Re: does xfer require murder?

2006-04-25 Thread Perry Brown
I create a cert on both servers per the Install-configure.html and can run 
imtest to either host.



From server1 to server2 for example:
/opt/mail/cyrus-imapd/bin/imtest -t  -m plain -a cyrus -u cyrus -p imap -v 
server2.sub2


after much output at the end it lists

S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256

I can see in the logs on server2

Apr 25 16:08:28 server2 imap[10683]: starttls: TLSv1 with cipher AES256-SHA 
(256/256 bits new) no authentication
Apr 25 16:08:33 server2 imap[10683]: login: server1.sub1.domain.com 
[10.248.176.34] cyrus PLAIN+TLS User logged in


So imtest looks good.

I log in to do the xfer and I get the same error from before.

/opt/mail/cyrus-imapd/bin/cyradm --user cyrus --auth plain server1
Password:
IMAP Password:
server1.sub1.domain.com xfer user.vbperry server2.sub2.domain.com
xfermailbox: Server(s) unavailable to complete operation

I see in the log on the source server it was auth with PLAIN not PLAIN+TLS 
like listed from imtest.


The connection to the remote host also lists PLAIN and not PLAIN+TLS.

Is there a way to force the tls part?


Here is imapd.conf
defaultpartition: imap1
configdirectory: /var/imap
partition-imap1: /var/spool/imap1
admins: cyrus support
srvtab: /var/imap/srvtab
quotawarn: 85
popminpoll: 0
autocreatequota: 3
sasl_pwcheck_method: saslauthd
lmtp_over_quota_perm_failure: 1
allowusermoves: yes
proxy_authname: cyrus
proxy_password: password
force_sasl_client_mech: plain login
tls_cert_file: /local/imap/server1.sub1.domain.com.pem
tls_key_file: /local/imap/server1.sub1.domain.com.pem


Thank you for any help

Perry


Basically:

Cyrus Imapd uses a SASL mechanism to talk between cyrus machines.
The SASL mechanism you are using is PLAIN (I don't think LOGIN is a SASL 
mechanism, it's IMAP specific)

PLAIN requires TLS
TLS requires certificates.
You don't have certificates.

if
imtest -t  -m PLAIN -a cyrus -u cyrus servername

does not work, then xfer never will.


Get a cert! :)

-Patrick
On Apr 21, 2006, at 4:30 PM, Perry Brown wrote:

Sorry to keep bugging everyone on this but it seems I am close I'm just 
overlooking something obvious.


I looked through the config on the hosts and we are using pam.


I changed the imapd.conf a little
defaultpartition: imap1
configdirectory: /var/imap
partition-imap1: /var/spool/imap1
admins: cyrus support
srvtab: /var/imap/srvtab
quotawarn: 85
popminpoll: 0
autocreatequota: 3
sasl_pwcheck_method: saslauthd
lmtp_over_quota_perm_failure: 1
allowusermoves: yes
proxy_authname: cyrus
proxy_password: password
force_sasl_client_mech: LOGIN PLAIN


Imtest looks to work Ok with Login

server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -p imap -m login
WARNING: no hostname supplied, assuming localhost

S: * OK server1.sub1.domain.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX- REFERRALS 
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN  MULTIAPPEND 
BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES  ANNOTATEMORE IDLE 
AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR  LISTEXT LIST-SUBSCRIBED 
X-NETSCAPE

S: C01 OK Completed
Please enter your password:
C: L01 LOGIN cyrus {8}
S: + go ahead
C: omitted
S: L01 OK User logged in
Authenticated.
Security strength factor: 0

This works to the localhost as well as to server2.

I try the xfer from server1 to server2:

server1.sub1% /opt/mail/cyrus-imapd/bin/cyradm --user cyrus --server 
server1.sub1 --auth login

IMAP Password:
 server1.sub1.domain.com
server1.sub1.domain.com xfer user.vbperry server2.sub2
xfermailbox: Server(s) unavailable to complete operation

the log from server2 shows:
Apr 21 12:56:31  server2 imap[27408]: badlogin:  server1.sub1.domain.com 
[10.12.12.12] PLAIN [SASL(-4): no mechanism  available: security flags do 
not match required]


/etc/sysconfig/saslauthd
MECH=pam
FLAGS=${FLAGS:=}

Is there a doc on the sysconfig/saslauthd flags? I looked through  the 
docs that came with cyrus-imap and cyrus-sasl and did not find  anything.


From server1 I can log into server2 with imtest, testsaslauthd  works OK 
as
well. What security flags do not match? Is there a way to kick up  the 
verbosity of the logging to see if that would give a clue?



Perry



I tried with plain: /opt/mail/cyrus-imapd/bin/imtest -m plain -p imap

And it got rejected.

C: A01 AUTHENTICATE PLAIN Y3lyaW1hcABjeXJpbWFwAGpTdXZTMTFz
S: A01 NO no mechanism available
Authentication failed. generic failure
Security strength factor: 0


I can not find a tls conf file so I do not think starttls is set up.

I added the entry mentioned to imapd.conf
$ cat /etc/imapd.conf
defaultpartition: imap1
configdirectory: /var/imap
partition-imap1: /var/spool/imap1
admins: cyrus support
srvtab: /var/imap/srvtab
quotawarn: 85
popminpoll: 0
autocreatequota: 3
sasl_pwcheck_method: saslauthd
lmtp_over_quota_perm_failure: 1
allowusermoves: yes
proxy_authname: cyrus
proxy_password: 
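
The log lines in this message differ only in the mechanism field (`PLAIN+TLS`, `PLAIN`, `plaintext`) and in the SASL error code. The following is an added example, not part of the original thread: a small triage script for Cyrus `login:`/`badlogin:` syslog lines in the formats quoted in this thread. The function names, the severity labels and the notes are assumptions of the example; the sample lines are copied from the thread with the mail wraps undone.

```python
import re
from collections import Counter

# Log lines copied from this thread, with the mail client's line wraps undone.
SAMPLE_LOG = """\
Apr 20 11:04:38 server1 imap[17729]: badlogin: localhost.localdomain [127.0.0.1] DIGEST-MD5 [SASL(-13): user not found: no secret in database]
Apr 20 17:42:14 server1  imap[1458]: login: server1.sub1.domain.com [10.12.12.12] cyrus plaintext User logged in
Apr 20 17:42:52 server2 imap[24375]: badlogin: server1.sub1.domain.com [10.12.12.12] PLAIN [SASL(-4): no mechanism available: security flags do not match required]
Apr 20 17:42:55 server1  imap[1458]: couldn't authenticate to backend server: authentication failure
Apr 25 16:08:33 server2 imap[10683]: login: server1.sub1.domain.com [10.248.176.34] cyrus PLAIN+TLS User logged in
"""

# Only the two line shapes shown in the thread are handled:
#   login:    <peer> [<ip>] <user> <mechanism> User logged in
#   badlogin: <peer> [<ip>] <mechanism> [SASL(<code>): <text>]
LINE_RE = re.compile(
    r"^(?P<when>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"imap\[\d+\]:\s+(?P<event>login|badlogin):\s+"
    r"(?P<peer>\S+)\s+\[(?P<ip>[^\]]+)\]\s+(?P<rest>.*)$"
)
SASL_RE = re.compile(r"SASL\((-?\d+)\):\s*(.*?)\]?$")


def parse_line(line):
    """Return a dict for a login/badlogin line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("when", "host", "event", "peer", "ip")}
    rest = m.group("rest")
    tokens = rest.split()
    if not tokens:
        return None
    rec.update(user=None, sasl_code=None, detail="")
    if rec["event"] == "login":
        if len(tokens) < 2:
            return None
        rec["user"], rec["mech"] = tokens[0], tokens[1]
    else:
        rec["mech"] = tokens[0]
        s = SASL_RE.search(rest)
        if s:
            rec["sasl_code"], rec["detail"] = int(s.group(1)), s.group(2)
    return rec


def classify(rec, admins=("cyrus", "support")):
    """Map one parsed record to (severity, note). Labels are this example's own."""
    mech = rec["mech"]
    if rec["event"] == "login":
        if mech.upper().endswith("+TLS"):
            return "ok", "credentials were sent inside TLS"
        if mech.lower() == "plaintext" or mech.upper() in ("PLAIN", "LOGIN"):
            # 'admins' mirrors the 'admins: cyrus support' line in imapd.conf.
            sev = "high" if rec["user"] in admins else "medium"
            return sev, "password was sent without TLS"
        return "info", "login without TLS using a non-plaintext mechanism"
    if rec["sasl_code"] == -4:
        return "config", "mechanism refused; per the thread, PLAIN needs TLS and a certificate"
    if rec["sasl_code"] == -13:
        return "config", "no stored secret for this mechanism (sasldb2 missing or empty)"
    return "info", "failed login"


def triage(text, admins=("cyrus", "support")):
    """Parse every line of text and attach severity and note to each match."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rec["severity"], rec["note"] = classify(rec, admins)
        findings.append(rec)
    return findings


def summary(findings):
    """Count findings per severity."""
    return Counter(f["severity"] for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']:<7}{f['host']:<9}{f['mech']:<11}{f['note']}")
```
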

Re: does xfer require murder?

2006-04-21 Thread Perry Brown
Sorry to keep bugging everyone on this but it seems I am close I'm just 
overlooking something obvious.


I looked through the config on the hosts and we are using pam.


I changed the imapd.conf a little
defaultpartition: imap1
configdirectory: /var/imap
partition-imap1: /var/spool/imap1
admins: cyrus support
srvtab: /var/imap/srvtab
quotawarn: 85
popminpoll: 0
autocreatequota: 3
sasl_pwcheck_method: saslauthd
lmtp_over_quota_perm_failure: 1
allowusermoves: yes
proxy_authname: cyrus
proxy_password: password
force_sasl_client_mech: LOGIN PLAIN


Imtest looks to work Ok with Login

server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -p imap -m login
WARNING: no hostname supplied, assuming localhost

S: * OK server1.sub1.domain.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS 
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY 
SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=GSSAPI 
AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE

S: C01 OK Completed
Please enter your password:
C: L01 LOGIN cyrus {8}
S: + go ahead
C: omitted
S: L01 OK User logged in
Authenticated.
Security strength factor: 0

This works to the localhost as well as to server2.

I try the xfer from server1 to server2:

server1.sub1% /opt/mail/cyrus-imapd/bin/cyradm --user cyrus --server 
server1.sub1 --auth login

IMAP Password:
 server1.sub1.domain.com
server1.sub1.domain.com xfer user.vbperry server2.sub2
xfermailbox: Server(s) unavailable to complete operation

the log from server2 shows:
Apr 21 12:56:31  server2 imap[27408]: badlogin: server1.sub1.domain.com 
[10.12.12.12] PLAIN [SASL(-4): no mechanism available: security flags do not 
match required]


/etc/sysconfig/saslauthd
MECH=pam
FLAGS=${FLAGS:=}

Is there a doc on the sysconfig/saslauthd flags? I looked through the docs 
that came with cyrus-imap and cyrus-sasl and did not find anything.


From server1 I can log into server2 with imtest, testsaslauthd works OK as 
well. What security flags do not match? Is there a way to kick up the 
verbosity of the logging to see if that would give a clue?



Perry



I tried with plain: /opt/mail/cyrus-imapd/bin/imtest -m plain -p imap

And it got rejected.

C: A01 AUTHENTICATE PLAIN Y3lyaW1hcABjeXJpbWFwAGpTdXZTMTFz
S: A01 NO no mechanism available
Authentication failed. generic failure
Security strength factor: 0


I can not find a tls conf file so I do not think starttls is set up.

I added the entry mentioned to imapd.conf
$ cat /etc/imapd.conf
defaultpartition: imap1
configdirectory: /var/imap
partition-imap1: /var/spool/imap1
admins: cyrus support
srvtab: /var/imap/srvtab
quotawarn: 85
popminpoll: 0
autocreatequota: 3
sasl_pwcheck_method: saslauthd
lmtp_over_quota_perm_failure: 1
allowusermoves: yes
proxy_authname: cyrus
proxy_password: password
force_sasl_client_mech: PLAIN

And it gets things further along than before

$ sudo /opt/mail/cyrus-imapd/bin/cyradm --user cyrus --server server1 
--auth PLAIN

domain.com authorized use only. [EMAIL PROTECTED] Password:
Password:
IMAP Password:
 server1.sub1.domain.com
server1.sub1.domain.com xfer user.vbperry server2.sub2.domain.com
xfermailbox: Server(s) unavailable to complete operation

log on source:

Apr 20 17:42:05 server1 imap[1458]: accepted connection
Apr 20 17:42:07 server1 imap[1458]: badlogin: server1.ssub1.domain.com 
[10.12.12.12] PLAIN [SASL(-4): no mechanism available: security flags do 
not match required]
Apr 20 17:42:14 server1  imap[1458]: login: server1.sub1.domain.com 
[10.12.12.12] cyrus plaintext User logged in

Apr 20 17:42:41 server1  master[27630]: process 32354 exited, status 0
Apr 20 17:42:41 server1  master[2161]: about to exec 
/opt/mail/cyrus-imapd/bin/imapd

Apr 20 17:42:41 server1  imap[2161]: executed
Apr 20 17:42:55 server1  imap[1458]: couldn't authenticate to backend 
server: authentication failure
Apr 20 17:42:55 server1  imap[1458]: Could not move mailbox: user.vbperry, 
Initial backend connect failed




But I'm now at least seeing something on the destination server:

Apr 20 17:42:52 server2 imap[24375]: badlogin: server1.sub1.domain.com 
[10.12.12.12] PLAIN [SASL(-4): no mechanism available: security flags do 
not match required]



If I can take a step back (sorry I'm trying to decipher how the previous 
admin had things set up in the environment). The document on how this was 
set up states.



cyrus-sasl was config'ed with

./configure --prefix=/opt/mail/cyrus-sasl \
   --enable-login --enable-plain --enable-cram \
   --enable-digest --with-bdb-incdir=/usr/include/db4 \
   --with-pam --enable-static=yes --enable-sample \
   --disable-java --disable-otp --disable-krb4 \
   --with-plugindir=/opt/mail/cyrus-sasl/lib/sasl2

The cyrus-sasl cyrus.conf states:
srvtab: /var/imap/srvtab  seems I could remove this since kerberos is 
disabled above.

pwcheck_method: saslauthd


saslauthd is 

Re: does xfer require murder?

2006-04-21 Thread Patrick Radtke

Basically:

Cyrus Imapd uses a SASL mechanism to talk between cyrus machines.
The SASL mechanism you are using is PLAIN (I don't think LOGIN is a 
SASL mechanism, it's IMAP specific)

PLAIN requires TLS
TLS requires certificates.
You don't have certificates.

if
imtest -t  -m PLAIN -a cyrus -u cyrus servername

does not work, then xfer never will.


Get a cert! :)

-Patrick
On Apr 21, 2006, at 4:30 PM, Perry Brown wrote:

Sorry to keep bugging everyone on this but it seems I am close I'm 
just overlooking something obvious.


I looked through the config on the hosts and we are using pam.


I changed the imapd.conf a little
defaultpartition: imap1
configdirectory: /var/imap
partition-imap1: /var/spool/imap1
admins: cyrus support
srvtab: /var/imap/srvtab
quotawarn: 85
popminpoll: 0
autocreatequota: 3
sasl_pwcheck_method: saslauthd
lmtp_over_quota_perm_failure: 1
allowusermoves: yes
proxy_authname: cyrus
proxy_password: password
force_sasl_client_mech: LOGIN PLAIN


Imtest looks to work Ok with Login

server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -p imap -m login
WARNING: no hostname supplied, assuming localhost

S: * OK server1.sub1.domain.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX- 
REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN  
MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES  
ANNOTATEMORE IDLE AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR  
LISTEXT LIST-SUBSCRIBED X-NETSCAPE

S: C01 OK Completed
Please enter your password:
C: L01 LOGIN cyrus {8}
S: + go ahead
C: omitted
S: L01 OK User logged in
Authenticated.
Security strength factor: 0

This works to the localhost as well as to server2.

I try the xfer from server1 to server2:

server1.sub1% /opt/mail/cyrus-imapd/bin/cyradm --user cyrus --server 
server1.sub1 --auth login

IMAP Password:
 server1.sub1.domain.com
server1.sub1.domain.com xfer user.vbperry server2.sub2
xfermailbox: Server(s) unavailable to complete operation

the log from server2 shows:
Apr 21 12:56:31  server2 imap[27408]: badlogin:  
server1.sub1.domain.com [10.12.12.12] PLAIN [SASL(-4): no mechanism  
available: security flags do not match required]


/etc/sysconfig/saslauthd
MECH=pam
FLAGS=${FLAGS:=}

Is there a doc on the sysconfig/saslauthd flags? I looked through  
the docs that came with cyrus-imap and cyrus-sasl and did not find  
anything.


From server1 I can log into server2 with imtest, testsaslauthd  
works OK as
well. What security flags do not match? Is there a way to kick up  
the verbosity of the logging to see if that would give a clue?



Perry



I tried with plain: /opt/mail/cyrus-imapd/bin/imtest -m plain -p imap

And it got rejected.

C: A01 AUTHENTICATE PLAIN Y3lyaW1hcABjeXJpbWFwAGpTdXZTMTFz
S: A01 NO no mechanism available
Authentication failed. generic failure
Security strength factor: 0


I can not find a tls conf file so I do not think starttls is set up.

I added the entry mentioned to imapd.conf
$ cat /etc/imapd.conf
defaultpartition: imap1
configdirectory: /var/imap
partition-imap1: /var/spool/imap1
admins: cyrus support
srvtab: /var/imap/srvtab
quotawarn: 85
popminpoll: 0
autocreatequota: 3
sasl_pwcheck_method: saslauthd
lmtp_over_quota_perm_failure: 1
allowusermoves: yes
proxy_authname: cyrus
proxy_password: password
force_sasl_client_mech: PLAIN

And it gets things further along than before

$ sudo /opt/mail/cyrus-imapd/bin/cyradm --user cyrus --server  
server1 --auth PLAIN

domain.com authorized use only. [EMAIL PROTECTED] Password:
Password:
IMAP Password:
 server1.sub1.domain.com
server1.sub1.domain.com xfer user.vbperry server2.sub2.domain.com
xfermailbox: Server(s) unavailable to complete operation

log on source:

Apr 20 17:42:05 server1 imap[1458]: accepted connection
Apr 20 17:42:07 server1 imap[1458]: badlogin:  
server1.ssub1.domain.com [10.12.12.12] PLAIN [SASL(-4): no  
mechanism available: security flags do not match required]
Apr 20 17:42:14 server1  imap[1458]: login:  
server1.sub1.domain.com [10.12.12.12] cyrus plaintext User logged in
Apr 20 17:42:41 server1  master[27630]: process 32354 exited,  
status 0
Apr 20 17:42:41 server1  master[2161]: about to exec /opt/mail/ 
cyrus-imapd/bin/imapd

Apr 20 17:42:41 server1  imap[2161]: executed
Apr 20 17:42:55 server1  imap[1458]: couldn't authenticate to  
backend server: authentication failure
Apr 20 17:42:55 server1  imap[1458]: Could not move mailbox:  
user.vbperry, Initial backend connect failed




But I'm now at least seeing something on the destination server:

Apr 20 17:42:52 server2 imap[24375]: badlogin:  
server1.sub1.domain.com [10.12.12.12] PLAIN [SASL(-4): no  
mechanism available: security flags do not match required]



If I can take a step back (sorry I'm trying to decipher how the  
previous admin had things set up in the environment). The document  
on how this was set up states.



cyrus-sasl was config'ed with

./configure 
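
The chain stated in this reply (PLAIN requires TLS, TLS requires certificates) can be checked against `imapd.conf` before trying another xfer. The following is an added example, not part of the original thread and not Cyrus code: it audits the `imapd.conf` variants posted in this thread, reduced to the relevant keys. The function names and finding codes are assumptions of the example.

```python
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# imapd.conf excerpts as posted in this thread (only the relevant keys kept).
CONF_APR19 = """\
admins: cyrus support
sasl_pwcheck_method: saslauthd
allowusermoves:yes
proxy_authname: cyrus
proxy_password: password
proxyservers: cyrus
"""

CONF_APR20 = """\
admins: cyrus support
sasl_pwcheck_method: saslauthd
allowusermoves: yes
proxy_authname: cyrus
proxy_password: password
force_sasl_client_mech: PLAIN
"""

CONF_APR25 = """\
admins: cyrus support
sasl_pwcheck_method: saslauthd
allowusermoves: yes
proxy_authname: cyrus
proxy_password: password
force_sasl_client_mech: plain login
tls_cert_file: /local/imap/server1.sub1.domain.com.pem
tls_key_file: /local/imap/server1.sub1.domain.com.pem
"""


def parse_imapd_conf(text):
    """Parse 'key: value' lines; keys are lower-cased, comments and blanks skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip().lower()] = value.strip()
    return conf


def audit(conf):
    """Return a list of (code, message) findings for one parsed imapd.conf."""
    findings = []
    mechs = {m.upper() for m in conf.get("force_sasl_client_mech", "").split()}
    has_tls = bool(conf.get("tls_cert_file")) and bool(conf.get("tls_key_file"))

    if not mechs:
        # The thread: without force_sasl_client_mech the machines see GSSAPI
        # advertised and try that first.
        findings.append(("mech-not-forced",
                         "force_sasl_client_mech unset; the peer's advertised list decides"))
    plaintext = sorted(mechs & PLAINTEXT_MECHS)
    if plaintext and not has_tls:
        # The thread: PLAIN requires TLS, TLS requires certificates.
        findings.append(("plaintext-without-tls",
                         "%s forced but tls_cert_file/tls_key_file not set"
                         % "/".join(plaintext)))
    secrets = sorted(k for k, v in conf.items() if k.endswith("_password") and v)
    if secrets:
        findings.append(("cleartext-secret",
                         "%s stored in the file; keep imapd.conf readable "
                         "by the cyrus user only" % ", ".join(secrets)))
    return findings


def codes(text):
    """Convenience wrapper: finding codes for a raw imapd.conf string."""
    return [code for code, _ in audit(parse_imapd_conf(text))]


if __name__ == "__main__":
    for name, text in (("19 Apr", CONF_APR19), ("20 Apr", CONF_APR20),
                       ("25 Apr", CONF_APR25)):
        print(name)
        for code, msg in audit(parse_imapd_conf(text)):
            print("  %-22s %s" % (code, msg))
```

The 25 April configuration passes the TLS check, yet the thread reports the xfer connection still logging PLAIN rather than PLAIN+TLS, so the server log remains the place to confirm what was negotiated.
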

Re: does xfer require murder?

2006-04-20 Thread Ken Murchison

Perry Brown wrote:

Thanks for the imtest idea.

It looks like I can log in OK.


server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -m login -p imap 
server2.sub2.domain.com


Force imtest to use one of the SASL mechanisms that are listed.  The 
backends *only* use SASL, not protocol specific login commands (IMAP 
LOGIN, POP3 USER/PASS, NNTP AUTHINFO USER/PASS).




S: * OK server2.sub2.domain.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS 
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND 
BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE 
AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT 
LIST-SUBSCRIBED X-NETSCAPE

S: C01 OK Completed
Please enter your password:
C: L01 LOGIN cyrus {8}
S: + go ahead
C: omitted
S: L01 OK User logged in
Authenticated.
Security strength factor: 0
CAPABILITY
* BAD Invalid tag
LIST
* BAD Invalid tag
list
* BAD Invalid tag


It looks like the cyrus account gets authenticated OK.




Andrew Morgan wrote:

On Wed, 19 Apr 2006, Ken Murchison wrote:


Perry Brown wrote:


Here is what my imapd.conf looks like:

defaultpartition: imap1
configdirectory: /var/imap
partition-imap1: /var/spool/imap1
admins: cyrus support
srvtab: /var/imap/srvtab
quotawarn: 85
popminpoll: 0
autocreatequota: 3
sasl_pwcheck_method: saslauthd
lmtp_over_quota_perm_failure: 1
allowusermoves:yes
proxy_authname: cyrus
proxy_password: password
proxyservers: cyrus


Just tested XFER on 2.2.13 and it works fine.  Your problem is that 
you've specified the password for a machine named 'proxy'.  
Presumably, you want:


server1_password: password
server2_password: password

on the respective machines


I have a test murder environment running with v2.2.12.  I've been 
using proxy_authname and proxy_password on my frontend server just 
fine.  The man page says that those parameters set the defaults for 
connecting to a backend, but they can be overridden with hostname 
specific versions.


Hmm.  You're right.  Then I'd try using imtest to connect to the 
backends using the proxy_authname and proxy_password to see what it 
complains about.



--
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University




Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html




--
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University



Re: does xfer require murder?

2006-04-20 Thread Perry Brown





Perry Brown wrote:

Thanks for the imtest idea.

It looks like I can log in OK.


server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -m login -p imap 
server2.sub2.domain.com


Force imtest to use one of the SASL mechanisms that are listed.  The 
backends *only* use SASL, not protocol specific login commands (IMAP LOGIN, 
POP3 USER/PASS, NNTP AUTHINFO USER/PASS).




I'm sorry I got my dunce cap on today or something.

Should I change the -m login to -m and one of the AUTH= values from the 
CAPABILITY output?

ie  -m GSSAPI? or digest-md5 etc...


I gave this a try with GSSAPI, and got nothing.

digest-md5,

server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -m digest-md5
WARNING: no hostname supplied, assuming localhost

S: * OK server1.sub1.domain.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS 
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY 
SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=GSSAPI 
AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE

S: C01 OK Completed
C: A01 AUTHENTICATE DIGEST-MD5
S:
wkrnfjknf (etc list of characters)
Please enter your password: (I enter passwd for cyrus)
C: dXNlcm5h (another long list of characters)
S: A01 NO user not found
Authentication failed. generic failure
Security strength factor: 128


This is what I see in local6.log on server1.sub1

Apr 20 11:04:32 server1 imap[17729]: accepted connection
Apr 20 11:04:38 server1 imap[17729]: badlogin: localhost.localdomain 
[127.0.0.1] DIGEST-MD5 [SASL(-13): user not found: no secret in database]


This is in the auth.log
Apr 20 11:06:26 server1 imap[15971]: unable to open Berkeley db 
/etc/sasldb2: No such file or directory
Apr 20 11:06:26 server1 imap[15971]: unable to open Berkeley db 
/etc/sasldb2: No such file or directory

Apr 20 11:06:26 server1 imap[15971]: no secret in database



cram-md5 got me pretty much the same thing.

Is there a cyrus or sasl command I should/can run to get the auth for 
digest-md5 working?



Perry






S: * OK server2.sub2.domain.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS 
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY 
SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=GSSAPI 
AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE

S: C01 OK Completed
Please enter your password:
C: L01 LOGIN cyrus {8}
S: + go ahead
C: omitted
S: L01 OK User logged in
Authenticated.
Security strength factor: 0
CAPABILITY






Re: does xfer require murder?

2006-04-20 Thread Andrew Morgan

On Thu, 20 Apr 2006, Perry Brown wrote:


I'm sorry I got my dunce cap on today or something.

Should I change the -m login to -m and one of the AUTH= values from the 
CAPABILITY output?

ie  -m GSSAPI? or digest-md5 etc...


Maybe -m plain?

Andy



Re: does xfer require murder?

2006-04-20 Thread Perry Brown










Perry Brown wrote:

Thanks for the imtest idea.

It looks like I can log in OK.


server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -m login -p imap 
server2.sub2.domain.com


Force imtest to use one of the SASL mechanisms that are listed.  The 
backends *only* use SASL, not protocol specific login commands (IMAP 
LOGIN, POP3 USER/PASS, NNTP AUTHINFO USER/PASS).




I'm sorry I got my dunce cap on today or something.

Should I change the -m login to -m and one of the AUTH= values from the 
CAPABILITY output?

ie  -m GSSAPI? or digest-md5 etc...

Andy Morgan wrote:
Maybe -m plain?


thank you for the suggestion Andy but no luck.

server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -m plain -p imap
WARNING: no hostname supplied, assuming localhost

S: * OK server1.sub1.domain.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS 
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY 
SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=GSSAPI 
AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE

S: C01 OK Completed
Please enter your password:
C: A01 AUTHENTICATE PLAIN Y3lyaW1hcABjeXJpbWFwAGpTdXZTMTFz
S: A01 NO no mechanism available
Authentication failed. generic failure
Security strength factor: 0




I gave this a try with GSSAPI, and got nothing.

digest-md5,

server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -m digest-md5
WARNING: no hostname supplied, assuming localhost

S: * OK server1.sub1.domain.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS 
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY 
SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=GSSAPI 
AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE

S: C01 OK Completed
C: A01 AUTHENTICATE DIGEST-MD5
S:
wkrnfjknf (etc list of characters)
Please enter your password: (I enter passwd for cyrus)
C: dXNlcm5h (another long list of characters)
S: A01 NO user not found
Authentication failed. generic failure
Security strength factor: 128


This is what I see in local6.log on server1.sub1

Apr 20 11:04:32 server1 imap[17729]: accepted connection
Apr 20 11:04:38 server1 imap[17729]: badlogin: localhost.localdomain 
[127.0.0.1] DIGEST-MD5 [SASL(-13): user not found: no secret in database]


This is in the auth.log
Apr 20 11:06:26 server1 imap[15971]: unable to open Berkeley db 
/etc/sasldb2: No such file or directory
Apr 20 11:06:26 server1 imap[15971]: unable to open Berkeley db 
/etc/sasldb2: No such file or directory

Apr 20 11:06:26 server1 imap[15971]: no secret in database



cram-md5 got me pretty much the same thing.

Is there a cyrus or sasl command I should/can run to get the auth for 
digest-md5 working?



Perry






S: * OK server2.sub2.domain.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS 
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND 
BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE 
AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED 
X-NETSCAPE

S: C01 OK Completed
Please enter your password:
C: L01 LOGIN cyrus {8}
S: + go ahead
C: omitted
S: L01 OK User logged in
Authenticated.
Security strength factor: 0
CAPABILITY






Re: does xfer require murder?

2006-04-20 Thread Patrick Radtke
You need to use tls as well for PLAIN to work.  add -t   to your  
arguments



What mechanism do you want to use for connecting between backends? If  
it's PLAIN then you want

force_sasl_client_mech: PLAIN

in your imapd.conf file.

Otherwise, the machines will see GSSAPI advertised and will try using  
that.


-Patrick





On Apr 20, 2006, at 5:19 PM, Perry Brown wrote:











Perry Brown wrote:

Thanks for the imtest idea.

It looks like I can log in OK.


server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -m login -p imap  
server2.sub2.domain.com


Force imtest to use one of the SASL mechanisms that are listed.   
The backends *only* use SASL, not protocol specific login  
commands (IMAP LOGIN, POP3 USER/PASS, NNTP AUTHINFO USER/PASS).




I'm sorry I got my dunce cap on today or something.

Should I change the -m login to -m and one of the AUTH= values  
from the CAPABILITY output?

ie  -m GSSAPI? or digest-md5 etc...

Andy Morgan wrote:
Maybe -m plain?


thank you for the suggestion Andy but no luck.

server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -m plain -p imap
WARNING: no hostname supplied, assuming localhost

S: * OK server1.sub1.domain.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX- 
REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN  
MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES  
ANNOTATEMORE IDLE AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR  
LISTEXT LIST-SUBSCRIBED X-NETSCAPE

S: C01 OK Completed
Please enter your password:
C: A01 AUTHENTICATE PLAIN Y3lyaW1hcABjeXJpbWFwAGpTdXZTMTFz
S: A01 NO no mechanism available
Authentication failed. generic failure
Security strength factor: 0




I gave this a try with GSSAPI, and got nothing.

digest-md5,

server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -m digest-md5
WARNING: no hostname supplied, assuming localhost

S: * OK server1.sub1.domain.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX- 
REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN  
MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES  
ANNOTATEMORE IDLE AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL- 
IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE

S: C01 OK Completed
C: A01 AUTHENTICATE DIGEST-MD5
S:
wkrnfjknf (etc list of characters)
Please enter your password: (I enter passwd for cyrus)
C: dXNlcm5h (another long list of characters)
S: A01 NO user not found
Authentication failed. generic failure
Security strength factor: 128


This is what I see in local6.log on server1.sub1

Apr 20 11:04:32 server1 imap[17729]: accepted connection
Apr 20 11:04:38 server1 imap[17729]: badlogin:  
localhost.localdomain [127.0.0.1] DIGEST-MD5 [SASL(-13): user not  
found: no secret in database]


This is in the auth.log
Apr 20 11:06:26 server1 imap[15971]: unable to open Berkeley db / 
etc/sasldb2: No such file or directory
Apr 20 11:06:26 server1 imap[15971]: unable to open Berkeley db / 
etc/sasldb2: No such file or directory

Apr 20 11:06:26 server1 imap[15971]: no secret in database



cram-md5 got me pretty much the same thing.

Is there a cyrus or sasl command I should/can run to get the auth  
for digest-md5 working?



Perry






S: * OK server2.sub2.domain.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX- 
REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT  
CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT  
THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=GSSAPI AUTH=DIGEST-MD5  
AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE

S: C01 OK Completed
Please enter your password:
C: L01 LOGIN cyrus {8}
S: + go ahead
C: omitted
S: L01 OK User logged in
Authenticated.
Security strength factor: 0
CAPABILITY






Re: does xfer require murder?

2006-04-20 Thread Perry Brown

I tried with plain: /opt/mail/cyrus-imapd/bin/imtest -m plain -p imap

And it got rejected.

C: A01 AUTHENTICATE PLAIN Y3lyaW1hcABjeXJpbWFwAGpTdXZTMTFz
S: A01 NO no mechanism available
Authentication failed. generic failure
Security strength factor: 0


I can not find a tls conf file so I do not think starttls is set up.

I added the entry mentioned to imapd.conf
$ cat /etc/imapd.conf
defaultpartition: imap1
configdirectory: /var/imap
partition-imap1: /var/spool/imap1
admins: cyrus support
srvtab: /var/imap/srvtab
quotawarn: 85
popminpoll: 0
autocreatequota: 3
sasl_pwcheck_method: saslauthd
lmtp_over_quota_perm_failure: 1
allowusermoves: yes
proxy_authname: cyrus
proxy_password: password
force_sasl_client_mech: PLAIN

And it gets things further along than before

$ sudo /opt/mail/cyrus-imapd/bin/cyradm --user cyrus --server server1 --auth 
PLAIN

domain.com authorized use only. [EMAIL PROTECTED] Password:
Password:
IMAP Password:
 server1.sub1.domain.com
server1.sub1.domain.com xfer user.vbperry server2.sub2.domain.com
xfermailbox: Server(s) unavailable to complete operation

log on source:

Apr 20 17:42:05 server1 imap[1458]: accepted connection
Apr 20 17:42:07 server1 imap[1458]: badlogin: server1.ssub1.domain.com 
[10.12.12.12] PLAIN [SASL(-4): no mechanism available: security flags do not 
match required]
Apr 20 17:42:14 server1  imap[1458]: login: server1.sub1.domain.com 
[10.12.12.12] cyrus plaintext User logged in

Apr 20 17:42:41 server1  master[27630]: process 32354 exited, status 0
Apr 20 17:42:41 server1  master[2161]: about to exec 
/opt/mail/cyrus-imapd/bin/imapd

Apr 20 17:42:41 server1  imap[2161]: executed
Apr 20 17:42:55 server1  imap[1458]: couldn't authenticate to backend 
server: authentication failure
Apr 20 17:42:55 server1  imap[1458]: Could not move mailbox: user.vbperry, 
Initial backend connect failed




But I'm now at least seeing something on the destination server:

Apr 20 17:42:52 server2 imap[24375]: badlogin: server1.sub1.domain.com 
[10.12.12.12] PLAIN [SASL(-4): no mechanism available: security flags do not 
match required]



If I can take a step back (sorry I'm trying to decipher how the previous 
admin had things set up in the environment). The document on how this was 
set up states.



cyrus-sasl was config'ed with

./configure --prefix=/opt/mail/cyrus-sasl \
   --enable-login --enable-plain --enable-cram \
   --enable-digest --with-bdb-incdir=/usr/include/db4 \
   --with-pam --enable-static=yes --enable-sample \
   --disable-java --disable-otp --disable-krb4 \
   --with-plugindir=/opt/mail/cyrus-sasl/lib/sasl2

The cyrus-sasl cyrus.conf states:
srvtab: /var/imap/srvtab  seems I could remove this since kerberos is 
disabled above.

pwcheck_method: saslauthd


saslauthd is started with pam support:
root  2060  0.0  0.0  2564 1036 ?  S  Apr14   0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam


There is /etc/pam.d/imap and pop3 with the following content..
#%PAM-1.0
auth       required /lib/security/pam_stack.so service=system-auth
account    required /lib/security/pam_stack.so service=system-auth

Cyrus-imap was compiled with (again what is in the notes from install from 
previous admin)


 CFLAGS=-I/usr/kerberos/include ./configure --prefix=/opt/mail/cyrus-imapd \
   --with-cyrus-prefix=/opt/mail/cyrus-imapd \
   --with-cyrus-user=cyrimap \
   --with-cyrus-group=mail \
   --with-bdb-incdir=/usr/include/db4 \
   --build=i686-pc-linux-gnu \
   --with-sasl=/opt/mail/cyrus-sasl \
   --with-auth=unix \
   --enable-netscapehack \
   --enable-listext \
   --with-perl=/opt/third-party/bin/perl \
   --disable-murder


I can run a testsaslauthd and it works fine to the local host

server1.sub1% /usr/sbin/testsaslauthd -u cyrus -p password -R 3
0: OK Success.
1: OK Success.
2: OK Success.

It seems I do not need to have a realm defined because we are using pam.
and if I do a sasldbpasswd2 it says /etc/sasldb2 does not exist. This does not 
seem to be the problem though since saslauthd is using pam. yes?


When I login into cyradm again locally with --auth plain I can do commands 
like listmailbox and such. I  can't seem to be able to run info I just go 
back to the prompt on that one.


What should my security flags be? What am I missing?

Thank you
perry



You need to use tls as well for PLAIN to work.  add -t to your arguments



What mechanism do you want to use for connecting between backends? If it's 
PLAIN then you want

force_sasl_client_mech: PLAIN

in your imapd.conf file.

Otherwise, the machines will see GSSAPI advertised and will try using that.


-Patrick





On Apr 20, 2006, at 5:19 PM, Perry Brown wrote:

Perry Brown wrote:

Thanks for the imtest idea.

It looks like I can log in OK.


server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -m login -p imap server2.sub2.domain.com


Force imtest to use one of the SASL mechanisms that are listed.   The 
backends *only* use SASL, not protocol specific login  

Re: does xfer require murder?

2006-04-19 Thread Ken Murchison

Perry Brown wrote:


Here is what my imapd.conf looks like:

defaultpartition: imap1
configdirectory: /var/imap
partition-imap1: /var/spool/imap1
admins: cyrus support
srvtab: /var/imap/srvtab
quotawarn: 85
popminpoll: 0
autocreatequota: 3
sasl_pwcheck_method: saslauthd
lmtp_over_quota_perm_failure: 1
allowusermoves:yes
proxy_authname: cyrus
proxy_password: password
proxyservers: cyrus


Just tested XFER on 2.2.13 and it works fine.  Your problem is that 
you've specified the password for a machine named 'proxy'.  Presumably, 
you want:


server1_password: password
server2_password: password

on the respective machines

--
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University

Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
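
The settings this thread works through for backend-to-backend XFER can be checked mechanically. The following is an added example, not code from the Cyrus project or from any poster: a small Python lint for one server's imapd.conf. The function names, finding codes, the `peer_short_names` parameter and the sample configs (modelled on the ones posted, with a placeholder certificate path) are assumptions of this example.

```python
"""Lint an imapd.conf for the backend-to-backend XFER settings raised in this thread."""

TRUE_VALUES = {"yes", "on", "true", "t", "1"}   # boolean spellings this example accepts
PASSWORD_MECHS = {"PLAIN", "LOGIN"}             # mechanisms that send the password itself
KERBEROS_MECHS = {"GSSAPI", "KERBEROS_V4"}


def parse_imapd_conf(text):
    """Return {option: value}. Accepts 'key: value' and 'key:value'; skips comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip().lower()] = value.strip()
    return conf


def lint_xfer_config(text, peer_short_names=()):
    """Return a list of (code, message) findings for one server's imapd.conf.

    peer_short_names (hypothetical parameter): short host names of the other
    backends, used to look for <host>_password overrides.
    """
    conf = parse_imapd_conf(text)
    admins = conf.get("admins", "").split()
    mechs = [m.upper() for m in conf.get("force_sasl_client_mech", "").split()]
    findings = []

    if conf.get("allowusermoves", "no").lower() not in TRUE_VALUES:
        findings.append(("MOVES_DISABLED", "allowusermoves is not enabled"))

    # The account the backends use to reach each other must be a full admin.
    authname = conf.get("proxy_authname")
    if not authname:
        findings.append(("NO_AUTHNAME", "proxy_authname is not set"))
    elif authname not in admins:
        findings.append(("AUTHNAME_NOT_ADMIN", f"{authname} is missing from admins"))

    # proxy_password is the default; <host>_password overrides it per peer.
    uncovered = [h for h in peer_short_names if f"{h.lower()}_password" not in conf]
    if "proxy_password" not in conf and (uncovered or not peer_short_names):
        findings.append(("NO_PASSWORD", "no proxy_password or <host>_password for every peer"))

    if not mechs:
        findings.append(("MECH_NOT_FORCED",
                         "force_sasl_client_mech unset; an advertised GSSAPI may be tried first"))
    # Thread's rule: PLAIN needs TLS, and TLS needs a certificate and key.
    if PASSWORD_MECHS.intersection(mechs):
        missing = [k for k in ("tls_cert_file", "tls_key_file") if not conf.get(k)]
        if missing:
            findings.append(("PLAIN_WITHOUT_TLS",
                             "PLAIN/LOGIN forced but unset: " + ", ".join(missing)))
    if mechs and "srvtab" in conf and not KERBEROS_MECHS.intersection(mechs):
        findings.append(("SRVTAB_UNUSED", "srvtab is set although no Kerberos mechanism is forced"))

    # proxyservers entries may log in as any user, so they should not also be admins.
    both = sorted(set(conf.get("proxyservers", "").split()) & set(admins))
    if both:
        findings.append(("PROXY_IS_ADMIN",
                         "listed in both proxyservers and admins: " + " ".join(both)))
    return findings


def finding_codes(text, peer_short_names=()):
    """Just the finding codes, in the order the checks ran."""
    return [code for code, _ in lint_xfer_config(text, peer_short_names)]


# Constructed samples modelled on the configs posted in the thread.
AS_POSTED = """\
defaultpartition: imap1
admins: cyrus support
srvtab: /var/imap/srvtab
sasl_pwcheck_method: saslauthd
allowusermoves: yes
proxy_authname: cyrus
proxy_password: password
"""
WITH_PLAIN = AS_POSTED.replace("allowusermoves: yes", "allowusermoves:yes") + (
    "force_sasl_client_mech: PLAIN\nproxyservers: cyrus\n")
# Placeholder certificate path, not a path from the thread.
WITH_TLS = WITH_PLAIN.replace("srvtab: /var/imap/srvtab\n", "").replace(
    "proxyservers: cyrus\n", "") + (
    "tls_cert_file: /path/to/server.pem\ntls_key_file: /path/to/server.pem\n")

if __name__ == "__main__":
    for name, sample in (("as posted", AS_POSTED), ("with PLAIN", WITH_PLAIN),
                         ("with TLS", WITH_TLS)):
        print(name, "->", finding_codes(sample) or "no findings")
```

The lint only reads the file; it does not confirm that the certificate is valid or that the peer offers STARTTLS, which is what the imtest -t run in the thread checks.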


Re: does xfer require murder?

2006-04-19 Thread Andrew Morgan

On Wed, 19 Apr 2006, Ken Murchison wrote:


Perry Brown wrote:


Here is what my imapd.conf looks like:

defaultpartition: imap1
configdirectory: /var/imap
partition-imap1: /var/spool/imap1
admins: cyrus support
srvtab: /var/imap/srvtab
quotawarn: 85
popminpoll: 0
autocreatequota: 3
sasl_pwcheck_method: saslauthd
lmtp_over_quota_perm_failure: 1
allowusermoves:yes
proxy_authname: cyrus
proxy_password: password
proxyservers: cyrus


Just tested XFER on 2.2.13 and it works fine.  Your problem is that you've 
specified the password for a machine named 'proxy'.  Presumably, you want:


server1_password: password
server2_password: password

on the respective machines


I have a test murder environment running with v2.2.12.  I've been using 
proxy_authname and proxy_password on my frontend server just fine.  The 
man page says that those parameters set the defaults for connecting to a 
backend, but they can be overridden with hostname specific versions.


Andy



Re: does xfer require murder?

2006-04-19 Thread Ken Murchison

Andrew Morgan wrote:

On Wed, 19 Apr 2006, Ken Murchison wrote:


Perry Brown wrote:


Here is what my imapd.conf looks like:

defaultpartition: imap1
configdirectory: /var/imap
partition-imap1: /var/spool/imap1
admins: cyrus support
srvtab: /var/imap/srvtab
quotawarn: 85
popminpoll: 0
autocreatequota: 3
sasl_pwcheck_method: saslauthd
lmtp_over_quota_perm_failure: 1
allowusermoves:yes
proxy_authname: cyrus
proxy_password: password
proxyservers: cyrus


Just tested XFER on 2.2.13 and it works fine.  Your problem is that 
you've specified the password for a machine named 'proxy'.  
Presumably, you want:


server1_password: password
server2_password: password

on the respective machines


I have a test murder environment running with v2.2.12.  I've been using 
proxy_authname and proxy_password on my frontend server just fine.  The 
man page says that those parameters set the defaults for connecting to a 
backend, but they can be overridden with hostname specific versions.


Hmm.  You're right.  Then I'd try using imtest to connect to the 
backends using the proxy_authname and proxy_password to see what it 
complains about.



--
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University



Re: does xfer require murder?

2006-04-19 Thread Patrick Radtke


On Apr 19, 2006, at 12:54 PM, Ken Murchison wrote:


Andrew Morgan wrote:

On Wed, 19 Apr 2006, Ken Murchison wrote:

Perry Brown wrote:


Here is what my imapd.conf looks like:

defaultpartition: imap1
configdirectory: /var/imap
partition-imap1: /var/spool/imap1
admins: cyrus support
srvtab: /var/imap/srvtab
quotawarn: 85
popminpoll: 0
autocreatequota: 3
sasl_pwcheck_method: saslauthd
lmtp_over_quota_perm_failure: 1
allowusermoves:yes
proxy_authname: cyrus
proxy_password: password
proxyservers: cyrus


Just tested XFER on 2.2.13 and it works fine.  Your problem is  
that you've specified the password for a machine named 'proxy'.   
Presumably, you want:


server1_password: password
server2_password: password

on the respective machines
I have a test murder environment running with v2.2.12.  I've been  
using proxy_authname and proxy_password on my frontend server just  
fine.  The man page says that those parameters set the defaults  
for connecting to a backend, but they can be overridden with  
hostname specific versions.


Hmm.  You're right.  Then I'd try using imtest to connect to the  
backends using the proxy_authname and proxy_password to see what  
it complains about.


Also try testing it without the 'srvtab' line and with
force_sasl_client_mech: PLAIN

The machine might be trying to do some kerberos stuff and I'm  
thinking you just want to use PLAIN


-Patrick



Re: does xfer require murder?

2006-04-18 Thread Perry Brown
Please if anyone has any suggestions. I've been banging my head against a 
desk on this one.


perry




I thought nscd might have been tripping me up so I tried by IP address with 
the same results. Also thought it may be an issue with a firewall between 
these 2 hosts blocking a port so I tried 2 other cyrus servers that do not 
have a FW between them with the same result (anyone know what port(s) xfer 
uses?).


Any suggestions?

Thank you
Perry


I set up imapd.conf how I think it should be and restarted cyrus (even 
rebooted hosts). I log into the source server cyradm:
sudo cyradm --user cyrus --server server1.sub1.domain.amazon.com --auth plain


Run the xfer
server1.sub1.domain.com xfer user.vbperry server2.sub2.domain.com



And get:
xfermailbox: Server(s) unavailable to complete operation

This is in log on source:
Apr 14 15:08:15 server1 imap[3434]: couldn't authenticate to backend server: generic failure
Apr 14 15:08:15 server1 imap[3434]: Could not move mailbox: user.vbperry, Initial backend connect failed


This is on destination server:
Apr 14 15:08:15 server2 imap[3022]: accepted connection
Apr 14 15:08:15 server2 master[3125]: about to exec /opt/mail/cyrus-imapd/bin/imapd
Apr 14 15:08:15 server2 imap[3125]: executed

This is what the imapd.conf looks like on both servers.
defaultpartition: imap1
configdirectory: /var/imap
partition-imap1: /var/spool/imap1
admins: cyrus support
srvtab: /var/imap/srvtab
quotawarn: 85
popminpoll: 0
autocreatequota: 3
sasl_pwcheck_method: saslauthd
lmtp_over_quota_perm_failure: 1
allowusermoves: yes
proxy_authname: cyrus
proxy_password: password

The systems are in different subdomains sub1.domain.com and 
sub2.domain.com and when I tried to do the hostname_password option it did 
not like dots in the name so I did short names and added the 
sub#.domain.com to the resolv.conf so each host could ping by short name. 
I still got the error from above so I changed the imapd.conf entry 
servername_password to proxy_password since the cyrus account has the same 
password on both servers and still got the error above.



Any ideas what I am missing?

Thank you
Perry









Perry Brown wrote:
Thank you for the reply. Some follow up questions. (sorry to be so dense 
I'm making this change on production servers so wanted to make sure I've 
got it right).



SASL is running as: /usr/sbin/saslauthd -m /var/run/saslauthd -a pam

Our pam.d configs for both imap and pop look like
auth       required /lib/security/pam_stack.so service=system-auth
account    required /lib/security/pam_stack.so service=system-auth


Looking at the install-murder doc I should set up all the boxes like 
they were frontends? (I pasted in what I think will only apply to my 
set up from install-murder).




Additional backend configuration
If your authentication system requires usernames, passwords, etc, to 
authenticate (e.g. it isn't Kerberos), then you will also need to 
specify proxy_authname (and friends) in the backend imapd.confs as well. 
This is so that the backends can authenticate to eachother to facilitate 
maibox moves. (Backend machines will need to be full admins).


In short I just need to set up a common user account in the OS on each 
box and define the user as proxy_authname: and put the password for that 
account listed as host1_password: and host2_password etc


Correct.


Do I need to add this proxy_authname to imapd.conf admins: as well for 
the full admins requirement?


Yes.




Perry Brown wrote:

Hi All,

We are running cyrus-imap 2.2.8 and sasl 2.1.15. We have two RHEL 3 
servers with about 4800 users split between them.


I am looking to migrate the users to 2 new RHEL3 hosts with the same 
cyrus-imap and sasl versions. I added the allowusermoves to imapd.conf 
restarted cyrus and tried to do a test move.



host1.domain.com xfer user/ host2.domain.com
xfermailbox: Mailbox does not exist


Both cyrus-imap and cyrus-sasl were compiled with --enable-murder 
(least that is what my notes say is there a way to verify?), but it 
looks like murder has not been set up with a master or imapd.conf file 
changes.


Question, Is it possible to xfer a mailbox without configuring murder?


Yes and no.  You don't need mupdate, but the backends need to know how
to authenticate to each other.  Look at install-murder.html and take a
look at the stuff regarding authentication.  Also note that you can't
XFER the entire user/ hierarchy with one command, you have to do it one
user at a time.  Assuming that you're using unixhierarchysep, you would 
do:


xfer user/vbperry host2







--
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University





Re: does xfer require murder?

2006-04-18 Thread Patrick Radtke
what happens if you use cyradm to log into the second host from the  
first host using the proxy username and password?


I think xfer is going to connect on the imap port of the 2nd machine.

Is syslog in the debug level? if not, that might give you a better hint.

It seems that it's the connection from the 1st to second server that's 
tripping you up.


Do the two servers use the same source for authentication verification?

-Patrick

Re: does xfer require murder?

2006-04-18 Thread Andrew Morgan
I believe you are missing the proxyservers parameter on server2.  From the 
man page:


  proxy_authname: proxy
 The authentication name to use when authenticating to a backend
 server in the  Cyrus Murder.

  proxy_password: none
 The default password to use when authenticating to a backend server
 in the Cyrus Murder.  May be overridden on a host-specific basis
 using the hostname_password option.

  proxyservers: none
 A list of users and groups that are allowed to proxy for other users,
 seperated by spaces.  Any user listed in this will be allowed to
 login for any other user: use with caution.


On frontend servers, you would specify proxy_authname and proxy_password 
to define how the frontend server connects to the backend server.


On backend servers, you would specify proxyservers to list which usernames 
are allowed to proxy for other users.


So, on server2 I believe you need to specify proxyservers and on server1 
you need to specify proxy_authname and proxy_password.


Andy




Re: does xfer require murder?

2006-04-18 Thread Perry Brown

Hi Andy,

Thank you for the suggestion. I added

proxyservers: cyrus

to the imapd.conf and restarted cyrus (the doc says it should not be an 
admin but I'm just trying to get things working right now)


restarted and got the same error.


I think Patrick was on to something with running cyradm to the other host.

In my testing I am launching cyradm from server3. It can connect to server1 
and server2 with no problem. When I tried his suggestion of running cyradm 
from server1 to server2 I get:


Can't load '/opt/mail/cyrus-imapd/lib/perl-5.6.0/Linux-2.4c2.3-i686/auto/Cyrus/IMAP/IMAP.so' for module Cyrus::IMAP: libssl.so.0.9.7: cannot open shared object file: No such file or directory at /opt/software/depot/Linux-2.4c2.3-i686/perl-5.6.0/lib/perl-5.6.0/Linux-2.4c2.3-i686/DynaLoader.pm line 200.
at /opt/mail/cyrus-imapd/lib/perl-5.6.0/Linux-2.4c2.3-i686/Cyrus/IMAP/Admin.pm line 44
Compilation failed in require at /opt/mail/cyrus-imapd/lib/perl-5.6.0/Linux-2.4c2.3-i686/Cyrus/IMAP/Admin.pm line 44.
BEGIN failed--compilation aborted at /opt/mail/cyrus-imapd/lib/perl-5.6.0/Linux-2.4c2.3-i686/Cyrus/IMAP/Admin.pm line 44.
Compilation failed in require at /opt/mail/cyrus-imapd/lib/perl-5.6.0/Linux-2.4c2.3-i686/Cyrus/IMAP/Shell.pm line 60.
BEGIN failed--compilation aborted at /opt/mail/cyrus-imapd/lib/perl-5.6.0/Linux-2.4c2.3-i686/Cyrus/IMAP/Shell.pm line 60.
Compilation failed in require.
BEGIN failed--compilation aborted.



Does cyradm need to be able to run from one host to the other for this to 
work? I'm digging through the archives on the above errors to see if I can 
see what is going on.


Thank you
Perry




Re: does xfer require murder?

2006-04-18 Thread Andrew Morgan

On Tue, 18 Apr 2006, Perry Brown wrote:


Hi Andy,

Thank you for the suggestion. I added

proxyservers: cyrus

to the imapd.conf and restarted cyrus (the doc says it should not be an admin 
but I'm just trying to get things working right now)


restarted and got the same error.


I think Patrick was on to something with running cyradm to the other host.

In my testing I am launching cyradm from server3. It can connect to server1 
and server2 with no problem. When I tried his suggestion of running cyradm 
from server1 to server2 I get:


[snip]

Does imtest work from server1 to server2?  Your cyradm output looked like 
some sort of ssl library problem...


Andy



Re: does xfer require murder?

2006-04-18 Thread Perry Brown

I fixed the cyradm issue

$ ldd -r /opt/mail/cyrus-imapd/lib/perl-5.6.0/Linux-2.4c2.3-i686/auto/Cyrus/IMAP/IMAP.so

   libdb-4.1.so => /lib/libdb-4.1.so (0x009cf000)
   libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x009a5000)
   libssl.so.0.9.7 => not found
   libcrypto.so.0.9.7 => not found
   libc.so.6 => /lib/tls/libc.so.6 (0x00393000)
   libpthread.so.0 => /lib/tls/libpthread.so.0 (0x00daa000)
   libdl.so.2 => /lib/libdl.so.2 (0x00339000)
   libresolv.so.2 => /lib/libresolv.so.2 (0x00805000)
   libcrypt.so.1 => /lib/libcrypt.so.1 (0x00e11000)
   /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00e83000)

I linked libcrypto and libssl

libcrypto.so.0.9.7 -> libcrypto.so.0.9.7a
libssl.so.9.7 -> libssl.so.0.9.7a


ldd -r looks good now.
$ ldd -r /opt/mail/cyrus-imapd/lib/perl-5.6.0/Linux-2.4c2.3-i686/auto/Cyrus/IMAP/IMAP.so

   libdb-4.1.so => /lib/libdb-4.1.so (0x00e5d000)
   libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x007c3000)
   libssl.so.0.9.7 => /lib/libssl.so.0.9.7 (0x00746000)
   libcrypto.so.0.9.7 => /lib/libcrypto.so.0.9.7 (0x0013)
   libc.so.6 => /lib/tls/libc.so.6 (0x003b7000)
   libpthread.so.0 => /lib/tls/libpthread.so.0 (0x0035d000)
   libdl.so.2 => /lib/libdl.so.2 (0x00932000)
   libresolv.so.2 => /lib/libresolv.so.2 (0x00221000)
   libcrypt.so.1 => /lib/libcrypt.so.1 (0x00233000)
   libgssapi_krb5.so.2 => /usr/kerberos/lib/libgssapi_krb5.so.2 (0x00b4b000)
   libkrb5.so.3 => /usr/kerberos/lib/libkrb5.so.3 (0x0026)
   libcom_err.so.3 => /usr/kerberos/lib/libcom_err.so.3 (0x00d8b000)
   libk5crypto.so.3 => /usr/kerberos/lib/libk5crypto.so.3 (0x002c9000)
   libz.so.1 => /usr/lib/libz.so.1 (0x002eb000)
   /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00a1b000)


and cyradm from server1 and launch on server2

$ sudo /opt/mail/cyrus-imapd/bin/cyradm --user cyrus --server server2.sub2.domain.com --auth plain

Password:
IMAP Password:
 server2.sub2.domain.com
server2.sub2.domain.com help
authenticate, login, auth         authenticate to server
chdir, cd                         change current directory
createmailbox, cm, create         create mailbox
deleteaclmailbox, dam, deleteacl  remove ACLs from mailbox
deletemailbox, delete, dm         delete mailbox
disconnect, disc                  disconnect from current server
exit, quit                        exit cyradm
help, ?                           show commands
info                              display mailbox/server metadata
listacl, lam, listaclmailbox      list ACLs on mailbox
listmailbox, lm                   list mailboxes
listquota, lq                     list quotas on specified root
listquotaroot, lqr, lqm           show quota roots and quotas for mailbox
mboxcfg, mboxconfig               configure mailbox
reconstruct                       reconstruct mailbox (if supported)
renamemailbox, rename, renm       rename (and optionally relocate) mailbox
server, servername, connect       show current server or connect to server
setaclmailbox, setacl, sam        set ACLs on mailbox
setinfo                           set server metadata
setquota, sq                      set quota on mailbox or resource
version, ver                      display version info of current server
xfermailbox, xfer                 transfer (relocate) a mailbox to a different server

server2.sub2.domain.com listmailbox
user.test (\HasNoChildren)   user.testmail (\HasNoChildren)




I tried the xfer again and got the same errors.
server1.sub1.domain.com xfer user.vbperry server2.sub2.domain.com
xfermailbox: Server(s) unavailable to complete operation



couldn't authenticate to backend server: generic failure
Could not move mailbox: user.pbrown, Initial backend connect failed


Here is what my imapd.conf looks like:

defaultpartition: imap1
configdirectory: /var/imap
partition-imap1: /var/spool/imap1
admins: cyrus support
srvtab: /var/imap/srvtab
quotawarn: 85
popminpoll: 0
autocreatequota: 3
sasl_pwcheck_method: saslauthd
lmtp_over_quota_perm_failure: 1
allowusermoves:yes
proxy_authname: cyrus
proxy_password: password
proxyservers: cyrus


thank you
Perry





On Tue, 18 Apr 2006, Perry Brown wrote:


Hi Andy,

Thank you for the suggestion. I added

proxyservers: cyrus

to the imapd.conf and restarted cyrus (the doc says it should not be an 
admin but I'm just trying to get things working right now)


restarted and got the same error.


I think Patrick was on to something with running cyradm to the other host.

In my testing I am launching cyradm from server3. It can connect to 
server1 and server2 with no problem. When I tried his suggestion of 
running cyradm from server1 to server2 I get:


[snip]

Does imtest work from server1 to server2?  Your cyradm output looked like 
some sort of ssl library problem...


Andy




Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: 

Re: does xfer require murder?

2006-04-18 Thread Ken Murchison

Perry Brown wrote:
Please if anyone has any suggestions. I've been banging my head against 
a desk on this one.


I will locally tomorrow.  I know that I added support for XFER for 
non-Murder configs for Fastmail.fm, I just don't remember in what version.





I thought nscd might have been tripping me up so I tried by IP address 
with the same results. Also thought it may be an issue with a firewall 
between these 2 hosts blocking a port so I tried 2 other cyrus servers 
that do not have a FW between them with the same result (anyone know 
what port(s) xfer uses?).


Any suggestions?

Thank you
Perry


I set up imapd.conf how I think it should be and restarted cyrus 
(even rebooted hosts). I log into the source server cyradm:
sudo cyradm --user cyrus --server server1.sub1.domain.amazon.com --auth plain


Run the xfer
server1.sub1.domain.com xfer user.vbperry server2.sub2.domain.com



And get:
xfermailbox: Server(s) unavailable to complete operation

This is in log on source:
Apr 14 15:08:15 server1 imap[3434]: couldn't authenticate to backend server: generic failure
Apr 14 15:08:15 server1 imap[3434]: Could not move mailbox: user.vbperry, Initial backend connect failed


This is on destination server:
Apr 14 15:08:15 server2 imap[3022]: accepted connection
Apr 14 15:08:15 server2 master[3125]: about to exec /opt/mail/cyrus-imapd/bin/imapd
Apr 14 15:08:15 server2 imap[3125]: executed

This is what the imapd.conf looks like on both servers.
defaultpartition: imap1
configdirectory: /var/imap
partition-imap1: /var/spool/imap1
admins: cyrus support
srvtab: /var/imap/srvtab
quotawarn: 85
popminpoll: 0
autocreatequota: 3
sasl_pwcheck_method: saslauthd
lmtp_over_quota_perm_failure: 1
allowusermoves: yes
proxy_authname: cyrus
proxy_password: password

The systems are in different subdomains sub1.domain.com and 
sub2.domain.com and when I tried to do the hostname_password option 
it did not like dots in the name so I did short names and added the 
sub#.domain.com to the resolv.conf so each host could ping by short 
name. I still got the error from above so I changed the imapd.conf 
entry servername_password to proxy_password since the cyrus account 
has the same password on both servers and still got the error above.



Any ideas what I am missing?

Thank you
Perry









Perry Brown wrote:
Thank you for the reply. Some follow up questions. (sorry to be so 
dense I'm making this change on production servers so wanted to 
make sure I've got it right).



SASL is running as: /usr/sbin/saslauthd -m /var/run/saslauthd -a pam

Our pam.d configs for both imap and pop look like
auth       required /lib/security/pam_stack.so service=system-auth
account    required /lib/security/pam_stack.so service=system-auth


Looking at the install-murder doc I should set up all the boxes 
like they were frontends? (I pasted in what I think will only 
apply to my set up from install-murder).




Additional backend configuration
If your authentication system requires usernames, passwords, etc, 
to authenticate (e.g. it isn't Kerberos), then you will also need 
to specify proxy_authname (and friends) in the backend imapd.confs 
as well. This is so that the backends can authenticate to each other 
to facilitate mailbox moves. (Backend machines will need to be full 
admins).


In short I just need to set up a common user account in the OS on 
each box and define the user as proxy_authname: and put the 
password for that account listed as host1_password: and 
host2_password etc


Correct.


Do I need to add this proxy_authname to imapd.conf admins: as well 
for the full admins requirement?


Yes.




Perry Brown wrote:

Hi All,

We are running cyrus-imap 2.2.8 and sasl 2.1.15. We have two RHEL 
3 servers with about 4800 users split between them.


I am looking to migrate the users to 2 new RHEL3 hosts with the 
same cyrus-imap and sasl versions. I added the allowusermoves to 
imapd.conf restarted cyrus and tried to do a test move.



host1.domain.com xfer user/ host2.domain.com
xfermailbox: Mailbox does not exist


Both cyrus-imap and cyrus-sasl were compiled with --enable-murder 
(least that is what my notes say is there a way to verify?), but 
it looks like murder has not been set up with a master or 
imapd.conf file changes.


Question, Is it possible to xfer a mailbox without configuring 
murder?


Yes and no.  You don't need mupdate, but the backends need to know how
to authenticate to each other.  Look at install-murder.html and take a
look at the stuff regarding authentication.  Also note that you can't
XFER the entire user/ hierarchy with one command, you have to do it one
user at a time.  Assuming that you're using unixhierarchysep, you would do:


xfer user/vbperry host2



Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html




--
Kenneth Murchison
Systems Programmer
Project Cyrus 

RE: does xfer require murder?

2006-04-14 Thread Perry Brown
Thank you for the reply. Some follow up questions. (sorry to be so dense I'm 
making this change on production servers so wanted to make sure I've got it 
right).



SASL is running as: /usr/sbin/saslauthd -m /var/run/saslauthd -a pam

Our pam.d configs for both imap and pop look like
auth       required /lib/security/pam_stack.so service=system-auth
account    required /lib/security/pam_stack.so service=system-auth


Looking at the install-murder doc I should set up all the boxes like they 
were frontends? (I pasted in what I think will only apply to my set up from 
install-murder).




Additional backend configuration
If your authentication system requires usernames, passwords, etc, to 
authenticate (e.g. it isn't Kerberos), then you will also need to specify 
proxy_authname (and friends) in the backend imapd.confs as well. This is so 
that the backends can authenticate to each other to facilitate mailbox moves. 
(Backend machines will need to be full admins).


In short I just need to set up a common user account in the OS on each box 
and define the user as proxy_authname: and put the password for that account 
listed as host1_password: and host2_password etc


Do I need to add this proxy_authname to imapd.conf admins: as well for the 
full admins requirement?



Thank you
Perry

Perry Brown wrote:

Hi All,

We are running cyrus-imap 2.2.8 and sasl 2.1.15. We have two RHEL 3 servers 
with about 4800 users split between them.


I am looking to migrate the users to 2 new RHEL3 hosts with the same 
cyrus-imap and sasl versions. I added the allowusermoves to imapd.conf 
restarted cyrus and tried to do a test move.



host1.domain.com xfer user/ host2.domain.com
xfermailbox: Mailbox does not exist


Both cyrus-imap and cyrus-sasl were compiled with --enable-murder (least 
that is what my notes say is there a way to verify?), but it looks like 
murder has not been set up with a master or imapd.conf file changes.


Question, Is it possible to xfer a mailbox without configuring murder?


Yes and no.  You don't need mupdate, but the backends need to know how
to authenticate to each other.  Look at install-murder.html and take a
look at the stuff regarding authentication.  Also note that you can't
XFER the entire user/ hierarchy with one command, you have to do it one
user at a time.  Assuming that you're using unixhierarchysep, you would do:

xfer user/vbperry host2





Re: does xfer require murder?

2006-04-14 Thread Perry Brown
I set up imapd.conf how I think it should be and restarted cyrus (even 
rebooted hosts). I log into the source server cyradm:
sudo cyradm --user cyrus --server server1.sub1.domain.amazon.com --auth plain


Run the xfer
server1.sub1.domain.com xfer user.vbperry server2.sub2.domain.com

And get:
xfermailbox: Server(s) unavailable to complete operation

This is in log on source:
Apr 14 15:08:15 server1 imap[3434]: couldn't authenticate to backend server: generic failure
Apr 14 15:08:15 server1 imap[3434]: Could not move mailbox: user.vbperry, Initial backend connect failed


This is on destination server:
Apr 14 15:08:15 server2 imap[3022]: accepted connection
Apr 14 15:08:15 server2 master[3125]: about to exec /opt/mail/cyrus-imapd/bin/imapd
Apr 14 15:08:15 server2 imap[3125]: executed

This is what the imapd.conf looks like on both servers.
defaultpartition: imap1
configdirectory: /var/imap
partition-imap1: /var/spool/imap1
admins: cyrus support
srvtab: /var/imap/srvtab
quotawarn: 85
popminpoll: 0
autocreatequota: 3
sasl_pwcheck_method: saslauthd
lmtp_over_quota_perm_failure: 1
allowusermoves: yes
proxy_authname: cyrus
proxy_password: password

The systems are in different subdomains sub1.domain.com and sub2.domain.com 
and when I tried to do the hostname_password option it did not like dots in 
the name so I did short names and added the sub#.domain.com to the 
resolv.conf so each host could ping by short name. I still got the error 
from above so I changed the imapd.conf entry servername_password to 
proxy_password since the cyrus account has the same password on both servers 
and still got the error above.



Any ideas what I am missing?

Thank you
Perry









Perry Brown wrote:
Thank you for the reply. Some follow up questions. (sorry to be so dense 
I'm making this change on production servers so wanted to make sure I've 
got it right).



SASL is running as: /usr/sbin/saslauthd -m /var/run/saslauthd -a pam

Our pam.d configs for both imap and pop look like
auth       required /lib/security/pam_stack.so service=system-auth
account    required /lib/security/pam_stack.so service=system-auth


Looking at the install-murder doc I should set up all the boxes like they 
were frontends? (I pasted in what I think will only apply to my set up 
from install-murder).




Additional backend configuration
If your authentication system requires usernames, passwords, etc, to 
authenticate (e.g. it isn't Kerberos), then you will also need to specify 
proxy_authname (and friends) in the backend imapd.confs as well. This is 
so that the backends can authenticate to each other to facilitate mailbox 
moves. (Backend machines will need to be full admins).


In short I just need to set up a common user account in the OS on each box 
and define the user as proxy_authname: and put the password for that 
account listed as host1_password: and host2_password etc


Correct.


Do I need to add this proxy_authname to imapd.conf admins: as well for the 
full admins requirement?


Yes.




Perry Brown wrote:

Hi All,

We are running cyrus-imap 2.2.8 and sasl 2.1.15. We have two RHEL 3 
servers with about 4800 users split between them.


I am looking to migrate the users to 2 new RHEL3 hosts with the same 
cyrus-imap and sasl versions. I added the allowusermoves to imapd.conf 
restarted cyrus and tried to do a test move.



host1.domain.com xfer user/ host2.domain.com
xfermailbox: Mailbox does not exist


Both cyrus-imap and cyrus-sasl were compiled with --enable-murder (least 
that is what my notes say is there a way to verify?), but it looks like 
murder has not been set up with a master or imapd.conf file changes.


Question, Is it possible to xfer a mailbox without configuring murder?


Yes and no.  You don't need mupdate, but the backends need to know how
to authenticate to each other.  Look at install-murder.html and take a
look at the stuff regarding authentication.  Also note that you can't
XFER the entire user/ hierarchy with one command, you have to do it one
user at a time.  Assuming that you're using unixhierarchysep, you would do:

xfer user/vbperry host2







--
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University






Re: does xfer require murder?

2006-04-13 Thread Ken Murchison

Perry Brown wrote:

Hi All,

We are running cyrus-imap 2.2.8 and sasl 2.1.15. We have two RHEL 3 
servers with about 4800 users split between them.


I am looking to migrate the users to 2 new RHEL3 hosts with the same 
cyrus-imap and sasl versions. I added the allowusermoves to imapd.conf 
restarted cyrus and tried to do a test move.



host1.domain.com xfer user/ host2.domain.com
xfermailbox: Mailbox does not exist


Both cyrus-imap and cyrus-sasl were compiled with --enable-murder 
(least that is what my notes say is there a way to verify?), but it 
looks like murder has not been set up with a master or imapd.conf file 
changes.


Question, Is it possible to xfer a mailbox without configuring murder?


Yes and no.  You don't need mupdate, but the backends need to know how 
to authenticate to each other.  Look at install-murder.html and take a 
look at the stuff regarding authentication.  Also note that you can't 
XFER the entire user/ hierarchy with one command, you have to do it one 
user at a time.  Assuming that you're using unixhierarchysep, you would do:


xfer user/vbperry host2


--
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University
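
Added example (not part of the original thread and not Cyrus project code): a small Python check of an imapd.conf against the backend-to-backend XFER prerequisites the thread works through: allowusermoves, proxy_authname listed in admins, a password entry for the destination, and certificates when a plaintext mechanism such as PLAIN is used. The function names and the sample config are constructed for illustration, and the short-host-name form of the per-host password key follows Perry's description; run it against each backend's config.

```python
# Added example: lint an imapd.conf for the XFER prerequisites named in the thread.
# CONSTRUCTED sample, modelled on the config posted before certificates were added.
SAMPLE_CONF = """\
configdirectory: /var/imap
admins: cyrus support
sasl_pwcheck_method: saslauthd
allowusermoves: yes
proxy_authname: cyrus
proxy_password: password
"""

def parse_imapd_conf(text):
    """Return {option: value} from 'option: value' lines; '#' lines are comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            opts[key.strip().lower()] = value.strip()
    return opts

def check_xfer_prereqs(text, dest_host):
    """Return findings that would stop one backend authenticating to another."""
    o = parse_imapd_conf(text)
    findings = []
    if o.get("allowusermoves", "").lower() not in ("yes", "on", "true", "t", "1"):
        findings.append("allowusermoves is not enabled")
    authname = o.get("proxy_authname")
    if not authname:
        findings.append("proxy_authname is not set")
    elif authname not in o.get("admins", "").split():
        findings.append(f"proxy_authname '{authname}' is not listed in admins")
    # Assumption from the thread: the per-host key uses the short host name.
    short = dest_host.split(".")[0]
    if f"{short}_password" not in o and "proxy_password" not in o:
        findings.append(f"no {short}_password or proxy_password for {dest_host}")
    # saslauthd can only verify plaintext passwords, so PLAIN is what gets used;
    # per the reply in the thread, PLAIN needs TLS and TLS needs certificates.
    plaintext = (o.get("sasl_pwcheck_method") == "saslauthd"
                 or "plain" in o.get("force_sasl_client_mech", "").lower().split())
    if plaintext and not (o.get("tls_cert_file") and o.get("tls_key_file")):
        findings.append("plaintext auth in use but tls_cert_file/tls_key_file unset")
    return findings

if __name__ == "__main__":
    for finding in check_xfer_prereqs(SAMPLE_CONF, "server2.sub2.domain.com"):
        print("FINDING:", finding)
```

An empty list means none of the misconfigurations discussed in the thread were found; it does not prove the XFER will succeed.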
