Re: ptloader segfaulting while looking up LDAP groups
Sorry, I must have butchered the original patch when I was pulling it out of a larger patch (that does some Columbia specific stuff). Igor's patch makes it look like the correct version.

-Patrick

The last commit has an issue. Please try this patch and report back:

--- ldap.c.orig 2006-08-09 14:42:05.023665000 -0400 +++ ldap.c 2006-08-09 14:42:41.274455000 -0400 @@ -1065,11 +1065,11 @@ continue; strcpy((*newstate)-groups[i].id, group:); + int j; - strcpy((*newstate)-groups[i].id, group:); - for(j =0; j strlen(vals[i]); j++) { - if(isupper(vals[i][j])) - vals[i][j]=tolower(vals[i][j]); + for(j =0; j strlen(vals[0]); j++) { + if(isupper(vals[0][j])) + vals[0][j]=tolower(vals[0][j]); } strlcat((*newstate)-groups[i].id, vals[0],

-- Igor

Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
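Review bot: in the added loop, isupper(vals[0][j]) and tolower(vals[0][j]) are handed a plain char; a group name containing a byte above 0x7f becomes negative where char is signed, which is undefined for the ctype functions, so cast to unsigned char at both calls (the isupper test can then be dropped, since tolower leaves other characters alone). Two smaller points in the same hunk: int j; now follows the strcpy statement, which pre-C99 compilers reject, so declare it at the top of the enclosing block; and strlen(vals[0]) is re-evaluated on every pass, so hoist it or loop until vals[0][j] is NUL. The switch from vals[i] to vals[0] does make the loop read the same element that the following strlcat copies, which is worth saying in the commit message.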
Re: Odd quota problem
have you tried fixing the quota

cyr_quota -f user.username

(The name for cyr_quota may be quota depending on your installation)

also what version of Cyrus?

-Patrick

On Aug 3, 2006, at 10:49 AM, Karl Boyken wrote:

We have one user who has very large disk usage, 3,880,884 kb. His quota is 4,250,000 kb. Interestingly, when I do a du of this guy's mailbox, I get 1,889,972 kb. He has on the order of 23,000 messages in his Inbox. Despite the fact that he is under quota, lmtpunix is refusing delivery, failing with an Over quota error:

Aug 3 09:39:54 serv07 lmtpunix[30003]: verify_user(user.kearney) failed: Over quota

Any ideas or help would be greatly appreciated--this guy is an associate dean here.

Karl Boyken

--
Karl Boyken, system administrator [EMAIL PROTECTED]
303A MLH, Dept. of Comp. Sci. http://www.cs.uiowa.edu/~boyken/
The U. of Iowa, Iowa City, IA 52242
319-335-2730 (voice) 319-335-3668 (fax)
Re: Odd quota problem
Is all that usage for his INBOX? If it is spread across multiple IMAP folders then you could set a quota separately for each one.

It may be that you are suffering from the 2GB quota limit in Cyrus 2.2 that Daniel mentioned.

Maybe just remove his quota?

liverwurst.cc.columbia.edu sq user.ct2213f none
remove quota
liverwurst.cc.columbia.edu lq user.ct2213f /
#Quota file still exists. Not sure if you need to remove it.
-bash-3.00$ cyr_quota -f user.ct2213f
Quota % Used Used Root
7 user.ct2213f
rm /var/cyrus/quota/K/user.ct2213f
-bash-3.00$ cyr_quota -f user.ct2213f
Quota % Used Used Root
liverwurst.cc.columbia.edu lq user.ct2213f

-Patrick

On Aug 3, 2006, at 12:53 PM, Karl Boyken wrote:

I've been helping my over-quota user move mail out of his Inbox into local folders with Thunderbird. His disk usage is down to a current usage of 1524826 bk, and a du shows 1642048 kb. But lmtpunix is still bouncing his mail with Over quota messages, even though his quota is still 4,250,000 kb.

Karl

--
Karl Boyken, system administrator [EMAIL PROTECTED]
303A MLH, Dept. of Comp. Sci. http://www.cs.uiowa.edu/~boyken/
The U. of Iowa, Iowa City, IA 52242
319-335-2730 (voice) 319-335-3668 (fax)
Re: sieve[25275]: Couldn't find mech PLAIN
What program are you using to connect to the sieve port?

What does imtest -p 2000 hostname tell you on the SASL line? mine says

S: IMPLEMENTATION Cyrus timsieved v2.2.12
S: SASL GSSAPI PLAIN
S: SIEVE fileinto reject envelope vacation imapflags notify subaddress relational comparator-i;ascii-numeric regex
S: STARTTLS
S: OK

If you don't see PLAIN, try imtest hostname and see what capabilities your server offers for the IMAP port.

-Patrick

On Aug 3, 2006, at 2:34 PM, Joseph Silverman wrote:

So, I migrated my email server from a fedora core 3 to a mandrake based distro yesterday - since then sieve has quit working with the error message in the subject. Any ideas what is wrong? THANKS!

P.s. imap and pop work as expected and desired.

my imapd.conf:

configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
allowanonymouslogin: no
altnamespace: true
unixhierarchysep: true
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
allowplaintext: 1
sasl_pwcheck_method: saslauthd
sieve_maxscriptsize: 100

my /etc/sysconfig/saslauthd:

# $Id: saslauthd.sysconfig,v 1.1 2001/05/02 10:55:48 wiget Exp $
# Authentications mechanism (for list see saslauthd -v)
SASL_AUTHMECH=ldap
# Hostname for remote IMAP server (if rimap auth mech is used)
# Ldap configuration file (if ldap auth mech is used)
SASL_MECH_OPTIONS=
# Extra options (for list see saslauthd -h)
SASLAUTHD_OPTS=

my /etc/saslauthd.conf:

ldap_servers: ldap://.laszlosystems.com/
ldap_bind_dn: cn=,dc=laszlosystems,dc=com
ldap_bind_pw:
ldap_scope: sub
ldap_search_base: ou=,dc=laszlosystems,dc=com
ldap_auth_method: bind
Re: SSL certs on proxy pool?
we have a mail.columbia.edu cert on each of our frontends. They are behind a load balancer which has the name mail.columbia.edu. Clients connect to the load balancer which passes them to one of the frontends. The CN name in the cert matches the name the client thinks they connected to and things work fine.

-Patrick

On Aug 1, 2006, at 8:27 PM, Vincent Fox wrote:

Wondering how people deal with SSL certs with multiple frontends?

Do you put wildcard certs on the proxies and leave the SSL processing on each unit?

Do you use an SSL-aware load-balancer and let it hold a cert for the published hostname and do the heavy lifting?

If there's some 3rd way, I'm interested to hear it.

I'm not really clear what would happen on a load-balancer with TLS switchovers, doesn't that imply the load-balancer has to be application-aware not just like a hardware version of stunnel?
Re: cyradm problem. sasl?
what happens if you do --auth LOGIN instead of PLAIN?

PLAIN requires start TLS. The version of Cyrus you are using probably doesn't support startTLS with cyradm.

-Patrick

On Jul 27, 2006, at 8:57 AM, jocke khazad wrote:

Hello everyone!

I am trying to setup a mailserver with postfix, cyrus-imap, cyrus-sasl, mysql, pam_mysql on Redhat Enterprise 4. Everything seems to work ok except when I use cyradm to login on my imap server.

root cyradm --user cyrus --server localhost --auth plain
rootpassword: this is where my maillog spits out an error message ( imap[2302]: badlogin: localhost [127.0.0.1] PLAIN [SASL(-16): encryption needed to use mechanism: security flags do not match required] )
rootIMAP password: --- this checks against mysql and seems to work fine.. I get into my imap server after this.

here is a paste of my maillog after I tried this.

Jul 26 09:28:50 mail56 imap[2302]: accepted connection
Jul 26 09:28:51 mail56 imap[2302]: badlogin: localhost [127.0.0.1] PLAIN [SASL(-16): encryption needed to use mechanism: security flags do not match required]
Jul 26 09:28:55 mail56 imap[2302]: login: localhost [127.0.0.1] cyrus plaintext User logged in

I've been on this, googling, reading asking.. for a cpl of weeks now and it starts to get on my nerves. Can anyone give me a hint on what to do here?

A couple of notes:

1. postfix works fine, it also authenticates fine, I can send and receive mail
2. imap works, I can login to my imap server from outlook express, and view my mails.
3. I tried to auth against sasldb with testsasl, and imtest. It works without any problems.
4. I prolly read every post out there about this problem and no one gives a clear answer why this problem exists =)

If someone want to explain to me why the first authentication is there for I would also be glad =)

cyradm --user cyrus --server localhost --auth plain
password - why this one? what is it supposed to contact? I've read that it's contacting sasldb2, but when I run saslauthd in debugmode I see nothing
IMAP password - this one makes sense, it checks my mysql tables and this also works and lets me into my imap server, even tho the first pw auth fails.

Here is my a few of my confs

/etc/imapd.conf:

postmaster: postmaster
configdirectory: /var/lib/imap/
partition-default: /var/spool/imap
admins: cyrus
allowanonymouslogin: no
allowplaintext: yes
sasl_mech_list: PLAIN
servername: mail56
autocreatequota: 1
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pwcheck_method: saslauthd
sievedir: /usr/sieve
sendmail: /usr/sbin/sendmail
sieve_maxscriptsize: 32
sieve_maxscripts: 5
#unixhierarchysep: yes
tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
tls_ca_file: /usr/share/ssl/certs/ca-bundle.crt

/etc/sysconfig/saslauthd

# Directory in which to place saslauthd's listening socket, pid file, and so
# on. This directory must already exist.
SOCKETDIR=/var/run/saslauthd
# Mechanism to use when checking passwords. Run saslauthd -v to get a list
# of which mechanism your installation was compiled to use.
MECH=pam
# Additional flags to pass to saslauthd on the command line. See saslauthd(8)
# for the list of accepted flags.
FLAGS=

/etc/cyrus.conf

# standard standalone server implementation
START {
  # do not delete this entry!
  recover cmd=ctl_cyrusdb -r
  # this is only necessary if using idled for IMAP IDLE
  # idledcmd=idled
}
# UNIX sockets start with a slash and are put into /var/lib/imap/sockets
SERVICES {
  # add or remove based on preferences
  imap cmd=imapd listen=imap prefork=5
  imaps cmd=imapd -s listen=imaps prefork=1
  pop3 cmd=pop3d listen=pop3 prefork=3
  pop3s cmd=pop3d -s listen=pop3s prefork=1
  sieve cmd=timsieved listen=sieve prefork=0
  # these are only necessary if receiving/exporting usenet via NNTP
  # nntp cmd=nntpd listen=nntp prefork=3
  # nntpscmd=nntpd -s listen=nntps prefork=1
  # at least one LMTP is required for delivery
  # lmtp cmd=lmtpd listen=lmtp prefork=0
  lmtpunix cmd=lmtpd listen=/var/lib/imap/socket/lmtp prefork=1
  # this is only necessary if using notifications
  # notify cmd=notifyd listen=/var/lib/imap/socket/notify proto=udp prefork=1
}
EVENTS {
  # this is required
  checkpointcmd=ctl_cyrusdb -c period=30
  # this is only necessary if using duplicate delivery suppression,
  # Sieve or NNTP
  delprune cmd=cyr_expire -E 3 at=0400
  # this is only necessary if caching TLS sessions
  tlsprune cmd=tls_prune at=0400
}

Thank you all for reading and trying to help me with this!

/ Jocke
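The two log lines quoted in this message are the ones worth auditing for: a mechanism refused for lack of an encryption layer, and a password login accepted with no TLS. The shell function below is an added example, not part of the original thread or of Cyrus; it assumes imapd marks TLS-protected password logins as plaintext+TLS, the admin list is passed in by hand, and the sample lines for client.example.org are constructed.

```shell
#!/bin/sh
# Added example: audit a Cyrus maillog for authentication without encryption.

# Constructed sample in the syslog format quoted in the thread. The first two
# lines repeat the thread's own log; the last two are invented for contrast.
sample_log() {
cat <<'EOF'
Jul 26 09:28:51 mail56 imap[2302]: badlogin: localhost [127.0.0.1] PLAIN [SASL(-16): encryption needed to use mechanism: security flags do not match required]
Jul 26 09:28:55 mail56 imap[2302]: login: localhost [127.0.0.1] cyrus plaintext User logged in
Jul 26 09:31:02 mail56 imap[2310]: login: client.example.org [192.0.2.10] jocke plaintext+TLS User logged in
Jul 26 09:33:40 mail56 imap[2311]: login: client.example.org [192.0.2.10] jocke plaintext User logged in
EOF
}

# flag_cleartext_auth "ADMIN1 ADMIN2 ..."   (log is read from stdin)
# Output, one event per line:
#   refused <host> <ip> <mech>        SASL(-16): mechanism needs an encryption layer
#   cleartext <host> <ip> <user>      password login accepted without TLS
#   cleartext-admin <host> <ip> <user>  same, for a user in the admins list
flag_cleartext_auth() {
    awk -v admins=" $1 " '
    {
        # Find the Cyrus event keyword; everything before it is syslog prefix.
        ev = 0
        for (i = 1; i <= NF; i++)
            if ($i == "badlogin:" || $i == "login:") { ev = i; break }
        if (!ev) next
        host = $(ev + 1)
        ip = $(ev + 2)
        gsub(/\[|\]/, "", ip)
    }
    $ev == "badlogin:" && index($0, "SASL(-16)") {
        print "refused", host, ip, $(ev + 3)
        next
    }
    # Exactly "plaintext": "plaintext+TLS" means the password crossed a TLS layer.
    $ev == "login:" && $(ev + 4) == "plaintext" {
        user = $(ev + 3)
        tag = index(admins, " " user " ") ? "cleartext-admin" : "cleartext"
        print tag, host, ip, user
    }'
}

# Stand-alone use: sh audit.sh LOGFILE "cyrus"   (LOGFILE is your maillog path)
if [ "$#" -ge 1 ]; then flag_cleartext_auth "${2:-}" < "$1"; fi
```

A cleartext-admin hit from anything other than the loopback address means an account listed under admins: sent its password unprotected over the network.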
Re: cyradm lm returns empty list but mailboxes are accessible via
what command line options are you using with cyradm?

do you have GSSAPI enabled and Kerberos in your environment?

On Jul 23, 2006, at 11:25 AM, [EMAIL PROTECTED] wrote:

I asked this question (see below) two weeks ago but had no reply. Just posting it one more time, hoping to get an answer :) thanks

I do not know what went wrong but now if I log in using cyradm to administrator console i can't get neither mailboxes list nor create/delete functionality or even see info. What i did was patched the system (instructions below) and now sieve works fine.. please advise.

alex

patching instructions

I have installed Cyrus+SIEVE and i can even see SIEVE running if i telnet to the 2000 port, but if i run sieveshell I get the following error.

Can't locate Cyrus/SIEVE/managesieve.pm in @INC (@INC contains: /usr/lib/perl5/5.8.3/i386-linux-thread-multi /usr/lib/perl5/5.8.3 /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2 /usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2 /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl .) at /usr/local/bin/sieveshell line 44.
BEGIN failed--compilation aborted at /usr/local/bin/sieveshell line 44.

but the module is there

locate /managesieve.pm
/usr/local/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi/Cyrus/SIEVE/managesieve.pm
/usr/local/src/cyrus-imapd-2.2.12/perl/sieve/managesieve/managesieve.pm
/usr/local/src/cyrus-imapd-2.2.12/perl/sieve/managesieve/blib/lib/Cyrus/SIEVE/managesieve.pm
/usr/local/src/cyrus-imapd-2.2.13/perl/sieve/managesieve/managesieve.pm
/usr/local/src/cyrus-imapd-2.2.13/perl/sieve/managesieve/blib/lib/Cyrus/SIEVE/managesieve.pm
/opt/cyrus-imapd-2.2.12/perl/sieve/managesieve/managesieve.pm
/opt/cyrus-imapd-2.2.12/perl/sieve/managesieve/blib/lib/Cyrus/SIEVE/managesieve.pm

Please help. I have wasted 2 days already. Re-installed from scratch the whole system number of times. What i am actually is trying to achieve is to create SIEVE script which will be placing 'users' spam messages (marked as a SPAM in the subj. field by SpamAssassin) into user.$user.Spam folder.

The failure-message tells you that sieveshell cannot locate the managesieve.pm, and also all the places where it looked. So there are two possible solutions: either tell perl to also look in /usr/local/lib for managesieve.pl, or to install the perl parts of Cyrus not in /usr/local but in /usr/lib/perl5. I've opted for the second solution, and every time I build Cyrus, I apply a simple patch (included). The only drawback it has is that sieveshell itself will be installed in /usr/lib/perl5 as well.

The patch can be installed by doing:

cd cyrus-imapd-2.2.12
make distclean
patch -p1 < cyrus-imapd-perl_prefix.patch
./configure <any options>
make
Re: Starting cyrus - what output should I see?
you probably want to use '-d' instead of '&' to make master run in the background.

After that you can look in log files for cyrus. The location of the log file depends on your syslog.conf ( I think wherever local6.* points to). Any problems should be reported there.

On Jul 12, 2006, at 8:49 AM, James Brown wrote:

(I posted this before with an incorrect subject line).

I'm having problems starting and connecting to imapd.

I type:

sudo /usr/cyrus/bin/master &

The following line gets returned to the screen:

[1] 190

Looking at the processes running with 'top' there is a process 'sudo' with PID of 190 running. There is no process called imapd running.

Is this correct behaviour?

When I try to telnet in to test it I get:

mail1-bordo-com-au:~ jlbrown$ telnet localhost imap
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host

I'm at a loss as to how to proceed, or what I have done wrong.

Any help would be much appreciated.

Thanks,

James.
Re: Murder without Kerberos?
We use PLAIN to authenticate between all the machines in our murder.

What version of Cyrus are you using?

do you have a sasl_mech_list: line in your imapd.conf?

Can you auth using imtest and DIGEST-MD5?

Do you support other mechanisms for users?

-Patrick

On Jul 6, 2006, at 8:54 AM, Andrew Findlay wrote:

Is anyone running a Cyrus Murder without using Kerberos?

I am trying to build a Murder using DIGEST-MD5 authentication, but I am running into weird problems and would like to know if it has been done before. I am particularly keen to know what SASL options are needed in this environment.

Thanks

Andrew

--
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
Re: Murder without Kerberos?
I haven't tried it with 2.3.6, but PLAIN should work.

I would suggest starting with

sasl_mech_list: PLAIN

in all your imapd.conf files (make sure it says only PLAIN), and make sure there is no force_sasl_client_mech lines anywhere.

Then make sure you can use imtest (with -m PLAIN and -t (for tls)) to connect to backends, and then see if the backends will communicate correctly.

-Patrick

On Jul 6, 2006, at 2:32 PM, Andrew Findlay wrote:

On Thu, Jul 06, 2006 at 11:43:50AM -0400, Patrick Radtke wrote:

We use PLAIN to authenticate between all the machines in our murder.

That is very interesting. I found that I had to enable MD5 because the backends (and mupdate?) would not accept lower-strength authentication. PLAIN would be preferable for several reasons.

What version of Cyrus are you using?

2.3.6

do you have a sasl_mech_list: line in your imapd.conf?

That is commented out at the moment, to allow MD5. I started with PLAIN and LOGIN only.

Can you auth using imtest and DIGEST-MD5?

Yes

Do you support other mechanisms for users?

I would like to support PLAIN, LOGIN, and DIGEST-MD5, but the latter requires a plaintext password database so it will probably be judged too risky.

Thanks

Andrew

--
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
Re: defeated about Murder.....
I've tried to summarize the different ways of doing mail delivery in a murder

http://cyrusimap.web.cmu.edu/twiki/bin/view/Cyrus/CyrusMurderMailDelivery

There are some brief instructions on setting up lmtpproxyd to query the localhost. Try those out and let me know if you have questions.

-Patrick

On Jun 18, 2006, at 5:12 PM, Xue, Jack C wrote:

Your options are to

1. Have lmtpproxyd query the local server for each incoming message. This decreases load on the murder master. You do this by creating a config file for lmtpproxyd and setting murder master to the localhost. Then you just need to get the auth setup.

Can you show me how to configure lmtpproxyd to use localhost as murder master?

Thanks

-Jack Xue

Quoting Andrzej Kwiatkowski [EMAIL PROTECTED]:

Hi..

I was thinking that Murder is a very good concept for cyrus... Till today.

I've started some performance test: I've 4 MTA with Postfix+Cyrus frontend 2.2.12, 4 backend with Cyrus 2.3.6 and 1 Mupdate with cyrus 2.2.12.

I've started with smtp-stone sending 3000 msg (1000 for each of 3 users on 1 backend). Backend load was very low. But in this time mupdate have load about 1,5 (why ?)

The concept was that mupdate is only for changing location of mailboxes... My frontend have information on mailboxes (checked with ctl_mboxlist -d) but they still are looking in mupdate which causes high load and SIGSEGV... Which causes lmtpproxy to drop connections and growing queue in postfix...

Am i doing something wrong ?

Authentication is doing by sasl digest-md5 to avoid SQL database performance, so i think this is no problem..

So why mupdate causes such problems ?

Thanks

AK
Re: defeated about Murder.....
I also added

http://cyrusimap.web.cmu.edu/twiki/bin/view/Cyrus/WhyMailDeliverySlow

to the FAQ

It lists the causes of mail delivery problems that we've seen.

-Patrick

On Jun 18, 2006, at 8:57 AM, Andrzej Kwiatkowski wrote:

Hi..

I was thinking that Murder is a very good concept for cyrus... Till today.

I've started some performance test: I've 4 MTA with Postfix+Cyrus frontend 2.2.12, 4 backend with Cyrus 2.3.6 and 1 Mupdate with cyrus 2.2.12.

I've started with smtp-stone sending 3000 msg (1000 for each of 3 users on 1 backend). Backend load was very low. But in this time mupdate have load about 1,5 (why ?)

The concept was that mupdate is only for changing location of mailboxes... My frontend have information on mailboxes (checked with ctl_mboxlist -d) but they still are looking in mupdate which causes high load and SIGSEGV... Which causes lmtpproxy to drop connections and growing queue in postfix...

Am i doing something wrong ?

Authentication is doing by sasl digest-md5 to avoid SQL database performance, so i think this is no problem..

So why mupdate causes such problems ?

Thanks

AK
Re: PTLOADER and LDAP for authorization and ptloader dies
Does ptloader die in both 2.2.12 and 2.3.3 or only 2.3.3?

I've seen it die like that in 2.3 (don't recall the minor version), but never had a chance to investigate it.

-Patrick

On Jun 15, 2006, at 5:30 AM, Sebas PRE wrote:

This is my installation:

- Red Hat Enterprise 3
- imapd-2.2.12 or imapd-2.3.3 (I tested both)
- cyrus-sasl-2.1.15

I have in 'cyrus.conf':

ptloader cmd="ptloader" listen="/u01/config/ptclient/ptsock" prefork=1

in the file 'imapd.conf':

# LDAP PTLOADER
auth_mech: pts
pts_module: ldap
ptloader_sock: /u01/config/ptclient/ptsock
ptscache_db: skiplist
ptscache_timeout: 10800
ldap_sasl: 0
ldap_uri: ldap://ldapserver:port/
ldap_bind_dn: cn=adminuser
ldap_password: adminpass
ldap_base: ou=main,dc=org
ldap_scope: sub
ldap_version: 3
ldap_size_limit: 0

and in 'saslauthd.conf'

ldap_servers: ldap://ldapserver:port/
ldap_search_base: ou=main,dc=org
ldap_bind_dn: cn=adminuser
ldap_password: adminpass

When I run 'master' process I can't connect to IMAP and I obtain the typical bad password error. Now I see this in my cyrus.log:

Jun 14 19:05:16 cyrus-server ptloader[13081]: starting: $Id: ptloader.c,v 1.32.2.9 2005/02/25 07:19:06 shadow Exp $
Jun 14 19:05:31 cyrus-server imap[13021]: accepted connection
Jun 14 19:05:31 cyrus-server imap[13021]: ptload(): pinging ptloader
Jun 14 19:05:31 cyrus-server ptloader[13081]: accepted connection
Jun 14 19:05:31 cyrus-server imap[13021]: ptload(): empty response from ptloader server
Jun 14 19:05:31 cyrus-server master[13014]: process 13081 exited, signaled to death by 11
Jun 14 19:05:31 cyrus-server master[13014]: service ptloader pid 13081 in READY state: terminated abnormally
Jun 14 19:05:31 cyrus-server imap[13021]: badlogin: srv-ln-pre1.datadec-online.com [192.168.65.130] plaintext user001 invalid user
Jun 14 19:05:31 cyrus-server master[13082]: about to exec /uc01-cyr1/server/2.3/bin/ptloader
Jun 14 19:05:31 cyrus-server ptloader[13082]: executed

Can anybody help me?

Greetings and thanks.

Sebastian Calero.
Re: problem with :DBERROR db4: Logging region out of m
On Jun 8, 2006, at 7:28 AM, Marek Must wrote:

Jun 8 14:04:48 mail lmtpunix[13729]: DBERROR db4: Logging region out of memory; you may need to increase its size
Jun 8 14:04:48 mail lmtpunix[13729]: DBERROR: opening /var/lib/imap/deliver.db: Cannot allocate memory
Jun 8 14:04:48 mail lmtpunix[13729]: DBERROR: opening /var/lib/imap/deliver.db: cyrusdb error

i come to this problem all the time, and i seem not getting any solution.. if i restart postfix then all fall into place and it will work for couple of hours an then i have to restart postfix again..

using cyrus-imapd-2.2.12-3.RHEL4.1. can i dont anything or can i only make aliases for restarting postfix and stuff?:)

Marek

Not sure what you've tried, but here are some options:

1. Switch the deliver.db (or possibly others) to skiplist
2. Have you tried creating a DB_CONFIG file in the db directory?

something like db_stat -l -h /var/cyrus/db will tell you stats about logging

in the DB_CONFIG you could have stuff like

set_cachesize 0 8388608 8
#the line below sets the size of the logging region
set_lg_regionmax 524288
set_lg_bsize 2097152

you need to run db_recover to make changes in your DB_CONFIG take effect.

cachesize is how large you want the DB to be

-Patrick
Re: cyrus ACL and groups ...
I'm not sure if there is anything besides 'man imapd.conf'

On Jun 5, 2006, at 3:28 AM, Brasseur Valéry wrote:

That nearly what i am looking for !!! Where is the doc for pts ? and the LDAP part ?

Thanks

-----Original Message-----
From: Patrick Radtke [mailto:[EMAIL PROTECTED]
Sent: Friday 2 June 2006 16:54
To: Brasseur Valéry
Cc: info-cyrus@lists.andrew.cmu.edu
Subject: Re: cyrus ACL and groups ...

Are your users stored in a LDAP server as well? If so, then you can have Cyrus speak LDAP and get the info. Plus it can do caching (ptscache_timeout)

In Cyrus 2.3 you'd want to do something like

#make the authz mechanism be pts
auth_mech: pts
#make pts talk to ldap
pts_module: ldap
ldap_base: dc=cc,dc=columbia,dc=edu
ldap_group_base: ou=group,dc=cc,dc=columbia,dc=edu
ldap_member_base: ou=group,dc=cc,dc=columbia,dc=edu
ldap_member_method: filter
ldap_member_filter:(memberuid=%U)
ldap_member_attribute: cn
ldap_size_limit: 100
ldap_sasl: 0
ldap_uri: ldap://ldapserver:prt
ptloader_sock: /var/cyrus/socket/ptsock

look for ldap_* options in `man imapd.conf`

-Patrick

On Jun 2, 2006, at 4:31 AM, Brasseur Valéry wrote:

I have seen in the code that when you want to use groups in ACL for cyrus, the group is a UNIX one ... (calling setgrent, getpwnam ... )

Is there a way to use LDAP groups instead ...

Thanks

Valery
Re: cyrus ACL and groups ...
Are your users stored in a LDAP server as well? If so, then you can have Cyrus speak LDAP and get the info. Plus it can do caching (ptscache_timeout)

In Cyrus 2.3 you'd want to do something like

#make the authz mechanism be pts
auth_mech: pts
#make pts talk to ldap
pts_module: ldap
ldap_base: dc=cc,dc=columbia,dc=edu
ldap_group_base: ou=group,dc=cc,dc=columbia,dc=edu
ldap_member_base: ou=group,dc=cc,dc=columbia,dc=edu
ldap_member_method: filter
ldap_member_filter:(memberuid=%U)
ldap_member_attribute: cn
ldap_size_limit: 100
ldap_sasl: 0
ldap_uri: ldap://ldapserver:prt
ptloader_sock: /var/cyrus/socket/ptsock

look for ldap_* options in `man imapd.conf`

-Patrick

On Jun 2, 2006, at 4:31 AM, Brasseur Valéry wrote:

I have seen in the code that when you want to use groups in ACL for cyrus, the group is a UNIX one ... (calling setgrent, getpwnam ... )

Is there a way to use LDAP groups instead ...

Thanks

Valery
Re: Cyrus IMAPd 2.3.4 Released
On May 25, 2006, at 6:00 AM, Robert Mueller wrote:

1. There's no regression testing with cyrus at all. I did try and start a cyrus regression test a while back (just a perl script to test basic IMAP functionality) but there wasn't really interest in taking it up. I still strongly believe that some form of basic regression test that is built up more and more over time is important.

I'm interested in a nice regression suite.

I've been doing some OpenLDAP stuff recently and they have (what seems like) 2 hours worth of tests that occur once you build the software.

For a long time, I've been meaning to look at how they do it and see if a similar approach could be used with Cyrus IMAPd, but other projects always take a priority.

The nice thing about regression testing is that we can start small. If there was some agreed upon methodology then when anyone (e.g. Ken, someone submitting a patch, someone reporting a bug, etc) can create tests to show how a bug gets triggered or that new code/patch doesn't introduce bugs.

-Patrick
Re: Replication specifics
On May 23, 2006, at 4:48 PM, David Korpiewski wrote: So I got into a big argument with the people in my department about how replication works and I'm seeking some guidance from the community: (1)The worst fear of any prof here at UMASS is the potential of losing a single email. So my question is this: If we set up replication, and we have to failover to the replica, is there any way to get back email that may not have been replicated -- ones that currently only exists on the defunct master? If the replica updates every 10 seconds, then we have the potential to lose 10 seconds of email. Or worse case, the sync_client dies and we lose 30 minutes or more of emails before we failover! Once we have the primary/master backend machine working again after a failover (assuming its RAID is still intact) we do a find for any messages that have timestamps just prior to the the machine failing. We then compare this list to the messages on the replica. Since we have delayed expunge on, we can still determine if a specific message was replicated even if the user deleted it. We also monitor the sync_client process and someone gets alerted if it goes away. Of course some messages can be lost. But the same is true for any of your smtp machines. If one suffers a catastrophic failure then any messages queued on the machine would be lost. Do other folks out there plan for this potential for lost emails or do you just failover and if a few messages get lost, you don't worry about it? (2)Also, is there a master sync transaction log file somewhere that specifies what is being done? In other words, if we failed over, could we find a transaction log that would tell us what was not committed and then manually run through it to make the updates? 
I found the log files in /var/lib/imap/sync, but these are very uninformative: for example:
SEEN davidk user.davidk
SEEN davidk user.davidk
SEEN davidk user.davidk
it would be nice to see SEEN update message READ 12020 for user.davidk.INBOX, but I don't know if this detailed information is somewhere on the system or just resides in memory.
We look there as well (and back it up prior ). Then we just look in the users' folders for the timestamps on messages.
(3) My final question is this: If we do a manual sync_client update, is the update a full copy or is it a differential copy? So I want to know if we run a manual sync_client if it is going to overwrite the entire replica's mailstore or just search and find what is different and just update those portions.
I believe it does a diff (I haven't looked at the code)
-Patrick
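
The post-failover check described in this message (find messages stamped just before the master failed, then compare against the replica), as an added sketch that is not code from the thread or from the Cyrus project. It assumes message files are named `<UID>.` inside each mailbox directory, that UIDs match on both sides, and that file mtime approximates delivery time; the function names, paths and sample data are constructed for the example.

```python
import hashlib
import os
import tempfile


def message_files(spool_root):
    """Yield (relative_path, absolute_path) for files named like '123.'."""
    for dirpath, _dirs, files in os.walk(spool_root):
        for name in files:
            # Skip cyrus.index, cyrus.cache and other non-message files.
            if name.endswith(".") and name[:-1].isdigit():
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, spool_root).replace(os.sep, "/")
                yield rel, full


def sha256_file(path):
    """Hash a file in chunks so large messages are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def replication_gap(master_root, replica_root, failure_time, window_seconds):
    """Return (missing, differing) message paths for the pre-failure window.

    missing:   present on the recovered master, absent on the replica
    differing: present on both, but the content hashes disagree
    """
    cutoff = failure_time - window_seconds
    missing, differing = [], []
    for rel, full in message_files(master_root):
        if os.stat(full).st_mtime < cutoff:
            continue  # older than the window we care about
        peer = os.path.join(replica_root, *rel.split("/"))
        if not os.path.isfile(peer):
            missing.append(rel)
        elif sha256_file(peer) != sha256_file(full):
            differing.append(rel)
    return sorted(missing), sorted(differing)


def _write(root, rel, data, mtime):
    """Create a sample file with a fixed modification time."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.utime(path, (mtime, mtime))


def demo():
    """Build two constructed spool trees and report the gap between them."""
    failure = 1148400000  # constructed failure time, epoch seconds
    box = "user/davidk"   # constructed mailbox directory
    with tempfile.TemporaryDirectory() as master, \
            tempfile.TemporaryDirectory() as replica:
        _write(master, box + "/101.", b"old mail\r\n", failure - 3600)
        _write(master, box + "/102.", b"recent, replicated\r\n", failure - 20)
        _write(master, box + "/103.", b"recent, never sent\r\n", failure - 5)
        _write(master, box + "/104.", b"recent, full body\r\n", failure - 8)
        _write(master, box + "/cyrus.index", b"\0", failure - 1)
        _write(replica, box + "/101.", b"old mail\r\n", failure - 3600)
        _write(replica, box + "/102.", b"recent, replicated\r\n", failure - 19)
        _write(replica, box + "/104.", b"recent, fu", failure - 8)  # partial copy
        return replication_gap(master, replica, failure, window_seconds=60)


if __name__ == "__main__":
    missing, differing = demo()
    print("missing on replica:", missing)
    print("content differs:", differing)
```

Run it against read-only copies or snapshots of both spools, and choose the window from how long sync_client may have been behind or stopped.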
Re: mailboxes.db backend comparison
On May 18, 2006, at 12:11 PM, Andrew Morgan wrote:
On Wed, 17 May 2006, Wesley Craig wrote:
On 17 May 2006, at 14:21, Andrew Morgan wrote:
My most recent test was to rebuild the mupdate master mailboxes.db from my backend server.
skiplist - 20-25 minutes
berkeley - 3 minutes
How many mailboxes are there?
Is there also a speed difference when running 'time ctl_mboxlist -mw' from your backends?
-Patrick
Re: mailboxes.db backend comparison
On May 22, 2006, at 1:55 PM, Andrew Morgan wrote:
On Mon, 22 May 2006, Patrick Radtke wrote:
On May 18, 2006, at 12:11 PM, Andrew Morgan wrote:
On Wed, 17 May 2006, Wesley Craig wrote:
On 17 May 2006, at 14:21, Andrew Morgan wrote:
My most recent test was to rebuild the mupdate master mailboxes.db from my backend server.
skiplist - 20-25 minutes
berkeley - 3 minutes
How many mailboxes are there?
About 145000.
Is there also a speed difference when running 'time ctl_mboxlist -mw' from your backends?
That's what I did. :)
haha, yup :) I should have been clearer. I want to know the diff speed, not the rebuild speed. So how long does ctl_mboxlist -mw take to run when the mupdate master is in sync with the backend? For example, with backend and murder master in sync, ctl_mboxlist takes 16 seconds to run here. If I'm rebuilding the murder master db from scratch then it takes 2+ hours. We have 782443 mailboxes, divided up across a bunch of backends.
I would like the speed of berkeley, but I don't trust it to be stable.
-Patrick
Re: Replication problem
with cipher AES256-SHA (256/256 bits new) no authentication
May 17 11:30:57 lmc1 sync_client[20376]: Doing a peer verify
Running log of the Replica:
--
May 17 11:30:56 lmc2 master[17441]: about to exec /usr/lib/cyrus-imapd/sync_server
May 17 11:30:56 lmc2 syncserver[17440]: accepted connection
May 17 11:30:56 lmc2 syncserver[17440]: cmdloop(): startup
May 17 11:30:57 lmc2 syncserver[17441]: executed
May 17 11:30:57 lmc2 syncserver[17440]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
May 17 11:30:57 lmc2 syncserver[17438]: login: lmc1.cs.umass.edu [128.119.243.236] cyrus PLAIN+TLS User logged in
May 17 11:30:57 lmc2 master[17442]: about to exec /usr/lib/cyrus-imapd/sync_server
May 17 11:30:57 lmc2 syncserver[17441]: accepted connection
May 17 11:30:57 lmc2 syncserver[17442]: executed
May 17 11:30:57 lmc2 syncserver[17441]: cmdloop(): startup
May 17 11:30:57 lmc2 syncserver[17440]: login: lmc1.cs.umass.edu [128.119.243.236] cyrus PLAIN+TLS User logged in
May 17 11:30:57 lmc2 master[17443]: about to exec /usr/lib/cyrus-imapd/sync_server
May 17 11:30:57 lmc2 syncserver[17442]: accepted connection
May 17 11:30:57 lmc2 syncserver[17442]: cmdloop(): startup
May 17 11:30:57 lmc2 syncserver[17443]: executed
Thank you for any help! It is much appreciated!
David
Patrick H Radtke wrote:
PLAIN for sasl_pwcheck_method isn't a valid option. Keep it as saslauthd (and then make sure the testsaslauthd program works with your sync username and password). I think you showed me your primary imapd.conf and not the replica's. What does imtest show you when you log into the replica (capability lines)?
-Patrick
On Tue, 16 May 2006, David Korpiewski wrote:
Hello Patrick! I set the sasl_pwcheck_method to be PLAIN from what it used to be (saslauthd) on the replica server.
Still doesn't work though, it gives me this error:
badlogin: lmc1.cs.umass.edu [128.119.243.236] DIGEST-MD5 [SASL (-13): user not found: no secret in database]
HISTORY: our servers are set up with saslauthd for their sasl_pwcheck_method. Saslauthd uses PAM for ldap authentication. This works fine for receiving email and authenticating users with their mail clients. However, this doesn't appear to work for sync_server when authenticating the sync_client.
These are pieces of my replica's imapd.conf:
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
sync_authname: cyrus
sync_log: 1
sync_host: lmc2.cs.umass.edu
sync_repeat_interval: 5
sync_password: XX
Thank you for any help you can offer!
David
Patrick Radtke wrote:
did you try setting sasl_pwcheck_method on the replica? 'unix' isn't a SASL mechanism. you may want to try PLAIN (what do you use currently on the primary server)?
on the replica use this line
sasl_mech_list: PLAIN
to make it only advertise PLAIN authentication, and then the primary machine will try using that sasl mechanism when connecting. This will then invoke what you have for your sasl_pwcheck_method.
-Patrick
On May 16, 2006, at 3:47 PM, David Korpiewski wrote:
I'm in the middle of trying to set up replication. However, I keep running into a problem. The replication error I'm getting on the replica is this if I don't specify a sync_authname and sync_password:
syncserver[7682]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
I get this error if I'm specifying a sync_authname and sync_password:
badlogin: lmc1.cs.umass.edu [128.119.243.236] DIGEST-MD5 [SASL (-13): user not found: no secret in database]
MY QUESTION IS THIS: How can I change what sync_server uses for its authentication? I want it to either use LDAP or the local passwd/shadow files. It obviously keeps trying to use DIGEST-MD5, in which case it would have to look for a md5 file in a particular location, but I don't see how to specify that either.
I tried setting auth_mech and sasl_auth_mech to be unix in the /etc/imapd.conf but that doesn't change anything. Can anyone help me?
Thanks,
David
--
David Korpiewski Phone: 413-545-4319
Software Specialist IFax: 413-577-2285
Department of Computer Science ICQ: 7565766
University of Massachusetts Amherst
reconstruct removes messages?
We had a user with approx 525 messages in her mailbox, but she was only able to see about 500 of them (e.g. (two different) clients said there were 525 messages, but only 500 were available to see).
We ran reconstruct (with -r) on her inbox and all but 9 of the messages disappeared.
any ideas? We're going to do a tape restoral but that won't really work if reconstruct just deletes the messages we restore...
running 2.3 with delayed expunge.
-Patrick
Re: Replication problem
did you try setting sasl_pwcheck_method on the replica? 'unix' isn't a SASL mechanism. you may want to try PLAIN (what do you use currently on the primary server)?
on the replica use this line
sasl_mech_list: PLAIN
to make it only advertise PLAIN authentication, and then the primary machine will try using that sasl mechanism when connecting. This will then invoke what you have for your sasl_pwcheck_method.
-Patrick
On May 16, 2006, at 3:47 PM, David Korpiewski wrote:
I'm in the middle of trying to set up replication. However, I keep running into a problem. The replication error I'm getting on the replica is this if I don't specify a sync_authname and sync_password:
syncserver[7682]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
I get this error if I'm specifying a sync_authname and sync_password:
badlogin: lmc1.cs.umass.edu [128.119.243.236] DIGEST-MD5 [SASL (-13): user not found: no secret in database]
MY QUESTION IS THIS: How can I change what sync_server uses for its authentication? I want it to either use LDAP or the local passwd/shadow files. It obviously keeps trying to use DIGEST-MD5, in which case it would have to look for a md5 file in a particular location, but I don't see how to specify that either. I tried setting auth_mech and sasl_auth_mech to be unix in the /etc/imapd.conf but that doesn't change anything. Can anyone help me?
Thanks,
David
--
David Korpiewski Phone: 413-545-4319
Software Specialist IFax: 413-577-2285
Department of Computer Science ICQ: 7565766
University of Massachusetts Amherst
Re: doing replication from two machine to one machine
On May 3, 2006, at 8:34 AM, Rudy Gevaert wrote:
Hi, At our site I'm going to set up several cyrus servers to store all the email for staff and students. We now have only one cyrus server for the staff. In the near future we are going to several backends running cyrus for staff and students. I'm looking into replication. Now I was wondering if it is possible to replicate two (or more) cyrus servers to one replica server?
I believe so, but then what are your fail over plans? Are you running this in a murder?
-Patrick
Re: Make cyradm use plain+tls
On May 2, 2006, at 3:24 PM, Perry Brown wrote:
I log into imtest:
/opt/mail/cyrus-imapd/bin/imtest -t "" -p imap -u cyrus -a cyrus -m plain
Run
C: XFER user.vbperry server2.sub2.domain.com
and get
C: NO Server(s) unavailable to complete operation
Am I using the right auth mode? should the imtest connect or xfer command be formatted differently? I looked in the archives and could not locate the thread you mentioned, was that on list?
No, our discussion was off list.
What does syslog say (on both servers)?
Can you log in with imtest to the 2nd server?
Do you allow other SASL mechanisms? I think what we tried with Richard may have only worked since PLAIN is the only mechanism his 2nd server offered.
What other mechanism does your secondary server offer? it should be part of the CAPABILITY response when imtest logs in.
-Patrick
Re: Make cyradm use plain+tls
On May 2, 2006, at 4:19 PM, Perry Brown wrote:
On May 2, 2006, at 3:24 PM, Perry Brown wrote:
I log into imtest:
/opt/mail/cyrus-imapd/bin/imtest -t -p imap -u cyrus -a cyrus -m plain
Run
C: XFER user.vbperry server2.sub2.domain.com
and get
C: NO Server(s) unavailable to complete operation
Am I using the right auth mode? should the imtest connect or xfer command be formatted differently? I looked in the archives and could not locate the thread you mentioned, was that on list?
No, our discussion was off list.
What does syslog say (on both servers)?
We have cyrus logging to local6 so I'll assume that is what you are interested in.
On source server:
May 2 13:11:42 server1 imap[5927]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
May 2 13:11:46 server1 imap[5927]: login: localhost.localdomain [127.0.0.1] cyrimap PLAIN+TLS User logged in
May 2 13:12:12 server1 imap[5927]: couldn't authenticate to backend server: generic failure
May 2 13:12:12 server1 imap[5927]: Could not move mailbox: user.vbperry, Initial backend connect failed
On Destination server:
May 2 13:12:12 server2 master[6574]: about to exec /opt/mail/cyrus-imapd/bin/imapd
May 2 13:12:12 server2 imap[6574]: executed
Can you log in with imtest to the 2nd server?
Yes
server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -t -p imap -u cyrus -a cyrus -m plain server2.sub2
S: * OK server2.sub2.domain.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
verify error:num=18:self signed certificate
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
Please enter your password: enter passwd for cyrus account
C: A01 AUTHENTICATE PLAIN Y3lyaW1hcABjeXJpbWFwAGpTdXZTMTFz
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256
Do you allow other SASL mechanisms? I think what we tried with Richard may have only worked since PLAIN is the only mechanism his 2nd server offered.
What other mechanism does your secondary server offer? it should be part of the CAPABILITY response when imtest logs in.
It's offering AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5
Should the connect use plain since it is the first available? How can I disable the other AUTH mechanisms?
It's not the first available though. If you look at the first capability call, PLAIN isn't offered. It's only seen after the STARTTLS when the CAPABILITY call is offered again.
To remove the other Auth mechanisms (I'm assuming you don't use them), put
sasl_mech_list: PLAIN
in your imapd.conf file on the second machine.
-Patrick
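
The difference between the first and second CAPABILITY responses that Patrick points out, as an added example (not code from the thread or from the Cyrus project). It parses an imtest-style transcript, reports which SASL mechanisms are gated behind STARTTLS, and models what a connecting host would try with and without a forced mechanism or a server-side `sasl_mech_list`. The transcript is constructed, the helper names are hypothetical, and the default preference order is an assumption made for illustration.

```python
import re

# Constructed transcript, modelled on the imtest session quoted above.
# Capability lists are shortened; the host name is a sample value.
TRANSCRIPT = """\
S: * OK server2.example.test Cyrus IMAP4 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4rev1 IDLE STARTTLS AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR
S: C01 OK Completed
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
C: C01 CAPABILITY
S: * CAPABILITY IMAP4rev1 IDLE AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR
S: C01 OK Completed
"""

# Mechanisms that hand the password itself to the server.
PASSWORD_MECHS = {"PLAIN", "LOGIN"}

# Assumed client preference when nothing is forced (illustrative ordering,
# not taken from the Cyrus SASL source).
DEFAULT_PREFERENCE = ["GSSAPI", "DIGEST-MD5", "CRAM-MD5", "PLAIN", "LOGIN"]


def mechs_by_phase(transcript):
    """Return the AUTH= mechanisms advertised before and after STARTTLS."""
    phases = {"cleartext": [], "tls": []}
    phase, starttls_tag = "cleartext", None
    for line in transcript.splitlines():
        side, sep, rest = line.partition(": ")
        if not sep:
            continue  # e.g. TLS library messages printed by imtest
        if side == "C":
            match = re.fullmatch(r"(\S+) STARTTLS", rest, re.IGNORECASE)
            if match:
                starttls_tag = match.group(1)
        elif side == "S":
            if starttls_tag and rest.startswith(starttls_tag + " OK"):
                phase, starttls_tag = "tls", None
            elif rest.upper().startswith("* CAPABILITY"):
                phases[phase] = [tok[5:].upper() for tok in rest.split()
                                 if tok.upper().startswith("AUTH=")]
    return phases


def tls_gated(phases):
    """Mechanisms that only appear once the channel is encrypted."""
    return [m for m in phases["tls"] if m not in phases["cleartext"]]


def password_mechs_in_clear(phases):
    """Password-bearing mechanisms offered without TLS (should be empty)."""
    return [m for m in phases["cleartext"] if m in PASSWORD_MECHS]


def restrict(offered, mech_list):
    """Model a server-side allow-list such as `sasl_mech_list: PLAIN`."""
    allowed = {m.upper() for m in mech_list}
    return [m for m in offered if m in allowed]


def pick_mechanism(offered, forced=None, preference=DEFAULT_PREFERENCE):
    """Return the mechanism a client would try, or None if none is usable."""
    if forced is not None:
        return forced.upper() if forced.upper() in offered else None
    for mech in preference:
        if mech in offered:
            return mech
    return None


if __name__ == "__main__":
    p = mechs_by_phase(TRANSCRIPT)
    print("before TLS:", p["cleartext"])
    print("after TLS: ", p["tls"])
    print("gated behind TLS:", tls_gated(p))
    print("forced PLAIN without TLS:", pick_mechanism(p["cleartext"], "PLAIN"))
    print("unforced after TLS:", pick_mechanism(p["tls"]))
    print("after sasl_mech_list: PLAIN:",
          pick_mechanism(restrict(p["tls"], ["PLAIN"])))
```

An empty result from `password_mechs_in_clear` is the property worth checking on every backend: PLAIN and LOGIN should never be advertised before the TLS layer is up.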
Re: Cyrus admin user that can read messge on all accounts?
The 'cyrus' user. whatever is in 'admins:' in your imapd.conf file
or if you don't want to use that one, you can create a user and add to 'proxy_authname' that allows you to authenticate as the proxy user but then take on the authorization of a target user.
-Patrick
On Apr 28, 2006, at 3:08 PM, Kevin Baker wrote:
Is there an admin user that has permissions to access all other accounts? I am running IMAPSync between two servers, a couple times a day for backups. The newest version of IMAPSync allows for a separate admin auth user to be specified so that you do not need to know the password for all users you are syncing. If there is no user like this, how would I go about creating it in Cyrus? I realize there are security risks to this, but this seems to be the best solution for us right now.
Thanks,
Kevin
Re: huge time for rename
Does the user have a lot of folders? Is the load high on your murder master? I haven't used xfer much, but possibly it takes time for the 2nd machine to create the index and cache files.
-Patrick
On Apr 25, 2006, at 11:02 AM, roos wrote:
Hi, transfer of mailbox which size is 15mb between backends takes up to 1min (on powerful servers and 1G ethernet, without any other load)! What can it be? Thank you.
Re: does xfer require murder?
Basically:
Cyrus Imapd uses a SASL mechanism to talk between cyrus machines.
The SASL mechanism you are using is PLAIN (I don't think LOGIN is a SASL mechanism, it's imap specific)
PLAIN requires TLS
TLS requires certificates.
You don't have certificates.
if
imtest -t -m PLAIN -a cyrus -u cyrus servername
does not work, then xfer never will. Get a cert! :)
-Patrick
On Apr 21, 2006, at 4:30 PM, Perry Brown wrote:
Sorry to keep bugging everyone on this but it seems I am close I'm just overlooking something obvious. I looked through the config on the hosts and we are using pam. I changed the imapd.conf a little
defaultpartition: imap1
configdirectory: /var/imap
partition-imap1: /var/spool/imap1
admins: cyrus support
srvtab: /var/imap/srvtab
quotawarn: 85
popminpoll: 0
autocreatequota: 3
sasl_pwcheck_method: saslauthd
lmtp_over_quota_perm_failure: 1
allowusermoves: yes
proxy_authname: cyrus
proxy_password: password
force_sasl_client_mech: LOGIN PLAIN
Imtest looks to work Ok with Login
server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -p imap -m login
WARNING: no hostname supplied, assuming localhost
S: * OK server1.sub1.domain.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN cyrus {8}
S: + go ahead
C: omitted
S: L01 OK User logged in
Authenticated.
Security strength factor: 0
This works to the localhost as well as to server2.
I try the xfer from server1 to server2:
server1.sub1% /opt/mail/cyrus-imapd/bin/cyradm --user cyrus --server server1.sub1 --auth login
IMAP Password: server1.sub1.domain.com server1.sub1.domain.com xfer user.vbperry server2.sub2
xfermailbox: Server(s) unavailable to complete operation
the log from server2 shows:
Apr 21 12:56:31 server2 imap[27408]: badlogin: server1.sub1.domain.com [10.12.12.12] PLAIN [SASL(-4): no mechanism available: security flags do not match required]
/etc/sysconfig/saslauthd
MECH=pam
FLAGS=${FLAGS:=}
Is there a doc on the sysconfig/saslauthd flags? I looked through the docs that came with cyrus-imap and cyrus-sasl and did not find anything. From server1 I can log into server2 with imtest, testsaslauthd works OK as well. What security flags do not match? Is there a way to kick up the verbosity of the logging to see if that would give a clue?
Perry
I tried with plain:
/opt/mail/cyrus-imapd/bin/imtest -m plain -p imap
And it got rejected.
C: A01 AUTHENTICATE PLAIN Y3lyaW1hcABjeXJpbWFwAGpTdXZTMTFz
S: A01 NO no mechanism available
Authentication failed. generic failure
Security strength factor: 0
I can not find a tls conf file so I do not think starttls is set up. I added the entry mentioned to imapd.conf
$ cat /etc/imapd.conf
defaultpartition: imap1
configdirectory: /var/imap
partition-imap1: /var/spool/imap1
admins: cyrus support
srvtab: /var/imap/srvtab
quotawarn: 85
popminpoll: 0
autocreatequota: 3
sasl_pwcheck_method: saslauthd
lmtp_over_quota_perm_failure: 1
allowusermoves: yes
proxy_authname: cyrus
proxy_password: password
force_sasl_client_mech: PLAIN
And it gets things further along than before
$ sudo /opt/mail/cyrus-imapd/bin/cyradm --user cyrus --server server1 --auth PLAIN
domain.com authorized use only.
[EMAIL PROTECTED] Password: Password:
IMAP Password: server1.sub1.domain.com server1.sub1.domain.com xfer user.vbperry server2.sub2.domain.com
xfermailbox: Server(s) unavailable to complete operation
log on source:
Apr 20 17:42:05 server1 imap[1458]: accepted connection
Apr 20 17:42:07 server1 imap[1458]: badlogin: server1.ssub1.domain.com [10.12.12.12] PLAIN [SASL(-4): no mechanism available: security flags do not match required]
Apr 20 17:42:14 server1 imap[1458]: login: server1.sub1.domain.com [10.12.12.12] cyrus plaintext User logged in
Apr 20 17:42:41 server1 master[27630]: process 32354 exited, status 0
Apr 20 17:42:41 server1 master[2161]: about to exec /opt/mail/cyrus-imapd/bin/imapd
Apr 20 17:42:41 server1 imap[2161]: executed
Apr 20 17:42:55 server1 imap[1458]: couldn't authenticate to backend server: authentication failure
Apr 20 17:42:55 server1 imap[1458]: Could not move mailbox: user.vbperry, Initial backend connect failed
But I'm now at least seeing something on the destination server:
Apr 20 17:42:52 server2 imap[24375]: badlogin: server1.sub1.domain.com [10.12.12.12] PLAIN [SASL(-4): no mechanism available: security flags do not match required]
If I can take a step back (sorry I'm trying to decipher how the previous admin had things set up in the environment). The document on how this was set up states. cyrus-sasl was config'ed with ./configure
Re: mupdate slave master on the same machine?
On Apr 20, 2006, at 5:16 PM, Andrew Morgan wrote:
On Thu, 20 Apr 2006, Patrick Radtke wrote:
I'm not sure if it's too clear from the documentation (or if it's in there) but you can also configure lmtpproxyd on each frontend to query the slave mupdate process on the localhost. On a busy system this can reduce the load on the murder master since lmtpproxyd won't be connecting to it for every incoming email message.
How do you do this? I can't find a manpage for lmtpproxyd on my v2.2.12 box.
Andy
probably isn't a manpage... I think I just read the lmtpd one and assumed they would be similar
in cyrus.conf we have
lmtpunix cmd="lmtpproxyd -C /etc/lmtp.conf" listen="/var/cyrus/socket/lmtp" prefork=15 maxchild=540
/etc/lmtp.conf is identical to our imapd.conf file except that it has this line (which tells lmtp to connect locally)
mupdate_server: localhost
we connect locally using plaintext and the 'frontend' user. Then we run mupdate on the same machine with the relevant portions
admins: cyrus murder frontend
#allowplaintext: no
mupdate_server: notdog
so on each frontend, mupdate talks to the murder master and then lmtpproxyd talks to the local mupdate. We found this had several benefits:
1. Less load on murder master
2. Faster response for lmtpproxyd queries
3. Easier to keep mail being delivered during a murder master outage (we had 2-3 hosts dedicated to just lmtpproxyd, so during a murder master outage we just run mupdate with the -m on those frontends. This effectively makes the machine think it's the master, and makes it 'ready' for connections and allows mail delivery to continue. When murder master has been fixed, we remove the '-m' and it becomes a slave to the real murder master)
This worked great until our mail volume got too high, so we switched most of our mail to be sent directly to the backends using sendmail aliases.
anyhow, hope that helps someone :)
-Patrick
Re: does xfer require murder?
You need to use tls as well for PLAIN to work. add -t to your arguments
What mechanism do you want to use for connecting between backends? If it's PLAIN then you want
force_sasl_client_mech: PLAIN
in your imapd.conf file. Otherwise, the machines will see GSSAPI advertised and will try using that.
-Patrick
On Apr 20, 2006, at 5:19 PM, Perry Brown wrote:
Perry Brown wrote:
Thanks for the imtest idea. It looks like I can log in OK.
server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -m login -p imap server2.sub2.domain.com
Force imtest to use one of the SASL mechanisms that are listed. The backends *only* use SASL, not protocol specific login commands (IMAP LOGIN, POP3 USER/PASS, NNTP AUTHINFO USER/PASS).
I'm sorry I got my dunce cap on today or something. Should I change the -m login to -m and one of the AUTH= values from the CAPABILITY output? ie -m GSSAPI? or digest-md5 etc...
Andy Morgan wrote:
Maybe -m plain?
thank you for the suggestion Andy but no luck.
server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -m plain -p imap
WARNING: no hostname supplied, assuming localhost
S: * OK server1.sub1.domain.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
Please enter your password:
C: A01 AUTHENTICATE PLAIN Y3lyaW1hcABjeXJpbWFwAGpTdXZTMTFz
S: A01 NO no mechanism available
Authentication failed. generic failure
Security strength factor: 0
I gave this a try with GSSAPI, and got nothing.
digest-md5,
server1.sub1% /opt/mail/cyrus-imapd/bin/imtest -m digest-md5
WARNING: no hostname supplied, assuming localhost
S: * OK server1.sub1.domain.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
C: A01 AUTHENTICATE DIGEST-MD5
S: wkrnfjknf (etc list of characters)
Please enter your password: (I enter passwd for cyrus)
C: dXNlcm5h (another long list of characters)
S: A01 NO user not found
Authentication failed. generic failure
Security strength factor: 128
This is what I see in local6.log on server1.sub1
Apr 20 11:04:32 server1 imap[17729]: accepted connection
Apr 20 11:04:38 server1 imap[17729]: badlogin: localhost.localdomain [127.0.0.1] DIGEST-MD5 [SASL(-13): user not found: no secret in database]
This is in the auth.log
Apr 20 11:06:26 server1 imap[15971]: unable to open Berkeley db /etc/sasldb2: No such file or directory
Apr 20 11:06:26 server1 imap[15971]: unable to open Berkeley db /etc/sasldb2: No such file or directory
Apr 20 11:06:26 server1 imap[15971]: no secret in database
cram-md5 got me pretty much the same thing. Is there a cyrus or sasl command I should/can run to get the auth for digest-md5 working?
Perry
S: * OK server2.sub2.domain.com Cyrus IMAP4 v2.2.8 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN cyrus {8}
S: + go ahead
C: omitted
S: L01 OK User logged in
Authenticated.
Security strength factor: 0 CAPABILITY
Re: does xfer require murder?
On Apr 19, 2006, at 12:54 PM, Ken Murchison wrote:
Andrew Morgan wrote:
On Wed, 19 Apr 2006, Ken Murchison wrote:
Perry Brown wrote:
Here is what my imapd.conf looks like:
defaultpartition: imap1
configdirectory: /var/imap
partition-imap1: /var/spool/imap1
admins: cyrus support
srvtab: /var/imap/srvtab
quotawarn: 85
popminpoll: 0
autocreatequota: 3
sasl_pwcheck_method: saslauthd
lmtp_over_quota_perm_failure: 1
allowusermoves: yes
proxy_authname: cyrus
proxy_password: password
proxyservers: cyrus
Just tested XFER on 2.2.13 and it works fine. Your problem is that you've specified the password for a machine named 'proxy'. Presumably, you want:
server1_password: password
server2_password: password
on the respective machines
I have a test murder environment running with v2.2.12. I've been using proxy_authname and proxy_password on my frontend server just fine. The man page says that those parameters set the defaults for connecting to a backend, but they can be overridden with hostname specific versions.
Hmm. You're right.
Then I'd try using imtest to connect to the backends using the proxy_authname and proxy_password to see what it complains about.
Also try testing it without the 'srvtab' line and with
force_sasl_client_mech: PLAIN
The machine might be trying to do some kerberos stuff and I'm thinking you just want to use PLAIN
-Patrick
Re: Avoiding deliver.db corruption
basically duplicate suppression might miss a few messages (since you've deleted what it does its comparison against).
Also, I think it resets any state associated with vacation. e.g. Someone who has already gotten a vacation auto-response, may get another one after the deliver.db is deleted and if they send another message to the address using vacation.
-Patrick
On Apr 19, 2006, at 1:12 PM, Karl Boyken wrote:
If I hacked our init script to delete deliver.db before starting Cyrus IMAPD, what adverse consequences would there be, if any? We recently were bitten by deliver.db corruption when our mail server went down ungracefully. Thanks in advance.
Karl Boyken
--
Karl Boyken, system administrator [EMAIL PROTECTED]
303A MLH, Dept. of Comp. Sci. http://www.cs.uiowa.edu/~boyken/
The U. of Iowa, Iowa City, IA 52242
319-335-2730 (voice) 319-335-3668 (fax)
Re: does xfer require murder?
what happens if you use cyradm to log into the second host from the first host using the proxy username and password? I think xfer is going to connect on the imap port of the 2nd machine.
Is syslog in the debug level? if not, that might give you a better hint. It seems that it's the connection from the 1st to second server that's tripping you up.
Do the two servers use the same source for authentication verification?
-Patrick
On Apr 18, 2006, at 1:29 PM, Perry Brown wrote:
Please if anyone has any suggestions. I've been banging my head against a desk on this one.
perry
I thought nscd might have been tripping me up so I tried by IP address with the same results. Also thought it may be an issue with a firewall between these 2 hosts blocking a port so I tried 2 other cyrus servers that do not have a FW between them with the same result (anyone know what port(s) xfer uses?). Any suggestions?
Thank you
Perry
I set up imapd.conf how I think it should be and restarted cyrus (even rebooted hosts). I log into the source server cyradm:
sudo cyradm --user cyrus --server server1.sub1.domain.amazon.com --auth plain
Run the xfer
server1.sub1.domain.com xfer user.vbperry server2.sub2.domain.com
And get:
xfermailbox: Server(s) unavailable to complete operation
This is in log on source:
Apr 14 15:08:15 server1 imap[3434]: couldn't authenticate to backend server: generic failure
Apr 14 15:08:15 server1 imap[3434]: Could not move mailbox: user.vbperry, Initial backend connect failed
This is on destination server:
Apr 14 15:08:15 server2 imap[3022]: accepted connection
Apr 14 15:08:15 server2 master[3125]: about to exec /opt/mail/cyrus-imapd/bin/imapd
Apr 14 15:08:15 server2 imap[3125]: executed
This is what the imapd.conf looks like on both servers.
defaultpartition: imap1 configdirectory: /var/imap partition-imap1: /var/spool/imap1 admins: cyrus support srvtab: /var/imap/srvtab quotawarn: 85 popminpoll: 0 autocreatequota: 3 sasl_pwcheck_method: saslauthd lmtp_over_quota_perm_failure: 1 allowusermoves: yes proxy_authname: cyrus proxy_password: password The systems are in different subdomains sub1.domain.com and sub2.domain.com and when I tried to do the hostname_password option it did not like dot's in the name so I did short names and added the sub#.domain.com to the resolv.conf so each host could ping by short name. I still got the error from above so I changed the imapd.conf entry servername_password to proxy_password since the cyrus account has the same password on both servers and still got the error above. Any ideas what I am missing? Thank you Perry Perry Brown wrote: Thank you for the reply. Some follow up questions. (sorry to be so dense I'm making this change on production servers so wanted to make sure I've got it right). SASL is running as: /usr/sbin/saslauthd -m /var/run/saslauthd - a pam Our pam.d configs for both imap and pop look like auth required /lib/security/pam_stack.so service=system-auth accountrequired /lib/security/pam_stack.so service=system-auth Looking at the install-murder doc I should set up all the boxes like they where frontends? (I pasted in what I think will only apply to my set up from install-murder). Additional backend configuration If your authentication system requires usernames, passwords, etc, to authenticate (e.g. it isn't Kerberos), then you will also need to specify proxy_authname (and friends) in the backend imapd.confs as well. This is so that the backends can authenticate to eachother to facilitate maibox moves. (Backend machines will need to be full admins). 
In short I just need to set up a common user account in the OS on each box and define the user as proxy_authname: and put the password for that account listed as host1_password: and host2_password etc Correct. Do I need to add this proxy_authname to imapd.conf admins: as well for the full admins requirement? Yes. Perry Brown wrote: Hi All, We are running cyrus-imap 2.2.8 and sasl 2.1.15. We have two RHEL 3 servers with about 4800 users split between them. I am looking to migrate the users to 2 new RHEL3 hosts with the same cyrus-imap and sasl versions. I added the allowusermoves to imapd.conf restarted cyrus and tried to do a test move. host1.domain.com xfer user/ host2.domain.com xfermailbox: Mailbox does not exist Both cyrus-imap and cyrus-sasl where compiled with --enable- murder (least that is what my notes say is there a way to verify?), but it looks like murder has not been set up with a master or imapd.conf file changes. Question, Is it possible to xfer a mailbox without configuring murder? Yes and no. You don't need mupdate, but the backends need to know how to authenticate to each other. Look at install-murder.html and take a look at the stuff regarding authentication. Also note that you can't XFER the entire user/
Re: cyrus vacation notice problem
On Apr 14, 2006, at 9:46 AM, Andri Herumurti wrote:

> when i try cyrus vacation notice at first it runs normally, but yesterday the problem start, cyrus vacation notice not working properly, sometimes sent a auto reply vacation notice, sometimes not. how to fix this? where is the file / database that save the cyrus vacation notice? maybe i need to delete or repair that files.
>
> Thanks for your help
> Andri

I think the deliver.db tracks who's been replied to with vacation. Vacation is designed to respond only once every 'n' days to a specific address. If you're testing by sending mail from the same address then you're probably observing the correct behavior.

-Patrick
Re: SASL/Sieve problems
do you allow plain text logins? (I don't think sieveshell won't work with it disabled)

you can try using sievec to compile the current sieve scripts and make them active.

you can debug with sivtest

# sivtest bratwurst
S: IMPLEMENTATION Cyrus timsieved v2.3-alpha
S: SASL GSSAPI
S: SIEVE comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy
S: STARTTLS
S: OK
Authentication failed. no mechanism available
Security strength factor: 0

Our server requires starttls and I didn't do it so

#sivtest -t bratwrust

does the trick

-Patrick

On Apr 7, 2006, at 1:49 PM, David H. Lynch Jr. wrote:

> I recently had to rebuild a Cyrus 2.2 Mail Server. I cloned the root partition first. Built the new system. copied the appropriate configuration from the old system, checked permissions and got everything running.
>
> Cyrus IMAP works fine. cyradm works fine. but sieve filters on accounts are inactive - they are present in /var/spool/sieve
>
> And sieveshell will not authenticate. authlog has lots of cyrus/sieve errors every time I try to run sieveshell. basically sieveshell appears to be running through a bunch of SASL authentication methods (NTLM, OTP, DIGEST-MD5, ..) and failing each and finally complaining that there are no worthy mechs
>
> I have scoured the old system and I can not find anywhere that sieve/SASL is configured separately from cyrus imap - and my imapd.conf, and cyrus.conf have not changed.
>
> I am using sasldb for authentication. I have run sasldblistusers2 with expected results, checked permissions on everything sasl related.
>
> What am I missing ? How can cyrus imap be using SASL correctly but sieve is not ?
>
> --
> Dave Lynch
> DLA Systems
> Software Development: Embedded Linux
> 717.627.3770 [EMAIL PROTECTED] http://www.dlasys.net
> fax: 1.253.369.9244 Cell: 1.717.587.7774
> Over 25 years' experience in platforms, languages, and technologies too numerous to list.
Re: Too slow
On Apr 7, 2006, at 2:58 PM, Sascha Bieler wrote:

> Everything's working just fine, but when I want to delete an email it's so slowly... Has anyone a hint for me?

I assume deleting is expunging the messages and not just flagging the messages as deleted.

I don't have a hint for your setup, but cyrus-imapd 2.3 has a delayed expunge function that (among several things) speeds up the apparent speed of expunging by removing the message from the message index (I think) but not performing the actual delete. To the user the message is expunged.

In off peak hours, cyr_expire can be run to remove all the expunged messages from disk.

-Patrick
Re: murder config
On Apr 4, 2006, at 12:49 PM, Brasseur Valéry wrote:

> If I "manually" populate the "remote mailbox" in the murder server is it sufficient?

It is until a user creates a new mailbox or deletes one. The non-Cyrus IMAP server won't be in synch with the murder master for any future changes.

-Patrick
ctl_mboxlist -u doesn't seem to work (2.3)
I was testing getting a text dump using ctl_mboxlist -d and then restoring using u. It all seems to work until I connect and get errors. I'm doing this test using a CVS version from March 30th. The machine is a frontend. I do [EMAIL PROTECTED]:/var/cyrus/proc /etc/init.d/cyrus stop Stopping cyrusmaster: [ OK ] [EMAIL PROTECTED]:/var/cyrus/proc su cyrus -c ctl_mboxlist -d /tmp/ mlist [EMAIL PROTECTED]:/var/cyrus/proc mv /var/cyrus/mailboxes.db /var/ cyrus/mailboxes.bk [EMAIL PROTECTED]:/var/cyrus/proc su cyrus -c ctl_mboxlist -u /tmp/ mlist when logging in I get -- phr2101 Tue Apr 4 13:55:15 2006 11441733150003 SELECT INBOX 11441733150003 NO Unknown/invalid partition 11441733150004 LOGOUT 1144173315* BYE LOGOUT received 0004 OK Completed prior to running the test, logging in would reveal -- phr2101 Tue Apr 4 13:46:57 2006 11441728170003 SELECT INBOX 1144172817* FLAGS (\Answered \Flagged \Draft \Deleted \Seen NotJunk Junk JunkRecorded $NotJunk $Junk $Forwarded) * OK [PERMANENTFLAGS (\Answered \Flagged \Draft \Deleted \Seen NotJunk Junk JunkRecorded $NotJunk $Junk $Forwarded \*)] * 2215 EXISTS * 2 RECENT * OK [UNSEEN 673] * OK [UIDVALIDITY 1120243065] * OK [UIDNEXT 40335] 0003 OK [READ-WRITE] Completed Like wise mbpath no longer works [EMAIL PROTECTED]:/var/cyrus/log/phr2101 mbpath user.phr2101 while before [EMAIL PROTECTED]:/etc/mail mbpath user.phr2101 bratwurst.cc.columbia.edu!2 here's what my entry looks like [EMAIL PROTECTED]:/var/cyrus/log/phr2101 grep user.phr2101 /tmp/mlist user.phr2101bratwurst.cc.columbia.edu!2 phr2101 lrswipcda Shouldn't I be able to restore from a text file? -Patrick Cyrus Home Page: http://asg.web.cmu.edu/cyrus Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: terminated abnormally
On Mar 23, 2006, at 8:27 AM, Ken Murchison wrote:

> Patrick Radtke wrote:
>> Every day we get a number of 'terminated abnormally' messages on our frontends. When they happen just occasionally then everything still seems to run fine. However sometimes, there will be a large number of them in a short time span and this is a sure sign that people are having trouble logging in or are being disconnected.
>>
>> here is examples from the log
>>
>> Mar 22 10:50:07 tofu master[19506]: service pop3s pid 18311 in READY state: terminated abnormally
>> Mar 22 10:50:10 tofu master[19506]: service imaps pid 18128 in READY state: terminated abnormally
>> Mar 22 10:50:20 tofu master[19506]: service imaps pid 18348 in READY state: terminated abnormally
>> Mar 22 10:50:23 tofu master[19506]: service imaps pid 13063 in READY state: terminated abnormally
>> Mar 22 10:50:32 tofu master[19506]: service pop3s pid 18404 in READY state: terminated abnormally
>> Mar 22 10:50:33 tofu master[19506]: service pop3s pid 18218 in READY state: terminated abnormally
>> Mar 22 11:01:42 valoney master[2581]: service imaps pid 25617 in READY state: terminated abnormally
>> Mar 22 11:01:46 valoney master[2581]: service pop3s pid 25682 in READY state: terminated abnormally
>> Mar 22 11:01:47 valoney master[2581]: service imaps pid 25903 in READY state: terminated abnormally
>>
>> searching on just a fail process id shows
>>
>> Mar 22 11:01:38 valoney imaps[25903]: imaps failed: [local]
>> Mar 22 11:01:47 valoney master[2581]: service imaps pid 25903 in READY state: terminated abnormally
>> Mar 22 11:01:51 valoney master[2581]: service imaps pid 25903: while trying to process message 0x2: not registered yet
>> Mar 22 11:01:52 valoney master[2581]: service imaps pid 25903 in UNKNOWN state: processing message 0x2
>>
>> ar 22 11:01:04 valoney pop3s[25440]: starttls: TLSv1 with cipher RC4-MD5 (128/128 bits new) no authentication
>> Mar 22 11:01:20 valoney pop3s[25440]: login: pool-141-155-147-109.ny5030.east.verizon.net [141.155.147.109] jg2378 plaintext+TLS User logged in
>> Mar 22 11:01:21 valoney pop3s[25440]: failed to bind to address 128.59.48.36: Cannot assign requested address
>> Mar 22 11:01:21 valoney pop3s[25440]: Doing a peer verify
>> Mar 22 11:01:21 valoney pop3s[25440]: Doing a peer verify
>> Mar 22 11:01:21 valoney pop3s[25440]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
>> Mar 22 11:01:36 valoney pop3s[25440]: pop3s failed: [local]
>> Mar 22 11:01:37 valoney pop3s[25440]: Fatal error: tls_start_servertls() failed
>> Mar 22 11:01:41 valoney master[2581]: service pop3s pid 25440 in READY state: terminated abnormally
>> Mar 22 11:01:52 valoney master[2581]: service pop3s pid 25440: while trying to process message 0x2: not registered yet
>> Mar 22 11:01:52 valoney master[2581]: service pop3s pid 25440 in UNKNOWN state: processing message 0x2
>
> I've never seen behavior like this before. You have a pop3d which looks like it successfully does TLS+PLAIN, but then attempts TLS again. What I don't know is if the client has disconnected in between, or if there is some kind of race condition.

Ken, is the second TLS just proxyd connecting to a backend?

Syslog on debug (with today's CVS cyrus 2.3) shows:

Mar 30 13:15:05 hotdog imap[18602]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Mar 30 13:15:07 hotdog imap[18602]: ptload(): fetched cache record (phr2101)(mark 1143741894, current 1143742507, limit 1143738907)
Mar 30 13:15:07 hotdog imap[18602]: ptload returning data
Mar 30 13:15:07 hotdog imap[18602]: canonified phr2101 - phr2101
Mar 30 13:15:07 hotdog imap[18602]: login: asiago.cc.columbia.edu [128.59.59.74] phr2101 PLAIN+TLS User logged in
Mar 30 13:15:07 hotdog imap[18602]: Doing a peer verify
Mar 30 13:15:07 hotdog imap[18602]: Doing a peer verify
Mar 30 13:15:07 hotdog imap[18602]: received server certificate
Mar 30 13:15:07 hotdog imap[18602]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Mar 30 13:15:07 hotdog imap[18602]: ptload(): fetched cache record (phr2101)(mark 1143741894, current 1143742507, limit 1143738907)
Mar 30 13:15:07 hotdog imap[18602]: ptload returning data
Mar 30 13:15:07 hotdog imap[18602]: canonified phr2101 - phr2101
Mar 30 13:15:07 hotdog imap[18602]: ptload(): fetched cache record (murder)(mark 1143741895, current 1143742507, limit 1143738907)
Mar 30 13:15:07 hotdog imap[18602]: ptload returning data
Mar 30 13:15:07 hotdog imap[18602]: canonified murder - murder
Mar 30 13:15:07 hotdog imap[18602]: open: user phr2101 opened INBOX on bratwurst.cc.columbia.edu

Proxyd is getting a server certificate which makes me think the 2nd tls is just encrypting the frontend to backend communication. Additionally it also looking up the 'murder' user which is the proxy user we use when frontends log into backends

Increasing the log level to debug shows a lot of

Mar 30 13:20:09 mockmeat master[23360]: service imaps pid 26574
Re: Disallowing PLAIN login without TLS
We just use

allowplaintext: no

that stops plaintext logins and will require the session to be encrypted before the PLAIN mechanism is used

-Patrick

On Mar 29, 2006, at 10:05 AM, Nikola Milutinovic wrote:

> Hi all.
>
> I am setting up our internal IMAP server.
>
> Open SUSE Linux 10.0
> Cyrus IMAP 2.2.12-13 (unlucky :-))
> Cyrus SASL 2.1.21-3
>
> I would like to ban PLAIN without TLS, but can't seem to pinpoint the right config combination. We either ban all PLAIN logins (with and without TLS) or allow them all. The client is Thunderbird 1.5.
>
> This is what we have so far in the imapd.conf:
>
> ## #
> #Login
> ## #
> allowanonymouslogin:no
> allowplaintext: yes
> allowplainwithouttls: no
> loginuseacl:no
> plaintextloginpause:0
> normalizeuid: yes
> # loginrealms: list of realms for cross-auth
> ## #
> # SASL
> ## #
> sasl_auto_transition: no
> sasl_maximum_layer: 256
> sasl_minimum_layer: 56
> sasl_pwcheck_method:saslauthd
> # sasl_option: Any SASL option can be set by preceeding it with sasl_.
> # srvtab: The pathname of srvtab file containing the server's private key.
>
> This is letting us authenticate using PLAIN. When we change allowplainlogin to yes, we can login using PLAIN, although allowplainwithouttls is set to no. In my opinion, both that setting and SASL min SSF = 56 should have cut off login via PLAIN.
>
> Any ideas?
>
> Nix.
terminated abnormally
Every day we get a number of 'terminated abnormally' messages on our frontends. When they happen just occasionally then everything still seems to run fine. However sometimes, there will be a large number of them in a short time span and this is a sure sign that people are having trouble logging in or are being disconnected.

here is examples from the log

Mar 22 10:50:07 tofu master[19506]: service pop3s pid 18311 in READY state: terminated abnormally
Mar 22 10:50:10 tofu master[19506]: service imaps pid 18128 in READY state: terminated abnormally
Mar 22 10:50:20 tofu master[19506]: service imaps pid 18348 in READY state: terminated abnormally
Mar 22 10:50:23 tofu master[19506]: service imaps pid 13063 in READY state: terminated abnormally
Mar 22 10:50:32 tofu master[19506]: service pop3s pid 18404 in READY state: terminated abnormally
Mar 22 10:50:33 tofu master[19506]: service pop3s pid 18218 in READY state: terminated abnormally
Mar 22 11:01:42 valoney master[2581]: service imaps pid 25617 in READY state: terminated abnormally
Mar 22 11:01:46 valoney master[2581]: service pop3s pid 25682 in READY state: terminated abnormally
Mar 22 11:01:47 valoney master[2581]: service imaps pid 25903 in READY state: terminated abnormally

searching on just a fail process id shows

Mar 22 11:01:38 valoney imaps[25903]: imaps failed: [local]
Mar 22 11:01:47 valoney master[2581]: service imaps pid 25903 in READY state: terminated abnormally
Mar 22 11:01:51 valoney master[2581]: service imaps pid 25903: while trying to process message 0x2: not registered yet
Mar 22 11:01:52 valoney master[2581]: service imaps pid 25903 in UNKNOWN state: processing message 0x2

ar 22 11:01:04 valoney pop3s[25440]: starttls: TLSv1 with cipher RC4-MD5 (128/128 bits new) no authentication
Mar 22 11:01:20 valoney pop3s[25440]: login: pool-141-155-147-109.ny5030.east.verizon.net [141.155.147.109] jg2378 plaintext+TLS User logged in
Mar 22 11:01:21 valoney pop3s[25440]: failed to bind to address 128.59.48.36: Cannot assign requested address
Mar 22 11:01:21 valoney pop3s[25440]: Doing a peer verify
Mar 22 11:01:21 valoney pop3s[25440]: Doing a peer verify
Mar 22 11:01:21 valoney pop3s[25440]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Mar 22 11:01:36 valoney pop3s[25440]: pop3s failed: [local]
Mar 22 11:01:37 valoney pop3s[25440]: Fatal error: tls_start_servertls() failed
Mar 22 11:01:41 valoney master[2581]: service pop3s pid 25440 in READY state: terminated abnormally
Mar 22 11:01:52 valoney master[2581]: service pop3s pid 25440: while trying to process message 0x2: not registered yet
Mar 22 11:01:52 valoney master[2581]: service pop3s pid 25440 in UNKNOWN state: processing message 0x2

Anyone know what's going on? Are the process being terminated since they are in an UNKNOWN state or are they in an UNKNOWN state since they are being terminated? The log time stamps suggest the latter, but why are some of them dying?

We thought it correlated to a sudden increase in incoming connections, but then sometimes these errors happen at 6am when not too many users are logging in.

anyone have any ideas?

2.2.12 frontends.

-Patrick
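One way to tell the occasional termination from the bursts described in the message above (an added example, not part of the original post or of Cyrus): group the master's "terminated abnormally" lines per host and report clusters. The 30-second gap, the three-event minimum and the year passed to the parser are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

# Master log lines copied from the post, plus one constructed isolated line
# (06:12:03) and two lines from the post that the parser must skip.
SAMPLE_LOG = """\
Mar 22 06:12:03 tofu master[19506]: service imaps pid 17001 in READY state: terminated abnormally
Mar 22 10:50:07 tofu master[19506]: service pop3s pid 18311 in READY state: terminated abnormally
Mar 22 10:50:10 tofu master[19506]: service imaps pid 18128 in READY state: terminated abnormally
Mar 22 10:50:20 tofu master[19506]: service imaps pid 18348 in READY state: terminated abnormally
Mar 22 10:50:23 tofu master[19506]: service imaps pid 13063 in READY state: terminated abnormally
Mar 22 10:50:32 tofu master[19506]: service pop3s pid 18404 in READY state: terminated abnormally
Mar 22 10:50:33 tofu master[19506]: service pop3s pid 18218 in READY state: terminated abnormally
Mar 22 11:01:37 valoney pop3s[25440]: Fatal error: tls_start_servertls() failed
Mar 22 11:01:41 valoney master[2581]: service pop3s pid 25440 in READY state: terminated abnormally
Mar 22 11:01:42 valoney master[2581]: service imaps pid 25617 in READY state: terminated abnormally
Mar 22 11:01:46 valoney master[2581]: service pop3s pid 25682 in READY state: terminated abnormally
Mar 22 11:01:47 valoney master[2581]: service imaps pid 25903 in READY state: terminated abnormally
Mar 22 11:01:52 valoney master[2581]: service imaps pid 25903 in UNKNOWN state: processing message 0x2
"""

Event = namedtuple("Event", "ts host service pid state")
Burst = namedtuple("Burst", "host start end count services")

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"master\[\d+\]: service (?P<service>\S+) pid (?P<pid>\d+) "
    r"in (?P<state>\w+) state: terminated abnormally$"
)


def parse_events(text, year=2006):
    """Return an Event per 'terminated abnormally' line; other lines are skipped.

    Classic syslog timestamps carry no year, so the caller supplies one.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(Event(ts, m["host"], m["service"], int(m["pid"]), m["state"]))
    return events


def _flush(cluster, min_events, bursts):
    """Record the cluster as a burst if it is large enough."""
    if len(cluster) >= min_events:
        services = Counter(ev.service for ev in cluster)
        bursts.append(Burst(cluster[0].host, cluster[0].ts, cluster[-1].ts,
                            len(cluster), services))


def find_bursts(events, max_gap=timedelta(seconds=30), min_events=3):
    """Cluster each host's terminations; a gap longer than max_gap ends a cluster."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)
    bursts = []
    for host in sorted(by_host):
        cluster = []
        for ev in sorted(by_host[host], key=lambda e: e.ts):
            if cluster and ev.ts - cluster[-1].ts > max_gap:
                _flush(cluster, min_events, bursts)
                cluster = []
            cluster.append(ev)
        _flush(cluster, min_events, bursts)
    return bursts


if __name__ == "__main__":
    for b in find_bursts(parse_events(SAMPLE_LOG)):
        print(f"{b.host}: {b.count} terminations {b.start:%H:%M:%S}-{b.end:%H:%M:%S} "
              f"{dict(b.services)}")
```

Correlating each reported window with the per-process lines for the same pids (such as the tls_start_servertls() failure quoted above) shows what the children logged just before the master reaped them.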
Re: Renaming A User
there is a proc directory in your cyrus folder that lists which users are logged in through which imap process. You can look in there. You might also want to check if the user has any shared mailboxes that other users are accessing.

As for preventing the user from logging you can temporarily disable their password (at least that's what we've done with kerberos)

-Patrick

On Mar 22, 2006, at 12:41 PM, Kai Wang wrote:

> Simon,
>
> How do you know if a user is logged in?
>
> Simon Matter wrote:
>>> Hi all
>>>
>>> I Googled it and looked over the archives and couldn't find a definitive answer, so I'm going to ask here...
>>>
>>> I have a user who got married and changed her name. On the UNIX side of things, the name change is pretty easy. I can handle this part. The part where I'm having trouble is with the name change in cyradm. I found the old documentation from the O'Reilly book. However, that's apparently extremely out of date. I tried to find an updated version of Managing IMAP, but there is apparently not enough call for it. I have some pretty heavy lifting to do in the next few months and would like to have a good reference.
>>>
>>> On a different list, someone flippantly suggested I just rename the user in cyradm. Is this prudent? If she has a lot of sub-mailboxes, will they all make it over in the newer versions of cyrus? As I recall, this wasn't completely functional at the time the book was written.
>>
>> You need 'allowusermoves: yes' in /etc/imapd.conf to make renaming work. Then, when you rename, make absolutely sure the user is not logged in while renaming in cyradm.
>>
>> Simon
>
> --
> Kai Wang
> System Services
> Information Technologies, University of Calgary,
> 2500 University Drive, N.W.,
> Calgary, Alberta, Canada T2N 1N4
> Phone (403) 220-2423, Fax (403) 282-9361
Re: 2.3.3 Replication Documentation
On Mar 21, 2006, at 1:05 PM, Joel Nimety wrote:

> Muenz, Michael wrote:
>> Can someone point me to documentation for setting up and managing the new replication feature in 2.3? I've looked through the cyrus docs folder and man pages but I thought there might be more somewhere. Thanks.
>
> cyrus-imapd-2.3.3/doc/install-replication.html
>
> How does one failover to the replica?

Depends on your setup. You can have a VIF on the primary machine and if it fails, up the VIF on replica (and of course turn off sync_server)

-Patrick
Re: Renaming A User
rename works fine when we've used it. You just need to make sure their new account has a password and the same ACLs as the old account (for shared mailboxes).

-Patrick

On Mar 20, 2006, at 3:08 PM, Michael Johnson wrote:

> Hi all
>
> I Googled it and looked over the archives and couldn't find a definitive answer, so I'm going to ask here...
>
> I have a user who got married and changed her name. On the UNIX side of things, the name change is pretty easy. I can handle this part. The part where I'm having trouble is with the name change in cyradm. I found the old documentation from the O'Reilly book. However, that's apparently extremely out of date. I tried to find an updated version of Managing IMAP, but there is apparently not enough call for it. I have some pretty heavy lifting to do in the next few months and would like to have a good reference.
>
> On a different list, someone flippantly suggested I just rename the user in cyradm. Is this prudent? If she has a lot of sub-mailboxes, will they all make it over in the newer versions of cyrus? As I recall, this wasn't completely functional at the time the book was written.
>
> I'm running version 2.2.8 on RHEL ES3 with the 2.4.21 kernel.
>
> TIA
> -Michael
>
> ---
> I never teach my pupils; I only attempt to provide the conditions in which they can learn. --Albert Einstein
Re: Imap login as user using imap administrator credentials?
I don't think most mail clients support proxy authentication like imtest (imtest -a cyrus -u username -t -m PLAIN host).

The one exception is pine (I've only tested this with GSSAPI)

To log in as a user

1. be root
2. su username
3. kinit cyrus (or your admin name)
4. pine

Pine will use the cyrus ticket to authenticate to pine but the authorization will be for whatever user you ran pine as.

There may be other ways to do this with pine. You also might have to stick in some 'kdestroy' to deal with some permission issues when trying to get the cyrus ticket.

-Patrick

On Mar 14, 2006, at 9:41 AM, John McMonagle wrote:

> Is it possible to login as user using imap administrator credentials?
>
> With uw-imap can do userid*adminid for user.
>
> Looks like imtest can do it.
>
> One can log in as the imap administrator but it's not quite the same as being the user.
>
> It would be really useful for many things including user support to be able to log into any imap client as a user.
>
> Thanks
>
> John
>
> --
> John McMonagle
> IT Manager
> Advocap Inc.
Re: we need some information about cyrus-imap server
On Mar 14, 2006, at 2:11 PM, Jure Pečar wrote:

> That many accounts is nothing an old dual p3 can't handle, if it has properly set up storage behind it.

How many simultaneous users are connecting? Mostly IMAP or POP users?

We're doing about 5K accounts per server spread across 4 partitions of about 1.4 TB each. We're planning on having largish quotas.

-Patrick
Re: cyrus murder, mupdate sucking up CPU
We have the same/similar problems with mupdate on RHEL4. Our problem usually shows up when we are creating new users or if users are creating new mailboxes. The mailbox creation may hang or go extremely slow (and eventually start hanging). This seems to be linked to when a frontend restarts and is synching its mailbox list. Mupdate uses 99% of cpu apparently doing nothing. If we do the strace -f -p then the the process does idle, but also stops doing anything at all (nothing is logged to the log files from that point on). If we restart the murder master, then all our frontends (10) and backends (14) reconnect and the murder master starts dropping connections, and the frontends connect again and then get disconnected (and so on). we're still investigating this one. The worker thread count keeps increasing as the frontends keep reconnecting. It seems our only way to restart the murder master is by using iptables to block connections from the backends and then slowly re-allow connections once the frontends have re-synched. It appears that frontends re-synching and backends creating mailboxes at the same time do not get along in our setup. -Patrick On Mar 3, 2006, at 2:53 PM, Aleksandar Milivojevic wrote: I've asked about this problem earlier while trying out version 2.3.1. I've just compiled 2.3.3 (Simon's SRPM package) and still having the same problem. This is the show stopper for me for upgrading from 2.2 to 2.3. The problem is mupdate process sucks all CPU cycles it can get. Now for the weird stuff. Running strace -p 3990 (3990 being PID of mupdate process) just shows it waiting in accept system call. However, running strace -f -p 3990 showed this: [pid 3995] clock_gettime(CLOCK_REALTIME, unfinished ... [pid 3998] futex(0x8122134, FUTEX_WAKE, 1 unfinished ... [pid 3995] ... clock_gettime resumed {1141412737, 901972000}) = 0 [pid 3994] ... futex resumed ) = 0 [pid 3998] ... futex resumed ) = 1 [pid 3995] futex(0x8119fe0, FUTEX_WAKE, 1 unfinished ... 
[pid 3994] futex(0x8122134, FUTEX_WAKE, 1 unfinished ... [pid 3998] gettimeofday( unfinished ... [pid 3995] ... futex resumed ) = 0 [pid 3994] ... futex resumed ) = 0 [pid 3998] ... gettimeofday resumed {1141412737, 902155}, NULL) = 0 [pid 3995] futex(0x8119fe4, FUTEX_WAIT, -106641967, {59, 99476} unfinished ... [pid 3994] time( unfinished ... [pid 3998] clock_gettime(CLOCK_REALTIME, unfinished ... [pid 3995] ... futex resumed ) = -1 EAGAIN (Resource temporarily unavailable) [pid 3994] ... time resumed NULL)= 1141412737 [pid 3998] ... clock_gettime resumed {1141412737, 902307000}) = 0 [pid 3995] futex(0x8119fe0, FUTEX_WAIT, 2, NULL unfinished ... [pid 3994] select(7, [6], NULL, NULL, {0, 0}finished ... [pid 3992] ... clock_gettime resumed {1141412737, 903913000}) = 0 Now the strange thing, after I exit strace, mupdate starts to behave and goes to idling. Attaching again to it with strace still shows the same output, but it is not consuming almost any CPU cycles. However, it is still huge, around 170MB. Even more strange is that if I restart it (stop Cyrus, start it again), the new mupdate process also seems to work OK!? Reboot the system, and get the same problem again. Could it be that I'm hitting a bug somewhere else in the system (like kernel)? Is anybody else running Cyrus 2.3.x in murder configuration on CentOS4 or RHEL4 (update 2)? This message was sent using IMP, the Internet Messaging Program. Cyrus Home Page: http://asg.web.cmu.edu/cyrus Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html Cyrus Home Page: http://asg.web.cmu.edu/cyrus Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: 2.3.3 replication
What happens if you use '-r' instead of '-u'

I thought -u needed a list of users to follow it.

-Patrick

On Mar 2, 2006, at 4:39 PM, Marco Schirrmeister wrote:

> Hello,
>
> I try to setup replication according the docs. But it is not working at the moment.
>
> If I try the following command as cyrus user
>
> /usr/lib/cyrus-imapd/sync_client -S centos4-vm2 -u
>
> I get the following error messages.
>
> Can not connect to server 'centos4-vm2'
>
> syslog shows the following
>
> sync_client[25660]: connect(centos4-vm2) failed: Invalid argument
>
> Here is some of my imapd.conf from the master. The imapd.conf on the replica is the same, but without the sync_ options.
>
> sasl_pwcheck_method: auxprop
> sasl_auxprop_plugin: sasldb
> sasl_mech_list: PLAIN
> tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
> tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
> tls_ca_file: /usr/share/ssl/certs/ca-bundle.crt
> sync_host: 10.11.1.166
> sync_authname: cyrus
> sync_password: imap
> sync_machineid: 1
> sync_log: 1
> allowplaintext: yes
> allowapop: yes
> sasl_minimum_layer: 0
> sasl_maximum_layer: 512
> sasl_auto_transition: yes
> sasl_saslauthd_path: /var/run/saslauthd/mux
> sasl_sasldb_path: /etc/sasldb2
> tls_cipher_list: TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
>
> I can successful login to the replica with the following command.
>
> imtest -u cyrus -a cyrus -t -m PLAIN centos4-vm2
>
> Any hints?
>
> cheers
> Marco
Re: 2.3.1 replication and deliver problem
On Jan 31, 2006, at 4:06 AM, Dmitry Melekhov wrote:

> David Carter wrote:
>> On Tue, 31 Jan 2006, Dmitry Melekhov wrote:
>>> This is what I see.
>>>
>>> Promoting: MAILBOX user.dm - USER dm
>>> Error in do_sync(): bailing out!
>>>
>>> Not too informational message...
>>
>> syslog should tell you why it decided to bail out.
>
> Unfortunately I see in log (i.e. -l ) only what I see on console with -v.

Maybe check the log on your replica. Possibly something is going wrong with sync_server (though it seems unlikely since sync_client -u works)

For debugging, you could try setting '-w 60' and then attaching gdb to the running process. -w 60 makes sync_client wait 60 seconds before processing the log file.

-Patrick
mupdate worker thread problem
We've been seeing a lot of mupdate worker thread problems the last 2 days. Things like

Jan 24 12:38:42 notdog mupdate[5295]: could not start a new worker thread (not fatal)
Jan 24 12:38:42 notdog last message repeated 353 times
Jan 24 12:38:45 notdog mupdate[5295]: login: mettwurst.cc.columbia.edu [128.59.33.138] backend PLAIN User logged in

We're trying to debug the cause of the problem, but I thought I'd ask on the list if anyone had any insights.

Logins are infrequent and generally there aren't that many connections established.

lsof | grep mupdate- | wc -l
18

We increased the max number of worker threads, and max connections

mupdate_workers_max: 400
mupdate_connections_max: 1792

We increased a lot of the ulimits and increased the maxfds

mupdate cmd="mupdate -m" listen="mupdate" prefork=1 maxfds=5048

We're running on RHEL4 and Cyrus 2.3

Thanks for any help or pointers.

-Patrick
high load cpu/usage on murder master
We've noticed a strange pattern of load and cpu usage on our murder master.

The machine will go a few days with minimal load and very little cpu usage (~5%). Then for a few days load will jump to 2, and CPU usage will jump to 40% (35% in system mode).

So the CPU usage graph looks like (ASCII art)

|||

There doesn't seem to be any correlation with the day of the week or time of day.

Anyone know what's going on, or how to figure out what's occurring?

thanks,
Patrick
Re: TLS support in cyradm?
If you're building Cyrus yourself then you can just patch it to add TLS support.

I don't recall where these patches originally came from (collected from past postings I'm told).

Once patched, cyradm takes the password as (-w secret) on the command line, so you probably don't want to run it on a public machine.

The patch also makes changes to sieveshell, the Cyrus/IMAP perl libraries and imclient.c

cyrus-starttls.patch Description: Binary data

-Patrick

On Jan 10, 2006, at 9:13 AM, Jorey Bump wrote:

Jorey Bump wrote:

Apparently cyradm does not have STARTTLS support, yet, so you can do this in cyrus.conf to ensure that no plaintext service is exposed to the Internet:

imap cmd="imapd" listen="localhost:imap" prefork=0
imaps cmd="imapd -s" listen="imaps" prefork=0
# pop3 cmd="pop3d" listen="localhost:pop3" prefork=0
pop3s cmd="pop3d -s" listen="pop3s" prefork=0

Granted, you sacrifice STARTTLS on ports 110 and 143, but not many clients seem to support it anyway, and this arrangement will help to prevent accidental transmission of plaintext passwords.

I should also point out that this will restrict the use of cyradm to the localhost. While I assume this is normally the case, cyradm does have the ability to connect to other hosts (much like the mysql client). If this is important to you, you will need to investigate other authentication mechanisms, use a packet filter to control access to the unencrypted port (still risky, depending on the location of the client), or offer some code that allows cyradm to use STARTTLS.

As Nikola pointed out, another option is to use an SSL (or SSH) tunnel. These always feel kludgy to me, though, and usually indicate the need for a better solution.
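The cyrus.conf arrangement quoted above can be checked mechanically. The following is an added example, not code from the thread or from the Cyrus project: it parses a SERVICES block and reports imapd/pop3d entries that run without -s and are bound to something other than loopback. Both sample files are constructed, and the function names are hypothetical.

```python
import re
import shlex

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
MAIL_DAEMONS = {"imapd", "pop3d"}

# Constructed sample: every service bound to all interfaces.
STOCK = '''
SERVICES {
  imap     cmd="imapd"    listen="imap"  prefork=0
  imaps    cmd="imapd -s" listen="imaps" prefork=0
  pop3     cmd="pop3d"    listen="pop3"  prefork=0
  pop3s    cmd="pop3d -s" listen="pop3s" prefork=0
  lmtpunix cmd="lmtpd"    listen="/var/run/imap/socket/lmtp" prefork=0
}
'''

# Constructed sample following the arrangement in the quoted message.
RESTRICTED = '''
SERVICES {
  imap   cmd="imapd"    listen="localhost:imap" prefork=0
  imaps  cmd="imapd -s" listen="imaps" prefork=0
# pop3   cmd="pop3d"    listen="localhost:pop3" prefork=0
  pop3s  cmd="pop3d -s" listen="pop3s" prefork=0
}
'''


def parse_services(conf_text):
    """Return {service_name: {option: value}} from the SERVICES block."""
    # Drop comments first so a commented-out service is not counted.
    text = "\n".join(l.split("#", 1)[0] for l in conf_text.splitlines())
    block = re.search(r"SERVICES\s*\{(.*?)\}", text, re.S)
    services = {}
    if not block:
        return services
    for line in block.group(1).splitlines():
        tokens = shlex.split(line)      # keeps cmd="imapd -s" as one token
        if not tokens:
            continue
        opts = {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                opts[key] = value
        services[tokens[0]] = opts
    return services


def listen_host(listen):
    """Host part of a listen= value; '' means every interface."""
    if listen.startswith("/"):
        return "unix-socket"
    if listen.startswith("["):          # bracketed IPv6, e.g. [::1]:imap
        return listen[1:listen.index("]")]
    if ":" in listen:                   # host:port, e.g. localhost:imap
        return listen.rsplit(":", 1)[0]
    return ""                           # bare port or service name


def exposed_plaintext(conf_text):
    """Names of imapd/pop3d services without -s that listen beyond loopback.

    A reported listener can still protect logins with STARTTLS; this only
    reports network exposure of the non-SSL ports.
    """
    found = []
    for name, opts in parse_services(conf_text).items():
        argv = shlex.split(opts.get("cmd", ""))
        if not argv or argv[0].rsplit("/", 1)[-1] not in MAIL_DAEMONS:
            continue
        if "-s" in argv[1:]:
            continue
        host = listen_host(opts.get("listen", ""))
        if host in LOOPBACK or host == "unix-socket":
            continue
        found.append(name)
    return found


if __name__ == "__main__":
    print("stock:", exposed_plaintext(STOCK))
    print("restricted:", exposed_plaintext(RESTRICTED))
```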
Re: cyrus sync_client always refuses to run with an 'Invalid Argument'
Have you tried synctest?

Usage: synctest [options] hostname
-p port : port to use (default=standard port for protocol)
-k # : minimum protection layer required
-l # : max protection layer (0=none; 1=integrity; etc)
-u user : authorization name to use
-a user : authentication name to use
-w pass : password to use (if not supplied, we will prompt)
-v : verbose
-m mech : SASL mechanism to use
-f file : pipe file into connection after authentication
-r realm : realm
-t file : Enable TLS. file has the TLS public and private keys (specify to not use TLS for authentication)
-c : enable challenge prompt callbacks (enter one-time password instead of secret pass-phrase)
-n : number of auth attempts (default=1)
-I file : output my PID to (file) (useful with -X)
-x file : open the named socket for the interactive portion
-X file : same as -X, except close all file descriptors dameonize

Also, don't you want sync_log: 1? Otherwise there will be no log file for sync_client to use as input.

Do you have csync defined in /etc/services? Try forcing the use of port 2005 when connecting.

On Jan 6, 2006, at 6:16 PM, Febo Aristots wrote:

sync_host: replica..xxx
sync_authname: user
sync_password: x
sync_log: 0
Re: replication sync_client dying cyrus-imap 2.3.0
Easiest way is, as the cyrus user, to run

sync_client -r

We have an init.d script to start sync_client back up, and another perl script that connects to cyrus and makes a sync log file of all the accounts on the machine. We then feed the log file to sync_client to process.

Lastly, we have a sanity check script that compares user quota usage on the primary machine and the replica. This way we can easily spot any discrepancies and fix them.

I've attached the scripts in case anyone wants them as a starting point (they contain some columbia specific stuff) and probably need some editing to work on your system.

sync_client Description: Binary data

List mailboxes is loosely based on the imapcreate.pl script

    #!/usr/bin/perl -w
    #
    # This will output a file containing all mailboxes in a format for sync_client
    # Each shared mailbox will be output as
    #   MAILBOX mailboxname
    # Each user account will be output as
    #   USER username
    #
    use Getopt::Long;
    use Cyrus::IMAP::Admin;
    use strict;

    # CLI options
    my ($debug,$authmech,$pass,$cyrus);
    # Connection variables
    my ($user);

    sub usage {
      print "listmailboxes - formats mailbox list in a way that sync_client understands";
      print "usage:\n";
      print "  listmailboxes [--auth mechanism] [-p pass] server\n";
      print "\n";
      print "If no password is submitted with -p, we'll prompt for one.\n";
      print "if -v is set, we'll run in debug mode, and print information on stdout\n";
      print "\n";
      print "The default mechanism is used for authentication. If you need another\nmechanism, (try LOGIN), use --auth mechanism option\n";
      print "\n";
      print "example: Must run as the CYRUS user\n";
      print "  listmailboxes.pl --auth GSSAPI localhost";
      print "\n";
      exit 0;
    }

    GetOptions(
      "auth=s"    => \$authmech,
      "p|pass=s"  => \$pass,
      "v|verbose" => \$debug
    );

    my $server = shift(@ARGV);
    usage unless $server;
    $user = "cyrus";

    # Authenticate
    print "Connecting\n";
    $cyrus = Cyrus::IMAP::Admin->new($server);
    if ($authmech) {
      $cyrus->authenticate(-mechanism => $authmech, -user => $user, -password => $pass);
    } else {
      $cyrus->authenticate(-user => $user, -password => $pass);
    }
    die $cyrus->error if $cyrus->error;

    # Open the sync log for writing
    unless (open SYNCFILE, ">/var/cyrus/sync/listing.log") {
      die "Cannot create syncfile: $!";
    }
    print "Writing mailbox list to /var/cyrus/sync/listing.log\n";

    # One line per user account
    my @mailboxesT = $cyrus->list('%', 'user.');
    foreach my $mailbox (@mailboxesT) {
      $mailbox->[0] =~ s/user\.(.*)/user $1/;
      print SYNCFILE "$mailbox->[0]\n";
    }

    # One line per shared mailbox and each of its sub-mailboxes
    my @sharedT = $cyrus->list('%', '');
    foreach my $sharedbox (@sharedT) {
      if ($sharedbox->[0] ne 'user') {
        print SYNCFILE "MAILBOX $sharedbox->[0]\n";
        my @subsharedT = $cyrus->list('*', $sharedbox->[0].".");
        foreach my $subsharedbox (@subsharedT) {
          print SYNCFILE "MAILBOX $subsharedbox->[0]\n";
        }
      }
      #$mailbox->[0] =~ s/user\.(.*)/user $1/;
      #print SYNCFILE "$mailbox->[0]\n";
    }
    close SYNCFILE;

Cyrus_sync_check ssh's into our primary machines and into the replicas and calls 'cyr_quota'. It then diffs the output of the primary and the replica and pipes it to awk to make the output pretty. It uses a columbia specific tool called 'ourhosts', and relies on the fact that our replica machines have the same name as the primaries but with a 2 stuck on the end.

cyrus_sync_check Description: Binary data

-Patrick

On Dec 20, 2005, at 10:03 AM, Patrice wrote:

ok, I understand better now, thank you !

what would be the best way to restart it ? stop/start cyrus or another command ?

thanks
Patrice

Patrick H Radtke wrote:

If sync_client cannot contact the replica server (or if there is some other error that it can't recover from) then it 'bails out' and stops running. I guess the idea being that sync_client can't do anything until you fix the problem.

We run monitoring software that lets us know if sync_client dies, and attempts to restart it for us.

-Patrick

On Tue, 20 Dec 2005, Patrice wrote:

Hi,

yesterday evening my replication was working on my test system. I unplugged network and came back today, plugged it again. I tried to send an email but this one wasn't replicated on the replica. (I waited a few minutes and my sync_repeat_interval is 60)

I made a ps aux and saw that the 2 processes sync_client were not existing; that was the cause of no replication.

my authentication is made via saslauthd on another server on openldap

if authentication cannot be made, it seems that sync_client dies

I launched by hand:

su - cyrus -c /cyrus-imap/bin/sync_client -r -- sync ok

and now 2 processes sync_client now are running.

here is my config for replication:

sync_host: 192.168.1.2
sync_authname: cyrus
sync_password: xx
sync_machineid: 1
sync_log: yes
sync_repeat_interval: 60

any ideas about this behavior ?

thanks in advance
Patrice
Re: SASL Authentication
You must use a secure connection when using PLAIN. Try with a ' -t '. (I'm assuming you have a certificate already installed)

-Patrick

On Dec 16, 2005, at 1:06 PM, [EMAIL PROTECTED] wrote:

Perhaps it could be useful for someone...

If I try:

imtest -a cyrus -m plain -p imap localhost

I receive:

C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS LISTEXT LIST-SUBSCRIBED ANNOTATEMORE X-NETSCAPE
S: C01 OK Completed
Authentication failed. no mechanism available
Security strength factor: 0

Could it be useful?

Thanks a lot!
Stefano C.
Re: Design for a largish Cyrus server
On Dec 14, 2005, at 12:00 PM, Jure Pečar wrote:

About iSCSI ... any experience with it? I know throughput is good enough, but what about latencies? Are they comparable with local disks or fibrechannel?

I attended an "iSCSI is great" seminar last week, where a similar question was raised.

Their answer (people trying to sell us iSCSI gear) was something like:

Most of the latency is in the disk (order of magnitude greater than the iSCSI overhead).

Since iSCSI arrays are often larger than direct attached, then you have more disk spindles and then more throughput.

Of course if the iSCSI array and the direct attached have the same number of spindles then you don't get the throughput advantage.

We opted for direct attached (and using the replication code of 2.3 to create a hot spare) instead of iSCSI since it was significantly cheaper.

-Patrick
Re: Imtest failure
The second case is using DIGEST-MD5 for the auth mechanism. Is that what you intended to use? Did you tell outlook to use tls? On Dec 5, 2005, at 10:43 AM, Rajeev wrote: Hi I have done a cyrus installation with tls support and I am not able to send messages through the Outlook or Outlook express. But I can send it with web mail (Open Xchange webmail). When I tried to do the following command I get the result as below:- Imtest –t “” -a user-name –p imap localhost -- gives a success Imtest –a user-name –p imap localhost - gives no authentication The first one shows 256 bit encryption and the later shows 128 bit encryption Flowing lines shows the screen shots [EMAIL PROTECTED] imap]# imtest -a rajeev -p imap localhost S: * OK mail.cracknell.com Cyrus IMAP4 v2.2.12-Invoca-RPM-2.2.12-3.RHEL4.1 server ready C: C01 CAPABILITY S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX- REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS AUTH=DIGEST-MD5 SASL-IR LISTEXT LIST- SUBSCRIBED X-NETSCAPE S: C01 OK Completed C: A01 AUTHENTICATE DIGEST-MD5 S: + bm9uY2U9IjVkeGNEL045bmR0NDZtY1luUFllYkpGZG9ZYktYQ0ZaZXJvNzhYZUlOWEk9Ii xyZWFsbT0ibWFpbC5jcmFja25lbGwuY29tIixxb3A9ImF1dGgsYXV0aC1pbnQsYXV0aC1j b25mIixjaXBoZXI9InJjNC00MCxyYzQtNTYscmM0LGRlcywzZGVzIixtYXhidWY9NDA5Ni xjaGFyc2V0PXV0Zi04LGFsZ29yaXRobT1tZDUtc2Vzcw== Please enter your password: C: dXNlcm5hbWU9InJhamVldiIscmVhbG09Im1haWwuY3JhY2tuZWxsLmNvbSIsbm9uY2U9Ij VkeGNEL045bmR0NDZtY1luUFllYkpGZG9ZYktYQ0ZaZXJvNzhYZUlOWEk9Iixjbm9uY2U9 ImdCYSs4V2hsbmdDMTZWT2dyOWM5UkN2RDlvU2JERzloaFgvbmgyV0JpUUU9IixuYz0wMD AwMDAwMSxxb3A9YXV0aC1jb25mLGNpcGhlcj1yYzQsbWF4YnVmPTEwMjQsZGlnZXN0LXVy aT0iaW1hcC9sb2NhbGhvc3QubG9jYWxkb21haW4iLHJlc3BvbnNlPWNmYWRkNTk4ZmFjMT ZjYmRkYWQwZTY1ZGFkNjhiY2I4 S: A01 NO One time use of a plaintext password will enable requested mechanism for user Authentication failed. 
generic failure Security strength factor: 128 [EMAIL PROTECTED] imap]# imtest -t -a rajeev -p imap localhost S: * OK mail.cracknell.com Cyrus IMAP4 v2.2.12-Invoca-RPM-2.2.12-3.RHEL4.1 server ready C: C01 CAPABILITY S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX- REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS AUTH=DIGEST-MD5 SASL-IR LISTEXT LIST- SUBSCRIBED X-NETSCAPE S: C01 OK Completed C: S01 STARTTLS S: S01 OK Begin TLS negotiation now verify error:num=18:self signed certificate TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits) C: C01 CAPABILITY S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX- REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN AUTH=DIGEST-MD5 SASL-IR LISTEXT LIST- SUBSCRIBED X-NETSCAPE S: C01 OK Completed Please enter your password: C: A01 AUTHENTICATE PLAIN AHJhamVldgBha2NydnI= S: A01 OK Success (tls protection) Authenticated. 
Security strength factor: 256

Following shows my /etc/imapd.conf

configdirectory: /var/lib/imap
defaultpartition: default
partition-default: /var/spool/imap
lmtp_downcase_rcpt: yes
admins: mailadmin cyrus
quotawarn: 90
reject8bit: no
lmtp_overquota_perm_failure: no
virtdomains: userid
defaultdomain: cracknell.com
sendmail: /usr/sbin/sendmail
allowanonymouslogin: no
popminpoll: 1
autocreatequota: 0
umask: 077
sieveusehomedir: false
sievedir: /var/spool/sieve
hashimapspool: true
allowplaintext: yes
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN DIGEST-MD5
sasl_auto_transition: yes
sasl_minimum_layer: 0
tls_ca_path: /var/lib/imap/
tls_cert_file: /var/lib/imap/server.pem
tls_key_file: /var/lib/imap/server.pem
tls_session_timeout: 1440
tls_cipher_list: TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
lmtpsocket: /var/run/imap/socket/lmtp
lmtpunix:/var/run/imap/socket/lmtp
idlesocket: /var/run/imap/socket/idle
lmtpproxyd disappearing
A couple of times this week, lmtpproxyd has stopped running. I don't see anything in logs about why.

Usually there will be 8 of them running (same as the number of sendmail processes)

ps -ef | grep lmtppr
cyrus 5579 21975 0 14:51 ? 00:00:02 lmtpproxyd
cyrus 7085 21975 0 14:57 ? 00:00:01 lmtpproxyd
cyrus 7341 21975 0 14:58 ? 00:00:00 lmtpproxyd
cyrus 9363 21975 0 15:07 ? 00:00:00 lmtpproxyd
cyrus 11689 21975 0 15:19 ? 00:00:00 lmtpproxyd
cyrus 12803 21975 0 15:25 ? 00:00:00 lmtpproxyd
cyrus 12902 21975 0 15:26 ? 00:00:00 lmtpproxyd
cyrus 14328 21975 0 15:33 ? 00:00:00 lmtpproxyd
root 14527 22772 0 15:35 pts/2 00:00:00 grep lmtppr

but then suddenly, there will be no lmtp processes and then the number of sendmail processes skyrockets (~7,000).

Anyone know why lmtpproxyd disappears?

Cyrus 2.2.12

-Patrick
imaps has -1 workers?!?
We had a bit of a meltdown on 2 of our frontends.

I saw a lot of errors like

Nov 30 17:56:54 tofu imaps[2309]: imaps failed: [local]
ov 30 09:39:55 tofu master[4581]: imaps has -1 workers?!?
service imaps pid 4922: while trying to process message 0x2: not registered yet
Nov 30 17:59:10 tofu master[2250]: service pop3 pid 3258: while trying to process message 0x3: not registered yet
Nov 30 17:59:11 tofu master[2250]: service pop3 pid 3258 in UNKNOWN state: processing message 0x3

Anyone know what would cause such a thing?

Running Cyrus 2.2.12 as a frontend

I upped the open files ulimit in case that's what was causing the problems

thanks,
Patrick
mupdate: bad file descriptor
I got a bunch of errors like this last night on our murder master before the mupdate process died. The errors then repeated again this morning.

Nov 22 20:14:09 notdog mupdate[16698]: Bad file descriptor, closing connection
Nov 22 20:14:09 notdog mupdate[16698]: Bad file descriptor, closing connection
Nov 22 20:14:09 notdog mupdate[16698]: select() failed: Bad file descriptor
Nov 22 20:14:09 notdog mupdate[16698]: select() failed: Bad file descriptor
Nov 22 20:14:09 notdog mupdate[16698]: Bad file descriptor, closing connection
Nov 22 20:14:09 notdog mupdate[16698]: Bad file descriptor, closing connection
Nov 22 20:15:00 notdog mupdate[16698]: select() failed: Bad file descriptor
Nov 22 20:14:58 notdog last message repeated 2 times
Nov 22 20:15:00 notdog mupdate[16698]: select() failed: Bad file descriptor
Nov 22 20:15:00 notdog mupdate[16698]: Bad file descriptor, closing connection
Nov 22 20:15:00 notdog mupdate[16698]: Bad file descriptor, closing connection
Nov 22 20:15:00 notdog mupdate[16698]: prot_select() failed in thread_main: Bad file descriptor
Nov 22 20:15:00 notdog mupdate[16698]: prot_select() failed in thread_main: Bad file descriptor
Nov 22 20:15:00 notdog mupdate[16698]: prot_select() failed in thread_main
Nov 22 20:15:00 notdog mupdate[16698]: prot_select() failed in thread_main
Nov 22 20:15:00 notdog master[16689]: service mupdate pid 16698 in READY state: terminated abnormally
Nov 22 20:15:00 notdog master[16689]: service mupdate pid 16698 in READY state: terminated abnormally

My ulimits for root are

root# ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
file size (blocks, -f) unlimited
pending signals (-i) 1024
max locked memory (kbytes, -l) 32
max memory size (kbytes, -m) unlimited
open files (-n) 2048
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
stack size (kbytes, -s) 10240
cpu time (seconds, -t) unlimited
max user processes (-u) 138239
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited

A few weeks ago we had errors like

Nov 3 21:12:05 notdog mupdate[11581]: Server too busy, droping connection.

so I increased the number of worker threads, connections and maxfds. The relevant parts of our config files look like:

from imapd.conf

mupdate_workers_max: 200
mupdate_connections_max: 1792

from cyrus.conf

SERVICES {
# mupdate database master!
mupdate cmd="mupdate -m" listen="mupdate" prefork=1 maxfds=2048

Anyone know what makes a file descriptor bad?

We're using Cyrus 2.3 on RHEL4

thanks,
Patrick
mailbox listed twice
For some of our users I see the following when listing their mailboxes.

user.des2004.Professors and Faculty (\HasNoChildren)
user.des2004.Professors and Faculty (\Noselect \HasChildren)

The mailbox is listed twice. Sometimes clients (Apple Mail) get confused by this (sometimes you can store messages in the folder, and other times you can't)

Mailbox is only listed once in the mailboxes.db

Anyone know why this happens?

Using cyrus 2.3.

thanks,
Patrick
Re: mailbox listed twice
On Nov 3, 2005, at 1:57 PM, Ken Murchison wrote:

For some of our users I see the following when listing their mailboxes.

user.des2004.Professors and Faculty (\HasNoChildren)
user.des2004.Professors and Faculty (\Noselect \HasChildren)

The mailbox is listed twice. Sometimes clients (Apple Mail) get confused by this (sometimes you can store messages in the folder, and other times you can't)

Mailbox is only listed once in the mailboxes.db

Anyone know why this happens?

Can you capture the actual LIST/LSUB command?

Same deal with mailbox listed twice

imtest -t -a cyrus -u des2004 localhost
Authenticated.
Security strength factor: 256
c list P%
* LIST (\HasNoChildren) . Professors and Faculty
* LIST (\HasNoChildren) . Professors and Faculty Fall 03
* LIST (\Noselect \HasChildren) . Professors and Faculty
c OK Completed (0.000 secs 4 calls)
c list P%.%
* LIST (\HasNoChildren) . Professors and Faculty.Professors and Faculty Spring 04
c OK Completed (0.000 secs 2 calls)

from the mailbox list (mailbox is listed only once)

[EMAIL PROTECTED] ctl_mboxlist -d | grep user.des2004.P
user.des2004.Professors and Faculty 3 des2004 lrswipcda
user.des2004.Professors and Faculty Fall 03 3 des2004 lrswipcda
user.des2004.Professors and Faculty.Professors and Faculty Spring 04 3 des2004 lrswipcda

-Patrick
Re: mupdate signaled to death by 11
Hey Ken,

New patches work great. I've seen no reoccurrence of the errors since we installed it last week.

thanks,
-Patrick

On Oct 27, 2005, at 10:46 AM, Ken Murchison wrote:

Patrick Radtke wrote:

Ken suggested I try the following patch
https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=2720
This looks like it solved all our problems. We've had no errors since I patched Cyrus.

Patrick,

Just added you as a CC to this bug. Any chance you can revert back to the original auth_unix.c code and try the alternate patch instead? There is a similar problem with auth_krb5.c and my patch *should* fix both problems.

On Oct 24, 2005, at 9:08 AM, Ken Murchison wrote:

Patrick Radtke wrote:

Several times an hour, our mupdate process on the murder master dies.

Oct 19 07:12:41 notdog master[2277]: process 15588 exited, signaled to death by 11
Oct 19 07:25:41 notdog master[2277]: process 16681 exited, signaled to death by 11
Oct 19 07:32:41 notdog master[2277]: process 17644 exited, signaled to death by 11
Oct 19 07:49:40 notdog master[2277]: process 18241 exited, signaled to death by 11
Oct 19 07:51:41 notdog master[2277]: process 19416 exited, signaled to death by 11
Oct 19 08:09:41 notdog master[2277]: process 19553 exited, signaled to death by 11
Oct 19 08:36:40 notdog master[2277]: process 20817 exited, signaled to death by 11
Oct 19 08:45:41 notdog master[2277]: process 22409 exited, signaled to death by 11
Oct 19 10:07:41 notdog master[25967]: process 25975 exited, signaled to death by 11
Oct 19 10:07:44 notdog master[25967]: process 28288 exited, signaled to death by 6
Oct 19 10:33:41 notdog master[25967]: process 28295 exited, signaled to death by 11

I don't see anything that signifies an error elsewhere in the log file. I've seen previous posts like this but couldn't find an answer.

Any core dumps that can be debugged?

--
Kenneth Murchison
Systems Programmer
Carnegie Mellon University

--
Kenneth Murchison
Systems Programmer
Carnegie Mellon University
Re: mupdate signaled to death by 11
Ken suggested I try the following patch
https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=2720

This looks like it solved all our problems. We've had no errors since I patched Cyrus.

Thanks Ken!

-Patrick

On Oct 24, 2005, at 9:08 AM, Ken Murchison wrote:

Patrick Radtke wrote:

Several times an hour, our mupdate process on the murder master dies.

Oct 19 07:12:41 notdog master[2277]: process 15588 exited, signaled to death by 11
Oct 19 07:25:41 notdog master[2277]: process 16681 exited, signaled to death by 11
Oct 19 07:32:41 notdog master[2277]: process 17644 exited, signaled to death by 11
Oct 19 07:49:40 notdog master[2277]: process 18241 exited, signaled to death by 11
Oct 19 07:51:41 notdog master[2277]: process 19416 exited, signaled to death by 11
Oct 19 08:09:41 notdog master[2277]: process 19553 exited, signaled to death by 11
Oct 19 08:36:40 notdog master[2277]: process 20817 exited, signaled to death by 11
Oct 19 08:45:41 notdog master[2277]: process 22409 exited, signaled to death by 11
Oct 19 10:07:41 notdog master[25967]: process 25975 exited, signaled to death by 11
Oct 19 10:07:44 notdog master[25967]: process 28288 exited, signaled to death by 6
Oct 19 10:33:41 notdog master[25967]: process 28295 exited, signaled to death by 11

I don't see anything that signifies an error elsewhere in the log file. I've seen previous posts like this but couldn't find an answer.

Any core dumps that can be debugged?

--
Kenneth Murchison
Systems Programmer
Carnegie Mellon University
Re: cyradm login
Can you post what you are using as arguments for cyradm and imtest, and what capabilities the server advertises with imtest, and also the output from testsaslauthd when testing the cyrus username/password.

thanks,
Patrick

On Oct 21, 2005, at 9:35 AM, Jt Chiodi wrote:

Jt Chiodi wrote:

I am having trouble logging in as cyrus to cyradm. I can login as regular user but I get this message if I login as cyrus

IMAP Password:Login failed: authentication failure at /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi/Cyrus/IMAP/Admin.pm line 118
cyradm: cannot authenticate to server with plain as cyradm

if I do an imtest as cyrus, i get Authenticated.

hmmm ... 'plain'. are you, by any chance, attempting to auth to cyradm over TLS? cyradm, apparently, does not support auth over TLS. i'd struggled with this same issue for a bit -- finally finding this approach:

http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info- cyrusmsg=36999

that works.

Hi,

No, I am not trying to auth to cyradm. I am not doing any encryption. plain text passwords authenticating through pam to a mysql database. regular users are working fine. it is just the cyrus account that can't login. when I do the imtest with the password for the cyrus account it says authenticated, but when I run cyradm I get the above error.

thanks,
jt
Re: cyradm login
On Oct 21, 2005, at 10:28 AM, Jt Chiodi wrote:

On 10/21/05, Patrick Radtke [EMAIL PROTECTED] wrote:

Can you post what you are using as arguments for cyradm and imtest, and what capabilities the server advertises with imtest, and also the output from testsaslauthd when testing the cyrus username/password.

thanks,
Patrick

I am having trouble logging in as cyrus to cyradm. I can login as regular user but I get this message if I login as cyrus

IMAP Password:Login failed: authentication failure at /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi/Cyrus/IMAP/Admin.pm line 118
cyradm: cannot authenticate to server with plain as cyradm

if I do an imtest as cyrus, i get Authenticated.

cyradm --user cyradm --server localhost --auth plain

earth:/root# imtest -m login -a cyrus localhost
S: * OK earth.squeegy.org Cyrus IMAP4 v2.2.12-Invoca-RPM-2.2.12-6.fc4 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN cyrus {9}
S: + go ahead
C: omitted
S: L01 OK User logged in
Authenticated.
Security strength factor: 0

earth:/root# testsaslauthd -u cyrus -p
0: OK Success.

try

cyradm -u cyrus --auth login localhost

-Patrick
mupdate signaled to death by 11
Several times an hour, our mupdate process on the murder master dies.

Oct 19 07:12:41 notdog master[2277]: process 15588 exited, signaled to death by 11
Oct 19 07:25:41 notdog master[2277]: process 16681 exited, signaled to death by 11
Oct 19 07:32:41 notdog master[2277]: process 17644 exited, signaled to death by 11
Oct 19 07:49:40 notdog master[2277]: process 18241 exited, signaled to death by 11
Oct 19 07:51:41 notdog master[2277]: process 19416 exited, signaled to death by 11
Oct 19 08:09:41 notdog master[2277]: process 19553 exited, signaled to death by 11
Oct 19 08:36:40 notdog master[2277]: process 20817 exited, signaled to death by 11
Oct 19 08:45:41 notdog master[2277]: process 22409 exited, signaled to death by 11
Oct 19 10:07:41 notdog master[25967]: process 25975 exited, signaled to death by 11
Oct 19 10:07:44 notdog master[25967]: process 28288 exited, signaled to death by 6
Oct 19 10:33:41 notdog master[25967]: process 28295 exited, signaled to death by 11

I don't see anything that signifies an error elsewhere in the log file. I've seen previous posts like this but couldn't find an answer.

We are running cyrus 2.3 on RHEL4.

thanks,
Patrick
Re: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
I think you need to use either TLS or SSL but not both at the same time.

If you listen on the regular imap port, then clients will connect and issue a START_TLS command and the session will be encrypted.

When you connect to imaps the session is already encrypted with SSL, so trying to start TLS doesn't get you anything.

To stop unsecured logins on the imap port you also want to set

allowplaintext: no

-Patrick

On Sep 30, 2005, at 9:30 AM, Ivan R. Sy Jr. wrote:

Sep 30 20:40:04 mail imaps[41090]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Re: High-Availability IMAP server
We are running the replication code in production at Columbia. We made great use of it Monday morning when one of our backend machines failed. Switching to the replica was quite simple and relatively fast (maybe 5 to 10 minutes from deciding to switch to the replica before replica was fully in action).

I consider the code to be stable, though on occasion strange things happen (e.g. when user renames user.INBOX to user.saved.INBOX) and you have to restart the replication process (no downtime to Cyrus involved).

-Patrick Radtke

On Sep 27, 2005, at 8:24 AM, Ken Murchison wrote:

David Carter wrote:

The complication is that there doesn't appear to be anyone left at CMU to release new versions of Cyrus at the moment. Poor Jeffrey Eaton seems to be the last man standing there. My own experience of running things single handed is that it doesn't leave much time for development work.

Jeff will have development help real soon now.

--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26 Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp
Re: group ACLS problem
I figured out my one problem (I had left ldap_member_attribute: cn out of my imapd.conf), but I still have another.

I have an ldap group with the name 'WWW' but when I create an ACL in cyrus it shows up in lower case.

spam.cc.columbia.edu sam ldap group:WWW all
spam.cc.columbia.edu lam ldap
group:www lrswipcda

Is there an option to make the ACL checker case insensitive?

On Sep 12, 2005, at 12:19 PM, [EMAIL PROTECTED] wrote:

I'm having a problem with group ACLs. I have configured it to use the pts module and do ldap authentication. When logging in I see these queries performed against ldap

conn=1 op=0 BIND dn= method=128
conn=1 op=0 RESULT tag=97 err=0 text=
conn=1 op=1 SRCH base=dc=cc,dc=columbia,dc=edu scope=2 deref=0 filter=(uid=phr2101)
conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 op=2 SRCH base=ou=group,dc=cc,dc=columbia,dc=edu scope=2 deref=0 filter=(memberUid=phr2101)
conn=1 op=2 SEARCH RESULT tag=101 err=0 nentries=8 text=

These queries are what I would expect and return results.

[EMAIL PROTECTED] ldapsearch -LLL -x -h samehost -p 3400 -b ou=group,dc=cc,dc=columbia,dc=edu -a never memberuid=phr2101 cn
dn: cn=www,ou=group,dc=cc,dc=columbia,dc=edu
cn: www
dn: cn=staff,ou=group,dc=cc,dc=columbia,dc=edu
cn: staff
dn: cn=acct,ou=group,dc=cc,dc=columbia,dc=edu
cn: acct
dn: cn=sy,ou=group,dc=cc,dc=columbia,dc=edu
cn: sy
dn: cn=wheel,ou=group,dc=cc,dc=columbia,dc=edu
cn: wheel
dn: cn=src,ou=group,dc=cc,dc=columbia,dc=edu
cn: src
dn: cn=wwwsy,ou=group,dc=cc,dc=columbia,dc=edu
cn: wwwsy

However, when I try to access the public folder 'sy' with the following ACLs, it does not appear even though I am in that group

spam.cc.columbia.edu lam sy
group:sy lrswipcda

If I give myself full ACLs then I can see the folder fine.

Anyone know why my group ACLs aren't working?

We're using Cyrus 2.3

thanks,
Patrick
Re: Messages don't show up in imap view...
Thunderbird has a lot of bugs. We've done copies with Thunderbird that never seem to end, while with another client we tested like Outlook Express the copies happened instantly.

After you perform a copy, Cyrus responds with something like

OK [COPYUID 1116262918 3221:3222,3224:3227,3229:3234,3236:3239,3242,3248:3250,3253:3254,3256,3259,3263:3268,3272,3287,3290:3291,3298,3301:3306,3309:3312,3314,3316,3319,3322,3324:3326] Completed.

(It lists the messages that it copied). Sometimes when that list of messages is very long, Thunderbird gets confused.

I would try testing with another client.

-Patrick

On Aug 26, 2005, at 1:50 AM, Forrest Aldrich wrote:

I just finished copying a few thousand (grin) messages to various folders on my new Cyrus installation (2.2). One of the folders, email from 2002, is not showing up with any mail via the imap client (Thunderbird, in my case), yet I see the messages in the physical directory mailstore. I don't believe Thunderbird is the issue here, as other items are working.

I tried restarting the master process, and stopping then restarting, no luck.

What could be wrong here? I'm guessing so many messages were transferring that perhaps something got mangled - perhaps I need to rebuild the indices, or...

Thanks.
Re: multiple authentication methods?
Have you tried

sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN GSSAPI

Our pine users connect using a Kerb5 ticket. Our other users (like Apple Mail) send us a username/password over a secure connection. They are then validated by saslauthd.

-Patrick

On Aug 25, 2005, at 12:42 PM, Tim Strobell ((Contractor)) wrote:

We need to support Kerberos credentials directly from the clients; pam_krb5 only proxies the username and passwords to the KDC for authentication.

I use gssapi authentication with Mutt against Cyrus using the actual Kerberos credentials, so it would seem to work.

Of course -- but can Cyrus be configured to support _both_ Kerberos (credentials authenticated via GSSAPI) and LDAP (via saslauthd)? Some users will use Kerberos credentials, others may use username/password which we will look up in LDAP. (It is not necessarily the case that all users will have corresponding Kerberos credentials, else pam_krb5 would be appropriate.)

I suspect the answer is no, but I need independent verification.

-Tim

--
Tim Strobell, Sr. Systems Administrator V 202 767 8449
Center for Computational Science, Naval Research Lab F 202 404 7402
Code 5595 (A49-32), 4555 Overlook Ave SW, Washington DC 20375
Re: Cyrus Reconstruct Problems
I don't see a -i as a valid argument in the reconstruct src. Maybe it's from an older version.

What upgrade did you perform? To 10.4 I assume.

I think you need to run reconstruct with -rfx user.username.foldername (wherever the missing mail is located) to rebuild the index. You might want to back up all the cyrus.* files before doing this, since you've had unpredictable results.

Some mail clients (I think Apple Mail and outlook) can get confused about the date for the missing messages after a reconstruct.

Can your user's IMAP client access the inbox? or is that still a problem?

-Patrick

On Aug 18, 2005, at 5:46 PM, Jed Davidow wrote:

I have been having some serious cyrus problems all week. I do not understand why they are occurring, and I hope that someone here can help me out.

We are running Mac OS Server 10.3.9

After an upgrade, I have one user (out of 10) whose inbox was truncated from 3000 messages to 6. I checked, and the messages are still in /var/spool/imap/user/USER.

I stopped the mail server and ran (as cyrus)

/usr/bin/cyrus/bin/reconstruct -f -r user/USER

What did this do? It makes the user's inbox disappear. It shows up in cyradmin, shows up in a client subscribe list, but the IMAP client cannot access it, and I get this error when mail is delivered to it:

Aug 18 14:28:42 localhost postfix/pipe[1876]: 76E1E3656F6: to=, orig_to=, relay=procmail, delay=23, status=deferred (temporary failure)

Note: This is the THIRD time this particular thing has happened to this user's inbox. I also managed to nuke one of his subfolders in the same manner.

I also tried to run

/usr/bin/cyrus/bin/reconstruct -x user/USER

but this did not help.

To fix this, I have had to rebuild the ENTIRE cyrus db. And when I do, the reconstruct tool seems to miss some of the mail in this user's folders. (reconstruct -i).

Does anyone have any ideas? Any at all? Apple TS is zero help.

Some other questions: what is the reconstruct -i switch for? It seems to help rebuild the DB, but I cannot find any documentation on it (I got it from another user who suggested to use that to rebuild).

I am really just trying to understand why all this is happening.

Thanks in advance.

Jed
Re: Quota Issue - New To List
It's not clear to me if you've tried setting a quota using cyradm. Once you use that to set the quota, then the quota folder will appear. It will contain a file like 'user.username' (e.g. user.phr2101) with info on that user's quota.

-Patrick

On Jul 21, 2005, at 2:35 PM, Kurt Laurinaitis wrote:

Hello all..

Got Cyrus up and running but don't want people to abuse my space on my system, so I would like to setup a quota. I looked into the docs and it mentioned a folder in /var/imap but I have no quota folder, here is the step because my partition is ext2

*LINUX SYSTEMS USING EXT2FS ONLY*: Set the user, quota, and partition directories to update synchronously. Failure to do this may lead to data corruption and/or loss of mail after a system crash. Unfortunately, doing so may result in a serious performance hit. If you are using a newer filesystem than ext2fs on Linux, this step should not be necessary. (Running ext3 in any mode is safe.)

cd /var/imap
chattr +S user quota user/* quota/*

I only have the user folder so I am not sure if I just create the folder or where I would begin to setup a quota...can someone point me in the right direction?

Kurt

chattr +S /var/spool/imap /var/spool/imap/*
XFER fails for users with quota set
I'm trying to move users between two backend machines. If the user has a quota, I get this message

xfermailbox: The remote Server(s) denied the operation

The log file on the machine the user is to be moved to has this in the log file

Jul 20 15:25:09 alpenwurst imap[16698]: kick_mupdate: can't connect to target: No such file or directory

The machine the user is on has this in the log

Jul 20 15:25:09 bratwurst imap[4769]: Could not move mailbox: user.phr2101test, failed setting initial quota root

I'm running Cyrus 2.3.

Is this a bug? Known issue? Configuration problem on my part?

thanks,
Patrick
sieve and frontends
I'm trying to test our frontends. They work with imap and pop transactions, but if I connect to a frontend to use sieve I get an error.

sieveshell -u phr2101 -a phr2101 -t frontend
connecting to tofu
verify error:num=19:self signed certificate in certificate chain
Please enter your password:
list
Bad protocol from MANAGESIEVE server: lost connection

We have allowplaintextlogins to be off.

Anyone know what would cause this? I thought the frontend was supposed to send back a referral to the appropriate backend for sieve transactions. In the logs I see a login to the frontend, but not into the back end.

The frontends are running 2.2.12 version of Cyrus

thanks,
Patrick
saslauthd failures during xfer command
I'm trying to transfer a user between two machines in a murder using the xfer command.

Using cyradm

xfer user.testuser hostname 1
xfermailbox: The remote Server(s) denied the operation

Looking through the log files, it appears that the user gets partially transferred and then saslauthd on the murder master starts returning 'Password verification failed'.

Running saslauthd in debug mode gives

saslauthd[30903] :do_auth : auth failure: [user=backend] [service=mupdate] [realm=] [mech=kerberos5] [reason=saslauthd internal error]

The log file on the host the user is moving to shows

Jun 28 15:45:19 bratwurst imap[3465]: authentication to remote mupdate server failed: undefined error!
Jun 28 15:45:19 bratwurst imap[3465]: can not connect to mupdate server for reservation on 'user.testuser.bxscience'

We have saslauthd using kerberos5. We have an MIT KDC. I didn't see anything useful in the KDC logs.

We are using the cyrus SASL (versions 2.1.19) rpm that comes with RHEL4.

During the transfer there are lots and lots of authentications occurring on the murder master for the 'backend' user.

Anyone know where my problem is, or why it is happening? Is it saslauthd choking or my KDC rejecting the password?

thanks,
Patrick
Re: designing a backup mail server
On Jun 24, 2005, at 2:09 AM, Shaun Feeley wrote:

Hi Guys,

I'm not sure if I'm at the right place so sorry if this is annoying but...

I run a cyrus mail server here at Cytopia supporting about 35 users. I have recently purchased some new boxes to upgrade the servers. I am upgrading the Cyrus server, but I am also keen to run a mirror backup cyrus server. Now my question is, can anyone give me any pointers on how to go about designing a backup mail server.

I would suggest using the 2.3 replication mechanism. I've been using it for 6-7 weeks in production with about 100 users. The basic idea is that a program (sync_client) runs on your main cyrus server and pushes any changes to the backup.

I have configured one box as I want, then mirrored it onto another. But I am confused about the DNS setup .. should I create an alias ie mail that can point to either??

We run our setup in a murder, so we just update the mailbox list on the frontends to point to the backup server in case of a failure.

And secondly I am keen to somehow have the mail server polled and if it stops responding bring the backup server into play. To keep them synchronised I am planning to use rsync... but then how do I keep the sasl backend in sync, with different realms etc?

Our failover step is manual. We think failures will be rare, and don't want to be concerned with an automatic mechanism mistakenly making the backup server active.

-Patrick
Re: backup/restores
So what does /var/lib/imap/db directory actually hold? This is the only thing I am not clear on right now.

Files like __db.001 in the folder are the bdb shared memory cache.

The log.0001 type files are transaction logs for bdb. If there is a problem with the bdb databases, you can sometimes fix the problem from the transaction log (this is what ctl_cyrusdb does).

These are used by ctl_cyrusdb to recover (usually done when cyrus starts up) the bdb databases.

If you are backing up your bdb files with db_dump then you don't need to worry about these files.

On a side note you can run

db_stat -m -h /var/lib/imap/db

to get information on your bdb cache performance.

-Patrick
Re: 2.2 and 2.3 imapd
We had the same problem a few weeks back. I filed a bug at https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=2669

Our solution was to have the backends and murder master run the 2.3 code, and the frontends run the 2.2 code. This works for us since the 2.3 features that we want (replication, unexpunge) are only needed on the backend.

Another alternative is to try the unified murder (backends and frontends are the same machine), but I do not know what state that code is in.

-Patrick

On Jun 22, 2005, at 12:29 AM, Mark wrote:

Hello,

There is a 2.2-imapd (2.2.12) murder enabled environment (front ends, murder master, back ends) working nice, and so I set up another front end with the 2.3 cvs code for testing. After setting it all up, I'm having problems fetching mail through it. What happens is, a mail client (tried mutt and Thunderbird) connects to 2.3 proxy fine, authenticates, and then fetches INBOX and gets stuck, mail headers never arrive.

I'm a bit out of ideas, and in fact wanted to know if this kind of setup should work, and if it is recommended at all. If it should work, and anyone has an idea where I should look, that would be great help. And if not, what is a good way to upgrade to 2.3?

Here are cyrus logs from both 2.3 front end that gets stuck, and also a working one (2.2.12) just in case it helps. Lines will probably be broken..

- start 2.3 that gets stuck -
1119119387a0003 OK User logged in
1119119387a0004 LIST
1119119387* LIST (\Noselect) /
a0004 OK Completed (0.000 secs 0 calls)
1119119387a0005 SELECT INBOX
1119119387* FLAGS (\Answered \Flagged \Draft \Deleted \Seen Junk $MDNSent)
* OK [PERMANENTFLAGS (\Answered \Flagged \Draft \Deleted \Seen Junk $MDNSent \*) ]
* 831 EXISTS
* 0 RECENT
* OK [UNSEEN 827]
* OK [UIDVALIDITY 1101173713]
* OK [UIDNEXT 18056]
a0005 OK [READ-WRITE] Completed
- end of 2.3 -

- start 2.2 that works ok -
1119116500a0003 OK User logged in
1119116500a0004 LIST
1119116500* LIST (\Noselect) /
a0004 OK Completed
1119116500a0005 SELECT INBOX
1119116500* FLAGS (\Answered \Flagged \Draft \Deleted \Seen Junk $MDNSent)
* OK [PERMANENTFLAGS (\Answered \Flagged \Draft \Deleted \Seen Junk $MDNSent \*) ]
* 833 EXISTS
* 0 RECENT
* OK [UNSEEN 827]
* OK [UIDVALIDITY 1101173713]
* OK [UIDNEXT 18053]
a0005 OK [READ-WRITE] Completed
1119116500a0006 MYRIGHTS INBOX
1119116500* MYRIGHTS INBOX lrswipcda
a0006 OK Completed
1119116500a0007 FETCH 1:833 (UID FLAGS INTERNALDATE RFC822.SIZE BODY.PEEK[HEADER.FIELDS (DATE FROM SUBJECT TO CC MESSAGE-ID REFERENCES CONTENT-TYPE IN-REPLY-TO REPLY-TO LINES X-LABEL)])
1119116500* 1 FETCH (FLAGS (\Answered \Seen) UID 8 INTERNALDATE 16-Dec-2004 10:14:28 -0500 RFC822.SIZE 1765 BODY[HEADER.FIELDS (DATE FROM SUBJECT TO CC MESSAGE-ID REFERENCES CONTENT-TYPE IN-REPLY-TO REPLY-TO LINES X-LABEL)] {268}
Message-ID: ...
[ and so on, it fetches it all ]
- end of 2.2 log -

Thanks for any help and pointers.

Mark
Re: backup without stopping the imap server?
If you are adventurous you can try running the 2.3 code from CVS. You can build it with replication, and then it can replicate everything from one machine to a secondary/replica machine. That way you always have a backup that is just a few seconds behind the original. To make tape backup you can shutdown the replica and copy from that. The primary server stays running and no users are affected.

-Patrick
Re: Unable to login
Try it with testsaslauthd first to see if saslauthd is working correctly.

testsaslauthd -u cyrus -p password
0: OK Success.

-Patrick

On Jun 2, 2005, at 8:47 AM, Imran Aziz wrote:

Hello All,

I have finally managed to install Cyrus IMAP. But I am unable to login to the server to create new accounts. I am using this command

/usr/local/bin/imtest -m login -a USER localhost

but I get an authentication failure and my imapd.conf has this configuration

configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
tls_ca_file: /usr/share/ssl/certs/ca-bundle.crt

I have changed the cyrus user password created on the OS to login using that, but it does not work. I am new to this, so don't know which authentication database I am using and how to manage it. Please kindly give me some tips how to manage the IMAP server.

Thanks a lot.

Imran.
Re: Unable to login
You have the -u and -a parameters mixed up. You want to authenticate (-a) as 'cyrus' and be authorized (-u) as USER.

In your imapd.conf file you have

sasl_mech_list: PLAIN

So the only SASL mechanism that will be advertised by the server is PLAIN. It will only be advertised if you connect securely. Try adding a -t to your command line arguments as well.

To know what AUTH mech are available look at the output from imtest.

Example: The first CAPABILITY call returns no AUTH mechanisms. Then we establish a TLS connection and issue the call again. Then we get the AUTH=PLAIN mechanism available.

imtest -a cyrus -u tc2154 -t -p imap localhost
S: * OK notdog.cc.columbia.edu Cyrus IMAP4 v2.3-alpha server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS
S: C01 OK Completed
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN SASL-IR
S: C01 OK Completed
Please enter your password:

hope that helps,
-Patrick

On Jun 2, 2005, at 10:21 AM, Imran Aziz wrote:

Thanks a lot for your response. That works perfectly fine for me, however using

imtest -u cyrus -a USER -m login -p imap -v localhost

The same details don't work. Any other pointers. How can I find out which authentication method is configured for my installation? imtest docs say that supported methods are listed in the AUTH details displayed on login, but for my install there is no AUTH details.

Imran.
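The before/after STARTTLS comparison described in this thread can be automated. The following is an added example, not part of the original messages or of Cyrus: it parses a saved imtest transcript taken against the plain imap port and reports which AUTH mechanisms are advertised in each phase. The sample transcript and host name are constructed, and the function names are assumptions of this example.

```python
import re

# SASL mechanisms that put the password itself on the wire.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample, modelled on the imtest output quoted in this thread.
SAMPLE_TRANSCRIPT = """\
S: * OK mail.example.org Cyrus IMAP4 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ IDLE STARTTLS
S: C01 OK Completed
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ IDLE AUTH=PLAIN SASL-IR
S: C01 OK Completed
"""

# Matches "* CAPABILITY ..." and the "* OK [CAPABILITY ...]" banner form.
CAPA_RE = re.compile(r"S:\s+\*\s+(?:OK\s+\[)?CAPABILITY\s+([^\]]*)", re.I)
STARTTLS_RE = re.compile(r"C:\s+(\S+)\s+STARTTLS\s*$", re.I)


def parse_phases(transcript):
    """Collect capability tokens seen before and after a successful STARTTLS."""
    phases = {"cleartext": set(), "tls": set()}
    phase, starttls_tag = "cleartext", None
    for raw in transcript.splitlines():
        line = raw.strip()
        m = STARTTLS_RE.match(line)
        if m:
            starttls_tag = m.group(1)      # remember the tag of the STARTTLS command
            continue
        if starttls_tag and re.match(rf"S:\s+{re.escape(starttls_tag)}\s+OK\b", line, re.I):
            phase, starttls_tag = "tls", None  # server accepted STARTTLS
            continue
        m = CAPA_RE.match(line)
        if m:
            phases[phase].update(tok.upper() for tok in m.group(1).split())
    return phases


def auth_mechs(caps):
    """Extract mechanism names from AUTH=... capability tokens."""
    return {c.split("=", 1)[1] for c in caps if c.startswith("AUTH=")}


def audit(transcript):
    """Report advertised mechanisms per phase and anything exposed before TLS."""
    phases = parse_phases(transcript)
    clear, tls = phases["cleartext"], phases["tls"]
    findings = []
    exposed = auth_mechs(clear) & PLAINTEXT_MECHS
    if exposed:
        findings.append("plaintext SASL mechanism before TLS: " + ",".join(sorted(exposed)))
    if clear and "LOGINDISABLED" not in clear:
        # Without LOGINDISABLED a client may still attempt the LOGIN command.
        findings.append("LOGIN command not disabled before TLS")
    if clear and "STARTTLS" not in clear:
        findings.append("STARTTLS not offered")
    return {
        "cleartext_auth": sorted(auth_mechs(clear)),
        "tls_auth": sorted(auth_mechs(tls)),
        "findings": findings,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_TRANSCRIPT))
```

A transcript captured on the imaps port is already encrypted from the first byte, so its capabilities should not be fed to this check as if they were cleartext.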
Re: Does Proxy User Work?
You can proxy as another user automatically with the cyrus user

imtest -t -a cyrus -u tc2154 host.

You give the cyrus password for authentication and then are authorized as tc2154.

If you want to use an account besides cyrus for authentication set these in imapd.conf

proxy_authname: proxyname
proxy_password: password

Now you could do

imtest -t -a proxyname -u tc2154 host.

and give the proxyname's password

-Patrick

On Jun 1, 2005, at 4:18 PM, Tim Pushor wrote:

How about backing up the ldap directory, resetting the passwords to a known (to you) password, do the transition, and restore the directory?

If that's not possible, how about setting up a new temporary directory with your user accounts and the known password, temporarily point cyrus to it until after the transition, then point it back?

Thanks,
Tim

John C. Amodeo wrote:

I've been researching a way to proxy as another user for 2 days without luck. It seems that Cyrus/SASL has the ability to take a proxy command, but I cannot find any feasible application of it. I need help.

Here's the situation: I need to migrate 4 legacy Cyrus 2.0.17 servers to a new Cyrus 2.1.15 server. For multiple reasons, I would rather perform the migration via imap using a sync utility like imapsync (or the equivalent) rather than trying to merge the 4 servers through a manual upgrade / reconstruct.

I need to be able to login as a normal user, say Bob Smith, as the Cyrus superuser using Cyrus's credentials. If not, it will be a nightmare (and a bad practice) to collect my user's id's and passwords to run the conversion... I would love to work in batch mode where I would only need to supply userid (of the user) and then the cyrus super account credentials (or equivalent...)

I'm reading all over the place about the difference between authcid and authzid, proxyservers: cyrus, etc. etc. but can't find any true application for how this might work in real life. I've tried every manageable combination of command line arguments with imtest to no avail...

Both my 2.0.16 boxes and my 2.1.15 box authenticate against a central LDAP directory using sasl_mech_list: PLAIN.

Does anyone have any ideas or suggestions? I really want to avoid hacking the SASL code to take a master password for any user.

Thanks in advance.

-John
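The authcid/authzid split asked about here, and the -a/-u distinction from the "Unable to login" thread above, is visible in the SASL PLAIN message itself (RFC 4616: authzid, NUL, authcid, NUL, password). The following is an added example, not code from Cyrus or from the posters: it builds and parses that message and applies a simplified authorization rule. The `proxy_capable` set is a hypothetical stand-in for the accounts a server allows to act as other users, and the password is a constructed value.

```python
import base64


def encode_plain(authcid, password, authzid=""):
    """Build the base64 PLAIN response: [authzid] NUL authcid NUL passwd."""
    for field in (authzid, authcid, password):
        if "\x00" in field:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    if not authcid:
        raise ValueError("authcid (the identity whose password is checked) is required")
    raw = "\x00".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(b64):
    """Split a PLAIN response into (authzid, authcid, password)."""
    raw = base64.b64decode(b64, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3 or not parts[1]:
        raise ValueError("malformed PLAIN response")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    return authzid, authcid, password


def authorize(authzid, authcid, proxy_capable):
    """Return the effective user, or None when the request must be refused.

    Simplified model (an assumption of this example): the password for
    authcid has already been verified, and only identities listed in
    proxy_capable may act as somebody else.
    """
    if authzid in ("", authcid):
        return authcid            # no proxying requested
    if authcid in proxy_capable:
        return authzid            # trusted account acting as another user
    return None                   # ordinary user asking for someone else's identity


if __name__ == "__main__":
    # Equivalent of: imtest -a cyrus -u tc2154  (password is a constructed value)
    response = encode_plain("cyrus", "example-password", authzid="tc2154")
    authzid, authcid, _ = decode_plain(response)
    print("authenticate as", authcid, "-> act as", authorize(authzid, authcid, {"cyrus"}))
```

Swapping the two identities, as in the "Unable to login" thread, asks the server to check USER's password and then act as cyrus, which this rule refuses.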
frontend can see mailboxes but not messages
This is my first time setting up a murder. I can get the frontend to see all the mailboxes, but when I try to read a message, or even list the messages in a mailbox, the operation just times out.

Anyone know what the likely cause is?

We are running 2.3 from cvs.

Our proxy_authname is murder. Using imtest I can authenticate as murder and be authorized as another user.

Our frontend is called tempeh, and the backend is called spam

May 24 13:58:07 spam imap[17661]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
May 24 13:58:07 spam imap[17661]: login: tempeh.cc.columbia.edu [128.59.59.180] tc2154 PLAIN+TLS User logged in

So it looks like the frontend is able to connect as the user.

A sample session through the frontend looks like

1116958139A5 SELECT INBOX
1116958139* FLAGS (\Answered \Flagged \Draft \Deleted \Seen)
* OK [PERMANENTFLAGS (\Answered \Flagged \Draft \Deleted \Seen \*)]
* 1 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1116865041]
* OK [UIDNEXT 2]
A5 OK [READ-WRITE] Completed
---then it times out searching the mailbox

while if I connect directly to the backend I get

1116958559A5 SELECT INBOX
1116958559* FLAGS (\Answered \Flagged \Draft \Deleted \Seen)
* OK [PERMANENTFLAGS (\Answered \Flagged \Draft \Deleted \Seen \*)]
* 1 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1116865041]
* OK [UIDNEXT 2]
A5 OK [READ-WRITE] Completed
1116958559A6 SEARCH UNSEEN
1116958559* SEARCH
A6 OK Completed (0 msgs in 0.000 secs)
1116958559A7 SEARCH DELETED
1116958559* SEARCH
A7 OK Completed (0 msgs in 0.000 secs)
1116958559A8 MYRIGHTS INBOX
1116958559* MYRIGHTS INBOX lrswipcda
A8 OK Completed
1116958559A9 FETCH 1 (FLAGS RFC822.SIZE UID INTERNALDATE ENVELOPE BODYSTRUCTURE)
--message returned

I've tried with mulberry and apple mail.

Any suggestions would be great.

thanks,
Patrick
does ctl_mboxlist support tls?
I am wondering if ctl_mboxlist supports tls? If not, is it because of a technical reason or 'lack of time to add feature' reason?

We have plain text logins disabled on the murder master.

mupdatetest works fine

mupdatetest -p 3905 -a cyrus -t host

does what is expected, but ctl_mboxlist does not

ctl_mboxlist -mw
couldn't connect to mupdate server

May 18 17:10:31 spam ctl_mboxlist[15598]: authentication to remote mupdate server failed: SASL(-4): no mechanism available: No worthy mechs found

Our imapd.conf file looks like

#murder stuff
mupdate_username: cyrus
mupdate_password: password
mupdate_server: host
mupdate_port: 3905

Am I missing a configuration option?

We are running 2.3 from cvs

thanks,
Patrick
auth_unix
I have a question about the --with-auth=unix method for authorization.

I would assume that a user would only be authorized to access mailboxes that the user has rights to if the user has a unix account in the first place.

e.g. If there are 2 mailboxes 'box1' with acls 'testuser lrswipcda' and mailbox 'box2' with acls 'anyone lrswipcda'. If testuser has no unix account I would not expect him to see box1 (since no unix account == no authorization), but be able to see box2.

From my testing, this does not seem to be the case. testuser has no unix account but can still access all mailboxes that have an acl with his name.

It appears that --with-auth=unix is good for doing authorization with group acls.

In the code I would have assumed if ( from auth_unix.c, method struct auth_state *auth_newstate(const char *identifier) ) getpwnam(identifier) returned null (the unix account does not exist) then *newstate should remain null, and the login would only be authorized for anyone, anonymous acl stuff.

I have read a bunch of posts about doing ldap filters with saslauthd or pam_ldap to control who has access, but I'd prefer using the --with-auth mechanism for various reasons (one of which is we prefer running saslauthd -a kerberos5)

Is the behavior I see from -with-auth=unix the intended and desired behavior?

Does -with-auth-pts with -with-pts=ldap behave the same as --with-auth=unix? i.e. If user can login he is authorized to view his own mailbox regardless of whether he exists according to the authorization mechanism? Or if there is no user matching user in ldap, will it fail and not let them login (acceptable for our use)?

cyrus-imapd-2.2.12

thanks,
Patrick Radtke
Re: using imclient
On Mar 17, 2005, at 1:21 PM, Patrick Welche wrote:

On Wed, Mar 16, 2005 at 04:04:48PM -0500, Patrick Radtke wrote:

I'll add a little code sample

// server returns NO on an error
imclient_addcallback(imclient, "NO", CALLBACK_NOLITERAL, callback_error, error_string, NULL);
nc = 1;
imclient_send(imclient, end_command, (void*) &nc, "create \"user/bigtestuser3\"");
while (nc > 0) {
    imclient_processoneevent(imclient);
}
cout << "create data is " << error_string << endl;

So bigtestuser3 already exists. So I would expect the imap server to return 'NO Mailbox already exists'. So I add a callback on the keyword 'NO', but it never gets called. Are there other settings I need to use on the callback?

Just experimenting, you could try CALLBACK_NUMBERED instead of CALLBACK_NOLITERAL, or just NULL, and you could even use "" instead of NO at least to start by catching all responses..

Cheers,
Patrick

I tried various combinations of CALLBACK_NUMBERED, NULL, "" and NO and did not have any luck.

I tried making things as simple as possible.

static void callback_generic(struct imclient *imclient, void *rock, struct imclient_reply *reply)
{
    cout << "in gerneric callback" << endl;
    cout << "\tKeyword: " << reply->keyword << endl
         << "\tMsgno: " << reply->msgno << endl
         << "\tText: " << reply->text << endl << endl;
}

then in main

imclient_addcallback(imclient, "", /*also tried "NO" */
                     NULL, /*also tried CALLBACK_NUMBERED*/
                     callback_generic, msg_string, NULL);
nc = 1;
imclient_send(imclient, end_command, (void*) &nc, "create \"user/bigtestuser10\"");
while (nc > 0) {
    imclient_processoneevent(imclient);
}

and I've tried both setting and not setting (my server supports LITERAL+)

imclient_setflags(imclient, IMCLIENT_CONN_NONSYNCLITERAL);

Is there some other step that must be performed? Things like getquota, getacl work fine.

From reading through 'man imclient' and the Imap V4 rev 1 RFC, it appears that imclient_addcallback is only good for untagged data response from the server. While the response I am trying to detect (OK, NO) is a tagged response.

Does anyone know how to process a tagged response with imclient?

-Patrick
Re: using imclient
I figured out how to determine the OK,BAD tagged response.

I modified the end_command from 'man imclient'

static void end_command(struct imclient *connection, void *rock, struct imclient_reply *inmsg)
{
    cout << "in end_command" << endl;
    cout << "\tKeyword: " << inmsg->keyword << endl
         << "\tMsgno: " << inmsg->msgno << endl
         << "\tText: " << inmsg->text << endl << endl;
    /* rock points at the caller's pending-command counter */
    (*(int*)rock)--;
}

now when I do

nc = 1;
imclient_send(imclient, end_command, (void*) &nc, "CREATE %s", "user/bigtestuser10");

I see this output

in end_command
	Keyword: NO
	Msgno: -1
	Text: Mailbox already exists

I had just been looking in the wrong place previously.

-Patrick
using imclient
Hi,

I am trying to write a program using imclient. I am not sure how to detect errors when I use send. For example when I send 'create user/phr2101' I am unsure how to get the error message from the action (since the account already exists).

Does anyone know? or have sample code using imclient that I could look at?

thanks,
Patrick