Re: virtdomains: userid?

2005-11-27 Thread Scott Balmos
Nope Bill, sorry. As was noted in my thread, it looks to be a SASL 
issue. Because some SASL plugins require a hostname, rather than IP, 
SASL apparently does a reverse DNS on every connecting IP.


Maybe I'll move a request over to the SASL list to look into whether the 
reverse DNS can be on a per-enabled-plugin basis (thus if I only have 
enabled plugins that don't require reverse DNS, it doesn't occur). But 
my personal problem with it was resolved - I kicked my ISP in the rear 
and got them to fix their DNS setup. Being a local cable operator, they 
actually do respond to customers' technical requests (*gasp*). :D


--Scott

Bill Kearney wrote:


Would this help your reverse DNS lookup trouble?  Or will using the
unqualified name still trigger a reverse lookup?

It doesn't appear to help my situation, in that I'd like logins without a
qualified name to use just the bare username and NOT append a realm onto it.
Is this possible?

-Bill
Configuring Virtual Domains

Introduction

   Virtual domains is the practice of hosting a service for more than one
   domain on one server. Cyrus IMAP has the ability to host IMAP/POP
   mailboxes for multiple domains (e.g. [EMAIL PROTECTED] and
   [EMAIL PROTECTED]) on a single server or Murder.

   In order to accomplish this, Cyrus needs to know which domain to look
   in when a mailbox is accessed. There are two ways in which Cyrus can
   determine the domain:

 * Fully qualified userid - the client logs in with a userid
   containing the domain in which the user belongs (e.g.
   [EMAIL PROTECTED] or test%example.net)
 * IP address - the server looks up the domain based on the IP address
   of the receiving interface (useful for servers with multiple NICs
   or using IP aliasing)

   Both of these methods are active if the virtdomains option is set to on
   (or yes, 1, true) and can be used in conjunction with one another. If
   the virtdomains option is set to userid, then only the first method is
   used. Note that a fully qualified userid takes precedence over a domain
   obtained from the IP address.
 




Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
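As an added example, not Cyrus code and not part of the original thread: the Python below models the domain-selection order the virtual-domains text above describes (a fully qualified userid first; then, only when virtdomains is on, the domain derived from the receiving interface; nothing at all when virtdomains is off). The reverse-DNS result for the interface is passed in as a plain string so the function runs offline, and the fallback argument stands in for Cyrus's defaultdomain option, which this page does not discuss.

```python
# Added example (not Cyrus code). Models the documented virtdomains
# precedence rules; interface_domain is assumed to be the reverse-DNS
# name already looked up for the receiving interface, and defaultdomain
# mirrors the imapd.conf option of that name (assumption: not on this page).
from typing import Optional, Tuple


def split_userid(userid: str) -> Tuple[str, Optional[str]]:
    """Split a login name into (local part, domain or None).

    The documentation shows both separators Cyrus accepts:
    user@example.com and test%example.net.
    """
    for sep in ("@", "%"):
        if sep in userid:
            local, _, domain = userid.partition(sep)
            return local, domain.lower() or None
    return userid, None


def resolve_domain(userid: str, virtdomains: str,
                   interface_domain: Optional[str],
                   defaultdomain: Optional[str] = None
                   ) -> Tuple[str, Optional[str]]:
    """Return (local part, domain) the mailbox lookup will use.

    virtdomains:
      "off"                 - no virtual domains; the login is used verbatim
      "userid"              - only a qualified login selects the domain
      "on"/"yes"/"1"/"true" - qualified login first, then the domain
                              obtained from the receiving interface's IP
    A qualified userid always takes precedence over the interface domain.
    """
    mode = virtdomains.strip().lower()
    if mode in ("yes", "1", "true"):
        mode = "on"
    if mode not in ("off", "on", "userid"):
        raise ValueError("unknown virtdomains setting: %r" % virtdomains)

    if mode == "off":
        # Not a virtual-domain server: '@' or '%' in the login is just
        # part of the name and is not split off.
        return userid, None

    local, domain = split_userid(userid)
    if domain is not None:
        return local, domain            # method 1: fully qualified userid
    if mode == "on" and interface_domain:
        return local, interface_domain.lower()   # method 2: interface IP
    return local, defaultdomain         # neither applied: site default
```

Because the domain in a qualified login is supplied by the client, whatever backend authenticates the user must check the credentials in that domain rather than in the default one; the function above only selects the namespace, it does not vouch for it.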


Re: Disabling client IP reverse DNS?

2005-11-22 Thread Scott Balmos

Ken Murchison wrote:


Scott Balmos wrote:


Hi all,

I know in a virtual domain setup, if a user connects with an 
unqualified username, the server does a reverse DNS lookup on the 
*server's* incoming connection IP, to determine a default virtual 
domain name.


But how do I disable Cyrus from doing a reverse DNS on the *client's* 
IP that they're connecting from? Connections to my mail server from 
home are taking very long because of a reverse DNS lookup being done 
on my home IP. This fails because my stupid cable Net ISP doesn't 
know how to run DNS properly. :)



Set the 'virtdomains' option to 'userid' instead of 1/yes/on.


This does not solve the situation. I am not in a virtual domain setup. 
But even with the noted change, the system continues to attempt a 
reverse DNS on the *client* IP.


--Scott




Disabling client IP reverse DNS?

2005-11-21 Thread Scott Balmos

Hi all,

I know in a virtual domain setup, if a user connects with an unqualified 
username, the server does a reverse DNS lookup on the *server's* 
incoming connection IP, to determine a default virtual domain name.


But how do I disable Cyrus from doing a reverse DNS on the *client's* IP 
that they're connecting from? Connections to my mail server from home 
are taking very long because of a reverse DNS lookup being done on my 
home IP. This fails because my stupid cable Net ISP doesn't know how to 
run DNS properly. :)


Insight is appreciated. Thanks!

--Scott Balmos




Re: Cyrus shared folders

2005-05-18 Thread Scott Balmos

quote who=Klaus P. Pieper
 Now we are looking for a way to set up shared folders and bulletin
 boards. However, as far as I can see, the Cyrus server reads the
 user-to-group relationship always from /etc/group. Is there a way to use
 the database for this purpose? If not, can the Cyrus server be run
 chrooted with its own /etc/group? Or is there any other workaround to
 avoid using /etc/group of the base system?


I am assuming you're referring to taking advantage of group:foo style ACL
entries. Google for, and set up, nss_mysql. Cyrus reads group membership
information from the NSS subsystem. Setting up nss_mysql will have the
added side-benefit of allowing you to use finger, id, and other UNIX
account information widgets on your MySQL based users. They'll essentially
be as normal as a user in the /etc password & group database files.

--Scott




Shared folders subdomain option?

2005-05-16 Thread Scott Balmos
Hi Ken & all,

This is an extension off my previous question last week, about replacing
deliver with straight LMTP. All of my shared folder posts come into
addresses of a separate subdomain from my regular user email (e.g.
@members.simunex.com - user email, boards.simunex.com - shared folders).
This worked fine when using deliver, since I would have a Postfix
transport map entry that routed the mail to two different definitions of
the deliver command - one each for user folders and one for shared
folders.

Now, since I'm converting to LMTP, I need the ability to tell Cyrus that
all mail for a subdomain goes to shared folders, regardless of the
username. This is because I'm using the username part of the address for
access-control authorization. So I can't specify a normal postuser: option
in imapd.conf, since the username is always changing, depending on who's
doing the posting.

How hard is it, and whereabouts in the code would I look, to implement the
equivalent of postuser:, but for a subdomain? Or maybe just extend
postuser:'s processing (e.g. a postuser entry of @boards.blah.com means
all email of form [EMAIL PROTECTED] goes to
shared.folder)?

Thanks!

--Scott Balmos




Re: deliver vs LMTP for shared folders

2005-05-13 Thread Scott Balmos
Ken Murchison wrote:
Scott Balmos wrote:
Hi all,
This is probably a bad subject line for the topic, but I can't think 
of a better one. I've always heard, between here and on the Postfix 
list, that delivering directly via LMTP to Cyrus is better than using 
the deliver wrapper program. I was curious how much of a performance 
hit there is by using deliver rather than LMTP directly? There's a 
method to my madness.

I can't give you any quantitative number, but its just an extra, 
needless process.

Anyway... The main problem is that I have found no way to get Postfix 
to authenticate as an arbitrary user over LMTP (e.g. to pull the 
username from the user+folder address). I can set the Postfix LMTP 
client to authenticate with SASL... But then Postfix requires a SASL 
password map, which is impossible because the user account passwords 
are not stored anywhere in cleartext.

Keep in mind that deliver is just a simple LMTP client, so anything 
that it does, *should* be possible in any MTA.  An admin can always 
proxy as another user as long as you use a SASL mechanism which 
supports it (PLAIN, DIGEST-MD5).  But, in deliver's case its using the 
optional AUTH=authuser keyword with the MAIL FROM command.  At least 
one of these methods should be supported by Postfix.

Should and does are not always the same, unfortunately. :) I think this 
is one area where Postfix maintains its mutual distrust of itself (its 
other component programs) in the name of security. From the LMTP client 
protocol code in Postfix:

   /*
    * We authenticate the local MTA only, but not the sender.
    */
#ifdef USE_SASL_AUTH
   if (var_lmtp_sasl_enable
       && (state->features & LMTP_FEATURE_AUTH)
       && state->sasl_passwd)
       vstring_strcat(next_command, " AUTH=<>");
#endif
   next_state = LMTP_STATE_RCPT;
   break;
So using AUTH=blah is out of the question, not to mention the fact 
that (as given by the state->sasl_passwd attribute check) Postfix 
expects to need to log in successfully before even thinking about 
putting in AUTH=. And as far as I can tell in the LMTP SASL code, 
Postfix has support for authentication, but not authorization. 
Whereabouts in the SASL docs, RFC, or whatever does it describe how to 
specify the authorization name in an LMTP (or SMTP for that matter) AUTH 
login conversation? If I'm reading the source code to deliver correctly, 
it uses the AUTH= keyword regardless, so I'm guessing that keyword is 
always available no matter whether or not you authenticate with SASL 
during the LMTP conversation startup.

Like I said in the original message, I don't think this is an area that 
Postfix will budge on. :/ I'll see what they say after I get more 
information. But I seem to vaguely remember a conversation a year or so 
ago (I'll have to check the archives) about this, with 
less-than-positive results.

Thanks Ken & all for any more info.
--Scott


deliver vs LMTP for shared folders

2005-05-12 Thread Scott Balmos
Hi all,
This is probably a bad subject line for the topic, but I can't think of 
a better one. I've always heard, between here and on the Postfix list, 
that delivering directly via LMTP to Cyrus is better than using the 
deliver wrapper program. I was curious how much of a performance hit 
there is by using deliver rather than LMTP directly? There's a method to 
my madness.

Delivering user emails to their personal folders directly via LMTP works 
fine. However, I seem to need to use deliver, and the ability to 
arbitrarily set the authentication username, in order to deliver to 
shared folders. This is because I use a hacked-up scheme to do 
pseudo-authorization and access controls on my shared folders. Shared 
folders, in my system, have the format of 
[EMAIL PROTECTED] where user is the username of the 
person posting, and folder.name is the shared folder name. Using the 
deliver wrapper, I can have the authentication name (-a option) to be 
set to the value of user. And thus I can control the access rights to 
who can post to what shared folder, rather than the standard scheme of 
giving the anonymous user posting rights and letting shared folders be a 
free-for-all. :)

Before we go too far, you're probably saying what keeps someone from 
putting any old username in the address, one that is authorized to post 
to the given folder?. Because post.boards.blah.com has no DNS entry, 
and emails actually come into the address [EMAIL PROTECTED] . 
I have a small Postfix policy server program which looks up the user 
account in LDAP of the sending address and rewrites the address to the 
[EMAIL PROTECTED] format. Then I have a Postfix transport 
entry for post.boards to send it to the deliver program with the 
necessary options. Since this is all done inside Postfix's flow of 
processing, post.boards does not have to exist in DNS, and thus is 
inaccessible to the outside world.

Anyway... The main problem is that I have found no way to get Postfix to 
authenticate as an arbitrary user over LMTP (e.g. to pull the username 
from the user+folder address). I can set the Postfix LMTP client to 
authenticate with SASL... But then Postfix requires a SASL password map, 
which is impossible because the user account passwords are not stored 
anywhere in cleartext.

So it seems I have to use the deliver wrapper in this case, because it 
somehow magically authenticates to Cyrus as a given user without needing 
the password (how's it do that? :D). Thus, what kind of performance hit 
will I see? How many less messages/second or whatever using deliver vs. 
LMTP directly? This is on a run-of-the-mill P4 2.4 / 512 running FreeBSD 
5.3.

Thanks! Sorry for the long-winded explanation of things. Maybe in my 
rambling some others would like the idea of access-controlled shared 
folders. I can send code if anyone wants the policy server and my setup. 
It's a tiny command-line PHP script.

--Scott
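An added example, my own and not code from deliver, Postfix or Cyrus, covering the two mechanisms Ken's reply of 2005-05-13 names for asserting an identity other than the one you authenticated as, which is what the user+folder scheme in this message needs: the AUTH= parameter on MAIL FROM (RFC 2554/4954, value xtext-encoded per RFC 3461), and a SASL PLAIN initial response that carries a separate authorization identity (RFC 4616). The addresses and credentials are constructed sample values; nothing here talks to a server.

```python
# Added example (not deliver/Postfix/Cyrus code). Builds the LMTP client
# lines and SASL PLAIN message that let a trusted MTA deliver "as" a user.
# Whether the server honours either depends on it trusting the client to
# proxy; the functions only produce correctly encoded protocol data.
import base64
from typing import List, Optional, Tuple


def xtext_encode(value: str) -> str:
    """xtext (RFC 3461 s.4): '+', '=' and any octet outside 33..126 become
    '+' plus two uppercase hex digits. Without this the '+' in a
    user+folder address would be read by the receiver as an escape."""
    out = []
    for byte in value.encode("utf-8"):
        if 33 <= byte <= 126 and byte not in (0x2B, 0x3D):   # '+' and '='
            out.append(chr(byte))
        else:
            out.append("+%02X" % byte)
    return "".join(out)


def xtext_decode(value: str) -> str:
    raw = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "+":
            raw.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            raw.append(ord(value[i]))
            i += 1
    return raw.decode("utf-8")


def mail_from_with_auth(sender: str, authorized_as: Optional[str]) -> str:
    """MAIL FROM line with the AUTH= parameter. An unknown/absent identity
    is spelled AUTH=<>, which is the fixed value the Postfix snippet quoted
    in the 2005-05-13 reply always emits."""
    param = "<>" if not authorized_as else xtext_encode(authorized_as)
    return "MAIL FROM:<%s> AUTH=%s" % (sender, param)


def lmtp_client_lines(sender: str, recipient: str,
                      authorized_as: Optional[str]) -> List[str]:
    """Client side of an LMTP delivery that relies on AUTH= alone (no SASL
    exchange on the connection), the path Ken attributes to deliver."""
    return [
        "LHLO mta.example.com",
        mail_from_with_auth(sender, authorized_as),
        "RCPT TO:<%s>" % recipient,
        "DATA",
    ]


def sasl_plain_initial_response(authzid: str, authcid: str,
                                password: str) -> str:
    """RFC 4616 PLAIN: authzid NUL authcid NUL passwd, base64-encoded.
    authcid is the account whose password is presented (e.g. an admin);
    authzid is the user to act as. A server accepts a differing authzid
    only if authcid is permitted to proxy."""
    for field in (authzid, authcid, password):
        if "\0" in field:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    message = ("%s\0%s\0%s" % (authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(message).decode("ascii")


def sasl_plain_fields(response: str) -> Tuple[str, str, str]:
    """Inverse of the above, as the server parses it."""
    parts = base64.b64decode(response).split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN response must contain exactly three fields")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    return authzid, authcid, password
```

The password map problem described in this message does not go away with PLAIN: the MTA still needs one credential (the proxying admin's), but only that one, never the end users'. The AUTH= route needs no password at all, which is exactly why the server must restrict it to connections it trusts.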


Re: Sieve

2005-04-26 Thread Scott Balmos
Andreas Hasenack wrote:
On Mon, Apr 25, 2005 at 11:02:27PM -0400, Scott Balmos wrote:
 

Personally, and I'm sure a number of other list members could say the 
same, I can't say enough good for the AvelSieve plugin to Squirrelmail. 
Especially the newest build, which has auto-create-filter links when 
viewing a message, based on the message subject, to, from, etc.
   

Does it still encode its rules inside the sieve script like a big
block of base64 text?
 

Ayup. Such is the limitation for not writing a full-blown parsing 
engine. :D Regardless, It Works For Me [tm].

--S


Re: Sieve

2005-04-25 Thread Scott Balmos
Andreas Hasenack wrote:
Quoting Robert Baruch [EMAIL PROTECTED]:
okay - I manually wrote, compiled, and installed a script - works 
like a champ... websieve appears to be broken...

what are the alternatives for web-based sieve processing?

Ingo from the Horde project (www.horde.org) is another one. Works 
quite well in
my tests, but is somewhat more complicated than your usual web app to 
setup
because it needs Horde and a database. It's usually only worth it if you
already have Imp as your webmail app.

It just doesn't interpret an already existing sieve script, however: 
it can only
push scripts to the server, not read them back.

Personally, and I'm sure a number of other list members could say the 
same, I can't say enough good for the AvelSieve plugin to Squirrelmail. 
Especially the newest build, which has auto-create-filter links when 
viewing a message, based on the message subject, to, from, etc.

--S


Re: IMAP auths even without valid mailboxes.

2005-04-04 Thread Scott Balmos
Use pam_ldap in conjunction with the pam_check_service_attr option in 
its config file. Then add authorizedService attributes for every PAM 
service you want. Cyrus can get especially fine-grained, because it has 
four separate PAM services (one each for POP3, IMAP, NNTP, and Sieve). 
See below for a section of my account LDIF. Note that SASL does not 
append d to its service entries, like you think it would. That screwed 
me over the first time I tried to get this setup going.

authorizedService: sshd
authorizedService: ftpd
authorizedService: imap
authorizedService: pop
authorizedService: nntp
authorizedService: smtp
authorizedService: sieve
--Scott
Ezsra McDonald wrote:
My current system is SuSe 8.1. This version of saslauthd was not
compiled with LDAP support. It currently hands off authentication to
pam_ldap. I have looked for the cyrus_sasl src RPM for the version I am
running. I would rebuild it but apparently it is not available. It looks
like I will have to hack a later RPM and see if I can get it to work on
SuSe 8.1.
Does anyone know how to give pam_ldap a filter to use? That would be my
quickest fix. I will be investigating that now.
--Ez
On Sun, 2005-04-03 at 14:07, Ondřej Surý wrote:
 

It's not task for IMAP server, but for SASL auth daemon.  You have to
construct LDAP query in sasl so it allow only users which have mail to
login.  Either create some special flag in LDAP.
F.E.: ldap_filter: (&(uid=%u)(allowCyrusLogin=true)) or something
similar.
Ondrej
On Fri, 2005-04-01 at 13:02 -0800, Ezsra McDonald wrote:
   

Is there a setting to tell IMAP not to allow
authenticated users who don't have cyrus accounts?
 



Re: IMAP auths even without valid mailboxes.

2005-04-04 Thread Scott Balmos
I completely forget where I originally got this. I'm pretty sure it was
after some annoying late-night Googling. This is supposedly referenced in
one of the pam_ldap mailing list archive posts... somewhere, in some
galaxy, at some time. :)

(random FYI, objectClass hostObject, below, is if you were using
host-based checking in pam_ldap. Don't ask me where the host attribute is,
though... I think cosine)

[EMAIL PROTECTED] /usr/local/etc/openldap/schema]  more ldapns.schema
# $Id: ldapns.schema,v 1.3 2003/05/29 12:57:29 lukeh Exp $

# LDAP Name Service Additional Schema

# http://www.iana.org/assignments/gssapi-service-names

attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
DESC 'IANA GSS-API authorized service name'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
DESC 'Auxiliary object class for adding authorizedService attribute'
SUP top
AUXILIARY
MAY authorizedService )

objectclass ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject'
DESC 'Auxiliary object class for adding host attribute'
SUP top
AUXILIARY
MAY host )

 Scott,

 I was just browsing my LDAP schema. Where should if find
 authorizedService?

 --Ez

 On Mon, 2005-04-04 at 09:33, Scott Balmos wrote:
 Use pam_ldap in conjunction with the pam_check_service_attr option in
 its config file. Then add authorizedService attributes for every PAM
 service you want. Cyrus can get especially fine-grained, because it has
 four separate PAM services (one each for POP3, IMAP, NNTP, and Sieve).
 See below for a section of my account LDIF. Note that SASL does not
 append d to its service entries, like you think it would. That screwed
 me over the first time I tried to get this setup going.

 authorizedService: sshd
 authorizedService: ftpd
 authorizedService: imap
 authorizedService: pop
 authorizedService: nntp
 authorizedService: smtp
 authorizedService: sieve

 --Scott


snip

-- 
Scott Balmos
President - SimuNex, Ltd.
[EMAIL PROTECTED]
http://www.simunex.com


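As an added example, not pam_ldap's own code, here is the check that the authorizedService setup in both of the 2005-04-04 messages relies on, written out in Python over an in-memory LDIF entry: the user's entry must carry an authorizedService value equal to the PAM service name, compared case-insensitively as the schema's caseIgnoreMatch implies. The LDIF is a constructed sample built from the attribute names in the posts; the dn, uid and the second user are invented.

```python
# Added example (not pam_ldap code). A small LDIF reader plus the
# per-service authorization decision pam_check_service_attr makes.
# SAMPLE_LDIF is constructed; the uids and dns are assumptions.
from typing import Dict, List, Optional

SAMPLE_LDIF = """\
dn: uid=scott,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: authorizedServiceObject
uid: scott
authorizedService: sshd
authorizedService: imap
authorizedService: pop
authorizedService: sieve

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: authorizedServiceObject
uid: bob
authorizedService: sshd
"""

# PAM service names as the posts say SASL presents them: no trailing 'd'
# (the daemon is imapd, the service is "imap").
CYRUS_PAM_SERVICES = ("imap", "pop", "nntp", "sieve")


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {dn: {attribute (lowercased): [values]}} for a simple LDIF.
    Handles the plain 'attr: value' form only (no '::' base64 values,
    no continuation lines), which is all the sample uses."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    current: Optional[Dict[str, List[str]]] = None
    for line in text.splitlines():
        if not line.strip():
            current = None              # blank line ends an entry
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
            continue
        if current is None:
            raise ValueError("attribute before any dn: %r" % line)
        current.setdefault(attr, []).append(value)
    return entries


def find_user(entries: Dict[str, Dict[str, List[str]]],
              uid: str) -> Optional[Dict[str, List[str]]]:
    for attrs in entries.values():
        if uid in attrs.get("uid", []):
            return attrs
    return None


def service_allowed(entries: Dict[str, Dict[str, List[str]]],
                    uid: str, pam_service: str) -> bool:
    """True only if the user exists and lists pam_service. An entry with
    no authorizedService at all is denied: the check fails closed."""
    attrs = find_user(entries, uid)
    if attrs is None:
        return False
    allowed = {v.lower() for v in attrs.get("authorizedservice", [])}
    return pam_service.lower() in allowed


def sample_allowed(uid: str, pam_service: str) -> bool:
    """Convenience wrapper over the constructed sample entries."""
    return service_allowed(parse_ldif(SAMPLE_LDIF), uid, pam_service)


def allowed_cyrus_services(uid: str) -> List[str]:
    """Which of the four Cyrus PAM services the sample user may use."""
    entries = parse_ldif(SAMPLE_LDIF)
    return [s for s in CYRUS_PAM_SERVICES if service_allowed(entries, uid, s)]
```

The second test in the block's checks is the gotcha from the post: granting "imapd" instead of "imap" silently authorizes nothing, and a fail-closed check like this one makes that show up as a denied login rather than an open door.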


Re: special folders

2005-03-30 Thread Scott Balmos
Stefan Schlörholz wrote:
Hello everybody,
I run a SuSE 8.2 on a server with a cyrus IMAP server for local clients.
In my mailbox I (through squirrelmail) by accident deleted some special 
folders like sent, draft, trash, etc. so that only INBOX is left.

I want to have those back in order to properly store the messages.
Just introducing new folders with those names doesn't help. They are not 
recognized by e.g. kmail as special folders so that they do not get the 
dedicated icons.

Does anybody know how to bring back those folders? I did a cyradmin 
--reconstruct but without effect.

Best regards
Stefan
 

IIRC, KMail/Kolab utilizes special IMAP folder annotations to designate 
the purpose of the special folders, whether it is a sent folder, drafts, 
etc. Sorry, I don't know what the specifics of the annotation is, though 
I'm certain it can be found if you went slogging through the KMail 
developer docs, or something along those lines.

--Scott


Making saslauthd fall back on SASLdb?

2005-03-29 Thread Scott Balmos
Hi all,
I had this problem solved months ago, but that was on a different 
system. I'm running imapd using saslauthd as the authentication 
mechanism. saslauthd, in turn, is running through PAM, which runs to my 
LDAP server, to do all authentication.

I was wondering if there was a way to get saslauthd, or imapd (whichever 
is the case), to fall back onto checking the local sasldb2 database 
(auxprop?). There are a few system accounts, like cyrus and some 
system-accessible-only manager accounts, that I want to keep out of LDAP.

TIA
--Scott Balmos


Re: Making saslauthd fall back on SASLdb?

2005-03-29 Thread Scott Balmos
Andreas Hasenack wrote:
On Tue, Mar 29, 2005 at 03:31:13PM -0500, Scott Balmos wrote:
 

Hi all,
I had this problem solved months ago, but that was on a different 
system. I'm running imapd using saslauthd as the authentication 
mechanism. saslauthd, in turn, is running through PAM, which runs to my 
LDAP server, to do all authentication.

I was wondering if there was a way to get saslauthd, or imapd (whichever 
is the case), to fall back onto checking the local sasldb2 database 
(auxprop?). There are a few system accounts, like cyrus and some 
system-accessible-only manager accounts, that I want to keep out of LDAP.
   

Try this in /etc/imapd.conf:
sasl_pwcheck_method: saslauthd auxprop
 

Ayup... that did it. Thanks!
I would suggest, to the writers of the example config files, that 
sasl_pwcheck_method's wording be changed to note that you can allow both 
of these options. As it is, and this is where I got hung up, the 
comments sound like it can only be auxprop OR saslauthd, not both.

--Scott


Re: LDAP Mailboxes

2005-03-25 Thread Scott Balmos
Norman Zhang wrote:
I like to setup Cyrus to use LDAP for user authentication and global 
addressbook. May I ask what steps do I need? Do I still need SASL?

Regards,
Norman Zhang
SASL's always necessary for Cyrus. You want saslauthd, possibly with -a 
ldap. That switch is dependent on whether or not you want saslauthd to 
authenticate directly to LDAP. Leave it off if you're using something 
like pam_ldap (how I personally have it set up, and thus recommended). 
The use of LDAP as a global address book is a function of your mail 
client, and has nothing to do with Cyrus.

--Scott


Re: sieve rule needed

2005-03-24 Thread Scott Balmos

 does anyone have a rule for sieve that will disregard emails coming in
 with a subject that just contains garbage?

 I can't even cut-n-paste an example ... :(

 
 Marc G. Fournier   Hub.Org Networking Services
 (http://www.hub.org)
 Email: [EMAIL PROTECTED]   Yahoo!: yscrappy  ICQ:
 7615664



if header :contains "Subject" "garbage"
{
    discard;
}

:D

Kind of hard to develop an exact, programmatic definition of what
garbage is, right?

-- 
Scott Balmos
President - SimuNex, Ltd.
[EMAIL PROTECTED]
http://www.simunex.com




Re: sieve rule needed

2005-03-24 Thread Scott Balmos
Ken Murchison wrote:
Marc G. Fournier wrote:

...snip...
Sorry, figured that everyone else was probably getting this too, 
since it seems to be 'standard spam' nowadays :(

garbage == those messages whose subjects are all non-ASCII 
characters ...

Just off the top of my head (its been so long since I wrote the regex 
draft I'm not sure I remember the syntax):

require ["regex"];

# the subject consists of nothing but non-printable characters
if header :regex :comparator "i;octet" "subject" "^[^[:print:]]+$" {
  discard;
}
That *looks* like it'd be it. I would've said something along the same 
lines, but I couldn't remember what the appropriate regex magic 
incantation and wand-waving was.

--Scott
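As an added example, not Cyrus or Sieve code and not part of the thread: the Python below reproduces what Ken's rule does to a raw Subject header so you can see it decide on sample input before deploying it. Sieve decodes RFC 2047 encoded-words to UTF-8 before comparing, and under the i;octet comparator [[:print:]] only matches the printable ASCII bytes 0x20..0x7E, so a subject whose decoded text is entirely non-ASCII (or entirely control characters) matches ^[^[:print:]]+$ and is discarded, while anything containing a single ASCII letter, digit or space is kept. The sample subjects are constructed.

```python
# Added example (not Cyrus code). Python equivalent of
#   if header :regex :comparator "i;octet" "subject" "^[^[:print:]]+$"
# applied to raw Subject header values, including RFC 2047 decoding.
import base64
from email.header import decode_header, make_header


def decode_subject(raw: str) -> bytes:
    """Decode any =?charset?...?= encoded-words and return the UTF-8
    octets that the i;octet comparator would see."""
    return str(make_header(decode_header(raw))).encode("utf-8")


def is_all_unprintable(octets: bytes) -> bool:
    """^[^[:print:]]+$ under i;octet: at least one byte, and no byte in
    the printable ASCII range 0x20..0x7E. Bytes >= 0x80 (every byte of a
    non-ASCII UTF-8 character) count as unprintable, as do tab and other
    control characters."""
    return len(octets) > 0 and all(not (0x20 <= b <= 0x7E) for b in octets)


def sieve_verdict(raw_subject: str) -> str:
    """'discard' if the rule above would fire, else 'keep'."""
    return "discard" if is_all_unprintable(decode_subject(raw_subject)) else "keep"


def encoded_word(text: str) -> str:
    """Build a =?UTF-8?B?...?= encoded-word the way a sending MUA would,
    to construct realistic non-ASCII test subjects."""
    b64 = base64.b64encode(text.encode("utf-8")).decode("ascii")
    return "=?UTF-8?B?" + b64 + "?="


def classify(raw_subjects):
    """Run the verdict over a batch; handy for checking a sample of
    real headers before enabling the discard action."""
    return [(raw, sieve_verdict(raw)) for raw in raw_subjects]
```

Two edge cases worth noting from the checks: an empty Subject is kept (the regex needs at least one character), and a subject with an ASCII prefix such as "Re:" in front of non-ASCII text is kept, so the rule catches the all-garbage case Marc describes without touching ordinary non-English mail that carries any ASCII at all.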


Modifying reply-to header of NNTP public folder posts?

2005-03-15 Thread Scott Balmos
Hi everyone,

I was wondering if there was any way for Cyrus 2.2 to modify the Reply-To
header for messages posted through its NNTP daemon to public folders? For
messages sent as regular emails (which is processed through Postfix before
being sent to Cyrus), I'm able to do this.

What I'm trying to achieve is something like a forced reply-to-list
address for a mailing list. I want to force a message sent to a public
folder to have a reply-to address of that folder's submission address,
*not* the address of the person who sent the original message. These
public folders are for discussion-type groups, where messages should post
back to the discussion, not like a shared tech support folder where one
person picks up the message and replies to the person privately.

The scenario is so I'm covering people who are reading messages via an
IMAP client in the public folder, which were posted through NNTP. See
below:

User A posts a message to the public folder through NNTP
User B reads that message via an IMAP client. They want to reply to the
discussion.
User B hits Reply in their email client. Normally, this would use the
Reply-To header, which is set to User A's email address. I want this to be
set to the email submission address of the public folder.

Ideas? Thanks!

--Scott Balmos




Re: scripted delete mailbox for cyradm

2005-02-10 Thread Scott Balmos
A common error. Do a lam user.public. User cyrus almost definitely 
will not have the c ACL right assigned, since that's by default. Give 
cyrus the c ACL right, which gives delete ability, then re-run the script.

It would be useful to automatically assign this to any mailbox that your 
system creates, assuming your mailboxes and such are created as part of 
some scripted user-creation system (like a web app or something). Also, 
for the heck of it, have a periodic script, once every hour or so, that 
does the equivalent of sam * cyrus c, so any mailbox on your mail 
server can be successfully deleted by this script.

--
Scott Balmos
Craig White wrote:
On Thu, 2005-02-10 at 11:02 -0600, Aleksandar Milivojevic wrote:
 

Craig White wrote:
   

Trying to script deleting a user's mailbox from system...
/bin/su - cyrus -c '/usr/lib/cyrus-imapd/cyradm localhost \ 
--userrc=/var/lib/imap/.systemrc dm user.public'
 

Try something like this instead:
#! /usr/bin/perl -w
use Cyrus::IMAP::Admin;
# connect, authenticate as an admin, then delete the mailbox;
# each step dies on failure
$imap = Cyrus::IMAP::Admin->new("servername")
    or die "Failed to connect";
$imap->authenticate(-user => "username",
                    -password => "password",
                    -mechanism => "LOGIN")
    or die "Failed to authenticate";
$imap->delete("user.mailbox")
    or die "Failed to delete mailbox";
See man pages for Cyrus::IMAP::Admin and Cyrus::IMAP for more details.
   


OK - I think I can deal with this but...
#cyradm localhost
IMAP Password:
localhost.localdomain> lm user.public
user.public (\HasNoChildren)
and
# ./ldap_useradmin.deluser
Failed to delete mailbox at ./ldap_useradmin.deluser line 11.
#cat ldap_useradmin.deluser
#! /usr/bin/perl -w
use Cyrus::IMAP::Admin;
$imap = Cyrus::IMAP::Admin->new("localhost")
    or die "Failed to connect";
$imap->authenticate(-user => "cyrus",
                    -password => "MY_PASS",
                    -mechanism => "LOGIN")
    or die "Failed to authenticate";
$imap->delete("user.public")
    or die "Failed to delete mailbox";
means we died and didn't delete the mailbox.
as you can see from cyradm, the mailbox is indeed there and called
'user.public' 

so this defies my ability to discern what is going on
and lastly, since this is perl and I'm a lost duck, is there a way to
direct standard and error out on this to a file? I love to have a means
to keep track of what happened when I call from another process and
don't have a terminal to work with.
Thanks
Craig
 



Manipulating References & In-Reply-To

2005-01-20 Thread Scott Balmos
Hi all,
I'm building a web forum system on top of Cyrus. Some people apparently 
want a message editing system, and possibly thread splitting / merging 
abilities.

For message editing, I think it's okay if the original message is 
deleted, and then replaced with the edited message contents, via an IMAP 
post operation, that has the exact same headers as the original message 
(especially References & In-Reply-To). Is this a more-or-less okay train 
of thought? I know one of the RFCs says that a Message ID is supposed to 
be absolutely unique. But for in-place editing, I really don't want to 
think of the processing load it would take to replace the edited message 
and also change the In-Reply-To and References headers of all of that 
message's child messages.

Along the same lines, for message splitting, does Cyrus do its threading 
by In-Reply-To or References? What about the usual mail clients? Again, 
I'm trying to figure out whether I can split the message thread by 
editing one message, or if I have to remove a whole string of References 
message IDs from all of the split thread's messages.

Any comments or suggestions for handling this?
Thanks!
--
Scott Balmos


Re: MTAs that pass SMTP AUTH?

2003-04-01 Thread Scott Balmos
On Tuesday 01 April 2003 01:04 am, Kevin P. Fleming wrote:
 Scott Balmos wrote:
  My question is, where is Sendmail getting, or even sending to the deliver
  program, the information that says to match against username msmith,
  johndoe, or whatnot? I know of the -a switch for deliver, but pretty much
  all the other MTAs (including Postfix) say that there can only exist a
  blanket Cyrus user, designated to the MTA, for posting to shared
  folders.

 This is intended to be used in a secure localized installation, with the
 users using SMTP AUTH to authenticate themselves to the MTA. The MTA
 then records this information and passes it along via LMTP AUTH to the
 Cyrus lmtpd.


Okay, fine. This is what I have also. The crux seems to be getting the MTA to 
pass along the AUTH info. So far I guess only Sendmail and Exim do such a 
thing, right? Has anyone *possibly* come up with a patch for Postfix about 
this? I remember a few days ago some mumblings on the list that to record 
such AUTH info to pass along with the message would be somewhat irritating.

  Where's everything come from, authentication-wise? The only thing I can
  think of is the user creates a message, saves to their local drafts
  folder, then manually moves the message into the proper folder on IMAP.
  But that seems really icky, and essentially like IMAP Send.

 Well, in my case, we're not actually using SMTP AUTH to deliver the
 messages to the MTA. Rather, I have set up mail delivery such that a
 message that arrives at my MTA address to [EMAIL PROTECTED] is
 delivered as if it had been AUTH'd as user. This means that messages
 can be delivered directly to any user's folders, without having to give
 anonymous p rights on those folders. Yes, this does mean that someone
 out there could abuse it, but all they could do is put random stuff
 directly into a folder, instead of into the user's INBOX.

 If we had shared folders set up, then I would have to implement SMTP
 AUTH so that the folders could have reasonable (i.e. non-anonymous)
 rights.

This is *EXACTLY* what I have right now, Kevin. I've always thought that since 
there is no password, and the user to authenticate is in the message 
itself, such that anyone reading that message sees the full address along 
with a username that has posting credentials to that folder, it was 
completely insecure. I guess it's just a risk, you only hope that the users 
(in my case, only about 300, so it's not that big a deal) don't abuse it, and 
you just make sure the folder admins are quick to delete.

Well that makes me feel at least a little more comfortable knowing that at 
least one other person does this convoluted user+folder authentication 
setup like I was thinking of using. :)

Thanks!



MTAs that pass SMTP AUTH?

2003-03-31 Thread Scott Balmos
(originally sent with wrong email address. Sorry to the human who has to clear 
out the moderation mailbox. :( )

Hi all,

Does anyone know of any other MTAs that can pass SMTP AUTH info along to 
Cyrus, other than Sendmail? I'm thinking in the base case here, of a single 
server, for an intranet. We've already, unfortunately, ruled out Postfix 
earlier last week, I think I remember reading.

I'm just trying to find a way to do the fabled per-user posting rights ACL 
matching for shared folders. Indeed, I'm not sure, maybe someone could 
clarify this for me. What good is having +p if you can't match it to specific 
users? The question is not counting normal users' private Inboxes. Besides, 
not having +p at all means the mailbox is basically read only... which 
defeats the purpose again because then you wouldn't have any content to put 
in, but that's a logic loop. :D

Earlier, a week or so ago, I posted my current hack, which was to set the 
deliver program to read the username from the user portion of the user+folder 
email address. But, of course, that's not real authentication, since anyone 
could grab a username with posting rights by reading the message (since the 
username is in the email address, which is in the To or Cc field of the 
message). Plus that's using the deliver agent, and not LMTP.

Any ideas, pointers to docs for things like this, anyone else done this 
somewhere, sometime? :(

Thanks.

--
Scott Balmos


Re: MTAs that pass SMTP AUTH?

2003-03-31 Thread Scott Balmos
Okay, maybe this might be a better question... In the O'Reilly Managing IMAP 
example (http://www.oreilly.com/catalog/mimap/chapter/ch09.html#91630), it 
discusses the setup I need, where some folders have per-user +p access. In 
the example case, msmith and johndoe.

It says that msmith & johndoe, sending to the submission address of 
[EMAIL PROTECTED], can go through fine, while others' 
submissions get dumped to announce's inbox. This is all supposedly standard 
through the deliver(8) program, and that a Sendmail config script handles it 
all.

My question is, where is Sendmail getting, or even sending to the deliver 
program, the information that says to match against username msmith, johndoe, 
or whatnot? I know of the -a switch for deliver, but pretty much all the 
other MTAs (including Postfix) say that there can only exist a blanket 
Cyrus user, designated to the MTA, for posting to shared folders.

Where's everything come from, authentication-wise? The only thing I can think 
of is the user creates a message, saves to their local drafts folder, then 
manually moves the message into the proper folder on IMAP. But that seems 
really icky, and essentially like IMAP Send.

Am I missing something? Thanks.

--
Scott Balmos


RE: Postfix 1.1.11 (Debian/Woody) and quota's using Courier

2003-03-06 Thread Scott Balmos
Odd to ask about Postfix & Courier on a Cyrus list, but no matter... :)

http://www.sweeney.demon.co.uk/pfix_imap_virtual.html

HTH

--
Scott Balmos

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Markus
Welsch
Sent: Thursday, March 06, 2003 11:13 AM
To: [EMAIL PROTECTED]
Subject: Postfix 1.1.11 (Debian/Woody) and quota's using Courier

Hi,

I'd like to catch all virtual user information (authentication details
and quota, etc.) from a MySQL database. Optionally I'd like to implement
POP-before-SMTP.

Anybody set up something like this and/or could provide me with some
kind of howto? The mail traffic is about 15 GB / month ... so I would like
to have a solution that is RELIABLE!


As said, using Debian 3.0r1:

ii  libdbd-mysql-p 1.2216-2       mySQL database interface for Perl
ii  libmysqlclient 3.23.49-8.2    mysql database client library
ii  libpam-mysql   0.4.7-1        PAM module allowing authentication from a My
ii  mysql-client   3.23.49-8.2    mysql database client binaries
ii  mysql-common   3.23.49-8.2    mysql database common files (e.g. /etc/mysql
ii  mysql-server   3.23.49-8.2    mysql database server binaries
ii  postfix        1.1.11-0.woody A high-performance mail transport agent
ii  postfix-ldap   1.1.11-0.woody LDAP map support for Postfix
ii  postfix-mysql  1.1.11-0.woody MYSQL map support for Postfix
ii  postfix-pcre   1.1.11-0.woody PCRE map support for Postfix
ii  postfix-tls    1.1.11+tls0.7. TLS and SASL support for Postfix


It would be just great if I could authenticate using the email
address:
[EMAIL PROTECTED]


Any help will be greatly appreciated !




Kind Regards,

Markus Welsch



Few questions on deliver

2003-02-27 Thread Scott Balmos
Hi again all,

Yesterday I got my shared folders setup working. Thanks to Ken & Earl
for their thoughts. Found out that Outlook & others don't care about not
having an Inbox. Later on last night I got the CyrusBB support going in
Postfix.

A few questions though...

1. Deliver's manpage states that if the user doesn't have posting ACL
rights to the folder the message is to be delivered to, then it rejects,
no problem. Yet the user to match off of is controlled supposedly by
the -a switch to the deliver command. This feels like it almost
certainly has to be hard-coded into my MTA setup (Postfix). Has anyone
ever gotten Postfix configured in a way that it feeds in something from
the message, say the username portion of the From: header, as the switch
to -a for deliver, so I can have some real per-user posting rights?

2. Since this is a mostly shared-folder setup... Is there any way for
deliver, or again maybe Postfix, to modify or suppress some headers?
Specifically I'd at least like a Reply-To header changed, so that if a
user clicks Reply, they reply to the submission address of the shared
folder, not reply to the original poster's personal email address. Also,
I'd like to, if possible, suppress the To and Cc headers. The personal
email addresses of other users or such are shown when a message is
viewed, which could be a privacy concern in my case. For example, if a
message is sent to [EMAIL PROTECTED], [EMAIL PROTECTED], and
[EMAIL PROTECTED] (the submission address), when anyone views
that message, it'll have headers stating that it was sent to foo, blah,
and the discussion board.

3. Finally, and this is off-topic I'm sorry (:D), but has anyone *ever*
gotten Outlook to thread IMAP, whether through a patch or module or
anything. Outlook Express does it fabulously. It seems absolutely stupid
that M$ would put a desired function in their free version, but not
their for-pay version. Yes, I know Exchange MAPI public folders do
thread. But that's a different protocol and server. Hrm... Hidden
sleight of hand by M$ to force you to buy Exchange?

Thanks again for any replies!

--
Scott Balmos
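The posting-rights question raised in point 1 above, and in the "MTAs that pass SMTP AUTH?" thread earlier on this page, as an added example. This is not code from Cyrus, Postfix or Sendmail; it is a small Python model of the decision Cyrus makes at delivery time: the message lands in a shared folder only if the authorized user (the deliver -a value, or the identity the MTA relays via LMTP AUTH) holds the 'p' right in that folder's ACL. The same function is then run with the address-derived hack from the thread, where the authorized user is simply the local part of a "user+folder" recipient address, to show why that is no authentication at all. The ACL table, the user and folder names, the "+folder" address convention and the deliveries are all constructed for this example; the group: and negative-rights handling follows the Cyrus ACL conventions but the identifiers themselves are made up.

```python
"""
Added example, not code from Cyrus, Postfix or Sendmail.  Models the
posting-rights check Cyrus applies at delivery time and contrasts it
with the "read the user from the recipient address" hack.  Every ACL
entry, user, folder and address below is constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple

# Constructed ACL table in Cyrus style: mailbox -> {identifier: rights}.
# Rights letters follow Cyrus (l lookup, r read, s seen, p post, ...).
# An identifier prefixed with "-" carries negative rights, as Cyrus allows.
SHARED_ACLS: Dict[str, Dict[str, str]] = {
    "announce": {"anyone": "lrs", "msmith": "lrsp", "johndoe": "lrsp"},
    "internal": {"group:staff": "lrsp", "contractor": "lrsp", "-contractor": "p"},
}

# Recipient forms handled (assumed convention): "msmith+announce@example.com"
# (local part plus a "+folder" detail) and "+announce@example.com" (detail only).
RCPT_RE = re.compile(r"^(?P<local>[^+@]+)?(?:\+(?P<detail>[^@]+))?@(?P<domain>[^@]+)$")


def effective_rights(acl: Dict[str, str], user: str, groups: Sequence[str] = ()) -> str:
    """Union of the rights granted to the user, its groups and 'anyone',
    minus anything a matching negative entry takes away."""
    idents = [user, "anyone"] + [f"group:{g}" for g in groups]
    granted, denied = set(), set()
    for ident in idents:
        granted |= set(acl.get(ident, ""))
        denied |= set(acl.get("-" + ident, ""))
    return "".join(sorted(granted - denied))


def can_post(folder: str, authuser: str, groups: Sequence[str] = ()) -> bool:
    """True only if the authorized user holds the 'p' (post) right."""
    acl = SHARED_ACLS.get(folder)
    return acl is not None and "p" in effective_rights(acl, authuser, groups)


@dataclass
class Delivery:
    rcpt: str                     # envelope recipient handed to lmtpd/deliver
    lmtp_authuser: Optional[str]  # identity the MTA relayed via LMTP AUTH, if any


def decide(delivery: Delivery, trust_address: bool = False) -> Tuple[str, str]:
    """Return (verdict, authorized user).  With trust_address=True the
    authorized user is read from the recipient's local part (the hack
    from the thread); otherwise only the LMTP AUTH identity counts and an
    unauthenticated delivery is treated as 'anonymous'."""
    m = RCPT_RE.match(delivery.rcpt)
    if not m or not m.group("detail"):
        return ("reject", "no +folder in recipient")
    folder = m.group("detail")
    if trust_address:
        # Anyone who sees this address in a To: or Cc: header learns a
        # username with posting rights and can reuse it; no secret involved.
        authuser = m.group("local") or "anonymous"
    else:
        authuser = delivery.lmtp_authuser or "anonymous"
    return ("accept" if can_post(folder, authuser) else "reject", authuser)


if __name__ == "__main__":
    cases = [
        (Delivery("msmith+announce@example.com", None), True),   # hack: accepted, no auth at all
        (Delivery("msmith+announce@example.com", None), False),  # same message, AUTH required: rejected
        (Delivery("msmith+announce@example.com", "msmith"), False),
        (Delivery("msmith+announce@example.com", "intruder"), False),
    ]
    for d, trust in cases:
        print(d.rcpt, "auth=%s" % d.lmtp_authuser, "trust_address=%s" % trust, "->", decide(d, trust))
```

The first two cases are the whole argument: the identical, unauthenticated message is accepted when the server believes the address and rejected when it insists on an LMTP AUTH identity. The ACL evaluation also shows why a folder with "anyone p" is the only way to accept unauthenticated posts, and why a negative entry ("-contractor p") is the Cyrus way to take a single right back from a user who otherwise matches a broader grant.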




Cyrus in shared-only setup with no user inboxes?

2003-02-26 Thread Scott Balmos
Hi everyone,

I remember reading a message like this back in the 1997 archives, but
maybe (hopefully?) something's changed in the newer versions.

I'm intending to use Cyrus and shared IMAP folders as a replacement for
a currently-running private NNTP server for small-scale discussion
groups. No problem, as I know how to do the Cyrus ACLs. My question is
if it is possible to run Cyrus without individual user inboxes, such that
the users exist in the ACL database, but that's it. What functionality
is lost by not giving users individual mailboxes?

Is it possible to have a single shared user inbox, somehow hidden from
the user, just so Cyrus is happy? Basically, I don't want to give people
mailboxes in any form. They don't need them, and shouldn't have them at
all.

I look forward to your responses. Thanks!

--
Scott Balmos