Re: installsieve protocol as standard track

2001-02-26 Thread Simon Josefsson

Cyrus Daboo [EMAIL PROTECTED] writes:

 I would like to see a standard protocol that all clients could
 use. This would act as a 'wrapper' for whatever storage mechanism a
 particular implementation may want to use on the back-end, e.g. file
 system, ACAP, IMSP, LDAP etc, but would provide sieve clients with a
 single upload/download API to use.

I think this is a good idea.  Some sieve specific things simply don't
map to all protocols -- such as reporting syntactical errors in sieve
scripts, or setting the active script -- and will never work well in
the face of users if clients need to implement several upload
protocols, IMHO.

The managesieve draft mentions ACAP as the long term solution.  Does a
long error message about syntactic errors (which would require a sieve
parser in the ACAP server) fit into the ACAP model?  IMHO something
similar to managesieve is simpler and better.




Cyrus/SASL/PAM/LDAP - what am I missing?

2001-02-26 Thread Joshua Penix

I'm having trouble getting Cyrus-IMAP to authenticate against an OpenLDAP
server using PAM modules.  I seem to be able to get Cyrus/SASL to work with
PAM when it's authenticating against /etc/passwd, but as soon as I point it
at LDAP it refuses to work.

Of course, it's hard to know where to post for help when you have so many
pieces working together.  Since I think I limited it down to the PAM - LDAP
connection, I sent a large "help me!" message to the padl.com mailing list
for nss_ldap/pam_ldap modules.  But I believe a number of people on this
list have my intended configuration up and running, so I'm going to re-post
my "help me!" message below in hope that someone from this list can shed
some light on my troubles.  If you don't know what I'm talking about, then
just delete me and move along :^)

--Josh


[Below is full description of problem, along with logs]
---

I'm working on getting a new installation of the Cyrus IMAP server (2.0.9)
authenticating against an OpenLDAP (2.0.7) server.  As expected, SASL
(1.5.24), PAM (0.74) and the nss_ldap/pam_ldap modules sit in between these
two.

I believe I've chased the problem down to something between PAM and LDAP.
Cyrus works just fine through SASL and PAM when PAM is pointed to my
/etc/passwd file.  But as soon as I tell PAM to reference LDAP, it starts
choking...

I understand the need for plain/cleartext passwords throughout the system,
and believe I have everything compiled and set up to talk that way as
evidenced by the working Cyrus-SASL-PAM-/etc/passwd route.

But as soon as I change my /etc/pam.d/imap file to look like the following:

-
#%PAM-1.0
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so try_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so
-


My Cyrus 'imtest -m login -u jpenix -a jpenix localhost' session goes like
this:

-
C: C01 CAPABILITY
S: * OK celery.projectdesign.com Cyrus IMAP4 v2.0.9 server ready
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID
NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT
THREAD=REFERENCES IDLE AUTH=DIGEST-MD5 AUTH=CRAM-MD5 X-NETSCAPE
S: C01 OK Completed
Password: 
C: L01 LOGIN jpenix {8}
+ go ahead
C: omitted
failure: prot layer failure
-


The /var/log/ldap.log from the above session:

-
Feb 26 02:04:29 celery slapd[29687]: daemon: conn=22 fd=18 connection from
IP=127.0.0.1:33082 (IP=0.0.0.0:389) accepted. 
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=0 BIND dn="" method=128 
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=0 RESULT tag=97 err=0 text= 
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=1 SRCH
base="dc=projectdesign,dc=com" scope=2 filter="(uid=jpenix)" 
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=1 SEARCH RESULT tag=101
err=0 text= 
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=2 BIND dn="CN=JOSHUA
PENIX,DC=PROJECTDESIGN,DC=COM" method=128 
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=2 RESULT tag=97 err=0 text= 
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=3 BIND dn="" method=128 
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=3 RESULT tag=97 err=0 text= 
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=4 UNBIND 
Feb 26 02:04:29 celery slapd[29687]: conn=-1 fd=18 closed 
-


And *no* mention of it in /var/log/messages where I'd expect to see PAM
messages, and *no* mention of it in /var/log/imapd.log where I'd expect to
see Cyrus complaining.

Interestingly, the above only happens when I type the password CORRECTLY.
Here's an 'imtest -m login -u jpenix -a jpenix localhost' where I purposely
type the password incorrectly:

-
C: C01 CAPABILITY
S: * OK celery.projectdesign.com Cyrus IMAP4 v2.0.9 server ready
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID
NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT
THREAD=REFERENCES IDLE AUTH=DIGEST-MD5 AUTH=CRAM-MD5 X-NETSCAPE
S: C01 OK Completed
Password: 
C: L01 LOGIN jpenix {4}
+ go ahead
C: omitted
L01 NO Login failed: authentication failure
Authentication failed. generic failure
Security strength factor: 0
-


And here's the /var/log/ldap.log from the session with incorrect password:

-
Feb 26 02:07:47 celery slapd[29687]: daemon: conn=23 fd=18 connection from
IP=127.0.0.1:33084 (IP=0.0.0.0:389) accepted. 
Feb 26 02:07:47 celery slapd[29687]: conn=23 op=0 BIND dn="" method=128 
Feb 26 02:07:47 celery slapd[29687]: conn=23 op=0 RESULT tag=97 err=0 text= 
Feb 26 02:07:47 celery slapd[29687]: conn=23 op=1 SRCH
base="dc=projectdesign,dc=com" scope=2 filter="(uid=jpenix)" 
Feb 26 02:07:47 celery slapd[29687]: conn=23 op=1 SEARCH RESULT tag=101
err=0 text= 
Feb 26 02:07:47 celery slapd[29687]: conn=23 op=2 BIND dn="CN=JOSHUA
PENIX,DC=PROJECTDESIGN,DC=COM" method=128 
Feb 26 02:07:47 celery slapd[29687]: conn=23 op=2 RESULT tag=97 err=49 text=

Feb 26 
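
A small triage script for the slapd logs in the post above, added here as an example (it is not from the original thread or from any of the projects discussed): it pairs each BIND with its RESULT per connection and reports whether the directory accepted the user's bind. The function names and verdict strings are this example's own; result code 49 is LDAP invalidCredentials.

```python
import re

# slapd log lines copied from the two sessions in the post above, with the
# mail-wrapped lines rejoined. conn=22 is the correct-password attempt and
# conn=23 the wrong-password one (the post is cut off after its op=2 RESULT).
SAMPLE_LOG = """\
Feb 26 02:04:29 celery slapd[29687]: daemon: conn=22 fd=18 connection from IP=127.0.0.1:33082 (IP=0.0.0.0:389) accepted.
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=0 BIND dn="" method=128
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=0 RESULT tag=97 err=0 text=
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=1 SRCH base="dc=projectdesign,dc=com" scope=2 filter="(uid=jpenix)"
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=1 SEARCH RESULT tag=101 err=0 text=
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=2 BIND dn="CN=JOSHUA PENIX,DC=PROJECTDESIGN,DC=COM" method=128
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=2 RESULT tag=97 err=0 text=
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=3 BIND dn="" method=128
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=3 RESULT tag=97 err=0 text=
Feb 26 02:04:29 celery slapd[29687]: conn=22 op=4 UNBIND
Feb 26 02:04:29 celery slapd[29687]: conn=-1 fd=18 closed
Feb 26 02:07:47 celery slapd[29687]: daemon: conn=23 fd=18 connection from IP=127.0.0.1:33084 (IP=0.0.0.0:389) accepted.
Feb 26 02:07:47 celery slapd[29687]: conn=23 op=0 BIND dn="" method=128
Feb 26 02:07:47 celery slapd[29687]: conn=23 op=0 RESULT tag=97 err=0 text=
Feb 26 02:07:47 celery slapd[29687]: conn=23 op=1 SRCH base="dc=projectdesign,dc=com" scope=2 filter="(uid=jpenix)"
Feb 26 02:07:47 celery slapd[29687]: conn=23 op=1 SEARCH RESULT tag=101 err=0 text=
Feb 26 02:07:47 celery slapd[29687]: conn=23 op=2 BIND dn="CN=JOSHUA PENIX,DC=PROJECTDESIGN,DC=COM" method=128
Feb 26 02:07:47 celery slapd[29687]: conn=23 op=2 RESULT tag=97 err=49 text=
"""

# "conn=N op=M <operation...>"; connection open/close lines have no op= and are skipped.
LINE_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$")
# Anchored with match() below, so "UNBIND" is not mistaken for a BIND.
BIND_RE = re.compile(r'BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
# tag=97 is the bind response; "SEARCH RESULT tag=101" does not match at the start.
RESULT_RE = re.compile(r"RESULT tag=97 err=(?P<err>\d+)")

LDAP_RESULT = {0: "success", 49: "invalidCredentials"}


def parse_binds(log_text):
    """Return {conn: [bind records in op order]}, each with dn, method and err."""
    by_conn = {}
    for raw in log_text.splitlines():
        m = LINE_RE.search(raw.strip())
        if not m:
            continue
        conn, op, rest = int(m.group("conn")), int(m.group("op")), m.group("rest")
        bind = BIND_RE.match(rest)
        if bind:
            by_conn.setdefault(conn, {})[op] = {
                "op": op,
                "dn": bind.group("dn"),
                "method": int(bind.group("method")),
                "err": None,  # filled in when the matching RESULT line arrives
            }
            continue
        result = RESULT_RE.match(rest)
        if result and op in by_conn.get(conn, {}):
            by_conn[conn][op]["err"] = int(result.group("err"))
    return {conn: [ops[k] for k in sorted(ops)] for conn, ops in by_conn.items()}


def triage(log_text):
    """Classify each connection by the outcome of its last non-anonymous bind."""
    verdicts = {}
    for conn, records in parse_binds(log_text).items():
        user_binds = [r for r in records if r["dn"]]  # dn="" is the anonymous bind
        if not user_binds:
            verdicts[conn] = "no-user-bind"    # password never reached the directory
        elif user_binds[-1]["err"] is None:
            verdicts[conn] = "incomplete"      # BIND logged without its RESULT
        elif user_binds[-1]["err"] == 0:
            verdicts[conn] = "ldap-accepted"   # directory said yes; look downstream
        else:
            verdicts[conn] = "ldap-rejected"   # e.g. err=49 invalidCredentials
    return verdicts


if __name__ == "__main__":
    for conn, records in sorted(parse_binds(SAMPLE_LOG).items()):
        for r in records:
            name = LDAP_RESULT.get(r["err"], "other")
            print(f"conn={conn} op={r['op']} dn={r['dn'] or '(anonymous)'!r} err={r['err']} ({name})")
    print(triage(SAMPLE_LOG))
```

On the sample, conn=22 is classified `ldap-accepted` and conn=23 `ldap-rejected`: the directory accepted the correct-password bind, so the failure imtest reports for that session occurs after the LDAP bind step.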

sasldb in LDAP

2001-02-26 Thread Michael Lausch

maybe it's a security risk, but has anybody tried to keep the secrets
normally stored in sasldb in an LDAP tree? i guess a rewrite of
db_berkeley.c using ldap, calling it db_ldap.c, should be sufficient
when access control to the LDAP tree can be enforced.

this would allow the usage of AUTH authentication with distributed IMAP
servers in a cluster environment. otherwise the synchronization of the
berkeley database files would be a PITA.





RE: Migrating 12,000 students

2001-02-26 Thread Grant Beattie

we use some custom sendmail rules to deliver mail to IMAP folders based on a
flat file containing the usernames of those who wish to use IMAP.

All others go to /var/mail/username.

I can post the rules here, if you like, it's fairly straightforward stuff.

g.


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of Michael
 Salmon
 Sent: Tuesday, 20 February 2001 7:41 PM
 To: Marco Pirovano; [EMAIL PROTECTED]
 Subject: Re: Migrating 12,000 students

 | Now, I use fetchmail to move mail from /var/mail/user to imap users INBOX
 | folders. but, I can't use it for a great number of users.
 | Is it possible to configure sendmail so, POP3 users mail still goes into
 | /var/mail/user and IMAP mail goes into INBOX folders ?

 Possible, yes but not desirable. If it was me and I really had to do it, I
 would create a custom MDA script but I think that that is a bad solution.
 Take the system down for a few hours and convert all mailboxes, my guess is
 that you can convert several mailboxes per second.




Re: Cyrus file system performance

2001-02-26 Thread Paul M Fleming


I'm supporting 1600 users (400 concurrent) across 3 machines and it
works pretty well. I've got the mail partitions and config directories
split across two different partitions on 2 different drives. This helps
A LOT.  What type of hard drives are you using?

Roland Pope wrote:
 
 I am running Cyrus 1.6.24 for around 400 users under Red Hat 6.2 (2.2.14-12
 Kernel) on a Dual Xeon with 512 Mb of memory using the EXT2 file system. As
 suggested in the manual, I have set the synchronous bit on the /var/imap and
 /var/spool/imap directories. As a result, things go very slow when performing
 tasks like adding and deleting folders and changing ACLs on folders. Does anyone
 have any suggestions how to get a performance increase in this area? Are there
 other filesystems being used without +S set?? Does 2.0.12 improve things in this
 area? What about later versions of Linux?
 
 Thanks
 Roland Pope



user rename

2001-02-26 Thread Thomas Jarosch

Hi,

I just wanted to know if the user rename implementation
is considered as stable?

Are there any known bugs?

Thanks in advance, Thomas.




No Subject

2001-02-26 Thread Michael Fair

Subject: Re: Enterprise Server Solution
Date: Thu, 22 Feb 2001 01:08:24 -0800

Would it be too difficult to encapsulate this data
into one cyrus.conf file?

My imagination says that this would require a rewrite
of much of the server code to implement a new parser
and more brains in the master process.

I'm thinking of a scheme similar to some other
programs where you specify an IP address in
typical XML style and then put specific parameters
for that in that section.  I envisioned something
like:
--- begin cyrus.conf ---
<192.168.101.40>
configdirectory: /var/imap/192.168.101.40
partition-default: /var/spool/imap/192.168.101.40
pwcheck_method: sasldb
admins: cyrus,admin,joe
</192.168.101.40>

<192.168.101.41>
configdirectory: /var/imap/192.168.101.41
partition-default: /var/spool/imap/192.168.101.41
pwcheck_method: sasldb
admins: cyrus,admin,joe
</192.168.101.41>

... repeat as necessary ...
--- end cyrus.conf ---

I have this lurking thought that this kind of change
would end up reworking so much of the core architecture
of the supporting programs that it would be more work
than it's worth at the current moment.  However, I thought
I would ask.

-- Michael --

- Original Message -
From: "Ken Murchison" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, February 21, 2001 3:46 PM
Subject: Re: Enterprise Server Solution


 John,

 I have been discussing this with Amos Gouaux and Larry Greenfield, and
 I'm currently working on changes to CVS which will allow you to specify
 an alternate config file (-C alt_config) for the services and tools.
 This should allow you to use one set of binaries and one cyrus.conf for
 multiple setups.  I should have this done and checked into CVS by the
 end of the week.  I hope to have Amos help document this, because he
 seems to have more use for this than I do.

 Ken


 "John C. Amodeo" wrote:
 
  Greetings,
 
  Let me first start by extending my warmest thanks to everyone who has
  replied to my original message regarding Cyrus capabilities to partition
  into multiple independent mail servers.  After reading your suggestions,
  and giving some considerable thought to what would be in our best
  interest, we have decided to run Cyrus on multiple IP aliases.  This
  seems to be the most common work around for the multiple domain
  problem.  The one major draw back to using this method is every time
  Cyrus is updated to a new version, multiple copies of the binary will
  need to be compiled all with different parameters (i.e. conf files
  directory, etc.)  If you have, let's say, 4 Cyrus servers per physical
  box, and 6 or so imap server, you can see what a nightmare this would be
  every time a new version comes out.
 
  One of my colleagues came up with a suggestion that consists of
  modifying the Cyrus code so we can pass variables to the binary when it
  is invoked.  For instance, instead of compiling Cyrus with
  /etc/imap.conf and /etc/cyrus.conf hard coded in, we could modify the
  code to accept a variable or two when the master is invoked.  This way,
  we can have 1 binary on the server, but invoke 4 masters with different
  parameters (like location of imap.conf and cyrus.conf).  I guess this is
  the same concept as the "-s" switch to run imaps, and so on.
 
  Is this possible or am I totally getting out of control?  Has anyone
  done this or attempted to do this yet?
 
  When our system is up and functioning well, we plan to write some good
  documentation about ways to integrate Cyrus / Linux into a "business"
  environment that uses Novell and Windows for file sharing and
  application distribution.
 
  -John
  __
  John C. Amodeo, Associate Director
  Information Technology and Computer Operations
  Faculty of Arts & Sciences, Rutgers University
  732.932.9455-voice 732.932.0013-fax

 --
 Kenneth Murchison Oceana Matrix Ltd.
 Software Engineer 21 Princeton Place
 716-662-8973 x26  Orchard Park, NY 14127
 --PGP Public Key--http://www.oceana.com/~ken/ksm.pgp




Re: Cyrus file system performance

2001-02-26 Thread Tristan Ball


Hi.

Looking at the docs, in particular install-configure.html, it only
mentions problems on linux boxes after a crash, so it probably just
needs to be sure that all writes are fully completed. A journalling
filesystem should provide the same features.

As for the number of folders, 11500 is quite few, but it's only really
about 28 mailboxes per user. Looking at my own mail, I personally have
116. :-) I'm probably not quite "user typical", as I have lots of
filters for email reports from various systems around our network, not
to mention being subscribed to about 30 mailing lists. :-)

I've been thinking about it, I think doing either a filesystem upgrade
or doing an upgrade to 2.0.x will give you an acceptable performance
improvement, but doing both will allow your system to scale much better.

T. 

Roland Pope wrote:
 
 I thought setting the +S bit was to get around file locking issues, to prevent
 more than one process at a time from updating files?
 Also, we have around 11500 entries in our mailboxes file, would this seem like a
 lot??
 - Original Message -
 From: "Tristan Ball" [EMAIL PROTECTED]
 To: "Roland Pope" [EMAIL PROTECTED]
 Sent: Wednesday, February 21, 2001 7:37 PM
 Subject: Re: Cyrus file system performance
 
  Reiserfs should allow you to put synchronous writes back on. You'll cop
  a little performance hit on writes versus normal ext2, because it's a
  journalling filesystem, but nothing like what you're having now. It's
  about to be included in kernel 2.4.1, or 2.4.2, but Suse have had it in
  production 2.2 series kernels for some time. (part of the reason linus
  is allowing it into the 2.4.x series).
 
  For the record, I run without setting the +S bit, and have no problems.
  I realise I might if I have a power failure, but I have nightly backups,
  and a day's mail is a pain, not a nightmare for us. :-)
 
  Moving to Cyrus 2.0.x, which uses a database for the mailbox list would
  also help hugely, as then cyrus doesn't have to write out the whole
  file, which really really hurts. :-)
 
  T.
 
  Roland Pope wrote:
  
   I am running Cyrus 1.6.24 for around 400 users under Red Hat 6.2 (2.2.14-12
   Kernel) on a Dual Xeon with 512 Mb of memory using the EXT2 file system. As
   suggested in the manual, I have set the synchronous bit on the /var/imap and
   /var/spool/imap directories. As a result, things go very slow when performing
   tasks like adding and deleting folders and changing ACLs on folders. Does anyone
   have any suggestions how to get a performance increase in this area? Are there
   other filesystems being used without +S set?? Does 2.0.12 improve things in this
   area? What about later versions of Linux?
  
   Thanks
   Roland Pope
 
  --
  -=*=-=*=--=*=-=*=-=*=-
  Tristan Ball
  System Administrator
  Vision Systems
  ph 03 9211 7064
  -=*=-=*=--=*=-=*=-=*=-
 
 

-- 
-=*=-=*=--=*=-=*=-=*=-
Tristan Ball
System Administrator
Vision Systems
ph 03 9211 7064
-=*=-=*=--=*=-=*=-=*=-



No Subject

2001-02-26 Thread Nick Snellock

Subject: Re: What a BITCH!

1. Yes it is good of the people at CMU to provide this for free.
2. Documentation is part of any project - poor documentation = poor product.

Perhaps we can lend a hand with this rather than complaining? I don't
have much/any time to spare, but I would be glad to help with improving
the documentation

Nick



RedHat 7 and Cyrus 2.0.12 compile errors

2001-02-26 Thread Roland Scheike

Hi,

maybe a silly question- but I`m not that specialist :-)

After configuring Cyrus with default settings, make produces
the following:

cut
### Making all in /home/r2scheik/test/cyrus-imapd-2.0.12/et
make[1]: Wechsel in das Verzeichnis Verzeichnis
;/home/r2scheik/test/cyrus-imapd-2.0.12/et+
gcc -c -I/usr/local/include  -DHAVE_CONFIG_H -I. -I. -I.. -g -O2
error_message.c
In file included from /usr/include/errno.h:36,
 from internal.h:44,
 from error_message.c:54:
/usr/include/bits/errno.h:25:26: linux/errno.h: Datei oder Verzeichnis
nicht gefunden
make[1]: *** [error_message.o] Fehler 1
/cut

Can anyone please help me?

Thanks,

Roland



Re: cyrus-PAM-ldap or cyrus-ldap will run first ?

2001-02-26 Thread Simon Loader

Pascal Pucci wrote:


 
 * If I want to use ldap directly :
 
 - does:
 sasl_passwd_method: ldap   // should be good ?
 ldap_basedn: ou=People,dc=test

yes.

ldap_server: LDAP Server [localhost]
ldap_basedn: LDAP base dn
ldap_uidattr: LDAP uid attribute [uid]
ldap_port: LDAP port [389]

( this is in doc/sysadmin.html when the patch is applied ).
The uid default is liable to be wrong for many people; cn
is the default that is in most LDAP documentation.


 
 * How can I diagnose the problem :
 
 - Pam-ldap run : I can have a shell with just a ldap user via rlogin (/etc/pam.d/rlogin.
 - Cyrus run : tests with imtest,cyradm are good :

pam-ldap needs files in /etc/pam.d/ for imap
try ?
cp /etc/pam.d/rlogin /etc/pam.d/imapd ?

-- 
Simon



[OT for Cyrus] Re: Enterprise Server Solution

2001-02-26 Thread David L. Parsley


"John C. Amodeo" wrote:
 
 David,
 
 You have mentioned a very important point - "Cyrus lacks is a 'pretty interface' for
 administration, as Exchange has."
 
 This is one of its best features - why?  Because it ensures only people with the
 skill and the know how are the system administrators.

John, I agree with you wholeheartedly.  Microsoft-style interfaces make
it really easy to get something done, even if the operator doesn't know
what they're doing.  This 'argument' just happens to be the one I have
with my boss most often - his feeling is that free software hasn't
caught on quicker due to lack of 'packaging'.  The average IT director,
he argues, will be turned off by the lack of GUI interface.

My argument is that free software is from a whole other universe, where
_all_ the rules are different.  Stuff that he thinks essential to the
success of free software really has no meaning in our universe, and
therefore no impact on whether free software succeeds or not.  There can
be no argument that free software is succeeding wildly; due in large
part no doubt to the increasingly large population of skilled system
administrators who started by running a mailserver in their dorm room.

In any case, I'm glad I'm able to show the existence of at least _one_
enlightened IT director.

regards,
David


 
 To give you a little background about Rutgers, we have 48,000 registered students,
 about 6 campuses, 10,000 full-time employees and literally hundreds of servers - all
 a mix of Unix, Linux, Novell, NT, and Mac.  Currently there are no real standards
 about what is allowed and what is not.  Every department makes up the rules as they
 go.  It has been my experience that NT remains the server OS of choice for those who
 do not know any better.  The ones who do know better run the most stable systems at
 the University (Unix, Linux, and Novell.)
 
 Exchange makes it too easy for any novice who knows Windows to "take a shot" and set
 up a mail server.  It also makes it very easy for anyone (even non-system admins) to
 try and fix the system when it's broken.  And since there are no standards in place
 about who is allowed to administer a server, and who is not, you have a lot of
 department heads, who even though they are not computer people (mostly academic
 administrators), have the power to make his / her computer people give up the admin
 passwords on the systems.  It makes them feel important when they also know what the
 password is.  The problem here is that in an emergency, they generally figure "Hey,
 why don't I just log in and fix the server."  You come back from a week's vacation
 and find the server was hosed because someone thought they knew what they were
 doing...
 
 Command line interfaces are the best.  It's like an insurance policy that deters
 people who shouldn't be messing around with the system from doing just that.  At
 least in my opinion; it makes me feel more comfortable.
 
 As a wise man once said - "The most dangerous type of "computer" person is one who
 "thinks" they know what they're doing."
 
 -John
 
 "David L. Parsley" wrote:
 
  Thanks John; I just forwarded a copy of this to my boss, who was a
  little uncomfortable with my using Cyrus to replace Netscape last
  summer.  Cyrus has done such a great job, his doubts have diminished
  greatly.  Still, this kind of testimonial from IT Directors at other
  institutions is invaluable.
 
  In my boss's opinion, what Cyrus lacks is a 'pretty interface' for
  administration, as Exchange has.  While I'm perfectly comfortable with
  current tools, most of my co-workers (boss included) would prefer a nice
  GUI like you find with Microsoft products.  To me, this is judging a
  book by its cover.
 
  Fortunately he _does_ understand the value of open standards, which is
  probably the main reason we're enjoying Cyrus today.
 
  regards,
  David
 
  "John C. Amodeo" wrote:
  
   Randall,
  
   Paying for software is really not an issue.  The University has spent hundreds
   of thousands of dollars for hundreds of copies of Novell, a site license for
   McAfee, Oracle, etc.
  
   The point here is Cyrus is such a powerful program, with an outstanding track
   record, that despite the few features it lacks at this point, you couldn't ask
   for more, in my opinion.  In addition, my goal is to see all of the Exchange
   server go away, and the only way to do that is to prove there is a better
   system out there and put it to work.  Having one that's free makes it that
   much easier to convince others to switch.
  
   Anyway, thanks for your suggestion, I will keep it in the back of my mind.

  
   -John
  
   "Randall S. Winchester" wrote:
  
If you do not mind "paying" for a server, Sendmail has a POP/IMAP message
store that is quite similar 
Re: Debugging

2001-02-26 Thread Roel Vanhout

Hi,

I find it often more useful to use a sniffer (like ethereal,
www.ethereal.com) to debug php programs. Of course this way you'll only
see the commands going to the imap server, and not what's going on there
internally.

cheers,

.roel

On Sun, Feb 25, 2001 at 02:15:02PM +0100, Roland Scheike wrote:
 is there any hidden switch (or maybe a switch I haven't found
 until now :-) ) that enables debugging for imapd?
 I wrote a little admin-tool with php and I'm not able to create
 new accounts. So it would be very interesting for me to see 
 what commands go to imapd.

--

ALL YOUR BASE ARE BELONG TO US



Re: deleting mailboxes?

2001-02-26 Thread Ken Murchison



Grant Beattie wrote:
 
 2.0.11/Solaris 7
 
 root@wombat# grep admins /etc/imapd.conf
 admins: cyrus
 
 wombat lam user.grant
 anyone p
 grant lrswipcda
 cyrus d
 wombat dm user.grant
 deletemailbox: Permission denied
 
 What is causing this? How can I delete the mailbox?

IIRC, give the cyrus user at least the 'c' (create/delete folder) and
'a' (admin) rights.

Ken
-- 
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp



[SUMMARY] Re: IMAP 2.0.9/SASL 1.5.24 Auth Issues

2001-02-26 Thread Scott Adkins

I have a solution to the following problem now.  The problem is that in
order to do SIA authentication under Compaq Tru64, you must be root.  The
reason the IMSP server didn't have any problems was because the server
*does* run as root.  However, the IMAP server immediately changes to the
cyrus user, and is no longer root when doing authentication.  The end
result is the "authentication failed. generic failure" messages, which
tell me very little about the true nature of the problem.

The real solution was to use the pwcheck daemon, adding the SIA routines
to it to make it work.  Since the daemon runs as root and SASL will connect
to it via a unix named socket, it all works good (though, not to my liking,
but hey, it still works).  I will send a patch into the SASL group so that
the SIA routine stuff gets into the next version.

Anyways, I feel significantly better for getting past this hurdle :-)

Scott

--On Thursday, February 08, 2001 9:47 AM -0500 Scott Adkins 
[EMAIL PROTECTED] wrote:

 I have compiled up the Cyrus IMAP server (2.0.9) on Tru64 5.0a.  It is
 using the SASL libraries (1.5.24) for authentication.  The IMAP capability
 command produces the following:

 * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID
 NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT
 THREAD=REFERENCES IDLE AUTH=ANONYMOUS AUTH=DIGEST-MD5 AUTH=CRAM-MD5

 The only authentication method that has worked so far is ANONYMOUS.  All
 of the other methods give me "NO authentication failure" followed by a
 "Authentication failed. generic failure".

 I have a /etc/sasldb file, owned by cyrus, and populated using saslpasswd
 (with "root" and "sadkins" accounts).  The sasldblistusers commands
 produce the following output:

 user: root realm: cats.ohiou.edu mech: DIGEST-MD5
 user: sadkins realm: cats.ohiou.edu mech: PLAIN
 user: sadkins realm: cats.ohiou.edu mech: CRAM-MD5
 user: root realm: cats.ohiou.edu mech: PLAIN
 user: root realm: cats.ohiou.edu mech: CRAM-MD5
 user: sadkins realm: cats.ohiou.edu mech: DIGEST-MD5

 The /usr/lib/sasl/Cyrus.conf file lists the following:

 pwcheck_method: sia

 The /etc/imapd.conf also lists a line "sasl_pwcheck_method: sia".
 However, using imtest or telnetting to the port directly, I choose other
 auth mechs as well, and they all fail (except anonymous).

 I suspected the SASL library was at fault, but here is the clincher.  I
 also compiled up the latest IMSP server, which uses the same libraries.
 It uses the "sia" mech as well (which is the password file lookup
 mechanism for Tru64).  I can authenticate just fine on the IMSP server.
 I even had suspected at one time or another that maybe SASL
 authentication was failing on the IMSP server and that it was defaulting
 to a local authentication scheme, but after debugging the server a little
 bit, I proved that IMSP was indeed using SASL for its authentication, and
 that it was authenticating successfully (where-as, the IMAP server is
 failing).

 So, does anyone have any ideas what could be wrong here?  I am at a total
 loss here...

 Thanks,
 Scott
--
 +-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-+
  Scott W. Adkins        http://www.cns.ohiou.edu/~sadkins/
   UNIX Systems Engineer  mailto:[EMAIL PROTECTED]
ICQ 7626282 Work (740)593-9478 Fax (740)593-1944
 +-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-+
 CNS, HDL Center, Suite 301, Ohio University, Athens, OH 45701-2979



Re:

2001-02-26 Thread Ken Murchison

Michael,

Hadn't really thought about doing this (even though Amos mentioned it
once), because you're limited to having different configs based on the
interface.  By using an alternate config file, I can have multiple
imapds listening on one interface (different ports, obviously) each with
a different config.  This is great for testing new code changes, etc.

Ken

Michael Fair wrote:
 
 Would it be too difficult to encapsulate this data
 into one cyrus.conf file?
 
 My imagination says that this would require a rewrite
 of much of the server code to implement a new parser
 and more brains in the master process.
 
 I'm thinking of a scheme similar to some other
 programs where you specify an IP address in
 typical XML style and then put specific parameters
 for that in that section.  I envisioned something
 like:
 --- begin cyrus.conf ---
 <192.168.101.40>
 configdirectory: /var/imap/192.168.101.40
 partition-default: /var/spool/imap/192.168.101.40
 pwcheck_method: sasldb
 admins: cyrus,admin,joe
 </192.168.101.40>
 
 <192.168.101.41>
 configdirectory: /var/imap/192.168.101.41
 partition-default: /var/spool/imap/192.168.101.41
 pwcheck_method: sasldb
 admins: cyrus,admin,joe
 </192.168.101.41>
 
 ... repeat as necessary ...
 --- end cyrus.conf ---
 
 I have this lurking thought that this kind of change
 would end up reworking so much of the core architecture
 of the supporting programs that it would be more work
 than it's worth at the current moment.  However, I thought
 I would ask.
 
 -- Michael --
 
 - Original Message -
 From: "Ken Murchison" [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Sent: Wednesday, February 21, 2001 3:46 PM
 Subject: Re: Enterprise Server Solution
 
  John,
 
  I have been discussing this with Amos Gouaux and Larry Greenfield, and
  I'm currently working on changes to CVS which will allow you to specify
  an alternate config file (-C alt_config) for the services and tools.
  This should allow you to use one set of binaries and one cyrus.conf for
  multiple setups.  I should have this done and checked into CVS by the
  end of the week.  I hope to have Amos help document this, because he
  seems to have more use for this than I do.
 
  Ken
 
 
  "John C. Amodeo" wrote:
  
   Greetings,
  
   Let me first start by extending my warmest thanks to everyone who has
   replied to my original message regarding Cyrus capabilities to partition
   into multiple independent mail servers.  After reading your suggestions,
   and giving some considerable thought to what would be in our best
   interest, we have decided to run Cyrus on multiple IP aliases.  This
   seems to be the most common work around for the multiple domain
   problem.  The one major draw back to using this method is every time
   Cyrus is updated to a new version, multiple copies of the binary will
   need to be compiled all with different parameters (i.e. conf files
   directory, etc.)  If you have, let's say, 4 Cyrus servers per physical
   box, and 6 or so imap server, you can see what a nightmare this would be
   every time a new version comes out.
  
   One of my colleagues came up with a suggestion that consists of
   modifying the Cyrus code so we can pass variables to the binary when it
   is invoked.  For instance, instead of compiling Cyrus with
   /etc/imap.conf and /etc/cyrus.conf hard coded in, we could modify the
   code to accept a variable or two when the master is invoked.  This way,
   we can have 1 binary on the server, but invoke 4 masters with different
   parameters (like location of imap.conf and cyrus.conf).  I guess this is
   the same concept as the "-s" switch to run imaps, and so on.
  
   Is this possible or am I totally getting out of control?  Has anyone
   done this or attempted to do this yet?
  
   When our system is up and functioning well, we plan to write some good
   documentation about ways to integrate Cyrus / Linux into a "business"
   environment that uses Novell and Windows for file sharing and
   application distribution.
  
   -John
   __
   John C. Amodeo, Associate Director
   Information Technology and Computer Operations
   Faculty of Arts  Sciences, Rutgers University
   732.932.9455-voice 732.932.0013-fax
 
  --
  Kenneth Murchison Oceana Matrix Ltd.
  Software Engineer 21 Princeton Place
  716-662-8973 x26  Orchard Park, NY 14127
  --PGP Public Key--http://www.oceana.com/~ken/ksm.pgp
 

-- 
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp



Re: apop implementation

2001-02-26 Thread Larry M. Rosenbaum

It turns out we have several users that very strongly want to use APOP.  I
could find it mentioned nowhere in the documentation, so I'm presuming that
it's not implemented in the server code.  Has anyone made modifications to
implement APOP?  Are there suggestions on how to avoid sending cleartext
passwords that are acceptable to Eudora users?  We store the passwords in
cleartext currently so that we can use APOP on our current mail server.

Thanks,
Stephen


I've written an APOP implementation (although I haven't actually put 
it into production yet).  The following patch to pop3d.c in version 
2.0.12 will add APOP.  It will also let you specify the domain name 
to use for authentication (if you want to make it different from the 
server name) by specifying auth-realm in the imap.conf file, and it 
will enforce "allowplaintext".

The bad news is that the Cyrus SASL distribution doesn't have a 
"sasl_checkapop()" function.  Such a function requires an unencrypted 
or two-way encrypted password which Cyrus SASL 1.5.24 doesn't do.

I'd love to see these changes added to the base code so I don't have 
to add them to every new release.



*** pop3d.c.origFri Feb 16 13:55:10 2001
--- pop3d.c.new Fri Feb 23 13:53:07 2001
***
*** 104,109 
--- 104,113 
   static SSL *tls_conn;
   #endif /* HAVE_SSL */

+ /* APOP stuff */
+ #define APOP_CHAL_MAX 80
+ static char apop_chal[APOP_CHAL_MAX+1];
+
   sasl_conn_t *popd_saslconn; /* the sasl connection context */

   char *popd_userid = 0;
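
Review bot: `APOP_CHAL_MAX 80` is an unexplained magic number, and the greeting hunk later in this patch calls `fatal()` whenever `sasl_mkchal()` returns 0. If that call reports failure when the challenge (timestamp plus host name) does not fit in `apop_chal`, a long server name would end every connection at the banner. Please add a comment saying why 80 bytes is enough, or size the buffer from the host name limit. The "APOP stuff" comment could also say that the buffer holds the per-connection challenge sent in the greeting.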
***
*** 128,133 
--- 132,138 
   static int expungedeleted();

   static void cmd_auth();
+ static void cmd_apop();
   static void cmd_capa();
   static void cmd_pass();
   static void cmd_user();
***
*** 204,209 
--- 209,215 
   struct hostent *hp;
   int timeout;
   sasl_security_properties_t *secprops=NULL;
+ const char *auth_realm; /* LMR - specify realm for SASLDB lookup */

   signals_poll();

***
*** 251,257 
   }

   /* other params should be filled in */
! if (sasl_server_new("pop", config_servername, NULL,
 NULL, SASL_SECURITY_LAYER, popd_saslconn) != SASL_OK)
 fatal("SASL failed initializing: sasl_server_new()",EC_TEMPFAIL);

--- 257,266 
   }

   /* other params should be filled in */
! /* LMR - allow authentication realm to be something other than 
hostname */
! /*   so that password database is portable */
! auth_realm = config_getstring("auth-realm", NULL);
! if (sasl_server_new("pop", config_servername, auth_realm,
 NULL, SASL_SECURITY_LAYER, popd_saslconn) != SASL_OK)
 fatal("SASL failed initializing: sasl_server_new()",EC_TEMPFAIL);

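Review bot: the new `auth-realm` option read by `config_getstring("auth-realm", NULL)` is not documented anywhere in the patch, and its hyphenated name differs in style from the existing `allowplaintext` switch used further down; please add an entry to the configuration file documentation and pick a name that matches the existing options. Separately, the `/* LMR - allow authentication realm ...` comment has been wrapped by the mailer, so its continuation line `hostname */` carries no `!` marker and the hunk will not apply as posted. Resending the patch as an attachment would avoid that.
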
***
*** 276,283 
  TLS negotiation immediatly */
   if (pop3s == 1) cmd_starttls(1);

! prot_printf(popd_out, "+OK %s Cyrus POP3 %s server ready\r\n",
!   config_servername, CYRUS_VERSION);
   cmdloop();

   return 0;
--- 285,298 
  TLS negotiation immediatly */
   if (pop3s == 1) cmd_starttls(1);

! /* Generate APOP challenge string */
! if(sasl_mkchal(popd_saslconn, apop_chal, APOP_CHAL_MAX, 1) == 0)
! fatal("Can't init challenge string", EX_SOFTWARE);
!
! prot_printf(popd_out, "+OK %s Cyrus POP3 %s%s server ready %s\r\n",
! config_servername, CYRUS_VERSION,
! popd_starttls_done ? "+TLS" : "", apop_chal);
!
   cmdloop();

   return 0;
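
Review bot: `fatal("Can't init challenge string", EX_SOFTWARE)` uses a different exit-code family from the `EC_TEMPFAIL` passed to `fatal()` for the `sasl_server_new()` failure a few lines earlier; please use the matching `EC_*` constant. The challenge is also appended to the greeting unconditionally, which tells every client that APOP is on offer even where no APOP check can succeed (the covering message says the SASL library has no `sasl_checkapop()`). Consider generating and printing it only when APOP is actually usable, and note in a comment that the string must stay fixed for the life of the connection because `cmd_apop()` verifies against it.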
***
*** 463,469 
 prot_printf(popd_out, "-ERR Missing argument\r\n");
 }
 else {
!   cmd_user(arg);
 }
 }
 else if (!strcmp(inputbuf, "pass")) {
--- 478,491 
 prot_printf(popd_out, "-ERR Missing argument\r\n");
 }
 else {
! /* possibly disallow login */
! if ((popd_starttls_done == 0) 
! (config_getswitch("allowplaintext", 1) == 0)) {
! prot_printf(popd_out, "-ERR USER command only available 
under a layer\r\n");
! }
! else {
! cmd_user(arg);
! }
 }
 }
 else if (!strcmp(inputbuf, "pass")) {
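
Review bot: the new condition in the `user` branch has no operator between `(popd_starttls_done == 0)` and `(config_getswitch("allowplaintext", 1) == 0)`, so as posted it will not compile; it presumably needs `&&`. The `-ERR USER command only available under a layer` string literal is also split across two lines by mail wrapping. The check gates only USER while the `pass` branch below is unchanged, so please confirm that `cmd_pass()` refuses a password when no USER was accepted, or repeat the check there.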
***
*** 470,475 
--- 492,501 
 if (!arg) prot_printf(popd_out, "-ERR Missing argument\r\n");
 else cmd_pass(arg);
 }
+ else if (!strcmp(inputbuf, "apop")) {
+ if (!arg) prot_printf(popd_out, "-ERR Missing argument\r\n");
+ else cmd_apop(arg);
+ }
 else if (!strcmp(inputbuf, "auth")) {
 cmd_auth(arg);
 }
***
*** 851,856 
--- 877,951 
   openinbox();
   }

+ void
+ cmd_apop(apop_reply)
+ 
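
Review bot: `cmd_apop` is declared `static void cmd_apop();` in the prototype hunk but defined here as plain `void`, in old-style form with the parameter type on a following line; please put `static` on the definition so the two agree. The body of the function is cut off in this copy of the patch, so the parsing of the name and digest out of `apop_reply` and the digest comparison cannot be reviewed from what is shown.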

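The point made in the message above, that a server-side APOP check needs the shared secret itself rather than a one-way hash of it, shown as an added Python example (not part of the posted patch or of Cyrus). The greeting, user name, secret and digest in the usage are the sample values from RFC 1939; `SECRETS` and the function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import re

# Constructed server-side store. APOP needs the recoverable secret here,
# which is why a store of one-way password hashes cannot support it.
SECRETS = {"mrose": b"tanstaaf"}

# The challenge is the msg-id style token at the end of the POP3 greeting.
_CHALLENGE = re.compile(rb"(<[^<>@\s]+@[^<>@\s]+>)\s*$")
_HEX_DIGEST = re.compile(r"[0-9a-f]{32}")


def extract_challenge(greeting):
    """Return the <...@...> token from a +OK greeting, or None if absent."""
    if not greeting.startswith(b"+OK"):
        return None
    match = _CHALLENGE.search(greeting.rstrip(b"\r\n"))
    return match.group(1) if match else None


def apop_digest(challenge, secret):
    """Lower-case hex MD5 of the challenge immediately followed by the secret."""
    return hashlib.md5(challenge + secret).hexdigest()


def check_apop(challenge, args, secrets=SECRETS):
    """Verify the argument string of an 'APOP name digest' command."""
    parts = args.split()
    if len(parts) != 2:
        return False
    user, digest = parts
    if not _HEX_DIGEST.fullmatch(digest):
        return False
    secret = secrets.get(user)
    # Hash even for unknown users so both paths do similar work, and
    # compare in constant time.
    expected = apop_digest(challenge, secret if secret is not None else b"\x00")
    matches = hmac.compare_digest(expected, digest)
    return matches and secret is not None


if __name__ == "__main__":
    banner = b"+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>\r\n"
    chal = extract_challenge(banner)
    print(check_apop(chal, "mrose c4c9334bac560ecc979e58001b3e22fb"))
```
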
Re: deleting mailboxes?

2001-02-26 Thread Scot W. Hetzel

From: "Grant Beattie" [EMAIL PROTECTED]
 2.0.11/Solaris 7

 root@wombat# grep admins /etc/imapd.conf
 admins: cyrus

 wombat lam user.grant
 anyone p
 grant lrswipcda
 cyrus d
 wombat dm user.grant
 deletemailbox: Permission denied

 What is causing this? How can I delete the mailbox?

You need to give the admin user the (c)reate right on a mailbox, so that the
admin user can delete the mailbox.

Scot





Re: deleting mailboxes?

2001-02-26 Thread Cillian Sharkey

Grant Beattie [EMAIL PROTECTED] wrote:
 wombat lam user.grant
 anyone p
 grant lrswipcda
 cyrus d
 wombat dm user.grant
 deletemailbox: Permission denied
 
 What is causing this? How can I delete the mailbox?

sam user.grant cyrus c
dm user.grant

'c' gives right to delete actual folder (and to create sub folders),
'd' gives right to delete messages in folder.

-- 
Cillian



Cyrus getquota and ACLs

2001-02-26 Thread Bruce Bauman





We have written our own e-mail client, and would like to obtain a user's quota from the server. Unfortunately,
the Cyrus IMAP server only allows a GETQUOTA if the user is an admin user. I read the Quota Extension RFC
and this seems overly restrictive.


Or am I missing something obvious?


Thanks. 





Re: Automatic deletion from mailboxes

2001-02-26 Thread Ken Murchison



Todd Nemanich wrote:
 
 Hey everyone,
 I was wondering if messages more than a certain age can automatically be
 deleted from cyrus for users, possibly like how duplicate messages are
 deleted? Is there any facility to do this?

If you're running 2.x, check out ipurge(8).  Note: manpage is only
available in 2.0.12.  This utility *should* be EVENTable in cyrus.conf.

Ken
-- 
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp



Automatic deletion from mailboxes

2001-02-26 Thread Todd Nemanich

Hey everyone,
I was wondering if messages more than a certain age can automatically be 
deleted from cyrus for users, possibly like how duplicate messages are 
deleted? Is there any facility to do this?




exit code -11?

2001-02-26 Thread Justin R. Miller

Hi,

Can anyone tell me what might be causing deliver to exit with a -11?  I
can't seem to find documentation for this or glean it from the source.

-Justin



Re: Cyrus v2.x

2001-02-26 Thread Allan Rafuse

No worries, that's what the list is for :).  Anyways, now that
there is hard evidence of the "_" being a valid character,
it might make some people think about their current
implementation :).  But hey, if it works for your use, then why
fix it. :). 
  
 -Allan


On Mon, 26 Feb 2001 13:40:21 -0800, Michael Fair wrote:

Having repeated the "_" being an invalid character from
another sys admin that I trust, I decided to look it
up for myself before responding.

As it turns out, rfc822 ultimately identifies a
"local-part" as a CHAR with some exceptions:
local-part  =  word *("." word) ; uninterpreted
word        =  atom / quoted-string
atom        =  1*any CHAR except specials, SPACE and CTLs
CHAR        =  any ASCII character; (  0.-127. )

"_" is 95 and is not part of the specials, SPACE, or CTLs
groups.  Therefore "_" is a valid character in the local-part
of an email name.

My mistake.  My apologies for any inconvenience.

-- Michael --

- Original Message -
From: "Allan Rafuse" [EMAIL PROTECTED]
To: "Michael Fair" [EMAIL PROTECTED]
Sent: Monday, February 26, 2001 12:58 PM
Subject: Re: Cyrus v2.x


 I thought the "_" character is valid in an email account.  I
 have friends that have "_" in their email accounts from
 different providers.  We also currently have a few accounts
 with the "_".  We are using plain text passwords for remote
 clients that use various mail programs.

 Cyrus uses PAM to authenticate users through our Mysql DB.

  -Allan


 On Tue, 20 Feb 2001 12:37:24 -0800, Michael Fair wrote:

 I have no idea about the specific questions
 you are asking but I would recommend changing
 your naming scheme for a couple reasons.
 
 1) the "+" character is usually used to designate
 a sub mailbox.  Sending mail to
 [EMAIL PROTECTED] would be directly placed
 in the user.allan.cyrus folder.  While it might
 be technically correct to use "+" further down
 the chain (like in a mailbox name), why take the
 risk of confusing yourself or the software like that?
 
 2) The use of "@" in the userid is also a bad idea.
 I'm thinking Kerberos 5 here, which cyrus also supports.
 If the KB5 code tries to interpret the userid as
 user@realm then it will strip the domain thinking it's
 the realm (and they also call it a domain).
 
 I don't know where in the code these symbols are
 relevant but rather than confuse myself, or take the
 chance that I get to be the lucky fellow to have to
 deal with the bug because I was doing something the
 authors weren't expecting, I'd use different symbols.
 
 Of all the choices I've seen "_" is the best in my
 opinion because "_" is not a valid character in emails
 or domain names so you have some safety in that nobody
 is going to try and split your userid up because of
 that character.
 
 Converting [EMAIL PROTECTED] to allan_freeview_com is
 the path most people take and it doesn't seem to cause
 any undue stress.
 
 That said, checking the RFC for LMTP to see if it says
 anything special about the "+" sign returns a negative
 result.  The RFC isn't very long and says nothing about
 any special characters in email names.  Since I have no
 real knowledge about it (other than what the RFC says),
 you might be in technically correct territory and just
 dealing with an incorrect implementation (but I doubt it).
 
 The other possibility is that cyrus has taken complete
 responsibility for its plussed mailbox feature and
 carried it through to its LMTP implementation.
 
 I still would recommend changing your naming scheme, but
 maybe someone with more technical experience here can
 say something different.
 
 -- Michael --
 
 - Original Message -
 From: "Allan Rafuse" [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Friday, February 16, 2001 12:59 PM
 Subject: Cyrus v2.x
 
 
 
  A few questions here. We have been running 1.6.24 in a hacked form so
  that we can have virtual users with username as: [EMAIL PROTECTED]
  Our hacked form went through the input and converted any '.'s in the
  username to '+'.  So in imap from:
  1 LOGIN [EMAIL PROTECTED] pass
 
  would be translated to allan@freeview+com.
 
  The allan@freeview+com showed up in everything cyrus did.  I also had a
  TCL front end to the cyradm TCL program to do the conversion for me, so
  the only place you'd see a +com would be in cyrus.
 
  Anyways :), I'm trying to upgrade to 2.0.11.  I am able to login fine
  and list mailboxes, except I've noticed a few new things with the LMTP.
  Here are the questions.
 
  1. Why does LMTP tack on the '+' and then nuke from that to EOL in the
  verify_user function ?
  What significance does the '+' have in the LMTP?  If it's needed,
  I'll need to use another character for the '+com' :)
 
  lmtpd.c verify_user() :
  if (strlen(user) > sizeof(buf)-10) {
  r = IMAP_MAILBOX_NONEXISTENT;
  } else {
  strcpy(buf, "user.");
  strcat(buf, user);
  plus = strchr(buf, '+');
  if 
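
The RFC 822 grammar quoted in this thread, worked through as an added Python example (not code from any poster or from Cyrus). It checks which of the separator characters discussed here can occur inside a local-part, and it goes one step beyond the thread by showing what that means for the `user_domain_com` flattening scheme; the function names and the exact flattening rule are assumptions.

```python
# Added illustration of the RFC 822 grammar quoted in the thread.
# Function names and the flattening rule are assumptions, not Cyrus code.
SPECIALS = set('()<>@,;:\\".[]')


def is_atom_char(ch):
    """atom char: any CHAR (0-127) except specials, SPACE and CTLs."""
    code = ord(ch)
    return 32 < code < 127 and ch not in SPECIALS


def _scan_word(s, i):
    """Return the index just past one word starting at s[i], or -1."""
    if i < len(s) and s[i] == '"':              # quoted-string
        i += 1
        while i < len(s):
            if s[i] == "\\":                    # quoted-pair: "\" CHAR
                if i + 1 >= len(s) or ord(s[i + 1]) > 127:
                    return -1
                i += 2
            elif s[i] == '"':
                return i + 1
            elif s[i] == "\r" or ord(s[i]) > 127:
                return -1
            else:
                i += 1
        return -1                               # unterminated quote
    start = i
    while i < len(s) and is_atom_char(s[i]):    # atom
        i += 1
    return i if i > start else -1


def is_local_part(s):
    """local-part = word *("." word)"""
    i = _scan_word(s, 0)
    while i != -1 and i < len(s):
        if s[i] != ".":
            return False
        i = _scan_word(s, i + 1)
    return i == len(s)


def flatten_userid(address):
    """The user_domain_com scheme from the thread: '@' and '.' become '_'."""
    return address.replace("@", "_").replace(".", "_")


def separator_report(candidates="_+@."):
    """Map each separator candidate to whether it may appear in an atom."""
    return {c: is_atom_char(c) for c in candidates}
```

Because "_" is a legal atom character, two different addresses can flatten to the same userid, so a flattening scheme needs either an escaping rule or a uniqueness check when accounts are created.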

Re: Cyrus getquota and ACLs

2001-02-26 Thread Simon Loader

 Bruce Bauman wrote:
 
 We have written our own e-mail client, and would like to obtain a
 user's quota from the server. Unfortunately,
 the Cyrus IMAP server only allows a GETQUOTA if the user is an admin
 user. I read the Quota Extension RFC
 and this seems overly restrictive.
 
 Or am I missing something obvious?
 

Have you tried it as not an admin? I swear it works.
(I patched some proprietary webmail system to use this
once.)
Note: I could be wrong, but then how does Netscape do
it, I ask.

-- 
Simon



RE: Cyrus/SASL/PAM/LDAP - what am I missing?

2001-02-26 Thread Joshua Penix

Thanks Pascal --

I tried your config changes, but they didn't make any difference.  Turns out
it was a compilation option that was set on my OpenLDAP installation - the
SASL in OpenLDAP was conflicting with the SASL in Cyrus.  (See my other post
to the list for details...)

Now I'm playing with configs, and it appears that my /etc/pam.d/imap works
just the same as when I put your suggested changes in.  But your version
looks much more robust, so I'm going to go with it.  But I hate to just
blindly do stuff without understanding, so I was hoping you could shed a
little light (I'm a PAM newbie) on why you chose the PAM options as you did.

Again, thanks for your help!!!

--Josh


 -Original Message-
 From: Pascal Pucci [mailto:[EMAIL PROTECTED]]
 Sent: Monday, February 26, 2001 10:54 AM
 To: Joshua Penix; [EMAIL PROTECTED]
 Subject: Re: Cyrus/SASL/PAM/LDAP - what am I missing?
 
 
  -
  #%PAM-1.0
  auth       sufficient   /lib/security/pam_ldap.so
  auth       required     /lib/security/pam_unix_auth.so try_first_pass
  account    sufficient   /lib/security/pam_ldap.so
  account    required     /lib/security/pam_unix_acct.so
  -
 
 try with :
 
 auth      sufficient  pam_ldap.so
 account   sufficient  pam_ldap.so
 password  required    pam_ldap.so debug
 session   required    pam_deny.so
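
How the two `/etc/pam.d/imap` stacks quoted above behave under the `sufficient` and `required` control flags, as an added Python example that is not from either poster. It is a simplified model of PAM stack evaluation (only `required`, `requisite` and `sufficient`), the module outcomes are supplied by the caller, and the function names are assumptions.

```python
# Added illustration: simplified model of PAM control flags applied to the
# two stacks quoted in this message. Module results are inputs, not real calls.
ORIGINAL = """\
#%PAM-1.0
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so try_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so
"""

SUGGESTED = """\
auth      sufficient  pam_ldap.so
account   sufficient  pam_ldap.so
password  required    pam_ldap.so debug
session   required    pam_deny.so
"""


def parse_stack(text, group):
    """Return [(control, module_basename)] for one management group."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == group:
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack


def evaluate(stack, outcome):
    """outcome maps module name -> True (success) or False (failure)."""
    required_failed = False
    any_success = False
    for control, module in stack:
        ok = outcome.get(module, False)
        if control == "sufficient":
            if ok and not required_failed:
                return True          # stop here, the stack succeeds
            continue                 # a failed sufficient module is ignored
        if control not in ("required", "requisite"):
            raise ValueError("control flag not modelled: " + control)
        if ok:
            any_success = True
        else:
            required_failed = True
            if control == "requisite":
                return False         # fail immediately
    # With no successful module at all, the stack fails.
    return any_success and not required_failed


def decide(config, group, outcome):
    """Parse one group out of a pam.d file and evaluate it."""
    return evaluate(parse_stack(config, group), outcome)
```

In this model the suggested stack rejects a user who exists only in the local password files, because nothing in its `auth` group can succeed once `pam_ldap.so` fails, while the original stack falls back to the Unix module.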



dberrors

2001-02-26 Thread Joao Pedras

Hello all

I am trying to run 2.0.12 on linux sparc. I keep getting the same error and 
I am coming to that point that I do not know what else to do :(
I have seen similar errors on the list, but the solutions don't seem to fit 
my bill.
Any help would be deeply appreciated.

This is what I get in imapd.log when I start master :

Feb 27 00:27:19 tricana master[26917]: process started
Feb 27 00:27:19 tricana master[26918]: about to exec /usr/cyrus/bin/ctl_mboxlist
Feb 27 00:27:19 tricana ctl_mboxlist[26918]: running mboxlist recovery
Feb 27 00:27:19 tricana ctl_mboxlist[26918]: DBERROR db3: /var/imap/db/__db.001: unable to acquire environment lock: Invalid argument
Feb 27 00:27:19 tricana ctl_mboxlist[26918]: DBERROR: dbenv-open '/var/imap/db' failed: Invalid argument
Feb 27 00:27:19 tricana master[26917]: process 26918 exited, status 75
Feb 27 00:27:19 tricana master[26919]: about to exec /usr/cyrus/bin/ctl_deliver
Feb 27 00:27:19 tricana ctl_deliver[26919]: DBERROR: dbenv-open failed: Invalid argument
Feb 27 00:27:19 tricana master[26917]: process 26919 exited, status 1
Feb 27 00:27:19 tricana master[26917]: ready for work
Feb 27 00:27:19 tricana master[26920]: about to exec /usr/cyrus/bin/ctl_mboxlist
Feb 27 00:27:19 tricana ctl_mboxlist[26920]: checkpointing mboxlist
Feb 27 00:27:19 tricana master[26917]: process 26920 exited, status 75
Feb 27 00:27:19 tricana ctl_mboxlist[26920]: DBERROR db3: /var/imap/db/__db.001: unable to acquire environment lock: Invalid argument
Feb 27 00:27:19 tricana ctl_mboxlist[26920]: DBERROR: dbenv-open '/var/imap/db' failed: Invalid argument
Feb 27 00:27:19 tricana master[26921]: about to exec /usr/cyrus/bin/ctl_deliver
Feb 27 00:27:19 tricana ctl_deliver[26921]: DBERROR: dbenv-open failed: Invalid argument
Feb 27 00:27:19 tricana master[26917]: process 26921 exited, status 1


Tkx for your time.

Joao



Re: sendmail config question for multiple domains.

2001-02-26 Thread Peter M. Jansson

I use sendmail's virtusertable feature to deliver mail for
[EMAIL PROTECTED] to somelocaluser; I was thinking of modifying the Cyrus
code that handles IMAP LOGIN so that it tries to look up the username as
presented by the user in the sendmail virtusertable, and if it succeeds,
it will log in as the mapped name, so the user never has to know the
somelocaluser part.  This will do the job for me, but I can see some
problems with it:

- Need to make sure that Cyrus can locate and read the virtusertable map,
which could mean several things, including making sure sendmail and Cyrus
are built with the same BerkeleyDB.  If virtusertable is elsewhere (LDAP
routing?), then something else has to happen, and I'm not at all sure how
to express this from a configuration perspective, let alone
implementation.

- Public folders would become difficult for users, because they'd have to
have a way to learn their somelocaluser

I'm sure there are more problems.

Meanwhile, this seems to me to be a way to implement virtual domains in
such a way that we don't have to agonize over Cyrus path separators,
sendmail hacks, multiple IP addresses, and making lmtpd less enthusiastic.

On balance, is this a less invasive approach than all of the other hacks?

Pete.