Re: thunderbird sieve certificate issues
Hi Marc,

it's a Thunderbird Sieve problem, again. Let me guess: your Sieve supports 'LOGIN' and 'PLAIN' and maybe some other authentication protocols. 'Thunderbird Sieve' says it supports 'LOGIN' and 'PLAIN' as well. Unfortunately the 'LOGIN' code in 1.4 of Thunderbird Sieve is full of bugs! You have to use 'PLAIN'! There are two possibilities (I don't think you want to change your Sieve daemon) to do so.

1) Download the current Thunderbird Sieve CVS; in the Settings tab you can set the protocol.

2) Go into the 'SieveFilterExplorer.js' file and comment out the 'case' statement beginning at line 24:

    // case login:
    //   request = new SieveSaslLoginRequest();
    //   request.addSaslLoginListener(event);
    //   break;

I'm using Sieve 1.4 CVS now but currently facing a little issue. I think I'll fix it tonight (CET). If you want I can send you the 1.4 CVS xpi file.

Cheers
Roland

Marc Grober wrote:
> Yes, that got rid of the challenge, so now I am back to the same error and it sits there saying connecting. I am missing something that has to be very simple in making the connection to sieve, whether it is the TLS negotiation or something else I don't know.
>
> Roland Felnhofer wrote:
>> Hi Marc,
>>
>> again; here the essence to get rid of the dialog:
>>
>>     user_pref("security.default_personal_cert", "Select Automatically");

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: thunderbird sieve certificate issues
Hi Marc,

read this: http://forums.mozillazine.org/viewtopic.php?p=3359473

Best regards
Roland

Marc Grober wrote:
> I have the Thunderbird sieve extension connecting to my mail server, but the extension then advises that the server is requiring a certificate. Though I have a number of Thawte email certs, none of them will of course be accepted, and the extension says it is unable to establish an encrypted connection. What is causing this and what can I do about it? Is the server looking for a public key? Is anyone who has this running also being asked for a cert? I looked and played with OCSP, and it seems I can get the server to quit asking for a cert, but then it just hangs there saying Connecting. Is the certificate just a red herring?
Re: thunderbird sieve certificate issues
Hi Marc,

again; here the essence to get rid of the dialog:

    user_pref("security.default_personal_cert", "Select Automatically");

The value is Case Sensitive!!!

Best regards
Roland

Marc Grober wrote:
> I have the Thunderbird sieve extension connecting to my mail server, but the extension then advises that the server is requiring a certificate. Though I have a number of Thawte email certs, none of them will of course be accepted, and the extension says it is unable to establish an encrypted connection. What is causing this and what can I do about it? Is the server looking for a public key? Is anyone who has this running also being asked for a cert? I looked and played with OCSP, and it seems I can get the server to quit asking for a cert, but then it just hangs there saying Connecting. Is the certificate just a red herring?
Re: Cyrus2.2 with IMAPS/SASLauthd not working
Hi Holger,

what does the output of ps aux | grep saslauthd look like? It should look like:

    /usr/sbin/saslauthd -a ldap

and NOT:

    /usr/sbin/saslauthd -a pam

Best regards
Roland

FreiNet Technik wrote:
> Roland Felnhofer wrote:
>> Hi Holger,
>>
>> Are you using Thunderbird?
>
> Hello Roland,
>
> I use several clients, but with Thunderbird I do most of the tests. I already tried all possible combinations of secure authentication and TLS settings, but nothing works.
>
> Regards,
> Holger
Re: Cyrus2.2 with IMAPS/SASLauthd not working
Hi Holger,

your problem is saslauthd related - I think so. You have two ways of authenticating Cyrus IMAP against LDAP: either via 'saslauthd -a ldap'

    sasl_pwcheck_method: saslauthd

or directly

    sasl_pwcheck_method: auxprop
    sasl_auxprop_plugin: ldapdb

If you ask what I recommend - sorry, I've only used 'saslauthd -a ldap' so far. Maybe someone else could give good advice.

Best regards
Roland

PS: If the hints from my last mail do not work, try to comment out 'ldap_mech: DIGEST_MD5' as well.

/etc/saslauthd.conf:

    ldap_servers: ldaps://ds1.example.net
    ldap_search_base: dc=example,dc=net
    # ldap_mech: DIGEST_MD5

Check if one/both work:

    ldapsearch -H ldaps://ds1.example.net -U username -w password -Y DIGEST-MD5
    ldapsearch -H ldaps://ds1.example.net -U username -w password -x

FreiNet Technik wrote:
> Roland Felnhofer wrote:
>> Hi Holger,
>>
>> Are you using Thunderbird?
>
> Hello Roland,
>
> I use several clients, but with Thunderbird I do most of the tests. I already tried all possible combinations of secure authentication and TLS settings, but nothing works.
>
> Regards,
> Holger
Re: problems with tls/ssl
Hi Philippe,

you should have something like this in your syslog.conf:

    #
    # For Cyrus IMAP
    #
    local6.debug    -/var/log/imapd.log

Please check that 'local6' is set to 'info' or better 'debug'. Then try again and check your log file if there is more information.

Best regards
Roland

Philippe Trolliet wrote:
> hi,
>
> when I try to change the ssl/tls certificates I get an error in maillog with the following message:
>
>     Fatal error: tls_start_servertls() failed
>
> here my cyrus config:
>
>     ...
>     tls_cert_file: /etc/pki/cyrus-imapd/newcert.pem
>     tls_key_file: /etc/pki/cyrus-imapd/newreq.pem
>     tls_ca_file: /etc/pki/cyrus-imapd/cacert.pem
>     ...
>
> I used this howto to set up my own CA: http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html
>
> For the first time ssl worked just over imap. After a while my pop3s worked too, but before that I got the above error message. Now I get the same error messages with a new certificate. Both don't work, imaps and pop3s. What's going on?
>
> regards
> philippe
Re: problems with tls/ssl
Hi Philippe,

I just rushed through the how-to and your certs and keys should be ok - nonetheless it still irritates me that the request file and the key are in one file ('newreq.pem'). I recommend increasing the debug level of cyrus (I don't know by heart how to do it, but it should be quite easy to find out). It would help if the logs were more detailed.

I'll be out for one week of vacation, so don't worry if I don't respond immediately.

Best regards
Roland

Philippe Trolliet wrote:
> hi,
>
> when I try to change the ssl/tls certificates I get an error in maillog with the following message:
>
>     Fatal error: tls_start_servertls() failed
>
> here my cyrus config:
>
>     ...
>     tls_cert_file: /etc/pki/cyrus-imapd/newcert.pem
>     tls_key_file: /etc/pki/cyrus-imapd/newreq.pem
>     tls_ca_file: /etc/pki/cyrus-imapd/cacert.pem
>     ...
>
> I used this howto to set up my own CA: http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html
>
> For the first time ssl worked just over imap. After a while my pop3s worked too, but before that I got the above error message. Now I get the same error messages with a new certificate. Both don't work, imaps and pop3s. What's going on?
>
> regards
> philippe
Re: Cyrus + TLS problem
Hi Jools,

hmmm...

    tls_ca_file: /var/lib/imap/server.pem
    tls_cert_file: /var/lib/imap/server.pem
    tls_key_file: /var/lib/imap/server.pem

you have everything (CA cert, server cert and server key) in one file. It could easily be that that is fine for cyrus, but it might be an easy test to split its content up into 3 individual files and check if your problems are gone.

Best regards
Roland

Julian Pilfold-Bagwell wrote:
> Hi All,
>
> I'm configuring a mail server using Postfix and Cyrus-Imap on Mandriva 2007 spring and am having a hell of a time getting it to run in imaps secure mode, although it works fine in unsecure imap mode. I've generated certificates for the Cyrus imap installation and have copied them into a folder in /var. su'ing to user cyrus allows me to cat the certificates in their directory, so I know it's not a permissions thing, but whenever I try to log in from a remote machine I get the following in /var/log/mail/info:
>
>     Aug 19 10:45:18 webhost cyrus-master[11589]: process 11596 exited, status 0
>     Aug 19 10:45:18 webhost cyrus-master[11606]: about to exec /usr/lib/cyrus-imapd/imapd
>     Aug 19 10:45:18 webhost imap[11606]: executed
>     Aug 19 10:45:18 webhost cyrus-master[11607]: about to exec /usr/lib/cyrus-imapd/pop3d
>     Aug 19 10:45:18 webhost pop3[11607]: executed
>     Aug 19 10:45:18 webhost cyrus-master[11608]: about to exec /usr/lib/cyrus-imapd/imapd
>     Aug 19 10:45:18 webhost cyrus-master[11609]: about to exec /usr/lib/cyrus-imapd/pop3d
>     Aug 19 10:45:18 webhost imap[11608]: executed
>     Aug 19 10:45:18 webhost pop3[11609]: executed
>     Aug 19 10:45:20 webhost cyrus-master[11610]: about to exec /usr/lib/cyrus-imapd/imapd
>     Aug 19 10:45:20 webhost imap[11610]: executed
>     Aug 19 10:45:20 webhost cyrus-master[11611]: about to exec /usr/lib/cyrus-imapd/imapd
>     Aug 19 10:45:20 webhost cyrus-master[11612]: about to exec /usr/lib/cyrus-imapd/imapd
>     Aug 19 10:45:20 webhost imap[11611]: executed
>     Aug 19 10:45:20 webhost imap[11612]: executed
>     Aug 19 10:45:20 webhost cyrus-master[11613]: about to exec /usr/lib/cyrus-imapd/pop3d
>     Aug 19 10:45:20 webhost pop3[11613]: executed
>     Aug 19 10:45:20 webhost cyrus-master[11614]: about to exec /usr/lib/cyrus-imapd/imapd
>     Aug 19 10:45:20 webhost imap[11614]: executed
>     Aug 19 10:45:20 webhost cyrus-master[11615]: about to exec /usr/lib/cyrus-imapd/imapd
>     Aug 19 10:45:20 webhost cyrus-master[11616]: about to exec /usr/lib/cyrus-imapd/imapd
>     Aug 19 10:45:20 webhost imap[11616]: executed
>     Aug 19 10:45:20 webhost cyrus-master[11617]: about to exec /usr/lib/cyrus-imapd/pop3d
>     Aug 19 10:45:20 webhost pop3[11617]: executed
>     Aug 19 10:45:20 webhost imap[11615]: executed
>     Aug 19 10:45:46 webhost imap[11602]: accepted connection
>     Aug 19 10:45:46 webhost cyrus-master[11618]: about to exec /usr/lib/cyrus-imapd/imapd
>     Aug 19 10:45:46 webhost imap[11618]: executed
>     Aug 19 10:46:06 webhost imaps[11603]: accepted connection
>     Aug 19 10:46:06 webhost cyrus-master[11628]: about to exec /usr/lib/cyrus-imapd/imapd
>     Aug 19 10:46:06 webhost imaps[11628]: executed
>     Aug 19 10:47:03 webhost cyrus-master[11589]: process 11602 exited, status 0
>     Aug 19 10:47:46 webhost imaps[11603]: imaps TLS negotiation failed: [172.20.0.212]
>     Aug 19 10:47:46 webhost cyrus-master[11589]: process 11603 exited, status 75
>     Aug 19 10:47:46 webhost cyrus-master[11589]: service imaps pid 11603 in BUSY state: terminated abnormally
>
> It sounds like it's hanging on trying to load the SSL cert, but I can't see any reason why it wouldn't be able to if I can cat the cert file as user cyrus. imap conf file as follows:
>
>     configdirectory: /var/lib/imap
>     partition-default: /var/spool/imap
>     admins: cyrus
>     allowanonymouslogin: no
>     sieveusehomedir: no
>     sievedir: /var/lib/imap/sieve
>     sendmail: /usr/sbin/sendmail
>     hashimapspool: true
>     sasl_pwcheck_method: saslauthd
>     sasl_mech_list: PLAIN
>     tls_ca_file: /var/lib/imap/server.pem
>     tls_cert_file: /var/lib/imap/server.pem
>     tls_key_file: /var/lib/imap/server.pem
>
> Any help gratefully appreciated.
>
> Cheers,
> Jools
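Roland's suggestion above is to split the combined server.pem into separate CA, certificate and key files, and Philippe's setup earlier in the thread has a related shape (a certificate request and a key sharing newreq.pem). The script below is an added example, not code from the thread, from Cyrus or from OpenSSL: it splits a PEM bundle by block label, writes the private key with owner-only permissions, treats the first CERTIFICATE block as the server certificate and any later ones as the CA chain (an assumption about bundle ordering), and reports block types it does not use, such as CERTIFICATE REQUEST. The sample bundle is constructed, its bodies are placeholder base64 rather than real key material, and the output file names are my choice.

```python
"""Split a combined PEM bundle (CA cert + server cert + private key) into files.

Added example for this thread, not Cyrus or OpenSSL code. It goes by PEM block
labels only, not X.509 contents, and assumes the usual bundle ordering: the
first CERTIFICATE block is the server certificate, later ones are the CA chain.
"""
import os
import re
import stat
import tempfile
from typing import Any, Dict, List, Tuple

# One PEM block: "-----BEGIN label-----", base64 body, "-----END label-----" (same label).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

# Constructed sample bundle: the bodies are placeholder base64, not real key material.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0VSVkVSIENFUlQgLSBOT1QgQSBSRUFMIENFUlRJRklDQVRF
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQgS0VZIC0gTk9UIEEgUkVBTCBLRVk=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
Q09OU1RSVUNURUQgQ1NSIC0gTk9UIEEgUkVBTCBSRVFVRVNU
-----END CERTIFICATE REQUEST-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgQ0EgQ0VSVCAtIE5PVCBBIFJFQUwgQ0VSVElGSUNBVEU=
-----END CERTIFICATE-----
"""


def split_pem(text: str) -> List[Tuple[str, str]]:
    """Return (label, complete block text) pairs in file order."""
    return [(m.group(1), m.group(0) + "\n") for m in PEM_BLOCK.finditer(text)]


def classify(blocks: List[Tuple[str, str]]) -> Dict[str, Any]:
    """Sort blocks into exactly one key, one server cert, and zero or more CA certs."""
    keys = [blk for label, blk in blocks if label in KEY_LABELS]
    certs = [blk for label, blk in blocks if label == "CERTIFICATE"]
    ignored = [label for label, _ in blocks if label not in KEY_LABELS and label != "CERTIFICATE"]
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key block, found {len(keys)}")
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    return {"key": keys[0], "cert": certs[0], "ca": certs[1:], "ignored": ignored}


def write_split(bundle_path: str, outdir: str) -> Dict[str, str]:
    """Write server.key (mode 0600), server.crt and ca.crt under outdir; return their paths."""
    with open(bundle_path, "r", encoding="ascii") as fh:
        parts = classify(split_pem(fh.read()))
    os.makedirs(outdir, exist_ok=True)
    paths = {name: os.path.join(outdir, fname)
             for name, fname in (("key", "server.key"), ("cert", "server.crt"), ("ca", "ca.crt"))}
    # The key is created owner-read/write only; the chmod afterwards defeats a permissive umask.
    fd = os.open(paths["key"], os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="ascii") as fh:
        fh.write(parts["key"])
    os.chmod(paths["key"], 0o600)
    with open(paths["cert"], "w", encoding="ascii") as fh:
        fh.write(parts["cert"])
    with open(paths["ca"], "w", encoding="ascii") as fh:
        fh.write("".join(parts["ca"]))
    return paths


def demo() -> Dict[str, Any]:
    """Split the constructed bundle in a temp dir and report what came out."""
    workdir = tempfile.mkdtemp(prefix="pemsplit-")
    bundle = os.path.join(workdir, "server.pem")
    with open(bundle, "w", encoding="ascii") as fh:
        fh.write(SAMPLE_BUNDLE)
    paths = write_split(bundle, os.path.join(workdir, "split"))
    with open(paths["ca"], encoding="ascii") as fh:
        ca_certs = fh.read().count("-----BEGIN CERTIFICATE-----")
    return {
        "paths": paths,
        "ca_certs": ca_certs,
        "key_mode": stat.S_IMODE(os.stat(paths["key"]).st_mode),
        "ignored": classify(split_pem(SAMPLE_BUNDLE))["ignored"],
    }


if __name__ == "__main__":
    print(demo())
```

After splitting, point tls_key_file at server.key, tls_cert_file at server.crt and tls_ca_file at ca.crt, and make sure the key file is owned by the user the Cyrus services run as; a stray CERTIFICATE REQUEST block in the list of ignored labels is the sign that a request file was reused as a key file.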
Re: Global sieve scripts and spamfolders/bb
Hi Janne,

partially answering your question: My sieve admin is cyrus. He owns the global cyrus scripts. Change these scripts as user cyrus. (I'm using 'Websieve')

My config/setup:

imapd.conf

    ...
    sieve_extensions: fileinto reject vacation imapflags notify include envelope body relational regex subaddress copy
    ...

    #
    # global sieve file "spam"
    #
    require ["fileinto"];
    if allof (header :contains "X-Spam-Flag" "YES") {
        fileinto "INBOX.Junk";
    }

    #
    # private user sieve script
    #
    require ["include"];
    include :global "spam";

More info: http://www.mvmf.org/docs/draft-daboo-sieve-include-02.txt

Best regards
Roland

Janne Peltonen wrote:
> Hi!
>
> If the way to use sieve with bbs is sieve scripts in the global namespace, I was wondering whether there was any way to determine the destination mailbox based on the incoming address. That is: We'd like to create /one/ global spam-filtering script, which the BB owners could register their BB to use. At the same time, we'd like the email classified as spam to end up somewhere the BB owners could read them - so as to detect false positives. And we'd like that only the owners of the BB could read the spam sent to that BB's address. So spam that's coming to 'bb' should get filtered to, say, 'bb.spam', and spam coming to 'bb2' should get filtered to 'bb2.spam'.
>
> If this isn't possible without a sieve-script-per-bb, is there a way to allow normal users to (safely) add global sieve scripts? Or is the only way to go to (automatically) create a new global sieve script every time a new bb is created?
>
> Thanks.
>
> --Janne
Re: Global sieve scripts and spamfolders/bb
Sorry, here is a newer version: http://tools.ietf.org/html/draft-daboo-sieve-include-05

Best regards
Roland

Roland Felnhofer wrote:
> Hi Janne,
>
> partially answering your question: My sieve admin is cyrus. He owns the global cyrus scripts. Change these scripts as user cyrus. (I'm using 'Websieve')
>
> My config/setup:
>
> imapd.conf
>
>     ...
>     sieve_extensions: fileinto reject vacation imapflags notify include envelope body relational regex subaddress copy
>     ...
>
>     #
>     # global sieve file "spam"
>     #
>     require ["fileinto"];
>     if allof (header :contains "X-Spam-Flag" "YES") {
>         fileinto "INBOX.Junk";
>     }
>
>     #
>     # private user sieve script
>     #
>     require ["include"];
>     include :global "spam";
>
> More info: http://www.mvmf.org/docs/draft-daboo-sieve-include-02.txt
>
> Best regards
> Roland
>
> Janne Peltonen wrote:
>> Hi!
>>
>> If the way to use sieve with bbs is sieve scripts in the global namespace, I was wondering whether there was any way to determine the destination mailbox based on the incoming address. That is: We'd like to create /one/ global spam-filtering script, which the BB owners could register their BB to use. At the same time, we'd like the email classified as spam to end up somewhere the BB owners could read them - so as to detect false positives. And we'd like that only the owners of the BB could read the spam sent to that BB's address. So spam that's coming to 'bb' should get filtered to, say, 'bb.spam', and spam coming to 'bb2' should get filtered to 'bb2.spam'.
>>
>> If this isn't possible without a sieve-script-per-bb, is there a way to allow normal users to (safely) add global sieve scripts? Or is the only way to go to (automatically) create a new global sieve script every time a new bb is created?
>>
>> Thanks.
>>
>> --Janne
Re: disallow bind_anon creates problem in cyrus
Hi,

FIRST: Please buy a Linux book and read it!!

http://www.oreilly.com/catalog/runlinux5/inx.html
http://www.oreilly.com/catalog/linuxss2/inx.html
http://www.oreilly.com/catalog/linuxckbk/inx.html
http://www.oreilly.com/catalog/esapr/inx.html
http://www.oreilly.com/catalog/linag3/inx.html

> But my saslauthd is configured to support both pam and ldap

Hint: Actually saslauthd does not support PAM and LDAP as a provider; it's a user of these services as its authentication source. Where PAM again uses other sources as its authentication source (passwd, shadow, LDAP, ...). To find out what I meant with that and how it affects you, consult the books I recommended to buy.

Best regards
Roland

JOYDEEP wrote:
> Roland Felnhofer wrote:
>> Hi,
>>
>> hmm, let me guess - you are running saslauthd with -a PAM?! Try running it
>>
>>     /usr/sbin/saslauthd -a ldap
>>
>> no need (with a more or less up-to-date version of saslauthd) to do it via PAM - use LDAP directly. Less layers, less potential problems.
>>
>> What log entry and result do you get by executing:
>>
>>     ldapsearch -x -b ou=Users,dc=kolkatainfoservices,dc=in -D cn=Manager,dc=kolkatainfoservices,dc=in -w secret uid=aftab
>
> Dear friend Roland,
>
> Thanks a lot for pointing out the problem. With *disallow bind_anon* I can successfully log in by executing */usr/sbin/saslauthd -a ldap*. Thanks a lot.
>
> But my saslauthd is configured to support both pam and ldap. It is required to access cyrus admin as it is based on pam. You can check my /etc/pam.d/imap -
>
>     auth     sufficient  /lib/security/pam_ldap.so
>     auth     required    /lib/security/pam_unix.so try_first_pass
>     account  sufficient  /lib/security/pam_ldap.so
>     account  required    /lib/security/pam_unix.so
>
> So based on this configuration both pam and ldap authentication is working, except the *disallow bind_anon* in cyrus. But *disallow bind_anon* is working well with my present config with ldapsearch. So I have to fix this cyrus issue here. Could you suggest any alternative please?
>
> thanks and have a great day.
>
>> Best regards
>> Roland
>>
>> JOYDEEP wrote:
>>> Roland Felnhofer wrote:
>>>> Hi,
>>>>
>>>> that should give you a hint:
>>>>
>>>> saslauthd.conf
>>>>
>>>>     ldap_servers: ldap://127.0.0.1
>>>>     ldap_search_base: ou=people,dc=example,dc=com
>>>>     ldap_bind_dn: cn=proxyagent,ou=special_users,dc=example,dc=com
>>>>     ldap_password: password
>>>>     ldap_scope: one
>>>>     ldap_uidattr: uid
>>>>     ldap_filter_mode: yes
>>>>     ldap_filter: uid=%u
>>>>
>>>> The first 4 (ldap_servers, ldap_search_base, ldap_bind_dn, ldap_password) should be sufficient.
>>>
>>> Dear Roland,
>>>
>>> thanks for your response. I already have the following entries in my saslauthd.conf -
>>>
>>>     ldap_servers: ldap://localhost:389
>>>     ldap_bind_dn: cn=Manager,dc=kolkatainfoservices,dc=in
>>>     ldap_bind_pw: secret
>>>     ldap_search_base: ou=Users,dc=kolkatainfoservices,dc=in
>>>     ldap_version: 3
>>>     ldap_filter: uid=%U
>>>     ldap_default_domain: kolkatainfoservices.in
>>>
>>> But having a problem with *disallow bind_anon*. I have also checked the settings you have suggested like ldap_scope: one, ldap_uidattr: uid, ldap_filter_mode: yes, but no success yet.
>>>
>>> Executing cyradm with a valid user (in LDAP) and password reports:
>>>
>>>     Mar 20 14:52:06 linux slapd[20480]: conn=1 fd=13 ACCEPT from IP=127.0.0.1:34512 (IP=0.0.0.0:389)
>>>     Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 BIND dn= method=128
>>>     Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 RESULT tag=97 err=0 text=
>>>     Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SRCH base=ou=Users,dc=kolkatainfoservices,dc=in scope=2 deref=0 filter=(uid=aftab)
>>>     Mar 20 14:52:06 linux slapd[20480]: = bdb_equality_candidates: (uid) index_param failed (18)
>>>     Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
>>>     Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 BIND dn=uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in method=128
>>>     Mar 20 14:52:06 linux saslauthd[19448]: pam_ldap: error trying to bind as user uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in (Invalid credentials)
>>>     Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 RESULT tag=97 err=49 text=
>>>     Mar 20 14:52:06 linux slapd[20480]: conn=1 op=3 BIND dn= method=128
>>>     Mar 20 14:52:06 linux saslauthd[19448]: do_auth : auth failure: [user=aftab] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
>>>     Mar 20 14:52:06 linux imap[20519]: badlogin: linux.kolkatainfoservices.in [127.0.0.1] plaintext aftab SASL(-13): authentication failure: checkpass failed
Re: disallow bind_anon creates problem in cyrus
Hi,

that should give you a hint:

saslauthd.conf

    ldap_servers: ldap://127.0.0.1
    ldap_search_base: ou=people,dc=example,dc=com
    ldap_bind_dn: cn=proxyagent,ou=special_users,dc=example,dc=com
    ldap_password: password
    ldap_scope: one
    ldap_uidattr: uid
    ldap_filter_mode: yes
    ldap_filter: uid=%u

The first 4 (ldap_servers, ldap_search_base, ldap_bind_dn, ldap_password) should be sufficient.

Best regards
Roland

JOYDEEP wrote:
> Dear list,
>
> to secure my ldap server I have added the line disallow bind_anon in slapd.conf. I have checked with the ldapsearch command and now my ldap doesn't allow anonymous bind. But I now have a problem using cyrus as it is also based on LDAP authentication. I can't log in to cyrus with a correct userid and passwd, but if I disable the disallow bind_anon I can again use cyrus. Could anyone kindly suggest to me how to fix it?
>
> here is my /etc/imapd.conf
> ==
>     configdirectory: /var/lib/imap
>     partition-default: /var/spool/imap
>     sievedir: /var/lib/sieve
>     admins: cyrus
>     allowplaintext: yes
>     sasl_mech_list: LOGIN PLAIN
>     allowanonymouslogin: no
>     autocreatequota: 1
>     reject8bit: no
>     quotawarn: 90
>     timeout: 30
>     poptimeout: 10
>     dracinterval: 0
>     drachost: localhost
>     sasl_pwcheck_method: saslauthd
>     servername: linux.kolkatainfoservices.in
>     lmtp_overquota_perm_failure: no
>     lmtp_downcase_rcpt: yes
>     unixhierarchysep: yes
>     loginrealms: kolkatainfoservices.in
>     hashimapspool: true
>     lmtpsocket: /var/lib/imap/socket/lmtp
> ==
Re: disallow bind_anon creates problem in cyrus
Hi,

hmm, let me guess - you are running saslauthd with -a PAM?! Try running it

    /usr/sbin/saslauthd -a ldap

no need (with a more or less up-to-date version of saslauthd) to do it via PAM - use LDAP directly. Less layers, less potential problems.

What log entry and result do you get by executing:

    ldapsearch -x -b ou=Users,dc=kolkatainfoservices,dc=in -D cn=Manager,dc=kolkatainfoservices,dc=in -w secret uid=aftab

Best regards
Roland

JOYDEEP wrote:
> Roland Felnhofer wrote:
>> Hi,
>>
>> that should give you a hint:
>>
>> saslauthd.conf
>>
>>     ldap_servers: ldap://127.0.0.1
>>     ldap_search_base: ou=people,dc=example,dc=com
>>     ldap_bind_dn: cn=proxyagent,ou=special_users,dc=example,dc=com
>>     ldap_password: password
>>     ldap_scope: one
>>     ldap_uidattr: uid
>>     ldap_filter_mode: yes
>>     ldap_filter: uid=%u
>>
>> The first 4 (ldap_servers, ldap_search_base, ldap_bind_dn, ldap_password) should be sufficient.
>
> Dear Roland,
>
> thanks for your response. I already have the following entries in my saslauthd.conf -
>
>     ldap_servers: ldap://localhost:389
>     ldap_bind_dn: cn=Manager,dc=kolkatainfoservices,dc=in
>     ldap_bind_pw: secret
>     ldap_search_base: ou=Users,dc=kolkatainfoservices,dc=in
>     ldap_version: 3
>     ldap_filter: uid=%U
>     ldap_default_domain: kolkatainfoservices.in
>
> But having a problem with *disallow bind_anon*. I have also checked the settings you have suggested like ldap_scope: one, ldap_uidattr: uid, ldap_filter_mode: yes, but no success yet.
>
> Executing cyradm with a valid user (in LDAP) and password reports:
>
>     Mar 20 14:52:06 linux slapd[20480]: conn=1 fd=13 ACCEPT from IP=127.0.0.1:34512 (IP=0.0.0.0:389)
>     Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 BIND dn= method=128
>     Mar 20 14:52:06 linux slapd[20480]: conn=1 op=0 RESULT tag=97 err=0 text=
>     Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SRCH base=ou=Users,dc=kolkatainfoservices,dc=in scope=2 deref=0 filter=(uid=aftab)
>     Mar 20 14:52:06 linux slapd[20480]: = bdb_equality_candidates: (uid) index_param failed (18)
>     Mar 20 14:52:06 linux slapd[20480]: conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
>     Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 BIND dn=uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in method=128
>     Mar 20 14:52:06 linux saslauthd[19448]: pam_ldap: error trying to bind as user uid=aftab,ou=Users,dc=kolkatainfoservices,dc=in (Invalid credentials)
>     Mar 20 14:52:06 linux slapd[20480]: conn=1 op=2 RESULT tag=97 err=49 text=
>     Mar 20 14:52:06 linux slapd[20480]: conn=1 op=3 BIND dn= method=128
>     Mar 20 14:52:06 linux saslauthd[19448]: do_auth : auth failure: [user=aftab] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
>     Mar 20 14:52:06 linux imap[20519]: badlogin: linux.kolkatainfoservices.in [127.0.0.1] plaintext aftab SASL(-13): authentication failure: checkpass failed
>
> Could you kindly help me to fix the problem, as my system has a security risk until I stop the anonymous user login.
>
> thanks
>
>> Best regards
>> Roland
>>
>> JOYDEEP wrote:
>>> Dear list,
>>>
>>> to secure my ldap server I have added the line disallow bind_anon in slapd.conf. I have checked with the ldapsearch command and now my ldap doesn't allow anonymous bind. But I now have a problem using cyrus as it is also based on LDAP authentication. I can't log in to cyrus with a correct userid and passwd, but if I disable the disallow bind_anon I can again use cyrus. Could anyone kindly suggest to me how to fix it?
>>>
>>> here is my /etc/imapd.conf
>>> ==
>>>     configdirectory: /var/lib/imap
>>>     partition-default: /var/spool/imap
>>>     sievedir: /var/lib/sieve
>>>     admins: cyrus
>>>     allowplaintext: yes
>>>     sasl_mech_list: LOGIN PLAIN
>>>     allowanonymouslogin: no
>>>     autocreatequota: 1
>>>     reject8bit: no
>>>     quotawarn: 90
>>>     timeout: 30
>>>     poptimeout: 10
>>>     dracinterval: 0
>>>     drachost: localhost
>>>     sasl_pwcheck_method: saslauthd
>>>     servername: linux.kolkatainfoservices.in
>>>     lmtp_overquota_perm_failure: no
>>>     lmtp_downcase_rcpt: yes
>>>     unixhierarchysep: yes
>>>     loginrealms: kolkatainfoservices.in
>>>     hashimapspool: true
>>>     lmtpsocket: /var/lib/imap/socket/lmtp
>>> ==
Re: GUI to administrate cyrus
Hi,

check Websieve: http://sourceforge.net/projects/websieve

Best regards
Roland

JOYDEEP wrote:
> Dear list,
>
> is there any GUI tool to administrate existing cyrus users in my linux box?
>
> thanks.
Re: Questions... need Sieve primer
How did you create your imap/cyrus accounts - what is your authentication source? sasldb2, passwd, ldap (which I prefer)???

Best regards
Roland

Jason Bailey, Sun Advocate Webmaster wrote:
> Malcolm Locke wrote:
>> On Wed, Mar 14, 2007 at 05:34:52PM -0600, Jason Bailey, Sun Advocate Webmaster wrote:
>>> Roland Felnhofer wrote:
>>>> Hi Jason,
>>>>
>>>> is that what you want?
>>>>
>>>>     # Mail rules to file Junk
>>>>     require ["fileinto"];
>>>>     if allof (header :contains "X-Spam-Flag" "YES") {
>>>>         fileinto "INBOX.Junk";
>>>>     }
>>>>
>>>> Best regards
>>>> Roland
>>>>
>>>> Jason Bailey, Sun Advocate Webmaster wrote:
>>>>> Hello all,
>>>>>
>>>>> I am familiar with what Sieve does, but have never used it. We now have a need, and I'm struggling to find info on sieve, particularly relating to Cyrus. I want a sieve script that moves all mail marked as junk by spam assassin (x-spam-flag) into the Junk folder (for only one of 4 domains we host). Is this possible, and if so, is there a good place to look for help? I know my Cyrus has sieve support and the directories are defined, but I don't know how to enable or install the script, and I have a few questions on sieve scripting in general. Suggestions?
>>>
>>> I think so, except I need it to only apply to one mail domain. In other words, if the recipient is part of domain.com1, and X-Spam-Flag is set to YES, move it into the junk - otherwise do nothing. The reasoning is that the other domains we host are entirely POP3 based, and mail moved into junk folders on the server could be detrimental to their work flow.
>>
>> Sieve is applied per mailbox, not across the whole server. To upload and enable the sieve script 'mysieve' for mailbox 'joebloggs':
>>
>>     $ sieveshell -a joebloggs -u joebloggs cyrusserver
>>     # Enter joebloggs IMAP / POP password
>>     put mysieve
>>     activate mysieve
>>     list
>>     mysieve  <- active script
>>
>> You will have to tune the contents of 'mysieve' to your needs; if you google 'spamassassin sieve' you should find plenty of examples.
>>
>> Malc
>>
>>> I have been doing some reading in the mean time, and discovered sieveshell. Unfortunately, it doesn't allow me to login.
>>>
>>>     unable to connect to server at /usr/bin/sieveshell line 174, <STDIN> line 1.
>>>
>>> I checked the logs and it says:
>>>
>>>     Mar 14 17:08:16 fs2 sieve[2714]: executed
>>>     Mar 14 17:08:16 fs2 sieve[2714]: accepted connection
>>>     Mar 14 17:08:19 fs2 sieve[2714]: no secret in database
>>>     Mar 14 17:08:19 fs2 sieve[2714]: badlogin: localhost[127.0.0.1] CRAM-MD5 authentication failure
>>>     Mar 14 17:08:22 fs2 sieve[2714]: badlogin: localhost[127.0.0.1] LOGIN authentication failure
>>>
>>> Cyrus is set up to use /etc/sasldb2 for authentication. This is where I'm the most incapable when it comes to Cyrus. I'm lucky I even got the software to do what it does now. In my imapd.conf, I have:
>>>
>>>     configdirectory: /var/lib/imap
>>>     partition-default: /var/spool/imap
>>>     sievedir: /var/lib/sieve
>>>     admins: cyrus
>>>     allowanonymouslogin: no
>>>     reject8bit: no
>>>     quotawarn: 90
>>>     timeout: 30
>>>     poptimeout: 10
>>>     dracinterval: 0
>>>     drachost: localhost
>>>     #sasl_pwcheck_method: saslauthd
>>>     lmtp_overquota_perm_failure: no
>>>     lmtp_downcase_rcpt: yes
>>>     virtdomains: userid
>>>     loginrealms: domain1.com domain2.com domain3.com
>>>     autocreatequota: 102400
>>>     quotawarnkb: 5120
>>>     unixhierarchysep: yes
>>>     altnamespace: yes
>>>     allowplaintext: yes
>>>     sasl_pwcheck_method: auxprop
>>>     sasl_mech_list: PLAIN LOGIN CRAM-MD5
>>>
>>> saslauthd is set up to use pam and is running (the default config for the rpm). I have /etc/pam.d/imap and /etc/pam.d/sieve. But given I am using /etc/sasldb2, shouldn't it look there before defaulting to saslauthd in the first place?
>>>
>>> I am running SLES 10 on x86_64 (EM64T)
>>>
>>> Jason Bailey, Web/IT Administrator
>>> Sun Advocate / Emery County Progress
>>> [EMAIL PROTECTED] / [EMAIL PROTECTED]
>>> (435) 637-0732 (ext 31)
>
> Okay... sieve is per mailbox. That actually works out to my benefit. So how do I get sieveshell to let me login? The authentication aspects of Cyrus are my weakest spot... I don't know what I'm doing. All I know is that it won't let me login. Documentation is spotty at best. What now? The imaptest works; logins directly through cyrus (or cyradm, for that matter) work fine. But sieveshell doesn't. Ideas?
Re: Questions... need Sieve primer

Hi Jason, is that what you want?

    # Mail rules to file Junk
    require ["fileinto"];
    if allof (header :contains "X-Spam-Flag" "YES") {
        fileinto "INBOX.Junk";
    }

Best regards
Roland

Jason Bailey, Sun Advocate Webmaster wrote:

> Hello all, I am familiar with what Sieve does, but have never used it. We now have a need, and I'm struggling to find info on sieve, particularly relating to Cyrus. I want a sieve script that moves all mail marked as junk by spam assassin (x-spam-flag) into the Junk folder (for only one of 4 domains we host). Is this possible, and if so, is there a good place to look for help? I know my Cyrus has sieve support and the directories are defined, but I don't know how to enable or install the script, and I have a few questions on sieve scripting in general. Suggestions?
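A domain-restricted variant of Roland's rule, written for the one-domain requirement Jason raises in the thread above and added here as an example; it is not a script from the thread. The domain name domain1.com is a stand-in taken from Jason's loginrealms line, and the folder name INBOX.Junk follows Roland's script (with altnamespace: yes the folder may have to be written as "Junk" instead).

```sieve
# Added example (not from the thread): file SpamAssassin-flagged mail into
# the Junk folder only when the message was addressed to domain1.com.
# domain1.com is a stand-in from Jason's loginrealms line; the folder name
# INBOX.Junk follows Roland's rule (with altnamespace: yes it may be "Junk").
require ["fileinto"];

# allof is a logical AND: every test inside must match for the block to run.
if allof (
    # Recipient check on the To/Cc headers. :domain compares only the part
    # after the "@", and :is with the default comparator is case-insensitive.
    address :domain :is ["to", "cc"] "domain1.com",
    # SpamAssassin sets "X-Spam-Flag: YES" on mail it classified as spam.
    header :is "X-Spam-Flag" "YES"
) {
    fileinto "INBOX.Junk";
    stop;
}
# Anything else keeps the implicit "keep" action and lands in INBOX,
# which is the "otherwise do nothing" behaviour Jason asked for.
```

Because Cyrus applies a script per mailbox, as Malcolm notes, the address test only matters for mail that reached this mailbox addressed to some other domain; installing the script only for domain1.com users is what actually limits the rule to that domain.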
RE: Cyrus + LDAP = death by 13
Dear all,

Distro: Linux From Scratch 6.1.1 + Beyond Linux From Scratch 6.1 + different packages from source (not in BLFS)
HW: 2 CPU Pentium III (Katmai)
saslauthd 2.1.22 (/usr/sbin/saslauthd -a ldap)
cyrus-imapd 2.3.7 (tested 2.2.12 as well)
OpenLDAP 2.3.34 (tested 2.2.24 as well)
NSS 2.3.4 (=Glibc 2.3.4)
NOT working with nss_ldap 246 to nss_ldap 255

Best regards
Roland

> Distro FC6 for x64, OpenLDAP 2.3.27/SASL 2.1.22/Cyrus IMAP 2.3.7/NSS 3.11.5-0.6.1
> All standard Redhat RPMs.
>
> -----Original Message-----
> From: Konstantin V. Gavrilenko [mailto:[EMAIL PROTECTED]]
> Sent: 11 March 2007 22:15
> To: [EMAIL PROTECTED]
> Cc: info-cyrus@lists.andrew.cmu.edu
> Subject: Re: Cyrus + LDAP = death by 13
>
> > Some more nss_ldap testing results.
> >
> >     nss_ldap-255   NOT working
> >     nss_ldap-254   NOT working
> >     nss_ldap-253   NOT working
> >     nss_ldap-252   NOT working
> >     nss_ldap-251   NOT working
> >     nss_ldap-250   NOT working
> >     nss_ldap-249   NOT working
> >     nss_ldap-248   NOT working
> >     nss_ldap-247   - not tested -
> >     nss_ldap-246   NOT working (SuSE source RPM)
> >     nss_ldap-245   !! could not find source !!
> >     nss_ldap-244   WORKING
> >     nss_ldap-243   - not tested -
> >     nss_ldap-242   - not tested -
> >     nss_ldap-241   - not tested -
> >     nss_ldap-240   WORKING
> >
> > Guus, can you say what distro you are using and what architecture you've compiled it for? Since I have no problem on amd64, but on x86 it exists.
> >
> > yours,
> > kos
> >
> > Respectfully,
> > Konstantin V. Gavrilenko
> > Managing Director
> > Arhont Ltd - Information Security
> > web: http://www.arhont.com http://www.wi-foo.com
> > e-mail: [EMAIL PROTECTED]
> > tel: +44 (0) 870 44 31337
> > fax: +44 (0) 117 969 0141
> > PGP: Key ID - 0xE81824F4
> > PGP: Server - keyserver.pgp.com
> >
> > Guus Leeuw jr. wrote:
> >
> > > Chaps,
> > >
> > > nss_ldap-253 WORKING (As in I never saw the problem you described earlier)
> > >
> > > Guus
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:info-cyrus-[EMAIL PROTECTED]] On Behalf Of Konstantin V. Gavrilenko
> > > Sent: 06 March 2007 23:42
> > > To: info-cyrus@lists.andrew.cmu.edu
> > > Cc: [EMAIL PROTECTED]
> > > Subject: Re: Cyrus + LDAP = death by 13
> > >
> > > > Hi list,
> > > >
> > > > Been in contact with Roland Felnhofer, who also experiences the same problem. He narrowed it down to the version of nss_ldap in use. Here is the list of different versions of nss_ldap and how it affects the cyrus operations.
> > > >
> > > >     nss_ldap-248   NOT working
> > > >     nss_ldap-247   - not tested -
> > > >     nss_ldap-246   NOT working (SuSE source RPM)
> > > >     nss_ldap-245   !! could not find source !!
> > > >     nss_ldap-244   WORKING
> > > >     nss_ldap-243   - not tested -
> > > >     nss_ldap-242   - not tested -
> > > >     nss_ldap-241   - not tested -
> > > >     nss_ldap-240   WORKING
> > > >
> > > > Maybe it will be helpful to someone.
> > > >
> > > > Respectfully,
> > > > Konstantin V. Gavrilenko
> > > >
> > > > Konstantin V. Gavrilenko wrote:
> > > >
> > > > > Hi list,
> > > > >
> > > > > I have a problem with my cyrus server that I managed to track to the presence of the LDAP on the system. The user and group information is obtained from the LDAP server. When this functionality is enabled, when I start cyrus I get the following error:
> > > > >
> > > > >     Feb 12 14:58:12 pingo master[22999]: about to exec /usr/lib/cyrus/idled
> > > > >     Feb 12 14:58:12 pingo master[22963]: ready for work
> > > > >     Feb 12 14:58:12 pingo master[22963]: process 23054 exited, signaled to death by 13
> > > > >     Feb 12 14:58:12 pingo master[22963]: process 23055 exited, signaled to death by 13
> > > > >     Feb 12 14:58:12 pingo master[22963]: process 23056 exited, signaled to death by 13
> > > > >     Feb 12 14:58:14 pingo master[22963]: process 23057 exited, signaled to death by 13
> > > > >     Feb 12 14:58:14 pingo master[22963]: service imaps pid 23057 in READY
> > > > >
> > > > > If I change the nsswitch.conf to obtain the group information from files, cyrus starts up fine.
> > > > >
> > > > >     passwd: files ldap
> > > > >     #group: files ldap
> > > > >     group: files
> > > > >
> > > > > When I shut down ldap server, leave the nsswitch.conf to obtain the info from files ldap and start cyrus, I get the following error for some time, and then cyrus starts up normally.
> > > > >
> > > > >     Feb 12 15:13:07 pingo master[32551]: retrying with 1024 (current max)
> > > > >     Feb 12 15:13:07 pingo master[32551]: process started
> > > > >     Feb 12 15:13:07 pingo master[32554]: nss_ldap: failed to bind to LDAP server ldaps://localhost/: Can't contact LDAP server
> > > > >     Feb 12 15:13:07 pingo master[32554]: nss_ldap: failed to bind to LDAP server ldaps://localhost/: Can't contact LDAP server
> > > > >     Feb 12 15:13:07 pingo master[32554]: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
> > > > >     Feb 12 15:13:08 pingo master[32554]: nss_ldap: failed to bind to LDAP server ldaps://localhost/: Can't contact LDAP server
> > > > >     Feb 12 15:13:08 pingo master[32554
Re: Cyrus + LDAP = death by 13
Hi Kos,

maybe I found the underlying problem!!!

    # Connection policy:
    # persist: DSA connections are kept open (default)
    # oneshot: DSA connections destroyed after request
    +nss_connect_policy oneshot
    -#nss_connect_policy persist

I set 'nss_connect_policy' to oneshot and Cyrus IMAP starts without problems (so far - I'll run further tests)!!!

I saw in the ldap.log that if I did a 'ls -all' over a directory the ldap chat terminated (successfully - but nonetheless) with the following lines:

    Mar 12 13:34:50 roka2 slapd[2942]: conn=449 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
    Mar 12 13:34:50 roka2 slapd[2942]: conn=449 fd=42 closed (connection lost)

I changed to and the chat ended with the following lines:

    Mar 12 13:52:50 roka2 slapd[2942]: conn=511 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
    Mar 12 13:52:50 roka2 slapd[2942]: conn=511 op=2 UNBIND
    Mar 12 13:52:50 roka2 slapd[2942]: conn=511 fd=42 closed

Whereas when I did a ldapsearch uid=whateveraccount it terminated with the following lines:

    Mar 12 13:55:53 roka2 slapd[2942]: conn=521 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
    Mar 12 13:55:53 roka2 slapd[2942]: conn=521 op=2 UNBIND
    Mar 12 13:55:53 roka2 slapd[2942]: conn=521 fd=44 closed

I was irritated by 'closed (connection lost)'. 'Connection lost' does not look like a clean termination of a communication.

Best regards
Roland

> Some more nss_ldap testing results.
>
>     nss_ldap-255   NOT working
>     nss_ldap-254   NOT working
>     nss_ldap-253   NOT working
>     nss_ldap-252   NOT working
>     nss_ldap-251   NOT working
>     nss_ldap-250   NOT working
>     nss_ldap-249   NOT working
>     nss_ldap-248   NOT working
>     nss_ldap-247   - not tested -
>     nss_ldap-246   NOT working (SuSE source RPM)
>     nss_ldap-245   !! could not find source !!
>     nss_ldap-244   WORKING
>     nss_ldap-243   - not tested -
>     nss_ldap-242   - not tested -
>     nss_ldap-241   - not tested -
>     nss_ldap-240   WORKING
>
> Guus, can you say what distro you are using and what architecture you've compiled it for? Since I have no problem on amd64, but on x86 it exists.
>
> yours,
> kos
>
> Respectfully,
> Konstantin V. Gavrilenko
>
> Guus Leeuw jr. wrote:
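Review bot: in the ldap.conf fragment in Roland's message above, the `-#nss_connect_policy persist` line removes only a comment, so the hunk's sole effective change is `+nss_connect_policy oneshot`; since the header comment states that persist is the default, the policy was already persist before this edit, and keeping the commented-out default line next to the new `oneshot` line would record for the next reader which behaviour the change moved away from.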