Thanks for that Vladislav, it was very helpful. :-)
I have managed to get exim to use the defined cyrus_delivery transport
attempting to deliver a received mail but it is baulking on the SSL cert.
From /var/log/mail.err :
Feb 12 14:58:46 blmail cyrus/lmtp[3523]: unable to get private key
from '/etc/ssl/private/ssl-cert-snakeoil.key'
Feb 12 14:58:46 blmail cyrus/lmtp[3523]: TLS server engine: cannot
load cert/key data, may be a cert/key mismatch?
Feb 12 14:58:46 blmail cyrus/lmtp[3523]: [lmtpd] error initializing TLS
I have run
root@blmail:~# bash /usr/share/doc/exim4-base/examples/exim-gencert
--force
and confirm the permissions on the cert file:
root@blmail:~# ls -l /etc/ssl/private/
total 4
-rw-r----- 1 root root 916 Feb 12 12:41 ssl-cert-snakeoil.key
What process/user should have access to this key? Is it simply the
wrong owner/group?
I can access cyrus and 'see' mailboxes, create them etc:
root@blmail:~# cyradm --user cyrus --auth login localhost
IMAP Password:
localhost> lm
user.hire (\HasChildren) user.hire.Trash (\HasNoChildren)
user.hire.Drafts (\HasNoChildren) user.hire.test (\HasNoChildren)
user.hire.Sent (\HasNoChildren) user.paul (\HasNoChildren)
but I believe this is using saslauth LOGIN so maybe it's not using the
SSL anyway?
When I attempt to send mail to an account on there I get the following
in /var/log/exim4/mainlog :
2014-02-12 14:58:46 1WDilR-0000ul-Rh DKIM: d=gmail.com s=20120113
c=relaxed/relaxed a=rsa-sha256 [verification succeeded]
2014-02-12 14:58:46 1WDilR-0000ul-Rh SA: Debug: SAEximRunCond expand
returned: '0'
2014-02-12 14:58:46 1WDilR-0000ul-Rh SA: Action: Not running SA
because SAEximRunCond expanded to false (Message-Id:
1WDilR-0000ul-Rh). From <pauloro...@gmail.com>
(host=mail-oa0-f53.google.com [209.85.219.53]) for
h...@chemainus.mjbrownloos.com
2014-02-12 14:58:46 1WDilR-0000ul-Rh <= pauloro...@gmail.com
H=mail-oa0-f53.google.com [209.85.219.53] P=esmtps
X=TLS1.0:RSA_ARCFOUR_SHA1:128 S=30551
id=capxx1o6m5xkrazv97zkrnppmlgv1s98tvnec4qund0pwggb...@mail.gmail.com
2014-02-12 14:58:46 1WDilR-0000ul-Rh ==
h...@chemainus.mjbrownloos.com R=local_user T=cyrus_delivery defer
(-45): SMTP error from remote mail server after MAIL
FROM:<pauloro...@gmail.com> SIZE=32614: host 127.0.0.1 [127.0.0.1]:
430 Authentication required
I'll come back to the Spamassassin issue later (unless of course it's
related!)
So I seem to be getting confused about when the SSL is used. Ideally I'd
like to use SSL and authentication for SMTP and IMAP. Is it that the
LMTP needs authentication and it's not? I did use in /etc/cyrus.conf
lmtp cmd="lmtpd" -a listen="localhost:lmtp" prefork=0
maxchild=20
I feel like I'm close, but still not fully understanding the
relationship between exim and cyrus regards lmtp and saslauth. Have I
mixed things up here?
Hoping for more of the excellent help I've received thus far.
*
Paul O'Rorke*
Tracker Software Products
p...@tracker-software.com <mailto:paul.oro...@tracker-software.com>
On 2/11/2014 12:56 AM, Vladislav Kurz wrote:
On Monday 10 of February 2014 23:13:42 Paul O'Rorke wrote:
> Hi again Cyrus list,
>
> still trying to find a definitive resource to use to get this mail
> server up and running. Does anyone know of a good howto for setting up
> Debian/Exim/Cyrus? I think this is the combination I want to move from
> the Centos/Exim/Dovecote box I inherited but I must confess to really
> struggling here.
Here are the most important snippets of my Debian/exim/cyrus config
for sasldb authentication, exim split config. Based on squeeze, so be
careful there might be small changes in wheezy. Changes noted as a
diff file.
/etc/exim4/conf.d/main/00_exim4-config_localmacros: (new file)
+ LOCAL_DELIVERY = cyrus_delivery
/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt:
# Insist that any other recipient address that we accept is either in
one of
# our local domains, or is in a domain for which we explicitly allow
# relaying. Any other domain is rejected as being unacceptable for
relaying.
require
message = relay not permitted
domains = +local_domains : +relay_to_domains
# We also require all accepted addresses to be verifiable. This check will
# do local part verification for both local and remote domains.
# Callout is needed to do the check via LMTP.
# This is important to avoid backscatter bounces.
# If you act as backup MX, you might need to adjust.
require
- verify = recipient
+ verify = recipient/callout
/etc/exim4/conf.d/router/900_exim4-config_local_user:
# There are no local users in /etc/passwd. Check is done by callout in
ACL.
# Also there is no harm in having a mailbox named root.
local_user:
debug_print = "R: local_user for $local_part@$domain"
driver = accept
domains = +local_domains
- check_local_user
- local_parts = ! root
transport = LOCAL_DELIVERY
cannot_route_message = Unknown user
/etc/exim4/conf.d/transport/30_exim4-config_cyrus_delivery:
+ # LMTP over TCP/IP, allows callout verification, needs `lmtpd -a`
+ cyrus_delivery:
+ driver = smtp
+ protocol = lmtp
+ hosts = 127.0.0.1
+ allow_localhost
/etc/exim4/conf.d/auth/30_exim4-config_examples
Uncomment all examples where driver = cyrus_sasl. Set server realm to
full hostname, or check what is behind @ in sasldblistusers2. NTLM and
MD5 authentication can be allowd even over unencrypted connections.
/etc/imapd.conf
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sasldb
/etc/cyrus.conf
lmtp cmd="lmtpd -a" listen="localhost:lmtp" prefork=0 maxchild=20
#lmtpunix cmd="lmtpd" listen="/var/run/cyrus/socket/lmtp" prefork=0 ...
/etc/services
lmtp 24/tcp
--- eof ---
I have omitted lots of other changes I do to exim config, as they are
not related to exim-cyrus integration.
--
Best Regards
Vladislav Kurz
=== WebStep, s.r.o. (Ltd.) ========= a step to the Web ===
address: Mezirka 1, 602 00 Brno, CZ, tel: +420 548 214 711
=== www.webstep.net ======= vladislav.k...@webstep.net ===
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
