Re: Cyrus/SASL Authentication
Hey guys, I was wondering if anyone knew of a tool or method for migrating Cyrus-imap from a FreeBSD machine to a Linux 7.0 machine. We are using postfix instead of sendmail. I want to try to preserve the emails and mailbox structure as much as possible. Thanks in advance.

James
Re: virtual hosting, revisited...
> On Sun, 10 Dec 2000 22:48:33 -0800,
> Michael Fair <[EMAIL PROTECTED]> (mf) writes:

mf> I have thought a lot about this. I even patched
mf> 1.6.24 to use email addresses as IDs, and had
mf> different domains residing in different namespaces
mf> (implemented as different top-level folders).

Would the folks login using their email address as the login name?

mf> This allowed each domain to have its own set of
mf> users and shared folders without name collisions
mf> in other domains.

As I think it should be. Though, I suppose they share configuration settings, correct?

mf> I authenticated out of a database using the domain
mf> name as the table name to get the data out of and
mf> didn't do any "per domain" configuration other
mf> than creating a separate partition for each.

Ah, I see.

mf> It worked, but was by no means a generic solution.
mf> It was merely a proof of concept to see how much
mf> work was really involved. "A lot, but doable"
mf> was my conclusion. It's certainly no small task,
mf> however the Cyrus system is far from being a lost
mf> cause about it. In fact, during the "upgrade"
mf> several other features can easily be integrated
mf> with minimal extra effort. Such as a (compile time)
mf> configurable separator character for those who
mf> want something other than "." and the ability to
mf> create folders at the same level as "inbox" (like
mf> Drafts, Trash, Sent Items, etc..)

Hmm... this is getting pretty involved. My concern with this approach, as you later point out, is that it deviates enormously from the original code base. It seems to also introduce considerable complexity, but perhaps that's just from a first reading of this. Also, I don't think that having folks log in using their fully qualified email address is desirable. It certainly doesn't convey that they are using their own little service, which ideally is the perception most desirable when providing a service to totally disjoint domains.
Perhaps not ultimately the most desirable in the long run, but it seems to me that simply providing a `-c configfile' option to master, which then propagated that setting to all the auxiliary services, is the tidiest code-wise. Even if more elaborate schemes were to subsequently follow, it's not like the availability of this `-c' option would preclude that. Seems like this might be useful for other things, like testing or something.

The next thing, and even this doesn't seem like it would be too complicated, would be to allow binding the services to particular addresses. Perhaps a syntax along these lines:

  imap cmd="imapd" listen="imap" prefork=0
  imap cmd="imapd" listen="mailhost.example.org:imap" prefork=0
  imap cmd="imapd" listen="[255.255.255.255]:imap" prefork=0

Perhaps I'm taking too many liberties with oversimplification, but it seems like this would rather expediently provide the capability to support multiple domains without radically diverging from the current source code.

As for the jail approach suggested, I'm afraid that one of the potential deployments is using Solaris 8, on an E250 to be exact.

--
Amos
Re: How to tell imapd and imspd to advertize LOGIN?
Kenneth Murchison writes:
> I don't know about imspd, but for imapd run it with '-p 2' (or higher).
> Check imapd(8) for details.

And here I was reading the source looking for a way, and RTFM would have done it. However, I wouldn't have guessed that from the man page:

     OPTIONS
          -p ssf   Tell imapd that an external layer exists. An SSF
                   (security strength factor) of 1 means an integrity
                   protection layer exists. Any higher SSF implies some
                   form of privacy protection.

Now, my real problem is that I'm using a php-based web client that uses imap-2000a c-client to connect to the Cyrus IMAP (and IMSP) servers. Both run on the same host, so network security is not an issue. C-client is supposed to authenticate with either CRAM-MD5 or LOGIN, but it seems only to use CRAM-MD5. I suspect that this is because the servers don't advertize LOGIN. I'm using the auto_transition feature of SASL to populate the CRAM-MD5 database from plaintext passwords. This means that users can login via the php-based web client until they have done one plaintext login by some other method. The result is mass confusion. I need a way out of this mess without degrading security too much. Any suggestions?

--
-Gary Mills--Unix Support--U of M Academic Computing and Networking-
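The CRAM-MD5 exchange that c-client ends up using, and why auto_transition leaves a user stuck until one plaintext login has happened, as an added example in Python. This is not code from the thread, from Cyrus SASL or from c-client; the SecretStore class (standing in for sasldb), the plain_backend dictionary and every function name are this example's own assumptions.

```python
"""Added example, not code from the thread, from Cyrus SASL or from c-client:
the CRAM-MD5 exchange of RFC 2195 with a toy stand-in for the sasldb that
SASL's auto_transition fills. All class and function names are assumptions."""
import base64
import hmac
import secrets
import time


class SecretStore:
    """Stand-in for sasldb. `plain_backend` models whatever verifies a
    plaintext password (PAM, /etc/shadow, ...) and is only consulted for a
    plaintext login. CRAM-MD5 can only be verified against `_secrets`, which
    auto_transition fills the first time a user logs in in plaintext."""

    def __init__(self, plain_backend, auto_transition=True):
        self._plain = plain_backend
        self._secrets = {}
        self.auto_transition = auto_transition

    def plaintext_login(self, user, password):
        ok = hmac.compare_digest(self._plain.get(user, "").encode(), password.encode())
        if ok and self.auto_transition:
            self._secrets[user] = password  # plaintext-equivalent secret is stored now
        return ok

    def has_secret(self, user):
        return user in self._secrets

    def secret(self, user):
        return self._secrets[user]


def make_challenge(host="postoffice.example.net"):
    """Server side: an RFC 2195 challenge of the form '<random.timestamp@host>'."""
    return f"<{secrets.randbelow(10**8)}.{int(time.time())}@{host}>".encode()


def cram_md5_response(user, password, challenge):
    """Client side: 'user ' + hex(HMAC-MD5(key=password, msg=challenge))."""
    digest = hmac.new(password.encode(), challenge, "md5").hexdigest()
    return f"{user} {digest}".encode()


def verify_response(store, challenge, response):
    """Server side: recompute the HMAC from the stored secret. A user with no
    entry in the store cannot pass, whatever password the client used."""
    user, _, digest = response.decode().partition(" ")
    if not store.has_secret(user):
        return False
    expected = hmac.new(store.secret(user).encode(), challenge, "md5").hexdigest()
    return hmac.compare_digest(expected, digest)


def on_the_wire(challenge, response):
    """What actually crosses the IMAP connection: both halves are base64."""
    return b"+ " + base64.b64encode(challenge), base64.b64encode(response)


def walk_through(user="tim", password="tanstaaftanstaaf"):
    """Constructed scenario matching the thread: CRAM-MD5 fails until the user
    has done one plaintext login, then succeeds. Returns the three outcomes."""
    store = SecretStore(plain_backend={user: password})
    challenge = make_challenge()
    before = verify_response(store, challenge, cram_md5_response(user, password, challenge))
    transitioned = store.plaintext_login(user, password)
    after = verify_response(store, challenge, cram_md5_response(user, password, challenge))
    return before, transitioned, after


if __name__ == "__main__":
    print(walk_through())  # (False, True, True)
```

The trade-off behind "without degrading security too much" is visible in `verify_response`: a challenge-response mechanism keeps the password off the wire, but only if the server already holds a plaintext-equivalent secret for that user, which is exactly what the first plaintext login deposits. Advertising LOGIN (the `-p` option tells imapd an external layer already protects the connection) lets the web client authenticate against the plaintext backend immediately, at the cost of the password crossing whatever link sits between client and server.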
Re: Proper way to repair and remove quota in Cyrus 1.6.24
Paul Wiechman wrote:
>
> OK,
>
> Thanks, How do I tell Linux to add more file descriptors?

eg:

  echo 16384 > /proc/sys/fs/file-max

I've had to do this on LOTS of my Linux boxen. This should be documented somewhere in cyrus docs, since any reasonable size server will need this. I think the default is 4096, and you'll hit that quick. If you're running RedHat, look at the /etc/sysctl.conf file for the best way to do this on boot.

regards,
David

--
David L. Parsley
Network Administrator
Roanoke College
Re: Generic notify hook
On Thu, 7 Dec 2000, Jeremy Howard wrote:
> I'd like to see something like this generic notify hook added to the
> distribution--what do others think? The Perl daemon needn't necessarily be
> included, although I think that would be handy too.

Now, that would be nice. We've got a system that currently does the notification in a program sitting between the MTA and deliver, which we want to update to use LMTP deliveries (i.e. no intermediate delivery agent). Having this sort of facility available would let us do this without losing the ability to do notification (your code should be handy here, but a standard feature in the distribution would be even better.)

Chris.
Un-deletable mailbox
I am running cyrus imap-1.6.24 on RH6.2.

A user created (with Netscape) a folder under INBOX.Collaborators named "B.R.Shaw". This had the effect of creating directories B, R, and Shaw under Collaborators. This is not what he wanted, but he cannot remove the folders using Netscape, nor can I as administrator. Note the parens on mailbox user.arnold.Collaborators.B. Why is this?

  imap> listmailbox "user.arnold.Collaborators"
  user.arnold.Collaborators
  imap> listmailbox "user.arnold.Collaborators.B"
  (user.arnold.Collaborators.B)
  imap> setaclmailbox user.arnold.Collaborators.B cyrusadmin d
  command failed: Mailbox does not exist

How can I remove this mailbox?

thanks
Shelley Waltz
Center for Advanced Biotechnology and Medicine (CABM)
679 Hoes Lane
Piscataway, NJ 08854-5638
phone: (732) 235-3346
Re: How to tell imapd and imspd to advertize LOGIN?
[EMAIL PROTECTED] wrote:
>
> I'm using cyrus-imapd-2.0.7, cyrus-imspd-v1.6a2, and sendmail-8.11.1
> with cyrus-sasl-1.5.24. I've built SASL with LOGIN authentication.
> How do I tell imapd and imspd to advertize this method? They only
> advertize DIGEST-MD5 and CRAM-MD5 now. For sendmail, I had to add
> LOGIN to the AuthMechanisms list in sendmail.cf to make it announce
>
> 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN
>
> What do I do with imapd and imspd?

I don't know about imspd, but for imapd run it with '-p 2' (or higher). Check imapd(8) for details.

Ken

--
Kenneth Murchison                   Oceana Matrix Ltd.
Software Engineer                   21 Princeton Place
716-662-8973 x26                    Orchard Park, NY 14127
--PGP Public Key--  http://www.oceana.com/~ken/ksm.pgp
Re: Proper way to repair and remove quota in Cyrus 1.6.24
I forgot to mention: when my Linux box ran out of fd's, LOTS of mailboxes got corrupted db files and such. Very messy. In the end, I ran 'at 2am' and had it do a reconstruct -r user. For a while there, reconstruct was my friend. Thankfully, I haven't needed to run it in a while.

regards,
David

Paul Wiechman wrote:
>
> edited it in /proc/sys/fs/file-max
>
> Went to the extreme to try to get it to work.
>
> Paul
>
> Daryl Tester wrote:
> >
> > Paul Wiechman wrote:
> >
> > > That didn't work. Gave Linux 65535 FD's and quota still gives 'quota:
> > > System I/O error Too many open files'.
> >
> > _Where_ (and how) did you give Linux that many file descriptors?
> > There is a system wide limit defined (in fs.file-max and
> > fs.inode-max in sysctl naming convention, from memory), and a
> > per-process limit defined by ulimit. And I believe with the
> > system wide limit, fs.inode-max >= 3 * fs.file-max.
> >
> > --
> > Regards,
> > Daryl Tester, Software Wrangler and Bit Herder, IOCANE Pty. Ltd.
> >
> > "Who knows what men lurk in the heart of eval?"

--
David L. Parsley
Network Administrator
Roanoke College
Re: Proper way to repair and remove quota in Cyrus 1.6.24
Paul Wiechman wrote:
> edited it in /proc/sys/fs/file-max
>
> Went to the extreme to try to get it to work.

Well, as I said, you need to bump up fs.inode-max (/proc/sys/fs/inode-max in old-speak) as well, plus you need to bump up your per-process limit (the kernel documentation in Documentation/proc.txt mentions this). On my RedHat 6.1 box, ulimit -Sn and -Hn return 1024, so unless you've adjusted those as well, you'll still strike this limit.

--
Regards,
Daryl Tester, Software Wrangler and Bit Herder, IOCANE Pty. Ltd.

"Who knows what men lurk in the heart of eval?"
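The limits David and Daryl are talking past each other about (the system-wide fs.file-max and fs.inode-max, the allocated count in /proc/sys/fs/file-nr, and the per-process ulimit -Sn/-Hn that stays at 1024 until raised separately) are easy to audit in one place. The script below is an added example, not from this thread or from the Cyrus distribution; the 80% headroom threshold, the "want at least N" argument and the function names are its own assumptions, and the 3 * fs.file-max ratio is the one Daryl quotes from memory.

```shell
#!/bin/sh
# Added example, not from the thread: audit the Linux open-file limits
# (fs.file-max, fs.inode-max, the per-process ulimit) against what a Cyrus
# server is expected to need. Thresholds below are assumptions.

# fd_check NAME VALUE WANTED: print one line, return 1 when VALUE < WANTED.
fd_check() {
    case $2 in
        unlimited) printf 'ok   %s=unlimited\n' "$1"; return 0 ;;
    esac
    if [ "$2" -lt "$3" ]; then
        printf 'LOW  %s=%s (want >= %s)\n' "$1" "$2" "$3"
        return 1
    fi
    printf 'ok   %s=%s\n' "$1" "$2"
    return 0
}

# fd_audit FILE_MAX FILE_ALLOC SOFT_LIMIT HARD_LIMIT WANTED [INODE_MAX]
# Pure function over the numbers, so it can be exercised offline.
# Returns 0 only when every limit is at least WANTED, the allocated handle
# count is below 80% of FILE_MAX (assumed headroom), and, when given,
# INODE_MAX is at least three times FILE_MAX (the ratio quoted in the thread).
fd_audit() {
    rc=0
    fd_check fs.file-max "$1" "$5" || rc=1
    fd_check 'ulimit -Sn' "$3" "$5" || rc=1
    fd_check 'ulimit -Hn' "$4" "$5" || rc=1
    used_pct=$(( $2 * 100 / $1 ))
    if [ "$used_pct" -ge 80 ]; then
        printf 'LOW  allocated=%s is %s%% of fs.file-max\n' "$2" "$used_pct"
        rc=1
    else
        printf 'ok   allocated=%s (%s%% of fs.file-max)\n' "$2" "$used_pct"
    fi
    if [ -n "$6" ]; then
        fd_check fs.inode-max "$6" $(( $1 * 3 )) || rc=1
    fi
    return $rc
}

# fd_audit_live WANTED: read the live values. Needs a Linux /proc; the
# inode-max file only exists on old (2.2/2.4) kernels, so it is optional.
# Run it as the user the Cyrus services run as, so ulimit reflects their limit.
fd_audit_live() {
    file_max=$(cat /proc/sys/fs/file-max)
    file_alloc=$(awk '{print $1}' /proc/sys/fs/file-nr)   # first field: allocated handles
    inode_max=
    [ -r /proc/sys/fs/inode-max ] && inode_max=$(cat /proc/sys/fs/inode-max)
    fd_audit "$file_max" "$file_alloc" "$(ulimit -Sn)" "$(ulimit -Hn)" "$1" "$inode_max"
}

# Making the system-wide value survive a reboot on Red Hat goes in
# /etc/sysctl.conf (e.g. "fs.file-max = 16384", as the thread suggests); the
# per-process limit must be raised separately (ulimit -n in the startup
# script or limits.conf), or each imapd still stops at the 1024 default.

# Usage: sh fd_audit.sh 8192
if [ "$#" -eq 1 ]; then
    fd_audit_live "$1"
fi
```

A "Too many open files" from quota with fs.file-max already at 65535 is exactly the case the per-process check catches: the system-wide table is fine, but the process that ran out was still capped at 1024. The same exhaustion is what corrupted David's mailbox databases, so this is worth running before a server grows rather than after reconstruct becomes a nightly job.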
Re: virtual hosting, revisited...
I have thought a lot about this. I even patched 1.6.24 to use email addresses as IDs, and had different domains residing in different namespaces (implemented as different top-level folders). This allowed each domain to have its own set of users and shared folders without name collisions in other domains. The patch was alpha quality and only patched the imapd directory. I authenticated out of a database using the domain name as the table name to get the data out of and didn't do any "per domain" configuration other than creating a separate partition for each.

It worked, but was by no means a generic solution. It was merely a proof of concept to see how much work was really involved. "A lot, but doable" was my conclusion. It's certainly no small task, however the Cyrus system is far from being a lost cause about it. In fact, during the "upgrade" several other features can easily be integrated with minimal extra effort. Such as a (compile time) configurable separator character for those who want something other than "." and the ability to create folders at the same level as "inbox" (like Drafts, Trash, Sent Items, etc..)

I had targeted these points as my conditions of satisfaction:

- Different domains authenticate out of potentially different sources. (Essentially becomes each domain has its own configuration information).
- Allow any legal folder name in a domain without naming conflicts from other domains.
- Each domain stores its directories in a different subtree of the filesystem. Essentially allowing you to "delete" one subtree and all associated files for that domain would be deleted (Misusing the "partition" feature of cyrus partially addresses this one).
- Have some method for determining which domain the user was attempting to reach (using email address as login, binding to a unique IP, special tags in the user name (like myd_username or yourd_username), other).

These are some "first thoughts" about the subject.
What I really have questions about are what the right way to go about it is. Do we use the "realm" feature of SASL and Kerberos to handle the domain separation or reserve those for something else? I personally disagree with the 1 IP per domain theory of virtual hosting, but it is used by many people and thus should be supported. Furthermore, without some way of finding out what domain a client is trying to reach _before_ it tries to login the only method is to somehow encode the domain into the userid, which is also a sub-optimal solution.

I am thinking that since the modifications actually create a very different product, we might even need to use a completely separate CVS branch so that things could be broken while people did the modifications, and then merged back into the main source tree once it was stable enough to be considered.

These modifications combined with what the server already does would make cyrus the "feature complete" server for me to use in all my installations. I absolutely believe that we will get virtual domain support coded into the server soon enough. I know I'm not the only one who has this set of patches as a high priority on their "TODO" list. Eventually one of us is going to come up with a good, clean, solution and take the time to complete the patches. Fortunately, the CMU guys have been gracious enough to let us know that these patches would be accepted which removes the "I hope I'm not wasting my effort" concern that I had when I originally thought about doing it.

May we all be blessed with good tidings,
-- Michael --

----- Original Message -----
From: "Amos Gouaux" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, December 10, 2000 6:23 PM
Subject: virtual hosting, revisited...

> A while ago there was some ideas kicking around regarding supporting
> different virtual domains. Have these thoughts progressed any?
> Just curious where that had been left off.
>
> Perhaps master could take a -c option to override the imapd.conf
> location? You could then select a LMTP socket specific for that
> domain. I guess the other issue would be to have imapd listen on a
> specific IP address. (A capability that would also be nice for the
> lmtpd server.)
>
> While having one imapd.conf support the various domains would be
> convenient, seems like that would be a rather considerable task to
> encapsulate all those settings at a per-domain level. At that
> point, wouldn't it just be practical to have a different imapd.conf
> anyway? On the other hand, I suppose it could be like the ISC DHCP
> server config file.
>
> --
> Amos
>
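Two things in this thread come down to how a mailbox name is assembled: Michael's per-domain namespace (the domain as a top-level folder, so users and shared folders in one domain never collide with another, and the four ways he lists of working out which domain a login is for) and Shelley's "B.R.Shaw" report, where a client folder name containing the hierarchy separator silently became three levels. The Python below is an added example modelling both; it is not code from the thread or from Cyrus. The short per-domain label (domains themselves contain "."), the "myd_username" tag syntax and every function name are this example's assumptions.

```python
"""Added example, not code from the thread or from Cyrus: a small model of a
per-domain mailbox namespace plus the separator check that the "B.R.Shaw"
report calls for. Domain labels, the "_" tag syntax and all names here are
this example's own assumptions."""

SEP = "."  # Cyrus 1.6 hierarchy separator; compile-time only, per the thread


class NamespaceError(ValueError):
    pass


def resolve_domain(login, local_ip=None, ip_to_domain=None, tag_to_domain=None,
                   default_domain=None):
    """Return (domain, localpart) using the strategies listed in the thread,
    tried in order: email address as login, a domain tag in the user name
    (myd_username), the IP address the client connected to, else a default."""
    ip_to_domain = ip_to_domain or {}
    tag_to_domain = tag_to_domain or {}
    if "@" in login:
        local, domain = login.rsplit("@", 1)
        return domain.lower(), local
    tag, sep, rest = login.partition("_")
    if sep and tag in tag_to_domain:
        return tag_to_domain[tag], rest
    if local_ip in ip_to_domain:
        return ip_to_domain[local_ip], login
    if default_domain:
        return default_domain, login
    raise NamespaceError(f"cannot tell which domain {login!r} belongs to")


def check_component(name):
    """One hierarchy level may not be empty or contain SEP. With SEP='.',
    the folder name 'B.R.Shaw' is three levels (B, R, Shaw), which is exactly
    what the Netscape user in the thread got instead of one folder."""
    if not name or SEP in name:
        raise NamespaceError(f"bad folder component {name!r}: empty or contains {SEP!r}")
    return name


def mailbox_name(domain_label, user, *folders):
    """Build '<label>.user.<name>[.<folder>...]'. The domain label is the
    top-level folder, so 'alice' in two domains are two unrelated mailboxes.
    domain_label is a configured short label, since a domain contains SEP."""
    parts = [domain_label, "user", user, *folders]
    return SEP.join(check_component(p) for p in parts)


def implied_parents(name):
    """Every intermediate name that creating `name` also creates, which is
    why 'B' and 'B.R' appear when a client asks for 'B.R.Shaw'."""
    parts = name.split(SEP)
    return [SEP.join(parts[:i]) for i in range(1, len(parts))]


def demo():
    labels = {"example.org": "exo", "example.net": "exn"}  # constructed config
    d1, u1 = resolve_domain("alice@example.org")
    d2, u2 = resolve_domain("alice", local_ip="10.0.0.2",
                            ip_to_domain={"10.0.0.2": "example.net"})
    boxes = (mailbox_name(labels[d1], u1), mailbox_name(labels[d2], u2))
    try:
        mailbox_name("exo", "arnold", "Collaborators", "B.R.Shaw")
        rejected = False
    except NamespaceError:
        rejected = True
    return boxes, rejected


if __name__ == "__main__":
    print(demo())  # (('exo.user.alice', 'exn.user.alice'), True)
```

`resolve_domain` makes the ordering of Michael's strategies explicit, which matters because the email-address and tag forms are chosen by the client while the IP form is chosen by the server's listener; an installation that accepts more than one should decide which wins before a login that satisfies two of them arrives. `check_component` is the validation a CREATE would need so that a user cannot manufacture intermediate hierarchy nodes (the parenthesised, non-existent mailboxes that setaclmailbox then refuses to touch) just by putting the separator in a folder name.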