Re: upgrade to cyrus_imap or saslauth or both gon horribly wrong
On 01/08/19 20:12 +0100, James B Byrne wrote:
> FreeBSD-11.2p7
> cyrus-imapd30-3.0.8_2
> cyrus-sasl-saslauthd-2.1.27
> cyrus-sasl-2.1.27
>
> This morning we upgraded our cyrus_imap server using the FreeBSD pkg
> package manager. Following this we are unable to authenticate with imap.
> The error we receive is this:
>
> Jan 8 14:05:37 inet17 CYRUS/imaps[40533]: SASL cannot connect to saslauthd server: Permission denied

Find the location of your saslauthd mux (unix domain socket) within the
filesystem and verify the permissions of its path (typically somewhere
underneath /var). It should allow access to the cyrus user. You can use
testsaslauthd, as the cyrus user, to verify permissions.

> Jan 8 14:05:37 inet17 CYRUS/imaps[40533]: badlogin: servername [server address] plaintext username SASL(-1): generic failure: checkpass failed
>
> imapd.conf was not changed. It contains this:
>
> sasl_mech_list: PLAIN
> sasl_pwcheck_method: saslauthd
>
> I am posting this from a temporary email because, duhh, I cannot access
> my regular mailbox. I am open to any reasonable suggestions as to how to
> fix this, quickly.

Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: suddenly 'User unknown'?
Do you otherwise see log entries for an imap connection? Is there a
permissions problem on the lmtpunix mux (/var/lib/imap/socket/lmtp)? Your
syslog entry seems to indicate it is communicating with cyrus, but perhaps
I'm misreading it.

Look up telemetry logging, and lmtptest for other ways to verify your cyrus
config. You may need to temporarily enable lmtp on a TCP port to test.

On 11/29/18 15:25 +, Charles Bradshaw wrote:
> I have, and have always had, an empty /var/log/imapd.log so I'm not going
> to make progress until I fix that.
>
> In /etc/rsyslog.conf
>
> # cyrus imapd
> #local6.* /var/log/imapd.log - tried this first.
> local6.debug /var/log/imapd.log
> auth.debug /var/log/auth.log
>
> and in /etc/imapd.conf
>
> syslog_prefix: cyrus
> syslog_facility: LOCAL6
>
> If I remove the file /etc/imapd.log then
>
> # /etc/init.d/rsyslog restart
> # logger local6.debug 'test log message'
> # cat /var/log/imapd.log
> Nov 29 15:06:42 dell2600-1 brad: test log message
>
> Obviously syslog is working local6. But still no messages from cyrus!
> Therefore I'm now stuck with this secondary problem. I have followed the
> cyrus instructions as best I can, but no go. I say again this has all
> worked for years, albeit with an always empty imapd.log. There must be
> some missing cyrus syslog configuration.
>
> On 29/11/2018 14:39, Dan White wrote:
>> On 11/29/18 00:46 +, Charles Bradshaw wrote:
>>> Nov 27 15:18:36 dell2600-1 sendmail[4801]: wARFIavg004801: to=, delay=00:00:00, xdelay=00:00:00, mailer=cyrusv2, pri=31677, relay=localhost [[UNIX: /var/lib/imap/socket/lmtp]], dsn=5.1.1, stat=User unknown
Re: suddenly 'User unknown'?
On 11/29/18 00:46 +, Charles Bradshaw wrote:
> lm user/b...@bradcan.homelinux.com
> user/b...@bradcan.homelinux.com (\HasChildren)
>
> and the directory /var/spool/imap/domain/b/bradcan.homelinux.com/b/user/brad
> exists and is intact.
>
> Perhaps I should change my rsyslog configuration.
> https://cyrusimap.org/imap/installing.html has some alternative
> instructions. Will the following be more helpful?
>
> local6.* /var/log/imapd.log
> auth.debug /var/log/auth.log

Yes that should hopefully get you something useful from Cyrus to work
with. Some OS packages, like Debian, modify the syslog facility, so you may
need to consult your system documentation if that doesn't give appropriate
output.

> On 28/11/2018 16:12, Dan White wrote:
>> On 11/28/18 15:21 +, Charles Bradshaw via Info-cyrus wrote:
>>> My tests while logged in to the server as brad:
>>>
>>> Nov 27 15:18:36 dell2600-1 sendmail[4801]: wARFIavg004801: to=, delay=00:00:00, xdelay=00:00:00, mailer=cyrusv2, pri=31677, relay=localhost [[UNIX: /var/lib/imap/socket/lmtp]], dsn=5.1.1, stat=User unknown
>>
>> What do your cyrus syslog entries say?
>>
>> Does the output of 'lm' look correct?
>>
>>> and /etc/imapd.conf
>>> [root@dell2600-1 brad]# cat /etc/imapd.conf
>>> configdirectory: /var/lib/imap
>>> partition-default: /var/spool/imap
>>> admins: cyrus
>>> sievedir: /var/lib/imap/sieve
>>> sendmail: /usr/sbin/sendmail
>>> hashimapspool: true
>>> sasl_pwcheck_method: auxprop
>>> # sasl_auxprop_plugin:sql
>>> # allowplaintext: no
>>> unixhierarchysep: yes
>>> virtdomains: userid
Re: suddenly 'User unknown'?
On 11/28/18 15:21 +, Charles Bradshaw via Info-cyrus wrote:
> My tests while logged in to the server as brad:
>
> [root@dell2600-1 brad]# cat /var/log/maillog
> Nov 27 15:18:35 dell2600-1 sendmail[4798]: wARFIZXZ004798: from=brad, size=44, class=0, nrcpts=1, msgid=<201811271518.warfizxz004...@bradcan.homelinux.com>, relay=brad@localhost
> Nov 27 15:18:35 dell2600-1 sendmail[4799]: wARFIZvh004799: from=, size=358, class=0, nrcpts=1, msgid=<201811271518.warfizxz004...@bradcan.homelinux.com>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
> Nov 27 15:18:36 dell2600-1 sendmail[4798]: wARFIZXZ004798: to=b...@bradcan.homelinux.com, ctladdr=brad (500/500), delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=30044, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (wARFIZvh004799 Message accepted for delivery)
> Nov 27 15:18:36 dell2600-1 sendmail[4801]: AUTH=client, relay=localhost, mech=, bits=0
> Nov 27 15:18:36 dell2600-1 sendmail[4801]: wARFIZvh004799: to=, delay=00:00:01, xdelay=00:00:00, mailer=cyrusv2, pri=120358, relay=localhost, dsn=5.1.1, stat=User unknown
> Nov 27 15:18:36 dell2600-1 sendmail[4801]: wARFIZvh004799: wARFIavg004801: DSN: User unknown
> Nov 27 15:18:36 dell2600-1 sendmail[4801]: wARFIavg004801: to=, delay=00:00:00, xdelay=00:00:00, mailer=cyrusv2, pri=31677, relay=localhost [[UNIX: /var/lib/imap/socket/lmtp]], dsn=5.1.1, stat=User unknown

What do your cyrus syslog entries say?

> What cyradmin says:
>
> localhost.localdomain> ver
> name : Cyrus IMAPD
> version: v2.4.17-Invoca-RPM-2.4.17-7.el6 d1df8aff 2012-12-01
>
> localhost.localdomain> info user/b...@bradcan.homelinux.com
> {user/b...@bradcan.homelinux.com}:
> duplicatedeliver: false
> lastpop: 24-Oct-2013 21:04:43 +0100
> lastupdate: 27-Nov-2018 04:00:00 +
> partition: default
> pop3newuidl: true
> sharedseen: false
> size: 8489796

Does the output of 'lm' look correct?

> and /etc/imapd.conf
>
> [root@dell2600-1 brad]# cat /etc/imapd.conf
> configdirectory: /var/lib/imap
> partition-default: /var/spool/imap
> admins: cyrus
> sievedir: /var/lib/imap/sieve
> sendmail: /usr/sbin/sendmail
> hashimapspool: true
> sasl_pwcheck_method: auxprop
> # sasl_auxprop_plugin:sql
> # allowplaintext: no
> unixhierarchysep: yes
> virtdomains: userid
> #

-- 
Dan White
Re: Missing Email & Folders
On 11/06/18 14:06 -0600, Robert Covell wrote:
> Hello All,
>
> Have a few weird situations that I have been unable to find solutions to.
>
> Server: CentOS release 6.x
> cyrus-imapd-2.4.17-6.el5.src.rpm (Simon Matter)
> Client: Outlook 2013
>
> Our client is using Cyrus to store related emails for their clients. The
> server does not actually receive mail, it is placed (copied) there.
> Approximately eight clients connect to "one" Cyrus account. When an email
> comes in for client X the user will find the appropriate imap folder and
> copy it to it. If the folder does exist it is created.
>
> Issue One:
> Randomly the server side imap folder is empty. Client imap folder has what
> was supposed to be on the server but it is not. The copy of the email
> appears to have been successful.

Mouse slip? If you suspect this is due to a client related problem, you
could enable telemetry logging to find out who/what is causing the emails
to go missing.

https://www.cyrusimap.org/imap/reference/faqs/o-telemetry.html

If the purpose is to (mostly) copy emails into the folder and rarely delete,
you could restrict delete access to a specific account via ACL.

https://www.cyrusimap.org/imap/reference/admin/access-control/rights-reference.html

> Issue Two:
> Randomly computers will not see newly created imap folders from other
> users. Regardless of how we attempt to get the folder in the imap list we
> have to recreate the account.

My assumption is that this is most likely due to imap support in Outlook
and not Cyrus.

> Wanting to know if anyone has seen anything like this and if a solution
> was found.
Re: Cyrus IMAP 'CAPABILITIES' and 'AUTH=PLAIN'
On 11/01/18 21:25 +, Marty Lee wrote:
> Forgive me asking this question, we’ve just had a server disk that’s
> starting to die in a remote location, and I’m frantically trying to clone
> some IMAP users onto another server - along with a number of other things.
>
> Despite imapd.conf having 'allowplaintext: yes’ (it’s an internal server)
> when logging in, ‘AUTH=LOGIN’ isn’t advertised, yet it works if I manually
> try to login. ‘imapsync’ is complaining as it can’t see the LOGIN
> capability.
>
> I’m about to start looking at the code, but if anyone can let me know if
> a setting needs changed, that would be great - clearly, I’ve got a number
> of things to try to get off this server ASAP, so any advice would be
> greatly appreciated.
>
> Server version is 3.0.4:
>
> [root@imapserver /opt/local/etc/cyrus]# nc localhost 143
> * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE] imapserver Cyrus IMAP 3.0.4 server ready
> 0 CAPABILITY
> * CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SEARCH=FUZZY SORT SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES THREAD=REFS ANNOTATEMORE ANNOTATE-EXPERIMENT-1 METADATA LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS LIST-METADATA WITHIN QRESYNC SCAN XLIST XMOVE MOVE SPECIAL-USE CREATE-SPECIAL-USE DIGEST=SHA1 X-REPLICATION URLAUTH URLAUTH=BINARY COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE

I would guess you are missing libsasl2 modules for authentication, which
your OS probably has packaged in a separate package. You can use
pluginviewer/saslpluginviewer to view existing plugins.
Re: Frontend couldn't authenticate to backend server: authentication failure
On 06/01/18 18:03 +0200, Jean-Christophe Delaye wrote:
> I'm trying to complete setup Cyrus Murder : 1 frontend with mupdate and 1
> backend (initial config).
>
> # telnet imap1 imap
> Trying 192.168.106.208...
> Connected to imap1.eurecom.fr.
> Escape character is '^]'.
> * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE MUPDATE=mupdate://cassandra.eurecom.fr/ STARTTLS AUTH=PLAIN SASL-IR]
> 001 login standard XXX
> A001 SELECT INBOX
> * 0 EXISTS
> * 0 RECENT
> * FLAGS (\Answered \Flagged \Draft \Deleted \Seen)
> * OK [PERMANENTFLAGS (\Answered \Flagged \Draft \Deleted \Seen \*)] Ok
> * OK [UIDVALIDITY 1527674348] Ok
> * OK [UIDNEXT 1] Ok
> * OK [HIGHESTMODSEQ 3] Ok
> * OK [URLMECH INTERNAL] Ok
> * OK [ANNOTATIONS 65536] Ok
> A001 OK [READ-WRITE] Completed

Note that you have 'mailproxy' configured as the proxy_authname on your
frontend. Use imtest to simulate your frontend:

imtest -m plain -a mailproxy imap1.eurecom.fr
imtest -m plain -a mailproxy -u imap1.eurecom.fr

> The problem seems to be the proxy connections through frontend to the
> server with a backend role.
>
> From client(s), connection to frontend is the issue
>
> 001 login standard xxx
> X-QUOTA=X-NUM-FOLDERS IDLE] User logged in
>
> Once I get connected and authenticated, I launch the command “select
> inbox”, but I receive the message
>
> A001 SELECT INBOX
> A001 NO Server(s) unavailable to complete operation
>
> In the log files there is an error from both frontend and backend
>
> From frontend:
> cassandra cyrus/imap[19868]: couldn't authenticate to backend server: authentication failure
>
> From backend:
> imap1 cyrus1/master about to exec /opt/cyrus-imapd_3.0.7-cyrus1/libexec/imapd
> imap1 cyrus1/imap[11632]: SASL could not find auxprop plugin, was searching for '[all]'

The above error is probably not important.

> badlogin: cassandra.eurecom.fr [192.168.106.61] PLAIN [SASL(-4): no mechanism available: Password verification failed]

Check that the plain mechanism is available on the backend with
'pluginviewer', and verify your mailproxy credentials.

> On the backend:
>
> admins: cyrus1 cyrus postman
> allowallsubscribe: yes
> allowplaintext: yes
> allowusermoves: yes
> auditlog: yes
> configdirectory: /global/cyrus1/var/mail
> defaultpartition: default
> duplicate_db_path: /var/run/cyrus1/deliver.db
> hashimapspool: yes
> debug: yes
> httpmodules: caldav carddav
> idlesocket: /var/run/cyrus1/idle
> mboxname_lockpath: /var/run/cyrus1_lock
> mupdate_authname: postman
> mupdate_password: xxx
> mupdate_server: cassandra.eurecom.fr
> mupdate_username: postman
> popminpoll: 1
> proc_path: /var/run/cyrus1_proc
> proxy_authname: mailproxy
> proxy_password:
> proxyservers: mailproxy cyrus1 cyrus
> ptscache_db_path: /var/run/cyrus1/ptscache.db
> servername: imap1.eurecom.fr
> sievedir: /global/cyrus1/var/sieve
> statuscache_db_path: /var/run/cyrus1/statuscache.db
> syslog_prefix: cyrus1
> tls_sessions_db_path: /var/run/cyrus1/tls_sessions.db
> sasl_saslauthd_path: /global/cyrus1/var/state/saslauthd/mux
> sasl_mech_list: plain
> sasl_auto_transition: no
> sasl_pwcheck_method: saslauthd
> partition-default: /global/cyrus1/mail
> lmtp_admins: mailproxy cyrus1 cyrus
>
> on the frontend/mupdate master:
>
> admins: cyrus cyrus1 postman
> allowallsubscribe: yes
> allowplaintext: yes
> allowusermoves: yes
> auditlog: yes
> configdirectory: /global/cyrus/var/mail
> defaultpartition: default
> duplicate_db_path: /var/run/cyrus/deliver.db
> force_sasl_client_mech: PLAIN
> hashimapspool: yes
> debug: yes
> httpmodules: caldav carddav
> idlesocket: /var/run/cyrus/idle
> mboxname_lockpath: /var/run/cyrus_lock
> mupdate_authname: postman
> mupdate_password: xxx
> mupdate_server: cassandra.eurecom.fr
> mupdate_username: postman
> popminpoll: 1
> proc_path: /var/run/cyrus_proc
> proxy_authname: mailproxy
> proxy_password: y
> ptscache_db_path: /var/run/cyrus/ptscache.db
> servername: cassandra.eurecom.fr
> sievedir: /global/cyrus/var/sieve
> statuscache_db_path: /var/run/cyrus/statuscache.db
> syslog_prefix: cyrus
> cassandra_mechs: PLAIN
> sasl_saslauthd_path: /global/cyrus/var/state/saslauthd/mux
> imap1_mechs: PLAIN
> sasl_mech_list: plain
> sasl_auto_transition: no
> sasl_pwcheck_method: saslauthd
> partition-default: /global/cyrus/mail

-- 
Dan White
Re: Virtual domain admin login behaviour
On 04/30/18 12:00 -0600, Nels Lindquist wrote:
> I have a mail server still running an older version of Cyrus IMAPD
> (version 2.3.16) on CentOS 6 with virtual domains, using OpenLDAP as an
> authentication backend with saslauthd for LOGIN/PLAIN when SSL/TLS is
> used.
>
> I recently set up a domain admin account for one of the virtual domains
> in order to facilitate transfer of mail from that domain to a different
> mail host, and while I was testing the setup I noticed some inconsistent
> behaviour.
>
> Using "imtest -m PLAIN -u u...@example.ca -a ad...@example.ca
> mail.example.ca", I'm successfully able to login. Executing ". list *.*"
> produces the expected list of u...@example.ca's INBOX and subfolders.
>
> Using "imtest -u u...@example.ca -a ad...@example.ca" (Note: no mechanism
> override) it defaults to using the LOGIN method rather than PLAIN, and
> I'm successfully able to log in. However, the ". list *.*" command now
> produces a list of every folder in the example.ca subdomain, not just the
> specified user's mailbox.
>
> Anyone know what's going on here?

The LOGIN mech does not support proxy authentication:

https://www.sendmail.org/~ca/email/cyrus2/mechanisms.html

-- 
Dan White
Re: Problem after upgrading debian wheezy to jessie
On 04/28/18 20:43 +0200, Dr. Harry Knitter wrote:
> after upgrading debian wheezy to jessie a socket has gone:
>
> /var/run/cyrus/socket/lmtp
>
> How to get out of this problem?

The lmtp unix domain socket is started by master via its /etc/cyrus.conf
config file, commonly in an entry called 'lmtpunix', which will specify the
location for the socket. Check your syslog for errors, such as a permissions
problem with the path.
Re: please HELP
cyradm has wildcard support:

host> cm user/first.last/Trash
host> cm user/first.last/Sent
host> cm user/first.last/Read
192.168.2.11> listacl user/f*
user/first.last:
  first.last.todelete lrswipkxtecdan
user/first.last/Read:
  first.last.todelete lrswipkxtecdan
user/first.last/Sent:
  first.last.todelete lrswipkxtecdan
user/first.last/Trash:
  first.last.todelete lrswipkxtecdan
host> setacl user/fir* first.last.todelete ""
Setting ACL on user/first.last...OK.
Setting ACL on user/first.last/Read...OK.
Setting ACL on user/first.last/Sent...OK.
Setting ACL on user/first.last/Trash...OK.
host> setacl user/fir* first.last all
Setting ACL on user/first.last...OK.
Setting ACL on user/first.last/Read...OK.
Setting ACL on user/first.last/Sent...OK.
Setting ACL on user/first.last/Trash...OK.
host> listacl user/fir*
user/first.last:
  first.last lrswipkxtecdan
user/first.last/Read:
  first.last lrswipkxtecdan
user/first.last/Sent:
  first.last lrswipkxtecdan
user/first.last/Trash:
  first.last lrswipkxtecdan

Should be easy to script in PHP and then cut and paste.

On 01/23/18 14:14 -0300, Heiler Bemerguy via Info-cyrus wrote:
> I'm trying to fix the mailboxes with something like this:
>
> imap_setacl ($mbox, "user/".$argv[1]."/*", $wrongname."todelete", "");
> imap_setacl ($mbox, "user/".$argv[1]."/*", $argv[1], "lrswipkxtea");
>
> But it seems imap_setacl can't use wildcards. And I can't write one by
> one by hand.

-- 
Dan White
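The same per-mailbox SETACL fix-up done over a plain IMAP connection with Python's imaplib, as an added example that is not from the thread and not Cyrus or PHP code: it lists one user's mailboxes, keeps only that user's INBOX and subfolders (a raw 'user/fir*' pattern also matches other logins that start with 'fir'), and sends the same two SETACL commands cyradm does for each. The FakeCyrusConn stand-in and its mailbox list are constructed so it runs offline; the identifiers and rights string are the thread's. The same path can grant a rights string without delete rights, the ACL restriction suggested in the Missing Email & Folders reply above.

```python
"""Fix ACLs on every mailbox belonging to one user over IMAP (imaplib),
the job cyradm's 'setacl user/fir* ...' does in the thread above.
Added example; not code from the thread, from Cyrus or from PHP."""
import fnmatch
import imaplib
import re

# One untagged LIST reply, e.g.  (\HasNoChildren) "/" "user/first.last/Trash"
_LIST_RE = re.compile(
    rb'^\((?P<flags>[^)]*)\) (?:"(?P<sep>[^"]*)"|NIL) '
    rb'(?P<name>"(?:[^"\\]|\\.)*"|[^" ]+)$'
)


def parse_list_line(item):
    """Mailbox name from one imaplib LIST item: bytes, or a (bytes, bytes)
    tuple when the server sent the name as a literal."""
    if isinstance(item, tuple):          # (b'(...) "/" {N}', b'name')
        return item[1].decode("ascii")
    m = _LIST_RE.match(item)
    if not m:
        raise ValueError("unparsable LIST line: %r" % (item,))
    name = m.group("name")
    if name.startswith(b'"'):            # quoted string: unescape \" and \\
        name = name[1:-1].replace(b'\\"', b'"').replace(b"\\\\", b"\\")
    return name.decode("ascii")          # mailbox names are modified UTF-7 (ASCII)


def select_user_mailboxes(names, login, sep="/"):
    """Keep only user/<login> itself and its subfolders.  An exact-prefix
    filter avoids touching user/first.lastname when fixing user/first.last."""
    root = "user" + sep + login
    return [n for n in names if n == root or n.startswith(root + sep)]


def plan_acl_fix(names, wrong_id, right_id, rights):
    """(mailbox, identifier, rights) SETACL triples: an empty rights string
    deletes the wrong identifier's entry (what 'setacl ... ""' does in cyradm),
    then the correct identifier is granted `rights`."""
    plan = []
    for n in names:
        plan.append((n, wrong_id, ""))
        plan.append((n, right_id, rights))
    return plan


def _quote(s):
    """Quote an IMAP string argument unless it is atom-safe.  The empty rights
    string must go on the wire as "" (imaplib does not quote for us)."""
    if s == "" or re.search(r'[\s"\\(){%*\]]', s):
        return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return s


def fix_user_acls(conn, login, wrong_id, right_id, rights="lrswipkxtecdan"):
    """conn is an imaplib.IMAP4 session logged in as a Cyrus admin (or any
    object with the same list()/setacl() shape).  Returns mailboxes touched."""
    typ, data = conn.list('""', _quote("user/" + login + "*"))
    if typ != "OK":
        raise RuntimeError("LIST failed: %r" % (data,))
    names = select_user_mailboxes([parse_list_line(d) for d in data if d], login)
    for mailbox, who, what in plan_acl_fix(names, wrong_id, right_id, rights):
        typ, resp = conn.setacl(_quote(mailbox), _quote(who), _quote(what))
        if typ != "OK":
            raise RuntimeError("SETACL %s %s failed: %r" % (mailbox, who, resp))
    return names


class FakeCyrusConn:
    """Constructed stand-in for an admin imaplib session so the example runs
    offline; answers LIST from a fixed mailbox list and records SETACLs."""
    def __init__(self, names):
        self.names = names
        self.setacls = []

    def list(self, directory, pattern):
        pat = pattern.strip('"')         # IMAP '*' matches across delimiters, as fnmatch does
        return "OK", [('(\\HasNoChildren) "/" "%s"' % n).encode()
                      for n in self.names if fnmatch.fnmatchcase(n, pat)]

    def setacl(self, mailbox, who, what):
        self.setacls.append((mailbox, who, what))
        return "OK", [b"Completed"]


# Constructed: the thread's listing plus a lookalike login that 'user/first.last*' also matches.
SAMPLE_MAILBOXES = [
    "user/first.last", "user/first.last/Read", "user/first.last/Sent",
    "user/first.last/Trash", "user/first.lastname",
]

if __name__ == "__main__":
    conn = FakeCyrusConn(SAMPLE_MAILBOXES)   # real use: imaplib.IMAP4_SSL(host); conn.login(admin, pw)
    for n in fix_user_acls(conn, "first.last", "first.last.todelete", "first.last"):
        print("fixed ACL on", n)
```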
Re: please HELP
On 01/22/18 19:02 -0300, Heiler Bemerguy via Info-cyrus wrote:
> On 22/01/2018 18:46, Dan White wrote:
>> On 01/22/18 17:44 -0300, Heiler Bemerguy via Info-cyrus wrote:
>>> imap_renamemailbox($mbox, "$mailbox", "$mailbox"."TODELETE")
>>
>> Was this performed as an admin?
>
> Yes. In a huge list of imap accounts I THOUGHT were unused

What is an example of "$mailbox"?

>> What is your Cyrus version, and what does a sanitized copy of your
>> imapd.conf look like?
>
> 2.5.10
>
> configdirectory: /var/lib/cyrus
> proc_path: /dev/shm/cyrus/proc
> mboxname_lockpath: /dev/shm/cyrus/lock
> defaultpartition: default
> partition-default: /var/spool/cyrus/mail
> partition-news: /var/spool/cyrus/news
> newsspool: /var/spool/news
> altnamespace: no
> unixhierarchysep: yes
> reject8bit: yes
> lmtp_downcase_rcpt: yes
> admins: admin
> allowanonymouslogin: no
> popminpoll: 0
> autocreate_quota: 0
> umask: 077
> hashimapspool: true
> allowplaintext: yes
> sasl_mech_list: PLAIN
> lmtp_strict_quota: 1
> allowusermoves: true
>
>> Please make sure you have a backup of the current state of your mailstore
>> before proceeding, in addition to whatever backups you had prior to
>> modification.
>
> I've done that. But in the cyrus.header, the "todelete" is still there,
> although in lower case.. I think that is the big problem!!
>
>> The '^' implies you have unixhierarchysep turned off, based on this:
>
> But it is enabled.. should I disable it or what?

I do not recommend making any changes to your imapd.conf. That could make
things worse.

> I just renamed another imap account from "loginTODELETE" to "login" and
> even after Reconstruct, it shows on cyrus.header:
>
> root@mailer:/var/spool/cyrus/mail/a/user/ana^claudia# cat cyrus.header
> Cyrus mailbox header
> "The best thing about this system was that it had lots of goals."
> --Jim Morris on Andrew
> user.ana^claudia 2696fec95963d41f
> $MDNSent $Forwarded
> ana.claudiatodelete lrswipkxtecda

On a similar version of Cyrus, with the same altnamespace/unixhierarchysep
config:

cyradm --user=cyrus
host> cm user/first.last

Contents of cyrus.header:

host# cat /var/spool/cyrus/mail/f/user/first^last/cyrus.header
Cyrus mailbox header
"The best thing about this system was that it had lots of goals."
--Jim Morris on Andrew
55eee0815a6664c2

first.last lrswipkxtecdan

host> lm user/f*
user/first.last (\HasNoChildren)
host> setacl user/first.last cyrus all
host> rename user/first.last user/first.last.TODELETE
host> lm user/f*
user/first.last.TODELETE (\HasNoChildren)

Contents of cyrus.header:

host# cat /var/spool/cyrus/mail/f/user/first^last^TODELETE/cyrus.header
Cyrus mailbox header
"The best thing about this system was that it had lots of goals."
--Jim Morris on Andrew
55eee0815a6664c2

cyrus lrswipkxtecdan first.last.todelete lrswipkxtecdan

host> rename user/first.last.TODELETE user/first.last
host> lm user/f*
user/first.last (\HasNoChildren)

The cyrus.header may not be directly related to your problem. Verify your
mailboxes list, with cyradm, and use it to perform your renames, as an
admin user.

-- 
Dan White
Re: please HELP
On 01/22/18 17:44 -0300, Heiler Bemerguy via Info-cyrus wrote:
> imap_renamemailbox($mbox, "$mailbox", "$mailbox"."TODELETE")

Was this performed as an admin?

> Some mailboxes were erroneously renamed to "loginTODELETE" and I need to
> put them back to the original name. I reverted this command, like:
>
> imap_renamemailbox($mbox, "$mailbox"."TODELETE", "$mailbox")
>
> And the mailbox seems to be there with the correct name. It lists all
> folders, but they all show up as EMPTY. We use roundcube as client and it
> always says "no messages was found"
>
> I've already tried like "cyrus reconstruct -r -f user/personlogin" with
> no luck !!!

What is your Cyrus version, and what does a sanitized copy of your
imapd.conf look like?

If you have unixhierarchysep turned off, then you'd want:

cyrreconstruct -r -f user.personlogin

Please make sure you have a backup of the current state of your mailstore
before proceeding, in addition to whatever backups you had prior to
modification.

> I've noticed the cyrus.index file still mention the TODELETE name..
>
> cat cyrus.header
> Cyrus mailbox header
> "The best thing about this system was that it had lots of goals."
> --Jim Morris on Andrew
> user.iury^pinto 78e57a515a664ca1

The '^' implies you have unixhierarchysep turned off, based on this:

https://www.cyrusimap.org/imap/concepts/features/namespaces.html?highlight=internal

See the /doc/internal documentation within the source as well.

> iury.pintotodelete lrswipkxtecda

-- 
Dan White
Re: SASL 2.1.27 rc6
Ken,

I'll try to lab up my original test case (for bug 3480) tomorrow evening.

On 12/20/17 11:00 -0500, Ken Murchison wrote:
> We haven't had much, if any, feedback on this release candidate. Do the
> GSSAPI/LDAP folks have any further comments on
> https://github.com/cyrusimap/cyrus-sasl/issues/419
>
> I'd really like to make a final release by Christmas as promised, but I
> also don't want to make a release that folks will have to patch
> immediately.

-- 
Dan White
Re: Bad logins bogging down server
On 09/19/17 11:28 -0400, Michael Sofka wrote:
> On 09/19/2017 10:12 AM, Dan White wrote:
>>> The botnet is still hammering away, checking those old accounts. But
>>> the bottleneck appears to have been saslauthd threads. Doubling the
>>> thread count from 5 to 10 has resolved the problem for now. (And,
>>
>> If you're comfortable with caching, increase the -t value to saslauthd.
>
> Interesting. What is the default value of -t? when just "-c" is
> specified?

It's much larger than I expected (from saslauthd/cache.h):

#define CACHE_DEFAULT_TIMEOUT 28800

-- 
Dan White
Re: Using user_deny.db
On 09/19/17 10:02 -0400, Michael Sofka wrote:
> We have many recalcitrant, bad, accounts constantly checking IMAP, long
> after the student has graduated. I would like to use user_deny.db to
> simply tell them to go away.
>
> First, would this offer an advantage? That is, does "login" check
> user_deny.db before authenticating, or after?

I believe that it is prior to authentication, based on my notes:

https://lists.andrew.cmu.edu/pipermail/info-cyrus/2010-June/033119.html

> Second, any examples of how to use cyr_dbtool (or other tool) to put
> entries into user_deny.db?
>
> Finally, my reading of the documentation (2.4.17/18) is that user_deny.db
> is a flat file by default, so I will need to set userdeny_db to something
> like skiplist, or berkeley, etc. Any suggestions on a good choice assuming
> the list could grow to a few thousand? Any documentation on the sql
> option?

-- 
Dan White
Re: Bad logins bogging down server
On 09/19/17 09:52 -0400, Michael Sofka wrote:
> The botnet is still hammering away, checking those old accounts. But the
> bottleneck appears to have been saslauthd threads. Doubling the thread
> count from 5 to 10 has resolved the problem for now. (And,

If you're comfortable with caching, increase the -t value to saslauthd.

> On 09/16/2017 07:41 AM, Michael D. Sofka wrote:
>> The symptoms are that connections grow, and grow and grow until
>> authentication slows, holding open connections longer and longer. It
>> takes about 15 minutes for the connection number to be at a point at
>> which service is interrupted. Friday night an attempt was made to
>> re-enable off-campus IMAP, and the bots were still at it, service was
>> again disrupted.
>>
>> Any other resources or limits in either Cyrus or Linux (Debian) that I
>> should look at?

https://debian-administration.org/article/187/Using_iptables_to_rate-limit_incoming_connections

-- 
Dan White
Re: Sieve impersonate
On 07/28/17 11:27 +0200, Gabriele Bulfon wrote:
> Hi, is there any valid way to impersonate using authorization on
> timsieved?
>
> I tried with:
>
> AUTHENTICATE "PLAIN" "x"
>
> creating the auth string with a perl script as:
>
> encode_base64($authid."\x00".$username."\x00".$password."")
>
> being :
> authid="impersonatedu...@sonicle.com"
> username="admin"
> password="adminpass"
>
> Doesn't work :(
> Any help?

What error do receive? What does auth facility syslog report?

Use sivtest for a better test case, and verify your list of plugins with
pluginviewer.
Re: Cyrus IMAP 2.5.10 BerkeleyDB use?
On 02/16/17 16:10 -0600, Kenneth Marshall wrote:
> We are running version cyrus-imapd-2.5.10, and even though no databases
> in imapd.conf default to berkeleydb, something is still using it. Here
> are our database definitions from our imapd.conf:
>
> duplicate_db_path: /dev/shm/cyrus-imapd/duplicate_db
> statuscache_db_path: /dev/shm/cyrus-imapd/statuscache_db
> annotation_db: skiplist
> duplicate_db: skiplist
> mboxkey_db: skiplist
> mboxlist_db: skiplist
> ptscache_db: skiplist
> quota_db: quotalegacy
> seenstate_db: skiplist
> statuscache_db: skiplist
> subscription_db: flat
> tls_sessions_db: skiplist
> userdeny_db: skiplist

In what way is it used?
Re: Can't authorize as different user in cyradm and sieveshell
In the absence of an [sasl_]auxprop_plugins statement, all plugins will be
queried. For example, running pluginviewer (or saslpluginviewer on debian)
should typically list sasldb if it's installed on your system.

The canon_user plugins and auxprop plugins are coded within the same code,
and so are tied together somewhat, although I haven't dug into the code to
explain the error Michael is experiencing.

Michael, I'd suggest installing the sasldb auxprop to see if that clears up
the issue. That may not even require a configuration change.

On 11/21/16 13:43 -0800, Andrew Morgan via Info-cyrus wrote:
> I'm using Debian packages for sasl. Here is what libsasl2-modules
> includes:
>
> /usr/lib/x86_64-linux-gnu/sasl2/libplain.so.2.0.25
> /usr/lib/x86_64-linux-gnu/sasl2/libcrammd5.so.2.0.25
> /usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so.2.0.25
> /usr/lib/x86_64-linux-gnu/sasl2/liblogin.so.2.0.25
> /usr/lib/x86_64-linux-gnu/sasl2/libanonymous.so.2.0.25
> /usr/lib/x86_64-linux-gnu/sasl2/libntlm.so.2.0.25
>
> But in my imapd.conf, I'm not specifying an auxprop plugins:
>
> # grep sasl /etc/imapd.conf
> sasl_mech_list: PLAIN
> sasl_minimum_layer: 0
> #sasl_maximum_layer: 256
> sasl_pwcheck_method: saslauthd
>
> Since we are using saslauthd, we don't use auxprop plugins, I think...
>
> Andy
>
> On Mon, 21 Nov 2016, Michael Ulitskiy wrote:
>> I'm trying to read the code and it seems that it tries to lookup
>> authorization id in auxprop plugin. since I don't have any auxprop
>> plugins that returns SASL_NOMECH and results in the error I'm seeing.
>> By any chance do you have any auxprop plugin defined?

-- 
Dan White
Re: command line deletion of files
On 09/29/16 14:27 +, Shawn Bakhtiar via Info-cyrus wrote:
> trying to get rid of some emails that have large attachments (i.e. videos
> sent over email, or cd images, etc...)
>
> Would it be proper to
>
> rm -rf /var/spool/imap/u/username/mailbox/4321.
>
> then
>
> reconstruct -rf user.username
>
> Or is there a more "proper" way using cyrus?

I've found mutt to be useful for this type of maintenance, which can sort
messages by size, and can delete ranges. If you don't have access to user
passwords, set up a 'proxyservers' authz identity to access their
mailboxes.

-- 
Dan White
Re: imclient_authenticate wrong prompt order.
On 09/24/16 17:28 +0200, jesper--- via Info-cyrus wrote:
> The following sample prompts for entering the password after ones
> actually did enter the password.
>
> 1) Why is that e.g why does this sample write "please enter your
> password: " after the password is entered, and then exits? The
> authentication works. Only the prompting is a problem.
>
> I've tried with adding different sasl_callback_t callbacks to
> imclient_connects but cannot get it to work as I expect it to. My goal is
> to authenticate fully programmatically.
>
> 2) How to supply username and password without user interaction?

Have a look at doc/programming.html#callbacks_interactions within the cyrus
sasl source. Can you provide an example which includes callbacks that is
not working as expected?

-- 
Dan White
Re: Migrating mailbox data from Cyrus to MicroSoft Office 365 using their import tool.
On 06/23/16 16:49 +0200, Eric Luyten via Info-cyrus wrote:
> On Wed, June 22, 2016 6:02 pm, Dan White wrote:
>> To enable SASL LOGIN support, add 'LOGIN' to your sasl_mech_list. Don't confuse login with pre-sasl user/pass authentication. If Office 365 isn't performing TLS, you'll need to configure sasl_minimum_layer and allowplaintext appropriately.
>
> By restricting the sasl_mech_list in imapd.conf I can make our server announce only AUTH=PLAIN in its capabilities string but the client insists on (and succeeds in) authenticating using AUTH=LOGIN, thus rendering proxying impossible.

You're right. I missed that part before. LOGIN doesn't allow the passing of authz credentials, which is necessary for proxy authentication.

> There is a mech_list setting in saslauthd.conf which currently reads 'mech_list: login plain ldap' but this applies server wide and so I am a bit reluctant playing with it.

saslauthd.conf does not support a mech_list option (you're looking for sasl_mech_list in /etc/imapd.conf). If you're using the ldap backend, reference 'saslauthd/LDAP_SASLAUTHD' in the cyrus sasl source for documentation.

DIGEST-MD5 is a better approach here, except that you're using saslauthd, which cannot support it. If you have access to customer credentials, which I assume you do, then you could finagle a solution by creating a /etc/sasldb2 database (with saslpasswd2), and then exposing the DIGEST-MD5 mechanism via mech_list.

> The Office365 IMAP import client uses TLS, I have requested to deselect that option to see whether it then switches to using the stronger mech AUTH=PLAIN

PLAIN isn't any stronger than LOGIN. Both are considered insecure without TLS.

-- 
Dan White
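Why PLAIN can carry the authorization identity that proxying needs while LOGIN cannot, plus a check of a pre-STARTTLS capability banner for cleartext mechanisms, as an added example in Python (not code from the thread, Cyrus or Cyrus SASL). The mechanism sets and the sample banner are my own assumptions, modelled on RFC 4616 and a Cyrus 2.4 greeting.

```python
"""SASL PLAIN vs. LOGIN, and a pre-TLS capability check.

Added example for the thread above; it is not Cyrus or Cyrus SASL code.
PLAIN (RFC 4616) carries an optional authorization identity, which is the
field proxy authentication needs; LOGIN has no such field.  Mechanism sets
and the sample capability line below are constructed assumptions."""
import base64

NUL = "\0"
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}       # password crosses the wire as-is
AUTHZID_MECHS = {"PLAIN", "DIGEST-MD5"}    # can name a user to act on behalf of


def plain_initial_response(authcid, password, authzid=""):
    """Build the PLAIN message: [authzid] NUL authcid NUL passwd, base64'd.
    authzid is the mailbox owner being proxied for; empty means 'same as authcid'."""
    for field in (authzid, authcid, password):
        if NUL in field:
            raise ValueError("NUL separates the fields and cannot appear inside one")
    if not authcid or not password:
        raise ValueError("authcid and password are required")
    raw = f"{authzid}{NUL}{authcid}{NUL}{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_plain_initial_response(b64):
    """What the server decodes; the authzid is where a proxy learns whose
    mailbox to open (an empty authzid defaults to the authcid)."""
    parts = base64.b64decode(b64, validate=True).decode("utf-8").split(NUL)
    if len(parts) != 3:
        raise ValueError("PLAIN message needs exactly three NUL-separated fields")
    authzid, authcid, password = parts
    return {"authzid": authzid or authcid, "authcid": authcid, "password": password}


def login_responses(username, password):
    """LOGIN answers two server prompts ('Username:' then 'Password:') with one
    base64 field each.  There is no third field, so no authzid can be passed."""
    return [base64.b64encode(f.encode("utf-8")).decode("ascii") for f in (username, password)]


def audit_capabilities(greeting):
    """Inspect a pre-STARTTLS IMAP greeting such as
    '* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=LOGIN AUTH=PLAIN] host ready'.
    Reports cleartext mechanisms still advertised before TLS (none should be
    when sasl_minimum_layer/allowplaintext require TLS) and which advertised
    mechanisms can carry an authzid for proxying."""
    start = greeting.find("[CAPABILITY")
    end = greeting.find("]", start)
    if start < 0 or end < 0:
        raise ValueError("no CAPABILITY block in greeting")
    caps = greeting[start + len("[CAPABILITY"):end].split()
    mechs = [c[len("AUTH="):] for c in caps if c.startswith("AUTH=")]
    return {
        "starttls": "STARTTLS" in caps,
        "cleartext_before_tls": [m for m in mechs if m in CLEARTEXT_MECHS],
        "proxy_capable": [m for m in mechs if m in AUTHZID_MECHS],
    }


if __name__ == "__main__":
    # Constructed greeting modelled on a Cyrus 2.4 banner (hostname is made up).
    banner = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS AUTH=LOGIN "
              "AUTH=PLAIN SASL-IR] mail.example.com Cyrus IMAP server ready")
    print(audit_capabilities(banner))
    print(parse_plain_initial_response(plain_initial_response("proxyadmin", "s3cret", "alice")))
```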
Re: Migrating mailbox data from Cyrus to MicroSoft Office 365 using their import tool.
On 06/22/16 17:28 +0200, Eric Luyten via Info-cyrus wrote:
> All,
>
> After trying for a couple of days I have come to the conclusion that the Office 365 IMAP import tool uses the LOGIN authentication mech while Cyrus requires PLAIN or stronger for proxying to work.
>
> Even when only announcing AUTH=PLAIN in our server capabilities, Microsoft executes LOGIN ...
> ... (violation of RFC3501 section 6.1.1 ? dunno whether I am reading that correctly)
>
> Is my conclusion correct ?
> Any hacks or workarounds ?

To enable SASL LOGIN support, add 'LOGIN' to your sasl_mech_list. Don't confuse login with pre-sasl user/pass authentication. If Office 365 isn't performing TLS, you'll need to configure sasl_minimum_layer and allowplaintext appropriately.

-- 
Dan White
Re: Migrating IMAP from Cyrus v2.2.13 to Cyrus v2.4.17
> On 04/06/2016 01:32 PM, Dan White wrote:
>> On 04/06/16 13:20 -0500, Jack Snodgrass via Info-cyrus wrote:
>>> Is there a documented process for taking a system from: Cyrus v2.2.13 to Cyrus v2.4.17
>>
>> Check the upgrade instructions here:
>> https://cyrusimap.org/docs/cyrus-imapd/2.5.3/install-upgrade.php
>>
>> 'ctl_cyrusdb -r' may require support for whichever backend you were using on the older version (on the new system), such as a legacy berkeleydb version.

On 04/06/16 13:39 -0500, Jack Snodgrass via Info-cyrus wrote:
> I read that.. but after 8 hours of trying to get it going I gave up on it. The debian 8 / Cyrus 2.5 stuff did not want to process the cyrus 2.4 db files from debian 6.
>
> You can say pretty words like: "may require support for whichever backend you were using" but if all you have is access to apt-get and you have two systems that are YEARS apart in what they have setup.. how do you do this? Tell me the apt-get install command to run so that ctl_cyrusdb -r works or it's just words.
>
> https://www.youtube.com/watch?v=S409DbhPmTk

Since you're deploying this in a staged setup, you have the luxury of doing your own experimentation and research.

Find out which database types you were using on the old system (/usr/lib/cyrus/cyrus-db-types.active). You could convert them before or after moving as discussed here:
http://comments.gmane.org/gmane.mail.imap.cyrus/36350

Debian historically provides several versions of berkeleydb within the apt repository, which the cyrus 2.(4|5) packages may or may not depend on. I can't tell you if it's a clean upgrade path, but the Debian cyrus imapd list may be able to, or may already provide guidance within the /usr/share/doc hierarchy.

-- 
Dan White
Re: Migrating IMAP from Cyrus v2.2.13 to Cyrus v2.4.17
On 04/06/16 13:20 -0500, Jack Snodgrass via Info-cyrus wrote:
> Is there a documented process for taking a system from: Cyrus v2.2.13 to Cyrus v2.4.17
>
> I have rsync'd the mail between the two systems. /usr/lib/cyrus/bin/reconstruct did NOT magically convert the system from the old to the new.
>
> /usr/lib/cyrus/bin/reconstruct -G -f
>
> The 'seen' flags and probably some other flags / acls are not working.

Check the upgrade instructions here:
https://cyrusimap.org/docs/cyrus-imapd/2.5.3/install-upgrade.php

'ctl_cyrusdb -r' may require support for whichever backend you were using on the older version (on the new system), such as a legacy berkeleydb version.

-- 
Dan White
Re: Is there a way to send custom warning to all IMAP users?
On 03/28/16 14:16 -0300, francis picabia via Info-cyrus wrote:
> We have migrated all email on a server to a cloud email platform. The users were notified by email beforehand, but hundreds are still connecting to the standard IMAP service. They may not even remember they have set up devices to connect here.
>
> Is there a way to send a custom warning through some setting, similar to how quota warnings are generated? Really if there is any error I can fake, and customize the message, it would work.
>
> We are using Linux, pam authentication, Cyrus with saslauthd.
>
> Just shutting down the service is also a solution, but given over 600 unique users have logged in today, I'd rather not dump that load on the service desk.

You can set a system wide motd, but it's unlikely all clients will honor it. See the cyradm manpage.

-- 
Dan White
Re: mail to multiple recipient doesn't work
On 11/12/15 21:22 +0100, Daniel Schröter wrote:
> Hello,
>
> On 11/11/2015 10:13 PM, Dan White wrote:
>> What does syslog say?
>
> Nothing special. Mail to cyrus.test and cyrus.test2. But only cyrus.test2 appears in the logs:

I'm reordering, to make this easier to follow:

> Nov 12 21:09:45 fetchmail[6236]: awakened by User defined signal 1
> Nov 12 21:09:45 fetchmail[6236]: 1 message for wp1116213-email at wp381.webpack.hosteurope.de (3083 octets).
> Nov 12 21:09:45 postfix/smtpd[15774]: connect from localhost[127.0.0.1]
> Nov 12 21:09:45 postfix/smtpd[15774]: 8EC4D92331C: client=localhost[127.0.0.1]
> Nov 12 21:09:45 postfix/cleanup[15776]: 8EC4D92331C: message-id=<5644f1fc.4020...@gmx.de>
> Nov 12 21:09:45 fetchmail[6236]: reading message wp1116213-em...@wp381.webpack.hosteurope.de:1 of 1 (3083 octets) flushed
> Nov 12 21:09:45 postfix/qmgr[15061]: 8EC4D92331C: from=<d.schroe...@gmx.de>, size=3416, nrcpt=1 (queue active)
> Nov 12 21:09:45 postfix/smtpd[15774]: disconnect from localhost[127.0.0.1]
> Nov 12 21:09:45 postfix/lmtp[15778]: 8EC4D92331C: to=<cyrus.te...@example.com>, relay=smtp.example.com[/var/run/cyrus/socket/lmtp], delay=0.2, delays=0.07/0/0.01/0.11, dsn=2.1.5, status=sent (250 2.1.5 Ok SESSIONID=)
> Nov 12 21:09:45 postfix/qmgr[15061]: 8EC4D92331C: removed
> Nov 12 21:09:45 cyrus/master[15779]: about to exec /usr/lib/cyrus/bin/lmtpd
> Nov 12 21:09:45 cyrus/lmtpunix[15779]: executed
> Nov 12 21:09:45 cyrus/lmtpunix[15779]: accepted connection
> Nov 12 21:09:45 cyrus/lmtpunix[15779]: lmtp connection preauth'd as postman
> Nov 12 21:09:45 cyrus/lmtpunix[15779]: WARNING: sieve script /var/spool/sieve/c/cyrus^test2/defaultbc doesn't exist: No such file or directory
> Nov 12 21:09:45 cyrus/lmtpunix[15779]: Delivered: <5644f1fc.4020...@gmx.de> to mailbox: user.cyrus^test2
> Nov 12 21:09:45 cyrus/lmtpunix[15779]: USAGE cyrus^test2 user: 0.00 sys: 0.004000

Postfix is clearly not delivering a message to cyrus.t...@example.com, based on your output, which means cyrus isn't getting it.

Are you using fetchmail to deliver these messages? If not, what is the smtp client in this scenario?

>> What type of filesystem do you have?
>
> ext4
>
> And also imapd.conf:

Yes, that's what I was looking for instead of cyrus.conf.

> duplicatesuppression: no
> altnamespace: no
> unixhierarchysep: yes
> lmtp_downcase_rcpt: yes
> admins: cyrus
> lmtpsocket: /var/run/cyrus/socket/lmtp

-- 
Dan White
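The diagnosis above (one to= line against nrcpt=1 means Postfix never had the second recipient, so the fault lies with the SMTP client rather than Cyrus) done as log correlation, as an added example that is not part of the thread. The log lines are constructed after the ones posted; queue id, addresses and message-id are made up.

```python
"""Correlate Postfix queue-id log lines to see which envelope recipients the
MTA actually handed to Cyrus over LMTP.  Added example for the diagnosis
above; not code from the thread.  The log lines below are constructed to
mirror the posted ones (queue id, addresses and message-id are made up)."""
import re
from collections import defaultdict

QUEUE_RE = re.compile(r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)")
NRCPT_RE = re.compile(r"\bnrcpt=(\d+)")
TO_RE = re.compile(r"to=<(?P<rcpt>[^>]+)>.*?\bdsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)")

SAMPLE_LOG = """\
Nov 12 21:09:45 fetchmail[6236]: 1 message for pop-user at pop.example.net (3083 octets).
Nov 12 21:09:45 postfix/smtpd[15774]: connect from localhost[127.0.0.1]
Nov 12 21:09:45 postfix/smtpd[15774]: 1A2B3C4D5E: client=localhost[127.0.0.1]
Nov 12 21:09:45 postfix/cleanup[15776]: 1A2B3C4D5E: message-id=<msg1@example.net>
Nov 12 21:09:45 postfix/qmgr[15061]: 1A2B3C4D5E: from=<sender@example.net>, size=3416, nrcpt=1 (queue active)
Nov 12 21:09:45 postfix/lmtp[15778]: 1A2B3C4D5E: to=<cyrus.test2@example.com>, relay=smtp.example.com[/var/run/cyrus/socket/lmtp], delay=0.2, delays=0.07/0/0.01/0.11, dsn=2.1.5, status=sent (250 2.1.5 Ok SESSIONID=)
Nov 12 21:09:45 postfix/qmgr[15061]: 1A2B3C4D5E: removed
Nov 12 21:09:45 cyrus/lmtpunix[15779]: Delivered: <msg1@example.net> to mailbox: user.cyrus^test2
""".splitlines()


def summarize_queue(lines):
    """Group lines by Postfix queue id: envelope sender, nrcpt announced by
    qmgr, and every (recipient, dsn, status) the delivery agents reported."""
    queue = defaultdict(lambda: {"from": None, "nrcpt": None, "deliveries": []})
    for line in lines:
        m = QUEUE_RE.search(line)
        if not m:
            continue                      # fetchmail/cyrus lines carry no queue id
        rec, rest = queue[m.group("qid")], m.group("rest")
        if rest.startswith("from=<"):
            rec["from"] = rest[len("from=<"):rest.index(">")]
        n = NRCPT_RE.search(rest)
        if n:
            rec["nrcpt"] = int(n.group(1))
        t = TO_RE.search(rest)
        if t:
            rec["deliveries"].append((t.group("rcpt"), t.group("dsn"), t.group("status")))
    return dict(queue)


def missing_recipients(summary, qid, expected):
    """Expected recipients for which no to= line was ever logged."""
    seen = {rcpt for rcpt, _, _ in summary[qid]["deliveries"]}
    return sorted(set(expected) - seen)


def diagnose(summary, qid, expected):
    """'ok'         : every expected recipient has a delivery line.
       'upstream'   : recipients are missing AND nrcpt already equals the number
                      of delivery lines, i.e. the message reached Postfix with a
                      smaller envelope: look at the SMTP client (fetchmail here),
                      not at Cyrus/LMTP.
       'mta_or_lmtp': Postfix accepted more recipients than it reported
                      delivering (deferred, bounced or still queued): look at
                      Postfix and the LMTP side."""
    rec = summary[qid]
    missing = missing_recipients(summary, qid, expected)
    if not missing:
        return "ok"
    if rec["nrcpt"] is not None and rec["nrcpt"] == len(rec["deliveries"]):
        return "upstream"
    return "mta_or_lmtp"


if __name__ == "__main__":
    s = summarize_queue(SAMPLE_LOG)
    wanted = ["cyrus.test@example.com", "cyrus.test2@example.com"]
    print(missing_recipients(s, "1A2B3C4D5E", wanted), diagnose(s, "1A2B3C4D5E", wanted))
```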
Re: mail to multiple recipient doesn't work
On 11/12/15 22:04 +0100, Daniel Schröter wrote:
> On 11/12/2015 09:47 PM, Dan White wrote:
>> Are you using fetchmail to deliver these messages?
>
> Yes, and that's the problem. Thanks very much. My provider doesn't set the "Envelope-to" correctly for more than one recipient :-(

The envelope-to is likely set by fetchmail. You could run it in multi-drop mode, but that's asking for trouble if you receive emails with remote CC recipients, in that you'll be sending out duplicate emails. You might be able to do some Postfix magic to work around that.

-- 
Dan White
Re: mail to multiple recipient doesn't work
On 11/11/15 22:02 +0100, Daniel Schröter via Info-cyrus wrote:
> I deliver mail to cyrus (2.4.12) with postfix (2.9.6) under ubuntu by lmtp. If a mail has multiple recipients just one recipient gets the mail. No errors occur in the logs or bounced mail. AFAIK cyrus should generate hardlinks for this(?). On the filesystem there is no additional file for the other recipient.
>
> My postfix configuration:
>
> # postconf -n
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> biff = no
> config_directory = /etc/postfix
> debug_peer_list = 127.0.0.1
> inet_interfaces = all
> inet_protocols = ipv4
> local_recipient_maps =
> mailbox_size_limit = 0
> mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp
> message_size_limit = 0
> mydestination = example.com, smtp.example.com, example.de, localhost
> mydomain = example.com
> myhostname = smtp.example.com
> mynetworks = 192.168.0.0/16 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
> myorigin = $mydomain
> readme_directory = no
> recipient_delimiter = +
> relay_domains = $mydestination
> relayhost = [wp381.webpack.hosteurope.de]
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
> smtp_sasl_security_options = noanonymous,noplaintext
> smtp_sasl_tls_security_options = noanonymous
> smtp_use_tls = yes
> smtpd_banner = The SMTP-Server

What does syslog say? What type of filesystem do you have? What does your cyrus.conf config look like?

-- 
Dan White
Re: difference between checkpass failed and Password verification failed
On 11/06/15 10:17 +, Sunny via Info-cyrus wrote:
> Hi
>
> What is the difference between
>
> authentication failure: checkpass failed

I would guess this is produced for non-sasl user/pass imap authentications, or perhaps apop.

> and
>
> authentication failure: Password verification failed

Produced by the plain and passdss sasl mechanisms. See:
http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/sysadmin.php

-- 
Dan White
Re: cyrus mailbox authentication changing from NIS to LDAP
On 09/18/15 15:48 +0100, Sunny wrote:
> Hi,
>
> I've inherited a cyrus mail server and I'm currently learning how it's setup and would like some advice changing from a NIS to LDAP authentication.
>
> At the moment, the imap server uses NIS to authenticate ssh connections and I believe to also authenticate users to their mailboxes
>
> imapd.conf
> sasl_pwcheck_method: *saslauthd*
> sasl_mech_list: PLAIN
>
> /etc/sysconfig/saslauthd
> MECH=*pam*
>
> From the above output I believe that cyrus will use the pam service to look up authentication information to authenticate a user's cyrus mailbox.

Correct.

> I want the imap server to use LDAP (via sssd) for ssh authentication and authenticating users to their mailboxes.
>
> If I configure the mail server to use sssd (also stop NIS) and update /etc/pam.d/system-auth with the required pam_sss.so entries, does anyone know or have experience if this change will allow users to authenticate to their mailboxes using LDAP?

Do you have imap/pop/etc. specific pam configuration (e.g. /etc/pam.d/imap)? If not, then it's likely that's all you need to do, with regards to cyrus services.

As a test, you could create a dummy service pam configuration, such as /etc/pam.d/willthiswork, with your ldap/sssd configuration, then run testsaslauthd with '-s willthiswork ...'.

-- 
Dan White
Re: Disappearing Mailbox Content
If you can reliably reproduce the problem on a test account, enable telemetry logging to capture what the client is doing.

On 09/09/15 13:07 -0500, Robert T. Covell wrote:
> Nope. On the original user they might have a cached view. So to them it looks like there is no issue until they try to interact with the folder. If you were to go to a new/fresh client it is empty (minus potential sub-folders).
>
> -Original Message-
> From: signaldevelo...@gmail.com [mailto:signaldevelo...@gmail.com]
> Sent: Wednesday, September 9, 2015 1:02 PM
> To: Robert T. Covell <rcov...@rolet.com>
> Cc: info-cyrus@lists.andrew.cmu.edu
> Subject: Re: Disappearing Mailbox Content
>
> And if you connect some type of IMAP client up to the account do the messages show?
>
> Sent from my iPhone
>
>> On Sep 9, 2015, at 1:18 PM, Robert T. Covell <rcov...@rolet.com> wrote:
>>
>> Is the user in the RC db still? Are the folders displaying properly in Roundcube and they are just empty?
>>
>> On Sep 9, 2015, at 11:03 AM, Robert T. Covell <rcov...@rolet.com> wrote:
>> We have an odd situation that I cannot track down regarding all content in a mailbox disappearing (minus sub mailboxes).
>>
>> CentOS release 6.5
>> Cyrus IMAP v2.4.17-Invoca-RPM-2.4.17-6.el6
>>
>> A while back we setup a Cyrus install for a client to use as a mail repository for customer contact. They have one account which is shared across all users in the office. Approximate size of the account is 85GB.
>>
>> At times when a user tries to move email into a Customers mailbox the action is denied. On the client side they do see email in the mailbox (cached). Upon further review everything is gone for that mailbox including: cyrus.cache, cyrus.header, cyrus.index. Backups contain everything including past emails and the core Cyrus files. If the mailbox contained other mailboxes they are not affected. Reconstructing it corrects the issue, luckily our backups do not propagate deletes.
>>
>> Problem is that we can’t find any record of the mailbox being deleted. The content just disappears. We have been running Cyrus for years and have never seen anything like this. I am leaning towards user error but I can’t identify what that would be.
>>
>> Any insight would be appreciated.

-- 
Dan White
Re: not all folders are shown in the subscription list
On 09/09/15 14:41 +0100, Sunny wrote:
> Hi,
>
> Several users have permissions to view a range of shared folders on an imap server; when subscribing to these folders some users do not see some of these shared folder names in the subscription list (thus unable to subscribe) and for other users they can see the folders listed in the subscription list. For the users that can't see I usually have to rebuild the MSF (which doesn't really work in this situation) or remove the tb profile and add it again (email profiles are headers only and not downloaded to the local profile); this usually works as it's rebuilding everything from scratch. Any advice what is happening or solutions to fix this?
>
> Running latest version of TB.

This is another good fit for telemetry logging, which should show you the list of folders being returned to the client. That output would be invaluable to the developers when opening a ticket (with whichever project is to blame).

If you believe this is a bug in Cyrus, you can file it here:
http://cyrusimap.org/mediawiki/index.php/Report_A_Bug

-- 
Dan White
Re: Store data encrypted in maildir
On 08/25/15 11:55 +0530, Ram wrote:
> Is there a way I can store cyrus imap mails encrypted? This may not be a fully secure system but I just need something so that a root logged in user can't trivially read the files

If you're in a controlled environment, use end-to-end encryption (e.g. OpenPGP). SELinux/AppArmor should have some way to prevent trivial access.

-- 
Dan White
Re: imapd.conf: sasl_sql_update and sasl_sql_insert understanding
On 08/18/15 12:52 +0400, Sergey wrote:
> Hello.
>
> I need to fixate the time of last successful logon to Cyrus-IMAP. I see sasl_sql_update and sasl_sql_insert in some imapd.conf examples but do not see a description of their behavior. Can I solve this problem this way or do I need to select another way?

Those are documented here:
http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/options.php

sql_insert and sql_update would only be called when creating or updating a user with saslpasswd2, or when auto_transition is enabled. If your sql backend can trigger an update on access, you could update your sql entry when sql_select is called. That would require 'sasl_auxprop_plugin: sql' to be configured. Or you could process your syslog (local6/mail/auth).

-- 
Dan White
Re: shared mailbox read/unread status
On 08/17/15 16:25 +0100, Sunny wrote:
> Hi,
>
> Is there a way to sync the read/unread status of an email between a user's inbox and someone accessing it via it being shared, e.g. user1 shared their inbox to user2 - at the moment user2 can see if an email has been starred/tagged/replied/forwarded by user1 but user2 doesn't know if an email has been read/unread by user1 as by default when user2 subscribes to user1's inbox all emails are set to unread but the starred/tagged/replied/forwarded are visible.
>
> The current permissions are set as lrswipkxtecd

Set the /vendor/cmu/cyrus-imapd/sharedseen annotation on the mailbox. It's lightly documented in the changes file.

-- 
Dan White
Re: Number of imap process increasing over time
On 08/14/15 07:46 -0700, Shaheen Bakhtiar wrote:
> Rebuilt our IMAP server from scratch using Cyrus 2.4.17 on FC22 x86_64. The server is a single process 2.3GH 8 core AMD 64bit with 4G of memory.
>
> Ever since the rebuild we are experiencing an ever growing number of imapd processes, when we first boot the server we have ~200 using 2.4G of memory. In about 3 to 4 days we have ~1500 imapd processes taking up all available physical memory and all available swap memory (an additional 4G), and our logs are filled with messages like:
>
> Aug 14 06:26:01 postoffice kernel: Out of memory: Kill process 15427 (imapd) score 1 or sacrifice child
> Aug 14 06:26:01 postoffice kernel: Killed process 15427 (imapd) total-vm:179648kB, anon-rss:7756kB, file-rss:672kB

How many processes spawn is configurable within /etc/cyrus.conf. How do you have your imap entries configured?

-- 
Dan White
Re: Number of imap process increasing over time
On 08/14/15 08:11 -0700, Shaheen Bakhtiar wrote:
> On Aug 14, 2015, at 8:03 AM, Dan White dwh...@olp.net wrote:
>> On 08/14/15 07:46 -0700, Shaheen Bakhtiar wrote:
>>> Ever since the rebuild we are experiencing an ever growing number of imapd processes, when we first boot the server we have ~200 using 2.4G of memory. In about 3 to 4 days we have ~1500 imapd processes taking up all available physical memory and all available swap memory (an additional 4G), and our logs are filled with messages like:
>>>
>>> Aug 14 06:26:01 postoffice kernel: Out of memory: Kill process 15427 (imapd) score 1 or sacrifice child
>>> Aug 14 06:26:01 postoffice kernel: Killed process 15427 (imapd) total-vm:179648kB, anon-rss:7756kB, file-rss:672kB
>>
>> How many processes spawn is configurable within /etc/cyrus.conf. How do you have your imap entries configured?
>
> [shawn@postoffice ~]$ more /etc/cyrus.conf
> imap cmd="imapd" listen="imap" prefork=5
> imaps cmd="imapd -s" listen="imaps" prefork=1

You can limit the damage with a maxchild option (cyrus.conf(5)).

-- 
Dan White
Re: Shared folder permissions
On 07/30/15 16:21 +0100, John wrote:
> Hi List,
>
> I have a bunch of shared folders which I want to have various user permissions on them. I can do the simple read/write ones, but I cannot work out how to allow a user to delete mails but not the mailbox. A user has just done it *again* so I need to get it sorted.

https://www.ietf.org/rfc/rfc4314.txt

You want 't' and not 'x'.

-- 
Dan White
Re: Shared folder permissions
RFC 4314 was implemented in 2.3.0 (according to the changes file). So with 'd' listed, e, t, and x are implied, per the RFC.

This is way out of date unfortunately:
http://cyrusimap.org/docs/cyrus-imapd/2.5.4/overview.php

Check your 'defaultacl:' option to verify it doesn't contain d.

On 07/30/15 19:09 +0100, John wrote:
> I set the ACL to lrswiptek and it then shows as lrswipktecd. Have I missed a database migration step at some point in the past? The current server is running 2.4.12 (and I have a project to move it all to 2.5.x soon).
>
> John
>
> On 30/07/15 16:37, Dan White wrote:
>> On 07/30/15 16:21 +0100, John wrote:
>>> Hi List,
>>>
>>> I have a bunch of shared folders which I want to have various user permissions on them. I can do the simple read/write ones, but I cannot work out how to allow a user to delete mails but not the mailbox. A user has just done it *again* so I need to get it sorted.
>>
>> https://www.ietf.org/rfc/rfc4314.txt
>>
>> You want 't' and not 'x'.

-- 
Dan White
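The rights model behind this exchange, as an added Python example (not Cyrus code): it parses an ACL string, resolves the obsolete 'c' and 'd' letters, and answers the original question of whether a user may delete messages but not the mailbox. It assumes the rendering the thread shows (lrswiptek coming back as lrswipktecd); whether 'd' on input also implies 'x' is server-defined in RFC 4314, so that is an explicit flag rather than a claim about Cyrus.

```python
"""RFC 4314 rights as Cyrus renders them in the exchange above, so an admin can
check an ACL for 'may delete messages but not the mailbox' before granting it.
Added example, not Cyrus code.  Assumptions: the legacy letters expand the way
the thread shows (setting lrswiptek comes back as lrswipktecd, i.e. k is echoed
as kc and te as ted); whether 'd' on input also implies 'x' is server-defined
in RFC 4314, so it is an explicit flag here rather than a fact about Cyrus."""

ORDER = "lrswipkxtea"           # RFC 4314 rights, in the order Cyrus prints them
STANDARD = set(ORDER)
LEGACY = {"c": "k", "d": "te"}  # obsolete 'create' and 'delete' rights


def expand(rights, d_implies_x=False):
    """Return the set of standard rights a string grants, resolving c and d."""
    granted = set()
    for ch in rights:
        if ch in STANDARD:
            granted.add(ch)
        elif ch in LEGACY:
            granted.update(LEGACY[ch])
            if ch == "d" and d_implies_x:
                granted.add("x")
        else:
            raise ValueError(f"unknown right {ch!r}")
    return granted


def canonical(rights, d_implies_x=False):
    """Render the way the thread shows Cyrus 2.4 doing it: standard letters in
    ORDER, then 'c' if k is present and 'd' if both t and e are present."""
    granted = expand(rights, d_implies_x)
    text = "".join(ch for ch in ORDER if ch in granted)
    if "k" in granted:
        text += "c"
    if {"t", "e"} <= granted:
        text += "d"
    return text


def can_delete_messages_not_mailbox(rights, d_implies_x=False):
    """True when the user may delete and expunge messages (t and e) but may
    not delete the mailbox itself (no x)."""
    granted = expand(rights, d_implies_x)
    return {"t", "e"} <= granted and "x" not in granted


def without_mailbox_delete(rights, d_implies_x=False):
    """The ACL to set instead: keep everything, drop x, make sure t and e stay."""
    granted = (expand(rights, d_implies_x) - {"x"}) | {"t", "e"}
    return canonical("".join(sorted(granted)))


def defaultacl_grants_mailbox_delete(defaultacl, d_implies_x=False):
    """The suggested check on the 'defaultacl:' option: does it hand out x,
    directly or through a legacy 'd' on a server where d implies x?"""
    return "x" in expand(defaultacl, d_implies_x)


if __name__ == "__main__":
    print(canonical("lrswiptek"))                        # lrswipktecd, as in the thread
    print(can_delete_messages_not_mailbox("lrswiptek"))  # True
    print(without_mailbox_delete("lrswipkxtecd"))        # lrswipktecd
```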
Re: Cyrus murder auth issue
On 07/28/15 16:37 +, Forster, Gabriel wrote:
> Hello,
>
> This was asked in the Kolab list, but they mentioned this list may be more appropriate:
>
> Trying to get Kolab 3.4 setup in a distributed environment. The last piece of the puzzle seems to be getting Cyrus configured correctly for a murder environment. Currently, only using 1 frontend and one backend.
>
> mupdatetest and testsaslauthd checks seem to work fine. But, when trying to create a user account using the command-line cyradm tools, from the backend, I'm getting the following error:
>
> cyradm -t -u kolab -w ${password} ${cyrus_host}
> verify error:num=18:self signed certificate
> cm user/kolab3test
> verify error:num=18:self signed certificate
> Invalid user at /usr/lib64/perl5/vendor_perl/Cyrus/IMAP/Admin.pm line 118
> cyradm: cannot authenticate to [redacted.fqdn.backend.server]
>
> and directly from the frontend:
>
> cm user/kolab3test
> Password:
> IMAP Password:
> Invalid user at /usr/lib64/perl5/vendor_perl/Cyrus/IMAP/Admin.pm line 118
> cyradm: cannot authenticate to [redacted.fqdn.backend.server]
>
> /var/log/messages on the backend only shows
>
> perl: No worthy mechs found
>
> and /var/log/maillog says:
>
> imap[27001]: SASL bad userid authenticated
> imap[27001]: badlogin: [redacted.fqdn.frontend.server] [10.2.1.26] PLAIN [SASL(-13): authentication failure: bad userid authenticated]

Check your auth facility syslog (e.g. /var/log/auth.log) as well.

Verify your configuration with:
http://cyrusimap.org/docs/cyrus-imapd/2.5.4/install-murder.php

For further assistance, provide redacted copies of your /etc/imapd.conf, /etc/cyrus.conf, and saslauthd.conf (if existing) files for both the frontend and backend servers.

-- 
Dan White
Re: Cyrus murder auth issue
On 07/28/15 16:37 +, Forster, Gabriel wrote:
> mupdatetest and testsaslauthd checks seem to work fine. But, when trying to create a user account using the command-line cyradm tools, from the backend, I'm getting the following error:
>
> cyradm -t -u kolab -w ${password} ${cyrus_host}
> cm user/kolab3test
> Invalid user at /usr/lib64/perl5/vendor_perl/Cyrus/IMAP/Admin.pm line 118
> cyradm: cannot authenticate to [redacted.fqdn.backend.server]
>
> and directly from the frontend:
>
> cm user/kolab3test
> Password:
> IMAP Password:
> Invalid user at /usr/lib64/perl5/vendor_perl/Cyrus/IMAP/Admin.pm line 118
> cyradm: cannot authenticate to [redacted.fqdn.backend.server]
>
> /var/log/messages on the backend only shows
>
> perl: No worthy mechs found
>
> and /var/log/maillog says:
>
> imap[27001]: SASL bad userid authenticated
> imap[27001]: badlogin: [redacted.fqdn.frontend.server] [10.2.1.26] PLAIN [SASL(-13): authentication failure: bad userid authenticated]

On 07/28/15 18:33 +, Forster, Gabriel wrote:
> BACKEND /etc/imapd.conf
>
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: PLAIN
> allowplaintext: 1
> allowallsubscribe: 1
> allowusermoves: 1
> altnamespace: 1
> hashimapspool: 1
> unixhierarchysep: 1
> anysievefolder: 1
> fulldirhash: 0
> username_tolower: 1
> postuser: shared
> mupdate_config: standard
> mupdate_server: {redacted}
> mupdate_port: 3905
> mupdate_authname: {redacted}
> mupdate_username: {redacted}
> mupdate_password: {redacted}-
> proxyservers: {redacted}
> proxy_authname: {redacted}
> proxy_password: {redacted}-
> virtdomains: off
>
> FRONTEND /etc/imapd.conf
>
> sasl_pwcheck_method: saslauthd auxprop
> sasl_auxprop_plugin: sasldb
> sasl_mech_list: PLAIN
> allowplaintext: 1
> allowallsubscribe: 1
> allowusermoves: 1
> altnamespace: 1
> hashimapspool: 1
> unixhierarchysep: 1
> anysievefolder: 1
> fulldirhash: 0
> username_to_lower: 1
> normalizeuid: 1
> deletedprefix: DELETED
> delete_mode: delayed
> expunge_mode: delayed
> mupdate_config: standard
> mupdate_server: {redacted}
> mupdate_port: 3905
> mupdate_authname: {redacted}
> mupdate_username: {redacted}
> mupdate_password: {redacted}

This block may confuse your proxyd processes. Try removing it and retesting.

> defaultserver: {redacted}
> serverlist: {redacted}
> proxy_authname: {redacted}
> proxy_password: {redacted}
> virtdomains: off
>
> FRONTEND /etc/cyrus.conf
>
> mupdate cmd="mupdate -m" listen=3905 prefork=1

Again, consult your auth facility syslog for sasl related problems. Does imap authentication (imtest) succeed?

-- 
Dan White
Re: lmtp authentication ignored with tls enabled
On 07/20/15 03:21 +0200, Marcus Schopen wrote:
> sendmail.mc:
> --
> AuthInfo:imap.domain.de I:lmtp-admin P:pass M:DIGEST-MD5
> --
>
> Jul 20 02:19:01 mail sendmail[5368]: t6K0GIKP005234: to=postmas...@domain.de, delay=00:02:43, xdelay=00:00:03, mailer=cyrusv2, pri=211679, relay=imap.domain.de. [xx.xx.xx.xx], dsn=4.0.0, stat=Deferred: 430 Authentication required
> --
>
> This is correct. Adding AuthInfo to /etc/mail/access and adding lmtp-admin to sasldb2 on the cyrus side, mails are delivered via lmtp to cyrus with proper authentication.

Good.

> But after setting tls_cert_file and tls_key_file in imapd.conf to get an encrypted connection the lmtp authentication is completely ignored and mails are going through even without any AuthInfo in /etc/mail/access:
>
> Jul 20 03:08:06 imap cyrus/lmtp[3875]: received client certificate
> Jul 20 03:08:06 imap cyrus/lmtp[3875]: subject=/CN=server.domain.de
> Jul 20 03:08:06 imap cyrus/lmtp[3875]: starttls: TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits new) authenticated as server.domain.de

It appears you may be performing sasl EXTERNAL authentication. Your auth-facility syslog should confirm that.

Configuring a restricted mechanism list would prevent that from happening:

lmtp_sasl_mech_list: digestmd5

> /etc/imapd.conf:
> --
> lmtp_downcase_rcpt: yes
> admins: cyrus
> lmtp_admins: lmtp-admin
> allowplaintext: yes
> sasl_minimum_layer: 0
> sasl_pwcheck_method: auxprop
> sasl_auto_transition: no
> tls_cert_file: /etc/ssl/domain/imap.crt
> tls_key_file: /etc/ssl/domain/imap.key
> tls_ca_file: /etc/ssl/domain/cacert_org-class3.crt
> tls_ca_path: /etc/ssl/certs
> tls_session_timeout: 1440
> tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
> lmtpsocket: /var/run/cyrus/socket/lmtp
>
> cyrus.conf:
> lmtp cmd="lmtpd" listen=2003 prefork=4 maxchild=20
> lmtpunix cmd="lmtpd" listen="/var/run/cyrus/socket/lmtp" prefork=0 maxchild=20

-- 
Dan White
Re: lmtp authentication ignored with tls enabled
On 07/20/15 19:15 +0200, Marcus Schopen wrote:
> Hi Dan,
>
> On Monday, 20.07.2015, 08:33 -0500, Dan White wrote:
>> It appears you may be performing sasl EXTERNAL authentication. Your auth-facility syslog should confirm that.
>
> How do I do that?

libsasl logs to the auth facility. Check your syslog configuration for where that logs to, but on some systems, it's in /var/log/auth.log. You may need to increase the syslog logging level (auth.*) and/or increase the sasl debug level with 'sasl_log_level: 7' in imapd.conf to get the appropriate debug information.

>> Configuring a restricted mechanism list would prevent that from happening:
>>
>> lmtp_sasl_mech_list: digestmd5
>
> I set lmtp_sasl_mech_list: DIGEST-MD5 in imapd.conf.
>
> Connected to localhost.
> Escape character is '^]'.
> 220 roz Cyrus LMTP v2.4.12-Debian-2.4.12-2 server ready
> lhlo e
> 250-roz
> 250-8BITMIME
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-SIZE
> 250-STARTTLS
> 250-AUTH DIGEST-MD5
> 250 IGNOREQUOTA
>
> But it has no effect. As soon as tls is activated, mails are delivered without using LMTP_AUTH.

-- 
Dan White
Re: lmtp socket error
On 07/01/15 22:25 -0400, Shaw, Brian wrote:

All, I'm not sure if this is a cyrus error or a postfix error but, I can't find any information about how to resolve it. I'm seeing the following in /var/log/maillog:

Jul 1 21:52:15 mail-server cyrus-imapd/master[11907]: process type:SERVICE name:lmtpunix path:/usr/lib/cyrus-imapd/lmtpd age:0.206s pid:12140 exited, status 75

EX_TEMPFAIL? exitcodes.h indicates this could be a whole host of different issues.

Jul 1 21:52:15 mail-server postfix/lmtp[12036]: EB0C1E5B11: to=u...@example.com, relay=mail-server[/var/lib/imap/socket/lmtp], delay=32177, delays=32169/6/2.6/0.02, dsn=4.3.0, status=deferred (host mail-server[/var/lib/imap/socket/lmtp] said: 421 4.3.0 lmtpd: Internal error: assertion failed: lib/cyrusdb_twoskip.c: 600: record-level = MAXLEVEL (in reply to end of DATA command))

The really strange thing is some mail goes through and some does not. I haven't found any pattern to it yet. Any suggestions would be greatly appreciated.

Did that particular email (EB0C1E5B11) ever get delivered? If not, there may be something within the email triggering lmtpd to crash. Are there any binary headers or unusual content? If the email is junk, there may be configuration options within postfix to disallow such emails.

Attach a debugger to troubleshoot lmtpd. See the cyrus.conf and lmtpd manpages, and:
http://members.sange.fi/~atehwa/vc/packaging/cyrus-imapd/debian/README.Debian.debug

-- Dan White
Re: sivtest fails to authenticate but imtest succeeds
On 06/27/15 13:33 +, John Hayward wrote:

I am having trouble authenticating to sivtest but can authenticate to imtest. My /usr/pkg/etc/imapd.conf currently looks like:

= imapd.conf
configdirectory: /var/imap
partition-default: /var/spool/imap
#sieveusehomedir: true
hashimapspool: false
sievedir: /usr/pkg/sieve
sieve_maxscriptsize: 32
sieve_maxscripts: 5
admins: cyrus johnh
#sasl_mech_list: PLAIN
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sasldb
allowanonymouslogin: no
allowplaintext: yes
tls_ca_file: /var/imap/server.pem
tls_cert_file: /var/imap/server.pem
tls_key_file: /var/imap/server.pem
= end imapd.conf ==

Here is what I am seeing when I run imtest and sivtest

sieve.log ===
Script started on Sat Jun 27 07:54:38 2015
bash-3.2$ imtest -a linda -u linda localhost
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS AUTH=LOGIN AUTH=PLAIN SASL-IR] haywardfamily.org Cyrus IMAP v2.4.17 server ready^M
C: A01 AUTHENTICATE LOGIN^M
S: + VXNlcm5hbWU6^M
Please enter your password:
C: bGluZGE=^M
S: + UGFzc3dvcmQ6^M
C: MnphcHB5^M
If this is a publicly accessible server, you should change this password as it's easily reversible.
S: A01 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE LIST-EXTENDED WITHIN QRESYNC SCAN XLIST URLAUTH URLAUTH=BINARY LOGINDISABLED COMPRESS=DEFLATE IDLE] Success (no protection) SESSIONID=haywardfamily.org-4536-1435409698-1^M
Authenticated.
Security strength factor: 0
^CC: Q01 LOGOUT^M
Connection closed.

bash-3.2$ sivtest -a linda -u linda localhost
S: IMPLEMENTATION Cyrus timsieved v2.4.17^M
S: SASL LOGIN PLAIN^M
S: SIEVE comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy^M
S: STARTTLS^M
S: UNAUTHENTICATE^M
S: OK^M
C: AUTHENTICATE LOGIN^M
S: {12}^M
S: VXNlcm5hbWU6^M
Please enter your password:
C: {8+}^M
C: bGluZGE=^M
S: {12}^M
S: UGFzc3dvcmQ6^M
C: {8+}^M
C: MnphcHB5^M
S: NO Authentication Error^M
Authentication failed. generic failure
Security strength factor: 0
^CC: LOGOUT^M
Connection closed.
bash-3.2$ exit
exit
Script done on Sat Jun 27 07:55:49 2015
end of sieve.log ===

Any suggestions on how to resolve this issue?

Review your syslog (auth facility). Increase your sasl log level if necessary (set 'sasl_log_level: 7' in imapd.conf).

Some additional questions:

1) if one is trying to use sasldb with sasl_auxprop_plugin then saslauthd is out of the picture - I have it running but don't think it needs to be involved.

Correct, when 'sasl_pwcheck_method: auxprop' is set.

2) There appears to be both login and plain mechanisms - on imtest I can specify either and they both authenticate - which one should I be focused on?

PLAIN is preferred in that it supports passing authz (-u) identities. Be aware that specifying '-m login' (for imtest only) will fall back to using pre-sasl 'login' authentication, or at least it used to.

-- Dan White
Re: autocreateinboxfolders
On 06/18/15 17:18 +0300, Nikos Gatsis - Qbit wrote:

Hello list

I have installed cyrus 2.4.17 in a Centos 7 distro and I find out that autocreateinboxfolders doesn't work. I mean, imap users don't auto create Sent or Trash folder automatically. Is something I miss? My conf is:

configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus some
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
allowanonymouslogin: no
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
allowplaintext: yes
anyoneuseracl: 0
createonpost: 0
munge8bit: 0
autocreateinboxfolders: Sent|Drafts|Trash
autosubscribeinboxfolders: Drafts|Sent|Trash

These two options are not valid for version 2.4.17, and appear to have been added in one of the 2.5.x releases.

tls_cert_file: /var/lib/imap/server.pem
#tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /var/lib/imap/server.pem
#tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
# uncomment this if you're operating in a DSCP environment (RFC-4594)
# qosmarking: af13

-- Dan White
Re: Murder frontend problem
On 06/05/15 16:44 +0200, Major Csaba wrote:

Hi,

Thanks for the quick answer. I managed to get further as I realized I missed a small piece from the documentation. My frontend server and master update server is on the same machine and I didn't configure the mupdate_* parameter. But as I can see, the proxy still has to speak to mupdate when I would like to create a new mailbox and the auth info is necessary even if they are on the same host. So, it seems to be a misunderstanding of the documentation which is not so verbose :)

I added the mupdate_* parameters (pointing to the host itself) and it is working fine now. There is one more small question: why does the proxied LMTP need to have admins permission on the backend? I thought the proxyservers setting is for this, but LMTP doesn't work without adding my proxy user in the admins...

On your backend, you should set 'lmtp_admins: murderproxy', rather than specifying it as an admin, which limits its security impact.

With imap, the frontend proxy 'authenticates' as the user connecting to the front end, which gains the permissions of the connecting user (on the backend). E.g. you should see log entries on your backend with a successful imap select which appears to be authenticating as the end user (e.g. jsm...@domain.com).

lmtp may not proxy authenticate at all. If it does, you could specify *that* user (e.g., the 'mail' account on your frontend) in the backend's lmtp_admin, but I'm not sure that gains you much security wise. Referencing syslog on the backend is the best way to flesh this out.

-- Dan White
Re: cyrus-imapd with lmtpd + postfix slow delivery with group email ids
On 05/14/15 05:42 +, jayesh.shinde wrote:

Please suggest, for faster delivery what could be the best config in postfix + cyrus-imapd.

I am using the cyrus-imapd-2.4.17-6.el6.x86_64 for mailbox server and for smtp server postfix-2.10.0-1.el6.x86_64. Both servers have SAS hdd, 16 core, 16 GB RAM. There are no i/o issues.

Mailbox server has 21K email ids. Cyrus running with tcp socket on port 24 i.e lmtpd. cyrus singleinstance is maintained.

For group id mapping is under virtual_alias_maps of smtp's main.cf i.e no /etc/aliases. From smtp server emails are getting delivered by transport_maps to mailbox server.

My problem observed:

1) When HOD send email to 3-5 big group email ids then its postfix delivery gets slow. What I observe is postfix getting delivered the traffic per email and not parallel. Each group contain 3k or 7k email ids.

Verify that single instance store is working. If not, you may have a Postfix configuration issue. Find one of these mass emails in a mailbox and stat it to find out:

stat -c %h file

A returned value of 1 means single instance store isn't working.

If that's not the issue, you can determine if this is a postfix issue or a cyrus issue by sending a mass email directly to lmtpd, with lmtptest.

In peak hours the queue on postfix gets high and other normal emails also get stuck in queue. Once the group email gets clear after that other emails also get clear.

in mailbox cyrus.conf:
lmtp cmd=lmtpd -a listen=lmtp prefork=0

in main.cf of smtp server:
lmtp_destination_concurrency_limit = 100
lmtp_destination_recipient_limit = 0

How many lmtp processes do you see spawned in this scenario?

-- Dan White
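The hard-link check Dan suggests ('stat -c %h file', where 1 means no single-instance store) can be run over a whole spool tree rather than one file at a time. The script below is an added example and not Cyrus or Postfix code: it groups message files by inode so you can see which recipients share one on-disk copy and which got a private copy. The spool layout it builds (user/alice, user/bob, user/carol sharing one message; user/dave holding a separate copy) is constructed for the demo in a temporary directory, and the "<uid>." file-name convention is the only Cyrus detail it relies on.

```python
"""Report on single-instance store (SIS) by inspecting hard-link counts,
the same signal as 'stat -c %h file'. Added example, not Cyrus code.
The demo spool is constructed in a temporary directory."""
import os
import tempfile
from collections import defaultdict


def sis_report(spool_root):
    """Walk a spool tree and group message files by inode.

    Returns (shared, single): 'shared' maps an inode to every path that is a
    hard link to it (SIS working: one copy on disk, many links); 'single'
    lists message files whose link count is 1 (a private copy, which is
    what 'stat -c %h' reporting 1 indicates)."""
    by_inode = defaultdict(list)
    single = []
    for dirpath, _dirs, files in os.walk(spool_root):
        for name in files:
            # Cyrus stores one message per file named "<uid>."; skip cyrus.* metadata
            if not name.endswith("."):
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            by_inode[st.st_ino].append(path)
            if st.st_nlink == 1:
                single.append(path)
    shared = {ino: sorted(paths) for ino, paths in by_inode.items() if len(paths) > 1}
    return shared, sorted(single)


def build_demo_spool(root):
    """Constructed spool: one message delivered to three recipients via hard
    links (SIS in effect) and one recipient that received a private copy."""
    recipients = ["user/alice", "user/bob", "user/carol"]
    for r in recipients + ["user/dave"]:
        os.makedirs(os.path.join(root, r))
    body = "Subject: all-hands\r\n\r\nconstructed message body\r\n"
    first = os.path.join(root, recipients[0], "1.")
    with open(first, "w") as fh:
        fh.write(body)
    for r in recipients[1:]:
        os.link(first, os.path.join(root, r, "1."))  # SIS: same inode, nlink grows
    with open(os.path.join(root, "user/dave", "1."), "w") as fh:
        fh.write(body)  # separate write: nlink stays 1
    with open(os.path.join(root, "user/dave", "cyrus.index"), "wb") as fh:
        fh.write(b"\0")  # metadata file, ignored by the report


def demo():
    """Build the constructed spool and summarise what the report finds."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_spool(root)
        shared, single = sis_report(root)
        return {
            "shared_groups": len(shared),
            "links_in_largest_group": max((len(p) for p in shared.values()), default=0),
            "private_copies": [os.path.relpath(p, root) for p in single],
        }


if __name__ == "__main__":
    print(demo())
```

On a real server, point sis_report at a partition directory and look at the 'single' list for the mass mailing in question: if every recipient's copy appears there, Postfix is delivering one message per recipient instead of one LMTP transaction with many RCPT TO lines.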
Re: too much logging
On 04/30/15 18:41 +0200, hw wrote:

On 30.04.2015 at 16:35, Bron Gondwana wrote:

On Thu, Apr 30, 2015, at 11:10 PM, Bron Gondwana wrote:

You can't remove the db file from under a rubbing instance, only while it is shut down.

Er, a running instance. Great work autocomplete. I'm at decent internet again now.

You need to shut down Cyrus and restart it for the existing processes to be closed. Once they have opened the file once, they'll keep expecting it to be there forever.

Oh, hm, I think I might not have restarted Cyrus after I created the file. Now I restarted, and I'm still getting the 'fetching user_deny.db entry for ...' message.

The code I specified was for 2.5.1, which is functionally different from 2.4.17. You'll need to trigger a failure for 'DENYDB-open', which I'm not clear how you would do. Try specifying a non-existent path for your user_deny database or an invalid database format.

-- Dan White
Re: too much logging
On 04/29/15 17:21 +0200, hw wrote:

On 29.04.2015 at 16:14, Dan White wrote:

On 04/29/15 16:07 +0200, hw wrote:

Hi, is there a way to reduce the log output from cyrus? A lot, if not most, entries say 'imaps[20670]: fetching user_deny.db entry for ...', which seems to be rather useless information.

Which version are you running? 2.4.x changed the behavior of when the user_deny database is opened (at service startup time):
http://cyrusimap.org/docs/cyrus-imapd/2.5.1/changes.php

2.4.17

The URL says

Modified user_deny.db code to open database once at service startup time.

Does this mean that before 2.5.1, the database is being opened and closed all the time, yielding a log message?

Correct. But that was an error produced if the user_deny.db file didn't exist, and ended up flooding syslog. That's a different syslog entry from what you're seeing. You might have to modify your syslog config to get rid of them:
http://cyrusimap.org/docs/cyrus-imapd/2.5.1/install-configure.php

-- Dan White
Re: too much logging
On 04/29/15 18:35 +0200, hw wrote:

On 29.04.2015 at 18:15, Dan White wrote:

Does this mean that before 2.5.1, the database is being opened and closed all the time, yielding a log message?

Correct. But that was an error produced if the user_deny.db file didn't exist, and ended up flooding syslog. That's a different syslog entry from what you're seeing. You might have to modify your syslog config to get rid of them:
http://cyrusimap.org/docs/cyrus-imapd/2.5.1/install-configure.php

That is precisely what I do not want to do. There is no point in generating useless log messages, and it should be possible to turn these messages off.

They are usually somewhat harmless, though. When there are thousands or millions of them generated, it might indicate that there is some issue that needs to be fixed. Not all imaps processes create so many messages. In this sense, the messages are not useless. But what might cause so many of these messages to be generated within a short time, all day long?

user_deny is used to selectively deny access to services for certain users. It's called within the main cmdloop within the imapd code, among other places (pop3, nntpd, lmtpd, and httpd). Each imapd connection could result in many syslog entries depending on what activity the client is performing. The syslog entry is generated with this code:

    if (!denydb) denydb_open(/*create*/0);
    if (!denydb) return 0;

    memset(tok, 0, sizeof(tok));

    /* fetch entry for user */
    syslog(LOG_DEBUG, "fetching user_deny.db entry for '%s'", user);

If cyrusdb_open cannot successfully open or create the entry (such as a permissions error), then that would effectively stop the syslog entries from being generated. So, setting a bogus value for 'userdeny_db' and/or 'userdeny_db_path' should do what you want in a round about way. That's assuming you're not actually using userdeny of course.
-- Dan White
Re: group acl with winbind
On 04/07/15 17:50 +0200, Luca Olivetti wrote:

On 07/04/15 at 17:31, Dan White wrote:

localhost sam m_sist group:m_sist lrw
setaclmailbox: group:m_sist: lrw: Invalid identifier
localhost

Could this be a permissions problem? Can the cyrus user successfully execute the getent command?

Yes, it can

$ sudo su -s /bin/bash cyrus
$ whoami
cyrus
$ getent group | grep m_sist
m_sist:x:674:ojeda,luca,calmet,rafa,oscar

I'm at a loss to explain that behavior. You may need to trace/debug to get to the bottom of it:
http://members.sange.fi/~atehwa/vc/packaging/cyrus-imapd/debian/README.Debian.debug

-- Dan White
Re: group acl with winbind
On 04/07/15 16:28 +0200, Luca Olivetti wrote:

I'm currently using cyrus-imapd 2.4.17 and sssd to obtain nss groups from an openldap server. I have some group acl which are currently working fine. I'm testing the migration to samba4 as an active directory domain controller and I'm trying to use winbind instead of sssd (which works perfectly btw). The problem is that with winbind group acls don't work. Group enumeration (a pain to configure) works:

$ getent group | grep m_sist
m_sist:x:674:ojeda,luca,calmet,rafa,oscar

But I cannot set acl on that group:

$ cyradm -u cyrus localhost
Password:
localhost sam m_sist group:m_sist lrw
setaclmailbox: group:m_sist: lrw: Invalid identifier
localhost

Could this be a permissions problem? Can the cyrus user successfully execute the getent command?

Meanwhile I have winbindd running in the foreground and the above sam command will cause no messages at all (i.e. it seems it isn't querying winbindd for group information)

If I change nsswitch back to sssd (which is pulling data from the same samba4 server) and restart cyrus, it works:

$ cyradm -u cyrus localhost
Password:
localhost sam m_sist group:m_sist lrw
localhost

The simple solution is to use sssd and forget about winbind, but I'm curious: why does one work and the other doesn't, given that group enumeration works with both?

Presumably your auth_mech is set to the default (unix), which is not scalable, and has caused serious performance issues for me in the past. See:
http://cyrusimap.org/docs/cyrus-imapd/2.4.17/overview.php#aclauth

If your group information is exposed over an LDAP backend, consider using pts.

-- Dan White
Re: MANAGESIEVE commands
On 03/31/15 14:23 +0200, Willy Offermans wrote:

Is there a list of possible MANAGESIEVE commands to be used with the sivtest program?

sivtest -t PublicPrivate.key -a user -m PLAIN localhost

possible commands:

LISTSCRIPTS
GETSCRIPT user.sieve
LOGOUT

However and for example:

PUTSCRIPT user.sieve
NO Did not specify legal script data length

I don't know what the correct syntax is and, even worse, I don't know where to look it up?

See RFC 5804.

-- Dan White
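The 'NO Did not specify legal script data length' reply above comes from PUTSCRIPT being sent without the literal that RFC 5804 requires for the script body. The following is an added example, not sivtest or Cyrus code, showing how the command is actually framed: a quoted script name followed by a `{N+}` non-synchronizing literal whose N is the body length in bytes, plus a server-side parser that rejects a length that does not match the bytes supplied. The script name and body are constructed.

```python
"""Frame a MANAGESIEVE PUTSCRIPT command per RFC 5804 and check the literal
length on the receiving side. Added example, not sivtest or Cyrus code.
The script name and body used in the demo are constructed."""

CRLF = b"\r\n"


def quoted_string(name: str) -> bytes:
    """RFC 5804 quoted string: only DQUOTE and backslash are escaped; CR, LF
    and NUL cannot appear in a quoted string and are rejected outright."""
    if any(c in name for c in "\r\n\0"):
        raise ValueError("script name contains an unquotable character")
    escaped = name.replace("\\", "\\\\").replace('"', '\\"')
    return b'"' + escaped.encode("utf-8") + b'"'


def _unquote(raw: bytes) -> str:
    """Inverse of quoted_string: strip the quotes and undo backslash escapes."""
    if len(raw) < 2 or raw[:1] != b'"' or raw[-1:] != b'"':
        raise ValueError("script name is not a quoted string")
    out, chars = [], iter(raw[1:-1].decode("utf-8"))
    for c in chars:
        if c == "\\":
            try:
                c = next(chars)
            except StopIteration:
                raise ValueError("dangling backslash in quoted string") from None
        out.append(c)
    return "".join(out)


def putscript_command(name: str, script: str) -> bytes:
    """PUTSCRIPT "name" {N+}CRLF<script>: N is the script length in *bytes*
    (so a multi-byte UTF-8 script counts its encoded size), and the '+'
    marks a non-synchronizing literal, so the body follows immediately."""
    body = script.encode("utf-8")
    return b"PUTSCRIPT " + quoted_string(name) + b" {%d+}" % len(body) + CRLF + body


def parse_putscript(buf: bytes):
    """Server-side view: split off the command line, then insist that the
    declared literal length equals the number of bytes that follow. A missing
    or mismatched length is the condition behind a 'script data length' NO."""
    head, sep, rest = buf.partition(CRLF)
    if not sep or not head.startswith(b"PUTSCRIPT "):
        raise ValueError("not a PUTSCRIPT command")
    if b" {" not in head or not head.endswith(b"+}"):
        raise ValueError("missing literal length")
    name_part, _, length_part = head[len(b"PUTSCRIPT "):].rpartition(b" {")
    declared = int(length_part[:-2])
    if len(rest) != declared:
        raise ValueError(f"declared {declared} bytes, got {len(rest)}")
    return _unquote(name_part), rest.decode("utf-8")


if __name__ == "__main__":
    print(putscript_command("user.sieve", "keep;\r\n"))
```

In a manual sivtest session the same framing is what you type: `PUTSCRIPT "user.sieve" {7+}`, then the seven bytes of `keep;` followed by CRLF.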
Re: IMAP archive?
On 03/05/15 13:53 +0100, Marco wrote:

I read in docs that with Cyrus-Imapd I can create a folder Archive with no quota for each user, using a dedicated partition.

Assuming you have a quota root set for each user's INBOX, you would need to explicitly set a higher quota value for any such archive folder, if it exists hierarchically underneath the INBOX.

Is there a plan to provide also a mechanism that moves old mails in Archive folder? Meantime, how can I move old mails to Archive folder automatically without using MUA tasks?

This would be best handled at the MUA level as there are no internal solutions I'm aware of (like ipurge). An imapsync script with --minage and --delete/--expunge should do the trick, but would need to iterate over all your mailboxes.

I would also like to know the limits of an IMAP archive solution. How does a slow partition with large amount of mails and folders impact mailbox, indexes and whole server performance? In other words, does performance degrade only for Archive folder selection, or for all mailbox too?

-- Dan White
Re: Communicating kerberos password expiration
On 02/14/15 09:33 -0600, Jason L Tibbitts III wrote:

I know this isn't entirely a Cyrus question, but I figure some folks here would have some idea of my issue.

Basically, we use Kerberos authentication with Cyrus. The passwords in Kerberos expire. With shell and (Linux) desktop logins and such, the system alerts users and if necessary forces them to change their password. And obviously these days it's not terribly useful to actually mail someone with information about their password expiring.

My understanding is that IMAP has a limited way to communicate password expiration (through the EXPIRED response code). Does Cyrus support communicating that to the client when appropriate? Anyone know if any clients actually do something useful with it?

Does anyone know if the protocol (or Cyrus) has any way to communicate password expiration in advance of the password actually expiring? (You have 5 days to change your password or something like that.)

Really I'd like to integrate something with the Horde webmail system to at least cover webmail-only users. I can actually hack on that a bit, but I'll obviously ask the Horde people about that. Though I wouldn't turn down any advice there either if someone here happened to have any.

I haven't found it common for IMAP clients to display Quota alerts, but I haven't extensively tested. Squirrel mail, and perhaps Horde, will display Quota Alerts, so it's possible that it would display any alert provided by the imap server. There is an annotation (/comment) which you can set per mailbox, which should result in an alert being displayed:
https://cyrusimap.org/mediawiki/index.php/FAQ

That would allow you to implement the password change notification via an external process, such as with the cyradm perl library.

I'm unfamiliar with the EXPIRED response code or what Cyrus' plans are for supporting it.
-- Dan White
Re: Communicating kerberos password expiration
On 02/17/15 12:31 -0600, Jason L Tibbitts III wrote:

DW == Dan White dwh...@olp.net writes:

DW There is an annotation (/comment) which you can set per mailbox,
DW which should result in an alert being displayed:

Checking that again, I'm not sure that's the case. There's a misformatting in the FAQ entry which squishes the text for /motd into the description of /comment. I don't think /motd can be set per-mailbox, and I don't think /comment does anything other than set a comment.

Looks like you're correct! I did a test and did not see any alert upon selecting the mailbox.
Re: Integration with MDM solutions
On 01/21/15 14:00 +0530, Ram wrote:

I need to integrate cyrus IMAP with a MDM (Mobile Device Management) solution. The idea is that even if the IMAP ports are open only selective users / devices should be allowed from an external Network. Internal Network everyone is allowed.

I have seen that ready MDM solutions come up with server side plugins for Microsoft Exchange which can help achieve this. Is there a software for Cyrus Imap server that can allow selective users / devices only?

The userdeny_db database can be used to selectively allow certain users. Search the list archives for flat file manipulation with cyr_dbtool. It can be configured to use a sql database for integration with 3rd party tools. See:
http://cyrusimap.org/docs/cyrus-imapd/2.4.17/internal/database-formats.php

To configure different access rules based on network, create two imapd services in cyrus.conf, with each listening on the appropriate network (IP). e.g.:

...
SERVICES {
  imapint cmd=imapd listen=192.168.1.1:imap ...
  imapext cmd=imapd listen=203.0.113.1:imap ...
  ...
}

The service name you configure within the userdeny database should match the service name in cyrus.conf (e.g. imapext). You would not configure any entries for imapint which would allow access to all internal connections by default.

I'm not aware of a way to restrict devices (I'm assuming, based on a client string?). There may be 3rd party imap proxies that can assist with that.

-- Dan White
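To see how the two-service split above combines with userdeny, here is an added example (not Cyrus code, and not part of Dan's reply) that evaluates deny rules against a user and the cyrus.conf service name the connection arrived on. It assumes a record layout of "version TAB service-patterns TAB message" with version 2 and comma-separated service wildcards, which is my reading of the Cyrus userdeny documentation and should be confirmed against your version before loading anything with cyr_dbtool; the users, service names imapint/imapext, and messages are constructed, and Python's fnmatch stands in for Cyrus's wildmat matcher.

```python
"""Evaluate userdeny rules against (user, service) pairs. Added example, not
Cyrus code. Assumption: each record is 'version<TAB>patterns<TAB>message'
with version 2 and comma-separated service-name wildcards; confirm this
against the Cyrus docs for your release. The flat-file dump below is
constructed for the demo."""
from fnmatch import fnmatchcase

DENYDB_VERSION = "2"

# Constructed flat-file dump: one 'user<TAB>record' line per entry.
USERDENY_FLAT = (
    "jsmith\t2\timapext,pop3*\tExternal access not permitted for this account\n"
    "mallory\t2\t*\tAccount suspended\n"
)


def parse_userdeny_flat(text):
    """Parse the dump into {user: (service_patterns, message)}. Malformed or
    wrong-version records are rejected rather than silently ignored, so a
    typo cannot turn a deny rule into an allow."""
    rules = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 4 or parts[1] != DENYDB_VERSION:
            raise ValueError(f"line {lineno}: malformed userdeny record")
        user, _version, patterns, message = parts
        rules[user] = ([p for p in patterns.split(",") if p], message)
    return rules


def is_denied(rules, user, service):
    """Return the deny message if `user` is blocked from `service`, else None.

    Matching is on the cyrus.conf service *name* (imapint vs imapext), which
    is what lets one rule apply only to connections that arrived on the
    externally bound listener. fnmatch stands in for Cyrus's wildmat."""
    entry = rules.get(user)
    if entry is None:
        return None
    patterns, message = entry
    for pat in patterns:
        if fnmatchcase(service, pat):
            return message
    return None


def access_table(rules, users, services):
    """Convenience view for auditing: {(user, service): 'allow' | 'deny'}."""
    return {
        (u, s): ("deny" if is_denied(rules, u, s) else "allow")
        for u in users
        for s in services
    }


if __name__ == "__main__":
    table = access_table(parse_userdeny_flat(USERDENY_FLAT),
                         ["jsmith", "mallory", "alice"], ["imapint", "imapext"])
    for key, verdict in sorted(table.items()):
        print(key, verdict)
```

The audit table is the thing to keep an eye on when rules are generated by an external system: a user absent from the database is allowed everywhere, so the MDM integration has to write an imapext entry for every account that should stay internal-only.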
Re: IMAP over SSL (only) handshake hangs
On 01/13/15 11:22 +0100, Niels Dettenbach wrote:

While any other IMAP and POP3 ports with and without SSL / TLS are working - connects to imaps (993) just hang, there is nothing in the logs and a

openssl s_client -connect mail.myhost.abc:993

just brings out:

CONNECTED(0003)

which times out after minutes. Connection to 995 (POP3s) works perfectly. The service is configured (and worked until tonight!):

imaps cmd=imapd -s listen=imaps prefork=0 maxchild=150
pop3s cmd=pop3d -s listen=pop3s prefork=0 maxchild=50

A crazy thing is, that connections to localhost seem to work as soon as it uses the IPv6 address of the localhost (::):

imtest -v -s localhost

while the IPv4 variant doesn't seem to work:

imtest -v -s 127.0.0.1

You may have something else running on tcp:imaps. Verify with:

netstat -lp | grep imaps

On 01/13/15 12:24 +0100, Niels Dettenbach wrote:

I've done a strace -f -p on the master process which brought out:

See /usr/share/doc/cyrus-imapd-2.x/README.Debian.debug.gz for help in debugging a particular service.

-- Dan White
Re: saslauthd and multiple dc levels
On 12/30/14 10:52 +0100, Gabriele Bulfon wrote:

So, first I changed openldap configuration with sasl-secprops none to have also plain auth enabled. Running pluginviewer to see the plugins:

sonicle@www:~$ pluginviewer -m PLAIN
List of server plugins follows
Plugin plain [loaded],API version: 4
List of client plugins follows
Plugin plain [loaded],API version: 4

sonicle@www:~$ ldapsearch -xLLLH 'ldap://localhost/' -s base -b '' 'supportedSASLMechanisms'
dn:
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GS2-IAKERB
supportedSASLMechanisms: GS2-KRB5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: OTP
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS

Now, try plain auth doing a search of an existing user:

sonicle@www:~$ ldapsearch -Y PLAIN -U test.u...@sonicle.com -H ldap://localhost -W
Enter LDAP Password:
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available: No worthy mechs found

Can't find a reason for ldapsearch not finding the plain mech.

Odd. Add a '-d -1' to get more detail. See the ldap.conf(5) manpage, and verify you don't have any conflicting options set via relevant ENVIRONMENT VARIABLES or FILES. Check your syslog for any additional details (auth facility).

Also, slapd has been built with sasl:

sonicle@www:~$ ldd /sonicle/libexec/slapd
libdb-4.8.so => /sonicle/lib/libdb-4.8.so
libpthread.so.1 => /lib/libpthread.so.1
libsasl2.so.2 => /sonicle/lib/libsasl2.so.2
libdl.so.1 => /lib/libdl.so.1
libssl.so.0.9.8 => /lib/libssl.so.0.9.8
libcrypto.so.0.9.8 => /lib/libcrypto.so.0.9.8
libresolv.so.2 => /lib/libresolv.so.2
libgen.so.1 => /lib/libgen.so.1
libnsl.so.1 => /lib/libnsl.so.1
libsocket.so.1 => /lib/libsocket.so.1
libc.so.1 => /lib/libc.so.1
libgcc_s.so.1 => /usr/sfw/lib/libgcc_s.so.1
libmd.so.1 => /lib/libmd.so.1
libmp.so.2 => /lib/libmp.so.2
libm.so.2 => /lib/libm.so.2

How about your libldap library and client utilities? Do they have access to libsasl2 and the PLAIN shared library/mechanism? Try:

ldd `which ldapsearch`

And verify that the linked sasl library is the same as for slapd, or if not, uses a good libsasl installation. Also, you may want to try ldapsearch from another system with a known good sasl installation.

-- Dan White
Re: saslauthd and multiple dc levels
On 12/23/14 15:22 +0100, Gabriele Bulfon wrote:

Hi, I recently stumbled upon this issue, where I can't find a solution. Same cyrus/sasl server, serving multiple 2 level domains (dc=domain,dc=com). Sasl configuration is like:

ldap_search_base: ou=People,dc=%2,dc=%1
ldap_filter: uid=%u

Enter a new domain, but this time it's a 3 level one (dc=dpt,dc=domain,dc=com). Sasl configuration should be like:

ldap_search_base: ou=People,dc=%3,dc=%2,dc=%1
ldap_filter: uid=%u

How can I let saslauthd support both configurations?

Is the server OpenLDAP? If so, using olcAuthzRegexp would be a far more flexible way to handle this scenario. Within saslauthd's ldap config, use 'ldap_use_sasl' without specifying a search filter or base. Within slapd, your regex rules could perform a subtree search, or a simple string replacement for each domain. See http://www.openldap.org/doc/admin24/sasl.html and slapd-config(5).

-- Dan White
Re: saslauthd and multiple dc levels
On 12/23/14 16:07 +0100, Willy Offermans wrote:

Hello Dan,

On Tue, Dec 23, 2014 at 08:50:07AM -0600, Dan White wrote:

On 12/23/14 15:22 +0100, Gabriele Bulfon wrote:

How can I let saslauthd support both configurations?

Is the server OpenLDAP? If so, using olcAuthzRegexp would be a far more flexible way to handle this scenario. Within saslauthd's ldap config, use 'ldap_use_sasl' without specifying a search filter or base. Within slapd, your regex rules could perform a subtree search, or a simple string replacement for each domain. See http://www.openldap.org/doc/admin24/sasl.html and slapd-config(5).

I don't understand how this works. ldap_use_sasl in saslauthd.conf tells saslauthd to contact OpenLDAP server via sasl protocol directly. Is this correct?

Correct. The ldap backend to saslauthd itself performs sasl authentication.

And what happens then? How do saslauthd and slapd communicate and how is authentication performed?

The communication between Cyrus IMAP and saslauthd would not change. imapd would still communicate with saslauthd in the same manner, by submitting a username and password via the saslauthd mux. The ldap backend to saslauthd can be configured to perform SASL over LDAP authentication to slapd (not to be confused with SASL over IMAP authentication). slapd would simply return a successful bind code back to the saslauthd backend, which in turn would respond with an 'OK' to cyrus IMAP.

Using SASL within the LDAP saslauthd backend is a much simpler configuration. i.e.:

ldap_servers: ldap://ldap.example.com
ldap_use_sasl: yes
ldap_mech: PLAIN

(This may require you to configure olcSaslSecProps)

The '-r' option to saslauthd may be necessary, if you're not already using it.

Use ldapwhoami to test your slapd config:

ldapsearch -Y PLAIN -U jsm...@example.com -H ldap://ldap.example.com \
  -W

And if that works, verify your saslauthd configuration with:

testsaslauthd -u jsm...@example.com -p password

-- Dan White
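The two messages above (Gabriele's %2/%1 templates and Dan's olcAuthzRegexp suggestion) both turn on one mapping: from an authentication id like user@dpt.domain.com to the LDAP search base for that domain. The code below is an added example, not Cyrus, saslauthd or OpenLDAP code. It implements saslauthd-style %N expansion to show why a fixed-depth template breaks on a three-label domain, then the depth-independent rewrite a per-domain olcAuthzRegexp rule would express as a subtree search URL. Assumptions: saslauthd's %N tokens count domain labels from the right (%1 = 'com'); slapd hands olcAuthzRegexp an authz DN of the form uid=<authcid>,cn=plain,cn=auth for PLAIN without a realm; ou=People and the user/domain names are constructed. A real olcAuthzRegexp substitutes captured text verbatim, so the RFC 4515 filter escaping here is this example's own defensive step, not something slapd does for you.

```python
"""Map a SASL PLAIN authcid of the form user@domain to an LDAP search base
and subtree-search URL for a domain of any depth. Added example, not Cyrus,
saslauthd or OpenLDAP code; the %N token semantics, the authz DN shape and
the ou=People RDN are assumptions, the names are constructed."""
import re

LABEL = re.compile(r"^[A-Za-z0-9-]+$")
AUTHZ_DN = re.compile(r"^uid=([^,@]+)@([^,]+),cn=plain,cn=auth$")


def expand_saslauthd_base(template, domain):
    """Expand %1..%9 the way saslauthd's ldap backend is assumed to: %1 is the
    rightmost label. Raises when the template asks for a label the domain does
    not have; note the quieter failure in the other direction, where a 2-level
    template applied to a 3-level domain yields a base that simply omits the
    leftmost label."""
    labels = domain.split(".")

    def sub(m):
        i = int(m.group(1))
        if i > len(labels):
            raise ValueError(f"{domain!r} has no label for %{i}")
        return labels[-i]

    return re.sub(r"%([1-9])", sub, template)


def domain_to_base(domain, rdn="ou=People"):
    """Build 'ou=People,dc=a,dc=b,...' from a dotted domain of any depth."""
    labels = domain.split(".")
    if not labels or not all(LABEL.match(lbl) for lbl in labels):
        raise ValueError(f"bad domain {domain!r}")
    return ",".join([rdn] + [f"dc={lbl}" for lbl in labels])


def escape_filter_value(value):
    """RFC 4515 escaping for a value interpolated into a search filter, so an
    authcid such as 'a*)(uid=*' cannot widen the search."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\0" else c for c in value)


def authz_dn_to_search_url(dn):
    """What a depth-independent olcAuthzRegexp rewrite produces for the authz
    DN slapd builds from a PLAIN bind: a subtree search URL under the
    domain's base, with the uid value escaped."""
    m = AUTHZ_DN.match(dn)
    if not m:
        raise ValueError(f"unexpected authz DN {dn!r}")
    user, domain = m.groups()
    return f"ldap:///{domain_to_base(domain)}??sub?(uid={escape_filter_value(user)})"


if __name__ == "__main__":
    print(expand_saslauthd_base("ou=People,dc=%2,dc=%1", "dpt.domain.com"))
    print(authz_dn_to_search_url("uid=jsmith@dpt.domain.com,cn=plain,cn=auth"))
```

The first print shows the silent misconfiguration from the thread: the 2-level template gives ou=People,dc=domain,dc=com for a dpt.domain.com user, so the uid lookup lands in the wrong subtree and the bind fails. The URL form is what you would put on the right-hand side of an olcAuthzRegexp entry for that domain.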
Re: sasl_mech_list in imapd.conf ?
On 12/16/14 06:18 -0600, Patrick Goetz wrote:

My old Ubuntu imapd.conf includes this line:

sasl_mech_list: PLAIN LOGIN

and sasl_mech_list is also mentioned here:
https://cyrusimap.org/docs/cyrus-imapd/2.4.6/faq.php

It's documented as 'sasl_option:' in the manpage. All options beginning with sasl_, with the exception of sasl_maximum_layer and sasl_minimum_layer, are retrieved by cyrus sasl via a callback. Available options are listed here:
http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/options.php

For a discussion of mechanisms, see:
http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/components.php

If using the Ubuntu sasl packages, use saslpluginview to list available plugins.

-- Dan White
Re: sasl_mech_list in imapd.conf ?
On 12/16/14 08:23 -0600, Dan White wrote:

If using the Ubuntu sasl packages, use saslpluginview to list available plugins.

Make that 'saslpluginviewer'.

-- Dan White
Re: saslauthd question
On 12/11/14 12:34 -0600, Patrick Goetz wrote:
> Surely someone on this list will know the answer to this question. Given
> sasl_pwcheck_method: saslauthd, with authentication mechanism=pam, I'm
> trying to track down how saslauthd knows that the cyrus PAM service file
> is called imap; i.e. /etc/pam.d/imap. Is this just built in? I can't find
> a configuration for it anywhere.

saslauthd receives the service name via the unix domain socket protocol exchange - see the OVERVIEW section in saslauthd-main.c. The glue layer (libsasl2) provides the service name to saslauthd based on what it's given in the call to sasl_server_new (see the manpage). Cyrus imapd hard codes the service names, and they are not configurable. Grep through the cyrus imap source for that function call to determine which pam file to configure for each service.

--
Dan White
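The mux exchange described above, as an added example that is not part of the thread and not saslauthd's or testsaslauthd's own code: a client that sends the four fields the way libsasl2 and testsaslauthd do (a 16-bit big-endian length followed by the bytes, in the order login, password, service, realm) and a single-shot fake daemon that, like the real PAM backend choosing /etc/pam.d/<service>, dispatches on the service name the client supplied. The credential table and the per-service policy are constructed stand-ins for PAM, and the socket lives in a temporary directory rather than at the compiled-in mux path.

```python
"""
Added example (not from the thread): the saslauthd mux request/response
exchange, with a fake daemon that enforces a per-service policy keyed on
the service name sent by the client. Credentials and policy are constructed.
"""
import hmac
import os
import socket
import struct
import tempfile
import threading

# Constructed stand-in for the PAM stacks: which users each service admits.
SERVICE_POLICY = {
    "imap": {"jsmith"},
    "smtp": {"jsmith", "relay"},
}
# Constructed credential table (a placeholder for PAM, not a storage pattern to copy).
CREDENTIALS = {"jsmith": "Pa77w0rd", "relay": "relaypw"}


def _pack(field: bytes) -> bytes:
    """One mux field: 16-bit network-order length, then the bytes."""
    return struct.pack("!H", len(field)) + field


def _recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("short read from mux")
        buf += chunk
    return buf


def _recv_field(conn) -> bytes:
    (n,) = struct.unpack("!H", _recv_exact(conn, 2))
    return _recv_exact(conn, n)


def saslauthd_request(mux_path, login, password, service, realm=""):
    """What libsasl2 / testsaslauthd send; returns the reply text, e.g. 'OK'."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(mux_path)
        s.sendall(b"".join(_pack(f.encode()) for f in (login, password, service, realm)))
        return _recv_field(s).decode()


def fake_saslauthd(mux_path, ready):
    """Single-shot fake daemon: authenticate, then apply the service policy."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(mux_path)
        srv.listen(1)
        ready.set()
        conn, _ = srv.accept()
        with conn:
            login, password, service, _realm = (_recv_field(conn).decode() for _ in range(4))
            # the pam_authenticate step
            if not hmac.compare_digest(CREDENTIALS.get(login, "").encode(), password.encode()):
                conn.sendall(_pack(b"NO authentication failed"))
            # the pam_acct_mgmt step, keyed on the service name the client supplied
            elif login not in SERVICE_POLICY.get(service, set()):
                conn.sendall(_pack(b"NO account denied for service " + service.encode()))
            else:
                conn.sendall(_pack(b"OK"))


def check(login, password, service):
    """Run one exchange against the fake daemon over a temporary mux socket."""
    with tempfile.TemporaryDirectory() as d:
        mux = os.path.join(d, "mux")
        ready = threading.Event()
        t = threading.Thread(target=fake_saslauthd, args=(mux, ready), daemon=True)
        t.start()
        ready.wait()
        reply = saslauthd_request(mux, login, password, service)
        t.join()
        return reply


if __name__ == "__main__":
    print(check("jsmith", "Pa77w0rd", "imap"))
    print(check("jsmith", "wrong", "imap"))
    print(check("relay", "relaypw", "imap"))
    print(check("relay", "relaypw", "smtp"))
```

The same login and password can therefore succeed for one service and be refused for another, which is the behaviour you get from a real saslauthd when /etc/pam.d/imap and /etc/pam.d/smtp carry different account stacks.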
Re: annotation_definitions and other options in imapd.conf
On 12/03/14 12:45 -0600, Patrick Goetz wrote:
> On 12/03/2014 06:53 AM, Adam Tauno Williams wrote:
>>> auth_mech: - Isn't this handled by SASL?
>>
>> Partially, yes. Don't forget that identity management is AAA - three As,
>> not one. Authorization, Authentication, Accounting.
>
> So, for example:
>
> Authorization would be cm user.username in cyradm
> Authentication would be saslauthd - PAM -- PAM modules
> Accounting would be setting permissions and quotas
>     sam user.username write
>     sq user.username N

cyrus sasl performs authentication. This would be consistent across all servers which use libsasl, such as imapd or slapd. Its primary purpose is to resolve *who* the authentication identity is and to relieve the server daemon (imapd) of the burden of figuring out how to authenticate users.

Authorization is handled primarily outside of libsasl, and is left up to the server which uses libsasl (imapd). Authorization involves who can access what, and is configured by way of ACL commands - e.g. john can access jane's mailbox. slapd performs this step via olcAccess configuration.

Accounting is the ability to track who accessed what, and when - i.e. syslog output.

> I'm still not seeing where auth_mech or ldap options fit into this,
> although Sven seems to have offered an explanation: there is some
> undocumented way of bypassing saslauthd. Which, if true, I suggest is a
> terrible idea and should be stripped out of the code. Allowing for direct
> PAM authentication might work somehow, assuming there is a way to handle
> TLS authentication. Authentication architecture needs to be less, not
> more complicated in general in the unix/linux world.

auth_mech, as I've used it, figures out who exists in which groups. So if jane has given read permissions to group 'wheel', and john is a member of wheel in /etc/groups, *and* auth_mech is configured to be unix, then john would be granted access to jane's mailbox on request.

A big problem with 'auth_mech: unix' is that it's *slow* on systems with lots of groups, due to the way unix searches for group membership (by iterating over all groups in the system). If that happens every time a user attempts to open a mailbox, your system will fall over. The other auth_mechs, such as ldap, can make that process efficient.

--
Dan White
Re: segfault cyrus imapd 2.17 when upgrading to glibc 2.16
On 11/03/14 15:56 +0100, Andreas Nyback wrote:
> Can't get this working. Running gentoo 64 bit. Access from some users
> works, some/one always segfaults. Tried to find if any dependency needed
> recompile with upgraded glibc, no luck. Tried fresh install of gentoo.
> Same same. When on glibc 2.16 all works fine.
>
> strace of segfault session:
>
>     4447 18:03:30.928204 strlen(sasl_) = 5
>     4447 18:03:30.928319 __snprintf_chk(0x7fff1e5108b0, 256, 1, 256) = 24
>     4447 18:03:30.928438 strcmp(imap_sasl_auxprop_plugin, partition-default) = -7
>     4447 18:03:30.928576 strcmp(sasl_auxprop_plugin, partition-default) = 3
>     4447 18:03:30.928706 strcmp(sasl_auxprop_plugin, sasl_auxprop_plugin) = 0
>     4447 18:03:30.928865 malloc(16) = 0x18a0f20
>     4447 18:03:30.928966 malloc(250) = 0x18a0b50
>     4447 18:03:30.929147 free(0x18a0b50) = void
>     4447 18:03:30.929252 malloc(19) = 0x18a0e10
>     4447 18:03:30.929352 malloc(11) = 0x18a0f40
>     4447 18:03:30.929452 malloc(8) = 0x18a0f60
>     4447 18:03:30.929551 malloc(15) = 0x18a0f80
>     4447 18:03:30.929650 malloc(21) = 0x18a0fa0
>     4447 18:03:30.929756 malloc(250) = 0x18a0940
>     4447 18:03:30.929921 free(0x18a0940) = void
>     4447 18:03:30.930026 malloc(10) = 0x18a0fc0
>     4447 18:03:30.930125 malloc(250) = 0x18a0940
>     4447 18:03:30.930292 free(0x18a0940) = void
>     4447 18:03:30.932631 free(0x18a0fc0) = void
>     4447 18:03:30.932795 free(0x18a0f80) = void
>     4447 18:03:30.932899 free(0x18a0fa0) = void
>     4447 18:03:30.933133 free(0x18a0f60) = void
>     4447 18:03:30.933238 free(0x18a0f40) = void
>     4447 18:03:30.96 free(0x18a0e10) = void
>     4447 18:03:30.933438 free(0x18a0f20) = void
>     4447 18:03:30.933842 --- SIGSEGV (Segmentation fault) ---
>     4447 18:03:30.934298 +++ killed by SIGSEGV +++

Verify both the cyrus sasl glue library and all plugins (auxprop/mechanisms) are compiled against the same version of glibc as cyrus imap, as well as any libraries your auxprop plugin uses (i.e. libldap or sql).

--
Dan White
Re: Some cyrus-sasl questions
On 09/29/14 17:44 -0500, Patrick Goetz wrote:
> Hi - I've been setting up some new servers and wanted to revisit and
> optimize my cyrus-sasl configuration. I couldn't find answers to these
> questions anywhere in the documentation or online, but figured this list
> would know. Ironically, the postfix documentation for using sasl
> (http://www.postfix.org/SASL_README.html) appears to be more complete
> than anything I could find on the cyrus source site.
>
> 1. Postfix suggests that I can put the SASL configuration file in
> /etc/sasl2 instead of /usr/lib/sasl2, but I couldn't find this anywhere
> in the official cyrus-sasl documentation. User configurable options
> always need to go in /etc, not /usr/lib, so I just want to confirm that
> 2.1.26 will look for the configuration file in /etc/sasl2

The location depends on how cyrus sasl was compiled. '--with-configdir=DIR' is used to specify the location config files will be searched for. By default, that's /usr/lib/sasl2. Distributions may specify others. For Debian, that's:

    /etc/sasl2:/etc/sasl:/usr/lib/$(DEB_HOST_MULTIARCH)/sasl2:/usr/lib/sasl2

See ./configure --help for an explanation. Additionally, the cyrus sasl api allows the location to be overridden using the 'sasl_getconfpath_t' callback. See the manpage for sasl_callbacks (3). To determine where to place a sasl config file for a particular daemon, you'll need to consult the documentation for your distribution/OS if you're not compiling it yourself.

To confuse matters even more, Cyrus IMAP uses the API to store configuration data into imapd.conf, and will look for the options to be prepended with 'sasl_', e.g. 'sasl_pwcheck_method'. OpenLDAP does the same, but for one option only (olcSaslAuxprops).

> 2. I can't find any hints about what an optimal PAM configuration file is
> if you only want to authenticate users through PAM with valid accounts.
> Currently the /etc/pam.d/imap file is basically set up as
>
>     auth required pam_unix.so
>     account required pam_unix.so
>
> (Debian/Ubuntu add other junk via default common authentication groups
> which must be superfluous). I don't understand why the account management
> group is needed for imap authentication. Is it just there because there's
> no documentation on how to do this properly, so people are guessing?

The PAM backend for saslauthd calls 'pam_authenticate' (auth), 'pam_acct_mgmt' (account), but not 'pam_open_session' (session) or 'pam_chauthtok' (password). As far as I know, this is not documented anywhere.

> 3. Both cyrus and postfix use SASL. In the past, I've run postfix in a
> chroot jail, so it had its own saslauthd daemon process. Since chroot
> jails don't add much security, I'm jettisoning that, but presumably cyrus
> and postfix will happily use the same saslauthd daemon process?

Yes. You should not override the location of the saslauthd mux (in /etc/default/saslauthd, on Debian), unless you are chrooting postfix. By default, Cyrus and Postfix will use the default (at compile time) location, by way of the libsasl2 glue library.

> Postfix requires a sasl configuration file, but I just noticed that my
> cyrus 2.3.16 install doesn't seem to have one. Is this a compile time
> default or am I just overlooking where the configuration file is? Or does
> cyrus use the SASL libraries directly, in which case I'm not sure how it
> knows to use pam. Is there any documentation on this?

There is no default cyrus sasl config file installed for Postfix. In the case of a missing config file, the defaults will be used (auxprop instead of saslauthd/pam). 'saslfinger' is highly recommended for troubleshooting Postfix/Cyrus Sasl config issues.

To direct Postfix to authenticate against PAM, you'll need to start saslauthd with the PAM backend. Then create a Postfix sasl config file (in /etc/postfix/sasl/smtpd.conf, on Debian) which includes:

    pwcheck_method: saslauthd

And you'll want to include:

    # exclude shared secret mechanisms
    mech_list: plain login external gssapi

See: http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/options.php

--
Dan White
Re: Complete mailbox delete?
On 08/10/14 13:23 +0100, Charles Bradshaw wrote:
> I have used cyradm to delete some virtual domain mail boxes. cyradm lm
> now lists them as DELETED and my
> /var/spool/imap/domain/s/somedomain.com/u/DELETED/user/ now contains
> copies of the deleted mail boxes. Assuming that the old user has no use
> for the contents, is it safe to just delete these?

cyr_expire will delete those for you, based on how long ago they were deleted (-D option). Typically it's run from /etc/cyrus.conf on a daily basis. If you don't wish to use the delayed delete feature, you can set 'delete_mode' to 'immediate'.

> Supposing that all of the somedomain.com users are now gone can I just
> remove .../somedomain.com and all its sub directories?

Presumably if you remove all mailboxes from a virtual domain, you'll be left with an empty hierarchy underneath your spool directory that should be safe to delete, although it shouldn't be taking up much space. Depending on configuration, you may have some lingering files underneath your configdirectory hierarchy as well.

--
Dan White
Re: postfix-amavis-cyrus on multidomain ldap
On 08/04/14 11:42 +0200, Gabriele Bulfon wrote:
> Hi, I've been using postfix-amavis-cyrus for years, with normal
> passwd+aliases mode. We recently switched to virtual domains using ldap.
> Because we don't want to maintain a virtual mailbox map for postfix, we
> decided to have a vmailbox file like:
>
>     @domain1 allow
>     @domain2 allow
>
> and have cyrus detect wrong destinations, via ldap. What happens here, is
> that any quarantined mail by amavis (having very high score, that should
> not even be reconsidered once quarantined) gets back to postfix in some
> way, delivered to cyrus, which in many cases is a wrong invented mailbox,
> so back to postfix which sends back an error. This was not happening
> before: a quarantined mail by amavis would be just quarantined. No answer
> back. No delivery in the spam folder. So first, my question is: why is
> the mail being delivered to postfix even if it's quarantined and has a
> very high score?
>
> Last question is about configuring vmailbox to lookup ldap. I've seen
> many examples, but they all look for a single domain, while I have
> multiple domains both in cyrus, ldap and postfix. Examples like this:
>
>     server_host = localhost
>     search_base = ou=Users,dc=example,dc=com
>     version = 3
>     scope = sub
>     query_filter = (mail=%s)
>     result_attribute = mail
>
> are for just the example.com domain. How should I write the vmailbox ldap
> file to query different domains?

That approach, even if properly configured, may still lead to accepting and queueing messages for mailboxes that are over quota. A better approach is to use a Postfix policy script which can query mailbox state before accepting the message, such as by communicating with the smmap socket.

--
Dan White
Re: NO Login failed: generic failure
On 03/26/14 09:27 -0700, Marc Fournier wrote:
> cyrus-imapd24-2.4.17_4/ cyrus-sasl-2.1.26_5
>
>     /var/log # telnet localhost imap
>     Trying 127.0.0.1...
>     Connected to localhost.
>     Escape character is '^]'.
>     * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=LOGIN AUTH=PLAIN SASL-IR] xxx.xxx Cyrus IMAP v2.4.17 server ready
>     . login x...@xxx.xxx xxx
>     . NO Login failed: generic failure
>     . logout
>     * BYE LOGOUT received
>     . OK Completed
>     Connection closed by foreign host.
>
> /var/log/debug.log shows:
>
>     Mar 26 16:09:08 xxx imap[67279]: SQL backend defaulting to engine 'sqlite'
>     Mar 26 16:09:08 xxx imap[67279]: executed
>     Mar 26 16:09:08 xxx imap[67279]: sql auxprop plugin using sqlite engine
>     Mar 26 16:09:08 xxx imap[67279]: IOERROR: opening /var/spool/imap/user_deny.db: No such file or directory
>     Mar 26 16:09:08 xxx imap[67279]: accepted connection
>     Mar 26 16:09:36 xxx imap[67279]: accepted connection
>     Mar 26 16:09:49 xxx imap[67279]: sql plugin Parse the username x...@xxx.xxx
>     Mar 26 16:09:49 xxx imap[67279]: sql plugin try and connect to a host
>     Mar 26 16:09:49 xxx imap[67279]: sql plugin trying to open db '/var/db/sqlite/mailsys' on host ''
>     Mar 26 16:09:49 xxx imap[67279]: begin transaction
>     Mar 26 16:09:49 xxx imap[67279]: sql plugin create statement from userPassword xxx xxx.xxx
>     Mar 26 16:09:49 xxx imap[67279]: sql plugin doing query SELECT userPassword FROM sasl_auth WHERE userid = 'x...@xxx.xxx';
>     Mar 26 16:09:49 xxx imap[67279]: sql plugin create statement from cmusaslsecretPLAIN xxx xxx.xxx
>     Mar 26 16:09:49 xxx imap[67279]: sql plugin doing query SELECT cmusaslsecretPLAIN FROM sasl_auth WHERE userid = 'x...@xxx.xxx';
>     Mar 26 16:09:49 xxx imap[67279]: sql plugin: no such column: cmusaslsecretPLAIN
>     Mar 26 16:09:49 xxx imap[67279]: commit transaction
>     Mar 26 16:09:49 xxx imap[67279]: sql plugin Parse the username x...@xxx.xxx
>     Mar 26 16:09:49 xxx imap[67279]: sql plugin try and connect to a host
>     Mar 26 16:09:49 xxx imap[67279]: sql plugin trying to open db '/var/db/sqlite/mailsys' on host ''
>
> /var/log/messages shows:
>
>     Mar 26 16:09:49 rdfund imap[67279]: badlogin: xxx [200.46.208.227] plaintext x...@xxx.xxx SASL(-1): generic failure: checkpass failed
>
> I've even tried su'ing to the cyrus user and running the sql command
> against the database, and it returns the right database:
>
>     % echo "SELECT userPassword FROM sasl_auth WHERE userid = 'x...@xxx.xxx';" | sqlite /var/db/sqlite/mailsys
>     rightPW
>     %

What does your imapd.conf config look like? In particular the sasl_*, virtdomain, defaultdomain, allowplaintext, and loginrealms options.

Try using a sasl mechanism, e.g.:

    imtest -m digest-md5 -a 'x...@xxx.xxx' localhost

> Is there any way of getting more debug information out of the backend
> without modifying the code itself?

Add 'sasl_log_level: 7' to imapd.conf, and verify your syslog daemon is logging 'auth.*'.

--
Dan White
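The 'badlogin:' lines that come up in this and the later threads carry enough structure to triage from syslog alone. As an added example, not part of the thread and not Cyrus code, the script below parses such lines and separates three situations: a broken password backend (every attempt fails with the same SASL(-1) generic failure across distinct users and client addresses, as on this server), password guessing (one source trying many users), and a shared-secret mechanism failing with 'unable to canonify user' because nothing backs it. The log lines are constructed; the hostnames, addresses and the thresholds are assumptions, and the SASL result codes are the ones Cyrus prints.

```python
"""
Added example (not from the thread): detection logic over Cyrus 'badlogin:'
syslog lines. Sample log, hosts, addresses and thresholds are constructed.
"""
import re
from collections import Counter, defaultdict

# badlogin: <host> [<ip>] <mech> [<user>] SASL(<code>): <reason>
# (the user is absent and the SASL part is bracketed for shared-secret mechanisms)
BADLOGIN_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ imaps?\[\d+\]: badlogin: "
    r"(?P<host>\S+) \[(?P<ip>[^\]]+)\] (?P<mech>\S+)(?: (?P<user>\S+))? "
    r"\[?SASL\((?P<code>-?\d+)\): (?P<reason>[^\]]+)\]?"
)

SHARED_SECRET_MECHS = {"CRAM-MD5", "DIGEST-MD5", "SCRAM-SHA-1", "SCRAM-SHA-256", "NTLM"}

# Constructed sample log.
SAMPLE_LOG = """\
Mar 26 16:09:49 mail imap[67279]: badlogin: client1 [192.0.2.10] plaintext alice@example.com SASL(-1): generic failure: checkpass failed
Mar 26 16:10:02 mail imap[67280]: badlogin: client1 [192.0.2.10] plaintext bob@example.com SASL(-1): generic failure: checkpass failed
Mar 26 16:10:15 mail imap[67281]: badlogin: client2 [192.0.2.11] plaintext carol@example.com SASL(-1): generic failure: checkpass failed
Mar 26 16:12:01 mail imaps[67290]: badlogin: scanner [198.51.100.7] plaintext alice@example.com SASL(-13): authentication failure: checkpass failed
Mar 26 16:12:02 mail imaps[67290]: badlogin: scanner [198.51.100.7] plaintext admin SASL(-13): authentication failure: checkpass failed
Mar 26 16:12:03 mail imaps[67290]: badlogin: scanner [198.51.100.7] plaintext root SASL(-13): authentication failure: checkpass failed
Mar 26 16:12:04 mail imaps[67290]: badlogin: scanner [198.51.100.7] plaintext postmaster SASL(-13): authentication failure: checkpass failed
Mar 26 16:13:00 mail imap[67295]: badlogin: client3 [192.0.2.12] DIGEST-MD5 [SASL(-13): user not found: unable to canonify user and get auxprops]
"""


def parse_badlogins(text):
    """Yield one dict (ts, host, ip, mech, user, code, reason) per parseable line."""
    for line in text.splitlines():
        m = BADLOGIN_RE.search(line)
        if m:
            yield m.groupdict()


def triage(text, guess_threshold=3):
    """
    Findings:
      backend_error       SASL(-1) generic failures from more than one user and
                          more than one address: the password backend itself is broken
      guessing:<ip>       one address failing against >= guess_threshold distinct users
      shared_secret_mech  CRAM/DIGEST/SCRAM/NTLM failing with 'unable to canonify':
                          the mechanism is offered with no auxprop plugin behind it
    """
    events = list(parse_badlogins(text))
    users_by_ip = defaultdict(set)
    codes = Counter()
    findings = set()
    for e in events:
        users_by_ip[e["ip"]].add(e["user"] or "")
        codes[e["code"]] += 1
        if e["mech"].upper() in SHARED_SECRET_MECHS and "canonify" in e["reason"]:
            findings.add("shared_secret_mech")
    generic = [e for e in events if e["code"] == "-1"]
    if len({e["ip"] for e in generic}) > 1 and len({e["user"] for e in generic}) > 1:
        findings.add("backend_error")
    for ip, users in users_by_ip.items():
        if len(users) >= guess_threshold:
            findings.add(f"guessing:{ip}")
    return {"events": len(events), "codes": dict(codes), "findings": sorted(findings)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The SASL(-1) versus SASL(-13) distinction is the useful signal: -13 is a real authentication failure (wrong password or unknown user), whereas -1 means the backend could not answer at all, which is a configuration problem rather than an attacker.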
Re: NO Login failed: generic failure
On 03/26/14 11:45 -0700, Marc Fournier wrote:
> On Mar 26, 2014, at 11:25 , Dan White dwh...@olp.net wrote:
>> What does your imapd.conf config look like? In particular the sasl_*,
>> virtdomain, defaultdomain, allowplaintext, and loginrealms options.
>
>     configdirectory: /var/spool/imap
>     partition-default: /var/spool/mail
>     duplicatesuppression: 1
>     sievedir: /var/spool/sieve
>     sendmail: /usr/sbin/sendmail
>     hashimapspool: yes
>     lmtpsocket: /var/run/socket/lmtp
>     unixhierarchysep: 0
>     quotawarn: 90
>     virtdomains: 1
>     allowplaintext: 1
>     pwcheck_method: auxprop
>     auxprop_plugin: sql
>     sasl_sql_engine: sqlite
>     sasl_sql_database: /var/db/sqlite/mailsys
>     sasl_sql_select: SELECT %p FROM sasl_auth WHERE userid = '%u@%r'
>     sasl_sql_insert: INSERT INTO sasl_auth ( userid, %p, domain ) VALUES ( '%u@%r', '%v' )
>     sasl_sql_update: UPDATE sasl_auth SET %p = '%v' WHERE userid = '%u@%r'
>     tls_ca_file: /var/imap/server.pem
>     tls_cert_file: /var/imap/server.pem
>     tls_key_file: /var/imap/server.pem

You should have your domain(s) listed within a loginrealms statement. I recommend 'virtdomain: userid' over on or 1.

--
Dan White
Re: NO Login failed: generic failure
On 03/26/14 11:45 -0700, Marc Fournier wrote:
> On Mar 26, 2014, at 11:25 , Dan White dwh...@olp.net wrote:
>> What does your imapd.conf config look like? In particular the sasl_*,
>> virtdomain, defaultdomain, allowplaintext, and loginrealms options.
>
>     configdirectory: /var/spool/imap
>     partition-default: /var/spool/mail
>     duplicatesuppression: 1
>     sievedir: /var/spool/sieve
>     sendmail: /usr/sbin/sendmail
>     hashimapspool: yes
>     lmtpsocket: /var/run/socket/lmtp
>     unixhierarchysep: 0
>     quotawarn: 90
>     virtdomains: 1
>     allowplaintext: 1
>     pwcheck_method: auxprop
>     auxprop_plugin: sql

This *should* prevent sasldb from initializing.

On 03/26/14 14:04 -0700, Marc Fournier wrote:
> 'k, think I got it ... tracing "Could not open db" to where it is in the
> code, turns out it is generated by cyrus-sasl - sasldb - db_ndbm.c ...
> but, we don't *use* sasldb, so why is that error being generated?
>
> Looking on my 'working system', there is a /usr/local/etc/sasldb2.db file
> there, which is why that error isn't being generated ... so, I just
> created a 'dummy' sasldb2.db file on both of my non-working systems, and
> suddenly, it looks like everything is authenticating properly ...
>
> Still have to do more testing but ... is there some way to *disable* it
> checking for that file? I created and then disabled an account in it, so
> that it's got the right structure, so it's not too painful of a solution,
> just not sure why it came up in the first place ... when I upgraded the
> code, the version of cyrus-sasl didn't change (2.1.16 in both the pre and
> post upgrade systems, just confirmed), but cyrus-imap went from 2.3 - 2.4
> ... so a stricter requirement in 2.4 that I hadn't seen before ... ?

If your cyrus sasl was compiled as shared libraries, you can delete the library from your disk to prevent it from loading (pluginviewer -a should confirm).

--
Dan White
Re: Ubuntu Server 13.10 | Postfix 2.10.2 | Cyrus 2.4.16
On 03/07/14 17:13 +0100, Andrey wrote:
> Hi everyone,
>
> I am stuck. I would like to use in my test environment virtual domains
> and emails. I have 2 domains. The users from the default domain I can
> authenticate via sasl and pam without problem. I use in my mail software
> credentials like user password. Now I don't want to use the pam
> mechanism, but sasldb. See hereunder my configs:
>
> /etc/default/saslauthd
>
>     START=yes
>     MECHANISMS=sasldb
>     MECH_OPTIONS=
>     THREADS=5

saslauthd, with default compile options, does not contain support for sasldb. It is recommended to use the sasldb auxprop plugin in this scenario rather than saslauthd. Configure /etc/imapd.conf with:

    sasl_auxprop_plugin: sasldb
    sasl_pwcheck_method: auxprop

>     #chroot Postfix
>     OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
>
> /etc/postfix/main.cf
>
>     #only sasl/virtual related config info!
>     mydomain = domain.tld
>     myhostname = mail.domain.tld
>     mydestination = mail.domain.tld, domain.tld, localhost.domain.tld, localhost
>     mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp

Configure your postfix smtpd.conf with:

    auxprop_plugin: sasldb
    pwcheck_method: auxprop

The sasldb database is typically contained in /etc, and not underneath the Postfix chroot. Either disable chrooting of smtpd in /etc/postfix/master.cf, or configure an appropriate 'sasl_sasldb_path' in /etc/imapd.conf, and a 'sasldb_path' in your postfix smtpd.conf file. If you continue to chroot postfix, you will also need to specify the location of the sasldb database with 'saslpasswd2 -f path'.

> /etc/imapd.conf
>
>     #only sasl/virtual related config info!
>     allowplaintext: yes
>     sasl_mech_list: PLAIN
>     loginrealms: domain.tld,domain2.tld
>     virtdomains: userid
>     defaultdomain: domain.tld
>     sasl_pwcheck_method: saslauthd
>     sasl_auto_transition: no
>
> Then I did the following steps:
>
>     saslpasswd2 -u domain.tld info
>     testsaslauthd -u info -r domain.tld -p Pa77w0rd
>     0: OK Success.
>     testsaslauthd -u i...@domain.tld -p Pa77w0rd
>     0: NO authentication failed

With saslauthd, you may wish to experiment with the '-r' option (/etc/default/saslauthd OPTIONS).

--
Dan White
Re: Ubuntu Server 13.10 | Postfix 2.10.2 | Cyrus 2.4.16
On 03/07/14 22:02 +0100, Andrey wrote:
> Hi this was very helpful:
>
>     sasl_auxprop_plugin: sasldb
>
> But it works only in combination with:
>
>     sasl_pwcheck_method: saslauth

'sasl_pwcheck_method: auxprop' is really what you want here. saslauthd and testsaslauthd are no longer needed.

--
Dan White
Re: Ubuntu Server 13.10 | Postfix 2.10.2 | Cyrus 2.4.16
On 03/07/14 16:33 -0600, Dan White wrote:
> On 03/07/14 22:02 +0100, Andrey wrote:
>> Hi this was very helpful:
>>
>>     sasl_auxprop_plugin: sasldb
>>
>> But it works only in combination with:
>>
>>     sasl_pwcheck_method: saslauth
>
> 'sasl_pwcheck_method: auxprop' is really what you want here. saslauthd
> and testsaslauthd are no longer needed.

Also, imtest and smtptest can be used for simple testing.

--
Dan White
Re: disable login for users without mailbox
On 02/25/14 20:42 +0100, Marcus Schopen wrote:
> Hi, as soon as a user is created in sasldb2 an imap login is possible
> even if a cyrus mailbox isn't available. Can I avoid this? I use sasldb
> authentication for another service (sendmail smtp_auth) on the same
> server and don't want to mix up smtp and imap users. Separated sasldb
> databases would be great.

Set 'sasl_sasldb_path: path1' in /etc/imapd.conf, and 'sasldb_path: path2' in your sendmail sasl config. Use -f when creating or updating users with saslpasswd2.

--
Dan White
Re: cyradm cannot connect to cyrus imap server
On 02/21/14 10:50 +0100, Willy Offermans wrote:
> Indeed, I needed to specify an authentication mechanism and then I could
> use the command line interface of cyradm:
>
>     cyradm --user username --auth PLAIN localhost
>
> If we are at this point anyway, I was wondering what I need to do to use
> another authentication mechanism. Is this possible? And what do I need to
> consider? The IMAP server responds with the following authentication
> mechanisms:
>
>     AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN
>
> If I login with SCRAM-SHA-1:
>
>     MyName@MyComputer:~$ cyradm --user username --auth SCRAM-SHA-1 localhost
>     Password:
>     verify error:num=19:self signed certificate in certificate chain
>     cyradm: cannot authenticate to server with SCRAM-SHA-1 as username
>
> In the logs:
>
>     Feb 21 09:48:36 MyComputer imap[17576]: badlogin: localhost [127.0.0.1] SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get auxprops]
>
> I'm pretty sure that the user is registered in the ldap database.

DIGEST-MD5, CRAM-MD5, and SCRAM-SHA-1 all require cyrus sasl to have access to the shared secret (clear text password) to complete authentication. If you're using LDAP to store your user credentials, you'll need to use the ldapdb auxprop plugin and store users' clear text passwords in userPassword. Presumably you're using 'sasl_pwcheck_method: saslauthd' currently, which is sufficient for PLAIN and LOGIN authentication.

If you choose not to go the ldapdb route, I recommend specifying a sasl_mech_list to limit your mechanisms to PLAIN and LOGIN (and EXTERNAL if you intend to do starttls client authentication). If you don't do that, in your current setup, most clients will attempt to first authenticate using a shared secret mechanism (including cyradm in your initial attempt), which will always fail on that attempt.

--
Dan White
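The mismatch described above, and the "exclude shared secret mechanisms" advice for the Postfix smtpd.conf earlier in this archive, both come down to a few lines of imapd.conf that are easy to check mechanically. As an added example, not part of the thread and not Cyrus code, the script below parses the sasl_* options of an imapd.conf and flags: a shared-secret mechanism (CRAM-MD5, DIGEST-MD5, SCRAM-*, NTLM) listed while sasl_pwcheck_method is saslauthd, which can never complete because saslauthd only ever sees a plaintext password; no sasl_mech_list at all, so every installed mechanism plugin is advertised and clients try the shared-secret ones first; allowplaintext switched on alongside PLAIN/LOGIN; and a libsasl option written without the sasl_ prefix, which libsasl never sees. The option names are real imapd.conf names; the two config texts are constructed, and the verdict wording is this script's own.

```python
"""
Added example (not from the thread): a lint of the sasl_* options in
imapd.conf for the mismatches discussed on this list. The sample configs
are constructed; the option names are the real imapd.conf ones.
"""

SHARED_SECRET = {"CRAM-MD5", "DIGEST-MD5", "SCRAM-SHA-1", "SCRAM-SHA-256", "NTLM"}
PLAINTEXT = {"PLAIN", "LOGIN"}
# libsasl option names that imapd.conf only passes through when prefixed with sasl_
NEEDS_PREFIX = {"pwcheck_method", "auxprop_plugin", "mech_list", "log_level", "sasldb_path"}


def parse_imapd_conf(text):
    """imapd.conf is one 'option: value' per line; '#' starts a comment."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            opts[key.strip()] = value.strip()
    return opts


def lint_sasl(opts):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    pwcheck = opts.get("sasl_pwcheck_method", "auxprop").lower()  # libsasl's own default
    mechs = {m.upper() for m in opts.get("sasl_mech_list", "").split()}

    if not mechs:
        findings.append("no sasl_mech_list: every installed mechanism plugin is advertised, "
                        "and clients will try shared-secret ones first")
    shared = sorted(mechs & SHARED_SECRET)
    if pwcheck == "saslauthd" and shared:
        findings.append("saslauthd only verifies a plaintext password; these mechanisms "
                        "can never complete: " + " ".join(shared))
    if mechs & PLAINTEXT and opts.get("allowplaintext", "").lower() in {"yes", "1", "on", "true"}:
        findings.append("allowplaintext is on: PLAIN/LOGIN are accepted before STARTTLS")
    for key in sorted(opts):
        if key in NEEDS_PREFIX or key.startswith(("sql_", "ldapdb_")):
            findings.append(f"'{key}' lacks the sasl_ prefix, so libsasl never sees it")
    return findings


# Constructed: the shape of the configs seen in these threads, then a corrected one.
WEAK_CONF = """\
configdirectory: /var/lib/imap
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 SCRAM-SHA-1
allowplaintext: yes
auxprop_plugin: sql          # no sasl_ prefix
"""

FIXED_CONF = """\
configdirectory: /var/lib/imap
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN EXTERNAL
allowplaintext: no
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, lint_sasl(parse_imapd_conf(conf)) or ["ok"])
```

The prefix check is for imapd.conf only; a Postfix smtpd.conf or any other stand-alone libsasl config file uses the unprefixed names, which is why the Postfix example earlier in this archive is written that way.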
Re: cyradm cannot connect to cyrus imap server
On 02/21/14 16:11 +0100, Willy Offermans wrote:
> You are pointing to EXTERNAL, next to PLAIN and LOGIN. I do not
> understand this mechanism yet. At the moment I believe I have the PLAIN
> password wrapped into TLS. So I already do starttls client
> authentication. What will EXTERNAL do?

TLS client authentication is a scenario where you perform TLS authentication where the client also has a certificate. The server can then use the contents of the client certificate to derive the username (with no password, per se). For example, 'cyradm --tlskey file'. The EXTERNAL mechanism should not be offered unless TLS client authentication was successful during the starttls step.

--
Dan White
Re: cyradm cannot connect to cyrus imap server
On 02/21/14 16:33 +0100, Willy Offermans wrote:
> This sounds interesting. I thought that TLSVerifyClient demand in
> slapd.conf was forcing this behavior. I like to read more about the
> EXTERNAL mechanism. Do you recommend some reading? At the moment I will
> stick to PLAIN and play with replication, serving multiple domains etc.

A TLS primer would be the best place to start. A problem that you may encounter with EXTERNAL over STARTTLS, is that the username mapping process is not standardized, and is left up to the server implementation to perform. Cyrus imapd and slapd may do so in inconsistent ways.

--
Dan White
Re: cyradm cannot connect to cyrus imap server
On 02/20/14 10:35 +0100, Willy Offermans wrote:
> I'm setting up cyrus on my new FreeBSD 10.0 server. I have used the
> following package: cyrus-imapd24-2.4.17_4
>
> If I test my setup with imtest, I get a connection to the imap server.
>
>     MyName@MyComputer:~$ imtest -m login -u username -a username -s localhost
>     verify error:num=19:self signed certificate in certificate chain
>     TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
>     S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN SASL-IR] MyComputer Cyrus IMAP v2.4.17 server ready
>     Please enter your password:
>     C: L01 LOGIN username {13}
>     S: + go ahead
>     C: omitted
>     S: L01 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE LIST-EXTENDED WITHIN QRESYNC SCAN XLIST URLAUTH URLAUTH=BINARY LOGINDISABLED AUTH=SCRAM-SHA-1 AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=NTLM AUTH=PLAIN AUTH=LOGIN COMPRESS=DEFLATE IDLE] User logged in SESSIONID=MyComputer-11451-1392884061-1
>     Authenticated.
>     Security strength factor: 256
>
> From the message log file:
>
>     Feb 19 09:00:11 MyComputer imaps[3437]: imapd:Loading hard-coded DH parameters
>     Feb 19 09:00:11 MyComputer imaps[3437]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
>     Feb 19 09:00:11 MyComputer imaps[3437]: OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied
>     Feb 19 09:00:15 MyComputer imaps[3437]: badlogin: localhost [127.0.0.1] plaintext username SASL(-13): authentication failure: checkpass failed
>     Feb 19 09:00:30 MyComputer imaps[3437]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
>     Feb 19 09:00:30 MyComputer imaps[3437]: OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied
>     Feb 19 09:00:39 MyComputer imaps[3437]: login: localhost [127.0.0.1] username plaintext+TLS User logged in SESSIONID=MyComputer-3437-1392800430-1
>     Feb 19 09:02:18 MyComputer imaps[3437]: USAGE username user: 0.007544 sys: 0.022632
>
> However, if I try to connect via cyradm, I cannot login.
>
>     MyName@MyComputer:~$ cyradm --user username localhost
>     Password:
>     verify error:num=19:self signed certificate in certificate chain
>     cyradm: cannot authenticate to server with as username

Does the output really say this (empty username)? I'm assuming you just removed it when pasting it.

> From the message log file:
>
>     Feb 19 09:02:41 MyComputer imap[3440]: OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied
>     Feb 19 09:02:48 MyComputer imap[3440]: badlogin: localhost [127.0.0.1] SCRAM-SHA-1 [SASL(-13): user not found: unable to canonify user and get auxprops]
>     Feb 19 09:02:51 MyComputer imap[3440]: badlogin: localhost [127.0.0.1] DIGEST-MD5 [SASL(-13): user not found: unable to canonify user and get auxprops]
>     Feb 19 09:02:55 MyComputer imap[3440]: imapd:Loading hard-coded DH parameters
>     Feb 19 09:02:55 MyComputer imap[3440]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
>     Feb 19 09:02:55 MyComputer imap[3440]: OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied

In imapd.conf, set:

    sasl_mech_list: PLAIN LOGIN EXTERNAL

to remove some extraneous error messages. Try specifying a mechanism (--auth=PLAIN) in your cyradm command.

--
Dan White
Re: Still getting SQUAT errors after adding squatter to events
On 02/12/14 13:36 -0600, Joshua Battles wrote:
> Hello,
>
> I am maintaining a mail server for a very active group of users with
> large mailboxes and am having trouble getting squatter to run. I've added
> it as an event in Cyrus.conf but I am still getting the errors. The entry
> has been in the config for 24 hours and I'm still seeing squat errors.
> Here is the line I've added:
>
>     squatter cmd=/use/sbin/squatter -r user period=30

You have a typo here, in the path. Squatter resides in the sbin directory.

> What should I be checking to figure out why it isn't running? I didn't
> see anything in the logs. Does it matter that the cyrus user isn't cyrus?
> I'm new to cyrus and was handed this server already in use so pardon my
> ignorance.
>
> Thanks,
> Josh

--
Dan White
Re: imapd + sasl + ldapdb problems
On 02/04/14 20:15 -0600, Peter Erickson wrote:

> I'm trying to configure imapd to authenticate against an ldap directory using ldapdb and am running into problems. I provide hosting services (i.e. ftp, svn, mail, etc) for several people where user account information is stored in an openldap directory. In addition to having a username/password, each user also has a primary email account and a list of services that they are authorized to use.
>
> I've got authentication working using a user's uid, but I need to change this so that users are only allowed access using their email address. I believe I need this to happen as well since I'm using Cyrus' virtdomains option. Once that is done, I'll attempt to restrict access based on the existence of the proper authorizedService attribute.
>
> In hopes of requiring users to log in using their email address I set sasl_ldapdb_canon_attr, however that resulted in the following syslog messages (these same messages occur if I comment out the canonuser_attr options in imapd.conf as well):
>
>   imtest: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
>   imap[16385]: SQL engine 'mysql' not supported
>   imap[16385]: auxpropfunc error no mechanism available
>   imap[16385]: unable to canonify user and get auxprops
>   imap[16385]: badlogin: localhost [127.0.0.1] DIGEST-MD5 [SASL(-1): generic failure: unable to canonify user and get auxprops]

You'll need to have a Cyrus SASL version 2.1.23 installed for the ldapdb canonuser functionality, or you'll need to patch your existing version.
Check that you have a properly installed cyrus sasl with:

  ~$ cat > /tmp/pluginviewer.conf <<EOF
  ldapdb_uri: ldapi:///
  sql_select: select please_work from the_ether
  EOF
  ~$ SASL_CONF_PATH=/tmp /usr/sbin/saslpluginviewer -a
  Installed and properly configured auxprop mechanisms are:
  ldapdb sql sasldb
  List of auxprop plugins follows
  Plugin ldapdb , API version: 8
      supports store: yes
  Plugin sql , API version: 8
      supports store: yes
  Plugin sasldb , API version: 8
      supports store: yes
  ~$ SASL_CONF_PATH=/tmp /usr/sbin/saslpluginviewer -s | grep -i 'cram-md5\|digest-md5'
  GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS
  GSSAPI DIGEST-MD5 CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS
  SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
  SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
  ~$ strings /usr/lib/x86_64-linux-gnu/sasl2/libldapdb.so.2 | grep canon
  ldapdb_canonuser_plug_init
  sasl_canonuser_init
  ldapdb_canon_attr
  ~$ rm /tmp/pluginviewer.conf

> I tracked down the ldapdb_canonuser_plug_init() error to ldapdb_config(). When the ldapdb_uri option is read, it apparently returns a null string reference which results in SASL_BADPARAM being returned. Unfortunately, not fully understanding the SASL package, I'm not really sure where to go from here nor do I know if this will even solve my problem if it returns successfully. Any help in configuring this would be greatly appreciated.
>
> imapd.conf:
>
>   configdirectory: /var/cyrus/config
>   partition-default: /var/cyrus/spool
>   admin: cyrusadmin
>   sasl_pwcheck_method: auxprop
>   sasl_auxprop_plugin: ldapdb
>   sasl_ldapdb_uri: ldaps://localhost
>   sasl_ldapdb_id: imapd-user
>   sasl_ldapdb_pw: password
>   sasl_canon_user_plugin: ldapdb
>   sasl_ldapdb_canon_attr: mail
>   sasl_mech_list: cram-md5 digest-md5
>   virtdomains: userid
>   defaultdomain: example.com

Consider that the certificate returned by ldaps://localhost may fail, unless the certificate used by localhost is named 'localhost', or is otherwise trusted. ldapi:/// may be a better option.
Other than that, your config looks reasonable. Include an 'ldapdb_mech' option to reduce confusion. sasl_ldapdb_canon_attr may need to be 'uid' instead, since example.com is the default domain.

This command should succeed, and return the DN of the test user if your config is good:

  ldapwhoami -Y digest-md5 -H ldaps://localhost -U imapd-user -w password -X u:tuser

(or u:tu...@example.com? not sure)

example ldap entry:

  dn: cn=test user,o=hosted_domain,ou=hosting,dc=example.com
  objectclass: top
  objectclass: inetOrgPerson
  objectclass: authorizedServiceObject
  cn: test user
  sn: user
  uid: tuser
  mail: tu...@example.com
  userPassword: password
  authorizedService: mail
  authorizedService: svn

--
Dan White
Re: imapd + sasl + ldapdb problems
On 02/05/14 11:15 -0600, Peter Erickson wrote:

>>>   virtdomains: userid
>>>   defaultdomain: example.com
>>
>> Other than that, your config looks reasonable. Include an 'ldapdb_mech' option to reduce confusion. sasl_ldapdb_canon_attr may need to be 'uid' instead, since example.com is the default domain.
>>
>> This command should succeed, and return the DN of the test user if your config is good:
>
> Just to make sure that I'm understanding the options right, is there a good explanation for what sasl_ldapdb_canon_attr does? I'm not quite sure that I understand its purpose.

sasl_ldapdb_canon_attr will be the resolved identity that sasl hands back to cyrus. The identity will be used to find the user's INBOX. Having a default domain complicates things a bit (and you may have to experiment; I don't define a default domain). Basically, the sasl_ldapdb_canon_attr should equal the user portion of their INBOX name. It's handy in scenarios where the authentication identity differs from the mailbox name (name change, for instance).

> Based on the following, it's possible that my problem isn't with cyrus imapd/sasl, but a misunderstanding of the ldap proxy authorization process and I need to recheck my ldap config. I'm more accustomed to using ldap filters and a base instead of the proxy authorization.
>
>   # ldapwhoami -Y digest-md5 -U imapd-user -w password -X u:tuser -Z
>   SASL/DIGEST-MD5 authentication started
>   SASL username: u:tuser
>   SASL SSF: 128
>   SASL data security layer installed.
>   dn:cn=test user,o=hosted_domain,ou=hosting,dc=example.com

This looks good.

>   # ldapwhoami -Y digest-md5 -U imapd-user -w password -X u:tu...@example.com -Z
>   SASL/DIGEST-MD5 authentication started
>   ldap_sasl_interactive_bind_s: Insufficient access (50)
>           additional info: SASL(-14): authorization failure: not authorized

You may need a different or better authz-regexp rule here, or you may need to adjust your authzto/authzfrom rules.
See: http://www.openldap.org/doc/admin24/sasl.html#SASL Proxy Authorization

--
Dan White
Re: Protecting message files access even from root
On 01/31/14 14:10 -0200, Fabio S. Schmidt wrote:

> Hello!
>
> Considering that Cyrus stores messages in files, does anyone have any experience on the protection of access to these files, even for the root user? I researched about SELINUX and found no conclusive documentation.

Are you attempting to prevent local access (from a physical administrator), or remote access via root login? How does cyrus differ from other email stores that you've dealt with (security wise)?

--
Dan White
Re: Postfix with Cyrus Imap
On 01/26/14 02:28 +, Karol Pomaski wrote:

> Yes, I have all the files. I am using Debian, do you know if this patch is already there?

I don't think so, but you could check with pkg-cyrus-imapd-debian-de...@lists.alioth.debian.org.

> Here I send you all my configuration files. Could you check what is incorrect? Also, while trying to connect through cyradm using the 'cyrus' user it doesn't permit me to enter. Which password should be used for the cyrus user?

Below, you have configured the admin user to be 'cyrus'. You will need to have that user configured within your mysql database, with whatever password you wish to use.

> imapd.conf
>
>   admins: cyrus
>   autocreatequota: -1
>   virtdomains: on
>   allowplaintext: yes
>   sasl_mech_list: PLAIN LOGIN
>   sasl_minimum_layer: 0
>   #sasl_maximum_layer: 256
>   #loginrealms: example.com
>   #defaultdomain:
>   sasl_pwcheck_method: saslauthd
>   #sasl_auxprop_plugin: sasldb
>   sasl_auto_transition: no

Your SASL config matches up pretty well with your postfix sasl config.

Your virtual domain configuration appears broken. See:

http://cyrusimap.org/docs/cyrus-imapd/2.4.17/install-virtdomains.php

You may wish to specify a default domain (for your primary admin/cyradm logins), and then list all supported domains within 'loginrealms'. 'virtdomains: userid' may be more appropriate.

> smtpd.conf
>
>   pwcheck_method: saslauthd
>   mech_list: plain login
>   allow_plaintext: true
>   auxprop_plugin: sql
>   sql_engine: mysql
>   sql_hostnames: 127.0.0.1
>   sql_user: mail_admin
>   sql_passwd: 111
>   sql_database: mail
>   sql_select: select password from users where email = '%u@%r'

Assuming your postfix was compiled against cyrus sasl, your 'auxprop_plugin' and 'sql_*' statements here likely have no effect on your postfix user authentication. I would comment them out and verify, since it's likely adding to some confusion.
> /etc/defaults/saslauthd
>
>   START=yes
>   DESC="SASL Authentication Daemon"
>   NAME="saslauthd"
>   MECHANISMS="pam"
>   MECH_OPTIONS=""
>   THREADS=5
>   OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

This is a problem, as by default cyrus imapd will attempt to communicate with saslauthd using the standard mux location. See:

http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&msg=54942

for options. For troubleshooting, I run saslauthd in debug mode to verify imapd is able to communicate with the saslauthd mux.

--
Dan White
Re: Postfix with Cyrus Imap
On 01/25/14 16:21 +, Karol Pomaski wrote:

> my main.cf
>
>   smtpd_sasl_auth_enable = yes
>   smtpd_sasl_security_options = noanonymous

You should have a sasl smtpd.conf file with authentication details, such as in /etc/postfix/sasl or /usr/lib/sasl2/ (saslfinger is useful here). You should be able to prepend 'sasl_' to its configuration and insert those statements into /etc/imapd.conf.

> Postfix uses the DB correctly, but Cyrus Imap does not. As you haven't answered my question, is it possible to add an account to the MySQL DB and then have the mailbox created automatically (without using cyradm)?

You may need to apply this patch if your OS's package has not included them:

http://code.uoa.gr/p/cyrus/autocreate/

--
Dan White
Re: Postfix with Cyrus Imap
On 01/24/14 21:03 +, Karol Pomaski wrote:

> Hello All,
>
> I have a question. I am trying to integrate Cyrus Imap with Postfix. My postfix user accounts are on my MySQL db. All the passwords are encrypted using the ENCRYPT() method in MySQL. My question is, is it possible to force Cyrus Imap to use the same password and email as postfix uses? Is it possible that when I add a new account on my DB, it will create the mailbox automatically?

What does your postfix config look like? Does it use sasl to authenticate your users?

--
Dan White
Re: Postfix + Cyrus Sasl problem
On 12/18/13 16:25 -0500, Eric Abreu Alamo wrote:

> Hello all:
>
> Recently I have been trying to install and configure Postfix + Cyrus + Sasl auth (with smtp auth) and I found the following problem. I have installed and configured Cyrus, Postfix and Sasl, and everything is right until smtp auth. When I edit the /etc/default/saslauthd file and I change the line
>
>   OPTIONS="-c -m /var/run/saslauthd"
>
> to
>
>   OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
>
> where the postfix chroot directory is, and I run dpkg-statoverride with 750, 7 for the root user owner and 5 for the sasl group, I restart those services and after doing that, I get smtp auth but the Cyrus authentication service fails, so I can't access through the imap service.
>
> Has somebody configured those daemons before? I'm using Ubuntu 12.04 LTS OS.

You can modify the path that cyrus imapd uses, assuming that it has appropriate file permissions to do so, with (in /etc/imapd.conf):

  sasl_saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux

although it may make more sense to just unchroot your smtpd process(es) within /etc/postfix/master.cf.

Another option is to run two saslauthd instances, one using the default mux path, and the second underneath the postfix chroot.

--
Dan White
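Both this thread and the "Postfix with Cyrus Imap" one above come down to the same question: can the uid imapd runs as reach the saslauthd mux once it lives under the postfix chroot with a 750 root:sasl directory in front of it? The script below is an added example, not Cyrus or saslauthd code. It evaluates the mode bits the way the kernel would for a given uid and set of gids (search permission on every directory on the way, write permission on the socket), without switching user, so it can be run as an ordinary admin. The directory tree, the "cyrus" uid and the gid standing in for the sasl group are all constructed in a temp dir; the world-writable mode on the mux socket itself is an assumption about how saslauthd creates it.

```python
"""Would a given uid/gid set be able to connect() to a saslauthd mux?

Added example for the two postfix-chroot threads above; not Cyrus code.
Only mode bits are evaluated (no ACLs, no SELinux), which is enough to
explain the "Permission denied" those threads describe.
"""
import os
import socket
import stat
import tempfile


def _allowed(st, uid, gids, want):
    """Classic Unix DAC check for one inode: pick the owner, group or
    other bit triple that applies and require every bit in `want`
    (r=4, w=2, x=1). Root bypasses the check entirely here."""
    if uid == 0:
        return True
    mode = st.st_mode
    if st.st_uid == uid:
        bits = (mode >> 6) & 7
    elif st.st_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want


def check_mux_access(mux_path, uid, gids):
    """Return (ok, reason) for a process with this uid and these gids
    trying to connect() to the unix socket at mux_path: search (x) on
    every directory on the way, then write (w) on the socket inode."""
    mux_path = os.path.abspath(mux_path)
    parts = mux_path.split(os.sep)
    for i in range(1, len(parts)):                 # "/", "/var", ... parent of mux
        d = os.sep.join(parts[:i]) or os.sep
        try:
            st = os.stat(d)
        except OSError as e:
            return False, f"{d}: {e.strerror}"
        if not _allowed(st, uid, gids, 1):
            return False, (f"{d}: no search permission for uid {uid} "
                           f"(mode {stat.filemode(st.st_mode)}, owner {st.st_uid}:{st.st_gid})")
    try:
        st = os.stat(mux_path)
    except OSError as e:
        return False, f"{mux_path}: {e.strerror}"
    if not stat.S_ISSOCK(st.st_mode):
        return False, f"{mux_path}: not a unix domain socket"
    if not _allowed(st, uid, gids, 2):
        return False, f"{mux_path}: no write permission on the socket"
    return True, "ok"


def demo():
    """Lay out the postfix-chroot arrangement from the thread in a temp dir
    and evaluate it for a 'cyrus' uid outside the sasl group, then for the
    same uid with the sasl gid. Uids/gids are constructed: the current
    group stands in for 'sasl', and the cyrus uid is one that owns nothing."""
    me_uid, me_gid = os.getuid(), os.getgid()
    cyrus_uid = me_uid + 1000
    other_gid = me_gid + 1000
    with tempfile.TemporaryDirectory() as root:
        rundir = os.path.join(root, "postfix", "var", "run", "saslauthd")
        os.makedirs(rundir)
        d = root                                   # everything above the mux is 0755
        for name in ("postfix", "var", "run"):
            os.chmod(d, 0o755)
            d = os.path.join(d, name)
        os.chmod(d, 0o755)
        os.chmod(rundir, 0o750)                    # dpkg-statoverride root:sasl 750
        mux = os.path.join(rundir, "mux")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(mux)
        os.chmod(mux, 0o666)                       # assumption: mux itself is world-writable
        try:
            outside_sasl = check_mux_access(mux, cyrus_uid, {other_gid})
            inside_sasl = check_mux_access(mux, cyrus_uid, {me_gid})
        finally:
            srv.close()
        return outside_sasl, inside_sasl


if __name__ == "__main__":
    for label, result in zip(("cyrus not in sasl", "cyrus in sasl"), demo()):
        print(f"{label}: {result}")
```

The first result fails at the saslauthd directory, which is exactly where the chrooted layout differs from the default /var/run/saslauthd, and the second passes: adding the cyrus user to the sasl group (or pointing sasl_saslauthd_path at a mux the user can already reach) is the fix, and this check tells you which before you touch the running service.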
Re: allowplaintext: no and aggregates
On 12/06/13 14:04 -0500, sofkam wrote:

> We are running a murder aggregate:
>
>   Front-end db
>   Three front-end servers
>   One back end server
>
> Starting next year we are no longer permitting unencrypted connections (long time coming). Our supported authentication mechanisms are:
>
>   sasl_mech_list: PLAIN LOGIN
>
> When I change allowplaintext to no, will the back-end and front-end servers be able to communicate with each other? Or, do I need to add an additional non-plain authentication mechanism? Will the db-server require plain-text logins?

Enabling TLS should allow plaintext logins even where allowplaintext is set to no.

You could also enable sasldb or another auxprop plugin, and use a shared secret mechanism such as digest-md5, for your server to server communications. However, if you enable a shared secret mechanism on a frontend server, or a backend server (if you allow clients to connect directly to one), you will likely see authentication failures from clients attempting digest-md5 auth, unless those users exist within your auxprop database.

--
Dan White
Re: Disable client authentication with certificates
On 12/03/13 14:29 +0200, Stefan Gofferje wrote:

> Hi,
>
> I have a Cyrus IMAP and Postfix running. Some time ago, I configured them for TLS and recently, I started to use also Thunderbird on those and Thunderbird is asking me on startup which certificate to use for identification for IMAP. Is there a way to tell Cyrus to *not* request the client certificates at all?
>
> Config attached.
>
>   rfc_ignore_8bit: on
>   configdirectory: /var/lib/imap
>   #artition-default: /var/spool/imap
>   partition-default: /server/imap
>   sievedir: /var/lib/sieve
>   admins: cyrus nobody
>   lmtp_admins: cyrus nobody
>   allowanonymouslogin: no
>   autocreatequota: 1
>   #reject8bit: no
>   quotawarn: 90
>   timeout: 30
>   poptimeout: 10
>   dracinterval: 0
>   drachost: localhost
>   sasl_pwcheck_method: auxprop
>   auxprop_plugin: sasldb
>   postuser: shared
>   allowplaintext: yes
>   lmtp_overquota_perm_failure: no
>   lmtpsocket: /var/spool/postfix/public/lmtp
>   #
>   # if you want TLS, you have to generate certificates and keys
>   #
>   tls_cert_file: /etc/apache2/x.x.x.pem
>   tls_key_file: /etc/apache2/x.x.x.pem
>   tls_ca_file: /etc/apache2/ca-certs.pem
>   #tls_ca_path: /usr/ssl/CA
>   tls_require_cert: false
>   tls_imap_require_cert: false
>   tls_pop3_require_cert: false
>   tls_lmtp_require_cert: false
>   tls_sieve_require_cert: false

What log entries do you see during TLS authentication? Verify that this is a server side problem with imtest.

--
Dan White
Re: Disable client authentication with certificates
On 12/03/13 19:52 +0200, Stefan Gofferje wrote:

> On 12/03/2013 04:39 PM, Dan White wrote:
>> What log entries do you see during TLS authentication?
>
>   Dec 3 19:13:10 home imap[17224]: SSL_accept() succeeded - done
>   Dec 3 19:13:10 home imap[17224]: starttls: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits new) no authentication
>   Dec 3 19:13:10 home imap[17224]: fetching user_deny.db entry for ''
>   Dec 3 19:13:10 home imap[17224]: login: enterprise.net.loc [xxx.xxx.xxx.xxx] plain+TLS User logged in

This looks successful, from the server's viewpoint.

>   Dec 3 19:13:10 home imap[17224]: fetching user_deny.db entry for ''
>   Dec 3 19:13:10 home imap[17224]: created decompress buffer of 4102 bytes
>   Dec 3 19:13:10 home imap[17224]: created compress buffer of 4102 bytes
>   Dec 3 19:13:10 home imap[17224]: fetching user_deny.db entry for ''
>   Dec 3 19:13:10 home imap[17224]: client id: name Thunderbird version 24.1.0
>   Dec 3 19:13:10 home imap[17224]: fetching user_deny.db entry for ''
>   Dec 3 19:13:10 home imap[17224]: fetching user_deny.db entry for ''
>   Dec 3 19:13:10 home imap[17224]: fetching user_deny.db entry for ''
>   Dec 3 19:13:10 home imap[17225]: fetching user_deny.db entry for ''
>   Dec 3 19:13:10 home imap[17225]: seen_db: user opened /var/lib/imap/user/s/.seen
>   Dec 3 19:13:10 home imap[17224]: fetching user_deny.db entry for ''
>   Dec 3 19:13:10 home imap[17224]: fetching user_deny.db entry for ''
>   Dec 3 19:13:10 home imap[17224]: seen_db: user opened /var/lib/imap/user/s/sgofferj.seen
>   Dec 3 19:13:10 home imap[17225]: open: user opened INBOX
>   Dec 3 19:13:10 home imap[17225]: fetching user_deny.db entry for ''
>
>> Verify that this is a server side problem with imtest.
>
> Unfortunately, I don't know how to use imtest, nor do I speak IMAP fluently so I could test with netcat...

imtest -t "" host will attempt a starttls connection without submitting a client certificate. If that succeeds, then it proves that your server supports TLS without client authentication. See that manpage for other options (e.g. imaps).

> On my Android, I use K9-mail and that does not ask which client certificate to use, but it could be that K9 doesn't support certificate authentication anyway, plus I don't have any client certificates installed there...

--
Dan White
Re: Cyrus 2.4.x logging issue
On 07/10/13 09:52 +0200, Lars Schimmer wrote:

> Hi!
>
> I do run debian cyrus imapd 2.4.12-2+b1 on my box. But for a long time, the logging did annoy me big time. Now with a central logfile server, it annoys me even more. How can I reduce the stuff cyrus is logging? Currently it logs all login/prune/lookup/... nearly everything. Or any other tip on how I can reduce the logging of cyrus in conjunction with rsyslog?

See:

http://cyrusimap.org/docs/cyrus-imapd/2.4.17/install-configure.php
/usr/share/doc/cyrus-imapd-x.x/README.Debian.debug.gz

Debian packages use syslog facility mail (for cyrus-imap) instead of local6. And Debian configures a verbose level by default.

--
Dan White
Re: Imapd and diffie hellman encryption
On 06/27/13 13:36 +0200, Vladislav Kurz wrote:

> Hello all,
>
> recently I read an article about perfect forward secrecy, and so I have tried all of our services to see what ciphers they use. I have found that most of them use DHE-RSA-AES256-SHA (which I suppose has PFS thanks to DH key exchange), but Cyrus IMAPd (and POP3d) used only AES256-SHA. When I set my client to use only DHE-RSA-AES256-SHA, the connection was refused. So, is there anything I can do to enable DH key negotiation in imapd.conf?
>
> My tls options from imapd.conf are:
>
>   tls_cert_file: /etc/ssl/certs/mail.crt
>   tls_key_file: /etc/ssl/private/mail.key
>   tls_ca_path: /etc/ssl/certs
>   tls_session_timeout: 1440
>   tls_require_cert: false
>
> mail.crt also contains the whole certificate chain of the public certificate authority that issued my certificate. /etc/ssl/certs contains only a few certificates - one is the same as included in mail.crt, and the others belong to our governmental CA - some clients tried to send them to the server to authenticate, even though authentication is only password based.
>
> Somewhere I found a howto that suggested adding DH parameters to either the cert or key file (they used one for both), but it didn't work.

Try setting tls_cipher_list. See imapd.conf(5) and ciphers(1).

--
Dan White
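The poster found the non-PFS suite by probing with a client; the same answer is already in the imapd log, since every STARTTLS negotiation is logged in the form shown earlier on this page ("starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication"). The audit below is an added example, not Cyrus code: it parses such lines and decides forward secrecy from the OpenSSL cipher name's key-exchange prefix (DHE-/ECDHE- and the EDH-/EECDH- aliases are ephemeral; a bare name such as AES256-SHA is static RSA key transport; TLS 1.3 suites named TLS_... are always ephemeral). The log lines are constructed; the classification by name is an assumption that holds for OpenSSL's standard cipher names, which is what Cyrus logs.

```python
"""Audit Cyrus 'starttls:' syslog lines for forward secrecy.

Added example for the info-cyrus thread above; not Cyrus code.
"""
import re
from collections import Counter

# Constructed sample in the format Cyrus imapd/pop3d log on STARTTLS.
SAMPLE_LOG = """\
Jun 27 13:36:01 mail imap[4011]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Jun 27 13:36:05 mail pop3[4012]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits reused) no authentication
Jun 27 13:36:09 mail imap[4013]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
Jun 27 13:36:12 mail imap[4014]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits new) no authentication
Jun 27 13:36:20 mail imap[4015]: login: host [192.0.2.10] user plain+TLS User logged in
""".splitlines()

STARTTLS_RE = re.compile(
    r"(?P<service>\w+)\[(?P<pid>\d+)\]: starttls: (?P<proto>\S+) with cipher "
    r"(?P<cipher>\S+) \((?P<bits>\d+)/(?P<algbits>\d+) bits (?P<reuse>\w+)\)"
    r"(?: (?P<auth>.*))?$"
)

# OpenSSL name prefixes that denote ephemeral (EC)DH key exchange.
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EECDH-", "EDH-")


def has_forward_secrecy(cipher):
    """True when the negotiated suite's key exchange is ephemeral."""
    if cipher.startswith("TLS_"):          # TLS 1.3 suites: (EC)DHE by construction
        return True
    return cipher.startswith(EPHEMERAL_PREFIXES)


def parse_starttls(line):
    """Return a dict for a starttls line, or None for any other log line."""
    m = STARTTLS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bits"] = int(rec["bits"])
    rec["algbits"] = int(rec["algbits"])
    rec["pfs"] = has_forward_secrecy(rec["cipher"])
    return rec


def audit(lines):
    """Return (Counter keyed by (proto, cipher, pfs), list of non-PFS lines)."""
    summary = Counter()
    non_pfs = []
    for line in lines:
        rec = parse_starttls(line)
        if rec is None:
            continue
        summary[(rec["proto"], rec["cipher"], rec["pfs"])] += 1
        if not rec["pfs"]:
            non_pfs.append(line)
    return summary, non_pfs


if __name__ == "__main__":
    summary, non_pfs = audit(SAMPLE_LOG)
    for (proto, cipher, pfs), n in sorted(summary.items()):
        print(f"{n:4d}  {proto:8s} {cipher:32s} {'PFS' if pfs else 'no PFS'}")
    print(f"{len(non_pfs)} session(s) without forward secrecy")
```

Feed it the real imapd log (for example `audit(open('/var/log/mail.log'))`) to see which suites clients are actually landing on. The remedy the reply points at is a tls_cipher_list that prefers ephemeral key exchange, for instance "ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:!aNULL:!eNULL:!MD5" in OpenSSL cipher-string syntax, after which this audit should report no non-PFS sessions except from clients that cannot do better.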
Re: Trouble with sieve
On 06/04/13 17:11 -0600, Jason Bailey wrote:

> All,
>
> I have a CentOS 6 mail system running Cyrus version 2.3.16, which is configured to use virtual domains. Sieve is enabled, and indeed runs for some mailboxes, but not for others. I'm struggling to find a solution.
>
> Case in point. I have a script that is supposed to file incoming messages into specific sub-folders. The problem is, it doesn't do anything (script doesn't seem to execute). Messages simply arrive in the root of the inbox. I'm puzzled because I have used this very same script for years.
>
> Message sources show that the X-Sieve header is set and is reporting CMU Sieve 2.3. The server also shows sieve listening on port 4190. Scripts uploaded with sieveshell are copied and installed without error.
>
> I looked at my mail log, but it isn't telling me much. The only Cyrus related error I can find is one about duplicate_mark. There isn't much there about Sieve besides logins. I ran sivtest and all seems good there.
>
> I'm not sure what to look for. Any ideas? Help is appreciated.

Did you activate the uploaded script? Was the script successfully compiled to bytecode?

--
Dan White
Re: MD5 Passwords in MySql?
On 03/24/13 14:21 +, Charles Bradshaw wrote:

> In my /etc/imapd.conf I'm using:
>
>   sasl_auxprop_plugin: sql
>   sasl_sql_engine: mysql
>
> I want to store MD5 hashed passwords in my database. Is this possible?

SASL 2.1.26 contains support for 'pwcheck_method: auxprop-hashed', but it is undocumented. I believe it's based on a previously circulated patch that you can google for. Using such a configuration will require you to use the PLAIN or LOGIN mechanisms (or pre-sasl login/pass IMAP authentication).

--
Dan White
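The restriction to PLAIN/LOGIN in the reply above, and the warning in the "allowplaintext: no and aggregates" thread that enabling digest-md5 breaks clients whose users are not in the auxprop store, have the same cause: shared-secret mechanisms need the server to hold the cleartext (or a mechanism-specific intermediate), while a hashed column only lets the server hash whatever PLAIN delivered and compare. The script below is an added example, not Cyrus SASL code, and its user table is constructed: it implements both sides of CRAM-MD5 (RFC 2195, HMAC-MD5 keyed with the password) and a PLAIN check against an MD5 column, and shows the CRAM-MD5 verification failing for the hashed user even though the client did everything right.

```python
"""Why a hashed password column limits you to PLAIN/LOGIN.

Added example for the MD5-in-MySQL thread above; not Cyrus SASL code.
"""
import hashlib
import hmac
import os

# Constructed user table: one cleartext secret, one MD5 hex digest as the
# sql_select in the thread would return it.
USERS = {
    "alice": {"password": "correct horse"},
    "bob": {"password_md5": hashlib.md5(b"battery staple").hexdigest()},
}


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def verify_plain(user, password):
    """What an auxprop-hashed style check has to do: PLAIN delivered the
    cleartext, so hash it and compare (constant-time) with the column."""
    rec = USERS.get(user)
    if rec is None:
        return False
    if "password" in rec:
        return hmac.compare_digest(rec["password"], password)
    return hmac.compare_digest(rec["password_md5"], md5_hex(password))


def cram_md5_response(user, password, challenge):
    """Client side of CRAM-MD5: 'user ' + hex(HMAC-MD5(password, challenge))."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}"


def verify_cram_md5(response, challenge):
    """Server side of CRAM-MD5. The HMAC key is the cleartext password, so a
    server that only stores md5(password) cannot recompute the response."""
    user, _, digest = response.partition(" ")
    rec = USERS.get(user)
    if rec is None or "password" not in rec:
        return False                      # hashed column: nothing to key the HMAC with
    expected = hmac.new(rec["password"].encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def new_challenge():
    """RFC 2195 challenges look like a msg-id; unpredictability is what matters."""
    return f"<{os.urandom(8).hex()}@mail.example.com>".encode()


def demo():
    """The four outcomes a practitioner should expect from this table."""
    ch = new_challenge()
    return {
        "alice_plain": verify_plain("alice", "correct horse"),
        "bob_plain": verify_plain("bob", "battery staple"),
        "alice_cram": verify_cram_md5(cram_md5_response("alice", "correct horse", ch), ch),
        "bob_cram": verify_cram_md5(cram_md5_response("bob", "battery staple", ch), ch),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```

bob_cram is the failure the aggregates thread predicts for every user who is not in the auxprop store with a usable secret, and it is why advertising CRAM-MD5 or DIGEST-MD5 in sasl_mech_list next to a hashed-password backend produces badlogin entries rather than stronger authentication. With PLAIN over TLS, the transport carries the confidentiality and the hashed column keeps working.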
Re: uppercase usernames
On 03/10/13 23:28 +0100, Joerg Maier wrote:

> Hi List,
>
> I have been using cyrus for ~8 years for a mailserver with ~200 mail accounts. After transferring a mailserver from cyrus 2.2 to 2.4, I have an issue with usernames containing uppercase letters. Up to now, I did treat the part before the @ as case sensitive, and I allowed users to create mailboxes like TestCApital.
>
> I have set:
>
>   lmtp_downcase_rcpt: 0
>   username_tolower: 0
>
> When I try:
>
>   testsaslauthd -u TestCApital.domain -p password
>
> I get 0: OK Success. But when I try to log on via imap, I see in the logs:
>
>   ... saslauthd[24118]: do_auth : auth failure: [user=testcapital.domain] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
>
> What is the best solution to work around this?

Do you get the same result with imtest?

--
Dan White
Re: Login with an alias ID
On 02/28/13 11:33 +0530, Ram wrote:

> Does cyrus implement login with an alias id? If the mailbox of a user is created with a long email id, it may be helpful to allow login with a short nickname, so the user has a choice of logging in with either his full email-id or nickname to the same mailbox.

You can implement this using a sasl canonicalization plugin. Sasl version 2.1.25 (and greater) supports canonicalization with the ldapdb shared library. There is a patch in bugzilla to implement support in the sql shared library.

See: http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/options.php (search for 'canon'). The best source of documentation is the cyrus-sasl mailing list archives.

--
Dan White
Re: cyrus-imap: 'realm' is missing when authenticate against LDAP with ldapdb plugin
> On 102/2/26 10:30 PM, Dan White wrote:
>> On 02/26/13 13:26 +0800, Lingfeng Xiong wrote:
>>>   sasl_pwcheck_method: auxprop
>>>   sasl_auxprop_plugin: ldapdb
>>>   sasl_ldapdb_uri: ldap://MY-LDAP-SERVER
>>>   sasl_ldapdb_id: CYRUS-PROXY-USER-NAME
>>>   sasl_ldapdb_pw: CYRUS-PROXY-USER-PASSWORD
>>>   sasl_ldapdb_mech: DIGEST-MD5
>>>   sasl_log_level: 7
>>>
>>> When I tried to log in with a user like 't...@example.net', I expected it to look for 'uid=t...@example.net,cn=digest-md5,cn=auth' in OpenLDAP. But according to OpenLDAP's log, it passed 'uid=test,cn=digest-md5,cn=auth' to it. Apparently, 'realm' has been ignored.
>>>
>>> Is there any way for me to make cyrus-imapd query the username with its realm to OpenLDAP? Or is my methodology completely incorrect?
>>
>> Do you have virtdomains enabled (or set to userid)? Does this only happen with one domain (@example.net)? If so, then do you have a defaultdomain option set?

On 02/27/13 20:54 +0800, Bear wrote:

> Hi Dan,
>
> Thanks for your reply. I found that no matter how I set the virtdomains and default domains, I always got a 'uid=test,cn=digest-md5,cn=auth'-like dn in LDAP when running 'imtest'. I tried to set the '-r' argument or just append the domain to the username in '-u', both are just the same...

You should be using a -a option here, such as:

  imtest -m DIGEST-MD5 -a t...@example.net imap_host

Compare the slapd logs to when running this command:

  ldapwhoami -Y DIGEST-MD5 -H ldap://MY-LDAP-SERVER -U t...@example.net

If you want to simulate the function of the ldapdb auxprop plugin, try:

  ldapwhoami -Y DIGEST-MD5 -H ldap://MY-LDAP-SERVER -U CYRUS-PROXY-USER-NAME -X u:t...@example.net -w CYRUS-PROXY-USER-PASSWORD

which should return the DN for t...@example.net. Then do:

  ldapsearch -Y DIGEST-MD5 -H ldap://MY-LDAP-SERVER -U CYRUS-PROXY-USER-NAME -X u:t...@example.net -w CYRUS-PROXY-USER-PASSWORD -b $user_dn userPassword

which should return the user's password.

Add a '-d -1' option to the ldapwhoami/ldapsearch commands for detailed debugging information.
--
Dan White