Delivery to Shared Folders via authenticated SMTP then LMTP
Andy Bennett
andyjpb at ashurst.eu.org
Tue Apr 21 06:13:22 EDT 2009
Hi,
I'm having problems getting exim to deliver messages to Shared
Folders under cyrus.
I've googled around and futzed with configuration options for an entire
afternoon and not got very far so I'm wondering if anyone here can help me.
First, here's a few words about my configuration.
I'm running a Debian etch server with the cyrus-2.2 (2.2.13-10) packages
installed. I'm using exim 4.63 as my MTA.
Exim's set up to relay outgoing mail via authenticated SMTP and incoming
mail for a few domains.
SMTP authentication uses the same database as the cyrus IMAP server.
Here's how my plaintext exim authenticator works:
server_condition = ${if saslauthd{{${local_part:$2}}{$3}{smtpauth}{${domain:$2}}}{1}{0}}
I'm using cyrus in "virtdomains: userid" mode.
I'm doing delivery to cyrus over authenticated LMTP via a socket.
I'm running lmtp like this:
lmtp cmd="lmtpd" listen="localhost:lmtp" prefork=0 maxchild=20
I have "lmtp_admins: exim" in /etc/imapd.conf
Exim is authenticating to the LMTP server with CRAM-MD5 as user exim.
Delivery works for users in all domains.
I have no "postuser:" setting in /etc/imapd.conf so I'm assuming that
it's default and I can address shared folders with the "+xxx at domain"
address.
I have created the following shared folders in cyradm:
shared.test at ashurst.eu.org (\HasNoChildren)
shared at ashurst.eu.org (\HasChildren)
...and here are the permissions:
shared at ashurst.eu.org:
anyone lrs
shared.test at ashurst.eu.org:
exim lrswipcda
andyjpb at ashurst.eu.org lrswipcda
anyone lrs
I can insert and delete messages in shared.test via IMAP when I'm
authenticated as andyjpb at ashurst.eu.org
Whatever permissions I give to andyjpb at ashurst.eu.org, I can't insert
or delete messages in shared via IMAP when I'm authenticated as
andyjpb at ashurst.eu.org
Are top level folders special?
With the ACLs above, I ran a test.
Sending messages to any user at any domain that I have set up, from
anywhere, works fine.
I connected to my SMTP server, authenticated as andyjpb at ashurst.eu.org
and sent a message to "+shared.test at ashurst.eu.org".
If the mailbox does not exist I get a message saying so.
If the mailbox does exist (as configured above) then I get a different
error message, so I'm pretty happy that I've got the correct email
address for the mailbox I created...
The message was accepted by exim and then immediately bounced.
... I don't do local part checking at RCPT time in submission mode.
Anyway, I switched on the Cyrus session logging for the exim user and
here's what I got. It includes the error message that was sent in the
bounce message.
-----
---------- exim Mon Apr 20 22:57:35 2009
>1240264655>235 Authenticated!
<1240264655<MAIL FROM:<andyjpb at ashurst.eu.org> SIZE=2523
RCPT TO:<+shared.test at ashurst.eu.org>
DATA
>1240264655>250 2.1.0 ok
550-You do not have permission to post a message to this mailbox.
550-Please contact the owner of this mailbox in order to submit
550-your message, or postmaster if you believe you
550-received this message in error.
550 5.7.1 Permission denied
503 5.5.1 No recipients
<1240264655<QUIT
>1240264655>221 2.0.0 bye
-----
The log then continues with the successful delivery of the bounce
message to andyjpb at ashurst.eu.org
The bounce message doesn't contain the "503 5.5.1 No recipients" line:
it stops at "550 5.7.1 Permission denied"
So...
It looks like exim is authenticating as the exim user, which is in
lmtp_admins. I also tried putting exim in admins and it didn't change
anything.
Is there any way of getting more information about who was authenticated
and who was authorised?
Here's what I get in syslog:
-----
verify_user(ashurst.eu.org!shared.test) failed: Permission denied
-----
Here's the ACL that's on andyjpb at ashurst.eu.org's INBOX:
andyjpb at ashurst.eu.org lrswipcda
...so exim doesn't have 'p' rights there but it can still deliver mail
there.
exim isn't in a domain: all the other users are. I'm not sure if that is
an issue when using Cyrus in "virtdomains: user_id" mode, and I haven't
got exim configured to connect to lmtp as a different user depending on
the domain.
RCPT TO: in the error looks like the correct mailbox. MAIL FROM: is a
user that has 'p' permission on the mailbox.
I don't see an AUTH line though... I'm authenticating as exim, who should be
able to authorise as andyjpb at ashurst.eu.org. How can I be sure that that
is happening? If it's not, then as exim has 'p' rights on the mailbox it
should be able to post as itself anyway.
I haven't done anything special in exim as the documentation led me to
believe that the authentication automatically falls through.
If I give "anyone" 'p' rights then messages are delivered without errors.
As a last ditch attempt, I just reconfigured exim to use PLAIN rather
than CRAM-MD5 when authenticating to LMTP so that I could explicitly
send the exim authenticated sender along to LMTP.
Here's the authentication details I used:
-----
client_send = $authenticated_sender^exim^<PASSWORD>
-----
I think that should send the exim authenticated sender along as the
authorisation and exim and <PASSWORD> along as the authentication.
Does anyone have any idea what I am doing incorrectly or whether I
should be doing something that I am not?
Many thanks for your time.
Regards,
@ndy
--
andyjpb at ashurst.eu.org
http://www.ashurst.eu.org/
http://www.gonumber.com/andyjpb
0x7EBA75FF
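The two things the post turns on are the Cyrus ACL rights table (whether the identity that lmtpd checks actually holds the 'p' right) and the PLAIN credential that Exim's `client_send = $authenticated_sender^exim^<PASSWORD>` line produces. The script below is an added example, not code from the post or from the Cyrus or Exim projects. It parses a cyradm-style ACL listing built from the values quoted above, reports which identities hold 'p' on each mailbox, and shows the RFC 4616 PLAIN message (authorization id, authentication id, password separated by NUL) that Exim builds when it converts `^` to NUL. Assumptions, labelled in the code: the listing layout is a simplified copy of the post's, effective rights are modelled as the union of the identity's own entry and the `anyone` entry (Cyrus negative rights and group entries are not modelled), and nothing here reproduces lmtpd's own logic for deciding which identity it authorizes; the password is a constructed placeholder.

```python
# Added example (not from the original post): a small model of Cyrus ACL
# rights checks for posting, plus the SASL PLAIN credential Exim builds.
import base64

# Cyrus rights letters; 'p' (post) is the one a delivery agent needs.
RIGHT_NAMES = {
    "l": "lookup", "r": "read", "s": "seen", "w": "write", "i": "insert",
    "p": "post", "c": "create", "d": "delete", "a": "admin",
}

# Constructed from the ACLs quoted in the post (cyradm-style layout, assumed).
SAMPLE_ACL_LISTING = """\
shared at ashurst.eu.org:
  anyone lrs
shared.test at ashurst.eu.org:
  exim lrswipcda
  andyjpb at ashurst.eu.org lrswipcda
  anyone lrs
"""


def parse_acl_listing(text):
    """Parse 'mailbox:' header lines followed by 'identity rights' lines into
    {mailbox: {identity: rights}}.  Identities may contain spaces (the archive
    munged '@' to ' at '), so the rights string is taken as the last token."""
    acls, mailbox = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            mailbox = line[:-1]
            acls[mailbox] = {}
        else:
            if mailbox is None:
                raise ValueError("ACL entry before any mailbox header: %r" % line)
            identity, rights = line.rsplit(None, 1)
            acls[mailbox][identity] = rights
    return acls


def effective_rights(acl, identity):
    """Assumed model: an identity's rights are its own entry plus 'anyone'.
    (Real Cyrus also subtracts negative rights; not modelled here.)"""
    return set(acl.get("anyone", "")) | set(acl.get(identity, ""))


def can_post(acls, mailbox, identity):
    """True if the identity would pass a 'p' (post) check on the mailbox."""
    return "p" in effective_rights(acls[mailbox], identity)


def post_report(acls, mailbox, identity):
    """Human-readable summary of why posting is or is not permitted."""
    rights = effective_rights(acls[mailbox], identity)
    names = ", ".join(RIGHT_NAMES.get(r, r) for r in sorted(rights))
    verdict = "allowed" if "p" in rights else "denied (no 'p' right)"
    return "%s on %s: %s [%s]" % (identity, mailbox, verdict, names or "none")


def exim_client_send_to_plain(client_send_value):
    """Exim's plaintext authenticator replaces '^' with NUL after expansion, so
    'authzid^authcid^password' becomes the RFC 4616 PLAIN message."""
    return client_send_value.replace("^", "\0").encode()


def plain_initial_response(message):
    """The base64 form that actually travels on the wire after AUTH PLAIN."""
    return base64.b64encode(message).decode()


def decode_plain(message):
    """Split a PLAIN message back into its three fields (server-side view)."""
    authzid, authcid, password = message.decode().split("\0")
    return {"authzid": authzid, "authcid": authcid, "password": password}


if __name__ == "__main__":
    acls = parse_acl_listing(SAMPLE_ACL_LISTING)
    for box in acls:
        for who in ("exim", "andyjpb at ashurst.eu.org", "someone else"):
            print(post_report(acls, box, who))
    # Constructed placeholder password; the post's real value is <PASSWORD>.
    msg = exim_client_send_to_plain("andyjpb at ashurst.eu.org^exim^placeholder")
    print("PLAIN fields:", decode_plain(msg))
    print("on the wire:", plain_initial_response(msg))
```

Running it shows that `exim` and the user pass the 'p' check on `shared.test` while any other identity, and every identity on the top-level `shared` folder (which only grants `anyone lrs`), is denied; the PLAIN section makes it easy to see which field is the authorization identity and which is the authentication identity when reading a captured or logged AUTH exchange.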