quota check before sieve script?

2008-01-29 Thread Michael Menge
Hi,

I don't know if this is a bug or a feature, but it seems that lmtpd
checks quota before an e-mail is parsed by the sieve script. This causes
over quota bounces for messages that would have been discarded or redirected.

Is there a way to only send the over quota bounces if the message hits
a keep, fileinto or implicit keep action, or to accept the email if it
hits a forward or discard action and to ignore the keep and fileinto
actions in case of over quota?

regards

Michael Menge


M.Menge Tel.: (49) 7071/29-70316
Universitaet Tuebingen  Fax.: (49) 7071/29-5912
Zentrum fuer Datenverarbeitung  mail:  
[EMAIL PROTECTED]
Waechterstrasse 76
72074 Tuebingen


Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Cyrus, Radius, Radiator, Vasco

2008-01-29 Thread Ian G Batten
The Cyrus server I run for my employer is sat on our internal  
network, and remote users access either the IMAP port or the  
associated Squirrelmail instance via our VPN.  They come in via a  
Cisco IPSec VPN server, secured with SecureID.

My private Cyrus server, which sits in borrowed space in someone  
else's datacentre, doesn't have such luxuries.   The IMAP port is  
openly available, and there is a Squirrelmail server that will allow  
anyone to attempt to log in.  All the IMAP clients that access it use  
STARTTLS and/or one of the MD5 authentication styles, the  
Squirrelmail server only operates over https and the passwords are  
generated with /dev/random, so I've not got too much to worry about.   
But the datacentre is a University CS department where I do some  
lecturing, so all sorts of things could happen.

I'm considering using the Radiator product, which directly supports  
Vasco tags and will run on Solaris (my platform of choice), and a  
Vasco evaluation kit to upgrade the security.  This should only  
involve having saslauthd talk to Radius via PAM, but my experience of  
incorporating SecureID into other systems is that there are many  
little places where things go wrong.  Has anyone done anything similar?

ian




dracauth/RPC problem

2008-01-29 Thread Anders Norrbring
I get a lot of these in my cyrus log;

Jan 29 11:53:54 svea pop3[2703]: accepted connection
Jan 29 11:53:54 svea pop3[2703]: login: someone.cust.bredbandsbolaget.se [213.112.58.xxx] mpb0xxx plaintext User logged in
Jan 29 11:53:54 svea pop3[2703]: dracauth: localhost: RPC: Port mapper failure - RPC: Unable to receive
Jan 29 11:53:54 svea pop3[2703]: DRAC notifications disabled

What does it mean, and how do I correct it?

Anders.



Re: quota check before sieve script?

2008-01-29 Thread Michael Menge

Quoting Alain Spineux [EMAIL PROTECTED]:

> On Jan 29, 2008 9:06 AM, Michael Menge
> [EMAIL PROTECTED] wrote:
>
>> Is there a way to only send the over quota bounces if the message hits
>> a keep, fileinto or implicit keep action, or to accept the email if it
>> hits a forward or discard action and to ignore the keep and fileinto
>> actions in case of over quota?
>
> Sieve scripts often need mail header data to make their checks.
> This means the mail was already accepted by LMTP when the sieve script runs.
> This means probably no to your question.

I haven't looked at the LMTP protocol, but I think it is like the SMTP
protocol; if I'm correct we can reject a message in the DATA stage,
after we have received the message. A problem may be with messages to
more than one user.

The sending server doesn't know which user caused the over quota.

On the other hand there is the option lmtp_strict_quota, which means
that lmtpd knows the size, but as far as I know from SMTP the size is
not part of the envelope but the data.

> Anyway your question is not without interest,
> but adding such a feature adds some problems, like what to do at
> each retry of the SMTP? Run the same sieve script again and again
> on the same piece of mail until the quota lets it in?

On, I would only return a 4xx or 5xx error if the message was not discarded
and not forwarded and if the quota was exceeded. This would mean that
discarded and forwarded messages would only be seen once, and messages
that would only be stored in a folder may cause an over quota bounce.

But this may cause local copies of forwarded messages to be
lost, as the message would only be forwarded. The same applies to
discarded messages, but I don't see a reason why anyone would discard
a mail in one rule and save it in another.

The other way would be to remember all actions to be performed on a
message, and if the message will be stored (fileinto, keep) and the
quota is exceeded, then bounce and perform no action. If the message is
not stored, the message does not exceed the quota and the actions can
be performed.




M.Menge Tel.: (49) 7071/29-70316
Universitaet Tuebingen  Fax.: (49) 7071/29-5912
Zentrum fuer Datenverarbeitung  mail:  
[EMAIL PROTECTED]

Waechterstrasse 76
72074 Tuebingen


smime.p7s
Description: S/MIME cryptographic signature


Re: Create in frontend: Unknown/invalid partition

2008-01-29 Thread Alexey Lobanov
BTW.

29.01.2008 16:52, Alexey Lobanov writes:

> A log from frontend:
>
> 120151877915 list  Maillists.%.%
> 1201518779* LIST (\HasNoChildren) . Maillists.DSBL.majordomo
> * LIST (\HasNoChildren) . Maillists.DSBL.removal
> 15 OK Completed (0.000 secs 3 calls)
>
> 120151878917 create Maillists.ttt
> 120151878917 NO Unknown/invalid partition

This IMAP_PARTITION_UNKNOWN (imap/imap_err.et) status seems to be bogus
anyway in a frontend server that has no partitions at all.

I am looking in imap/imapd.c now without understanding. The only
IMAP_PARTITION_UNKNOWN is line 8080, do_xfer_single(). It is not related
to Create, is it?

Alexey


Re: Create in frontend: Unknown/invalid partition

2008-01-29 Thread Alexey Lobanov
Hello Michael.

29.01.2008 16:11, Michael Menge writes:

> Hi,
>
> I think the problem is that folders under user can only be created on
> the backends, as the frontend has no way to know on which backend the new
> folder

No, it is not a problem because it is a properly documented behavior.
New users should be created at their home backends.

BTW, Thunderbird or any other regular IMAP client is just not able to
create new users and INBOXes, and the whole story is about user-level
operations with folders under an existing user INBOX.

A log from frontend:

120151877915 list  Maillists.%.%
1201518779* LIST (\HasNoChildren) . Maillists.DSBL.majordomo
* LIST (\HasNoChildren) . Maillists.DSBL.removal
15 OK Completed (0.000 secs 3 calls)

120151878917 create Maillists.ttt
120151878917 NO Unknown/invalid partition

So, we see that parent box Maillists exists (at a backend, of course)
but new Maillists.ttt should be created at an unknown partition. The
backend server logs nothing for this Create, it does not reach the
backend.

> should be created. Other folders like user.testuser.test or a rename
> will use the parent/old backend and partition.

Yes, it should work, but it does not work for some reason.

http://cyrusimap.web.cmu.edu/ag.html

The following operations occur for CREATE on the front end:

   1. proxyd: verify that mailbox doesn't exist in MUPDATE mailbox list.
   2. proxyd: decide where to send CREATE (the server of the parent
mailbox, as top level mailboxes cannot be created by the proxies).
   3. proxyd - back end: duplicate CREATE command and verifies that the
CREATE does not create an inconsistency in the mailbox list (i.e. the
folder name is still unique).

Alexey


 
 
 
> Quoting Alexey Lobanov [EMAIL PROTECTED]:
>
>> Hello all.
>>
>> I am building a Cyrus IMAP cluster for corporate use and the only
>> problem now is the Create command.
>>
>> In accordance with the manuals, a frontend should redirect Create to
>> the appropriate backend, and after that the backend propagates the changed
>> list through mupdate.
>>
>> In my system any Create at any frontend is cancelled instantly with
>> NO Unknown/invalid partition.
>>
>> Rename works fine both at frontends and at backends, and changes are
>> propagated properly in the whole cluster. All regular mail access operations
>> work fine.
>>
>> The server roles are: one is master+frontend, two are pure backends
>> (just old production servers), one is frontend+backend. The mentioned
>> behavior is seen in both frontends.
>>
>> Cyrus version is 2.3.9, imapd-disable-referrals patch does not affect
>> anything. The clients are Cyradm and Thunderbird.
>>
>> Any ideas for tests are highly appreciated. Both frontend Cyrus
>> instances are not in production use and can be tweaked freely.
>>
>> Alexey



Re: dracauth/RPC problem

2008-01-29 Thread Anders Norrbring
Gary Mills skrev:
> On Tue, Jan 29, 2008 at 12:01:47PM +0100, Anders Norrbring wrote:
>> I get a lot of these in my cyrus log;
>>
>> Jan 29 11:53:54 svea pop3[2703]: accepted connection
>> Jan 29 11:53:54 svea pop3[2703]: login: someone.cust.bredbandsbolaget.se [213.112.58.xxx] mpb0xxx plaintext User logged in
>> Jan 29 11:53:54 svea pop3[2703]: dracauth: localhost: RPC: Port mapper failure - RPC: Unable to receive
>> Jan 29 11:53:54 svea pop3[2703]: DRAC notifications disabled
>>
>> What does it mean, and how do I correct it?
>
> Is rpcbind/portmap running?  Is rpc.dracd running?  Try `rpcinfo -p'.
> It should show program number 900101 for the DRAC daemon.

Thanks Gary,
that was exactly the issue, the drac daemon was faulty somehow and died 
~10 seconds after it started.
Reinstallation of it solved the problem...

Anders.




Re: dracauth/RPC problem

2008-01-29 Thread Gary Mills
On Tue, Jan 29, 2008 at 12:01:47PM +0100, Anders Norrbring wrote:
> I get a lot of these in my cyrus log;
>
> Jan 29 11:53:54 svea pop3[2703]: accepted connection
> Jan 29 11:53:54 svea pop3[2703]: login: someone.cust.bredbandsbolaget.se [213.112.58.xxx] mpb0xxx plaintext User logged in
> Jan 29 11:53:54 svea pop3[2703]: dracauth: localhost: RPC: Port mapper failure - RPC: Unable to receive
> Jan 29 11:53:54 svea pop3[2703]: DRAC notifications disabled
>
> What does it mean, and how do I correct it?

Is rpcbind/portmap running?  Is rpc.dracd running?  Try `rpcinfo -p'.
It should show program number 900101 for the DRAC daemon.

-- 
-Gary Mills--Unix Support--U of M Academic Computing and Networking-

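The check Gary describes, turned into a small script that is an added example for this thread and not part of Cyrus or DRAC: it picks the dracauth RPC failures out of the Cyrus log lines and checks `rpcinfo -p` output for program 900101 (rpc.dracd) and for the portmapper itself (program 100000). The log lines and the two rpcinfo outputs below are constructed; the addresses and ports in them are placeholders, and the verdict strings are this example's own wording.

```python
"""Added example, not Cyrus or DRAC code: a health check for the dracauth
failure discussed in the thread. Log and rpcinfo samples are constructed."""
import re
import subprocess

DRAC_PROGRAM = 900101      # program number Gary Mills names for rpc.dracd
PORTMAP_PROGRAM = 100000   # rpcbind/portmap registers itself under this number

# Matches the error Cyrus pop3d/imapd log when the dracauth RPC call fails.
DRACAUTH_FAIL = re.compile(
    r"\b(?P<service>pop3|imap)\[\d+\]: dracauth: (?P<host>\S+): RPC: (?P<reason>.+)$")


def drac_failures(log_lines):
    """Return one (service, host, reason) tuple per dracauth RPC failure."""
    hits = []
    for line in log_lines:
        m = DRACAUTH_FAIL.search(line)
        if m:
            hits.append((m["service"], m["host"], m["reason"].strip()))
    return hits


def rpc_programs(rpcinfo_output):
    """Parse `rpcinfo -p` output into {(program, proto, port)}; the header
    line and anything that does not start with a program number is skipped."""
    progs = set()
    for line in rpcinfo_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].isdigit() and parts[3].isdigit():
            progs.add((int(parts[0]), parts[2], int(parts[3])))
    return progs


def diagnose(log_lines, rpcinfo_output):
    """Answer Gary's two questions: is the portmapper answering, and is
    rpc.dracd registered with it?"""
    if not drac_failures(log_lines):
        return "ok: no dracauth failures logged"
    progs = {p for p, _, _ in rpc_programs(rpcinfo_output)}
    if PORTMAP_PROGRAM not in progs:
        return "portmap/rpcbind is not answering"
    if DRAC_PROGRAM not in progs:
        return "rpc.dracd is not registered with the portmapper"
    return "rpc.dracd is registered; check the drac daemon itself"


def live_rpcinfo():
    """Run the real `rpcinfo -p`; None if rpcinfo is missing or the
    portmapper cannot be reached (rpcinfo then exits non-zero)."""
    try:
        return subprocess.run(["rpcinfo", "-p"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None


# Constructed sample data (client address, ports and hostnames are placeholders).
SAMPLE_LOG = [
    "Jan 29 11:53:54 svea pop3[2703]: accepted connection",
    "Jan 29 11:53:54 svea pop3[2703]: login: client.example [192.0.2.10] mpb0xxx plaintext User logged in",
    "Jan 29 11:53:54 svea pop3[2703]: dracauth: localhost: RPC: Port mapper failure - RPC: Unable to receive",
    "Jan 29 11:53:54 svea pop3[2703]: DRAC notifications disabled",
]
RPCINFO_NO_DRAC = """   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
"""
RPCINFO_WITH_DRAC = RPCINFO_NO_DRAC + "    900101    1   udp   1023\n"

if __name__ == "__main__":
    print("sample:", diagnose(SAMPLE_LOG, RPCINFO_NO_DRAC))
    out = live_rpcinfo()
    if out is not None:
        print("this host:", diagnose(SAMPLE_LOG, out))
```

Run against the constructed sample it reports that rpc.dracd is missing from the portmapper table, which matches what Anders found (the daemon had died shortly after starting); the live branch only runs if `rpcinfo` is installed and the portmapper answers.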


Re: quota check before sieve script?

2008-01-29 Thread Alain Spineux
On Jan 29, 2008 9:06 AM, Michael Menge
[EMAIL PROTECTED] wrote:
> Hi,
>
> I don't know if this is a bug or a feature, but it seems that lmtpd
> checks quota before an e-mail is parsed by the sieve script. This causes
> over quota bounces for messages that would have been discarded or redirected.
>
> Is there a way to only send the over quota bounces if the message hits
> a keep, fileinto or implicit keep action, or to accept the email if it
> hits a forward or discard action and to ignore the keep and fileinto
> actions in case of over quota?

Sieve scripts often need mail header data to make their checks.
This means the mail was already accepted by LMTP when the sieve script runs.
This means probably no to your question.

Anyway your question is not without interest,
but adding such a feature adds some problems, like what to do at
each retry of the SMTP? Run the same sieve script again and again on the same
piece of mail until the quota lets it in?

Regards.


> regards
>
> Michael Menge

 




-- 
Alain Spineux
aspineux gmail com
May the sources be with you



Re: quota check before sieve script?

2008-01-29 Thread Ken Murchison
Michael Menge wrote:
> Hi,
>
> I don't know if this is a bug or a feature, but it seems that lmtpd
> checks quota before an e-mail is parsed by the sieve script. This causes
> over quota bounces for messages that would have been discarded or redirected.
>
> Is there a way to only send the over quota bounces if the message hits
> a keep, fileinto or implicit keep action, or to accept the email if it
> hits a forward or discard action and to ignore the keep and fileinto
> actions in case of over quota?

I understand your concern, but the problem is that by definition, if a 
Sieve script fails, the message MUST be delivered to the intended 
mailbox.  However, if the mailbox is over quota, we can't do this.  The 
simplest way to handle the situation is to do the quota check before 
processing the script, regardless of the final disposition.

If you want to look at the code and find a better way, I'll be happy to 
look at a patch.


-- 
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University



Create in frontend: Unknown/invalid partition

2008-01-29 Thread Alexey Lobanov
Hello all.

I am building a Cyrus IMAP cluster for corporate use and the only
problem now is the Create command.

In accordance with the manuals, a frontend should redirect Create to
the appropriate backend, and after that the backend propagates the changed
list through mupdate.

In my system any Create at any frontend is cancelled instantly with
NO Unknown/invalid partition.

Rename works fine both at frontends and at backends, and changes are
propagated properly in the whole cluster. All regular mail access operations
work fine.

The server roles are: one is master+frontend, two are pure backends
(just old production servers), one is frontend+backend. The mentioned
behavior is seen in both frontends.

Cyrus version is 2.3.9, imapd-disable-referrals patch does not affect
anything. The clients are Cyradm and Thunderbird.

Any ideas for tests are highly appreciated. Both frontend Cyrus
instances are not in production use and can be tweaked freely.

Alexey



Re: Create in frontend: Unknown/invalid partition

2008-01-29 Thread Michael Menge

Hi,

I think the problem is that folders under user can only be created on
the backends, as the frontend has no way to know on which backend the
new folder should be created. Other folders like user.testuser.test or
a rename will use the parent/old backend and partition.




Quoting Alexey Lobanov [EMAIL PROTECTED]:


> Hello all.
>
> I am building a Cyrus IMAP cluster for corporate use and the only
> problem now is the Create command.
>
> In accordance with the manuals, a frontend should redirect Create to
> the appropriate backend, and after that the backend propagates the changed
> list through mupdate.
>
> In my system any Create at any frontend is cancelled instantly with
> NO Unknown/invalid partition.
>
> Rename works fine both at frontends and at backends, and changes are
> propagated properly in the whole cluster. All regular mail access operations
> work fine.
>
> The server roles are: one is master+frontend, two are pure backends
> (just old production servers), one is frontend+backend. The mentioned
> behavior is seen in both frontends.
>
> Cyrus version is 2.3.9, imapd-disable-referrals patch does not affect
> anything. The clients are Cyradm and Thunderbird.
>
> Any ideas for tests are highly appreciated. Both frontend Cyrus
> instances are not in production use and can be tweaked freely.
>
> Alexey







M.Menge Tel.: (49) 7071/29-70316
Universitaet Tuebingen  Fax.: (49) 7071/29-5912
Zentrum fuer Datenverarbeitung  mail:  
[EMAIL PROTECTED]

Waechterstrasse 76
72074 Tuebingen


smime.p7s
Description: S/MIME cryptographic signature


Re: quota check before sieve script?

2008-01-29 Thread Alain Spineux
On Jan 29, 2008 3:16 PM, Michael Menge
[EMAIL PROTECTED] wrote:
> Quoting Alain Spineux [EMAIL PROTECTED]:
>
>> On Jan 29, 2008 9:06 AM, Michael Menge
>> [EMAIL PROTECTED] wrote:
>>
>>> Is there a way to only send the over quota bounces if the message hits
>>> a keep, fileinto or implicit keep action, or to accept the email if it
>>> hits a forward or discard action and to ignore the keep and fileinto
>>> actions in case of over quota?
>>
>> Sieve scripts often need mail header data to make their checks.
>> This means the mail was already accepted by LMTP when the sieve script runs.
>> This means probably no to your question.
>
> I haven't looked at the LMTP protocol, but I think it is like the SMTP
> protocol; if I'm correct we can reject a message in the DATA stage,
> after we have received the message. A problem may be with messages to
> more than one user.
> The sending server doesn't know which user caused the over quota.

No, because lmtpd returns an accept or reject address by address,
something like
250 [EMAIL PROTECTED]
250 [EMAIL PROTECTED]
...


> On the other hand there is the option lmtp_strict_quota, which means
> that lmtpd knows the size, but as far as I know from SMTP the size is
> not part of the envelope but the data.
>
>> Anyway your question is not without interest,
>> but adding such a feature adds some problems, like what to do at
>> each retry of the SMTP? Run the same sieve script again and again
>> on the same piece of mail until the quota lets it in?
>
> On, I would only return a 4xx or 5xx error if the message was not discarded
> and not forwarded and if the quota was exceeded. This would mean that
> discarded and forwarded messages would only be seen once, and messages
> that would only be stored in a folder may cause an over quota bounce.
>
> But this may cause local copies of forwarded messages to be
> lost, as the message would only be forwarded. The same applies to
> discarded messages, but I don't see a reason why anyone would discard
> a mail in one rule and save it in another.

You must extend sieve with LMTP return codes. This is for the script writer
to choose what to do when this happens, and which code to return to LMTP.


> The other way would be to remember all actions to be performed on a
> message, and if the message will be stored (fileinto, keep) and the
> quota is exceeded, then bounce and perform no action. If the message is
> not stored, the message does not exceed the quota and the actions can
> be performed.

If you have forwarded the mail but were not able to deliver it, you
must remember for the next LMTP retry to not forward it again!




 




-- 
Alain Spineux
aspineux gmail com
May the sources be with you

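The two delivery schemes argued over in this thread, as an added model written for this page (it is not Cyrus lmtpd code): deliver_quota_first() is the behaviour Ken Murchison describes, where the quota check happens before the script runs regardless of disposition; deliver_actions_first() is Michael Menge's proposal to collect the Sieve actions first and bounce only when one of them would store the message, combined with Alain Spineux's caveat that a retried delivery must not redirect the same message a second time. The rule syntax, the mailbox sizes, the message ids and the 452 reply code are constructed for this example.

```python
"""Added example, not Cyrus code: compare 'check quota first' with
'collect Sieve actions first' on constructed traffic."""
from dataclasses import dataclass, field

STORE_ACTIONS = {"keep", "fileinto"}   # these consume quota; redirect/discard do not


@dataclass
class Mailbox:
    quota_bytes: int
    used_bytes: int = 0
    # message ids already redirected from this mailbox; kept across LMTP
    # retries so the same message is not forwarded again (Alain's point)
    forwarded: set = field(default_factory=set)


def run_sieve(rules, headers):
    """Minimal stand-in for a Sieve script: rules are
    (header, substring, action, argument); the first match wins and no
    match at all means the implicit keep."""
    for header, needle, action, arg in rules:
        if needle.lower() in headers.get(header, "").lower():
            return [(action, arg)]
    return [("keep", None)]


def apply_actions(box, msg_id, size, actions):
    """Perform the collected actions; returns the list actually carried out."""
    performed = []
    for action, arg in actions:
        if action in STORE_ACTIONS:
            box.used_bytes += size
            performed.append((action, arg or "INBOX"))
        elif action == "redirect":
            if msg_id in box.forwarded:
                continue                 # already sent on an earlier attempt
            box.forwarded.add(msg_id)
            performed.append((action, arg))
        elif action == "discard":
            performed.append((action, None))
    return performed


def deliver_quota_first(box, msg_id, size, rules, headers):
    """Current lmtpd behaviour per the thread: over quota is a temporary
    failure (452 here) before the script ever sees the message."""
    if box.used_bytes + size > box.quota_bytes:
        return 452, []
    return 250, apply_actions(box, msg_id, size, run_sieve(rules, headers))


def deliver_actions_first(box, msg_id, size, rules, headers):
    """Proposal: run the script, bounce only when a storing action would
    push the mailbox over quota. Nothing is performed in that case, so the
    sender's retry sees exactly the same decision."""
    actions = run_sieve(rules, headers)
    would_store = any(a in STORE_ACTIONS for a, _ in actions)
    if would_store and box.used_bytes + size > box.quota_bytes:
        return 452, []
    return 250, apply_actions(box, msg_id, size, actions)


# Constructed sample script and traffic against a mailbox with 1 KB free.
RULES = [
    ("subject", "newsletter", "discard", None),
    ("subject", "urgent", "redirect", "fred@phone.example"),
    ("subject", "[list]", "fileinto", "INBOX.lists"),
]
TRAFFIC = [
    ("m1", 2_000, {"subject": "Weekly newsletter"}),
    ("m2", 2_000, {"subject": "URGENT: server down"}),
    ("m3", 2_000, {"subject": "[list] patch review"}),
    ("m2", 2_000, {"subject": "URGENT: server down"}),   # the MTA retries m2
]


def compare():
    """Replay TRAFFIC through both schemes; returns the per-message results."""
    quota_first = Mailbox(quota_bytes=10_000, used_bytes=9_000)
    actions_first = Mailbox(quota_bytes=10_000, used_bytes=9_000)
    return {
        "quota_first": [deliver_quota_first(quota_first, m, s, RULES, h)
                        for m, s, h in TRAFFIC],
        "actions_first": [deliver_actions_first(actions_first, m, s, RULES, h)
                          for m, s, h in TRAFFIC],
    }


if __name__ == "__main__":
    for scheme, results in compare().items():
        print(scheme)
        for (msg_id, _, hdrs), (code, done) in zip(TRAFFIC, results):
            print("  %s %-22s -> %d %s" % (msg_id, hdrs["subject"], code, done))
```

With the quota-first scheme every message in the sample, including the ones the script would have discarded or redirected, is refused with 452, which is exactly the bounce Michael complains about. With the actions-first scheme only the fileinto message is refused, and the retry of the redirected message is accepted without forwarding it a second time because the mailbox remembers what it already sent; note that this memory has to survive across LMTP sessions, which is the state Cyrus would have to keep for the proposal to be safe.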


migrating to virtual domain support

2008-01-29 Thread Stefan Palme
Hi,

I am running a cyrus imap server 2.2.x without virtual domain support.
Usernames are simple (fred, bob, ...) and authenticated using SASL
- saslauthd - PAM - /etc/passwd. Mailboxes are in unix hierarchy
style (user/fred, user/bob/spam).

Because the number of users is rising, collisions become more and more
probable. For example, the mail server (postfix) receives mail for
[EMAIL PROTECTED] and [EMAIL PROTECTED] (where the two fred's are not
the same person!). Currently there exist user fred (for domain1.com)
and user fred2 (for domain2.net) in /etc/passwd - but this becomes
more and more ugly.
So I wanted to migrate to virtual domain support, so that there are now
two separate users [EMAIL PROTECTED] and [EMAIL PROTECTED]

I know how to create those virtual mailboxes and how to configure the
cyrus imap server. But how do I realize authentication? In the current
configuration using /etc/passwd such usernames ([EMAIL PROTECTED])
are not possible. My preferred solution would be an LDAP server
with a user hierarchy like cn=fred,ou=domain1.com and
cn=fred,ou=domain2.net etc.

But how do I configure cyrus imapd and/or SASL correctly to achieve
this? The virtual domain part of a userid ([EMAIL PROTECTED]) must
somehow be used as a search filter for the LDAP query that represents
the correct user...

Or maybe this approach is totally gaga, and there are solutions
much better than that?

TIA
Regards
-stefan-



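The lookup Stefan describes, as an added example written for this page (not Cyrus or SASL code): the domain part of a user@domain userid selects the ou=<domain> subtree of the directory and the local part goes into the search filter, with both escaped so that a userid typed at the IMAP login prompt cannot change the shape of the filter or the DN. The suffix dc=example,dc=org, the set of accepted domains and the default domain for bare usernames are assumptions of this example; the ou=<domain> layout is the one proposed in the post.

```python
"""Added example, not Cyrus or SASL code: map a virtual-domain userid to an
LDAP search base and filter, with RFC 4514/4515 escaping."""

BASE_DN = "dc=example,dc=org"                   # assumed directory suffix
KNOWN_DOMAINS = {"domain1.com", "domain2.net"}  # the two domains in the post
DEFAULT_DOMAIN = "domain1.com"                  # assumed home of bare 'fred'


def escape_filter_value(value):
    """RFC 4515 escaping so a userid cannot alter the filter structure."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value placed inside a DN."""
    escaped = "".join("\\" + ch if ch in ',+"\\<>;=' else ch for ch in value)
    if escaped.startswith(("#", " ")):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def split_userid(userid):
    """'fred@domain1.com' -> ('fred', 'domain1.com'); a bare 'fred' gets
    DEFAULT_DOMAIN. Empty parts and a second '@' are rejected."""
    local, sep, domain = userid.partition("@")
    domain = domain.lower() if sep else DEFAULT_DOMAIN
    if not local or not domain or "@" in domain:
        raise ValueError("malformed userid: %r" % userid)
    return local, domain


def user_search(userid):
    """Return (search_base, filter) for one virtual-domain user: the domain
    picks the ou= subtree, the local part is matched against cn."""
    local, domain = split_userid(userid)
    if domain not in KNOWN_DOMAINS:
        raise ValueError("unknown virtual domain: %s" % domain)
    base = "ou=%s,%s" % (escape_dn_value(domain), BASE_DN)
    flt = "(&(objectClass=person)(cn=%s))" % escape_filter_value(local)
    return base, flt


if __name__ == "__main__":
    for uid in ("fred@domain1.com", "fred@domain2.net", "bob", "*)(cn=admin"):
        print("%-18s -> %s" % (uid, user_search(uid)))
```

The last sample userid shows why the escaping matters: without it the local part would close the cn clause and append its own, so the filter would no longer be the one the administrator wrote. As far as I recall, saslauthd's own LDAP backend performs the same split for you, with %U and %d tokens available in ldap_search_base and ldap_filter, so this logic can live in the SASL configuration rather than in custom code.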


Re: Cyrus, Radius, Radiator, Vasco

2008-01-29 Thread Paul Dekkers
Hi,

Ian G Batten wrote:

> The Cyrus server I run for my employer is sat on our internal
> network, and remote users access either the IMAP port or the
> associated Squirrelmail instance via our VPN.  They come in via a
> Cisco IPSec VPN server, secured with SecureID.
>
> My private Cyrus server, which sits in borrowed space in someone
> else's datacentre, doesn't have such luxuries.   The IMAP port is
> openly available, and there is a Squirrelmail server that will allow
> anyone to attempt to log in.  All the IMAP clients that access it use
> STARTTLS and/or one of the MD5 authentication styles, the
> Squirrelmail server only operates over https and the passwords are
> generated with /dev/random, so I've not got too much to worry about.
> But the datacentre is a University CS department where I do some
> lecturing, so all sorts of things could happen.
>
> I'm considering using the Radiator product, which directly supports
> Vasco tags and will run on Solaris (my platform of choice), and a
> Vasco evaluation kit to upgrade the security.  This should only
> involve having saslauthd talk to Radius via PAM, but my experience of
> incorporating SecureID into other systems is that there are many
> little places where things go wrong.  Has anyone done anything similar?

We have our Cyrus authenticate to saslauthd via pam_radius to a Radiator
server, so that works. We're also using Radiator with Vasco tokens (on
Linux), and that works too. But I don't think it will be very easy to
combine the two: the Vasco tokens provide you with one-time passwords,
and for IMAP access, you'll have more than just one connection. My
Thunderbird client already makes a new connection for each folder I
open; squirrelmail isn't much better. (Only thing is that you could
cache the one time password in Radiator, but you'll end up having
different problems if you open more than one client.)

We use these Vasco tokens actually for administrators, authenticating
for SSH and so forth. The other use case is our single-signon
environment. There you might have more luck, as you login just once, and
get some kind of cookie and session variables as proof that you logged
in. As soon as you can use that within squirrelmail - that would be
fine. We didn't do that yet; although I do think it should be possible:
check whether the user is logged in, and use the cyrus admin user to
authorize as the real user. I never had the time to play with that.

The non-admin users also have the option of authenticating to the SSO
system using PKI certificates; and actually that is also my last
suggestion: we don't just use that for our web environment, but also for
e-mail! There is actually an SSL proxy based on stunnel in front of our
Cyrus setup that enforces the client certificates on imaps. Cyrus could
do this as well, with tls_require_cert set to 1, but we have stunnel as
some extra paranoia I guess (and/or historic).

Perhaps certificates can be of use? (You could easily create them with
TinyCA or something.) Only issue we have is with nomadic use: if you
end up at an internet cafe, it's still better to use a one-time-password
token than install your certificate locally. (And that is why we also
have that as an option for the SSO system - but then I still have to
login using username/password afterwards in our case - not very SSO.)
But people rarely use webmail here, and TB works just fine with
client-certificates. (Otherwise you could use stunnel on the client side...)

Regards,
Paul

P.S. If you want to have more similarities with your employers setup:
you could also run a VPN (for instance OpenVPN) with token based
authentication. Something else I still want to try, although we're doing
this with our certificates too - I'm quite sure it is possible to hook
it up to pam for instance.

