does xfer require murder?

Patrick Radtke phr2101 at columbia.edu
Tue Apr 18 13:45:36 EDT 2006


What happens if you use cyradm to log into the second host from the
first host using the proxy username and password?

I think xfer is going to connect on the imap port of the 2nd machine.

Is syslog in the debug level? If not, that might give you a better hint.

It seems that it's the connection from the 1st to second server that's
tripping you up.

Do the two servers use the same source for authentication verification?

-Patrick
On Apr 18, 2006, at 1:29 PM, Perry Brown wrote:

> Please if anyone has any suggestions. I've been banging my head
> against a desk on this one.
>
> perry
>
>>
>>
>> I thought nscd might have been tripping me up so I tried by IP  
>> address with the same results. Also thought it may be an issue  
>> with a firewall between these 2 hosts blocking a port so I tried 2  
>> other cyrus servers that do not have a FW between them with the  
>> same result (anyone know what port(s) xfer uses?).
>>
>> Any suggestions?
>>
>> Thank you
>> Perry
>>
>>
>>> I set up imapd.conf how I think it should be and restarted cyrus  
>>> (even rebooted hosts). I log into the source server cyradm:
>>> sudo cyradm --user cyrus --server server1.sub1.domain.amazon.com --auth plain
>>>
>>> Run the xfer
>>> server1.sub1.domain.com> xfer user.vbperry server2.sub2.domain.com
>>
>>> And get:
>>> xfermailbox: Server(s) unavailable to complete operation
>>>
>>> This is in log on source:
>>> Apr 14 15:08:15 server1 imap[3434]: couldn't authenticate to backend server: generic failure
>>> Apr 14 15:08:15 server1 imap[3434]: Could not move mailbox: user.vbperry, Initial backend connect failed
>>>
>>> This is on destination server:
>>> Apr 14 15:08:15 server2 imap[3022]: accepted connection
>>> Apr 14 15:08:15 server2 master[3125]: about to exec /opt/mail/cyrus-imapd/bin/imapd
>>> Apr 14 15:08:15 server2 imap[3125]: executed
>>>
>>> This is what the imapd.conf looks like on both servers.
>>> defaultpartition: imap1
>>> configdirectory: /var/imap
>>> partition-imap1: /var/spool/imap1
>>> admins: cyrus support
>>> srvtab: /var/imap/srvtab
>>> quotawarn: 85
>>> popminpoll: 0
>>> autocreatequota: 30000
>>> sasl_pwcheck_method: saslauthd
>>> lmtp_over_quota_perm_failure: 1
>>> allowusermoves: yes
>>> proxy_authname: cyrus
>>> proxy_password: password
>>>
>>> The systems are in different subdomains sub1.domain.com and  
>>> sub2.domain.com and when I tried to do the hostname_password  
>>> option it did not like dots in the name so I did short names and
>>> added the sub#.domain.com to the resolv.conf so each host could  
>>> ping by short name. I still got the error from above so I changed  
>>> the imapd.conf entry servername_password to proxy_password since  
>>> the cyrus account has the same password on both servers and still  
>>> got the error above.
>>>
>>>
>>> Any ideas what I am missing?
>>>
>>> Thank you
>>> Perry
>>>
>>>> Perry Brown wrote:
>>>>> Thank you for the reply. Some follow up questions. (sorry to be  
>>>>> so dense I'm making this change on production servers so wanted  
>>>>> to make sure I've got it right).
>>>>>
>>>>>
>>>>> SASL is running as: /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
>>>>>
>>>>> Our pam.d configs for both imap and pop look like
>>>>> auth       required     /lib/security/pam_stack.so service=system-auth
>>>>> account    required     /lib/security/pam_stack.so service=system-auth
>>>>>
>>>>>
>>>>> Looking at the install-murder doc I should set up all the boxes  
>>>>> like they were frontends? (I pasted in what I think will only
>>>>> apply to my set up from install-murder).
>>>>>
>>>>>
>>>>>
>>>>> Additional backend configuration
>>>>> If your authentication system requires usernames, passwords,  
>>>>> etc, to authenticate (e.g. it isn't Kerberos), then you will  
>>>>> also need to specify proxy_authname (and friends) in the  
>>>>> backend imapd.confs as well. This is so that the backends can  
>>>>> authenticate to each other to facilitate mailbox moves. (Backend
>>>>> machines will need to be full admins).
>>>>>
>>>>> In short I just need to set up a common user account in the OS  
>>>>> on each box and define the user as proxy_authname: and put the  
>>>>> password for that account listed as host1_password: and  
>>>>> host2_password etc....
>>>>
>>>> Correct.
>>>>
>>>>
>>>>> Do I need to add this proxy_authname to imapd.conf admins: as  
>>>>> well for the full admins requirement?
>>>>
>>>> Yes.
>>>>
>>>>
>>>>>
>>>>> Perry Brown wrote:
>>>>>> Hi All,
>>>>>>
>>>>>> We are running cyrus-imap 2.2.8 and sasl 2.1.15. We have two  
>>>>>> RHEL 3 servers with about 4800 users split between them.
>>>>>>
>>>>>> I am looking to migrate the users to 2 new RHEL3 hosts with  
>>>>>> the same cyrus-imap and sasl versions. I added the  
>>>>>> allowusermoves to imapd.conf restarted cyrus and tried to do a  
>>>>>> test move.
>>>>>>
>>>>>>
>>>>>> host1.domain.com> xfer user/ host2.domain.com
>>>>>> xfermailbox: Mailbox does not exist
>>>>>>
>>>>>>
>>>>>> Both cyrus-imap and cyrus-sasl were compiled with
>>>>>> --enable-murder (at least that is what my notes say; is there a
>>>>>> way to verify?), but it looks like murder has not been set up
>>>>>> with a master or imapd.conf file changes.
>>>>>>
>>>>>> Question, Is it possible to xfer a mailbox without configuring  
>>>>>> murder?
>>>>>
>>>>> Yes and no.  You don't need mupdate, but the backends need to
>>>>> know how to authenticate to each other.  Look at
>>>>> install-murder.html and take a look at the stuff regarding
>>>>> authentication.  Also note that you can't XFER the entire user/
>>>>> hierarchy with one command, you have to do it one user at a
>>>>> time.  Assuming that you're using unixhierarchysep, you would do:
>>>>>
>>>>> xfer user/vbperry host2
>>>>>
>>>>>
>>>>> ----
>>>>> Cyrus Home Page: http://asg.web.cmu.edu/cyrus
>>>>> Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
>>>>> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>>>>>
>>>>
>>>>
>>>> --
>>>> Kenneth Murchison
>>>> Systems Programmer
>>>> Project Cyrus Developer/Maintainer
>>>> Carnegie Mellon University
>>>
>>>
>>
>>
>
>



More information about the Info-cyrus mailing list
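
A static pre-check of the settings this thread walks through (allowusermoves, proxy_authname listed in admins, and a password entry for the destination), as an added example that is not part of the original messages or of Cyrus itself. The function names, the accepted boolean spellings and the short-host-name rule for `<host>_password` keys are assumptions; the sample config is constructed from the one quoted above.

```python
# Constructed sample mirroring the imapd.conf quoted in the thread.
SAMPLE_CONF = """\
defaultpartition: imap1
admins: cyrus support
sasl_pwcheck_method: saslauthd
allowusermoves: yes
proxy_authname: cyrus
proxy_password: password
"""

# Assumption: spellings treated as "enabled" for a boolean option.
TRUE_VALUES = ("yes", "on", "true", "t", "1")


def parse_imapd_conf(text):
    """Parse 'key: value' lines, skipping blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip().lower()] = value.strip()
    return conf


def check_xfer_prereqs(conf, dest_host):
    """Return the config problems that would block backend-to-backend XFER auth."""
    problems = []
    if conf.get("allowusermoves", "no").lower() not in TRUE_VALUES:
        problems.append("allowusermoves is not enabled")
    authname = conf.get("proxy_authname")
    if not authname:
        problems.append("proxy_authname is not set")
    elif authname not in conf.get("admins", "").split():
        problems.append(f"proxy_authname '{authname}' is not listed in admins")
    # Assumption: per-host keys use the short host name (text before the first
    # dot), matching the thread's report that dotted names were rejected.
    short = dest_host.split(".")[0]
    if not (conf.get(f"{short}_password") or conf.get("proxy_password")):
        problems.append(f"no {short}_password or proxy_password for {dest_host}")
    return problems


if __name__ == "__main__":
    print(check_xfer_prereqs(parse_imapd_conf(SAMPLE_CONF), "server2.sub2.domain.com"))
```

Run it against the imapd.conf of both backends. It only inspects configuration and does not confirm that saslauthd on the destination accepts the credentials, which is what the cyradm login test suggested above checks.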