanks in advance for any help


John




cyradm login problems

2005-10-01 Thread Lee Nau
I am using cyrus 2.1.18-1 with the imaps protocol.  The sasl
authentication method is shadow.  Whenever I issue the cyradm
command, specifically  "cyradm --user cyrus localhost --auth
login" I am met with an "IMAP password:" prompt.  The cyrus user's
system and sasldb password are the same, and entering it at this prompt
results in being returned to the shell with roughly two tabs of
whitespace before the prompt.  If I issue the command "cyradm
--user cyrus localhost"  (leaving off the auth method), I am
returned to the shell without any prompt for passwords.  Any help
would be greatly appreciated.

-Lee


Mysql Based Database Storage

2005-05-05 Thread Lee
One of the biggest problems we see with cyrus is its lack of ability  
to do true high-availability, particularly in a scaleable manner. I  
know one option is to do murder with multiple sans, but this is far  
from true scaleability (one san can only be located in one place in  
the country, and only contains one copy of the data) and even further  
from true HA (the san is a single point of failure, perhaps  
replication to another san might be a solution, but it's not at all  
cost effective).

Anyway, I was looking at mysql cluster in mysql 5.1 (plans) and it  
seems like this might be a true solution to virtually all the  
problems with running highly scaleable, high-availability cyrus  
installations.

Has anyone implemented, or at least thought of implementing a mysql  
based backend for mail and database storage for cyrus? How utterly  
complex an endeavor might it be? What might be the biggest  
foreseeable problems?

Best,
Lee


System I/O Error

2005-04-29 Thread Lee Hoffman
We had a kernel hang the other day and after a reboot and full fsck  
(ext3), two email accounts seem to not be able to receive mail any  
longer. The other accounts on the system are unaffected.

joe123 is one of the users. joe123 can login, but all mail sent to  
the account just sits in the local postfix queue. The error log shows:

Apr 29 11:18:56 [postfix/lmtp] D53ED17BC130: to=<[EMAIL PROTECTED]>,  
relay=/export/cyrus/imap/socket/lmtp[/export/cyrus/imap/socket/lmtp],  
delay=333843, status=deferred (host /export/cyrus/imap/socket/lmtp[/ 
export/cyrus/imap/socket/lmtp] said: 451 4.3.0 System I/O error (in  
reply to RCPT TO command))
Apr 29 11:18:56 [lmtpunix] DBERROR: error fetching user.joe123:  
cyrusdb error

I tried running reconstruct -rf user/joe123, but it didn't solve the  
problem.

The error fetching user.joe123 is particularly odd since we use the  
"/" separator not ".".

Does anyone have any idea how to solve this problem?
Thanks,
Lee


Re: Hardware RAID Level & Performance

2005-02-16 Thread Lee

1. Use 2.6.10+ ext3, with all hashing enabled
2. Use an external journal in a fast device (not the RAID5 array)
Cyrus 2.3 CVS code enables you to split indexes and cyrus db files 
into
their own partition. That's where most of the i/o activity is 
concentrated,
so you only need to optimize that partition. The mail spool that 
remains can
be raid5.
This is probably the best way to do it, especially if you have some
non-volatile solid-state disks around as it was suggested  in this list
sometime ago...
Do you have a particular suggestion for brand/model of device? It would 
obviously have to be redundant (or capable of being made redundant) and 
cost effectiveness would be critical.

Thanks,
L
Yes, ext3 does have its problems, depending on how many users and how 
big
mailboxes you have. I'd recommend reiserfs.
I've heard bad things about reiserfs' capabilities to withstand
corruption *and* to be repaired later. Something that I'd take into 
account
when choosing the FS for the big spools.  But maybe reiserfs has 
non-joke
repair utilities these days...

--
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh


Hardware RAID Level & Performance

2005-02-15 Thread Lee
We're rebuilding our mail cluster using two servers clustered together 
with DRBD/heartbeat. We've run DRBD/heartbeat before, so I'm fairly 
comfortable with the performance implications of that.

What I'm wondering is, how the hardware raid level on the two poweredge 
2650s (aacraid perc3/di controller) using linux 2.6 kernel and EXT3 
will affect the performance of cyrus. In the past we've always used 
raid 10, believing that it offered a significant performance boost over 
raid 5 for write intensive apps like cyrus. Recently however I noticed 
that CMU is actually using RAID 5 on its arrays. Obviously being able 
to use RAID 5 would be terrific as it would give us significantly more 
storage for the buck.

What are the implications of raid 10 vs. raid 5 with cyrus? Are they 
significant? Does EXT3 play into the discussion?

Thanks,
Lee


Re: cyrus-IMAP cluster

2005-01-10 Thread Lee
We use drbd and heartbeat on the backend mail servers (active/passive, 
data is real time replicated from active->passive). Has worked very 
reliably for several years, however it is not the most clean solution. 
I've heard / read bad things about GFS based shared storage (cyrus wiki 
actually has a section on it).

Apple just released their Xsan product though, seems like it might be a 
good solution.

L
On Jan 10, 2005, at 8:09 PM, Chad A. Prey wrote:
I am wondering if any of you out there are running cyrus in a cluster?
If so, how did you do it? and how would you do it if you had to do it
all over again?
We are currently using cyrus with perdition which works fine, however,
ideally the situation would be that a user could connect to either IMAP
server though a load-balancer with the /var/spool/imap folders shared
between both machines on a Fibre channel disk array.
We only have 1200 users but they are heavy, abusive users. Our current
cyrus build is on WBEL (like RHEL) 2.4 kernel. I am especially keen to
hear from those that have actually done this.
--
Chad A. Prey
Sr. Systems Administrator
Salk Institute for Biological Studies
cell - (858)967-1051
phone - (858) 453-4100 x 1930



Squatter Error

2004-12-12 Thread Lee
Running squatter I get the following error on a specific user's folder:
fatal error: Internal error: assertion failed: squat_internal.c: 161: v64 >= 0

After which squatter dies.
I tried reconstructing the folder, but it hasn't made a difference. 
Since squatter terminates on this folder, I can't get squatter to 
process everything.

Any ideas?
Lee


Squat Failure Behavior Improvement?

2004-12-08 Thread Lee
I'm running cyrus 2.2.10, and when I run squat -r -s, squat fails on 
certain messages or users because there is one corrupt message in the 
user's mailbox. This isn't a huge issue in itself because I can 
obviously remove the corrupt file or run reconstruct and then restart 
squat. The bigger issue is that on a system with 1000s of users, if I 
plan to run squat as an automatic event in the future, I now have to 
worry that one corrupt message in even a single message will stop 
squatter in its tracks and I won't know it unless I'm constantly 
watching the logs for it.

Is there a reason squat is not designed to simply continue indexing 
after a message or user fails to be indexed? This seems like a pretty 
big problem for anyone running a large system where occasional file 
corruption is inevitable. Is there something I can do to fix this 
problem?

Thanks,
Lee


Cyr_expire Spiraling Out of Control - help!

2004-11-27 Thread Lee
We recently upgraded to the latest cyrus/sasl. We were using 2.1, so we 
needed to convert the DBs over to skiplist and update cyrus.conf. We did 
that and moved over without problem.

Two days after moving to 2.2, we discovered that all of a sudden mail 
was being queued and not delivered on the box. The servers spit out 
errors about deliver.db. To solve the problem I removed deliver.db and 
everything in the db/* folder. After restarting cyrus, queued mail 
quickly started dropping and started being delivered.

After this happened I believed it was the result of running squatter 
for the first time (and subsequently failed). However today I'm looking 
at the top process list and there are several cyr_expire processes 
running from each of the last few days (since rebooting cyrus). They are 
taking up 99% of the CPU and making the load on the dual proc server 
near 4.0.

Does anyone have any idea why cyr_expire is spiraling out of control 
and overloading the system?

Here's our cyrus.conf:
# standard standalone server implementation
START {
  # do not delete this entry!
  recover   cmd="ctl_cyrusdb -r"
  # this is only necessary if using idled for IMAP IDLE
#  idled    cmd="idled"
}
# UNIX sockets start with a slash and are put into /var/imap/sockets
SERVICES {
  # add or remove based on preferences
  imap  cmd="imapd" listen="imap" prefork=5
  imaps cmd="imapd -s" listen="imaps" prefork=2
  # pop3    cmd="pop3d" listen="pop3" prefork=3
  # pop3s   cmd="pop3d -s" listen="pop3s" prefork=1
  sieve cmd="timsieved" listen="sieve" prefork=1
  # at least one LMTP is required for delivery
#  lmtp cmd="lmtpd" listen="lmtp" prefork=0
#  lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=1
   lmtpunix cmd="lmtpd" listen="/export/cyrus/imap/socket/lmtp" prefork=1
#   lmtpunix cmd="lmtpd" listen="/export/cyrus/postfix/spool/private/lmtp" prefork=1

  # this is only necessary if using notifications
#  notify   cmd="notifyd" listen="/var/imap/socket/notify" proto="udp" prefork=1
}

EVENTS {
  # this is required
  checkpoint    cmd="ctl_cyrusdb -c" period=30
  # this is only necessary if using duplicate delivery suppression
  delprune  cmd="cyr_expire -E 3" period=1440
  # this is only necessary if caching TLS sessions
  tlsprune  cmd="tls_prune" period=1440
  # delete old spam
  purgetrash    cmd="ipurge -d 21 -f user/%/spam" at=0530
  purgetrash    cmd="ipurge -d 1 -f user/%/spam-notcaught" at=0330
}
Sincerely,
Lee


Re: Funding Cyrus High Availability

2004-09-17 Thread Lee
My vote would be for active/active, it's usually more reliable and of 
course it builds in better scalability. I imagine the main 
question of everyone will be how the choice of active/active or 
active/passive will affect cost/time of implementation.

L
On Sep 17, 2004, at 1:16 PM, Ken Murchison wrote:
David Lang wrote:
On Thu, 16 Sep 2004, Ken Murchison wrote:
Question:   Are people looking at this as both redundancy and 
performance, or just redundancy?
for performance we already have murder, what we currently lack is 
redundancy. once we have redundancy then the next enhancement is 
going to be to teach murder about it so that it can failover to the 
backup box(s) as needed, but for now simply having the full data at 
the backup location would be so far ahead of where we are now that 
the need to reconfigure murder for a failover is relatively trivial 
by comparison.

Actually what I was really asking, is are people looking for an 
active-active config and an active-passive config?

--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp


Re: Funding Cyrus High Availability

2004-09-16 Thread Lee
mysql does not have multi-master functionality, and its replication 
is, quite honestly, a joke.  You may have mis-spoken and are talking 
about the up-and-coming mysql cluster or the mysql max product (both 
of which I'm much less familiar with).

Indeed I was talking about mysql cluster (which is now included with 
the distro). I'm pretty convinced having talked with some mysql peeps, 
that cluster will eventually (not too distant future) be VERY bullet 
proof. I just figured that writing cyrus to use mysql (or SQL SPEC) as 
a backend might kill two birds with one stone, and create a better 
general platforms for growth. Nonetheless, I would love to see just 
replication is everyone if mysql back is out.

L



Re: Funding Cyrus High Availability

2004-09-16 Thread Lee
I imagine for a big project like this, refunds could be given. I think 
it's more a matter of finding someone to deal with this. I'd be happy to 
do it, but I think it would be best if Ken or another core developer 
that everyone knows and already trusts is in charge of holding the 
cash. Any Ideas Ken?

I would bet that if a "Fund Cyrus Replication" link were made 
prominently on the cyrus homepage, 3-5k could be raised in less than a 
month.

L
P.S. Ken, not sure if this would be easier or more complex, but another 
alternative here might be to write a mysql backend to cyrus, which 
would eliminate the need to worry about redundancy given mysql's 
multimaster functionality (this might also provide better 
searching/sort/access and enormous scalability to the cyrus backends).

On Sep 16, 2004, at 4:58 PM, [EMAIL PROTECTED] wrote:
Hello All,
I would be willing to pay for this function. Though I am just a startup, and
have very little capital. Most I could prolly do is $100 to $200. Not much.
My fear, which may be the fear of others is the risk of putting money in, but
there not being enough support by others to reach the cash goal. Thus the
project never is done. What happens in that case ?

Thanks,
On Thursday 16 September 2004 11:00 am, you wrote:
What do people think about a bounty program like horde's:
http://www.horde.org/bounties/
Basically people can make paypal donations to fund certain features.
For something like the high availability support, I'm guessing that A LOT
of people would donate small to large amounts of cash to see this
functionality implemented ( I certainly would).

What do you all think?
L


Funding Cyrus High Availability

2004-09-16 Thread Lee
What do people think about a bounty program like horde's:
http://www.horde.org/bounties/
Basically people can make paypal donations to fund certain features. 
For something like the high availability support, I'm guessing that A LOT 
of people would donate small to large amounts of cash to see this 
functionality implemented ( I certainly would).

What do you all think?
L
On Sep 16, 2004, at 5:30 AM, Paul Dekkers wrote:
Hi,
Ken Murchison wrote:
I wouldn't hold out hope of anything being available in "some 
months".

I wrote my replication code two years ago, and submitted it to Rob 
and Ken about this time last year. Neither I nor they have put any 
significant work into the code since then. As I indicated in my 
previous message, we all have other priorities right now.
I can imagine, but I hoped that priorities would change a bit with 
the amount of users that repeatedly
This link appears dead.  All I get is "To clipboard".
Oops. There was never supposed to be a link :-)
interest in this feature and with the money we are willing to put in 
:-|
I'm willing to work on it if there is money available.  You are the 
only one that has said that you would commit money.  Where are the 
rest of the folks?  Based on the number of people that stepped up to 
pay for virtdomains support (zero), I'm guessing there are fewer out 
there willing to spend money than you think.  But I could be wrong.
I'm happy to see that there are indeed others interested in this ;-)
Other than the altnamespace project ($5000) that I did for a 
(unnamed) company in Texas, Jeremy Howard at Fastmail is the only one 
who has consistently paid for features.  I'll let him disclose what 
he has spent, if he chooses to, but it's safe to say that it's been 
more than just pizza and beer.
I expected more than pizza and beer, so that's no surprise :-)
I'd have to look at David's patch again and discuss things with CMU 
to get a good time estimate, but I'm guessing that a project like 
this would cost a few thousand dollars.
Ok, I'll start a discussion with our management based on your latest 
estimation ($3000-$5000) and I'll let you know about the results. 
(Might take a while, I think at least not this week. If you have more 
details (for instance time estimation) let me know.)

Bye,
Paul



Re: High availability ... again

2004-06-28 Thread Lee
Has anyone used GFS with cyrus? Could one theoretically create a 
redundant, loadbalancing cluster using two boxes, GFS and a SAN?

Lee
On Jun 28, 2004, at 9:43 AM, Etienne Goyer wrote:
Ben Carter wrote:
Etienne Goyer wrote:
Tore Anderson word of wisdom where :
  There's a third option, which is the one I prefer the most:  shared
  block device.

Well, I did not consider that option since the SAN become a single 
point-of-failure, and that is a big no-no according to the 
specifications I have at the moment.

If it would have been possible, it would have been my first choice 
though.
Do you consider the SAN a SPOF even if you have multiple paths to it 
from each server and it has no internal SPOF?  If so, isn't your 
cluster or your single physical location a SPOF?
Two locations, a single path (20 Mb/s) between the two.  Thinking about 
it, the SPOF is actually the link between the two locations.  The 
situation is pretty much toasted as there cannot be a fully redundant 
setup.  Case closed !

On a similar note, RedHat have apparently bought Sistina, and GPLed 
GFS.  This is great news for HA under Linux, IMHO.  I will be testing 
it soon.


Re: dspam & cyrus

2004-06-22 Thread Lee
Christiano,
We're considering something very much like what you're describing. 
Would you mind passing on postfix, dspam (and any other pertinent) 
configs? It would save quite a bit of time screwing around with stuff.

Also, we're somewhat concerned about introducing mysql as an additional 
dependency for our mailsystem (we use it on large scale websites, and 
have nothing but problems instability wise). I'm curious how mysql with 
dspam has been treating you, and how much volume you're managing on it. 
Has mysql crashed on you yet? If so, did mail delivery halt?

Thanks,
Lee
On Jun 22, 2004, at 5:28 PM, Christiano Anderson wrote:
Palle Girgensohn <[EMAIL PROTECTED]> writes:
Does anyone have experience of running dspam & cyrus?  (with sendmail
& without procmail)
I use Postfix + Dspam + Cyrus and it works very fine.
On Postfix I created two different transports: users with individual
dspam database and users with global dspam database.
Postfix pipes the messages to dspam, it makes the check, includes the
header if message is spam or not and after that delivers to
cyrdeliver. Each user has a sieve rule which moves the message to the
spam folder if it is classified as spam.
It is a good solution, I have been using it for 1 year.


Re: Cyrus HA Scalable Solution? Rsync

2004-05-25 Thread Lee
We (my company) use DRBD (http://drbd.cubit.at/) with heartbeat and cyrus quite
successfully. To distribute load we use multiple heartbeat/drbd backend
clusters. Each cluster is comprised of 2 machines connected together via
gigabit ethernet cards and serial links. Postfix references ldap (for you
mysql) to determine which backend cluster the user's mailbox resides on.
Perdition or Cyrus Murder can be used to proxy the user logging in to check
mail to the correct backend machine. This solution provides unlimited
scalability and pretty good redundancy.

DRBD is a good inexpensive solution. It's proved to be fast and pretty reliable.
I would recommend it if you are on a budget. If you have unlimited cash, a
kimberlite / SAN cluster might be another good option (haven't tried it, but
have heard good things). 

Lee

Quoting Michael Loftis <[EMAIL PROTECTED]>:

> 
> 
> --On Tuesday, May 25, 2004 14:39 -0700 Kevin Baker <[EMAIL PROTECTED]> 
> wrote:
> 
> 
> > Thoughts? This is obviously just a sketch... but I haven't
> > seen this done before as far as the failover solution
> > with rsync and thought it might work pretty well.
> 
> rsync sucks for large numbers of files/directories.  It has to build an 
> in-memory tree before it even starts syncing.
> 
> what would be 'nice' to see is something built inside of cyrus to handle 
> multiple backends but that's a pretty complicated bit of beast.  (no i'm 
> not volunteering ;) )
> 
> 
> --
> GPG/PGP --> 0xE736BD7E 5144 6A2D 977A 6651 DFBE 1462 E351 88B9 E736 BD7E 
> 




Re: Delivering to a folder

2003-12-29 Thread Lee
Ken, that did it. Thank you.

One last question, are there any security risks to having all of a 
user's mailboxes postable by anonymous?

Thanks again,
Lee
On Dec 26, 2003, at 10:15 AM, Ken Murchison wrote:

Lee wrote:

We're using postfix -> lmtp -> cyrus 2.1.16 on a redhat 9 box.
When I try to send a message to [EMAIL PROTECTED] it's always 
delivered to the user's inbox. What do I need to do to get the 
messages delivered to the folder?
Assuming that  above is a placeholder for the real userid, set 
the ACL on user//folder so that the 'anonymous' or 'anyone' 
userid has the 'p' (post) right.


Our imapd.conf is attached below.
Thanks,
Lee
IMAPD.CONF:
# Cyrus Imapd Configuration
configdirectory: /export/cyrus/imap
partition-default: /export/cyrus/spool/imap
admins: admin
tls_cert_file: /export/cyrus/server.pem
tls_key_file: /export/cyrus/server.pem
allowanonymouslogin: no
allowplaintext: yes
sasl_mech_list: PLAIN
servername: localhost
autocreatequota: 0
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pwcheck_method: saslauthd
sievedir: /export/cyrus/sieve
sendmail: /usr/sbin/sendmail
#sieve_maxscriptsize: 32
#sieve_maxscripts: 5
# Get rid of folders as subfolders of INBOX
altnamespace: yes
unixhierarchysep: yes


--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp
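
Added example (not part of the original thread, and not code from the Cyrus project): a short Python audit of the rights held by the 'anyone' and 'anonymous' identifiers discussed above, separating mailboxes where they hold only 'p' from those where they hold more. The `ctl_mboxlist -d` line layout it parses and the sample lines are assumptions constructed for illustration; compare them with your own dump before relying on the result.

```python
"""Audit a Cyrus mailbox-list dump for rights held by 'anyone'/'anonymous'."""

# Constructed sample. Assumed layout of one `ctl_mboxlist -d` line:
#   mailbox TAB [type SPACE]partition SPACE id TAB rights TAB id TAB rights TAB
SAMPLE_DUMP = (
    "user.joe\t0 default joe\tlrswipcda\t\n"
    "user.joe.lists\t0 default joe\tlrswipcda\tanyone\tp\t\n"
    "user.joe.shared\t0 default joe\tlrswipcda\tanyone\tlrp\t\n"
    "user.ann.A =D\t0 default ann\tlrswipcda\tanonymous\tlrswipcda\t\n"
)

PUBLIC_IDS = {"anyone", "anonymous"}

# Rights beyond 'p', grouped by what they expose; checked most severe first.
RIGHT_CLASSES = (
    ("admin", set("a")),       # change the ACL itself
    ("write", set("swicd")),   # seen state, flags, insert, create, delete
    ("read", set("lr")),       # list the mailbox and read its messages
)


def parse_line(line):
    """Return (mailbox, {identifier: rights}) for one dump line.

    Mailbox names may contain spaces, so the name is everything before the
    first tab. Raises ValueError when the ACL part is not id/rights pairs.
    """
    name, _, rest = line.rstrip("\n").partition("\t")
    tokens = rest.split()
    if tokens and tokens[0].isdigit():
        tokens = tokens[1:]            # optional numeric mailbox type
    if not name or not tokens:
        raise ValueError("missing mailbox name or partition")
    acl_tokens = tokens[1:]            # tokens[0] is the partition name
    if len(acl_tokens) % 2:
        raise ValueError("identifier without a rights string")
    return name, dict(zip(acl_tokens[0::2], acl_tokens[1::2]))


def audit(dump_text):
    """Classify every public ACL entry found in the dump text."""
    report = {"post_only": [], "findings": [], "malformed": []}
    for lineno, line in enumerate(dump_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            name, acl = parse_line(line)
        except ValueError:
            # Keep going: one bad line must not hide the rest of the dump.
            report["malformed"].append(lineno)
            continue
        for ident, rights in acl.items():
            if ident not in PUBLIC_IDS:
                continue
            extra = set(rights) - {"p"}
            if not extra:
                report["post_only"].append(name)
                continue
            severity = next(
                (label for label, letters in RIGHT_CLASSES if extra & letters),
                "other",               # rights letters this script does not know
            )
            report["findings"].append(
                (name, ident, "".join(sorted(extra)), severity)
            )
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_DUMP)
    for mailbox in result["post_only"]:
        print(f"post-only   {mailbox}")
    for mailbox, ident, extra, severity in result["findings"]:
        print(f"{severity:<11} {mailbox}: {ident} also holds '{extra}'")
    for lineno in result["malformed"]:
        print(f"unparsed    line {lineno}")
```
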



Delivering to a folder

2003-12-25 Thread Lee
We're using postfix -> lmtp -> cyrus 2.1.16 on a redhat 9 box.

When I try to send a message to [EMAIL PROTECTED] it's always 
delivered to the user's inbox. What do I need to do to get the messages 
delivered to the folder?

Our imapd.conf is attached below.

Thanks,
Lee
IMAPD.CONF:

# Cyrus Imapd Configuration

configdirectory: /export/cyrus/imap
partition-default: /export/cyrus/spool/imap
admins: admin
tls_cert_file: /export/cyrus/server.pem
tls_key_file: /export/cyrus/server.pem
allowanonymouslogin: no
allowplaintext: yes
sasl_mech_list: PLAIN
servername: localhost
autocreatequota: 0
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pwcheck_method: saslauthd
sievedir: /export/cyrus/sieve
sendmail: /usr/sbin/sendmail
#sieve_maxscriptsize: 32
#sieve_maxscripts: 5
# Get rid of folders as subfolders of INBOX
altnamespace: yes
unixhierarchysep: yes


Re: High Availability Email

2003-08-30 Thread Lee
Gary,
We use multiple two-box mailstore clusters running cyrus, drbd, and 
linux-ha to store the actual mail. On top of this we have loadbalancers 
running a set of ldap boxes for authentication, and perdition to 
loadbalance the frontend mail connections.

DRBD + Heartbeat (linux-ha) for the backend mail store boxes has worked 
for over a year for us, but if you have the cash I recommend using 
two-box redundantly shared fibrechannel SANs instead ... a lot more 
expensive, but less wonky.

L

On Saturday, August 30, 2003, at 09:26 AM, Gary C. New wrote:

I am gearing up to migrate our systems to a high availability email 
topology and was wondering what the current solutions are to provide 
such an architecture?

I need a solution that synchronizes/mirrors/replicates user mail 
stores across several physical servers for redundancy.

Some of my research has pointed me to Cyrus Murder and the MUPDATE 
protocol, but it sounds like even in this type of configuration the 
back-end server would still be a single point of failure.

Suggestions?

Thanks.

Gary





Re: Can't delete old folders from before ALTNAMESPACE

2003-06-16 Thread Lee
That was it, no problem deleting now. Thank you.

L

On Monday, June 16, 2003, at 04:17 PM, Wil Cooley wrote:

On Mon, 2003-06-16 at 12:31, Lee wrote:
I created the directories spool/imap/user/joe/INBOX and INBOX/A =D and
INBOX/A =D/Accounts, then I ran reconstruct -R on user/joe, but that
just returned the following errors:
user.joe.INBOX.A =D: System I/O error Bad file descriptor
user.joe.INBOX.A =D.Accounts: System I/O error Bad file descriptor
...
Any other ideas?
Did you make sure they're owned by cyrus:mail?

Wil
--
Wil Cooley [EMAIL PROTECTED]
Naked Ape Consulting http://nakedape.cc
* * * * Linux, UNIX, Networking and Security Solutions * * * *
* Tired of spam and viruses in your e-mail?  Get the *
* Naked Ape Mail Defender! http://nakedape.cc/r/maildefender *




Re: Can't delete old folders from before ALTNAMESPACE

2003-06-16 Thread Lee
Will this cause any problems with seen / unseen flags (or anything for 
that matter)?

L

On Monday, June 16, 2003, at 03:34 PM, John Alton Tamplin wrote:

Lee wrote:

You should be able to delete these from within cyradm as an admin, 
unless
somebody deleted stuff by hand from the filesystem.
I think that might be the problem.

When I try to SAM the folders pre-deletion in cyradm, I get a:

setaclmailbox: admin: lcp: System I/O error

Is there a way to force remove cyrus' internal list of those folders?
If you deleted them without Cyrus knowing about it, your best bet is 
to take Cyrus down, dump the mboxlist (ctl_mboxlist -d >file.txt), 
edit the text version of the file to remove things that are no longer 
there, and then undump the mboxlist (ctl_mboxlist -u -f file.txt), and 
then bring everything up.  You really should not be deleting things 
under Cyrus's control except through Cyrus.

--
John A. Tamplin   Unix System Administrator
Emory University, School of Public Health +1 404/727-9931




Re: Can't delete old folders from before ALTNAMESPACE

2003-06-16 Thread Lee
I created the directories spool/imap/user/joe/INBOX and INBOX/A =D and 
INBOX/A =D/Accounts, then I ran reconstruct -R on user/joe, but that 
just returned the following errors:

user.joe.INBOX.A =D: System I/O error Bad file descriptor
user.joe.INBOX.A =D.Accounts: System I/O error Bad file descriptor
This is odd since we're using the / as the directory separator not "." 
(which we used to use a long time ago).

BTW I also tried creating and reconstructing two top level directory 
folders spool/imap/user.joe.INBOX.A =D and spool/imap/user.joe.INBOX.A 
=D .Accounts, but it didn't change the error I received when running 
reconstruct.

Any other ideas?

L

On Monday, June 16, 2003, at 03:16 PM, Rob Siemborski wrote:

On Mon, 16 Jun 2003, Lee wrote:

You should be able to delete these from within cyradm as an admin,
unless
somebody deleted stuff by hand from the filesystem.
I think that might be the problem.
Don't do that! ;)

To fix the problem, recreate the directories in the filesystem,
reconstruct the mailboxes, and then delete them properly via cyradm.
Is there a way to force remove cyrus' internal list of those folders?
Not any easy ways, there are some test utilities for cyrusdb functionality
that let you manipulate the database on a per-key basis.  They're in the
distribution, but they're a use-at-your-own-risk sort of thing.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper



Re: Can't delete old folders from before ALTNAMESPACE

2003-06-16 Thread Lee
You should be able to delete these from within cyradm as an admin, unless
somebody deleted stuff by hand from the filesystem.
I think that might be the problem.

When I try to SAM the folders pre-deletion in cyradm, I get a:

setaclmailbox: admin: lcp: System I/O error

Is there a way to force remove cyrus' internal list of those folders?

L

On Monday, June 16, 2003, at 01:50 PM, Ken Murchison wrote:

Quoting Lee <[EMAIL PROTECTED]>:

Hey All,
One of our users has the following folders listed in his account:
user/joe/INBOX/A =D (\HasChildren)
user/joe/INBOX/A =D/Accounts (\HasNoChildren)
These folders don't exist because they were remnants of our mail system
before we turned on ALTNAMESPACE. The problem is that when I try to
delete the folder in cyradm or in outlook, cyrus just returns errors.
Any ideas?
You should be able to delete these from within cyradm as an admin, 
unless
somebody deleted stuff by hand from the filesystem.

What errors are you getting from cyradm?

--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp



Can't delete old folders from before ALTNAMESPACE

2003-06-16 Thread Lee
Hey All,
One of our users has the following folders listed in his account:
user/joe/INBOX/A =D (\HasChildren)
user/joe/INBOX/A =D/Accounts (\HasNoChildren)
These folders don't exist because they were remnants of our mail system 
before we turned on ALTNAMESPACE. The problem is that when I try to 
delete the folder in cyradm or in outlook, cyrus just returns errors.

Any ideas?

Thanks,
Lee


Re: Geographically Redundant mail stores

2003-03-18 Thread Lee
We looked into a number of solutions to do what you're doing, and the 
best solution (within our budget) was to use block level syncing 
software like drbd (http://www.complang.tuwien.ac.at/reisner/drbd/) 
with heartbeat (linux-ha). Basically replicates all data written to 
disc on the primary to the secondary and handles switching from primary 
to secondary when it detects that the primary is down.

L

On Tuesday, March 18, 2003, at 06:58 PM, Michael Fair wrote:

On Tue, 18 Mar 2003, Michael Fair wrote:

I'm doing some work on how to create a somewhat
reliable geographically redundant mail system.
Since I'm guessing you don't want to hear the reasons that this won't 
work
(synchronizing UIDs and flags, for example, is hard), I won't go into
that.


Thanks.  I've given up on trying to provide a perfect/correct
solution.  Instead I'm shooting for something more along the
lines of being able to look at a live backup and then synchronizing
any new mail that comes in.  State flags and other things above
and beyond the email messages themselves are not a concern (but
would be nice to have).
The main problem is just that if the main server is ever unavailable
communications come to a grinding halt.  Since we have people
outside the office as well as in, we wanted some way for them to
at least continue to send/receive new mail.
I've been thinking about this problem for some time, and at the
moment the best concepts I have going are:
1) Use Cyrus 2.2 and have the NNTP server sync the mailboxes.
   (This does nothing for state flags and probably will not
help with the creation/deletion of new folders)
2) Create a "file locking server" that replaces the file
   locking calls with something that is cross machine compatible
   then use Coda, Intermezzo, or NFS to mirror the file store.
3) Turn Cyrus on the backup server off, use rsync to copy all
   the files from one server to the other (making the UID/GIDs
   match on the two servers shouldn't be a problem), then in the
   event of a failure activate the Cyrus server, then flush the
   MTA queue to deliver the queued mail to Cyrus (the queued mail
   will be that which has been delivered since primary failure).
   It would look like I restored from a backup (which wouldn't
   be too far from the truth).
   (This is just admin intensive, and slow, and assumes that an
admin will always be available to manually make the changes)
4) Enhance Mailsync which does a good job at synchronizing
the mail stores for an individual user to do an entire
mail store.
(Without enhancement it needs to be setup per user.)
(With enhancement, by default an administrator cannot read
 the emails within users mailboxes and therefore cannot
 sync them)
5) Wait for people smarter than myself to add redundancy to
   Cyrus directly (perhaps with a Group Communication Library
   like Spread or something similar).



 Instead I'll answer your main question directly.

My question was that the only user I know that
can see the whole tree is an admin user.  But
by default admin users can't select the mailboxes
because they don't have the proper permissions.
Admin users can authorize as any user they want.  So simply have the 
admin
user authorize as each user, and they can get to that mailbox with no
trouble.

Note that if you SELECT a mailbox as a user, it *will* change the 
state of
\Recent flags for the user.
Is there a reliable way to query the known list of users?
I'm thinking of a big loop:
foreach $user (@users) { syncMailbox($user); }
I suppose I could just use the output of sasldblistusers
as STDIN input to the perl script (or the perl script
could run it directly) since that's the backend I use.
Or doing a List of the "user" folder one level deep.
Any other ideas?

How would you do it?

The problem is:
When the primary mail site is down, all email communication
ceases despite the availability of other sites that could
handle the load.
In addition to allowing sending/receiving of new email,
The system must integrate any new mail back into the main
site when it becomes available again.
The system should allow people to see all their email and
folders older than some sane value (like 1 hour prior
to main site failure (shorter times preferred)).
The system may (as added bonus points and extra special
kudos) preserve flag states for users email.
Just as an FYI, the systems are Debian servers running
Henrique's amazingly wonderful packages.
The servers are Cyrus 2.1, Postfix 1.1.11, both integrated
with sasldb for Authentication (SMTP AUTH is only allowed
during a TLS session with Postfix - not that it matters).
Site A has a 4MB link, Site B has 1.5MB link.
-- Michael --




Re: Cyrus emails backup

2003-01-22 Thread Lee
Yes, just backup your /var/mail and /var/spool/mail folders.

Lee

On Wednesday, January 22, 2003, at 01:03 AM, test s wrote:


Hi,

Does anyone know how to backup cyrus emails?






Re: backup mail server

2003-01-12 Thread Lee
- Are you using other tools like heartbeat or in the same kind ? If yes
which tool ?


Yes, we're using heartbeat. Here's the requisite config:

/etc/ha.d/haresources:
servname.host.com 100.102.248.46 datadisk::drbd0 cyrus postfix


- From your drbd configuration file I can see that you are using 
/dev/sda6
as physical disk, is that your Cyrus partition (/var/spool/imap) ?


sda6 is our "data" partitiion where we keep /var/spool/imap /var/imap/ 
/var/spool/mail and all of our configuration files.

L


Thanks
Marc


drbd configuration file:

resource drbd0 {
 protocol=C
 fsckcmd=fsck.ext2 -p -y

 inittimeout=60
 skip-wait=yes

 disk {
 do-panic
 disk-size=66621523
 }

 net {
 sync-rate=6M
 tl-size=5000
 timeout=60
 connect-int=10
 ping-int=10
 }


 on box1 {
 device=/dev/nb0
 disk=/dev/sda6
 address=10.0.0.1
 port=7789
 }

 on box2 {
 device=/dev/nb0
 disk=/dev/sda6
 address=10.0.0.2
 port=7789
 }

}

Boxes are connected together via serial and etho links.

L

On Saturday, January 11, 2003, at 05:10 PM, [EMAIL PROTECTED] wrote:







On Sat, Jan 11, 2003 at 01:38:11PM -0500, Lee wrote:

We use drbd (http://www.complang.tuwien.ac.at/reisner/drbd/) and
linux-ha's (http://www.linux-ha.org/) heartbeat to create two-box
mailstores (one active, one hotspare, continuously in-sync). Works
beautifully.



Are you using the drbd from CVS on a 2.4.x kernel? Could you provide
details of the drbd version and OS off list?


A copy/paste of your config file would also be great as example, if they
do not contain too much sensitive data of course which shouldn't be the
case...

Thanks

Marc














Re: backup mail server

2003-01-12 Thread Lee
drbd configuration file:

resource drbd0 {
protocol=C
fsckcmd=fsck.ext2 -p -y

inittimeout=60
skip-wait=yes

disk {
do-panic
disk-size=66621523
}

net {
sync-rate=6M
tl-size=5000
timeout=60
connect-int=10
ping-int=10
}


on box1 {
device=/dev/nb0
disk=/dev/sda6
address=10.0.0.1
port=7789
}

on box2 {
device=/dev/nb0
disk=/dev/sda6
address=10.0.0.2
port=7789
}

}

Boxes are connected together via serial and etho links.

L

On Saturday, January 11, 2003, at 05:10 PM, [EMAIL PROTECTED] wrote:







On Sat, Jan 11, 2003 at 01:38:11PM -0500, Lee wrote:

We use drbd (http://www.complang.tuwien.ac.at/reisner/drbd/) and
linux-ha's (http://www.linux-ha.org/) heartbeat to create two-box
mailstores (one active, one hotspare, continuously in-sync). Works
beautifully.



Are you using the drbd from CVS on a 2.4.x kernel? Could you provide
details of the drbd version and OS off list?


A copy/paste of your config file would also be great as example, if they
do not contain too much sensitive data of course which shouldn't be the
case...

Thanks

Marc






Re: backup mail server

2003-01-12 Thread Lee
I am in the process of testing out this same setup at present under Linux
and I have a couple of questions.

1) How large is your Cyrus installation (# of accounts,  # of simultaneous


286 Accounts, usually around 10-15 simultaneous IMAP connections.  Total
spool size is 4.2 gigs, this includes stage and all user data. We've
designed this system to scale to 1500 accounts per box, but haven't
fully tested under that load yet though.

connections and IMAP spool size)
2) What DRBD protocol are you using A,B or C and over what file system
(EXT2, LVM,& EXT3 ???)


DRBD protocol C / Ext3


3) Are you using block replicated disks for both your IMAP spool & your
IMAP directory (Mailboxes DB etc)?


Yes, we are using block replication for everything directly related to
services running on this system.

L




Re: backup mail server

2003-01-11 Thread Lee
We use drbd (http://www.complang.tuwien.ac.at/reisner/drbd/) and 
linux-ha's (http://www.linux-ha.org/) heartbeat to create two-box 
mailstores (one active, one hotspare, continuously in-sync). Works 
beautifully.

L


On Saturday, January 11, 2003, at 10:26 AM, Ken Murchison wrote:



Greg Sidleinger wrote:


I have a small cyrus setup that only a few users use but I want to setup
some kind of live backup system for it.  I would really just like to
have two cyrus servers that keep the same mail boxes on them so if one
fails (hardware, software crash, smurfs, etc...) the other will have a
back up the mail and continue to receive mail.  I was reading up on the
murder stuff for cyrus but am not sure if it is what I want and if I
have the spare systems to support everything.  If anyone could point me
in the right direction it would be great.

Maintaining a hot spare machine _might_ be possible by using the NNTP
support in Cyrus 2.2, since this is what NNTP does, but nothing has been
done on this front.

--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp




Administrate Sieve?

2002-12-23 Thread Lee
We use an ldap directory with SSHA hashing on passwords stored in ldap
as the backend for our cyrus 2.1.X implementation. We are currently
trying to add a set of sieve scripts to EVERY user's account. Since we
can't actually access a user's password (since they're hashed in ldap) I
was hoping to login to sieve as an administrator and add the scripts to
each user's account. This doesn't seem possible though. Does anyone have
a suggestion how I might go about adding sieve scripts to users'
accounts using some sort of administrative account or by making a
global (server-wide) set of sieve scripts?

Thanks,
Lee



Sieve Server-Wide

2002-12-16 Thread Lee
Hey All,
I've setup spamassassin / amavisd-new  to tag spam with an X-Spam 
header. I want to now tell cyrus to filter those emails into the users 
spam folder. I found a sieve script that does this, but I'm wondering 
if there is a way to apply the script to all users on the server. Is 
there some sort of "shared" or "default" sieve user/directory that 
affects all users or some way to have all users' sieve dir simply be a 
single directory?

Thanks,
Lee



RE: Synchronised mail-directories advise

2002-09-27 Thread Lee Hoffman

We use DRBD with heartbeat (http://www.linux-ha.org/) to have one live
box and one hot-standby. If something ever happens to one, the other
takes over the "shared ip" and resumes services. 

Sincerely,
Lee


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Paul Dekkers
Sent: Thursday, September 26, 2002 7:57 AM
To: [EMAIL PROTECTED]
Subject: Synchronised mail-directories advise

Hi,

I'm running Cyrus IMAPd for about 3 years now, and I'm really happy
with it. I'm still running v1.6.24 without any problems. (I'm not aware
of any security issues, if there are any, or other disadvantages of
running this version I'd really like to know. I haven't looked at cyrus
for some time since it suits my needs and runs fine.)

One thing I want to implement is redundant mail storage. The way I think
about doing this, is running one master box, that runs unison (good
bi-directional synchronisation, can be compared to rsync) either after
the user modified some data, or at a specified interval (I think that's
the best option). I want to synchronise it then to a box in the same
subnet, so it can take over its IP-address if the first one fails.

The only thing that does not work with this unison-trick I think is the
cyrus.* files: if the other files are changed on one of the boxes, these
files are not synchronisable. I think the best option is then run a
reconstruct for every (changed) mailbox after the unison job.

Can anyone advise me on this issue? Is this a good way of doing things,
or will I face some problems I don't see yet? (Is it wise to upgrade?)
This would really work with Maildir-mailboxes, since there are no
caches and index-files. I'd like to keep cyrus however, because of the
shared mailboxes e.g.

Thank you in advance,
Paul








BUG ALERT! - RE: Serious Bug in Cyrus/SASL: Intermittent Ldap AUTHFAIL

2002-09-26 Thread Lee Hoffman

Guys,
This patch solved the problem I described below. I installed the patch 3
days ago, and haven't had the problem since.

To reiterate for the loyal cyrus bug hunters:

My system is using cyrus 2.1.5, sasl 2.1.7 on a RH7.3 box (I've tried
this config against 4 different versions of openldap, on two completely
different servers) and I compiled with:

SASL:
./configure --enable-plain --disable-krb4 \
--with-saslauthd=/var/run/saslauthd --with-ldap=/usr/local/lib

IMAP:
./configure --with-sasl=/usr/local/lib --with-perl --with-auth=unix \
--with-ssl --with-dbdir=/usr/local/BerkeleyDB.4.0 --with-ucdsnmp=no


Sincerely,
Lee


-----Original Message-----
From: Mohan Khurana [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, September 26, 2002 7:56 PM
To: Lee Hoffman
Cc: [EMAIL PROTECTED]; Igor Brezac
Subject: Re: Serious Bug in Cyrus/SASL: Intermittent Ldap AUTHFAIL

Lee,

Below, I've included a patch, it basically removes persistence from
saslauthd.  This has fixed the problem for me.  I'm not exactly familiar
with all the code, so I was unable to free the lak config structure, but
this does let you at least get saslauthd working.  I think there's a
problem with persistence, I'm not exactly sure what it is though.  Any
thoughts?

mohan

*** ../../orig/cyrus-sasl-2.1.7/saslauthd/lak.c Thu Aug  1 15:58:24 2002
--- lak.c   Thu Sep 26 19:42:11 2002
***
*** 816,821 
--- 816,832 
rc = lak_auth_custom(lak, user, realm, password);
}

+   /* free the lak */
+ if (lak->ld) {
+ if (lak->conf->cache_ttl)
+ ldap_destroy_cache(lak->ld);
+ ldap_unbind_s(lak->ld);
+ lak->ld = NULL;
+ }
+ //lak_free_config(&(lak->conf));
+   free(lak);
+   persistent_lak = NULL;
+
return rc;
  }
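Review bot: the config teardown in this hunk is commented out (`//lak_free_config(&(lak->conf));`) while `free(lak)` still runs, so whatever `lak->conf` points to becomes unreachable and leaks on every authentication in a long-running daemon; the second hunk does call `lak_free_config(&lak->conf)`, so the two paths disagree. Either make the call work here as well or leave a `/* */` comment (matching `/* free the lak */` above it) explaining why it cannot be freed on this path. The block also reads `lak->conf->cache_ttl` without checking that `lak->conf` is set.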

***
*** 846,851 
--- 857,874 
attrs[1] = NULL;

rc = lak_retrieve(lak, user, realm, (const char **)attrs,
&lres);
+
+   /* free the lak */
+   if (lak->ld) {
+ if (lak->conf->cache_ttl)
+ ldap_destroy_cache(lak->ld);
+ ldap_unbind_s(lak->ld);
+ lak->ld = NULL;
+ }
+ lak_free_config(&lak->conf);
+ free(lak);
+ persistent_lak = NULL;
+
if (rc != LAK_OK) {
return rc;
}
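Review bot: this teardown repeats the block added at line 816 almost verbatim, differing only in the live `lak_free_config(&lak->conf)` call, so it should move into one helper that both call sites use; the added lines are also indented inconsistently. Since it runs before `if (rc != LAK_OK)` and resets `persistent_lak = NULL`, every request now binds and unbinds its own LDAP connection, which deserves a comment marking it as a deliberate workaround. Please also confirm that nothing after this point still touches `lak`, or data in `lres` that depends on the connection just released by `ldap_unbind_s(lak->ld)`.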







RE: Serious Bug in Cyrus/SASL: Intermittent Ldap AUTHFAIL

2002-09-24 Thread Lee Hoffman

Igor,
Thanks for all your help. As it turns out, my friend was able to solve
the problem. I don't have the patch in front of me, but my friend did a
little digging in the saslauthd code and found a bug in its LDAP caching
mechanism. Since his change the problem has not reoccurred. My friend
has assured me he will send the patch/bug to the list as soon as he
cleans up his changes.

Sincerely,
Lee 

-----Original Message-----
From: Igor Brezac [mailto:[EMAIL PROTECTED]] 
Sent: Monday, September 23, 2002 11:57 AM
To: Lee Hoffman
Subject: RE: Serious Bug in Cyrus/SASL: Intermittent Ldap AUTHFAIL


Lee,

Can you apply the attached patch and recompile saslauthd?

cd $cyrus-sasl-src/saslauthd
patch -p0 < /tmp/saslauthd.patch
make

restart saslauthd and email me syslog entries after auth begins to fail.
I added a few extra debug codes which should help me see what is going
on.

Thanks,
-Igor

On Fri, 20 Sep 2002, Lee Hoffman wrote:

> Hey Igor,
> Running ldapsearch when the server is printing the AUTHFAILS returns
> what you would expect, the single user account entry for the user. Based
> on the fact that restarting the ldap server seems to help, one would
> think that it's an ldap server problem. But I just don't see how that can
> be since I've run 3 different versions of openldap, on two different
> servers, and the ldap server load never goes above 0.10.
>
> Any other ideas?
>
> Thanks,
> Lee
>
> -----Original Message-----
> From: Igor Brezac [mailto:[EMAIL PROTECTED]]
> Sent: Friday, September 20, 2002 6:39 PM
> To: Lee Hoffman
> Cc: [EMAIL PROTECTED]
> Subject: Re: Serious Bug in Cyrus/SASL: Intermittent Ldap AUTHFAIL
>
>
> On Fri, 20 Sep 2002, Lee Hoffman wrote:
>
> > I've been pulling my hair out with this for nearly 4 days now. I have
> > cyrus 2.1.5, sasl 2.1.7 on a RH7.3 box compiled as follows:
> >
> > SASL:
> > ./configure --enable-plain --disable-krb4
> > --with-saslauthd=/var/run/saslauthd --with-ldap=/usr/local/lib
> >
> > IMAP:
> > ./configure --with-sasl=/usr/local/lib --with-perl --with-auth=unix
> > --with-ssl --with-dbdir=/usr/local/BerkeleyDB.4.0 --with-ucdsnmp=no
> >
> > Basically I CYRUS->SASLAUTHD->LDAP
> >
> > For some reason users intermittently will be prompted for their password
> > over and over. The sasl debug log shows the following lines when that
> > happens:
> >
> > Sep 20 16:53:46 servername saslauthd[341]: Entry not found or more than one entries found (uid=superman).
> > Sep 20 16:53:46 servername saslauthd[341]: AUTHFAIL: user=superman service=imap realm=
> >
> > (ldap logs show nothing)
> >
> > The user always exists in the ldap directory. In fact 75% of the time
> > they can login and use mail without problems. It seems like when I
> > restart the ldap directory the AUTHFAILS stop happening for a while. I
> > have the ldap directory restarting ldap every 5 minutes now, which seems
> > to be keeping the AUTHFAILS to a minimum (but they are still happening).
> >
> >
> > I immediately figured it was an LDAP problem. However, I've now tried
> > openldap 2.0.25, 2.1.5, 2.0.23 as the ldap server. I've even tried each
> > of these three versions on two different servers (one with redhat, one
> > with debian). Both servers were completely different hardware. I also
> > tried different versions of the ldap client library (and of course
> > recompiled cyrus and sasl after trying each) on the cyrus server.
> > Nothing stops these intermittent AUTHFAILS.
> >
> > Does anyone have any idea what's going on? I'm desperate. Any ideas would
> > be appreciated.
> >
>
>
> Are there any other saslauthd lines in the syslog?  What happens when
> you run
> ldapsearch -x -b ou=users,dc=location,dc=com -D
> cn=postfixAdmin,ou=software,dc=location,dc=com -W uid=superman
> on the command line after you start getting AUTHFAIL messages?
> How many entries, if any, are returned?
>
> Your configuration looks good.
>
> >
> >
> > SASLAUTHD.CONF:
> >
> > ldap_servers: ldaps://server1.com # (tried ldap and ldaps here)
> > ldap_bind_dn: cn=postfixAdmin,ou=software,dc=location,dc=com
> > ldap_bind_pw: password
> > ldap_auth_method: bind
> > ldap_search_base: ou=users,dc=location,dc=com
> > ldap_debug: 5000
> > ldap_timeout: 15 # tried multiple values here too
> > ldap_time_limit: 15 # tried multiple values here too
> >
> >
> > IMAPD.CONF
> >
> > configdirectory: /export/cyrus/imap
> > partition-default: /export/cyrus/spool/imap
> > admins: admin
> > #sasl_pwcheck_method: 

RE: How to Instructions

2002-09-23 Thread Lee Hoffman

Here are my install commands for cyrus/sasl on RH7.3. Some things have
been updated, you'll have to change version numbers where appropriate.
Also this installs cyrus data in a shared partition /export (changing
this is easy).

# CYRUS

mkdir cyrus

ls /export/

cd cyrus/

wget http://www.sleepycat.com/update/snapshot/db-4.0.14.tar.gz

tar -xzf db-4.0.14.tar.gz 

cd db-4.0.14

ls

cd build_unix/

../dist/configure

make

make install

cd ..

cd ..

wget ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-imapd-2.1.5.tar.gz

wget ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.7.tar.gz

groupadd cyrus

useradd -g cyrus cyrus

ls

tar -xzf cyrus-sasl-2.1.7.tar.gz

cd cyrus-sasl-2.1.7

export CPPFLAGS="-I/usr/local/BerkeleyDB.4.0/include" \
LDFLAGS="-L/usr/local/BerkeleyDB.4.0/lib"

./configure --enable-plain --disable-krb4 \
--with-saslauthd=/var/run/saslauthd --with-ldap

make

make install

cd ..

tar -xzf cyrus-imapd-2.1.5.tar.gz 

cd cyrus-imapd-2.1.5

cd ../cyrus-sasl-2.1.7

mkdir -p /var/run/saslauthd

cd saslauthd

make testsaslauthd

cp testsaslauthd /usr/local/bin

ldconfig 

cd ..

cd ../cyrus-imapd-2.1.5

export CPPFLAGS="-I/usr/include/et"; ./configure \
--with-sasl=/usr/local/lib --with-perl --with-auth=unix --with-ssl \
--with-dbdir=/usr/local/BerkeleyDB.4.0 --with-ucdsnmp=no

make depend

make

make install

emacs /etc/init.d/cyrus

chmod 755 /etc/init.d/cyrus 

ln -s /etc/rc.d/init.d/cyrus /etc/rc.d/rc3.d/S20cyrus

ln -s /etc/rc.d/init.d/cyrus /etc/rc.d/rc3.d/K10cyrus 

mkdir /export/cyrus

mkdir /export/cyrus/imap

touch /export/cyrus/imapd.conf

ln -s /export/cyrus/imapd.conf /etc/imapd.conf

touch /export/cyrus/ldap.conf

ln -s /export/cyrus/ldap.conf /etc/ldap.conf

mv /etc/ldap.conf /export/cyrus/

ln -s /export/cyrus/ldap.conf /etc/ldap.conf

emacs /etc/services

ls -al /etc/imapd.conf 

ls -al /etc/cyrus.conf

touch /export/cyrus/cyrus.conf

ln -s /export/cyrus/cyrus.conf /etc/cyrus.conf

put saslauthd.conf in /export/cyrus/

 

# UNINSTALL SENDMAIL FIRST

 

# POSTFIX

cd cyrus/

ls

wget http://www.gcfl.net/postfix-download/official/postfix-1.1.11.tar.gz

ls

tar -xzf postfix-1.1.11.tar.gz 

ls

cd postfix-1.1.11

ls

less INSTALL 

./configure

ls

less INSTALL 

make

ln -s /export/cyrus/postfix/etc /etc/postfix 

emacs /etc/init.d/postfix

useradd postfix

groupadd mail

emacs /etc/passwd # add postfix to mail and cyrus groups

emacs /etc/group

make install

# CREATE SELF-SIGNED CERTIFICATE

openssl req -new -nodes -out req.pem -keyout key.pem
openssl rsa -in key.pem -out new.key.pem
openssl x509 -in req.pem -out ca-cert -req \
-signkey new.key.pem -days 999

# server.pem is used as both tls_cert_file and tls_key_file below,
# so it has to contain the certificate as well as the key
cat ca-cert new.key.pem > /export/cyrus/server.pem
rm new.key.pem

chown cyrus:mail /export/cyrus/server.pem
chmod 600 /export/cyrus/server.pem




SASLAUTHD.CONF

ldap_servers: ldaps://yourserver.yourdomain.com # ldap not ldaps if no SSL
ldap_bind_dn: cn=admin,ou=users,dc=domain,dc=com
ldap_bind_pw: password
ldap_auth_method: bind
ldap_search_base: ou=users,dc=domains,dc=com




# Cyrus Imapd.conf Configuration

configdirectory: /export/cyrus/imap
partition-default: /export/cyrus/spool/imap
admins: admin
#sasl_pwcheck_method: pam

# For SSL
tls_cert_file: /export/cyrus/server.pem
tls_key_file: /export/cyrus/server.pem

allowanonymouslogin: no
allowplaintext: yes
sasl_mech_list: PLAIN
servername: localhost
autocreatequota: 1
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pwcheck_method: saslauthd
#sievedir: /usr/sieve
#sendmail: /usr/sbin/sendmail
#sieve_maxscriptsize: 32
#sieve_maxscripts: 5

# Get rid of folders as subfolders of INBOX
altnamespace: yes 
unixhierarchysep: yes


Hope this helps.

Lee


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Kimberly
Triplett
Sent: Monday, September 23, 2002 1:19 PM
To: [EMAIL PROTECTED]
Subject: How to Instructions

I am still having problems getting my redhat linux 7.2 - cyrus - ldap
config working.  Is there anyone out there that can give me a step by step
how-to on getting this stuff installed and configured?

Thanks
Kim






RE: Serious Bug in Cyrus/SASL: Intermittent Ldap AUTHFAIL

2002-09-20 Thread Lee Hoffman

Igor,
Here's my slapd.conf.


SLAPD.conf:

---

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /export/openldap/etc/schema/core.schema
include /export/openldap/etc/schema/misc.schema
include /export/openldap/etc/schema/cosine.schema
include /export/openldap/etc/schema/inetorgperson.schema
include /export/openldap/etc/schema/horde.schema
include /export/openldap/etc/schema/domain.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org

pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args

# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

# Define global ACLs to disable default read access.
defaultaccess none

access to * by self read
    by dn="cn=softwareAdmin,ou=software,dc=domain,dc=com" write
    by dn="cn=postfixAdmin,ou=software,dc=domain,dc=com" read
    by dn="cn=listAdmin,ou=software,dc=domain,dc=com" read
    by * auth


###
# ldbm database definitions
###

database ldbm
suffix  "dc=location,dc=com"
rootdn  "cn=Manager,ou=software,dc=location,dc=com"

# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw  {SSHA}jklasdjklajasd83qkl9002002sadsasda

# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory   /export/openldap/var/openldap-ldbm

# Indices to maintain
index default pres,eq
index objectClass,uid,cn,trbcPublicEmailAddress,trbcDomainName

loglevel 0

# TLS / SSL
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /export/openldap/etc/ldapcert.pem
TLSCertificateKeyFile /export/openldap/etc/ldapkey.pem
TLSCACertificateFile /export/openldap/etc/demoCA/cacert.pem

replogfile /export/openldap/replog

# Replication
replica host=ldap2.domain.com:389
    binddn="cn=Replicator,ou=software,dc=location,dc=com"
    bindmethod=simple credentials=password



> I'd like to email you a patch for saslauthd, but I am not at a place
> where I can do this until Monday.

That would be great. I really appreciate you taking the time to help.

Sincerely,
Lee


-----Original Message-----
From: Igor Brezac [mailto:[EMAIL PROTECTED]] 
Sent: Friday, September 20, 2002 7:59 PM
To: Lee Hoffman
Cc: [EMAIL PROTECTED]
Subject: RE: Serious Bug in Cyrus/SASL: Intermittent Ldap AUTHFAIL


On Fri, 20 Sep 2002, Lee Hoffman wrote:

> Hey Igor,
> Running ldapsearch when the server is printing the AUTHFAILS returns
> what you would expect, the single user account entry for the user. Based
> on the fact that restarting the ldap server seems to help, one would
> think that it's an ldap server problem. But I just don't see how that can
> be since I've run 3 different versions of openldap, on two different
> servers, and the ldap server load never goes above 0.10.
>
> Any other ideas?
>

saslauthd can be at fault here, but I am not convinced yet.  What does
your slapd.conf look like?

I'd like to email you a patch for saslauthd, but I am not at a place
where I can do this until Monday.

I run a similar setup without any problems except I use a different OS.

-Igor

> Thanks,
> Lee
>
> -----Original Message-----
> From: Igor Brezac [mailto:[EMAIL PROTECTED]]
> Sent: Friday, September 20, 2002 6:39 PM
> To: Lee Hoffman
> Cc: [EMAIL PROTECTED]
> Subject: Re: Serious Bug in Cyrus/SASL: Intermittent Ldap AUTHFAIL
>
>
> On Fri, 20 Sep 2002, Lee Hoffman wrote:
>
> > I've been pulling my hair out with this for nearly 4 days now. I have
> > cyrus 2.1.5, sasl 2.1.7 on a RH7.3 box compiled as follows:
> >
> > SASL:
> > ./configure --enable-plain --disable-krb4
> > --with-saslauthd=/var/run/saslauthd --with-ldap=/usr/local/lib
> >
> > IMAP:
> > ./configure --with-sasl=/usr/local/lib --with-perl --with-auth=unix
> > --with-ssl --with-dbdir=/usr/local/BerkeleyDB.4.0 --with-ucdsnmp=no
> >
> > Basically I CYRUS->SASLAUTHD->LDAP
> >
> > For some reason users intermittently will be prompted for their
> 

RE: Serious Bug in Cyrus/SASL: Intermittent Ldap AUTHFAIL

2002-09-20 Thread Lee Hoffman

Hey Igor,
Running ldapsearch when the server is printing the AUTHFAILS returns
what you would expect, the single user account entry for the user. Based
on the fact that restarting the ldap server seems to help, one would
think that it's an ldap server problem. But I just don't see how that can
be since I've run 3 different versions of openldap, on two different
servers, and the ldap server load never goes above 0.10.

Any other ideas?

Thanks,
Lee 

-----Original Message-----
From: Igor Brezac [mailto:[EMAIL PROTECTED]] 
Sent: Friday, September 20, 2002 6:39 PM
To: Lee Hoffman
Cc: [EMAIL PROTECTED]
Subject: Re: Serious Bug in Cyrus/SASL: Intermittent Ldap AUTHFAIL


On Fri, 20 Sep 2002, Lee Hoffman wrote:

> I've been pulling my hair out with this for nearly 4 days now. I have
> cyrus 2.1.5, sasl 2.1.7 on a RH7.3 box compiled as follows:
>
> SASL:
> ./configure --enable-plain --disable-krb4
> --with-saslauthd=/var/run/saslauthd --with-ldap=/usr/local/lib
>
> IMAP:
> ./configure --with-sasl=/usr/local/lib --with-perl --with-auth=unix
> --with-ssl --with-dbdir=/usr/local/BerkeleyDB.4.0 --with-ucdsnmp=no
>
> Basically I CYRUS->SASLAUTHD->LDAP
>
> For some reason users intermittently will be prompted for their password
> over and over. The sasl debug log shows the following lines when that
> happens:
>
> Sep 20 16:53:46 servername saslauthd[341]: Entry not found or more than one entries found (uid=superman).
> Sep 20 16:53:46 servername saslauthd[341]: AUTHFAIL: user=superman service=imap realm=
>
> (ldap logs show nothing)
>
> The user always exists in the ldap directory. In fact 75% of the time
> they can login and use mail without problems. It seems like when I
> restart the ldap directory the AUTHFAILS stop happening for a while. I
> have the ldap directory restarting ldap every 5 minutes now, which seems
> to be keeping the AUTHFAILS to a minimum (but they are still happening).
>
>
> I immediately figured it was an LDAP problem. However, I've now tried
> openldap 2.0.25, 2.1.5, 2.0.23 as the ldap server. I've even tried each
> of these three versions on two different servers (one with redhat, one
> with debian). Both servers were completely different hardware. I also
> tried different versions of the ldap client library (and of course
> recompiled cyrus and sasl after trying each) on the cyrus server.
> Nothing stops these intermittent AUTHFAILS.
>
> Does anyone have any idea what's going on? I'm desperate. Any ideas would
> be appreciated.
>


Are there any other saslauthd lines in the syslog?  What happens when
you run
ldapsearch -x -b ou=users,dc=location,dc=com -D \
cn=postfixAdmin,ou=software,dc=location,dc=com -W uid=superman
on the command line after you start getting AUTHFAIL messages?
How many entries, if any, are returned?

Your configuration looks good.

>
>
> SASLAUTHD.CONF:
>
> ldap_servers: ldaps://server1.com # (tried ldap and ldaps here)
> ldap_bind_dn: cn=postfixAdmin,ou=software,dc=location,dc=com
> ldap_bind_pw: password
> ldap_auth_method: bind
> ldap_search_base: ou=users,dc=location,dc=com
> ldap_debug: 5000
> ldap_timeout: 15 # tried multiple values here too
> ldap_time_limit: 15 # tried multiple values here too
>
>
> IMAPD.CONF
>
> configdirectory: /export/cyrus/imap
> partition-default: /export/cyrus/spool/imap
> admins: admin
> #sasl_pwcheck_method: pam
>
> tls_cert_file: /export/cyrus/server.pem
> tls_key_file: /export/cyrus/server.pem
>
> allowanonymouslogin: no
> allowplaintext: yes
> sasl_mech_list: PLAIN
> servername: localhost
> autocreatequota: 1
> reject8bit: no
> quotawarn: 90
> timeout: 30
> poptimeout: 10
> dracinterval: 0
> drachost: localhost
> sasl_pwcheck_method: saslauthd
> #sievedir: /usr/sieve
> #sendmail: /usr/sbin/sendmail
> #sieve_maxscriptsize: 32
> #sieve_maxscripts: 5
>
> # Get rid of folders as subfolders of INBOX
> altnamespace: yes
> unixhierarchysep: yes
>
>
>

-- 
Igor






Serious Bug in Cyrus/SASL: Intermittent Ldap AUTHFAIL

2002-09-20 Thread Lee Hoffman

I've been pulling my hair out with this for nearly 4 days now. I have
cyrus 2.1.5, sasl 2.1.7 on a RH7.3 box compiled as follows:

SASL:
./configure --enable-plain --disable-krb4 \
--with-saslauthd=/var/run/saslauthd --with-ldap=/usr/local/lib

IMAP:
./configure --with-sasl=/usr/local/lib --with-perl --with-auth=unix \
--with-ssl --with-dbdir=/usr/local/BerkeleyDB.4.0 --with-ucdsnmp=no

Basically I CYRUS->SASLAUTHD->LDAP

For some reason users intermittently will be prompted for their password
over and over. The sasl debug log shows the following lines when that
happens:

Sep 20 16:53:46 servername saslauthd[341]: Entry not found or more than one entries found (uid=superman).
Sep 20 16:53:46 servername saslauthd[341]: AUTHFAIL: user=superman service=imap realm=

(ldap logs show nothing)

The user always exists in the ldap directory. In fact 75% of the time
they can login and use mail without problems. It seems like when I
restart the ldap directory the AUTHFAILS stop happening for a while. I
have the ldap directory restarting ldap every 5 minutes now, which seems
to be keeping the AUTHFAILS to a minimum (but they are still happening).


I immediately figured it was an LDAP problem. However, I've now tried
openldap 2.0.25, 2.1.5, 2.0.23 as the ldap server. I've even tried each
of these three versions on two different servers (one with redhat, one
with debian). Both servers were completely different hardware. I also
tried different versions of the ldap client library (and of course
recompiled cyrus and sasl after trying each) on the cyrus server.
Nothing stops these intermittent AUTHFAILS. 

Does anyone have any idea what's going on? I'm desperate. Any ideas would
be appreciated.

Thanks,
Lee



SASLAUTHD.CONF:

ldap_servers: ldaps://server1.com # (tried ldap and ldaps here)
ldap_bind_dn: cn=postfixAdmin,ou=software,dc=location,dc=com
ldap_bind_pw: password
ldap_auth_method: bind
ldap_search_base: ou=users,dc=location,dc=com
ldap_debug: 5000
ldap_timeout: 15 # tried multiple values here too
ldap_time_limit: 15 # tried multiple values here too


IMAPD.CONF

configdirectory: /export/cyrus/imap
partition-default: /export/cyrus/spool/imap
admins: admin
#sasl_pwcheck_method: pam

tls_cert_file: /export/cyrus/server.pem
tls_key_file: /export/cyrus/server.pem

allowanonymouslogin: no
allowplaintext: yes
sasl_mech_list: PLAIN
servername: localhost
autocreatequota: 1
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pwcheck_method: saslauthd
#sievedir: /usr/sieve
#sendmail: /usr/sbin/sendmail
#sieve_maxscriptsize: 32
#sieve_maxscripts: 5

# Get rid of folders as subfolders of INBOX
altnamespace: yes 
unixhierarchysep: yes
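
A triage sketch for the symptom described in this post, added here as an example and not code from the thread or from Cyrus SASL: it pairs the two saslauthd lines quoted above per worker pid, so that AUTHFAILs caused by a failed directory lookup can be told apart from other AUTHFAILs before lockout or brute-force alerting acts on the raw count. Every log line beyond the two quoted ones, the users batman and robin, the year default and the thresholds are constructed assumptions, as is the premise that the uid in the search error equals the user= field.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: the first two lines are the ones quoted in the post
# (unwrapped); the remaining lines are made up in the same format.
SAMPLE_LOG = """\
Sep 20 16:53:46 servername saslauthd[341]: Entry not found or more than one entries found (uid=superman).
Sep 20 16:53:46 servername saslauthd[341]: AUTHFAIL: user=superman service=imap realm=
Sep 20 16:53:51 servername saslauthd[342]: Entry not found or more than one entries found (uid=batman).
Sep 20 16:53:51 servername saslauthd[342]: AUTHFAIL: user=batman service=imap realm=
Sep 20 16:54:02 servername saslauthd[341]: Entry not found or more than one entries found (uid=superman).
Sep 20 16:54:02 servername saslauthd[341]: AUTHFAIL: user=superman service=imap realm=
Sep 20 17:20:10 servername saslauthd[343]: AUTHFAIL: user=robin service=imap realm=
Sep 20 17:20:15 servername saslauthd[343]: AUTHFAIL: user=robin service=imap realm=
Sep 20 17:20:21 servername saslauthd[343]: AUTHFAIL: user=robin service=imap realm=
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ saslauthd\[(\d+)\]: (.*)$")
LOOKUP = re.compile(r"Entry not found or more than one entries found \(uid=([^)]*)\)")
AUTHFAIL = re.compile(r"AUTHFAIL: user=(\S*) service=(\S*) realm=(\S*)")


def classify(log_text, year=2002):
    """Return (time, user, kind) for every AUTHFAIL line.

    kind is "lookup" when the same saslauthd worker (pid) logged the LDAP
    search error for that user on its previous line, otherwise "other".
    Syslog timestamps carry no year, so one is supplied by the caller.
    """
    last_lookup = {}  # pid -> uid named in that worker's previous line
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, pid, msg = m.groups()
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        lookup = LOOKUP.search(msg)
        if lookup:
            last_lookup[pid] = lookup.group(1)
            continue
        fail = AUTHFAIL.search(msg)
        if fail:
            user = fail.group(1)
            kind = "lookup" if last_lookup.get(pid) == user else "other"
            events.append((when, user, kind))
        last_lookup.pop(pid, None)  # any non-lookup line ends the pairing
    return events


def per_user(events):
    """Count failure kinds per user."""
    stats = defaultdict(Counter)
    for _, user, kind in events:
        stats[user][kind] += 1
    return {user: dict(counts) for user, counts in stats.items()}


def backend_incidents(events, window=60, min_users=2):
    """Windows in which lookup failures hit several distinct users, which
    points at the directory path rather than at any single account."""
    lookups = sorted((t, u) for t, u, kind in events if kind == "lookup")
    incidents, i = [], 0
    while i < len(lookups):
        start, j = lookups[i][0], i
        while j < len(lookups) and lookups[j][0] - start <= timedelta(seconds=window):
            j += 1
        users = sorted({u for _, u in lookups[i:j]})
        if len(users) >= min_users:
            incidents.append((start, lookups[j - 1][0], users))
            i = j
        else:
            i += 1
    return incidents


def credential_suspects(stats, threshold=3):
    """Users whose failures are NOT explained by a lookup error."""
    return sorted(u for u, c in stats.items() if c.get("other", 0) >= threshold)


if __name__ == "__main__":
    evts = classify(SAMPLE_LOG)
    print(per_user(evts))
    print(backend_incidents(evts))
    print(credential_suspects(per_user(evts)))
```
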





SSL Certificate Authority

2002-05-23 Thread Lee Hoffman

Hey all,
So after finally getting ssl working with a self-signed certificate, I'm
trying to make the certificate legit by getting a Thawte signed
certificate. I read through the cyrus docs and followed them to create
the original self-signed server.pem file (which worked). My question is
how do I then generate a CSR from that server.pem file, that I can then
submit to thawte? Likewise, when I get the new certificate back from
thawte, do I just paste it into the existing server.pem file, replacing
the key part of the file? Also, does the command cyrus recommends
"openssl req -new -x509 -nodes -out /var/imap/server.pem -keyout
/var/imap/server.pem -days 365" create a 128 bit key pair?

BTW, I also tried following the instructions for Openssl key/csr/crt
creation on thawte's website (see below). I then changed the cyrus.conf
to point to the new key and self-signed certificate and it caused cyrus
to reject ssl logins with the error: "unable to get private key from
'/var/imap/servername.com.key'" (which does exist and is readable by the
cyrus user).

--- Thawte OpenSSL instructions ---

Step 1. Go to your SSL directory
cd /usr/local/ssl/private

Step 2. Generate a private key 
openssl genrsa -des3 -rand file1:...:file5 1024 > www.xxx.com.key
Now PLEASE backup your www.xxx.com.key and make a note of the
passphrase.
Losing your key will cost you money!

Step 3. Go to your certs directory 
cd /usr/local/ssl/certs

Step 4. Generate a CSR from your key 
openssl req -new -key ../private/www.xxx.com.key > www.xxx.com.csr

Step 5. Generate a self-signed certificate 
openssl req -x509 -key ../private/www.xxx.com.key -in www.xxx.com.csr > \
www.xxx.com.crt





Clearly I don't know what I'm doing here. Any help would be much
appreciated.

Sincerely,
Lee




[was RE: SSL/TLS ] - SOLVED!!!!!!

2002-05-22 Thread Lee Hoffman

That was a typo in my email, I was compiling --with-openssl not
--with-ssl.

The good news is that I figured what the problem is though! Now
EVERYTHING is working!! Woo Hoo! 

Basically I had manually compiled openssl-0.9.6b. For ssh there is no
need to add the "shared" configure flag (which compiles shared libraries
as well as normal libraries). However, when cyrus is compiled it needs
the libssl.so shared library (which I originally didn't compile with
openssl). So I just recompiled openssl and added the shared flag (which
made the shared library). Then I recompiled cyrus:

./config ... --with-openssl=/usr/local/lib (where libssl.so is
installed).

BAM, ssl/tls works !!

Long story short for those using debian 2.2, make sure you either
install libssl-dev or if you compile openssl manually, make sure you add
the shared flag to your openssl ./config .

Thank you for all your help,
Lee   

-Original Message-
From: Jeff Bert [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, May 22, 2002 8:53 PM
To: Lee Hoffman
Cc: 'Cyrus Mailing List'
Subject: RE: SSL/TLS

i looked in the compile notes for 2.0.16 and I think maybe you have
the option wrong... maybe you should try:

--with-openssl=/usr/local/ssl

and not --with-ssl

Jeff

> -Original Message-
> From: Lee Hoffman [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 22, 2002 4:50 PM
> To: 'Jeff Bert'; 'Ken Murchison'
> Cc: 'Cyrus Mailing List'
> Subject: RE: SSL/TLS
> 
> 
> So when I restart cyrus I get the same as jeff when I run netstat.
> 
> I'm beginning to wonder if this maybe a compile issue. I just tried
> recompiling without --with-ssl, didn't change anything. I also tried a
> bunch of different compile time options, nothing helps. My original
> configure was:
> 
> ./configure  --with-cyrus-group=cyrus --with-cyrus-user=cyrus
> --with-sasldir=/usr/local --with-dbdir=/usr/local/BerkeleyDB.3.3
> --with-ssl=/usr/local/ssl
> 
> I then started to look through the config.log file, and I noticed the
> following error:
> 
> configure:3631: gcc -o conftest -g -O2
> -I/usr/local/BerkeleyDB.3.3/include -I/usr/local/include
> -L/usr/local/BerkeleyDB.3.3/lib -Wl,-rpath,/usr/local/BerkeleyDB.3.3/lib
> -L/usr/local/BerkeleyDB.3.3/lib -L/usr/local/lib
> -Wl,-rpath,/usr/local/lib  conftest.c -lssl -lcrypto  -lfl  -ldb-3  1>&5
> /usr/bin/ld: cannot find -lssl
> 
> I tried adding /usr/local/ssl/lib to ld.so.conf, but of course that didn't
> change anything because that's only for runtime. 
> 
> Does any of the above spark any insights with anyone?
> 
> Thanks,
> Lee
> 
> -Original Message-
> From: Jeff Bert [mailto:[EMAIL PROTECTED]] 
> Sent: Wednesday, May 22, 2002 4:36 PM
> To: Lee Hoffman
> Cc: 'Cyrus Mailing List'
> Subject: RE: SSL/TLS
> 
> also, i'd do a 'netstat -an | grep 993' to see if anything is listening
> on that port... i get:
> 
> tcp   0   0.0.0.0:993 0.0.0.0:*   LISTEN
> 
> and my imaps port works.
> 
> Jeff
> 
> > -Original Message-
> > From: Jeff Bert [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, May 22, 2002 1:16 PM
> > To: Lee Hoffman
> > Cc: 'Cyrus Mailing List'
> > Subject: RE: SSL/TLS
> >
> >
> > maybe you should look in /etc/xinetd.d/ and see if there is an imaps
> > file floating unwarranted in there.  maybe some other process is
> > intercepting
> > it... i know this is a wild guess
> >
> > jeff
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]]On Behalf Of Ken
> Murchison
> > > Sent: Wednesday, May 22, 2002 12:35 PM
> > > To: Lee Hoffman
> > > Cc: 'Cyrus Mailing List'
> > > Subject: Re: SSL/TLS
> > >
> > >
> > >
> > >
> > > Lee Hoffman wrote:
> > > >
> > > > The log was already at local6.debug. When I try to login, no imapd -s
> > > > process is spawned, and the logs show nothing at all (at least that I can
> > > > discern, there are a number of users logging in and out, so there's a lot
> > > > of stuff being printed).
> > > >
> > > > It seems to me that it's a problem with master not spawning (it listens,
> > > > but then doesn't spawn).
> > >
> > > If it's listening but not spawning, master probably thinks there is a
> > > process already running which can service this.  The 'available' count
> > > can get screwed up if a process gets killed but master doesn't know
> > > about it

RE: SSL/TLS

2002-05-22 Thread Lee Hoffman

So when I restart cyrus I get the same as jeff when I run netstat.

I'm beginning to wonder if this may be a compile issue. I just tried
recompiling without --with-ssl, didn't change anything. I also tried a
bunch of different compile time options, nothing helps. My original
configure was:

./configure  --with-cyrus-group=cyrus --with-cyrus-user=cyrus \
  --with-sasldir=/usr/local --with-dbdir=/usr/local/BerkeleyDB.3.3 \
  --with-ssl=/usr/local/ssl

I then started to look through the config.log file, and I noticed the
following error:

configure:3631: gcc -o conftest -g -O2
-I/usr/local/BerkeleyDB.3.3/include -I/usr/local/include
-L/usr/local/BerkeleyDB.3.3/lib -Wl,-rpath,/usr/local/BerkeleyDB.3.3/lib
-L/usr/local/BerkeleyDB.3.3/lib -L/usr/local/lib
-Wl,-rpath,/usr/local/lib  conftest.c -lssl -lcrypto  -lfl  -ldb-3  1>&5
/usr/bin/ld: cannot find -lssl

I tried adding /usr/local/ssl/lib to ld.so.conf, but of course that didn't
change anything because that's only for runtime. 

Does any of the above spark any insights with anyone?

Thanks,
Lee

-Original Message-
From: Jeff Bert [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, May 22, 2002 4:36 PM
To: Lee Hoffman
Cc: 'Cyrus Mailing List'
Subject: RE: SSL/TLS

also, i'd do a 'netstat -an | grep 993' to see if anything is listening
on that port... i get:

tcp 0   0.0.0.0:993 0.0.0.0:*   LISTEN

and my imaps port works.

Jeff

> -Original Message-
> From: Jeff Bert [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 22, 2002 1:16 PM
> To: Lee Hoffman
> Cc: 'Cyrus Mailing List'
> Subject: RE: SSL/TLS
>
>
> maybe you should look in /etc/xinetd.d/ and see if there is an imaps
> file floating unwarranted in there.  maybe some other process is
> intercepting
> it... i know this is a wild guess
>
> jeff
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Ken
Murchison
> > Sent: Wednesday, May 22, 2002 12:35 PM
> > To: Lee Hoffman
> > Cc: 'Cyrus Mailing List'
> > Subject: Re: SSL/TLS
> >
> >
> >
> >
> > Lee Hoffman wrote:
> > >
> > > The log was already at local6.debug. When I try to login, no imapd -s
> > > process is spawned, and the logs show nothing at all (at least that I can
> > > discern, there are a number of users logging in and out, so there's a lot
> > > of stuff being printed).
> > >
> > > It seems to me that it's a problem with master not spawning (it listens,
> > > but then doesn't spawn).
> >
> > If it's listening but not spawning, master probably thinks there is a
> > process already running which can service this.  The 'available' count
> > can get screwed up if a process gets killed but master doesn't know
> > about it.
> >
> > I would try restarting master.
> >
> > > I'm going to try a recompile without the --with-ssl, any other ideas
> > > before I do so (I'm trying to avoid it since this is a live server)?
> >
> > This probably won't make a difference.  imapd would complain if you
> > tried to do SSL/TLS and it wasn't compiled with it.
> >
> >
> >
> > > -Original Message-
> > > From: Ken Murchison [mailto:[EMAIL PROTECTED]]
> > > Sent: Wednesday, May 22, 2002 3:13 PM
> > > To: Lee Hoffman
> > > Cc: 'Cyrus Mailing List'
> > > Subject: Re: SSL/TLS
> > >
> > > Lee Hoffman wrote:
> > > >
> > > > Im not sure if its being caused by login attempts via ssl
> (although it
> > > > seems to happen when I try to login via ssl from a mail
> client or when
> > > I
> > > > run the command below), but imapd prints the following:
> > > >
> > > > May 22 14:55:51 servername master[18641]: process 28462
> exited, status
> > > 0
> > > >
> > > > Yes, imaps is listed in /etc/services
> > >
> > > Alright.  Crank the imap logging level up to local6.debug and
restart
> > > syslogd.
> > >
> > > Try to make another connection, and see if an 'imapd -s' gets
spawned.
> > > Look in imapd.log and do a 'ps -f -u cyrus'.
> > >
> > > If you have a running 'imapd -s', then do an strace on it to
> see what it
> > > is doing.
> > >
> > > Ken
> > >
> > > > -Original Message-
> > > > From: Ken Murchison [mailto:[EMAIL PROTECTED]]
> > > > Sent: Wednesday, May 22, 2002 2:52 PM
> > > > To: Lee Hoffman
> > 

RE: SSL/TLS

2002-05-22 Thread Lee Hoffman

The log was already at local6.debug. When I try to login, no imapd -s
process is spawned, and the logs show nothing at all (at least that I can
discern, there are a number of users logging in and out, so there's a lot
of stuff being printed).

It seems to me that it's a problem with master not spawning (it listens,
but then doesn't spawn). 

I'm going to try a recompile without the --with-ssl, any other ideas
before I do so (I'm trying to avoid it since this is a live server)?

Thanks again,
Lee

P.S. Not that it should matter, but I'm doing pam/ldap auth.

-Original Message-
From: Ken Murchison [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, May 22, 2002 3:13 PM
To: Lee Hoffman
Cc: 'Cyrus Mailing List'
Subject: Re: SSL/TLS



Lee Hoffman wrote:
> 
> I'm not sure if it's being caused by login attempts via ssl (although it
> seems to happen when I try to login via ssl from a mail client or when I
> run the command below), but imapd prints the following:
> 
> May 22 14:55:51 servername master[18641]: process 28462 exited, status 0
> 
> Yes, imaps is listed in /etc/services


Alright.  Crank the imap logging level up to local6.debug and restart
syslogd.

Try to make another connection, and see if an 'imapd -s' gets spawned. 
Look in imapd.log and do a 'ps -f -u cyrus'.

If you have a running 'imapd -s', then do an strace on it to see what it
is doing.

Ken


> -Original Message-
> From: Ken Murchison [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 22, 2002 2:52 PM
> To: Lee Hoffman
> Cc: 'Cyrus Mailing List'
> Subject: Re: SSL/TLS
> 
> Lee Hoffman wrote:
> >
> > When I run /usr/local/ssl/bin/openssl s_client -connect
localhost:993
> >
> > The following is printed:
> >
> > CONNECTED(0003)
> >
> > Then it just hangs.
> 
> Check imapd.log for errors.  Is "imaps" listed in /etc/services?
> 
> Ken
> --
> Kenneth Murchison Oceana Matrix Ltd.
> Software Engineer 21 Princeton Place
> 716-662-8973 x26  Orchard Park, NY 14127
> --PGP Public Key--http://www.oceana.com/~ken/ksm.pgp

-- 
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp





RE: SSL/TLS

2002-05-22 Thread Lee Hoffman

I'm not sure if it's being caused by login attempts via ssl (although it
seems to happen when I try to login via ssl from a mail client or when I
run the command below), but imapd prints the following:

May 22 14:55:51 servername master[18641]: process 28462 exited, status 0

Yes, imaps is listed in /etc/services

Lee

-Original Message-
From: Ken Murchison [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, May 22, 2002 2:52 PM
To: Lee Hoffman
Cc: 'Cyrus Mailing List'
Subject: Re: SSL/TLS



Lee Hoffman wrote:
> 
> When I run /usr/local/ssl/bin/openssl s_client -connect localhost:993
> 
> The following is printed:
> 
> CONNECTED(0003)
> 
> Then it just hangs.

Check imapd.log for errors.  Is "imaps" listed in /etc/services?

Ken
-- 
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp





RE: SSL/TLS

2002-05-22 Thread Lee Hoffman

When I run /usr/local/ssl/bin/openssl s_client -connect localhost:993

The following is printed:

CONNECTED(0003)

Then it just hangs.

L

-Original Message-
From: Ken Murchison [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, May 22, 2002 11:31 AM
To: Lee Hoffman
Cc: Cyrus Mailing List
Subject: Re: SSL/TLS



Lee Hoffman wrote:
> 
> This is VERY weird!!! When I telnet into the mailserver on 993:
> 
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> . logout
> ^X
> 
> No commands works, yet it says that its connected! '. logout' does
> nothing, '. starttls' does nothing etc... I checked inetd, and other
> services running, and none bind to 993. Could the master process be
> listening on 993 and then *not* spawning a new imapd -s when a
> connection comes in??

Port 993 is IMAP over SSL (imaps) which expects an SSL negotiation to be
made as soon as the connection is opened.  Try doing this instead:

openssl s_client -connect localhost:993



> -Original Message-
> From: Scott M Likens [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 22, 2002 2:41 AM
> To: Lee Hoffman; 'Jeff Bert'; [EMAIL PROTECTED]
> Subject: RE: SSL/TLS
> 
> *sigh*
> 
> Telnet to your imap port and please verify that the STARTTLS command
> exists...
> 
> Easiest way to do that instead of doing . logout
> 
> do . starttls
> 
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> * OK shell Cyrus IMAP4 v2.1.4 server ready
> . starttls
> . OK Begin TLS negotiation now
> 
> like that
> 
> *bleh*
> 
> Stop using imtest like a golden rule folks.  Use an ACTUAL mail client
> to
> test things!!!
> 
> --On Wednesday, May 22, 2002 12:58 AM -0400 Lee Hoffman
> <[EMAIL PROTECTED]> wrote:
> 
> > Here is my imapd.conf:
> >
> > configdirectory: /var/imap
> > partition-default: /var/spool/imap
> > admins: adminuser
> > sasl_pwcheck_method: PAM
> >
> > tls_cert_file: /var/imap/server.pem
> > tls_key_file: /var/imap/server.pem
> >
> > (/var/imap/server.pem exists and is readable by the cyrus user)
> >
> > ok running:  'imtest -t "" -u lee -a lee -r servername.com
> > servername.com' gets auth working, but still no STARTTLS:
> >
> > C: C01 CAPABILITY
> > S: * OK servername.com Cyrus IMAP4 v2.0.16 server ready
> > S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS
> ID
> > NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT
> > THREAD=REFERENCES IDLE
> > S: C01 OK Completed
> > Password:
> > C: L01 LOGIN lee {8}
> > + go ahead
> > C: 
> > L01 OK User logged in
> > Authenticated.
> > Security strength factor: 0
> >
> > Any other ideas?
> >
> > Lee
> >
> >
> > -Original Message-
> > From: Jeff Bert [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, May 22, 2002 12:28 AM
> > To: Lee Hoffman; [EMAIL PROTECTED]
> > Subject: RE: SSL/TLS
> >
> > did you add these to your imapd.conf:
> >
> > tls_ca_path: /path-to-ca-folder/
> > tls_ca_file: /path-to-ca-file/
> > tls_cert_file: /path-to-cert-file/
> > tls_key_file: /path-to-key-file/
> >
> > ?
> >
> >> -Original Message-
> >> From: [EMAIL PROTECTED]
> >> [mailto:[EMAIL PROTECTED]]On Behalf Of Lee
> Hoffman
> >> Sent: Tuesday, May 21, 2002 8:21 PM
> >> To: [EMAIL PROTECTED]
> >> Subject: SSL/TLS
> >>
> >>
> >> Hey all,
> >> I'm trying to get SSL/TLS working on cyrus 2.0.16. I followed the
> >> instructions to a "T" to create the certificate. I also compiled
> cyrus
> >> -with-ssl=/usr/local/ssl (the latest version of openssl is
installed,
> >> and working with the sshd daemon). Anyway, cyrus (which is
> >> authenticating off PAM/ldap) works fine. However, as soon as I try
to
> >> enable ssl from my email client, the client is unable to connect to
> > the
> >> server. I tried telneting into the box on port 993 and cyrus does
> >> answer.
> >>
> >> Here is the output from imtest:
> >>
> >> Server-name:~# imtest -t "" -u lee server-name.com
> >> C: C01 CAPABILITY
> >> S: * OK server-name.com Cyrus IMAP4 v2.0.16 server ready
> >> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE
UIDPLUS
> > ID
> >> NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT
> >> THREAD=REFERENCES IDLE
> >> S: C01 OK Com

RE: SSL/TLS

2002-05-22 Thread Lee Hoffman

Scratch that, that error prints out occasionally even when I'm not trying
to log in via ssl.

Lee


-Original Message-
From: Ken Murchison [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, May 22, 2002 2:52 PM
To: Lee Hoffman
Cc: 'Cyrus Mailing List'
Subject: Re: SSL/TLS



Lee Hoffman wrote:
> 
> When I run /usr/local/ssl/bin/openssl s_client -connect localhost:993
> 
> The following is printed:
> 
> CONNECTED(0003)
> 
> Then it just hangs.

Check imapd.log for errors.  Is "imaps" listed in /etc/services?

Ken
-- 
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp





RE: SSL/TLS

2002-05-22 Thread Lee Hoffman

This is VERY weird!!! When I telnet into the mailserver on 993:

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
. logout
^X

No command works, yet it says that it's connected! '. logout' does
nothing, '. starttls' does nothing etc... I checked inetd, and other
services running, and none bind to 993. Could the master process be
listening on 993 and then *not* spawning a new imapd -s when a
connection comes in?? 

BTW, I did restart, many times, since trying everything.

I also don't have a CA.

Lee 

-Original Message-
From: Scott M Likens [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, May 22, 2002 2:41 AM
To: Lee Hoffman; 'Jeff Bert'; [EMAIL PROTECTED]
Subject: RE: SSL/TLS

*sigh*

Telnet to your imap port and please verify that the STARTTLS command 
exists...

Easiest way to do that instead of doing . logout

do . starttls

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK shell Cyrus IMAP4 v2.1.4 server ready
. starttls
. OK Begin TLS negotiation now

like that

*bleh*

Stop using imtest like a golden rule folks.  Use an ACTUAL mail client
to 
test things!!!

--On Wednesday, May 22, 2002 12:58 AM -0400 Lee Hoffman 
<[EMAIL PROTECTED]> wrote:

> Here is my imapd.conf:
>
> configdirectory: /var/imap
> partition-default: /var/spool/imap
> admins: adminuser
> sasl_pwcheck_method: PAM
>
> tls_cert_file: /var/imap/server.pem
> tls_key_file: /var/imap/server.pem
>
> (/var/imap/server.pem exists and is readable by the cyrus user)
>
> ok running:  'imtest -t "" -u lee -a lee -r servername.com
> servername.com' gets auth working, but still no STARTTLS:
>
> C: C01 CAPABILITY
> S: * OK servername.com Cyrus IMAP4 v2.0.16 server ready
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS
ID
> NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT
> THREAD=REFERENCES IDLE
> S: C01 OK Completed
> Password:
> C: L01 LOGIN lee {8}
> + go ahead
> C: 
> L01 OK User logged in
> Authenticated.
> Security strength factor: 0
>
> Any other ideas?
>
> Lee
>
>
> -Original Message-
> From: Jeff Bert [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 22, 2002 12:28 AM
> To: Lee Hoffman; [EMAIL PROTECTED]
> Subject: RE: SSL/TLS
>
> did you add these to your imapd.conf:
>
> tls_ca_path: /path-to-ca-folder/
> tls_ca_file: /path-to-ca-file/
> tls_cert_file: /path-to-cert-file/
> tls_key_file: /path-to-key-file/
>
> ?
>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED]]On Behalf Of Lee
Hoffman
>> Sent: Tuesday, May 21, 2002 8:21 PM
>> To: [EMAIL PROTECTED]
>> Subject: SSL/TLS
>>
>>
>> Hey all,
>> I'm trying to get SSL/TLS working on cyrus 2.0.16. I followed the
>> instructions to a "T" to create the certificate. I also compiled
cyrus
>> -with-ssl=/usr/local/ssl (the latest version of openssl is installed,
>> and working with the sshd daemon). Anyway, cyrus (which is
>> authenticating off PAM/ldap) works fine. However, as soon as I try to
>> enable ssl from my email client, the client is unable to connect to
> the
>> server. I tried telneting into the box on port 993 and cyrus does
>> answer.
>>
>> Here is the output from imtest:
>>
>> Server-name:~# imtest -t "" -u lee server-name.com
>> C: C01 CAPABILITY
>> S: * OK server-name.com Cyrus IMAP4 v2.0.16 server ready
>> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS
> ID
>> NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT
>> THREAD=REFERENCES IDLE
>> S: C01 OK Completed
>> Password:
>> C: L01 LOGIN root {8}
>> + go ahead
>> C: 
>> L01 NO Login failed: authentication failure
>> Authentication failed. generic failure
>> Security strength factor: 0
>>
>>
>> What really worries me is that STARTTLS is even listed in
CAPABILITIES
>> (it should be shouldn't it?).
>>
>> My cyrus.conf file:
>>
>> # standard standalone server implementation
>>
>> START {
>>   # do not delete these entries!
>>   mboxlist  cmd="ctl_mboxlist -r"
>>   deliver   cmd="ctl_deliver -r"
>>
>>   # this is only necessary if using idled for IMAP IDLE
>> #  idledcmd="idled"
>> }
>>
>> # UNIX sockets start with a slash and are put into /var/imap/sockets
>> SERVICES {
>>   # add or remove based on preferences
>>   imap  cmd="imapd" listen="imap" prefork=5
>>   imaps cmd="ima

RE: SSL/TLS

2002-05-21 Thread Lee Hoffman

Here is my imapd.conf:

configdirectory: /var/imap
partition-default: /var/spool/imap
admins: adminuser
sasl_pwcheck_method: PAM

tls_cert_file: /var/imap/server.pem
tls_key_file: /var/imap/server.pem

(/var/imap/server.pem exists and is readable by the cyrus user)

ok running:  'imtest -t "" -u lee -a lee -r servername.com
servername.com' gets auth working, but still no STARTTLS:

C: C01 CAPABILITY
S: * OK servername.com Cyrus IMAP4 v2.0.16 server ready
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID
NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT
THREAD=REFERENCES IDLE
S: C01 OK Completed
Password: 
C: L01 LOGIN lee {8}
+ go ahead
C: 
L01 OK User logged in
Authenticated.
Security strength factor: 0

Any other ideas?

Lee


-Original Message-
From: Jeff Bert [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, May 22, 2002 12:28 AM
To: Lee Hoffman; [EMAIL PROTECTED]
Subject: RE: SSL/TLS

did you add these to your imapd.conf:

tls_ca_path: /path-to-ca-folder/
tls_ca_file: /path-to-ca-file/
tls_cert_file: /path-to-cert-file/
tls_key_file: /path-to-key-file/

?

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Lee Hoffman
> Sent: Tuesday, May 21, 2002 8:21 PM
> To: [EMAIL PROTECTED]
> Subject: SSL/TLS
> 
> 
> Hey all,
> I'm trying to get SSL/TLS working on cyrus 2.0.16. I followed the
> instructions to a "T" to create the certificate. I also compiled cyrus
> -with-ssl=/usr/local/ssl (the latest version of openssl is installed,
> and working with the sshd daemon). Anyway, cyrus (which is
> authenticating off PAM/ldap) works fine. However, as soon as I try to
> enable ssl from my email client, the client is unable to connect to
the
> server. I tried telneting into the box on port 993 and cyrus does
> answer. 
> 
> Here is the output from imtest:
> 
> Server-name:~# imtest -t "" -u lee server-name.com
> C: C01 CAPABILITY
> S: * OK server-name.com Cyrus IMAP4 v2.0.16 server ready
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS
ID
> NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT
> THREAD=REFERENCES IDLE
> S: C01 OK Completed
> Password: 
> C: L01 LOGIN root {8}
> + go ahead
> C: 
> L01 NO Login failed: authentication failure
> Authentication failed. generic failure
> Security strength factor: 0 
> 
> 
> What really worries me is that STARTTLS is even listed in CAPABILITIES
> (it should be shouldn't it?). 
> 
> My cyrus.conf file:
> 
> # standard standalone server implementation
> 
> START {
>   # do not delete these entries!
>   mboxlist      cmd="ctl_mboxlist -r"
>   deliver       cmd="ctl_deliver -r"
> 
>   # this is only necessary if using idled for IMAP IDLE
> #  idled        cmd="idled"
> }
> 
> # UNIX sockets start with a slash and are put into /var/imap/sockets
> SERVICES {
>   # add or remove based on preferences
>   imap          cmd="imapd" listen="imap" prefork=5
>   imaps         cmd="imapd -s" listen="imaps" prefork=1
> #  pop3         cmd="pop3d" listen="pop3" prefork=3
> #  pop3s        cmd="pop3d -s" listen="pop3s" prefork=1
> #  sieve        cmd="timsieved" listen="sieve" prefork=0
> 
>   # at least one LMTP is required for delivery
> #  lmtp         cmd="lmtpd" listen="lmtp" prefork=0
>   lmtpunix      cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=1
> }
> 
> EVENTS {
>   # this is required
>   checkpoint    cmd="ctl_mboxlist -c" period=30
> 
>   # this is only necessary if using duplicate delivery suppression
>   delprune      cmd="ctl_deliver -E 3" period=1440
> } 
> 
> 
> Any ideas?
> 
> Thanks,
> Lee
> 
> 





SSL/TLS

2002-05-21 Thread Lee Hoffman

Hey all,
I'm trying to get SSL/TLS working on cyrus 2.0.16. I followed the
instructions to a "T" to create the certificate. I also compiled cyrus
-with-ssl=/usr/local/ssl (the latest version of openssl is installed,
and working with the sshd daemon). Anyway, cyrus (which is
authenticating off PAM/ldap) works fine. However, as soon as I try to
enable ssl from my email client, the client is unable to connect to the
server. I tried telnetting into the box on port 993 and cyrus does
answer. 

Here is the output from imtest:

Server-name:~# imtest -t "" -u lee server-name.com
C: C01 CAPABILITY
S: * OK server-name.com Cyrus IMAP4 v2.0.16 server ready
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID
NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT
THREAD=REFERENCES IDLE
S: C01 OK Completed
Password: 
C: L01 LOGIN root {8}
+ go ahead
C: 
L01 NO Login failed: authentication failure
Authentication failed. generic failure
Security strength factor: 0 


What really worries me is that STARTTLS is even listed in CAPABILITIES
(it should be shouldn't it?). 

My cyrus.conf file:

# standard standalone server implementation

START {
  # do not delete these entries!
  mboxlist      cmd="ctl_mboxlist -r"
  deliver       cmd="ctl_deliver -r"

  # this is only necessary if using idled for IMAP IDLE
#  idled        cmd="idled"
}

# UNIX sockets start with a slash and are put into /var/imap/sockets
SERVICES {
  # add or remove based on preferences
  imap          cmd="imapd" listen="imap" prefork=5
  imaps         cmd="imapd -s" listen="imaps" prefork=1
#  pop3         cmd="pop3d" listen="pop3" prefork=3
#  pop3s        cmd="pop3d -s" listen="pop3s" prefork=1
#  sieve        cmd="timsieved" listen="sieve" prefork=0

  # at least one LMTP is required for delivery
#  lmtp         cmd="lmtpd" listen="lmtp" prefork=0
  lmtpunix      cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=1
}

EVENTS {
  # this is required
  checkpoint    cmd="ctl_mboxlist -c" period=30

  # this is only necessary if using duplicate delivery suppression
  delprune      cmd="ctl_deliver -E 3" period=1440
} 


Any ideas?

Thanks,
Lee




RE: Webmail for Cyrus Imap ?

2001-12-13 Thread Lee Hoffman

I LOVE YOU ALL!!! I've been working on this problem with IMP/MD5/php 4
for 3 days now to no avail. Sure enough I removed sasldb and boom! It
worked. 

BTW, does anyone know how to get cyradm to use pam to authenticate an
admin (when I try to tell it to use pam, it won't let me in). The only
way I've been able to use cyradm was to saslpasswd the administrator user
and then auth off of sasl for that user (but obviously I can't do that
anymore if I want IMP to work ).

Thanks,
Lee


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, December 13, 2001 1:59 AM
To: Robert Scussel
Cc: [EMAIL PROTECTED]
Subject: Re: Webmail for Cyrus Imap ?

Robert Scussel schrieb am Wed, Dec 12, 2001 at 09:51:21PM -0500:
* Thanks, first of all for the help getting cyrus working with 
* saslauthd-pam...
* 
* I have been trying for days now to get the latest IMP(3.0) with the 
* latest Horde(2.0) to work with cyrus.  The problem now is that imp tries
* to use the protocol imap to logon, which then tries to logon via
* 
*   CRAM-MD5, sasldb2, and even kerberos
* 
* It doesn't appear to try pam/plain/saslauthd login.


Most webmailers I saw (e.g. aeromail, twig) did a CAPABILITY upon connect
and tried to do the most secure authentication first.  So if your server
lists CRAM-MD5 in its capability list, the webmailer will try that before
trying PLAIN.

We debugged this down to the code of imap-2001 which is the library that
is mostly used by PHP for IMAP issues.  So if you set up a PHP webmailer,
you can't help this behaviour because it's hardcoded into the lib.

We finally did a very nasty workaround: As we use LDAP-via-PAM as
authentication backend, we do not need the sasldb - and when completely
removing /etc/sasldb, Cyrus IMAP stops sending CRAM-MD5 in its capability
list. 


- Birger
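
Both the SSL/TLS thread above (an imtest transcript with no STARTTLS and "Security strength factor: 0") and this message (a client trying CRAM-MD5 before PLAIN) come down to reading the CAPABILITY list the way a client does. The parser below is an added example, not code from the posts, Cyrus or imap-2001; `CLIENT_PREFERENCE` is an assumed ordering that mirrors the behaviour described here, and the second sample greeting is constructed.

```python
import re

STATUS = {"OK", "NO", "BAD"}
# Mechanisms whose exchange reveals the password to anyone on the wire.
PASSWORD_IN_CLEAR = {"PLAIN", "LOGIN"}
# Assumed client policy: strongest first, as the message above describes.
CLIENT_PREFERENCE = ("CRAM-MD5", "PLAIN")


def parse_capability(transcript):
    """Collect capability atoms from a greeting or CAPABILITY response.

    Accepts raw server output or imtest-style "S: "/"C: " transcripts,
    including lists that a mail client wrapped onto following lines.
    """
    caps = set()
    collecting = False
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith("C:"):            # client side of an imtest log
            collecting = False
            continue
        if line.startswith("S:"):
            line = line[2:].strip()
        bracket = re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.IGNORECASE)
        if bracket:                          # "* OK [CAPABILITY ...] text"
            caps.update(bracket.group(1).upper().split())
            collecting = False
            continue
        if line.upper().startswith("* CAPABILITY "):
            caps.update(line.upper().split()[2:])
            collecting = True
            continue
        if collecting:
            tokens = line.upper().split()
            # A new untagged/continuation response or a tagged status
            # line ("C01 OK Completed") ends the wrapped list.
            if (not tokens or tokens[0] in ("*", "+")
                    or (len(tokens) > 1 and tokens[1] in STATUS)):
                collecting = False
            else:
                caps.update(tokens)
    return caps


def pick_mechanism(caps, preference=CLIENT_PREFERENCE):
    """Return the command a client with this preference would send."""
    offered = {c[5:] for c in caps if c.startswith("AUTH=")}
    for mech in preference:
        if mech in offered:
            return "AUTHENTICATE " + mech
    return None if "LOGINDISABLED" in caps else "LOGIN"


def assess(caps, tls_active=False):
    """Summarise what the advertised list means for credential exposure."""
    mechs = sorted(c[5:] for c in caps if c.startswith("AUTH="))
    findings = []
    if not tls_active:
        if "STARTTLS" not in caps:
            findings.append("STARTTLS not offered: session stays unencrypted")
        if "LOGINDISABLED" not in caps:
            findings.append("LOGIN accepted before TLS: password in cleartext")
        exposed = [m for m in mechs if m in PASSWORD_IN_CLEAR]
        if exposed:
            findings.append("cleartext mechanisms before TLS: "
                            + ", ".join(exposed))
    return {"mechanisms": mechs, "choice": pick_mechanism(caps),
            "findings": findings}


# imtest output as posted in the SSL/TLS thread (mail-wrapped lines kept).
PAGE_TRANSCRIPT = """\
C: C01 CAPABILITY
S: * OK servername.com Cyrus IMAP4 v2.0.16 server ready
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID
NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT
THREAD=REFERENCES IDLE
S: C01 OK Completed
"""
# Constructed greetings: with sasldb present, and after removing it.
WITH_SASLDB = "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=CRAM-MD5 AUTH=PLAIN] x"
WITHOUT_SASLDB = "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] x"

if __name__ == "__main__":
    print(assess(parse_capability(PAGE_TRANSCRIPT)))
    print(pick_mechanism(parse_capability(WITH_SASLDB)))
    print(pick_mechanism(parse_capability(WITHOUT_SASLDB)))
```

Passing `tls_active=True` models a session on port 993 or after STARTTLS, where PLAIN and LOGIN no longer expose the password on the wire.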




RE: Solaris 7 and Cyrus 2.0.16/LDAP/SASL/PAM

2001-11-09 Thread Lee Hoffman

I've had a heck of a time getting LDAP/cyrus/postfix all working
together, but I finally did it. These were my stumbling blocks, maybe
one of them will fix your problems:

(all done on debian 2.2r3 with latest cyrus/cyrus-sasl)

Do Not apply the cyrus-ldap patches. I've tried them all and all I found
was that they caused cyrus to misbehave (crash, core-dump etc...).

Instead use cyrus-sasl with PAM-LDAP. Follow the directions for
compiling them, except for one note:

Run : 
export LDFLAGS=-L/usr/local/BerkeleyDB.3.3/lib
export CPPFLAGS=-I/usr/local/BerkeleyDB.3.3/include

before compiling sasl in order to ensure that it links against
BerkeleyDB (this caused me A LOT of problems).

All in all my configs looked something like this:

#SASL
export LDFLAGS=-L/usr/local/BerkeleyDB.3.3/lib
export CPPFLAGS=-I/usr/local/BerkeleyDB.3.3/include
./configure --disable-krb4 --disable-gssapi # --with-ldap=/usr/local/lib

#CYRUS
./configure --with-cyrus-group=cyrus --with-cyrus-user=cyrus \
  --with-ssl=/usr/local/ssl --with-dbdir=/usr/local/BerkeleyDB.3.3

make depend
make all CFLAGS=-O 


Hope this helps,
Lee


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Tarjei Huse
Sent: Friday, November 09, 2001 5:26 PM
To: Gardiner Leverett
Cc: [EMAIL PROTECTED]
Subject: Re: Solaris 7 and Cyrus 2.0.16/LDAP/SASL/PAM

This looks like the good old SASL-LDAP problem. Have you read the FAQ?
Faq: cyrus-utils.sf.net/faq have a special look at the death by 11
section :)

Hope this helps.

Tarjei

Gardiner Leverett wrote:
> 
> I have a rather complicated load I'm trying to do.  I've been going
> through the archives without any answers.
> 
> I have a server running Solaris 2.7, and I'm trying to build Cyrus 2.0.16
> with SASL 1.5.24, OpenLDAP 2.0.18, and pam_ldap 1.33.
> 
> I can't even tell if any of this is working as the imap server doesn't
> even respond when connecting via the telnet port.  I get:
> 
> # telnet localhost imap
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> Connection closed by foreign host.
> 
> When I run the imtest:
> 
> # ./imtest -m login localhost
> C: C01 CAPABILITY
> failure: prot layer failure
> 
> I originally built the server to check against the password file, and I
> received this error.  I have re-compiled Cyrus to use OpenLDAP and I still
> have received this error.  I can't determine if any of the
> OpenLDAP/PAM/SASL issues others have mentioned on this list and other are
> related since the server doesn't even work.
> 
> The configure line I used to build this server was:
> 
> ./configure  --prefix=/private/cyrus --with-sasl=/private/software/sasl
> --with-auth=unix --with-cyrus-prefix=/private/cyrus --disable-sieve
> 
> The configure line for SASL was:
> 
> ./configure  --prefix=/private/software/sasl --disable-krb4
> --disable-gssapi --disable-cram --disable-digest
> --with-ldap=/private/openldap --with-pam=/usr/lib/security
> 
> My ultimate goal is to have version 2.0.16 authenticating users against a
> local OpenLDAP server (with or without PAM).  I've tried the sasl patch to
> make sasl talk to ldap directly, but after applying the patch, the code
> doesn't compile.
> 
> My fall back is using cyrus 1.5.19 (compiled on Solaris 2.6) with checking
> to /etc/passwd.  (I stole this from another machine in-house).  It does
> work, but I have to work on the tcl part for cyradm.
> 
> Is there anyone who's run into this problem or similar?  Does anyone know
> what I'm doing wrong?  And why has the CMU Cyrus web server been going up
> and down the past week?
> 
> --
> Gardiner D. Leverett[EMAIL PROTECTED]
> Merit Network, Inc. Phone: 734-647-9888
> 4251 Plymouth Road, Suite 2000  Ann Arbor, MI  48105-2785
> http://www.merit.edu




SASL-LDAP Patch = Ahhh!

2001-10-28 Thread Lee Hoffman

Hey All,

So I'm trying to compile Cyrus-sasl with the SASL-Auth-LDAP patch (http://sourceforge.net/projects/cyrus-utils/) and cyrus-sasl 1.5.24.

I untar everything and run:

patch -p1 < sasl-ldap+mysql.patch
autoheader
autoconf
automake -i
export CPPFLAGS=-I/usr/local/BerkeleyDB.3.3/include
export LDFLAGS=-L/usr/local/BerkeleyDB.3.3/lib
./configure --with-ldap=/usr/local/lib
make
make install

Everything goes without a hitch. Then I try to run cyradm myserver.mydomain.com and enter the root user’s password from the ldap directory and then I get the following error:

IMAP Password: 

  Login failed: ldap_basedn not defined at /usr/local/lib/site_perl/i386-linux/Cyrus/IMAP/Admin.pm line 78

cyradm: cannot authenticate to server with  as root

and the following is printed to the auth log:

Oct 24 19:53:43 servername imapd[6199]: unable to open Berkeley db /etc/sasldb: Unknown error 4294936307
Oct 24 19:53:43 servername imapd[6199]: unable to open Berkeley db /etc/sasldb: Unknown error 4294936307
Oct 24 19:53:43 servername imapd[6199]: unable to open Berkeley db /etc/sasldb: Unknown error 4294936307
Oct 24 19:53:43 servername imapd[6199]: unable to open Berkeley db /etc/sasldb: Unknown error 4294936307
Oct 24 19:53:43 servername imapd[6199]: unable to open Berkeley db /etc/sasldb: Unknown error 4294936307
Oct 24 19:53:43 servername imapd[6199]: unable to open Berkeley db /etc/sasldb: Unknown error 4294936307


Please help! I've been working on this for over a month, and have been getting nowhere.

Thanks in advance,

Lee




RE: Master Segmentation Fault - SOLVED!

2001-10-22 Thread Lee Hoffman

I finally got it!!! The first piece was obviously to delete the line db
from services in /etc/nsswitch.conf. The second piece of the puzzle was
that I had to recompile sasl executing the following commands before
configuring:

export CPPFLAGS=-I/usr/local/BerkeleyDB.3.3/include
export LDFLAGS=-L/usr/local/BerkeleyDB.3.3/lib

Boom! Everything now works. 

Thanks again for all your help.

Lee

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Mika Iisakkila
Sent: Monday, October 22, 2001 3:14 PM
To: [EMAIL PROTECTED]
Subject: Re: Master Segmentation Fault

Lee Hoffman wrote:
> Thanks a bunch for the advice. I deleted db from /etc/nsswitch.conf and
> voilà, master stopped segfaulting on launch.
...
> Oct 21 13:09:27 grass master[1520]: about to exec
> /usr/local/cyrus/bin/imapd
> Oct 21 13:09:27 grass master[1508]: process 1520 exited, signaled to
> death by 11

Well, it's obvious that now that the master runs, all its children
are still dying, probably for the same reason. Did you try setting
LD_LIBRARY_PATH to point to where you have the DB-3 libraries
(those that you linked with) prior to running master? Does
"ldd imapd" show that those libraries are actually getting selected
instead of libdb or libdb2? Do you have other "db" references in
nsswitch.conf? Can't think of anything else...

--mika




RE: Master Segmentation Fault

2001-10-21 Thread Lee Hoffman

Dear Mika,
Thanks a bunch for the advice. I deleted db from /etc/nsswitch.conf and
voilà, master stopped segfaulting on launch.

Unfortunately, IMAP still isn't working though. When I run:
/usr/local/bin/imtest -m login foobar

I get the following error:

gethostbyname: No such file or directory
failure: Network initialization

Also, I can telnet to port 143, but when postfix delivers mail to cyrus
(for example to the testuser account), the mail is never delivered and
the following processes are run, and never die (even if the box is
restarted, the same processes reappear):

642 ? S 0:00 pipe -n cyrus -t unix flags=R user=cyrus
argv=/usr/cyrus/bin/deliver -e -m ${extension
  
643 ? S 0:00 /usr/cyrus/bin/deliver -e -m  testuser


When I start master, master shows up under running processes, but imapd
doesn't. 

The following appears in the logs:

---

9:27 grass master: unable to change limit of file descriptors available
Oct 21 13:09:27 grass master[1508]: process started
Oct 21 13:09:27 grass master[1509]: about to exec
/usr/local/cyrus/bin/ctl_mboxlist
Oct 21 13:09:27 grass ctl_mboxlist[1509]: running mboxlist recovery
Oct 21 13:09:27 grass ctl_mboxlist[1509]: done running mboxlist recovery
Oct 21 13:09:27 grass service-imap[1518]: executed
Oct 21 13:09:27 grass master[1520]: about to exec
/usr/local/cyrus/bin/imapd
Oct 21 13:09:27 grass service-imap[1520]: executed
Oct 21 13:09:27 grass master[1519]: about to exec
/usr/local/cyrus/bin/pop3d
Oct 21 13:09:27 grass service-pop3[1519]: executed
Oct 21 13:09:27 grass master[1508]: process 1520 exited, signaled to
death by 11
Oct 21 13:09:27 grass service-pop3[1521]: executed
Oct 21 13:09:27 grass master[1521]: about to exec
/usr/local/cyrus/bin/pop3d
Oct 21 13:09:27 grass service-imap[1522]: executed
Oct 21 13:09:27 grass master[1508]: process 1519 exited, signaled to
death by 11
Oct 21 13:09:27 grass master[1508]: process 1518 exited, signaled to
death by 11
Oct 21 13:09:27 grass master[1508]: process 1516 exited, signaled to
death by 11
Oct 21 13:09:27 grass master[1508]: process 1521 exited, signaled to
death by 11
Oct 21 13:09:27 grass service-imap[1523]: executed
Oct 21 13:09:27 grass master[1522]: about to exec
/usr/local/cyrus/bin/imapd
Oct 21 13:09:27 grass master[1508]: process 1522 exited, signaled to
death by 11
Oct 21 13:09:27 grass master[1523]: about to exec
/usr/local/cyrus/bin/imapd
Oct 21 13:09:27 grass master[1508]: process 1512 exited, status 0
Oct 21 13:09:27 grass master[1508]: process 1523 exited, signaled to
death by 11


---


Any idea what's going on? Any help would be much appreciated.

Thanks,
Lee


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Mika Iisakkila
Sent: Sunday, October 21, 2001 4:19 AM
To: [EMAIL PROTECTED]
Subject: Re: Master Segmentation Fault

Lee Hoffman wrote:
> I've followed the directions to a T, while compiling cyrus sasl (w/ldap
> support) and cyrus (2.0.16) (with ssl support) on a debian 2.2r3 distro
> box. The compilation and installation report no errors. I follow the
> installation directions, and ensure that all the directories exist and
> have the correct permissions. When I run master though, I get a
> "Segmentation Fault" and imapd isn't started. The error log reads:

Welcome to the club. I spent a good deal of a day chasing this,
and the culprit is that Debian stable (2.2r3, currently) comes
with an old version of DB. I went to great lengths to ensure that
cyrus compiled and dynalinked with my own DB 3.1 libraries, and
the damn thing still crashed.

The problem is that for some unfathomable reasons, nsswitch in
Debian uses DB first by default, even though nothing is stored in DB
files in normal installations. Library version clash during imap/pop3
service lookup -> crash. Your /etc/nsswitch.conf has a line

services: db files

Remove the db. If it still doesn't help, the system db libraries are
probably still getting in the way, and you could try setting
LD_LIBRARY_PATH to point to the correct place prior to running master.

--mika
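
The two checks Mika suggests in his replies (which nsswitch.conf databases consult the `db` source, and which Berkeley DB libraries `ldd` reports), as an added shell example that is not part of the original thread. The function names are hypothetical and the nsswitch.conf and ldd text is constructed sample input.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample input is constructed.

# stdin: nsswitch.conf text. Prints each database whose sources include "db".
nss_db_users() {
    awk '{
        sub(/#.*/, "")                       # strip comments
        colon = index($0, ":")
        if (colon == 0) next
        name = substr($0, 1, colon - 1)
        gsub(/[ \t]/, "", name)
        n = split(substr($0, colon + 1), src)
        for (i = 1; i <= n; i++)
            if (src[i] == "db") { print name; break }
    }'
}

# stdin: output of one or more ldd runs. Prints the distinct Berkeley DB
# sonames (libdb*.so*), skipping lookalikes such as libdbus.
bdb_libs() {
    awk '$1 ~ /^libdb[-0-9.]*\.so/ { print $1 }' | LC_ALL=C sort -u
}

# Exit status 0 when more than one Berkeley DB library shows up.
bdb_clash() {
    bdb_libs | awk 'END { exit !(NR > 1) }'
}

sample_nsswitch() {   # constructed
cat <<'EOF'
passwd:    compat
hosts:     files dns
services:  db files
protocols: files    # db removed here
EOF
}

sample_ldd() {        # constructed: ldd of imapd followed by ldd of an NSS db module
cat <<'EOF'
    libdb-3.1.so => /usr/local/BerkeleyDB.3.1/lib/libdb-3.1.so (0x40030000)
    libdbus-1.so.3 => /usr/lib/libdbus-1.so.3 (0x40100000)
    libc.so.6 => /lib/libc.so.6 (0x40150000)
    libdb.so.2 => /lib/libdb.so.2 (0x400c0000)
EOF
}

echo "nsswitch databases using db: $(sample_nsswitch | nss_db_users | tr '\n' ' ')"
if sample_ldd | bdb_clash; then
    echo "more than one Berkeley DB library: $(sample_ldd | bdb_libs | tr '\n' ' ')"
fi
```

On a real host, feed /etc/nsswitch.conf to nss_db_users and the ldd output for imapd, plus any NSS module in use, to bdb_libs.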




Master Segmentation Fault

2001-10-20 Thread Lee Hoffman

I've followed the directions to a T, while compiling cyrus sasl (w/ldap
support) and cyrus (2.0.16) (with ssl support) on a debian 2.2r3 distro
box. The compilation and installation report no errors. I follow the
installation directions, and ensure that all the directories exist and
have the correct permissions. When I run master though, I get a
"Segmentation Fault" and imapd isn't started. The error log reads:

Oct 20 09:14:09 grass master[272]: process started
Oct 20 09:14:09 grass master[273]: about to exec
/usr/local/cyrus/bin/ctl_mboxlist
Oct 20 09:14:09 grass ctl_mboxlist[273]: running mboxlist recovery
Oct 20 09:14:09 grass ctl_mboxlist[273]: done running mboxlist recovery
Oct 20 09:14:09 grass master[274]: about to exec
/usr/local/cyrus/bin/ctl_deliver

I've tried recompiling cyrus 7 times, with every combination of compile
options, and every time I end up with the same result. I've looked
through the mailing list archive and have seen others report a similar
problem, without a solution.

Please help!

Thanks in advance,
Lee 




Re: sasldb-error

2001-06-28 Thread Rocky S. Lee

I think it is because of the read permission of the sasldb file.
My cyrus user is cyrus:mail, so

chgrp mail /etc/sasldb
and
chmod g+r /etc/sasldb

It's OK.

BTW: One can find the answer to one's question in the archive.
  I did so.

- Original Message - 
From: "Christoph Krempe" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 28, 2001 11:25 PM
Subject: sasldb-error


> Hi,
> 
> I'm trying to run cyrus 2.0.14 together with BerkeleyDB 3.2.9 and 
> cyrus-sasl 1.5. 
> 
> I compiled:
> 
> BerkeleyDB3.2.9:
> ./configure
> 
> cyrus-imap: 
> ./configure  --disable-sieve --with-auth=unix 
>   --with-sasl=/usr/local/lib --with-dbdir=/usr/local/BerkeleyDB.3.2
> 
> cyrus-sasl:
> ./configure --with-pwcheck=/var/pwcheck --with-pwcheck_method=shadow
> 
> Compiling + installing seemed to be ok.
> 
> /etc/imapd.conf look like
> 
> configdirectory: /var/imap
> partition-default: /var/spool/imap
> umask: 077
> admins: cyrus root
> srvtab: /var/imap/srvtab
> allowanonymouslogin: no
> postmaster: [EMAIL PROTECTED]
> sasl_passwd_check: shadow 
> 
> /usr/local/sbin/pwcheck is running, socket is /var/pwcheck/pwcheck
> 
> After I start "master", I get an error message in 
> /var/log/messages:
> 
> Jun 28 17:14:13 hal master[30997]: about to exec /usr/cyrus/bin/imapd
> Jun 28 17:14:13 hal service-imap[30997]: executed
> Jun 28 17:14:13 hal imapd[30997]: unable to open Berkeley db /etc/sasldb: Invalid 
>argument
> 
> Any idea what's wrong here? 
> 
> Regards, Ch. Krempe
> 
> ---
> Freie Universitaet Berlin   Christoph Krempe
> Universitaetsbibliothek     Systemverwaltung
> - Rechenzentrum -           Tel: 030/838 54583
> Garystrasse 39              Fax: 030/838 54582
> 14195 Berlin                http://www.ub.fu-berlin.de/~ck