Re: how to enable TLS encryption only?
JOYDEEP wrote:
Now I want to restrict cyrus so that it only allows TLS encryption and nothing else. Any suggestion?

allowplaintext: no

If you use non-plain authentication mechanisms, you need to adjust the sasl_minimum_layer option also. Could you read even the slightest bit of documentation before asking on the list, please?

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
TLS/SSL failures
Good morning

Our cyrus is occasionally logging the following errors:
---8---
Mar 26 19:11:06 server cyrus/imapsext[1]: imaps TLS negotiation failed: [client.ip.address]
Mar 26 19:11:06 server cyrus/imapsext[1]: Fatal error: tls_start_servertls() failed
---8---
I had ignored these errors until the day before yesterday, when something happened. The SSL-wrapped imap service stopped responding and only logged those 2 lines for (every?) connection attempt. Restarting cyrus fixed the problem. There is a chance that this was caused by a too low maxchild setting in /etc/cyrus.conf, but I'm not sure. It doesn't seem intuitive that cyrus logs TLS errors when maxchild is reached, though.

Here is imapd.conf:
---8---
configdirectory: /var/lib/cyrus
defaultpartition: default
partition-default: /var/spool/cyrus/mail
servername: server.name.domain
duplicate_db: skiplist
tlscache_db: skiplist
annotation_db: skiplist
mboxlist_db: skiplist
ptscache_db: skiplist
quota_db: quotalegacy
seenstate_db: skiplist
subscription_db: flat
imapidresponse: no
altnamespace: no
unixhierarchysep: no
lmtp_downcase_rcpt: yes
allowanonymouslogin: no
popminpoll: 1
autocreatequota: 0
umask: 077
sieveusehomedir: false
sievedir: /var/spool/sieve
hashimapspool: true
allowplaintext: no
sasl_mech_list: PLAIN
sasl_pwcheck_method: saslauthd
sasl_auto_transition: no
tls_cert_file: /etc/ssl/certs/server.pem
tls_key_file: /etc/ssl/private/server.key
tls_ca_file: /etc/ssl/certs/server-cacert.pem
tls_session_timeout: 1440
tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
lmtpsocket: /var/spool/postfix/extern/cyrus/lmtp
idlemethod: poll
idlesocket: /var/run/cyrus/socket/idle
notifysocket: /var/run/cyrus/socket/notify
syslog_prefix: cyrus
---8---
And cyrus.conf
---8---
START {
  recover cmd=/usr/sbin/ctl_cyrusdb -r
  delprune cmd=/usr/sbin/cyr_expire -E 3
  tlsprune cmd=/usr/sbin/tls_prune
}
SERVICES {
  imapext cmd=imapd -U 30 listen=ip.address:imap prefork=0 maxchild=500
  imapsext cmd=imapd -s -U 30 listen=ip.address:imaps prefork=0 maxchild=500
  imaplocal cmd=imapd -U 30 -C /etc/imapd.conf.localhost listen=127.0.0.1:imap prefork=0 maxchild=500
  imapslocal cmd=imapd -s -U 30 -C /etc/imapd.conf.localhost listen=127.0.0.1:imaps prefork=0 maxchild=100
  lmtpunix cmd=lmtpd listen=/var/spool/postfix/extern/cyrus/lmtp prefork=1 maxchild=20
  sieve cmd=timsieved -C /etc/imapd.conf.localhost listen=localhost:sieve prefork=0 maxchild=100
  notify cmd=notifyd listen=/var/run/cyrus/socket/notify proto=udp prefork=1
}
EVENTS {
  checkpoint cmd=/usr/sbin/ctl_cyrusdb -c period=30
  delprune cmd=/usr/sbin/cyr_expire -E 3 at=0401
  tlsprune cmd=/usr/sbin/tls_prune at=0401
  squatter_1 cmd=/usr/bin/nice -n 19 /usr/sbin/squatter -s period=120
  squatter_a cmd=/usr/sbin/squatter at=0517
}
---8---
Cyrus version:
name : Cyrus IMAPD
version: v2.2.13-Debian-2.2.13-10 2006/11/13 16:17:53
vendor : Project Cyrus
support-url: http://asg.web.cmu.edu/cyrus
os : Linux
os-version : 2.6.18-3-686-bigmem
environment: Built w/Cyrus SASL 2.1.22
Running w/Cyrus SASL 2.1.22
Built w/Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)
Running w/Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)
Built w/OpenSSL 0.9.8c 05 Sep 2006
Running w/OpenSSL 0.9.8c 05 Sep 2006
CMU Sieve 2.2
TCP Wrappers
NET-SNMP
mmap = shared
lock = fcntl
nonblock = fcntl
idle = poll

Thank you for help :)
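An added example, not code from the list post or from Cyrus: a small Python checker for syslog lines in the shape quoted above. It separates one client that keeps failing its handshake (a client-side problem) from several distinct clients failing within seconds, which is the wedged-service case the poster saw and the one worth alerting on. The log sample, the IP addresses, the assumed year and the thresholds are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog sample in the shape the post quotes (not real traffic).
# The two pairs on Mar 26 mimic one client failing twice; the burst on Mar 28
# mimics the wedged imaps service that logged the pair for every connection.
SAMPLE_LOG = """\
Mar 26 19:11:06 server cyrus/imapsext[1]: imaps TLS negotiation failed: [198.51.100.7]
Mar 26 19:11:06 server cyrus/imapsext[1]: Fatal error: tls_start_servertls() failed
Mar 26 19:40:12 server cyrus/imapsext[1]: imaps TLS negotiation failed: [198.51.100.7]
Mar 26 19:40:12 server cyrus/imapsext[1]: Fatal error: tls_start_servertls() failed
Mar 28 08:00:01 server cyrus/imapsext[1]: imaps TLS negotiation failed: [203.0.113.10]
Mar 28 08:00:01 server cyrus/imapsext[1]: Fatal error: tls_start_servertls() failed
Mar 28 08:00:03 server cyrus/imapsext[1]: imaps TLS negotiation failed: [203.0.113.11]
Mar 28 08:00:03 server cyrus/imapsext[1]: Fatal error: tls_start_servertls() failed
Mar 28 08:00:04 server cyrus/imapsext[1]: imaps TLS negotiation failed: [203.0.113.12]
Mar 28 08:00:04 server cyrus/imapsext[1]: Fatal error: tls_start_servertls() failed
Mar 28 08:00:09 server cyrus/imapsext[1]: imaps TLS negotiation failed: [203.0.113.13]
Mar 28 08:00:09 server cyrus/imapsext[1]: Fatal error: tls_start_servertls() failed
"""

# Matches the "TLS negotiation failed" line; the paired "Fatal error" line adds nothing.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ cyrus/(?P<service>[\w-]+)\[\d+\]: "
    r"\w+ TLS negotiation failed: \[(?P<client>[^\]]+)\]$"
)

def parse_failures(text, year=2007):
    """Return [(timestamp, service, client)] for each TLS negotiation failure."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog omits the year; one is assumed so timestamps can be compared
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["service"], m["client"]))
    return out

def find_bursts(failures, window_s=60, min_failures=3, min_clients=2):
    """Return {service: (first_ts, count, clients)} where failures from several
    distinct clients cluster inside one window. One client failing repeatedly is a
    client-side problem; many distinct clients failing within seconds means the
    service itself is refusing every handshake and needs a restart or a closer look."""
    by_service = defaultdict(list)
    for ts, svc, client in failures:
        by_service[svc].append((ts, client))
    alerts = {}
    for svc, events in by_service.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hits = [c for t, c in events[i:] if (t - start).total_seconds() <= window_s]
            if len(hits) >= min_failures and len(set(hits)) >= min_clients:
                alerts[svc] = (start, len(hits), sorted(set(hits)))
                break
    return alerts

if __name__ == "__main__":
    for svc, (start, n, clients) in find_bursts(parse_failures(SAMPLE_LOG)).items():
        print(f"{svc}: {n} TLS failures from {len(clients)} clients since {start:%b %d %H:%M:%S}")
```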
Skiplist feedback (was: BerkeleyDB problems, converting away)
Good morning

I understood that you wanted to hear feedback from users about skiplist. A couple of weeks ago I converted all remaining cyrus databases to skiplist. The conversion went fine and skiplist is working very well. I got rid of berkeleydb errors and I am happy :) I can recommend this to anybody who does not like berkeleydb. I used this simple conversion script
---8---
#!/bin/sh
# Stop at the first failing command so a failed conversion is never copied over the live databases
set -e

/etc/init.d/cyrus2.2 stop
cd /root/cyrus-tietokantakonversio/

# Keep copies of the original Berkeley DB files and environment before touching anything
cp /var/lib/cyrus/deliver.db /root/cyrus-tietokantakonversio/berkeleydb-vanhat
cp /var/lib/cyrus/tls_sessions.db /root/cyrus-tietokantakonversio/berkeleydb-vanhat
cp -r /var/lib/cyrus/db/ /root/cyrus-tietokantakonversio/berkeleydb-vanhat
cp berkeleydb-vanhat/deliver.db ./deliver.db.berkeley
cp berkeleydb-vanhat/tls_sessions.db ./tls_sessions.db.berkeley

# Convert each database from berkeley to skiplist format with the cvt_cyrusdb tool shipped with cyrus
/usr/sbin/cvt_cyrusdb /root/cyrus-tietokantakonversio/deliver.db.berkeley berkeley /root/cyrus-tietokantakonversio/deliver.db.skiplist skiplist
/usr/sbin/cvt_cyrusdb /root/cyrus-tietokantakonversio/tls_sessions.db.berkeley berkeley /root/cyrus-tietokantakonversio/tls_sessions.db.skiplist skiplist

# Install the imapd.conf that selects skiplist, put the converted databases in place,
# drop the old Berkeley DB transaction logs and start cyrus again
cp imapd.conf.skiplist /etc/imapd.conf
cp deliver.db.skiplist /var/lib/cyrus/deliver.db
cp tls_sessions.db.skiplist /var/lib/cyrus/tls_sessions.db
rm -f /var/lib/cyrus/db/log.*
/etc/init.d/cyrus2.2 start
---8---
Cyrus developers, please, change the defaults to skiplist, or anything else than berkeleydb. At least in this use berkeleydb seems to be really crappy, and I personally find stupid defaults very annoying, especially when changing them afterwards might be risky.

Some background info about the server: ~50 users, ~50 GB mail, ~1500 incoming messages/day. So not a very busy one. Decent server hardware.
Re: BerkeleyDB problems, converting away
[EMAIL PROTECTED] wrote:
These are not real errors, see:

Yes they are, look at the numbers :(

I converted the deliver.db and tls_sessions.db databases to skiplist. Conversion took about 3 seconds and everything seems to be working fine. One mysterious thing is this berkeleydb log file that appears every time cyrus is started. Any ideas what causes it or if I should be worried?
/var/lib/cyrus/db/log.01: Berkeley DB (Log, version 8, native byte-order)
There should be no more berkeleydb databases in use, /etc/imapd.conf:
duplicate_db: skiplist
tlscache_db: skiplist
annotation_db: skiplist
mboxlist_db: skiplist
ptscache_db: skiplist
quota_db: quotalegacy
seenstate_db: skiplist
subscription_db: flat
(what is ptscache_db? I didn't convert it because I couldn't find it, just added it to imapd.conf)

Thanks
How to copy shared folders from one cyrus to another?
Hello

I have successfully copied users' mail folders with imapsync. But how can I copy shared folders? The problem seems to be that imapsync always adds INBOX. to the destination folder name, like this:
From [shared.vitsit] Parse 1
To [INBOX.shared.vitsit] Parse 1
Verifying [shared.vitsit] - [INBOX.shared.vitsit]
I have tried lots of different options, like this:
imapsync --host1 source.imap.server --ssl1 --authuser1 cyrus --user1 testi2 --authmech1 PLAIN --passfile1 cyrus-salasana.txt \
  --host2 localhost --ssl2 --authuser2 cyrus --user2 jorma --authmech2 PLAIN --passfile2 cyrus-salasana.txt \
  --syncinternaldates --folder 'shared.vitsit' --prefix1 'INBOX.'
Removing --prefix1 'INBOX.' makes no difference. Or is there another tool which suits here better?

Thank you :)
Re: Cyrus imapd stalling with multiple instances
Ken Murchison wrote:
Entries in cyrus.conf need to have unique names, like 'imapext' and 'imapint' or 'imap1', 'imap2', etc

Thank you, it looks like this has fixed the problem.

This is a good example of a very sad configuration error. My configuration was clearly illegal, and as such, pretty easily recognizable by software. Also it resulted in very annoying and hard to debug behaviour. What I'm trying to say is that in a case like this, cyrus should have complained about the illegal configuration and either refused to start or disabled duplicate entries. Some kind of log entry like "Error: duplicate service name in cyrus.conf line X" or anything.
Cyrus imapd stalling with multiple instances
Hello everyone

I'm trying to accomplish 2 things:
1) prevent plain logins without ssl/tls over the network
2) prevent cyrus admin user(s) from logging in over the network (users are authenticated from ldap and admin(s) from local sasldb)

I have figured out one way to do this. Please tell me if I'm trying to do it incorrectly or in an otherwise not-so-wise way. I have tried to run 2 separate cyrus imapd instances: one for users to connect over the network (which listens on the imap.lanwan.fi service ip address) and another for administrative use which only listens on localhost. Both instances are defined in /etc/cyrus.conf. The platform is debian testing (etch RC1), with cyrus installed from the debian provided package.

The problem is that with this kind of configuration, cyrus occasionally stops responding on one (or both) addresses. Cyrus is running, and the tcp connection is fine, but imapd doesn't respond with the usual imap banner or to any commands at all. After waiting for some while (a minute or five), imapd (usually) responds again. Maybe an example is in order to point out what I mean. Normally when everything works fine, this is what I see:
# telnet imap.lanwan.fi imap
Trying 213.255.190.58...
Connected to imap.lanwan.fi.
Escape character is '^]'.
* OK imap.lanwan.fi Cyrus IMAP4 v2.2.13-Debian-2.2.13-10 server ready
But when problems occur, things look this way (I have deliberately disconnected telnet after waiting a while):
# telnet imap.lanwan.fi imap
Trying 213.255.190.58...
Connected to imap.lanwan.fi.
Escape character is '^]'.
^]
telnet> c
Connection closed.
I have searched mailing lists and google, but not found anything like this. I tried to debug cyrus and here are the results.
The debug log (CYRUS_VERBOSE=1) doesn't reveal anything special:
(here the tcp connection is established)
Jan 9 15:27:37 delta cyrus/master[5616]: set maximum file descriptors to 256/256
Jan 9 15:27:37 delta cyrus/master[5616]: about to exec /usr/lib/cyrus/bin/imapd
Jan 9 15:27:37 delta cyrus/imap[5616]: running external debugger: /usr/bin/strace -tt -o /tmp/strace.cyrus.imapd.5616 -p 5616 - 21
Jan 9 15:27:37 delta cyrus/imap[5616]: debugger returned exit status: 0
Jan 9 15:27:37 delta cyrus/imap[5616]: executed
(here cyrus responds with imap banner)
Jan 9 15:28:35 delta cyrus/master[5578]: process 5593 exited, status 0
Jan 9 15:28:35 delta cyrus/master[5578]: service imap now has 0 ready workers
Jan 9 15:28:35 delta cyrus/imap[5616]: telling master 2
Jan 9 15:28:35 delta cyrus/master[5578]: service imap pid 5616 in READY state: now unavailable and in BUSY state
Jan 9 15:28:35 delta cyrus/master[5578]: service imap now has 0 ready workers
Jan 9 15:28:35 delta cyrus/imap[5616]: accepted connection
Jan 9 15:28:35 delta cyrus/imap[5616]: telling master 3
Jan 9 15:28:35 delta cyrus/master[5578]: service imap pid 5616 in BUSY state: now serving connection
Jan 9 15:28:35 delta cyrus/master[5578]: service imap now has 0 ready workers
Here is also an excerpt from the imapd strace:
15:27:37.130492 stat64(/usr/lib/cyrus/bin/imapd, {st_mode=S_IFREG|0755, st_size=984752, ...}) = 0
15:27:37.130579 open(/var/lib/cyrus/socket/imap-0.lock, O_RDWR|O_CREAT, 0600) = 12
15:27:37.130651 rt_sigaction(SIGALRM, {0x8088300, [], SA_ONESHOT}, NULL, 8) = 0
15:27:37.130698 rt_sigaction(SIGHUP, {0x8088300, [], SA_RESTART|SA_ONESHOT}, NULL, 8) = 0
15:27:37.130746 rt_sigaction(SIGINT, {0x8088300, [], SA_RESTART|SA_ONESHOT}, NULL, 8) = 0
15:27:37.130792 rt_sigaction(SIGQUIT, {0x8088300, [], SA_RESTART|SA_ONESHOT}, NULL, 8) = 0
15:27:37.130839 fcntl64(12, F_SETLKW, {type=F_WRLCK, whence=SEEK_SET, start=0, len=0}
(the previous line is the last one after the tcp connection is established, and below is the same line and some that follow after cyrus responds with the imap banner, so it looks like the imapd process stalls in the fcntl64() syscall?)
15:27:37.130839 fcntl64(12, F_SETLKW, {type=F_WRLCK, whence=SEEK_SET, start=0, len=0}) = 0
15:28:35.286038 stat64(/usr/lib/cyrus/bin/imapd, {st_mode=S_IFREG|0755, st_size=984752, ...}) = 0
15:28:35.286153 accept(4, 0, NULL) = 13
15:28:35.286199 fcntl64(12, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}) = 0
15:28:35.286247 alarm(0) = 0
Here are the complete cyrus configuration files (with debugging turned off and comments stripped):
/etc/cyrus.conf
START {
  recover cmd=/usr/sbin/ctl_cyrusdb -r
  delprune cmd=/usr/sbin/cyr_expire -E 3
  tlsprune cmd=/usr/sbin/tls_prune
}
SERVICES {
  imap cmd=imapd -U 30 listen=213.255.190.58:imap prefork=0 maxchild=100
  imaps cmd=imapd -s -U 30 listen=213.255.190.58:imaps prefork=0 maxchild=100
  imap cmd=imapd -U 30 -C /etc/imapd.conf.localhost listen=127.0.0.1:imap prefork=0 maxchild=100
  lmtpunix cmd=lmtpd listen=/var/spool/postfix/extern/cyrus/lmtp prefork=0 maxchild=20
  sieve cmd=timsieved listen=localhost:sieve prefork=0 maxchild=100
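An added example, not code from the list or from Cyrus, covering both this report and Ken's reply about unique service names: a small Python parser for cyrus.conf that reports SERVICES entries sharing a name, which is the check the poster wished the daemon performed before two 'imap' workers ended up contending for the same per-service lock file (/var/lib/cyrus/socket/imap-0.lock in the strace). The configuration text is constructed from the post's with documentation addresses and the usual quoted cmd= form.

```python
import re
from collections import Counter

# Constructed cyrus.conf modelled on the post's (addresses replaced with a
# documentation range). Both the network and the localhost worker are named
# 'imap', the duplicate that makes them share one lock file named after the service.
SAMPLE_CYRUS_CONF = """\
START {
  recover  cmd="/usr/sbin/ctl_cyrusdb -r"
  delprune cmd="/usr/sbin/cyr_expire -E 3"
  tlsprune cmd="/usr/sbin/tls_prune"
}
SERVICES {
  imap     cmd="imapd -U 30" listen="192.0.2.58:imap" prefork=0 maxchild=100
  imaps    cmd="imapd -s -U 30" listen="192.0.2.58:imaps" prefork=0 maxchild=100
  imap     cmd="imapd -U 30 -C /etc/imapd.conf.localhost" listen="127.0.0.1:imap" prefork=0 maxchild=100
  lmtpunix cmd="lmtpd" listen="/var/spool/postfix/extern/cyrus/lmtp" prefork=0 maxchild=20
  sieve    cmd="timsieved" listen="localhost:sieve" prefork=0 maxchild=100
}
"""

ENTRY_RE = re.compile(r"^(?P<name>[\w-]+)\s+(?P<rest>.*)$")
# key=value where the value is either "quoted text" or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_cyrus_conf(text):
    """Return {section: [(name, {key: value}), ...]}, keeping duplicate names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.endswith("{"):
            current = line[:-1].strip()
            sections.setdefault(current, [])
        elif line == "}":
            current = None
        elif current is not None:
            m = ENTRY_RE.match(line)
            if not m:
                raise ValueError(f"unparseable line in {current}: {raw!r}")
            opts = {k.group(1): k.group(2) if k.group(2) is not None else k.group(3)
                    for k in KV_RE.finditer(m["rest"])}
            sections[current].append((m["name"], opts))
    return sections

def duplicate_services(text):
    """Map each SERVICES name used more than once to the listen= values it was given."""
    entries = parse_cyrus_conf(text).get("SERVICES", [])
    counts = Counter(name for name, _ in entries)
    return {name: [opts.get("listen", "-") for n, opts in entries if n == name]
            for name, cnt in counts.items() if cnt > 1}

if __name__ == "__main__":
    for name, listens in duplicate_services(SAMPLE_CYRUS_CONF).items():
        print(f"duplicate service name {name!r}: listens on {', '.join(listens)}")
```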
Restricting admin login
As Cyrus has an imap admin account that is needed to do various administrative things, I think it would be good to have an ability to restrict login to that account on an ip address basis. I have not found such a feature in cyrus, is there not one or am I just blind? An imapd.conf option like
admin_networks: 192.168.0.0/24
Similar options for other admin-like accounts, like lmtp_admins and proxyservers, would also be good I think.
---
Home Page: http://asg.web.cmu.edu/cyrus
Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Weird problem with user folders
[sending this message a third time, let's see if it passes through]

Weird things are happening with my cyrus test installation. It seems that some users can change and create folders as normal, but some can not. I have been unable to determine anything common linking these problematic and non-problematic users. This is hard to explain but I'll try. I have used 2 imap clients: mutt and pine. Let's start with mutt. When a working user logs in and tries to change folder (keys c and ? pressed in mutt), mutt displays the folder list and lets the user choose a folder (INBOX.toinen in this example) without problems. Logs related to this case look like this:
---8---
Jan 23 15:48:25 torakka1 master[20335]: about to exec /v/net/imap.cc.jyu.fi/cyrus/bin/imapd
Jan 23 15:48:25 torakka1 imap[20335]: executed
Jan 23 15:48:25 torakka1 imapd[20335]: accepted connection
Jan 23 15:48:25 torakka1 imapd[20335]: mystore: starting txn 2147483667
Jan 23 15:48:25 torakka1 imapd[20335]: mystore: committing txn 2147483667
Jan 23 15:48:25 torakka1 imapd[20335]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Jan 23 15:48:33 torakka1 imapd[20335]: login: localhost.localdomain[127.0.0.1] tjt plaintext+TLS
Jan 23 15:48:33 torakka1 imapd[20335]: seen_db: user tjt opened /v/net/imap.cc.jyu.fi/var/user/t/tjt.seen
Jan 23 15:48:33 torakka1 imapd[20335]: open: user tjt opened INBOX
Jan 23 15:49:11 torakka1 imapd[20335]: open: user tjt opened INBOX.toinen
---8---
Also creating a new folder in mutt (c,?,C) works fine. Then, using the problematic user account and trying to change folders (c,?) results in mutt opening a new connection and asking login/pass again. This happens 3 times (first after ?, second after choosing the INBOX. tree and third when opening the folder).
---8---
Jan 23 15:53:54 torakka1 master[20345]: about to exec /v/net/imap.cc.jyu.fi/cyrus/bin/imapd
Jan 23 15:53:54 torakka1 imap[20345]: executed
Jan 23 15:53:54 torakka1 imapd[20345]: accepted connection
Jan 23 15:53:54 torakka1 imapd[20345]: mystore: starting txn 2147483679
Jan 23 15:53:54 torakka1 imapd[20345]: mystore: committing txn 2147483679
Jan 23 15:53:54 torakka1 imapd[20345]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Jan 23 15:53:58 torakka1 imapd[20345]: login: localhost.localdomain[127.0.0.1] aapo plaintext+TLS
Jan 23 15:53:58 torakka1 imapd[20345]: seen_db: user aapo opened /v/net/imap.cc.jyu.fi/var/user/a/aapo.seen
Jan 23 15:53:58 torakka1 imapd[20345]: open: user aapo opened INBOX
Jan 23 15:54:02 torakka1 master[20346]: about to exec /v/net/imap.cc.jyu.fi/cyrus/bin/imapd
Jan 23 15:54:02 torakka1 imap[20346]: executed
Jan 23 15:54:02 torakka1 imapd[20346]: accepted connection
Jan 23 15:54:02 torakka1 imapd[20346]: mystore: starting txn 2147483684
Jan 23 15:54:02 torakka1 imapd[20346]: mystore: committing txn 2147483684
Jan 23 15:54:02 torakka1 imapd[20346]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Jan 23 15:54:07 torakka1 imapd[20346]: login: localhost.localdomain[127.0.0.1] aapo plaintext+TLS
Jan 23 15:54:08 torakka1 master[20347]: about to exec /v/net/imap.cc.jyu.fi/cyrus/bin/imapd
Jan 23 15:54:08 torakka1 imap[20347]: executed
Jan 23 15:54:08 torakka1 imapd[20347]: accepted connection
Jan 23 15:54:08 torakka1 imapd[20347]: mystore: starting txn 2147483689
Jan 23 15:54:08 torakka1 imapd[20347]: mystore: committing txn 2147483689
Jan 23 15:54:08 torakka1 imapd[20347]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Jan 23 15:54:13 torakka1 imapd[20347]: login: localhost.localdomain[127.0.0.1] aapo plaintext+TLS
Jan 23 15:54:18 torakka1 master[20348]: about to exec /v/net/imap.cc.jyu.fi/cyrus/bin/imapd
Jan 23 15:54:18 torakka1 imap[20348]: executed
Jan 23 15:54:18 torakka1 imapd[20348]: accepted connection
Jan 23 15:54:18 torakka1 imapd[20348]: mystore: starting txn 2147483694
Jan 23 15:54:18 torakka1 imapd[20348]: mystore: committing txn 2147483694
Jan 23 15:54:18 torakka1 imapd[20348]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Jan 23 15:54:22 torakka1 imapd[20348]: login: localhost.localdomain[127.0.0.1] aapo plaintext+TLS
Jan 23 15:54:22 torakka1 imapd[20348]: seen_db: user aapo opened /v/net/imap.cc.jyu.fi/var/user/a/aapo.seen
Jan 23 15:54:22 torakka1 imapd[20348]: open: user aapo opened INBOX.testi
---8---
The same things happen with pine, it asks for login 3 times. With a working user pine doesn't ask for login more than 1 time. With the problem user mutt refuses to create new folders; pressing C always results in a new connection and nothing else. Pine still creates folders, but asks for login 2 times every time. I have tried to debug this a lot and searched the mailing list, but have found nothing. So please, if someone could tell me what's going wrong, I'd be very happy.

Here is my cyrus imapd.conf:
---8---
postmaster: postmaster
configdirectory: /v/net/imap.cc.jyu.fi/var
partition-default: