Re: delprune on a single mailbox

2015-11-06 Thread Andrew Morgan via Info-cyrus

On Fri, 6 Nov 2015, Marcus Schopen via Info-cyrus wrote:


On Wednesday, 04.11.2015, at 06:36 -0500, Adam Tauno Williams via
Info-cyrus wrote:

globally in cyrus.conf delprune is set to
> > > > delprune cmd="/usr/sbin/cyrus expire -E 1 -X 7 -D 7"
> > > > at=0501
> > > > For a single mailbox I don't want to keep deleted mails for 7
> > > > days,
> > > > but
> > > > expire them immediately or once a day per cron. How to do that?
> > > Forgot to say that delete_mode and expunge_mode is set to
> > > delayed.
> > > Via cron this should work for an immediate cleanup/expire:
> > You can set an expire annotation per mailbox. 
> How do I do that? From cyr_expire manpage:

> "The value of the /vendor/cmu/cyrus-imapd/expire annotation is
> inherited by all children of the given mailbox, so an entire mailbox
> tree can be expired by setting a single annotation on the root of that
> tree. If a mailbox does not have a /vendor/cmu/cyrus-imapd/expire
> annotation set on it (or does not inherit one), then no messages are
> expired from the mailbox."

Via cyradm -

cyrus.example.com> mboxcfg user.adam expire 365 
cyrus.example.com> info user.adam 
{user.adam}:

  condstore: false
  duplicatedeliver: false
  expire: 365
  lastpop:
  lastupdate: 13-Aug-2008 19:37:31 -0400
  partition: default
  sharedseen: false
  size: 12325671

AFAIK the annotations supported by cyradm/mboxcfg are:

* comment – A free-form text comment or description to be attached to
the mailbox.
* condstore – This annotation is only supported in the 2.3.x release
series starting with 2.3.3 although its use is not recommended until
2.3.8. As of the 2.4.x release series CONDSTORE functionality is
enabled on all mailboxes regardless of annotation and attempting to set
this annotation will result in a permission denied message. On releases
where this annotation is supported setting a value of “true” will
enable CONDSTORE functionality.
* expire – If an expire value is provided messages will be
automatically deleted from the mailbox once the specified number of
days has elapsed.
* news2mail - 
* sharedseen - Enables the use of a shared \Seen flag on messages
rather than a per-user \Seen flag. The 's' right in the mailbox ACL
still controls whether a user can set the shared \Seen flag.
* sieve – In the case of a shared folder the “sieve” parameter
specifies the name of a global SIEVE script that will be used for every
message delivered to the folder.  This value is ignored for personal
mailboxes (mailboxes including and subordinate to a user's INBOX).
* squat – Flags the mailbox to be included for indexing when the SQUAT
process performs index generation.


> But is it possible to expunge a message immediately when it's deleted
> by client and not with the next expire run?

Not if delayed expunge is enabled AFAIK; that would defeat the purpose.


I set "mboxcfg user.test expire 1" on a test mailbox, but it has no
effect on nightly delprune set in cyrus.conf EVENT: 


 delprune cmd="/usr/sbin/cyrus expire -E 1 -X 7 -D 7" at=0501

Messages deleted two days ago are still in the file system.

localhost> info user.test
{user.test}:
 duplicatedeliver: false
 expire: 1
 lastpop:
 lastupdate:  4-Nov-2015 17:14:20 +0100
 partition: default
 pop3newuidl: true
 sharedseen: false
 size: 0


The expire annotation causes Cyrus to delete messages older than  
days.  If you have delayed_expunge enabled, the messages still remain on 
the filesystem until you purge them using cyr_expire.


Andy
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus

Re: Problems with murder upgrade from 2.2.13 to 2.5.8

2016-06-06 Thread Andrew Morgan via Info-cyrus

I've found that backends should be upgraded before frontends...

You'll run into frontends trying to use features that don't exist on the 
backends.  Usually, you can work around that with the 
suppress_capabilities setting in imapd.conf, but it may require less 
testing to upgrade the frontends last.


Regarding your specific permissions problem, I think Mathieu has already 
posted the answer.  Although, I wonder if the frontend is enforcing 
permissions that can't exist on the backend yet...


For reference, these are the permissions on my v2.4.18 mailbox:

localhost> lam user.morgan
morgan lrswipkxtecda


Andy

On Mon, 6 Jun 2016, Jean Charles Delépine via Info-cyrus wrote:


Hello,

I'm on the way to make a big (late) upgrade. 

My murder config is composed of 16 1To backends. I can't upgrade 
all of them simultaneously. So I planned to:


 - upgrade mupdate server (make a new one, and update frontend's and
   backend's conf)
 - replace frontends with upgraded ones
 - upgrade backends one after the other, nightly, on several nights

mupdate server upgrade is ok. But I have problems with 2.5 frontends and 2.2
backends interaction. All seems fine (no error), but users can't create new sub 
mailboxes (admin can create mailboxes and sub mailboxes) :


logged in as mailbox owner:
imap-01> lam INBOX
delepine lrswipcda
anyone p
imap-01> cm INBOX.hop
createmailbox: Permission denied

My tests say that, whichever mupdate server version :
 Frontend 2.2 can create 2.2 mailboxes and 2.5 mailboxes
 Frontend 2.5 can't create 2.2 mailboxes but can create 2.5 mailboxes

All others tested features work.

The 2.2 is using saslauthd + pam_ldap for authentication. The 2.5 is using either
ldapdb or saslauthd + ptloader and ldap.

With or without
 suppress_capabilities: ESEARCH QRESYNC XLIST LIST-EXTENDED WITHIN
on 2.5 frontends.

2 questions :
 - do you have an idea why users can't create submailboxes on 2.2
   backends with 2.5 frontends ? Is there any acl new option I
   miss ? ...
 - what are the risks if I wait for all backends to migrate before
   using 2.5 frontends ? My option with this problem. I didn't find
   any problem... but surely, if there's one, my users will find it.

Options that might be relevant :
On backends :
 proxyservers: proxy
 proxy_authname: proxy

On frontends:
 proxy_authname: proxy
 proxy_password: <>
 proxyd_allow_status_referral: 0
 proxyd_disable_mailbox_referrals: 1

backends are in an internal non routable network.

Sincerely,
 Jean Charles Delépine


Re: [cyrus 3.0] 20 delayed mailbox deleted limit?

2016-06-09 Thread Andrew Morgan via Info-cyrus

On Thu, 9 Jun 2016, Andre Felipe Machado via Info-cyrus wrote:


Bron Gondwana via Info-cyrus  wrote ..

On Thu, Jun 9, 2016, at 03:02, Andre Felipe Machado via Info-cyrus wrote:

Hello,
At future release notes I read
"Under delete_mode: delayed, only the 20 most recently deleted mailboxes are
kept for any given name."

https://cyrusimap.org/imap/release-notes/3.0/x/3.0.0-beta2.html
Is there any configuration parameter to increase this limit?
Why this limit is needed?


denial of service / space wastage protection.  There's no config option
available right now.  I could be convinced to change it.

How would you suggest we protect against exploiting delayed delete to fill the
server without going over quota?  Maybe a new quota field for "total mailbox
usage including deleted stuff" that can be set to a high enough value that no
reasonable user will ever hit it?

Bron.

--
  Bron Gondwana
  br...@fastmail.fm



Hello, Bron
I understand the problem.
But at a corporate scenario, it is a rare event, because of jobs at stake,
tracked user accounts, antispam measures, etc.
It is more likely a "rogue" client, bug/misconfiguration on a smartphone
causing such problems.
We stay with official debian repositories versions as long as we could,
receiving security patches.
So, maintaining an unofficial patch will be a big problem.
The sysadmin configurable parameters will be a more elegant solution.
Having configurations at sysadmin control will maintain cyrus flexible for use
at different usage scenarios.
For the DoS / waste space problems, the 2 quota limits configurations are more
suitable than counting folders quantity.
What if each folder contains 1 TB deleted messages?
Maybe a reasonable default (10 times user quota?) for those not wanting to
configure is good idea.
Even better to have also a way to control individual accounts total quotas, for
those corporate accounts like "sa...@foo.bar" that receive lots of legitimate
emails and have to delete them after processing.
We have zabbix monitoring space at our cyrus backends, and need unlimited or
configurable delayed expunge limits for recovering messages and folders for
years at corporate scenario.
Thanks .
Andre Felipe


Remember, this is a limit on the number of deleted *mailboxes* kept, not 
messages.


Bron, this could impact Pine/Alpine users that frequently postpone 
messages.  Pine creates a folder named "postponed-msgs" to store drafts. 
The folder is created when a draft is saved and deleted when all drafts 
have been deleted/sent.


Here is my personal deleted folders list, right now:

DELETED.user.morgan.postponed-msgs.5755CF0C 0 p2 morgan lrswipkxtecda
DELETED.user.morgan.postponed-msgs.5755F446 0 p2 morgan lrswipkxtecda
DELETED.user.morgan.postponed-msgs.5755F486 0 p2 morgan lrswipkxtecda
DELETED.user.morgan.postponed-msgs.5755F4D1 0 p2 morgan lrswipkxtecda
DELETED.user.morgan.postponed-msgs.5755F4E4 0 p2 morgan lrswipkxtecda
DELETED.user.morgan.postponed-msgs.5755F50E 0 p2 morgan lrswipkxtecda
DELETED.user.morgan.postponed-msgs.5755F65F 0 p2 morgan lrswipkxtecda
DELETED.user.morgan.postponed-msgs.5755F844 0 p2 morgan lrswipkxtecda
DELETED.user.morgan.postponed-msgs.5756ECFC 0 p2 morgan lrswipkxtecda
DELETED.user.morgan.postponed-msgs.5756F602 0 p2 morgan lrswipkxtecda
DELETED.user.morgan.postponed-msgs.575706F8 0 p2 morgan lrswipkxtecda
DELETED.user.morgan.postponed-msgs.57585C5D 0 p2 morgan lrswipkxtecda
DELETED.user.morgan.postponed-msgs.57587FE1 0 p2 morgan lrswipkxtecda

We are removing deleted mailboxes after 7 days:

delprune  cmd="/usr/local/cyrus/bin/cyr_expire -E 1 -X 7 -D 7" at=0100


I don't know if other IMAP clients have similar quirky behavior, but I 
could see myself running into this limit.  However, I certainly don't care 
about recovering my old postponed-msgs mailboxes.


Hmmm, is this a limit per-mailbox (user.morgan.postponed-msgs) or per-user 
(all mailboxes under user.morgan)?


Thanks,
Andy



Re: prefork and IPv6

2016-06-09 Thread Andrew Morgan via Info-cyrus

On Thu, 9 Jun 2016, Wolfgang Breyha via Info-cyrus wrote:


Hi!

I recently wondered why some of my preforked processes on my murder backends
never get used. I detected them because some quite old lmtpd's were holding
locks on an already deleted deliver.db.

After some debugging I recognized that cyrus-master seems to fork the
configured amount of "prefork" daemons twice. One half listening on IPv4 and
the other half on IPv6. Since IPv6 is practically never used from our
frontends they stay forever doing nothing on the backends.

Is there some reasonable way to prevent this other than setting prefork=0?

I'm only using SERVICE entries like:
 Bimap  cmd="imapd" listen="imap" prefork=5

Only the port is used for listen= without interface/IP.


Use the proto argument:

  proto=tcp
The protocol used for this service (tcp, tcp4, tcp6, udp, udp4, udp6). This
string argument is optional.

tcp4, udp4: These arguments are used to bind the service to IPv4 only.
tcp6, udp6: These arguments are used to bind the service to IPv6 only, if the
operating system supports this.
tcp, udp: These arguments are used to bind to both IPv4 and IPv6 if possible.


Here is my cyrus.conf entry:

  imap   cmd="/usr/local/cyrus/bin/imapd" listen="imap" proto="tcp4" prefork=10 maxchild=4000


Andy



Re: unable to delete corrupted mail box on cyrus v2.3.16

2016-01-11 Thread Andrew Morgan via Info-cyrus

On Mon, 11 Jan 2016, Sophie Loewenthal via Info-cyrus wrote:


Hi!

I have a broken mailbox that I would like to delete.

This is Cyrus v2.3.16 on CentOS 6.

I tried reconstructing the mailbox from scratch ( Because I suspect this 
was manually deleted from disc ).



mkdir imap-store/spool/imap/domain/example.com/user/kat^long
cd imap-store/spool/imap/domain/example.com/user/kat^long
chmod 755 .
chown cyrus:mail .
touch cyrus.header
chown cyrus:mail cyrus.header

log into cyradm:
localhost> lam user/kat.long
kat.l...@example.com lrswipkxtecda
localhost> reconstruct -r user/kae.long
reconstruct: Mailbox has an invalid format
localhost> dm user/kat.long
deletemailbox: Permission denied

Names and domain names replaced with false entries.

How could I remove this?


Here are my steps for recreating a mailbox (normally when I'm restoring a 
mailbox from backups):


1. Locate user's mail directory (/var/spool/cyrus/mail/prefix/user/username).
2. Change to that directory.
3. Make a RESTORE directory (mkdir RESTORE).
4. Fix ownership/perms (chown cyrus:mail RESTORE; chmod 700 RESTORE).
5. Change to the directory containing the mail folder the user wants restored.
6. Run 'recover', the Legato backup client.
7. 'changetime' to change the time to recover data from.
8. 'add filename' to add the files to restore.  To restore all the messages in the folder, use 'add *.'.
9. 'relocate RESTORE' to recover files into the RESTORE directory instead of the current directory.
10. 'recover' to recover the files.
11. 'quit' to quit out of the recover program.
12. Create a dummy cyrus.header file (touch RESTORE/cyrus.header; chown cyrus:mail RESTORE/cyrus.header; chmod 600 RESTORE/cyrus.header).
13. Run "su cyrus -c '/usr/local/cyrus/bin/reconstruct -x -f user.username'".
14. Run "su cyrus -c '/usr/local/cyrus/bin/quota -f user.username'".

I think you're following the same basic steps, but I would try running 
reconstruct externally, not from cyradm.  Don't forget the quota command 
either.


When you run reconstruct, check syslog for errors too.

Andy



Re: 2.4.18, problem with reconstruct

2016-02-04 Thread Andrew Morgan via Info-cyrus

On Fri, 5 Feb 2016, Sergey via Info-cyrus wrote:


Hello.

I attempted to reconstruct some damaged mailboxes with empty
folders, but it does not work. I use this command:

su -l cyrus -s /bin/bash -c "/usr/lib/cyrus/reconstruct -f -r user/user@domain"

Mail directory contains "Trash" subdirectory without any files (manually
created from backup). Reconstruct works if I put any of files cyrus.* to
this subdirectory. At the same time there was the opposite problem:
I can not delete existing directory, reconstruct restores it.

Is this a bug, or does it require any other settings to run reconstruct?


I usually use these steps to add a new folder using reconstruct:

  touch cyrus.header
  chown cyrus:mail cyrus.header
  reconstruct -f -r user.

So, I think the behavior you are seeing is expected.  Create an empty 
cyrus.header file, with the correct ownership, before running reconstruct.


Andy



Re: Request: Please sign this list's messages via DKIM or SPF

2016-04-05 Thread Andrew Morgan via Info-cyrus

On Tue, 5 Apr 2016, lst_hoe02--- via Info-cyrus wrote:



Quoting Binarus via Info-cyrus:



Combine SPF / DKIM with domain blacklisting, and then you *have* an 
efficient spam fighting tool.




As stated the spam actually reaching our inboxes after around 90% cutoff is 
valid DKIM/SPF signed as it is mostly from the big free providers like 
Outlook.com, Google and Yahoo. Some other big share is from professional spam 
farms with always alternating IP and Domains ranges from all over the world 
with also valid DKIM/SPF. Next big share is from educational servers also 
mostly valid DKIM/SPF. The tiny rest with around 10% is in fact not DKIM/SPF 
signed.
From the valid e-mail around 20% looks like having a valid SPF/DKIM, mostly 
professional newsletters not personal mail from customers.


So No, SPF/DKIM is no useful spam fighting tool at least not in our corner of 
the world.


Another recent standard, DMARC (https://dmarc.org/) allows the domain 
owner to specify what the recipient should do with messages that fail DKIM 
or SPF checks.


We ran into this recently and discovered that Yahoo's DMARC records tell 
the recipient to REJECT messages that fail DKIM or SPF.  Google is 
honoring that DMARC record by putting the message into the Spam folder.


This seems like a pretty effective method to prevent someone from spoofing 
email from your domain.  Of course, it does not prevent an actual Yahoo 
account from sending spam, so you still need traditional spam detection 
tools as well.  However, it is nice that a third-party sender cannot harm 
your domain's reputation through spoofing.


Note: I don't care whether this email list uses SPF or DKIM.

Andy



Re: Cyrus Murder with different Cyrus IMAP Server versions

2016-03-02 Thread Andrew Morgan via Info-cyrus

On Wed, 2 Mar 2016, Jack Snodgrass via Info-cyrus wrote:


I have a older Cyrus 2.2 version setup and running in production.

I want to move to a newer Cyrus 2.4 system with minimal downtime.

The goal is 1) limit down time and 2) keep the SAME ip address for the users 
imap configs.


I can convert my existing Cyrus 2.2 ( Debian v6 ) to Cyrus 2.4 ( Debian v8 ) 
but will be down around 8 ( at least ) for the two debian upgrades and 
converting 200gig of Cyrus 2.2 mail to Cyrus 2.4 - indexes and what not.


I was thinking.. maybe another approach would be to setup Cyrus Murder ( 2.2 
) on my existing Cyrus 2.2 box and connect it up with a new Cyrus 2.4 server 
( on a new Debian v8 box ) and just move mail accounts over one at a time 
until all of the mail was off of the old box.  Once all of the mail was off 
of the old Cyrus 2.2 box, I could then upgrade that to debian v8 and Cyrus 
2.4 and then have 2 systems that the mail could be split between.


Can I run a Murder 2.2 server and have it talk with a Cyrus 2.4 IMAP box or 
do the versions have to be the same?


In a Cyrus Murder, you want the frontend server to be upgraded last.  If a 
newer frontend is used, it will issue newer IMAP commands that the older 
backend doesn't support.  When you are upgrading an existing Murder 
cluster, you upgrade in this order: mupdate master, backends, then 
frontends.


Murder does allow you to (mostly) transparently move mailboxes between 
backends.  I have upgraded many times by simply moving the mailboxes to a 
new backend server with newer versions of the OS and Cyrus.  However, 
you'll need to create 2 new hosts - a frontend and mupdate master.  Then 
you'll need to move the DNS CNAME from the existing 2.2 server to the 
frontend.


A Murder is a bit complicated (don't forget about mail delivery too!), so 
let me suggest an alternative that keeps the downtime short.


Build a new server with Debian 8.  I'd probably install Cyrus v2.5.latest 
by hand.  Compiling Cyrus is very easy on Debian.  Cyrus v2.5 has a major 
advantage over v2.4 - you can run a script to upgrade the mailbox format 
instead of waiting for the user to open the mailbox.  See the release 
notes for upgrade instructions:


  http://cyrusimap.org/imap/release-notes/2.5/x/2.5.0.html

Anyways, build the new server with Debian and whatever version of Cyrus 
makes you comfortable.  Then, weeks before you plan to make the cutover, 
use rsync to copy the mail from the old server to the new server.  Of 
course, the first run will take a long time to copy 200GB.  Successive 
rsyncs will take less time as the deltas are smaller.  In the week before 
the scheduled outage, run rsync every night.


During your outage window, stop Cyrus on the old server, run a final 
rsync, then swap IP addresses and/or DNS names, and start Cyrus on the new 
server.


There are a couple advantages to this approach.  You'll be able to test 
how the new server works with your actual mail.  You can make 
configuration changes if needed.  You can also time how long the rsync 
will take, so you know how much time to schedule for the outage.  Even if 
there isn't much data to rsync on the final pass, it can still take a long 
time to calculate the differences between the 2 filesystems.


Before I ran Cyrus Murder, this is how I upgraded our Cyrus server to new 
hardware.


Andy



Re: drown/SSL issue

2016-03-03 Thread Andrew Morgan via Info-cyrus

On Thu, 3 Mar 2016, Tony Galecki via Info-cyrus wrote:

Lots of fiddling around, tls_versions: ssl3 tls1_2 in the imapd.conf 
file also fixed the issue. However, some clients (notably older Mac Mail 
clients) were not able to connect.


Don't you want to include tls1_0 and tls1_1 in the list?  Here at OSU, we 
use the defaults, "tls_versions: tls1_0 tls1_1 tls1_2".


Andy
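
A check for the two `tls_versions` settings compared in this exchange, as an added example that is not part of the original posts: it reads an imapd.conf, flags obsolete SSL protocols and reports any hole in the enabled range. The sample configurations are constructed from the values quoted above, and the `ssl2` token is assumed to follow the same naming pattern as the tokens on this page.

```python
"""Audit the tls_versions option of a Cyrus imapd.conf (constructed samples)."""

# Token names as used in the thread, oldest to newest; "ssl2" is an
# assumption based on the same naming pattern.
ORDER = ["ssl2", "ssl3", "tls1_0", "tls1_1", "tls1_2"]
OBSOLETE = {"ssl2", "ssl3"}


def read_option(conf_text, name):
    """Return every value assigned to `name` ("key: value" lines, # comments)."""
    values = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        if key.strip() == name:
            values.append(value.strip())
    return values


def audit_tls_versions(conf_text):
    """Return (enabled, findings) for the tls_versions setting."""
    values = read_option(conf_text, "tls_versions")
    if not values:
        return [], ["tls_versions is not set: the built-in default applies"]
    findings = []
    if len(values) > 1:
        findings.append("tls_versions is set %d times" % len(values))
    # The last occurrence is audited; which one the server honours is not
    # checked here.
    enabled = values[-1].split()
    for token in enabled:
        if token not in ORDER:
            findings.append("unrecognised token: " + token)
        elif token in OBSOLETE:
            findings.append(token + " is enabled: obsolete protocol")
    # A hole in the range leaves clients whose newest protocol falls inside
    # it with only the older side of the hole to negotiate.
    positions = [ORDER.index(t) for t in enabled if t in ORDER]
    if positions:
        span = ORDER[min(positions):max(positions) + 1]
        missing = [t for t in span if t not in enabled]
        if missing:
            findings.append("gap in enabled range: " + " ".join(missing))
    return enabled, findings


# Constructed sample: the setting tried in the first message.
CONF_TRIED = """\
# imapd.conf (constructed)
admins: cyrus
tls_versions: ssl3 tls1_2
"""

# Constructed sample: the setting given in the reply.
CONF_REPLY = """\
admins: cyrus
tls_versions: tls1_0 tls1_1 tls1_2
"""

if __name__ == "__main__":
    for label, conf in (("tried", CONF_TRIED), ("reply", CONF_REPLY)):
        enabled, findings = audit_tls_versions(conf)
        print(label, enabled, findings or "no findings")
```

TLS 1.0 and 1.1 were later deprecated by RFC 8996, so on a current server keeping them enabled is a client-compatibility decision to review rather than a default.
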



Re: Is there a way to send custom warning to all IMAP users?

2016-03-28 Thread Andrew Morgan via Info-cyrus

On Mon, 28 Mar 2016, francis picabia via Info-cyrus wrote:


We have migrated all email on a server to a cloud email platform.
The users were notified by email beforehand, but hundreds are still
connecting to the standard IMAP service.  They may not
even remember they have set up devices to connect here.
Is there a way to send a custom warning through some setting,
similar to how quota warnings are generated.  Really if there is
any error I can fake, and customize the message, it would work.
We are using Linux, pam authentication, Cyrus with saslauthd.

Just shutting down the service is also a solution, but given over 600
unique users have logged in today, I'd rather not dump that load on
the service desk.


When we migrated some of our users to Google Mail, we placed a final 
message in their Cyrus mailbox.  When they login, they can see "You've 
been migrated to Google!", and the message tells them how to find their 
email on Google.


To bypass email routing, you can use the "deliver" program on the Cyrus 
server to drop the message in the Cyrus mailbox.


Let me know if you need more information.

Thanks,
Andy



Re: how to deal with mail retention/archival.

2016-08-26 Thread Andrew Morgan via Info-cyrus
Could your retention needs be satisfied with Cyrus' delayed_delete and 
delayed_expunge functionality?


Thanks,
Andy

On Fri, 26 Aug 2016, Alvin Starr via Info-cyrus wrote:

Well the MTA still does not deal with archival because it will need to be 
passed through to Yet Another MDA to handle the archival and management 
process.


For the pure archival of the input/output stream including duplicate 
deliveries and all spam always_bcc into YAMDA would work.


In my thinking Cyrus is responsible for the storage and management of email 
so archival would be a part of that process.




On 08/26/2016 09:17 AM, Nic Bernstein wrote:

Alvin,
This is really more of an issue for your MTA, such as Postfix or Exim.  The 
MDA -- Cyrus in this case -- has little or nothing to do with the sort of 
archiving/retention you need for compliance. Take a look at always_bcc and 
similar directives in Postfix, or the equivalent in whatever your MTA is.

-nic

On 08/26/2016 08:09 AM, Alvin Starr via Info-cyrus wrote:

A company I am working with is facing issues of regulatory mail retention.

Some searching has yielded little useful results other than putting a 
system in front to store all incoming messages.


What are others doing for mail archival?

An ideal solution would let the users carry on using current use patterns 
and not impose extra restrictions.


--
Alvin Starr   ||   voice: (905)513-7688
Netvel Inc.   ||   Cell:  (416)806-0133
al...@netvel.net   ||





--
Nic bernstein...@onlight.com
Onlight Inc.www.onlight.com
6525 W Bluemound Rd., Ste 24  v. 414.272.4477
Milwaukee, Wisconsin  53213-4073  f. 414.290.0335


--
Alvin Starr   ||   voice: (905)513-7688
Netvel Inc.   ||   Cell:  (416)806-0133
al...@netvel.net  ||






Re: Can't authorize as different user in cyradm and sieveshell

2016-11-21 Thread Andrew Morgan via Info-cyrus
Maybe there is something wrong with your saslauthd parameters or PAM 
config?


Here is what I use:

saslauthd -a pam -c -t 300 -m /var/run/saslauthd -n 5

# cat /etc/pam.d/sieve
# PAM configuration file for Cyrus IMAP service

auth    sufficient  pam_ldap.so
auth    required    pam_unix.so

account sufficient  pam_ldap.so
account required    pam_unix.so


(pretty simple!)

In your original email, you showed that you could authenticate as the 
target user successfully.  Can you connect to sieve as the admin user (no 
proxy-auth)?


Thanks,
Andy


On Mon, 21 Nov 2016, Michael Ulitskiy wrote:


Andrew,

Thanks for the reply. It's good to know it works for someone.
I've tried to downgrade cyrus to 2.4.18, but that didn't help.
sivtest doesn't provide much clue:

root@rway-imap-vm:~# sivtest -a proxyadmin -u t...@virtualcrap.com localhost
S: "IMPLEMENTATION" "Cyrus timsieved v2.4.18"
S: "SASL" "PLAIN"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify 
envelope imap4flags relational regex subaddress copy"
S: "UNAUTHENTICATE"
S: OK
Please enter your password:
C: AUTHENTICATE "PLAIN" {48+}

S: NO "Authentication Error"
Authentication failed. generic failure
Security strength factor: 0

while log is saying:
Nov 21 12:01:57 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 
'proxyadmin' granted access
Nov 21 12:01:57 rway-imap-vm sieve[21483]: badlogin: localhost[127.0.0.1] PLAIN 
no mechanism available

the same happens if I use admin user.
i also tried to change to sasl_pwcheck_method to 'alwaystrue' to make sure no 
authentication problems stand in the way, but that also didn't help.
I'm at loss now. Anymore troubleshooting clues?

Thanks,
Michael

On Sunday, November 20, 2016 07:34:58 PM Andrew Morgan wrote:

This works for me under v2.4.18.  I'm able to run sieveshell against a
frontend or backend authenticating as a cyrus "admins" user or a
"proxyservers" user (on the backend).

Against a frontend:

# sieveshell -u morgan -a cyrus imap.onid.oregonstate.edu
connecting to imap.onid.oregonstate.edu
Please enter your password:

list

onid-web
real  <- active script

quit



Against a backend:

# sieveshell -u morgan -a cyr_proxy cyrus-be1.onid.oregonstate.edu
connecting to cyrus-be1.onid.oregonstate.edu
Please enter your password:

list

onid-web
real  <- active script

quit



My imapd.conf settings:

admins: cyrus
allowplaintext: 0
sasl_mech_list: PLAIN
sasl_minimum_layer: 0
sasl_pwcheck_method: saslauthd
sieve_allowreferrals: 0
sieve_allowplaintext: 1


Have you tried using the "sivtest" program?  It will show you the protocol
handshakes, which might help.  Here is an example for me:

# sivtest -u morgan -a cyrus localhost
S: "IMPLEMENTATION" "Cyrus timsieved (Murder) v2.4.18"
S: "SASL" "PLAIN"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags
notify envelope body relational regex subaddress copy"
S: "STARTTLS"
S: "UNAUTHENTICATE"
S: OK
Please enter your password:
C: AUTHENTICATE "PLAIN" {28+}

S: OK
Authenticated.
Security strength factor: 0
C: LOGOUT
OK "Logout Complete"
Connection closed.


Andy

On Sun, 20 Nov 2016, Michael Ulitskiy via Info-cyrus wrote:


Since nobody answered, I guess, nobody has any idea.
I wonder if anybody uses this feature and it works for you?
I mean I'd like to know if that's just me and something is wrong with my setup 
or may be that feature isn't functional at all?
Thanks in advance,

Michael

On Thursday, November 17, 2016 06:30:18 PM Michael Ulitskiy via Info-cyrus 
wrote:

Hello,

I'm playing with cyrus-imap 2.5.10 and cyrus-sasl 2.1.26.
i'm trying to use sieveshell to setup users sieve scripts, but since
i don't know users passwords i want to use a special user for authentication
and authorize as the target user.
Here's what I have.

imapd.conf:
admins: mailadmin
proxyservers: proxyadmin
sasl_pwcheck_method: saslauthd
#sasl_pwcheck_method: alwaystrue
sasl_mech_list: PLAIN
allowplaintext: yes

here's what i do:

root@rway-imap-vm:~# sieveshell -a proxyadmin -u t...@virtualcrap.com localhost
connecting to localhost
Please enter your password:
unable to connect to server at /usr/bin/sieveshell line 191,  line 1.

here's the log:
Nov 17 18:24:44 rway-imap-vm sieve[2256]: TLS is available.
Nov 17 18:24:46 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 
'proxyadmin' granted access
Nov 17 18:24:46 rway-imap-vm sieve[2256]: badlogin: localhost [127.0.0.1] PLAIN 
no mechanism available
Nov 17 18:24:46 rway-imap-vm sieve[2256]: Lost connection to client -- exiting

as you can see user proxyadmin authenticated successfully, but then something 
(authorization?) went wrong
and it says "PLAIN no mechanism available".
this only happens if i try to authorize as different user. if i don't 
everything works fine:

root@rway-imap-vm:~# sieveshell -a t...@virtualcrap.com -u t...@virtualcrap.com 
localhost
connecting to localhost
Please enter your password:




log:
Nov 17 18:24:11 
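
The SASL PLAIN exchange behind `sieveshell -a ... -u ...` in this thread, as an added example that is not part of the original posts: it shows how the authentication identity (`-a`) and the authorization identity (`-u`) travel in one AUTHENTICATE response, and keeps the password check separate from the decision to let one user act for another. The user names and password are constructed, and `may_act_as` is a simplified model of the admins/proxyservers behaviour described above, not Cyrus source.

```python
"""SASL PLAIN (RFC 4616) as sent in a ManageSieve AUTHENTICATE command.

User names and the password are constructed.
"""
import base64


def build_plain(authzid, authcid, password):
    """Client side: [authzid] NUL authcid NUL passwd, base64-encoded.

    authcid is who proves their identity (sieveshell/sivtest -a);
    authzid is whose scripts are opened (-u).
    """
    raw = b"\0".join(s.encode("utf-8") for s in (authzid, authcid, password))
    return base64.b64encode(raw).decode("ascii")


def authenticate_command(b64):
    """The response is sent as a literal; {N+} is the length of the base64 text."""
    return 'AUTHENTICATE "PLAIN" {%d+}\r\n%s\r\n' % (len(b64), b64)


def parse_plain(b64):
    """Server side: return (authzid, authcid, password).

    An empty authzid means "act as the authenticated user".
    """
    parts = base64.b64decode(b64, validate=True).split(b"\0")
    if len(parts) != 3 or not parts[1]:
        raise ValueError("malformed PLAIN response")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    return authzid or authcid, authcid, password


def may_act_as(authzid, authcid, admins, proxyservers):
    """Authorization step, evaluated only after the password check succeeded.

    Simplified model (assumption): a user may always act as themselves, and
    a user listed in admins or proxyservers may act for others.
    """
    if authzid == authcid:
        return True
    return authcid in admins or authcid in proxyservers


# The admins/proxyservers values are the ones from the imapd.conf quoted
# in the thread; everything else below is constructed.
ADMINS = {"mailadmin"}
PROXYSERVERS = {"proxyadmin"}


def decide(b64):
    """Return (authcid, authzid, allowed) for one PLAIN response."""
    authzid, authcid, _password = parse_plain(b64)
    return authcid, authzid, may_act_as(authzid, authcid, ADMINS, PROXYSERVERS)


if __name__ == "__main__":
    proxied = build_plain("alice@example.com", "proxyadmin", "s3cret")
    print(authenticate_command(proxied).replace("\r\n", "\n"), end="")
    print(decide(proxied))
    print(decide(build_plain("alice@example.com", "bob@example.com", "pw")))
    print(decide(build_plain("", "alice@example.com", "pw")))
```
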

Re: Can't authorize as different user in cyradm and sieveshell

2016-11-21 Thread Andrew Morgan via Info-cyrus
I'm using Debian packages for sasl.  Here is what libsasl2-modules 
includes:


/usr/lib/x86_64-linux-gnu/sasl2/libplain.so.2.0.25
/usr/lib/x86_64-linux-gnu/sasl2/libcrammd5.so.2.0.25
/usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so.2.0.25
/usr/lib/x86_64-linux-gnu/sasl2/liblogin.so.2.0.25
/usr/lib/x86_64-linux-gnu/sasl2/libanonymous.so.2.0.25
/usr/lib/x86_64-linux-gnu/sasl2/libntlm.so.2.0.25

But in my imapd.conf, I'm not specifying any auxprop plugins:

# grep sasl /etc/imapd.conf
sasl_mech_list: PLAIN
sasl_minimum_layer: 0
#sasl_maximum_layer: 256
sasl_pwcheck_method: saslauthd

Since we are using saslauthd, we don't use auxprop plugins, I think...

Andy

On Mon, 21 Nov 2016, Michael Ulitskiy wrote:


I'm trying to read the code and it seems that it tries to look up the
authorization id in an auxprop plugin. Since I don't have any auxprop plugins,
that returns SASL_NOMECH and results in the error I'm seeing.

By any chance do you have any auxprop plugin defined?

On Monday, November 21, 2016 10:07:23 AM Andrew Morgan wrote:

Maybe there is something wrong with your saslauthd parameters or PAM
config?

Here is what I use:

saslauthd -a pam -c -t 300 -m /var/run/saslauthd -n 5

# cat /etc/pam.d/sieve
# PAM configuration file for Cyrus IMAP service

auth     sufficient  pam_ldap.so
auth     required    pam_unix.so

account  sufficient  pam_ldap.so
account  required    pam_unix.so


(pretty simple!)

In your original email, you showed that you could authenticate as the
target user successfully.  Can you connect to sieve as the admin user (no
proxy-auth)?

Thanks,
Andy


On Mon, 21 Nov 2016, Michael Ulitskiy wrote:


Andrew,

Thanks for the reply. It's good to know it works for someone.
I've tried to downgrade cyrus to 2.4.18, but that didn't help.
sivtest doesn't provide much clue:

root@rway-imap-vm:~# sivtest -a proxyadmin -u t...@virtualcrap.com localhost
S: "IMPLEMENTATION" "Cyrus timsieved v2.4.18"
S: "SASL" "PLAIN"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope imap4flags relational regex subaddress copy"
S: "UNAUTHENTICATE"
S: OK
Please enter your password:
C: AUTHENTICATE "PLAIN" {48+}

S: NO "Authentication Error"
Authentication failed. generic failure
Security strength factor: 0

while log is saying:
Nov 21 12:01:57 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 'proxyadmin' granted access
Nov 21 12:01:57 rway-imap-vm sieve[21483]: badlogin: localhost[127.0.0.1] PLAIN no mechanism available

the same happens if I use admin user.
I also tried to change sasl_pwcheck_method to 'alwaystrue' to make sure no
authentication problems stand in the way, but that also didn't help.
I'm at a loss now. Any more troubleshooting clues?

Thanks,
Michael

On Sunday, November 20, 2016 07:34:58 PM Andrew Morgan wrote:

This works for me under v2.4.18.  I'm able to run sieveshell against a
frontend or backend authenticating as a cyrus "admins" user or a
"proxyservers" user (on the backend).

Against a frontend:

# sieveshell -u morgan -a cyrus imap.onid.oregonstate.edu
connecting to imap.onid.oregonstate.edu
Please enter your password:

list

onid-web
real  <- active script

quit



Against a backend:

# sieveshell -u morgan -a cyr_proxy cyrus-be1.onid.oregonstate.edu
connecting to cyrus-be1.onid.oregonstate.edu
Please enter your password:

list

onid-web
real  <- active script

quit



My imapd.conf settings:

admins: cyrus
allowplaintext: 0
sasl_mech_list: PLAIN
sasl_minimum_layer: 0
sasl_pwcheck_method: saslauthd
sieve_allowreferrals: 0
sieve_allowplaintext: 1


Have you tried using the "sivtest" program?  It will show you the protocol
handshakes, which might help.  Here is an example for me:

# sivtest -u morgan -a cyrus localhost
S: "IMPLEMENTATION" "Cyrus timsieved (Murder) v2.4.18"
S: "SASL" "PLAIN"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope body relational regex subaddress copy"
S: "STARTTLS"
S: "UNAUTHENTICATE"
S: OK
Please enter your password:
C: AUTHENTICATE "PLAIN" {28+}

S: OK
Authenticated.
Security strength factor: 0
C: LOGOUT
OK "Logout Complete"
Connection closed.


Andy

On Sun, 20 Nov 2016, Michael Ulitskiy via Info-cyrus wrote:


Since nobody answered, I guess, nobody has any idea.
I wonder if anybody uses this feature and it works for you?
I mean I'd like to know if that's just me and something is wrong with my setup
or maybe that feature isn't functional at all?
Thanks in advance,

Michael

On Thursday, November 17, 2016 06:30:18 PM Michael Ulitskiy via Info-cyrus 
wrote:

Hello,

I'm playing with cyrus-imap 2.5.10 and cyrus-sasl 2.1.26.
I'm trying to use sieveshell to set up users' sieve scripts, but since
I don't know users' passwords I want to use a special user for authentication
and authorize as the target user.
Here's what I have.

imapd.conf:
admins: mailadmin
proxyservers: proxyadmin
sasl_pwcheck_method: saslauthd
#sasl_pwcheck_method: alwaystrue

Re: Can't authorize as different user in cyradm and sieveshell

2016-11-20 Thread Andrew Morgan via Info-cyrus
This works for me under v2.4.18.  I'm able to run sieveshell against a 
frontend or backend authenticating as a cyrus "admins" user or a 
"proxyservers" user (on the backend).


Against a frontend:

# sieveshell -u morgan -a cyrus imap.onid.oregonstate.edu
connecting to imap.onid.oregonstate.edu
Please enter your password:

list

onid-web
real  <- active script

quit



Against a backend:

# sieveshell -u morgan -a cyr_proxy cyrus-be1.onid.oregonstate.edu
connecting to cyrus-be1.onid.oregonstate.edu
Please enter your password:

list

onid-web
real  <- active script

quit



My imapd.conf settings:

admins: cyrus
allowplaintext: 0
sasl_mech_list: PLAIN
sasl_minimum_layer: 0
sasl_pwcheck_method: saslauthd
sieve_allowreferrals: 0
sieve_allowplaintext: 1


Have you tried using the "sivtest" program?  It will show you the protocol 
handshakes, which might help.  Here is an example for me:


# sivtest -u morgan -a cyrus localhost
S: "IMPLEMENTATION" "Cyrus timsieved (Murder) v2.4.18"
S: "SASL" "PLAIN"
S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope body relational regex subaddress copy"
S: "STARTTLS"
S: "UNAUTHENTICATE"
S: OK
Please enter your password:
C: AUTHENTICATE "PLAIN" {28+}

S: OK
Authenticated.
Security strength factor: 0
C: LOGOUT
OK "Logout Complete"
Connection closed.


Andy

On Sun, 20 Nov 2016, Michael Ulitskiy via Info-cyrus wrote:


Since nobody answered, I guess, nobody has any idea.
I wonder if anybody uses this feature and it works for you?
I mean I'd like to know if that's just me and something is wrong with my setup
or maybe that feature isn't functional at all?
Thanks in advance,

Michael

On Thursday, November 17, 2016 06:30:18 PM Michael Ulitskiy via Info-cyrus 
wrote:

Hello,

I'm playing with cyrus-imap 2.5.10 and cyrus-sasl 2.1.26.
I'm trying to use sieveshell to set up users' sieve scripts, but since
I don't know users' passwords I want to use a special user for authentication
and authorize as the target user.
Here's what I have.

imapd.conf:
admins: mailadmin
proxyservers: proxyadmin
sasl_pwcheck_method: saslauthd
#sasl_pwcheck_method: alwaystrue
sasl_mech_list: PLAIN
allowplaintext: yes

here's what i do:

root@rway-imap-vm:~# sieveshell -a proxyadmin -u t...@virtualcrap.com localhost
connecting to localhost
Please enter your password:
unable to connect to server at /usr/bin/sieveshell line 191,  line 1.

here's the log:
Nov 17 18:24:44 rway-imap-vm sieve[2256]: TLS is available.
Nov 17 18:24:46 rway-imap-vm saslauthd[1169]: pam_userdb(sieve:auth): user 'proxyadmin' granted access
Nov 17 18:24:46 rway-imap-vm sieve[2256]: badlogin: localhost [127.0.0.1] PLAIN no mechanism available
Nov 17 18:24:46 rway-imap-vm sieve[2256]: Lost connection to client -- exiting

as you can see user proxyadmin authenticated successfully, but then something 
(authorization?) went wrong
and it says "PLAIN no mechanism available".
this only happens if i try to authorize as different user. if i don't 
everything works fine:

root@rway-imap-vm:~# sieveshell -a t...@virtualcrap.com -u t...@virtualcrap.com localhost
connecting to localhost
Please enter your password:




log:
Nov 17 18:24:11 rway-imap-vm sieve[2247]: TLS is available.
Nov 17 18:24:15 rway-imap-vm saslauthd[1167]: pam_userdb(sieve:auth): user 't...@virtualcrap.com' granted access
Nov 17 18:24:15 rway-imap-vm sieve[2247]: login: localhost [127.0.0.1] t...@virtualcrap.com PLAIN User logged in

the same happens to cyradm:
root@rway-imap-vm:~# cyradm --user=proxyadmin --authz=t...@virtualcrap.com --auth=plain localhost
Password:
IMAP Password:

log:
Nov 17 18:26:27 rway-imap-vm saslauthd[1166]: pam_userdb(imap:auth): user 'proxyadmin' granted access
Nov 17 18:26:27 rway-imap-vm imap[2277]: badlogin: localhost [127.0.0.1] PLAIN [SASL(-4): no mechanism available: Unable to find a callback: 32773]

but ok without trying to authorize as different user:
root@rway-imap-vm:~# cyradm --user=t...@virtualcrap.com --auth=plain localhost
Password:
localhost>
Nov 17 18:27:31 rway-imap-vm saslauthd[1167]: pam_userdb(imap:auth): user 't...@virtualcrap.com' granted access
Nov 17 18:27:31 rway-imap-vm imap[2276]: login: localhost [127.0.0.1] t...@virtualcrap.com PLAIN User logged in SESSIONID=

Can somebody tell me what I am doing wrong?
Thanks a lot,

Michael


Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
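
The log pattern discussed in the thread above (saslauthd reports "granted access", then the Cyrus service logs "badlogin") can be separated from plain password failures by pairing the two lines. This is an added example, not code from any list message or from the Cyrus project. It assumes the syslog layout quoted in the thread, that the PAM service name equals the daemon's syslog tag, and a two-second pairing window; the sample lines, including the SASL(-13) one, are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the thread's syslog lines (host, PIDs, address made up).
SAMPLE_LOG = """\
Nov 17 18:24:15 mailhost saslauthd[1167]: pam_userdb(sieve:auth): user 'user@example.com' granted access
Nov 17 18:24:15 mailhost sieve[2247]: login: localhost [127.0.0.1] user@example.com PLAIN User logged in
Nov 17 18:24:46 mailhost saslauthd[1169]: pam_userdb(sieve:auth): user 'proxyadmin' granted access
Nov 17 18:24:46 mailhost sieve[2256]: badlogin: localhost [127.0.0.1] PLAIN no mechanism available
Nov 17 18:26:27 mailhost saslauthd[1166]: pam_userdb(imap:auth): user 'proxyadmin' granted access
Nov 17 18:26:27 mailhost imap[2277]: badlogin: localhost [127.0.0.1] PLAIN [SASL(-4): no mechanism available: Unable to find a callback: 32773]
Nov 17 18:30:02 mailhost imap[2301]: badlogin: localhost [127.0.0.1] PLAIN [SASL(-13): authentication failure: Password verification failed]
"""

STAMP = r"(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
GRANT = re.compile(STAMP + r"saslauthd\[\d+\]: \S+\((\w+):auth\): user '([^']+)' granted access")
RESULT = re.compile(STAMP + r"(\w+)\[\d+\]: (login|badlogin): \S+?\s*\[([^\]]+)\] (.*)")
WINDOW = timedelta(seconds=2)  # assumed max gap between grant and service verdict

def _ts(stamp):  # syslog stamps carry no year; a fixed one is fine for short gaps
    return datetime.strptime("2000 " + " ".join(stamp.split()), "%Y %b %d %H:%M:%S")

def classify(log_text):
    """Return one finding per login/badlogin line, in log order."""
    pending = {}  # PAM service name -> (time, authcid) of the latest grant
    findings = []
    for line in log_text.splitlines():
        m = GRANT.match(line)
        if m:
            pending[m.group(2)] = (_ts(m.group(1)), m.group(3))
            continue
        m = RESULT.match(line)
        if not m:
            continue
        when, service, outcome, ip, detail = m.groups()
        grant = pending.pop(service, None)
        verified = grant is not None and abs(_ts(when) - grant[0]) <= WINDOW
        if outcome == "login":
            verdict = "ok"
        elif verified:
            verdict = "password-ok-then-rejected"  # failed after the password check
        else:
            verdict = "rejected-without-grant"     # no matching saslauthd grant
        findings.append({"time": when, "service": service, "ip": ip, "verdict": verdict,
                         "authcid": grant[1] if verified else None, "detail": detail})
    return findings

if __name__ == "__main__":
    print(*classify(SAMPLE_LOG), sep="\n")
```

A "password-ok-then-rejected" finding means the credentials were accepted and the failure came afterwards, which is the case the original poster describes for proxyadmin on both sieve and imap.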


Re: 2.4.17 --> 2.5.3 Delayed expunge?

2016-10-13 Thread Andrew Morgan via Info-cyrus

On Thu, 13 Oct 2016, Sergey via Info-cyrus wrote:


On Wednesday 12 October 2016, Sergey via Info-cyrus wrote:


I'm wrong, "expunge_mode: immediate" works. I was expecting
quick delete, but it is slow: about 30 seconds or more.


and a lot time for big mailboxes: some minutes.


If I remember correctly, this "lazy" delete of message files is a 
performance optimization so that IMAP clients don't have to wait for the 
deletion to happen.  Also, expunged messages don't count against the 
mailbox quota.


Andy
