Re: disabling usage of realms
You can use virtdomains:

    virtdomains: yes
    defaultdomain: yourdefaultdomain.com

With this, username = usern...@yourdefaultdomain.com. Old clients can use "username" or "usern...@yourdefaultdomain.com", and new clients "usern...@project1.com", "usern...@project2.com".

More details in: http://www.cyrusimap.org/docs/cyrus-imapd/2.3.16/install-virtdomains.php

On Thu, Jan 6, 2011 at 11:22 AM, Stefan Palme pa...@kapott.org wrote:

> Hi all,
>
> I use cyrus-imapd-2.3.x. User authentication happens via saslauthd, which in turn uses PAM. The PAM configuration includes a complicated stack of modules including LDAP, UNIX password files, access control lists etc. In general this setup works fine.
>
> Up to now all user-ids have the form "username". Now there are some new user accounts with user-ids like "usern...@project1". These user accounts are stored in the LDAP backend (which is transparent to the IMAP server). Authenticating these users by using PAM test tools works fine.
>
> Cyrus IMAP Server uses saslauthd. With the default configuration, saslauthd splits the given user-id into username "username" and realm "project1". To disable this, I run saslauthd with -r, so the username which is sent to PAM is really "usern...@project1", which in turn causes user authentication to work again.
>
> But when I try to login to Cyrus IMAP Server using "usern...@project1", I get error messages like "authentication failure: cross-realm login usern...@project1 denied".
>
> I think I understand the problem - I should configure "project1" as a valid loginrealm in /etc/imapd.conf. But I don't want this, because I don't want to modify the IMAP server configuration for each new project X.
>
> Is there a way to tell Cyrus IMAP Server to completely skip its realm logic, and to treat usernames containing an "@" just like any other normal username, which includes assuming the default realm?
>
> Thanks in advance!
> -stefan-

Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
Re: Shared mailboxes doc
> On Fri, 2011-01-07 at 16:33 +, Andy Bennett wrote:
>
> > Hi,
> >
> > Does anyone know the option that needs to be set (and how to set it) in order to do a bulletin board, i.e. have a separate SEEN state for each user? Do the imapd.conf sharedseenstate option (disabled) and setting the "anyone" 's' ACL help?
> >
> > I think that the imapd.conf option would be for all mailboxes. I thought that there was an annotation that could be set on a per mailbox basis.
>
> There is: sharedseen. Set it to true.
>
>     xyz.example.com> info bogus.mailbox.name
>     {bogus.mailbox.name}:
>       condstore: false
>       duplicatedeliver: false
>       lastpop:
>       lastupdate: 7-Jan-2011 11:38:48 -0500
>       partition: default
>       pop3newuidl: true
>       sharedseen: true
>       size: 29468

The original poster seems to want a separate SEEN state for each user. In that case, shouldn't sharedseen be set to false, not true? I thought the default behaviour of Cyrus was to keep sharedseen = false, which would be what the original poster wants.

Shuvam
Disallow cleartext on the wire
Hello List!

I am going mad, mad as in crazy.

    CentOS 5.5
    Sendmail 8.13.8/8.13.8
    cyrus-imapd.x86_64          2.3.7-7.el5_4.3
    cyrus-imapd-devel.x86_64    2.3.7-7.el5_4.3
    cyrus-imapd-perl.x86_64     2.3.7-7.el5_4.3
    cyrus-imapd-utils.x86_64    2.3.7-7.el5_4.3
    cyrus-sasl.x86_64           2.1.22-5.el5_4.3
    cyrus-sasl-devel.x86_64     2.1.22-5.el5_4.3
    cyrus-sasl-gssapi.x86_64    2.1.22-5.el5_4.3
    cyrus-sasl-lib.x86_64       2.1.22-5.el5_4.3
    cyrus-sasl-md5.x86_64       2.1.22-5.el5_4.3
    cyrus-sasl-plain.x86_64     2.1.22-5.el5_4.3

I am using Thunderbird to test with. I want to completely disallow logins without TLS for IMAP. This is my /etc/imapd.conf:

    configdirectory: /var/lib/imap
    partition-default: /var/spool/imap
    admins: cyrus
    sievedir: /var/lib/imap/sieve
    sendmail: /usr/sbin/sendmail
    hashimapspool: true
    sasl_pwcheck_method: saslauthd auxprop
    sasl_mech_list: LOGIN PLAIN
    allowplainwithouttls: 0
    allowanonymouslogins: 0
    virtdomains: userid
    tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
    tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
    tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt

I think maybe I am confused here. I thought 'allowplainwithouttls: 0' would not allow cleartext passwords, but now I am thinking it means only the PLAIN mech. Is that correct? If that is the case, how do I configure the server to accept PLAIN LOGIN only if there is SSL/TLS present? Right now when I do a packet capture on the session I can see the username and password in cleartext inside of my capture file.

Thanks for any help,
Jon
RE: Disallow cleartext on the wire
Hi

> I am using Thunderbird to test with. I want to completely disallow logins without TLS for IMAP.

Have a look at /etc/cyrus.conf:

    SERVICES {
      # --- Normal cyrus spool, or Murder backends ---
      # add or remove based on preferences
      imap      cmd="imapd -U 30" listen="imap" prefork=0 maxchild=100
      imaps     cmd="imapd -s -U 30" listen="imaps" prefork=0 maxchild=100
      #pop3     cmd="pop3d -U 30" listen="pop3" prefork=0 maxchild=50
      #pop3s    cmd="pop3d -s -U 30" listen="pop3s" prefork=0 maxchild=50
      #nntp     cmd="nntpd -U 30" listen="nntp" prefork=0 maxchild=100
      #nntps    cmd="nntpd -s -U 30" listen="nntps" prefork=0 maxchild=100

Just hash out imap and restart cyrus.

Regards,
D.
Re: Disallow cleartext on the wire
On Sun, 9 Jan 2011, j...@destar.net wrote:

> Hello List!
>
> I am going mad, mad as in crazy.
>
>     CentOS 5.5
>     Sendmail 8.13.8/8.13.8
>     cyrus-imapd.x86_64          2.3.7-7.el5_4.3
>     cyrus-imapd-devel.x86_64    2.3.7-7.el5_4.3
>     cyrus-imapd-perl.x86_64     2.3.7-7.el5_4.3
>     cyrus-imapd-utils.x86_64    2.3.7-7.el5_4.3
>     cyrus-sasl.x86_64           2.1.22-5.el5_4.3
>     cyrus-sasl-devel.x86_64     2.1.22-5.el5_4.3
>     cyrus-sasl-gssapi.x86_64    2.1.22-5.el5_4.3
>     cyrus-sasl-lib.x86_64       2.1.22-5.el5_4.3
>     cyrus-sasl-md5.x86_64       2.1.22-5.el5_4.3
>     cyrus-sasl-plain.x86_64     2.1.22-5.el5_4.3
>
> I am using Thunderbird to test with. I want to completely disallow logins without TLS for IMAP. This is my /etc/imapd.conf:
>
>     configdirectory: /var/lib/imap
>     partition-default: /var/spool/imap
>     admins: cyrus
>     sievedir: /var/lib/imap/sieve
>     sendmail: /usr/sbin/sendmail
>     hashimapspool: true
>     sasl_pwcheck_method: saslauthd auxprop
>     sasl_mech_list: LOGIN PLAIN
>     allowplainwithouttls: 0
>     allowanonymouslogins: 0
>     virtdomains: userid
>     tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
>     tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
>     tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
>
> I think maybe I am confused here. I thought 'allowplainwithouttls: 0' would not allow cleartext passwords, but now I am thinking it means only the PLAIN mech. Is that correct? If that is the case, how do I configure the server to accept PLAIN LOGIN only if there is SSL/TLS present? Right now when I do a packet capture on the session I can see the username and password in cleartext inside of my capture file.

    allowplaintext: 0
        Allow the use of cleartext passwords on the wire.

The default changed back in 2.3.something to disallow plaintext passwords by default. If you want to make sure, set it in imapd.conf as:

    allowplaintext: 0

This will require an SSF > 0, which means either digest authentication or a protection layer like TLS and SSL.
When you connect without TLS on the standard imap port, you'll see the following in the CAPABILITY response:

    S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID MUPDATE=mupdate://xxx.oregonstate.edu/ STARTTLS LOGINDISABLED COMPRESS=DEFLATE] xxx.oregonstate.edu Cyrus IMAP Murder v2.3.15 server ready

Notice the LOGINDISABLED part. After TLS is negotiated, a full CAPABILITY response is returned:

    S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID MUPDATE=mupdate://xxx.oregonstate.edu/ AUTH=PLAIN SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE URLAUTH

Notice the AUTH=PLAIN part.

Andy
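The LOGINDISABLED-before-TLS / AUTH=PLAIN-after-TLS pattern Andy describes can be checked automatically. The script below is an added example, not code from the thread or from Cyrus; the two sample responses are constructed from the ones quoted above (host name replaced), and audit_live() is a hypothetical helper that fetches the same two responses from a real server with Python's stdlib imaplib.

```python
# Added example: audit an IMAP server's CAPABILITY responses before and after
# STARTTLS for the cleartext-login pattern discussed in the thread.
import imaplib
import re
import ssl

# Constructed sample responses, modelled on the ones quoted in the thread.
PRE_TLS = ("* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS LOGINDISABLED "
           "COMPRESS=DEFLATE] imap.example.com Cyrus IMAP Murder v2.3.15 server ready")
POST_TLS = ("* CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN SASL-IR ACL "
            "RIGHTS=kxte QUOTA NAMESPACE UIDPLUS IDLE")


def parse_capabilities(line):
    """Return the set of capability atoms from a greeting or a CAPABILITY line."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line)      # greeting form: * OK [CAPABILITY ...]
    body = m.group(1) if m else re.sub(r"^\* CAPABILITY ", "", line)
    return set(body.split())


def audit(pre_tls, post_tls):
    """Return a list of findings; an empty list means cleartext logins are refused."""
    pre, post = parse_capabilities(pre_tls), parse_capabilities(post_tls)
    findings = []
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not offered before TLS")
    if "LOGINDISABLED" not in pre:
        findings.append("LOGIN command accepted before TLS")
    mechs = sorted(c for c in pre if c.startswith("AUTH="))
    if mechs:  # any SASL mechanism offered on the cleartext connection
        findings.append("SASL mechanisms offered before TLS: " + ", ".join(mechs))
    if "AUTH=PLAIN" not in post:
        findings.append("AUTH=PLAIN still missing after TLS (clients cannot log in)")
    return findings


def audit_live(host, port=143):
    """Hypothetical live check: no credentials are sent, only CAPABILITY is read."""
    conn = imaplib.IMAP4(host, port)                     # imaplib issues CAPABILITY on connect
    pre = "* CAPABILITY " + " ".join(conn.capabilities)
    conn.starttls(ssl.create_default_context())          # capabilities are re-read after TLS
    post = "* CAPABILITY " + " ".join(conn.capabilities)
    conn.logout()
    return audit(pre, post)
```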
Re: Disallow cleartext on the wire
j...@destar.net wrote:

> Hello List!
>
> I am going mad, mad as in crazy.
>
>     CentOS 5.5
>     Sendmail 8.13.8/8.13.8
>     cyrus-imapd.x86_64          2.3.7-7.el5_4.3
>     cyrus-imapd-devel.x86_64    2.3.7-7.el5_4.3
>     cyrus-imapd-perl.x86_64     2.3.7-7.el5_4.3
>     cyrus-imapd-utils.x86_64    2.3.7-7.el5_4.3
>     cyrus-sasl.x86_64           2.1.22-5.el5_4.3
>     cyrus-sasl-devel.x86_64     2.1.22-5.el5_4.3
>     cyrus-sasl-gssapi.x86_64    2.1.22-5.el5_4.3
>     cyrus-sasl-lib.x86_64       2.1.22-5.el5_4.3
>     cyrus-sasl-md5.x86_64       2.1.22-5.el5_4.3
>     cyrus-sasl-plain.x86_64     2.1.22-5.el5_4.3
>
> I am using Thunderbird to test with. I want to completely disallow logins without TLS for IMAP. This is my /etc/imapd.conf:
>
>     configdirectory: /var/lib/imap
>     partition-default: /var/spool/imap
>     admins: cyrus
>     sievedir: /var/lib/imap/sieve
>     sendmail: /usr/sbin/sendmail
>     hashimapspool: true
>     sasl_pwcheck_method: saslauthd auxprop
>     sasl_mech_list: LOGIN PLAIN
>     allowplainwithouttls: 0
>     allowanonymouslogins: 0
>     virtdomains: userid
>     tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
>     tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
>     tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
>
> I think maybe I am confused here. I thought 'allowplainwithouttls: 0' would not allow cleartext passwords, but now I am thinking it means only the PLAIN mech. Is that correct? If that is the case, how do I configure the server to accept PLAIN LOGIN only if there is SSL/TLS present? Right now when I do a packet capture on the session I can see the username and password in cleartext inside of my capture file.
>
> Thanks for any help,
> Jon

It's been a while since I set this up, but I found I also needed to use the following:

    sasl_minimum_layer: 128

Perhaps it's unnecessary at this point...

Cheers,
Rafe
Re: Disallow cleartext on the wire
Quoting Andrew Morgan mor...@orst.edu:

> On Sun, 9 Jan 2011, j...@destar.net wrote:
>
> > Hello List!
> >
> > I think maybe I am confused here. I thought 'allowplainwithouttls: 0' would not allow cleartext passwords, but now I am thinking it means only the PLAIN mech. Is that correct? If that is the case, how do I configure the server to accept PLAIN LOGIN only if there is SSL/TLS present? Right now when I do a packet capture on the session I can see the username and password in cleartext inside of my capture file.
>
>     allowplaintext: 0
>         Allow the use of cleartext passwords on the wire.
>
> The default changed back in 2.3.something to disallow plaintext passwords by default. If you want to make sure, set it in imapd.conf as:
>
>     allowplaintext: 0
>
> This will require an SSF > 0, which means either digest authentication or a protection layer like TLS and SSL.
>
> When you connect without TLS on the standard imap port, you'll see the following in the CAPABILITY response:
>
>     S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID MUPDATE=mupdate://xxx.oregonstate.edu/ STARTTLS LOGINDISABLED COMPRESS=DEFLATE] xxx.oregonstate.edu Cyrus IMAP Murder v2.3.15 server ready
>
> Notice the LOGINDISABLED part. After TLS is negotiated, a full CAPABILITY response is returned:
>
>     S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID MUPDATE=mupdate://xxx.oregonstate.edu/ AUTH=PLAIN SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE URLAUTH
>
> Notice the AUTH=PLAIN part.
>
> Andy

Perfect, thanks Andy.

Jon
saslauthd vs auxprop
I cannot wrap my mind around saslauthd and auxprop.

Does auxprop use the sasldb file to authenticate users that have been added using the 'saslpasswd2' command?

What is saslauthd trying to use for authentication, would it be the mechs shown in a 'saslauthd -v' output?

What does changing the value in the Sendmail.conf file from saslauthd to auxprop, or vice versa, do?

Running a ps I see that saslauthd is using the shadow mech:

    /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow

But I have no users in the shadow file other than cyrus, and my users for my mail server are in the sasldb file?

I have read the documentation on the cyrus site, the man pages and searched the mailing list but I still cannot grasp what seems to be a simple concept. Can someone shed some light or at least point me in the right direction?

Jon
Re: saslauthd vs auxprop
On Sun, 9 Jan 2011, j...@destar.net wrote:

> I cannot wrap my mind around saslauthd and auxprop.
>
> Does auxprop use the sasldb file to authenticate users that have been added using the 'saslpasswd2' command?
>
> What is saslauthd trying to use for authentication, would it be the mechs shown in a 'saslauthd -v' output?
>
> What does changing the value in the Sendmail.conf file from saslauthd to auxprop, or vice versa, do?
>
> Running a ps I see that saslauthd is using the shadow mech:
>
>     /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow
>
> But I have no users in the shadow file other than cyrus, and my users for my mail server are in the sasldb file?
>
> I have read the documentation on the cyrus site, the man pages and searched the mailing list but I still cannot grasp what seems to be a simple concept. Can someone shed some light or at least point me in the right direction?

Hopefully I get this right!

There are basically 2 high-level choices to make: saslauthd or auxprop. saslauthd is an external daemon process that your program communicates with via a unix socket. auxprop uses C library modules that are loaded by libsasl into your program.

saslauthd supports a few different authentication mechanisms. The most popular are PAM and passwd/shadow.

Auxprop is usually used for sasldb, but I think there are several different modules that can be used. I'm fuzzy on auxprop so maybe someone else can fill in more detail here.

Andy