Re: saslauthd and multiple dc levels
Hi,

I'm trying to follow your suggestion.
So, first I changed openldap configuration with sasl-secprops none to have also plain auth enabled.
Running pluginviewer to see the plugins:

Sonicle XStream Server (XStreamOS/illumos) SunOS 5.11 xs_153 Apr 2014
sonicle@www:~$ pluginviewer -m PLAIN
Installed and properly configured auxprop mechanisms are:
sasldb
List of auxprop plugins follows
Plugin sasldb , API version: 8
supports store: yes
Installed and properly configured SASL (server side) mechanisms are:
SCRAM-SHA-1 GS2-IAKERB GS2-KRB5 GSSAPI DIGEST-MD5 EXTERNAL OTP CRAM-MD5 PLAIN ANONYMOUS
Available SASL (server side) mechanisms matching your criteria are:
PLAIN
List of server plugins follows
Plugin plain [loaded],API version: 4
SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|PASS_CREDENTIALS
features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Installed and properly configured SASL (client side) mechanisms are:
SCRAM-SHA-1 GS2-IAKERB GS2-KRB5 GSSAPI DIGEST-MD5 EXTERNAL OTP CRAM-MD5 PLAIN ANONYMOUS
Available SASL (client side) mechanisms matching your criteria are:
SCRAM-SHA-1 GS2-IAKERB GS2-KRB5 GSSAPI DIGEST-MD5 EXTERNAL OTP CRAM-MD5 PLAIN ANONYMOUS
List of client plugins follows
Plugin plain [loaded],API version: 4
SASL mechanism: PLAIN, best SSF: 0
security flags: NO_ANONYMOUS|PASS_CREDENTIALS
features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION

Now running a search of SASL mechs:

sonicle@www:~$ ldapsearch -xLLLH 'ldap://localhost/' -s base -b '' 'supportedSASLMechanisms'
dn:
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GS2-IAKERB
supportedSASLMechanisms: GS2-KRB5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: OTP
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS

Now, try plain auth doing a search of an existing user:

sonicle@www:~$ ldapsearch -Y PLAIN -U test.u...@sonicle.com -H ldap://localhost -W
Enter LDAP Password:
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available: No worthy mechs found

Can't find a reason for ldapsearch not finding the plain mech.
Also, slapd has been built with sasl:

sonicle@www:~$ ldd /sonicle/libexec/slapd
libdb-4.8.so =/sonicle/lib/libdb-4.8.so
libpthread.so.1 =/lib/libpthread.so.1
libsasl2.so.2 =/sonicle/lib/libsasl2.so.2
libdl.so.1 =/lib/libdl.so.1
libssl.so.0.9.8 =/lib/libssl.so.0.9.8
libcrypto.so.0.9.8 =/lib/libcrypto.so.0.9.8
libresolv.so.2 =/lib/libresolv.so.2
libgen.so.1 =/lib/libgen.so.1
libnsl.so.1 =/lib/libnsl.so.1
libsocket.so.1 =/lib/libsocket.so.1
libc.so.1 =/lib/libc.so.1
libgcc_s.so.1 =/usr/sfw/lib/libgcc_s.so.1
libmd.so.1 =/lib/libmd.so.1
libmp.so.2 =/lib/libmp.so.2
libm.so.2 =/lib/libm.so.2

Any clue?
Or...any simpler way to let saslauthd do multiple search base takes?...or maybe let it choose the correct search base depending on the number of dc arguments determined?

Thanks for your help!
Gabriele.

--
From: Dan White
To: Willy Offermans
Cc: Gabriele Bulfon Raffaele Fullone info-cyrus@lists.andrew.cmu.edu
Date: 23 December 2014 16.52.46 CET
Subject: Re: saslauthd and multiple dc levels

On 12/23/14 16:07 +0100, Willy Offermans wrote:

Hello Dan,

On Tue, Dec 23, 2014 at 08:50:07AM -0600, Dan White wrote:

On 12/23/14 15:22 +0100, Gabriele Bulfon wrote:

How can I let saslauthd support both configurations?

Is the server OpenLDAP? If so, using olcAuthzRegexp would be a far more flexible way to handle this scenario. Within saslauthd's ldap config, use 'ldap_use_sasl' without specifying a search filter or base. Within slapd, your regex rules could perform a subtree search, or a simple string replacement for each domain. See http://www.openldap.org/doc/admin24/sasl.html and slapd-config(5).

I don't understand how this works. ldap_use_sasl in saslauthd.conf tells saslauthd to contact OpenLDAP server via sasl protocol directly. Is this correct?

Correct.
The ldap backend to saslauthd itself performs sasl authentication.

And what happens then? How do saslauthd and slapd communicate and how is authentication performed?

The communication between Cyrus IMAP and saslauthd would not change. imapd would still communicate with saslauthd in the same manner, by submitting a username and password via the saslauthd mux. The ldap backend to saslauthd can be configured to perform SASL over LDAP authentication to slapd (not to be confused with SASL over IMAP authentication). slapd would simply return a successful bind code back to the saslauthd backend, which in turn would respond with an 'OK' to cyrus IMAP.

Using SASL within the LDAP saslauthd backend is a much simpler configuration. i.e.:

ldap_servers: ldap://ldap.example.com
ldap_use_sasl: yes
ldap_mech: PLAIN

(This may require you to configure olcSaslSecProps)

The '-r' option to saslauthd may be necessary, if you're not already
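
The regex-rule idea from the quoted reply above, sketched as an added example (not code from the thread or from OpenLDAP): one rewrite rule per number of domain labels, emulated with sed so the mapping can be tried offline. The SASL name form `uid=<user>@<domain>,cn=plain,cn=auth`, the `ou=people` container and the one-`dc`-per-label layout are assumptions for illustration, and the sample identities are constructed.

```sh
#!/bin/sh
# Added illustration (not from the thread): rewrite rules in the style of
# olcAuthzRegexp, emulated with sed -E so the mapping can be tried offline.
# Assumptions: slapd sees the PLAIN identity as
#   uid=<user>@<domain>,cn=plain,cn=auth
# and entries live at uid=<user>,ou=people,dc=<label>,dc=<label>[,dc=<label>].
# In slapd the replacement side would use $1..$4 instead of sed's \1..\4.

# One rule per number of domain labels. Patterns are anchored and the user
# and label character sets exclude ',', '+', '=' and '@', so the rewritten DN
# cannot gain extra RDNs and each rule only fires for its own label count.
RULE_3='s/^uid=([A-Za-z0-9._-]+)@([A-Za-z0-9-]+)\.([A-Za-z0-9-]+)\.([A-Za-z0-9-]+),cn=plain,cn=auth$/uid=\1,ou=people,dc=\2,dc=\3,dc=\4/p'
RULE_2='s/^uid=([A-Za-z0-9._-]+)@([A-Za-z0-9-]+)\.([A-Za-z0-9-]+),cn=plain,cn=auth$/uid=\1,ou=people,dc=\2,dc=\3/p'

# map_sasl_dn NAME: print the mapped DN; return 1 when no rule matches,
# i.e. the name would be left unmapped.
map_sasl_dn() {
    for rule in "$RULE_3" "$RULE_2"; do
        out=$(printf '%s\n' "$1" | sed -nE "$rule")
        if [ -n "$out" ]; then
            printf '%s\n' "$out"
            return 0
        fi
    done
    return 1
}

# Constructed sample identities: two labels, three labels, no domain.
for id in \
    'uid=test.user@example.com,cn=plain,cn=auth' \
    'uid=bob@mail.example.com,cn=plain,cn=auth' \
    'uid=bob,cn=plain,cn=auth'
do
    map_sasl_dn "$id" || echo "unmapped: $id"
done
```
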
Re: Empty folders
On 12/30/14 07:10, Niels Dettenbach (Syndicat IT Internet) wrote:

On 29 December 2014 23:02:10 CET, Andrea Venturoli m...@netfence.it wrote:

cyradm dm does not delete this folder (and its files) from the filesystem.

This is OK as long as you clarify for you that there is no folder before you recreate the cyrus folder from/over cyrus again - means: delete it by hand (rm) if still there.

_ restore the old cyrus.* files.

This should be done by reconstruct -r -f over the (correct) folders - if not, you still have any problem in your setup or procedure as this command must work for general/further proper cyrus functionality.

Thanks again. In fact I found a faster procedure:
_ dm user.A.B.D (this won't delete anything);
_ stop imapd;
_ reconstruct -r -f user.A (this will discover the folders I just only formally deleted);
_ start imapd;
_ restore permissions for user.A*.

Only thing, I'll have to script this, since I've got a lot of problematic folders...

arrgh, sounds time-consuming - so good luck... Personally I prefer perl with the official cyrus imap/admin perl modules for any cyrus scripting.

Could you share a pointer? I'm not proficient with perl, but I'd gladly look into them anyway.

If you don't know the reason behind the problem it may make sense to generate database dumps of the mboxlist by cron from time to time and check if there further such bad folders get generated by a script or similar.

I don't know where the problem originated from, so I'll check a number of times in the next few days/weeks.
However I'm surprised: looking into cyrus imap as a black box, it's almost like it has two databases for the same things.

bye
Thanks
av.

Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: Empty folders
On 30.12.2014 at 11:24, Andrea Venturoli m...@netfence.it wrote:

_ dm user.A.B.D (this won't delete anything);

This is only for „deleting“ possibly existing but corrupt(ed) database entries.

_ stop imapd;
_ reconstruct -r -f user.A (this will discover the folders I just only formally deleted);
_ start imapd;
_ restore permissions for user.A*.

hmm, OK, restarting should not be required afaik (but might be I’m wrong here) - but if it helps you, OK.

Could you share a pointer? I'm not proficient with perl, but I'd gladly look into them anyway.

For Perl Modules, CPAN should be your first friend:
http://www.cpan.org
but many distributions bring the cyrus perl modules still somewhere within the cyrus (or cyrus dev) packages.

Relevant Modules are i.e.:
Cyrus::IMAP::Admin
http://search.cpan.org/~eestabroo/IMAP-Admin-1.6.7/Admin.pm
http://www.manpagez.com/man/3/Cyrus::IMAP::Admin/

manpages and perldoc are typical doc and example resources too for any (installed) perl modules. There are many (very helpful) examples around which should be relatively easy to adopt for your needs, even if you are a perl „newcomer“.

cyradm is the „alter ego of“ Cyrus::IMAP::Shell which is „just“ a „wrapper“ around that module:
https://cyrusimap.org/docs/cyrus-imapd/2.2.13p1/man/cyradm.1.php
so it offers/does anything in the same way cyradm does, but object oriented and/or perled.

some further examples:
http://lists.andrew.cmu.edu/pipermail/info-cyrus/2011-April/034798.html
http://doc.gabosh.net/howto_IMAP_POP3_Server.html

However I'm surprised: looking into cyrus imap as a black box, it's almost like it has two databases for the same things.

Yes and no, I understand that for many „newer“ cyrus users cyrus behaves like a „black box“, but it widely isn’t in practice. The major parts are the mailbox list db (which is typically „outside“ the IMAP spool / filesystem) and the indices withIN the mailboxes and both could be handled by proper tools even „around“ cyradm shell.
Different possible database formats (and BDB versions too) could „confuse“ users seriously… But in my experience users could live on the „blackbox level“ and rely on it even in disaster scenarios (like in yours, where the cyradm shell plus standard filesystem ops are „enough“), except in cases of i.e. BDB version upgrades or arch migrations which should be handled with care / the official procedures.

good luck,
cheerioh,

Niels.

Syndicat IT Internet
http://www.syndicat.com
Re: sieve vacation with start and end date
On Sun, 2014-12-28 at 10:20 +0100, Marcus Schopen wrote:

does sieve vacation understand a start and end date? Something like this does not work:

---
require ["date", "relational", "vacation"];
if allof(currentdate :value "ge" "date" "2007-06-30",
         currentdate :value "le" "date" "2007-07-07")
{
    vacation :days 7 "I'm away during the first week in July.";
}
---

System: cyrus 2.4.12 on Ubuntu 12.04 LTS

It may or may not; depends on what extensions/plugins are activated in your SIEVE. Is the above documented syntax from somewhere?

Horde's Ingo application uses regular expressions to match dates in order to implement vacation start/end. I believe date matching in SIEVE is a relatively recent thing, and I am not sure to what level it is implemented [anywhere].

--
Adam Tauno Williams mailto:awill...@whitemice.org GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA
Re: sieve vacation with start and end date
On Tue, 2014-12-30 at 08:39 -0500, Adam Tauno Williams wrote:

On Sun, 2014-12-28 at 10:20 +0100, Marcus Schopen wrote:

does sieve vacation understand a start and end date? Something like this does not work:

---
require ["date", "relational", "vacation"];
if allof(currentdate :value "ge" "date" "2007-06-30",
         currentdate :value "le" "date" "2007-07-07")
{
    vacation :days 7 "I'm away during the first week in July.";
}
---

System: cyrus 2.4.12 on Ubuntu 12.04 LTS

It may or may not; depends on what extensions/plugins are activated in your SIEVE. Is the above documented syntax from somewhere?

It looks like there is an open bug.

Implement date extension (rfc5260)
https://bugzilla.cyrusimap.org/show_bug.cgi?id=3724

Horde's Ingo application uses regular expressions to match dates in order to implement vacation start/end. I believe date matching in SIEVE is a relatively recent thing, and I am not sure to what level it is implemented [anywhere].

--
Adam Tauno Williams mailto:awill...@whitemice.org GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA
Re: sieve vacation with start and end date
Quoting Adam Tauno Williams awill...@whitemice.org:

On Sun, 2014-12-28 at 10:20 +0100, Marcus Schopen wrote:

does sieve vacation understand a start and end date? Something like this does not work:

---
require ["date", "relational", "vacation"];
if allof(currentdate :value "ge" "date" "2007-06-30",
         currentdate :value "le" "date" "2007-07-07")
{
    vacation :days 7 "I'm away during the first week in July.";
}
---

System: cyrus 2.4.12 on Ubuntu 12.04 LTS

It may or may not; depends on what extensions/plugins are activated in your SIEVE. Is the above documented syntax from somewhere?

Horde's Ingo application uses regular expressions to match dates in order to implement vacation start/end. I believe date matching in SIEVE is a relatively recent thing, and I am not sure to what level it is implemented [anywhere].

Cyrus sieve does not have the date extension. I wish it did. :)

Regards,
Ken
Re: sieve vacation with start and end date
On Tue, Dec 30, 2014, at 08:51 AM, k...@rice.edu wrote:

Quoting Adam Tauno Williams awill...@whitemice.org:

On Sun, 2014-12-28 at 10:20 +0100, Marcus Schopen wrote:

does sieve vacation understand a start and end date? Something like this does not work:

---
require ["date", "relational", "vacation"];
if allof(currentdate :value "ge" "date" "2007-06-30",
         currentdate :value "le" "date" "2007-07-07")
{
    vacation :days 7 "I'm away during the first week in July.";
}
---

System: cyrus 2.4.12 on Ubuntu 12.04 LTS

It may or may not; depends on what extensions/plugins are activated in your SIEVE. Is the above documented syntax from somewhere?

Horde's Ingo application uses regular expressions to match dates in order to implement vacation start/end. I believe date matching in SIEVE is a relatively recent thing, and I am not sure to what level it is implemented [anywhere].

Cyrus sieve does not have the date extension. I wish it did. :)

cyrus 2.5 will have the date extension. It has already been implemented in the master git branch. Likely, it could be backported to 2.4 if anyone is up to the task.

Regards,
Ken

V/r,
James Cassell
Re: saslauthd and multiple dc levels
On 12/30/14 10:52 +0100, Gabriele Bulfon wrote:

So, first I changed openldap configuration with sasl-secprops none to have also plain auth enabled.
Running pluginviewer to see the plugins:

sonicle@www:~$ pluginviewer -m PLAIN
List of server plugins follows
Plugin plain [loaded],API version: 4
List of client plugins follows
Plugin plain [loaded],API version: 4

sonicle@www:~$ ldapsearch -xLLLH 'ldap://localhost/' -s base -b '' 'supportedSASLMechanisms'
dn:
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GS2-IAKERB
supportedSASLMechanisms: GS2-KRB5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: OTP
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS

Now, try plain auth doing a search of an existing user:

sonicle@www:~$ ldapsearch -Y PLAIN -U test.u...@sonicle.com -H ldap://localhost -W
Enter LDAP Password:
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available: No worthy mechs found

Can't find a reason for ldapsearch not finding the plain mech.

Odd. Add a '-d -1' to get more detail.

See the ldap.conf(5) manpage, and verify you don't have any conflicting options set via relevant ENVIRONMENT VARIABLES or FILES. Check your syslog for any additional details (auth facility).

Also, slapd has been built with sasl:

sonicle@www:~$ ldd /sonicle/libexec/slapd
libdb-4.8.so =/sonicle/lib/libdb-4.8.so
libpthread.so.1 =/lib/libpthread.so.1
libsasl2.so.2 =/sonicle/lib/libsasl2.so.2
libdl.so.1 =/lib/libdl.so.1
libssl.so.0.9.8 =/lib/libssl.so.0.9.8
libcrypto.so.0.9.8 =/lib/libcrypto.so.0.9.8
libresolv.so.2 =/lib/libresolv.so.2
libgen.so.1 =/lib/libgen.so.1
libnsl.so.1 =/lib/libnsl.so.1
libsocket.so.1 =/lib/libsocket.so.1
libc.so.1 =/lib/libc.so.1
libgcc_s.so.1 =/usr/sfw/lib/libgcc_s.so.1
libmd.so.1 =/lib/libmd.so.1
libmp.so.2 =/lib/libmp.so.2
libm.so.2 =/lib/libm.so.2

How about your libldap library and client utilities?
Do they have access to libsasl2 and the PLAIN shared library/mechanism? Try:

ldd `which ldapsearch`

And verify that the linked sasl library is the same as for slapd, or if not, uses a good libsasl installation.

Also, you may want to try ldapsearch from another system with a known good sasl installation.

--
Dan White
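
The two checks suggested in the reply above, as an added example (not code from the thread): compare the libsasl2 that slapd and ldapsearch resolve to, and list the client-side overrides named in ldap.conf(5). The sample `ldd` listings are constructed, and the client path `/usr/lib/libsasl2.so.2` in them is a made-up value.

```sh
#!/bin/sh
# Added illustration (not from the thread).

# sasl_lib_from_ldd: read `ldd` output on stdin and print the resolved
# libsasl2 path; prints nothing if the library is absent or "not found".
sasl_lib_from_ldd() {
    awk '$1 ~ /^libsasl2\.so/ && $3 ~ /^\// { print $3; exit }'
}

# compare_sasl_lib LDD_A LDD_B: print same, different or missing.
compare_sasl_lib() {
    a=$(printf '%s\n' "$1" | sasl_lib_from_ldd)
    b=$(printf '%s\n' "$2" | sasl_lib_from_ldd)
    case "$a|$b" in
        /*"|"/*) [ "$a" = "$b" ] && echo same || echo different ;;
        *)       echo missing ;;
    esac
}

# ldap_client_overrides: show LDAP* environment variables and SASL_* lines
# in the per-user ldaprc files that ldap.conf(5) says libldap reads. The
# system-wide ldap.conf location depends on the build and is not checked.
ldap_client_overrides() {
    env | grep '^LDAP[A-Z_]*=' || true
    for f in "$HOME/ldaprc" "$HOME/.ldaprc" ./ldaprc; do
        if [ -f "$f" ]; then
            echo "# $f"
            grep -i '^[[:space:]]*SASL_' "$f" || true
        fi
    done
}

# Constructed sample listings (the client path is invented for the demo).
SLAPD_LDD='  libsasl2.so.2 =>  /sonicle/lib/libsasl2.so.2
  libc.so.1 =>  /lib/libc.so.1'
CLIENT_LDD='  libsasl2.so.2 =>  /usr/lib/libsasl2.so.2
  libc.so.1 =>  /lib/libc.so.1'

compare_sasl_lib "$SLAPD_LDD" "$CLIENT_LDD"
# Live use on the host from the thread:
#   compare_sasl_lib "$(ldd /sonicle/libexec/slapd)" "$(ldd "$(command -v ldapsearch)")"
```

A result of `different` means the client may be loading its mechanism plugins from another SASL installation than the one `pluginviewer` reported on.
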
Re: sieve vacation with start and end date
On Tue, Dec 30, 2014 at 09:25:48AM -0500, James Cassell wrote:

On Tue, Dec 30, 2014, at 08:51 AM, k...@rice.edu wrote:

Quoting Adam Tauno Williams awill...@whitemice.org:

On Sun, 2014-12-28 at 10:20 +0100, Marcus Schopen wrote:

does sieve vacation understand a start and end date? Something like this does not work:

---
require ["date", "relational", "vacation"];
if allof(currentdate :value "ge" "date" "2007-06-30",
         currentdate :value "le" "date" "2007-07-07")
{
    vacation :days 7 "I'm away during the first week in July.";
}
---

System: cyrus 2.4.12 on Ubuntu 12.04 LTS

It may or may not; depends on what extensions/plugins are activated in your SIEVE. Is the above documented syntax from somewhere?

Horde's Ingo application uses regular expressions to match dates in order to implement vacation start/end. I believe date matching in SIEVE is a relatively recent thing, and I am not sure to what level it is implemented [anywhere].

Cyrus sieve does not have the date extension. I wish it did. :)

cyrus 2.5 will have the date extension. It has already been implemented in the master git branch. Likely, it could be backported to 2.4 if anyone is up to the task.

Regards,
Ken

Very, very cool!

Regards,
Ken
Re: Patch for adding tls_honor_cipher_order
On 17 Oct 2014, at 11:34, Jeroen van Meeuwen (Kolab Systems) vanmeeu...@kolabsys.com wrote:

On 2014-10-16 19:32, Kristian Kræmmer Nielsen wrote:

Hi, Patch attached.

Something similar is already in cyrus-imapd-2.4:
http://git.cyrusimap.org/cyrus-imapd/commit/?h=cyrus-imapd-2.4&id=4b26d2d7244eeaa481871c337e57cd393fd76dfe

Is this commit considered part of the stable 2.4 version yet? Or only with some upcoming 2.4.18 tag?

Regards,
Mark