Re: folders created with cyradm not deletable by cyradm
Hello,

I think you are getting caught on two things. The IMAP protocol itself has this concept of an inbox. In cyrus, the user's inbox folder name is usually user.username, where username is replaced with the id of the person logging in.

Second, anyone, including the admin user, must be granted explicit rights to delete a folder. This minimizes mistakes/accidents.

Regards,
Earl Shannon

Stefan Schlörholz wrote:

Hi there,

Again I rely on you. In cyradm I created a mailbox to solve another problem (posted before and not yet solved: bringing back the special mailboxes). I logged in to cyradm as cyrus. I created the folders user.hans.INBOX, user.hans.INBOX.Sent and user.hans.INBOX.Drafts.

Since this did help with my problem of missing special folders I want to delete them again e.g. using dm user.hans.INBOX.Sent. cyradm says Permission denied.

When logging in as user hans and doing a dm INBOX.Drafts I get Invalid mailbox name. This also is the case when trying to access/delete these folders by a client (KMail). Doing a dm INBOX as user hans I get Operation is not supported on mailbox.

A lm as user hans gives me (beside others) two INBOX folders INBOX (\HasChildren) and INBOX (\Noinferiors) INBOX.Drafts (\HasNoChildren) INBOX.Sent (\HasNoChildren)

Can anybody help in order to get rid of those folders?

Best regards
Stefan

--
Systems Programmer, Information Technology Division
NC State University.
http://www.earl.ncsu.edu

Anonymous child
Some people can tell the time by looking at the sun, but I have trouble seeing the numbers.

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: Basic FAQs and HOWTOs
Hello,

Google for Naked Ape Consulting. Seems like I remember them/him posting something in the last week or so about some work that's been done on some documentation. It should be in the list archives also.

Regards,
Earl Shannon

Forrest Aldrich wrote:

I'm new to Cyrus IMAPD SASL2. For the time being, using the FreeBSD ports to build and configure. Having a devil of a time making some sense of the configuration process (post build), getting imtest to authenticate correctly, etc.

I don't see any up-to-date FAQs out there, but I imagine there has to be, for something this complex. Can someone point me there - or even some basic step-by-step outline of the build and *.conf editing processes.

Thanks.
Re: Restrict IMAP usage to certain hosts
Hello,

Frankly, I'd ask you to justify having to meet both conditions. If they can use Webmail, why not let them use a real client? That's what we do here at NCSU.

That said, since you say you can meet condition 1, you might create a proxy user who does all logins from the Webmail service. Users would/should still have to authenticate to Webmail. After they do that the proxy user actually logs in to the IMAP server. This would probably take some work writing code on the webmail side of things though in order to make sure users don't do things to other users. Unless of course a webmail client already supports doing this.

Regards,
Earl Shannon

Bart Boelaert wrote:

Hello all,

Cyrus IMAP relies on Cyrus SASL for authentication purposes. I now want to set-up the following configuration :

1) Certain users should be allowed IMAP access from any host, all other users should use POP3
2) IMAP access should be allowed for all users, when they check their e-mail via webmail (which retrieves the mail via IMAP). Webmail is installed on a web server located near the mail server.

Currently saslauthd uses PAM and PAM connects to a MySQL database in order to verify the login credentials. There's also a PAM listfile that allows/denies access based on the service and username supplied by saslauthd (so, condition 1 is met).

So far, I didn't succeed in meeting condition 2. I already discovered (correct me if I'm wrong) that the saslauthd does not pass the remote host to PAM. Filtering on the remote host via a listfile would otherwise have solved my problem.

Can anyone give me an alternative for meeting both condition 1 and 2?

Thanks in advance!
Bart.
Re: Software Quality rant (was Re: Large email account)
Hello,

I don't want to sound like I'm defending poorly written software. BUT, If it doesn't look pretty people won't want to use it. And if no one is going to use your software, why write it?

Again, I'm not defending insecure and otherwise poorly written software. I'm saying that users want pretty AND do what I want software. And without users the software is pointless.

Do users really know the difference between CRAM-MD5 and Kerberos? Or even IMAP vs. POP? But they do know what they think looks cool.

Regards,
Earl Shannon

Michael Loftis wrote:

--On Tuesday, December 21, 2004 08:53 -0200 Henrique de Moraes Holschuh [EMAIL PROTECTED] wrote:

On Tue, 21 Dec 2004, Simon Matter wrote:

The nice thing about Thunderbird is that it works fine. Same goes for recent kmail versions. Mulberry and PINE may do it better, but they don't look better.

We are talking Unix here (industrial strength tools, focus on doing things right, etc) or are we talking Microsoft-based Professional Software here (the MAIL FROM: [EMAIL PROTECTED] crowd)?

Not that Thunderbird is that bad. It is *not*. But it really saddens me to see more and more developers get caught on the pretty is more important than functionality mentality.

This has nothing to do with Thunderbird. And I have to agree with Henrique here, and not just because he keeps Cyrus backported for my older Woody installs :)

Working at a web host we deal with all of the major PHP packages. I won't name any names, but most of them are pretty poorly written. Riddled with bugs and security holes. Because they're written to do one thing, look pretty. Security is bolted on as an afterthought.
Compiling Sieve
Hello,

We are preparing to migrate an older cyrus install to a newer one. One of the things we are having to address is the sieve scripts being compiled to byte code. We've not yet found a complete answer to how a script goes from text on my client to byte code on the server.

We've been using text scripts and do know that sievec makes a script into byte code, but the tools we have don't work on the new server as the making stuff into byte-code part seems to be skipped.

Thanks for any help.

Regards,
Earl Shannon
Re: imtest fails w/ Authentication failed. no mechanism available
Hello,

I see the PLAIN mech being advertised by the server. I'd check and make sure the SASL libraries can be found by the imtest client.

Regards,
Earl Shannon

OpenMacNews wrote:

hi all,

i've newly built/installed:

    exim-4.43
    cyrus-imap-2.28
    cyrus-sasl-2.1.19

on OSX 10.3.5

plus, i've been moving to MySQL support for virtual domains using VExim ...

so, at this point, exim seems to run fine, responding to send-tests, etc. as expected.

when testing cyrus-imap w/ TLS, however, i'm having some issues. specifically, when i:

    % /usr/local/cyrus-imap/bin/imtest -t -m plain -a testuser -p imap testdomain.com

it fails with an Authentication failed. no mechanism available:

    S: * OK testserver.testdomain.com Cyrus IMAP4 v2.2.8 server ready
    C: C01 CAPABILITY
    S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS LISTEXT LIST-SUBSCRIBED
    S: C01 OK Completed
    C: S01 STARTTLS
    S: S01 OK Begin TLS negotiation now
    verify error:num=18:self signed certificate
    TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
    C: C01 CAPABILITY
    S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN AUTH=PLAIN AUTH=PLAIN SASL-IR LISTEXT LIST-SUBSCRIBED
    S: C01 OK Completed
    Authentication failed. no mechanism available
    Security strength factor: 256

now, i'll bet i've misconfigured something ... but durned if i can find it (yet). i'm cruising the list, as well, but am not yet familiar enuf with what to even look for.

fwiw, my imapd.conf is:

    admins: testuser
    postmaster: postmaster
    virtdomains: yes
    defaultdomain: testdomain.com
    servername: testserver.testdomain.com
    configdirectory: /etc/cyrus-imap/
    partition-default: /var/spool/imap
    sievedir: /var/sieve
    sieve_maxscriptsize: 32
    sieve_maxscripts: 5
    autocreatequota: 1
    reject8bit: no
    quotawarn: 90
    timeout: 30
    poptimeout: 10
    dracinterval: 0
    drachost: localhost
    sendmail: /usr/local/exim/bin/exim
    allowanonymouslogin: no
    allowplaintext: yes
    sasl_pwcheck_method: saslauthd
    sasl_mech_list: PLAIN

any/all pointers/suggestions are much appreciated,

richard
Re: General IMAP functionality
Hello,

Comments are imbedded below.

Warrick FitzGerald wrote:

Posted this last night, but did not see it come through ... sorry about the re-post if you have this already.

I'm in the process of moving an office of POP3 users to IMAP, and realized that I don't fully understand how things normally work.

Our mail is currently hosted on an ASP basis and when a user is running out of disk space they receive an email saying you're running out of space.

I tested what happens on the IMAP side, and using Mozilla Thunderbird I get a message popup saying pretty much the same thing, but I only get this once I've run out of space.

1. Can I set Cyrus to prompt when the user's mailbox reaches 90% usage?

Yes. The server sends what the IMAP protocol calls an ALERT. The client is responsible for handling it accordingly. This usually means a POPUP. You'll need to look through the imapd.conf man page to see how it's set.

2. Is it possible to email an admin account when this happens? Many users don't understand how to free space on the server and need assistance (save the comments please :) ).

No, not with the native software. We've written a script that will go through and send a message to the user letting them know that they are filling up and generate a list of those people which then gets sent to the admins.

Now here's the part I don't fully understand. As far as I can gather you're responsible for moving mail off the server onto your local machine on some regular interval. Outlook seems to have this Archiving feature that's responsible for this, but I'm not sure if this is the Microsoft way of doing things, or the right way of doing things.

Yes, the user is responsible. The IMAP protocol makes no effort to make this happen. Any ARCHIVE feature such as you mention is a function of the client software.

I don't seem to find an Archive feature in Thunderbird. What am I missing here?

See above. The whole point of IMAP is to store the messages on the server. Keeping below an administratively imposed quota is the user's responsibility. Sadly, not all users are responsible. :)

Thanks
Warrick

Another space issue that new IMAP users sometimes have difficulty with is the Trash model of deleting stuff. This is a client configurable thing so some people see it, others may not. But they move a message to Trash when they delete and don't empty the Trash. It will still use their quota. And if they keep copies of sent messages on the Server, same deal. They use quota.

Have fun.

Regards,
Earl Shannon
Re: ACL for pop-only ?
Hello,

This sounds a bit drastic. It prevents the server from being used as an IMAP server. IMHO, the proper way to do this is to have some form of directory, ldap, hesiod, ( or whatever ) track whether or not a user has a POP or IMAP account. The server then behaves accordingly. This isn't built into cyrus though, or wasn't last time I looked. That has been awhile.

Regards,
Earl Shannon

Stefan Nitz wrote:

Dear listeners,

On Friday, 15 October 2004 16:08, Christiaan den Besten wrote:

Hi all!

Is it possible to use an ACL to set a mailbox to 'pop only'. I would like to be able to prevent people from creating (new) subfolders in their inbox.

You can disable imap in the SERVICES section of cyrus.conf.

bye,
Chris

PS: I have read all documentation on ACL's, but I have not been able to find the right mixture of rights...
Re: Funding Cyrus High Availability
Hello,

All that you say is true. But for performance one either buys bigger and better or multiple machines to spread the load. Murder allows one to buy multiple machines. All I am saying is that improving performance may already be done. I believe redundancy in the application is more important at this point.

Regards,
Earl Shannon

Michael Loftis wrote:

--On Thursday, September 16, 2004 22:14 -0400 Earl Shannon [EMAIL PROTECTED] wrote:

Hello,

Question: Are people looking at this as both redundancy and performance, or just redundance?

My $0.02 worth. Performance gains can be found the traditional way, ie, faster hardware, etc. Our biggest need is for redundance. If something goes wrong on one machine we still need to be able to let users use email.

Cyrus already has this solved via MURDER, but FWIW, more smaller boxes isolate failures more effectively than one big box, also price/performance is still better at a certain size for any platform, and going up higher on the performance curve has HUGE price jumps. There's also the cost of administering multiple separate boxes to think about but carefully planned, this can be managed rather easily.

The whole 'throw bigger and bigger boxen' at it method of 'scaling' doesn't scale. You hit the wall. One box can only do so much, granted you can spend LOTS of money and get pretty big boxes, but at some point it becomes ludicrous -- who would use a Sun E10k/E15k and a whole Symmetrix DMX for just mail? (and I'm excluding companies like AOL and IBM who actually can afford it and would maybe have a reason to scale to that size)...

Price/Performance has a curve associated with it, most of us can't afford to always stay at the top end of the curve, and have to be at the middle. Further, does it make sense to re-invest in equipment every year to maintain growth? No, you should be able to expand, add another box, or two, and that scales fairly well. Better than the single big box approach.
Re: timsieved auth problem
Hello,

I don't think those methods get advertised unless SSL is already negotiated.

Regards,
Earl Shannon

Didi Rieder wrote:

Hi again,

we are running cyrus-2.2.8 with sasl-2.1.19. Our sasl authentication settings in imapd.conf are:

    sasl_pwcheck_method: saslauthd
    sasl_mech_list: PLAIN LOGIN

saslauthd is using PAM to authenticate. It works well for imap/imaps, however we can't get it to run with timsieved.

It seems that the sieve daemon is not advertising any auth method:

    [EMAIL PROTECTED] etc]# telnet localhost sieve
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    IMPLEMENTATION Cyrus timsieved v2.2.8
    SIEVE fileinto reject envelope vacation imapflags notify subaddress relational regex
    STARTTLS
    OK

Shouldn't be a SASL PLAIN LOGIN there? What could be wrong? (Remember imap works fine)...

Didi
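An added example, not part of the original posts: a small check that compares the SASL mechanisms a server advertises before and after STARTTLS, which is the comparison both the imtest thread and this timsieved thread turn on. The IMAP lines are abbreviated from the imtest transcript earlier on this page; the timsieved greetings are constructed samples in the quoted-string form the protocol uses, and the function names and result labels are assumptions made for illustration.

```python
import re

# Mechanisms that send the password itself and so depend on TLS for secrecy.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def imap_auth_mechs(capability_line):
    """Return the mechanisms named by AUTH= atoms, de-duplicated, in order."""
    mechs = []
    for atom in capability_line.split():
        if atom.upper().startswith("AUTH="):
            mech = atom[5:].upper()
            if mech not in mechs:
                mechs.append(mech)
    return mechs


def sieve_capabilities(greeting):
    """Parse a timsieved greeting: one quoted name and optional quoted value per line."""
    caps = {}
    for line in greeting.splitlines():
        fields = re.findall(r'"([^"]*)"', line)
        if fields:
            caps[fields[0].upper()] = fields[1] if len(fields) > 1 else ""
    return caps


def sieve_auth_mechs(greeting):
    """Mechanisms from the SASL capability; empty when the line is absent or empty."""
    return sieve_capabilities(greeting).get("SASL", "").upper().split()


def diagnose(before_tls, after_tls=None, starttls=False):
    """Classify what the two capability listings say about authentication."""
    if any(m in PLAINTEXT_MECHS for m in before_tls):
        return "plaintext-before-tls"      # password mechanism offered in the clear
    if before_tls:
        return "auth-before-tls"           # only non-plaintext mechanisms offered
    if after_tls:
        return "auth-after-starttls"       # mechanisms appear once TLS is up
    if starttls and after_tls is None:
        return "probe-after-starttls"      # not tested yet: repeat the listing over TLS
    return "no-mechanisms"                 # nothing offered even over TLS


# Abbreviated from the imtest transcript on this page.
IMAP_PRE_TLS = "* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA IDLE STARTTLS LISTEXT LIST-SUBSCRIBED"
IMAP_POST_TLS = ("* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA IDLE "
                 "AUTH=PLAIN AUTH=PLAIN AUTH=PLAIN SASL-IR LISTEXT LIST-SUBSCRIBED")

# Constructed timsieved greetings (the telnet output above lost its quoting).
SIEVE_PRE_TLS = ('"IMPLEMENTATION" "Cyrus timsieved v2.2.8"\r\n'
                 '"SIEVE" "fileinto reject envelope vacation"\r\n'
                 '"STARTTLS"\r\nOK\r\n')
SIEVE_POST_TLS = ('"IMPLEMENTATION" "Cyrus timsieved v2.2.8"\r\n'
                  '"SASL" "PLAIN LOGIN"\r\n'
                  '"SIEVE" "fileinto reject envelope vacation"\r\nOK\r\n')

if __name__ == "__main__":
    print("imap :", diagnose(imap_auth_mechs(IMAP_PRE_TLS),
                             imap_auth_mechs(IMAP_POST_TLS), starttls=True))
    print("sieve:", diagnose(sieve_auth_mechs(SIEVE_PRE_TLS),
                             starttls="STARTTLS" in sieve_capabilities(SIEVE_PRE_TLS)))
```

A "probe-after-starttls" result means the cleartext greeting alone cannot settle the question; the listing has to be repeated inside the TLS session before concluding that no mechanism is configured.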
Re: Redhat ES3.0 update cannot find gssapi library
Hello,

One way to fix this is to specify the -I and -L flags to the compiler with the appropriate paths. I use a script to call configure which first sets up the various environment variables for our environment. Something like

    #!/bin/csh
    # Quote the value: csh's setenv takes a single value argument
    setenv CFLAGS "-I/usr/kerberos/include -I/local/openssl/include -L/usr/kerberos/lib -L/local/openssl/lib"
    ./configure \
        --prefix=/local/cyrus \
        --with-sasl=/local/sasl \
        --with-openssl=/local/openssl \
        --with-auth=krb5

Above is just a quick example (and probably won't work). But I prefer this method over trying to muck with our standard Solaris Install kit's filesystem. Things go where they go and I go look for them where they are: :)

Regards,
Earl Shannon

Alex Needham wrote:

Hi Folks

I'm trying to compile cyrus-imapd to use with kerberos authentication.

Whilst running

    ./configure --with-auth=krb5

    checking for crypt... no
    checking for crypt in -lcrypt... yes
    checking gssapi.h usability... no
    checking gssapi.h presence... no
    checking for gssapi.h... no
    checking gssapi/gssapi.h usability... no
    checking gssapi/gssapi.h presence... no
    checking for gssapi/gssapi.h... no
    configure: WARNING: Disabling GSSAPI - no include files found
    checking GSSAPI... disabled
    checking sasl/sasl.h usability... yes

I know this a path related problem I am just not sure what the configure is looking for. Thanks to redhat putting kerberos header and libs in /usr/kerberos/include and /usr/kerberos/lib It is making life difficult.

If I put a symlink from /usr/kerberos/include/gssapi /usr/include/gssapi and run configure I get

    checking gssapi.h usability... no
    checking gssapi.h presence... no
    checking for gssapi.h... no
    checking gssapi/gssapi.h usability... yes
    checking gssapi/gssapi.h presence... yes
    checking for gssapi/gssapi.h... yes
    checking for res_search in -lresolv... (cached) yes
    checking for gss_unwrap in -lgssapi... no
    checking for gss_unwrap in -lgssapi_krb5... no
    checking for csf_gss_acq_user in -lgss... no
    checking for csf_gss_acq_user in -lgss... no
    checking for gss_unwrap in -lgss... no
    configure: WARNING: Disabling GSSAPI - no library
    checking GSSAPI... Disabled

So headers are getting there libs not,

Any help greatly appreciated, I would really like to use this as our european mail engine.

Rgds
Alex
Re: MURDER or IMAP proxy solution ?
Hello,

Well, the uniform name space means a couple of things. First, each user's account has a unique name. Not just on the IMAP server where their account resides, but across all the IMAP servers that are part of the MURDER. This allows the accounts to be on any machine in the MURDER. This allows the MURDER to be referred to by one hostname in DNS, ie mail.some.domain because the murder keeps track of where things have to go. Whether it's for delivery of email or the connection of a client.

It's the client connection part that brings the shared folders into the mix. Usually a client program or MUA ( Mail User Agent) is configured with the username/server where the person's account resides. This gets them to their inbox. But what if an organization has some shared folders? And what if those shared folders are on another machine? A second server must be configured in the MUA to allow the connection to the server where the folders are.

If using a MURDER this second server would not need to be configured in the MUA. The client program sees one uniform name space where all the folders reside with only configuring ONE name for the email server in the MUA.

Regards,
Earl Shannon

Greg Pulfer wrote:

Hi there,

I was reading the latest Cyrus IMAPd 2.2.6 documentation especially this page: http://asg.web.cmu.edu/cyrus/download/imapd/install-murder.html

Now I saw the following phrase:

Sites which think they need the Murder functionality but do not need a uniform namespace (no shared mailboxes) should consider other IMAP proxy solutions.

This made me wonder if I really need the MURDER functionality... First of all can someone explain to me what is a uniform namespace (no shared mailboxes), I am not sure if I need that or not. If I could use a IMAP proxy solution and that would make everything simpler I would go for it.

Would I achieve the same horizontal scalability with an IMAP proxy solution as with a MURDER solution ?

Well to explain my case a bit I would like to install a mail architecture for an ISP which currently has approx 200 mailboxes but it will grow and grow and grow, that's why horizontal scalability is needed.

Thanks
Regards
Re: System-wide sieve filter
Hello,

Amavis is a milter and is not part of the Cyrus package. What it would do with the extension listed is change the deliver to address by suffixing it with +spam.

The + address indicates to the final delivery agent, usually lmtpd for cyrus, to put the message in the specified folder. So a message sent to [EMAIL PROTECTED] would get delivered to a subfolder of my inbox named spam, should such a folder exist and the ACL on that folder was appropriately set.

Regards,
Earl Shannon

Tore Anderson wrote:

* Tore Anderson

Hi. I need to make SpamAssassin-tagged messages to be by default filtered into a spam-folder. I figured I could do this either by a global sieve script, or some default script that was copied in place whenever a new user mailbox was created.

* Luca Olivetti

in /etc/amavisd.conf

    $addr_extension_spam = 'spam';

then when I create a user, I create a spam folder and give it an anonymous p acl.

Hm, amavis, did I post to the wrong list? :-) I don't use amavis, so I don't really know what this does.. Does it mean you can tell Cyrus to filter a message into a folder, by adding an extension to the RCPT TO address? Like [EMAIL PROTECTED]?

I use the autocreate patch, so a folder named Spam is automatically created when the user is. But I didn't figure out how I could make the suspected spam messages be automatically filed into that folder, without patching Cyrus. Could you elaborate on how your method works?
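An added example, not part of the original posts: a simplified model of the delivery decision described in this thread, where a +detail address is filed into a subfolder only if that folder exists and its ACL grants the post right (p) to the anonymous or anyone identifier, and otherwise lands in the inbox. The mailbox table, the addresses and the exact-match folder comparison are constructed assumptions; the audit function goes one step beyond the thread to list folders where that identifier holds more than p.

```python
# Identifiers that cover an unauthenticated delivery in this model (assumption).
PUBLIC_IDENTS = ("anyone", "anonymous")


def split_recipient(rcpt):
    """'hans+spam@example.org' -> ('hans', 'spam', 'example.org')."""
    local, _, domain = rcpt.partition("@")
    user, _, detail = local.partition("+")
    return user, detail, domain


def may_post(acl):
    """True when a public identifier holds the 'p' (post) right on the folder."""
    return any("p" in acl.get(ident, "") for ident in PUBLIC_IDENTS)


def delivery_target(rcpt, mailboxes):
    """Return the mailbox a message for rcpt is filed into, or None if unknown user."""
    user, detail, _ = split_recipient(rcpt)
    inbox = "user." + user
    if inbox not in mailboxes:
        return None
    if detail:
        folder = inbox + "." + detail          # exact, case-sensitive match (assumption)
        acl = mailboxes.get(folder)
        if acl is not None and may_post(acl):
            return folder
    return inbox                               # missing folder or no 'p': fall back


def overbroad_public_rights(mailboxes):
    """Map folder -> rights a public identifier holds beyond 'p'."""
    findings = {}
    for folder, acl in mailboxes.items():
        extra = set()
        for ident in PUBLIC_IDENTS:
            extra |= set(acl.get(ident, "")) - {"p"}
        if extra:
            findings[folder] = "".join(sorted(extra))
    return findings


# Constructed mailbox table: name -> {identifier: rights}.
MAILBOXES = {
    "user.hans":        {"hans": "lrswipcda"},
    "user.hans.spam":   {"hans": "lrswipcda", "anonymous": "p"},
    "user.hans.Drafts": {"hans": "lrswipcda"},
    "user.hans.lists":  {"hans": "lrswipcda", "anyone": "lrsp"},
}

if __name__ == "__main__":
    for rcpt in ("hans+spam@example.org", "hans+Drafts@example.org",
                 "hans+nosuch@example.org", "hans@example.org"):
        print(rcpt, "->", delivery_target(rcpt, MAILBOXES))
    print("public rights beyond p:", overbroad_public_rights(MAILBOXES))
```

Granting only p keeps the folder write-only for outside senders; the last entry in the table shows the over-grant the audit is meant to catch.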
Re: Bad index files.
Hello,

Sadly we rotate the log files every 10 days, and any logs during the time frame for this have rotated out. And we don't know how to replicate the problem short of stopping the server. Which we don't want to do just to troubleshoot this. :) And I can't check to see if both the index files you ask about exist since we have fixed all the affected accounts. :(

Yes, we are talking about a stop/start cycle. Which is one reason I asked a little while ago about the proper way to shut down the server. All we currently do is send a SIGKILL to the master process. I'm planning to update our init script to put a shutdown message in place and wait five minutes before actually sending the signal in hopes that will help reduce the occurrences.

Really it's not a large percentage. At most close to 100 on machines with over 8000 accounts on them. However, having to do it at all is somewhat disturbing. Particularly when one doesn't know why.

Regards,
Earl Shannon

Lawrence Greenfield wrote:

Date: Wed, 3 Mar 2004 15:15:58 -0500 (EST)
From: Rob Siemborski [EMAIL PROTECTED]

On Wed, 3 Mar 2004, Earl R Shannon wrote:

The stop/start is when this seems to happen. Is it not possible that imapd processes are being SIGKILLed and leaving the index files in an untenable state?

The running index files are never updated directly -- the .NEW files are written out, and then moved (atomically via rename()) into place.

Err, that's not true. The index files for some things (like \Answer flag updates) are modified in place, since rewriting/renaming the entire file would be too slow.

However, if we're talking a stop/start cycle (and not even a reboot) I don't understand how these files are getting corrupted. The existence of .NEW files seem to indicate that an EXPUNGE is going on.

Is there both a cyrus.index.NEW _and_ cyrus.cache.NEW? (If one gets renamed and the other doesn't, that yields a corrupt mailbox.)

Are there any syslog'd messages when the user attempts to SELECT the corrupt mailbox?

Larry
Re: Cyrus IMAPd, SASL, GSSAPI, Proxy Authorization
Hello,

It would help to see the imapd.conf file for the server in question. That said, is the user jablko listed in the imapd.conf file on the proxyservers list? ie:

    proxyservers: jablko

Regards,
Earl Shannon

[EMAIL PROTECTED] wrote:

I'm attempting to connect to the Cyrus IMAPd mailbox admin on wum.lat as the Kerberos principal [EMAIL PROTECTED], using proxy authorization.

The principal imap/wum.lat is in the realm RUZ - cross realm authentication is working - I can connect to the mailbox admin as [EMAIL PROTECTED].

Account information is currently being successfully retrieved from an OpenLDAP server, using nss_ldap.

I can currently ssh to [EMAIL PROTECTED] as [EMAIL PROTECTED], using a .k5login file in admin's home. I should also be able to proxy authorize to the OpenLDAP server using saslAuthzTo / From. Cyrus, however, isn't letting me in.

I am unclear on what I must do to configure proxy authorization for Cyrus IMAPd, and why it is calling nss_ldap (and why nss_ldap can't, in this case, contact the LDAP server).

Can anyone help?

Thanks!
Jack

    == auth.log ==
    Mar 13 15:41:10 wum krb5kdc[17432]: AS_REQ (6 etypes {18 16 23 1 3 2}) 192.168.179.43: NEEDED_PREAUTH: [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED], Additional pre-authentication required
    Mar 13 15:41:10 wum krb5kdc[17432]: AS_REQ (6 etypes {18 16 23 1 3 2}) 192.168.179.43: ISSUE: authtime 1079221270, etypes {rep=16 tkt=16 ses=16}, [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED]
    Mar 13 15:41:53 wum krb5kdc[17432]: TGS_REQ (6 etypes {18 16 23 1 3 2}) 192.168.179.43: ISSUE: authtime 1079221270, etypes {rep=16 tkt=16 ses=16}, [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED]
    Mar 13 15:41:53 wum krb5kdc[17432]: TGS_REQ (5 etypes {16 23 1 3 2}) 192.168.179.43: ISSUE: authtime 1079221270, etypes {rep=16 tkt=16 ses=16}, [EMAIL PROTECTED] for imap/[EMAIL PROTECTED]

    == mail.log ==
    Mar 13 15:41:53 wum cyrus/imapd[18603]: accepted connection

    == auth.log ==
    Mar 13 15:41:54 wum cyrus/imapd[18603]: user jablko is not allowed to proxy

    == mail.log ==
    Mar 13 15:41:54 wum cyrus/imapd[18603]: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
    Mar 13 15:41:54 wum cyrus/imapd[18603]: badlogin: fis.lat[192.168.179.43] GSSAPI [SASL(-13): authentication failure: user jablko is not allowed to proxy]
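An added example, not part of the original posts: a model of proxy authorization as it appears in this thread (the proxyservers list and the "is not allowed to proxy" refusal) and in the webmail proxy-user suggestion from the "Restrict IMAP usage to certain hosts" thread. It uses the SASL PLAIN message layout (authorization id, authentication id, password, separated by NUL) rather than the GSSAPI exchange in the logs, and the policy check is a deliberate simplification; the account names other than jablko and admin, and all passwords, are constructed.

```python
import hmac


class ProxyDenied(PermissionError):
    """Authenticated correctly, but may not act as another user."""


def build_plain(authcid, password, authzid=""):
    """Client side: authzid NUL authcid NUL password."""
    return b"\0".join(s.encode("utf-8") for s in (authzid, authcid, password))


def parse_plain(message):
    """Server side: return (authzid, authcid, password); empty authzid means 'myself'."""
    parts = message.split(b"\0")
    if len(parts) != 3 or not parts[1]:
        raise ValueError("malformed PLAIN message")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    return authzid or authcid, authcid, password


def authorize(authcid, authzid, proxyservers):
    """Simplified policy: only identities on proxyservers may act as someone else."""
    if authzid == authcid or authcid in proxyservers:
        return authzid
    raise ProxyDenied("user %s is not allowed to proxy" % authcid)


def server_login(message, passwords, proxyservers):
    """Verify the password of authcid, then decide whose mailbox the session gets."""
    authzid, authcid, password = parse_plain(message)
    expected = passwords.get(authcid)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        raise PermissionError("authentication failure")
    return authorize(authcid, authzid, proxyservers)


def webmail_login_message(session_user, proxy_user, proxy_password):
    """Webmail side: authzid is the user the web session already authenticated.

    It must come from server-side session state, never from a request
    parameter, or one webmail user could open another user's mailbox.
    """
    if not session_user or "\0" in session_user:
        raise ValueError("invalid session user")
    return build_plain(proxy_user, proxy_password, authzid=session_user)


# Constructed accounts for the demonstration.
PASSWORDS = {"webmail": "proxy-secret", "jablko": "pw-jablko", "hans": "pw-hans"}
PROXYSERVERS = {"webmail"}

if __name__ == "__main__":
    msg = webmail_login_message("hans", "webmail", "proxy-secret")
    print("webmail acting for:", server_login(msg, PASSWORDS, PROXYSERVERS))
    try:
        server_login(build_plain("jablko", "pw-jablko", authzid="admin"),
                     PASSWORDS, PROXYSERVERS)
    except ProxyDenied as err:
        print("denied:", err)
```

Every identity on the proxy list can open any mailbox, so the list should hold only service accounts whose credentials never leave the webmail host.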
Re: shared folders?
Hello,

I haven't seen one yet. Doesn't mean there's not one out there.

Real quickly. Create the folder. Give people who need access the necessary ACL. It's pretty much that simple.

Here at NCSU I've set up a separate server for shared folders. This causes some problems of its own since we have not yet implemented a Cyrus Murder. But otherwise it works well. We have a Service Level Agreement that we have people sign and I've prepared a short tutorial on what IMAP and shared folders are and included a couple of examples using cyradm to administer a folder. Please note that a couple of items in it are specific to our environment, ie, the add command I mention. My target audience is those who are specified in the SLA to be an administrator(s) for the shared folder(s). It can be found at http://www.ncsu.edu/imap/shared

Please, if you have any comments or suggestions concerning the tutorial let me know.

Regards,
Earl Shannon

Ian Beyer wrote:

Is there a good tutorial on setting up shared folders for users with Cyrus?

Thanks.
Re: global sieve script?
Hello,

My two cents worth on how to make it work. It would have to go through lmtpd twice. Terribly inefficient I'm sure, and I'll bet some people are cringing as we read. The first pass through is for the global sieve script(s). Handled on a per domain basis, or maybe for the server if you truly want it to be global, as for say, SPAM filtering or Virus checking, etc. If it makes it to the second pass it's just normal lmtpd delivery. There is no interaction per se, but there is a precedence, which really should go to the global filter, IMHO.

That said, is this really something that postmasters want to start doing? You are messing with people's email with a sieve script and have the potential to delete or redirect email that should be allowed to go to the user who may then decide. I'd bet that's been a reason that global filtering hasn't happened yet.

Regards, Earl Shannon

Edward Rudd wrote:

nope.. It's not in there. Not sure when it will be either, as it's a little more involved than just adding it in to cyrus imapd.. one has to figure out how a global script will interact with a user's local script, including having one override another. Which AFAIK is not documented in the RFC..

On Thu, 2004-03-04 at 17:22, Joe Hrbek wrote:

This was posted in reference to a global sieve script: http://www.irbs.net/internet/info-cyrus/0112/0133.html It dates back to 2001. Is this capability now present in the latest cyrus package? I use simon matter's RPM. If so, this would be very cool. -j
Bad index files.
Hello,

I've got a question about the behavior we see when we shut down the imap server processes. When the master gets killed and the imap processes start to go away the state of the index files in some of the user accounts seems to become corrupted for some users. While a small percentage doesn't seem to be a bother the fact that it happens at all is bothersome. And it consumes time at server startup to find and correct the affected accounts. The index files suffixed with .NEW are left behind apparently in some unrecoverable state. If not fixed with a reconstruct the user is unable to access their account.

Is this a known bug with the version we are using ( 2.1.11 )? We are running on Solaris 2.8 and 2.7. The 2.8 machines seem to be the ones affected.

ID NIL command output:

name: Cyrus IMAPD
version: v2.1.11 2002/12/04 14:53:12
vendor: Project Cyrus
support-url: http://asg.web.cmu.edu/cyrus
os: SunOS
os-version: 5.8
environment: Cyrus SASL 2.1.10; Sleepycat Software: Berkely DB 3.2.9: (January 24, 2001); OpenSSL 0.9.7c 30 Sep 2003; CMU Sieve 2.2; mmap = shared; lock = fcntl; nonblock = fcntl; auth = krb (NCSU Krbcyrus); idle = poll; mboxlist.db = db3; subs.db = flat; seen.db = flat; duplicate.db = db3-nosync; tls.db = db3.nosync

I've not seen any info in the wiki FAQ or the mail list archive. Perhaps I've missed it. Point me to it if it's there. Thanks.

Regards, Earl Shannon
Re: Bad index files.
Hello,

Well, then. I'm at a loss to understand the behavior we see. Users can't connect to their account. Go look and see the .NEW files. Hm. Run a reconstruct and the .NEW files go away. User problem fixed. Perhaps you can offer me an alternative explanation for the behavior and we can fix what actually is broke. Thanks.

Regards, Earl Shannon

Rob Siemborski wrote:

On Wed, 3 Mar 2004, Earl R Shannon wrote:

The index files suffixed with .NEW are left behind apparently in some unrecoverable state. If not fixed with a reconstruct the user is unable to access their account.

The .NEW files should be totally ignored by any running cyrus instance (well, except when they are overwritten). They're just evidence of a half-completed transaction.

-Rob
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456 Research Systems Programmer * /usr/contributed Gatekeeper
Re: Bad index files.
Hello,

Answers to queries below their respective question.

Rob Siemborski wrote:

On Wed, 3 Mar 2004, Earl R Shannon wrote:

Well, then. I'm at a loss to understand the behavior we see. Users can't connect to their account. Go look and see the .NEW files. Hm. Run a reconstruct and the .NEW files go away. User problem fixed. Perhaps you can offer me an alternative explanation for the behavior and we can fix what actually is broke. Thanks.

Well running reconstruct will always delete .NEW files. What do you mean by cannot log in?

Here's what happens when I proxy in for a user

1 select inbox
1 NO Mailbox has an invalid format

Sendmail is given the same error message when it tries to deliver email to the user.

What protocol is the user using?

IMAP, I used imtest to get the above info.

Do you have IMAP transcripts? Logfile information?

No. I can generate some if you really think they may be more informative.

It sounds like the index files themselves are corrupt, but the existence of .new files are almost certainly a red herring.

If so, how can we prevent the corruption from occurring? It always seems to appear when we shut down the cyrus processes and start them back up. Be nice if we didn't have to fix accounts simply because we did a stop/start sequence.

-Rob
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456 Research Systems Programmer * /usr/contributed Gatekeeper
Re: Bad index files.
Hello,

No. Solaris 7 and 8, using UFS with noatime as an option at mount time. The filesystems are volume slices of a RAID on a T3 attached via a Fibre SAN. The stop/start is when this seems to happen. Is it not possible that imapd processes are being SIGKILLed and leaving the index files in an untenable state?

Regards, Earl Shannon

Rob Siemborski wrote:

On Wed, 3 Mar 2004, Earl R Shannon wrote:

It sounds like the index files themselves are corrupt, but the existence of .new files are almost certainly a red herring.

If so, how can we prevent the corruption from occurring? It always seems to appear when we shut down the cyrus processes and start them back up. Be nice if we didn't have to fix accounts simply because we did a stop/start sequence.

You shouldn't. By any chance, are you on linux with an ext2 filesystem?

-Rob
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456 Research Systems Programmer * /usr/contributed Gatekeeper
Re: folder pointing to another IMAP server?
Hello,

I don't think you've really given us enough information. Are both servers cyrus? I understand from your posting that at least one will be. I have multiple servers configured in my email client ( Mozilla ) but they are all cyrus. That shouldn't be a requirement however. The drawback for most people will be how to configure their email program to do this, i.e., it's a user/client education issue. Connecting to two or more mail servers with one client program may confuse some users.

We usually move people's mail when putting their account on a new server. There is a short interruption in their account's ability to receive mail and their ability to read it. Letting people know what is going on however greatly mitigates questions and concerns.

Regards, Earl Shannon

Michael Bartosh wrote:

OK I've posted this twice now but I haven't seen it go across the list... I apologize if it is and I'm spamming... Please notify me off-list if so.

Is it feasible in cyrus to have a special folder that points to an inbox on another server? I'd like to do this to facilitate transition to a cyrus server, allowing users to manually move their mail to the new server if they prefer.

-- http://www.4am-media.com Mac OS X Consulting and Training Michael Bartosh [EMAIL PROTECTED] 303.517.0272 Denver, CO The surest way to corrupt a youth is to instruct him to hold in higher regard those who think alike than those who think differently. - -- Nietzsche Think Different.
Proper shutdown of cyrus IMAP server.
Hello,

We've recently experienced problems with some of the cyrus index files in user accounts getting suffixed with .NEW and not going away. Their presence indicates a problem with the account. We are currently guessing that the files are being left as a result of the server being shut down and they don't get cleaned up properly.

What we currently do to stop the server is simply kill the master process. That's what I found in the docs. Might there be some things to do before that, i.e., create a shutdown message and let things calm down before killing master? Send a particular signal? Or, are we seeing a completely different problem with the .NEW files?

We are using version 2.1.11 on Solaris 8 with a UFS filesystem on a SAN.

Regards, Earl Shannon
Re: Shared folders question...
Hello, I've not seen anything per se myself. We've set up a shared folder service here at NCSU. Things to be aware of are the form of the email address to deliver to the shared mailbox/folder, permissions to allow the mail delivery to occur, ie. give the user anyone an ACL with at least p in it. Set ACL's for additional users as necessary. And make sure that clients know how to configure their email programs. As part of the service we provide an alias for people to use that maps onto the delivery address to the shared folder. For example: [EMAIL PROTECTED] - [EMAIL PROTECTED] Regards, Earl Shannon Jason Williams wrote: Good morning everyone. I wanted to ask some questions regarding shared folders and cyrus. I currently have cyrus-imapd-2.1.16 'gelling' well with postfix right now. Everything is running smoothly. My next task is to do some research and testing on shared folders. Our company needs the ability to set up shared folders that can only be viewable to certain people (which are in turn, departments). With that in mind, I was hoping to find additional documentation that I can use to read up on shared folders. That way, I can see how to create shared folders, setup permissions, remove/add users etc. I've been flipping through the 'Managing IMAP' book but its a few years old. I've also been googling looking for additional docs as well. There anyone that can point me in the right direction for additional information to help me get started with this task? I do appreciate it. Best, Jason
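The ACL advice in the reply above (post right `p` for `anyone`, further rights only for named users) can be checked mechanically. This is an added example, not part of the original thread: the listing, the policy and the function names are constructed, and the listing is assumed to be in the "identifier rights" form that cyradm prints for a mailbox ACL.

```python
"""Least-privilege check for shared-folder ACLs (added example)."""

# ACL rights letters used by Cyrus 2.1.
RIGHTS = {"l": "lookup", "r": "read", "s": "seen", "w": "write flags",
          "i": "insert", "p": "post", "c": "create", "d": "delete",
          "a": "administer"}

# Constructed sample: a mailbox name, then one "identifier rights" line per
# ACL entry. Negative-rights entries ("-identifier") are not modelled here.
SAMPLE_ACLS = """\
shared.sales
anyone p
alice lrswipcda
bob lrs
shared.hr
anyone lrsp
carol lrswipcda
erin lrs
shared.ops
dave lrswipcda
"""

# Constructed policy: who is supposed to hold rights on each folder.
POLICY = {
    "shared.sales": {"alice", "bob"},
    "shared.hr": {"carol"},
    "shared.ops": {"dave"},
}


def parse_acl_listing(text):
    """Return {mailbox: {identifier: rights}} from the listing above."""
    acls, current = {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) == 1:
            current = parts[0]
            acls[current] = {}
        elif len(parts) == 2 and current is not None:
            ident, rights = parts
            unknown = set(rights) - set(RIGHTS)
            if unknown:
                raise ValueError("unknown rights %r on %s" % (unknown, current))
            acls[current][ident] = rights
    return acls


def audit_shared_acls(acls, policy):
    """List (mailbox, identifier, finding) tuples for ACL entries to review."""
    findings = []
    for mailbox, entries in acls.items():
        allowed = policy.get(mailbox, set())
        for ident, rights in entries.items():
            if ident == "anyone":
                # 'anyone' should be able to post (deliver) and nothing else.
                extra = "".join(c for c in rights if c != "p")
                if extra:
                    findings.append((mailbox, ident, "extra:" + extra))
            elif ident not in allowed:
                findings.append((mailbox, ident, "unlisted:" + rights))
        # Delivery to the folder needs 'p' for anyone, per the reply above.
        if "p" not in entries.get("anyone", ""):
            findings.append((mailbox, "anyone", "missing:p"))
    return findings


if __name__ == "__main__":
    for finding in audit_shared_acls(parse_acl_listing(SAMPLE_ACLS), POLICY):
        print(*finding)
```
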
Re: Using singleinstancestore on a large scale (thousands of recipients)
Hello, We use a perl script to do what we call a broadcast. It loops through and delivers to each individual user. Probably not very efficient, particularly since we have thousands of accounts as well, but it was quick to implement and it works. Regards, Earl Shannon Sebastian Hagedorn wrote: Hi, we've got Cyrus 2.1.16 running on Red Hat AS 2.1 with singleinstancestore and it's working well. A common case is that mails will have up to 5 recipients: -rw---5 cyrusmail 3754 Jan 13 11:13 /var/spool/imap/S/user/a0620/88222. We haven't yet moved all our student accounts to Cyrus, but once we've done that, I'd like to be able to use this mechanism for sending mails to all of them. We've got around 30,000 student accounts. Now I wonder: - can a single inode have 30,000+ links? We're using ext3 as this is the only file system supported by Red Hat. - can I invoke deliver with such a long argument list? If not, is there an alternative? I've searched the WiKi and the mailing list archive, but haven't found any reports regarding this ... Thanks, Sebastian Hagedorn -- Sebastian Hagedorn M.A. - RZKR-R1 (Gebäude 52), Zimmer 18 Zentrum für angewandte Informatik - Universitätsweiter Service RRZK Universität zu Köln / Cologne University - Tel. +49-221-478-55 87
Re: Using singleinstancestore on a large scale (thousands of recipients)
Hello, I may have made an invalid assumption. The perl script I mentioned in my last post runs on the IMAP server itself. No need for an MTA to get involved. I assumed the initial poster was doing the same. BTW, deliver is simply a wrapper to lmtpd on the IMAP server. A little overhead exec'ing another file, but it makes using LMTP easier. Regards, Earl Shannon [EMAIL PROTECTED] wrote: On Tue, 13 Jan 2004, Sebastian Hagedorn wrote: we've got Cyrus 2.1.16 running on Red Hat AS 2.1 with singleinstancestore and it's working well. A common case is that mails will have up to 5 recipients: -rw---5 cyrusmail 3754 Jan 13 11:13 /var/spool/imap/S/user/a0620/88222. We haven't yet moved all our student accounts to Cyrus, but once we've done that, I'd like to be able to use this mechanism for sending mails to all of them. We've got around 30,000 student accounts. Now I wonder: - can a single inode have 30,000+ links? We're using ext3 as this is the only file system supported by Red Hat. - can I invoke deliver with such a long argument list? If not, is there an alternative? We don't have as many students, but we see a fair number of large distribution posts as well. You don't indicate what MTA you're using, but as pointed out, you need to use LMTP for this feature to have any impact. If you're using Postfix, you can control how many recipients are allowed to be handled by a single post: # Cyrus will hard link messages to multiple recipients # on the same Cyrus partition. lmtp_destination_recipient_limit = 3000 So a message to 6K will result in two messages with 3K links to each. I figured that was good enough, and not likely to freak anything out.
Re: server sizing question
Hello,

I can't comment on a comparison since I've never heard of cucipop. What I can do is tell you what we run here at NCSU. We currently have 4 servers but plan to add 4 more. The servers are Sun Enterprise 220R's with 2 Gig of memory. We have over 10,000 accounts per machine. Not all are active however. They generally have about 1,000 imap processes running at any given time during the semester with a load average usually less than 1. Mail delivery spikes sometimes push the load average up. We have a separate mail relay system and use lmtp for delivery to the IMAP servers instead of postfix or sendmail.

I'm not sure how well you'll be able to map this to an Intel based server, which I'm guessing you'll be running. But I'd bet you'd be able to run your proposed load fairly well on an adequately configured single server, i.e., plenty of memory and speed. And since the servers are very I/O intensive, the faster the disk subsystem the better.

Regards, Earl Shannon

Jeff wrote:

Hi all, Does anyone have links to recommended server sizing for cyrus. I am migrating away from sendmail/cucipop to postfix/cyrus. I currently have about 7500 mail boxes with about 16GB of mail. The majority of my clients will be popping mail, but we are planning on supporting IMAP now that we have good quota support. Each client will be limited to 20MB of storage space. How does cyrus compare to cucipop in handling the load. Thanks, Jeff
Re: Large cyrus install surver
Hello,

Information provided below.

Regards, Earl Shannon

[EMAIL PROTECTED] wrote:

Hi, I'm looking at setting up IMAP servers for a mid-sized (2,000-3,000) company with several sites around the world. I've run Cyrus myself for years, and I'm very happy with it. But, I'd like to collect some configurations from people with large scale installations (CMU does not count :). If people will email me their info, I'll make a little web page, and post the results here so that others can benefit as well. Send me:

The version(s) of Cyrus you are running

2.1.11

The specs of the servers you have (cpu,mem,disk,os, etc)

4 Servers: Sun Enterprise 220 R with one CPU 2 Gigabyte of RAM. We are using a Fiber Channel SAN architecture with two Sun T3's. The SAN currently provides each IMAP server with 100GB of space. Currently Solaris 7. Adding 4 more. Sun Enterprise 280 R with one CPU 2 Gigabyte of RAM.

How many accounts on each server.

Average is 15102. Total accounts 6040. It should be noted that not all of these are active. Students are a transitory lot to say the least. We allot all users 30 MB initially. Additional quota may be purchased.

Authentication methods are GSSAPI, KERBEROS_V4, TLS+PLAIN, PLAIN. The PLAIN methods use saslauthd, which is using the kerberos4 mechanism. Sadly, we still have a memory leak using kerberos5, and the -n 0 flag actually slows down authentication too much due to the forking overhead. ( No pun intended :) )

The average and peak number of users on each server at a time

Average is between 700 and 1000 depending upon the server. We haven't yet been able to identify users based upon a usage pattern and who they are to effectively load balance among the servers yet. Peaks as high as 1400. Loads usually stay below 1. We have limited the number of lmtp processes allowed to run to 50. Occasionally we get flooded with email and the delivery process will causing user problems. We decided it was better to slow down mail delivery as opposed to users not being able to login.

The average and peak number of messages in a folder for your users (go ahead and estimate here...)

Big guesses. A lot of people don't keep any on the server. Others have over 1000. A few have over 100 folders. They haven't yet grasped the concept of copying to a CD if they need to keep it. A user education issue we need to address along with making archiving easier.

Are you using murder? If so, describe your proxies and mupdate server.

Not Yet. Want to. Will make our shared mailbox server integrate much nicer.

Any random thoughts you have. Would you pick Cyrus if you were free to start over right now? etc.

I did not do the initial IMAP server evaluation. But from what I learned since I would stick with it. We will be adding another four servers and increasing the available space in the SAN. We will then redistribute our users over 8 instead of 4, and increase the default user quota to 50MB. As I already indicated we very much want to get the murder implemented. While it doesn't provide the high availability it will make other things easier for our support staff and users, particularly our webmail ( we use SquirrelMail ) users.

What info about you (firstname, lastname, email, organization) is it ok for me to list with your info. (none at all is fine, and that's what I'll assume if you don't say otherwise)

Earl Shannon [EMAIL PROTECTED] North Carolina State University, Information Technology Division http://www.earl.ncsu.edu

email your info to [EMAIL PROTECTED] Thanks, -Seth
Re: received date and reconstruct
Hello, I'd suggest you investigate the ipurge command that comes with cyrus. It can be run from a cron job and delete messages based on specified criteria, including age. Hm. Not sure though how it determines age. Regards, Earl Shannon Andrew J Caird wrote: Strangely, I need to do something very similar. So if someone has the answer and was going to hold out because of lack of interest, that's no longer an excuse. :) Thanks a lot. -- Andrew On Thu, 20 Nov 2003, Phil Chambers wrote: I was planning to have a script go through doing this every night. It would use the creation dates of the message files, deleting ones that are too old and then use reconstruct to tidy up. I have two questions: 1) Can I rely on the creation date? I ask this because I have just seen an inbox where every message file had the same date/time. The date/time was 4.05 this morning and the user was not active at that time and the files had not been recovered from backup. Without any external activity, I cannot see what would have changed the creation dates. 2) Is it safe to use reconstruct on a live system in this way? I am concerned in case a new message gets delivered into the folder while reconstruct is doing its thing. Phil.
Re: received date and reconstruct
Hello, Call it a case of not thinking outside the box I suppose. We have standalone machines that are our IMAP servers. Which means that anything they do is basically cyrus related. We also have the cron job send us a piece of email. We have a wrapper for our cron jobs that collects STDOUT and STDERR and mails it to a specified address. It was easier to use the in place infrastructure of cron and our wrapper than do something as an event. Regards, Earl Shannon Ken Murchison wrote: Earl R Shannon wrote: Hello, I'd suggest you investigate the ipurge command that comes with cyrus. It can be run from a cron job and delete messages Why would you put it in crontab instead of an EVENT in cyrus.conf? Wouldn't it make more sense to keep all Cyrus-related processes in one spot?
Re: High Availability and Cyrus
Bonjour,

While there have been a couple of mentions that high availability is being considered by CMU, it has not been done natively to the IMAP server. In other words, the IMAP server does not do high availability. While it does have the cluster implementation ( the murder ), this allows scalability, not high availability.

To provide high availability you will need to implement something yourself that does it. It seems there have been a few people on this list who have mentioned how they have done it. It would be a good idea to read the list archive and see what they have said about how they accomplished it.

Regards, Earl Shannon

Denis Liard wrote:

We use Cyrus Imap Server since one year. It works fine for us (Sendmail + Cyrus). We have 2 Sendmail boxes for High Availability in MX configuration and filter all messages (SPAM and Virus) for several domain names. For some domains, we are only MX relay, and mails are resent (by SMTP) to other storage mail servers (Exchange and Domino) and some are delivered to our IMAP (Cyrus) server by SMTP (virtual users db is on this server box) and locally delivered by LMTP. But we have only one IMAP server (with SCSI RAID disk) but we would like to procure more secure availability. How to do this? I do not have a good idea about this. Thanks a lot.

Denis Liard (French so my English is poor!)
Re: Moving mail to a new machine
Hello,

If it's just you, i.e., one account, the easiest way would probably have been to simply drag and drop folders from one account (machine) to the other. This would of course require that both machines be up and running, which it sounds like you have.

Failing that, what you need to realise is that a directory is not a folder. In order for a directory to be a folder it must be in the mailboxes database. Getting the entry there would depend upon the type of database you are using. I usually use the cyrus admin tool or the Perl IMAP::Admin module to create folders.

Regards, Earl Shannon

Gordon wrote:

I previously had my imap server running on one machine that I had set up myself. I had several folders beside my inbox. I recently built a new machine with a new version of Redhat and I've built and installed the latest version of cyrus. I have cyrus running and configured but I'm having a heck of a time getting to my old mail files.

What I've done is copy the whole directory tree of my mail files to the directory /var/spool/imap/g/user/gmc. I've gone into cyradm and created a mailbox called user.gmc and set the acl to write. I use mozilla for email and I was able to set it up and I can now see the emails from my old inbox. The problem is that I can't figure out how to get to the email that are in the other folders. They're in directories under the directory stated above.

Can anyone help with this bit? Was there an easier way to do this? Gordon
SASL mechanism PLAIN advertising in IMAP capabilities
Hello,

I'm getting confused. I'm trying to have AUTH=PLAIN show up in the response to a capability query of the IMAP server. Here is what I currently get:

/var/log # telnet uni99map 143
Trying 152.1.4.242...
Connected to uni99map.unity.ncsu.edu.
Escape character is '^]'.
* OK uni99map.unity.ncsu.edu Cyrus IMAP4 v2.1.13 server ready
0 capability
* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS MUPDATE=mupdate://uni99map.unity.ncsu.edu/ AUTH=GSSAPI AUTH=KERBEROS_V4 LISTEXT LIST-SUBSCRIBED ANNOTATEMORE
0 OK Completed

Note that only GSSAPI and KERBEROS_V4 show up. In the imapd.conf file I have:

sasl_pwcheck_method: saslauthd
sasl_saslauthd_path: /local/sasl/var/mux
sasl_mech_list: PLAIN GSSAPI KERBEROS_V4
allowplaintext: yes

Libraries in /usr/lib/sasl2 are:

/usr/lib # ls /usr/lib/sasl2/
. libcrammd5.so.2 libgssapiv2.so.2.0.10 liblogin.so.2.0.0 libplain.so.2 .. libcrammd5.so.2.0.13libgssapiv2.so.2.0.13 liblogin.so.2.0.10 libplain.so.2.0.0 libanonymous.la libdigestmd5.la libkerberos4.la libotp.la libplain.so.2.0.10 libanonymous.so libdigestmd5.so libkerberos4.so libotp.so libplain.so.2.0.13 libanonymous.so.2 libdigestmd5.so.2 libkerberos4.so.2 libotp.so.2 libsasldb.la libanonymous.so.2.0.0 libdigestmd5.so.2.0.13 libkerberos4.so.2.0.0 libotp.so.2.0.0 libsasldb.so libanonymous.so.2.0.10 libgssapiv2.la libkerberos4.so.2.0.10 libotp.so.2.0.10libsasldb.so.2 libanonymous.so.2.0.13 libgssapiv2.so liblogin.la libotp.so.2.0.13libsasldb.so.2.0.10 libcrammd5.la libgssapiv2.so.2liblogin.so libplain.la libsasldb.so.2.0.13 libcrammd5.so libgssapiv2.so.2.0.0liblogin.so.2 libplain.so

If I remove the sasl_mech_list line from the imapd.conf file DIGEST-MD5, CRAM-MD5, and OTP are also advertised:

var/log # telnet uni99map 143
Trying 152.1.4.242...
Connected to uni99map.unity.ncsu.edu.
Escape character is '^]'.
* OK uni99map.unity.ncsu.edu Cyrus IMAP4 v2.1.13 server ready
0 capability
* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS MUPDATE=mupdate://uni99map.unity.ncsu.edu/ AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=GSSAPI AUTH=KERBEROS_V4 AUTH=OTP LISTEXT LIST-SUBSCRIBED ANNOTATEMORE
0 OK Completed

But still no PLAIN. Here's a uname -a:

SunOS uni99map.unity.ncsu.edu 5.7 Generic_106541-15 sun4u sparc SUNW,Ultra-1

IMAP version is 2.1.13 (as in the capability response) and sasl is 2.1.13. Am I missing something here?

Regards, Earl Shannon
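The comparison made by hand in the message above, as an added example that is not part of the original post: it parses the two CAPABILITY responses and the imapd.conf lines quoted there and reports which configured SASL mechanisms are not advertised. Function and variable names are this example's own.

```python
"""Diff advertised SASL mechanisms against sasl_mech_list (added example)."""
import re

# Mechanisms that carry the password itself; worth flagging outside TLS.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

# imapd.conf lines quoted in the message above.
IMAPD_CONF = """\
sasl_pwcheck_method: saslauthd
sasl_saslauthd_path: /local/sasl/var/mux
sasl_mech_list: PLAIN GSSAPI KERBEROS_V4
allowplaintext: yes
"""
# The same file with sasl_mech_list removed (the poster's second test).
IMAPD_CONF_NO_LIST = "".join(
    l for l in IMAPD_CONF.splitlines(True) if not l.startswith("sasl_mech_list"))


def _capture(auth_atoms):
    """Rebuild one telnet capture from the message; only AUTH= atoms differ."""
    return ("* OK uni99map.unity.ncsu.edu Cyrus IMAP4 v2.1.13 server ready\n"
            "0 capability\n"
            "* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS "
            "NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND "
            "SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS "
            "MUPDATE=mupdate://uni99map.unity.ncsu.edu/ " + auth_atoms +
            " LISTEXT LIST-SUBSCRIBED ANNOTATEMORE\n"
            "0 OK Completed\n")


CAPTURE_WITH_LIST = _capture("AUTH=GSSAPI AUTH=KERBEROS_V4")
CAPTURE_NO_LIST = _capture(
    "AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=GSSAPI AUTH=KERBEROS_V4 AUTH=OTP")


def parse_imapd_conf(text):
    """Return {option: value} from 'option: value' lines, skipping comments."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            options[key.strip().lower()] = value.strip()
    return options


def parse_capability(transcript):
    """Collect AUTH= mechanisms and the STARTTLS atom from a session capture."""
    atoms = []
    for line in transcript.splitlines():
        m = re.match(r"\*\s+CAPABILITY\s+(.*)", line.strip(), re.IGNORECASE)
        if m:
            atoms.extend(a.upper() for a in m.group(1).split())
    return {"auth": {a[5:] for a in atoms if a.startswith("AUTH=")},
            "starttls": "STARTTLS" in atoms}


def audit(conf_text, transcript, inside_tls=False):
    """Compare the configured mechanism list with what the server advertised."""
    raw_list = parse_imapd_conf(conf_text).get("sasl_mech_list")
    configured = {m.upper() for m in raw_list.split()} if raw_list else None
    caps = parse_capability(transcript)
    advertised = caps["auth"]
    has_list = configured is not None
    return {
        "configured": sorted(configured) if has_list else None,
        "advertised": sorted(advertised),
        "configured_not_advertised": sorted(configured - advertised) if has_list else [],
        "advertised_not_configured": sorted(advertised - configured) if has_list else [],
        "cleartext_mechs_outside_tls": [] if inside_tls else sorted(advertised & CLEARTEXT_MECHS),
        "starttls_offered": caps["starttls"],
    }


if __name__ == "__main__":
    for conf, cap in ((IMAPD_CONF, CAPTURE_WITH_LIST),
                      (IMAPD_CONF_NO_LIST, CAPTURE_NO_LIST)):
        print(audit(conf, cap))
```

Both captures were taken over plain telnet before STARTTLS. A server may advertise a different capability list once TLS is active (RFC 3501, section 6.2.1), so the same comparison should also be run on a CAPABILITY response captured inside the TLS session.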
Re: wishlist for 2.2 final
Hello, We had a situation where it might have helped us if we had been able to suspend new IMAP connections while leaving lmtpd running. We learned that the shutdown message will stop ALL new connections if the shutdown file exists. Perhaps a separate shutdown file could exist for lmtp, imap, pop, sieve and other services that the master runs. My initial thoughts are to simply name the file in ../conf/msg something like shutdown.imap, ie. add the service name as a suffix and if a connection is attempted for that service make the appropriate response. Wishing away. Earl Shannon -- Systems Programmer, Unix Systems, Information Technology Division North Carolina State University ph: (919)-515-5480 http://www.earl.ncsu.edu
Re: strange quota problem...
Hello, Been here done this. The first place I would look is at the quota allotted to the folder. I'd bet real money that you haven't set a quota for the folder yet. Regards, Earl Shannon Andrzej Kwiatkowski wrote: I have installed postfix 2.0.7 with Cyrus Imapd 2.1.12. My problem is a bit strange.. I can send only one message for test account: for example after creating imap account: bash-2.05b# cat /isp/cyrus/var/imap/quota/t/user.test123 0 20971520 and when i send mail to this account : Mar 31 14:31:15 junak postfix/qmgr[50240]: 1BA027B0CE3: from=[EMAIL PROTECTED], size=488, nrcpt=1 (queue active) Mar 31 14:31:15 junak postfix/pipe[50697]: 1BA027B0CE3: to=[EMAIL PROTECTED], relay=cyrus, delay=0, status=sent (junak.mydomain.com) and then: bash-2.05b# cat /isp/cyrus/var/imap/quota/t/user.test123 673 20971520 and why i try to send second message: ar 31 14:32:14 junak postfix/qmgr[50240]: 182F27B0CE3: from=[EMAIL PROTECTED], size=488, nrcpt=1 (queue active) Mar 31 14:32:14 junak postfix/pipe[50697]: 182F27B0CE3: to=[EMAIL PROTECTED], relay=cyrus, delay=0, status=bounced (data format error. Command output: test123: Over quota Where i should look for error ?? Thanks in advance Andrzej Kwiatkowski
Re: Cyrus in shared-only setup with no user inboxes?
Hello,

We are in the process of setting up a machine just to do shared folders. There will be no user accounts on the machine. Their accounts are on other servers. We use kerberos for authentication, so once the ACL for their id is set up all they need to do is create the account in the client that they will use so that it accesses the correct machine, in addition to the machine where their regular inbox is. How you set up authentication may impact your ability to do this. We are using version 2.1.11 of cyrus.

Regards, Earl Shannon

Scott Balmos wrote:

Hi everyone, I remember reading a message like this back in the 1997 archives, but maybe (hopefully?) something's changed in the newer versions. I'm intending to use Cyrus and shared IMAP folders as a replacement for a currently-running private NNTP server for small-scale discussion groups. No problem, as I know how to do the Cyrus ACLs.

My question is if it is possible to run Cyrus without individual user inboxes, such that the users exist in the ACL database, but that's it. What functionality is lost by not giving users individual mailboxes? Is it possible to have a single shared user inbox, somehow hidden from the user, just so Cyrus is happy? Basically, I don't want to give people mailboxes in any form. They don't need them, and shouldn't have them at all.

I look forward to your responses. Thanks! -- Scott Balmos
Re: looking for Cyrus mail format documentation
Hello,

One of the disadvantages of using Cyrus might be that there is no API to the mail store other than the IMAP protocol. You simply cannot go mucking around the mail store with external programs without the potential to cause problems.

That said, mail is stored in directories that map onto folders and each message has its own file. Seems pretty straightforward until you realize that the file names and directories have metadata associated with them that the IMAP server process needs and maintains. One simply does not mkdir in someone's account and expect the corresponding folder to show up. Nor can you simply create a file with what appears to be an appropriate name and have the message show up in a folder.

Cyrus documentation calls the IMAP server a black box. This is defined to mean that the users do not have access to the account/data except through the well defined ( :-/ ) IMAP protocol. This black box concept also extends to a certain extent to the administrators of the servers.

Best way to learn something is through experience. Set up a server and look at how it does things. If you opt for compiling it yourself choose the flat file options for all the databases. This will leave the data in a format that is human readable, sorta, and you can figure out what is going on.

Regards, Earl Shannon

Phil Howard wrote:

A couple people have suggested to me that I use Cyrus-IMAP as opposed to Courier-IMAP, and have given some good arguments for that decision direction. However, I still have one show stopper for that switch: some external programs that work directly with the storage space of all the mail. Due to the nature of some of these programs, accessing that mail by means of the IMAP protocol or any delivery protocol is not an option.

What I want to examine at this point is the potential ease of converting those programs to work with the format Cyrus-IMAP stores its mail. Had Cyrus-IMAP used the Maildir format, this would be a simple unplug Courier and plugin Cyrus. The issue is not about converting existing messages (the transition will be done with all empty mailboxes). The issue is knowing the details of the format in its entirety.

I've looked around the web site and the source file tree and I find no documentation on this format. I have been told two different stories about references to other formats it is like. But then, I've also heard people tell me Cyrus-IMAP really does use Maildir format (and as far as I can see, that simply is not true). So basically, I'm asking if any documentation(s) exists which would describe (preferably in a standards style) just what the format is.

Please don't refer me to the source code, as I already have that, and I've never found that method to be a clean way to deal with all the issues (too often semantics are missed because the implementation doesn't push requirements to the edge). Documents in ASCII, HTML, or PDF preferred. I was also looking for documentation on SASL. That I found in the RFCs. That's the kind of thing I'm looking for regarding the file formats.
Re: looking for Cyrus mail format documentation
Hello, You are correct on all counts. I was simply trying to make a point, and IMAP is the major protocol used to access the mail store, at least it is here. Nor did I mean to imply that any server that one sets up to see how things worked should be a production machine. In fact, because one would be changing things to see how they affected clients, etc. I would expect it to be a test platform. But that does now beg the question. There must be some form of coordination between the various processes as they access the mail store. Can this not be abstracted out and put in an API to make it easier for people to write their own applications? I would venture a guess to say that the API already exists in some form, it just needs to be formalized and published. Regards, Earl Shannon Rob Siemborski wrote: On Fri, 31 Jan 2003, Earl R Shannon wrote: Cyrus documentation calls the IMAP server a black box. This is defined to mean that the users do not have access to the account/data except through the well defined ( :-/ ) IMAP protocol. This black box concept also extends to a certain extent to the administrators of the servers. Obviously the mail store access is not limited to the IMAP protocol, one can also use LMTP and POP3, and NNTP if you're using the 2.2 branch. There's also some utilities such as deliver that can let you do various things to the mail store. Best way to learn something is through experience. Set up a server and look at how it does things. If you opt for compiling it yourself choose the flat file options for all the databases. This will leave the data in a format that is human readable, sorta, and you can figure out what is going on. This is really only useful for educational purposes, not for actually running a mail store where other programs want direct access. The only way to accomplish the latter legitimately is to use the cyrus source directly.
Often times mailbox access semantics change slightly from version to version, and if you're not using all the same code (which assumes it is only dealing with one version of itself), then you can run into trouble. -Rob -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456 Research Systems Programmer * /usr/contributed Gatekeeper
Re: multiple cyruses via SAN
Hello, We would like to use a shared filesystem. With ALL the accounts on each server. Then we would use a load balancing package ( Resonate ) in front of the servers. Should one server fail the service would continue. [ASCII diagram: Network at the top, linked to ResonateMaster-ResonateSlave; each Resonate box is cross-connected to cyrusbox1 and cyrusbox2, and both cyrusboxes connect down to the San ( shared filesystem)] More cyrusboxes can be added to access the San and be linked back to the resonate boxes. This allows us to scale the service as necessary and provide redundancy in the event of a failure. If an imap server fails then the Resonate machines would not route ( bad choice of words perhaps but that's basically what Resonate does ) requests to it. So, each imap server must see the same filesystem and since one connection can come from one server to a mailbox and another from a different server some form of locking mechanism must be used to guarantee mutual exclusion. The big question as already asked is, Does a clustering file system that allows such file system sharing provide sufficient protection or would the application itself (in this case cyrus) need to be made aware that accesses to its data could be made by processes running on a different machine? We already do this with our web servers using AFS instead of a SAN. But the web servers deliver static data so doing this is very simple for them. No one's trying to write while the web servers are reading. Ken Murchison wrote: [EMAIL PROTECTED] wrote: Here is the idea: [ASCII diagram: CyrusBox1 and CyrusBox2 both connected to a single SAN] The questions are: 1) Can it be done without modifications to cyrus code? 2) if not, what has to be done 3) perhaps someone would like to do it for a reward in american presidents? What are you trying to accomplish with the SAN? Are you trying to have a shared filesystem, or just shared storage (each server has its own partition on the array)?
If you're just looking for shared storage, then Cyrus _should_ work as-is. If you're looking for a shared filesystem, then I think you want to look below the application layer to something like SGI's CXFS (Clustered XFS filesystem). Which president in particular? I'm partial to several Ben Franklins myself ;-) Ken -- Kenneth Murchison Oceana Matrix Ltd. Software Engineer 21 Princeton Place 716-662-8973 x26 Orchard Park, NY 14127 --PGP Public Key--http://www.oceana.com/~ken/ksm.pgp
Re: multiple cyruses via SAN
Hello, Actually, there is no SAN server. The SAN is to be implemented with fiber channel devices. The imap servers will have a fiber channel interface which is connected to a fiber channel switch. Also connected to the fiber channel switches are the RAID units with the actual storage. As for the load balancing, we have been using it for a while and are quite comfortable with what it does and how it works. And why have partner IMAP servers replicating work when having one machine do the work and the other see it immediately. In other words, the shared file system implemented on top of the SAN ( shared file system does not equal SAN ) sorta does the replication. In a very real sense you have one hard disk mounted on two machines. Once one does the file system update the other can see it. The trick is, and hence my question, how does one handle access to prevent corruption. Is cyrus written so that what the shared file system provides is sufficient, or does the application need to be made aware of the possibility of two processes on two different machines writing to the one disk? And yes, we need to have more than one imap server. I drew the picture below only showing two because that was easy in ASCII. In reality we will probably have at least four. Each being managed by the Resonate load balancing service and all connected to the same shared file system. Regards, Earl Shannon -- Systems Programmer, Computing Services, Information Technology NC State University. http://www4.ncsu.edu/~ershanno Sean Witham wrote: Earl R Shannon wrote: Hello, We would like to use a shared filesystem. With ALL the accounts on each server. Then we would use a load balancing package ( Resonate ) in front of the servers. Should one server fail the service would continue.
[ASCII diagram: Network at the top, linked to ResonateMaster-ResonateSlave; each Resonate box is cross-connected to cyrusbox1 and cyrusbox2, and both cyrusboxes connect down to the San ( shared filesystem)] When you look at that you have to ask if the San server and the load balancer are reliable enough to justify two cyrus servers or if you would be better off with just one cyrus server? What you really want is a cyrus (or similar server) that can replicate updates between two partner servers. Or is your san really a virtual server that consists of a cluster of replicating units? --Sean -- Systems Programmer, Computing Services, Information Technology NC State University. http://www4.ncsu.edu/~ershanno
Re: troubleshooting sieve
Hello, You have found what may be the biggest problems with free software. Documentation and Support. Sysadmins such as myself must take these issues into account when deciding upon a platform to use for delivery of services such as email. Using a package such as Cyrus requires a somewhat higher level of knowledge. Quite frankly, if I were to believe the test programs included with cyrus my setup would not be working ( but it is ). Documentation is sadly the last thing that gets done. We here constantly bemoan that fact about our own internal projects, but the problem remains. Once a working service is in place writing down what you did to get it working gets pre-empted by trying to get something else working. All I can say is keep prodding. If you don't get an answer from the list it's generally because no one knows the answer. Don't let this stop you from asking though, or digging through the list archive. I've found help on the list myself for a couple of problems. Since I've not used any other IMAP servers I can't compare them to Cyrus. However, Cyrus has worked well for us. We currently have four machines with over five thousand accounts on three of the machines. Our biggest problem is getting a satisfactory turnaround on restoration requests. We have a new backup/restore product we hope to implement soon which we believe will help. We have had other problems to be sure, but frankly, you will have problems with any software. I would say that the people at CMU have done a good job. I do hope though that they listen to your comments and those of others with similar concerns. Regards, Earl Shannon -- Systems Programmer, Computing Services, Information Technology NC State University. http://www4.ncsu.edu/~ershanno Erik Steffl wrote: cyrus and related programs are some of the hardest programs to troubleshoot I ever encountered. I read the docs, asked on the mailing list (this one) etc. but it seems like there's simply no way to tell what's going on.
I enabled all the logging, I even tried test (from sieve directory of cyrus source tree). how do people cope with that? I see cyrus being recommended as one of the best imap servers (and when it works it works, I didn't have any troubles) but to set it up or do any changes is basically impossible. e.g. this time I changed the sieve script, made a typo and it didn't work, all I've got is the following message: Feb 1 00:30:13 localhost deliver[23370]: sieve runtime error for erik id bgISrC.A.pyC.YElW8@murphy: Fileinto: Mailbox does not exist indicates what's going on but is not particularly helpful. it doesn't say where it tries to deliver the message. another example: I ran test (from sieve subtree) and changed the order of script and test message (my fault), but all it says is: line 1: parse error. WTF? so I started a debugger but I couldn't get to where the error actually occurs (it was in yyparse for which there is no source). I solved the problem but it was extremely unpleasant, made worse by the fact that program could have easily provided all the important info (I also had number of other similar troubles, including inability of using any other authentication method but sasl_pwcheck_method: sasldb, I haven't solved that one yet). Q: how do other people cope with troubleshooting problems of cyrus (and mainly sieve)? Are there any tools that I am not aware of? Is it getting better (the above is with older cyrus/sieve (test is from 2.0.16, real sieve from 1.6.x, but says 2.0 in X-sieve header))? TIA! erik
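An added example, not part of the original messages or of Cyrus itself: the log line quoted above names the user but not the mailbox that fileinto failed on, so this code parses such lines and compares the fileinto targets in that user's script with the mailboxes the user has. The sieve script, the mailbox list and the second and third log lines are constructed, and comparing names exactly as the user would see them in lm is an assumption.

```python
import re

# Matches the deliver log line quoted in the post; "<>" around the id is optional.
ERROR_RE = re.compile(
    r"(?P<prog>\S+)\[(?P<pid>\d+)\]: sieve runtime error for (?P<user>\S+) "
    r"id <?(?P<msgid>[^>\s]+?)>?: (?P<action>[^:]+): (?P<reason>.*)$")
# Sieve tokens that matter here: comments, quoted strings, :tags, bare words.
TOKEN_RE = re.compile(r'''
    (?P<comment> \#[^\n]* | /\*.*?\*/ )
  | (?P<string>  "(?:\\.|[^"\\])*" )
  | (?P<tag>     :\w+ )
  | (?P<word>    [A-Za-z_]\w* )
''', re.X | re.S)

def parse_sieve_errors(log_text):
    """Return one dict per 'sieve runtime error' line; other lines are skipped."""
    hits = (ERROR_RE.search(line) for line in log_text.splitlines())
    return [m.groupdict() for m in hits if m]

def fileinto_targets(script):
    """Mailbox argument of every fileinto action (base form: fileinto "name";)."""
    targets, want = [], False
    for tok in TOKEN_RE.finditer(script):
        kind, text = tok.lastgroup, tok.group()
        if kind == "word":          # a string or comment never sets the flag
            want = text.lower() == "fileinto"
        elif kind == "string" and want:
            targets.append(re.sub(r"\\(.)", r"\1", text[1:-1], flags=re.S))
            want = False
    return targets

def diagnose(log_text, scripts, mailboxes):
    """Map each user with a 'Mailbox does not exist' error to the bad targets."""
    report = {}
    for err in parse_sieve_errors(log_text):
        user = err["user"]
        if err["reason"] != "Mailbox does not exist" or user not in scripts:
            continue
        known = set(mailboxes.get(user, []))  # assumption: exact name comparison
        report[user] = [t for t in fileinto_targets(scripts[user]) if t not in known]
    return report

# Constructed sample data; only the first log line comes from the post.
SAMPLE_LOG = """\
Feb  1 00:30:13 localhost deliver[23370]: sieve runtime error for erik id bgISrC.A.pyC.YElW8@murphy: Fileinto: Mailbox does not exist
Feb  1 00:31:02 localhost deliver[23371]: sieve runtime error for hans id <constructed-1@example.test>: Fileinto: Mailbox does not exist
Feb  1 00:36:00 localhost lmtpd[23400]: accepted connection
"""
SCRIPTS = {"erik": '''require "fileinto";
# fileinto "INBOX.old";
if header :contains "List-Id" "info-cyrus" { fileinto "INBOX.lists.cyrsu"; }
if header :contains "Subject" "fileinto" { fileinto "INBOX.Sent"; }
'''}
MAILBOXES = {"erik": ["INBOX", "INBOX.Sent", "INBOX.lists.cyrus"]}
if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SCRIPTS, MAILBOXES))
```

Tagged arguments that take a value of their own (from later sieve extensions) are outside what this tokenizer handles.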
Re: Using Cyrus imapd with AFS + KRB5 + krb524d ?
Hello, We use AFS but do not have it doing anything for IMAP. Our authentication scheme sounds just like what you want to do however. I've only recently got something to compile and it looks like it will work, but it hasn't been tested extensively yet. Are you putting the user folders in AFS? One of my coworkers has read that may not be a good idea. The I/O throughput is limited by AFS. We have separate raid units for each server. Our biggest problem now is the number of users we have allowed to accumulate on each server and backing them up. We are looking at moving to a SAN to alleviate both problems and to make it easier to bring a server up to replace one with problems. You are correct in that the conflict between openssl and kerberos is a problem. I believe CMU's current plan is to let the OpenSSL project change their conflicting names. Until then I found some information on the list archive from a programmer at Duke who has hacked the kerberos stuff a little bit to provide a compilable source tree. If you can't find his directions in the archive let me know. I'll see if I still have them laying around. You will need to use saslauthd to get things to work and include kerberosIV as an authentication mechanism. You may also need to make some changes in the source tree if CMU has not made them yet, depending upon your target platform. I am on Solaris 2.6. I have no confirmation but believe anything newer will be ok without any mods. As for sasl, everything I read says I have included 5, but it does not show up when doing saslauthd -v. We are able to authenticate using the kerberos4 mechanism. Please let me know how things go for you. As they say, misery loves company. Regards, Earl Shannon -- Systems Programmer, Computing Services, Information Technology NC State University. 
http://www4.ncsu.edu/~ershanno Adam Thornton wrote: Here's my situation: I want to use Cyrus imapd to handle mail in AFS space; I'm using OpenAFS 1.2.2, which is roughly equivalent to Transarc 3.6. I'd like to have Cyrus use the pts server for its ACLs, since I already have working ACLs and it makes my life a lot easier. I also have no reason to keep my users in /etc/passwd, since I'll be spreading mail across a bunch of machines, so I really want to authenticate against Kerberos, not /etc/passwd. The principals all look like v4 principals (because they're intended for use with AFS), but they really do live in K5 space: I'm not really running Kerberos IV; instead I'm using MIT krb5 1.2.2, and using the MIT krb524d to convert tickets. All that works fine. I was able to convince SASL-2.1.0 to build against the KerberosIV libraries, but not saslauthd, largely (I think) because the des.h in K4 gets along extremely poorly with the des.h in OpenSSL. Once I turn to imapd itself, I can more or less bully things into compiling, except for ipop3d, which gets upset over the krb.h in /usr/local/include/kerberosIV. My question is: is there anyone else out there using Cyrus imapd in conjunction with user homes and folders in AFS-space, and if so, is there anybody doing this with a krb5 implementation, rather than v4, under the covers? Am I even on the right track with what I'm trying to do? Adam