cyrus: cannot validate a user that exist on the /etc/passwd file
Hi to everybody:

I'm trying to set up an imap in a linuxbox. I have cyrus software listening on ports pop3 and imap.

I use these rpm packages:

    cyrus-sasl-1.5.24-17
    cyrus-imapd-2.0.9-3

Here you have the contents of /etc/imap.conf

    [ develop2 ] ~ # cat /etc/imapd.conf
    configdirectory: /var/imap
    partition-default: /var/spool/imap
    admins: cyrus
    allowanonymouslogin: no
    sasl_pwcheck_method: pam

Here is the /etc/cyrus.conf

    START {
      # do not delete these entries!
      mboxlist      cmd="ctl_mboxlist -r"
      deliver       cmd="ctl_deliver -r"
    }

    # UNIX sockets start with a slash and are put into /var/imap/socket
    SERVICES {
      # add or remove based on preferences
      imap          cmd="/usr/cyrus/bin/imapd" listen="imap" prefork=0
      imaps         cmd="/usr/cyrus/bin/imapd -s" listen="imaps" prefork=0
      pop3          cmd="/usr/cyrus/bin/pop3d" listen="pop3" prefork=0
      pop3s         cmd="/usr/cyrus/bin/pop3d -s" listen="pop3s" prefork=0
      sieve         cmd="/usr/cyrus/bin/timsieved" listen="sieve" prefork=0

      # at least one LMTP listener is required for proper delivery
      # lmtp        cmd="lmtpd" listen="lmtp" prefork=0
      lmtpunix      cmd="/usr/cyrus/bin/lmtpd" listen="/var/imap/socket/lmtp" prefork=0
    }

    EVENTS {
      # this is required
      checkpoint    cmd="ctl_mboxlist -c" period=30
    }

Well, after that, I launch the cyrus daemon:

    [ develop2 ] ~ # ps -ax | grep cyrus
    30464 pts/0    S      0:00 /usr/cyrus/bin/master

Then, I make this test:

    # telnet localhost 110
    Trying 127.0.0.1...
    Connected to develop2.iwith.org.
    Escape character is '^]'.
    +OK HOSTNAME Cyrus POP3 v2.0.9 server ready
    user USER
    +OK Name is a valid mailbox
    pass HISPASSWD
    -ERR Invalid login

Of course, the USER and PASSWD that I write are correct in the system.

By the way, if I make the same test against the IMAP port, this is the output that I receive from the server:

    [ develop2 ] # imtest -m login -a USER localhost
    C: C01 CAPABILITY
    S: * OK HOSTNAME Cyrus IMAP4 v2.0.9 server ready
    S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=DIGEST-MD5 AUTH=CRAM-MD5 X-NETSCAPE
    S: C01 OK Completed
    Password:
    C: L01 LOGIN USER {4}
    + go ahead
    C: L01 NO Login failed: authentication failure
    Authentication failed. generic failure
    Security strength factor: 0
    . logout
    * BYE LOGOUT received
    . OK Completed
    Connection closed.

This is what I can see in the auth.log when I launch a pop3 session:

    Jul 9 08:26:47 develop2 pop(pam_unix)[30142]: authentication failure; logname= uid=76 euid=76 tty= ruser= rhost= user=USER

I have also tried to use "sasl_pwcheck_method: pam" instead of passwd but the problem persists.

Help please!!! and TIA.
Re: cyrus: cannot validate a user that exist on the /etc/passwd file
In the cyrus homepage I read this:

    SASL Library
    Please refer to the NEWS file for changes (or more details can be found in the ChangeLog). Documentation can be found in the doc subdirectory. The latest release is version 1.5.24.

And the last version of the imap-cyrus server is: 2.0.15

Are they right ? If not, where I can get cyrus-sasl 1.5.27 ?

Thanks for your help.

On Mon, 9 Jul 2001, Artur Frysiak wrote:

> On Mon, Jul 09, 2001 at 10:13:35AM -0100, David wrote:
> > Hi to everybody:
> >
> > I'm trying to setup a imap in a linuxbox. I have cyrus software
> > listening on ports pop3 and imap.
> >
> > I use this rpm packages:
> >
> > cyrus-sasl-1.5.24-17
> > cyrus-imapd-2.0.9-3
> >
> > Here you have the contents of /etc/imap.conf
> >
> > [ develop2 ] ~ # cat /etc/imapd.conf
> > configdirectory: /var/imap
> > partition-default: /var/spool/imap
> > admins: cyrus
> > allowanonymouslogin: no
> > sasl_pwcheck_method: pam
>
> If you want working pam_unix authentication you must use saslauthd from
> cyrus-sasl 1.5.27.
>
> Regards
>
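The pam_unix failures quoted on this page are both logged with uid=76 euid=76, meaning the PAM call came from the unprivileged Cyrus process, which cannot read /etc/shadow; that is the case the saslauthd advice above addresses, since saslauthd performs the check from a root-owned daemon. The following is an added example, not code from the thread or from the Cyrus project: it parses such auth.log lines and separates failures raised by a non-root caller from ordinary bad-credential failures. The function names are hypothetical, and the sample log is constructed from the lines quoted on this page plus one invented root-caller line.

```python
import re
from collections import Counter

# Constructed sample: the first two lines reproduce the pam_unix failures quoted
# on this page; the third is an invented root-owned caller added for contrast.
SAMPLE_LOG = """\
Jul  9 08:26:47 develop2 pop(pam_unix)[30142]: authentication failure; logname= uid=76 euid=76 tty= ruser= rhost=  user=USER
Jul 12 14:07:37 ipsilon imap(pam_unix)[3365]: authentication failure; logname= uid=76 euid=76 tty= ruser= rhost=  user=drio
Jul 12 14:09:02 ipsilon login(pam_unix)[3401]: authentication failure; logname= uid=0 euid=0 tty=tty1 ruser= rhost=  user=drio
Jul 12 14:09:10 ipsilon master[3300]: ready for work
"""

# "<month> <day> <time> <host> <service>(pam_unix)[<pid>]: authentication failure; k=v ..."
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\s"
    r"(?P<service>[^\s(]+)\(pam_unix\)\[(?P<pid>\d+)\]:\s"
    r"authentication failure;\s(?P<fields>.*)$"
)
# Values may be empty ("tty= ruser="), so the value part is \S* rather than \S+.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_failure(line):
    """Return a dict for a pam_unix 'authentication failure' line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    try:
        euid = int(fields.get("euid", ""))
    except ValueError:
        return None  # malformed record without a usable euid
    return {
        "host": m.group("host"),
        "service": m.group("service"),
        "pid": int(m.group("pid")),
        "euid": euid,
        "user": fields.get("user", ""),
    }


def classify(record):
    """Label the failure by who called PAM, not by who tried to log in."""
    if record["euid"] != 0:
        # A non-root daemon generally cannot verify another account's shadow
        # password, so the failure says nothing about the password itself.
        return "unprivileged-caller"
    # Root could read the shadow file: look at the password, account or PAM stack.
    return "check-credentials"


def triage(log_text):
    """Parse every pam_unix failure in log_text and attach a verdict."""
    findings = []
    for line in log_text.splitlines():
        record = parse_failure(line)
        if record is None:
            continue  # not a pam_unix failure line
        record["verdict"] = classify(record)
        findings.append(record)
    return findings


def summarize(findings):
    """Count failures per (service, euid, verdict) to spot a misconfigured daemon."""
    return Counter((f["service"], f["euid"], f["verdict"]) for f in findings)


if __name__ == "__main__":
    for (service, euid, verdict), count in sorted(summarize(triage(SAMPLE_LOG)).items()):
        print(f"{service:6} euid={euid:<4} {verdict:20} x{count}")
```

A service that only ever appears with a non-zero euid and the unprivileged-caller verdict points at the daemon's privileges rather than at the users' passwords.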
Re: cyrus: cannot validate a user that exist on the /etc/passwd file(fwd)
And this one also:

-- Forwarded message --
Subject: Re: cyrus: cannot validate a user that exist on the /etc/passwd file

On Tue, 10 Jul 2001, Wolfgang Schäfer wrote:

> hi david,
>
> David wrote:
> >
> > Thanks a lot for your answer Wolfgang.
> >
> > Let me point you in my actual situation:
> >
> > I have downloaded the latest version of imapd-cyrus: 2.0.15. (tgz format)
> > I wanted to install the sasl libraries from tgz source, but I prefer to
> > use the rpm that come with the distribution because I have a lot of
> > dependences with other packages. These are the sasl-packages that I use:
> >
> > cyrus-sasl-devel-1.5.24-17
> > cyrus-sasl-1.5.24-17
> >
> > Well After that I follow the instructions that comes with the tgz tarball:
> >
> > 1. configure --disable-sieve // if I don't do that, configure fails
>
> ... have you install tcl? this can be the error!
> and then configure "--with-pwcheck_method=shadow" if you will use the
> shadow method!

I don't know what is tcl, but how I don't have configure switches, configure will generate a makefile that will build the binaries with tcl support, because I am not using this switch: --without-tcl.

Regarding to the configure, well, so far I want to use the most easy pwcheck method (I think it's sasldb method), in this case I don't need configure switches, isn't it?

By the way, in spite the problem would come from here, I suppose that the daemon most, at least, run properly until I make the validation process. Don't you reckon?

Thanks for your help

I have been working 3 days on this
Re: cyrus: cannot validate a user that exist on the /etc/passwd file(fwd)
I forgot to send this email to the mailing list, so here you have it.

-- Forwarded message --

Thanks a lot for your answer Wolfgang.

Let me point you in my actual situation:

I have downloaded the latest version of imapd-cyrus: 2.0.15. (tgz format)
I wanted to install the sasl libraries from tgz source, but I prefer to use the rpm that come with the distribution because I have a lot of dependences with other packages. These are the sasl-packages that I use:

    cyrus-sasl-devel-1.5.24-17
    cyrus-sasl-1.5.24-17

Well, after that I follow the instructions that come with the tgz tarball:

1. configure --disable-sieve // if I don't do that, configure fails
2. make depend
3. make all CFLAGS=-O
4. create an user id:cyrus, group: mail
5. add the syslog lines to set up the log files
6. create this /etc/imapd.conf

       configdirectory: /var/imap
       partition-default: /var/spool/imap
       admins: curtj abell
       sasl_pwcheck_method: passwd

7. setup to user cyrus.mail and permissions 750 these directories: /var/imap /var/spool/imap
8. I change to the user cyrus and run the tools/mkimap file that comes in the cyrus' tarball. (NOTE: of course this file has root.root attributes so I copy it to /tmp and change the owner to cyrus.mail).
9. Change attributes of these files:

       cd /var/imap
       chattr +S user quota user/* quota/*
       chattr +S /var/spool/imap /var/spool/imap/*

10. I remove the xinetd files regarding imapd and pop3
11. Copy a "pre-builded" cyrus.conf file from cyrus' tarball:

        cp master/conf/normal.conf /etc/cyrus.conf

12. Finally I launch the master daemon as root:

        /usr/cyrus/bin/master

And this is what I get from my /var/log/imapd.log:

    Jul 10 14:35:22 develop2 master[25508]: process started
    Jul 10 14:35:22 develop2 master[25509]: about to exec /usr/cyrus/bin/ctl_mboxlist
    Jul 10 14:35:22 develop2 master[25508]: process 25509 exited, status 75
    Jul 10 14:35:22 develop2 master[25510]: about to exec /usr/cyrus/bin/ctl_deliver
    Jul 10 14:35:22 develop2 master[25508]: process 25510 exited, status 75
    Jul 10 14:35:22 develop2 master[25508]: ready for work
    Jul 10 14:35:22 develop2 master[25511]: about to exec /usr/cyrus/bin/ctl_mboxlist
    Jul 10 14:35:22 develop2 master[25508]: process 25511 exited, status 75
    Jul 10 14:35:22 develop2 master[25512]: about to exec /usr/cyrus/bin/ctl_deliver
    Jul 10 14:35:22 develop2 master[25508]: process 25512 exited, status 75

Directories and files from cyrus to up (/usr/cyrus && /usr/cyrus/bin) has this permissions:

    permissions: drwx--
    user: cyrus.mail

I say that because, I don't know why but the /usr/cyrus was of the user root, group root, so the master gave me errors when it was trying execute some files on the bin directory.

Anyway, please, a little help... thank you again.. I'll be waiting your news.

On Tue, 10 Jul 2001, Wolfgang Schäfer wrote:

> hi david,
>
> check your ./configure before compile time.
> attached you can find my config.status files!
> important i think is to config sasl with:
> ./configure --with-pwcheck_method=shadow --enable-plain \
> --disable-cram --disable-krb4 --disable-digest
> ... or anybody other opinion!
>
> regard´s wolfgang
>
>
> David wrote:
> >
> > I tested also using shadow, but didn't work.
> >
> > Any other idea?
> >
> > On Mon, 9 Jul 2001, Wolfgang Schäfer wrote:
> >
> > > in your imap.conf is a config error!
> > > if you want to use shadow as auth method you should use:
> > >
> > > # The mechanism used by the server to verify plaintext
> > > # passwords.Possible values also include "ker
> > > # beros_v4", "passwd", and "shadow".
> > > # sasl_pwcheck_method: PAM
> > > sasl_pwcheck_method: shadow
> > >
> > > take a look at man imapd.conf ... it´s the docu
> > >
> > > regard wolfgang
> > >
> > >
> > > David wrote:
> > > >
> > > > Hi to everybody:
> > > >
> > > > I'm trying to setup a imap in a linuxbox. I have cyrus software
> > > > listening on ports pop3 and imap.
> > > >
> > > > I use this rpm packages:
> > > >
> > > > cyrus-sasl-1.5.24-17
> > > > cyrus-imapd-2.0.9-3
> > > >
> > > > Here you have the contents of /etc/imap.conf
> > > >
> > > > [ develop2 ] ~ # cat /etc/imapd.conf
> > > > configdirectory: /var/imap
> > > > partition-default: /var/spool/imap
> > > > admins: cyrus
> > > > allowanonymouslogin: no
> > > >
LDAP && imap (Invalid credentials)
Hi to everybody,

I have a problem cyrus & Ldap. Ok, here is the problem:

I have setuped correctly a LDAP database on a RH7.1 box (openldap-2.0.7). On the LDAP database I have imported /etc/passwd and /etc/group. I've modified /etc/pam.d/login to test if it is possible to validate against my ldap, and it works OK.

Now, I want that my imap server (cyrus-imap) authentificates the users using PAM. To accomplish I have modified this line on the /etc/imap.conf file:

/etc/imap.conf:

    sasl_pwcheck_method: pam

and this one:

/etc/pam.d/imap:

    #%PAM-1.0
    auth       required     /lib/security/pam_stack.so service=system-auth
    account    required     /lib/security/pam_stack.so service=system-auth

After that I try to see if it works ok:

    [root@ipsilon /etc]# /usr/bin/imtest -m login -a drio localhost
    C: C01 CAPABILITY
    S: * OK ipsilon Cyrus IMAP4 v2.0.12 server ready
    S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=DIGEST-MD5 AUTH=CRAM-MD5 X-NETSCAPE
    S: C01 OK Completed
    Password:
    C: L01 LOGIN drio {5}
    + go ahead
    C: L01 NO Login failed: authentication failure
    Authentication failed. generic failure
    Security strength factor: 0

This is the log output:

    Jul 12 14:07:37 ipsilon imap(pam_unix)[3365]: authentication failure; logname= uid=76 euid=76 tty= ruser= rhost= user=drio

Then I try to make the authentification using LDAP, so I comment the other two lines and add on /etc/pam.d/imap file this ones:

    auth       sufficient   /lib/security/pam_ldap.so
    account    sufficient   /lib/security/pam_ldap.so

Now I tried again:

    [root@ipsilon /etc]# /usr/bin/imtest -m login -a drio localhost
    C: C01 CAPABILITY
    S: * OK ipsilon Cyrus IMAP4 v2.0.12 server ready
    S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE AUTH=DIGEST-MD5 AUTH=CRAM-MD5 X-NETSCAPE
    S: C01 OK Completed
    Password:
    C: L01 LOGIN drio {4}
    + go ahead
    C: failure: prot layer failure

This is the log output:

    Jul 12 14:16:55 ipsilon imapd[4219]: pam_ldap: error trying to bind as user "uid=drio,ou=People,o=pruebas" (Invalid credentials)

By the way, It is more important for my validate the users using ldap because I will do it in this way on the future.

I hope you'll will be able to tell what's the hell is going on here

One thing more, a curious thing:

    ###
    ### /var/log/slapd.log: trace of a ldap query from the pam_ldap.so linked
    ### in the login binary.
    Jul 12 16:42:47 ipsilon slapd[4865]: daemon: conn=29 fd=7 connection from IP=192.168.1.40:33600 (IP=0.0.0.0:389) accepted.
    Jul 12 16:42:47 ipsilon slapd[4865]: conn=29 op=0 BIND dn="" method=128
    Jul 12 16:42:47 ipsilon slapd[4865]: conn=29 op=0 RESULT tag=97 err=0 text=
    Jul 12 16:42:47 ipsilon slapd[4865]: conn=29 op=1 SRCH base="o=pruebas" scope=2 filter="(uid=drio)"
    Jul 12 16:42:47 ipsilon slapd[4865]: conn=29 op=1 SEARCH RESULT tag=101 err=0 text=
    Jul 12 16:42:47 ipsilon slapd[4865]: conn=29 op=2 BIND dn="UID=DRIO,OU=PEOPLE,O=PRUEBAS" method=128
    Jul 12 16:42:47 ipsilon slapd[4865]: conn=29 op=2 RESULT tag=97 err=0 text=
    Jul 12 16:42:47 ipsilon slapd[4865]: conn=29 op=3 BIND dn="" method=128
    Jul 12 16:42:47 ipsilon slapd[4865]: conn=29 op=3 RESULT tag=97 err=0 text=
    Jul 12 16:42:58 ipsilon slapd[4865]: conn=29 op=4 UNBIND
    Jul 12 16:42:58 ipsilon slapd[4865]: conn=-1 fd=7 closed

    ###
    ### /var/log/slapd.log: trace of a ldap query from the pam_ldap.so linked
    ### in the imapd binary.
    Jul 12 16:43:56 ipsilon slapd[4865]: daemon: conn=30 fd=7 connection from IP=192.168.1.40:33610 (IP=0.0.0.0:389) accepted.
    Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=0 BIND dn="" method=128
    Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=0 RESULT tag=97 err=0 text=
    Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=1 SRCH base="o=pruebas" scope=2 filter="(uid=drio)"
    Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=1 SEARCH RESULT tag=101 err=0 text=
    Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=2 BIND dn="UID=DRIO,OU=PEOPLE,O=PRUEBAS" method=128
    Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=2 RESULT tag=97 err=0 text=
    Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=3 BIND dn="" method=128
    Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=3 RESULT tag=97 err=0 text=
    Jul 12 16:43:56 ipsilon slapd[4865]: conn=30 op=4 UNBIND
    Jul 12 16:43:56 ipsilon slapd[4865]: conn=-1 fd=7 closed

it seems ok? the query is the same.

Thank you in advance.
open ssl vulnerability 17 March 2004 - v0.9.7d available
http://www.openssl.org/news/secadv_20040317.txt

Version 0.9.7d now available to correct this vulnerability.

http://www.openssl.org/source/

Regards and many thanks to this list for solid info.

David

---
Home Page: http://asg.web.cmu.edu/cyrus
Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
High-Availability IMAP server
Hello,

I have a 'pseudo' High Availability SMTP system consisting in two servers running cyrus 2.2.5. The main problem I have is that only one of the two nodes can access to the mailboxes in order to keep the integrity of the cyrus databases despite the filesystem (GFS) has support to allow to two different servers access in R/W mode.

I've read about cyrus-murder which allows to distribute mailboxes along different servers but if the server that has the mailbox for [EMAIL PROTECTED] goes offline, this mailbox is not available.

With maildir/mailbox format, there is no additional integrity mechanism so any server with R/W access to the filesystem can provide the mailbox via POP3/IMAP, etc.

Is there any way to achieve this goal using cyrus? Which is the best approach to this scenario? Run daily imapsync via cron and a Load Balancer forward the requests to the active one?

Any help would be appreciated.

Regards,
David
Cyrus + LDAP + SASLauth problem. Rewrite login?
Hello,

I would like to 'rewrite' or associate the [EMAIL PROTECTED] mailbox with [EMAIL PROTECTED]

Due to postfix limitations, it can only accept mail for domain listed in mydomains (localhost for example). The problem is adding a domain to mydomains list implies a reload of postfix and the decrease of performance, besides the procedure is not as simple as creating the accounts in LDAP, I need to access to smtp servers.

With a maildrop configuration like [EMAIL PROTECTED] -> [EMAIL PROTECTED] I would workaround this problem in postfix-side, but then I have the problem with the user login of the customers that should be user.domain.com (with virtdomains adding @localhost) but should be desirable to use login [EMAIL PROTECTED] due to current configuration in qmail/qpopper server that we need to integrate.

Thanks in advance, regards

--
David
Problem creating mailboxes
I'm having trouble getting cyrus installed and running. I've compiled and installed sasl (2.1.21) and imap (2.3.0). When I run cyradm -u mailadm localhost and create mailboxes it seems that cyradm quits on me unexpectedly:

    #cyradm -u mailadm localhost
    IMAP Password:
    localhost> lm
    localhost> cm info
    createmailbox:
    localhost> lm
    localhost> lm
    #

I then go back in and run lm:

    #cyradm -u mailadm localhost
    IMAP Password:
    localhost> lm
    info (\Noselect \HasNoChildren)
    localhost> quit
    #

Unfortunately, the info user can't log in to the mailbox most of the time. When they can, they can't create new folders or even view the Inbox. I also can't delete the mailbox:

    #cyradm -u mailadm localhost
    IMAP Password:
    localhost> lm
    info (\Noselect \HasNoChildren)
    localhost> dm info
    deletemailbox: Mailbox is currently reserved
    localhost> quit
    #

In /var/adm/messages I get errors like this:

    master[11091]: [ID 387647 local6.error] process 11096 exited, signaled to death by 10

I seem to have done something quite wrong. What needs to be done to get this working? I'm running on Solaris 9.

-Dave
Re: Problem creating mailboxes
>> localhost> cm info
>
>Shouldn't that be:
>
> localhost> cm user.info
>
>or user/info if you're using unixhierarchysep?

Thanks, I turned off unixhierarchysep and tried using "cm user.info" instead. Unfortunately I still have the same issue. The cyradm app dies shortly after running the cm command and when I go back in the mailbox shows as /noselect /hasnochildren.

    #cyradm -u mailadm localhost
    Password:
    localhost> lm
    localhost> cm user.info
    createmailbox:
    localhost> lm
    localhost> lm
    #   <--- This is where it crashes back to the command line

Going back in:

    #cyradm -u mailadm localhost
    Password:
    localhost> lm
    user.info (\Noselect \HasNoChildren)
    localhost> quit
    #

What would cause mailbox creation to fail? Should I be using something other than cyradm to create the mailboxes?

-Dave
Re: Problem creating mailboxes
I noticed this error as well that appears when I run the "cm" command:

    Dec 19 09:18:52 messenger1 master[5730]: [ID 970914 local6.error] process 5740 exited, signaled to death by 10

So something is definitely crashing. I'm running Berkeley DB 4.4.16. Is that a problem?

-Dave

-Original Message-
From: [EMAIL PROTECTED]
Sent: Mon, 19 Dec 2005 09:10:36 -0600 (CST)
Subject: Re: Problem creating mailboxes

>> localhost> cm info
>
>Shouldn't that be:
>
> localhost> cm user.info
>
>or user/info if you're using unixhierarchysep?

Thanks, I turned off unixhierarchysep and tried using "cm user.info" instead. Unfortunately I still have the same issue. The cyradm app dies shortly after running the cm command and when I go back in the mailbox shows as /noselect /hasnochildren.

    #cyradm -u mailadm localhost
    Password:
    localhost> lm
    localhost> cm user.info
    createmailbox:
    localhost> lm
    localhost> lm
    #   <--- This is where it crashes back to the command line

Going back in:

    #cyradm -u mailadm localhost
    Password:
    localhost> lm
    user.info (\Noselect \HasNoChildren)
    localhost> quit
    #

What would cause mailbox creation to fail? Should I be using something other than cyradm to create the mailboxes?

-Dave
Re: Problem creating mailboxes
Well, it's not DB 4.4.16. I just tried DB 3.3.11 and the same thing happens.

-Dave

-Original Message-
From: [EMAIL PROTECTED]
Sent: Mon, 19 Dec 2005 09:17:47 -0600 (CST)
Subject: Re: Problem creating mailboxes

I noticed this error as well that appears when I run the "cm" command:

    Dec 19 09:18:52 messenger1 master[5730]: [ID 970914 local6.error] process 5740 exited, signaled to death by 10

So something is definitely crashing. I'm running Berkeley DB 4.4.16. Is that a problem?

-Dave

-Original Message-
From: [EMAIL PROTECTED]
Sent: Mon, 19 Dec 2005 09:10:36 -0600 (CST)
Subject: Re: Problem creating mailboxes

>> localhost> cm info
>
>Shouldn't that be:
>
> localhost> cm user.info
>
>or user/info if you're using unixhierarchysep?

Thanks, I turned off unixhierarchysep and tried using "cm user.info" instead. Unfortunately I still have the same issue. The cyradm app dies shortly after running the cm command and when I go back in the mailbox shows as /noselect /hasnochildren.

    #cyradm -u mailadm localhost
    Password:
    localhost> lm
    localhost> cm user.info
    createmailbox:
    localhost> lm
    localhost> lm
    #   <--- This is where it crashes back to the command line

Going back in:

    #cyradm -u mailadm localhost
    Password:
    localhost> lm
    user.info (\Noselect \HasNoChildren)
    localhost> quit
    #

What would cause mailbox creation to fail? Should I be using something other than cyradm to create the mailboxes?

-Dave
RE: Re: Problem creating mailboxes
Here's the last part of a truss on cyradm showing the crash. Any ideas on how to fix this?
Re: Legal Characters in mailbox names
cyrus-imapd-2.0.12 - imap/mboxname.c - line #187:

I believe this is what you're looking for...

    #define GOODCHARS " +,-.0123456789:=@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz~"

-David Fuchs

Barbara Greenwood wrote:

>Hi,
>
>Does anyone know which characters, other than alphanumeric, are legal in
>mailbox names with Cyrus v2.0.12 & later?
>
>
>
>Thanks,
>Barbara
>--
>Barbara Greenwood
>Senior Developer
>World Online UK, a Tiscali Company
>Email: [EMAIL PROTECTED]
>
Re: Patch to change dots to slashes.
I've attached it to this message. Just extract cyrus-imapd-2.0.14, cd to the directory, and run:

    "patch < /path/to/cyrus-imapd-2.0.14-DOTPATCH.diff"

This is a later version of the original patch I released, it fixes a problem setting/parsing quota files.

-David Fuchs

- Original Message -
From: Kevin J. Menard, Jr. <[EMAIL PROTECTED]>
To: David Fuchs <[EMAIL PROTECTED]>
Cc: Cyrus Info Mailing List <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, June 21, 2001 5:47 PM
Subject: Re: Patch to change dots to slashes.

> Hey David,
>
>
> Wednesday, February 14, 2001, 6:47:52 PM, you wrote:
>
> DF> Attached are two patch-files that will change the Netnews dot delimiter
> DF> to a slash in Cyrus. I created these patches from the sources for
> DF> 2.0.11 (you shouldn't need 2.0.11 to apply it though). The first file
> DF> (imappatch) needs to be run in the IMAP directory of the Cyrus sources.
> DF> The second file (libpatch) needs to be run in the lib directory of the
> DF> Cyrus sources.
>
> DF> User mailboxes will act differently with the patch applied. Dots are
> DF> now allowed in usernames, but not slashes.
>
> DF> Example of a mailbox listing:
>
> cyradm>> lm
> DF> user/david.fuchs
> DF> user/david.fuchs/subfolder
>
> DF> I've tested this patch with Microsoft Outlook Express and Pine as mail
> DF> clients (POP3 and IMAP). Everything seems to work fine. I'm not a
> DF> professional developer, so if there are any problems please mail me.
>
> DF> -David Fuchs
>
> Anyone have a patch for 2.0.14?
>
> --
> Kevin
>
>

cyrus-imapd-2.0.14-DOTPATCH.diff
Re: inetd.conf equivalent on Linux 7?
...try "man inetd". There is an inetd.conf if you create one, but not until then. You also have to start inetd on your own (whether by rc.local or some other method). You may want to find a Linux User Group to join, there are quite a few of them around...

-David Fuchs

- Original Message -
From: Curtis Martin <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 26, 2001 3:00 PM
Subject: inetd.conf equivalent on Linux 7?

> Hello,
>
> Does anybody know where or what the inetd.conf equivalent is on Linux?
>
> Curtis Martin
> Network / Database Administrator
> [EMAIL PROTECTED]
> 310-414-6760 x224
>
>
>
sieve authentication problem
I have been happily running cyrus-imapd 1.6.24 for some time. My mail server is a black box: the users have no local accounts; imapd.conf instructs cyrus to authenticate via PAM and /etc/pam.d/imap uses pam_ldap.so to get user data from an OpenLDAP database. It all works beautifully. I do not use the SASL database at all; it is completely empty.

Now I want to get sieve scripts working. When I

    telnet mailserver sieve

then timsieved answers. But when I

    installsieve -u username mailserver

and enter username's password, it barfs, saying

    Authentication failed with: "user not found"
    Authentication failed.

Packet sniffing reveals that the LDAP database was never queried.

What is going on? Why doesn't timsieved use PAM just like imapd? Do I need an /etc/pam.d/sieve entry? Must I need to use the SASL database?

Help, please!
Re: imap 2.0.14 and sieve problems
I've seen this behaviour from several different MTA's. I thought that RFC1123 (Para 5.2.13) addressed this issue, but upon checking, I see that it refers to return-path.

-Dave

Pavel Levshin wrote:
>
> Hello Ken,
>
> Wednesday, July 11, 2001, 8:23:00 PM, you wrote:
>
> >> nw> Why is there no from address (I set the servername: in /etc/imapd.conf) and
> >> The message is formated as a bounce.
> KM> Technically speaking, it is an MDN (message disposition notification).
> KM> The reason that there is no envelope from address, is that you don't
> KM> want some idiot to reply to an MDN (prevent mail loops, etc).
>
> Then, some servers on the Net do not accept those mails. I've got this
> error from remote MTA (IMail 5.05):
>
> >>> MAIL From:<> SIZE=726
> <<< 501 bogus mail from
>
> Which RFC states this behaviour, as explained by you? I want to be
> prepared for questions from my users. :)
>
> WBR, Pavel mailto:[EMAIL PROTECTED]icq:52216261
Re: phantom mailbox
I recreated your situation on my own system... but had no trouble...

    cyradm -u cyrus localhost
    Please enter your password:
    IMAP Password:    (Why it asks for two passwords I don't know... =] )
    localhost> cm user1
    user.chrispy user.df user1
    localhost> sam user1 cyrus all
    localhost> dm user1
    localhost> lm
    user.chrispy user.df
    localhost> exit

A suggestion would be to dump the mailboxes DB to a textfile, remove the offending line, and then reconstruct the mailboxes DB.

Example:

    su cyrus -c "/path/to/ctl_mboxlist -d >mbox.out"
    vi mbox.out
    >>>remove the line and write changes<<<
    su cyrus -c "/path/to/ctl_mboxlist -u /user1

Hope that helps... I'm not sure why your original attempts at setting the ACL and removing the entry didn't work... hmmm...

-David Fuchs

- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, July 23, 2001 12:57 PM
Subject: phantom mailbox

> i stupidly did the following:
>
> cyradm -user cyrus localhost
> localhost> cm user1
>
> rather than
>
> localhost> cm user.user1
>
> ls $partition-default:
> user1 stage. user
>
> cyrus is my administrative account.
>
> localhost> dm user1
> deletemailbox: Permission denied
> localhost> sam user1 cyrus all
> setaclmailbox: cyrus:lrswipcda: System I/O error
>
> i tried rm -rf $partition-default/user1, but the mailbox still shows up
> when i
>
> localhost> lm
>
> i tried
>
> localhost> cm user.fakeuser
>
> # cp -R $partition-default/user/fakeuser $partition-default/ \
> mv $partition-default/fakeuser $partition-default/user1
>
> to recreate the mailbox at the file system level, but i still can't remove
> it.
>
> also,
>
> localhost> cm user1
> createmailbox: Mailbox already exists
>
> so what to do?
>
> i remember something like this on the list before, but when i searched the
> archives, i only found reference to the reverse problem (that is, cyradm
> not reporting the mailbox, but the mailbox existing).
>
> also, where are the ACLs for mailboxes kept?
>
> when i:
>
> # cat user/someuser/cyrus.header
> Cyrus mailbox header
> "The best thing about this system was that it had lots of goals."
> --Jim Morris on Andrew
>
>
> someuser lrswipcda
>
> as root can i just:
>
> # echo "anotheruser lrswipcda" >> $partition-default/user/someuser/cyrus.header
>
> to give anotheruser all rights to someuser's mailbox?
>
> thanks,
> somecyrusadmin
>
Re: Double login? (was phantom mailbox)
Yeah, I don't know. It's not the biggest deal, because it still works after the second prompt, but since we're on the topic... These are my details if you or anyone else can help solve this: FreeBSD 4.3 Cyrus SASL 1.5.24 ./configure \ --prefix=/usr/local/cyrus-sasl --enable-shared --enable-static --with-gnu-ld \ --with-dblib=berkeley --with-pwcheck=/usr/local/cyrus-sasl/pwcheck Cyrus IMAPd 2.0.14 ./configure \ --prefix=/usr/local/cyrus --with-cyrus-user=cyrus --with-cyrus-group=mail \ --with-cyrus-prefix=/usr/local/cyrus --with-sasl=/usr/local/cyrus-sasl \ --with-dbdir=/usr/local/BerkeleyDB.3.2 --with-auth=unix imapd.conf: admins:cyrus sasl_pwcheck_method:pwcheck I'm not using sasldb... perhaps that has something to do with it. My system uses DES crypt libs for the password file, but the passwords are stored as MD5. Perhaps the auth mechanism isn't even using pwcheck the first time around? -David Fuchs Kevin J. Menard, Jr. wrote: >Hey David, > > >Wednesday, July 25, 2001, 12:02:50 AM, you wrote: > >DF> I recreated your situation on my own system... but had no trouble... > >DF> cyradm -u cyrus localhost >DF> Please enter your password: >DF> IMAP Password: (Why it asks for two passwords I don't >DF> know... =] ) > >I could be wrong here, but the first pass through is for MD5 SASL passwords >or something. If that doesn't work, it falls back to a plaintext protocol, >which would be sending a LOGIN command to the IMAP server directly. I don't >know why the SASL passwd look up succeeds with LOGIN and not the other way, >but go figure :-P > >If you do cyradm -u cyrus -a login localhost, it should only prompt you >once. > >-- > Kevin >
signaled to death by 11 -- solved!?
I am faced with the same "signaled to death by 11" problem on RH 7.1 that has been reported in this list several times before. I think I understand the problem, but I need a little coaching to implement a solution.

Here's the problem: whenever I login correctly,

# telnet localhost imap
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
* OK sartre.rprc.washington.edu Cyrus IMAP4 v2.0.16 server ready
. login
Connection closed by foreign host.

the connection closes, and the spawned imapd process

imapd[16162]: login: localhost.localdomain[127.0.0.1] plaintext
imapd[16192]: pam_ldap: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT): Unknown error
imapd[16192]: pam_ldap: _set_ssl_options failed
master[16154]: process 16192 exited, signaled to death by 11

dies ignominiously.

I am using sasl_pwcheck_method: PAM and pam_ldap to authenticate against an OpenLDAP database. Note that pam_ldap complains that it has been passed an option LDAP_OPT_X_TLS_REQUIRE_CERT with which it is unfamiliar. My guess is that the LDAP_OPT_X_TLS_REQUIRE_CERT option is the problem. Needless to say, that means the previously touted explanations regarding Berkeley DB linking problems are red herrings.

So... how can I get cyrus-imap not to require TLS for a plaintext login? I realize the cyrus team thinks they are doing me a favour by requiring this, but there really needs to be a simple way to disable it in configuration files. Also, imapd certainly shouldn't be committing suicide just because a PAM module doesn't understand its request for some exceedingly obscure LDAP_OPT_X option.

Additional information of dubious use follows.

If I login with an incorrect password,

# telnet localhost imap
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
* OK sartre.rprc.washington.edu Cyrus IMAP4 v2.0.16 server ready
. login
. NO Login failed: authentication failure

the authentication fails, but nobody dies.

If I use another PAM module instead of pam_ldap, for example the trivial pam_permit, which always returns success, it all works. I (and, of course, everyone else in the world) can login successfully, and nobody dies! However, lest you think that a hopelessly buggy pam_ldap is the problem, you should know that the selfsame pam_ldap is working fine with about 42 other services I offer (login, netatalk, passwd, samba, ssh, ...) including an old cyrus-imapd-1.6.24 installation on another machine.

The relevant version numbers are

cyrus-imapd-2.0.16 (compiled from source)
cyrus-sasl-1.5.24 (from cyrus.sasl-1.5.24-17.i386.rpm)
Berkeley DB 3.3.1 (from db3-3.1.17-7.i386.rpm)
pam_ldap-122 (compiled from source)

in case that helps anyone.
Re: signaled to death by 11 -- solved!?
> BTW, what is the fastest route? > imap -> sasl -> pam-ldap -> ldap server > imap -> sasl -> ldap server The fastest route to me seems to be: imap -> pam_ldap -> ldap server Can we PLEASE produce a version of cyrus-imap imap WITHOUT SASL? PAM may be a smidgeon less flexible, but it is simpler, more widely used and supports many more authentication methods. Eliminating SASL might make life harder for the (guesstimated) 10% of cyrus-imap sites that really use it, but it would make life immeasurably easier for the remaining 90% who spend countless hours just trying to circumvent it! Seriously, can someone who knows the code comment on how difficult it would be to replace SASL with another mechanism?
Re: signaled to death by 11 -- solved!?
> What's wrong with having both PAM and SASL in the implementation? And > isn't this the case? I'm still using Cyrus IMAP 2.0.13 so maybe PAM > has been removed since, but I would be surprised. PAM has never been in the distribution. SASL is in the distribution and PAM is supported by SASL. That sounds fine in theory, but in practice it appears that SASL's PAM support has some problems.
Re: signaled to death by 11 -- solved!?
I have spent more time investigating the interaction of pam_ldap and SASL, and have narrowed down the problem considerably, but still not quite "got it". The TLS options seem also to be the wrong direction; I can eliminate TLS/SSL and the problem persists. By inserting lots of debug code, I have found out where in pam_ldap the problem lives. When SASL calls pam_authenticate, the pam_sm_authenticate subroutine in pam_ldap.c gets run. This routine calls pam_get_user and pam_get_item to obtain the username and password from imapd; no problem occurs here and it gets the right username and password. It then calls a routine named _do_authentication to check these against the ldap database. Now when _do_authentication is run against a correct password, it returns success and pam_ldap returns success, but imapd dies. If I comment out the call to _do_authentication and just return success, imapd does not die. So it would seem the problem lies with _do_authentication. But here is the weird part -- as far as I can tell, _do_authentication does not interact with imapd or the SASL library at all; it contains only LDAP library calls to interact with the LDAP server! And remember, this interaction doesn't generate any errors, but rather runs flawlessly and returns success. It seems, though, that a side-effect of this interaction is to screw up the imapd so badly that it dies with a "signaled to death by 11". ??? I do not understand! ? Can anyone explain to me how this might happen? Does OpenLDAP interact with SASL somehow? I will also forward this to the pam_ldap list.
Reality Check
Does ANYONE have the following configuration working? cyrus-imapd-2.0.x authenticating via LDAP using sasl_pwcheck_method: PAM and the pam_ldap module If so, please chime in to say on what system and how you got it to work. I can't imagine this configuration is obscure: LDAP is the preeminent large-scale directory server, cyrus-imapd the preeminent large-scale imap server, and PAM the preeminent authentication system. If everyone is having the problems I am, this is a disaster for cyrus-imapd.
OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x
I and quite a few other users of the cyrus-imapd system have found a problem which occurs exclusively when we authenticate using the PAM module pam_ldap linked against the OpenLDAP 2.0.x libraries. I am writing to ask whether this bug and any potential solutions are known to the wider OpenLDAP and pam_ldap communities. The basic problem is that, with the authentication scheme mentioned, imapd segfaults when pam_ldap returns success. Like anyone presented with this problem, I initially presumed the problem lay with cyrus-imapd (or with the cyrus-sasl library it uses). More careful investigation tends to cast suspicion elsewhere: 1) The problem does not occur with any other PAM module, or with a patch which allows SASL to authenticate via LDAP directly. That would tend to cast suspicion on pam_ldap, but... 2) pam_ldap works fine with dozens of other applications. That would tend to cast suspicion on cyrus-imapd or the cyrus-sasl library. Hmm, we seem to be going in circles here. 3) By commenting out sections of pam_ldap, printing debug messages, etc, I found that the problem occurs only when the _do_authenticate subroutine in pam_ldap.c is executed. There is no PAM code in that subroutine, only calls to OpenLDAP routines! This is very weird: the PAM exchange between cyrus-imapd and pam_ldap runs without a hitch; the LDAP exchange between pam_ldap and my OpenLDAP server also runs without a hitch. Yet the latter (not the former!) exchange seems to have the side-effect of killing the cyrus-imapd server. 4) The above behaviour occurs even when the OpenLDAP server is on a different machine, so it can't be the server that is causing the side-effect. The side effect must be the fault of the client LDAP libraries. Or of cyrus-imapd/sasl for being susceptible to the side-effect. 5) This conclusion is strengthened by the observation (due to Phillip Sacha) that when pam_ldap is linked against OpenLDAP 1.x or Netscape-LDAP libraries, the problem goes away... 
even when authenticating against an OpenLDAP 2.0.x server. This would seem to lay guilt on OpenLDAP libraries rather than cyrus-imapd/sasl. Finally, two more incidental observations: a) Entering a wrong password does not kill imapd. Furthermore, if I first enter a wrong password, then a right password, I can log in without killing imapd. pam_ldap seems to cache some info during a session, and its not having to look up that info a second time prevents the side-effect. This may provide a clue as to which OpenLDAP APIs are at fault. b) Several people (eg Norbert Sendetzky) have reported that the precompiled pam_ldap binary distributed by RedHat does work. Use of ldd reveals that it is linked against the OpenLDAP 1.2.x client libraries. Can any users and/or devs provide more detailed observations which would allow us to identify the guilty party and file a clear bug?
Re: Reality Check
Phillip Sacha, thanks so much for pointing out that pam_ldap works when linked against the OpenLDAP 1.x libraries. Norbert Sendetzky also pointed out that Red Hat's precompiled pam_ldap also works, and ldd reveals that to be linked against libldap.so.1 and liblber.so.1 -- the OpenLDAP 1.x libraries. My question is how to compile pam_ldap against the 1.x libraries. I have the 1.x shared objects liblber.so.1 and libldap.so.1 present on my RH installation from the openldap12 rpm, but my libldap.a and liblber.a development libraries are from 2.x. I believe the -lldap -llber command line options will therefore link against the 2.x libraries. I don't suppose you know a way to link directly to shared objects? Assuming not, how can I download the 1.x development libraries and get pam_ldap to compile against them without clobbering the 2.x libraries? -- I still want other projects to link against them. Thanks for your help.
SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)
First off, thanks to you, Lawrence, and the many others who helped clarify why OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x won't play together out-of-the-box. For those just tuning in to this thread, it's because the SASL routines are (1) used both by cyrus-imapd and OpenLDAP and (2) not re-entrant, so memory gets deallocated by one while the other is still trying to use it. Poof -- core dump. CMU people, please don't take the following personally; your work is impressive and appreciated. But some things about it are less than useful off the CMU campus, and I think SASL is one of them. My reasoning is simple: A non-re-entrant security layer is a contradiction in terms. Security layers are designed to be ubiquitous -- if SASL works out as planned, every application involved in authentication will link to it. Problems like these would be a dime a dozen (which is one reason SASL will not become ubiquitous). I think for most applications PAM is a much better alternative. It is inherently simpler. It can support ticket systems by using Kerberos. It can support access restrictions based on time-of-day, IP-address, and such, which (correct me if I'm wrong) SASL cannot. It is far more widely used and easily understood. One PAM critic on this list said that PAM is easy to misconfigure, which is true, but if we were all held back by stuff like that we'd be using Macs. The philosophy of Unix is to give you enough rope to hang yourself... and then a bit more for good measure. Of course, one can always claim that SASL doesn't hurt anything, since it can call PAM. But my experience has proven the fallacy of the doctrine of harmless layers. It turns out to be even more difficult than planned for me to avoid the re-entrancy problem, because the LDAP encryption of OpenLDAP 2.0.x gets broken when compiled --without-cyrus-sasl, and OpenLDAP 1.x doesn't have any encryption, and I need my LDAP communications encrypted (which is why the sasl-ldap patch also isn't an option). 
Which leads me to repeat my earlier question: how hard would it be to replace SASL with PAM, thus producing, IMHO, a more useful imap server for sites other than CMU. Basically this comes down to the question: how many calls to SASL library APIs are there in cyrus-imapd? 10? 100? 1000? If it's less than 100 I'd give it a try myself. Thanks for listening, David
Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)
Please educate me, I do not understand. > Please use pwcheck. Your problems will go away. The pwcheck distributed with cyrus-sasl is not useful to me. My users are not in /etc/passwd -- they are ONLY in an LDAP database. Even a pwcheck daemon that uses LDAP is only useful to me if it does LDAP-SSL -- I need password traffic encrypted over the network. pam_ldap does this nicely, so any pwcheck daemon that did all this would basically be re-implementing the functionality of pam_ldap. Can you kindly point me to a pwcheck daemon that just calls PAM? > PAM does not do network authentication. PAM does not solve the > problems under consideration. What do you mean by "network authentication"? If you mean a ticket system so that users need only authenticate themselves once, it most certainly does, via Kerberos. If you mean certifying the identity of the client and server machines, pam_ldap and OpenLDAP can do that. What exactly is the problem under consideration that (given the appropriate modules) PAM doesn't solve?
Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap +cyrus-imapd-2.0.x)
note there are (or were) limits on the size of usernames and passwords that pwcheck can deal with. David Lang On Fri, 10 Aug 2001, Jeremy Howard wrote: > Date: Fri, 10 Aug 2001 05:59:54 +1000 > From: Jeremy Howard <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED], Marco Colombo <[EMAIL PROTECTED]> > Cc: [EMAIL PROTECTED] > Subject: Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + > cyrus-imapd-2.0.x) > > Devdas Bhagat wrote: > > The problem with the current design of imapd is that it assumes that > > SASL will be available locally in some form, ignoring that it may not > > be available there. > > Do the pwcheck daemons provide support for this? > > Yes. The pwcheck 'API' is this simple: > - SASL sends username\0password\0 over a socket > - The daemon sends back 'OK\0' or 'Incorrect password\0' > > How the daemon decides on what response to return is completely open. For > instance, my pwcheck daemon contacts a MySQL server on a remote machine to > check the credentials. > >
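The pwcheck exchange described in the quoted message above (SASL sends username\0password\0 over a socket, the daemon answers 'OK\0' or 'Incorrect password\0'), combined with the size-limit caveat, as an added example that is not part of the original posts and is not cyrus-sasl code. The 256-byte cap, the sample account and the function names are assumptions made for the illustration; the credential store here is an in-memory table standing in for whatever backend a real daemon would query.

```python
import hashlib
import hmac
import socket

# Assumption for this example: a hard cap on the whole request. The thread
# only says that pwcheck has (or had) size limits, not what they are.
MAX_REQUEST = 256

OK = b"OK\0"
FAIL = b"Incorrect password\0"

# Constructed sample data: one account, stored as a salted PBKDF2 hash.
SALT = b"constructed-salt"
ITERATIONS = 50_000


def derive(password: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, SALT, ITERATIONS)


USERS = {b"user1": derive(b"s3cret")}
DUMMY = derive(b"placeholder for unknown users")


def read_request(conn: socket.socket):
    """Read 'username\\0password\\0'; return (user, password) or None."""
    buf = b""
    while buf.count(b"\0") < 2:
        chunk = conn.recv(MAX_REQUEST + 1 - len(buf))
        if not chunk:                 # peer closed before the second NUL
            return None
        buf += chunk
        if len(buf) > MAX_REQUEST:    # oversized: reject, never truncate
            return None
    user, password, trailing = buf.split(b"\0", 2)
    if trailing or not user:          # bytes after the password, or no name
        return None
    return user, password


def verify(user: bytes, password: bytes) -> bool:
    stored = USERS.get(user)
    # Derive and compare even for unknown users, so the response time does
    # not reveal which account names exist.
    match = hmac.compare_digest(derive(password), stored or DUMMY)
    return match and stored is not None


def handle(conn: socket.socket) -> None:
    """Daemon side: one request in, one NUL-terminated verdict out."""
    request = read_request(conn)
    conn.sendall(OK if request and verify(*request) else FAIL)


def exchange(raw_request: bytes) -> bytes:
    """Client side (the role SASL plays): send raw bytes, return the reply."""
    client, server = socket.socketpair()
    try:
        client.sendall(raw_request)
        client.shutdown(socket.SHUT_WR)
        handle(server)
        return client.recv(64)
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    for req in (b"user1\0s3cret\0", b"user1\0wrong\0", b"A" * 300 + b"\0x\0"):
        print(req[:24], "->", exchange(req))
```

A malformed, truncated or oversized request gets the same 'Incorrect password\0' answer as a wrong password, because the protocol as described has only those two replies.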
turning off AUTH=CRAM-MD5
Cyrus-imapd (1.6.24) insists on advertising AUTH=CRAM-MD5, even though this is a lie. This is (I think) one of the (many bad) side-effects of SASL -- because of SASL cyrus advertises this AUTH, but in fact my sasldb is utterly empty (all authentication is via PAM) and so any client that takes cyrus up on the offer gets told the user doesn't exist. So... how can I get cyrus to stop advertising AUTH=CRAM-MD5?
Re: turning off AUTH=CRAM-MD5
Also if you have already installed SASL you will need to go to the directory it gets installed into and delete the authentication libraries that you don't want to use. it doesn't matter what you disable at compile time. if there is something in the directory the cyrus (and other SASL enabled stuff) will insist on trying to use it. David Lang On Mon, 20 Aug 2001, Amos Gouaux wrote: > Date: Mon, 20 Aug 2001 00:33:16 -0500 > From: Amos Gouaux <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] > Subject: Re: turning off AUTH=CRAM-MD5 > > >>>>> On Sun, 19 Aug 2001 21:51:33 -0700, > >>>>> David Wright <[EMAIL PROTECTED]> (dw) writes: > > dw> Cyrus-imapd (1.6.24) insists on advertising AUTH=CRAM-MD5, even > dw> though this is a lie. This is (I think) one of the (many bad) > dw> side-effects of SASL -- because of SASL cyrus advertises this AUTH, > dw> but in fact my sasldb is utterly empty (all authentication is via > dw> PAM) and so any client that takes cyrus up on the offer gets told > dw> the user doesn't exist. > > dw> So... how can I get cyrus to stop advertising AUTH=CRAM-MD5? > > Configure cyrus-sasl accordingly. Use the various --disable-* > options to configure. See --help for details. > > -- > Amos >
Re: limit of file descriptors
linux 2.0 and 2.2 have a FD limit ~512, this can be bumped up to 4092 with a source code edit, but cannot be pushed above that. 2.4 defaults to a much larger number (based on ram I think, on my 512M machines it's 8K) and can be bumped up to 32K or 64K (don't remember which at the moment) in a boot script David Lang On Thu, 6 Sep 2001, Jeremy Howard wrote: > Date: Thu, 6 Sep 2001 22:08:50 +1000 > From: Jeremy Howard <[EMAIL PROTECTED]> > To: Lawrence Greenfield <[EMAIL PROTECTED]>, > Horst Lederhaas <[EMAIL PROTECTED]>, > [EMAIL PROTECTED] > Subject: Re: limit of file descriptors > > Lawrence Greenfield wrote: > >From: "Jeremy Howard" <[EMAIL PROTECTED]> > >Date: Sat, 25 Aug 2001 08:15:42 +1000 > > > >Lawrence Greenfield wrote: > >> This message is usually harmless. > >> > >> Some systems limit how many file descriptors a process can use, and > >> the 'master' process tries bumping it up to be infinite. If it > fails, > >> it usually means that there's no default limit. > >> > >I too get this message, under Linux kernel 2.4.8. But I'm pretty sure > that > >Linux has an FD limit (1024 FDs according to `ulimit -a`). Do I have to > do > >something special to let Cyrus increase FDs under Linux? > > > > As long as root invokes master, there shouldn't be anything else. > > > Strange... I am on linux kernel 2.2.19 and root is invoking master. But I'm > still getting this error. I'm running 2.0.16. > > It's no big deal yet because I'm not hitting the limit, but I'm curious > now... What else could be causing the problem? How should I go about > debugging this one? > >
Re: netscape to cyrus
Darin Perusich wrote: > > let me rephrase. > > i want to move existing messages that are in $HOME/nsmail without any > user intervention. i used a modified bsd2cyrus to create all the empty > subfolders on the cyrus server. > > i did the drag-n-drop move for myself but there are about 80 or 90 users > that need to have their messages pushed into the server. if it comes > down to it that's what i'll do but i'd rather not, too time > consuming. I had problems with user-side migration with the version of Cyrus I was using (the APPEND command would hang in some circumstances), so I hacked up some Perl to parse the Netscape local mail format and put the mail (carefully) in a Cyrus store via IMAP. The code is at http://gadbois.home.texas.net/src/netscape-to-imap.pl. You will definitely need to modify it to suit your purposes. --David Gadbois
Re: Cyrus and very large folders
I was running cyrus as my company mailserver for a while, I saw things start to slowdown when there were more than ~7K messages in one folder (and start to be significant when it got to more than ~20K messages/folder). This was on linux 2.0.x on a pentium 200 with 64MB ram serving ~200 users. it's a problem, but it's far less of a problem than attempting to parse a unix mail file to get the message you need, that starts to slow down significantly at <1000 messages (on a much faster linux box) David Lang On Mon, 22 Oct 2001, Amos Gouaux wrote: > Date: Mon, 22 Oct 2001 09:03:16 -0500 > From: Amos Gouaux <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] > Subject: Re: Cyrus and very large folders > > >>>>> On Sun, 21 Oct 2001 23:24:30 -0700, > >>>>> Jurgen Botz <[EMAIL PROTECTED]> (jb) writes: > > jb> At one point in the past I used Netscape Messaging Server (now iPlanet) > jb> and it had this problem at versions less than 4.x. With a few hundred > jb> users, many of whom had mailboxes with a few thousand messages in them, > jb> opening a mailbox was painfully slow. The problem is that normal Unix > > Well, my inbox currently has 3568 messages in it and PINE pops it > open in a jiffy. You need to keep in mind that Cyrus caches things > like the headers. See the four "cyrus.*" files in each folder. > > In fact, I typically use the auto-expire capabilities in Gnus > (news/mail reader for Emacs/XEmacs) and rarely ever manually delete > a message. I could not do this if Cyrus didn't handle large folders > well. > > jb> Has anyone who uses Cyrus in a large organization environment found > jb> this to be a problem? > > How do you define "large"? ;-) I think if you spread your message > store across spindles, you should be okay. > > > -- > Amos >
Re: mailbox migration
This morning, I just finished completing exactly what you are doing (except we use FreeBSD on both systems) by migrating from 1.5.19 to 2.0.14. Here is a quick guide (I wrote everything down...):

Copy the 'mailboxes' file from the old Cyrus 1.5.19 to the new machine somewhere.

Run the command:

su -c "/path/to/cyrus-2.0.14/bin/ctl_mboxlist -u < /path/to/old/cyrus/mailboxes"

This command creates a mailboxes.db with the information from the old mailboxes file. I created a dot-patch (user/ instead of user.) a while ago for my customers, which means I had to edit the 'mailboxes' file and replace all dots with slashes before I could import it into Cyrus 2.0.14. You can safely skip any modifications to the 'mailboxes' file.

Tar up your mailstore on the old server. ie:

tar -zcvf cyrus-mboxes.tar.gz /path/to/cyrus-1.5.19_partitions

Tar up your quotas if you have them. ie:

tar -zcvf cyrus-quotas.tar.gz /path/to/cyrus-1.5.19/quota

ftp or scp the cyrus-mboxes.tar.gz and cyrus-quotas.tar.gz to the new server.

Untar the mailstore to the proper location, and ensure that your new imapd.conf correctly reflects the old partition scheme. The partition scheme must be identical, or you're going to find yourself making changes to the mailboxes.db and quotas.

Untar the quotas to the proper location ie: the imapd.conf's /quota .

Reconstruct your mailbox headers and quotas to ensure integrity.

su -c "/path/to/cyrus-2.0.14/bin/reconstruct"
su -c "/path/to/cyrus-2.0.14/bin/quota -f"

Start the 'master' process...

Cross your fingers and test some mailboxes!

Hope that helps! -David Fuchs

Jesse Ahrens wrote: Hi, I have to admit a fair amount of greenness in this so bear with me. I'm trying to migrate the mailboxes from a solaris 7 box running Cyrus IMAP 1.5.19 to a FreeBSD 4.4 box running Cyrus 2.0.14. If anyone has a guide or a URL to do this I'd be extremely grateful for any knowledge anyone can lend. Thanks in advance.
Jesse Ahrens Unix Systems Administrator Meridian Advertising 4850 G St. Omaha, NE 68117 402-733-6400 x266
imapd hangs
I am running a locally compiled cyrus 2.0.16 on a Red Hat 7.1 system. Twice now one of my users (only one, but this one happens to be my boss!) has observed a weird, transient failure mode: in this mode, imapd hangs on any attempt to write to a folder. Here is an example, caught by ethereal:

000c LIST "" inbox.Sent
* LIST () "." "inbox.Sent"
000c OK Completed (0.000 secs 2 calls)
000d APPEND inbox.Sent {353}

That's it -- no word from imapd ever again. Here, for reference, is how it's supposed to look:

0006 LIST "" inbox.Sent
* LIST () "." "inbox.Sent"
0006 OK Completed (0.000 secs 2 calls)
0007 APPEND inbox.Sent {355}
+ go ahead
Date: Mon, 26 Nov 2001 22:25:29 -0800 (PST)...
0007 OK [APPENDUID 1001546367 273] Completed

But in the hanging mode, the client never gets a "+ go ahead" from imapd. Once this behaviour starts, it occurs for any imapd process that my boss creates until the cyrus master process is killed and restarted. It does not occur for other users' imapd processes, even while it is occurring for my boss's. Mail delivered via lmtp continues to arrive normally in my boss's inbox, even while this is occurring.

The last time this occurred (about 10 days ago), I reconstructed my boss's mailboxes and assumed that was that, but today it happened again. My boss uses the same clients (netscape and pine) as most of my other users. The only thing unusual about his account is its size: 246 MB distributed over 299 folders (we have no quotas). I am wondering if sometimes an operation on a large file or directory might time out and leave cyrus in an inconsistent state.

One last piece of information: when setting up cyrus, I chose to ignore the documentation's advice to set the user, quota, and partition directories to update synchronously. The documentation implies that the only consequence of this is possible data loss during a hard shutdown, and since that has never happened to us (our server has a UPS and we are in a hospital with its own emergency power) I choose to accept that risk. I am now wondering if asynchronicity might have additional consequences.

That's the story. Any ideas? Can anyone suggest a way to get more information out of cyrus, e.g. an strace or ltrace of a running imapd process so I can see what it is doing when it dies?
Configuring Cipher Strength
For SSL/TLS connections, is there some way to tell cyrus-imap what sorts of encryption to allow? Apache's mod_ssl, for example, has the SSLCipherSuite directive, which I use thusly: SSLCipherSuite HIGH:+MEDIUM:-LOW:-EXP:-ADH:-NULL The trouble with simply allowing all ciphers supported by OpenSSL is that OpenSSL has support (as it should) for some weak algorithms and some old algorithms now known to be broken.
selecting ciphers for imapd SSL/TLS
A while back I wrote to the list asking about how to specify the SSL/TLS cipher algorithms that cyrus imapd should accept (by analogy with the SSLCipherSuite directive from Apache's mod_ssl). I didn't receive a reply (which is fine) so now I want to verify: is it true that there is no way to specify which cipher algorithms cyrus imapd should accept? I think this should be considered a rather large security hole. I believe OpenSSL will even negotiate down to the NULL cipher (i.e. no encryption) if a client claims that is all it will accept.
sieve vacation implementation details
Hi, I just have some simple questions about the sieve vacation implementation. I'm using sieve from the cyrus 2.0.16 release. 1) Where does it store the list of who the message has been sent to? 2) How is the start/end date stored? If I deactivate a script with a vacation rule, then reactivate it, does the vacation restart with the current date, or create another instance, or get ignored? 3) Does sieve have an "include" capability? So my default script could include other scripts? I'm asking because I'm setting up a quick stop-gap php page to allow users to set and unset vacation messages, without wiping out any existing sieve rules, until I can get a full blown sieve front end for them. Thanks for any help. -david
RE: Intermittent mailbox lockups
I'm using a software raid5 and raid1 setup with a 2.4.17 kernel without problems. I'd probably look at db3 being the cause of locking mailboxes before troubleshooting raid issues. We're using the debian 3.2.9 db3 package. -david -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of julesa Sent: Friday, February 15, 2002 11:01 AM To: [EMAIL PROTECTED] Subject: Intermittent mailbox lockups We've been living with this problem for some time, but it seems to be occurring more often as we add users. It's still very intermittent, it hits about three users a week. What happens is one of their mailboxes just locks up and will not accept any new mail. Killing the master and restarting it has no effect, but reconstruct -r user.[uid] fixes the problem. We've upgraded from 2.0.15-HIERSEP to 2.1.1 and still have the problem. We're using the RedHat db3 RPM version 3.1.17-5. We are also running the Linus 2.4.3 kernel and using software RAID to mirror the message store filesystem. I'm starting to suspect the problem's related to the kernel, or perhaps to using Linux' software RAID. I should probably upgrade the kernel anyway (to RedHat's 2.4.9 release, I'm thinking), but I'm wondering if this problem will remain if I don't move the filesystem to a non-mirrored drive. Is anyone else using the Linux kernel RAID with a Cyrus message store? Any experiences, good or bad?
Re: script to create users
On 02/19/2002 12:08 PM, Steven M Bloomfield wrote: > What I would really like is something where I could write my own script to > create users and set passwords - preferably in PHP. That way I can have a > sign-up process on a website. We had the same problem and ended up writing expect-scripts that were called via exec() from within php. It's not very pretty but it works. > My ideal solution would be to have a MySQL database containing all user > information for cyrus - does anyone know if there's any documentation > explaining how to set this up? Am I on the right track if I use pam_php > would that allow me to use MySQL database to store user information. > How would cyrus know that the user information is in a MySQL database? That's exactly what we're using. There is no problem in telling Cyrus to use pam. And there's a pam_mysql module which you can use. I have a small installation sheet, the documentation of the last server I installed. If you wish, I can send it to you. It's not a full blown documentation but it might have some information to get you started. Cheers, David -- ++ http://www.serverart.com ++ "Everything takes longer than you expect, even when you take ++ into account Hofstadters law." - Hofstadter's Law
Re: webmail
You might have a look at TWIG ( http://twig.screwdriver.net ) We've been using it over two years and it's highly modular and can very easily be extended to add support for quotas, multiple domains and the like. It also supports various DBs, mailservers, authentication mechanisms. For a preview of what the product could look like, go to: http://mail.serverart.com Cheers, David On 02/22/2002 02:12 PM, Steve Wright wrote: > Can someone recommend me a good webmail package ? > At some point in the near future I will need to setup webmail on our > production servers & after seeing the security squirrelmail offers I think it > will be very hard to make a case for it. > > I know of imp, mulberry & silkymail but have not used any of these packages. > What I would really like is people who have webmail running to tell me what > they feel the pros & cons are with the packages they are using. > > With Thanks, > Steve. > -- ++ http://www.serverart.com ++ "Everything takes longer than you expect, even when you take ++ into account Hofstadters law." - Hofstadter's Law
RE: A few emails escaping Sieve
I'm not following. How is this bypassing sieve? I've got a similar rule: if anyof (address :all :contains ["To", "Cc", "Bcc"] "info-cyrus" ) { fileinto "INBOX.cyrus-info";} which is also failing to catch these messages. Is it that sieve can't parse the header properly, because of the unbalanced ">", so it does nothing? Why does sieve care about a stray closing brace? I could guess the problems of an unclosed "<", but I would think a random ">" would be ignored. Any insight into this? Thanks, -david -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Simon Matter Sent: Friday, February 22, 2002 8:27 AM To: Christopher Wong Cc: [EMAIL PROTECTED] Subject: Re: A few emails escaping Sieve Christopher Wong schrieb: > > On Fri, 22 Feb 2002, Christopher Wong wrote: > > I am using Cyrus-IMAP 2.0.16 with Sieve enabled, and managing it with > > websieve. For this mailing list, I set up the following rule using > > websieve (as displayed by the "current rules" page): > > > > IF 'To' contains 'info-cyrus' OR field: 'CC' contains 'info-cyrus' THEN > > File Into 'INBOX.Cyrus-IMAP' > > > > This rule works most of the time. What puzzles me is that some emails do > > not get filtered. That is, instead of getting filed into the Cyrus-IMAP > > mailbox, occasional emails get past Sieve and end up in my INBOX. Here is > > one recent email that got past it: > > On second thought, I think I should include the full headers. One of the > unfiltered emails' headers follow below. One thing different between the > unfiltered emails and other emails on the list is the presence of a > Received line prefixed by a ">" coming from the sauter-bc.com domain. > Could this be messing up Sieve? Does that prefix belong in the headers? It seems that lizard.webland.de is the culprit, a host where we are sending mail to via UUCP. I don't have access to this machine unfortunately. 
-Simon > > Chris > > - > >From [EMAIL PROTECTED] Fri Feb 22 11:12:07 2002 > Return-Path: <[EMAIL PROTECTED]> > X-Sieve: cmu-sieve 2.0 > Received: from ui.csports.com (ui.csports.com [207.180.74.4]) > by lfps.csports.com (Postfix) with ESMTP id 07A2CDBF1 > for <[EMAIL PROTECTED]>; Fri, 22 Feb 2002 07:43:37 -0500 (EST) > Received: by ui.csports.com (Postfix) > id D9490102E2; Fri, 22 Feb 2002 07:43:36 -0500 (EST) > Delivered-To: [EMAIL PROTECTED] > Received: from lists2.andrew.cmu.edu (LISTS2.ANDREW.CMU.EDU [128.2.10.216]) > by ui.csports.com (Postfix) with ESMTP id A6040102B2 > for <[EMAIL PROTECTED]>; Fri, 22 Feb 2002 07:43:36 -0500 (EST) > Received: (from postman@localhost) > by lists2.andrew.cmu.edu (8.12.0.Beta16/8.12.2.Beta3) id > g1MCXCk4023451 > for info-cyrus-list; Fri, 22 Feb 2002 07:33:12 -0500 (EST) > Received: from mx.de.kpnqwest.net (mx.de.kpnqwest.net [193.141.40.5]) > by lists2.andrew.cmu.edu (8.12.0.Beta16/8.12.2.Beta3) with ESMTP id > g1MCX9iB023447 > for <[EMAIL PROTECTED]>; Fri, 22 Feb 2002 07:33:09 -0500 (EST) > Received: from lizard.webland.de (lizard.webland.de [194.122.76.201]) > by mx.de.kpnqwest.net (Postfix (mx14)) with ESMTP id 4947EC28E > for <[EMAIL PROTECTED]>; Fri, 22 Feb 2002 13:33:09 +0100 (MET) > (envelope-from [EMAIL PROTECTED]) > Received: (from uucp@localhost) > by lizard.webland.de (8.8.8/8.8.7) id NAA02968 > for [EMAIL PROTECTED]; Fri, 22 Feb 2002 13:33:09 +0100 (MET) > >Received: from mobile.sauter-bc.com (unknown [10.1.6.21]) > by basel1.sauter-bc.com (Postfix) with ESMTP id B880A57306 > for <[EMAIL PROTECTED]>; Fri, 22 Feb 2002 13:32:32 +0100 (CET) > Received: from ch.sauter-bc.com (support.cad.sba [10.1.200.117]) > by mobile.sauter-bc.com (Postfix) with ESMTP id A8C3B25835 > for <[EMAIL PROTECTED]>; Fri, 22 Feb 2002 13:32:32 +0100 (CET) > Message-ID: <[EMAIL PROTECTED]> > Date: Fri, 22 Feb 2002 13:32:32 +0100 > From: Simon Matter <[EMAIL PROTECTED]> > Organization: Sauter AG, Basel > X-Mailer: Mozilla 4.77 [de] (X11; U; 
Linux 2.2.19-6.2.12 i686) > X-Accept-Language: de-CH, en > MIME-Version: 1.0 > To: info-cyrus <[EMAIL PROTECTED]> > Subject: howto use the skiplist backend > Content-Transfer-Encoding: 7bit > Content-Type: text/plain; charset=us-ascii > Sender: [EMAIL PROTECTED] > Precedence: bulk
Re: Unknown user problem.
you do this type of username mapping in sendmail (or equivalent) not in cyrus. in sendmail look at the virtusertable feature and with it you can set the type of mapping you are describing. now you may be able to do something like this in sieve, I haven't looked, but other than that there is no way to do the user mapping at this layer. David Lang On Sun, 24 Feb 2002, Chris Gilbert wrote: > Hi, > > I've just setup a system running cyrus for my own use (it's installed and > seems to be running fine 8). > > However I've got a problem with unknown users. Having come from picking up > mail via POP and I'm now switching to imap, I could create new accounts > on the fly, as they all turned up in the same POP box on my isp's server. > Basically anything to @paradox.demon.co.uk would get to me, so I took > advantage of this. > > The problem is I can't see an easy way to allow unknown user mails to turn up > in a mailbox somewhere, rather than get bounced back to the sender. Does > anyone know of a way to do this in sendmail or cyrus? > > Note I've only just joined the list, but I did check the archives and > couldn't see anything relevant (most posts to do with unknown users were to > do with making sure the mails were bounced) > > Thanks, > Chris
Re: Too many users with Cyrus IMAP
what you have run into is a limit in the ext2/3 fs on the max number of directory entries you can have. there are patches out there for cyrus to create a second tier of directories rather than having all mailboxes in the user directory you have user/a user/b user/c etc (or in your case /1 /2 /3 etc) to avoid not only these problems, but also the problem that ext2/3 does sequential searches through the directory so with this many entries you will already be very slow. also take a look at reiserfs and XFS as possible candidates for you to use for your mailboxes, both of them have very different structures that are designed to handle the large numbers of directories problem better. David Lang On Sun, 24 Feb 2002, Andres Maduro wrote: > Date: Sun, 24 Feb 2002 23:16:06 -0800 > From: Andres Maduro <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] > Subject: Too many users with Cyrus IMAP > > Hi, > > I have installed Cyrus 2.0.16 on Red Hat 7.2 with the standard SASL > cyrus-sasl-1.5. I have been able to use it successfully and create perl web > administration tools for managing mailboxes. > > I am currently doing a stress test, I need to be able to handle more than > 100 thousand users on this server. I modified Cyrus Imap code so it can > accept numeric accounts which I need as I am creating emails for a cellular > company ([EMAIL PROTECTED]). I made a perl script to create 10 > accounts. I am using ext3 filesystem under linux. After the user number > 31948 was created, no more accounts were created. 
Examining the imapd.log, > I found that it was complaining about "too many links error", see below > extract from imapd.log: > > Feb 24 22:45:54 mail imapd[22212]: abort_txn: aborting txn 2147683085 > Feb 24 22:45:54 mail imapd[22212]: myfetch: starting txn 2147683086 > Feb 24 22:45:54 mail imapd[22212]: myfetch: reusing txn 2147683086 > Feb 24 22:45:54 mail imapd[22212]: mystore: reusing txn 2147683086 > Feb 24 22:45:54 mail imapd[22212]: IOERROR: creating directory > /var/spool/imap/user/0132123: Too many links > > Any help is greatly appreciated. > > It would be nice if we could split /var/spool/imap/user on several > partitions, is this possible ? What options do I have ? > > Following I will show several configurations files I am using: > > /etc/imapd.conf - > configdirectory: /var/imap > partition-default: /var/spool/imap > admins: cyrus root apache andres > sasl_pwcheck_method: sasldb > #sasl_auto_transition: yes > sendmail: /usr/sbin/sendmail > -- > > /etc/cyrus.conf - > # standard standalone server implementation > > START { > # do not delete these entries! > mboxlist cmd="ctl_mboxlist -r" > deliver cmd="ctl_deliver -r" > > # this is only necessary if using idled for IMAP IDLE > # idledcmd="idled" > } > > # UNIX sockets start with a slash and are put into /var/imap/socket > SERVICES { > # add or remove based on preferences > imap cmd="imapd" listen="imap" prefork=0 > imaps cmd="imapd -s" listen="imaps" prefork=0 > pop3 cmd="pop3d" listen="pop3" prefork=0 > pop3s cmd="pop3d -s" listen="pop3s" prefork=0 > sieve cmd="timsieved" listen="sieve" prefork=0 > > # at least one LMTP is required for delivery > # lmtp cmd="lmtpd" listen="lmtp" prefork=0 > lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0 > } > > EVENTS { > # this is required > checkpointcmd="ctl_mboxlist -c" period=30 > > # this is only necessary if using duplicate delivery suppression > delprune cmd="ctl_deliver -E 3" period=1440 > } > > > Best regards, > Andres Maduro >
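A check of the directory layouts discussed above against the ext2/ext3 limit, as an added example that is not part of the original thread and not Cyrus code. The account numbers are constructed to resemble the 0132123 name in the log, and the bucket functions (including the digest-based one) are hypothetical.

```python
import hashlib
from collections import Counter
from typing import Callable, Iterable, List, NamedTuple

# ext2/ext3 cap an inode at 32000 hard links. A directory already uses two
# ("." and its entry in the parent), so it can hold at most 31998
# subdirectories; the next mkdir() fails with EMLINK, "Too many links".
EXT3_LINK_MAX = 32000
MAX_SUBDIRS = EXT3_LINK_MAX - 2


class LayoutReport(NamedTuple):
    buckets: int   # number of second-tier directories under user/
    largest: int   # mailbox directories in the fullest bucket
    fits: bool     # True if every directory stays under the limit


def flat(user: str) -> str:
    """Stock layout from the thread: user/<name>, one shared parent."""
    return ""


def first_char(user: str) -> str:
    """user/<first character>/<name>, the user/a user/b scheme."""
    return user[0]


def last_two(user: str) -> str:
    """Hypothetical variant: bucket on the last two characters."""
    return user[-2:]


def digest_bucket(user: str) -> str:
    """Hypothetical variant: bucket on a hash of the name (256 buckets)."""
    return hashlib.sha256(user.encode("utf-8")).hexdigest()[:2]


def layout_report(users: Iterable[str],
                  bucket_of: Callable[[str], str]) -> LayoutReport:
    """Count mailboxes per bucket and compare with the subdirectory limit."""
    counts = Counter(bucket_of(u) for u in users)
    largest = max(counts.values())
    fits = largest <= MAX_SUBDIRS and len(counts) <= MAX_SUBDIRS
    return LayoutReport(len(counts), largest, fits)


def constructed_accounts(n: int = 100_000) -> List[str]:
    """Constructed sample: n seven-digit numeric accounts, all starting with 0."""
    return [f"{i:07d}" for i in range(100_000, 100_000 + n)]


if __name__ == "__main__":
    users = constructed_accounts()
    for name, fn in [("flat", flat), ("first_char", first_char),
                     ("last_two", last_two), ("digest", digest_bucket)]:
        print(f"{name:10s} {layout_report(users, fn)}")
```

With numeric accounts that share a leading digit, bucketing on the first character does not spread the load at all, so the bucket key has to come from a part of the name that actually varies.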
Re: Too many users with Cyrus IMAP
On Mon, 25 Feb 2002, Andres Maduro wrote: > When I installed Cyrus Imap I follow the installation instructions by the > book. Does any one know if you have to set the partition directories to > update synchronously when using Ext3 or ReiserFS ? Since both of these are journaling file systems I think you will be able to get away without needing to do the sync trick for the mailboxes themselves. if you need to do anything you may want to make the journal synchronous to avoid the possibility that you accept the mail and crash before the journal gets written to disk. David Lang
Re: How to reset Cyrus-Imap
On 02/26/2002 12:06 PM, Alain Barthelemy wrote: > Is there a command to reinitialise the whole system and reset the > mailboxes database? The command you're looking for is: reconstruct -m But if you've got a 2.x version of cyrus, you've got a little problem as nobody has (re-)implemented that function yet. (Yes, I've got a similar situation and will have to downgrade to 1.6.24) Cheers, David -- ++ http://www.serverart.com ++ "Everything takes longer than you expect, even when you take ++ into account Hofstadters law." - Hofstadter's Law
Re: Which module in cyrus provides return receipt ?
Hi Ted! :-) > I was wondering which module in Cyrus provides return receipt ? Return receipt is traditionally provided by the mail client (outlook, netscape, pine, eudora), not the mail server. Unlike return receipt from the post office, which is a service the transport agent provides the sender, it is a service the recipient may choose to provide the sender. The only systems I know that can be configured to provide "enforced" return receipt are corporate end-to-end solutions like Exchange.
Re: PHP Interface/Web GUI
There is a tool to manage cyrus via php: http://freshmeat.net/projects/php-cyradm/ I've tried the 1.x version once and it looked quite good. Cheers, DafDaf Ah, yeah. And there was a thread about web-interfaces for IMAP servers a couple of weeks ago. Just search the archives. Birger Toedtmann wrote: > Chong, Arthur schrieb am Thu, Mar 14, 2002 at 01:07:45PM -0600: > >> >>Does anyone have an idea about how far PHP4 >>support is for cyrus-imapd-2.1.3. >> >>Most of the software is for imap-2001a >>Washington U. stuff. > > > Not _for_ imap-2001a, they _use_ this library which defines many IMAP > functions. > > So all those web apps (IMP,TWIG,Aeromail etc.) will work with cyrus > as well. But I don't know of any PHP app that is able to directly > administrate cyrus imapd mailboxes (apart from one that is able to > control SASL db files, there does not seem to be one either). > > > Regards, > > Birger -- >> http://www.serverart.com http://mail.serverart.org >> Minds are like parachutes... they work best when open.
Re: PHP Interface/Web GUI
On Sunday 17 Mar 2002 10:17 pm, you wrote: > Steven M Bloomfield said: > > www.squirrelmail.org is a web based e-mail client written in PHP > > Works fine connecting to Cyrus. > > Use websieve for web gui interface. > > squirrelmail doesn't work fine with cyrus... It works FANTASTICALLY with > cyrus!! :-) > > There is also a sieve plugin for squirrelmail. It's not 100% yet, but it's > pretty close to the mark. > > squirrelmail, cyrus, cyrus-sasl set up for PAM and the PAM_SMB module is a > truly awesome replacement for an Exchange server. Now if only someone would > make it possible for Outlook to store non-mail folders (that is, contacts > and schedule stuff) on cyrus... :-) I think there is a company that have just done that. You may want to take a look at www.bynari.net. and no I don't work for them and haven't tried it. David Mulcahy
Re: Signaled to Death by 11 - Again
>>Anything look familiar or obvious? Suggestions? Familiar, anyway. Looks like the old SASL re-entrancy problem to be. Try rebuilding your OpenLDAP libs --without-sasl and linking pam_ldap to them.
Re: Signaled to Death by 11 - Again
>>Anything look familiar or obvious? Suggestions? Look familiar, anyway. It looks like the inevitable SASL reentrancy problem. Try rebuilding your LDAP libs --without-sasl and then linking pam_ldap to the new libs.
RE: multiple cyruses via SAN
I know I've seen snippets about this run across this list, but does anybody have a step-by-step for switching from Berkeley DB to skiplist in cyrus 2.0.16 ? -david -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jeremy Howard Sent: Wednesday, March 20, 2002 7:33 PM To: Amos Gouaux Cc: [EMAIL PROTECTED] Subject: Re: multiple cyruses via SAN Amos Gouaux wrote: ><...> > >Though, I will say >this: we recently switched to skiplist for mailboxes.db and at least >so far, it beats the pants off of Berkeley DB. > Ditto. We switched to skiplist last week (from BDB3), and the performance improvement is amazing! Plus of course, no more deadlocks... Oh, and the upgrade process couldn't have been simpler. :-)
RE: disable duplicate removal
I ran into the same annoyance. I have a public folder that is subscribed to different mailing lists, and when a message was sent to multiple lists, it would only show up once. My realization was that I could use sieve to copy the single mail that did get through to multiple folders with names corresponding to the list names. The headers are mostly the same for the mail sent to multiple lists, so why do I care if I received it from the correct list or not? The subject may be different, but the "Reply All" still works. -david -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Mathieu Arnold Sent: Friday, March 22, 2002 12:01 AM To: [EMAIL PROTECTED] Subject: disable duplicate removal Hi How should I do to have all the duplicate mails sent and not discarded ? it's really annoying to get mails only once when messages are posted on many mailing lists, and they appears on only one. I believe that it's the "-e" flag to deliver, which is not documented in the man page I have, and that removing it would do, but I'm using lmtp to deliver my mails, and I can't get a clue of how I could get all the mails and not only the one cyrus wants me to have. -- Mathieu Arnold
Re: Cyrus and IMP
what hardware do you use to support this load? David Lang On Sun, 24 Mar 2002, Nick Ustinov wrote: > Date: Sun, 24 Mar 2002 11:52:32 +0200 > From: Nick Ustinov <[EMAIL PROTECTED]> > To: Jonas Jacobsson <[EMAIL PROTECTED]> > Cc: [EMAIL PROTECTED] > Subject: Re: Cyrus and IMP > > We are running cyrus 2.1.0 with imp 3.0 in a production environment. The > system has about 150,000 user accounts and over 600,000 cyrus mailboxes. > Apache server load is 50-100 reqs/second. Everything works excellent, > basically I don't even look after it -- it just works :) > > Nick > > > > Hi all, > > > > I'm a rather new Linux user and I have just started up > > my own server. The machine is right now running Debian 2.2 (potato), > > Exim, courier-imap and imp 2.2. > > > > My question is if anyone else on this list is running > > IMP (pref. 3.0) with Cyrus 1.5.19 or above? > > > > My goal is to upgrade to the much improved IMP version 3.0 > > and it depends on that other programs be upgraded first. Potato > > includes a version of Cyrus that is reported to work with IMP 3. > > So by switching to Cyrus would mean one program less to upgrade > > manually. > > > > Thanks in advance for any tips or tricks. > > > > /jonas, Sweden. > > > > > > > > > > Sincerely, > Nick > > > > --- > This message contains no viruses. > Guaranteed by Kaspersky Anti-Virus. > www.antivirus.lv >
RE: Connecting to imap using Outlook
D. you tell outlook that you have an IMAP server that you want it to connect to and it works (at least it works as well as outlook ever works ;-) you will have to look in your outlook documentation for where the option is to tell it where your mail servers are. David Lang On 26 Mar 2002, Chris Picton wrote: > Date: 26 Mar 2002 15:57:13 +0200 > From: Chris Picton <[EMAIL PROTECTED]> > To: OCNS Consulting <[EMAIL PROTECTED]> > Cc: [EMAIL PROTECTED] > Subject: RE: Connecting to imap using Outlook > > On Tue, 2002-03-26 at 15:47, OCNS Consulting wrote: > > Chris: > > > > Did you search the List Archive? I think there have been discussions on > > this topic. > > I have searched google a lot, but not found anything. Thats why I came > to the list. Maybe I'm using the wrong search terms on google :( > > Chris > > > > > > RB > > > > -Original Message- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED]]On Behalf Of Chris Picton > > Sent: Tuesday, March 26, 2002 8:33 AM > > To: Chris Picton > > Cc: [EMAIL PROTECTED] > > Subject: Re: Connecting to imap using Outlook > > > > > > I am curious. Does nobody reply because: > > > > a) Nobody wants to be associated with a Microsoft product? > > b) It can't be done? > > c) It can be done but nobody knows how? > > d) It can be done, somebody knows, but is feeling lazy? > > > > :) > > > > Cheers > > Chris > > > > On Wed, 2002-03-20 at 12:32, Chris Picton wrote: > > > Hi > > > > > > I have set up a cyrus-imapd server on redhat 7.2 > > > I have the following versions: > > > cyrus-sasl-md5-1.5.24-23 > > > cyrus-sasl-1.5.24-23 > > > cyrus-sasl-plain-1.5.24-23 > > > cyrus-imapd-2.0.16-5rm > > > cyrus-imapd-utils-2.0.16-5rm > > > > > > Everything is working fine from evolution (CRAM-MD5/DIGEST-MD5/PLAIN and > > > ssl). However, I can't use secure password authentication from > > > outlook. I get the following error: > > > > > > Your 'Inbox' folder was not polled for its unread count. CRAM-MD5 > > > authentication failed. 
None of the authentication methods supported by > > > your IMAP server (if any) are supported on this computer. Account: > > > 'biology.wits.ac.za', Server: 'biology.wits.ac.za', Protocol: IMAP, > > > Server Response: '', Port: 143, Secure(SSL): No, Error Number: > > > 0x800CCCDF > > > > > > I get the same error if I include the realm in the username or not. > > > > > > My logs say: > > > Mar 20 12:33:16 biology master[7517]: about to exec /usr/cyrus/bin/imapd > > > Mar 20 12:33:16 biology service-imap[7517]: executed > > > Mar 20 12:33:16 biology imapd[7517]: accepted connection > > > Mar 20 12:33:16 biology master[7025]: process 7517 exited, status 0 > > > > > > > > > Does anybody know what the problem is, and how to fix it? > > > > > > Regards > > > -- > > > Chris Picton > > > Tangent Systems > > > [EMAIL PROTECTED] > > > > > > > > > __ > > -- > > Chris Picton > > Tangent Systems > > [EMAIL PROTECTED] > > > > > > __ > -- > Chris Picton > Tangent Systems > [EMAIL PROTECTED] > > > __ >
Re: Connecting to imap using Outlook
have you attempted to configure SASL to just do plain passwords, it's likely that outlook can't do anything more sophisticated. David Lang On 26 Mar 2002, Chris Picton wrote: > Date: 26 Mar 2002 15:32:44 +0200 > From: Chris Picton <[EMAIL PROTECTED]> > To: Chris Picton <[EMAIL PROTECTED]> > Cc: [EMAIL PROTECTED] > Subject: Re: Connecting to imap using Outlook > > I am curious. Does nobody reply because: > > a) Nobody wants to be associated with a Microsoft product? > b) It can't be done? > c) It can be done but nobody knows how? > d) It can be done, somebody knows, but is feeling lazy? > > :) > > Cheers > Chris > > On Wed, 2002-03-20 at 12:32, Chris Picton wrote: > > Hi > > > > I have set up a cyrus-imapd server on redhat 7.2 > > I have the following versions: > > cyrus-sasl-md5-1.5.24-23 > > cyrus-sasl-1.5.24-23 > > cyrus-sasl-plain-1.5.24-23 > > cyrus-imapd-2.0.16-5rm > > cyrus-imapd-utils-2.0.16-5rm > > > > Everything is working fine from evolution (CRAM-MD5/DIGEST-MD5/PLAIN and > > ssl). However, I can't use secure password authentication from > > outlook. I get the following error: > > > > Your 'Inbox' folder was not polled for its unread count. CRAM-MD5 > > authentication failed. None of the authentication methods supported by > > your IMAP server (if any) are supported on this computer. Account: > > 'biology.wits.ac.za', Server: 'biology.wits.ac.za', Protocol: IMAP, > > Server Response: '', Port: 143, Secure(SSL): No, Error Number: > > 0x800CCCDF > > > > I get the same error if I include the realm in the username or not. > > > > My logs say: > > Mar 20 12:33:16 biology master[7517]: about to exec /usr/cyrus/bin/imapd > > Mar 20 12:33:16 biology service-imap[7517]: executed > > Mar 20 12:33:16 biology imapd[7517]: accepted connection > > Mar 20 12:33:16 biology master[7025]: process 7517 exited, status 0 > > > > > > Does anybody know what the problem is, and how to fix it? 
> > > > Regards > > -- > > Chris Picton > > Tangent Systems > > [EMAIL PROTECTED] > > > > > > __ > -- > Chris Picton > Tangent Systems > [EMAIL PROTECTED] > > > __ >
Re: Connecting to imap using Outlook
the IMAP support in outlook is rather primitive (or was the last time I had to make it work) so I wouldn't be surprised if you are just stuck with LOGIN. sorry I can't help more David Lang On 26 Mar 2002, Chris Picton wrote: > I have sasl set up to do LOGIN PLAIN DIGEST-MD5 and CRAM-MD5 > > I have tested DIGEST-MD5, CRAM-MD5 and PLAIN using Evolution. Outlook > works with LOGIN, and attempts CRAM-MD5 for 'Secure Password > Authentication', but fails. > > Cheers > Chris > > On Tue, 2002-03-26 at 16:19, David Lang wrote: > > have you attempted to configure SASL to just do plain passwords, it's > > likely that outlook can't do anything more sophisticated. > > > > David Lang > > > > On 26 Mar 2002, Chris Picton wrote: > > > > > Date: 26 Mar 2002 15:32:44 +0200 > > > From: Chris Picton <[EMAIL PROTECTED]> > > > To: Chris Picton <[EMAIL PROTECTED]> > > > Cc: [EMAIL PROTECTED] > > > Subject: Re: Connecting to imap using Outlook > > > > > > I am curious. Does nobody reply because: > > > > > > a) Nobody wants to be associated with a Microsoft product? > > > b) It can't be done? > > > c) It can be done but nobody knows how? > > > d) It can be done, somebody knows, but is feeling lazy? > > > > > > :) > > > > > > Cheers > > > Chris > > > > > > On Wed, 2002-03-20 at 12:32, Chris Picton wrote: > > > > Hi > > > > > > > > I have set up a cyrus-imapd server on redhat 7.2 > > > > I have the following versions: > > > > cyrus-sasl-md5-1.5.24-23 > > > > cyrus-sasl-1.5.24-23 > > > > cyrus-sasl-plain-1.5.24-23 > > > > cyrus-imapd-2.0.16-5rm > > > > cyrus-imapd-utils-2.0.16-5rm > > > > > > > > Everything is working fine from evolution (CRAM-MD5/DIGEST-MD5/PLAIN and > > > > ssl). However, I can't use secure password authentication from > > > > outlook. I get the following error: > > > > > > > > Your 'Inbox' folder was not polled for its unread count. CRAM-MD5 > > > > authentication failed. 
None of the authentication methods supported by > > > > your IMAP server (if any) are supported on this computer. Account: > > > > 'biology.wits.ac.za', Server: 'biology.wits.ac.za', Protocol: IMAP, > > > > Server Response: '', Port: 143, Secure(SSL): No, Error Number: > > > > 0x800CCCDF > > > > > > > > I get the same error if I include the realm in the username or not. > > > > > > > > My logs say: > > > > Mar 20 12:33:16 biology master[7517]: about to exec /usr/cyrus/bin/imapd > > > > Mar 20 12:33:16 biology service-imap[7517]: executed > > > > Mar 20 12:33:16 biology imapd[7517]: accepted connection > > > > Mar 20 12:33:16 biology master[7025]: process 7517 exited, status 0 > > > > > > > > > > > > Does anybody know what the problem is, and how to fix it? > > > > > > > > Regards > > > > -- > > > > Chris Picton > > > > Tangent Systems > > > > [EMAIL PROTECTED] > > > > > > > > > > > > __ > > > -- > > > Chris Picton > > > Tangent Systems > > > [EMAIL PROTECTED] > > > > > > > > > __ > > > > -- > Chris Picton > Tangent Systems > [EMAIL PROTECTED] > > > __ >
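The CRAM-MD5 exchange that fails for Outlook in the messages above, written out as an added example (not code from the thread or from Cyrus). It follows RFC 2195 and uses that RFC's sample user, secret and challenge; the function names and the `secrets` dictionary are assumptions of this sketch.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

# Sample values published in RFC 2195 (not taken from this thread).
RFC_USER = "tim"
RFC_SECRET = b"tanstaaftanstaaf"
RFC_CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"


def new_challenge(hostname: str) -> bytes:
    """Fresh per-connection challenge in the <random.timestamp@host> form."""
    return f"<{os.urandom(8).hex()}.{int(time.time())}@{hostname}>".encode("ascii")


def server_challenge_line(challenge: bytes) -> str:
    """Server reply to 'AUTHENTICATE CRAM-MD5': '+ ' plus the base64 challenge."""
    return "+ " + base64.b64encode(challenge).decode("ascii")


def client_response(user: str, secret: bytes, challenge_line: str) -> str:
    """Client side: HMAC-MD5 over the decoded challenge, keyed with the password.

    The password itself never crosses the wire, only 'user hexdigest' in base64.
    """
    challenge = base64.b64decode(challenge_line[2:])
    digest = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode("utf-8")).decode("ascii")


def parse_response(response_b64: str) -> Optional[Tuple[str, str]]:
    """Split a client response into (user, hex digest); None if malformed."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, digest = decoded.rpartition(" ")  # user names may contain spaces
    return (user, digest) if sep and user else None


def server_verify(response_b64: str, challenge: bytes,
                  secrets: Dict[str, bytes]) -> Optional[str]:
    """Server side: return the authenticated user name, or None.

    The server must recompute the same HMAC, so it needs the shared secret
    itself (a sasldb-style store). A backend that can only test a submitted
    password, such as PAM, has nothing to key the HMAC with.
    """
    parsed = parse_response(response_b64)
    if parsed is None:
        return None
    user, claimed = parsed
    secret = secrets.get(user)
    # Compute a digest even for unknown users so both paths do the same work.
    key = secret if secret is not None else b"\x00"
    expected = hmac.new(key, challenge, hashlib.md5).hexdigest()
    matches = hmac.compare_digest(expected.encode("ascii"),
                                  claimed.lower().encode("utf-8"))
    return user if (matches and secret is not None) else None


if __name__ == "__main__":
    secrets = {RFC_USER: RFC_SECRET}
    line = server_challenge_line(RFC_CHALLENGE)
    resp = client_response(RFC_USER, RFC_SECRET, line)
    print("S:", line)
    print("C:", resp)
    print("verified as:", server_verify(resp, RFC_CHALLENGE, secrets))
    # A captured response is useless against the next connection's challenge.
    print("replayed:", server_verify(resp, new_challenge("mail.example.org"), secrets))
```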
RE: Connecting to imap using Outlook
1. get a cert that is valid (otherwise you are vulnerable to man-in-the-middle attacks anyway, and it's a bad idea to get users used to ignoring security warnings) 2. if they can disable SSL can't they disable 'secure passwords' and cause it to revert to plain logins anyway? David Lang On 26 Mar 2002, Chris Picton wrote: > Date: 26 Mar 2002 17:08:52 +0200 > From: Chris Picton <[EMAIL PROTECTED]> > To: Clifford Thurber <[EMAIL PROTECTED]> > Cc: T Churchward <[EMAIL PROTECTED]>, > [EMAIL PROTECTED] > Subject: RE: Connecting to imap using Outlook > > On Tue, 2002-03-26 at 16:48, Clifford Thurber wrote: > > But as long as you enable TLS/SSL I don't see why this would matter? Am I > > missing something here? > > Thanks > > > > At 02:35 PM 3/26/2002 +, T Churchward wrote: > > >correctly the only way I could get Outlook to successfully > > >connect was using plain text passwords . Yeah, I agree, not an ideal > > >solution! > > Because a luser would find that if they disable SSL, they don't get an > extra popup saying that the certificate can't be validated. So they > would disable SSL to get rid of the popup. They probably don't care > much about password security, but I do > > Also, I would like a server that works for all clients :) > > -- > Chris Picton > Tangent Systems > [EMAIL PROTECTED] > > > __ >
Re: removing banners from cyrus
as far as I've seen eliminating version banners causes more problems because it makes it harder for the sysadmins to check what version is running (you can try to keep records, but we all know that records don't always agree with reality) so you end up being more likely to be running a bad version than if you could check. David Lang On 2 Apr 2002, Jim Levie wrote: > Date: 02 Apr 2002 13:59:18 -0600 > From: Jim Levie <[EMAIL PROTECTED]> > To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> > Subject: Re: removing banners from cyrus > > On Tue, 2002-04-02 at 13:26, Ken Murchison wrote: > > > > > > Clifford Thurber wrote: > > > > > > Ken I am just interested in suppressing platform/version information when > > > someone telnet to port 143. Just one more layer of security. > > > > But by doing this, you're implying that there is a security hole in the > > Cyrus server which can be exploited if the hacker discovers the > > vendor/version info. Is there some known security hole in Cyrus that > > isn't in other servers. Even if there is, I don't think that the lack > > of info in the banner is going to stop a hacker from trying the exploit > > anyway. Furthermore, a good hacker intent on finding Cyrus servers > > could also detect them by looking for known response strings from commands, > > etc. > > > Ah yes, the old "security through obscurity" game. From what I've seen > eliminating the server type and version has no effect on whether a > cracker can exploit any weakness that an application has. And that's > because the vast majority of attacks aren't done in what one would > consider an intelligent manner. The attacker doesn't examine services to > figure out if they are vulnerable or not. He/she simply runs a script > that attempts to exploit all known vulnerabilities. So hiding the fact > that you are running a certain version of Sendmail, or Cyrus, or > whatever doesn't generally help. 
The attack scripts that I've recovered > from cracked boxes (that were then used to try to crack other boxes) > just had a big list of things to try. > -- > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ > Jim Levie email: > [EMAIL PROTECTED] > Dynetics Inc, Huntsville, Al Ph.256.964.4337 > The opinions expressed above are just that... >
Cyrus IMAPd v2.1.3 and sasl_checkapop()
Hello, I'm having some trouble compiling Cyrus IMAPd v2.1.3 on a FreeBSD-4.5 box. I receive an error when running `configure', the last few lines of the `configure' output follow: checking for dlopen... yes checking for sasl/sasl.h... yes checking for sasl/saslutil.h... yes checking for prop_get in -lsasl2... yes checking for perl5... perl5 checking for MD5Init... no checking for MD5Init in -lmd... yes checking for sasl_checkapop in -lsasl2... no configure: error: libsasl2 without working sasl_checkapop. Cannot continue. I receive the same error when configuring Cyrus IMAPd versions 2.1.1, 2.1.2, and 2.1.3 - I've been compiling (well, configuring) against a successful compile of Cyrus SASL 2.1.2 libs. I'm not sure if this helps, but an `nm' (or `objdump -t') on the libsasl2 shared object infers that the function 'sasl_checkapop' exists: % nm /usr/local/cyrus-sasl/lib/libsasl2.so.2 | grep sasl_checkapop c5cc T sasl_checkapop As you can see by the output from `configure', the script is able to properly determine the existence of other symbol table entries in libsasl2.so.2 (such as the prop_get function). My configure statements follow: Cyrus-SASL (v2.1.2): ./configure --prefix=/usr/local/cyrus-sasl \ --with-pwcheck=/usr/local/cyrus-sasl/pwcheck \ --with-saslauthd=/usr/local/cyrus-sasl/saslauthd \ --with-dblib=berkeley \ --with-bdb-libdir=/usr/local/BerkeleyDB.3.2/lib \ --with-bdb-incdir=/usr/local/BerkeleyDB.3.2/include \ --enable-krb4=no Cyrus-IMAPd (v2.1.3): ./configure --prefix=/usr/local/cyrus \ --with-cyrus-prefix=/usr/local/cyrus \ --with-cyrus-user=cyrus \ --with-cyrus-group=mail \ --with-dbdir=/usr/local/BerkeleyDB.3.2 \ --with-auth=unix \ --with-sasl=/usr/local/cyrus-sasl Any insight into this issue would be greatly appreciated. Thanks! David Fuchs
Re: Cyrus IMAPd v2.1.3 and sasl_checkapop()
Awesome, thanks everyone! On Wed, 2002-04-03 at 11:37, Rob Siemborski wrote: > On 3 Apr 2002, David Fuchs wrote: > > > Any insight into this issue would be greatly appreciated. > > It's a bug in the configure script which I have fixed in CVS (the correct > LDFLAGS were not being given to the sasl_checkapop test). > > -Rob > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- > Rob Siemborski * Andrew Systems Group * Cyert Hall 235 * 412-268-7456 > Research Systems Programmer * /usr/contributed Gatekeeper > > -- David Fuchs Systems Administrator / Software Developer UNIServe Online ~/~\~/~\~/~\~/~\~/~\~/~\~/~\~/~\~/~\~/~\~/~\~/~\~/~\~/~\~/~\~/~\~/~\~ "The sender intends this message for a specific recipient and, as it may contain information that is privileged or confidential, any use, dissemination, forwarding, or copying by anyone without permission from the sender is prohibited. Personal e-mail may contain views that are not necessarily those of the company." ~\~/~\~/~\~/~\~/~\~/~\~/~\~/~\~/~\~/~\~/~\~/~\~/~\~/~\~/~\~/~\~/~\~/~
Trouble configuring/compiling Cyrus
Hello,

I sent a message a little while ago, when I couldn't `configure' Cyrus due to a sasl_checkapop issue in the configure script. Rob Siemborski pointed out what the problem was, and he fixed it in CVS. Rather than grabbing the CVS, I fixed it in the configure script manually and tried compiling. `configure' worked, and I ran `make' - this is part of the error I received (on FreeBSD 4.5, BDB 3.2, Cyrus SASL 2.1.2):

    ### Making all in /u/devel/install/cyrus/cyrus-imapd-2.1.3/sieve
    gcc -c -I. -I.. -I. -I./../lib -I/usr/local/BerkeleyDB.3.2/include -I/usr/local/include -I/usr/local/cyrus-sasl/include -DHAVE_CONFIG_H -I. -I. -Wall -g -O2 sieve.c
    In file included from ../config.h:259,
                     from ./sieve.y:30:
    /usr/include/sys/socket.h:52: syntax error before `sa_family_t'
    /usr/include/sys/socket.h:52: warning: data definition has no type or storage class
    /usr/include/sys/socket.h:163: syntax error before `u_char'
    /usr/include/sys/socket.h:174: syntax error before `u_short'
    /usr/include/sys/socket.h:188: syntax error before `u_char'
    /usr/include/sys/socket.h:190: `int64_t' undeclared here (not in a function)

So, rather than modifying anything else (I'm confident it was missing the `sys/types.h' header - req'd by the FreeBSD sockets implementation) I decided to grab the CVS instead. When I retrieved the CVS for the Cyrus-IMAP head and ran `sh ./SMakefile.sh' followed by my configure statement, I get this in my output from `configure':

    checking for db_create in -ldb-3.3... no
    checking for db_create in -ldb3.3... no
    checking for db_create in -ldb-3.2... yes
    checking "duplicate db" database backend... db3_nosync
    checking "mboxlist" database backend... db3
    checking "seen state" database backend... flat
    checking "subscription" database backend... flat
    checking "TLS cache" database backend... db3_nosync
    ./configure: line 4990: syntax error near unexpected token `yes:no'
    ./configure: line 4990: ` yes:no'

I've got M4 v1.4, autoconf v2.53, and automake/aclocal v1.6 installed. There were some simple warnings, but no errors reported when running the SMakefile script. Perhaps I did something wrong when I checked out the CVS, and generated the configure script?

As things are right now, I'm going to work with the released v2.1.3, and add the appropriate header to get past the socket.h errors - perhaps someone can patch this in CVS?

Thanks,
-David Fuchs
Compiling Cyrus-IMAP-2.1.3 (cvs), and fdatasync()
Hello,

I have run into another bump in the road when compiling Cyrus 2.1.3 (CVS) on FreeBSD 4.5. I think I'm almost there, however. Here is the latest issue I've encountered:

It seems that I'm missing a library that contains a required function called fdatasync(). `configure' checks for the existence of this function in -lrt, but doesn't find it (I have no librt.so). I take it this library is a third-party addition to Cyrus? Where should I be retrieving it, and which version does Cyrus-IMAP-2.1.3 require?

    gcc -L/usr/local/BerkeleyDB.3.2/lib -R/usr/local/BerkeleyDB.3.2/lib -L/usr/local/BerkeleyDB.3.2/lib -L/usr/local/lib -R/usr/local/lib -Wall -g -O2 -o imapd ../master/service.o pushstats.o backend.o imapd.o index.o tls.o version.o libimap.a ../acap/libacap.a ../lib/libcyrus.a -L/usr/local/cyrus-sasl/lib -R/usr/local/cyrus-sasl/lib -lsasl2 -lssl -lcrypto -lfl -ldb-3.2 -lmd -lcom_err -lwrap
    ../lib/libcyrus.a(cyrusdb_skiplist.o): In function `mycommit':
    /u/devel/install/cyrus/cyrus-imapd-2.1.3-CVS/lib/cyrusdb_skiplist.c:1265: undefined reference to `fdatasync'
    /u/devel/install/cyrus/cyrus-imapd-2.1.3-CVS/lib/cyrusdb_skiplist.c:1275: undefined reference to `fdatasync'
    ../lib/libcyrus.a(cyrusdb_skiplist.o): In function `mycheckpoint':
    /u/devel/install/cyrus/cyrus-imapd-2.1.3-CVS/lib/cyrusdb_skiplist.c(.text+0x285c): undefined reference to `fdatasync'
    ../lib/libcyrus.a(cyrusdb_skiplist.o): In function `recovery':
    /u/devel/install/cyrus/cyrus-imapd-2.1.3-CVS/lib/cyrusdb_skiplist.c(.text+0x38e1): undefined reference to `fdatasync'
    /u/devel/install/cyrus/cyrus-imapd-2.1.3-CVS/lib/cyrusdb_skiplist.c(.text+0x3949): undefined reference to `fdatasync'

Thanks!
-David Fuchs
cyrus-imap make errors
i am attempting to build cyrus-imapd-2.0.16 according to the instructions at http://www.linuxdoc.org/HOWTO/Cyrus-IMAP-6.html#ss6.5

make depend works just fine, but when i try to run

    make all CFLAGS=-O

it returns

    cyrusdb_db3.c
    cyrusdb_db3.c:44:16: db.h: No such file or directory
    make[1]: *** [cyrusdb_db3.o] Error 1
    make[1]: Leaving directory `/root/cyrus-imapd-2.0.16/lib'
    make: *** [all] Error 1

i haven't been able to find anything on the web about this, i was hoping one of you would be able to help me.

tia
-david
Re: cyrus-imap make errors
i am attempting to install cyrus-imapd-2.0.16 from source. i am using make-3.79.1-8, gcc-2.96-98, and glibc-2.2.4-19.3. this is being done on a redhat 7.2 system with the 2.4.7-10 kernel.

- - Original Message -
From: "Scott M Likens" <[EMAIL PROTECTED]>
To: "David Goodrich" <[EMAIL PROTECTED]>
Sent: Monday, April 08, 2002 2:56 AM
Subject: Re: cyrus-imap make errors

> --On Sunday, April 07, 2002 11:22 PM -0500 David Goodrich
> <[EMAIL PROTECTED]> wrote:
>
> > thanks to Luc de Louw i got a bit further along (i was missing the
> > db-devel packages), but it still fails on
> > make all CFLAGS=-O
> >
> > collect2: ld returned 1 exit status
> > make[2]: *** [blib/arch/auto/Cyrus/IMAP/IMAP.so] Error 1
> > make[2]: Leaving directory `/root/cyrus-imapd-2.0.16/perl/imap'
> > make[1]: *** [all] Error 1
> > make[1]: Leaving directory `/root/cyrus-imapd-2.0.16/perl'
> > make: *** [all] Error 1
>
> way too vague for me to tell you anything.
>
> > which leads me to believe that i need perl or something, but i /have/ perl
> > installed.
> >
> > [root@ cyrus-imapd-2.0.16]# rpm -qa | grep perl
> > perl-Digest-MD5-2.13-1
> > perl-HTML-Parser-3.25-2
> > perl-MIME-Base64-2.12-6
> > perl-Storable-0.6.11-6
> > perl-libwww-perl-5.53-3
> > perl-XML-Grove-0.46alpha-3
> > perl-libxml-perl-0.07-5
> > perl-XML-Dumper-0.4-5
> > perl-NDBM_File-1.75-26.72.3
> > perl-CPAN-1.59_54-26.72.3
> > perl-DateManip-5.39-5
> > perl-HTML-Tagset-3.03-3
> > perl-libnet-1.0703-6
> > perl-Parse-Yapp-1.04-3
> > perl-URI-1.12-5
> > perl-XML-Encoding-1.01-2
> > perl-XML-Parser-2.30-7
> > perl-libxml-enno-1.02-5
> > perl-XML-Twig-2.02-2
> > perl-DB_File-1.75-26.72.3
> > perl-5.6.1-26.72.3
> > perl-CGI-2.752-26.72.3
>
> Unfortunately if you want me to help you really have to tell me more. Like
> what version of glibc, what version of autoconf/automake libtool, what
> version of sasl / imap are you trying to compile? ie 2.1.2 2.1.3 CVS, etc.
Re: LDAP accounts for Cyrus patch questions
Since there is such a SASL love-fest going on here, allow me to chime in with my dissenting viewpoint.

SASL adds nothing but an annoying dependency to LDAP. No, I take that back, it also adds a security hole.

Challenge-response mechanisms have absolutely no advantage over straight password transmission across an SSL/TLS encrypted line. In fact, if they run in cleartext, they have a few disadvantages:

(1) No server certificate authentication.

(2) If you watch challenge-response a few times, you can get a good deal of the way toward decrypting the password.

Furthermore, in order to support multiple authentication mechanisms, SASL must store password essentially in cleartext (i.e. not in a hashed form). That means if anyone ever gets access to your sasldb, you are hosed. Not true for an LDAP database, which stores passwords in hashed form.

The only advantage of a security layer is flexibility: allowing authentication via arbitrary backends (LDAP, SQL, passwd, shadow, kerberos). While SASL makes this possible in theory, I have not had good experiences in trying to make use of this flexibility -- there is very little in the way of widely-distributed, well-tested, well-supported, drop-in code to do all this stuff.

Finally, Birger, what's "really creative" about

    by self write
    by anonymous auth
    by * none

?
Re: LDAP accounts for Cyrus patch questions
>>Finally, Birger, what's "really creative" about
>>
>>     by self write
>>     by anonymous auth
>>     by * none
>>
>>?
>
> So how do we get these toys together if one
>
> 1. is going to protect user information based on "by self write" - you
>    first have to see what "self" is! - and
>
> 2. has, to facilitate 1., authenticate someone based on user information
>
> which will always result in a request loop?

Umm, I don't know whether what you said went completely over my head or whether what I said went completely over your head.

The ACLs that I wrote are literal (the characters s-e-l-f appear in slapd.conf) and work as advertised. When you bind to LDAP, you specify your dn and userPassword. That tells ldap who "self" is, and if the userPassword matches, it believes you. No "request loop" occurs. End of story.

Of course, in this non-SASL scenario, you lose flexibility in the ways you can authenticate yourself to the LDAP server. But someone using this scenario has already bought the philosophy that the LDAP server will be the password store, so he hasn't lost anything. (Anyone wanting an even more serious security backend could use Kerberos without SASL, too.)

Once you accept LDAP as a backend, you can use a security layer (e.g. SASL or PAM) to allow other applications to authenticate off it.
Re: LDAP accounts for Cyrus patch questions
> Putting the password over the wire is always a bad idea.

If there were no downside to challenge-response, I'd agree. But if the price is storing my passwords unhashed, I'm not willing to pay it. All my sites use MD5 or SHA hashing, which OpenLDAP supports.

> Maybe I'm a dork for buying into Kerb, but hey, I'm sold, sue me. Sasl
> seems like the best way to abstract kerb out to LDAP, cyrus, etc.

Kerberos is the gold standard, I can't disagree there. But if Kerberos abstraction is your only metric for a security layer, why not just have everyone compile in libkrb and forget about the security layer altogether? :-)

> To be fair, I said that.

Apologies, Birger.
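The storage trade-off argued over in this thread, as an added Python example that is not taken from any of the posts: verifying a CRAM-MD5 response requires the server to hold the shared secret itself, while a plaintext check (such as an LDAP simple bind over TLS) needs only a salted hash. The user name, password, salt and challenge are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """LDAP-style {SSHA} userPassword value: base64(SHA1(password+salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: str) -> bool:
    """Plaintext-login check: the server needs only the salted hash."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # a SHA-1 digest is 20 bytes
    probe = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, probe)


def cram_md5_response(user: str, secret: bytes, challenge: bytes) -> str:
    """Client side of CRAM-MD5 (RFC 2195): user, space, hex HMAC-MD5(secret, challenge)."""
    return user + " " + hmac.new(secret, challenge, hashlib.md5).hexdigest()


def cram_md5_verify(response: str, challenge: bytes, secrets: Dict[str, bytes]) -> bool:
    """Server side: recompute the HMAC, which needs the secret, not a hash of it."""
    user, _, digest = response.rpartition(" ")
    secret = secrets.get(user)
    if secret is None:
        return False  # no shared secret stored for this user
    expected = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode("ascii"), digest.lower().encode("utf-8"))


def compare_backends() -> Dict[str, bool]:
    """Run both schemes against a hashed store and a secret store."""
    user, password = "alice", "constructed-sample-pw"   # constructed values
    challenge = b"<1234.5678@mail.example.org>"          # constructed challenge
    hashed_store = {user: ssha_hash(password, salt=bytes(range(8)))}
    secret_store = {user: password.encode("utf-8")}
    response = cram_md5_response(user, password.encode("utf-8"), challenge)
    # A server that kept only hashes has nothing usable as the HMAC key.
    hash_as_key = {u: h.encode("ascii") for u, h in hashed_store.items()}
    return {
        "plaintext_login_with_hash_only": ssha_verify(hashed_store[user], password),
        "wrong_password_rejected": not ssha_verify(hashed_store[user], "not-the-password"),
        "cram_md5_with_secret_store": cram_md5_verify(response, challenge, secret_store),
        "cram_md5_with_hash_only": cram_md5_verify(response, challenge, hash_as_key),
    }


if __name__ == "__main__":
    for check, outcome in compare_backends().items():
        print(f"{check}: {outcome}")
```

Only the last check fails: the hashed store supports plaintext logins but cannot answer a challenge, so offering CRAM-MD5 means keeping a password-equivalent secret on the server.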
Re: Error message when deleting
> When I attempt to delete a message from the client I receive the message
> that The IMAP copy failed.

It sounds like you have a client that deletes by moving to a Trash folder, and you don't have a Trash folder. Make sure the client is configured so that delete means "mark message as deleted."
can I use sieve for this?
I am looking at implementing a read-only (as far as the users are concerned, messages get posted through other means) web based message system by using a modified webmail client and cyrus (via LMTP from the message generator server).

Ideally I would like to set something up on the cyrus server that would send out a 'your got a message' mail when a message is put into a mailbox, but then not send another message until the person logs in.

I can watch syslog to find when they login, is there any way to use sieve to detect a new message? (I seem to remember something about sieve having a unix domain socket it could work with for output-only stuff, but don't see anything about it on the sieve page).

am I making a mistake in thinking of sieve at all? should I just implement this with a syslog watcher that looks for the lmtp delivery and the imap login instead?

if I can't do the one message until they check it I need to at least be able to throttle the messages to one per (whatever time period).

David Lang
Re: cyrus imap playing nicely with pam and Spam assassin
> I'm trying to make Cyrus IMAP work with Pam for authentication.
> sasl_pwcheck_method: saslauthd

You want:

    sasl_pwcheck_method: PAM

Go on from there, and come back when you encounter the SASL re-entrancy bug.
Re: cyrus imap playing nicely with pam and Spam assassin
> SASLv2...

Sorry! Rob is of course right wrt SASLv2.
Re: cyrus, mysql, is anyone out there?
Hello, Dustin!

I just wanted to let you know, that you're not alone. I've been using cyrus+mysql for more than two years now. And I can tell you that it is still confusing if I setup a new box and try to install the various packages and patches that are needed in such a setup. However right now I'm using the following constellation on our primary mx:

    RedHat 6.2
    MySQL-3.23.43-1
    postfix-1.1.2-1
    cyrus-imapd-sql-1.6.24-7
    cyrus-sasl-1.5.21-8

On the backup mx, I use:

    RedHat 7.1
    mysql-3.23.36-1
    postfix-1.1.3-1
    cyrus-imapd-2.0.16-4
    cyrus-sasl-1.5.24-17
    pam_mysql-0.4.7-1

Both machines work very nice. The first one uses a patched version of cyrus-imapd that authenticates against a MySQL database. Unfortunately the maintainer switched to qmail and this package is now unsupported. The constellation on the second server is indeed *very* cool since it uses PAM to authenticate. However it also has its drawbacks as the 2.x version of cyrus doesn't have a reconstruct -m command anymore, I cannot use my old rsync-scripts to hold both servers in sync.

As I said, I just wanted to let you know that there are more people using cyrus-mysql. And as I've seen, there were numerous threads on this subject in this mailinglist, as it seems to be a very confusing story. But I guess you've already searched the archives.

Cheers,
David

On 05/02/2002 04:58 AM, Dustin Puryear wrote:

> Correction. The second fetchmail resulted in:
>
> May 1 18:58:17 freebsd pop3d[89249]: badlogin: localhost[::1] plaintext
> dom0001 cannot select MySQL database
>
> As well as the first one! So, this seems to be a cyrus/mysql issue.
>
> Regards, Dustin
>
> At 09:48 PM 5/1/2002 -0500, you wrote:
>
>> Okay, one final try. Is anyone in the world that happens to be on this
>> list using mysql with cyrus? I can't be the only one. If you do exist,
>> and I'm happy to see that you do, I have cyrus compiled with mysql
>> support. Unfortunately, when I try to auth against Cyrus via POP3 or
>> whatever I get an error that Cyrus can't select the mysql database.
>>
>> I have imapd.conf with:
>>
>> sasl_pwcheck_method: mysql
>> sasl_mysqluser: mail
>> sasl_mysqlpasswd: secret
>> sasl_mysqlhost: localhost
>> sasl_mysqldatabase: mail
>> sasl_mysqltable: accountuser
>> sasl_mysqluidcol: username
>> sasl_mysqlpwcol: password
>>
>> I've also verified that this information is correct:
>>
>> freebsd# mysql -u mail -psecret \
>> ? -e 'select username,password from accountuser' mail
>> +--+--+
>> | username | password |
>> +--+--+
>> | 0001 | password |
>> | dom0001 | password |
>> +--+--+
>>
>> I didn't make any modifications to pam. Should this just work? If I
>> try to check my mail using:
>>
>> freebsd# cat .fetchmailrc
>> poll localhost protocol pop3 username "dom0001" password "password"
>>
>> With fetchmail I get:
>>
>> May 1 18:50:11 freebsd pop3d[89212]: badlogin: localhost[::1]
>> CRAM-MD5 no secret in database
>> May 1 18:50:11 freebsd pop3d[89212]: badlogin: localhost[::1]
>> plaintext dom0001 cannot select MySQL database
>>
>> The first line appears to be pop3d reporting that there is no md5
>> entry in the sasl database. Also, notice the 'select MySQL database'
>> issue. (The fetchmail output is at the bottom of this mail, it's a bit
>> long.) Now, if I force password authentication I get:
>>
>> freebsd# fetchmail --auth=password -vvv -c
>> fetchmail: 5.9.6 querying localhost (protocol POP3) at Wed May 1
>> 18:53:08 2002: poll started
>> fetchmail: POP3< +OK <[EMAIL PROTECTED]>
>> Cyrus POP3 v2.0.16 server ready
>> fetchmail: POP3> USER dom0001
>> fetchmail: POP3< +OK Name is a valid mailbox
>> fetchmail: POP3> PASS *
>> fetchmail: POP3< -ERR Invalid login
>> fetchmail: Invalid login
>> fetchmail: Authorization failure on dom0001@localhost
>> fetchmail: POP3> QUIT
>> fetchmail: POP3< +OK
>> fetchmail: 5.9.6 querying localhost (protocol POP3) at Wed May 1
>> 18:53:11 2002: poll completed
>> fetchmail: normal termination, status 3
>>
>> But no errors via syslog.
>>
>> In the first attempt, fetchmail reports:
>>
>> freebsd# fetchmail -vvv -c
>> fetchmail: 5.9.6 querying localhost (protocol POP3) at Wed May 1
>> 18:50:08 2002: poll started
>> fetchmail: POP3< +OK <[EMAIL PROTECTED]>
>> Cyrus POP3 v2.0.16 server ready
>> fetchmail: POP3> CAPA
>> fetchmail: P
2.0 to 2.1 migration procedure
I'm about to try out imapd-2.1.4 (as packaged by Henrique for Debian). I am currently running imapd-2.0.16 (custom-compiled) on a different machine. Can someone point me to tips for how to migrate my users and their mail? Do I just need to copy over the mailbox directory hierarchy and run reconstruct? Or do I also need to import and/or reconstruct the metadata?
Re: Migrate From 2.0 to 2.1.4
> doc/install-upgrade.html

This information assumes you are upgrading on one box. My situation (and I suspect it is the situation of most production systems) is having 2.1 set up clean (i.e. no mail or metadata) on a second machine, and now I want to get all the mail from my 2.0 machine to it, without upgrading the 2.0 machine. This ensures that falling back to the old server is trivial, in case the upgrade fails.

The documentation doesn't discuss at all how to transfer mailstores between machines. I think this is what Patrick and I both want to know.
Cyrus Config
Greetings,

I am attempting to migrate from a Courier-IMAP based system to a Cyrus IMAP based implementation, however I am running into several authentication related problems. Ideally I would like to use PAM authentication, however I have yet been able to find documentation which would specify how to compile for that successfully, and secondly is there any utility available to migrate standard maildirs to Cyrus' native format, or does that need to be a manual process?

Thanks,
David Chait
PAM Authentication
Greetings,

I am currently attempting to make Cyrus authenticate via a PAM library (like our Courier-IMAP system did), but have yet been able to accomplish this. The following is my imapd.conf file and cyrus.conf file. The MTA I am using is Postfix, but that seems to be functional.

Cheers,
David

Imapd

    configdirectory: /var/imap
    partition-default: /home/mail
    admins: root cyrus
    #srvtab: /var/imap/srvtab
    allowanonymouslogin: no
    sasl_pwcheck_method: pwcheck

Cyrus

    # standard standalone server implementation

    START {
      # do not delete this entry!
      recover cmd="ctl_cyrusdb -r"

      # this is only necessary if using idled for IMAP IDLE
    # idled cmd="idled"
    }

    # UNIX sockets start with a slash and are put into /var/imap/socket
    SERVICES {
      # add or remove based on preferences
      imap cmd="imapd" listen="imap" prefork=0
      imaps cmd="imapd -s" listen="imaps" prefork=0
    # pop3 cmd="pop3d" listen="pop3" prefork=0
    # pop3s cmd="pop3d -s" listen="pop3s" prefork=0
      sieve cmd="timsieved" listen="sieve" prefork=0

      # at least one LMTP is required for delivery
    # lmtp cmd="lmtpd" listen="lmtp" prefork=0
      lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0

      # this is only necessary if using notifications
    # notify cmd="notifyd" listen="/var/imap/socket/notify" proto="udp" prefork=1
    }

    EVENTS {
      # this is required
      checkpoint cmd="ctl_cyrusdb -c" period=30

      # this is only necessary if using duplicate delivery suppression
      delprune cmd="ctl_deliver -E 3" period=1440

      # this is only necessary if caching TLS sessions
      tlsprune cmd="tls_prune" period=1440
    }
RE: PAM Authentication
    May 15 20:41:43 bonmaildev saslauthd[19131]: AUTHFAIL: user=dchait service=imap realm= [PAM auth error]

This is what I received using the saslauthd -a pam option (pam didn't work at all). Any ideas? I can't seem to find a reference for this error anywhere.

-Original Message-
From: Michael Bacon [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 15, 2002 6:08 PM
To: Ken Murchison; David Chait
Cc: [EMAIL PROTECTED]
Subject: Re: PAM Authentication

Or, if you're in 2.0,

    sasl_pwcheck_method: pam

should work fine.

Michael

--On Wednesday, May 15, 2002 1:50 PM -0400 Ken Murchison <[EMAIL PROTECTED]> wrote:

> What version of Cyrus? Assuming that you are using v2.1.x, set
>
> sasl_pwcheck_method: saslauthd
>
> and start saslauthd with the '-a pam' option.
>
> David Chait wrote:
>>
>> Greetings,
>> I am currently attempting to make Cyrus authenticate via a PAM
>> library (like our Courier-IMAP system did), but have yet been
>> able to accomplish this. The following is my imapd.conf file and
>> cyrus.conf file. The MTA I am using is Postfix, but that seems to be
>> functional.
>>
>> Cheers,
>> David
>>
>> Imapd
>>
>> configdirectory: /var/imap
>> partition-default: /home/mail
>> admins: root cyrus
>> # srvtab: /var/imap/srvtab
>> allowanonymouslogin: no
>> sasl_pwcheck_method: pwcheck
>>
>> Cyrus
>>
>> # standard standalone server implementation
>>
>> START {
>> # do not delete this entry!
>> recover cmd="ctl_cyrusdb -r"
>>
>> # this is only necessary if using idled for IMAP IDLE
>> # idled cmd="idled"
>> }
>>
>> # UNIX sockets start with a slash and are put into /var/imap/socket
>> SERVICES {
>> # add or remove based on preferences
>> imap cmd="imapd" listen="imap" prefork=0
>> imaps cmd="imapd -s" listen="imaps" prefork=0
>> # pop3 cmd="pop3d" listen="pop3" prefork=0
>> # pop3s cmd="pop3d -s" listen="pop3s" prefork=0
>> sieve cmd="timsieved" listen="sieve" prefork=0
>>
>> # at least one LMTP is required for delivery
>> # lmtp cmd="lmtpd" listen="lmtp" prefork=0
>> lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
>>
>> # this is only necessary if using notifications
>> # notify cmd="notifyd" listen="/var/imap/socket/notify"
>> # proto="udp"
>> prefork=1
>> }
>>
>> EVENTS {
>> # this is required
>> checkpoint cmd="ctl_cyrusdb -c" period=30
>>
>> # this is only necessary if using duplicate delivery suppression
>> delprune cmd="ctl_deliver -E 3" period=1440
>>
>> # this is only necessary if caching TLS sessions
>> tlsprune cmd="tls_prune" period=1440
>> }
>
> --
> Kenneth Murchison     Oceana Matrix Ltd.
> Software Engineer     21 Princeton Place
> 716-662-8973 x26      Orchard Park, NY 14127
> --PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
Re: unixhierarchy/altnamespace & IMAP folders, bug?
> When I use the unixhierarchy/altnamespace options in imapd.conf I can't
> create sub-folders in the main inbox but I can create folders outside the
> main inbox and then create subfolders in those. When I turn
> unixhierarchy/altnamespace off then I can create subfolders in the main
> inbox but not outside of it.
> I'm pretty new to imap... is this correct behaviour?

Yes. Under "normal circumstances" (altnamespace off), only the INBOX (and its subfolders) belong to the user, so he cannot create any folders outside it.

Trouble is, this differs from the UW IMAP server, which allows personal folders outside the INBOX hierarchy, and many people had got used to that behaviour. Altnamespace placates these people by making subfolders of the INBOX look like separate top-level folders. Of course, as a side-effect, INBOX becomes something special which cannot have subfolders.

I prefer to train my users in the Cyrus way of thinking and leave the altnamespace off.
imapd timeout
Using 2.0.16 on Linux 2.2.19. I am having trouble with imapd daemons hanging around for a long time. I currently (21 May) have some imapd daemons that have been hanging around for over two weeks (4 May). It is just possible that a couple users have been sending keep-alives that long, but I have a lot more than a couple. I don't set any timeout parameter in imapd.conf, so according to man imapd.conf, it should default to 30 minutes. Is this not true? Does cyrus perhaps "recycle" imapd processes rather than killing them and starting new ones? If so, what is the logic behind this? (Unix forking is remarkably fast, and starting fresh each time seems much safer/cleaner.) Do I perhaps need to set some /proc/sys/net/ TCP timeout parameter? All help is appreciated.
Re: imapd timeout
> Cyrus does recycle processes. Unix forking is amazingly slow compared
> to not forking and on servers that receive many connections a second
> this performance tweak is vital.

That explains it; thanks for the explanation.

(Still, even 10 forks/second seems entirely do-able. While I don't dispute the principle, I'd think you'd need to get closer to 100 forks/second before forking bottlenecks would become as important as disk I/O bottlenecks.)
Re: imapd timeout
the cost of forking can vary greatly depending on the OS.

David Lang

On Tue, 21 May 2002, Lawrence Greenfield wrote:

> Date: Tue, 21 May 2002 22:38:43 -0400
> From: Lawrence Greenfield <[EMAIL PROTECTED]>
> To: David Wright <[EMAIL PROTECTED]>
> Cc: Cyrus-Info <[EMAIL PROTECTED]>
> Subject: Re: imapd timeout
>
>    Date: Tue, 21 May 2002 19:32:44 -0700
>    From: David Wright <[EMAIL PROTECTED]>
>    Cc: Cyrus-Info <[EMAIL PROTECTED]>
>
>    > Cyrus does recycle processes. Unix forking is amazingly slow compared
>    > to not forking and on servers that receive many connections a second
>    > this performance tweak is vital.
>
>    That explains it; thanks for the explanation.
>
>    (Still, even 10 forks/second seems entirely do-able. While I don't
>    dispute the principle, I'd think you'd need to get closer to 100
>    forks/second before forking bottlenecks would become as important as
>    disk I/O bottlenecks.)
>
> Unfortunately, experience doesn't agree with your estimate.
>
> Larry
Re: cyrus imap without sasl
> Because we think that there is no need to use SASL library in the
> middle of the way to authenticate via PAM+mysql. Isn't it a better
> performance issue? Or we are completely wrong?

It's true, there isn't a need, meaning Cyrus could have been designed to use PAM directly as a security layer and not used SASL.

On the other hand, there is a need, because Cyrus wasn't designed that way. Cyrus-IMAP has no idea how to authenticate via PAM. It only knows how to use SASL. (Fortunately, saslauthd knows how to use PAM.) PAM and SASL are not anywhere near API-compatible, which means you can't just "drop in" libpam as a replacement for libsasl.

Personally, I think SASL is a pain in the ass. But its problems are not performance-related. In fact, since saslauthd acts as a connection pool to your authentication datastore, you can probably authenticate more imapd sessions per second via saslauthd -a pam than you could if PAM were linked directly into imapd.
Re: multiple ssl certificates (for one service)
not all browsers accept *.domain certs so be careful

the problem with different certs is that SSL hands out the cert as soon as the connection is established, before the sender tells you anything. TLS has an option to have the client tell the server what it's trying to connect to so that the server can hand back the proper cert, but this has almost no support currently and is the part of the TLS spec that isn't compatible with SSL.

David Lang

On Wed, 25 Sep 2002, twk wrote:

> Date: Wed, 25 Sep 2002 09:45:50 -0400
> From: twk <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: multiple ssl certificates (for one service)
>
> Samuel Hug wrote:
>
> > Hi,
> >
> > is there a possibility to use more than one server certificate? The
> > problem is that the mailserver has multiple domain names. The domain
> > names don't specify different services as pop or imap, therefore
> > tls_pop3 and tls_imap... wouldn't help me.
> >
> > Anybody got a hint?
>
> Thawte has wild card certificates...so you can get a cert for *.moritzi.ch and
> the cert is recognized for all servers whose domain name ends in ".moritzi.ch".
>
> If the domains are completely different, I don't know what you can do.
>
> Cheers,
> Tom
>
> --
> Tom Karches                  email : [EMAIL PROTECTED]
> Web Systems Administrator    phone : 919.515.5508
> NCSU Information Technology
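What a server sees when a client does send the TLS server-name option mentioned above, as an added Python example that is not from any of the posts: a bounds-checked parser that reads the requested host name from a ClientHello so the matching certificate can be chosen, with a fallback to a default certificate when the client sends no name. The ClientHello bytes are constructed by the helper, and the host names and certificate paths are hypothetical.

```python
import struct
from typing import Dict, Optional


class _Reader:
    """Cursor over a byte string that refuses to read past the end."""

    def __init__(self, data: bytes) -> None:
        self.data, self.pos = data, 0

    def remaining(self) -> int:
        return len(self.data) - self.pos

    def take(self, n: int) -> bytes:
        if n > self.remaining():
            raise ValueError("truncated ClientHello")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, size: int) -> int:
        return int.from_bytes(self.take(size), "big")

    def vector(self, size: int) -> "_Reader":
        """Read a length-prefixed field and return a reader limited to it."""
        return _Reader(self.take(self.uint(size)))


def sni_from_client_hello(record: bytes) -> Optional[str]:
    """Return the host name from the server_name extension, or None if absent."""
    rec = _Reader(record)
    if rec.uint(1) != 0x16:
        raise ValueError("not a TLS handshake record")
    rec.take(2)                      # record-layer version
    handshake = rec.vector(2)
    if handshake.uint(1) != 0x01:
        raise ValueError("not a ClientHello")
    hello = handshake.vector(3)
    hello.take(2 + 32)               # client version + random
    hello.vector(1)                  # session id
    hello.vector(2)                  # cipher suites
    hello.vector(1)                  # compression methods
    if hello.remaining() == 0:
        return None                  # no extensions block at all
    extensions = hello.vector(2)
    while extensions.remaining():
        ext_type = extensions.uint(2)
        ext_body = extensions.vector(2)
        if ext_type != 0:            # 0 = server_name
            continue
        names = ext_body.vector(2)
        while names.remaining():
            name_type = names.uint(1)
            name = names.vector(2)
            if name_type == 0:       # 0 = host_name
                return name.take(name.remaining()).decode("ascii").lower()
    return None


def select_certificate(record: bytes, certs: Dict[str, str], default: str) -> str:
    """Pick the certificate for the requested name; unknown or absent name gets the default."""
    name = sni_from_client_hello(record)
    return certs.get(name, default) if name is not None else default


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal ClientHello (sample input, not captured traffic)."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", 2) + b"\x00\x2f" + b"\x01\x00"
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    certs = {"mail.example.org": "/etc/ssl/example-org.pem",     # hypothetical paths
             "mail.example.net": "/etc/ssl/example-net.pem"}
    for requested in ("mail.example.net", None):
        hello = build_client_hello(requested)
        print(requested, "->", select_certificate(hello, certs, "/etc/ssl/default.pem"))
```

A client that omits the extension always lands on the default certificate, which is the situation the post describes for plain SSL.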
Strange Eudora Problem
Greetings all Cyrusites,

We have been seeing some really odd behavior with regards to Eudora clients (Outlook/OE seem not to do this), Eudora users seem to corrupt their mailboxes quite often. Requiring a reconstruct of the cyrus.* files to fix functionality. This is really hindering us, has anyone else seen this?

Thanks,
David

RH 7.2
Cyrus 2.1.4
Cyradm not working on new install
Greetings all,

For some reason on a new install of cyrus, whenever I type cyradm, nothing really seems to happen, simply a new command prompt appears. At first I was getting the perl path error as previously stated yesterday, however I corrected for this, and now...nothing. I cannot use the RPM's for various reasons hence a packaged install isn't the answer. Any ideas?

-David
Re: Distributed File Systems
Lawrence,

If Cyrus does not operate properly within an AFS environment, what does CMU use as a storage solution? I can only assume it's not directly attached storage considering the sheer mass of data involved.

- Original Message -
From: "Lawrence Greenfield" <[EMAIL PROTECTED]>
To: "Josh Huber" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, October 21, 2002 10:18 AM
Subject: Re: Distributed File Systems

>    Date: Mon, 21 Oct 2002 11:28:41 -0400
>    From: Josh Huber <[EMAIL PROTECTED]>
>
>    "David Chait" <[EMAIL PROTECTED]> writes:
>
>    > Both CODA and AFS were developed at CMU, and I would be very
>    > interested in hearing their thoughts as well.
>
>    Indeed, does someone have an answer for this question? Everyone seems
>    to be avoiding it :)
>
>    Can Cyrus handle storing mailboxes to an AFS drive?
>
> No. CMU's previous e-mail system, AMS, leveraged AFS extensively for
> storage (and transit) purposes. For various reasons it didn't scale
> particularly well and led to CMU's interest in IMAP.
>
> Cyrus was designed to use a local filesystem with Unix semantics and a
> working mmap()/write() combination. AFS doesn't provide these
> semantics so won't work correctly.
>
> Larry
database types
Henrique, who maintains the Debian cyrus-imap packages (and does a very good job of it) just changed the MBOX and SEEN databases to use skiplist (from db3 and flat). I had never thought about this issue before. Can someone explain what advantages and disadvantages one has from the different database types? And what is a skiplist anyway? I'm familiar with flat files and the sleepycat databases, but I've never heard of a skiplist.
Re: squatter running longer than 24 hours
On Mon, 22 Oct 2007, Rob Mueller wrote:

>> squatter would really benefit from incremental updates. At the moment a
>> single new message in a mailbox containing 20k messages causes it to read
>> in all the existing messages in order to regenerate the index.
>
> We spoke to Ken about this ages back, and even offered to pay for the work
> to make it happen, but it was just around the time CMU hired him, so it
> never actually happened pity. It would be nice to be able to dedicate a
> couple of weeks to rummage around in there and actually make it happen...

postgres has full-text search capabilities at acceptable performance on very large databases, their code is BSD so anything relevant could be merged into cyrus. it may be worth someone looking into their logic.

David Lang

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: Backup advice
Nikos Gatsis wrote:

> I had to be more specific.
> I need advices for backing up cyrus emails...
>
> Thank you

The individual emails are merely text files on a Unix file system, you can back them up with pretty much any Unix backup tool, though don't ignore the advice to export the databases at regular intervals so that they will be picked up by those backups.

-David
Re: LARGE single-system Cyrus installs?
On Sun, 11 Nov 2007, Bron Gondwana wrote:

>> 250,000 mailboxes, 1,000 concurrent users, 60 million emails, 500k
>> deliveries/day. For us, backups are the worst thing, followed by
>> reiserfs's use of BLK, followed by the need to use a ton of disks to
>> keep up with the i/o.
>
> For us backups are hardly a blip on the radar :) The joy of writing
> your own custom backup system that knows more about Cyrus internals than
> just about anything else. It starts with some stat calls, and if any of
> the cyrus.header, cyrus.index or cyrus.expunge files have changed then
> it will lock them all then stream them all to the backup server.

Cyrus is pretty ideal for fast incremental updates to a backup system: hence replication. You shouldn't need to lock anything with delayed expunge, delayed delete and fast rename in place.

--
David Carter                             Email: [EMAIL PROTECTED]
University Computing Service,            Phone: (01223) 334502
New Museums Site, Pembroke Street,       Fax:   (01223) 334679
Cambridge UK. CB2 3QH.
Re: Replication: sync_client -r dies
On Mon, 12 Nov 2007, Bron Gondwana wrote:

>> It seems to me that the replication code ought to be a bit more robust
>> than this when a replica goes down or loses network connectivity. Is
>> the 2.3.10 code any better than 2.3.9 in the way this kind of situation
>> is handled?
>
> I believe David Carter has been working on some stuff for this which is
> lined up to go in soon.

The autorestart stuff is already in 2.3.10. It was Ken's work, based on a suggestion on my part.

--
David Carter                             Email: [EMAIL PROTECTED]
University Computing Service,            Phone: (01223) 334502
New Museums Site, Pembroke Street,       Fax:   (01223) 334679
Cambridge UK. CB2 3QH.
Re: Replication: does it work in both directions?
On Sun, 11 Nov 2007, Rich Wales wrote:

> So, I would have replication set up going both directions between my two
> servers, but the sets of users handled in each direction would be
> disjoint. Each user would be assigned to one IMAP server (the master
> for their mailbox collection), and the other server would be their
> replica and act as their backup.

We do this. It is quite useful to be able to bounce users back and forth between the two machines in a pair so that servers can be maintained (patches, O/S upgrades, whatever) without any user visible downtime.

Three caveats:

1) It won't work with shared mailboxes.

2) I'm not running the same replication code as the rest of you (though replication in 2.3 is based on an old version of my code). I seem to remember Ken raising an objection when this was last discussed a year or two back now. The objection may just have been (1).

3) Sanity checks are good:

    USER dpc22
    NO IMAP_INVALID_USER Attempt to update master for dpc22

-- 
David Carter
Re: Multiple skiplist bugs found, patches attached
On Tue, 13 Nov 2007, Simon Matter wrote:

> I didn't have much troubles with skiplist over the years and it has been
> a blessing since moving away from BDB. But I did have a few issues with
> broken skiplist files so your patches are very welcome. I have included
> the patches in my private rpm packages to try how they work. Do you
> recommend both for general consumption?

It is certainly very easy to break mailboxes.db using cyr_dbtool. Kudos to Bron for tracking down the problems.

-- 
David Carter
Re: Just in case it is of general interest: ZFS mirroring was the culprit in our case
On Tue, 13 Nov 2007, Pascal Gienger wrote:

> Our latency problems went away like a miracle when we detached one half
> of the mirror (so it is no more a mirror).
>
> Read-Rates are doubled (not per device, the total read rate!), latency
> is cut off. No more latency problems.
>
> When attaching the volume again, resilvering puts the system to a halt -
> reads and writes do block for seconds (!).

Definitely of interest to those of us keeping one eye on ZFS. Thanks.

Can someone else running ZFS confirm this behaviour?

-- 
David Carter
Re: LARGE single-system Cyrus installs?
On Tue, 13 Nov 2007, Bron Gondwana wrote:

> If you're planning to lift a consistent copy of a .index file, you need
> to lock it for the duration of reading it (read lock at least).

mailbox_lock_index() blocks flag updates (but this doesn't seem to be something that imapd worries about when FETCHing data). You don't need to worry about expunge or append events once the mailbox is open.

> But since I would like a consistent snapshot of the mailbox state, I
> lock the cyrus.header and then the cyrus.index and then (if it's there)
> the cyrus.expunge. That means no sneaky process could (for example)
> delete the mailbox and create another one with the same name while I was
> busy downloading the last file - giving me totally bogus data.

chdir() into the mailbox data directory: with delayed delete and fast rename it shouldn't matter if the mailbox is replaced under your feet. That's the way replication worked on my 2.1 systems, prior to split-meta.

(Locking isn't a big deal, but safe concurrent access is always nice).

-- 
David Carter
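The stat-then-lock incremental copy discussed in this thread, as an added sketch that is not code from any poster or from Cyrus. The function names are hypothetical, and it assumes the server takes fcntl-style advisory locks on these files; a real tool must use whichever lock type the server was built with.

```python
import fcntl
import os

# Lock order taken from the thread: header, then index, then expunge.
META_FILES = ("cyrus.header", "cyrus.index", "cyrus.expunge")
OPTIONAL = {"cyrus.expunge"}  # "if it's there"

def _sig(st):
    return (st.st_ino, st.st_size, st.st_mtime_ns)

def stat_signature(mbox_dir):
    """Cheap change check: stat() each metadata file, no locks taken."""
    sig = {}
    for name in META_FILES:
        try:
            sig[name] = _sig(os.stat(os.path.join(mbox_dir, name)))
        except FileNotFoundError:
            if name not in OPTIONAL:
                raise
    return sig

def snapshot_if_changed(mbox_dir, dest_dir, last_sig):
    """Copy metadata under shared locks if changed; return new signature or None."""
    if stat_signature(mbox_dir) == last_sig:
        return None
    held = []
    try:
        for name in META_FILES:
            try:
                fd = os.open(os.path.join(mbox_dir, name), os.O_RDONLY)
            except FileNotFoundError:
                if name in OPTIONAL:
                    continue
                raise
            held.append((name, fd))
            fcntl.lockf(fd, fcntl.LOCK_SH)  # waits for any exclusive holder
        os.makedirs(dest_dir, exist_ok=True)
        copied = {}
        for name, fd in held:
            # fstat the locked descriptor, so the signature describes the
            # file actually copied even if the path was replaced meanwhile.
            copied[name] = _sig(os.fstat(fd))
            with open(os.path.join(dest_dir, name), "wb") as out:
                while chunk := os.read(fd, 65536):
                    out.write(chunk)
        return copied
    finally:
        for _, fd in reversed(held):
            os.close(fd)  # closing the descriptor releases its lock
```

Because the files are opened before they are locked and read through the same descriptors, a mailbox that is renamed or recreated during the copy still yields one self-consistent set of files.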
Re: Deleting top-level mailbox with 'delete_mode: delayed'
On Tue, 13 Nov 2007, Bron Gondwana wrote:

> I have "delete_mode: immediate" on the replica and "delete_mode:
> delayed" on the master.

sync_server doesn't pay any attention to delete_mode, so the option shouldn't have any effect on the replica.

-- 
David Carter