Re:

2009-04-23 Thread Kővári János




Kővári János wrote:

  
> I have a postfix relay server and a (local) cyrus imap server on the 
> same machine. Everything was fine until I thought, I change the imap 
> authentication from sasldb to saslauth, to have global authentication 
> on postfix and cyrus.
> Postfix uses saslauthd, which is configured for PAM. It works 
> perfectly, with plain/login/cram/digest mechanisms, with or without 
> tls/ssl, absolutely no problems with it. Saslauth tests are all fine 
> obviously.
> So I decided to use this with cyrus imap too. Set it to use the same 
> saslauth daemon, and plain, login, cram-md5 and digest-md5 mechs.
> Since then, I can not login with plain or login mechs, because they 
> aren't being offered at all by cyrus imapd. I can login with cram or 
> digest fine.
> I understand that plain login isn't offered by default, only after a 
> successful tls session setup, but if I understand correctly, the 
> "allowplaintext: yes" option should still force imapd to offer plain 
> logins. But it doesn't. I tried it with different sasl_min|max_levels, 
> to no avail.
> This is the first thing I don't understand.
> The second is: after establishing a tls or ssl connection, plain and 
> login are offered, but I can not login with these mechs.
> (I'm using imtest to test it all.)
> However, with "testsaslauth", I am able to authenticate fine.
>
> I'm quite new to cyrus and linux systems, but I read all kinds of 
> manuals and FAQs and documentation, and googled a lot, but I was unable 
> to find the culprit. So you are my last hope.
> If nothing else works, I leave it as is, with digest and cram it works 
> and it's more secure. Or I go back to sasldb, which is less 
> comfortable for me...

Please include the following information, so we can get a better idea of 
your setup:

Postfix and Cyrus IMAP version
Postfix SASL config:
  grep sasl main.cf
  cat /etc/postfix/sasl/smtpd.conf (or wherever smtpd.conf is located on 
your system)

Your cyrus imap.conf config

saslauthd does not support cram-md5 or digest-md5, so you may be (also) 
using the sasldb auxprop in Postfix.

- Dan
  

Hello Dan,

Postfix version: 2.5.4
Cyrus IMAP version: 2.2.13

cat /etc/postfix/main.cf | grep sasl
smtpd_client_restrictions = permit_sasl_authenticated, reject
smtpd_recipient_restrictions = permit_sasl_authenticated,
reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/relaypw
broken_sasl_auth_clients = yes

cat /etc/postfix/sasl/smtpd.conf
saslauthd_version: 2
pwcheck_method: saslauthd
mech_list: plain login cram-md5 digest-md5

cat /etc/imapd.conf
configdirectory: /var/lib/cyrus
imap_admins: cyrus jani
hashimapspool: 1
idlemethod: poll
popminpoll: 1
allowplaintext: yes
allowanonymouslogin: no
saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
sasl_auto_transition: no
tls_cert_file: /etc/ssl/certs/some_server.pem
tls_key_file: /etc/ssl/private/some_server.key
tls_ca_path: /etc/ssl/certs/demoCA
tls_session_timeout: 1440
tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
sievedir: /var/spool/sieve
sieveusehomedir: false
lmtpsocket: /var/run/cyrus/socket/lmtp
lmtp_downcase_rcpt: yes
notifysocket: /var/run/cyrus/socket/notify
partition-default: /var/spool/cyrus/mail
autocreatequota: 100
newsspool: /var/spool/news
partition-something: /media/data/cyrus
admins: cyrus jani
idlesocket: /var/run/cyrus/socket/idle
autocreatequota_units: 1048576
syslog_prefix: cyrus
unixhierarchysep: 1
umask: 077

cat /etc/default/saslauthd
START=yes
PWDIR="/var/spool/postfix/var/run/saslauthd"
PARAMS="-m ${PWDIR}"
PIDFILE="${PWDIR}/saslauthd.pid" 
MECHANISMS="pam"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
#(I think the options line is wrong, the -m part is unneeded, but it
was like that, and it works...)

ps -ef | grep saslauthd
root  5142 1  0 07:50 ?    00:00:00 /usr/sbin/saslauthd -a
pam -c -m /var/spool/postfix/var/run/saslauthd -n 5
root  5144  5142  0 07:50 ?    00:00:00 /usr/sbin/saslauthd -a
pam -c -m /var/spool/postfix/var/run/saslauthd -n 5
root  5146  5142  0 07:50 ?    00:00:00 /usr/sbin/saslauthd -a
pam -c -m /var/spool/postfix/var/run/saslauthd -n 5
root  5147  5142  0 07:50 ?    00:00:00 /usr/sbin/saslauthd -a
pam -c -m /var/spool/postfix/var/run/saslauthd -n 5
root  5148  5142  0 07:50 ?    00:00:00 /usr/sbin/saslauthd -a
pam -c -m /var/spool/postfix/var/run/saslauthd -n 5

What do I do wrong?

Regards,
Janos



Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
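
An added example, not part of the thread: a small linter for the point Dan White raises, that saslauthd cannot verify CRAM-MD5 or DIGEST-MD5, run over the SASL lines of the imapd.conf posted above. The function names and the wording of the findings are this example's own; it only reads the `pwcheck_method`, `mech_list` and `allowplaintext` options.

```python
"""Added example: flag SASL mechanisms that saslauthd cannot verify."""

# The client sends the password itself, so saslauthd (here: PAM) can check it.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
# Shared-secret mechanisms: the server must read the stored secret from an
# auxprop plugin (for example sasldb); saslauthd is never consulted.
SHARED_SECRET_MECHS = {"CRAM-MD5", "DIGEST-MD5"}

# SASL-related lines taken from the /etc/imapd.conf posted in this thread.
IMAPD_CONF = """\
allowplaintext: yes
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
sasl_auto_transition: no
"""


def parse_conf(text):
    """Parse 'key: value' lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)  # values may contain ':' themselves
        conf[key.strip().lower()] = value.strip()
    return conf


def lint(conf, prefix="sasl_"):
    """Return findings; prefix is "sasl_" for imapd.conf, "" for smtpd.conf."""
    findings = []
    methods = conf.get(prefix + "pwcheck_method", "").lower().split()
    mechs = [m.upper() for m in conf.get(prefix + "mech_list", "").split()]
    if "saslauthd" in methods:
        for mech in mechs:
            if mech in SHARED_SECRET_MECHS:
                findings.append(
                    f"{mech}: saslauthd cannot verify this mechanism; a login "
                    "that succeeds is answered from an auxprop store (sasldb)")
    exposed = [m for m in mechs if m in PLAINTEXT_MECHS]
    if exposed and conf.get("allowplaintext", "").lower() in ("yes", "1", "true", "on"):
        findings.append(
            "allowplaintext is enabled: " + " ".join(exposed) +
            " are not restricted to TLS sessions and send the password itself")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_conf(IMAPD_CONF)):
        print("imapd.conf:", finding)
```

For the Postfix side, pass the contents of smtpd.conf with `prefix=""`, since the option names there carry no `sasl_` prefix.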

Re: Multiple IMAP connections from new IMAP clients

2009-04-23 Thread Gary Mills
On Thu, Apr 23, 2009 at 02:23:10PM -0500, Nic Bernstein wrote:
> On 04/23/2009 01:57 PM, Gary Mills wrote:
> >We've had a problem recently with the number of imapd processes on our
> >Cyrus front-end increasing steadily until it filled the process table.
> >It seems that some recent IMAP clients will normally open a number of
> >IMAP connections to their server, and will open more based on user
> >activity.  Each of these causes a new imapd process to be spawned on
> >the front-end.  As far as I know, the server treats each connection
> >independently, even though the client may consider one to be permanent
> >and the others to be transient.
> >
> >What are people doing to protect their Cyrus servers from this
> >increasing number of connections, each of which consumes resources on
> >the server?  This problem is going to get worse as more sophisticated
> >clients become popular.  Is many small front-ends the solution?
> >  
> We've been using imapproxyd to help solve just this kind of problem.  
> Haven't used it with a murder, but expect it could still be useful.

Does it actually combine separate connections from a single client
into one connection to the server?  I don't know how it could do that
without violating the protocol.

-- 
-Gary Mills--Unix Support--U of M Academic Computing and Networking-



Re: Multiple IMAP connections from new IMAP clients

2009-04-23 Thread Nic Bernstein
On 04/23/2009 01:57 PM, Gary Mills wrote:
> We've had a problem recently with the number of imapd processes on our
> Cyrus front-end increasing steadily until it filled the process table.
> It seems that some recent IMAP clients will normally open a number of
> IMAP connections to their server, and will open more based on user
> activity.  Each of these causes a new imapd process to be spawned on
> the front-end.  As far as I know, the server treats each connection
> independently, even though the client may consider one to be permanent
> and the others to be transient.
>
> What are people doing to protect their Cyrus servers from this
> increasing number of connections, each of which consumes resources on
> the server?  This problem is going to get worse as more sophisticated
> clients become popular.  Is many small front-ends the solution?
>
>   
We've been using imapproxyd to help solve just this kind of problem.  
Haven't used it with a murder, but expect it could still be useful.

Cheers,
-nic

-- 
Nic Bernstein n...@onlight.com
Onlight llc.  www.onlight.com
2266 North Prospect Avenue #610   v. 414.272.4477
Milwaukee, Wisconsin  53202-6306  f. 414.290.0335




Re: Cyrus Imap plaintext authentication with saslauth & PAM

2009-04-23 Thread Dan White
Kővári János wrote:
> I have a postfix relay server and a (local) cyrus imap server on the 
> same machine. Everything was fine until I thought, I change the imap 
> authentication from sasldb to saslauth, to have global authentication 
> on postfix and cyrus.
> Postfix uses saslauthd, which is configured for PAM. It works 
> perfectly, with plain/login/cram/digest mechanisms, with or without 
> tls/ssl, absolutely no problems with it. Saslauth tests are all fine 
> obviously.
> So I decided to use this with cyrus imap too. Set it to use the same 
> saslauth daemon, and plain, login, cram-md5 and digest-md5 mechs.
> Since then, I can not login with plain or login mechs, because they 
> aren't being offered at all by cyrus imapd. I can login with cram or 
> digest fine.
> I understand that plain login isn't offered by default, only after a 
> successful tls session setup, but if I understand correctly, the 
> "allowplaintext: yes" option should still force imapd to offer plain 
> logins. But it doesn't. I tried it with different sasl_min|max_levels, 
> to no avail.
> This is the first thing I don't understand.
> The second is: after establishing a tls or ssl connection, plain and 
> login are offered, but I can not login with these mechs.
> (I'm using imtest to test it all.)
> However, with "testsaslauth", I am able to authenticate fine.
>
> I'm quite new to cyrus and linux systems, but I read all kinds of 
> manuals and FAQs and documentation, and googled a lot, but I was unable 
> to find the culprit. So you are my last hope.
> If nothing else works, I leave it as is, with digest and cram it works 
> and it's more secure. Or I go back to sasldb, which is less 
> comfortable for me...

Please include the following information, so we can get a better idea of 
your setup:

Postfix and Cyrus IMAP version
Postfix SASL config:
  grep sasl main.cf
  cat /etc/postfix/sasl/smtpd.conf (or wherever smtpd.conf is located on 
your system)

Your cyrus imap.conf config

saslauthd does not support cram-md5 or digest-md5, so you may be (also) 
using the sasldb auxprop in Postfix.

- Dan



Multiple IMAP connections from new IMAP clients

2009-04-23 Thread Gary Mills
We've had a problem recently with the number of imapd processes on our
Cyrus front-end increasing steadily until it filled the process table.
It seems that some recent IMAP clients will normally open a number of
IMAP connections to their server, and will open more based on user
activity.  Each of these causes a new imapd process to be spawned on
the front-end.  As far as I know, the server treats each connection
independently, even though the client may consider one to be permanent
and the others to be transient.

What are people doing to protect their Cyrus servers from this
increasing number of connections, each of which consumes resources on
the server?  This problem is going to get worse as more sophisticated
clients become popular.  Is many small front-ends the solution?

-- 
-Gary Mills--Unix Support--U of M Academic Computing and Networking-



Cyrus Imap plaintext authentication with saslauth & PAM

2009-04-23 Thread Kővári János




Hello everyone!

I'm new to this mailing list, actually, this is the first mailing list
I've ever subscribed to. :) So greetings to all from Hungary! (And excuse
my really bad English, please)

I'm not sure if I can ask for help here, but I didn't find any answer
elsewhere, so trying this out.

I have a postfix relay server and a (local) cyrus imap server on the
same machine. Everything was fine until I thought, I change the imap
authentication from sasldb to saslauth, to have global authentication
on postfix and cyrus.
Postfix uses saslauthd, which is configured for PAM. It works
perfectly, with plain/login/cram/digest mechanisms, with or without
tls/ssl, absolutely no problems with it. Saslauth tests are all fine
obviously.
So I decided to use this with cyrus imap too. Set it to use the same
saslauth daemon, and plain, login, cram-md5 and digest-md5 mechs.
Since then, I can not login with plain or login mechs, because they
aren't being offered at all by cyrus imapd. I can login with cram or
digest fine.
I understand that plain login isn't offered by default, only after a
successful tls session setup, but if I understand correctly, the
"allowplaintext: yes" option should still force imapd to offer plain
logins. But it doesn't. I tried it with different sasl_min|max_levels,
to no avail.
This is the first thing I don't understand.
The second is: after establishing a tls or ssl connection, plain and
login are offered, but I can not login with these mechs.
(I'm using imtest to test it all.)
However, with "testsaslauth", I am able to authenticate fine.

I'm quite new to cyrus and linux systems, but I read all kinds of
manuals and FAQs and documentation, and googled a lot, but I was unable
to find the culprit. So you are my last hope.
If nothing else works, I leave it as is, with digest and cram it works
and it's more secure. Or I go back to sasldb, which is less comfortable
for me...

Any help is greatly appreciated!
Thanks!

Regards,
Janos





Re: Using the quota command question

2009-04-23 Thread Andrew Morgan
On Thu, 23 Apr 2009, Tim Champ wrote:

> Hello all.
>
> Quick (hopefully) question - the man page for "quota" says it isn't 
> recommended to do a "-f" when specifying a user.  Due to some issues 
> that would take a while to explain, we will need to fix quite a few 
> quotas on users as we "xfer" them to a new system.
>
> Is this an outdated statement in the man page?  If not, what is the 
> risk?  I'd hate to have to run "quota -f" across a server of many 
> thousand users just to fix one.

I use "quota -f user.foo" all the time to fix quotas on mailboxes restored 
from backups.  I've never had any errors or problems, so I don't know why 
the manpage gives that recommendation.

Andy



Re: Using the quota command question

2009-04-23 Thread Tim Champ
Tim Champ wrote:
> Hello all.
>
> Quick (hopefully) question - the man page for "quota" says it isn't 
> recommended to do a "-f" when specifying a user.  Due to some issues 
> that would take a while to explain, we will need to fix quite a few 
> quotas on users as we "xfer" them to a new system.
>
> Is this an outdated statement in the man page?  If not, what is the 
> risk?  I'd hate to have to run "quota -f" across a server of many 
> thousand users just to fix one.
>
> Thanks for any help!
> Tim Champ
> UMBC DoIT Unix Infrastructure Team
>

Sigh -- I forgot to add our version - 2.3.8.  Sorry about that, and the 
resulting double mail.  The version of software is the same on the 
to/from machines.

If you have any questions, I'm happy to answer them.  Thanks!

Tim



Using the quota command question

2009-04-23 Thread Tim Champ
Hello all.

Quick (hopefully) question - the man page for "quota" says it isn't 
recommended to do a "-f" when specifying a user.  Due to some issues 
that would take a while to explain, we will need to fix quite a few 
quotas on users as we "xfer" them to a new system.

Is this an outdated statement in the man page?  If not, what is the 
risk?  I'd hate to have to run "quota -f" across a server of many 
thousand users just to fix one.

Thanks for any help!
Tim Champ
UMBC DoIT Unix Infrastructure Team



[no subject]

2009-04-23 Thread Colin Jaccino
Greets!
  I am researching lemonade compliance and what email servers may be able
to support key extensions, especially RFC 5465 - IMAP NOTIFY.  As it
stands, no support appears to be available from any vendor.  Cyrus 2.4
looks like it will support much of the new lemonade functionality, but
little information has been made available.  Can anyone shed light on
when we might expect a 2.4 or lemonade-oriented release and what might
be included?

Thanks!

Colin Jaccino




Re: much information from cyrus log

2009-04-23 Thread Ana Ribas Roca

We need the information about which ip is connecting to which mailbox,  
and what is this user doing: opening, deleting, authenticating, ...

Thanks in advance

- ANNA -

Quoting "Andreas Winkelmann" :

>> I'm trying to get as much information as possible from the cyrus log.
>> I've tried several modifications of the syslog configuration
>> file without success.
>>
>> I also create a folder at /var/log/.. per user getting as much
>> information I want but... it's in different files and folders, and
>> is per user based solution, which is difficult to administrate.
>>
>> Any clue on how to configure cyrus and syslog to retrieve all this info?
>
> Maybe you should go the other way around. Tell what information you need.
>
> Cyrus sends a lot of information with LOG_DEBUG to syslog, check if you
> catch these Messages. The directories you mentioned are telemetry Logs,
> these Dirs are in $configdirectory, which is normally not in /var/log/...
>
> --
> Andreas
>
> 
>

