sieve is working with allowplaintext: yes
OK list, finally I have solved it. In /etc/imapd.conf I have modified

allowplaintext: yes
sasl_minimum_layer: 0
sasl_mech_list: LOGIN PLAIN

and now sieve is working well. But I would like to know how [allowplaintext: yes] can affect my security compared with [allowplaintext: no]?

Thanks

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
how to secure authentication ?
Dear list,

SSL encryption is working now :-) The next step of security is securing the authentication. I am using PLAIN and LOGIN. Is it secure? How to securely authenticate? Please enlighten me.

Here is my /etc/imapd.conf
---
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
sievedir: /var/lib/sieve
admins: cyrus
allowplaintext: yes
sasl_minimum_layer: 0
sasl_mech_list: LOGIN PLAIN
allowanonymouslogin: no
autocreatequota: 1
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pwcheck_method: saslauthd #auxprop saslauthd
#sasl_auxprop_plugin: sasldb2
servername: linux.kolkatainfoservices.in
lmtp_overquota_perm_failure: no
lmtp_downcase_rcpt: yes
#
# if you want TLS, you have to generate certificates and keys
#
tls_cert_file: /etc/openldap/myca/servercert.pem
tls_key_file: /etc/openldap/myca/serverkey.pem
tls_ca_file: /etc/openldap/myca/cacert.pem
tls_ca_path: /etc/openldap/myca/
#tls_require_cert: no
#tlscache_db: berkeley
unixhierarchysep: yes
virtdomains: yes
defaultdomain: kolkatainfoservices.in
loginrealms: kolkatainfoservices.in
hashimapspool: true
lmtpsocket: /var/lib/imap/socket/lmtp
Re: how to secure authentication ?
On Thu, Apr 05, 2007 at 11:37:29AM +0530, JOYDEEP wrote:

> SSL encryption is working now :-) the next step of security is securing the authentication. I am using PLAIN and LOGIN. is it secure ? How to securely authenticate ? please enlighten me ?
>
> here is my /etc/imapd.conf
> ---
> configdirectory: /var/lib/imap
> partition-default: /var/spool/imap
> sievedir: /var/lib/sieve
> admins: cyrus
> allowplaintext: yes
> sasl_minimum_layer: 0

sasl_minimum_layer 128

Try this.

By.
Dmitriy
Is it possible to run a mailserver on a remote pc which doesn't have DNS server on it ?
Dear list,

Is it possible to run a mailserver on a remote pc which doesn't have a DNS server on it? I am totally confused about it.

I would like to set up egroupware on a remote server configured by PLESK, but due to the expiration of the license I am going to remove PLESK from that server. Hence I'll lose all the DNS configuration set by PLESK. Now if I point that server through dyndns, is it possible to send and receive mail from that server?

I would also like to know about any free web-based tool which can let me configure the DNS and mail related settings on that remote server.

Please enlighten me.
Re: how to secure authentication ?
Dmitriy Kirhlarov wrote:

> On Thu, Apr 05, 2007 at 11:37:29AM +0530, JOYDEEP wrote:
>
>> SSL encryption is working now :-) the next step of security is securing the authentication. I am using PLAIN and LOGIN. is it secure ? How to securely authenticate ? please enlighten me ?
>>
>> here is my /etc/imapd.conf
>> ---
>> configdirectory: /var/lib/imap
>> partition-default: /var/spool/imap
>> sievedir: /var/lib/sieve
>> admins: cyrus
>> allowplaintext: yes
>> sasl_minimum_layer: 0
>
> sasl_minimum_layer 128
>
> Try this.

Hi Dmitriy,

I have changed sasl_minimum_layer: 0 to 128. I have no problem logging in to the inbox, but sieve is not working with sasl_minimum_layer: 128. I have 2 questions here:

1. How can I check that authentication is secure with the setting sasl_minimum_layer 128?
2. What to do to enable sieve?

Thanks for your guidance.

> By.
> Dmitriy
Re: how to secure authentication ?
Hi!

On Thu, Apr 05, 2007 at 01:40:03PM +0530, JOYDEEP wrote:

> I have changed sasl_minimum_layer: 0 to 128. I have no problem to login to the inbox. but sieve is not working with

Does your sieve client support TLS? Is it properly configured (CAcert.pem at least)?

> sasl_minimum_layer: 128. I have 2 question here
> 1 how can I check that authentication is secure by the setting sasl_minimum_layer 128 ?

Try to force a connection without using SSL/TLS.

> 2 what to do to enable the sieve ?

Sorry, I forget, what version of cyrus imapd are you using?

WBR.
Dmitriy
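The combinations tried in this thread, as an added example (not from any poster or from the Cyrus project): a Python check that reads imapd.conf text and reports how passwords can reach the server. It assumes the documented meaning of `sasl_minimum_layer` (minimum security strength factor, where values above 1 require encryption) and that PLAIN and LOGIN provide no SASL layer of their own; the function names, finding codes and sample config are constructed.

```python
# Added example: audit imapd.conf text for cleartext-password exposure.
PASSWORD_MECHS = {"PLAIN", "LOGIN"}   # send the password itself, add no SASL layer
TRUE_VALUES = {"yes", "on", "t", "true", "1"}

def parse_imapd_conf(text):
    """Return {option: value} for 'option: value' lines; '#' lines are comments."""
    lines = (l.strip() for l in text.splitlines())
    pairs = (l.split(":", 1) for l in lines if ":" in l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def audit_auth(conf):
    """Return finding codes describing how passwords can travel to this server."""
    mechs = set(conf.get("sasl_mech_list", "").upper().split())
    # Assumption: an unset allowplaintext is treated as enabled (worst case).
    plaintext_ok = conf.get("allowplaintext", "yes").lower() in TRUE_VALUES
    min_ssf = int(conf.get("sasl_minimum_layer", "0"))
    has_tls = "tls_cert_file" in conf and "tls_key_file" in conf
    findings = []
    # No layer required and a password mechanism offered: a client that skips
    # TLS can still authenticate, and its password crosses the wire readable.
    if plaintext_ok and min_ssf == 0 and mechs & PASSWORD_MECHS:
        findings.append("password-mechs-without-encryption")
    # Encryption required but the mechanisms cannot supply it: the layer has
    # to come from TLS, so every client (IMAP, POP, sieve) must negotiate it.
    if min_ssf > 1 and mechs and mechs <= PASSWORD_MECHS:
        findings.append("all-clients-need-tls" if has_tls else "no-usable-mechanism")
    return findings

# Constructed sample: the three options changed in the thread plus the TLS
# certificate options from the posted config.
BEFORE = """\
allowplaintext: yes
sasl_minimum_layer: 0
sasl_mech_list: LOGIN PLAIN
tls_cert_file: /etc/openldap/myca/servercert.pem
tls_key_file: /etc/openldap/myca/serverkey.pem
"""
AFTER = BEFORE.replace("sasl_minimum_layer: 0", "sasl_minimum_layer: 128")

if __name__ == "__main__":
    for name, text in (("minimum layer 0", BEFORE), ("minimum layer 128", AFTER)):
        print(name, "->", audit_auth(parse_imapd_conf(text)))
```

The `all-clients-need-tls` result matches the state described in the thread after the change to 128: login over SSL works, and a sieve client that does not start TLS cannot authenticate.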
Re: Murder / frontend does not connect to backend
According to Andrew Morgan [EMAIL PROTECTED]:

> On Wed, 4 Apr 2007, [EMAIL PROTECTED] wrote:
>
>> Thanks for your answer,
>>
>> I use 1 frontend because it's a test lab. Cyradm was just an example tool. My main question was How to troubleshoot IMAP connection to backend. I am unable to make a SELECT with imtest or any IMAP client. See below the results with imtest.
>
> [snip]
>
>> S: L01 OK User logged in
>> Authenticated.
>> Security strength factor: 0
>> a SELECT INBOX
>> a NO Server(s) unavailable to complete operation
>> b SELECT user.user1.INBOX
>> b NO Server(s) unavailable to complete operation
>>
>> and the log
>>
>> Mar 23 09:50:44 proxy1 cyrus/proxyd[12409]: connect(imapback.rescom.mi) failed: Invalid argument
>>
>> Why there is no communication when connecting to IMAP ? What does mean connect(default) failed: Invalid argument in the log ?
>
> Can you post your frontend, backend, and murder imapd.conf files (sanitize any passwords, of course)? I suspect there is an authentication problem.
>
> Andy

Thanks

Here's the frontend config. FYI, users are authenticated against an LDAP server with saslauthd, and cyrus, proxy_murder and murder are defined locally on each machine in a sasldb2 database.

FRONTEND CONFIG (proxy1) ---
configdirectory: /var/lib/cyrus
defaultpartition: proxy1
proxy1-default: /tmp
altnamespace: no
unixhierarchysep: no
lmtp_downcase_rcpt: yes
admins: cyrus postfix murder
lmtp_admins: postman postfix murder
mupdate_admins: murder
proxyservers: proxy_murder
allowanonymouslogin: no
popminpoll: 1
autocreatequota: 0
umask: 077
sieveusehomedir: false
sievedir: /var/spool/sieve
hashimapspool: true
allowplaintext: yes
allowplainwithouttls:yes
sasl_mech_list: PLAIN LOGIN
sasl_pwcheck_method: saslauthd auxprop
sasl_auxprop_plugin: sasldb
sasl_auto_transition: no
force_sasl_client_mech: plain login
tls_cert_file: /etc/3mi/pki/server.cert
tls_key_file: /etc/3mi/pki/server.key
tls_ca_file: /etc/3mi/pki/rootca.pem
imap_tls_cert_file: /etc/3mi/pki/server.cert
imap_tls_key_file: /etc/3mi/pki/server.key
imap_tls_ca_file: /etc/3mi/pki/rootca.pem
tls_session_timeout: 1440
tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
mupdate_server: mupdate.rescom.mi
mupdate_port: 3905
mupdate_username: murder
mupdate_authname: murder
mupdate_password: password
mupdate_retry_delay: 10
infra1_password:password
imapback_password:password
proxy_authname:murder
proxy_password:password
lmtpsocket: /var/run/cyrus/socket/lmtp
idlemethod: idled
idlesocket: /var/run/cyrus/socket/idle
notifysocket: /var/run/cyrus/socket/notify
syslog_prefix: cyrus
---/END FRONTEND ---

BACKEND CONFIG (imapback) -
servername:imapback.rescom.mi
configdirectory: /var/lib/cyrus
defaultpartition: default
partition-default: /var/spool/cyrus/mail
altnamespace: no
lmtp_downcase_rcpt: yes
unixhierarchysep: no
admins: cyrus proxy_murder murder
mupdate_admins: murder proxy_murder
allowanonymouslogin: no
popminpoll: 1
umask: 077
autocreatequota: 0
sieveusehomedir: false
sievedir: /var/spool/sieve
hashimapspool: true
allowplaintext: yes
allowplainwithouttls:yes
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sasldb
sasl_mech_list: PLAIN
sasl_minimum_layer: 0
sasl_auto_transition: no
lmtpsocket: /var/run/cyrus/socket/lmtp
idlemethod: poll
idlesocket: /var/run/cyrus/socket/idle
notifysocket: /var/run/cyrus/socket/notify
syslog_prefix: cyrusback
proxyservers: proxy_murder
mupdate_server: mupdate.rescom.mi
mupdate_port: 3905
mupdate_username: murder
mupdate_authname: murder
mupdate_password: password
tls_cert_file: /etc/3mi/pki/server.cert
tls_key_file: /etc/3mi/pki/server.key
tls_ca_file: /etc/3mi/pki/rootca.pem
imap_tls_cert_file: /etc/3mi/pki/server.cert
imap_tls_key_file: /etc/3mi/pki/server.key
imap_tls_ca_file: /etc/3mi/pki/rootca.pem
/END BACKEND -

MUPDATE (mupdate)--
configdirectory: /var/lib/mupdate
defaultpartition: default
partition-default: /tmp
altnamespace: no
lmtp_downcase_rcpt: yes
unixhierarchysep: no
admins: cyrus murder
mupdate_admins: murder
umask: 077
allowplaintext: yes
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sasldb
sasl_mech_list: PLAIN LOGIN
syslog_prefix: mupdate
/END MUPDATE

Thanks for your help.

--
Arnaud Brugnon
Opensquad
Can list mailboxes through imapd. lmtpd cannot
Hello,

I am running cyrus imap 2.2 (Debian etch package) and have been trying to configure it to accept connections through lmtpd tcp/ip.

I can connect through imapd using telnet, or imtest or cyradm using the admin user listed in /etc/imapd.conf. In each case, the admin user is authenticated, and can list the mailboxes.

I can also connect through lmtpd using telnet or lmtest. In each case the admin user is authenticated but cannot list the mailboxes.

I have monitored the connections through strace, ltrace and via the usual /var/log/mail.log and /var/log/auth.log to see if the user was being authenticated properly (it was, via cyrus sasl auxprop and postgres tables for what it's worth).

I can also see that lmtpd is opening mailboxes.db but then shortly afterwards, reports that the mailbox requested does not exist or I do not have permission to view it. They do exist, and the permissions are for anyone to read the mailbox in question. I can list them through imapd/cyradm.

I have changed many settings over several days, and deleted then re-installed cyrus - along with the config files - twice, in an attempt to figure out what is wrong, but I have never been able to list mailboxes through lmtpd.

I know I have made a fundamental error somewhere. Any pointers would be much appreciated. I am happy to supply any logs, config files etc.

Thanks for any pointers.

Steve
Re: Murder / frontend does not connect to backend
On Thu, 5 Apr 2007, [EMAIL PROTECTED] wrote:

> Thanks
>
> Here's the frontend config. FYI, users are authenticated against a LDAP server with saslauthd and cyrus, proxy_murder and murder are defined locally on each machine in a sasldb2 database.
>
> FRONTEND CONFIG (proxy1) ---
> admins: cyrus postfix murder
> lmtp_admins: postman postfix murder
> mupdate_admins: murder
> proxyservers: proxy_murder
> mupdate_server: mupdate.rescom.mi
> mupdate_port: 3905
> mupdate_username: murder
> mupdate_authname: murder
> mupdate_password: password
> mupdate_retry_delay: 10
> infra1_password:password
> imapback_password:password
> proxy_authname:murder
> proxy_password:password
> ---/END FRONTEND ---
>
> BACKEND CONFIG (imapback) -
> servername:imapback.rescom.mi
> admins: cyrus proxy_murder murder
> mupdate_admins: murder proxy_murder
> proxyservers: proxy_murder
> mupdate_server: mupdate.rescom.mi
> mupdate_port: 3905
> mupdate_username: murder
> mupdate_authname: murder
> mupdate_password: password
> /END BACKEND -
>
> MUPDATE (mupdate)--
> admins: cyrus murder
> mupdate_admins: murder
> /END MUPDATE

I chopped out the non-murder config options from above to make it simpler to see.

On your frontend you have proxy_authname:murder (so the frontend will connect to the backend as user murder). On the backend you have proxyservers: proxy_murder (so only user proxy_murder is allowed to proxy for other users).

I'm pretty sure you should set proxyservers: murder on the backend, or change to proxy_authname: proxy_murder on the frontend (sync those two usernames up).

Andy
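The mismatch Andy points out can be checked mechanically before a frontend goes live. The following is an added example, not code from the thread or from the Cyrus project: it compares the frontend's `proxy_authname` with the backend's `proxyservers` and confirms the frontend holds a password for that backend (`proxy_password` or the per-host `<shorthost>_password`). The function names and sample configs are constructed from the options posted above.

```python
# Added example: does the backend accept the user the frontend proxies as?
def parse_imapd_conf(text):
    """Return {option: value} for 'option: value' lines; '#' lines are comments."""
    lines = (l.strip() for l in text.splitlines())
    pairs = (l.split(":", 1) for l in lines if ":" in l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def check_murder_proxy(frontend, backend, backend_host):
    """Return a list of problems with the frontend -> backend proxy login."""
    problems = []
    authname = frontend.get("proxy_authname")
    allowed = backend.get("proxyservers", "").split()
    if not authname:
        problems.append("frontend: proxy_authname is not set")
    elif authname not in allowed:
        suggest = allowed[0] if allowed else "<user>"
        problems.append(
            f"frontend logs in as '{authname}' but backend proxyservers is "
            f"{allowed}: set 'proxyservers: {authname}' on the backend or "
            f"'proxy_authname: {suggest}' on the frontend")
    # The password may be given per backend (<shorthost>_password) or as a
    # default for all backends (proxy_password).
    short = backend_host.split(".")[0]
    if f"{short}_password" not in frontend and "proxy_password" not in frontend:
        problems.append(f"frontend: no {short}_password or proxy_password set")
    return problems

# Constructed samples: the murder-related options from the posted configs.
FRONTEND = """\
proxyservers: proxy_murder
imapback_password:password
proxy_authname:murder
proxy_password:password
"""
BACKEND = """\
servername:imapback.rescom.mi
admins: cyrus proxy_murder murder
proxyservers: proxy_murder
"""
BACKEND_FIXED = BACKEND.replace("proxyservers: proxy_murder", "proxyservers: murder")

if __name__ == "__main__":
    fe = parse_imapd_conf(FRONTEND)
    for label, text in (("as posted", BACKEND), ("after fix", BACKEND_FIXED)):
        be = parse_imapd_conf(text)
        print(label, "->", check_murder_proxy(fe, be, be["servername"]) or "ok")
```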
Re: Is it possible to run a mailserver on a remote pc which doesn't have DNS server on it ?
On Thursday 05 April 2007 03:08, JOYDEEP wrote:

> I also like to know about any free web-based tool which can let me configured the DNS and mail related setting in that remote server.

A DNS service doesn't have to run on the same box as an email server. However, in order for mail to be routed to your server, you must be running a DNS server that hosts your domain information.

Please email in private if you want any more info as this is really off-topic for this list.

wt
--
Warren Turkal
Re: LMTP AUTH with sendmail?
on the sendmail lmtp server in imapd.conf look for

lmtpproxy_authname: user
lmtpproxy_password: pwd
lmtpsocket: /spool/lmtp.socket

and on the imap add proxyusers.

imapserver_password: pwd
proxy_authname: user

All in the manual.

> Hi!
>
> I'm about to set up a Cyrus IMAP server machine and want to have several other machines running sendmail to deliver mail to the IMAP server using LMTP over TCP (btw: all machines are running Linux)
>
> This raises the question of authenticating the mail delivery machines to the IMAP server.
>
> I already have a setup running with pre-authorization (lmtpd option -a) using the following configuration settings:
>
> In /etc/cyrus.conf on the IMAP server machine:
>
> SERVICES {
> [...]
>   lmtp cmd="lmtpd -a" listen="lmtp" prefork=1
> [...]
> }
>
> In /etc/hosts.allow on the IMAP server machine:
>
> [...]
> lmtp: a.b.c.72, a.b.c.80, a.b.c.91
> [...]
>
> In /etc/hosts.deny on the IMAP server machine:
>
> [...]
> lmtp: ALL
> [...]
>
> In /etc/mail/sendmail.mc on the mail delivery machines:
>
> [...]
> define(`confLOCAL_MAILER', `cyrusv2')dnl
> define(`CYRUSV2_MAILER_ARGS', `TCP my.cyrus.server.tld lmtp')dnl
> [...]
>
> In order to improve security I'd rather use real authentication for the LMTP client against the LMTP server, but I have not found a single piece of documentation or example of how to do this with sendmail (I have found examples for postfix or exim, though)
>
> I know how to set up SMTP AUTH with sendmail (both as client and as server), but not LMTP AUTH (as client)
>
> Is real LMTP AUTH with sendmail possible at all? Has anyone already set up such a beast? I'd appreciate any hints or configuration examples!
>
> Thanks!
>
> - andreas
>
> --
> Andreas Haumer         | mailto:[EMAIL PROTECTED]
> *x Software + Systeme  | http://www.xss.co.at/
> Karmarschgasse 51/2/20 | Tel: +43-1-6060114-0
> A-1100 Vienna, Austria | Fax: +43-1-6060114-71
Re: LMTP AUTH with sendmail?
I have a murder with different servers like imap and smtp. Configure cyrus with murder enabled and add the things I wrote before + many other things like authentication and so on... then it works.

> Hi!
>
> Many thanks for your reply!
>
> Casper wrote:
>
>> on the sendmail lmtp server in imapd.conf look for
>> lmtpproxy_authname: user
>> lmtpproxy_password: pwd
>
> I guess these configuration settings are used by the cyrus deliver program, correct?
>
>> lmtpsocket: /spool/lmtp.socket
>
> I want to use LMTP over TCP (sendmail and cyrus imap server run on different machines, connected by TCP/IP network), how does the configuration of a Unix domain socket fit into this scenario?
>
>> and on the imap add proxyusers.
>> imapserver_password: pwd
>> proxy_authname: user
>> All in the manual.
>
> Hm, which cyrus imapd version are you talking about? I'm using 2.2.13 and lmtpproxy_authname, lmtpproxy_password and imapserver_password are neither mentioned in the manual page nor in the HTML docs (or in any of the cyrus-imapd-2.2.13 distribution source files...). Is this a new feature?
>
> - andreas
>
> --
> Andreas Haumer         | mailto:[EMAIL PROTECTED]
> *x Software + Systeme  | http://www.xss.co.at/
> Karmarschgasse 51/2/20 | Tel: +43-1-6060114-0
> A-1100 Vienna, Austria | Fax: +43-1-6060114-71
Re: FastMail.FM patchset - new patches
On Thu, Mar 15, 2007 at 04:12:11PM +1100, Bron Gondwana wrote:

> All the patches mentioned here are available for download at:
>
> http://cyrus.brong.fastmail.fm/
>
> We've been busy working on a bunch of cyrus issues since I last posted. In particular things we have hit cleaning up from the sync_server left files lying around after a bail out that caused random messages to be overwritten a lot later bug.
>
> Ken - some of these are definite candidates for upstream. As much as possible we've made new behaviour optional with the default being the current behaviour.

Thanks for including some of these Ken. I've noticed the commits going in. I've updated the page again, with ACCEPTED UPSTREAM added to the title of each patch as I see it (or something functionally equivalent) go in to CVS.

Admittedly, this is largely for my own use because when 2.3.9 comes out or we decide to move back to following CVS then I'll want to be able to find the patches I don't need to apply any more!

I've also changed the abort on mismatched UUIDs to warn on mismatched UUIDs. It still won't blat the incorrect message on the replica, but at least it won't stop replication happening for everything else while it waits for us to sort it out. Our log monitoring system should still notify us and (hopefully one day) automatically do_the_right_thing[tm].

Bron.