Re: Disable client authentication with certificates

2013-12-10 Thread Wolfgang Breyha
Stefan Gofferje wrote, on 10.12.2013 16:33:
> Maybe the existing options could just be extended, like in the Postfix
> setting for TLS, e.g.
> 
> tls_imap_require_cert: no|ask|require

Changing the way existing options work and breaking compatibility with
existing configurations is most likely not the best idea ;-)

> I think, having logical options which are clear to the admin is better
> than some implicit consequences which are not bilaterally logical.
> I don't know if I express this right/understandably :).

Adding a new option is easy. Done in 30 minutes. I can do it if an official dev
says it makes sense and will be added... but I haven't had any answers from Bron
for a very long time now. So I'm pushing the patches I use myself locally to
bugzilla, waiting for a response.

> The background is that a bunch of TLS tutorials on the web include
> configuring the CA but not explaining in detail why, so an inexperienced
> admin could assume that he should put the CA certificate for the server
> cert's CA there.

TLS tutorials for cyrus-imapd including tls_ca_path/file by default? Most
likely to get rid of the debug warnings.

Greetings, Wolfgang
-- 
Wolfgang Breyha  | http://www.blafasel.at/
Vienna University Computer Center | Austria


Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus


Re: Disable client authentication with certificates

2013-12-10 Thread Stefan Gofferje
On 12/10/2013 12:49 PM, Wolfgang Breyha wrote:
> cyrus distinguishes between asking for a cert and requiring a cert. I don't
> know why, sorry. Sometimes it is practical to ask for a cert and only try to
> verify it without enforcing it. But asking for certs while being unable to verify
> them (without CAs) seems odd. That's why I decided to do it that way.

Maybe the existing options could just be extended, like in the Postfix
setting for TLS, e.g.

tls_imap_require_cert: no|ask|require

I think, having logical options which are clear to the admin is better
than some implicit consequences which are not bilaterally logical.
I don't know if I express this right/understandably :).

The background is that a bunch of TLS tutorials on the web include
configuring the CA but not explaining in detail why, so an inexperienced
admin could assume that he should put the CA certificate for the server
cert's CA there.

-Stefan

-- 
 (o_   Stefan Gofferje| SCLT, MCP, CCSA
 //\   Reg'd Linux User #247167   | VCP #2263
 V_/_  Heckler & Koch - the original point and click interface





Re: Disable client authentication with certificates

2013-12-10 Thread Wolfgang Breyha
Stefan Gofferje wrote, on 10.12.2013 08:17:
> There are options?
> 
> tls_require_cert: false
> tls_imap_require_cert: false
> tls_pop3_require_cert: false
> tls_lmtp_require_cert: false
> tls_sieve_require_cert: false
> 
> Why ask for a cert when the config says it's not needed? Or do I see
> this too naive?

cyrus distinguishes between asking for a cert and requiring a cert. I don't
know why, sorry. Sometimes it is practical to ask for a cert and only try to
verify it without enforcing it. But asking for certs while being unable to verify
them (without CAs) seems odd. That's why I decided to do it that way.

Greetings, Wolfgang
-- 
Wolfgang Breyha  | http://www.blafasel.at/
Vienna University Computer Center | Austria




Re: Disable client authentication with certificates

2013-12-09 Thread Stefan Gofferje
On 12/09/2013 07:10 PM, Wolfgang Breyha wrote:
> My patch is not suitable for general use. IMO client cert requests should
> either depend on a new option or on the availability of configured CAs.
> Both are possible, but I'm not aware of the reason why client certs are
> requested historically.
> 
> I would simply make it dependent on CA availability.

There are options?

tls_require_cert: false
tls_imap_require_cert: false
tls_pop3_require_cert: false
tls_lmtp_require_cert: false
tls_sieve_require_cert: false

Why ask for a cert when the config says it's not needed? Or do I see
this too naive?

-Stefan

-- 
 (o_   Stefan Gofferje| SCLT, MCP, CCSA
 //\   Reg'd Linux User #247167   | VCP #2263
 V_/_  Heckler & Koch - the original point and click interface





Re: Disable client authentication with certificates

2013-12-09 Thread Wolfgang Breyha
On 2013-12-09 18:10, Wolfgang Breyha wrote:
> I would simply make it dependent on CA availability.

proposed patch for that:
https://bugzilla.cyrusimap.org/show_bug.cgi?id=3830

Greetings, Wolfgang
-- 
Wolfgang Breyha  | http://www.blafasel.at/
Vienna University Computer Center | Austria



Re: Disable client authentication with certificates

2013-12-09 Thread Wolfgang Breyha
On 2013-12-09 16:59, Stefan Gofferje wrote:
> That worked fine :). Thanks. Is it planned to integrate your patch into
> Cyrus? It *is* kinda illogical to ask for a client cert when client cert
> authentication is explicitly disabled ^^.

My patch is not suitable for general use. IMO client cert requests should
either depend on a new option or on the availability of configured CAs.
Both are possible, but I'm not aware of the reason why client certs are
requested historically.

I would simply make it dependent on CA availability.

Greetings, Wolfgang
-- 
Wolfgang Breyha  | http://www.blafasel.at/
Vienna University Computer Center | Austria



Re: Disable client authentication with certificates

2013-12-09 Thread Stefan Gofferje
On 12/09/2013 03:09 PM, Wolfgang Breyha wrote:
> You can either connect to ports 993/995 to prevent the use of client certs

That worked fine :). Thanks. Is it planned to integrate your patch into
Cyrus? It *is* kinda illogical to ask for a client cert when client cert
authentication is explicitly disabled ^^.

-Stefan

-- 
 (o_   Stefan Gofferje| SCLT, MCP, CCSA
 //\   Reg'd Linux User #247167   | VCP #2263
 V_/_  Heckler & Koch - the original point and click interface





Re: Disable client authentication with certificates

2013-12-09 Thread Wolfgang Breyha
On 2013-12-07 10:08, Stefan Gofferje wrote:
> On 12/03/2013 09:28 PM, Stefan Gofferje wrote:
>> So why does Thunderbird ask me which certificate to use for
>> authentication? Does my Cyrus ask for a client certificate or does it
>> not? ^^
> 
> Nobody a clue?

It depends. On IMAPS/POP3S ports cyrus never asks for client certs. On the
other hand, it always asks for them when doing STARTTLS. That's caused by the way
tls_init_serverengine() is called in imapd.c and pop3d.c.

You can either connect to ports 993/995 to prevent the use of client certs
or you can completely disable client certs with this patch (still works on
2.4.17):


# cat SOURCES/cyrus-imapd-2.3.14-disable_clientcerts.patch
diff -urN cyrus-imapd-2.3.14.orig/imap/imapd.c cyrus-imapd-2.3.14/imap/imapd.c
--- cyrus-imapd-2.3.14.orig/imap/imapd.c2009-05-06 14:05:17.0 
+0200
+++ cyrus-imapd-2.3.14/imap/imapd.c 2009-05-06 14:09:48.0 +0200
@@ -6764,7 +6764,7 @@

 result=tls_init_serverengine("imap",
 5,/* depth to verify */
-!imaps,   /* can client auth? */
+0,/* can client auth? */
 !imaps);  /* TLS only? */

 if (result == -1) {
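Review bot: the replaced argument (`-!imaps` to `+0`, the value commented `/* can client auth? */`) switches client certificate requests off for every imapd session, STARTTLS included, instead of tying them to `tls_imap_require_cert` or to whether `tls_ca_file`/`tls_ca_path` is configured; as Wolfgang's own follow-up in this thread says (requests should depend on a new option or on the availability of configured CAs), otherwise the option stays dead on STARTTLS and the patch has to live on as a local fork. Two practical points as well: the hunk header `@@ -6764,7 +6764,7 @@` is from the 2.3.14 tree and only applies to 2.4.17 with an offset, so re-generate the hunk against the version actually shipped; and the `---`/`+++` file header lines above are wrapped in this copy (`+0200` sits on a line of its own), so the patch has to be un-wrapped before `patch -p1` will accept it.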
diff -urN cyrus-imapd-2.3.14.orig/imap/pop3d.c cyrus-imapd-2.3.14/imap/pop3d.c
--- cyrus-imapd-2.3.14.orig/imap/pop3d.c2009-05-06 14:05:17.0 
+0200
+++ cyrus-imapd-2.3.14/imap/pop3d.c 2009-05-06 14:10:05.0 +0200
@@ -1077,7 +1077,7 @@

 result=tls_init_serverengine("pop3",
 5,/* depth to verify */
-!pop3s,   /* can client auth? */
+0,/* can client auth? */
 !pop3s);  /* TLS only? */

 if (result == -1) {
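Review bot: same unconditional `0` for pop3d as for imapd; with the `/* can client auth? */` flag never set, the server stops sending a CertificateRequest on STARTTLS, so `tls_pop3_require_cert: true` can no longer be honoured there either (unless tls_init_serverengine enables peer verification by some other path, which this hunk does not show). The option list quoted in this thread also covers lmtp and sieve; if lmtpd and timsieved call tls_init_serverengine with the same `!xxxs` pattern, this patch leaves them asking for certificates.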
---

Greetings, Wolfgang
-- 
Wolfgang Breyha  | http://www.blafasel.at/
Vienna University Computer Center | Austria

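Wolfgang's explanation (a CertificateRequest on STARTTLS sessions, none on the IMAPS/POP3S ports) can be checked on the wire rather than by reading imapd.c. The following is an added example, not code from this thread or from Cyrus: it walks the server's first handshake flight of a TLS 1.0 to 1.2 session, as captured on port 143 right after `S01 OK Begin TLS negotiation now` or on port 993 right after connect, and reports whether a CertificateRequest (handshake type 13) is present and which CA names it carries. The sample flights are constructed by `build_server_flight` with placeholder Certificate and ServerKeyExchange bodies; the layout of the other messages is the standard one. TLS 1.3 encrypts this part of the handshake, so the check only applies to the TLS 1.0 to 1.2 sessions this thread is about.

```python
"""Does this TLS server ask for a client certificate?

Added example, not code from the thread or from Cyrus. It inspects the
plaintext server flight of a TLS 1.0-1.2 handshake (ServerHello ...
ServerHelloDone) and reports whether a CertificateRequest is present.
TLS 1.3 encrypts these messages, so the check applies to TLS <= 1.2 only.
"""
import struct

CONTENT_HANDSHAKE = 22
HS_SERVER_HELLO = 2
HS_CERTIFICATE = 11
HS_SERVER_KEY_EXCHANGE = 12
HS_CERTIFICATE_REQUEST = 13
HS_SERVER_HELLO_DONE = 14
TLS12 = (3, 3)


def handshake_messages(flight: bytes):
    """Yield (type, body) for every handshake message in a run of TLS records.

    Handshake messages may straddle record boundaries, so the handshake
    layer is reassembled first and split afterwards."""
    layer = bytearray()
    off = 0
    while off < len(flight):
        if off + 5 > len(flight):
            raise ValueError("truncated record header")
        ctype, _major, _minor, length = struct.unpack("!BBBH", flight[off:off + 5])
        off += 5
        if ctype != CONTENT_HANDSHAKE:
            raise ValueError(f"unexpected record type {ctype} in server flight")
        if off + length > len(flight):
            raise ValueError("truncated record body")
        layer += flight[off:off + length]
        off += length
    pos = 0
    while pos < len(layer):
        if pos + 4 > len(layer):
            raise ValueError("truncated handshake header")
        hs_type = layer[pos]
        hs_len = int.from_bytes(layer[pos + 1:pos + 4], "big")
        body = bytes(layer[pos + 4:pos + 4 + hs_len])
        if len(body) != hs_len:
            raise ValueError("truncated handshake message")
        yield hs_type, body
        pos += 4 + hs_len


def parse_certificate_request(body: bytes, tls12: bool) -> dict:
    """Decode a CertificateRequest body (RFC 5246 7.4.4; RFC 4346 for TLS 1.1).

    TLS 1.2 inserts supported_signature_algorithms between the certificate
    types and the CA names; earlier versions do not."""
    n_types = body[0]
    pos = 1
    cert_types = list(body[pos:pos + n_types])
    pos += n_types
    if tls12:
        sig_len = int.from_bytes(body[pos:pos + 2], "big")
        pos += 2 + sig_len
    ca_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    end = pos + ca_len
    ca_names = []
    while pos < end:
        dn_len = int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        ca_names.append(body[pos:pos + dn_len])  # DER DistinguishedName, left undecoded
        pos += dn_len
    return {"cert_types": cert_types, "ca_names": ca_names}


def client_cert_request(flight: bytes):
    """Return None if the server never asked for a client certificate,
    else the decoded CertificateRequest."""
    version = None
    for hs_type, body in handshake_messages(flight):
        if hs_type == HS_SERVER_HELLO:
            version = (body[0], body[1])  # server_version precedes the 32-byte random
        elif hs_type == HS_CERTIFICATE_REQUEST:
            return parse_certificate_request(body, tls12=(version == TLS12))
        elif hs_type == HS_SERVER_HELLO_DONE:
            return None
    raise ValueError("flight ended without ServerHelloDone")


# --- constructed sample flights (not captured from a real server) ----------

def _hs(hs_type: int, body: bytes) -> bytes:
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body


def _record(payload: bytes, version) -> bytes:
    return bytes([CONTENT_HANDSHAKE, *version]) + len(payload).to_bytes(2, "big") + payload


def build_server_flight(ask_for_cert: bool, version=(3, 1), ca_names=()) -> bytes:
    """Build a minimal server flight. Certificate and ServerKeyExchange carry
    placeholder bodies; the layout of the other messages is the real one."""
    # ServerHello: version, 32-byte random, empty session_id, DHE-RSA-AES256-SHA, null compression
    server_hello = bytes(version) + bytes(32) + b"\x00" + b"\x00\x39" + b"\x00"
    msgs = [_hs(HS_SERVER_HELLO, server_hello),
            _hs(HS_CERTIFICATE, b"\x00\x00\x00"),        # placeholder: empty list
            _hs(HS_SERVER_KEY_EXCHANGE, b"\x00")]        # placeholder
    if ask_for_cert:
        body = b"\x01\x01"                               # one type: rsa_sign
        if version == TLS12:
            body += b"\x00\x02\x04\x01"                  # sha256+rsa
        cas = b"".join(len(n).to_bytes(2, "big") + n for n in ca_names)
        body += len(cas).to_bytes(2, "big") + cas        # empty list = "any issuer"
        msgs.append(_hs(HS_CERTIFICATE_REQUEST, body))
    msgs.append(_hs(HS_SERVER_HELLO_DONE, b""))
    stream = b"".join(msgs)
    half = len(stream) // 2                              # split across two records on purpose
    return _record(stream[:half], version) + _record(stream[half:], version)


if __name__ == "__main__":
    samples = [("imaps-style (no request)", build_server_flight(False)),
               ("starttls-style, no CA configured", build_server_flight(True)),
               ("starttls-style, TLS 1.2, one CA", build_server_flight(True, TLS12, [b"\x30\x00"]))]
    for label, flight in samples:
        print(label, "->", client_cert_request(flight))
```

A CertificateRequest with an empty CA-name list is what a server without any `tls_ca_file`/`tls_ca_path` loaded would have to send; a client that filters its candidate certificates by the issuer names in the request then has nothing to filter on, which matches Thunderbird offering a certificate chooser at all.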


Re: Disable client authentication with certificates

2013-12-07 Thread Stefan Gofferje
On 12/03/2013 09:28 PM, Stefan Gofferje wrote:
> So why does Thunderbird ask me which certificate to use for
> authentication? Does my Cyrus ask for a client certificate or does it
> not? ^^

Nobody a clue?

-- 
 (o_   Stefan Gofferje| SCLT, MCP, CCSA
 //\   Reg'd Linux User #247167   | VCP #2263
 V_/_  Heckler & Koch - the original point and click interface





Re: Disable client authentication with certificates

2013-12-03 Thread Stefan Gofferje
On 12/03/2013 08:01 PM, Dan White wrote:
>> On 12/03/2013 04:39 PM, Dan White wrote:
> This looks successful, from the server's viewpoint.

Yes, yes, when I click "cancel" when Thunderbird asks which certificate to
use, everything goes fine.

However, if I *do* tell Thunderbird to use a certificate, the following
happens:
Dec  3 21:19:50 home imap[17566]: executed
Dec  3 21:19:50 home imap[17566]: accepted connection
Dec  3 21:19:50 home imap[17567]: executed
Dec  3 21:19:50 home imap[17567]: accepted connection
Dec  3 21:19:50 home imap[17568]: executed
Dec  3 21:19:50 home imap[17568]: accepted connection
Dec  3 21:19:58 home imap[17568]: DBMSG: 20 lockers
Dec  3 21:19:58 home imap[17568]: TLS server engine: cannot load CA data
Dec  3 21:19:58 home imap[17566]: TLS server engine: cannot load CA data
Dec  3 21:19:58 home imap[17566]: imapd:Loading hard-coded DH parameters
Dec  3 21:19:58 home imap[17568]: imapd:Loading hard-coded DH parameters
Dec  3 21:19:58 home imap[17567]: TLS server engine: cannot load CA data
Dec  3 21:19:58 home imap[17567]: imapd:Loading hard-coded DH parameters
Dec  3 21:19:58 home imap[17566]: SSL_accept() incomplete -> wait
Dec  3 21:19:58 home imap[17568]: SSL_accept() incomplete -> wait
Dec  3 21:19:58 home imap[17567]: SSL_accept() incomplete -> wait
Dec  3 21:20:11 home imap[20102]: fetching user_deny.db entry for ''
Dec  3 21:20:11 home imap[20104]: fetching user_deny.db entry for ''
Dec  3 21:20:11 home imap[17566]: Doing a peer verify
Dec  3 21:20:11 home imap[17566]: verify error:num=20:unable to get local issuer certificate
Dec  3 21:20:11 home imap[17566]: no certificate returned in SSL_accept() -> fail
Dec  3 21:20:11 home imap[17566]: STARTTLS negotiation failed: enterprise.net.loc [xxx.xxx.xxx.xxx]
Dec  3 21:20:11 home imap[17566]: Connection reset by peer, closing connection
Dec  3 21:20:11 home imap[20104]: fetching user_deny.db entry for ''
Dec  3 21:20:11 home imap[20102]: fetching user_deny.db entry for ''
Dec  3 21:20:12 home imap[20104]: SQUAT failed to open index file
Dec  3 21:20:12 home imap[20104]: SQUAT failed
Dec  3 21:20:12 home imap[20104]: fetching user_deny.db entry for ''
Dec  3 21:20:12 home imap[20104]: fetching user_deny.db entry for ''
Dec  3 21:20:13 home imap[20104]: fetching user_deny.db entry for ''
Dec  3 21:20:14 home imap[17567]: Doing a peer verify
Dec  3 21:20:14 home imap[17567]: verify error:num=20:unable to get local issuer certificate
Dec  3 21:20:14 home imap[17567]: no certificate returned in SSL_accept() -> fail
Dec  3 21:20:14 home imap[17567]: STARTTLS negotiation failed: enterprise.net.loc [xxx.xxx.xxx.xxx]
Dec  3 21:20:17 home imap[17568]: Doing a peer verify
Dec  3 21:20:17 home imap[17568]: verify error:num=20:unable to get local issuer certificate
Dec  3 21:20:17 home imap[17568]: no certificate returned in SSL_accept() -> fail
Dec  3 21:20:17 home imap[17568]: STARTTLS negotiation failed: enterprise.net.loc [xxx.xxx.xxx.xxx]
Dec  3 21:20:17 home imap[17567]: Connection reset by peer, closing connection

> imtest -t "" 
> 
> will attempt a starttls connection without submitting a client certificate.
> If that succeeds, then it proves that your server supports TLS without
> client authentication.

I know that it does :) - see above... But here is the output:

S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE] home.gofferje.net Cyrus IMAP v2.3.16 server ready
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
verify error:num=20:unable to get local issuer certificate
verify error:num=27:certificate not trusted
verify error:num=21:unable to verify the first certificate
TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE X-NETSCAPE URLAUTH
S: C01 OK Completed
Authentication failed. generic failure
Security strength factor: 256


So why does Thunderbird ask me which certificate to use for
authentication? Does my Cyrus ask for a client certificate or does it
not? ^^

-S


-- 
 (o_   Stefan Gofferje| SCLT, MCP, CCSA
 //\   Reg'd Linux User #247167   | VCP #2263
 V_/_  Heckler & Koch - the original point and click interface





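Dan asked for the log entries, and the thread now has two contrasting samples: a session in which Thunderbird sent a certificate (`Doing a peer verify`, verify error 20, then `STARTTLS negotiation failed`) and one in which it did not (`starttls: ... no authentication`, then `login: ... plain+TLS`). As an added example, not from the thread or from Cyrus, the script below groups imapd syslog lines by PID and tells the two cases apart. The embedded LOG is constructed from the message formats quoted above, with invented PIDs, timestamps, address and user name; `X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20` is OpenSSL's number for the "unable to get local issuer certificate" error shown in the log.

```python
"""Classify Cyrus imapd TLS sessions from syslog, per process.

Added example, not from the thread or from Cyrus. It groups imapd log
lines by PID and separates a STARTTLS failure caused by an unverifiable
client certificate from an ordinary TLS login. LOG is constructed from
the message formats quoted in the thread; PIDs, times, host, address and
user name are invented.
"""
import re

LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ imap\[(?P<pid>\d+)\]: (?P<msg>.*)$")
VERIFY_RE = re.compile(r"verify error:num=(?P<num>\d+):(?P<text>.*)")
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20   # OpenSSL's "unable to get local issuer certificate"

LOG = """\
Dec  3 21:19:50 home imap[17566]: accepted connection
Dec  3 21:19:58 home imap[17566]: TLS server engine: cannot load CA data
Dec  3 21:19:58 home imap[17566]: imapd:Loading hard-coded DH parameters
Dec  3 21:19:58 home imap[17566]: SSL_accept() incomplete -> wait
Dec  3 21:20:11 home imap[20102]: fetching user_deny.db entry for ''
Dec  3 21:20:11 home imap[17566]: Doing a peer verify
Dec  3 21:20:11 home imap[17566]: verify error:num=20:unable to get local issuer certificate
Dec  3 21:20:11 home imap[17566]: no certificate returned in SSL_accept() -> fail
Dec  3 21:20:11 home imap[17566]: STARTTLS negotiation failed: enterprise.net.loc [192.0.2.10]
Dec  3 21:20:11 home imap[17566]: Connection reset by peer, closing connection
Dec  3 21:25:02 home imap[17224]: accepted connection
Dec  3 21:25:02 home imap[17224]: TLS server engine: cannot load CA data
Dec  3 21:25:02 home imap[17224]: SSL_accept() succeeded -> done
Dec  3 21:25:02 home imap[17224]: starttls: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits new) no authentication
Dec  3 21:25:02 home imap[17224]: login: enterprise.net.loc [192.0.2.10] alice plain+TLS User logged in
"""


def _new_session() -> dict:
    return {"ca_loaded": None, "client_cert_presented": False, "verify_errors": [],
            "tls": "unknown", "tls_authenticated": None, "login": None, "diagnosis": ""}


def diagnose(s: dict) -> str:
    """One-line verdict for a session dict produced by analyze()."""
    if s["tls"] == "failed" and s["client_cert_presented"]:
        if (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY in s["verify_errors"]
                and s["ca_loaded"] is False):
            return ("client offered a certificate but the server has no CA to verify it "
                    "(tls_ca_file/tls_ca_path): stop requesting client certs or load the issuing CA")
        if s["verify_errors"]:
            return "client certificate rejected, verify errors %s" % s["verify_errors"]
        return "STARTTLS failed after a client certificate was presented; no verify error logged"
    if s["tls"] == "failed":
        return "STARTTLS failed without a client certificate in play"
    if s["tls"] == "ok":
        return "TLS established" + (", user authenticated by SASL" if s["login"] else "")
    return "no TLS verdict for this process"


def analyze(text: str) -> dict:
    """Return {pid: session-dict}; lines that are not imapd lines are ignored."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions.setdefault(m["pid"], _new_session())
        msg = m["msg"]
        v = VERIFY_RE.search(msg)
        if "cannot load CA data" in msg:
            s["ca_loaded"] = False                       # no tls_ca_file/tls_ca_path usable
        elif msg.startswith("Doing a peer verify"):
            s["client_cert_presented"] = True            # verify callback ran: a cert arrived
        elif v:
            s["verify_errors"].append(int(v["num"]))     # OpenSSL X509_V_ERR_* number
        elif msg.startswith("STARTTLS negotiation failed"):
            s["tls"] = "failed"
        elif msg.startswith("starttls:"):
            s["tls"] = "ok"
            # Cyrus appends "no authentication" when TLS itself did not authenticate the client
            s["tls_authenticated"] = "no authentication" not in msg
        elif msg.startswith("login:"):
            s["login"] = msg
    for s in sessions.values():
        s["diagnosis"] = diagnose(s)
    return sessions


if __name__ == "__main__":
    for pid, s in analyze(LOG).items():
        print(pid, s["tls"], "-", s["diagnosis"])
```

Feed it the imapd lines of the mail log (for example `grep 'imap\[' /var/log/maillog`; the path is an assumption). A process that logged `cannot load CA data` and then error 20 right after `Doing a peer verify` is exactly the combination Wolfgang describes: the server asked, the client answered, and the server had no CA to check the answer against.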

Re: Disable client authentication with certificates

2013-12-03 Thread Dan White
On 12/03/13 19:52 +0200, Stefan Gofferje wrote:
>On 12/03/2013 04:39 PM, Dan White wrote:
>> What log entries do you see during TLS authentication?
>
>Dec  3 19:13:10 home imap[17224]: SSL_accept() succeeded -> done
>Dec  3 19:13:10 home imap[17224]: starttls: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits new) no authentication
>Dec  3 19:13:10 home imap[17224]: fetching user_deny.db entry for ''
>Dec  3 19:13:10 home imap[17224]: login: enterprise.net.loc [xxx.xxx.xxx.xxx]  plain+TLS User logged in

This looks successful, from the server's viewpoint.

>Dec  3 19:13:10 home imap[17224]: fetching user_deny.db entry for ''
>Dec  3 19:13:10 home imap[17224]: created decompress buffer of 4102 bytes
>Dec  3 19:13:10 home imap[17224]: created compress buffer of 4102 bytes
>Dec  3 19:13:10 home imap[17224]: fetching user_deny.db entry for ''
>Dec  3 19:13:10 home imap[17224]: client id: "name" "Thunderbird"
>"version" "24.1.0"
>Dec  3 19:13:10 home imap[17224]: fetching user_deny.db entry for ''
>Dec  3 19:13:10 home imap[17224]: fetching user_deny.db entry for ''
>Dec  3 19:13:10 home imap[17224]: fetching user_deny.db entry for ''
>Dec  3 19:13:10 home imap[17225]: fetching user_deny.db entry for ''
>Dec  3 19:13:10 home imap[17225]: seen_db: user  opened /var/lib/imap/user/s/.seen
>Dec  3 19:13:10 home imap[17224]: fetching user_deny.db entry for ''
>Dec  3 19:13:10 home imap[17224]: fetching user_deny.db entry for ''
>Dec  3 19:13:10 home imap[17224]: seen_db: user  opened /var/lib/imap/user/s/sgofferj.seen
>Dec  3 19:13:10 home imap[17225]: open: user  opened INBOX
>Dec  3 19:13:10 home imap[17225]: fetching user_deny.db entry for ''
>
>> Verify that this is a server side problem with imtest.
>
>Unfortunately, I don't know how to use imtest, nor do I speak IMAP
>fluently enough to test with netcat...

imtest -t "" 

will attempt a starttls connection without submitting a client certificate.
If that succeeds, then it proves that your server supports TLS without
client authentication.

See that manpage for other options (e.g. imaps).

>On my Android, I use K9-mail and that does not ask which client
>certificate to use but it could be that K9 doesn't support certificate
>authentication anyway plus I don't have any client certificates
>installed there...

-- 
Dan White



Re: Disable client authentication with certificates

2013-12-03 Thread Stefan Gofferje
On 12/03/2013 04:39 PM, Dan White wrote:
> What log entries do you see during TLS authentication?

Dec  3 19:13:10 home imap[17224]: SSL_accept() succeeded -> done
Dec  3 19:13:10 home imap[17224]: starttls: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits new) no authentication
Dec  3 19:13:10 home imap[17224]: fetching user_deny.db entry for ''
Dec  3 19:13:10 home imap[17224]: login: enterprise.net.loc [xxx.xxx.xxx.xxx]  plain+TLS User logged in
Dec  3 19:13:10 home imap[17224]: fetching user_deny.db entry for ''
Dec  3 19:13:10 home imap[17224]: created decompress buffer of 4102 bytes
Dec  3 19:13:10 home imap[17224]: created compress buffer of 4102 bytes
Dec  3 19:13:10 home imap[17224]: fetching user_deny.db entry for ''
Dec  3 19:13:10 home imap[17224]: client id: "name" "Thunderbird" "version" "24.1.0"
Dec  3 19:13:10 home imap[17224]: fetching user_deny.db entry for ''
Dec  3 19:13:10 home imap[17224]: fetching user_deny.db entry for ''
Dec  3 19:13:10 home imap[17224]: fetching user_deny.db entry for ''
Dec  3 19:13:10 home imap[17225]: fetching user_deny.db entry for ''
Dec  3 19:13:10 home imap[17225]: seen_db: user  opened /var/lib/imap/user/s/.seen
Dec  3 19:13:10 home imap[17224]: fetching user_deny.db entry for ''
Dec  3 19:13:10 home imap[17224]: fetching user_deny.db entry for ''
Dec  3 19:13:10 home imap[17224]: seen_db: user  opened /var/lib/imap/user/s/sgofferj.seen
Dec  3 19:13:10 home imap[17225]: open: user  opened INBOX
Dec  3 19:13:10 home imap[17225]: fetching user_deny.db entry for ''

> Verify that this is a server side problem with imtest.

Unfortunately, I don't know how to use imtest, nor do I speak IMAP
fluently enough to test with netcat...

On my Android, I use K9-mail and that does not ask which client
certificate to use but it could be that K9 doesn't support certificate
authentication anyway plus I don't have any client certificates
installed there...

-S

-- 
 (o_   Stefan Gofferje| SCLT, MCP, CCSA
 //\   Reg'd Linux User #247167   | VCP #2263
 V_/_  Heckler & Koch - the original point and click interface





Re: Disable client authentication with certificates

2013-12-03 Thread Dan White
On 12/03/13 14:29 +0200, Stefan Gofferje wrote:
>Hi,
>
>I have a Cyrus IMAP and Postfix running. Some time ago, I configured
>them for TLS and recently, I started to use also Thunderbird on those
>and Thunderbird is asking me on startup which certificate to use for
>identification for IMAP. Is there a way to tell Cyrus to *not* request
>the client certificates at all?
>
>Config attached.

>rfc_ignore_8bit: on
>configdirectory: /var/lib/imap
>#artition-default: /var/spool/imap
>partition-default: /server/imap
>sievedir: /var/lib/sieve
>admins: cyrus nobody
>lmtp_admins: cyrus nobody
>allowanonymouslogin: no
>autocreatequota: 1
>#reject8bit: no
>quotawarn: 90
>timeout: 30
>poptimeout: 10
>dracinterval: 0
>drachost: localhost
>sasl_pwcheck_method: auxprop
>auxprop_plugin: sasldb
>postuser: shared
>allowplaintext: yes
>
>lmtp_overquota_perm_failure: no
>lmtpsocket: /var/spool/postfix/public/lmtp
>#
># if you want TLS, you have to generate certificates and keys
>#
>tls_cert_file: /etc/apache2/x.x.x.pem
>tls_key_file: /etc/apache2/x.x.x.pem
>tls_ca_file: /etc/apache2/ca-certs.pem
>#tls_ca_path: /usr/ssl/CA
>tls_require_cert: false
>tls_imap_require_cert: false
>tls_pop3_require_cert: false
>tls_lmtp_require_cert: false
>tls_sieve_require_cert: false

What log entries do you see during TLS authentication? Verify that this is
a server side problem with imtest.

-- 
Dan White



Disable client authentication with certificates

2013-12-03 Thread Stefan Gofferje
Hi,

I have a Cyrus IMAP and Postfix running. Some time ago, I configured
them for TLS and recently, I started to use also Thunderbird on those
and Thunderbird is asking me on startup which certificate to use for
identification for IMAP. Is there a way to tell Cyrus to *not* request
the client certificates at all?

Config attached.

-Stefan

-- 
 (o_   Stefan Gofferje| SCLT, MCP, CCSA
 //\   Reg'd Linux User #247167   | VCP #2263
 V_/_  Heckler & Koch - the original point and click interface


rfc_ignore_8bit: on
configdirectory: /var/lib/imap
#artition-default: /var/spool/imap
partition-default: /server/imap
sievedir: /var/lib/sieve
admins: cyrus nobody
lmtp_admins: cyrus nobody
allowanonymouslogin: no
autocreatequota: 1
#reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pwcheck_method: auxprop
auxprop_plugin: sasldb
postuser: shared
allowplaintext: yes

lmtp_overquota_perm_failure: no
lmtpsocket: /var/spool/postfix/public/lmtp
#
# if you want TLS, you have to generate certificates and keys
#
tls_cert_file: /etc/apache2/x.x.x.pem
tls_key_file: /etc/apache2/x.x.x.pem
tls_ca_file: /etc/apache2/ca-certs.pem
#tls_ca_path: /usr/ssl/CA
tls_require_cert: false
tls_imap_require_cert: false
tls_pop3_require_cert: false
tls_lmtp_require_cert: false
tls_sieve_require_cert: false


