Re: how to enable TLS encryption only ?

2007-03-30 Thread Tuomas Toropainen

JOYDEEP wrote:

Now I want to restrict cyrus so that it only allows TLS encryption and
nothing else.
Any suggestion?


allowplaintext:  no

If you use non-plain authentication mechanisms, you need to adjust 
sasl_minimum_layer option also.



Could you read even the slightest bit of documentation before asking on 
the list, please?


Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


TLS/SSL failures

2007-03-28 Thread Tuomas Toropainen

Good morning

Our cyrus is occasionally logging the following errors:

---8---
Mar 26 19:11:06 server cyrus/imapsext[1]: imaps TLS negotiation 
failed: [client.ip.address]


Mar 26 19:11:06 server cyrus/imapsext[1]: Fatal error: 
tls_start_servertls() failed

---8---

I have ignored these errors until the day before yesterday, when 
something happened. The SSL-wrapped imap service stopped responding and only 
logged those 2 lines for (every?) connection attempt. Restarting cyrus 
fixed the problem. There is a chance that this was caused by too low a 
maxchild setting in /etc/cyrus.conf, but I'm not sure. It doesn't seem 
intuitive that cyrus logs TLS errors when maxchild is reached, though.


Here is imapd.conf:

---8---
configdirectory: /var/lib/cyrus
defaultpartition: default
partition-default: /var/spool/cyrus/mail
servername: server.name.domain
duplicate_db: skiplist
tlscache_db: skiplist
annotation_db: skiplist
mboxlist_db: skiplist
ptscache_db: skiplist
quota_db: quotalegacy
seenstate_db: skiplist
subscription_db: flat
imapidresponse: no
altnamespace: no
unixhierarchysep: no
lmtp_downcase_rcpt: yes
allowanonymouslogin: no
popminpoll: 1
autocreatequota: 0
umask: 077
sieveusehomedir: false
sievedir: /var/spool/sieve
hashimapspool: true
allowplaintext: no
sasl_mech_list: PLAIN
sasl_pwcheck_method: saslauthd
sasl_auto_transition: no
tls_cert_file: /etc/ssl/certs/server.pem
tls_key_file: /etc/ssl/private/server.key
tls_ca_file: /etc/ssl/certs/server-cacert.pem
tls_session_timeout: 1440
tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
lmtpsocket: /var/spool/postfix/extern/cyrus/lmtp
idlemethod: poll
idlesocket: /var/run/cyrus/socket/idle
notifysocket: /var/run/cyrus/socket/notify
syslog_prefix: cyrus
---8---

And cyrus.conf

---8---
START {
  recover     cmd="/usr/sbin/ctl_cyrusdb -r"

  delprune    cmd="/usr/sbin/cyr_expire -E 3"
  tlsprune    cmd="/usr/sbin/tls_prune"
}

SERVICES {
  imapext     cmd="imapd -U 30" listen="ip.address:imap" prefork=0 maxchild=500
  imapsext    cmd="imapd -s -U 30" listen="ip.address:imaps" prefork=0 maxchild=500
  imaplocal   cmd="imapd -U 30 -C /etc/imapd.conf.localhost" listen="127.0.0.1:imap" prefork=0 maxchild=500
  imapslocal  cmd="imapd -s -U 30 -C /etc/imapd.conf.localhost" listen="127.0.0.1:imaps" prefork=0 maxchild=100
  lmtpunix    cmd="lmtpd" listen="/var/spool/postfix/extern/cyrus/lmtp" prefork=1 maxchild=20
  sieve       cmd="timsieved -C /etc/imapd.conf.localhost" listen="localhost:sieve" prefork=0 maxchild=100
  notify      cmd="notifyd" listen="/var/run/cyrus/socket/notify" proto=udp prefork=1
}

EVENTS {
  checkpoint  cmd="/usr/sbin/ctl_cyrusdb -c" period=30
  delprune    cmd="/usr/sbin/cyr_expire -E 3" at=0401
  tlsprune    cmd="/usr/sbin/tls_prune" at=0401

  squatter_1  cmd="/usr/bin/nice -n 19 /usr/sbin/squatter -s" period=120

  squatter_a  cmd="/usr/sbin/squatter" at=0517
}
---8---

Cyrus version:

name   : Cyrus IMAPD
version: v2.2.13-Debian-2.2.13-10 2006/11/13 16:17:53
vendor : Project Cyrus
support-url: http://asg.web.cmu.edu/cyrus
os : Linux
os-version : 2.6.18-3-686-bigmem
environment: Built w/Cyrus SASL 2.1.22
 Running w/Cyrus SASL 2.1.22
 Built w/Sleepycat Software: Berkeley DB 4.2.52: (December 
 3, 2003) Running w/Sleepycat Software: Berkeley DB 4.2.52: 
(December  3, 2003)

 Built w/OpenSSL 0.9.8c 05 Sep 2006
 Running w/OpenSSL 0.9.8c 05 Sep 2006
 CMU Sieve 2.2
 TCP Wrappers
 NET-SNMP
 mmap = shared
 lock = fcntl
 nonblock = fcntl
 idle = poll


Thank you for help :)



Skiplist feedback (was: BerkeleyDB problems, converting away)

2007-03-14 Thread Tuomas Toropainen

Good morning

I understood that you wanted to hear feedback from users about skiplist. 
A couple of weeks ago I converted all remaining cyrus databases to 
skiplist. The conversion went fine and skiplist is working very well. I 
got rid of berkeleydb errors and I am happy :) I can recommend this to 
anybody who does not like berkeleydb.


I used this simple conversion script

---8---
#!/bin/sh
# Convert the remaining Cyrus Berkeley DB databases (deliver.db and
# tls_sessions.db) to skiplist: stop Cyrus, back up the old files,
# convert with cvt_cyrusdb, install the new files and config, restart.
set -e

/etc/init.d/cyrus2.2 stop

cd /root/cyrus-tietokantakonversio/

# Back up the original Berkeley DB files and the db environment directory
cp /var/lib/cyrus/deliver.db /root/cyrus-tietokantakonversio/berkeleydb-vanhat
cp /var/lib/cyrus/tls_sessions.db /root/cyrus-tietokantakonversio/berkeleydb-vanhat
cp -r /var/lib/cyrus/db/ /root/cyrus-tietokantakonversio/berkeleydb-vanhat

cp berkeleydb-vanhat/deliver.db ./deliver.db.berkeley
cp berkeleydb-vanhat/tls_sessions.db ./tls_sessions.db.berkeley

# Convert each database from the berkeley backend to the skiplist backend
/usr/sbin/cvt_cyrusdb /root/cyrus-tietokantakonversio/deliver.db.berkeley berkeley \
    /root/cyrus-tietokantakonversio/deliver.db.skiplist skiplist
/usr/sbin/cvt_cyrusdb /root/cyrus-tietokantakonversio/tls_sessions.db.berkeley berkeley \
    /root/cyrus-tietokantakonversio/tls_sessions.db.skiplist skiplist

# Install the imapd.conf that declares the *_db options as skiplist
cp imapd.conf.skiplist /etc/imapd.conf

cp deliver.db.skiplist /var/lib/cyrus/deliver.db
cp tls_sessions.db.skiplist /var/lib/cyrus/tls_sessions.db

# Remove the stale Berkeley DB transaction logs
rm -f /var/lib/cyrus/db/log.*

/etc/init.d/cyrus2.2 start
---8---

Cyrus developers, please, change the defaults to skiplist, or anything 
other than berkeleydb. At least in this use, berkeleydb seems to be really 
crappy, and I personally find stupid defaults very annoying, especially 
when changing them afterwards might be risky.


Some background info about the server: ~50 users, ~50 GB mail, ~1500 
incoming messages/day. So not a very busy one. Decent server hardware.




Re: BerkeleyDB problems, converting away

2007-03-07 Thread Tuomas Toropainen

[EMAIL PROTECTED] wrote:

These are not real errors, see:


Yes they are, look at the numbers :(

I converted deliver.db and tls_sessions.db databases to skiplist. 
Conversion took about 3 seconds and everything seems to be working fine.


One mysterious thing is this berkeleydb log file that appears every time 
cyrus is started. Any ideas what causes it or if I should be worried?


/var/lib/cyrus/db/log.01: Berkeley DB (Log, version 8, native 
byte-order)


There should be no more berkeleydb databases in use, /etc/imapd.conf:

duplicate_db: skiplist
tlscache_db: skiplist
annotation_db: skiplist
mboxlist_db: skiplist
ptscache_db: skiplist
quota_db: quotalegacy
seenstate_db: skiplist
subscription_db: flat

(what is ptscache_db? I didn't convert it because I couldn't find it, 
just added it to imapd.conf)


Thanks



How to copy shared folders from one cyrus to another?

2007-02-09 Thread Tuomas Toropainen

Hello

I have successfully copied users' mail folders with imapsync. But how can 
I copy shared folders? The problem seems to be that imapsync always adds 
INBOX. to the destination folder name, like this:


 From [shared.vitsit] Parse 1 
 To   [INBOX.shared.vitsit] Parse 1 
 Verifying [shared.vitsit] - [INBOX.shared.vitsit] 

I have tried lots of different options, like this:

imapsync --host1 source.imap.server --ssl1 --authuser1 cyrus --user1 testi2 \
  --authmech1 PLAIN --passfile1 cyrus-salasana.txt \
  --host2 localhost --ssl2 --authuser2 cyrus --user2 jorma \
  --authmech2 PLAIN --passfile2 cyrus-salasana.txt \
  --syncinternaldates --folder 'shared.vitsit' --prefix1 'INBOX.'


Removing --prefix1 'INBOX.' makes no difference.

Or is there another tool which suits here better?

Thank you :)



Re: Cyrus imapd stalling with multiple instances

2007-01-10 Thread Tuomas Toropainen

Ken Murchison wrote:
Entries in cyrus.conf need to have unique names, like 'imapext' and 
'imapint' or 'imap1', 'imap2', etc


Thank you, it looks like this has fixed the problem.

This is a good example of a very sad configuration error. My configuration 
was clearly illegal, and as such, pretty easily recognizable by 
software. Also it resulted in very annoying and hard to debug behaviour. 
What I'm trying to say is that in a case like this, cyrus should have 
complained about the illegal configuration and either refused to start or 
disabled the duplicate entries.


Some kind of log entry like "Error: duplicate service name in cyrus.conf 
line X" or anything.
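The duplicate-name check the post asks for, as an added example that is not part of Cyrus or of the thread: a small Python checker that parses the SERVICES block of a cyrus.conf and reports every service name defined more than once, with the line numbers. The sample config is constructed to mirror the posted one (two entries both named imap); the parsing rules (brace-delimited sections, one entry per line as a name followed by key=value options) are assumptions about the file format, not Cyrus's own parser.

```python
import re

# Constructed sample modelled on the cyrus.conf posted in the earlier message:
# the SERVICES block defines "imap" twice, once per listen address.
SAMPLE_CYRUS_CONF = """\
START {
  recover   cmd="/usr/sbin/ctl_cyrusdb -r"
}
SERVICES {
  imap      cmd="imapd -U 30" listen="213.255.190.58:imap" prefork=0 maxchild=100
  imaps     cmd="imapd -s -U 30" listen="213.255.190.58:imaps" prefork=0 maxchild=100
  imap      cmd="imapd -U 30 -C /etc/imapd.conf.localhost" listen="127.0.0.1:imap" prefork=0 maxchild=100
  lmtpunix  cmd="lmtpd" listen="/var/spool/postfix/extern/cyrus/lmtp" prefork=0 maxchild=20
}
EVENTS {
  checkpoint cmd="/usr/sbin/ctl_cyrusdb -c" period=30
}
"""

SECTION_RE = re.compile(r"^\s*([A-Z]+)\s*\{\s*$")        # e.g. "SERVICES {"
ENTRY_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s+(.*)$")    # "<name> key=value ..."


def parse_services(text):
    """Return [(service_name, line_number)] for every entry in the SERVICES block."""
    entries = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if line.strip() == "}":
            section = None
            continue
        if section == "SERVICES":
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m.group(1), lineno))
    return entries


def duplicate_services(text):
    """Map each service name that appears more than once to the lines defining it."""
    seen = {}
    for name, lineno in parse_services(text):
        seen.setdefault(name, []).append(lineno)
    return {name: lines for name, lines in seen.items() if len(lines) > 1}


def report(text, path="cyrus.conf"):
    """Render the errors in the form the post wishes Cyrus itself would log."""
    return [
        f"Error: duplicate service name '{name}' in {path} lines {', '.join(map(str, lines))}"
        for name, lines in sorted(duplicate_services(text).items())
    ]


if __name__ == "__main__":
    for msg in report(SAMPLE_CYRUS_CONF):
        print(msg)
```

Run against the real file with `report(open("/etc/cyrus.conf").read())`; an empty list means every service name is unique.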




Cyrus imapd stalling with multiple instances

2007-01-09 Thread Tuomas Toropainen

Hello everyone

I'm trying to accomplish 2 things:
1) prevent plain logins without ssl/tls over network
2) prevent cyrus admin user(s) from logging in over network
(users are authenticated from ldap and admin(s) from local sasldb)

I have figured out one way to do this. Please tell me if I'm trying to
do it incorrectly or in an otherwise not-so-wise way. I have tried to run 2
separate cyrus imapd instances: one for users to connect over the network
(which listens on the imap.lanwan.fi service ip address) and another for
administrative use which only listens on localhost. Both instances are
defined in /etc/cyrus.conf.

The platform is debian testing (etch RC1), with cyrus installed from
debian provided package.

The problem is that with this kind of configuration, cyrus occasionally
stops responding on one (or both) addresses. Cyrus is running, and the tcp
connection is fine, but imapd doesn't respond with the usual imap banner or
to any commands at all. After waiting for a while (a minute or five),
imapd (usually) responds again. Maybe an example is in order to point
out what I mean.

Normally when everything works fine, this is what I see:

# telnet imap.lanwan.fi imap
Trying 213.255.190.58...
Connected to imap.lanwan.fi.
Escape character is '^]'.
* OK imap.lanwan.fi Cyrus IMAP4 v2.2.13-Debian-2.2.13-10 server ready

But when problems occur, things look this way (I have deliberately
disconnected telnet after waiting a while):

# telnet imap.lanwan.fi imap
Trying 213.255.190.58...
Connected to imap.lanwan.fi.
Escape character is '^]'.
^]
telnet> c
Connection closed.

I have searched mailing lists and google, but not found anything like
this. I tried to debug cyrus and here are the results. The debug log
(CYRUS_VERBOSE=1) doesn't reveal anything special:

(here the tcp connection is established)

Jan  9 15:27:37 delta cyrus/master[5616]: set maximum file descriptors
to 256/256
Jan  9 15:27:37 delta cyrus/master[5616]: about to exec
/usr/lib/cyrus/bin/imapd
Jan  9 15:27:37 delta cyrus/imap[5616]: running external debugger:
/usr/bin/strace -tt -o /tmp/strace.cyrus.imapd.5616 -p 5616 - 21 
Jan  9 15:27:37 delta cyrus/imap[5616]: debugger returned exit status: 0
Jan  9 15:27:37 delta cyrus/imap[5616]: executed

(here cyrus responds with imap banner)

Jan  9 15:28:35 delta cyrus/master[5578]: process 5593 exited, status 0
Jan  9 15:28:35 delta cyrus/master[5578]: service imap now has 0 ready
workers
Jan  9 15:28:35 delta cyrus/imap[5616]: telling master 2
Jan  9 15:28:35 delta cyrus/master[5578]: service imap pid 5616 in READY
state: now unavailable and in BUSY state
Jan  9 15:28:35 delta cyrus/master[5578]: service imap now has 0 ready
workers
Jan  9 15:28:35 delta cyrus/imap[5616]: accepted connection
Jan  9 15:28:35 delta cyrus/imap[5616]: telling master 3
Jan  9 15:28:35 delta cyrus/master[5578]: service imap pid 5616 in BUSY
state: now serving connection
Jan  9 15:28:35 delta cyrus/master[5578]: service imap now has 0 ready
workers

Here is also an excerpt from imapd strace:

15:27:37.130492 stat64(/usr/lib/cyrus/bin/imapd,
{st_mode=S_IFREG|0755, st_size=984752, ...}) = 0
15:27:37.130579 open(/var/lib/cyrus/socket/imap-0.lock,
O_RDWR|O_CREAT, 0600)
= 12
15:27:37.130651 rt_sigaction(SIGALRM, {0x8088300, [], SA_ONESHOT}, NULL,
8) = 0
15:27:37.130698 rt_sigaction(SIGHUP, {0x8088300, [],
SA_RESTART|SA_ONESHOT}, NULL, 8) = 0
15:27:37.130746 rt_sigaction(SIGINT, {0x8088300, [],
SA_RESTART|SA_ONESHOT}, NULL, 8) = 0
15:27:37.130792 rt_sigaction(SIGQUIT, {0x8088300, [],
SA_RESTART|SA_ONESHOT}, NULL, 8) = 0
15:27:37.130839 fcntl64(12, F_SETLKW, {type=F_WRLCK, whence=SEEK_SET,
start=0, len=0}

(the previous line is the last one after the tcp connection is established, and below is
the same line and some that follow after cyrus responds with the imap
banner, so it looks like the imapd process stalls in the fcntl64() syscall?)

15:27:37.130839 fcntl64(12, F_SETLKW, {type=F_WRLCK, whence=SEEK_SET,
start=0, len=0}) = 0
15:28:35.286038 stat64(/usr/lib/cyrus/bin/imapd,
{st_mode=S_IFREG|0755, st_size=984752, ...}) = 0
15:28:35.286153 accept(4, 0, NULL)  = 13
15:28:35.286199 fcntl64(12, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET,
start=0, len=0}) = 0
15:28:35.286247 alarm(0)= 0


Here are complete cyrus configuration files (with debugging turned off
and comments stripped):

/etc/cyrus.conf

START {
  recover     cmd="/usr/sbin/ctl_cyrusdb -r"

  delprune    cmd="/usr/sbin/cyr_expire -E 3"
  tlsprune    cmd="/usr/sbin/tls_prune"
}
SERVICES {
  imap        cmd="imapd -U 30" listen="213.255.190.58:imap" prefork=0 maxchild=100
  imaps       cmd="imapd -s -U 30" listen="213.255.190.58:imaps" prefork=0 maxchild=100
  imap        cmd="imapd -U 30 -C /etc/imapd.conf.localhost" listen="127.0.0.1:imap" prefork=0 maxchild=100
  lmtpunix    cmd="lmtpd" listen="/var/spool/postfix/extern/cyrus/lmtp" prefork=0 maxchild=20
  sieve       cmd="timsieved" listen="localhost:sieve" prefork=0 maxchild=100

Restricting admin login

2004-02-09 Thread Tuomas Toropainen
As Cyrus has an imap admin account that is needed to do various
administrative things, I think it would be good to have an ability to
restrict login to that account on ip address basis. I have not found such
feature in cyrus, is there not one or am I just blind?

imapd.conf option like admin_networks: 192.168.0.0/24

Similar options to other admin-like accounts, like lmtp_admins and
proxyservers would also be good I think.
---
Home Page: http://asg.web.cmu.edu/cyrus
Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Weird problem with user folders

2004-01-26 Thread Tuomas Toropainen
[sending this message third time, let's see if it passes through]

Weird things are happening with my cyrus test installation. It seems that 
some users can change and create folders as normal, but some can not. I 
have been unable to determine anything common linking these problematic 
and non-problematic users.

This is hard to explain but I'll try. I have used 2 imap clients: mutt and
pine. Let's start with mutt.

When a working user logs in and tries to change folder (keys c and ? 
pressed in mutt), mutt displays the folder list and lets the user choose a folder 
(INBOX.toinen in this example) without problems. Logs related to this case 
look like this:

---8---
Jan 23 15:48:25 torakka1 master[20335]: about to exec 
/v/net/imap.cc.jyu.fi/cyrus/bin/imapd
Jan 23 15:48:25 torakka1 imap[20335]: executed
Jan 23 15:48:25 torakka1 imapd[20335]: accepted connection
Jan 23 15:48:25 torakka1 imapd[20335]: mystore: starting txn 2147483667
Jan 23 15:48:25 torakka1 imapd[20335]: mystore: committing txn 2147483667
Jan 23 15:48:25 torakka1 imapd[20335]: starttls: TLSv1 with cipher AES256-SHA (256/256 
bits new) no authentication
Jan 23 15:48:33 torakka1 imapd[20335]: login: localhost.localdomain[127.0.0.1] tjt 
plaintext+TLS
Jan 23 15:48:33 torakka1 imapd[20335]: seen_db: user tjt opened 
/v/net/imap.cc.jyu.fi/var/user/t/tjt.seen
Jan 23 15:48:33 torakka1 imapd[20335]: open: user tjt opened INBOX
Jan 23 15:49:11 torakka1 imapd[20335]: open: user tjt opened INBOX.toinen
---8---

Also creating new folder in mutt (c,?,C) works fine.

Then, using the problematic user account and trying to change folders (c,?)
results in mutt opening a new connection and asking login/pass again. This
happens 3 times (first after ?, second after choosing the INBOX. tree and
third when opening the folder).

---8---
Jan 23 15:53:54 torakka1 master[20345]: about to exec 
/v/net/imap.cc.jyu.fi/cyrus/bin/imapd
Jan 23 15:53:54 torakka1 imap[20345]: executed
Jan 23 15:53:54 torakka1 imapd[20345]: accepted connection
Jan 23 15:53:54 torakka1 imapd[20345]: mystore: starting txn 2147483679
Jan 23 15:53:54 torakka1 imapd[20345]: mystore: committing txn 2147483679
Jan 23 15:53:54 torakka1 imapd[20345]: starttls: TLSv1 with cipher AES256-SHA (256/256 
bits new) no authentication
Jan 23 15:53:58 torakka1 imapd[20345]: login: localhost.localdomain[127.0.0.1] aapo 
plaintext+TLS
Jan 23 15:53:58 torakka1 imapd[20345]: seen_db: user aapo opened 
/v/net/imap.cc.jyu.fi/var/user/a/aapo.seen
Jan 23 15:53:58 torakka1 imapd[20345]: open: user aapo opened INBOX
Jan 23 15:54:02 torakka1 master[20346]: about to exec 
/v/net/imap.cc.jyu.fi/cyrus/bin/imapd
Jan 23 15:54:02 torakka1 imap[20346]: executed
Jan 23 15:54:02 torakka1 imapd[20346]: accepted connection
Jan 23 15:54:02 torakka1 imapd[20346]: mystore: starting txn 2147483684
Jan 23 15:54:02 torakka1 imapd[20346]: mystore: committing txn 2147483684
Jan 23 15:54:02 torakka1 imapd[20346]: starttls: TLSv1 with cipher AES256-SHA (256/256 
bits new) no authentication
Jan 23 15:54:07 torakka1 imapd[20346]: login: localhost.localdomain[127.0.0.1] aapo 
plaintext+TLS
Jan 23 15:54:08 torakka1 master[20347]: about to exec 
/v/net/imap.cc.jyu.fi/cyrus/bin/imapd
Jan 23 15:54:08 torakka1 imap[20347]: executed
Jan 23 15:54:08 torakka1 imapd[20347]: accepted connection
Jan 23 15:54:08 torakka1 imapd[20347]: mystore: starting txn 2147483689
Jan 23 15:54:08 torakka1 imapd[20347]: mystore: committing txn 2147483689
Jan 23 15:54:08 torakka1 imapd[20347]: starttls: TLSv1 with cipher AES256-SHA (256/256 
bits new) no authentication
Jan 23 15:54:13 torakka1 imapd[20347]: login: localhost.localdomain[127.0.0.1] aapo 
plaintext+TLS
Jan 23 15:54:18 torakka1 master[20348]: about to exec 
/v/net/imap.cc.jyu.fi/cyrus/bin/imapd
Jan 23 15:54:18 torakka1 imap[20348]: executed
Jan 23 15:54:18 torakka1 imapd[20348]: accepted connection
Jan 23 15:54:18 torakka1 imapd[20348]: mystore: starting txn 2147483694
Jan 23 15:54:18 torakka1 imapd[20348]: mystore: committing txn 2147483694
Jan 23 15:54:18 torakka1 imapd[20348]: starttls: TLSv1 with cipher AES256-SHA (256/256 
bits new) no authentication
Jan 23 15:54:22 torakka1 imapd[20348]: login: localhost.localdomain[127.0.0.1] aapo 
plaintext+TLS
Jan 23 15:54:22 torakka1 imapd[20348]: seen_db: user aapo opened 
/v/net/imap.cc.jyu.fi/var/user/a/aapo.seen
Jan 23 15:54:22 torakka1 imapd[20348]: open: user aapo opened INBOX.testi
---8---

The same things happen with pine, it asks for login 3 times. With a working user
pine doesn't ask for login more than 1 time.

With the problem user mutt refuses to create new folders; pressing C always results
in a new connection and nothing else. Pine still creates folders, but
asks for login 2 times every time.

I have tried to debug this a lot and searched the mailing list, but have found
nothing. So please, if someone could tell me what's going wrong, I'd be
very happy.

Here is my cyrus imapd.conf:

---8---
postmaster: postmaster
configdirectory: /v/net/imap.cc.jyu.fi/var
partition-default: