Re: postfix + sieve problem
> On Tue, 05 Jun 2001 12:23:56 +0100,
> Patrick Gaherty <[EMAIL PROTECTED]> (pg) writes:

pg> I'm having problems getting sieve and postfix to play nicely
pg> together. I'm using cyrus-imapd-2.0.14 and postfix-20010202. From
pg> reading around it would seem to be a problem with lmtp, but I'm not
pg> sure where/how to enable it. At the moment my configuration is:

You may want to get a newer release/snapshot of Postfix. I think the recent one resolved some issues with cached connections.

pg> postfix - main.cf
pg> mailbox_transport = cyrus

See the LMTP_README file that's in the Postfix source directory. Oops. Need to send some updates for that one, but at least it's a start. Basically you really want to use the LMTP service instead of the 'cyrus' service that's in master.cf. That 'cyrus' service was put in there way before the Cyrus 2.X development.

-- Amos
Re: Sieve Vacation
Sendmail can do LMTP delivery. You'll have to ask a Sendmail user (it's been a while for me) for details

> On Fri, 8 Jun 2001 14:56:23 +0200,
> Stefano Coatti <[EMAIL PROTECTED]> (sc) writes:

sc> Sigh, I can't install Postfix in place of sendmail so I've to abandon the
sc> feature vacation message with Cyrus.
sc> Thank you very much again.
Re: ANN: Alternate namespace for Cyrus IMAP
> On Thu, 07 Jun 2001 20:45:22 -0400,
> Ken Murchison <[EMAIL PROTECTED]> (km) writes:

km> I took a look at this and it IS doable (I actually hacked some code),
km> but it makes the LIST/LSUB code uglier than it already is. For this
km> reason, and the fact that Larry and I both feel that most users won't be
km> sharing their INBOXes, I'm not going to implement this right now.

I'm not even sure at this point if we'll deploy this new namespaces provision as I haven't had a chance to play with it yet. However, it would have to happen that we're starting to create a few shared INBOXes. ;-)

Currently, we're using the "bb." prefix as shared folders to mirror some internal lists, and the "archive." prefix to mirror a few external lists (like this one). However, for pseudo-users, or what I sometimes refer to as "managed" (yeah, right) shared folders, I've started using the prefix "user.". An example of this might be "user.helpdesk".

There are a couple of reasons why I've been experimenting with shared folders that begin with "user.":

- It means that folks can easily use "+detail" aliasing. So using the example of "helpdesk", I could funnel mail into "helpdesk+amos" or "helpdesk+call09892320".

- Can use Sieve for this shared folder. One cheesy application might be to abuse vacation to act as a 'thankyou' auto-responder.

- Sometimes when we created a "bb." folder as the pseudo-user for some group on campus, we've heard responses like "we don't want everybody to have access to this!". While it's true that user education can help here, one benefit of placing such specialty folders under "user." is that it clearly identifies these as being different than the mailing lists / news groups shared folders.

However, like I said, at this point I'm not sure if we'll be deploying this namespaces thing or not. Frankly, and perhaps I'm just too far removed from the user support people to know any better, but I'm not aware that we've had any problems with the current behavior. Though, I suppose when word of this feature gets around, that might change. ;-)

-- Amos
Re: postfix+cyrus error
> On Sat, 16 Jun 2001 17:49:54 +0200,
> tarjei <[EMAIL PROTECTED]> (t) writes:

t> I think this is an issue user and group issues:
t> make sure cyrus is compiled with the --user = cyrus and --group = mail options also,
t> make sure both postfix and cyrus is member of the mail group.

Postfix prefers to use user/group that is not used by other apps. Otherwise, it will complain.

-- Amos
Re: none
> On Fri, 15 Jun 2001 18:16:34 GMT,
> goldcst <[EMAIL PROTECTED]> (g) writes:

g>May 6 10:26:58 tifa postfix/pipe[8634]:
g> fatal: request to use mail system owner group id 12

This is your clue. The docs for Cyrus say to install with group "mail". Generally I just create another group, "cyrus", and install with that. Seems to be the simplest way to resolve this, and I'm not sure why Cyrus would ever need to be in group mail anyway.

-- Amos
lmtp-auth
lmtpd.c (2.0.14):

    /* ok, is auth_identity an admin?
     * for now only admins can do lmtp from another machine
     */

Why's that? So the auth that's presented to lmtpd can't be used for posting access via the ACL's?

-- Amos
Re: postfix+cyrus error.
Postfix does not care to allow other programs to work in its user/group space. To avoid this, when I compile Cyrus I just do:

    ./configure --with-cyrus-user=cyrus --with-cyrus-group=cyrus

Alternatively, you can fiddle with the user=cyrus:mail setting in master.cf, but I forget which way that should be. The cyrus/postfix archives have more.

> On Mon, 18 Jun 2001 16:42:15 -0600,
> Goldcoast POP3 server <[EMAIL PROTECTED]> (gps) writes:

gps> Hello we are receiveing the same error when we made the owner's changes to both postfix and cyrus
gps> (owner=postfix,cyrus; group=mail)
gps> any suggestion. help please.
gps>
gps> Jun 18 16:40:53 mail postfix/pipe[957]: fatal: request to use mail system owner group id 12
gps> Jun 18 16:40:54 mail postfix/local[937]: warning: end of input while receiving string data from service
gps> private/cyrus
gps> Jun 18 16:40:54 mail postfix/local[937]: warning: private/cyrus: malformed response
gps> Jun 18 16:40:54 mail postfix/master[913]: warning: process /usr/libexec/postfix/pipe pid 949 exit status
gps> 1
gps> Jun 18 16:40:54 mail postfix/master[913]: warning: /usr/libexec/postfix/pipe: bad command startup --
gps> throttling
gps> Jun 18 16:40:54 mail postfix/master[913]: warning: process /usr/libexec/postfix/pipe pid 954 exit status
gps> 1
gps> Jun 18 16:40:54 mail postfix/local[950]: warning: end of input while receiving string data from service
gps> private/cyrus
gps> Jun 18 16:40:54 mail postfix/local[950]: warning: private/cyrus: malformed response
gps> Jun 18 16:40:54 mail postfix/master[913]: warning: process /usr/libexec/postfix/pipe pid 956 exit status
gps> 1
gps> Jun 18 16:40:54 mail postfix/local[948]: warning: end of input while receiving string data from service
gps> private/cyrus
gps> Jun 18 16:40:54 mail postfix/local[948]: warning: private/cyrus: malformed response
gps> Jun 18 16:40:54 mail postfix/master[913]: warning: process /usr/libexec/postfix/pipe pid 957 exit status
gps> 1
gps> Jun 18 16:40:54 mail postfix/local[951]: warning: end of input while receiving string data from service
gps> private/cyrus
gps> Jun 18 16:40:54 mail postfix/local[951]: warning: private/cyrus: malformed response

-- Amos
Re: New install: cyradm Perl error
Well, I know Tcl isn't as popular, but we sure didn't see these kinds of errors before. :-P I know, what about a Ruby extension? Combined with readline support, that would make a pretty darn convenient interactive utility. :-P -- Amos
Re: mailboxes.db DBERROR's?
> On Thu, 28 Jun 2001 07:46:51 -0700,
> Derek Spencer <[EMAIL PROTECTED]> (ds) writes:

ds> Ok, to be more exact:
ds> Solaris 7 (sparc)
ds> cyrus 2.0.14
ds> cyrus-sasl 1.5.24
ds> Berkeley DB 3.2.9
ds> Postfix 20010228-pl03

I don't know if it would help or not, but you do have this box fully patched (recommended patches), right? Personally, I've seen more weirdness with 7 than I have with 8, especially when it comes to some of the kernel and libthread patches that have come out.

I know both iPlanet Directory Server and Calendar Server require a certain set of Solaris patches, and since they're both based (at least to some extent) on Berkeley DB, I'd be sure your box is at a similar patch level

-- Amos
Re: sasldb-error
> On Fri, 29 Jun 2001 08:44:21 +0200,
> Christoph Krempe <[EMAIL PROTECTED]> (ck) writes:

ck> I did so, too.
ck> The error is not "permission denied", but
ck> "unable to open Berkeley db /etc/sasldb: Invalid argument".

I'm by no means a Berkeley db expert, but I have noticed that often this error message will occur if you have a version mismatch (db files of one version while the utility is compiled with another).

That reminds me, with the mailboxes file being a db, what would one need to do to upgrade to a newer version of Berkeley db? I guess recreate the entire thing? Or is there some kind of Berkeley db upgrade command?

-- Amos
Re: imap 2.0.14 and sieve problems
> On Wed, 11 Jul 2001 09:25:08 -,
> Nico Weichbrod <[EMAIL PROTECTED]> (nw) writes:

nw> Why is there no from address (I set the servername: in /etc/imapd.conf) and

The message is formatted as a bounce.

nw> what mean insufficient privileges to change uid, and why cyrus want to use
nw> procmail (it should sendmail:/usr/lib/sendmail in /etc/imapd.conf )?

Sendmail is calling procmail. Check your Sendmail configs.

-- Amos
Re: Re[2]: imap 2.0.14 and sieve problems
> On Wed, 18 Jul 2001 18:06:32 +0400,
> Pavel Levshin <[EMAIL PROTECTED]> (pl) writes:

pl> Then, some servers on the Net do not accept those mails. I've got this
pl> error from remote MTA (IMail 5.05): MAIL From:<> SIZE=726
pl> <<< 501 bogus mail from
pl> Which RFC states this behaviour, as explained by you? I want to be
pl> prepared for questions from my users. :)

See http://www.rfc-ignorant.org/

-- Amos
Re: Vacation Sieve
> On Fri, 20 Jul 2001 16:13:20 -0400,
> Chris Audley <[EMAIL PROTECTED]> (ca) writes:

ca> Why is this? None of the MTAs I've tested are case sensitive in the
ca> local-part
ca> of the address. I regularly receive mail to my account in a mix of cases
ca> and it
ca> comes through fine.

I can't remember how Sendmail handles this, but I think it is the same. That is with Postfix, everything before "+detail" is case insensitive. The "+detail" part IS case sensitive. So you have to be careful if you're shoveling mail directly into a folder.

From memory, haven't verified this

-- Amos
Re: Berkeley DB release 3.3.11 is now available
Does this new Berk DB offer significant improvements for Cyrus? Anything with this release that Cyrus will be able to take advantage of at some point? -- Amos
Re: vacation syntax
> On Thu, 26 Jul 2001 09:03:16 -,
> Nico Weichbrod <[EMAIL PROTECTED]> (nw) writes:

nw> Hi,
nw> is there any way to format the message-body so i can use paragraphs in my
nw> vacation reply text. Unix syntax like '\n' do not work. The entire text is in
nw> only one line of the reply message. What can i do?

A string can span lines:

    require "vacation";
    vacation :days 7 :addresses "[EMAIL PROTECTED]" "
    I will be out of the office from 5/10/2000 to 6/10/2000.
    " ;

or better yet:

    require "vacation";
    vacation :days 7 :addresses "[EMAIL PROTECTED]" text:
    I will be out of the office from 5/10/2000 to 6/10/2000.
    .
    ;

-- Amos
sieveshell
On a Solaris 8 box I notice that the user's password is echoed when using sieveshell.

Also, when quickly browsing through this script, I notice the use of $acapserver. Does that mean ACAP must be installed and running before sieveshell can be used?

-- Amos
Re: sieveshell
km> Hmm. Can't help you on this one, some type of perlism.

Oh, I also noticed that sieveshell doesn't do STARTTLS like installsieve did. Is that something that can be enabled? Or perhaps that hasn't been implemented yet?

-- Amos
Re: SirCam and sieve
> On Sun, 29 Jul 2001 10:36:43 -0700,
> Nick Sayer <[EMAIL PROTECTED]> (ns) writes:

ns> Is there no way for the sieve to match on lines in the body? This
ns> would be the next extension I would like to see.

But this would not be global. Seems to me it would be much better to have the MTA handle this before it even reaches this stage.

-- Amos
Re: Duplicate deliver and sieve (cyrus-1.6.22)
> On Wed, 1 Aug 2001 00:12:49 +0200,
> Terje Elde <[EMAIL PROTECTED]> (te) writes:

te> Also let me note that there seem to be a limitation in postfix. You can't
te> remap a + expanded username in the virtual file, which is fair enough I

How do you mean?

-- Amos
Re: Sendmail -> Procmail -> Deliver -> Cyrus
> On Tue, 31 Jul 2001 18:06:18 -0500,
> Mobeen Azhar <[EMAIL PROTECTED]> (ma) writes:

ma> procmail does not do lmtp delivery and I could not get cyrus' deliver to

You might want to visit http://www.procmail.org.

-- Amos
Re: Sendmail -> Procmail -> Deliver -> Cyrus
> On Tue, 31 Jul 2001 19:12:58 -0500,
> Mobeen Azhar <[EMAIL PROTECTED]> (ma) writes:

ma> also says that it is not enabled by default and I cannot find any
ma> mention of it in the man pages or the docs/readmes that came with the

Need to edit config.h.

-- Amos
Re: Sendmail -> Procmail -> Deliver -> Cyrus
I posted a followup, but I didn't see it. Anyway, after further looking at it, I'm afraid it is strictly a LMTP server and not a LMTP client. It seems to be provided so that Sendmail can talk LMTP to procmail, probably so that the envelope sender info isn't lost.

So, you're back to all the overhead of using the deliver command to act as a LMTP client for you, unless you're willing to use Sieve.

>>>>> On Wed, 1 Aug 2001 08:31:24 -0500,
>>>>> Mobeen Azhar <[EMAIL PROTECTED]> (ma) writes:

ma> Thanks again Amos, I saw the piece on config.h to enable it. How does
ma> one get procmail to perform lmtp delivery from inside of a recipe? Is
ma> there anything special to tell procmail to deliver messages using
ma> procmail or does it use lmtp when you deliver messages from inside of
ma> recipes once the option is turned on in config.h?
ma> --Moby
ma> -Original Message-
ma> From: [EMAIL PROTECTED]
ma> [mailto:[EMAIL PROTECTED]] On Behalf Of Amos Gouaux
ma> Sent: Tuesday, July 31, 2001 22:19 PM
ma> To: [EMAIL PROTECTED]
ma> Subject: Re: Sendmail -> Procmail -> Deliver -> Cyrus
>>>>> On Tue, 31 Jul 2001 19:12:58 -0500,
>>>>> Mobeen Azhar <[EMAIL PROTECTED]> (ma) writes:
ma> also says that it is not enabled by default and I cannot find any
ma> mention of it in the man pages or the docs/readmes that came with
ma> the
ma> Need to edit config.h.
ma> --
ma> Amos

-- Amos
Re: Duplicate deliver and sieve (cyrus-1.6.22)
> On Wed, 1 Aug 2001 15:43:15 +0200,
> Terje Elde <[EMAIL PROTECTED]> (te) writes:

te> [EMAIL PROTECTED] [EMAIL PROTECTED]

Well, I've got a whole ton of these in our virtual maps and they work just peachy. You might want to double check that '+' is the 'recipient_delimiter'.

-- Amos
Re: Sendmail -> Procmail -> Deliver -> Cyrus
In that case, why not take a look at the internal filtering capabilities of Sendmail (milter?).

> On Wed, 1 Aug 2001 09:32:12 -0500,
> Mobeen Azhar <[EMAIL PROTECTED]> (ma) writes:

ma> I was getting the same feeling. I am using sieve for per user filtering
ma> right now, but I need a method of having global filters (filters that
ma> apply to everyone's mail, such as for virus elimination). I am going to
ma> do battle with deliver and see if I can get that to work.
Re: Outlook Express: altnamespace issue
> On Thu, 2 Aug 2001 14:51:29 +0400 (MSD),
> Konstantin Kunshchikov <[EMAIL PROTECTED]> (kk) writes:

cyradm> cm test

From our experience, you also have to have at least the `lr' ACLs on that "test" folder as well. Its mere existence is not sufficient.

kk> Since OE exists one should fix its problems. I think that proper

Oh, did they release the source code for it? ;-)

kk> patch for AltNamespace would be simple to make(may be #ifdef OE?)

This seems to be the big difference between the old namespace and the alt namespace.

1.6.25

    . namespace
    * NAMESPACE (("INBOX." ".")) (("user." ".")) (("" "."))
    . OK Completed
    . list "" "bb"
    * LIST () "." bb
    . OK Completed
    . getacl "bb"
    * ACL bb anyone lr
    . OK Completed

2.0.15-HIERSEP-r2

    . namespace
    * NAMESPACE (("" ".")) (("Other_Users." ".")) (("Shared_Folders." "."))
    . OK Completed
    . list "" "Shared_Folders"
    * LIST (\HasChildren \Noselect) "." "Shared_Folders"
    . OK Completed (0.010 secs 2 calls)
    . getacl "Shared_Folders"
    . NO Invalid mailbox name

This all makes sense this "Shared_Folders" is a true namespace, while "bb" isn't. Personally, I don't think Cyrus should violate the RFC because a client is brain dead. From RFC2060:

    \Noselect  It is not possible to use this name as a selectable mailbox.

Use Office XP, complain to Microsoft, or don't use the altnamespace option.

-- Amos
Re: Reality Check
> On Sun, 05 Aug 2001 21:44:07 -0700,
> David Wright <[EMAIL PROTECTED]> (dw) writes:

dw> Does ANYONE have the following configuration working?
dw> cyrus-imapd-2.0.x authenticating via LDAP using sasl_pwcheck_method:
dw> PAM and the pam_ldap module

On a test Solaris 8 box I've got recent CVS pull using LDAP auth via pwcheck. This is via the pam_unix in Solaris that knows how to lookup things via LDAP. Didn't really plan it that way since I was in a hurry to get this box going, but seems to be working fine sure enough.

-- Amos
Re: Reality Check
> On Mon, 6 Aug 2001 08:40:36 -0400 (EDT),
> Alex Pilosov <[EMAIL PROTECTED]> (ap) writes:

ap> Don't get me wrong. I love cyrus. It's been working (1.5.19) without a
ap> hitch for 2 years supporting 3000 mailboxes or so. But, LDAP and PAM are a
ap> cause for serious headache, and I'd recommend against using them...

If it is sufficient for you, dandy! Though, I think many on this list are grappling with a far larger userbase than 3000.

We're also finding ourselves in a situation in which we *have* to deploy the altnamespace. It's either that or migrate everybody off of Cyrus and onto something else, and I want to keep Cyrus, dammit!

Besides, aside from the stupidity of LookOut Express, it seems like most of the clients we've tried actually work a bit more effortlessly with the altnamespace. As an example, with PINE 4.33 pre-altnamespace you had to explicitly path the default-fcc and postponed-folder settings, but with altnamespace that's no longer the case. Both Netscape and Mulberry automatically found "Other Users" and "Shared Folders", which in the past required a bit more work.

So not all upgrades are a drag. I'm not even all that pissed that we're forced to go to altnamespace. Just wish we had more time to do it. But hey, can't get everything in life.

-- Amos
Re: persistant instances of imapd
> On Mon, 6 Aug 2001 11:15:55 -0400,
> Paul Graham <[EMAIL PROTECTED]> (pg) writes:

pg> Aug 6 10:41:42 mailhub.acsu.buffalo.edu imapd[25973]: DBERROR db3: 2793 lockers
pg> Aug 6 10:56:41 mailhub.acsu.buffalo.edu imapd[10690]: DBERROR db3: 2794 lockers
pg> Aug 6 11:10:03 mailhub.acsu.buffalo.edu imapd[5943]: DBERROR db3: 2795 lockers

On our test box I was seeing some of these and was getting alarmed. Then I realized that what was happening is that during some of my tests to relocate an inbox via the IMAP protocol, I had a client hitting that same folder as well--D'OH! I wonder if some of those idle sessions are conflicting with newer sessions.

Oh, Berkeley DB does use threads, so make absolutely sure you've got all the latest Solaris kernel and libthread recommended patches installed. So far, I think I'd have to say that I've seen the thread stability be a bit better with Solaris 8 fully patched.

-- Amos
Re: saslpasswd and /dev/random
I don't know if it would even relate at all, but I noticed on the openssl list some comments about /dev/random blocking. I got the impression that using prngd might actually be better(?) faster(?) than using /dev/random on some systems. Openssl 0.9.7 when released will even be able to automatically find the prngd socket on most systems. I guess you could try that route and see how it goes. You should be able to get prngd from: ftp://ftp.aet.tu-cottbus.de/pub/postfix_tls/related/prngd/ -- Amos
Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap +cyrus-imapd-2.0.x)
> On Wed, 08 Aug 2001 02:11:28 -0700,
> David Wright <[EMAIL PROTECTED]> (dw) writes:

dw> The pwcheck distributed with cyrus-sasl is not useful to me. My
dw> users are not in /etc/passwd -- they are ONLY in an LDAP

Configure your name switch so that getpwnam/getspnam lookups go out through LDAP. If you've already got pam_ldap, then that's trivial. The advantage to this is that your admin user, typically "cyrus", does not have to be in LDAP too.

So you don't want these folks to login? Okay, either use tcpwrappers to block access and/or some PAM module that restricts access (we do both).

dw> network. pam_ldap does this nicely, so any pwcheck daemon that did
dw> all this would basically be re-implementing the functionality of
dw> pam_ldap. Can you kindly point me to a pwcheck daemon that just
dw> calls PAM?

/etc/imapd.conf:

    sasl_pwcheck_method: pwcheck

/usr/local/lib/sasl/Cyrus.conf:

    pwcheck_method: pwcheck

Then just configure your nsswitch to use ldap. The above is from a Solaris system, but from the PAM stuff I've dealt with on Linux, I think this should be pretty similar. This is the nsswitch.conf we've got on a Redhat box:

    passwd: files ldap
    group: files ldap

-- Amos
Re: All mail silently dropped!
> On Wed, 8 Aug 2001 16:37:34 +0200,
> Björn Törnqvist <[EMAIL PROTECTED]> (bt) writes:

bt> Hi, I have postfix -> cyrus-imap setup on the same computer.
bt> When I mail a user on the host (echo hello | mail bt) postfix displays this in its log:
bt> Aug 8 16:28:40 managerzone postfix/qmgr[71481]: 5C06D9B11: from=<[EMAIL PROTECTED]>, size=786, nrcpt=1 (queue active)
bt> Aug 8 16:28:40 managerzone postfix/local[80148]: 5C06D9B11: to=<[EMAIL PROTECTED]>, relay=local, delay=0, status=sent (mailbox)

How do you have Postfix configured (postconf -n)?

localhost> lam INBOX
bt> anyone p

that shouldn't be necessary if it's a "user.bt" folder.

-- Amos
Re: SASL and SHADOW
> On Thu, 09 Aug 2001 08:40:58 -0500,
> Tyrone Vaughn <[EMAIL PROTECTED]> (tv) writes:

tv> I have done six implementations of Cyrus (2.0.11 - 2.0.16) and in each
tv> one I have the same problem. No user, other than cyrus, can
tv> authenticate unless I make the shadow file 444 versus its original 400.

Check the list archives and search for pwcheck. This has been hammered to death recently.

http://asg.web.cmu.edu/archive/mailbox.php3?mailbox=archive.info-cyrus

-- Amos
Re: Sourceforge (was Re: Cyrus documentation)
> On Fri, 10 Aug 2001 12:49:11 +1000,
> Jeremy Howard <[EMAIL PROTECTED]> (jh) writes:

jh> I think it would add lots. Not just for a documentation project, but for the
jh> whole Cyrus project. It would make it more of a community project rather
jh> than a CMU project, which means more people getting more
jh> involved.

Funny. I thought it *was* a CMU project, and that CMU is just nice enough to allow folks outside of CMU to use it. It is not copyleft or public domain source. It is something they developed--correct me if I'm wrong--to replace an entirely non-standards communications system they were using. I'm just bloody grateful that CMU is sophisticated enough to allow others to use this well developed code, I think something folks sometimes forget. Believe me, being able to release code like this that is developed by university staff is no small feat!

I think the authors of the O'Reilly IMAP book are planning an update in a year or so. Right now they're involved in other commitments, including raising a new child. ;-)

-- Amos
Re: new cyradm
> On Sun, 12 Aug 2001 09:04:17 -0400,
> Ken Murchison <[EMAIL PROTECTED]> (km) writes:

km> themselves with :^) Amos' idea has consistent, expected results, where
km> full regex could do some wacky stuff depending on what the user types.

Well, to be honest I was being semi-smartass. I didn't type it, but what popped into my mind with "glob", "recursion" and what not was "rm -r". ;-) One just can't escape those days sometimes.

I guess another notion that was floating around was some concern about keeping at least somewhat orthogonal with IMAP. With the Tcl cyradm you could do "lm folder.%" and it was just what the IMAP list would do, same for "lm folder.*". If you do something really weird with regex and globs, I'd possibly come up with a separate command, like search or something?

Anyway, some kind of ability to manipulate folder hierarchies would be convenient. Even in Tcl this could be a pain at times with all the monkeying you had to do with folders with spaces in them.

-- Amos
Re: different conf files of on same.
> On Sun, 12 Aug 2001 16:19:20 +0200,
> Tarjei Huse <[EMAIL PROTECTED]> (th) writes:

th> Hi All.
th> Pardon me, but new cyradm?
th> Is this a new cyradm for 2.0x? or +??

2.x (actually a recent CVS pull of cyrus-imapd). In 1.x the cyradm interactive utility was a Tcl extension. With 2.x it is a Perl script. Just adjusting to changes.

th> Now, I want a setup where
th> - localhost may use imap (for squirrelmail)
th> and everyone else uses pops or imaps, and also that local users
th> connects using the local networkcard and
th> - local users are denied the use of pop.
th> I am thinking of changing my cyrus.conf file to look something like this:
th> SERVICES {
th> # add or remove based on preferences
th> imap cmd="/usr/cyrus/bin/imapd" listen="localhost:imap" prefork=0
th> imaps cmd="/usr/cyrus/bin/imapd -s" listen="imaps" prefork=0
th> # pop3 cmd="/usr/cyrus/bin/pop3d" listen="pop3" prefork=0
th> pop3s cmd="/usr/cyrus/bin/pop3d -s" listen="195.204.129.18:pop3s" prefork=0
th> sieve cmd="/usr/cyrus/bin/timsieved" listen="sieve" prefork=0
th> What I am wondering about, is the imaps line. How can I say: "bind to these two interfaces ip1,ip2"? is it listen=(192.168.1.2,195.204.129.18):imaps or should I have to imaps:
th> imaps cmd="/usr/cyrus/bin/imapd -s" listen="192.168.1.2:imaps" prefork=0
th> imaps cmd="/usr/cyrus/bin/imapd -s" listen="195.204.129.18:imaps" prefork=0

The code I submitted a while ago for binding to an address is rather simple, and can only take a single address. Um, I think you can have two if the first identifier ("imaps") is unique, right Ken? So maybe this would work?

    imaps1 cmd="/usr/cyrus/bin/imapd -s" listen="192.168.1.2:imaps" prefork=0
    imaps2 cmd="/usr/cyrus/bin/imapd -s" listen="195.204.129.18:imaps" prefork=0

This first identifier is used with tcpwrappers lookups, if you configured to use that software. You could then make use of that to do some access controlling as well. For example we block pop access from the labs so that students won't accidentally suck their entire inbox down to the local PC where it will only get wiped and lost forever later on.

-- Amos
getting used to db
Are these nothing to worry much about?

    DBERROR: error closing: DB_INCOMPLETE: Cache flush was unable to complete
    DBERROR: error closing mailboxes: cyrusdb error

They sound kind of ominous. At least things seem to be chugging along.

-- Amos
Re: new cyradm
> On Mon, 13 Aug 2001 12:35:18 +0100,
> Cillian Sharkey <[EMAIL PROTECTED]> (cs) writes:

cs> One thing that wouldn't go amiss would be readline support, if it's installed.
cs> I imagine it'd be easy enough to add in.

Oh it's already there, with the appropriate perl modules installed. I believe the install docs indicated what's necessary.

-- Amos
Re: Verisign cert?
>>>>> On Sat, 11 Aug 2001 10:38:57 -0500,
>>>>> Amos Gouaux <[EMAIL PROTECTED]> (ag) writes:

ag> Has anybody installed a Verisign cert for SSL/TLS? Is this
ag> possible? We're planning on doing this so that there aren't client
ag> headaches with a locally signed cert.

I've gotten a bit further, now that I've had some time to tinker with it. This is what I've got so far

/etc/imapd.conf:

    # pem file of server key
    tls_key_file: /usr/local/ssl/certs/server.pem
    # cert from verisign
    tls_cert_file: /usr/local/ssl/certs/server-cert.cer
    # this is from the certs directory of openssl-0.9.6b
    tls_ca_path: /usr/local/ssl/certs
    tls_ca_file: /usr/local/ssl/certs/vsignss.pem

Though, I *still* have to use "/ssl/novalidate-cert" with PINE. I think it is because of the following:

    depth=1 /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
    verify error:num=19:self signed certificate in certificate chain
    verify return:0

From what I've gathered so far is that I need some way to specify the "certificate chain". I believe this is the related info, from the mod_ssl FAQ:

http://www.modssl.org/docs/2.8/ssl_faq.html#ToC39:

    That is because Verisign uses an intermediate CA certificate between the root CA certificate (which is installed in the browsers) and the server certificate (which you installed in the server). You should have received this additional CA certificate from Verisign. If not, complain to them. Then configure this certificate with the SSLCertificateChainFile directive in the server. This makes sure the intermediate CA certificate is send to the browser and this way fills the gap in the certificate chain.

So I wonder if imapd.conf needs to have a setting for this chain file???

-- Amos
Re: Verisign cert?
> On Sun, 19 Aug 2001 16:23:26 -0400,
> Lawrence Greenfield <[EMAIL PROTECTED]> (lg) writes:

lg> openssl x509 -in -hash
lg> At the top of the output, you'll see something like:
lg> d6e6472d
lg> Link "d6e6472d.0" to the actual cert file.

If I do this instead of using tls_ca_file, using the same cert (vsignss.pem) that's included with openssl, I get the same results:

    depth=1 /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
    verify error:num=19:self signed certificate in certificate chain
    verify return:0

I also posted a similar query on the openssl list and this is what Lutz Jaenicke <[EMAIL PROTECTED]> had to say:

    This error message tells you, that the chain is complete (the verification process reaches the root CA chain and finds it to be self signed). However the verification cannot succeed, as the root CA certificate must be available as a local copy for verification purposes. From the API point of view, this is achieved by loading it using SSL_CTX_load_verify_locations()

Now I'm getting really confused because it looks to me that Cyrus is calling SSL_CTX_load_verify_locations appropriately, from what little I know of these libraries. Also, I no longer see "TLS engine: cannot load CA data" in the logs, so seems to me this cert is getting loaded.

Regarding Eudora 5.1, using STARTTLS fails, but using the "Required, Alternate Port" setting works.

Playing with imtest (am I doing this right?) I get:

    $ imtest -t "" -m plain localhost
    C: C01 CAPABILITY
    S: * OK andromeda Cyrus IMAP4 v2.1.0pre server ready
    S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS X-NETSCAPE
    S: C01 OK Completed
    S01 OK Begin TLS negotiation now
    verify error:num=19:self signed certificate in certificate chain
    SSL_connect error -1
    SSL session removed
    TLS negotiation failed!
    C: C01 CAPABILITY
    S: 01S: * BAD Invalid tag

This looks kinda like what chirs charter is experiencing, maybe?

-- Amos
Re: turning off AUTH=CRAM-MD5
> On Sun, 19 Aug 2001 21:51:33 -0700,
> David Wright <[EMAIL PROTECTED]> (dw) writes:

dw> Cyrus-imapd (1.6.24) insists on advertising AUTH=CRAM-MD5, even
dw> though this is a lie. This is (I think) one of the (many bad)
dw> side-effects of SASL -- because of SASL cyrus advertises this AUTH,
dw> but in fact my sasldb is utterly empty (all authentication is via
dw> PAM) and so any client that takes cyrus up on the offer gets told
dw> the user doesn't exist.
dw> So... how can I get cyrus to stop advertising AUTH=CRAM-MD5?

Configure cyrus-sasl accordingly. Use the various --disable-* options to configure. See --help for details.

-- Amos
Re: Verisign cert?
> On Mon, 20 Aug 2001 01:09:04 -0400,
> Lawrence Greenfield <[EMAIL PROTECTED]> (lg) writes:

lg> I don't know why SSL_connect is failing. You have TLS working for you
lg> with a self-signed certificate?

I'll give that a try tomorrow.

-- Amos
Re: Cyrus LMTP daemon tries to authenticate to sendmail
> On Thu, 23 Aug 2001 15:43:42 -0500 (CDT),
> mills <[EMAIL PROTECTED]> (m) writes:

m> I'm using sendmail-8.12.0.Beta16 with cyrus-imapd-2.0.16.
m> Every time sendmail delivers a message to the LMTP daemon, it
m> logs an error message like this:
m> Aug 23 15:29:59 setup16 sm-mta[331]: [ID 702911 mail.warning] AUTH=client, relay=localhost [(null)], authinfo failed
m> Apparently, the LMTP daemon is attempting to authenticate to
m> sendmail, and sendmail is seeing invalid information. When I posted
m> this question to comp.mail.sendmail, Claus Assmann suggested that
m> I turn off AUTH support in the LMTP daemon.
m> Is there a way to do this with Cyrus lmtpd?

Use the `-a' flag. But if you do, use tcpwrappers or bind it to a protected IP or both to make sure joe blow on the net can shove mail down that pipe.

-- Amos
Re: Problem with Sieve & Vacation message
> On Mon, 27 Aug 2001 15:22:16 +0200, > Atif Ghaffar <[EMAIL PROTECTED]> (ag) writes: ag> I prefer the first one, but it has one drawback. ag> Vacation replies will be sent to group addresses, example info@company, ag> sales@company etc. If it's a mailing list done with relatively rational software, then in most cases the response should only go to the list admin, right? I'm torn about this one myself. On one hand I see why :addresses is done. Too many times I've seen the flood of vacation messages that can slam a list. The openssl-users list had a particularly nasty batch of these not long ago. On the other hand, with our Cyrus server receiving incoming mail via LMTP on a private network to the MTA router, we too have to fiddle with this :addresses setting quite a bit, and with the number of aliases folks sometimes get, this can be a real headache. At least Sieve doesn't reply to all the addresses in all the headers, but instead only to the envelope sender. It seems like these vacation mechanisms that cause such a mess blast a response to every address it can find in the header. So maybe having an imapd.conf flag to loosen the restriction on vacation wouldn't be too catastrophic? On the other hand, Sieve is now an RFC, and while the vacation extension is currently a draft and not yet an RFC, perhaps it is far enough along that offering some kind of option would violate that specification. Ugh. -- Amos
Re: NIS+, Cyrus-IMAP, PAM and SASL
> On Tue, 28 Aug 2001 13:12:37 -0400, > Benjamin Bacon <[EMAIL PROTECTED]> (bb) writes: bb> I started setting up Cyrus IMAP server a few weeks ago and I had bb> to take a break to setup a several NIS+ domains. Now the bb> machine that I am planning on being the IMAP server is a NIS+ bb> client. The problem I have run into is that I am not able to bb> authenticate any users through imtest. I think this is because bb> of NIS+. Here is the errors I am getting in the imapd.log bb> file. Oh my, I sure hope you either have terribly fast NIS+ servers and/or a really, really small population. I originally had our Cyrus server use NIS+ and it blew up in my face so horribly. At the time our Cyrus server was only partially populated too, maybe something like 5K users? I'd think twice about going this route. bb> Aug 28 13:00:00 regprod8 imapd[7849]: accepted connection bb> Aug 28 13:00:05 regprod8 imapd[7849]: authdes_refresh: keyserv(1m) is unable to encrypt session key bb> Aug 28 13:00:05 regprod8 imapd[7849]: User ben needs Secure RPC credentials to login. Typically this has meant that the person's DES credentials were not complete or not in sync with their password. bb> Unfortunately I am new to both NIS+ and Cyrus IMAP so I may be bb> missing something important. I have a few ideas what might be bb> wrong but if anyone out there has seen this problem let me know! That's a lot to byte off at once. ;-) -- Amos
imspd via stunnel?
Has anybody gotten imspd to work via stunnel? Without it can connect just fine. With it, get server identifier string, but then it hangs and doesn't respond to input -- Amos
Re: imspd via stunnel?
> On Fri, 07 Sep 2001 19:07:28 -0400,
> Michael T Bacon <[EMAIL PROTECTED]> (mtb) writes:

mtb> correctly, try "openssl s_client -crlf -connect
mtb> imsp.somewhere.com:imsps" or whatever. If you're not using openssl to
mtb> test it, chances are you're running into the same CR/LF problem,

because that's exactly it! Thanks. This was driving me nuts.

I don't know if the person got it resolved or not, but looking in the archive I noticed someone asking about pwcheck with imspd. In case that's still an unresolved issue, I discovered that you need to have:

    /usr/local/lib/sasl/imspd.conf

(or something as such depending on how things are compiled) containing:

    pwcheck_method: saslauthd

(or change that to pwcheck if you're using that.)

-- Amos
Re: Bug&patch: cyrus-imapd-2.0.16 not setting process gids
> On Mon, 10 Sep 2001 16:31:49 +0200 (CEST), > Tarjei Huse <[EMAIL PROTECTED]> (th) writes: th> - cyrus-imapd-2.0.16 doesn't set process ids correctly; th> it only sets uid, not gid, neither supplementary gids th> - detected by [EMAIL PROTECTED] (Cheng-Jih Chen), when trying the th> "chgrp shadow /etc/shadow; chmod g+s /etc/shadow; add cyrus to shadow th> group" th> trick to let cyrus to read /etc/shadow Gee, so much work. Just use pwcheck, or better yet saslauthd. -- Amos
Re: Bug&patch: cyrus-imapd-2.0.16 not setting process gids
> On Mon, 10 Sep 2001 11:41:39 -0400, > Christopher Wong <[EMAIL PROTECTED]> (cw) writes: cw> BTW, the "chgrp shadow" trick still works in 2.0.16 if you do a "chmod cw> g+s /usr/cyrus/bin/imapd" after making sure that executable belongs to cw> group shadow. Seems to me the more permissions that are granted to user cyrus, the more you lose any benefit of the Cyrus software running as non-root. -- Amos
Re: Bug&patch: cyrus-imapd-2.0.16 not setting process gids
> On Mon, 10 Sep 2001 12:29:17 -0400, > Christopher Wong <[EMAIL PROTECTED]> (cw) writes: cw> The "shadow" method gives "shadow" privileges to a Cyrus daemon. The cw> pwcheck method requires root privilege for the pwcheck daemon. I would cw> suggest that there is a qualitative difference between the mere ability cw> to read /etc/shadow and full root privileges. True, but the cyrus user is potentially more exposed to the outside environment than pwcheck/saslauthd. These daemons are after all listening on a UNIX domain socket, not an INET socket. -- Amos
Re: Hooking a custom handler to replace Sieve?
My thoughts are less ambitious. What I'd like is for the MTA to do the spam/whatever filtering, and if the message was considered to be spam, the MTA would just add a header to the message. If the user wanted to, have some formula Sieve script that simply saves mail containing that header into a specially named folder. Then periodically use ipurge to clean out that folder for the user. -- Amos
Re: FAQ: What is saslauthd?
> On Tue, 11 Sep 2001 17:56:08 -0400, > Christopher Wong <[EMAIL PROTECTED]> (cw) writes: cw> Thanks. Does it slow down retries in the case of unsuccessful attempts? What about other SASL methods? Do they slow down and/or lock out repeated guessing attacks? Don't know. I imagine adding something like this to saslauthd wouldn't be too difficult, but would that be more of a task of imapd/popd? cw> On the other hand, if forking is unlimited then a user might use cw> saslauthd to guess numerous passwords in parallel. Consequently, cw> slowing down retries may not be enough. Could you explain how saslauthd cw> addresses these issues? Well, they do have to connect in via imapd/popd first, right? I believe there has already been a request put out to allow for setting instance limits for the various services. Perhaps that up-front upper limit would be sufficient. -- Amos
Re: IMSP with SSL?
> On Wed, 12 Sep 2001 09:50:31 -0500,
> Avi Schwartz <[EMAIL PROTECTED]> (as) writes:

as> I built and installed the cyrus IMSP server and I was wondering what
as> do I have to do to be able to connect to it via SSL. Is there even
as> a way to do so?

Use stunnel (http://www.stunnel.org). Supposing the following:

    pemfile=/var/imap/stunnel.pem
    stunnel=/usr/local/sbin/stunnel
    imspd=/usr/local/cyrus/bin/imspd

Usage would be something along the lines of:

    $stunnel -p $pemfile -d 906 -l $imspd -- imspd

At least that's been working with Mulberry.

-- Amos
Re: Cyrus and performance
> On Thu, 13 Sep 2001 16:13:37 +0300 (EEST), > Leena Heino <[EMAIL PROTECTED]> (lh) writes: lh> We have about 11000 users on our mailserver and the server seems to be lh> running out of resources ie. it seems to slow down when a lot of users lh> (ie. 500-1000 imapd process are running in the system) are simultaneously lh> reading their mail. We currently have around 23000 users on our system, and are seeing about 1200-1300 simultaneous sessions during peak of the day. This is on a Sun E250 with dual 400MHz processors and about 1GB of RAM (we're now working on getting that raised to 2GB). Storage is on a Sun A3500 controller and some trays. We created a bunch of RAID5 (hardware) LUNs and striped them together using Veritas Volume Manager. This is then a Veritas Filesystem. This box does NOT run the main MTA (Postfix), but instead receives incoming mail strictly via LMTP on a private network to the MTA router. Obviously Postfix is on that box for stuff like Sieve vacation responses, but the important thing is that the main MTA queue (HIGH I/O) is on a different box. This is with a Cyrus CVS snag since 2.0.16 and Cyrus SASL CVS snag since 1.5.27 (beta?). Overall this hasn't been doing too poorly, though we really need to get more memory. In your case, try to work on the I/O as much as possible. Some arrangement of hardware RAID would probably help. You might also split stuff off into different disks, like have the mail folders storage space on one set of drives and /var/imap on another. -- Amos
Re: IMSP and address synchronization support (was Re: WebmailClient)
> On Fri, 14 Sep 2001 19:29:43 -0400, > Cyrus Daboo <[EMAIL PROTECTED]> (cd) writes: cd> In an ideal world, ACAP, the successor protocol to IMSP, would be cd> available, and that would deal with these types of issues. However, cd> the ACAP effort is all but dead, leaving IMSP as the only viable cd> remote address book and preferences protocol in use. I wonder, what ever happened to ACAP? I thought Eudora was another client that was going to support it. Did they back out? I guess you could always store address book info in the IMAP server somehow. I notice PINE is fiddling with ways to store the .pinerc on the IMAP server. -- Amos
Re: Eudora and ssl/tls and cyrus
> On Thu, 27 Sep 2001 01:05:53 -0400, > Nick Simicich <[EMAIL PROTECTED]> (ns) writes: ns> I did some searches in the archives. If there is anything similar, ns> searching on Eudora and ssl or tls didn't find it. Eudora will not ns> complete TLS negotiation with Cyrus. Are you attempting to use the 'alternate port' configuration, or the 'starttls' configuration? I ask because we were able to get the 'alternate port' configuration to work, but not the other. Turns out that Eudora actually tries to do 'startssl' instead of 'starttls'. (No, 'startssl' doesn't exist.) If this sounds like it might be your situation, either use the 'alternate port' or make a small change to the Cyrus code (I forget exactly where) so that it will tolerate this non-standard 'startssl'. I understand this has been reported to Eudora. -- Amos
Re: LMTPD signaled to death by 11 - neverending story [the end]
> On Mon, 1 Oct 2001 05:56:08 +0200, > Szymon Juraszczyk <[EMAIL PROTECTED]> (sj) writes: sj> I spent a few days figuring out why this beast was crashing. And all sj> because lots of people still are unaware of elementary secure programming sj> issues, hence they make trivial mistakes such as sprintf()-ing variable sj> length string into a fixed size buffer. Sigh... Looks like this was contributed to CMU. Wait, did you use the --with-notify option to configure? If so, what did you specify it as? -- Amos
Re: lmtpd locking continued
> On Mon, 1 Oct 2001 13:22:27 +0200 , > Nick Ustinov <[EMAIL PROTECTED]> (nu) writes: nu> And that's the place, where lmtpd freezes: nu> Oct 1 14:27:09 satan lmtpd[5687]: duplicate_check: nu> <[EMAIL PROTECTED]> user.bforce 0 You should probably indicate what version of Cyrus you're using. At one point you mention 2.1.0pre, but don't specify when you pulled this from CVS. -- Amos
Re: Delivering to an IMAPD on another server.
> On Mon, 1 Oct 2001 17:56:59 -0400 (EDT),
> Steven J Sobol <[EMAIL PROTECTED]> (sjs) writes:

sjs> NOT ready to put exim on the production server. :) So, I need a way to
sjs> deliver from dev.nstc.com (my development box) to mail.nstc.com. Is LMTP
sjs> the way to go? If so, does 1.6.19 work with LMTP -- I need to be able to

I'm pretty sure it does. Yeah, was using that before jumping into 2.x not too long ago. Though, I think I was running 1.6.24, or maybe even the non released beta 1.6.25.

See if deliver supports the '-l' option. If so, it should be able to talk LMTP. Before going to 2.x, I had an entry like this in inetd.conf:

    lmtp stream tcp nowait cyrus /usr/sbin/tcpd /usr/local/cyrus/bin/deliver -e -l

The tcpd binary is from the tcp_wrappers package. Then in your /etc/hosts.allow make sure your lmtp server above can only be accessed by dev.nstc.com. Then configure your exim to deliver via LMTP over a TCP socket.

-- Amos
Re: Cyrus and very large folders
> On Sun, 21 Oct 2001 23:24:30 -0700, > Jurgen Botz <[EMAIL PROTECTED]> (jb) writes: jb> At one point in the past I used Netscape Messaging Server (now iPlanet) jb> and it had this problem at versions less than 4.x. With a few hundred jb> users, many of whom had mailboxes with a few thousand messages in them, jb> opening a mailbox was painfully slow. The problem is that normal Unix Well, my inbox currently has 3568 messages in it and PINE pops it open in a jiffy. You need to keep in mind that Cyrus caches things like the headers. See the four "cyrus.*" files in each folder. In fact, I typically use the auto-expire capabilities in Gnus (news/mail reader for Emacs/XEmacs) and rarely ever manually delete a message. I could not do this if Cyrus didn't handle large folders well. jb> Has anyone who uses Cyrus in a large organization environment found jb> this to be a problem? How do you define "large"? ;-) I think if you spread your message store across spindles, you should be okay. -- Amos
reconstruct -r user.something broke?
From a CVS pull of just a couple of hours ago, when I try to use 'reconstruct -r' I always get:

    -r: Mailbox does not exist

Could this be a result of:

    altnamespace: yes

(Haven't altered default for unixhierarchysep.)

-- Amos
Re: master and hosts.allow
> On Mon, 29 Oct 2001 11:13:18 +0330,
> Fatemeh Taj <[EMAIL PROTECTED]> (ft) writes:

ft> Cyrus 2.0.16 is installed and works. But the problem is that it
ft> can't work when such configuration is in hosts.allow:
ft> All : Local
ft> pop3d: xxx.xxx.xxx.0/255.255.255.0
ft> imapd: xxx.xxx.xxx.0/255.255.255.0
    ^

Are these names consistent with what's in your cyrus.conf for the service names?

-- Amos
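An added example, not part of the original message and not Cyrus code: a small checker for the mismatch the question above points at. It assumes tcp_wrappers is consulted under the service names on the left of the cyrus.conf SERVICES entries; both sample files are constructed and the function names are hypothetical.

```python
import re

# Constructed sample files, not taken from the thread. The address range is
# the 192.0.2.0/24 documentation network.
CYRUS_CONF = """\
START {
  recover   cmd="ctl_cyrusdb -r"
}
SERVICES {
  # name    command          listener
  imap      cmd="imapd"      listen="imap"  prefork=0
  pop3      cmd="pop3d"      listen="pop3"  prefork=0
  lmtp      cmd="lmtpd -a"   listen="lmtp"  prefork=0
}
EVENTS {
  checkpoint cmd="ctl_cyrusdb -c" period=30
}
"""

HOSTS_ALLOW = """\
ALL : LOCAL
pop3d: 192.0.2.0/255.255.255.0
imapd: 192.0.2.0/255.255.255.0
"""

# hosts_access(5) keywords that may appear in a daemon list.
KEYWORDS = {"all", "except"}


def parse_services(conf_text):
    """Return {service name: command binary} from the SERVICES section."""
    services, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        opened = re.match(r"^(\w+)\s*\{$", line)
        if opened:
            section = opened.group(1).upper()
        elif line == "}":
            section = None
        elif section == "SERVICES":
            name = line.split(None, 1)[0]
            cmd = re.search(r'cmd="([^"]+)"', line)
            binary = cmd.group(1).split()[0].rsplit("/", 1)[-1] if cmd else ""
            services[name.lower()] = binary
    return services


def parse_daemons(hosts_allow_text):
    """Return the daemon names used in hosts.allow rules, in file order."""
    daemons = []
    text = hosts_allow_text.replace("\\\n", " ")  # join continued lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemon_list = line.split(":", 1)[0]
        for token in re.split(r"[,\s]+", daemon_list.strip()):
            name = token.split("@", 1)[0]  # strip the daemon@host form
            if name and name not in daemons:
                daemons.append(name)
    return daemons


def check(conf_text, hosts_allow_text):
    """Return (findings, unnamed).

    findings: (daemon, suggestion) for every hosts.allow daemon name that is
              not a cyrus.conf service name; suggestion is the service whose
              command binary has that name, or None.
    unnamed:  services no rule mentions by name, so only wildcard rules
              such as ALL can ever apply to them.
    """
    services = parse_services(conf_text)
    by_binary = {binary: name for name, binary in services.items() if binary}
    findings, named = [], set()
    for daemon in parse_daemons(hosts_allow_text):
        key = daemon.lower()
        if key in KEYWORDS:
            continue
        if key in services:
            named.add(key)
        else:
            findings.append((daemon, by_binary.get(key)))
    unnamed = [name for name in services if name not in named]
    return findings, unnamed


if __name__ == "__main__":
    findings, unnamed = check(CYRUS_CONF, HOSTS_ALLOW)
    for daemon, suggestion in findings:
        hint = "use '%s'" % suggestion if suggestion else "no such service"
        print("hosts.allow names '%s': %s" % (daemon, hint))
    print("services matched only by wildcard rules:", ", ".join(unnamed))
```

A rule keyed on the binary name never matches, so the service falls through to whatever the wildcard and hosts.deny rules say, which can mean either an unexpected block or an unexpectedly open port.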
Re: RFC: Second attempt at sieving for public folders
> On 08 Nov 2001 18:22:35 +, > Ian Castle <[EMAIL PROTECTED]> (ic) writes: ic> 8. Summary ic> I think this is a good solution because: ic> - No new concepts are introduced, it is rather a clarification of ic> existing ones ic> - Backwards compatibility is preserved ic> - You get some nice cool features - sieving on public folders, having ic> different scripts for different folders - including your own sub ic> folders, different people can maintain different folders ic> - Shouldn't have any particular performance implications. What about all the stats looking for the script? Could that be a problem? If so, could a db be used as a Sieve script index, like the mailboxes.db? -- Amos
Re: No NFS? Ok, how about GFS/GPFS
> On Thu, 08 Nov 2001 16:20:18 -0800, > Neil Bortnak <[EMAIL PROTECTED]> (nb) writes: nb> I'm not planning on implementing this but could you run a single tier nb> cluster of IMAP servers which share the same read-write storage on a SAN nb> using GFS or GPFS as a shared filesystem? Can this fix the problems that nb> one would have with NFS (locking and network load)? That way all the nb> "front-end" servers wouldn't need "back-end" servers at all. While not free, I was also wondering about QFS in a SAN arrangement. (While working on our ScholarPAC renewals I noticed that this QFS is now offered on the EDU price list.) -- Amos
Re: Sieving mail sent to shared/public folders
> On 05 Nov 2001 14:39:44 +, > Ian Castle <[EMAIL PROTECTED]> (ic) writes: ic> I have quite a large number of shared/public folders to which mail is ic> sent/posted directly using the [EMAIL PROTECTED] convention. ic> I want to sieve mail sent to these folders (to remove spam and other ic> nasties). ic> Currently (2.0.16 and CVS HEAD) only mail sent to a user's folders is ic> sieved. ic> The relevant file is imap/lmtpd.c, in the function deliver(). What I'm ic> thinking of doing is modifying this function, so that in the case of a ic> post to a public folder it will find the script for the pseudo user "bb" ic> (or rather the value of the BB string) (sieveusehomddir is false). ic> My plan is to add the code to sieve the email for "case 1 shared mailbox ic> resource" in the source. From my cursory look at the source, I can't see ic> any obvious issues with doing this (thinking about security - ic> mydata.authuser, mydata.authstate etc). ic> However, before embarking on this, I was wondering if any one more ic> knowledgeable than me had any comments about this (it seems like a ic> fairly obvious thing to want to do - so I suspect that there are some ic> "gotchas" that are not obvious to me - or it has already been done). Ken and I kicked around this issue not too long ago. We've got a ton of non-users folders as well and were wondering if Sieve might be usable for these. Though, we're using the altnamespace so no longer using "bb." prefix. Yet another wrinkle? I forget where we ended up with this. Ken? -- Amos
Re: Sieving mail sent to shared/public folders
> On Mon, 05 Nov 2001 11:02:59 -0500, > Ken Murchison <[EMAIL PROTECTED]> (km) writes: km> I don't really remember where we left off. I *think* that Ian's idea is km> what we were talking about -- checking sieveusehomedir==false and if km> postuser!="" using postuser as the owner of the script. When again is postuser==""? Would this be the case if lmtpd -a is used? -- Amos
Re: RFC: Sieving mail delivered directly to shared/public folders
> On Wed, 7 Nov 2001 21:12:48 -, > Ian Castle <[EMAIL PROTECTED]> (ic) writes: ic> Oh dear. I can see a whole new imap function coming on - ". SIEVE folder ic> script"... Actually, in one of my more perverse moments I actually wondered about storing the sieve scripts in the same directory as the intended IMAP folder. It's got to stat that directory anyway ic> Given that sievesystemscripts == /var/lib/sieve/system ic> So.. call sieve_find_script( anyone, "some.interesting.folder" ) ic> if the directory /var/lib/sieve/some exists then look for the directory ic> /var/lib/sieve/some/interesting, if that exists look for the directory ic> /var/lib/some/interesting/folder. ic> so it would try /var/lib/sieve/some/interesting/folder/default, then ic> /var/lib/sieve/some/interesting/default, then /var/lib/sieve/some/default ic> and finally ic> /var/lib/sieve/default. ic> A handy side effect of simply checking the directory, rather than for the ic> presence of the file "default" would be that if default did not exist then ic> no script would be run... so you could have a script applying only to some ic> folders in the middle of the hierarchy... not above, and not below. Interesting ic> I'll code that up if you like and you can try it ;-). That's why we've got a prototype box. ;-) Though, it is running a CVS pull (2.1pre). -- Amos
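An added sketch of the directory walk proposed in the quoted text above; it is not code from the thread or from Cyrus. It assumes one reading of the proposal: the deepest directory that exists for the folder decides, and if that directory has no "default" file no script runs. The function names are hypothetical, and rejecting unsafe name components and symlinked directories is a choice made for this example.

```python
import os
import tempfile


def find_folder_script(sieve_root, folder, sep="."):
    """Return the path of the script that applies to `folder`, or None.

    The folder name is split on the hierarchy separator and the tree under
    sieve_root is descended one component at a time for as long as the
    matching directory exists. Only the deepest directory reached is
    consulted: its "default" file is the script, and a missing file means
    that no script applies (no fallback to a parent directory).
    """
    parts = folder.split(sep)
    for part in parts:
        # The folder name comes from a mail address, so no component may
        # act as a path operator.
        if part in ("", ".", "..") or "/" in part or "\0" in part:
            raise ValueError("unsafe folder component: %r" % part)

    current = os.path.realpath(sieve_root)
    for part in parts:
        candidate = os.path.join(current, part)
        if os.path.islink(candidate):
            # A symlink could lead the lookup outside the script tree.
            raise ValueError("symlink in script tree: %r" % candidate)
        if not os.path.isdir(candidate):
            break
        current = candidate

    script = os.path.join(current, "default")
    return script if os.path.isfile(script) else None


def build_demo_tree():
    """Create a constructed script tree in a temporary directory.

    <root>/default
    <root>/some/default
    <root>/some/interesting/                (directory only, no script)
    <root>/some/interesting/folder/default
    """
    root = tempfile.mkdtemp(prefix="sieve-demo-")
    for rel in ((), ("some",), ("some", "interesting", "folder")):
        directory = os.path.join(root, *rel)
        os.makedirs(directory, exist_ok=True)
        with open(os.path.join(directory, "default"), "w") as handle:
            handle.write("keep;\n")
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for name in ("some.interesting.folder",
                 "some.interesting.folder.sub",
                 "some.interesting.other",
                 "some.else",
                 "archive.info-cyrus"):
        print("%-30s -> %s" % (name, find_folder_script(root, name)))
```

In the constructed tree, "some.interesting.other" resolves to no script at all because "some/interesting" exists without a "default" file, which is the middle-of-the-hierarchy side effect described in the quoted text.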
Re: RFC: Sieving mail delivered directly to shared/public folders
> On Wed, 7 Nov 2001 17:22:08 -0500, > Lawrence Greenfield <[EMAIL PROTECTED]> (lg) writes: lg> The other thing to consider is how to keep the Cyrus black-box lg> approach. Non-administrators should be able to modify these Sieve lg> scripts and name them appropriately. lg> Magic directories just don't cut it. This was a puzzle to me too. Along the tangent of placing the script within the folder itself, I wondered if maybe those with the 'a' ACL might be allowed to modify the script. Though, who knows how they would even get to it. -- Amos
Re: upgrade help
> On Fri, 9 Nov 2001 08:29:53 -0500, > Kiarna Boyd <[EMAIL PROTECTED]> (kb) writes: kb> I have a E220 R my predecessor bought sitting in a box, I have kb> to dig it out and see what it has for Oh gee, if you've got that, crack open the box. I would imagine that would be sufficient, even if it only had one processor. You just might need to get an external array for storage since this only holds two disks. kb> Memory and disks. What do you suggest for nscd settings? kb> Using top nscd? For your install base I'd be somewhat surprised that you'd have to alter nscd all that much. You could raise the passwd entry by some prime number. On our E250 looks like I've got: suggested-size passwd 701 Just run this command periodically to see how you're doing: /usr/sbin/nscd -g If the hit rate isn't so swell, try bumping up the suggested-size. Oh, on a more personal note, I've seen some spooky things with some of the Solaris 7 patches, particularly the kernel and libthread patches. While I know many folks are using this release, personally I have a bit more faith with Solaris 8 And I guess while I'm at it, my first inclination would be to move Sendmail to a different host, then wire (reverse-pair) a direct connection between the hosts. Both MTA work and Cyrus are heavy I/O hogs and running them separately has worked well for us (though we happen to be using Postfix, but all MTA are going to suck I/O.) Hell, if you did that, you might even be able to get by with a Netra T1 AC200 for the Sendmail host. Unlike the X1, this box uses SCSI drives and has at least 1 PCI slot. The EDU price on this is pretty reasonable. Then again, your numbers indicated you were more CPU bound than I/O bound, so maybe this would just be overkill. -- Amos
Re: RFC: Sieving mail delivered directly to shared/public folders
> On Fri, 9 Nov 2001 08:10:35 -, > Ian Castle <[EMAIL PROTECTED]> (ic) writes: ic> Well, the mechanism/interface is there. Allow "activate" to apply to more ic> than one script. ic> One way would be to have a subdirectory called "default" with symlinks to ic> all the active scripts in the directory. ic> The symlinks could be prefixed with a number "0001_myscript.script" ic> "0002_mysecondscript" to allow ordering. You could introduce "up down" ic> commands, or just let activate remove things from the list and append to the ic> bottom. A bit clumsy without a gui. Or simply let the file names determine ic> the order. Okay, this is getting a little scary. ;-) ic> A second way would mean be to extend sieve with an "include" statement. So ic> you would have "default" being include "[script1,script2,script3]"; But include from where? If we had a script in 'user.billybob.lists.info-cyrus', then maybe have: include ["user.billybob/default"] ??? Ugh, this is scary too. ic> Anyway, this is perhaps orthogonal to the problem I am particularly ic> interested in which is apply scripts to different folders - i.e. mapping ic> scripts to the folder name space rather than the username space. I'd agree with that. Just being able to bind a script to a folder would be a *huge* win, IMHO. ic> So rather than thinking that "this script applies to this user" I am ic> suggesting that we think "this script applies to this folder". Obviously, if ic> the folder is "user.fred" then the statements are synonymous. However, we ic> can use the second way to, obviously, refer to more than just folders of the ic> category "user.something". If you can set 'anyone p' to a folder, seems like you should be able to bind a script to that folder -- Amos
Re: RFC: Second attempt at sieving for public folders
> On Fri, 9 Nov 2001 08:59:34 -0500, > Lawrence Greenfield <[EMAIL PROTECTED]> (lg) writes: lg> If we're going to worry about Sieve performance, we really should look lg> into compiling scripts to a byte-code. Currently we run lex/yacc on a lg> script on _every delivery_. This is pretty painful, and is memory lg> inefficient as well as time inefficient. lg> It should be relatively easy to compile the scripts to a bytecode we lg> could just mmap() and run through very quickly, but not easy enough lg> that I can write it out in one day. :^) Okay, I'm sold. Something to fiddle with later -- Amos
Re: upgrade help
> On Fri, 9 Nov 2001 11:13:25 -0500, > Kiarna Boyd <[EMAIL PROTECTED]> (kb) writes: kb> I think I have to use the E220r for its intended purpose..sigh... kb> (How many production servers can one girl rebuild in a month?) Well, at least you won't have to worry about an upgrade for a rather long time. kb> Thanks for the /usr/sbin/nscd -g from it I have: kb> 98% passwd cache hit rate That's fine. kb> 50 % group cache hit rate kb> 60 % hosts cache hit rate It depends on how often these are hit. Check them over time. I forget the general rule, but anything over 93% should be peachy. -- Amos
Re: RFC: Sieving mail delivered directly to shared/public folders
> On 09 Nov 2001 16:48:43 +, > Ian Castle <[EMAIL PROTECTED]> (ic) writes: ic> ... An alternative approach might be to implement the "redirect" feature ic> in sieve. So that 'fileinto "some.folder"' wouldn't do any extra It's already there. See RFC3028: 4.3. Action redirect Syntax: redirect The "redirect" action is used to send the message to another user at a supplied address, as a mail forwarding feature does. The "redirect" action makes no changes to the message body or existing headers, but it may add new headers. The "redirect" modifies the envelope recipient. [...] Example: redirect "[EMAIL PROTECTED]"; Seems like that should cover it, right? -- Amos
Re: RFC: Sieving mail delivered directly to shared/public folders
> On Fri, 9 Nov 2001 09:35:29 -0800 (PST), > Nick Sayer <[EMAIL PROTECTED]> (ns) writes: ns> It seems to me that this could be far more easily done by creating a pseudo- ns> user. Have this user be the target of the alias and his sieve script will ns> be run. That sieve script can have nothing but fileinto directives to ns> populate the public folders. This pseudo-user does not even have to have an ns> INBOX, I don't think. Or if it does, then it will be perpetually empty if ns> your sieve script is written correctly. :-) And that's the catch, or at least one of them. Locally, we've kicked this idea around somewhat. If there is a problem with the script, as per the RFC the mail will drop into the inbox. This means we pretty much have to give that folder admin access to both areas. Well, if you do that, what's the point of the shared folder? Of course if you move all the non-user shared folders under "user.", then you've pretty much lost the advantages of having different namespaces. On one hand I can see an argument for having a "user." corresponding folder to represent the admin or moderator of the shared folder area. However, this would be pretty convoluted and complicated to explain to folks, I suspect. If at the beginning of the script you could define the "inbox", then perhaps this might be more feasible. Though, that would break the RFC. What if this define had a typo in it. Mail bounces? Perhaps as a last resort it would drop back to the real default. Oh, my head hurts. -- Amos
Re: How to setup mail forward in cyrus postfix setup.
> On Tue, 20 Nov 2001 16:15:51 -0500, > Richmond Dyes <[EMAIL PROTECTED]> (rd) writes: rd> I have Cyrus 2.0.9 and postfix running. everything is working fine, but rd> I am trying to figure out how to set up mail aliases in it to forward an rd> info user to me the system administrator. any ideas? This has been discussed some on postfix-users. Actually, it comes up from time to time. Depending on how you're channeling mail to Cyrus, you might need to use a virtual map for some of the redirecting. -- Amos
Re: "Right Way" to track mailing-lists
> On Tue, 20 Nov 2001 18:36:59 +0100,
> Terje Elde <[EMAIL PROTECTED]> (te) writes:

te> With the 1.6 series all I had to do was to call deliver such that it would
te> deliver a message to the correct folder. With the 2.x series there are
te> advantages to using lmtp for deliveries instead, avoiding the extra fork of
te> the deliver process. So I'm wondering if there's any RightWay (tm) way to
te> deliver mailing list messages to a shared folder?

I don't know if I've ever seen a manifesto as to the RightWay for doing this. This is the current hack we've arranged.

Before we switched to the altnamespace we had all our shared folders under a "bb." prefix. Now we've moved all these folders up a level. To send mail to such a folder, just put a "+" before the address. If you don't like that, see the "postuser" setting in imapd.conf. (When we adjusted to the altnamespace I overlooked this "postuser" setting, otherwise we might have used it.)

Suppose we created a Listar (or now eCartis) list of mylist. If we created a shared folder for it, it would be "mylist". So the cyradm command would just be:

    cm mylist shared

In this example "shared" might be a partition for this folder. Continuing, allow posting to it:

    sam mylist anyone p

If you're using LMTP-AUTH then you might be able to do something better here, but this opens another can of worms because not all MTA will pass the AUTH from SMTP over to LMTP.

Anyway, if you want this folder to get the mail from the list, just add it to the list. Since we use Listar, the users entry might be:

    +mylist@domain : |PROTECTED|HIDDEN|

Some lists we auto-generate on a daily basis so our code skips over entries that are listed as PROTECTED. Actually, some of the features of Listar are part of the reason we chose it as it made it easy to manipulate for our environment.

If you want to block direct email to the shared folder and only allow the mail from the list, you might have to do something tricky. When we were using Sendmail a couple of years back this was really problematic because the maps applied to both port 25 mail and local mail. One of the reasons why I liked Postfix is because blocks on port 25 do not necessarily apply to blocks on local "client" mail. Consequently, we can block incoming mail to the address "+mylist@domain" and yet Listar can still direct mail to that address.

Well, I said it was a hack, but at least it seems to have worked out fairly well. Now if only we could get Sieve scripts to work on shared folders. :-P (Actually, I wouldn't use Sieve for these folders that mirror a list, but it would still be nice to have. We have plenty of shared folders where this would be really handy.)

-- Amos
Re: "Right Way" to track mailing-lists
> On Wed, 21 Nov 2001 21:46:18 +0100, > Terje Elde <[EMAIL PROTECTED]> (te) writes: te> Only limitation is that without sieve filtering I'm left without the ability te> to properly filter mailing lists administered elsewhere which I subscribe to as te> a regular user to archive for public use at my site. Not to be rude, but... so? We do the same as well, including traffic from this list. In most cases I purge these out periodically so they don't get too cluttered. That has been sufficient. The new ipurge should make this even easier. Speaking of ipurge--it would be nifty if you could give it a flag to ignore certain messages. Perhaps ignore messages that are marked "special". Now that would be incredibly cool. Even if Sieve for shared folders was available, I'd be concerned that processing Sieve for such archives might hit some pretty serious performance bottlenecks. te> I could always stack a procmail in front of this, but then I'm back to an Yuck. :-) -- Amos
Re: What File Types does Cyrus use?
> On Thu, 22 Nov 2001 17:13:19 +1100, > Jeremy Howard <[EMAIL PROTECTED]> (jh) writes: jh> I'm sure we all understand the dangers of hacking at internal structures. jh> There's also performance benefits associated with this. It's up to solution jh> developers to decide whether that trade-off makes sense in their particular jh> case, and would be based on benchmarking and analysis of the level of jh> maintenance required if internal structures change. While I guess it's always possible, I'd be somewhat surprised if going through the protocol is really that much of a bottleneck. -- Amos
sieveshell
I haven't had much time to look into this myself but, from a fairly recent CVS pull, I notice that one's password is echoed when using sieveshell. Perhaps some of the logic in Cyrus::IMAP::authenticate could be used?

I notice the sieveshell script has the following:

    my $tmpfile = "/tmp/sieveshell.tmp";

Perhaps this should be a bit more careful to avoid possible collisions? Maybe append the $$ or something?

This sieveshell uses STARTTLS, right? I think it does since the sieve server won't allow connections otherwise, right?

I notice all the perl scripts have something like:

    #! /bin/sh
    exec perl -x -S $0 ${1+"$@"} # -*-perl-*-
    #!perl -w

I was wondering, if someone uses the --with-perl configure option, should that setting replace the perl strings in the script header above? In other words, suppose --with-perl=/usr/local/bin/perl is used, perhaps this should be the result?

    #! /bin/sh
    exec /usr/local/bin/perl -x -S $0 ${1+"$@"} # -*-perl-*-
    #!/usr/local/bin/perl -w

Lastly, I was wondering if perhaps a '-I' could be put in the header for some of these scripts, especially the cyradm script. We see lots of questions regarding this with each new release. Perhaps a '-I' could be added such that it contained the path of where these Perl modules will eventually reside?

-- Amos
Re: Eudora and ssl/tls and cyrus
No, it won't use TLS/SSL session on authentication mechanism. It will connect to port 993 and use SSL for the entire session.

>>>>> On Thu, 27 Sep 2001 17:22:23 +0200 (CEST),
>>>>> rj45 <[EMAIL PROTECTED]> (r) writes:

r> I never could make eudora work with cyrus TLS/SSL
r> you say if I use alternate port it will work??
r> it will begin a TLS/SSL session on authentication mechanism??
r> thanks
r> Rick

r> On Thu, 27 Sep 2001, Amos Gouaux wrote:

>> >>>>> On Thu, 27 Sep 2001 01:05:53 -0400,
>> >>>>> Nick Simicich <[EMAIL PROTECTED]> (ns) writes:
>>
ns> I did some searches in the archives. If there is anything similar,
ns> searching on Eudora and ssl or tls didn't find it. Eudora will not
ns> complete TLS negotiation with Cyrus.
>>
>> Are you attempting to use the 'alternate port' configuration, or the
>> 'starttls' configuration? I ask because we were able to get the
>> 'alternate port' configuration to work, but not the other. Turns
>> out that Eudora actually tries to do 'startssl' instead of
>> 'starttls'. (No, 'startssl' doesn't exist.)
>>
>> If this sounds like it might be your situation, either use the
>> 'alternate port' or make a small change to the Cyrus code (I forget
>> exactly where) so that it will tolerate this non-standard
>> 'startssl'. I understand this has been reported to Eudora.
>>
>> --
>> Amos
>>
>>

-- Amos
Re: Re[2]: quota question
> On Tue, 27 Nov 2001 12:58:40 -0500,
> Kevin J Menard, <[EMAIL PROTECTED]> (kjm) writes:

kjm> Or for virtual domains. If I want to give a domain 25 MB of mail storage,
kjm> and they make as many accounts as they want, but the total mail usage for
kjm> all those accounts can't go above 25 MB. That sort of thing.

Perhaps not terribly dynamic, but you could use different cyrus partitions, possibly mapped to different filesystem partitions. Probably for this to work without too much hassle you'd need to use some kind of RAID solution so that each of these partitions can be placed on a separate LUN.

-- Amos
sieveshell -u ... -a non-admin-user ?
I've gotten a request at our site that I'm passing on to the list. Any possibility that non-admin users might be able to edit another user's Sieve scripts, as in:

    sieveshell -u user1 -a user2 server

Perhaps user2 would be able to edit the Sieve script for user1 if user2 had the "a" ACL on "user.user1"?

Actually, this is somewhat related to the recent discussion regarding non-user folders being allowed to have Sieve scripts. A particular group was very eager to have Sieve capability for their private bulletin board. Since currently this is not available, I created a "user." folder for this bulletin board and granted the leader of this group the "a" ACL to this folder. Of course this is of limited use because this group leader still can't edit the Sieve script.

-- Amos
Re: Hardware Architecture for Cyrus-Imap
> On Tue, 09 Oct 2001 13:37:43 +0300,
> Nikos Voutsinas <[EMAIL PROTECTED]> (nv) writes:

nv> We would appreciate if any member of the list
nv> could provide us with a short description of an
nv> already implemented example of SUN servers running
nv> cyrus imap that deals with ~30K or more mail
nv> accounts, per single system (Server+Storage)

You should check the list archives as this has been discussed fairly thoroughly in the past. I think it's at: http://asg.web.cmu.edu/archive/

-- Amos
Re: LMTP question
> On Wed, 17 Oct 2001 17:28:21 +0530,
> Devdas Bhagat <[EMAIL PROTECTED]> (db) writes:

db> Get postfix to authenticate itself to LMTP, or configure lmtpd to
db> accept mails without prior authentication (the second is easier).

Or you could include the '-a' option, but if you do be sure to bind it to the loopback IP (127.0.0.1) or an IP on a private network not accessible by users.

db> If it is localhost only, I would suggest delivering over the unix socket
db> instead of an inet socket.

Yes, this would be simpler.

-- Amos
Re: sieveshell -u ... -a non-admin-user ?
>>>>> On Thu, 29 Nov 2001 14:01:27 -0600, >>>>> Amos Gouaux <[EMAIL PROTECTED]> (ag) writes: ag> I've gotten a request at our site that I'm passing on to the list. ag> Any possibility that non-admin users might be able to edit another ag> user's Sieve scripts, as in: ag> sieveshell -u user1 -a user2 server ag> Perhaps user2 would be able to edit the Sieve script for user1 if ag> user2 had the "a" ACL on "user.user1"? Well, since there were no responses, I decided to dig into this a bit and see what kind of mess I could create. I discovered that imapd.c supported the imapd.conf loginuseacl setting, but timsieved.c didn't. So I attempted a hack to see if it could. Below is the result. Haven't tested this very much, and didn't have the time to really look into things too thoroughly, but it at least seems to work. Thoughts? Amos *** ../../default/sparc_sun_solaris2.8/timsieved/Makefile.inSun Oct 14 08:58:17 2001 --- timsieved/Makefile.in Fri Nov 30 17:59:41 2001 *** *** 52,58 CYRUS_GROUP=@cyrus_group@ DEFS = @DEFS@ @LOCALDEFS@ ! CPPFLAGS = -I. -I.. -I../sieve/ -I$(srcdir) -I$(srcdir)/../sieve -I$(srcdir)/../imap -I$(srcdir)/../lib @COM_ERR_CPPFLAGS@ @CPPFLAGS@ @SASLFLAGS@ CFLAGS = @CFLAGS@ LDFLAGS = @LDFLAGS@ --- 52,59 CYRUS_GROUP=@cyrus_group@ DEFS = @DEFS@ @LOCALDEFS@ ! #CPPFLAGS = -I. -I.. -I../sieve/ -I$(srcdir) -I$(srcdir)/../sieve -I$(srcdir)/../imap -I$(srcdir)/../lib @COM_ERR_CPPFLAGS@ @CPPFLAGS@ @SASLFLAGS@ ! CPPFLAGS = -I. -I.. -I../sieve/ -I$(srcdir) -I$(srcdir)/../sieve -I$(srcdir)/../imap -I$(srcdir)/../acap -I$(srcdir)/../lib @COM_ERR_CPPFLAGS@ @CPPFLAGS@ @SASLFLAGS@ CFLAGS = @CFLAGS@ LDFLAGS = @LDFLAGS@ *** *** 70,76 IMAP_COM_ERR_LIBS = @IMAP_COM_ERR_LIBS@ LIB_WRAP = @LIB_WRAP@ LIBS = $(IMAP_COM_ERR_LIBS) ! DEPLIBS=../sieve/libsieve.a ../imap/libimap.a ../lib/libcyrus.a @DEPLIBS@ PURIFY=/usr/local/bin/purify PUREOPT=-best-effort --- 71,78 IMAP_COM_ERR_LIBS = @IMAP_COM_ERR_LIBS@ LIB_WRAP = @LIB_WRAP@ LIBS = $(IMAP_COM_ERR_LIBS) ! 
#DEPLIBS=../sieve/libsieve.a ../imap/libimap.a ../lib/libcyrus.a @DEPLIBS@ ! DEPLIBS=../sieve/libsieve.a ../imap/libimap.a ../acap/libacap.a ../lib/libcyrus.a @DEPLIBS@ PURIFY=/usr/local/bin/purify PUREOPT=-best-effort *** ../../default/sparc_sun_solaris2.8/timsieved/timsieved.cSun Oct 14 08:58:18 2001 --- timsieved/timsieved.c Fri Nov 30 18:57:02 2001 *** *** 80,85 --- 80,87 #include "mystring.h" #include "auth.h" + #include "acl.h" + #include "mboxlist.h" sasl_conn_t *sieved_saslconn; /* the sasl connection context */ *** *** 128,133 --- 130,177 exit(EC_TEMPFAIL); } + /* XXX Following routine stolen from imapd.c, at least + * initially. Don't exactly know what preparation + * is needed in order to use mboxlist_lookup. + */ + /* + * acl_ok() checks to see if the the inbox for 'user' grants the 'a' + * right to the principal 'auth_identity'. Returns 1 if so, 0 if not. + */ + static int acl_ok(user, auth_identity) + const char *user; + const char *auth_identity; + { + char *acl; + char inboxname[1024]; + int r; + struct auth_state *authstate; + + if (strchr(user, '.') || strlen(user)+6 >= sizeof(inboxname)) return 0; + + strcpy(inboxname, "user."); + strcat(inboxname, user); + + /* not sure if need this... */ + mboxlist_init(0); + mboxlist_open(NULL); + + if (!(authstate = auth_newstate(auth_identity, (char *)0)) || + mboxlist_lookup(inboxname, (char **)0, &acl, NULL)) { + r = 0; /* Failed so assume no proxy access */ + } + else { + r = (cyrus_acl_myrights(authstate, acl) & ACL_ADMIN) != 0; + } + + /* matching closes... */ + mboxlist_close(); + mboxlist_done(); + + if (authstate) auth_freestate(authstate); + return r; + } + /* should we allow users to proxy? return SASL_OK if yes, SASL_BADAUTH otherwise */ static int mysasl_authproc(void *context, *** *** 182,198 /* ok, is auth_identity an admin? 
*/ sieved_userisadmin = authisa(sieved_authstate, "sieve", "admins"); - /* we want to authenticate as a different user: ok if we're an admin or - a proxy server */ if (strcmp(canon_authuser, canon_requser)) { ! if (sieved_userisadmin || authisa(sieved_authstate, "sieve", ! "proxyservers")) { sieved_userisadmin = 0; /* no longer admin */ auth_freestate(sieved_authstate); sieved_authstate = auth_newstate(canon_requser, NULL); } else { !
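Review bot: In both timsieved/Makefile.in hunks the previous CPPFLAGS and DEPLIBS lines are kept as commented-out copies directly above the new ones; drop them, since the diff already records the old values. The added -I$(srcdir)/../acap and ../acap/libacap.a entries should also carry a short comment naming what requires them, because nothing in the timsieved.c hunks shown here refers to acap.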
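Review bot: acl_ok() in timsieved.c runs mboxlist_init(0) and mboxlist_open(NULL), then mboxlist_close() and mboxlist_done(), on every authorization attempt, and the "not sure if need this..." comment shows the requirement was never settled; open the mailbox list once when the service starts and close it at shutdown instead of per call. The function itself never consults the loginuseacl setting, so the caller has to gate it, and the call site is cut off in this posting, so that cannot be confirmed from the lines shown. The K&R-style parameter declarations could also become a prototype to match mysasl_authproc just below.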
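Review bot: The mysasl_authproc hunk deletes the comment "we want to authenticate as a different user: ok if we're an admin or a proxy server" without a replacement; the condition now has another way to succeed, so rewrite the comment to name the ACL path rather than removing it. The replacement lines break off after "} else {" in this posting, so the rest of the change, including whether sieved_userisadmin is still cleared when access comes from the ACL check, has to be reviewed against the complete patch.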
db-4.0.14
Looks like there's a new release for Berkeley DB -- Amos
Re: db-4.0.14
> On Thu, 6 Dec 2001 10:40:13 +1100,
> Jeremy Howard <[EMAIL PROTECTED]> (jh) writes:

jh> Any great new enhancements? Any experience using it with Cyrus and/or
jh> Postfix?

Not I. Not yet. However, I did notice...

    + Support for group commit, to speed up write-intensive high-concurrency workloads.

hmmm could this be a win for Cyrus? Dunno.

-- Amos
Re: Cyrus 2.1.0-SASL No Pam authentication
> On Sat, 08 Dec 2001 01:42:17 -0500,
> Vincent Stoessel <[EMAIL PROTECTED]> (vs) writes:

vs> It sounds like a very well designed change I will definitely be playing with this
vs> one, I am tired of creating users on the system for mail accts.

This saslauthd also has much better logging than the old pwcheck.

-- Amos
Re: Webmail for Cyrus Imap ?
> On Thu, 13 Dec 2001 00:14:23 +0100,
> Simon Josefsson <[EMAIL PROTECTED]> (sj) writes:

sj> This was an interesting thread, and I was happy to see that at least
sj> one suggestion, Jawmail, supported WAP, but it caused my stock RedHat
sj> 7.1 Apache/PHP build to crash when I ran "install.php"... So, are
sj> there any other IMAP interfaces with WML support? Any experiences?

While this thread can at times be exhaustingly familiar, I must admit that I saw some interesting stuff this time around too. I also took a look at this Jawmail. I also thought it was cool that it offered a Sieve interface.

-- Amos
Re: sieveshell DIGEST-MD5 authentication failure
> On Fri, 14 Dec 2001 10:57:49 -0500 (EST),
> Rob Siemborski <[EMAIL PROTECTED]> (rs) writes:

rs> I suspect that the user you are running as is not an admin in the cyrus
rs> configuration file. (e.g. if sieveshell isn't given an authentication
rs> name, it tries to authenticate as whatever the userid is that is running
rs> the process). In this case, assuming you are running the process as
rs> userid 'ikait', it is trying to authenticate as user 'ikait' but then
rs> authorize as 'mailadmin'. In general, only admins and proxyservers are
rs> allowed to authorize to a different user.

rs> I *suspect* the command you want is:
rs> sieveshell -u mailadmin -a mailadmin localhost

Actually, that is why I posted a patch not too long ago. All I did was apply to timsieved the same ACL check that imapd can use (via the loginuseacl setting). I was going to update this patch to 2.1.0 beta, but haven't gotten to it yet.

-- Amos
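The authorization rule discussed in this thread (admins and proxyservers may authorize as another user; the proposal also admits an identity holding the "a" right on user.<target> when loginuseacl is on), as an added example in C. It is a simplified model written for this page, not Cyrus or patch code: the ACL text layout, the treatment of "anyone" and "-" entries, and the names has_right, may_authorize_as and struct policy are assumptions, and group membership is not modelled.

```c
/* Added example (simplified model, not Cyrus source): may an authenticated
 * identity act on another user's Sieve scripts? */
#include <stdio.h>
#include <string.h>

/* Assumed ACL layout: "id<TAB>rights<TAB>id<TAB>rights<TAB>...".
 * An id prefixed with '-' takes rights away; "anyone" matches every identity. */
static int has_right(const char *acl, const char *who, char right)
{
    int granted = 0, denied = 0;
    const char *p = acl;
    while (*p) {
        const char *id_end = strchr(p, '\t');
        if (!id_end)
            return 0;                         /* malformed entry: fail closed */
        const char *r = id_end + 1;
        const char *r_end = strchr(r, '\t');
        if (!r_end)
            r_end = r + strlen(r);
        int negative = (*p == '-');
        const char *id = p + negative;
        size_t idlen = (size_t)(id_end - id);
        int match = (idlen == strlen(who) && strncmp(id, who, idlen) == 0) ||
                    (idlen == 6 && strncmp(id, "anyone", 6) == 0);
        if (match && memchr(r, right, (size_t)(r_end - r))) {
            if (negative) denied = 1; else granted = 1;
        }
        p = *r_end ? r_end + 1 : r_end;
    }
    return granted && !denied;                /* a negative entry always wins */
}

struct policy {
    int is_admin;        /* authenticated identity is listed as an admin */
    int is_proxyserver;  /* authenticated identity is listed as a proxy server */
    int loginuseacl;     /* site has enabled the ACL-based check */
};

/* Returns 1 if 'authuser' may authorize as 'requser'. 'inbox_acl' is the ACL
 * of user.<requser>, or NULL when that mailbox could not be looked up. */
int may_authorize_as(const char *authuser, const char *requser,
                     const struct policy *pol, const char *inbox_acl)
{
    if (strcmp(authuser, requser) == 0)
        return 1;                             /* no proxying involved */
    if (pol->is_admin || pol->is_proxyserver)
        return 1;
    if (!pol->loginuseacl || !inbox_acl)
        return 0;                             /* lookup failure means no access */
    if (strchr(requser, '.'))
        return 0;                             /* same guard as the posted acl_ok() */
    return has_right(inbox_acl, authuser, 'a');
}

int main(void)
{
    /* Constructed ACL for user.user1: owner has all rights, user2 has "a". */
    const char *acl = "user1\tlrswipcda\tuser2\ta\t";
    struct policy acl_on = {0, 0, 1}, acl_off = {0, 0, 0};
    printf("user2 as user1, loginuseacl on : %d\n",
           may_authorize_as("user2", "user1", &acl_on, acl));
    printf("user2 as user1, loginuseacl off: %d\n",
           may_authorize_as("user2", "user1", &acl_off, acl));
    printf("user3 as user1, loginuseacl on : %d\n",
           may_authorize_as("user3", "user1", &acl_on, acl));
    return 0;
}
```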
Re: lmtpd: how to send auth ?
> On Sun, 16 Dec 2001 22:02:26 +1100,
> Jeremy Howard <[EMAIL PROTECTED]> (jh) writes:

jh> I just remembered something. IIRC, if you use a Unix socket rather than a
jh> TCP socket, LMTP doesn't make you authenticate. I dunno if you'll have to
jh> patch Net::LMTP to use a Unix socket--if so it's a simple module and I'm
jh> sure you'll have no trouble.

You can pass the '-a' option to pre-authenticate it. BUT if you do, make sure to either bind that server to a private interface or compile Cyrus 2.X with tcp-wrappers then use /etc/host.{allow,deny} to protect the lmtpd server.

-- Amos
Re: Support
> On Mon, 17 Dec 2001 13:19:33 +,
> Craig Skinner <[EMAIL PROTECTED]> (cs) writes:

>> p.s I tried contacting cyrusoft a bunch of times but
cs> nobody got back to me.

cs> What a big surprise!!
cs> 3 of us have got the same help from silkymail lately..

I think IETF might have had something to do with it.

-- Amos
Re: Using Cyrus-IMAP with Pine
> On Mon, 17 Dec 2001 12:59:51 -0500 (EST),
> Christopher Wong <[EMAIL PROTECTED]> (cw) writes:

cw> folder-collections="My Alias" {imaphost}inbox.[]

If you use altnamespace, you can drop the "inbox." portion.

cw> Right now, Pine seems happy. But if I try to change to a different folder
cw> by hitting TAB to autocomplete the folder name, Pine appends a dot
cw> ("foldername."), and this fouls up the folder selection.

Uh, hit the backspace key once to remove the trailing ".", then hit return. If that's not acceptable, ask the PINE developers about it.

BTW, pine-4.43 is out.

-- Amos
Re: Netscape: Copying message to Sent folder: permission denied
> On Fri, 21 Dec 2001 08:43:28 -0800,
> Dan de Haan <[EMAIL PROTECTED]> (ddh) writes:

>> In my experience netscape usually thinks that you meant Sent and not
>> INBOX.Sent and fixes your preferences but it works anyway
>> because it looks
>> for INBOX.Sent if Sent isn't found. What can be a big problem

ddh> This is exactly what has happened to my system, but I am unable to delete
ddh> the folders that the root user created (permission denied). I tried
ddh> deleting the folders on the disk, but they still show and are causing
ddh> problem with some MUA's. How do I get rid of them?

I have to admit, the altnamespace is nice in this regard. From what we've experienced, after the initial shock of adjustment, I think most of the clients we use/support handle folders more easily with altnamespace set.

-- Amos
Re: DBERRORs
> On Wed, 2 Jan 2002 15:06:06 -0600,
> Connie S Fensky <[EMAIL PROTECTED]> (csf) writes:

csf> Jan 2 12:31:12 frank imapd[7168]: DBERROR: error closing: DB_INCOMPLETE:
csf> Cache flush
csf> was unable to complete

I don't think this is too terrible.

csf> Jan 2 12:31:12 frank imapd[7168]: DBERROR: error closing mailboxes: cyrusdb
csf> error
csf> ...
csf> Jan 2 14:28:25 frank imapd[9572]: DBERROR: opening /var/imap/mailboxes.db:
csf> Not enough
csf> space

However, this looks like a different story. Is your system running out of memory? Maybe add more RAM and/or swap?

csf> Jan 2 14:28:25 frank imapd[9572]: DBERROR: opening /var/imap/mailboxes.db:
csf> cyrusdb er
csf> ror
csf> Jan 2 14:28:47 frank imapd[6942]: DBERROR db3: Unable to allocate 8387
csf> bytes from mpo
csf> ol shared region: Not enough space

I don't know for sure, but this looks like memory limitation

-- Amos
Re: DBERRORs
You said you had to increase the number of processes per user. Perhaps the stack size per user also needs increasing?

> On Thu, 3 Jan 2002 08:39:53 -0600,
> cfensky (c) writes:

c> Thanks for the input, but I've already checked that--we haven't used our
c> swap yet, and we rarely go over 30% of our memory. We also seem to get a
c> very high and narrow spike on load whenever one of these errors is being
c> written (of course, that is hard to correlate, since my load graph doesn't
c> have time on it), so maybe it is an I/O thing.
Re: Cyrus 2.1.0-SASL No Pam authentication
> On Sat, 08 Dec 2001 10:43:17 -0500,
> Ken Murchison <[EMAIL PROTECTED]> (km) writes:

km> I think that this is because the preformatted saslauthd.8 in the
km> distribution hasn't been updated from the saslauthd.mdoc source. If you
km> have the mdoc macros, just run:

km> nroff -mdoc saslauthd.mdoc > saslauthd.8
km> make install

And if you don't? Looks like cyrus-sasl from CVS runs this by default in the 'install' target, and on a Solaris system without mdoc macros it blows up. So this means, unless I'm mistaken, saslauthd.8 is blown away.

-- Amos
Re: couldn't connect to lmtpd
> On Sat, 05 Jan 2002 23:29:42 +0100,
> Jan Kümmel <[EMAIL PROTECTED]> (jk) writes:

jk> the mail does not get delivered and the following line is appended to
jk> my /var/log/imapd.log:

jk> connect(/var/imap/socket/lmtp) failed: Permission denied

Unless told otherwise, Postfix runs commands as user "nobody".

jk> The same happens if I use procmail between postfix and deliver. If I start
jk> procmail from the shell, it works. If procmail is started from postfix, it
jk> doesn't. I am sure, deliver is executed as user jan (checked it again by

Are you sure about that? Cyrus support programs run as user "cyrus".

jk> calling a wrapper script). If I specify
jk> mailbox_transport = cyrus
jk> in main.cf having the following in master.cf, it works

jk> cyrus unix - n n - - pipe
jk> flags=R user=cyrus argv=/usr/cyrus/bin/deliver -e -m
jk> ${extension} ${user}

jk> But why? Can someone explain what is happening?

Because you specifically told Postfix to connect to the deliver program as user "cyrus", not the default user "nobody".

-- Amos
Re: couldn't connect to lmtpd
> On Sun, 06 Jan 2002 13:00:46 +0100,
> Jan Kümmel <[EMAIL PROTECTED]> (jk) writes:

jk> Are you sure? I called a script (as mailbox_command) from postfix
jk> that does the following:

jk>     echo $LOGNAME > /tmp/foo

jk> After sending a mail, /tmp/foo contained the recipient's name and
jk> was owned by the recipient, not by nobody.

jk> Also, nobody could never have delivered mail in my former (uw)
jk> configuration because INBOX was in $HOME/mail which had permissions
jk> 700. But it worked, so I am pretty sure it runs as the recipient,
jk> like the documentation says, with one exception: root as nobody.

Oh yeah, you're right about that.

-- Amos
Re: couldn't connect to lmtpd
> On Sun, 06 Jan 2002 13:31:32 +0100,
> Jan Kümmel <[EMAIL PROTECTED]> (jk) writes:

jk> oops, I made some *stupid* mistake: during my tries to find the
jk> error, I put user jan into mail group (and forgot to remove it

Ah, that explains it.

jk> again), that's why he can deliver mail, no other user can do that
jk> (besides cyrus). I will have to find another way for putting
jk> procmail between postfix and cyrus. But the only reason I need
jk> procmail is for using spamassassin, which expects a mail on stdin
jk> and outputs the filtered mail on stdout. Is there some other way to
jk> use such a stdin-stdout-filter with postfix and cyrus?

Well, this is why I want to see the policyd thing that folks have chatted about on postfix-users. What I'd like to see is something like spamassassin that's run via this policyd framework that would be used by Postfix, but instead of bouncing the mail like most spam traps, it would just add some magic header to the message. Then all the user would have to do is check for that header in their Sieve script. They could either reject that mail or save it into a SPAM folder. Then we could use that nifty ipurge command to periodically blow away the contents of that SPAM folder.

-- Amos
Re: Still problem compiling perl module on Cyrus IMAPD 2.1.0
> On Sun, 6 Jan 2002 03:13:17 -0700,
> Irwan Hadi <[EMAIL PROTECTED]> (ih) writes:

ih> Still the same although I already added those in Makefile.PL

I feel your pain. I'm having a horrible time with 2.1 out of CVS. I think there are problems with cmulocal/sasl2.m4, but I haven't narrowed it down yet. If I explicitly tell configure where sasl is with something like this:

    --with-sasl=/usr/local

Then it seems as if -lsasl2 is not added to LIB_DYN_SASL, which is used to build SASL_LIB. Furthermore, it seems that this autoconf code could benefit from the use of andrew_runpath_switch. This variable already determines that -R is desirable for the linker, but the sasl2 autoconf stuff doesn't make use of this.

Since we have the SASL libs under /usr/local (at least via sym links--don't ask), I left off the --with-sasl configure switch to see what that would do. Okay, looks like when compiling managesieve.so and IMAP.so the -lsasl2 parameter is now being supplied. Ah, the difference between this compile and the previous is that now -lsasl2 is provided, before only -L/usr/local/lib was provided. So there is a problem with using the --with-sasl configure switch.

Though, because the logic for andrew_runpath_switch isn't being used, I suspect this will still blow up with unresolved references. (Yeah, I can use crle that now exists on Solaris 8, but I hate to rely exclusively on that because if for some reason someone forgets to set that, everything will blow up horribly. Besides, using -R is more efficient for loading since a search is not needed.)

While I'm on this, is there any way on this fair planet to get the cyradm script to go into some place other than INST_SCRIPT (/usr/local/bin)? Since cyradm is more an administrative command, I would prefer to put it some place like /usr/local/sbin. I thought I'd be clever (fat chance!) and just define INST_SCRIPT on the gmake command like during "gmake install".
However, what ends up happening is that cyradm goes into BOTH, what I specified on the command line and the default value for INST_SCRIPT. Geez Louise. Oh, and there's one other small issue that I came across: I had to change sieve/md5.c as follows: *** md5.c._orig Tue Jan 4 22:51:51 2000 --- md5.c Sun Jan 6 00:28:43 2002 *** *** 29,37 #include #include ! #include "md5global.h" #include "md5.h" ! #include "hmac-md5.h" /* Constants for MD5Transform routine. */ --- 29,37 #include #include ! #include "sasl/md5global.h" #include "md5.h" ! #include "sasl/hmac-md5.h" /* Constants for MD5Transform routine. */ Though, I don't know if this gets back to the problems with the --with-sasl configure switch or not. Since I haven't noticed other reports about this problem perhaps it is just something stupid that I'm doing. -- Amos
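Review bot: The two changed #include lines in the sieve/md5.c hunk hard-code a sasl/ prefix for md5global.h and hmac-md5.h, which only resolves when the SASL headers sit in a sasl/ subdirectory of a directory already on the include path. Consider leaving the source includes alone and having configure add the SASL header directory to CPPFLAGS, so the fix lives with the --with-sasl handling the message already suspects rather than in this file.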