Re: Can murder be used for IMAP server migration?
On Wed, 2007-01-03 at 20:08 -0600, Gary Mills wrote:
> On Wed, Jan 03, 2007 at 08:18:15AM -0500, Ken Murchison wrote:
> > Gary Mills wrote:
> > > Can I use the old server as both a front end and one of the back ends for a murder configuration, with the new server as the second back end? Will that allow me to migrate mailboxes at my convenience? How do I prevent a port conflict between the IMAP server and the proxy on the old server?
> >
> > You'll have to run the frontend + mupdate master on a separate machine.
>
> Unfortunately, all the clients know the IP address of the old server, so the frontend has to run there.

Yes. But not the way you think - assign old server ip to the new machine with frontend.

> Of course, the old IMAP server has to run there too.

Wrong. Assign new ip to the old server.

Frankly there are simpler ways to do the migration than playing with frontend and mupdate - perdition. You will use same scheme though - assign the ip users are used to use to the perdition and give new ip to the old server.

M.

--
Mirosław Psyborg Jaworski
GCS/IT d- s+:+ a C++$ UBI$ P+++$ L- E--- W++(+++)$ N++ o+ K- w-- O- M- V- PS+ PE++ Y+ PGP t 5? X+ R++ !tv b++(+++) DI++ D+ G e* h++ r+++ y?
We are no more than candles burning in the wind.

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
xfer failed
Hi all,

When I do a xfer operation, it returns

xfermailbox: The remote Server(s) denied the operation

and in the log:

Could not move mailbox: user.testone, LOCALCREATE failed

I'm using cyrus 2.3.7
mupdate_config: unified
Simple testing environment: one mupdate master, two unified cyrus.

Is it related to unified config ?
Re: ldap lookup with different search_base's? [checked for viruses]
Andreas Winkelmann wrote:

Hmm, you can use ldapdb. Then you can specify multiple authz-regexp in slapd.conf. Separate them somehow in the Matching-Pattern.

That's what I would recommend too. I haven't tested this, but I think it's worth a try.

It works. Slapd converts the SASL uid for u. Create a general regexp for the user, which points to something like cn=$1,ou=users,dc=mailservices and a special regexp for uid admin (or cyrus ...), which points to cn=admin,dc=mailservices.

What do I have to enter at admins in /etc/imapd.conf?

Something that matches your special regexp. In my following example it is cyrus. I.e.

snip
authz-regexp uid=cyrus,cn=[^,]*,cn=auth dn:cn=admin,dc=mailservices
authz-regexp uid=([^,]*),cn=[^,]*,cn=auth dn.regex:cn=$1,ou=users,dc=mailservices
snap

Ask man slapd.conf for authz-policy and authz-regexp. And man slapd.access.

Hans
Re: [ Re: why does saslpasswd2 always append a realm?]
Uroš Gruber wrote:
> > > So I really need to login without a realm.
> >
> > Wrong. You need a login where the realm matches the hostname of the machine, which will solve the problem for you. If you check the sasl debug, you'll see that no realm becomes the result of gethostbyname() during the sasl query.
>
> I was trying to figure this out a while ago. Thanks for enlightening me :). Is this possible to be added in documentation.

Docs say clearly how an empty realm is processed. It's a SASL thing, not an IMAP thing.

> If I can add here because it's more about virtual users. I still don't understand is how can I create global admin user. I think in previous versions of cyrus this works but in latest I can only see users from primary domain or server hostname.

I'm running latest, and it works just fine. Hasn't changed since Ken first published his patch for this.

--
Jo Rhett
Network/Software Engineer
Net Consonance
Re: Can murder be used for IMAP server migration?
Gary Mills wrote:
> On Wed, Jan 03, 2007 at 08:18:15AM -0500, Ken Murchison wrote:
> > Gary Mills wrote:
> > > Can I use the old server as both a front end and one of the back ends for a murder configuration, with the new server as the second back end? Will that allow me to migrate mailboxes at my convenience? How do I prevent a port conflict between the IMAP server and the proxy on the old server?
> >
> > You'll have to run the frontend + mupdate master on a separate machine.
>
> Unfortunately, all the clients know the IP address of the old server,

They actually use the IP address instead of a DNS name?

> so the frontend has to run there. Of course, the old IMAP server has to run there too. Is there not a way to have the old IMAP server listen on different ports, so that only the frontend connects to it? If not, could it listen on a secondary IP address only?

AFAIK, the proxy is hardcoded to talk to the backend(s) on port 143. Perhaps you could force imapd to only listen on localhost, but then you have to find a way to get the mailboxes.db used by the proxy to use localhost as the servername for the existing mailboxes.

It *might* make sense to upgrade the existing server to 2.3.x, since imapd can both proxy and serve local mailboxes (a unified Murder).

--
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University
Re: Can murder be used for IMAP server migration?
On Thu, 2007-01-04 at 07:47 -0500, Ken Murchison wrote:
> > > > Can I use the old server as both a front end and one of the back ends for a murder configuration, with the new server as the second back end? Will that allow me to migrate mailboxes at my convenience? How do I prevent a port conflict between the IMAP server and the proxy on the old server?
> > >
> > > You'll have to run the frontend + mupdate master on a separate machine.
> >
> > Unfortunately, all the clients know the IP address of the old server,
>
> They actually use the IP address instead of a DNS name?

Various broken client resolvers ruin the idea of shortening ttl of the mail service record(s) and switching traffic by changing it/them to another ip. Best approach is to make the service accessible under same ip and play with ip address(es) of the old server(s) acting as backends.

M.

--
Mirosław Psyborg Jaworski
GCS/IT d- s+:+ a C++$ UBI$ P+++$ L- E--- W++(+++)$ N++ o+ K- w-- O- M- V- PS+ PE++ Y+ PGP t 5? X+ R++ !tv b++(+++) DI++ D+ G e* h++ r+++ y?
The hen is an egg's way of producing another egg.
Re: Can murder be used for IMAP server migration?
On Thu, Jan 04, 2007 at 09:22:24AM +0100, Mirosław Jaworski wrote:
> On Wed, 2007-01-03 at 20:08 -0600, Gary Mills wrote:
> > On Wed, Jan 03, 2007 at 08:18:15AM -0500, Ken Murchison wrote:
> > > Gary Mills wrote:
> > > > Can I use the old server as both a front end and one of the back ends for a murder configuration, with the new server as the second back end? Will that allow me to migrate mailboxes at my convenience? How do I prevent a port conflict between the IMAP server and the proxy on the old server?
> > >
> > > You'll have to run the frontend + mupdate master on a separate machine.
> >
> > Unfortunately, all the clients know the IP address of the old server, so the frontend has to run there.
>
> Yes. But not the way you think - assign old server ip to the new machine with frontend.

That won't work either. There are many different services linked to that IP address. I don't want to move all of them.

> > Of course, the old IMAP server has to run there too.
>
> Wrong. Assign new ip to the old server. Frankly there are simpler ways to do the migration than playing with frontend and mupdate - perdition. You will use same scheme though - assign the ip users are used to use to the perdition and give new ip to the old server.

I've investigated perdition, but I don't think it supports all of the SASL mechanisms that our clients use. Some use NTLM, for example. So many things work nicely with Cyrus that I'd like to stick with it.

--
-Gary Mills--Unix Support--U of M Academic Computing and Networking-
Re: Can murder be used for IMAP server migration?
On Thu, Jan 04, 2007 at 07:47:54AM -0500, Ken Murchison wrote:
> Gary Mills wrote:
> > On Wed, Jan 03, 2007 at 08:18:15AM -0500, Ken Murchison wrote:
> > > Gary Mills wrote:
> > > > Can I use the old server as both a front end and one of the back ends for a murder configuration, with the new server as the second back end? Will that allow me to migrate mailboxes at my convenience? How do I prevent a port conflict between the IMAP server and the proxy on the old server?
> > >
> > > You'll have to run the frontend + mupdate master on a separate machine.
> >
> > Unfortunately, all the clients know the IP address of the old server,
>
> They actually use the IP address instead of a DNS name?

They actually use a CNAME, but the same one for SMTP and IMAP, with the same SSL certificate for both. It would be painful to split them up now.

> > so the frontend has to run there. Of course, the old IMAP server has to run there too. Is there not a way to have the old IMAP server listen on different ports, so that only the frontend connects to it? If not, could it listen on a secondary IP address only?
>
> AFAIK, the proxy is hardcoded to talk to the backend(s) on port 143. Perhaps you could force imapd to only listen on localhost, but then you have to find a way to get the mailboxes.db used by the proxy to use localhost as the servername for the existing mailboxes.
>
> It *might* make sense to upgrade the existing server to 2.3.x, since imapd can both proxy and serve local mailboxes (a unified Murder).

That sounds like the way to go. I'll investigate and try it on my test servers. Thanks for the suggestion.

--
-Gary Mills--Unix Support--U of M Academic Computing and Networking-
Re: why does saslpasswd2 always append a realm?
Hello,

> > So I really need to login without a realm.
>
> Wrong. You need a login where the realm matches the hostname of the machine, which will solve the problem for you.

Even while using virtdomains: userid?

> If you check the sasl debug, you'll see that no realm becomes the result of gethostbyname () during the sasl query.

Well, would it also be possible to set this in imapd.conf:

admins: cyrus
defaultdomain: imap.localhost

and add a user [EMAIL PROTECTED] in sasldb?

Regards
Marten
Re: ldap lookup with different search_base's? [checked for viruses]
Hello,

> > What do I have to enter at admins in /etc/imapd.conf?
>
> Something that matches your special regexp. In my following example it is cyrus. I.e.
>
> snip
> authz-regexp uid=cyrus,cn=[^,]*,cn=auth dn:cn=admin,dc=mailservices
> authz-regexp uid=([^,]*),cn=[^,]*,cn=auth dn.regex:cn=$1,ou=users,dc=mailservices
> snap

where can I find more examples of this? My saslauthd.conf looks like this:

/etc/saslauthd.conf
ldap_servers: ldap://1.2.3.4/
ldap_timeout: 10
ldap_time_limit: 10
ldap_search_base: ou=users,dc=mailservices
ldap_auth_method: bind
ldap_filter: (cn=%u)
ldap_debug: 0
ldap_verbose: off
ldap_ssl: no
ldap_start_tls: no
ldap_referrals: no

And this is my imapd.conf:

/etc/imapd.conf
configdirectory: /var/cyrus/config
partition-default: /var/cyrus/spool
admins: cyrus
sievedir: /var/cyrus/config/sieve
sendmail: /usr/sbin/sendmail
altnamespace: true
hashimapspool: true
unixhierarchysep: true
virtdomains: userid
allowusermoves: true
sasl_pwcheck_method: saslauthd
servername: imap.localhost
munge8bit: true
username_tolower: true

From what I can see, the user cyrus would never be passed to LDAP, since the saslauthd.conf defines which searchbase to use. And sasl would never simply pass cyrus but attach the hostname on an empty realm, so LDAP would get something like [EMAIL PROTECTED]

Regards
Marten
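How the two authz-regexp rules from Hans's post (quoted again in Marten's reply above) are evaluated, as an added example that is not code from the thread or from OpenLDAP: slapd tries the rules in file order and stops at the first match, so the rule for the admin identity has to precede the catch-all. Python's re module stands in for slapd's regex matching; the user marten, the realm example.org and the function names are constructed for illustration.

```python
import re

# The two rules as posted, in posted order: (match pattern, replacement).
# slapd writes backreferences as $1.
RULES = [
    (r"uid=cyrus,cn=[^,]*,cn=auth", "dn:cn=admin,dc=mailservices"),
    (r"uid=([^,]*),cn=[^,]*,cn=auth", "dn.regex:cn=$1,ou=users,dc=mailservices"),
]


def sasl_authc_dn(user, mech, realm=None):
    """Build the SASL authentication DN that authz-regexp is matched against.

    Form: uid=<user>[,cn=<realm>],cn=<mechanism>,cn=auth
    The realm component is present only when a realm was supplied.
    """
    parts = ["uid=" + user]
    if realm:
        parts.append("cn=" + realm)
    parts += ["cn=" + mech.lower(), "cn=auth"]
    return ",".join(parts)


def map_dn(authc_dn, rules=RULES):
    """Return the replacement of the first matching rule, or None."""
    for pattern, replacement in rules:
        m = re.search(pattern, authc_dn, re.IGNORECASE)
        if m:
            # Expand $1..$9 with the text captured by the pattern.
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None  # no rule matched: the identity is left unmapped


if __name__ == "__main__":
    samples = (
        sasl_authc_dn("cyrus", "DIGEST-MD5"),                       # admin rule
        sasl_authc_dn("marten", "DIGEST-MD5"),                      # catch-all rule
        sasl_authc_dn("cyrus", "DIGEST-MD5", realm="example.org"),  # extra cn= component
    )
    for dn in samples:
        print(dn, "->", map_dn(dn))
    # With the order reversed the catch-all shadows the admin rule.
    print("reversed:", map_dn(samples[0], RULES[::-1]))
```

A DN that carries a realm has one more cn= component than either pattern allows for, so neither rule maps it; that is the case to test for when SASL appends a realm to the login name.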
Re: [ Re: why does saslpasswd2 always append a realm?]
Uroš Gruber wrote:
> If I can add here because it's more about virtual users. I still don't understand is how can I create global admin user. I think in previous versions of cyrus this works but in latest I can only see users from primary domain or server hostname.

See Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
Under virtual domains

--
Rudy Gevaert [EMAIL PROTECTED] tel:+32 9 264 4734
Directie ICT, afd. Infrastructuur Direction ICT, Infrastructure dept.
Groep Systemen Systems group
Universiteit Gent Ghent University
Krijgslaan 281, gebouw S9, 9000 Gent, Belgie www.UGent.be
example for ldap options in imapd.conf?
Hello,

the manpage for imapd.conf shows a lot of options for ldap but I cannot find an example configuration using these in the Cyrus documentation or wiki. Is anyone aware of such examples and can point me to related websites?

Thanks in advance.

Regards
Marten
RE: 2.6 Kernel and POP issues
As of this time I am happy to report that adding --with-devrandom=/dev/urandom to the sasl config has solved the issue for a 2.6 kernel. I was finally able to implement the compile time feature last week and seem to be running fine. Just a follow-up to the thread...

-Bob

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert T. Covell
Sent: Saturday, December 02, 2006 1:24 PM
To: Sebastian Hagedorn
Cc: info-cyrus@lists.andrew.cmu.edu
Subject: RE: 2.6 Kernel and POP issues

Well it figures that I recompiled cyrus imap only and NOT sasl. I will recompile that and put in the allowapop statement. Report to follow...

-Thanks
Bob

From: Sebastian Hagedorn [mailto:[EMAIL PROTECTED]
Sent: Sat 12/2/2006 12:20 PM
To: Robert T. Covell
Cc: info-cyrus@lists.andrew.cmu.edu
Subject: RE: 2.6 Kernel and POP issues

-- Robert T. Covell [EMAIL PROTECTED] is rumored to have mumbled on 1 December 2006 18:50:11 -0600 regarding RE: 2.6 Kernel and POP issues:

> I have recompiled my cyrus implementation (--with-devrandom=/dev/urandom) and my kernel with no luck. I reboot from the newest 2.4 kernel and my pop clients hang. When checking the 2.6 kernel I looked at /proc/sys/kernel/random/entropy_avail and saw that it was very low (like 5-30, not sure on specifics). Is there something I am not doing right with either the kernel or cyrus?

Well, recompiling SASL *should've* taken care of that, but you could also try disabling APOP in /etc/imapd.conf:

allowapop: 0

Restart Cyrus after you make the change. If that helps it means that, for whatever reason, Cyrus still uses /dev/random instead of /dev/urandom ... if it doesn't help, something else must be wrong. I have no idea what that might be.

--
Sebastian Hagedorn - RZKR-R1 (Flachbau), Zi. 18, Robert-Koch-Str. 10
Zentrum für angewandte Informatik - Universitätsweiter Service RRZK
Universität zu Köln / Cologne University - Tel. +49-221-478-5587
Re: 2.6 Kernel and POP issues
On 05.01.2007, at 00:24, Robert T. Covell wrote:
> As of this time I am happy to report that adding “--with-devrandom=/dev/urandom” to the sasl config has solved the issue for a 2.6 kernel. I was finally able to implement the compile time feature last week and “seem” to be running fine.

As exim suffers from the same problem, would it be secure to just link /dev/random to /dev/urandom, or would that cause any issues?

wogri

--
[EMAIL PROTECTED]
http://www.wogri.com
http://www.einradfilm.at