Re[2]: Cyrus+PAM+RADIUS

[Pavel A Crasotin]

BT> Pavel A Crasotin schrieb am Fri, Jan 18, 2002 at 09:28:11AM +0300:
>> Hi
>> 
>> I've installed cyrus-imapd-2.0.16 with cyrus-sasl-1.5.27
>> on FreeBSD 4.4-STABLE from the ports.
>> I would like to authorize mail users with RADIUS.
>> So I've configured
>> 
>> imapd.conf:
>> sasl_pwcheck_method: PAM
>> 
>> /etc/pam.conf:
>> imapauthrequiredpam_radius.so   try_first_pass
>> pop3authrequiredpam_radius.so   try_first_pass
>> 
>> and tried to auth but it failed. Neither Cyrus nor PAM dont writes in log
>> anything essential.
>> 
>> pwcheck and sasldb methods work fine.
>> 
>> Does anyone has an ideas what's wrong?

BT> What does your radius service say?  Are there requests in its logs?  Does it 
BT> get any auth packets (tcpdump)?

BT> Are you sure to enable access for radius?  In my servers, one has to fill
BT> in dedicated values into /etc/raddb/clients (the systems questioning the
BT> cistron-radiusd).  As I write this: how does pam authenticate as a client 
BT> to the radius server (if needed), it has no data for this, eh?

I'm using RADIATOR. It is configured and works fine.
With qpopper+PAM, for example.

I've made some tests.
tcpdump started as
tcpdump host radiushost

POP3:
# telnet localhost pop3
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK <[EMAIL PROTECTED]> Cyrus POP3 v2.0.16 server ready
user test
+OK Name is a valid mailbox
pass test
-ERR Invalid login
quit
+OK
Connection closed by foreign host.

tcpdump does't catch any packet

IMAP:
# imtest -m login -a test localhost
C: C01 CAPABILITY
S: * OK localhost.domain.ru Cyrus IMAP4 v2.0.16 server ready
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMI
C_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE
AUTH=DIGEST-MD5 AUTH=CRAM-MD5
S: C01 OK Completed
Password: test
C: L01 LOGIN test {4}
+ go ahead
C: 
L01 NO Login failed: authentication failure
Authentication failed. generic failure
Security strength factor: 0
. logout
* BYE LOGOUT received
. OK Completed
Connection closed.

And tcpdump shows:
# tcpdump host radiushost
tcpdump: listening on pcn0
12:02:39.785085 localhost.domain.ru.hiq > radiushost.1645:  rad-access-req 73 [
id 149] Attr[  User{test} Pass [|radius]
12:02:39.817945 radiushost.1645 > localhost.domain.ru.hiq:  rad-access-accept 2
0 [id 149] (DF)

And RADIATOR says user test has passed auth.


BT> Regards,

BT> - Birger

With respect,
Pavel A Crasotin

OJSC SeverTransCom
40/13 Sobinova, Yaroslavl, 15, Russia
Tel/Fax: +7 (0852) 47-71-70, 47-69-49
 +7 (0852) 72-17-28, 72-17-38

Re: vacation auto responders

[Ken Murchison]

Scott Russell wrote:
> 
> Okay, I've got the sieve stuff from 2.1.x CVS build under 2.0.16 and
> everything seems to be running fine. A few test scripts I setup worked
> as expected.
> 
> With the vacation setup, what will it NOT respond to. I've some of this
> listed in the draft but I'm looking for a full list. I would also like
> to know if the list of don't-reply-conditions is configurable.
> 
> My first concern is that vacation NOT respond to mail with headers of
> Precedence: Bulk. I know Mailman uses this and we have a lot of mailman lists
> here. :)

The Sieve draft (as you've noticed) and the CMU implementation only
check for automated system type sender addresses (does Mailman use
something other than those listed in the draft?).  Dealing with other
headers would be touchy at best, because somebody will always complain
that we have it wrong.  Making it configurable is a possibility, but
this can be easily done within the script itself:

if not header "Precedence" "Bulk" {
vacation "gone fishing";
}

Ken
-- 
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp

[no subject]

[Robert B. Gault]

I am currently in the process of setting up mail
services.  I am trying to decide
which IMAP server to run, either Cyrus or UW.

 

I intend to run the server on a PIII 700 w/ 256meg RAM w/
Red Hat 7.2.  There will be
approximately 100 users of the system. 
I will need to be able to offer web client access.  I would like to provide mailbox sharing.  However I would like to be able to do procmail type filtering.  A major concern of mine is DR.  

 

My questions are: 
How difficult is the server to initially setup?  Are there any known problems w/ running
it on Red Hat?  Do I need more
processor power or memory to run the server efficiently?  How different is sieve from procmail?  Can
anyone suggest any web based clients? 
Am I nuts for trying to do this w/ Cyrus?

 

Thanks for any advice in advance. 


 

Rob Gault

[EMAIL PROTECTED]

Re: vacation auto responders

[Scott Russell]

On Fri, Jan 18, 2002 at 09:41:31AM -0500, Ken Murchison wrote:
> 
> 
> Scott Russell wrote:
> > 
> > Okay, I've got the sieve stuff from 2.1.x CVS build under 2.0.16 and
> > everything seems to be running fine. A few test scripts I setup worked
> > as expected.
> > 
> > With the vacation setup, what will it NOT respond to. I've some of this
> > listed in the draft but I'm looking for a full list. I would also like
> > to know if the list of don't-reply-conditions is configurable.
> > 
> > My first concern is that vacation NOT respond to mail with headers of
> > Precedence: Bulk. I know Mailman uses this and we have a lot of mailman lists
> > here. :)
> 
> The Sieve draft (as you've noticed) and the CMU implementation only
> check for automated system type sender addresses (does Mailman use
> something other than those listed in the draft?).  

I think Mailman 2.0.8 may slip by those checks. I need to double check it
before I can say for sure. Some relevant headers from a Mailman list (I've
trimmed down the delivery path and what not as it doesn't make a difference
for sieve.)

>From [EMAIL PROTECTED]  Thu Jan 17 23:39:36 2002
Return-Path: <[EMAIL PROTECTED]>  
Received: from localhost (localhost.localdomain [127.0.0.1]) 
by bzimage.raleigh.ibm.com (8.11.6/8.11.6) with ESMTP id g0I4daG16874  

for ; Thu, 17 Jan 2002 23:39:36 -0500 
X-Sieve: CMU Sieve 2.0 

From: Scott Russell <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [ibm-linux-tech] IBM server raid 4L 
Message-ID: <[EMAIL PROTECTED]> 

Sender: [EMAIL PROTECTED]
Errors-To: [EMAIL PROTECTED]
X-BeenThere: [EMAIL PROTECTED]
X-Mailman-Version: 2.0.8
Precedence: bulk
Reply-To: [EMAIL PROTECTED]
List-Help:   
List-Post:  
List-Subscribe: ,

List-Id: Technical discussion of Linux issues   
List-Unsubscribe:
,  
  
List-Archive:   
Date: Thu, 17 Jan 2002 23:30:42 -0500

Since there is no -owner as majordomo does I think this slips by. 


> Dealing with other
> headers would be touchy at best, because somebody will always complain
> that we have it wrong.  Making it configurable is a possibility, 

I meantion the Precedence: bulk header because I thought it was an RFC mail
header. I could be wrong though. I agree that we shouldn't muck up the
vacation module with to much garbage. I do think that the guidelines used
by the BSD/Linux vacation binary work well though. The vacation binary
also supports the Precedence: header.

> but this can be easily done within the script itself:
> 
> if not header "Precedence" "Bulk" {
>   vacation "gone fishing";
> }
> 

Yup, that's what I was thinking about doing. I'll just setup a modified
version of the vacation template we used and include this.

-- 
Regards,
 Scott Russell ([EMAIL PROTECTED])
 Linux Technology Center, System Admin, RHCE.
 T/L 441-9289 / External 919-543-9289
 http://bzimage.raleigh.ibm.com/webcam

Re: vacation auto responders

[Ken Murchison]

Scott Russell wrote:
> 
> On Fri, Jan 18, 2002 at 09:41:31AM -0500, Ken Murchison wrote:
> >
> >
> > Scott Russell wrote:
> > >
> > > Okay, I've got the sieve stuff from 2.1.x CVS build under 2.0.16 and
> > > everything seems to be running fine. A few test scripts I setup worked
> > > as expected.
> > >
> > > With the vacation setup, what will it NOT respond to. I've some of this
> > > listed in the draft but I'm looking for a full list. I would also like
> > > to know if the list of don't-reply-conditions is configurable.
> > >
> > > My first concern is that vacation NOT respond to mail with headers of
> > > Precedence: Bulk. I know Mailman uses this and we have a lot of mailman lists
> > > here. :)
> >
> > The Sieve draft (as you've noticed) and the CMU implementation only
> > check for automated system type sender addresses (does Mailman use
> > something other than those listed in the draft?).

I also forgot that CMU Sieve checks for an Auto-Submitted header with a
keyword other than "no".

> > Dealing with other
> > headers would be touchy at best, because somebody will always complain
> > that we have it wrong.  Making it configurable is a possibility,
> 
> I meantion the Precedence: bulk header because I thought it was an RFC mail
> header. I could be wrong though. I agree that we shouldn't muck up the
> vacation module with to much garbage. I do think that the guidelines used
> by the BSD/Linux vacation binary work well though. The vacation binary
> also supports the Precedence: header.

Yeah.  I just checked out the vacation.c packaged with Sendmail, and it
checks for "Precedence: junk|bulk|list"

I also remember a discussion on the mta-filters list about checking for
headers that start with "List-".  I don't recall there ever being a
resolution to this.  And I don't think a new draft has come out since.

I'm going back on my previous statement, but perhaps both of these
checks are worthwhile adding to the CMU implementation.  Yes, you can do
this within the script itself, but expecting all users to do this is
probably too optimistic (a good GUI or template _could_ do it however).

Any reasons not to add these checks?

Ken
-- 
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp

Re: vacation auto responders

[Ken Murchison]

Scott Russell wrote:
> 
> On Fri, Jan 18, 2002 at 10:49:26AM -0500, Ken Murchison wrote:
> >
> >
> > Scott Russell wrote:
> > >
> > > On Fri, Jan 18, 2002 at 09:41:31AM -0500, Ken Murchison wrote:
> > > >
> > > >
> > > > Scott Russell wrote:
> > > > > My first concern is that vacation NOT respond to mail with headers of
> > > > > Precedence: Bulk. I know Mailman uses this and we have a lot of mailman lists
> > > > > here. :)
> > > >
> > > > The Sieve draft (as you've noticed) and the CMU implementation only
> > > > check for automated system type sender addresses (does Mailman use
> > > > something other than those listed in the draft?).
> >
> > I also forgot that CMU Sieve checks for an Auto-Submitted header with a
> > keyword other than "no".
> >
> > > > Dealing with other
> > > > headers would be touchy at best, because somebody will always complain
> > > > that we have it wrong.  Making it configurable is a possibility,
> > >
> > > I meantion the Precedence: bulk header because I thought it was an RFC mail
> > > header. I could be wrong though. I agree that we shouldn't muck up the
> > > vacation module with to much garbage. I do think that the guidelines used
> > > by the BSD/Linux vacation binary work well though. The vacation binary
> > > also supports the Precedence: header.
> >
> > Yeah.  I just checked out the vacation.c packaged with Sendmail, and it
> > checks for "Precedence: junk|bulk|list"
> >
> > I also remember a discussion on the mta-filters list about checking for
> > headers that start with "List-".  I don't recall there ever being a
> > resolution to this.  And I don't think a new draft has come out since.
> >
> > I'm going back on my previous statement, but perhaps both of these
> > checks are worthwhile adding to the CMU implementation.  Yes, you can do
> > this within the script itself, but expecting all users to do this is
> > probably too optimistic (a good GUI or template _could_ do it however).
> >
> > Any reasons not to add these checks?
> >
> 
> I, obviously, vote for the Precedence: header checks. I'm not sure about the
> List- header check because I've never looked at it closely.
> 
> IMHO the sieve vacation module should mimic the vacation binary as closely
> as possible when it comes to sending replies. I think that people are used to
> the vacation binary rules and that having the sieve vacation module follow
> the same rules would provide a smooth transition from client side to server
> side vacation usage.

Agreed.  I'm going to add the Precedence header check momentarily.  We
are going to skip the List- header check because it would be difficult
to implement given the current cmu-sieve architecture, and this check
doesn't seem to be in wide use.

Ken
-- 
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp

BerkeleyDB 4.0

[OCNS Consulting]

Does the latest version of Cyrus IMAP 2.2.1 support BerkeleyDB 4.0?

RB
OCNS, Inc.
[EMAIL PROTECTED] 

Re: IMAPD 2.1.0 compilation with BerkeleyDB 4.0.14

[Amos Gouaux]

So, I thought I'd try BerkeleyDB 4.0.14 with cyrus-imapd out of
CVS.  I was curious to see how it would handle the existing 3.3.11
db files.  Unless I'm mistaken, it looks almost as if it
automatically converted/upgraded/whatever the db files to 4.0.14.
Is that true?  When I first started things up I got:

DBERROR db3: Program version 4.0.14 doesn't match environment version 3.3.11
done recovering cyrus databases

Then master said it was ready for work.  Everything appears to work.
So I guess so.  Cool.

-- 
Amos

RE: IMAPD 2.1.0 compilation with BerkeleyDB 4.0.14

[OCNS Consulting]

Do you use LDAP? If so, did you recompile LDAP to use SleepyCat 4.0?

RB

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Amos Gouaux
Sent: Friday, January 18, 2002 12:33 PM
To: [EMAIL PROTECTED]
Subject: Re: IMAPD 2.1.0 compilation with BerkeleyDB 4.0.14


So, I thought I'd try BerkeleyDB 4.0.14 with cyrus-imapd out of
CVS.  I was curious to see how it would handle the existing 3.3.11
db files.  Unless I'm mistaken, it looks almost as if it
automatically converted/upgraded/whatever the db files to 4.0.14.
Is that true?  When I first started things up I got:

DBERROR db3: Program version 4.0.14 doesn't match environment version 3.3.11
done recovering cyrus databases

Then master said it was ready for work.  Everything appears to work.
So I guess so.  Cool.

--
Amos

Re: IMAPD 2.1.0 compilation with BerkeleyDB 4.0.14

[Amos Gouaux]

> On Fri, 18 Jan 2002 13:15:22 -0500,
> OCNS Consulting <[EMAIL PROTECTED]> (oc) writes:

oc> Do you use LDAP? If so, did you recompile LDAP to use SleepyCat 4.0?

We do LDAP, but it's iPlanet DS.


-- 
Amos

Re: BerkeleyDB 4.0

[Ken Murchison]

Igor Brezac wrote:
> 
> On Fri, 18 Jan 2002, Ken Murchison wrote:
> 
> > The latest released verision (2.1.1) does not.  There is a patch for DB4
> > support in 2.1.1 on this list.  This patch has been applied to CVS, so
> > the next release (2.1.2) will have it.
> >
> 
> This is strange because configure tests for db-4.

We threw this check in there before DB4 was released, not knowing that
the txn API had (or was going to be) changed.

-- 
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp

Re: BerkeleyDB 4.0

[Ken Murchison]

OCNS Consulting wrote:
> 
> Does the latest version of Cyrus IMAP 2.2.1 support BerkeleyDB 4.0?

The latest released verision (2.1.1) does not.  There is a patch for DB4
support in 2.1.1 on this list.  This patch has been applied to CVS, so
the next release (2.1.2) will have it.

Ken
-- 
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp

Re: BerkeleyDB 4.0

[Igor Brezac]

On Fri, 18 Jan 2002, Ken Murchison wrote:

> The latest released verision (2.1.1) does not.  There is a patch for DB4
> support in 2.1.1 on this list.  This patch has been applied to CVS, so
> the next release (2.1.2) will have it.
>

This is strange because configure tests for db-4.

-Igor

Re: BerkeleyDB 4.0

[Igor Brezac]

On Fri, 18 Jan 2002, Ken Murchison wrote:

> We threw this check in there before DB4 was released, not knowing that
> the txn API had (or was going to be) changed.
>

Will cyrus sasl 2.1.0 work with DB4?

-Igor

Re: BerkeleyDB 4.0

[Rob Siemborski]

On Fri, 18 Jan 2002, Igor Brezac wrote:

> Will cyrus sasl 2.1.0 work with DB4?

Cyrus SASL does not use the transaction API of DB4, so there shouldn't be
any problems with it.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 235 * 412-CMU-TREK
Research Systems Programmer * /usr/contributed Gatekeeper

Re: vacation auto responders

[Jeremy Howard]

Ken Murchison wrote:
> Agreed.  I'm going to add the Precedence header check momentarily.  We
> are going to skip the List- header check because it would be difficult
> to implement given the current cmu-sieve architecture, and this check
> doesn't seem to be in wide use.
>
Our system includes the following to test for lists:
---
my %list_headers = (
  'Mailing-List' => 1,
  'List-Unsubscribe' => 1,
  'List-Post' => 1,
  'Precedence' => 'bulk',
  'Precedence' => 'junk',
  'Precedence' => 'list'
);
---
An RHS of '1' means "header must exist" whereas any other RHS means "header
must have this value". These criteria seem to catch pretty much all lists
for us.