Re: Cyrus imap 2.3.11-xx with postfix 2.9.4
Hi

Are portmap/rpcbind and ypbind running? It looks like a problem with RPC, and because of them ypbind is not running correctly. Can you verify the functionality of ypages with:

    id username
    ypcat passwd | grep username
    getent passwd username

This should resolve the username and verify the functionality of ypages.

Cheers
Kleo

On Wed, 25 Nov 2015, Josef Karliak via Info-cyrus wrote:

Good morning,

we had some issue tomorrow's morning - some users couldn't log in to an email system. We use ypages for distributing passwd maps, the authorizing daemon is saslauthd. Some users logged in, some not. "Unauthorized" users made a record in the syslog:

    Nov 24 08:01:23 email1 saslauthd[10396]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
    Nov 24 08:01:23 email1 saslauthd[10396]: do_auth : auth failure: [user=username] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
    Nov 24 08:01:23 email1 imap[26411]: badlogin: localhost [127.0.0.1] plaintext username SASL(-13): authentication failure: checkpass failed

About this time, +/- seconds, I see in the mail log these complaints from postfix to cyrus's lmtp:

    Nov 24 08:01:25 email1 postfix/lmtp[29859]: warning: 19535581B: non-LMTP response from email1.fnhk.cz[public/lmtp]: do_ypcall: clnt_call: RPC: Timed out
    Nov 24 08:01:25 email1 postfix/lmtp[29859]: warning: to prevent loss of mail, turn off command pipelining for public/lmtp with the lmtp_discard_lhlo_keyword_address_maps parameter
    Nov 24 08:01:50 email1 postfix/lmtp[29859]: warning: 19535581B: non-LMTP response from email1.fnhk.cz[public/lmtp]: do_ypcall: clnt_call: RPC: Timed out
    Nov 24 08:01:50 email1 postfix/lmtp[29859]: warning: to prevent loss of mail, turn off command pipelining for public/lmtp with the lmtp_discard_lhlo_keyword_address_maps parameter

The username was in all 3 hosts' maps, other users logged in, and there are no complaints about network connections.

This worked fine for years, but this issue happened twice within 2 weeks. The administrators of the ypages servers don't see any problem or logs about their servers. What caused this issue? What can I do to prevent it?

Thanks and best regards
J.Karliak

--
Vladimir Klejch kleo_at_netbox.cz

Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus

Re: user rename and uidvalidity value
Hi

partly discussed in: https://bugzilla.mozilla.org/show_bug.cgi?id=365651#c4

snip ---

ftp://ftp.rfc-editor.org/in-notes/rfc3501.txt

6.3.5. RENAME Command

The value of the highest-used unique identifier of the old mailbox name MUST be preserved so that a new mailbox created with the same name will not reuse the identifiers of the former incarnation, UNLESS the new incarnation has a different unique identifier validity value. See the description of the UID command for more detail.

If IMAP server returns same unique identifier validity value after rename, IMAP server MUST preserve highest-used unique identifier.

snip ---

The problem is where to store the old highest-used unique identifier for the same mailbox name, if it is reused ??

The logical solution is to generate a new uidvalidity for the renamed mailbox; that guarantees that, in case of an existing previous mailbox with the same name, the change to other content is recognized ..

Cheers
Kleo

On Wed, 5 Nov 2014, Hamada, Ondrej wrote:

Hi,

Can you please explain to me why a new value of uidvalidity is generated when a user is renamed in cyrus_imapd?

Rename:

    A001 rename user/a@bbb.com user/x...@bbb.com

Before rename:

    A001 select inbox
    * OK [CLOSED] Ok
    * 3 EXISTS
    * 0 RECENT
    * FLAGS (\Answered \Flagged \Draft \Deleted \Seen)
    * OK [PERMANENTFLAGS (\Answered \Flagged \Draft \Deleted \Seen \*)] Ok
    * OK [UNSEEN 2] Ok
    * OK [UIDVALIDITY 1415092196] Ok
    * OK [UIDNEXT 4] Ok
    * OK [HIGHESTMODSEQ 5] Ok
    * OK [URLMECH INTERNAL] Ok
    A001 OK [READ-WRITE] Completed

After rename:

    A001 select inbox
    * 3 EXISTS
    * 0 RECENT
    * FLAGS (\Answered \Flagged \Draft \Deleted \Seen)
    * OK [PERMANENTFLAGS (\Answered \Flagged \Draft \Deleted \Seen \*)] Ok
    * OK [UNSEEN 2] Ok
    * OK [UIDVALIDITY 1415093437] Ok
    * OK [UIDNEXT 4] Ok
    * OK [HIGHESTMODSEQ 7] Ok
    * OK [URLMECH INTERNAL] Ok
    A001 OK [READ-WRITE] Completed

Thank you in advance,
Ondra

--
You have moved the mouse.
Windows must be restarted for the changes to take effect.
Vladimir `KLEO' Klejch Kleo'at'netbox.cz

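
The reasoning in the reply above, as an added example that is not part of the thread or of Cyrus: a client cache keyed on UIDs, run against the UIDVALIDITY and UIDNEXT values from the two SELECT responses quoted in the question. `MailboxCache`, the message bodies and the `REUSED_NAME` response are hypothetical and constructed for illustration.

```python
import re

# SELECT output quoted in the thread above, reduced to the lines that matter.
BEFORE_RENAME = "* 3 EXISTS\n* OK [UIDVALIDITY 1415092196] Ok\n* OK [UIDNEXT 4] Ok\n"
AFTER_RENAME = "* 3 EXISTS\n* OK [UIDVALIDITY 1415093437] Ok\n* OK [UIDNEXT 4] Ok\n"
# Constructed counter-case: a different mailbox later created under the old
# name by a server that kept the old UIDVALIDITY and started UIDs again at 1.
REUSED_NAME = "* 2 EXISTS\n* OK [UIDVALIDITY 1415092196] Ok\n* OK [UIDNEXT 3] Ok\n"

CODE_RE = re.compile(r"^\* OK \[(UIDVALIDITY|UIDNEXT) (\d+)\]", re.MULTILINE)


def select_state(response):
    """Extract UIDVALIDITY and UIDNEXT from untagged SELECT responses."""
    return {name: int(value) for name, value in CODE_RE.findall(response)}


class MailboxCache:
    """Hypothetical client cache for one mailbox name: UID -> cached body."""

    def __init__(self):
        self.uidvalidity = None
        self.bodies = {}

    def resync(self, response, server_bodies):
        """Sync against a SELECT response; return the UIDs that were fetched."""
        state = select_state(response)
        if state["UIDVALIDITY"] != self.uidvalidity:
            # New incarnation: every cached UID is meaningless, start over.
            self.bodies.clear()
            self.uidvalidity = state["UIDVALIDITY"]
        wanted = [uid for uid in range(1, state["UIDNEXT"])
                  if uid in server_bodies and uid not in self.bodies]
        for uid in wanted:
            self.bodies[uid] = server_bodies[uid]
        return wanted


def demo():
    old = {1: "old-1", 2: "old-2", 3: "old-3"}
    cache = MailboxCache()
    first = cache.resync(BEFORE_RENAME, old)    # initial download
    renamed = cache.resync(AFTER_RENAME, old)   # new UIDVALIDITY: refetch all
    safe_cache = dict(cache.bodies)

    stale = MailboxCache()
    stale.resync(BEFORE_RENAME, old)
    # Same name, same UIDVALIDITY, reused UIDs: nothing is refetched and the
    # client keeps showing the old mailbox's messages.
    refetched = stale.resync(REUSED_NAME, {1: "new-1", 2: "new-2"})
    return first, renamed, safe_cache, refetched, stale.bodies


if __name__ == "__main__":
    print(demo())
```

The cost of the new UIDVALIDITY is one full refetch; the counter-case shows what it prevents.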
Re: How to improve mail search from iPad and other mobile devices
Hi

the performance hit with usage of incremental squatter update should not be as high as with a full reindex.

Cheers
Kleo

--
Vladimir `KLEO' Klejch Kleo'at'netbox.cz

Hi,

Quoting Sebastian Hagedorn haged...@uni-koeln.de:

Hi, [...]

Search for addresses and subject should in theory be reasonably fast because the results should mostly come from the cache. We also use squatter, which should help with the body searches. However, each mailbox is currently squatted roughly every 24 hours. With busy mailboxes I presume that leaves a large window where search will have to fall back to searching every message in that mailbox, right?

AFAIK the index created by squatter is used to exclude mails that don't contain the search pattern, so an outdated index is still of use. Only the new messages and the files the index could not exclude will be searched. Running squatter more often will result in more IO traffic during the daytime.

We are looking into using metapartitions to move all the relevant files to SSD to make access to cache and squat files faster, but that won't help with outdated squat files, right? Would it make sense to squat his mailboxes more often? Other suggestions?

Cheers
Sebastian

--
.:.Sebastian Hagedorn - Weyertal 121 (Gebäude 133), Zimmer 2.02.:.
.:.Regionales Rechenzentrum (RRZK).:.
.:.Universität zu Köln / Cologne University - ✆ +49-221-470-89578.:.

M.Menge                         Tel.: (49) 7071/29-70316
Universität Tübingen            Fax.: (49) 7071/29-5912
Zentrum für Datenverarbeitung   mail: michael.me...@zdv.uni-tuebingen.de
Wächterstraße 76
72074 Tübingen

Re: How to block a dictionary attack
Hi

I use fail2ban (http://www.fail2ban.org/) in this way, and not only for imap ... fail2ban is configurable for other net services too.

Kleo

On Mon, 12 Apr 2010, ram wrote:

I am seeing this pattern now very often. Every weekend someone tries to gain unauthorized access to my imap servers by trying random username / passwords.

Yesterday by afternoon someone had tried half a million times on my servers from 62.141.37.141. I have written to the abuse contact address ... not that I expect any reply anyway.

I would like to configure cyrus in such a way that if there are 10 failed logins from an ip address in 10 minutes and no successful logins, it just blocks the IP address. (Or injects the ip into my firewall.)

Is there something similar already available?

Thanks
Ram

--
Vladimir `KLEO' Klejch Kleo'at'netbox'dot'cz

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

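
The rule asked for in the question above (10 failed logins from one IP address in 10 minutes, with no successful login), as an added example that is not part of the thread and is not fail2ban's own code. The `badlogin:` format follows the syslog line quoted elsewhere on this page; the `login:` success line, the function names and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "badlogin:" follows the syslog line quoted elsewhere on this page; the
# "login:" line for a successful login is an assumed format.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \w+\[\d+\]: "
    r"(?P<kind>badlogin|login): \S+ \[(?P<ip>[^\]]+)\]"
)


def ips_to_block(lines, threshold=10, window=timedelta(minutes=10), year=2010):
    """Return IPs with `threshold` failures inside `window` and no success."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is supplied by the caller.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        recent = failures[m["ip"]]
        if m["kind"] == "login":
            recent.clear()          # a real user got in: start counting again
            continue
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()        # forget failures older than the window
        if len(recent) >= threshold and m["ip"] not in blocked:
            blocked.append(m["ip"])
    return blocked


def _bad(minute, second, ip, user):
    return (f"Apr 11 14:{minute:02d}:{second:02d} mail1 imap[2001]: badlogin: "
            f"client [{ip}] plaintext {user} SASL(-13): authentication "
            "failure: checkpass failed")


# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE = (
    # 12 guesses at different users in two minutes, never a success
    [_bad(i // 6, (i % 6) * 10, "192.0.2.10", f"user{i}") for i in range(12)]
    # 9 failures, then a success, then 3 more failures: a user mistyping
    + [_bad(3, i, "198.51.100.7", "alice") for i in range(9)]
    + ["Apr 11 14:03:30 mail1 imap[2002]: login: client [198.51.100.7] "
       "alice plaintext User logged in"]
    + [_bad(4, i, "198.51.100.7", "alice") for i in range(3)]
    # 10 failures spread over 45 minutes: too slow for this rule
    + [_bad(i * 5, 0, "203.0.113.5", "bob") for i in range(10)]
)

if __name__ == "__main__":
    print(ips_to_block(SAMPLE))
```

Only the first address is returned; the success resets the second address's count, and the third never reaches ten failures inside one window.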
Re: make_sha1 and virtual domains
Hi

Is somebody using make_sha1 or make_md5 with virtual domains ??? How to use it ???

I'm fiddling with the source, but make_sha1 does not find mailboxes for a given login in mailboxes.db. I think there is no functionality in the source of make_sha1 or make_md5 for virtual domains ???

Would it be possible to have virtualdomains functionality in all parts of the cyrus source code ??

Bye for now
Kleo

On Wed, 26 Aug 2009, Vladimir Klejch wrote:

Hi

Is there a way to use make_sha1 with virtualdomains ???

I see in the source a hardcoded adding of "user." at the beginning of the supplied user to make the mailbox name, and I think this can't work with virtualdomains.

I need this to check replication and have all mailboxes in more virtual domains.

In imapd.conf is set:

    altnamespace: yes
    unixhierarchysep: yes
    virtdomains: userid
    guid_mode: sha1
    sha1_dir: /var/spool/cyrus/sha1
    ... and more

Thanks
Kleo

--
Vladimir `KLEO' Klejch Kleo'at'netbox.cz

make_sha1 and virtual domains
Hi

Is there a way to use make_sha1 with virtualdomains ???

I see in the source a hardcoded adding of "user." at the beginning of the supplied user to make the mailbox name, and I think this can't work with virtualdomains.

I need this to check replication and have all mailboxes in more virtual domains.

In imapd.conf is set:

    altnamespace: yes
    unixhierarchysep: yes
    virtdomains: userid
    guid_mode: sha1
    sha1_dir: /var/spool/cyrus/sha1
    ... and more

Thanks
Kleo

--
Vladimir `KLEO' Klejch Kleo'at'netbox.cz

Re: Announcing cyrus-user-map, a local recipient map generator for Postfix
On Tue, 10 Mar 2009, Farzad FARID wrote:

On 10.03.2009 09:59, Stefan Schmidt wrote:

Nice thing, but just out of curiosity, why don't you use postfix' recipient verification mechanism? In smtp_recipient_restrictions add reject_unverified_recipient at a reasonable position in these restrictions. Everything else automagically happens.

Thanks for asking. In the Postfix Address Verification Howto (http://www.postfix.org/ADDRESS_VERIFICATION_README.html) it says that:

/A Postfix MTA verifies a sender or recipient address by probing the nearest MTA for that address, without actually delivering mail. The nearest MTA could be the Postfix MTA itself, or it could be a remote MTA (SMTP interruptus). Probe messages are like normal mail, except that they are never delivered, deferred or bounced; probe messages are always discarded./

This is a very heavyweight process, especially if we have the Cyrus database at hand :) So I think that looking up an entry in a hash map is much faster and doesn't involve any SMTP/LMTP connection.

And if the Postfix relay and the Cyrus database are not on the same physical computer, and someone's interested, I can extend my little tool to use a network connection to fetch the user database.

Best regards

What about something like the Postfix version of smmapd: http://www.mail-archive.com/info-cyrus@lists.andrew.cmu.edu/msg31479.html ...

It is a good solution, it has a test for existence of the mailbox and for overquota .. I have fiddled with it, but do not have a working solution, because there is some problem with unixhierarchysep and altnamespace, I think ... :-(( It's about 1.5 years ago that I tried it ...

--
Vladimir `KLEO' Klejch Kleo'at'netbox.cz

Re: Replication errors: missing subscription
Hi

Is it possible to see your checkreplication script ???

I'm searching for a valuable solution for checking the replication, and there is no documented solution for how to verify the in-sync state, nor a workaround for misstates ...

Thanks
Kleo

On Tue, 2 Sep 2008, Bron Gondwana wrote:

Our Cyrus 2.3.12 + patches replication system has been running very reliably for months - to the point where the only issues our checkreplication script tends to find are either:

a) cases where someone has reconstructed and not run quota -f afterwards, causing quota mismatches. (this is mostly the fault of bits of our code that need updating!)

b) subscriptions missing on the replica.

I have a suspicion that most of these could be avoided by the simple expedient of switching from putting individual subscription records into the sync log to copying the entire user.sub file.

(I've also changed setseen_all to just overwrite the user.seen file rather than attempt some sort of merger. It's a replica, the master is right! This will break if you're using a different database type on the replica than the master of course - but that's why you shouldn't be sending binary formats over the wire in the first place. It's already going to break)

Bron.

--
Vladimir `KLEO' Klejch Kleo'at'netbox.cz

Replication verification
Hi

I have a two-node back-to-back replication running with 2.3.11. The replication is running in both directions, and with my small checks I didn't find any problem; the replication is running great.

Now the second server is used only as a replica of the first server (hot-standby), and I'm searching for a best practice for how to verify the replication, in the best case continuously.

I am searching for a possibility to use both servers in production as master-master.

There are tools like make_md5 and make_sha1, but the manpages document only how to configure them, not how to really use them for a replication check. Are there some scripts or methods for how to use them? Or are there other scenarios for how to efficiently verify the replicated imap spool, quotas, annotations, acl's etc. ??

Kleo

--
Vladimir `KLEO' Klejch Kleo'at'netbox.cz

Re: Replication verification
On Fri, 27 Jun 2008, David Carter wrote:

On Fri, 27 Jun 2008, Vladimir Klejch wrote:

I am searching for a possibility to use both servers in production as master-master.

Afraid that replication in Cyrus doesn't support full master-master, only master/slave. UIDs in IMAP make full master-master rather involved. It is possible to run a mix of master and replica mailstores on a single system.

It's not really full master-master. I configured both servers as master/slave in cross, with different sync_machineid (for UID computation) and guid_mode: sha1. I tested this scenario, and it's working great. Changes on one server are replicated to the other one, and this in both directions.

There are tools like make_md5 and make_sha1, but the manpages document only how to configure them, not how to really use them for a replication check.

I download the md5 files to a single location and run a 50 line Perl script to spot mismatches. You are welcome to a copy of that script.

Yeah ... can you mail me a copy for inspiration ?? Thanks.

To make sure that the replica is up to date I run sync_client in an extra verbose mode (-v -v) and check for unexpected updates. Unfortunately that code didn't make it into the vanilla Cyrus tree because of the reorganisation required to run sync_server from master using prot streams for communication. It wouldn't take a huge amount of effort to add -v -v into standard Cyrus.

It would be nice to have methods to check replication in the mainstream. :-))

I believe that Fastmail have an external test suite which does spot checks on the master and replica versions of each account. This is the opposite approach, and makes sense if you have a convenient IMAP client library.

I think that spot checks are only good for a quick replication test, but not for verification of replication status.

--
Vladimir `KLEO' Klejch Kleo'at'netbox.cz