Re: [Dovecot] managesieve proxy cyrus
Thank you so much, it's working!! I love when the week begins with such a good Monday.

Stephan Bosch wrote:
> Mathieu Kretchner wrote:
>> Ok thanks for your help,
>>
>> By the way I've another question, we have configured a postfix smtp proxy with a plain text database in order to redirect mail that is coming to the imap proxy to be delivered to the right imap backend. Does the dovecot imap proxy do the local delivery itself to the right backend server?
>
> The IMAP proxy has nothing to do with mail delivery. It merely forwards IMAP connections to the backend.
>
>> Stephan Bosch wrote:
>>> Mathieu Kretchner wrote:
>>>> It seems like the problem comes from dovecot in proxy mode?? (only to connect to a cyrus sieve server, because it's working well with a dovecot sieve server)
>>>
>>> I'll do a few tests in the coming days. Let's see what I can find out.
>>
>> If you want some other network capture or tests I've done let me know, it would be a pleasure to help you!
>
> Ok, this was caused by Dovecot. Fixed:
>
> http://hg.rename-it.nl/dovecot-1.1-managesieve/rev/f575c6b41697
>
> I also added a proper log message in subsequent changes.
>
> Regards,
Re: [Dovecot] managesieve proxy cyrus
Mathieu Kretchner wrote:
> Thank you so much, it's working!!

Yes, but keep in mind that Dovecot may show different SIEVE capabilities during login than Cyrus does. With v1.1 you are still using the cmusieve plugin, so these may match well. With the new Sieve plugin, this will definitely not match and I am not sure how this could be mended.

Regards,

Stephan.
Re: [Dovecot] managesieve proxy cyrus
Mathieu Kretchner wrote:
> Ok thanks for your help,
>
> By the way I've another question, we have configured a postfix smtp proxy with a plain text database in order to redirect mail that is coming to the imap proxy to be delivered to the right imap backend. Does the dovecot imap proxy do the local delivery itself to the right backend server?

The IMAP proxy has nothing to do with mail delivery. It merely forwards IMAP connections to the backend.

> Stephan Bosch wrote:
>> Mathieu Kretchner wrote:
>>> It seems like the problem comes from dovecot in proxy mode?? (only to connect to a cyrus sieve server, because it's working well with a dovecot sieve server)
>>
>> I'll do a few tests in the coming days. Let's see what I can find out.
>
> If you want some other network capture or tests I've done let me know, it would be a pleasure to help you!

Ok, this was caused by Dovecot. Fixed:

http://hg.rename-it.nl/dovecot-1.1-managesieve/rev/f575c6b41697

I also added a proper log message in subsequent changes.

Regards,

--
Stephan Bosch
step...@rename-it.nl
Re: [Dovecot] managesieve proxy cyrus
> Does Squirrelmail try to use STARTTLS? Having full session traffic logs

I don't think Squirrelmail is trying to use STARTTLS. But anyway I've tried to trace the sieve connection protocol, you could find it in the attachment. It's approximately the same data I've posted yesterday, with extra protocol tcp/ip :)

> of when Squirrelmail is logging into Dovecot proxy and when logging into Cyrus proxy would be helpful (ngrep, wireshark, etc). If Squirrelmail uses STARTTLS, this doesn't really work though (but at least the logs will reveal that it is doing STARTTLS). Also if it is doing that, perhaps the issue is SASL PLAIN after all, since Dovecot proxy won't do STARTTLS to the Cyrus.
>
> Also if you set auth_debug=yes, what do you see in Dovecot logs when attempting to log in?

Here is my dovecot log with auth_debug=yes:

Jan 28 09:31:24 myservername dovecot: auth(default): client in: AUTH 3 PLAIN service=managesieve secured lip=127.0.0.1 rip=127.0.0.1 lport=2000 rport=42791 resp=hidden
Jan 28 09:31:24 myservername dovecot: auth-worker(default): sql(imap2,127.0.0.1): query: SELECT NULL AS password, host, destuser, 'Y' as nopassword, 'Y' AS proxy FROM proxy WHERE user = 'imap2'
Jan 28 09:31:24 myservername dovecot: auth(default): client out: OK3 user=imap2 host=138.138.138.138 destuser=imap2 proxy pass=hidden
Jan 28 09:31:24 myservername dovecot: managesieve-login: Disconnected: user=imap2, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Jan 28 09:31:24 myservername dovecot: auth(default): new auth connection: pid=4760
Re: [Dovecot] managesieve proxy cyrus
I've found this in the cyrus log file:

Jan 28 13:19:18 cyrus_server sieve[10793]: login: proxy_dovecot[138.138.138.138] imap2 PLAIN User logged in

When I test with sivtest -a myuser I can connect with the PLAIN mechanism.

If I replay with a telnet cyrus_server 2000 exactly what avelsieve sends to a dovecot server I got this:

telnet cyrus_server sieve
Trying 138.138.138.138...
Connected to cyrus_server.inria.fr (138.138.138.138).
Escape character is '^]'.
IMPLEMENTATION Cyrus timsieved v2.2.12
SASL PLAIN
SIEVE fileinto reject envelope vacation imapflags notify subaddress relational comparator-i;ascii-numeric regex
STARTTLS
OK
AUTHENTICATE PLAIN AGltYXAyAGltYXAy
OK
CAPABILITY
IMPLEMENTATION Cyrus timsieved v2.2.12
SIEVE fileinto reject envelope vacation imapflags notify subaddress relational comparator-i;ascii-numeric regex
OK

It's like avelsieve just stops the connection by itself because once the user is logged in, there is no other command sent! I don't understand why avelsieve tells me: unable to connect to server IMAP. localhost.

I've done some other tests:
- sivtest to a dovecot sieve server: it's working.
- telnet cyrus_server 2000: it's working too
- directly telnet dovecot 2000: it's working too
- telnet dovecot_proxy 2000: it's not working! (complains with NO Authentication failed.)

It seems like the problem comes from dovecot in proxy mode?? (only to connect to a cyrus sieve server, because it's working well with a dovecot sieve server)

Mathieu Kretchner wrote:
>> Does Squirrelmail try to use STARTTLS? Having full session traffic logs
>
> I don't think Squirrelmail is trying to use STARTTLS. But anyway I've tried to trace the sieve connection protocol, you could find it in the attachment. It's approximately the same data I've posted yesterday, with extra protocol tcp/ip :)
>
>> of when Squirrelmail is logging into Dovecot proxy and when logging into Cyrus proxy would be helpful (ngrep, wireshark, etc). If Squirrelmail uses STARTTLS, this doesn't really work though (but at least the logs will reveal that it is doing STARTTLS). Also if it is doing that, perhaps the issue is SASL PLAIN after all, since Dovecot proxy won't do STARTTLS to the Cyrus.
>>
>> Also if you set auth_debug=yes, what do you see in Dovecot logs when attempting to log in?
>
> Here is my dovecot log with auth_debug=yes:
>
> Jan 28 09:31:24 myservername dovecot: auth(default): client in: AUTH 3 PLAIN service=managesieve secured lip=127.0.0.1 rip=127.0.0.1 lport=2000 rport=42791 resp=hidden
> Jan 28 09:31:24 myservername dovecot: auth-worker(default): sql(imap2,127.0.0.1): query: SELECT NULL AS password, host, destuser, 'Y' as nopassword, 'Y' AS proxy FROM proxy WHERE user = 'imap2'
> Jan 28 09:31:24 myservername dovecot: auth(default): client out: OK3 user=imap2 host=138.138.138.138 destuser=imap2 proxy pass=hidden
> Jan 28 09:31:24 myservername dovecot: managesieve-login: Disconnected: user=imap2, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
> Jan 28 09:31:24 myservername dovecot: auth(default): new auth connection: pid=4760
Re: [Dovecot] managesieve proxy cyrus
Ok thanks for your help,

By the way I've another question, we have configured a postfix smtp proxy with a plain text database in order to redirect mail that is coming to the imap proxy to be delivered to the right imap backend. Does the dovecot imap proxy do the local delivery itself to the right backend server?

Stephan Bosch wrote:
> Mathieu Kretchner wrote:
>> It seems like the problem comes from dovecot in proxy mode?? (only to connect to a cyrus sieve server, because it's working well with a dovecot sieve server)
>
> I'll do a few tests in the coming days. Let's see what I can find out.

If you want some other network capture or tests I've done let me know, it would be a pleasure to help you!

Regards,
Re: [Dovecot] managesieve proxy cyrus
Mathieu Kretchner wrote:
> Hello all,
>
> I've configured a dovecot server in proxy mode. It seems to work well but. I've tested managesieve with squirrelmail and it's working correctly but I can't connect to cyrus sieve server: timsieved

First of all, what versions are you using? How is it all configured? Do the Dovecot and Cyrus logs contain anything useful?

> Has anybody here configured a sieve proxy to do this?

Your setup is a bit odd. I haven't tried this ever and doubt anyone else has. The proxying feature is mainly implemented with Dovecot back-ends in mind. In an ideal world this should work however, so there is a possibility that the Dovecot proxy is not working properly.

> Or is it a normal behavior and dovecot sieve proxy can't speak with cyrus sieve?

Theoretically, this setup should be possible. However, the protocol specification is unfortunately not always followed to the letter. Also, Cyrus possibly does not allow you to login with the SASL PLAIN mechanism (the only one supported for proxying now). This seems unlikely though, since the IMAP proxy does work.

Without more information I can only guess what is going on. Could you sniff the communication between Dovecot and Cyrus (e.g. using ngrep)? Perhaps, if it is not too much trouble, I can make it work...

Regards,

Stephan
Re: [Dovecot] managesieve proxy cyrus
On Tue, 2009-01-27 at 18:04 +0100, Mathieu Kretchner wrote:
> I think you're right, I've done some tcpdump and don't see a lot of things but there is some data on the 2000 port of my cyrus server. But I really wonder if the SASL PLAIN mechanism is the key of the problem?
>
> telnet imap-serv sieve
> Trying 138.XX.XX.XX...
> Connected to imap-serv.
> Escape character is '^]'.
> IMPLEMENTATION Cyrus timsieved v2.2.12
> SASL PLAIN
> SIEVE fileinto reject envelope vacation imapflags notify subaddress relational comparator-i;ascii-numeric regex
> STARTTLS
> OK
>
> If I configure my remote squirrelmail to directly access my cyrus server, it works! But as soon as I plug squirrelmail on the proxy it's crashing ...

Does Squirrelmail try to use STARTTLS? Having full session traffic logs of when Squirrelmail is logging into Dovecot proxy and when logging into Cyrus proxy would be helpful (ngrep, wireshark, etc). If Squirrelmail uses STARTTLS, this doesn't really work though (but at least the logs will reveal that it is doing STARTTLS). Also if it is doing that, perhaps the issue is SASL PLAIN after all, since Dovecot proxy won't do STARTTLS to the Cyrus.

Also if you set auth_debug=yes, what do you see in Dovecot logs when attempting to log in?
Re: [Dovecot] managesieve proxy cyrus
I've tried to take some data with tethereal:

The only data I'm able to see between cyrus and dovecot (without protocol noise):

Data (41 bytes)
0000  41 55 54 48 45 4e 54 49 43 41 54 45 20 22 50 4c   AUTHENTICATE "PL
0010  41 49 4e 22 20 22 41 47 6c 74 59 58 41 79 41 47   AIN" "AGltYXAyAG
0020  6c 74 59 58 41 79 22 0d 0a                        ltYXAy"..

Data (22 bytes)
0000  4f 4b 20 22 4c 6f 67 6f 75 74 20 43 6f 6d 70 6c   OK "Logout Compl
0010  65 74 65 22 0d 0a                                 ete"..

As you told me, the problem seems to be at authentication time. Whereas I've found this in my imapd.conf of the cyrus server:

# for sieveshell
sasl_mech_list: PLAIN

And in order to have a reference, between dovecot proxy and imap dovecot:

Data (41 bytes)
0000  41 55 54 48 45 4e 54 49 43 41 54 45 20 22 50 4c   AUTHENTICATE "PL
0010  41 49 4e 22 20 22 41 47 6c 74 59 58 41 78 41 47   AIN" "AGltYXAxAG
0020  6c 74 59 58 41 78 22 0d 0a                        ltYXAx"..

Data (17 bytes)
0000  4f 4b 20 22 4c 6f 67 67 65 64 20 69 6e 2e 22 0d   OK "Logged in.".
0010  0a                                                .

Data (12 bytes)
0000  43 41 50 41 42 49 4c 49 54 59 0d 0a               CAPABILITY..

Mathieu Kretchner wrote:
> Stephan Bosch wrote:
>> Mathieu Kretchner wrote:
>>> Hello all,
>>>
>>> I've configured a dovecot server in proxy mode. It seems to work well but. I've tested managesieve with squirrelmail and it's working correctly but I can't connect to cyrus sieve server: timsieved
>>
>> First of all, what versions are you using? How is it all configured? Do the Dovecot and Cyrus logs contain anything useful?
>
> I've to do a migration between cyrus and dovecot so we have chosen to use dovecot (1.1.8) proxy in front of an old cyrus 2.2.12 and our new dovecot server.
>
>>> Has anybody here configured a sieve proxy to do this?
>>
>> Your setup is a bit odd. I haven't tried this ever and doubt anyone else has. The proxying feature is mainly implemented with Dovecot back-ends in mind. In an ideal world this should work however, so there is a possibility that the Dovecot proxy is not working properly.
>>
>>> Or is it a normal behavior and dovecot sieve proxy can't speak with cyrus sieve?
>>
>> Theoretically, this setup should be possible. However, the protocol specification is unfortunately not always followed to the letter. Also, Cyrus possibly does not allow you to login with the SASL PLAIN mechanism (the only one supported for proxying now). This seems unlikely though, since the IMAP proxy does work.
>
> I think you're right, I've done some tcpdump and don't see a lot of things but there is some data on the 2000 port of my cyrus server. But I really wonder if the SASL PLAIN mechanism is the key of the problem?
>
> telnet imap-serv sieve
> Trying 138.XX.XX.XX...
> Connected to imap-serv.
> Escape character is '^]'.
> IMPLEMENTATION Cyrus timsieved v2.2.12
> SASL PLAIN
> SIEVE fileinto reject envelope vacation imapflags notify subaddress relational comparator-i;ascii-numeric regex
> STARTTLS
> OK
>
> If I configure my remote squirrelmail to directly access my cyrus server, it works! But as soon as I plug squirrelmail on the proxy it's crashing ...
>
> Thank you for your help
>
>> Without more information I can only guess what is going on. Could you sniff the communication between Dovecot and Cyrus (e.g. using ngrep)? Perhaps, if it is not too much trouble, I can make it work...
>>
>> Regards,
>>
>> Stephan
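
The AUTHENTICATE lines captured in this thread carry a SASL PLAIN response, which is only base64-encoded, so a trace of the unencrypted proxy-to-backend leg (or a capture pasted to a list) discloses the password. As an added example, not part of the original thread or of Dovecot or Cyrus, this Python code decodes that field and rewrites the line with the password replaced before a capture is shared; the sample line and the names `decode_sasl_plain` and `redact_auth_line` are constructed for illustration.

```python
import base64
import re

# ManageSieve AUTHENTICATE with an initial response. The quotes are optional
# here because the thread shows the line both with and without them.
# Literal-string ({n+}) responses are not handled.
AUTH_RE = re.compile(
    r'^AUTHENTICATE\s+"?(?P<mech>[A-Za-z0-9_-]+)"?\s+"?(?P<resp>[A-Za-z0-9+/=]+)"?\s*$',
    re.IGNORECASE,
)

# Constructed sample, not taken from the thread.
SAMPLE_LINE = 'AUTHENTICATE "PLAIN" "%s"' % base64.b64encode(
    b"\x00alice\x00not-a-real-password"
).decode("ascii")


def decode_sasl_plain(b64_response):
    """Split a SASL PLAIN message (RFC 4616) into (authzid, authcid, password)."""
    raw = base64.b64decode(b64_response, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("expected authzid NUL authcid NUL password")
    return tuple(p.decode("utf-8") for p in parts)


def redact_auth_line(line):
    """Replace the password in a PLAIN AUTHENTICATE line; pass other lines through."""
    m = AUTH_RE.match(line.strip())
    if not m or m.group("mech").upper() != "PLAIN":
        return line
    authzid, authcid, _password = decode_sasl_plain(m.group("resp"))
    # Keep the login names so the trace stays useful for debugging.
    safe = b"\x00".join([authzid.encode(), authcid.encode(), b"REDACTED"])
    return 'AUTHENTICATE "PLAIN" "%s"' % base64.b64encode(safe).decode("ascii")


if __name__ == "__main__":
    print(decode_sasl_plain(AUTH_RE.match(SAMPLE_LINE).group("resp")))
    print(redact_auth_line(SAMPLE_LINE))
```
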