From michaels at crye-leike.com Mon Aug 3 18:46:49 2009 
From: michaels at crye-leike.com (Michael Sims)
Date: Mon, 3 Aug 2009 17:46:49 -0500
Subject: Need advice on building a Cyrus IMAP cluster
Message-ID:

Hi,

My company has been a happy user of Cyrus IMAP for over 6 years now. But our existing email infrastructure is starting to age a bit and I've been assigned the task of upgrading it. Although we only have about 5,000 or so accounts, we have experienced some performance issues over the years (for various reasons that aren't the fault of Cyrus), as well as some reliability issues with some of our hardware. For that reason my boss wants our new email system to consist of a cluster of servers which can hopefully provide both high availability and load balancing. Since clustering is a new challenge for me as a sysadmin, I'm coming to the list for help.

I've spent the last few days researching the list archives for various approaches. I've hesitated to start yet another thread on clustering, as this is a topic that I know has been well covered in the past, but it seems to me that this area evolves rapidly enough that some good might come from bringing it up again.

It seems that creating an active/passive cluster for high availability is a relatively straightforward task. But what we'd really like to do is create an active/active cluster using a shared file system such as GFS or OCFS2 in conjunction with our EMC SAN. The main reason for this is ease of maintenance. Theoretically the cluster nodes should be mostly identical, which would make it easy to take a node down for maintenance with minimal to no disruption in service. And it seems to use the available hardware in a more efficient manner than that of a 2-node active/passive cluster where one node sits idle waiting for the other to fail.

I've read many threads in the archives where people have attempted to create active/active clusters in testing, but have seen very few reports of such a setup being put into production. But then again it seems it's been about a year since it was seriously discussed here.

So, here are my questions for anyone who can help me:

(1) Is the goal of implementing an active/active Cyrus cluster using shared storage and a shared file system a realistic one?

(2) If so, what recommendations do people have for the file system? GFS? OCFS2? something else?

(3) I've seen the "replicated" option for "mupdate_config" mentioned multiple times on the list, and reading the documentation gives me the impression that it applies to what I want to do, but I'm not 100% sure on that. Can anyone confirm or deny this?

(4) Assuming that pursuing the active/active approach is a bad idea, does anyone have alternate suggestions for the most efficient way to create a cluster that can provide BOTH high availability and load balancing? I've seen references to some setups where there are two nodes, with each being a master node for half of the mailboxes and a slave node for the other half, and able to take over service for all the mailboxes in the case of failure of the other node. But I can't seem to locate where I saw this setup described. If anyone has any pointers to that, or alternate suggestions, I'd appreciate it.

Lastly, is there anyone out there doing consulting for this sort of work that someone could recommend?

Thanks for reading!

________________________________________
Michael Sims
Manager - Application Development
Crye-Leike Information Technology
________________________________________

From dave64 at andrew.cmu.edu Mon Aug 3 20:21:19 2009
From: dave64 at andrew.cmu.edu (Dave McMurtrie)
Date: Mon, 03 Aug 2009 20:21:19 -0400
Subject: Need advice on building a Cyrus IMAP cluster
In-Reply-To:
References:
Message-ID: <4A777EFF.3040303@andrew.cmu.edu>

Michael Sims wrote:

...snipped...

> So, here are my questions for anyone who can help me:
>
> (1) Is the goal of implementing an active/active Cyrus cluster using shared
> storage and a shared file system a realistic one?

Yes. It has been done successfully.

> (2) If so, what recommendations do people have for the file system? GFS?
> OCFS2? something else?

When I worked at the University of Pittsburgh, we set up a 4-node, active/active Cyrus IMAP cluster. It ran on Sun v440 servers running Solaris 8 using Veritas Cluster Filesystem. If you need additional details about that setup, pop me an e-mail. It's been over 4 years since I worked there, so I may be sketchy on details at this point. Pitt has since replaced their active/active Veritas cluster with an active/passive Sun cluster.

I believe the Computer Science department here at Carnegie Mellon is in the midst of setting up an active/active Cyrus IMAP cluster. Since I don't work in that department, I don't have much in the way of details. I'm not sure whether Ray follows info-cyrus or not, but he can chime in.

Though I have no experience with it, I seem to recall that someone attempted to use GFS with an active/active Cyrus cluster and it was a disaster. It was mentioned either on info-cyrus or in the Cyrus wiki. If google doesn't help you find this, I can try to remember where I read it.

> (3) I've seen the "replicated" option for "mupdate_config" mentioned
> multiple times on the list, and reading the documentation gives me the
> impression that it applies to what I want to do, but I'm not 100% sure on
> that. Can anyone confirm or deny this?

As of Cyrus 2.3, the code supports the notion of application-level replication. It's near real-time replication of all the application data, but one copy of the data isn't live. This is more of an active/passive solution, since you have to do something to make cyrus aware of the 2nd copy of the data if you suffer some type of failure of the first copy.

> (4) Assuming that pursuing the active/active approach is a bad idea, does
> anyone have alternate suggestions for the most efficient way to create a
> cluster that can provide BOTH high availability and load balancing? I've
> seen references to some setups where there are two nodes, with each being a
> master node for half of the mailboxes and a slave node for the other half,
> and able to take over service for all the mailboxes in the case of failure
> of the other node. But I can't seem to locate where I saw this setup
> described. If anyone has any pointers to that, or alternate suggestions,
> I'd appreciate it.

We're doing pretty much what you describe. Each of our Cyrus mail backend servers acts as a replica for one of the other backend servers, so we always have 2 complete copies of our data. Unfortunately, in our case the failover would have to be accomplished completely manually and wouldn't be fast. It would, however, be much faster than restoring from backup tape in a disaster.

University of Michigan is using replication and rsync such that they have 3 copies of their data spread across separate data centers. I'm told they can also fail over quite easily when necessary. If you're interested in doing something like this, you may get a few pointers from umich.

Thanks,

Dave
--
Dave McMurtrie, SPE
Email Systems Team Leader
Carnegie Mellon University,
Computing Services

From dave64 at andrew.cmu.edu Mon Aug 3 21:10:28 2009
From: dave64 at andrew.cmu.edu (Dave McMurtrie)
Date: Mon, 03 Aug 2009 21:10:28 -0400
Subject: Need advice on building a Cyrus IMAP cluster
In-Reply-To: <4A777EFF.3040303@andrew.cmu.edu>
References: <4A777EFF.3040303@andrew.cmu.edu>
Message-ID: <4A778A84.9000504@andrew.cmu.edu>

Dave McMurtrie wrote:

> Though I have no experience with it, I seem to recall that someone
> attempted to use GFS with an active/active Cyrus cluster and it was a
> disaster. It was mentioned either on info-cyrus or in the Cyrus wiki.
> If google doesn't help you find this, I can try to remember where I read it.
>

Replying to myself:

Close... It was GPFS, not GFS. Here's the info-cyrus post I was thinking of:

http://lists.andrew.cmu.edu/pipermail/info-cyrus/2004-February/008975.html

A couple points that Mr. Ulmer makes are valid. When we first went into production with the active/active cluster at Pitt, it ground to a halt under heavy load because of mmap() usage. We ended up changing the map_refresh() code so it would MAP_PRIVATE instead of MAP_SHARED. This relieved the cluster of the burden of tracking the mmap() state across all of the nodes.

Also, we did not use Berkeley DB or Skiplist for anything. All of our databases were flat. I think BDB may use shared memory, which definitely won't work across cluster nodes using only a distributed filesystem. If this is the case, BDB just can't be used.

HTH,

Dave
--
Dave McMurtrie, SPE
Email Systems Team Leader
Carnegie Mellon University,
Computing Services

From zhangweiwu at realss.com Mon Aug 3 22:14:49 2009
From: zhangweiwu at realss.com (Zhang Weiwu)
Date: Tue, 04 Aug 2009 10:14:49 +0800
Subject: how to configure: turn off SSL_VERIFY_PEER flag for imap/tls
Message-ID: <4A779999.2030706@realss.com>

Hello.

I am trying to help my users workaround an issue which was described here:
https://bugzilla.mozilla.org/show_bug.cgi?id=437683

In short, cyrus imapd asked for tls client certificate, while user agent thunderbird prompts user to select one. Since our deployment does not require client certificate, and users have their email PGP certificate installed, whatever PGP certificate user selects must be wrong, thus user couldn't establish connection to imap server.

Workarounds:

1. Disable TLS on server or client (bad, their email wouldn't be safe then);
2. Remove PGP certificate for our clients (bad, ditto);
3. Ask users to switch from Thunderbird to Outlook Express (bad, I feel sicker if they do);
4. Wait for Thunderbird to add an option to allow user to configure always not offer certificate to TLS server even if asked (bad, could be years' waiting);
5. Configure cyrus so that it does not turn on SSL_VERIFY_PEER flag (of openssl), that imapd server do not ask user for client certificate (the only solution that looks feasible);

So 4 is the choice. Problem being I couldn't figure out how to configure it that way. I configured "tls_require_cert: false" which sets SSL_VERIFY_FAIL_IF_NO_PEER_CERT, which controls if requires the client to provide the certificate (instead of SSL_VERIFY_PEER which controls if asks the client to provide the certificate).

So how do you suggest me handle the situation? Thanks a lot in advance!

--
Real Softservice
Beisihuan Zhong Road No. 238 Baiyan Building Unit 406B
Tel: +86 (10) 8231 8580
http://www.realss.com

From vova at edu.yar.ru Tue Aug 4 03:13:46 2009
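One way to confirm from a packet capture whether a server still asks for a client certificate (an added example, not code from this thread or from Cyrus): an OpenSSL server running with SSL_VERIFY_PEER sends a CertificateRequest handshake message, which travels in cleartext up to TLS 1.2. The function names and the sample flights below are constructed for illustration; the input is assumed to be the raw server-to-client bytes of the TLS stream (for IMAP, the bytes after STARTTLS has been accepted).

```python
import struct

HANDSHAKE = 22            # TLS record content type
CERTIFICATE_REQUEST = 13  # handshake message types
SERVER_HELLO_DONE = 14


def iter_records(data):
    """Yield (content_type, payload) for each TLS record in `data`."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 5:
            raise ValueError("truncated record header")
        ctype, _version, length = struct.unpack_from("!BHH", data, pos)
        pos += 5
        if len(data) - pos < length:
            raise ValueError("truncated record body")
        yield ctype, data[pos:pos + length]
        pos += length


def handshake_types(data):
    """Return the cleartext handshake message types, in order.

    Handshake messages may be split across records or share one record, so
    the payloads are concatenated before parsing. Parsing stops at the first
    record that is not a handshake record: from there on the stream is
    encrypted (or is an alert).
    """
    stream = bytearray()
    for ctype, payload in iter_records(data):
        if ctype != HANDSHAKE:
            break
        stream += payload
    types, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 4:
            raise ValueError("truncated handshake header")
        length = int.from_bytes(stream[pos + 1:pos + 4], "big")
        if len(stream) - pos - 4 < length:
            raise ValueError("truncated handshake body")
        types.append(stream[pos])
        pos += 4 + length
    return types


def asks_for_client_cert(server_flight):
    """True or False for a complete cleartext flight, None if undecidable.

    None covers TLS 1.3, where CertificateRequest is sent encrypted, and
    captures that end before ServerHelloDone.
    """
    types = handshake_types(server_flight)
    if SERVER_HELLO_DONE not in types:
        return None
    return CERTIFICATE_REQUEST in types


def handshake_msg(msg_type, body):
    """Frame one handshake message: 1-byte type, 3-byte length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def record(payload, ctype=HANDSHAKE):
    """Frame one TLS record with version bytes 0x0303."""
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload


# Constructed sample flights. Message bodies are filler, not a real handshake.
HELLO = handshake_msg(2, b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00")
CERT = handshake_msg(11, bytes(40))
CERT_REQ = handshake_msg(13, b"\x01\x01" + b"\x00\x02\x04\x01" + b"\x00\x00")
DONE = handshake_msg(14, b"")
STREAM = HELLO + CERT + CERT_REQ + DONE

FLIGHT_ASKING = record(HELLO) + record(CERT) + record(CERT_REQ + DONE)
FLIGHT_NOT_ASKING = record(HELLO + CERT + DONE)
# Same messages as FLIGHT_ASKING, cut into 30-byte records.
FLIGHT_FRAGMENTED = b"".join(
    record(STREAM[i:i + 30]) for i in range(0, len(STREAM), 30))
# TLS 1.3 shape: ServerHello, ChangeCipherSpec, then encrypted records.
FLIGHT_TLS13_STYLE = record(HELLO) + record(b"\x01", 20) + record(bytes(64), 23)

if __name__ == "__main__":
    for name in ("FLIGHT_ASKING", "FLIGHT_NOT_ASKING",
                 "FLIGHT_FRAGMENTED", "FLIGHT_TLS13_STYLE"):
        print(name, asks_for_client_cert(globals()[name]))
```

A None result means the capture alone cannot answer the question; for TLS 1.3 the check has to be made on the endpoint instead.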
From: vova at edu.yar.ru (Vladimir Vassiliev)
Date: Tue, 4 Aug 2009 11:13:46 +0400
Subject: how to configure: turn off SSL_VERIFY_PEER flag for imap/tls
In-Reply-To: <4A779999.2030706@realss.com>
References: <4A779999.2030706@realss.com>
Message-ID: <200908041113.46917.vova@edu.yar.ru>

You can try this:
https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=2642

On Tuesday 04 August 2009, Zhang Weiwu wrote:
> Hello.
>
> I am trying to help my users workaround an issue which was described here:
> https://bugzilla.mozilla.org/show_bug.cgi?id=437683
>
> In short, cyrus imapd asked for tls client certificate, while user agent
> thunderbird prompts user to select one. Since our deployment does not
> require client certificate, and users have their email PGP certificate
> installed, whatever PGP certificate user selects must be wrong, thus
> user couldn't establish connection to imap server.
>
> Workarounds:
>
> 1. Disable TLS on server or client (bad, their email wouldn't be safe
> then);
> 2. Remove PGP certificate for our clients (bad, ditto);
> 3. Ask users to switch from Thunderbird to Outlook Express (bad, I
> feel sicker if they do);
> 4. Wait for Thunderbird to add an option to allow user to configure
> always not offer certificate to TLS server even if asked (bad,
> could be years' waiting);
> 5. Configure cyrus so that it does not turn on SSL_VERIFY_PEER flag
> (of openssl), that imapd server do not ask user for client
> certificate (the only solution that looks feasible);
>
> So 4 is the choice. Problem being I couldn't figure out how to configure
> it that way. I configured "tls_require_cert: false" which sets
> SSL_VERIFY_FAIL_IF_NO_PEER_CERT, which controls if requires the client
> to provide the certificate (instead of SSL_VERIFY_PEER which controls if
> asks the client to provide the certificate).
>
> So how do you suggest me handle the situation? Thanks a lot in advance!
>

--
Vladimir Vassiliev

From Leena.Heino at uta.fi Tue Aug 4 03:30:48 2009
From: Leena.Heino at uta.fi (Leena Heino) Date: Tue, 4 Aug 2009 10:30:48 +0300 (EEST) Subject: how to configure: turn off SSL_VERIFY_PEER flag for imap/tls In-Reply-To: <4A779999.2030706@realss.com> References: <4A779999.2030706@realss.com> Message-ID: On Tue, 4 Aug 2009, Zhang Weiwu wrote: > Hello. > > I am trying to help my users workaround an issue which was described here: > https://bugzilla.mozilla.org/show_bug.cgi?id=437683 > > In short, cyrus imapd asked for tls client certificate, while user agent > thunderbird prompts user to select one. Since our deployment does not > require client certificate, and users have their email PGP certificate > installed, whatever PGP certificate user selects must be wrong, thus > user couldn't establish connection to imap server. I've used patch like this to patch Cyrus IMAPD: Add to your imapd.conf: # Wheter to request client certificate with STARTTLS session. # ##tls_request_cert: 1 # Wheter to request client certificate with STARTTLS session. # imap_tls_request_cert: 0 pop3_tls_request_cert: 0 Patch: --- imap/tls.c.orig Fri Oct 28 17:51:18 2005 +++ imap/tls.c Thu Mar 2 12:45:28 2006 @@ -580,6 +580,7 @@ const char *s_cert_file; const char *s_key_file; int requirecert; + int requestcert; int timeout; if (tls_serverengine) @@ -684,8 +688,11 @@ SSL_CTX_set_tmp_rsa_callback(s_ctx, tmp_rsa_cb); verify_depth = verifydepth; - if (askcert!=0) - verify_flags |= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE; + if (askcert!=0) { + requestcert = config_getswitch(IMAPOPT_TLS_REQUEST_CERT); + if (requestcert) + verify_flags |= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE; + } requirecert = config_getswitch(IMAPOPT_TLS_REQUIRE_CERT); if (requirecert) --- lib/imapoptions Wed Feb 1 21:44:06 2006 +++ lib/imapoptions Thu Mar 2 12:45:28 2006 
@@ -956,6 +956,9 @@ /* File containing the private key belonging to the server certificate. A value of "disabled" will disable SSL/TLS. */ +{ "tls_request_cert", 1, SWITCH } +/* Request a client certificate for ALL services (imap, pop3, lmtp, sieve). */ + { "tls_require_cert", 0, SWITCH } /* Require a client certificate for ALL services (imap, pop3, lmtp, sieve). */ -- Leena Heino University of Tampere / Computer Centre ( liinu at uta.fi ) ( http://www.uta.fi/laitokset/tkk ) From nybbles2byte at gmail.com Tue Aug 4 06:58:35 2009 
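Review bot: In the second imap/tls.c hunk (@@ -684,8 +688,11 @@), requestcert gates only SSL_VERIFY_PEER, while the unchanged context right below it still reads tls_require_cert on its own. With tls_request_cert off and tls_require_cert on, the require branch would run without SSL_VERIFY_PEER, and OpenSSL ignores SSL_VERIFY_FAIL_IF_NO_PEER_CERT unless SSL_VERIFY_PEER is set as well, so the requirement would be dropped silently. Suggest either refusing that combination with a logged configuration error or letting requirecert imply the request. Separately, the new-side start of this hunk (+688) is three lines further along than the one declaration added in the first hunk accounts for, so the posted diff looks trimmed from a larger local change and may apply only with an offset.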
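Review bot: The option text added in the lib/imapoptions hunk says only "Request a client certificate for ALL services", which does not tell an administrator what setting it to 0 does or how it relates to tls_require_cert documented directly below it. Suggest stating that 0 stops the server from asking for a client certificate at all, that tls_require_cert has no effect in that case, and that the option can be scoped per service, as the imap_tls_request_cert and pop3_tls_request_cert lines in the accompanying imapd.conf snippet do.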
From: nybbles2byte at gmail.com (Nybbles2Byte)
Date: Tue, 4 Aug 2009 03:58:35 -0700
Subject: How to use global admin & virtual domains?
Message-ID: <18210044175.20090804035835@gmail.com>

Hello,

I'm trying to use global admins with virtual domains and I am not sure how it works. It works fine with admins for specific domains. Part of the documentation says that every user has a domain when using virtual domains and part says use a user without a domain for a global domain. Could someone please tell/show me what I am missing here? ...and thank you!

To see what I am experiencing, here's the results of two different ways of using cyradm I have tried:

------------------------------------------------------------------------
Scenario 1:

>cyradm -u root
cyradm> lm *@seowebsales.com
listmailbox: no connection to server
cyradm>

Doesn't look up the SQL Database for authentication.

------------------------------------------------------------------------
Scenario 2:

>cyradm -u root domain1.com
Password:
IMAP Password:
Login failed: authentication failure at /usr/lib/perl5/vendor_perl/5.10.0/x86_64-linux-thread-multi/Cyrus/IMAP/Admin.pm line 119
cyradm: cannot authenticate to server with as root

Does try to authenticate. However, when watching the MySQL query log it chooses a virtual domain at random to try for the "realm" part of the query. If it happens to use the domain that I want to administrate, then it succeeds instead of fails as it did in the case above.

------------------------------------------------------------------------
Here is my imap.conf file:

# Cyrus IMAPD 2.3.11
# Cyrus-SASL 2.1.22
#
# Cyrus-SASL options
#
sasl_auxprop_plugin: sql
sasl_log_level: 7
sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
sasl_pwcheck_method: auxprop
sasl_sql_hostnames: localhost
sasl_sql_user: cyrus
sasl_sql_passwd: **************
sasl_sql_database: system_mail
sasl_sql_select: SELECT `password` FROM `accounts` WHERE `user`='%u' AND `realm`='%r' AND `virtual` != 0
sasl_sql_insert: INSERT INTO `accounts` (`user`, `realm`, `password`) VALUES ('%u', '%r', '%v')
sasl_sql_update: UPDATE `accounts` SET `user`='%u',`realm`='%r',`password`='%v' WHERE `user`='%u' AND `realm`='%r'
#
# Cyrus-IMAP Options
#
admins: cyrus root root at domain1.com root at domain2.com root at domain3.com
allowplaintext: 1
altnamespace: 1
anyoneuseracl: 0
auth_mech: unix
configdirectory: /var/lib/imap
defaultdomain: localhost
drachost: localhost
dracinterval: 0
duplicatesuppression: 0
foolstupidclients: 1
hashimapspool: 1
improved_mboxlist_sort: 1
lmtp_downcase_rcpt: 1
lmtp_strict_quota: 1
logtimestamps: 1
partition-default: /var/mail/cyrus
popsubfolders: 1
poptimeout: 10
sendmail: /usr/sbin/sendmail
sievedir: /var/mail/sieve
unixhierarchysep: 1
virtdomains: 1

--
Nybbles2Byte
mailto:nybbles2byte at gmail.com

From clarkp at mtmary.edu Tue Aug 4 14:23:43 2009
From: clarkp at mtmary.edu (Peter Clark)
Date: Tue, 04 Aug 2009 13:23:43 -0500
Subject: imapd -U in cyrus.conf
Message-ID: <4A787CAF.5020708@mtmary.edu>

Hello all,

Not really understanding the -U (reuses) flag, is there an advantage to using it? I imagine that there is in some specific instances so I better ask the question differently. When would it be advantageous to use the -U flag in cyrus.conf?

ie:
imap cmd="imapd -U 60" listen="imap" prefork=6

Thank you,

Peter

From dave64 at andrew.cmu.edu Tue Aug 4 14:38:47 2009
From: dave64 at andrew.cmu.edu (Dave McMurtrie)
Date: Tue, 04 Aug 2009 14:38:47 -0400
Subject: imapd -U in cyrus.conf
In-Reply-To: <4A787CAF.5020708@mtmary.edu>
References: <4A787CAF.5020708@mtmary.edu>
Message-ID: <4A788037.7060307@andrew.cmu.edu>

Peter Clark wrote:
> Hello all,
>
> Not really understanding the -U (reuses) flag, is there an advantage to
> using it? I imagine that there is in some specific instances so I better
> ask the question differently. When would it be advantageous to use the
> -U flag in cyrus.conf?
>
> ie:
> imap cmd="imapd -U 60" listen="imap" prefork=6

If process creation is expensive on your system, it's good to reuse an existing imapd process as many times as possible to avoid the fork() overhead.

If there's a bad memory leak in imapd, you'd want it to exit often and have a new one be spawned so you don't exhaust virtual memory on your system.

hth,

Dave
--
Dave McMurtrie, SPE
Email Systems Team Leader
Carnegie Mellon University,
Computing Services

From simon.matter at invoca.ch Tue Aug 4 14:45:18 2009
From: simon.matter at invoca.ch (Simon Matter)
Date: Tue, 4 Aug 2009 20:45:18 +0200
Subject: imapd -U in cyrus.conf
In-Reply-To: <4A788037.7060307@andrew.cmu.edu>
References: <4A787CAF.5020708@mtmary.edu> <4A788037.7060307@andrew.cmu.edu>
Message-ID: <97a7a91a7ba21ee6974ffec96f1f16c3.squirrel@webmail.bi.corp.invoca.ch>

> Peter Clark wrote:
>> Hello all,
>>
>> Not really understanding the -U (reuses) flag, is there an advantage to
>> using it? I imagine that there is in some specific instances so I better
>> ask the question differently. When would it be advantageous to use the
>> -U flag in cyrus.conf?
>>
>> ie:
>> imap cmd="imapd -U 60" listen="imap" prefork=6
>
> If process creation is expensive on your system, it's good to reuse an
> existing imapd process as many times as possible to avoid the fork()
> overhead.

I was just wondering whether there is a list somewhere on how expensive a fork() is on different platforms. I know it should be quite fast on Linux but some Unices make it expensive. I'm wondering which ones are expensive these days.

Regards,
Simon

From selsky at columbia.edu Tue Aug 4 14:48:03 2009
From: selsky at columbia.edu (Matt Selsky)
Date: Tue, 4 Aug 2009 14:48:03 -0400
Subject: imapd -U in cyrus.conf
In-Reply-To: <4A787CAF.5020708@mtmary.edu>
References: <4A787CAF.5020708@mtmary.edu>
Message-ID: <42C458C7-6177-4898-A32A-46EE0404A5D1@columbia.edu>

On Aug 4, 2009, at 2:23 PM, Peter Clark wrote:

> Not really understanding the -U (reuses) flag, is there an advantage
> to
> using it? I imagine that there is in some specific instances so I
> better
> ask the question differently. When would it be advantageous to use the
> -U flag in cyrus.conf?
>
> ie:
> imap cmd="imapd -U 60" listen="imap" prefork=6

We use the following on Linux, where fork() is cheap:

imap cmd="imapd -U 1" listen="imap" proto="tcp4"

On other platforms where fork() is more expensive, you'll want to set -U higher to save on fork() overhead.

We also wanted to use -U 1 so we could be sure changes to imapd.conf would be used more quickly since there wouldn't be imapd procs hanging around with old settings.

Cheers,
--
Matt

From michaels at crye-leike.com Tue Aug 4 17:36:12 2009
From: michaels at crye-leike.com (Michael Sims)
Date: Tue, 4 Aug 2009 16:36:12 -0500
Subject: Need advice on building a Cyrus IMAP cluster
In-Reply-To: <4A777EFF.3040303@andrew.cmu.edu>
Message-ID:

Hi Dave,

Thanks for taking the time to respond.

Dave McMurtrie wrote:
> When I worked at the University of Pittsburgh, we set up a 4-node,
> active/active Cyrus IMAP cluster. It ran on Sun v440 servers running
> Solaris 8 using Veritas Cluster Filesystem. If you need additional
> details about that setup, pop me an e-mail.

Yes, I've seen you talk about this in the archives. However, we will be using linux for various reasons so I'm limited to what is available for it.

> I think BDB may use shared memory, which
> definitely won't work across cluster nodes using only a distributed
> filesystem. If this is the case, BDB just can't be used.

Yeah, I've read enough in previous threads to know to not compile BDB support into Cyrus if I'm going to try to use it over a shared file system.

> As of Cyrus 2.3, the code supports the notion of application-level
> replication. It's near real-time replication of all the application
> data, but one copy of the data isn't live. This is more of an
> active/passive solution, since you have to do something to make cyrus
> aware of the 2nd copy of the data if you suffer some type of failure
> of
> the first copy.

Ah, I see, thanks for the clarification, that is helpful.

Overall, my general feeling is that active/active is still a bit too bleeding edge for me to recommend it to my boss. I know that it has been done, but it seems to be relatively uncommon. I might try to toy around with it in a lab environment for kicks, but I think I'm going to lean towards an active/passive to be on the safe side.

Thanks for your help, I really appreciate it.

Michael Sims

From dave64 at andrew.cmu.edu Tue Aug 4 20:28:24 2009
From: dave64 at andrew.cmu.edu (Dave McMurtrie)
Date: Tue, 04 Aug 2009 20:28:24 -0400
Subject: Need advice on building a Cyrus IMAP cluster
In-Reply-To:
References:
Message-ID: <4A78D228.5030405@andrew.cmu.edu>

Michael Sims wrote:

> Overall, my general feeling is that active/active is still a bit too
> bleeding edge for me to recommend it to my boss.

Bleeding edge? VMS had this figured out ages ago :)

> I know that it has been
> done, but it seems to be relatively uncommon. I might try to toy around
> with it in a lab environment for kicks, but I think I'm going to lean
> towards an active/passive to be on the safe side.

That's probably a wise decision. To be honest, if I was the decision-maker back when we rolled out the Cyrus cluster at Pitt I never would have done it. The Cyrus guy at University of Pittsburgh (Ben Carter) is a ninja and the cluster was his idea. He was confident that it would work and it did. It performed extremely well and to my knowledge it never suffered an outage.

Good luck with whatever solution you pursue.

Thanks,

Dave

From robm at fastmail.fm Tue Aug 4 20:26:44 2009
From: robm at fastmail.fm (Rob Mueller)
Date: Wed, 5 Aug 2009 10:26:44 +1000
Subject: imapd -U in cyrus.conf
References: <4A787CAF.5020708@mtmary.edu> <42C458C7-6177-4898-A32A-46EE0404A5D1@columbia.edu>
Message-ID: <9862C57E175E4547A408F36058A506A1@jem>

> We also wanted to use -U 1 so we could be sure changes to imapd.conf
> would be used more quickly since there wouldn't be imapd procs hanging
> around with old settings.

FYI, another way of doing this without forcing -U 1 is to touch the imapd executable file. The cyrus master notices if the executable file mod time on disk has changed, and when the user logs off or disconnects from the imapd, it'll terminate it.

Rob

From zhangweiwu at realss.com Tue Aug 4 22:47:40 2009
From: zhangweiwu at realss.com (Zhang Weiwu)
Date: Wed, 05 Aug 2009 10:47:40 +0800
Subject: how to configure: turn off SSL_VERIFY_PEER flag for imap/tls
In-Reply-To: <200908041113.46917.vova@edu.yar.ru>
References: <4A779999.2030706@realss.com> <200908041113.46917.vova@edu.yar.ru>
Message-ID: <4A78F2CC.8080903@realss.com>

Vladimir Vassiliev wrote:
> You can try this:
> https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=2642
>

Thanks. I commented on that issue.

From mulitskiy at acedsl.com Wed Aug 5 14:05:21 2009
From: mulitskiy at acedsl.com (Michael Ulitskiy)
Date: Wed, 5 Aug 2009 14:05:21 -0400
Subject: authid translation using SASL sql auxprop
Message-ID: <200908051405.21931.mulitskiy@acedsl.com>

Hello,

Is there a way in cyrus/sasl to transparently change user authid according to result of some sql query? I.e. I want that if user successfully authenticates as user 'john' to transparently change his authid to user 'jack' and so let him see user.jack as his INBOX. After initial reading of documentation I thought I could do something like the following:

sasl_sql_select: SELECT password as userPassword, mailbox as authid FROM emails WHERE username='%u' and domain='%r'

I can do all kind of username/domain translation within sql domain (views/stored procedures/etc) so there's no problem to authenticate someone as someone else there, but how can I change the authid? Can it be done with Cyrus/SASL?

Thanks,

Michael

From dwhite at olp.net Wed Aug 5 15:17:36 2009
From: dwhite at olp.net (Dan White)
Date: Wed, 05 Aug 2009 14:17:36 -0500
Subject: authid translation using SASL sql auxprop
In-Reply-To: <200908051405.21931.mulitskiy@acedsl.com>
References: <200908051405.21931.mulitskiy@acedsl.com>
Message-ID: <4A79DAD0.8010400@olp.net>

Michael Ulitskiy wrote:
> Hello,
>
> Is there a way in cyrus/sasl to transparently change user authid according to result of some sql query?
> I.e. I want that if user successfully authenticates as user 'john' to transparently change his authid to user
> 'jack' and so let him see user.jack as his INBOX.
> After initial reading of documentation I thought I could do something like the following:
>
> sasl_sql_select: SELECT password as userPassword, mailbox as authid FROM emails WHERE username='%u' and domain='%r'
>
> I can do all kind of username/domain translation within sql domain (views/stored procedures/etc) so there's no problem to
> authenticate someone as someone else there, but how can I change the authid? Can it be done with Cyrus/SASL?
> Thanks,
>

Michael,

Cyrus SASL provides a canonicalization plugin hook to provide that service. The result of the canonicalization action determines what user id gets passed up to the calling application.

Currently, there is only an LDAP canon_plugin, and it's only available in CVS. See 'doc/plugprog.html' in the source tree, and:

https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/~checkout~/src/sasl/doc/options.html?rev=1.33;content-type=text/html

for ldapdb documentation.

- Dan

From nybbles2byte at gmail.com Wed Aug 5 16:27:55 2009
From: nybbles2byte at gmail.com (Nybbles2Byte)
Date: Wed, 5 Aug 2009 13:27:55 -0700
Subject: Cyrus administration problem
Message-ID: <891935403.20090805132755@gmail.com>

Hello,

I'm getting a little desperate here so I'm hoping someone can answer these two questions for me. I originally asked them as "How to use global admin. & virtual domains?" but no-one responded and I have no answers myself, so please, even if this seems like a stupid question because I am missing the obvious, please let me know!

In essence, I'm trying to use a global admin. with virtual domains and it doesn't seem to be working. With domain admins. there is no problem. From what I can see, part of the documentation says that with virtual hosting that every user must have a domain and another part says when using virtual domains use a user without a domain to create a global domain. Could someone please tell/show me what I am missing here in my attempts to make a global admin. work with virtual domains.

To see what I am experiencing, here's the results of two different ways of using cyradm I have tried:

------------------------------------------------------------------------
Scenario 1:

>cyradm -u root
cyradm> lm *@seowebsales.com
listmailbox: no connection to server
cyradm>

Doesn't look up the SQL Database for authentication hence the response "no connection to server".

------------------------------------------------------------------------
Scenario 2:

>cyradm -u root domain1.com
Password:
IMAP Password:
Login failed: authentication failure at /usr/lib/perl5/vendor_perl/5.10.0/x86_64-linux-thread-multi/Cyrus/IMAP/Admin.pm line 119
cyradm: cannot authenticate to server with as root

Here it does try to authenticate however, when watching the MySQL query log it chooses a virtual domain at random from the virtual domains from Apache or my local DNS server. If it happens to use the domain that I want to administrate, then it succeeds instead of fails as it did in the case above.

------------------------------------------------------------------------
Other than wanting to know how to get a global admin. working with virtual domains I would really appreciate someone helping me understand this issue of it randomly picking a virtual domain from Apache or my DNS (not sure which) to try and authenticate with.

Thanks so much to anyone who sheds some light on this!

Reggie.

Here is my imap.conf file:

# OS OpenSuSE 11.0
# Cyrus IMAPD 2.3.11
# Cyrus-SASL 2.1.22
#
# Cyrus-SASL options
#
sasl_auxprop_plugin: sql
sasl_log_level: 7
sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
sasl_pwcheck_method: auxprop
sasl_sql_hostnames: localhost
sasl_sql_user: cyrus
sasl_sql_passwd: **************
sasl_sql_database: system_mail
sasl_sql_select: SELECT `password` FROM `accounts` WHERE `user`='%u' AND `realm`='%r' AND `virtual` != 0
sasl_sql_insert: INSERT INTO `accounts` (`user`, `realm`, `password`) VALUES ('%u', '%r', '%v')
sasl_sql_update: UPDATE `accounts` SET `user`='%u',`realm`='%r',`password`='%v' WHERE `user`='%u' AND `realm`='%r'
#
# Cyrus-IMAP Options
#
admins: cyrus root root at domain1.com root at domain2.com root at domain3.com
allowplaintext: 1
altnamespace: 1
anyoneuseracl: 0
auth_mech: unix
configdirectory: /var/lib/imap
defaultdomain: localhost
drachost: localhost
dracinterval: 0
duplicatesuppression: 0
foolstupidclients: 1
hashimapspool: 1
improved_mboxlist_sort: 1
lmtp_downcase_rcpt: 1
lmtp_strict_quota: 1
logtimestamps: 1
partition-default: /var/mail/cyrus
popsubfolders: 1
poptimeout: 10
sendmail: /usr/sbin/sendmail
sievedir: /var/mail/sieve
unixhierarchysep: 1
virtdomains: 1

From reinaldoc at gmail.com Wed Aug 5 23:08:18 2009
From: reinaldoc at gmail.com (Reinaldo de Carvalho)
Date: Thu, 6 Aug 2009 00:08:18 -0300
Subject: Cyrus administration problem
In-Reply-To: <891935403.20090805132755@gmail.com>
References: <891935403.20090805132755@gmail.com>
Message-ID: <4a5881460908052008n67adce8ctedbd4e354f3460c2@mail.gmail.com>

On Wed, Aug 5, 2009 at 5:27 PM, Nybbles2Byte wrote:
> Hello,
>
> I'm getting a little desperate here so I'm hoping someone can answer these two questions for me. I originally asked them as "How to use global admin. & virtual domains?" but no-one responded and I have no answers myself, so please, even if this seems like a stupid question because I am missing the obvious, please let me know!
>

With ldap backend the secret is sasl_ldap_default_realm (or ldap_default_realm in saslauthd.conf) this is the domain to no-domain user like "root" (login with no-domain user is the global admin).

sasl_ldap_default_realm should be equal defaultdomain to work like a charm. ;)

I don't know if sasl_sql_default_realm exists.

--
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net

"Don't try to adapt the software to the way you work, but rather yourself to the way the software works" (myself)

From nybbles2byte at gmail.com Thu Aug 6 00:08:45 2009
From: nybbles2byte at gmail.com (Nybbles2Byte)
Date: Wed, 5 Aug 2009 21:08:45 -0700
Subject: Cyrus administration problem
In-Reply-To: <4a5881460908052008n67adce8ctedbd4e354f3460c2@mail.gmail.com>
References: <891935403.20090805132755@gmail.com> <4a5881460908052008n67adce8ctedbd4e354f3460c2@mail.gmail.com>
Message-ID: <566719445.20090805210845@gmail.com>

That was it! Well, close enough. I couldn't find any ldap_default_realm in the latest version but I was able to Google it and found someone else who has a similar question.

The key in this version (downloaded a month ago) is to change "virtdomains: 1" to "virtdomains: userid". This prevents Cyrus from doing a reverse DNS and then it just uses the server's short name for the realm - consistently (instead of the randomness I was getting from the reverse DNS - although now that I think about it, it was probably the DNS server handing out r-lookups in a round robin order).

In any case, problem solved, thanks!

Reggie

Wednesday, August 5, 2009, 8:08:18 PM, you wrote:

> On Wed, Aug 5, 2009 at 5:27 PM,
> Nybbles2Byte wrote:
>> Hello,
>> I'm getting a little desperate here so I'm hoping someone can answer these two questions for me. I originally asked them as "How to use global admin. & virtual domains?" but no-one responded and I have no answers myself, so please, even if this seems like a stupid question because I am missing the obvious, please let me know!
> With ldap backend the secret is sasl_ldap_default_realm (or ldap_default_realm in saslauthd.conf) this is the domain to no-domain user like "root" (login with no-domain user is the global admin).
> sasl_ldap_default_realm should be equal defaultdomain to work like a charm. ;)
> I don't know if sasl_sql_default_realm exists.

--
Nybbles2Byte mailto:nybbles2byte at gmail.com

From nybbles2byte at gmail.com Thu Aug 6 14:34:41 2009
From: nybbles2byte at gmail.com (Nybbles2Byte)
Date: Thu, 6 Aug 2009 11:34:41 -0700
Subject: Cyrus administration problem
In-Reply-To: <4a5881460908061112x2972d961l96a6e0fe2ceb4610@mail.gmail.com>
References: <891935403.20090805132755@gmail.com> <4a5881460908052008n67adce8ctedbd4e354f3460c2@mail.gmail.com> <566719445.20090805210845@gmail.com> <4a5881460908060424h7485219ag90522183f33a97a9@mail.gmail.com> <1045366812.20090806110920@gmail.com> <4a5881460908061112x2972d961l96a6e0fe2ceb4610@mail.gmail.com>
Message-ID: <1459945171.20090806113441@gmail.com>

Thanks but I am not sure how you are getting that conclusion from this wording in the manual. As far as I can see it is almost (but not quite) the reverse of what you are saying.

----------------------------------------------------------------------------------
Configuring Virtual Domains

Introduction

Virtual domains is the practice of hosting a service for more than one domain on one server. Cyrus IMAP has the ability to host IMAP/POP mailboxes for multiple domains (e.g. test at example.com and test at example.net) on a single server or Murder.

In order to accomplish this, Cyrus needs to know which domain to look in when a mailbox is accessed. There are two ways in which Cyrus can determine the domain:

* Fully qualified userid - the client logs in with a userid containing the domain in which the user belongs (e.g test at example.com or test%example.net)
* IP address - the server looks up the domain based on the IP address of the receiving interface (useful for servers with multiple NICs or using IP aliasing)

Both of these methods are active if the virtdomains option is set to on (or yes, 1, true) and can be used in conjunction with one another. If the virtdomains option is set to userid, then only the first method is used. Note that a fully qualified userid takes precedence over a domain obtained from the IP address.
----------------------------------------------------------------------------------

Thursday, August 6, 2009, 11:12:24 AM, you wrote:

> On Thu, Aug 6, 2009 at 3:09 PM,
> Nybbles2Byte wrote:
>> Avoiding DNS lookups that in my particular setup have no purpose is a good thing so I certainly want to keep this setting. However, if there is more that I can do to make the setup better, great! What man pages (man ???) and what should I be looking for?

> virtdomains: 1 (don't query DNS)
> virtdomains: userid (do DNS query)

>> Thursday, August 6, 2009, 4:24:22 AM, you wrote:

>>> On Thu, Aug 6, 2009 at 1:08 AM,
>>> Nybbles2Byte wrote:
>>>> That was it! Well, close enough. I couldn't find any ldap_default_realm in the latest version but I was able to Google it and found someone else who has a similar question.
>>>> The key in this version (downloaded a month ago) is to change "virtdomains: 1" to "virtdomains: userid". This prevents Cyrus from doing a reverse DNS and then it just uses the server's short name for the realm - consistently (instead of the randomness I was getting from the reverse DNS - although now that I think about it, it was probably the DNS server handing out r-lookups in a round robin order).

>>> I guess no. You really don't need "virtdomains: userid" (read manpage again).

>>>>> With ldap backend the secret is sasl_ldap_default_realm (or ldap_default_realm in saslauthd.conf) this is the domain to no-domain user like "root" (login with no-domain user is the global admin).
>>>>> sasl_ldap_default_realm should be equal defaultdomain to work like a charm. ;)
>>>>> I don't know if sasl_sql_default_realm exists.

>> --
>> Nybbles2Byte mailto:nybbles2byte at gmail.com

--
Nybbles2Byte mailto:nybbles2byte at gmail.com

From reinaldoc at gmail.com Thu Aug 6 16:25:13 2009
From: reinaldoc at gmail.com (Reinaldo de Carvalho)
Date: Thu, 6 Aug 2009 17:25:13 -0300
Subject: Cyrus administration problem
In-Reply-To: <1459945171.20090806113441@gmail.com>
References: <891935403.20090805132755@gmail.com> <4a5881460908052008n67adce8ctedbd4e354f3460c2@mail.gmail.com> <566719445.20090805210845@gmail.com> <4a5881460908060424h7485219ag90522183f33a97a9@mail.gmail.com> <1045366812.20090806110920@gmail.com> <4a5881460908061112x2972d961l96a6e0fe2ceb4610@mail.gmail.com> <1459945171.20090806113441@gmail.com>
Message-ID: <4a5881460908061325j29e74589j54faeb112cd88cc@mail.gmail.com>

On Thu, Aug 6, 2009 at 3:34 PM, Nybbles2Byte wrote:
> Thanks but I am not sure how you are getting that conclusion from this wording in the manual. As far as I can see it is almost (but not quite) the reverse of what you are saying.
>

# man imapd.conf

virtdomains: off
    Enable virtual domain support. If enabled, the user's domain will be determined by splitting a fully qualified userid at the last '@' or '%' symbol.

userid refers to "login" user not reverse DNS.

fully qualified userid => johndoe at example.org (no dns lookup)
unqualified userid => johndoe (no dns lookup if sasl_ldap_default_domain* or sasl_ldap_default_realm* and defaultdomain is set)

* without sasl_ prefix at saslauthd.conf.

With saslauthd.conf:

ldap_default_realm: default.example.org
ldap_filter: (&(objectClass=inetOrgPerson)(mail=%U@%d))

Login with unqualified userid root makes query to (&(objectClass=inetOrgPerson)(mail=root at default.example.org))

With "admins: root" root becomes global admin.

This example is for saslauthd with LDAP backend.

> ----------------------------------------------------------------------------------
> Configuring Virtual Domains
> Introduction
>
> Virtual domains is the practice of hosting a service for more than one domain on one server. Cyrus IMAP has the ability to host IMAP/POP mailboxes for multiple domains (e.g. test at example.com and test at example.net) on a single server or Murder.
>
> In order to accomplish this, Cyrus needs to know which domain to look in when a mailbox is accessed. There are two ways in which Cyrus can determine the domain:
>
> * Fully qualified userid - the client logs in with a userid containing the domain in which the user belongs (e.g test at example.com or test%example.net)
> * IP address - the server looks up the domain based on the IP address of the receiving interface (useful for servers with multiple NICs or using IP aliasing)
>
> Both of these methods are active if the virtdomains option is set to on (or yes, 1, true) and can be used in conjunction with one another. If the virtdomains option is set to userid, then only the first method is used. Note that a fully qualified userid takes precedence over a domain obtained from the IP address.
> ----------------------------------------------------------------------------------
>

--
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net

"Don't try to adapt the software to the way you work, but rather yourself to the way the software works" (myself)

From nybbles2byte at gmail.com Thu Aug 6 16:49:11 2009
From: nybbles2byte at gmail.com (Nybbles2Byte)
Date: Thu, 6 Aug 2009 13:49:11 -0700
Subject: Cyrus administration problem
In-Reply-To: <4a5881460908061325j29e74589j54faeb112cd88cc@mail.gmail.com>
References: <891935403.20090805132755@gmail.com> <4a5881460908052008n67adce8ctedbd4e354f3460c2@mail.gmail.com> <566719445.20090805210845@gmail.com> <4a5881460908060424h7485219ag90522183f33a97a9@mail.gmail.com> <1045366812.20090806110920@gmail.com> <4a5881460908061112x2972d961l96a6e0fe2ceb4610@mail.gmail.com> <1459945171.20090806113441@gmail.com> <4a5881460908061325j29e74589j54faeb112cd88cc@mail.gmail.com>
Message-ID: <751072214.20090806134911@gmail.com>

I get it, I know what you are saying but, perhaps this was just a typo but I was responding to this as you wrote it:

virtdomains: 1 (don't query DNS)
virtdomains: userid (do DNS query)

In fact, if you read the manual, the way it works is:

virtdomains: 1 (do DNS query if no realm is specified in userid - see excerpt I included in previous email)
virtdomains: userid (never do a DNS query, i.e.: only use userid - and the part that is not mentioned but I can see for myself in the queries - if no realm is specified in user id then use [the short] server name for the realm... and that gives me something consistent which is all I needed. As a bonus there is no chance of costly DNS lookups which there can be if I leave virtdomains set at 1.)

I have yet to find ldap_default_realm in the html manual but perhaps it is only in the man pages (or I just haven't seen it even though it is there). In any case, I will certainly look further with your information provided but as it stands, the solution of changing virtdomains to userid was a good one for my needs.

Thank you for your kind help.

Reggie.

Thursday, August 6, 2009, 1:25:13 PM, you wrote:

> On Thu, Aug 6, 2009 at 3:34 PM,
> Nybbles2Byte wrote:
>> Thanks but I am not sure how you are getting that conclusion from this wording in the manual. As far as I can see it is almost (but not quite) the reverse of what you are saying.

> # man imapd.conf
> virtdomains: off
>     Enable virtual domain support. If enabled, the user's domain will be determined by splitting a fully qualified userid at the last '@' or '%' symbol.
> userid refers to "login" user not reverse DNS.
> fully qualified userid => johndoe at example.org (no dns lookup)
> unqualified userid => johndoe (no dns lookup if sasl_ldap_default_domain* or sasl_ldap_default_realm* and defaultdomain is set)
> * without sasl_ prefix at saslauthd.conf.
> With saslauthd.conf:
> ldap_default_realm: default.example.org
> ldap_filter: (&(objectClass=inetOrgPerson)(mail=%U@%d))
> Login with unqualified userid root makes query to (&(objectClass=inetOrgPerson)(mail=root at default.example.org))
> With "admins: root" root becomes global admin.
> This example is for saslauthd with LDAP backend.

>> ----------------------------------------------------------------------------------
>> Configuring Virtual Domains
>> Introduction
>> Virtual domains is the practice of hosting a service for more than one domain on one server. Cyrus IMAP has the ability to host IMAP/POP mailboxes for multiple domains (e.g. test at example.com and test at example.net) on a single server or Murder.
>> In order to accomplish this, Cyrus needs to know which domain to look in when a mailbox is accessed. There are two ways in which Cyrus can determine the domain:
>> * Fully qualified userid - the client logs in with a userid containing the domain in which the user belongs (e.g test at example.com or test%example.net)
>> * IP address - the server looks up the domain based on the IP address of the receiving interface (useful for servers with multiple NICs or using IP aliasing)
>> Both of these methods are active if the virtdomains option is set to on (or yes, 1, true) and can be used in conjunction with one another. If the virtdomains option is set to userid, then only the first method is used. Note that a fully qualified userid takes precedence over a domain obtained from the IP address.
>> ----------------------------------------------------------------------------------

--
Nybbles2Byte mailto:nybbles2byte at gmail.com

From dbucherml at hsolutions.ch Thu Aug 6 19:04:24 2009
From: dbucherml at hsolutions.ch (Denis BUCHER)
Date: Fri, 07 Aug 2009 01:04:24 +0200
Subject: Cyrus administration problem
In-Reply-To: <891935403.20090805132755@gmail.com>
References: <891935403.20090805132755@gmail.com>
Message-ID: <4A7B6178.1030900@hsolutions.ch>

Hello,

Did you read by any chance my post dated 31.07.2009 22:03 with subject "Re: Architectural mistake in cyrus ?"

Denis

Nybbles2Byte wrote:
> Hello,
>
> I'm getting a little desperate here so I'm hoping someone can answer these two questions for me. I originally asked them as "How to use global admin. & virtual domains?" but no-one responded and I have no answers myself, so please, even if this seems like a stupid question because I am missing the obvious, please let me know!
>
> In essence, I'm trying to use a global admin. with virtual domains and it doesn't seem to be working. With domain admins. there is no problem.
>
> From what I can see, part of the documentation says that with virtual hosting that every user must have a domain and another part says when using virtual domains use a user without a domain to create a global domain.
>
> Could someone please tell/show me what I am missing here in my attempts to make a global admin. work with virtual domains.
>
> To see what I am experiencing, here's the results of two different ways of using cyradm I have tried:
>
> ------------------------------------------------------------------------
> Scenario 1:
>
> >cyradm -u root
> cyradm> lm *@seowebsales.com
> listmailbox: no connection to server
> cyradm>
>
> Doesn't look up the SQL Database for authentication hence the response "no connection to server".
>
> ------------------------------------------------------------------------
> Scenario 2:
>
> >cyradm -u root domain1.com
> Password:
> IMAP Password:
> Login failed: authentication failure at /usr/lib/perl5/vendor_perl/5.10.0/x86_64-linux-thread-multi/Cyrus/IMAP/Admin.pm line 119
> cyradm: cannot authenticate to server with as root
>
> Here it does try to authenticate however, when watching the MySQL query log it chooses a virtual domain at random from the virtual domains from Apache or my local DNS server. If it happens to use the domain that I want to administrate, then it succeeds instead of fails as it did in the case above.
>
> ------------------------------------------------------------------------
>
> Other than wanting to know how to get a global admin. working with virtual domains I would really appreciate someone helping me understand this issue of it randomly picking a virtual domain from Apache or my DNS (not sure which) to try and authenticate with.
>
> Thanks so much to anyone who sheds some light on this!
>
> Reggie.
>
> Here is my imap.conf file:
>
> # OS OpenSuSE 11.0
> # Cyrus IMAPD 2.3.11
> # Cyrus-SASL 2.1.22
>
> #
> # Cyrus-SASL options
> #
> sasl_auxprop_plugin: sql
> sasl_log_level: 7
> sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
> sasl_pwcheck_method: auxprop
> sasl_sql_hostnames: localhost
> sasl_sql_user: cyrus
> sasl_sql_passwd: **************
> sasl_sql_database: system_mail
> sasl_sql_select: SELECT `password` FROM `accounts` WHERE `user`='%u' AND `realm`='%r' AND `virtual` != 0
> sasl_sql_insert: INSERT INTO `accounts` (`user`, `realm`, `password`) VALUES ('%u', '%r', '%v')
> sasl_sql_update: UPDATE `accounts` SET `user`='%u',`realm`='%r',`password`='%v' WHERE `user`='%u' AND `realm`='%r'
>
> #
> # Cyrus-IMAP Options
> #
> admins: cyrus root root at domain1.com root at domain2.com root at domain3.com
> allowplaintext: 1
> altnamespace: 1
> anyoneuseracl: 0
> auth_mech: unix
> configdirectory: /var/lib/imap
> defaultdomain: localhost
> drachost: localhost
> dracinterval: 0
> duplicatesuppression: 0
> foolstupidclients: 1
> hashimapspool: 1
> improved_mboxlist_sort: 1
> lmtp_downcase_rcpt: 1
> lmtp_strict_quota: 1
> logtimestamps: 1
> partition-default: /var/mail/cyrus
> popsubfolders: 1
> poptimeout: 10
> sendmail: /usr/sbin/sendmail
> sievedir: /var/mail/sieve
> unixhierarchysep: 1
> virtdomains: 1
>
> ------------------------------------------------------------------------
>
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

From lucaszc at gmail.com Thu Aug 6 22:16:44 2009
From: lucaszc at gmail.com (Lucas Zinato Carraro)
Date: Thu, 6 Aug 2009 23:16:44 -0300
Subject: Parameters password in Cleartext using ldap as backend for for authentication
Message-ID: <916415860908061916q6e636dc6hd3986c38abc633f@mail.gmail.com>

Hello,

I have a mail cluster with cyrus murder (imap aggregator).

In some machines "imapd.conf" has some password parameters in "clear text"

.....
mail1_password: secret
mail2_password: secret
mupdate_password: topsecret
.......

I use ldap as backend for cyrus sasl and I have "murder user" and "backends users" defined in ldap.

Is there any way to encrypt these parameters?

In my architecture it is actually impossible to use kerberos :-(

Thanks in advance
Lucas Zinato Carraro
DATAPREV

From reinaldoc at gmail.com Fri Aug 7 07:37:25 2009
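Whether or not the values can be encrypted, who can read the file is something that can be checked directly. The following is an added Python example, not part of any post in this thread: it lists the password-bearing options in an imapd.conf-style file and flags permission bits that expose them. The sample text is constructed from the option names in the post above, and the function names are illustrative.

```python
"""Audit an imapd.conf-style file for stored secrets and loose permissions."""
import os
import re
import stat

# Matches "<host>_password", "mupdate_password", "sasl_sql_passwd" and similar
# option names that carry a non-empty value.
SECRET_OPTION = re.compile(r"^\s*([\w.\-]*passw(?:or)?d)\s*:\s*\S", re.IGNORECASE)

# Constructed sample; option names are the ones quoted in the post above.
SAMPLE_CONF = """\
configdirectory: /var/lib/imap
# mupdate_password: commented-out lines are ignored
mail1_password: secret
mail2_password: secret
mupdate_password: topsecret
"""


def secret_options(text):
    """Return the names of active options that hold a stored secret."""
    names = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = SECRET_OPTION.match(line)
        if match:
            names.append(match.group(1))
    return names


def audit(text, mode):
    """Return findings for config text stored with the given permission bits."""
    names = secret_options(text)
    if not names:
        return []
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable file holds: " + ", ".join(names))
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file is writable by group or others")
    return findings


def audit_file(path):
    """Run audit() against a file on disk, using its current mode."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        text = handle.read()
    return audit(text, stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, 0o644):
        print(finding)
```
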
From: reinaldoc at gmail.com (Reinaldo de Carvalho)
Date: Fri, 7 Aug 2009 08:37:25 -0300
Subject: Parameters password in Cleartext using ldap as backend for for authentication
In-Reply-To: <916415860908061916q6e636dc6hd3986c38abc633f@mail.gmail.com>
References: <916415860908061916q6e636dc6hd3986c38abc633f@mail.gmail.com>
Message-ID: <4a5881460908070437g23545eb5ra6a147b575a6ade9@mail.gmail.com>

On Thu, Aug 6, 2009 at 11:16 PM, Lucas Zinato Carraro wrote:
> Hello,
>
> I have a mail cluster with cyrus murder (imap aggregator).
>
> In some machines "imapd.conf" has some password parameters in "clear text"
>
> .....
> mail1_password: secret
> mail2_password: secret
> mupdate_password: topsecret
> .......
>
> I use ldap as backend for cyrus sasl and I have "murder user" and "backends users" defined in ldap.
>
> Is there any way to encrypt these parameters?
>

This is a chicken or the egg problem.

> In my architecture it is actually impossible to use kerberos :-(
>
> Thanks in advance
> Lucas Zinato Carraro
> DATAPREV
>

--
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net

"Don't try to adapt the software to the way you work, but rather yourself to the way the software works" (myself)

From andreas.moroder at sb-brixen.it Fri Aug 7 12:20:40 2009
From: andreas.moroder at sb-brixen.it (andreas.moroder at sb-brixen.it)
Date: Fri, 07 Aug 2009 18:20:40 +0200
Subject: Detect if nntp support is enabled
Message-ID: <20090807182040.11046jckxiftw0ow@webmail.sb-brixen.it>

Hello,

is there a way to detect if nntp support is enabled in cyrus ?

Thanks
Andreas

From bhc at pitt.edu Fri Aug 7 13:51:39 2009
From: bhc at pitt.edu (Ben Carter)
Date: Fri, 07 Aug 2009 13:51:39 -0400
Subject: Detect if nntp support is enabled
In-Reply-To: <20090807182040.11046jckxiftw0ow@webmail.sb-brixen.it>
References: <20090807182040.11046jckxiftw0ow@webmail.sb-brixen.it>
Message-ID: <4A7C69AB.2010009@pitt.edu>

andreas.moroder at sb-brixen.it wrote:
> Hello,
>
> is there a way to detect if nntp support is enabled in cyrus ?
>
> Thanks
> Andreas
>

telnet to port 119?

Ben

--
Ben Carter
University of Pittsburgh/CSSD
bhc at pitt.edu
412-624-6470

From derek at matmi.com Mon Aug 10 05:08:57 2009
From: derek at matmi.com (Derek Jones)
Date: Mon, 10 Aug 2009 10:08:57 +0100
Subject: numerically named imap folders
Message-ID: <13633_1249895341_n7A990jq005703_20CF78F1-F26D-44E8-9D12-98E3F1129C4A@matmi.com>

Hi,

I keep finding numerically named imap folders appearing like;

1249491130103

does anybody know why these appear and how to prevent them from being created or seen at the client?

TIA
Derek

From andreas.moroder at sb-brixen.it Tue Aug 11 08:54:22 2009
From: andreas.moroder at sb-brixen.it (andreas.moroder at sb-brixen.it)
Date: Tue, 11 Aug 2009 14:54:22 +0200
Subject: Compress attachments
Message-ID: <20090811145422.14905d4ntb7kn20w@titan>

Hello,

I found older (1998) posts about mailbox or attachment compression, but no answer to my question.

Is it possible to configure cyrus the way that it compresses the attachments on the storage (not for transfer as in RFC 4978)?

I know that diskspace is cheap, but when you have to get back thousands of mailboxes from a backup, the smaller the files are the faster the restore is done.

Thanks
Andreas

From D.J.Mayo at bath.ac.uk Wed Aug 12 05:42:19 2009
From: D.J.Mayo at bath.ac.uk (David Mayo)
Date: Wed, 12 Aug 2009 10:42:19 +0100
Subject: IMAP proxy advertising MAILBOX-REFERRALS and confusing Pine
Message-ID: <4A828E7B.6090906@bath.ac.uk>

We undertook the first stage of our IMAP server upgrade yesterday and introduced a front-end proxy running Cyrus 2.2 in front of our sole back-end server running Cyrus 2.2.

Since the upgrade, when a Pine user sends an email, the email is sent fine however when Pine appends the message to the sent-mail mailbox it asks the user to reauthenticate. Looking at the telemetry, the proxy server is advertising MAILBOX-REFERRALS[1] and Pine is trying to use them[2] but isn't able to silently reauthenticate the user.

Looking at the man pages for imapd.conf there is a useful feature proxyd_disable_mailbox_referrals however this was introduced in Cyrus 2.3.

Does anyone have any suggestions as to how to stop the front-end proxy server from advertising MAILBOX-REFERRALS and/or for Pine to ignore such capabilities.

Many thanks,
Dave.

David Mayo
Networks/Systems Administrator
University of Bath Computing Services, UK

[1]
* OK imaphost.bath.ac.uk Cyrus IMAP4 Murder v2.2.13 server ready
1 capability
* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS AUTH=GSSAPI SASL-IR
1 OK Completed

[2]
<1249984767<00000009 RLIST "" INBOX.sent-mail
>1249984767>* LIST (\HasNoChildren) "." "INBOX.sent-mail"
00000009 OK Completed
<1249984767<0000000a APPEND INBOX.sent-mail {335}
>1249984767>0000000a NO [REFERRAL imap://;AUTH=*@imap-backend1.bath.ac.uk/INBOX.sent-mail] Remote mailbox.

From paul at vandervlis.nl Wed Aug 12 07:30:06 2009
From: paul at vandervlis.nl (Paul van der Vlis)
Date: Wed, 12 Aug 2009 13:30:06 +0200
Subject: How to test timsieved
Message-ID: <4A82A7BE.3040903@vandervlis.nl>

Hello,

I am using a program called Ingo to manage my sieve-scripts.
http://www.horde.org/ingo/

But it does not work anymore, when I change a sieve script it says:
--------
Changes saved.
There was an error activating the script. The driver said: "Authentication Error"
--------
The rest of the (web)mail server works fine.

The driver is timsieved. How can I test timsieved directly, so without Ingo? I will add some things at the end of the mail that I have already tried. I think sieve accepts plain passwords.

With regards,
Paul van der Vlis.

paul at sigmund:/usr/lib/sasl2$ telnet localhost sieve
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
"IMPLEMENTATION" "Cyrus timsieved v2.1.18-IPv6-Debian-2.1.18-5.1"
"SASL" "PLAIN"
"SIEVE" "fileinto reject envelope vacation imapflags notify subaddress relational regex"
OK

paul at sigmund:/usr/lib/sasl2$ imtest -m login localhost
S: * OK sigmund Cyrus IMAP4 v2.1.18-IPv6-Debian-2.1.18-5.1 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS ANNOTATEMORE
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN paul {6}
S: + go ahead
C:
S: L01 OK User logged in
Authenticated.
Security strength factor: 0

--
http://www.vandervlis.nl/

From dave64 at andrew.cmu.edu Wed Aug 12 07:43:05 2009
From: dave64 at andrew.cmu.edu (Dave McMurtrie)
Date: Wed, 12 Aug 2009 07:43:05 -0400
Subject: How to test timsieved
In-Reply-To: <4A82A7BE.3040903@vandervlis.nl>
References: <4A82A7BE.3040903@vandervlis.nl>
Message-ID: <4A82AAC9.3020004@andrew.cmu.edu>

Paul van der Vlis wrote:
> Hello,
>
> I am using a program called Ingo to manage my sieve-scripts.
> http://www.horde.org/ingo/
>
> But it does not work anymore, when I change a sieve script it says:
> --------
> Changes saved.
> There was an error activating the script. The driver said: "Authentication Error"
> --------
> The rest of the (web)mail server works fine.
>
> The driver is timsieved. How can I test timsieved directly, so without Ingo? I will add some things at the end of the mail that I have already tried. I think sieve accepts plain passwords.

Try sivtest. It still relies on you knowing enough about the protocol to know what you want to test, but it will take care of the connection and authentication parts for you.

Thanks,

Dave

From Duncan.Gibb at SiriusIT.co.uk Wed Aug 12 08:26:35 2009
From: Duncan.Gibb at SiriusIT.co.uk (Duncan Gibb)
Date: Wed, 12 Aug 2009 13:26:35 +0100
Subject: How to test timsieved
In-Reply-To: <4A82A7BE.3040903@vandervlis.nl>
References: <4A82A7BE.3040903@vandervlis.nl>
Message-ID: <4A82B4FB.9020100@SiriusIT.co.uk>

Paul van der Vlis wrote:

PvdV> How can I test timsieved directly, so without Ingo?

For high-level functions, you can use sieveshell, which is in the cyrus-admin-2.2 package.

> "IMPLEMENTATION" "Cyrus timsieved v2.1.18-IPv6-Debian-2.1.18-5.1"

In that case, I meant the "cyrus21-admin" package...

Telnet should also work as a low level tool. After connect your next input needs to be

AUTHENTICATE "PLAIN" "xxxxxxxxx"

where xxxxxxxxx is the base64 encoding of

username\0username\0password

for the credentials you're testing. For example if your username is "paul" and your password is "secret", you could do this:

AUTHENTICATE "PLAIN" "cGF1bABwYXVsAHNlY3JldA=="

If the server says "OK", try the LISTSCRIPTS command, and so on.

Note that timsieved is very intolerant and will simply exit dropping the connection if you make a protocol error.

Duncan

--
Duncan Gibb - Technical Director
Sirius Corporation plc - control through freedom
http://www.siriusit.co.uk/ || t: +44 870 608 0063
Debian Cyrus Team - https://alioth.debian.org/projects/pkg-cyrus-imapd/

From wes at umich.edu Wed Aug 12 14:31:27 2009
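The token Duncan Gibb describes in the message above, as an added Python example that is not part of any post in this thread: it builds and decodes the SASL PLAIN string (base64 is an encoding, so decoding needs no key) and checks a timsieved greeting for PLAIN being offered with no STARTTLS capability. The greeting is the one from Paul van der Vlis's telnet session; the function names are illustrative, and the field order authzid, authcid, password follows RFC 4616.

```python
"""SASL PLAIN tokens as used in a ManageSieve AUTHENTICATE command."""
import base64
import binascii
import re

# Greeting copied from the telnet session posted earlier in this thread.
GREETING = '''"IMPLEMENTATION" "Cyrus timsieved v2.1.18-IPv6-Debian-2.1.18-5.1"
"SASL" "PLAIN"
"SIEVE" "fileinto reject envelope vacation imapflags notify subaddress relational regex"
OK
'''

_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def build_plain_token(authcid, password, authzid=""):
    """Return base64(authzid NUL authcid NUL password)."""
    for field in (authzid, authcid, password):
        if "\x00" in field:
            raise ValueError("NUL separates the fields and cannot appear inside one")
    if not authcid:
        raise ValueError("authcid (the login name) must not be empty")
    raw = "\x00".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_plain_token(token):
    """Reverse build_plain_token: return (authzid, authcid, password)."""
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error as exc:
        raise ValueError("token is not valid base64") from exc
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("expected exactly three NUL-separated fields")
    authzid, authcid, password = (part.decode("utf-8") for part in parts)
    return authzid, authcid, password


def authenticate_line(token):
    """Format the command exactly as it is typed into the telnet session."""
    return 'AUTHENTICATE "PLAIN" "%s"' % token


def parse_capabilities(greeting):
    """Map each capability name to its value ('' when it has none)."""
    caps = {}
    for line in greeting.splitlines():
        line = line.strip()
        if not line:
            continue
        if not line.startswith('"'):
            break  # OK / NO / BYE ends the capability list
        fields = _QUOTED.findall(line)
        if fields:
            caps[fields[0].upper()] = fields[1] if len(fields) > 1 else ""
    return caps


def plain_offered_without_starttls(caps):
    """True when a fresh, unencrypted connection offers PLAIN but no STARTTLS."""
    mechanisms = caps.get("SASL", "").upper().split()
    return "PLAIN" in mechanisms and "STARTTLS" not in caps


if __name__ == "__main__":
    token = build_plain_token("paul", "secret", authzid="paul")
    print(authenticate_line(token))
    print(parse_plain_token(token))
    print(plain_offered_without_starttls(parse_capabilities(GREETING)))
```
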
From: wes at umich.edu (Wesley Craig)
Date: Wed, 12 Aug 2009 14:31:27 -0400
Subject: IMAP proxy advertising MAILBOX-REFERRALS and confusing Pine
In-Reply-To: <4A828E7B.6090906@bath.ac.uk>
References: <4A828E7B.6090906@bath.ac.uk>
Message-ID: <877994A4-F4FF-4FF9-A8E2-107839EFA014@umich.edu>

I suspect that backporting that functionality would be pretty easy. Have you looked for the commit that added it to 2.3?

:wes

On 12 Aug 2009, at 05:42, David Mayo wrote:

> We undertook the first stage of our IMAP server upgrade yesterday and introduced a front-end proxy running Cyrus 2.2 in front of our sole back-end server running Cyrus 2.2.
>
> Since the upgrade, when a Pine user sends an email, the email is sent fine however when Pine appends the message to the sent-mail mailbox it asks the user to reauthenticate. Looking at the telemetry, the proxy server is advertising MAILBOX-REFERRALS[1] and Pine is trying to use them[2] but isn't able to silently reauthenticate the user.
>
> Looking at the man pages for imapd.conf there is a useful feature proxyd_disable_mailbox_referrals however this was introduced in Cyrus 2.3.
>
> Does anyone have any suggestions as to how to stop the front-end proxy server from advertising MAILBOX-REFERRALS and/or for Pine to ignore such capabilities.

From morgan at orst.edu Wed Aug 12 15:04:59 2009
From: morgan at orst.edu (Andrew Morgan)
Date: Wed, 12 Aug 2009 12:04:59 -0700 (PDT)
Subject: IMAP proxy advertising MAILBOX-REFERRALS and confusing Pine
In-Reply-To: <4A828E7B.6090906@bath.ac.uk>
References: <4A828E7B.6090906@bath.ac.uk>
Message-ID:

On Wed, 12 Aug 2009, David Mayo wrote:

> We undertook the first stage of our IMAP server upgrade yesterday and introduced a front-end proxy running Cyrus 2.2 in front of our sole back-end server running Cyrus 2.2.
>
> Since the upgrade, when a Pine user sends an email, the email is sent fine however when Pine appends the message to the sent-mail mailbox it asks the user to reauthenticate. Looking at the telemetry, the proxy server is advertising MAILBOX-REFERRALS[1] and Pine is trying to use them[2] but isn't able to silently reauthenticate the user.
>
> Looking at the man pages for imapd.conf there is a useful feature proxyd_disable_mailbox_referrals however this was introduced in Cyrus 2.3.
>
> Does anyone have any suggestions as to how to stop the front-end proxy server from advertising MAILBOX-REFERRALS and/or for Pine to ignore such capabilities.

This was originally a patch I obtained from the folks at Portland State University:

http://oregonstate.edu/~morgan/cyrus/patches/imapd-disable-referrals.patch

It does exactly what you want in cyrus 2.2.

Andy

From michaels at crye-leike.com Wed Aug 12 15:58:08 2009
From: michaels at crye-leike.com (Michael Sims)
Date: Wed, 12 Aug 2009 14:58:08 -0500
Subject: Need advice on building a Cyrus IMAP cluster
In-Reply-To: <4A777EFF.3040303@andrew.cmu.edu>
Message-ID:

Hi Dave,

Dave McMurtrie wrote:
> As of Cyrus 2.3, the code supports the notion of application-level
> replication. It's near real-time replication of all the application
> data, but one copy of the data isn't live. This is more of an
> active/passive solution, since you have to do something to make cyrus
> aware of the 2nd copy of the data if you suffer some type of failure of
> the first copy.

Quick question on this. If I setup an active/passive cluster and put the mail spool AND all of the application data on a SAN that both nodes have access to (not simultaneously, of course), doesn't that bypass the need for using "mupdate_config: replicated"? Thanks...

Michael Sims

From vbfox at ucdavis.edu Wed Aug 12 16:16:07 2009
From: vbfox at ucdavis.edu (Vincent Fox)
Date: Wed, 12 Aug 2009 13:16:07 -0700
Subject: Need advice on building a Cyrus IMAP cluster
In-Reply-To:
References:
Message-ID: <4A832307.50202@ucdavis.edu>

Michael Sims wrote:
>
> Quick question on this. If I setup an active/passive cluster and put the
> mail spool AND all of the application data on a SAN that both nodes have
> access to (not simultaneously, of course), doesn't that bypass the need for
> using "mupdate_config: replicated"? Thanks...
>

This is the setup we run, works fine. At the time we installed we were leery of the Murder architecture anyhow with mupdate server as a single point of failure.

There are some who denigrate active/passive cluster as "wasteful" of hardware, but frankly hardware is cheap and usually the people who bring it up are BEAN-COUNTERS who will claim ignorance of decisions when the critical service is hosed. I find it difficult to conceive a modern system can be overwhelmed such that there's any meaningful benefit to active/active.

I like the active/passive configuration because we can patch the idle node, then switch to it, and if patching broke something we switch back no big deal. Our mail stores are ZFS on double-path SAN switches and we've had zero unexpected hardware downtimes despite various hardware failures.

From ross at biostat.ucsf.edu Wed Aug 12 17:18:50 2009
From: ross at biostat.ucsf.edu (Ross Boylan)
Date: Wed, 12 Aug 2009 14:18:50 -0700
Subject: migration, esp of .squat files
Message-ID: <1250111930.8956.13.camel@corn.betterworld.us>

Will rsync'ing squat file work, even if I'm going from 32 to 64 bit?

I understand that BDB files need conversion and I think I know where they are. Could anyone give me a recipe for finding them? Are there any in /var/spool/cyrus (it looks like no)?

I also understand that those are the only problem areas when shifting architectures; in particular skiplist will be OK. I hope someone will correct me if I'm wrong.

I'm running Cyrus 2.2 on Debian Lenny, going from i386 to amd64 architecture.

I think I could also delete and recreate the squat files, but that seems a bit more work.

Also, I saw the recent discussion of imapsync vs rsync. Mostly, I'm a little nervous about some state getting lost if I do the imapsync route.

Thanks.
Ross Boylan

From ross at biostat.ucsf.edu Wed Aug 12 17:38:35 2009
From: ross at biostat.ucsf.edu (Ross Boylan)
Date: Wed, 12 Aug 2009 14:38:35 -0700
Subject: squatter Writing index update: No such file or directory
Message-ID: <1250113115.8956.28.camel@corn.betterworld.us>

# sudo -u cyrus squatter -v user.ross.R
Indexing mailbox user.ross.R... Writing index update: No such file or directory

Does anybody know what the error means, or what might be causing it?

I have squatter set to run nightly, but for about a month it's only done a few mailboxes and then stopped. I believe it is failing on the one shown above since that's consistent with the time stamps, the alphabetical order of directories, and the error shown above.

That mailbox has the largest squat file by far:
171793 623216 -rw------- 1 cyrus mail 637546664 Jul 14 05:58 ./mail/r/user/ross/R/cyrus.squat

However, that's only half of free space, if I've got my units right:
# df .
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/big_container-var 14712376 13421392 1290984 92% /var

The biggest file it succeeds on is 39784890 bytes (40MB); /tmp has about 278440 1k blocks (278MB). So if squatter is using /tmp, that might explain things.

Ross Boylan

From ross at biostat.ucsf.edu Wed Aug 12 17:48:04 2009
From: ross at biostat.ucsf.edu (Ross Boylan)
Date: Wed, 12 Aug 2009 14:48:04 -0700
Subject: migration, esp of .squat files
In-Reply-To: <1250111930.8956.13.camel@corn.betterworld.us>
References: <1250111930.8956.13.camel@corn.betterworld.us>
Message-ID: <1250113684.8956.31.camel@corn.betterworld.us>

Also, I'm not sure about compiled sieve scripts being safe to move, and I don't know where they are on disk.

On Wed, 2009-08-12 at 14:18 -0700, Ross Boylan wrote:
> Will rsync'ing squat file work, even if I'm going from 32 to 64 bit?
>
> I understand that BDB files need conversion and I think I know where
> they are. Could anyone give me a recipe for finding them? Are there
> any in /var/spool/cyrus (it looks like no)?
>
> I also understand that those are the only problem areas when shifting
> architectures; in particular skiplist will be OK. I hope someone will
> correct me if I'm wrong.
>
> I'm running Cyrus 2.2 on Debian Lenny, going from i386 to amd64
> architecture.
>
> I think I could also delete and recreate the squat files, but that seems
> a bit more work.
>
> Also, I saw the recent discussion of imapsync vs rsync. Mostly, I'm a
> little nervous about some state getting lost if I do the imapsync route.
>
> Thanks.
> Ross Boylan
>

From bally.zijn at gmail.com Wed Aug 12 21:52:13 2009
From: bally.zijn at gmail.com (brian)
Date: Wed, 12 Aug 2009 21:52:13 -0400
Subject: IOERROR: fstating sieve script
Message-ID:

I've created a "vacation" script and activated it but there appears to be a problem implementing it. The reply is for several addresses and so I did not pass a --user to sieveshell. It has placed the defaultbc in /var/lib/imap/sieve/global. However, lmtp is looking for it in a directory for the particular address.

maillog says:

Aug 12 21:33:55 logi sieve[27866]: entered bc_action_emit with filelen: 16
Aug 12 21:35:49 logi lmtpunix[21521]: IOERROR: fstating sieve script /var/lib/imap/sieve/domain/q/VIRTUAL_DOMAIN/a/admin/defaultbc: No such file or directory

Should I create the necessary directories and copy defaultbc into them? Or, do I need to invoke sieveshell for each user?

# cat imapd.conf
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sasldb
sasldb_path: /etc/sasldb2
sasl_mech_list: PLAIN LOGIN DIGEST-MD5 CRAM-MD5
defaultdomain: DOMAIN
virtdomains: userid
allowplaintext: 1
loginrealms: [several domains]
tls_ca_file: /etc/pki/tls/certs/cacert.pem
tls_cert_file: /etc/pki/cyrus-imapd/newcert.pem
tls_key_file: /etc/pki/cyrus-imapd/newkey.pem

# cat cyrus.conf
# standard standalone server implementation

START {
  # do not delete this entry!
  recover cmd="ctl_cyrusdb -r"

  # this is only necessary if using idled for IMAP IDLE
  idled cmd="idled"
}

# UNIX sockets start with a slash and are put into /var/lib/imap/sockets
SERVICES {
  # add or remove based on preferences
  imap cmd="imapd" listen="imap" prefork=5
  imaps cmd="imapd -s" listen="imaps" prefork=1
  pop3 cmd="pop3d" listen="pop3" prefork=3
  pop3s cmd="pop3d -s" listen="pop3s" prefork=1
  sieve cmd="timsieved" listen="sieve" prefork=0

  # these are only necessary if receiving/exporting usenet via NNTP
# nntp cmd="nntpd" listen="nntp" prefork=3
# nntps cmd="nntpd -s" listen="nntps" prefork=1

  # at least one LMTP is required for delivery
# lmtp cmd="lmtpd" listen="lmtp" prefork=0
  lmtpunix cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1

  # this is only necessary if using notifications
# notify cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" prefork=1
}

EVENTS {
  # this is required
  checkpoint cmd="ctl_cyrusdb -c" period=30

  # this is only necessary if using duplicate delivery suppression,
  # Sieve or NNTP
  delprune cmd="cyr_expire -E 3" at=0400

  # this is only necessary if caching TLS sessions
  tlsprune cmd="tls_prune" at=0400
}

From paul at vandervlis.nl Thu Aug 13 02:39:46 2009
From: paul at vandervlis.nl (Paul van der Vlis)
Date: Thu, 13 Aug 2009 08:39:46 +0200
Subject: How to test timsieved
In-Reply-To: <4A82AAC9.3020004@andrew.cmu.edu>
References: <4A82A7BE.3040903@vandervlis.nl> <4A82AAC9.3020004@andrew.cmu.edu>
Message-ID: <4A83B532.8030500@vandervlis.nl>

Dave McMurtrie wrote:
> Paul van der Vlis wrote:
>> Hello,
>>
>> I am using a program called Ingo to manage my sieve-scripts.
>> http://www.horde.org/ingo/
>>
>> But it does not work anymore, when change a sieve script it says:
>> --------
>> Changes saved.
>> There was an error activating the script. The driver said:
>> "Authentication Error"
>> --------
>> The rest of the (web)mail server works fine.
>>
>> The driver is timsieved. How can I test timsieved directly, so without
>> Ingo? I will add some things at the end of the mail what I have
>> already tried. I think sieve accepts plain passwords.
>
> Try sivtest. It still relies on you knowing enough about the protocol
> to know what you want to test, but it will take care of the connection
> and authentication parts for you.

Ah, looks like the problem is in Sieve:
--------
paul at sigmund:~$ sivtest -v localhost
S: "IMPLEMENTATION" "Cyrus timsieved v2.1.18-IPv6-Debian-2.1.18-5.1"
S: "SASL" "PLAIN"
S: "SIEVE" "fileinto reject envelope vacation imapflags notify subaddress relational regex"
S: OK
Please enter your password:
C: AUTHENTICATE "PLAIN" {16+}
AHBhdWwAZXJ1NGJj
S: NO "Authentication Error"
Authentication failed. generic failure
Security strength factor: 0
--------

Anybody here knows how to find out why the authentication does not work?

On another machine (with Cyrus 2.2) everything works fine.

Thanks for your help!

With regards,
Paul van der Vlis.

--
http://www.vandervlis.nl/

From Duncan.Gibb at SiriusIT.co.uk Thu Aug 13 05:18:33 2009
From: Duncan.Gibb at SiriusIT.co.uk (Duncan Gibb)
Date: Thu, 13 Aug 2009 10:18:33 +0100
Subject: How to test timsieved
In-Reply-To: <4A83B532.8030500@vandervlis.nl>
References: <4A82A7BE.3040903@vandervlis.nl> <4A82AAC9.3020004@andrew.cmu.edu> <4A83B532.8030500@vandervlis.nl>
Message-ID: <4A83DA69.5000808@SiriusIT.co.uk>

Paul van der Vlis wrote:

> C: AUTHENTICATE "PLAIN" {16+}
> AHBhdWwAZXJ1NGJj

I hope you changed your password after you posted that ;-)

> S: NO "Authentication Error"
> Authentication failed. generic failure
> Security strength factor: 0

PvdV> Anybody here knows how to find out why the
PvdV> authentication does not work?

Assuming the Debian default logging config, have a look in /var/log/mail.log for lines containing both "sieve" and "badlogin". If that looks OK apart from "authentication failure", look at /var/log/auth.log.

PvdV> On another machine (with Cyrus 2.2) everything works fine.

Then you can use the two configurations to compare.

Does IMAP authentication on the _same_ machine work?

What settings are you using for (sieve_)allowplaintext and tls_*?

What is your authentication backend?

Cheers

Duncan

--
Duncan Gibb - Technical Director
Sirius Corporation plc - control through freedom
http://www.siriusit.co.uk/ || t: +44 870 608 0063
Debian Cyrus Team - https://alioth.debian.org/projects/pkg-cyrus-imapd/

From dave64 at andrew.cmu.edu Thu Aug 13 05:41:28 2009
From: dave64 at andrew.cmu.edu (Dave McMurtrie)
Date: Thu, 13 Aug 2009 05:41:28 -0400
Subject: Need advice on building a Cyrus IMAP cluster
In-Reply-To:
References:
Message-ID: <4A83DFC8.80202@andrew.cmu.edu>

Michael Sims wrote:
> Hi Dave,
>
> Dave McMurtrie wrote:
>> As of Cyrus 2.3, the code supports the notion of application-level
>> replication. It's near real-time replication of all the application
>> data, but one copy of the data isn't live. This is more of an
>> active/passive solution, since you have to do something to make cyrus
>> aware of the 2nd copy of the data if you suffer some type of failure of
>> the first copy.
>
> Quick question on this. If I setup an active/passive cluster and put the
> mail spool AND all of the application data on a SAN that both nodes have
> access to (not simultaneously, of course), doesn't that bypass the need for
> using "mupdate_config: replicated"? Thanks...

What you're proposing is to set up an active/passive cluster that will cover you in the event of server hardware failure, and that's fine. You don't need to enable replication for this to work.

Doing data replication will help you if you suffer a catastrophic data loss, as well. It's just a second copy of all your mail data, so think of it like an online backup. We do replication in addition to backups right now simply because the path to recovery would be much faster.

Thanks,

Dave

From paul at vandervlis.nl Thu Aug 13 06:01:47 2009
From: paul at vandervlis.nl (Paul van der Vlis)
Date: Thu, 13 Aug 2009 12:01:47 +0200
Subject: How to test timsieved
In-Reply-To: <4A83DA69.5000808@SiriusIT.co.uk>
References: <4A82A7BE.3040903@vandervlis.nl> <4A82AAC9.3020004@andrew.cmu.edu> <4A83B532.8030500@vandervlis.nl> <4A83DA69.5000808@SiriusIT.co.uk>
Message-ID: <4A83E48B.701@vandervlis.nl>

Duncan Gibb wrote:
> Paul van der Vlis wrote:
>
>> C: AUTHENTICATE "PLAIN" {16+}
>> AHBhdWwAZXJ1NGJj
>
> I hope you changed your password after you posted that ;-)
>
>> S: NO "Authentication Error"
>> Authentication failed. generic failure
>> Security strength factor: 0
>
> PvdV> Anybody here knows how to find out why the
> PvdV> authentication does not work?
>
> Assuming the Debian default logging config, have a look in
> /var/log/mail.log for lines containing both "sieve" and "badlogin".

Aug 13 11:27:40 sigmund cyrus/timsieved[16455]: badlogin: localhost[127.0.0.1] PLAIN authentication failure

> If that looks OK apart from "authentication failure", look at
> /var/log/auth.log.

Aug 13 11:27:40 sigmund saslauthd[12960]: do_auth : auth failure: [user=root] [service=sieve] [realm=] [mech=pam] [reason=PAM auth error]

> PvdV> On another machine (with Cyrus 2.2) everything works fine.
>
> Then you can use the two configurations to compare.

Yes, there is no big difference.

> Does IMAP authentication on the _same_ machine work?

Yes.

> What settings are you using for (sieve_)allowplaintext and tls_*?

I don't have a "sieve_allowplaintext", I have tried it with "yes", but it did not help.
allowplaintext: yes
I have the same problems with "tls_sieve_cert_file: disabled" or not, so I think the problem is not tls-related.

> What is your authentication backend?

saslauthd -> pam -> unix

In the pam modules for both imap and sieve I have:
@include common-auth
@include common-account

Thanks for your help.

With regards,
Paul van der Vlis.

--
http://www.vandervlis.nl/

From dwhite at olp.net Thu Aug 13 09:58:50 2009
From: dwhite at olp.net (Dan White)
Date: Thu, 13 Aug 2009 08:58:50 -0500
Subject: How to test timsieved
In-Reply-To: <4A83E48B.701@vandervlis.nl>
References: <4A82A7BE.3040903@vandervlis.nl> <4A82AAC9.3020004@andrew.cmu.edu> <4A83B532.8030500@vandervlis.nl> <4A83DA69.5000808@SiriusIT.co.uk> <4A83E48B.701@vandervlis.nl>
Message-ID: <20090813135849.GA5345@dan.olp.net>

On 13/08/09 12:01 +0200, Paul van der Vlis wrote:
>Duncan Gibb wrote:
>> Paul van der Vlis wrote:
>>
>>> C: AUTHENTICATE "PLAIN" {16+}
>>> AHBhdWwAZXJ1NGJj
>>
>> I hope you changed your password after you posted that ;-)

Let me echo that statement, since it looks like you're logging in as root! Your password is now publicly known.

>Aug 13 11:27:40 sigmund cyrus/timsieved[16455]: badlogin:
>localhost[127.0.0.1] PLAIN authentication failure
>
>Aug 13 11:27:40 sigmund saslauthd[12960]: do_auth : auth
>failure: [user=root] [service=sieve] [realm=] [mech=pam] [reason=PAM
>auth error]
>

Try:

testsaslauthd -u username -p password
testsaslauthd -u username -p password -s sieve
testsaslauthd -u username -p password -s imap

Do you get different answers?

If not, can you include the output of 'grep sasl /etc/imapd.conf'? (assuming there is no sensitive information), and the contents of your /etc/default/saslauthd?

>> What is your authentication backend?
>
>saslauthd -> pam -> unix
>
>In the pam modules for both imap and sieve I have:
>@include common-auth
>@include common-account

--
Dan White

From brong at fastmail.fm Thu Aug 13 10:37:12 2009
From: brong at fastmail.fm (Bron Gondwana)
Date: Fri, 14 Aug 2009 00:37:12 +1000
Subject: How to test timsieved
In-Reply-To: <4A83DA69.5000808@SiriusIT.co.uk>
References: <4A82A7BE.3040903@vandervlis.nl> <4A82AAC9.3020004@andrew.cmu.edu> <4A83B532.8030500@vandervlis.nl> <4A83DA69.5000808@SiriusIT.co.uk>
Message-ID: <20090813143712.GB6248@brong.net>

On Thu, Aug 13, 2009 at 10:18:33AM +0100, Duncan Gibb wrote:
> Paul van der Vlis wrote:
>
> > C: AUTHENTICATE "PLAIN" {16+}
> > AHBhdWwAZXJ1NGJj
>
> I hope you changed your password after you posted that ;-)

eru4bc - at least it's stronger than the average crappy passwords you see floating around. All lowercase though, and only one number... mine at least has an uppercase in there :)

Bron ( just making the point that your password really was in the clear there, even if it looks obscured )

From paul at vandervlis.nl Thu Aug 13 10:56:39 2009
From: paul at vandervlis.nl (Paul van der Vlis)
Date: Thu, 13 Aug 2009 16:56:39 +0200
Subject: How to test timsieved
In-Reply-To: <20090813135849.GA5345@dan.olp.net>
References: <4A82A7BE.3040903@vandervlis.nl> <4A82AAC9.3020004@andrew.cmu.edu> <4A83B532.8030500@vandervlis.nl> <4A83DA69.5000808@SiriusIT.co.uk> <4A83E48B.701@vandervlis.nl> <20090813135849.GA5345@dan.olp.net>
Message-ID: <4A8429A7.4020405@vandervlis.nl>

Dan White wrote:
> On 13/08/09 12:01 +0200, Paul van der Vlis wrote:
>> Duncan Gibb wrote:
>>> Paul van der Vlis wrote:
>>>
>>>> C: AUTHENTICATE "PLAIN" {16+}
>>>> AHBhdWwAZXJ1NGJj
>>>
>>> I hope you changed your password after you posted that ;-)
>
> Let me echo that statement, since it looks like you're logging in as root!
> Your password is now publicly known.

I did change the password (and it was not the root-password).

>> Aug 13 11:27:40 sigmund cyrus/timsieved[16455]: badlogin:
>> localhost[127.0.0.1] PLAIN authentication failure
>>
>> Aug 13 11:27:40 sigmund saslauthd[12960]: do_auth : auth
>> failure: [user=root] [service=sieve] [realm=] [mech=pam] [reason=PAM
>> auth error]
>>
>
> Try:
>
> testsaslauthd -u username -p password
> testsaslauthd -u username -p password -s sieve
> testsaslauthd -u username -p password -s imap
>
> Do you get different answers?

No, they give all: 0: OK "Success." when I do it as root or as user cyrus.

But when I execute "testsaslauthd" as another user, it fails with a "connect() : Permission denied".
But this is also the case on the other machine which works correctly.

> If not, can you include the output of 'grep sasl /etc/imapd.conf'?
> (assuming there is no sensitive information), and the contents of your
> /etc/default/saslauthd?

sasl_mech_list: PLAIN
sasl_minimum_layer: 0
#sasl_maximum_layer: 256
sasl_pwcheck_method: saslauthd
#sasl_auxprop_plugin: sasldb
sasl_auto_transition: no

/etc/default/saslauthd:
START=yes
MECHANISMS="pam"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c"

Maybe this is important:
sigmund:~# ls -ld /var/run/saslauthd
lrwxrwxrwx 1 root root 37 2009-07-22 14:01 /var/run/saslauthd -> /var/spool/postfix/var/run/saslauthd/
sigmund:~# ls -ld /var/spool/postfix/var/run/saslauthd/
drwx--x--- 2 root sasl 200 2009-07-22 14:02 /var/spool/postfix/var/run/saslauthd/
sigmund:~# ls -l /var/spool/postfix/var/run/saslauthd/
total 929
-rw------- 1 root root 0 2009-07-22 14:02 cache.flock
-rw------- 1 root root 945152 2009-07-22 14:02 cache.mmap
srwxrwxrwx 1 root root 0 2009-07-22 14:02 mux
-rw------- 1 root root 0 2009-07-22 14:02 mux.accept
-rw------- 1 root root 6 2009-07-22 14:02 saslauthd.pid

Thanks for your help!

With regards,
Paul van der Vlis.

--
http://www.vandervlis.nl/

From brong at fastmail.fm Thu Aug 13 11:41:11 2009
From: brong at fastmail.fm (Bron Gondwana)
Date: Fri, 14 Aug 2009 01:41:11 +1000
Subject: How to test timsieved
In-Reply-To: <20090813135849.GA5345@dan.olp.net>
References: <4A82A7BE.3040903@vandervlis.nl> <4A82AAC9.3020004@andrew.cmu.edu> <4A83B532.8030500@vandervlis.nl> <4A83DA69.5000808@SiriusIT.co.uk> <4A83E48B.701@vandervlis.nl> <20090813135849.GA5345@dan.olp.net>
Message-ID: <20090813154111.GA25181@brong.net>

On Thu, Aug 13, 2009 at 08:58:50AM -0500, Dan White wrote:
> On 13/08/09 12:01 +0200, Paul van der Vlis wrote:
> >Duncan Gibb wrote:
> >>Paul van der Vlis wrote:
> >>
> >>>C: AUTHENTICATE "PLAIN" {16+}
> >>>AHBhdWwAZXJ1NGJj
> >>
> >>I hope you changed your password after you posted that ;-)
>
> Let me echo that statement, since it looks like you're logging in as root!
> Your password is now publicly known.

How did you get that? That decodes to username "paul".

> >Aug 13 11:27:40 sigmund cyrus/timsieved[16455]: badlogin:
> >localhost[127.0.0.1] PLAIN authentication failure
> >
> >Aug 13 11:27:40 sigmund saslauthd[12960]: do_auth : auth
> >failure: [user=root] [service=sieve] [realm=] [mech=pam] [reason=PAM
> >auth error]

Oh yeah, this bit. Guess something's not configured correctly to talk with PAM.

Bron.

From dwhite at olp.net Thu Aug 13 11:51:16 2009
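The point made in the messages above, that the base64 literal following AUTHENTICATE "PLAIN" in a sivtest transcript is only an encoding of the user name and password, can be turned into a filter that removes such literals before a transcript is posted, including copies carried along in quoted replies. This is an added example, not code from any poster or from the Cyrus project; the function names and the sample credentials are constructed for illustration.

```python
import base64
import binascii
import re

# Matches the client line sivtest prints before the credential literal, e.g.
#   C: AUTHENTICATE "PLAIN" {16+}
AUTH_LINE = re.compile(r'^(?:C:\s*)?AUTHENTICATE\s+"?PLAIN"?\s+\{\d+\+?\}\s*$',
                       re.IGNORECASE)
# Mail quote markers (">", ">>", "> >") that precede re-quoted transcript lines.
QUOTE_PREFIX = re.compile(r'^[>\s]*')


def parse_plain(b64):
    """Decode a SASL PLAIN response (RFC 4616): [authzid] NUL authcid NUL passwd."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("not valid base64") from exc
    fields = raw.split(b"\x00")
    if len(fields) != 3:
        raise ValueError("not a PLAIN response")
    authzid, authcid, passwd = (f.decode("utf-8", "replace") for f in fields)
    return authzid, authcid, passwd


def split_quote(line):
    """Return (quote_prefix, rest) so quoted copies are handled like originals."""
    prefix = QUOTE_PREFIX.match(line).group(0)
    return prefix, line[len(prefix):]


def redact_transcript(text, keep_user=True):
    """Replace every PLAIN credential literal in a transcript.

    Returns (redacted_text, findings); findings holds the authcid of each
    redacted literal, or None when the literal could not be decoded. An
    undecodable literal is still removed, so the filter fails closed.
    """
    lines = text.splitlines()
    out, findings = [], []
    i = 0
    while i < len(lines):
        out.append(lines[i])
        _, body = split_quote(lines[i])
        if AUTH_LINE.match(body) and i + 1 < len(lines):
            prefix, blob = split_quote(lines[i + 1])
            try:
                _, authcid, _ = parse_plain(blob.strip())
                label = "authcid=" + authcid if keep_user else "credentials"
            except ValueError:
                authcid, label = None, "undecodable literal"
            findings.append(authcid)
            out.append(prefix + "[REDACTED SASL PLAIN response: %s]" % label)
            i += 2          # skip the literal line that was just replaced
            continue
        i += 1
    return "\n".join(out), findings


def build_sample():
    """Constructed transcript in sivtest -v layout; credentials are invented."""
    blob = base64.b64encode(b"\x00alice\x00s3cret-example").decode("ascii")
    announce = 'C: AUTHENTICATE "PLAIN" {%d+}' % len(blob)
    text = "\n".join([
        'S: "SASL" "PLAIN"',
        "S: OK",
        announce,
        blob,
        'S: NO "Authentication Error"',
        ">> " + announce,      # the same exchange as it appears quoted in a reply
        ">> " + blob,
    ])
    return text, blob


if __name__ == "__main__":
    sample, _ = build_sample()
    print(redact_transcript(sample)[0])
```

Keeping the authcid in the placeholder preserves the one detail that matters when comparing the transcript with the saslauthd log; pass keep_user=False to drop it as well.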
From: dwhite at olp.net (Dan White)
Date: Thu, 13 Aug 2009 10:51:16 -0500
Subject: How to test timsieved
In-Reply-To: <4A8429A7.4020405@vandervlis.nl>
References: <4A82A7BE.3040903@vandervlis.nl> <4A82AAC9.3020004@andrew.cmu.edu> <4A83B532.8030500@vandervlis.nl> <4A83DA69.5000808@SiriusIT.co.uk> <4A83E48B.701@vandervlis.nl> <20090813135849.GA5345@dan.olp.net> <4A8429A7.4020405@vandervlis.nl>
Message-ID: <20090813155116.GA9584@dan.olp.net>

On 13/08/09 16:56 +0200, Paul van der Vlis wrote:
>>> Aug 13 11:27:40 sigmund saslauthd[12960]: do_auth : auth
>>> failure: [user=root] [service=sieve] [realm=] [mech=pam] [reason=PAM
>>> auth error]
>>>
>>
>> testsaslauthd -u username -p password
>> testsaslauthd -u username -p password -s sieve
>> testsaslauthd -u username -p password -s imap
>>
>> Do you get different answers?
>
>No, they give all: 0: OK "Success." when I do it as root or as user cyrus.
>
>But when I execute "testsaslauthd" as another user, it fails with a
>"connect() : Permission denied".
>But this is also the case on the other machine which works correctly.

It looks like you're configured to allow members of the sasl group to access the saslauthd mux, so that error is to be expected.

>sasl_mech_list: PLAIN
>sasl_minimum_layer: 0
>#sasl_maximum_layer: 256
>sasl_pwcheck_method: saslauthd
>#sasl_auxprop_plugin: sasldb
>sasl_auto_transition: no
>
>/etc/default/saslauthd:
>START=yes
>MECHANISMS="pam"
>MECH_OPTIONS=""
>THREADS=5
>OPTIONS="-c"
>
>Maybe this is important:
>sigmund:~# ls -ld /var/run/saslauthd
>lrwxrwxrwx 1 root root 37 2009-07-22 14:01 /var/run/saslauthd ->
>/var/spool/postfix/var/run/saslauthd/
>sigmund:~# ls -ld /var/spool/postfix/var/run/saslauthd/
>drwx--x--- 2 root sasl 200 2009-07-22 14:02
>/var/spool/postfix/var/run/saslauthd/
>sigmund:~# ls -l /var/spool/postfix/var/run/saslauthd/
>total 929
>-rw------- 1 root root 0 2009-07-22 14:02 cache.flock
>-rw------- 1 root root 945152 2009-07-22 14:02 cache.mmap
>srwxrwxrwx 1 root root 0 2009-07-22 14:02 mux
>-rw------- 1 root root 0 2009-07-22 14:02 mux.accept
>-rw------- 1 root root 6 2009-07-22 14:02 saslauthd.pid

Looks fine.

I wonder if timsieved is calling saslauthd with different options, like with a realm.

I'd be curious what you're seeing when saslauthd is in debug mode.

--
Dan White

From blake at ispn.net Thu Aug 13 17:30:55 2009
From: blake at ispn.net (Blake Hudson)
Date: Thu, 13 Aug 2009 16:30:55 -0500
Subject: Multiple instance Howto?
Message-ID: <4A84860F.7070905@ispn.net>

Is there a howto for setting up multiple cyrus instances?

I have created two sets of:
startup scripts
cyrus.conf files (each process told to use the corresponding config file and IP)
imapd.conf files
/var/spool/imap directories
/var/lib/imap directories

I thought I had everything running fine (imap/pop works) until I tried to deliver mail to LMTP and found that if both instances were running that LMTP would refuse connections.

If someone has a proven howto, I'd appreciate being able to review it.

Thanks,
--Blake

From paul at vandervlis.nl Fri Aug 14 03:59:00 2009
From: paul at vandervlis.nl (Paul van der Vlis)
Date: Fri, 14 Aug 2009 09:59:00 +0200
Subject: How to test timsieved
In-Reply-To: <20090813155116.GA9584@dan.olp.net>
References: <4A82A7BE.3040903@vandervlis.nl> <4A82AAC9.3020004@andrew.cmu.edu> <4A83B532.8030500@vandervlis.nl> <4A83DA69.5000808@SiriusIT.co.uk> <4A83E48B.701@vandervlis.nl> <20090813135849.GA5345@dan.olp.net> <4A8429A7.4020405@vandervlis.nl> <20090813155116.GA9584@dan.olp.net>
Message-ID: <4A851944.8060709@vandervlis.nl>

Dan White wrote:
> On 13/08/09 16:56 +0200, Paul van der Vlis wrote:
>>>> Aug 13 11:27:40 sigmund saslauthd[12960]: do_auth : auth
>>>> failure: [user=root] [service=sieve] [realm=] [mech=pam] [reason=PAM
>>>> auth error]
>>>>
>>>
>>> testsaslauthd -u username -p password
>>> testsaslauthd -u username -p password -s sieve
>>> testsaslauthd -u username -p password -s imap
>>>
>>> Do you get different answers?
>>
>> No, they give all: 0: OK "Success." when I do it as root or as user
>> cyrus.
>>
>> But when I execute "testsaslauthd" as another user, it fails with a
>> "connect() : Permission denied".
>> But this is also the case on the other machine which works correctly.
>
> It looks like you're configured to allow members of the sasl group to
> access the saslauthd mux, so that error is to be expected.
>
>> sasl_mech_list: PLAIN
>> sasl_minimum_layer: 0
>> #sasl_maximum_layer: 256
>> sasl_pwcheck_method: saslauthd
>> #sasl_auxprop_plugin: sasldb
>> sasl_auto_transition: no
>>
>> /etc/default/saslauthd:
>> START=yes
>> MECHANISMS="pam"
>> MECH_OPTIONS=""
>> THREADS=5
>> OPTIONS="-c"
>>
>> Maybe this is important:
>> sigmund:~# ls -ld /var/run/saslauthd
>> lrwxrwxrwx 1 root root 37 2009-07-22 14:01 /var/run/saslauthd ->
>> /var/spool/postfix/var/run/saslauthd/
>> sigmund:~# ls -ld /var/spool/postfix/var/run/saslauthd/
>> drwx--x--- 2 root sasl 200 2009-07-22 14:02
>> /var/spool/postfix/var/run/saslauthd/
>> sigmund:~# ls -l /var/spool/postfix/var/run/saslauthd/
>> total 929
>> -rw------- 1 root root 0 2009-07-22 14:02 cache.flock
>> -rw------- 1 root root 945152 2009-07-22 14:02 cache.mmap
>> srwxrwxrwx 1 root root 0 2009-07-22 14:02 mux
>> -rw------- 1 root root 0 2009-07-22 14:02 mux.accept
>> -rw------- 1 root root 6 2009-07-22 14:02 saslauthd.pid
>
> Looks fine.
>
> I wonder if timsieved is calling saslauthd with different options,
> like with a realm.
>
> I'd be curious what you're seeing when saslauthd is in debug mode.

I used the "-d" option in /etc/default/saslauthd and restarted saslauthd. In another terminal I tried sivtest, where the authentication was wrong. But, in the debug I see that the authentication was OK for saslauthd.

---------
paul at sigmund:/root$ sivtest -v localhost
S: "IMPLEMENTATION" "Cyrus timsieved v2.1.18-IPv6-Debian-2.1.18-5.1"
S: "SASL" "PLAIN"
S: "SIEVE" "fileinto reject envelope vacation imapflags notify subaddress relational regex"
S: "STARTTLS"
S: OK
Please enter your password:
C: AUTHENTICATE "PLAIN" {20+}
AHBhdWwAZXJ1NGJjZw==
S: NO "Authentication Error"
Authentication failed. generic failure
Security strength factor: 0
---------

----------
sigmund:/etc/pam.d# /etc/init.d/saslauthd restart
Restarting SASL Authentication Daemon: saslauthdsaslauthd[29778] :main : num_procs : 5
saslauthd[29778] :main : mech_option: NULL
saslauthd[29778] :main : run_path : /var/run/saslauthd
saslauthd[29778] :main : auth_mech : pam
saslauthd[29778] :cache_alloc_mm : mmaped shared memory segment on file: /var/run/saslauthd/cache.mmap
saslauthd[29778] :cache_init : bucket size: 92 bytes
saslauthd[29778] :cache_init : stats size : 36 bytes
saslauthd[29778] :cache_init : timeout : 28800 seconds
saslauthd[29778] :cache_init : cache table: 944764 total bytes
saslauthd[29778] :cache_init : cache table: 1711 slots
saslauthd[29778] :cache_init : cache table: 10266 buckets
saslauthd[29778] :cache_init_lock : flock file opened at /var/run/saslauthd/cache.flock
saslauthd[29778] :ipc_init : using accept lock file: /var/run/saslauthd/mux.accept
saslauthd[29778] :detach_tty : master pid is: 0
saslauthd[29778] :ipc_init : listening on socket: /var/run/saslauthd/mux
saslauthd[29778] :main : using process model
saslauthd[29779] :get_accept_lock : acquired accept lock
saslauthd[29778] :have_baby : forked child: 29779
saslauthd[29778] :have_baby : forked child: 29780
saslauthd[29778] :have_baby : forked child: 29781
saslauthd[29778] :have_baby : forked child: 29782
saslauthd[29779] :rel_accept_lock : released accept lock
saslauthd[29780] :get_accept_lock : acquired accept lock
saslauthd[29779] :cache_get_rlock : attempting a read lock on slot: 1682
saslauthd[29779] :cache_lookup : [login=paul] [service=] [realm=sieve]: not found, update pending
saslauthd[29779] :cache_un_lock : attempting to release lock on slot: 1682
saslauthd[29779] :cache_get_wlock : attempting a write lock on slot: 1682
saslauthd[29779] :cache_commit : lookup committed
saslauthd[29779] :cache_un_lock : attempting to release lock on slot: 1682
saslauthd[29779] :do_auth : auth success: [user=paul] [service=sieve] [realm=] [mech=pam]
saslauthd[29779] :do_request : response: OK
----------

With regards,
Paul van der Vlis.

--
http://www.vandervlis.nl/

From john at sml.citizen.co.jp Fri Aug 14 04:44:34 2009
From: john at sml.citizen.co.jp (John/SML)
Date: Fri, 14 Aug 2009 16:44:34 +0800
Subject: Postfix + Cyrus error with GSSAPI/kerberos - Mailbox does not exist
Message-ID:

Hi,

I am trying to setup a mail server using Postfix + Cyrus with virtual
domains and GSSAPI/kerberos. I checked the log /var/log/mail.log and the
incoming e-mail could be delivered to the mailbox successfully. The
problem is that the Thunderbird mail client prompts an error "Mailbox does
not exist" while checking inbox :-

cyradm> lm
user/nicky.mok at kdcsv01.auth.hk1.sml.citizen.co.jp (\HasNoChildren)

/local/imap/domain/k/kdcsv01.auth.hk1.sml.citizen.co.jp/n
/local/imap/domain/k/kdcsv01.auth.hk1.sml.citizen.co.jp/n/user
/local/imap/domain/k/kdcsv01.auth.hk1.sml.citizen.co.jp/n/user/nicky^mok
/local/imap/domain/k/kdcsv01.auth.hk1.sml.citizen.co.jp/n/user/nicky^mok/1.
/local/imap/domain/k/kdcsv01.auth.hk1.sml.citizen.co.jp/n/user/nicky^mok/2.
/local/imap/domain/k/kdcsv01.auth.hk1.sml.citizen.co.jp/n/user/nicky^mok/cyrus.cache
/local/imap/domain/k/kdcsv01.auth.hk1.sml.citizen.co.jp/n/user/nicky^mok/cyrus.index
/local/imap/domain/k/kdcsv01.auth.hk1.sml.citizen.co.jp/n/user/nicky^mok/cyrus.header

=== begin of mail.log ===

Aug 14 16:32:18 kdcsv01 cyrus/master[1552]: about to exec /usr/lib/cyrus/bin/imapd
Aug 14 16:32:18 kdcsv01 cyrus/imap[1552]: executed
Aug 14 16:32:18 kdcsv01 cyrus/imap[1552]: accepted connection
Aug 14 16:32:19 kdcsv01 cyrus/imap[1552]: login: John.sml.citizen.co.jp [10.144.1.192] nicky.mok GSSAPI User logged in

=== end of mail.log ===

=== begin of imapd.conf ===

configdirectory: /var/lib/cyrus
defaultpartition: default
partition-default: /local/imap
partition-news: /var/spool/cyrus/news
newsspool: /var/spool/news
altnamespace: no
unixhierarchysep: yes
lmtp_downcase_rcpt: yes
admins: cyrus john
allowanonymouslogin: no
popminpoll: 1
autocreatequota: 1
umask: 077
sieveusehomedir: false
sievedir: /var/spool/sieve
hashimapspool: true
allowplaintext: yes
sasl_mech_list: gssapi pam
virtdomains: yes
defaultdomain: auth.hk1.sml.citizen.co.jp
sasl_pwcheck_method: saslauthd
sasl_auto_transition: no
tls_cert_file: /etc/ldap/ssl/kdcsv01-cert.pem
tls_key_file: /etc/ldap/ssl/kdcsv01-key.pem
tls_ca_file: /etc/ldap/ssl/cacert.pem
tls_ca_path: /etc/ssl/certs
tls_session_timeout: 1440
tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
lmtpsocket: /var/run/cyrus/socket/lmtp
idlemethod: poll
idlesocket: /var/run/cyrus/socket/idle
notifysocket: /var/run/cyrus/socket/notify
syslog_prefix: cyrus

=== end of imapd.conf ===

I hope someone could advise if there is any problem with my config.
imapd.conf, such that Thunderbird could not check inbox.

Thanks a lot.

John Mok
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.andrew.cmu.edu/pipermail/info-cyrus/attachments/20090814/4cdcb8d8/attachment.html

From nina.pollak at wu.ac.at Fri Aug 14 05:04:48 2009
From: nina.pollak at wu.ac.at (Nina Pollak)
Date: Fri, 14 Aug 2009 11:04:48 +0200
Subject: replica: sync error
Message-ID: <4A8528B0.8010806@wu.ac.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

hi,

I have set up a replica server in a murder environment. Before I started
the sync_client in rolling replication mode, I made an initial sync with
-u for usermode. Now the sync_client dies after few hours, with this
entry in my log:

Error in do_sync(): bailing out!
sync_client[15378]: Processing sync log file /var/imap/sync/log-15377 failed: The remote Server(s) denied the operation

Has anyone an idea what's going wrong?

best regards,
nina

- --
Nina Pollak, System-Security
WU IT-Services, Zentrale- und Internetservices
Fingerprint: 7C3A 47E4 94D9 13FD EC0B 9924 5648 3E58 A783 21BD
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkqFKLAACgkQVkg+WKeDIb2McQCgyVf+7Zt95LoQnzzFHVwMVWvk
WXwAnR85SC5W2rvWQCVjAJwwnNeSQEVD
=2OUi
-----END PGP SIGNATURE-----

From dwhite at olp.net Fri Aug 14 05:20:37 2009
From: dwhite at olp.net (Dan White)
Date: Fri, 14 Aug 2009 04:20:37 -0500
Subject: Postfix + Cyrus error with GSSAPI/kerberos - Mailbox does not exist
In-Reply-To:
References:
Message-ID: <20090814092037.GA5614@dan.olp.net>

On 14/08/09 16:44 +0800, John/SML wrote:
>Hi,
>
>I am trying to setup a mail server using Postfix + Cyrus with virtual
>domains and GSSAPI/kerberos. I checked the log /var/log/mail.log and the
>incoming e-mail could be delivered to the mailbox successfully. The
>problem is that the Thunderbird mail client prompts an error "Mailbox does
>not exist" while checking inbox :-

>cyradm> lm
>user/nicky.mok at kdcsv01.auth.hk1.sml.citizen.co.jp (\HasNoChildren)
>
>=== begin of mail.log ===
>
> Aug 14 16:32:18 kdcsv01 cyrus/master[1552]: about to exec
>/usr/lib/cyrus/bin/imapd
> Aug 14 16:32:18 kdcsv01 cyrus/imap[1552]: executed
> Aug 14 16:32:18 kdcsv01 cyrus/imap[1552]: accepted connection
> Aug 14 16:32:19 kdcsv01 cyrus/imap[1552]: login: John.sml.citizen.co.jp
>[10.144.1.192] nicky.mok GSSAPI User logged in
>
>=== end of mail.log ===
>
>=== begin of imapd.conf ===
>
>sasl_mech_list: gssapi pam

pam is not valid here, but it's not causing any breakage.

>virtdomains: yes
>defaultdomain: auth.hk1.sml.citizen.co.jp

Your mailbox is nicky.mok at kdcsv01.auth.hk1.sml.citizen.co.jp and your
default domain is auth.hk1.sml.citizen.co.jp.

What format is your kerberos principal (does it include kdcsv01?).

--
Dan White
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
Url : http://lists.andrew.cmu.edu/pipermail/info-cyrus/attachments/20090814/674897b2/attachment.bin

From D.J.Mayo at bath.ac.uk Fri Aug 14 05:24:35 2009
From: D.J.Mayo at bath.ac.uk (David Mayo) Date: Fri, 14 Aug 2009 10:24:35 +0100 Subject: IMAP proxy advertising MAILBOX-REFERRALS and confusing Pine In-Reply-To: References: <4A828E7B.6090906@bath.ac.uk> Message-ID: <4A852D53.806@bath.ac.uk> Andrew Morgan wrote: > On Wed, 12 Aug 2009, David Mayo wrote: > >> Does anyone have any suggestions as to how to stop the front-end proxy >> server from advertising MAILBOX-REFERRALS and/or for Pine to ignore such >> capabilities. > > This was originally a patch I obtained from the folks at Portland State > University: > > http://oregonstate.edu/~morgan/cyrus/patches/imapd-disable-referrals.patch > > It does exactly what you want in cyrus 2.2. Thanks very much for this! We applied this patch this morning and Pine is now behaving itself. On the down-side, our quota scripts using Cyrus::IMAP::Admin have stopped working as they are not being sent MAILBOX-REFERRALS in the CAPABILITY string. This means they are ignoring the referral sent to them by the server when they issue a GETQUOTA. Reading RFC 2193 Section 3, paragraph 1 this is understandable: IMAP4 servers that support this extension MUST list the keyword MAILBOX-REFERRALS in their CAPABILITY response. No client action is needed to invoke the MAILBOX-REFERRALS capability in a server. I feel like we've picked at the thread of a jumper and it's slowly unravelling here! Regards, Dave. David Mayo Networks/Systems Administrator University of Bath Computing Services, UK From dwhite at olp.net Fri Aug 14 05:54:44 2009 
From: dwhite at olp.net (Dan White)
Date: Fri, 14 Aug 2009 04:54:44 -0500
Subject: How to test timsieved
In-Reply-To: <4A851944.8060709@vandervlis.nl>
References: <4A82A7BE.3040903@vandervlis.nl> <4A82AAC9.3020004@andrew.cmu.edu> <4A83B532.8030500@vandervlis.nl> <4A83DA69.5000808@SiriusIT.co.uk> <4A83E48B.701@vandervlis.nl> <20090813135849.GA5345@dan.olp.net> <4A8429A7.4020405@vandervlis.nl> <20090813155116.GA9584@dan.olp.net> <4A851944.8060709@vandervlis.nl>
Message-ID: <20090814095444.GC5614@dan.olp.net>

On 14/08/09 09:59 +0200, Paul van der Vlis wrote:
>Dan White schreef:
>I used the "-d" option in /etc/default/saslauthd and restarted saslauthd.
>
>In another terminal I tried sivtest, where the authentication was wrong.
>
>But, in the debug I see that the authentication was OK for saslauthd.
>
>---------
>paul at sigmund:/root$ sivtest -v localhost
>S: "IMPLEMENTATION" "Cyrus timsieved v2.1.18-IPv6-Debian-2.1.18-5.1"
>S: "SASL" "PLAIN"
>S: "SIEVE" "fileinto reject envelope vacation imapflags notify
>subaddress relational regex"
>S: "STARTTLS"
>S: OK
>Please enter your password:
>C: AUTHENTICATE "PLAIN" {20+}
>AHBhdWwAZXJ1NGJjZw==
>S: NO "Authentication Error"
>Authentication failed. generic failure
>Security strength factor: 0
>---------
>
>----------
>sigmund:/etc/pam.d# /etc/init.d/saslauthd restart
>Restarting SASL Authentication Daemon: saslauthdsaslauthd[29778] :main
> : num_procs : 5
>saslauthd[29778] :main : mech_option: NULL
>saslauthd[29778] :main : run_path : /var/run/saslauthd
>saslauthd[29778] :main : auth_mech : pam
>saslauthd[29778] :cache_alloc_mm : mmaped shared memory segment on
>file: /var/run/saslauthd/cache.mmap
>saslauthd[29778] :cache_init : bucket size: 92 bytes
>saslauthd[29778] :cache_init : stats size : 36 bytes
>saslauthd[29778] :cache_init : timeout : 28800 seconds
>saslauthd[29778] :cache_init : cache table: 944764 total bytes
>saslauthd[29778] :cache_init : cache table: 1711 slots
>saslauthd[29778] :cache_init : cache table: 10266 buckets
>saslauthd[29778] :cache_init_lock : flock file opened at
>/var/run/saslauthd/cache.flock
>saslauthd[29778] :ipc_init : using accept lock file:
>/var/run/saslauthd/mux.accept
>saslauthd[29778] :detach_tty : master pid is: 0
>saslauthd[29778] :ipc_init : listening on socket:
>/var/run/saslauthd/mux
>saslauthd[29778] :main : using process model
>saslauthd[29779] :get_accept_lock : acquired accept lock
>saslauthd[29778] :have_baby : forked child: 29779
>saslauthd[29778] :have_baby : forked child: 29780
>saslauthd[29778] :have_baby : forked child: 29781
>saslauthd[29778] :have_baby : forked child: 29782
>saslauthd[29779] :rel_accept_lock : released accept lock
>saslauthd[29780] :get_accept_lock : acquired accept lock
>saslauthd[29779] :cache_get_rlock : attempting a read lock on slot: 1682
>saslauthd[29779] :cache_lookup : [login=paul] [service=]
>[realm=sieve]: not found, update pending
>saslauthd[29779] :cache_un_lock : attempting to release lock on slot: 1682
>saslauthd[29779] :cache_get_wlock : attempting a write lock on slot: 1682
>saslauthd[29779] :cache_commit : lookup committed
>saslauthd[29779] :cache_un_lock : attempting to release lock on slot: 1682
>saslauthd[29779] :do_auth : auth success: [user=paul]
>[service=sieve] [realm=] [mech=pam]
>saslauthd[29779] :do_request : response: OK
>----------

I just did some quick testing on my system and cannot authenticate to
timsieved as a user whose mailbox does not exist.

I have a mailbox for dwhite at olp.net, but not dwhite. Here's the results of
a few tests:

Works:
imtest -a dwhite -m PLAIN localhost
imtest -a dwhite at olp.net -m PLAIN localhost
sivtest -a dwhite at olp.net -m PLAIN localhost

Doesn't work:
sivtest -a dwhite -m PLAIN localhost

Based on that, I'm assuming that a mailbox for paul needs to exist to
authenticate. Is that the case?

--
Dan White
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
Url : http://lists.andrew.cmu.edu/pipermail/info-cyrus/attachments/20090814/3adc25ff/attachment.bin

From paul at vandervlis.nl Fri Aug 14 06:20:12 2009
From: paul at vandervlis.nl (Paul van der Vlis) Date: Fri, 14 Aug 2009 12:20:12 +0200 Subject: How to test timsieved In-Reply-To: <20090814095444.GC5614@dan.olp.net> References: <4A82A7BE.3040903@vandervlis.nl> <4A82AAC9.3020004@andrew.cmu.edu> <4A83B532.8030500@vandervlis.nl> <4A83DA69.5000808@SiriusIT.co.uk> <4A83E48B.701@vandervlis.nl> <20090813135849.GA5345@dan.olp.net> <4A8429A7.4020405@vandervlis.nl> <20090813155116.GA9584@dan.olp.net> <4A851944.8060709@vandervlis.nl> <20090814095444.GC5614@dan.olp.net> Message-ID: <4A853A5C.40604@vandervlis.nl> Dan White schreef: > I just did some quick testing on my system and cannot authenticate to > timsieved as a user who's mailbox does not exist. > > I have a mailbox for dwhite at olp.net, but not dwhite. Here's the results of > a few tests: > > Works: > imtest -a dwhite -m PLAIN localhost > imtest -a dwhite at olp.net -m PLAIN localhost > sivtest -a dwhite at olp.net -m PLAIN localhost > > Doesn't work: > sivtest -a dwhite -m PLAIN localhost > > Based on that, I'm assuming that a mailbox for paul needs to exist to > authenticate. Is that that the case? Ah, that was the problem ;-) Mail for user paul on this machine is forwarded to somewhere else, so there is no mailbox for this user... When I did test it as another user, there was no problem. Only a wrong test. Many thanks for your help. With regards, Paul van der Vlis. -- http://www.vandervlis.nl/ From bally.zijn at gmail.com Fri Aug 14 11:50:57 2009 
From: bally.zijn at gmail.com (brian)
Date: Fri, 14 Aug 2009 11:50:57 -0400
Subject: IOERROR: fstating sieve script
In-Reply-To:
References:
Message-ID:

Anybody?

I tried adding the directories under /var/lib/imap/sieve and copying
the defaultbc to each. But I'm now getting the following in the log:

  sieve runtime error for ...: Vacation can not be used with Reject or Vacation

On Wed, Aug 12, 2009 at 9:52 PM, brian wrote:
> I've created a "vacation" script and activated it but there appears to
> be a problem implementing it. The reply is for several addresses and
> so I did not pass a --user to sieveshell. It has placed the defaultbc
> in /var/lib/imap/sieve/global. However, lmtp is looking for it in a
> directory for the particular address.
>
> maillog says:
> Aug 12 21:33:55 logi sieve[27866]: entered bc_action_emit with filelen: 16
> Aug 12 21:35:49 logi lmtpunix[21521]: IOERROR: fstating sieve script
> /var/lib/imap/sieve/domain/q/VIRTUAL_DOMAIN/a/admin/defaultbc: No such
> file or directory
>
> Should I create the necessary directories and copy defaultbc into
> them? Or, do I need to invoke sieveshell for each user?
>
> # cat imapd.conf
> configdirectory: /var/lib/imap
> partition-default: /var/spool/imap
> admins: cyrus
> sievedir: /var/lib/imap/sieve
> sendmail: /usr/sbin/sendmail
> hashimapspool: true
> sasl_pwcheck_method: auxprop
> sasl_auxprop_plugin: sasldb
> sasldb_path: /etc/sasldb2
> sasl_mech_list: PLAIN LOGIN DIGEST-MD5 CRAM-MD5
> defaultdomain: DOMAIN
> virtdomains: userid
> allowplaintext: 1
> loginrealms: [several domains]
> tls_ca_file: /etc/pki/tls/certs/cacert.pem
> tls_cert_file: /etc/pki/cyrus-imapd/newcert.pem
> tls_key_file: /etc/pki/cyrus-imapd/newkey.pem
>
>
> # cat cyrus.conf
> # standard standalone server implementation
>
> START {
>   # do not delete this entry!
>   recover       cmd="ctl_cyrusdb -r"
>
>   # this is only necessary if using idled for IMAP IDLE
>   idled         cmd="idled"
> }
>
> # UNIX sockets start with a slash and are put into /var/lib/imap/sockets
> SERVICES {
>   # add or remove based on preferences
>   imap          cmd="imapd" listen="imap" prefork=5
>   imaps         cmd="imapd -s" listen="imaps" prefork=1
>   pop3          cmd="pop3d" listen="pop3" prefork=3
>   pop3s         cmd="pop3d -s" listen="pop3s" prefork=1
>   sieve         cmd="timsieved" listen="sieve" prefork=0
>
>   # these are only necessary if receiving/exporting usenet via NNTP
> #  nntp         cmd="nntpd" listen="nntp" prefork=3
> #  nntps        cmd="nntpd -s" listen="nntps" prefork=1
>
>   # at least one LMTP is required for delivery
> #  lmtp         cmd="lmtpd" listen="lmtp" prefork=0
>   lmtpunix      cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1
>
>   # this is only necessary if using notifications
> #  notify       cmd="notifyd" listen="/var/lib/imap/socket/notify"
> proto="udp" prefork=1
> }
>
> EVENTS {
>   # this is required
>   checkpoint    cmd="ctl_cyrusdb -c" period=30
>
>   # this is only necessary if using duplicate delivery suppression,
>   # Sieve or NNTP
>   delprune      cmd="cyr_expire -E 3" at=0400
>
>   # this is only necessary if caching TLS sessions
>   tlsprune      cmd="tls_prune" at=0400
> }
>

From john at sml.citizen.co.jp Fri Aug 14 12:45:42 2009
From: john at sml.citizen.co.jp (John/SML)
Date: Sat, 15 Aug 2009 00:45:42 +0800
Subject: Postfix + Cyrus error with GSSAPI/kerberos - Mailbox does not exist
Message-ID:

Hi Dan,

Thank you for your prompt reply. I have two servers (namely
kdcsv01.auth.hk1.sml.citizen.co.jp and imapsv02.auth.hk1.sml.citizen.co.jp)
for virtual domains of Postfix by looking up from LDAP database, such that
the virtual_alias_maps will map user1 at auth.hk1.sml.citizen.co.jp to
user1 at kdcsv01.auth.hk1.sml.citizen.co.jp, and
user2 at auth.hk1.sml.citizen.co.jp to
user2 at imapsv02.auth.hk1.sml.citizen.co.jp. The mail delivers to
respective servers successfully.

>Your mailbox is nicky.mok at kdcsv01.auth.hk1.sml.citizen.co.jp and your default domain is
>auth.hk1.sml.citizen.co.jp.
>
>What format is your kerberos principal (does it include kdcsv01?).

No, the kerberos principal does not include "kdcsv01". The kerberos
principals are all under the realm of "AUTH.HK1.SML.CITIZEN.CO.JP", e.g.
nicky.mok at AUTH.HK1.SML.CITIZEN.CO.JP. Anything wrong with that?

Thanks a lot.

John Mok


Dan White
08/14/2009 05:20 PM

To: John/SML
cc: info-cyrus at lists.andrew.cmu.edu
Subject: Re: Postfix + Cyrus error with GSSAPI/kerberos - Mailbox does not exist

On 14/08/09 16:44 +0800, John/SML wrote:
>Hi,
>
>I am trying to setup a mail server using Postfix + Cyrus with virtual
>domains and GSSAPI/kerberos. I checked the log /var/log/mail.log and the
>incoming e-mail could be delivered to the mailbox successfully. The
>problem is that the Thunderbird mail client prompts an error "Mailbox does
>not exist" while checking inbox :-

>cyradm> lm
>user/nicky.mok at kdcsv01.auth.hk1.sml.citizen.co.jp (\HasNoChildren)
>
>=== begin of mail.log ===
>
> Aug 14 16:32:18 kdcsv01 cyrus/master[1552]: about to exec
>/usr/lib/cyrus/bin/imapd
> Aug 14 16:32:18 kdcsv01 cyrus/imap[1552]: executed
> Aug 14 16:32:18 kdcsv01 cyrus/imap[1552]: accepted connection
> Aug 14 16:32:19 kdcsv01 cyrus/imap[1552]: login: John.sml.citizen.co.jp
>[10.144.1.192] nicky.mok GSSAPI User logged in
>
>=== end of mail.log ===
>
>=== begin of imapd.conf ===
>
>sasl_mech_list: gssapi pam

pam is not valid here, but it's not causing any breakage.

>virtdomains: yes
>defaultdomain: auth.hk1.sml.citizen.co.jp

Your mailbox is nicky.mok at kdcsv01.auth.hk1.sml.citizen.co.jp and your
default domain is auth.hk1.sml.citizen.co.jp.

What format is your kerberos principal (does it include kdcsv01?).

--
Dan White

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.andrew.cmu.edu/pipermail/info-cyrus/attachments/20090815/fc145bcf/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/octet-stream
Size: 204 bytes
Desc: not available
Url : http://lists.andrew.cmu.edu/pipermail/info-cyrus/attachments/20090815/fc145bcf/attachment.obj

From morgan at orst.edu Fri Aug 14 13:08:23 2009
From: morgan at orst.edu (Andrew Morgan) Date: Fri, 14 Aug 2009 10:08:23 -0700 (PDT) Subject: IMAP proxy advertising MAILBOX-REFERRALS and confusing Pine In-Reply-To: <4A852D53.806@bath.ac.uk> References: <4A828E7B.6090906@bath.ac.uk> <4A852D53.806@bath.ac.uk> Message-ID: On Fri, 14 Aug 2009, David Mayo wrote: > > Andrew Morgan wrote: > >> On Wed, 12 Aug 2009, David Mayo wrote: >> >>> Does anyone have any suggestions as to how to stop the front-end proxy >>> server from advertising MAILBOX-REFERRALS and/or for Pine to ignore such >>> capabilities. >> >> This was originally a patch I obtained from the folks at Portland State >> University: >> >> http://oregonstate.edu/~morgan/cyrus/patches/imapd-disable-referrals.patch >> >> It does exactly what you want in cyrus 2.2. > > Thanks very much for this! We applied this patch this morning and Pine is now > behaving itself. > > On the down-side, our quota scripts using Cyrus::IMAP::Admin have stopped > working as they are not being sent MAILBOX-REFERRALS in the CAPABILITY > string. This means they are ignoring the referral sent to them by the server > when they issue a GETQUOTA. Reading RFC 2193 Section 3, paragraph 1 this is > understandable: > > IMAP4 servers that support this extension MUST list the keyword > MAILBOX-REFERRALS in their CAPABILITY response. No client action is > needed to invoke the MAILBOX-REFERRALS capability in a server. > > I feel like we've picked at the thread of a jumper and it's slowly > unravelling here! I'm using IMAP::Admin here for quota-related activities. However, my scripts first determine which backend the mailbox is on. Then they connect directly to the backend. That may be why I'm not seeing the problem you describe. I'm using Cyrus 2.3.14 here, with referrals disabled. 
This is what I see when running cyradm on a frontend: cyrus-fe1:/etc# cyradm --user cyrus localhost Password: localhost> lq user.morgan Password: STORAGE 185512/256000 (72.465625%) localhost> It appears that it is following a referral to the backend, because it prompts me for the password again. Andy From blake at ispn.net Fri Aug 14 13:20:55 2009 From: blake at ispn.net (Blake Hudson) Date: Fri, 14 Aug 2009 12:20:55 -0500 Subject: Multiple instance Howto? In-Reply-To: <4A84860F.7070905@ispn.net> References: <4A84860F.7070905@ispn.net> Message-ID: <4A859CF7.10204@ispn.net> -------- Original Message -------- Subject: Multiple instance Howto? From: Blake Hudson To: info-cyrus at lists.andrew.cmu.edu Date: Thursday, August 13, 2009 4:30:55 PM > Is there a howto for setting up multiple cyrus instances? > > > I have created two sets of: > startup scripts > cyrus.conf files (each process told to use the corresponding config file > and IP) > imapd.conf files > /var/spool/imap directories > /var/lib/imap directories > > > I thought I had everything running fine (imap/pop works) until I tried > to deliver mail to LMTP and found that if both instances were running > that LMTP would refuse connections. If someone has a proven howto, I'd > appreciate being able to review it. > > Thanks, > --Blake > > I had started cyrus-master with the -M and -C option, but forgot about -p (pid file). I think this was causing cyrus-master to step on the toes of the other instance. Everything seems to be working now. And for my own benefit, I created a copy of the cyrus-master executive for use with my second instance as it makes the init script and monitoring simpler. I would still appreciate some direction with someone that has more experience with running multiple instances (or installs) of cyrus on the same machine. --Blake From Duncan.Gibb at SiriusIT.co.uk Fri Aug 14 13:30:46 2009 
From: Duncan.Gibb at SiriusIT.co.uk (Duncan Gibb) Date: Fri, 14 Aug 2009 18:30:46 +0100 Subject: IMAP proxy advertising MAILBOX-REFERRALS and confusing Pine In-Reply-To: References: <4A828E7B.6090906@bath.ac.uk> <4A852D53.806@bath.ac.uk> Message-ID: <4A859F46.1020302@SiriusIT.co.uk> Andrew Morgan wrote: DM> On the down-side, our quota scripts using Cyrus::IMAP::Admin have DM> stopped working as they are not being sent MAILBOX-REFERRALS in the DM> CAPABILITY string. AM> I'm using IMAP::Admin here for quota-related activities. However, AM> my scripts first determine which backend the mailbox is on. Then AM> they connect directly to the backend. That may be why I'm not AM> seeing the problem you describe. I'm using Cyrus 2.3.14 here, with AM> referrals disabled. This is what I see when running cyradm on a AM> frontend: > cyrus-fe1:/etc# cyradm --user cyrus localhost > Password: > localhost> lq user.morgan > Password: > STORAGE 185512/256000 (72.465625%) > localhost> AM> It appears that it is following a referral to the backend, because AM> it prompts me for the password again. Vanilla 2.3.14 will not proxy quota commands (so yes, you are following a referral and re-authenticating). Wes Craig has written a patch to fix this http://lists.andrew.cmu.edu/pipermail/cyrus-devel/2008-September/000939.html http://lists.andrew.cmu.edu/pipermail/cyrus-devel/attachments/20080918/e5b2b120/attachment.obj which AFAIK has not yet gone in upstream. We use it in our 2.3.14 packages along with a bunch of other Murder-enhancing patches https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=3133 Cheers Duncan -- Duncan Gibb - Technical Director Sirius Corporation plc - control through freedom http://www.siriusit.co.uk/ || t: +44 870 608 0063 Debian Cyrus Team - https://alioth.debian.org/projects/pkg-cyrus-imapd/ From bally.zijn at gmail.com Sat Aug 15 15:01:20 2009 
From: bally.zijn at gmail.com (brian)
Date: Sat, 15 Aug 2009 15:01:20 -0400
Subject: IOERROR: fstating sieve script
In-Reply-To:
References:
Message-ID:

On Fri, Aug 14, 2009 at 11:50 AM, brian wrote:
> Anybody?
>
> I tried adding the directories under /var/lib/imap/sieve and copying
> the defaultbc to each. But I'm now getting the following in the log:
>
>  sieve runtime error for ...: Vacation can not be used with Reject or Vacation
>

I'll try a bit more information. I must be missing something crucial
in setting up these vacation responders.

The accounts in question are virtual domains. The mailboxes have been
created under:

/var/lib/imap/domain/LETTER/DOMAIN/user/LETTER/

I need 2 separate autoresponders. I created a single script:

--- snip ---
require ["vacation"];

vacation :days 1 :subject "Out of office reply"
  :addresses ["user_a at DOMAIN","user_b at DOMAIN","user_c at DOMAIN"]
  "msg here";

vacation :days 1 :subject "Out of office reply"
  :addresses ["user_d at DOMAIN"]
  "other msg here";
--- snip ---

sieveshell placed the defaultbc inside /var/lib/imap/sieve/global/,
which suggests that it will be evaluated for all mailboxes. I guess
that's fine, though I only need it, obviously, for those mailboxes.

In any case, it seems that sieve is ignoring the "global" dir and looking under:

/var/lib/imap/sieve/domain/LETTER/DOMAIN/user/LETTER/

I removed the global dir and ran:

sieveshell --authname=cyrus --user=user_a at DOMAIN localhost

After put & activate, I see that the defaultbc, etc. have been placed
under sieve/domain/LETTER/etc. However, when I send a mail to this
address, I receive no reply and the log shows:

Aug 15 14:55:17 logi lmtpunix[32308]: sieve runtime error for user_a at DOMAIN id <4A87026C.6010305 at MY_DOMAIN>: Vacation can not be used with Reject or Vacation

In bc_eval.c:

res = do_vacation(actions, toaddr, fromaddr, xstrdup(subject),
                  message, days, mime, handle);

if (res == SIEVE_RUN_ERROR)
    *errmsg = "Vacation can not be used with Reject or Vacation";

This is an unhelpful error msg, IMHO. Does anyone understand what it means?

From wes at umich.edu Sat Aug 15 23:05:42 2009
From: wes at umich.edu (Wesley Craig)
Date: Sat, 15 Aug 2009 23:05:42 -0400
Subject: IOERROR: fstating sieve script
In-Reply-To:
References:
Message-ID:

On 15 Aug 2009, at 15:01, brian wrote:
> In bc_eval.c:
>
> res = do_vacation(actions, toaddr, fromaddr, xstrdup(subject),
> message, days, mime, handle);
>
> if (res == SIEVE_RUN_ERROR)
> *errmsg = "Vacation can not be used with Reject or Vacation";
>
> This is an unhelpful error msg, IMHO. Does anyone understand what
> it means?

Sure, just look at do_vacation(), it's pretty obvious: there's
already a vacation or rejection action for this message, so adding
the additional vacation action isn't allowed. The error suggests
that you have several simultaneous vacation actions configured. Hope
that helps you figure out the error...

:wes

From beyondgeek at gmail.com Sun Aug 16 19:02:04 2009
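Added example (not part of the thread and not Cyrus code): a small Python check for the failure Wesley Craig describes above, where more than one vacation or reject action runs for the same message. It counts those two actions along each if/elsif/else path of a Sieve script and honours "stop"; the function names are hypothetical, the first sample is the script posted in the thread with the archive's " at " written back as "@", and the guarded variant is constructed for illustration.

```python
import re

# The two actions named in the thread's runtime error.
CONFLICTING = {"vacation", "reject"}

_TOKEN = re.compile(r'''
    \#[^\n]*                                   # hash comment
  | /\*.*?\*/                                  # bracketed comment
  | text:[ \t]*(?:\#[^\n]*)?\r?\n.*?^\.\r?$    # multi-line string
  | "(?:\\.|[^"\\])*"                          # quoted string
  | :[A-Za-z_]\w*                              # tagged argument such as :days
  | (?P<word>[A-Za-z_]\w*)                     # command or test name
  | (?P<punct>[{};])                           # block and command delimiters
''', re.VERBOSE | re.DOTALL | re.MULTILINE)


def tokenize(script):
    """Return command/test names and { } ; in order. Strings, comments and
    tagged arguments are dropped so their contents cannot be miscounted."""
    return [m.group(m.lastgroup).lower()
            for m in _TOKEN.finditer(script) if m.lastgroup]


def _block(tokens, i):
    """Walk commands from tokens[i] to the closing '}' or end of input.

    Returns (fall, stopped, next_index): 'fall' is the largest number of
    conflicting actions on a path that runs off the end of the block (None
    if no path does), 'stopped' the largest on a path ended by "stop"
    (-1 if none). Raises ValueError on a script with a missing ';' or '{'.
    """
    fall, stopped = 0, -1
    while i < len(tokens) and tokens[i] != "}":
        name = tokens[i]
        if name == "if":
            branches, has_else = [], False
            while True:                       # if, then any elsif/else
                has_else = has_else or tokens[i] == "else"
                i = tokens.index("{", i) + 1  # skip the test
                f, s, i = _block(tokens, i)
                i += 1                        # skip the closing '}'
                branches.append((f, s))
                if i >= len(tokens) or tokens[i] not in ("elsif", "else"):
                    break
            if fall is not None:
                stopped = max([stopped] +
                              [fall + s for _, s in branches if s >= 0])
                conts = [f for f, _ in branches if f is not None]
                if not has_else:
                    conts.append(0)           # no branch taken
                fall = fall + max(conts) if conts else None
        else:
            i = tokens.index(";", i) + 1      # skip the arguments
            if fall is not None:
                if name == "stop":
                    stopped, fall = max(stopped, fall), None
                elif name in CONFLICTING:
                    fall += 1
    return fall, stopped, i


def max_conflicting_actions(script):
    """Largest number of vacation/reject actions any one message can hit."""
    fall, stopped, _ = _block(tokenize(script), 0)
    return max(stopped, -1 if fall is None else fall)


# Script from the thread: both vacation actions run for every message.
THREAD_SCRIPT = '''
require ["vacation"];
vacation :days 1 :subject "Out of office reply"
    :addresses ["user_a@DOMAIN","user_b@DOMAIN","user_c@DOMAIN"] "msg here";
vacation :days 1 :subject "Out of office reply"
    :addresses ["user_d@DOMAIN"] "other msg here";
'''

# Constructed variant: each action is guarded, so at most one can run.
GUARDED_SCRIPT = '''
require ["vacation", "envelope"];
if envelope :is "to" ["user_a@DOMAIN","user_b@DOMAIN","user_c@DOMAIN"] {
    vacation :days 1 :subject "Out of office reply"
        :addresses ["user_a@DOMAIN","user_b@DOMAIN","user_c@DOMAIN"] "msg here";
} elsif envelope :is "to" "user_d@DOMAIN" {
    vacation :days 1 :subject "Out of office reply"
        :addresses ["user_d@DOMAIN"] "other msg here";
}
'''

if __name__ == "__main__":
    for label, text in (("thread", THREAD_SCRIPT), ("guarded", GUARDED_SCRIPT)):
        n = max_conflicting_actions(text)
        print(label, n, "runtime error expected" if n > 1 else "ok")
```

A result above 1 means some message can reach a second vacation or reject action, which is the condition the log line in the thread reports.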
From: beyondgeek at gmail.com (John Duthie)
Date: Mon, 17 Aug 2009 11:02:04 +1200
Subject: Cyrus Imap server Questions
Message-ID:

I am currently proving a Cyrus Imap / E-Groupware server will work at
my company.
(replacing FT gate, Competing against Exchange).

We are almost at the stage where we will be getting hardware.

I need advice on some points.

Hardware.
archival.
ms outlook IMAP support Issues.

The Site:
~50 Users , all accessing email all day (heavy usage can be assumed).
IT Company/ Call center.

Hardware:

Single server
Dual Xeon 2 core , 8 GB ram
looking at a Intel SAS 256 MB RAID card
with 2 Arrays
300 GB SAS - OS / and email
and 1 TB SATA - Archival

would using SATA for the /var/spool/imap folder limit performance much
vs using SAS drives ?

would raid5 using 3 or 4 1 TB drives be better than the sas raid 1 ?


My test server. is a Dualcore E5200 @ 2.50GHz with 2GB ram and a
160 SATA drive.

I get delays accessing my email in Outlook (1.5 Gb of email) , I
suspect this delay is Outlook
Outlook is unresponsive for 2-3 minutes at startup (when syncing)

I also get a Message now and then about my connection being closed

All of the users currently use Outlook.
Outlook Auto Archive does not seem to work with IMAP

I am 99% sure this is outlook is the problem, are there workarounds available ?
(fairly sure I can convert a lot of people to Thunderbird etc , But
the Managers like their Outlook!)


Is there a way to Archive Older Messages on the server ?
maybe ipurge not purging but moving emails ?

( we need to keep every email Archived for Legal reasons etc. )
(still don't know how to get Sendmail to archive all outgoing messages
yet either)

also:
The RHEL5.3 cyrus rc script runs a database backup on shutdown and a
restore on bootup - This is a bit dumb, when the backup progess
crashed due to a misconfiguration (test server) and the server was
Power reset. it the restored a broken backup and I lost the mailbox
database .. - Not your fault but something to watch out for.


If anyone out there has set-up a similar system and hit a Stumbling
block Please let me know !!

also if anyone needs a pam config for imap to authenticate against a
egroupware mysql database I have it working.

TIA

John.

From nic at onlight.com Sun Aug 16 19:22:21 2009
From: nic at onlight.com (Nic Bernstein)
Date: Sun, 16 Aug 2009 18:22:21 -0500
Subject: Cyrus Imap server Questions
In-Reply-To:
References:
Message-ID: <4A8894AD.6020404@onlight.com>

If you need to do archival, I recommend that instead of using Sendmail,
you look into using Postfix. It has an option "always_bcc" which can be
used to send a copy of each message, internal as well as incoming and
outgoing, to a particular mailbox. You can then either have that
mailbox put into a separate partition. Or, if you need to be able to
support legal discovery, such as for Sarbanes-Oxley compliance, you
should look into using a database backed archival solution, such as with
the catchmail.py script or dbmail.

As for the Outlook performance issues, do your users have Outlook
configured for "offline" mode support? If so, that may be the cause of
the problems. Unless these users are using portable computers there is
no real need for this mode to be employed.

As far as your hardware choices, they seem reasonable. I have systems
with hundreds of users working off of SATA arrays quite happily, though
for a modern system I would use SAS. You didn't mention which operating
system you are using. If you haven't yet chosen, I would recommend
looking into one which supports ZFS, which would mean Solaris,
OpenSolaris, NexentaOS or FreeBSD, for example. We have a server with
1500 users on similar hardware to your spec, running on FreeBSD with the
mailstore in a ZFS volume with RAIDz2 and are quite happy with the
performance. With ZFS RAIDz options you do not really need the RAID
controller, and all the problems that go along with them.

If you are more comfortable with Linux, which does not have ZFS support,
then I recommend NexentaOS, which is the OpenSolaris kernel and core
with the Ubuntu userland bolted on. You get the best of both worlds
that way.

Cheers,
-nic

On 08/16/2009 06:02 PM, John Duthie wrote:
> I am currently proving a Cyrus Imap / E-Groupware server will work at
> my company.
> (replacing FT gate, Competing against Exchange).
>
> We are almost at the stage where we will be getting hardware.
>
> I need advice on some points.
>
> Hardware.
> archival.
> ms outlook IMAP support Issues.
>
> The Site:
> ~50 Users , all accessing email all day (heavy usage can be assumed).
> IT Company/ Call center.
>
> Hardware:
>
> Single server
> Dual Xeon 2 core , 8 GB ram
> looking at a Intel SAS 256 MB RAID card
> with 2 Arrays
> 300 GB SAS - OS / and email
> and 1 TB SATA - Archival
>
> would using SATA for the /var/spool/imap folder limit performance much
> vs using SAS drives ?
>
> would raid5 using 3 or 4 1 TB drives be better than the sas raid 1 ?
>
>
> My test server. is a Dualcore E5200 @ 2.50GHz with 2GB ram and a
> 160 SATA drive.
>
> I get delays accessing my email in Outlook (1.5 Gb of email) , I
> suspect this delay is Outlook
> Outlook is unresponsive for 2-3 minutes at startup (when syncing)
>
> I also get a Message now and then about my connection being closed
>
> All of the users currently use Outlook.
> Outlook Auto Archive does not seem to work with IMAP
>
> I am 99% sure this is outlook is the problem, are there workarounds available ?
> (fairly sure I can convert a lot of people to Thunderbird etc , But
> the Managers like their Outlook!)
>
>
> Is there a way to Archive Older Messages on the server ?
> maybe ipurge not purging but moving emails ?
>
> ( we need to keep every email Archived for Legal reasons etc. )
> (still don't know how to get Sendmail to archive all outgoing messages
> yet either)
>
> also:
> The RHEL5.3 cyrus rc script runs a database backup on shutdown and a
> restore on bootup - This is a bit dumb, when the backup progess
> crashed due to a misconfiguration (test server) and the server was
> Power reset. it the restored a broken backup and I lost the mailbox
> database .. - Not your fault but something to watch out for.
>
>
> If anyone out there has set-up a similar system and hit a Stumbling
> block Please let me know !!
>
> also if anyone needs a pam config for imap to authenticate against a
> egroupware mysql database I have it working.
>
> TIA
>
> John.
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>

--
Nic Bernstein                             nic at onlight.com
Onlight llc.                              www.onlight.com
219 N. Milwaukee St., Ste. 2A             v. 414.272.4477
Milwaukee, Wisconsin 53202                f. 414.290.0335

From craigwhite at azapple.com Sun Aug 16 19:22:57 2009
From: craigwhite at azapple.com (Craig White)
Date: Sun, 16 Aug 2009 16:22:57 -0700
Subject: Cyrus Imap server Questions
In-Reply-To:
References:
Message-ID: <1250464977.23267.57.camel@lin-workstation.azapple.com>

On Mon, 2009-08-17 at 11:02 +1200, John Duthie wrote:
> I am currently proving a Cyrus Imap / E-Groupware server will work at

> would using SATA for the /var/spool/imap folder limit performance much
> vs using SAS drives ?
----
http://en.wikipedia.org/wiki/Serial_Attached_SCSI#SAS_vs_SATA
----
> would raid5 using 3 or 4 1 TB drives be better than the sas raid 1 ?
----
RAID5 is intended to sacrifice performance for larger storage. If
performance is important, use RAID1 or even better, a 4 drive RAID 10
(RAID1 + RAID0) because performance should smoke.
----
>
> My test server. is a Dualcore E5200 @ 2.50GHz with 2GB ram and a
> 160 SATA drive.
>
> I get delays accessing my email in Outlook (1.5 Gb of email) , I
> suspect this delay is Outlook
> Outlook is unresponsive for 2-3 minutes at startup (when syncing)
----
I don't have this issue
----
> I also get a Message now and then about my connection being closed
----
rarely see this issue
----
> All of the users currently use Outlook.
> Outlook Auto Archive does not seem to work with IMAP
----
It should...Outlook should automatically create archive.pst in $USER
\Temporary Files\Application Data\Microsoft\Outlook - at least that's
how it always works for me but that is not a Cyrus-imapd issue.
----
> I am 99% sure this is outlook is the problem, are there workarounds available ?
> (fairly sure I can convert a lot of people to Thunderbird etc , But
> the Managers like their Outlook!)
----
Outlook is a terrible IMAP client. This is not accidental. Outlook
exists to drive people to Exchange Server and Microsoft deliberately
cripples certain features in Outlook when using an IMAP server.

Perhaps with the 'connector' and eGroupware you can get better behavior
from Outlook.

If you try setting up Outlook Express to the Cyrus IMAP server, you will
see that Microsoft can provide a decent IMAP client but they
deliberately break reasonable behavior in Outlook...your choice whether
you use it or not.
----
> ( we need to keep every email Archived for Legal reasons etc. )
> (still don't know how to get Sendmail to archive all outgoing messages
> yet either)
----
better suited to Sendmail lists
----
> also:
> The RHEL5.3 cyrus rc script runs a database backup on shutdown and a
> restore on bootup - This is a bit dumb, when the backup progress
> crashed due to a misconfiguration (test server) and the server was
> Power reset. it then restored a broken backup and I lost the mailbox
> database .. - Not your fault but something to watch out for.
----
cyrus should checkpoint the db's on regular intervals

Craig

From beyondgeek at gmail.com Sun Aug 16 19:58:51 2009
From: beyondgeek at gmail.com (John Duthie)
Date: Mon, 17 Aug 2009 11:58:51 +1200
Subject: Cyrus Imap server Questions
In-Reply-To: <4A8894AD.6020404@onlight.com>
References: <4A8894AD.6020404@onlight.com>
Message-ID:

OS will be Redhat EL 5.3 (not exactly my first choice)
looking at just using ext3fs, would this be a bad thing ?

Where does one find this mysterious "offline" setting in outlook ?

2009/8/17 Nic Bernstein :
> If you need to do archival, I recommend that instead of using Sendmail, you
> look into using Postfix. It has an option "always_bcc" which can be used to
> send a copy of each message, internal as well as incoming and outgoing, to a
> particular mailbox. You can then either have that mailbox put into a
> separate partition. Or, if you need to be able to support legal discovery,
> such as for Sarbanes-Oxley compliance, you should look into using a database
> backed archival solution, such as with the catchmail.py script or dbmail.
>
> As for the Outlook performance issues, do your users have Outlook configured
> for "offline" mode support? If so, that may be the cause of the problems.
> Unless these users are using portable computers there is no real need for
> this mode to be employed.
>
> As far as your hardware choices, they seem reasonable. I have systems with
> hundreds of users working off of SATA arrays quite happily, though for a
> modern system I would use SAS.
> You didn't mention which operating system you are using. If you haven't yet
> chosen, I would recommend looking into one which supports ZFS, which would
> mean Solaris, OpenSolaris, NexentaOS or FreeBSD, for example. We have a
> server with 1500 users on similar hardware to your spec, running on FreeBSD
> with the mailstore in a ZFS volume with RAIDz2 and are quite happy with the
> performance. With ZFS RAIDz options you do not really need the RAID
> controller, and all the problems that go along with them.
> If you are more comfortable with Linux, which does not have ZFS support,
> then I recommend NexentaOS, which is the OpenSolaris kernel and core with
> the Ubuntu userland bolted on. You get the best of both worlds that way.
>
> Cheers,
>   -nic
>
> On 08/16/2009 06:02 PM, John Duthie wrote:
>>
>> I am currently proving a Cyrus Imap / E-Groupware server will work at
>> my company.
>> (replacing FT gate, Competing against Exchange).
>>
>> We are almost at the stage where we will be getting hardware.
>>
>> I need advice on some points.
>>
>> Hardware.
>> archival.
>> ms outlook IMAP support Issues.
>>
>> The Site:
>> ~50 Users , all accessing email all day (heavy usage can be assumed).
>> IT Company/ Call center.
>>
>> Hardware:
>>
>> Single server
>> Dual Xeon 2 core , 8 GB ram
>> looking at a Intel SAS 256 MB RAID card
>> with 2 Arrays
>> 300 GB SAS - OS / and email
>> and 1 TB SATA - Archival
>>
>> would using SATA for the /var/spool/imap folder limit performance much
>> vs using SAS drives ?
>>
>> would raid5 using 3 or 4 1 TB drives be better than the sas raid 1 ?
>>
>>
>> My test server. is a Dualcore E5200 @ 2.50GHz with 2GB ram and a
>> 160 SATA drive.
>>
>> I get delays accessing my email in Outlook (1.5 Gb of email) , I
>> suspect this delay is Outlook
>> Outlook is unresponsive for 2-3 minutes at startup (when syncing)
>>
>> I also get a Message now and then about my connection being closed
>>
>> All of the users currently use Outlook.
>> Outlook Auto Archive does not seem to work with IMAP
>>
>> I am 99% sure this is outlook is the problem, are there workarounds
>> available ?
>> (fairly sure I can convert a lot of people to Thunderbird etc , But
>> the Managers like their Outlook!)
>>
>>
>> Is there a way to Archive Older Messages on the server ?
>> maybe ipurge not purging but moving emails ?
>>
>> ( we need to keep every email Archived for Legal reasons etc. )
>> (still don't know how to get Sendmail to archive all outgoing messages
>> yet either)
>>
>> also:
>> The RHEL5.3 cyrus rc script runs a database backup on shutdown and a
>> restore on bootup - This is a bit dumb, when the backup progress
>> crashed due to a misconfiguration (test server) and the server was
>> Power reset. it then restored a broken backup and I lost the mailbox
>> database .. - Not your fault but something to watch out for.
>>
>>
>> If anyone out there has set-up a similar system and hit a Stumbling
>> block Please let me know !!
>>
>> also if anyone needs a pam config for imap to authenticate against a
>> egroupware mysql database I have it working.
>>
>> TIA
>>
>> John.
>>
>
>
> --
> Nic Bernstein                             nic at onlight.com
> Onlight llc.                              www.onlight.com
> 219 N. Milwaukee St., Ste. 2A             v. 414.272.4477
> Milwaukee, Wisconsin 53202                f. 414.290.0335
>

From brong at fastmail.fm Sun Aug 16 21:48:45 2009
From: brong at fastmail.fm (Bron Gondwana)
Date: Mon, 17 Aug 2009 11:48:45 +1000
Subject: Multiple instance Howto?
In-Reply-To: <4A859CF7.10204@ispn.net>
References: <4A84860F.7070905@ispn.net> <4A859CF7.10204@ispn.net>
Message-ID: <20090817014845.GD10171@brong.net>

On Fri, Aug 14, 2009 at 12:20:55PM -0500, Blake Hudson wrote:
> -------- Original Message --------
> Subject: Multiple instance Howto?
> From: Blake Hudson
> To: info-cyrus at lists.andrew.cmu.edu
> Date: Thursday, August 13, 2009 4:30:55 PM
> > Is there a howto for setting up multiple cyrus instances?
> >
> >
> > I have created two sets of:
> > startup scripts
> > cyrus.conf files (each process told to use the corresponding config file
> > and IP)
> > imapd.conf files
> > /var/spool/imap directories
> > /var/lib/imap directories
> >
> >
> > I thought I had everything running fine (imap/pop works) until I tried
> > to deliver mail to LMTP and found that if both instances were running
> > that LMTP would refuse connections. If someone has a proven howto, I'd
> > appreciate being able to review it.
> >
> > Thanks,
> > --Blake
> >
> >
>
> I had started cyrus-master with the -M and -C option, but forgot about
> -p (pid file). I think this was causing cyrus-master to step on the toes
> of the other instance. Everything seems to be working now. And for my
> own benefit, I created a copy of the cyrus-master executive for use with
> my second instance as it makes the init script and monitoring simpler.
>
> I would still appreciate some direction with someone that has more
> experience with running multiple instances (or installs) of cyrus on the
> same machine.

Don't run a default instance, or even create the default config files
(/etc/imapd.conf, /etc/cyrus.conf) - instead make sure EVERYTHING has
explicit configuration specified, and you'll never wind up hitting the
wrong set of configs!

Similarly, don't use the default directories for the same reason -
better to have everything in custom locations.

We build all our configuration from template-toolkit master config
files which are stored in change management (subversion) and updated
with "make install". The "make install" phase actually places the files
as $type-$config.conf.new and then the init script copies new configs
into place on service startup, so you don't have to worry about a change
that breaks things being rolled out and having to restart lots of
services at once!

This matters a lot to us because we have up to about 40 cyrus instances
on a single machine in the biggest case! Our goal is to only have 300Gb
of email per instance, so they can be restored from backup in a couple
of hours if the worst happens. It also allows much easier phased rollout
(because the init scripts can be updated to point to a whole new copy of
the Cyrus binaries if needed, so we can update one store at a time).

Yeah - my main advice boils down to:

a) don't use the default locations for anything, or you'll wind up with
   one install being a second class citizen with more mistakes made on it.

b) template and change control your configs.

That's about it really :)

Bron.

From brong at fastmail.fm Sun Aug 16 21:50:13 2009
From: brong at fastmail.fm (Bron Gondwana)
Date: Mon, 17 Aug 2009 11:50:13 +1000
Subject: replica: sync error
In-Reply-To: <4A8528B0.8010806@wu.ac.at>
References: <4A8528B0.8010806@wu.ac.at>
Message-ID: <20090817015013.GE10171@brong.net>

On Fri, Aug 14, 2009 at 11:04:48AM +0200, Nina Pollak wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> hi,
> I have set up a replica server in a murder environment.
> Before I started the sync_client in rolling replication mode, I made an
> initial sync with -u for usermode.
>
> Now the sync_client dies after few hours, with this entry in my log:
> Error in do_sync(): bailing out!
> sync_client[15378]: Processing sync log file /var/imap/sync/log-15377
> failed: The remote Server(s) denied the operation
>
> Has anyone an idea what's going wrong?

Yeah, I've got some ideas, but I need more information? I suspect it's
a folder rename to a sub directory, but it depends what version of Cyrus
you're running (precisely) and the contents of that log file would
probably help too.

Logs from the replica might also help.

Bron.

From adrieder at sbox.tugraz.at Mon Aug 17 03:24:32 2009
From: adrieder at sbox.tugraz.at (Dietmar Rieder)
Date: Mon, 17 Aug 2009 09:24:32 +0200
Subject: Cyrus Imap server Questions
In-Reply-To:
References:
Message-ID: <4A8905B0.4050500@sbox.tugraz.at>

John Duthie wrote:
>
> ( we need to keep every email Archived for Legal reasons etc. )
> (still don't know how to get Sendmail to archive all outgoing messages
> yet either)

I'd take a look at milter-bcc
http://www.snertsoft.com/sendmail/milter-bcc/
that should do what you need.

Didi

From awilliam at whitemice.org Mon Aug 17 08:35:42 2009
From: awilliam at whitemice.org (Adam Tauno Williams)
Date: Mon, 17 Aug 2009 08:35:42 -0400
Subject: Cyrus Imap server Questions
In-Reply-To: <4A8894AD.6020404@onlight.com>
References: <4A8894AD.6020404@onlight.com>
Message-ID: <1250512542.5360.13.camel@linux-m3mt>

On Sun, 2009-08-16 at 18:22 -0500, Nic Bernstein wrote:
> If you need to do archival, I recommend that instead of using Sendmail,
> you look into using Postfix. It has an option "always_bcc" which can be
> used to send a copy of each message, internal as well as incoming and

Ditto; with the caveat that it only sort of works. And if you ask how
to make it work completely the lovely folks on the Postfix list will
tell you that how to do so is just too obvious for them to bother
answering the question - although while I wasted my time subscribed to
that list I saw at least two other people ask the same question - and
get the same wonderfully helpful answer.

> outgoing, to a particular mailbox. You can then either have that
> mailbox put into a separate partition.

Yes, we archive all mail to a shared folder with restricted permissions.
This is pretty easy to setup. Then cyr_expire messages out of that
folder at a certain age. Only caveat [see above] is that you lose some
information from the message such as BCC:

This plus delayed expunge provides a nicely managed mailstore that also
makes the auditors reasonably happy.

> As far as your hardware choices, they seem reasonable. I have systems
> with hundreds of users working off of SATA arrays quite happily, though
> for a modern system I would use SAS.

Ditto, for ~50 users I doubt you'd have a problem unless they are
extreme users.

> > Hardware:
> > Single server
> > Dual Xeon 2 core , 8 GB ram
> > looking at a Intel SAS 256 MB RAID card
> > with 2 Arrays
> > 300 GB SAS - OS / and email
> > and 1 TB SATA - Archival
> > would using SATA for the /var/spool/imap folder limit performance much
> > vs using SAS drives ?
> > would raid5 using 3 or 4 1 TB drives be better than the sas raid 1 ?

I wouldn't use RAID5, at least not for /var/lib/imap. /var/lib/imap
[metadata] is more I/O intensive than /var/spool/imap [mail store].
Honestly, using RAID5 for /var/spool/imap probably wouldn't be a problem
with a good battery-backed RAID card and a few hundred users.

> > I get delays accessing my email in Outlook (1.5 Gb of email) , I
> > suspect this delay is Outlook
> > Outlook is unresponsive for 2-3 minutes at startup (when syncing)

Look at the network traffic. I doubt this is Cyrus' fault.

> > All of the users currently use Outlook.
> > Outlook Auto Archive does not seem to work with IMAP

Sorry, I don't know anything about Outlook Auto Archive.

> > I am 99% sure this is outlook is the problem, are there workarounds available ?
> > (fairly sure I can convert a lot of people to Thunderbird etc , But
> > the Managers like their Outlook!)

I'd stick with Outlook over TB.

> > Is there a way to Archive Older Messages on the server ?

Why are you archiving? If your MTA is archiving [for auditor/lawyer
happiness] do you need the IMAP server to archive?

> > If anyone out there has set-up a similar system and hit a Stumbling
> > block Please let me know !!

I run Cyrus on CentOS5.x for ~350 users. They use a mix of clients but
not many Outlook users.

I have a doc that covers some Cyrus stuff - - in the Cyrus chapter.

--
OpenGroupware developer: awilliam at whitemice.org
OpenGroupware & Cyrus IMAPd documentation @

From awilliam at whitemice.org Mon Aug 17 08:38:02 2009
From: awilliam at whitemice.org (Adam Tauno Williams)
Date: Mon, 17 Aug 2009 08:38:02 -0400
Subject: Cyrus Imap server Questions
In-Reply-To: <1250464977.23267.57.camel@lin-workstation.azapple.com>
References: <1250464977.23267.57.camel@lin-workstation.azapple.com>
Message-ID: <1250512682.5360.16.camel@linux-m3mt>

> > I also get a Message now and then about my connection being closed

Just 'connection closed' or specifically "word too long"? Enable
session telemetry and try to recreate the issue.

--
OpenGroupware developer: awilliam at whitemice.org
OpenGroupware & Cyrus IMAPd documentation @

From awilliam at whitemice.org Mon Aug 17 08:40:19 2009
From: awilliam at whitemice.org (Adam Tauno Williams)
Date: Mon, 17 Aug 2009 08:40:19 -0400
Subject: Cyrus Imap server Questions
In-Reply-To:
References: <4A8894AD.6020404@onlight.com>
Message-ID: <1250512819.5360.19.camel@linux-m3mt>

On Mon, 2009-08-17 at 11:58 +1200, John Duthie wrote:
> OS will be Redhat EL 5.3 (not exactly my first choice)

Works great here. It is a very nice plain-jane server OS.

> looking at just using ext3fs, would this be a bad thing ?

Works fine for us; ~350 users.

> Where does one find this mysterious "offline" setting in outlook ?

Sorry, no clue. Just a google-guess -

--
OpenGroupware developer: awilliam at whitemice.org
OpenGroupware & Cyrus IMAPd documentation @

From wangpenghui at gmail.com Mon Aug 17 10:40:52 2009
From: wangpenghui at gmail.com (Penghui Wang)
Date: Mon, 17 Aug 2009 22:40:52 +0800
Subject: What's the message's UID in the message storage of cyrus imapd.
Message-ID:

Hi,

In the document of cyrus imapd package, there are something describe the
message files in the message storage.

*message files*
*There is one file per message, containing the message in RFC 822
format. Lines in the message are separated by CRLF, not just LF. The
file name of each message is the message's UID followed by a dot (.).*

I have googled for a while, but have got anything useful to explain what
is the message's UID.

Could someone pick me up?

Thanks very much.

Penghui Wang
Xiamen China

From adam at morrison-ind.com Mon Aug 17 10:50:01 2009
From: adam at morrison-ind.com (Adam Tauno Williams)
Date: Mon, 17 Aug 2009 10:50:01 -0400
Subject: What's the message's UID in the message storage of cyrus imapd.
In-Reply-To:
References:
Message-ID: <1250520601.5360.27.camel@linux-m3mt>

> In the document of cyrus imapd package, there are something describe
> the message files in the message storage.
> message files
> There is one file per message, containing the message in RFC
> 822 format. Lines in the message are separated by CRLF, not
> just LF. The file name of each message is the message's UID
> followed by a dot (.).
> I have googled for a while, but have got anything useful to explain
> what is the message's UID.

A unique id; it appears to pretty much be a sequence number. It has no
significance or relevance except as the id of the message AFAIK.

> Could someone pick me up?

--
OpenGroupware developer: awilliam at whitemice.org
OpenGroupware & Cyrus IMAPd documentation @

From wangpenghui at gmail.com Mon Aug 17 11:05:47 2009
From: wangpenghui at gmail.com (Penghui Wang)
Date: Mon, 17 Aug 2009 23:05:47 +0800
Subject: What's the message's UID in the message storage of cyrus imapd.
In-Reply-To: <1250520601.5360.27.camel@linux-m3mt>
References: <1250520601.5360.27.camel@linux-m3mt>
Message-ID:

On Mon, Aug 17, 2009 at 10:50 PM, Adam Tauno Williams wrote:
>
> > In the document of cyrus imapd package, there are something describe
> > the message files in the message storage.
> > message files
> > There is one file per message, containing the message in RFC
> > 822 format. Lines in the message are separated by CRLF, not
> > just LF. The file name of each message is the message's UID
> > followed by a dot (.).
> > I have googled for a while, but have got anything useful to explain
> > what is the message's UID.
>
> A unique id; it appears to pretty much be a sequence number. It has no
> significance or relevance except as the id of the message AFAIK.
>

Thanks very much for your quick response.

For instance, if I have two subfolder in the INBOX. Is it possible that
the same UID of message appeared in both of the two folders.
In another word, the sequence number based on folder or mail account?

I wanna do some archiving operations on the filesystem level. So I have
to deal with the message files stored in the mailboxes.

Regards,
Penghui Wang.

> Could someone pick me up?
> --
> OpenGroupware developer: awilliam at whitemice.org
>
> OpenGroupware & Cyrus IMAPd documentation @
>

From vbfox at ucdavis.edu Mon Aug 17 11:10:33 2009
From: vbfox at ucdavis.edu (Vincent Fox)
Date: Mon, 17 Aug 2009 08:10:33 -0700
Subject: What's the message's UID in the message storage of cyrus imapd.
In-Reply-To:
References:
Message-ID: <4A8972E9.1070103@ucdavis.edu>

The UID is defined in RFC for IMAP as needing to be a unique number for
that mailbox. That is all it is.

You can dump message files into an account and as long as they are "#."
and you index them they will be visible to IMAP clients.

The UIDL is related/derived number returned by POP.

We actually had to patch our Cyrus install so it would return same UIDL
results for POP as the old UW server, so transition from UW to Cyrus
would be smooth.

From awilliam at whitemice.org Mon Aug 17 11:12:32 2009
From: awilliam at whitemice.org (Adam Tauno Williams)
Date: Mon, 17 Aug 2009 11:12:32 -0400
Subject: What's the message's UID in the message storage of cyrus imapd.
In-Reply-To:
References: <1250520601.5360.27.camel@linux-m3mt>
Message-ID: <1250521952.5360.33.camel@linux-m3mt>

> For instance, if i have two subfolder in the INBOX. Is it possible
> that the same UID of message appeared in both of the two folders.
> In another word, the sequence number based on folder or mail account?

Folder, I believe the uniqueness of the UID is to the folder scope.

I remember once seeing something about the ability to generate UUIDs
[was that Cyrus or something else?] but I don't know how to turn that
on/off.

> I wanna do some archiving operations on the filesystem level.

Ugh, I'd advise against it. Why not do them on the 'protocol' level?
That certainly makes the archives easier to use.

> So i have to deal with the message files stored in the mailboxes.

--
OpenGroupware developer: awilliam at whitemice.org
OpenGroupware & Cyrus IMAPd documentation @

From wangpenghui at gmail.com Mon Aug 17 11:36:21 2009
From: wangpenghui at gmail.com (Penghui Wang)
Date: Mon, 17 Aug 2009 23:36:21 +0800
Subject: What's the message's UID in the message storage of cyrus imapd.
In-Reply-To: <1250521952.5360.33.camel@linux-m3mt>
References: <1250520601.5360.27.camel@linux-m3mt> <1250521952.5360.33.camel@linux-m3mt>
Message-ID:

On Mon, Aug 17, 2009 at 11:12 PM, Adam Tauno Williams
<awilliam at whitemice.org> wrote:
>
> > For instance, if i have two subfolder in the INBOX. Is it possible
> > that the same UID of message appeared in both of the two folders.
> > In another word, the sequence number based on folder or mail account?
>
> Folder, I believe the uniqueness of the UID is to the folder scope.
>
> I remember once seeing something about the ability to generate UUIDs
> [was that Cyrus or something else?] but I don't know how to turn that
> on/off.
>
> > I wanna do some archiving operations on the filesystem level.
>
> Ugh, I'd advise against it. Why not do them on the 'protocol' level?
> That certainly makes the archives easier to use.

Thanks very much for your advice. If this task could handled in the
protocol level. That should be great.

Here are what I wanna do:
Some mail clients has the feature to archive the messages by date. For
instance, they could create a mail folder named by the month such as
2009-08 each month.
I wanna do this operation on the server side. So I have to created the
folder then find all the message in this month then move all of them to
the new folder.

But I am not sure the protocol operations if I don't know the password
of every account. If I wanna do this via Perl, do you have some good
idea?

Regards,
Penghui Wang

>
> > So i have to deal with the message files stored in the mailboxes.
>
> --
> OpenGroupware developer: awilliam at whitemice.org
>
> OpenGroupware & Cyrus IMAPd documentation @
>

From simon.matter at invoca.ch Mon Aug 17 11:59:14 2009
From: simon.matter at invoca.ch (Simon Matter)
Date: Mon, 17 Aug 2009 17:59:14 +0200
Subject: What's the message's UID in the message storage of cyrus imapd.
In-Reply-To:
References: <1250520601.5360.27.camel@linux-m3mt> <1250521952.5360.33.camel@linux-m3mt>
Message-ID:

> On Mon, Aug 17, 2009 at 11:12 PM, Adam Tauno Williams
> <awilliam at whitemice.org> wrote:
>
>>
>> > For instance, if i have two subfolder in the INBOX. Is it possible
>> > that the same UID of message appeared in both of the two folders.
>> > In another word, the sequence number based on folder or mail account?
>>
>> Folder, I believe the uniqueness of the UID is to the folder scope.
>>
>> I remember once seeing something about the ability to generate UUIDs
>> [was that Cyrus or something else?] but I don't know how to turn that
>> on/off.
>>
>> > I wanna do some archiving operations on the filesystem level.
>>
>> Ugh, I'd advise against it. Why not do them on the 'protocol' level?
>> That certainly makes the archives easier to use.
>
>
> Thanks very much for your advice. If this task could handled in the
> protocol level. That should be great.
>
> Here are what I wanna do:
> Some mail clients has the feature to archive the messages by date. For
> instance, they could create a mail folder named by the month such as
> 2009-08 each month.
> I wanna do this operation on the server side. So I have to created the
> folder then find all the message in this month then move all of them to
> the new folder.
>
> But I am not sure the protocol operations if I don't know the password of
> every account. If I wanna do this via Perl, do you have some good idea?

Check out the "proxyservers" option in imapd.conf. You can define users
and groups that are allowed to proxy for other users. I think that's
exactly what you need.

Regards,
Simon

From morgan at orst.edu Mon Aug 17 12:55:35 2009
From: morgan at orst.edu (Andrew Morgan)
Date: Mon, 17 Aug 2009 09:55:35 -0700 (PDT)
Subject: What's the message's UID in the message storage of cyrus imapd.
In-Reply-To:
References: <1250520601.5360.27.camel@linux-m3mt> <1250521952.5360.33.camel@linux-m3mt>
Message-ID:

On Mon, 17 Aug 2009, Penghui Wang wrote:

> Thanks very much for your advice. If this task could handled in the protocol
> level. That should be great.
>
> Here are what I wanna do:
> Some mail clients has the feature to archive the messages by date. For
> instance, they could create a mail folder named by the month such as 2009-08
> each month.
> I wanna do this operation on the server side. So I have to created the
> folder then find all the message in this month then move all of them to the
> new folder.
>
> But I am not sure the protocol operations if I don't know the password of
> every account. If I wanna do this via Perl, do you have some good idea?

You should be able to use the Mail::IMAPClient perl module to do this.
You just need to construct an IMAP search that returns the results you
want (either "search" or "since" functions), then use the results to
copy the messages to your archive folder.

Andy

From flathill at netspring.co.jp Tue Aug 18 03:21:58 2009
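Added example, not part of any list message: the server-side monthly archive discussed in the UID thread above, done at the protocol level with Python's imaplib rather than the Perl module Andrew names. It assumes an archiving account that the server allows to authorize as other users (the "proxyservers" setting Simon points to); the host, the account names and the RecordingConn stand-in are constructed for illustration.

```python
import imaplib
from datetime import date

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()


def imap_date(d):
    """RFC 3501 SEARCH date such as 1-Aug-2009 (independent of the locale)."""
    return f"{d.day}-{MONTHS[d.month - 1]}-{d.year}"


def month_criteria(year, month):
    """SEARCH keys for one calendar month, matched against the internal
    (arrival) date: SINCE is inclusive, BEFORE is exclusive."""
    first = date(year, month, 1)
    following = date(year + month // 12, month % 12 + 1, 1)
    return f"SINCE {imap_date(first)} BEFORE {imap_date(following)}"


def plain_proxy_auth(target_user, admin_user, admin_password):
    """Callback for imaplib's authenticate("PLAIN", ...).

    SASL PLAIN (RFC 4616) sends authzid NUL authcid NUL password, so the
    admin account proves its own password and asks to act as target_user.
    The server decides whether admin_user may do that.
    """
    blob = "\0".join((target_user, admin_user, admin_password)).encode("utf-8")
    return lambda _challenge: blob


def connect_as(host, target_user, admin_user, admin_password):
    """Open a TLS session as target_user without knowing that user's password."""
    conn = imaplib.IMAP4_SSL(host)  # TLS first: PLAIN carries the password as-is
    conn.authenticate(
        "PLAIN", plain_proxy_auth(target_user, admin_user, admin_password))
    return conn


def archive_month(conn, year, month, source="INBOX", delimiter="."):
    """Copy one month of `source` into <source><delimiter>YYYY-MM and flag the
    originals \\Deleted. Returns (archive_folder, [source UIDs handled])."""
    folder = f"{source}{delimiter}{year:04d}-{month:02d}"
    typ, _ = conn.select(source)
    if typ != "OK":
        raise RuntimeError(f"cannot select {source}")
    # UID commands: sequence numbers shift as messages are expunged, UIDs do not.
    typ, data = conn.uid("SEARCH", month_criteria(year, month))
    if typ != "OK":
        raise RuntimeError("SEARCH failed")
    uids = [u.decode() for u in (data[0] or b"").split()]
    if not uids:
        return folder, []
    uid_set = ",".join(uids)
    conn.create(folder)  # a NO reply here normally means the folder already exists
    # These UIDs are valid only in `source`; the copies get new UIDs in `folder`.
    typ, _ = conn.uid("COPY", uid_set, folder)
    if typ != "OK":
        raise RuntimeError("COPY failed, originals left untouched")
    conn.uid("STORE", uid_set, "+FLAGS.SILENT", r"(\Deleted)")
    # No EXPUNGE here: it would also remove messages the user flagged \Deleted.
    return folder, uids


class RecordingConn:
    """Constructed stand-in for imaplib.IMAP4_SSL: records commands, no network."""

    def __init__(self, search_reply=b""):
        self.search_reply = search_reply
        self.calls = []

    def select(self, mailbox):
        self.calls.append(("SELECT", mailbox))
        return "OK", [b"3"]

    def create(self, mailbox):
        self.calls.append(("CREATE", mailbox))
        return "OK", [b"Completed"]

    def uid(self, command, *args):
        self.calls.append(("UID " + command,) + args)
        return "OK", [self.search_reply if command == "SEARCH" else None]


if __name__ == "__main__":
    # Dry run against the stand-in; a real run would use
    # connect_as("imap.example.com", "user1", "archiver", "...") (placeholders).
    demo = RecordingConn(b"101 102 107")  # constructed SEARCH reply
    print(archive_month(demo, 2009, 8))
    for call in demo.calls:
        print(call)
```

An account that may authorize as any user can read every mailbox, so its credentials and its entry in the server configuration deserve the same care as the admins list.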
From: flathill at netspring.co.jp (Seiichirou Hiraoka)
Date: Tue, 18 Aug 2009 16:21:58 +0900 (JST)
Subject: [HELP] IOERROR: opening cyrus.expunge: No such file or directory
Message-ID: <20090818.162158.71130383.flathill@netspring.co.jp>

Hello,

I'm using Cyrus-IMAP on following environment.

OS: Solaris10 SPARC
Cyrus-IMAP: 2.3.9
Cyrus-SASL: 2.1.22

The following messages are rarely output and are troubled.

IOERROR: opening /path/to/mail/spool/cyrus.expunge: No such file or directory

In the case of most, I can't find directory /path/to/mail/spool itself...
And there was an answer that nothing had any problem when I asked a user.

I don't know why such problem happens.
Because I offer it if there is necessary information, I am happy when I
can have advice.

Best regards!

- flathill

From john at sml.citizen.co.jp Tue Aug 18 06:14:45 2009
From: john at sml.citizen.co.jp (John/SML)
Date: Tue, 18 Aug 2009 18:14:45 +0800
Subject: How to make sent folder same level as inbox
Message-ID:

Hi,

I have successfully setup a running Cyrus IMAP 2.2 server. However, I
found that the sent and trash folders were under Inbox :-

user1 at domain.com
|
--inbox
   |
   - Sent
   - Trash

How to configure Cyrus IMAP such that the folders are on the same level
as inbox ?

user1 at domain.com
|
--inbox
-- Sent
-- Trash

Thanks a lot.

John Mok

From awilliam at whitemice.org Tue Aug 18 06:27:17 2009
From: awilliam at whitemice.org (Adam Tauno Williams)
Date: Tue, 18 Aug 2009 06:27:17 -0400
Subject: How to make sent folder same level as inbox
In-Reply-To:
References:
Message-ID: <1250591237.5689.13.camel@linux-m3mt>

On Tue, 2009-08-18 at 18:14 +0800, John/SML wrote:
> I have successfully setup a running Cyrus IMAP 2.2 server. However, I
> found that the sent and trash folders were under Inbox :-

man imapd.conf
----
altnamespace: 0
    Use the alternate IMAP namespace, where personal folders reside at
    the same level in the hierarchy as INBOX.

--
OpenGroupware developer: awilliam at whitemice.org
OpenGroupware & Cyrus IMAPd documentation @

From arbatovevgeniy at gmail.com Wed Aug 19 08:33:12 2009
From: arbatovevgeniy at gmail.com (Evgeniy Arbatov)
Date: Wed, 19 Aug 2009 15:33:12 +0300
Subject: Ptloader configuration in Cyrus IMAP
Message-ID: <56c989d50908190533g12b259b9u56b5f7c5a3a1b928@mail.gmail.com>

Dear list,

I want to ask your advice on the use of ptloader for LDAP-based
authorization in Cyrus IMAP.

I configured my Cyrus IMAP to use ptloader:

ldap_uri: ldaps://ldap.example.com:636
ldap_sasl: 0
pts_module: ldap
ldap_filter: (uid=%U)
ldap_base: dc=example,dc=com
ldap_group_filter: (cn=%u)
ldap_group_base: ou=groups,ou=people,dc=example,dc=com
ldap_member_method: attribute
ldap_member_attribute: member
ldap_member_base: ou=users,ou=people,dc=example,dc=com
ldap_size_limit: 20

In the LDAP I have the following entries:

dn: cn=admins,ou=groups,ou=people,dc=example,dc=com
uid: admins
member: cn=Evgeniy Arbatov,ou=users,ou=people,dc=example,dc=com

dn: cn=Evgeniy Arbatov,ou=users,ou=people,dc=example,dc=com
uid: earbatov

Via cyradm I add needed permissions for admins group:

> sam user/postmaster admins lrswipkxte

Then I successfully authenticate using earbatov UID, but shared folders
are not visible in the Thunderbird.

Moreover, I do not see any attempts of Cyrus IMAP to query LDAP for
authorization information. I know that TLS is working for this LDAP
connection.

Can you tell where I am wrong?

Thank you very much!

Regards,
Evgeniy

From reinaldoc at gmail.com Wed Aug 19 08:45:04 2009
From: reinaldoc at gmail.com (Reinaldo de Carvalho) Date: Wed, 19 Aug 2009 09:45:04 -0300 Subject: Ptloader configuration in Cyrus IMAP In-Reply-To: <56c989d50908190533g12b259b9u56b5f7c5a3a1b928@mail.gmail.com> References: <56c989d50908190533g12b259b9u56b5f7c5a3a1b928@mail.gmail.com> Message-ID: <4a5881460908190545j7ea82c7buf9f5057957eee05a@mail.gmail.com> On Wed, Aug 19, 2009 at 9:33 AM, Evgeniy Arbatov wrote: > Via cyradm I add needed permissions for admins group: > >> sam user/postmaster admins lrswipkxte > > Then I successfully authenticate using earbatov UID, but shared > folders are not visible in the Thunderbird. > Do you subscribe mailbox? -- Reinaldo de Carvalho http://korreio.sf.net http://python-cyrus.sf.net "Don't try to adapt the software to the way you work, but rather yourself to the way the software works" (myself) From reinaldoc at gmail.com Wed Aug 19 09:25:05 2009 
From: reinaldoc at gmail.com (Reinaldo de Carvalho) Date: Wed, 19 Aug 2009 10:25:05 -0300 Subject: Ptloader configuration in Cyrus IMAP In-Reply-To: <56c989d50908190602m111b5458ia93b9292a15d9b2@mail.gmail.com> References: <56c989d50908190533g12b259b9u56b5f7c5a3a1b928@mail.gmail.com> <4a5881460908190545j7ea82c7buf9f5057957eee05a@mail.gmail.com> <56c989d50908190602m111b5458ia93b9292a15d9b2@mail.gmail.com> Message-ID: <4a5881460908190625v168386e7uae359c1bc7c0c7e9@mail.gmail.com> On Wed, Aug 19, 2009 at 10:02 AM, Evgeniy Arbatov wrote: > On Wed, Aug 19, 2009 at 3:45 PM, Reinaldo de > Carvalho wrote: >> On Wed, Aug 19, 2009 at 9:33 AM, Evgeniy >> Arbatov wrote: >> >>> Via cyradm I add needed permissions for admins group: >>> >>>> sam user/postmaster admins lrswipkxte >>> >>> Then I successfully authenticate using earbatov UID, but shared >>> folders are not visible in the Thunderbird. >>> >> >> Do you subscribe mailbox? >> > > I can not yet subscribe in the Thunderbird, since I do not see the > mailbox in the subscription list. One more note: if I configure shared > access locally via cyradm interface, without using the ptloader and > LDAP - everything works as expected. > > Evgeniy > auth_mech: pts -- Reinaldo de Carvalho http://korreio.sf.net http://python-cyrus.sf.net "Don't try to adapt the software to the way you work, but rather yourself to the way the software works" (myself) From Duncan.Gibb at SiriusIT.co.uk Wed Aug 19 10:03:20 2009 
From: Duncan.Gibb at SiriusIT.co.uk (Duncan Gibb)
Date: Wed, 19 Aug 2009 15:03:20 +0100
Subject: Ptloader configuration in Cyrus IMAP
In-Reply-To: <56c989d50908190533g12b259b9u56b5f7c5a3a1b928@mail.gmail.com>
References: <56c989d50908190533g12b259b9u56b5f7c5a3a1b928@mail.gmail.com>
Message-ID: <4A8C0628.60401@SiriusIT.co.uk>

Evgeniy Arbatov wrote:

EA> pts_module: ldap

This module is currently very difficult to configure, IMHO. I've posted
previously that there's scope for a mini-project to make it behave more
similarly to other LDAP-group-orientated things such as nss_ldap or
saslauthd.

EA> ldap_member_method: attribute

This method doesn't work the way you might expect. It finds the user
object and wants to see the names of the groups of which the user is a
member in the named attribute of the user. For example:

dn: cn=Evgeniy Arbatov,ou=users,ou=people,dc=example,dc=com
cn: Evgeniy Arbatov
ou: admins
ou: othergroup
ou: thirdgroup

If you want to put the names of the members into the group objects, you
probably need to use the filter method.

> dn: cn=admins,ou=groups,ou=people,dc=example,dc=com
> uid: admins
> member: cn=Evgeniy Arbatov,ou=users,ou=people,dc=example,dc=com

I don't believe the current implementation supports this style of group
membership (groupOfUniqueNames and similar). It's much more orientated
towards posixGroup-style groups. Can you make your data look like

dn: cn=admins,ou=groups,ou=people,dc=example,dc=com
cn: admins
memberuid: earbatov
memberuid: otherperson

Then configure

ldap_member_method: filter
ldap_member_filter: (memberUid=%u)
ldap_member_attribute: cn

EA> Via cyradm I add needed permissions for admins group:
>>> sam user/postmaster admins lrswipkxte

"group:admins" ?

EA> Moreover, I do not see any attempts of Cyrus IMAP to query
EA> LDAP for authorization information. I know that TLS is
EA> working for this LDAP connection.

The ptdump utility will show you the current state of the cache, eg:

user: earbatov time: NNNNNN groups: 1
  group: admins

Cheers

Duncan

--
Duncan Gibb - Technical Director
Sirius Corporation plc - control through freedom
http://www.siriusit.co.uk/ || t: +44 870 608 0063
Debian Cyrus Team - https://alioth.debian.org/projects/pkg-cyrus-imapd/

From hans.moser at ofd-sth.niedersachsen.de Thu Aug 20 01:39:19 2009
From: hans.moser at ofd-sth.niedersachsen.de (Marc Patermann)
Date: Thu, 20 Aug 2009 07:39:19 +0200
Subject: Ptloader configuration in Cyrus IMAP
In-Reply-To: <56c989d50908190533g12b259b9u56b5f7c5a3a1b928@mail.gmail.com>
References: <56c989d50908190533g12b259b9u56b5f7c5a3a1b928@mail.gmail.com>
Message-ID: <4A8CE187.8040609@ofd-sth.niedersachsen.de>

Evgeniy,

Evgeniy Arbatov wrote:
> Dear list,
>
> I want to ask your advice on the use of ptloader for LDAP-based
> authorization in Cyrus IMAP.
>
> I configured my Cyrus IMAP to use ptloader:
> [...]
> Can you tell where I am wrong?

auth_mech: pts was mentioned before.
Did you set ptloader_sock in imapd.conf?

What does the log say about ptloader?
Does it start? Does it get any data?

Marc

From hans.moser at ofd-sth.niedersachsen.de Thu Aug 20 01:43:47 2009
From: hans.moser at ofd-sth.niedersachsen.de (Marc Patermann)
Date: Thu, 20 Aug 2009 07:43:47 +0200
Subject: Ptloader configuration in Cyrus IMAP
In-Reply-To: <4A8C0628.60401@SiriusIT.co.uk>
References: <56c989d50908190533g12b259b9u56b5f7c5a3a1b928@mail.gmail.com> <4A8C0628.60401@SiriusIT.co.uk>
Message-ID: <4A8CE293.8000205@ofd-sth.niedersachsen.de>

Duncan,

Duncan Gibb wrote:
> EA> pts_module: ldap
>
> This module is currently very difficult to configure, IMHO.

That's true. :)
But it's doable.

> EA> ldap_member_method: attribute
>
> This method doesn't work the way you might expect. It finds the user
> object and wants to see the names of the groups of which the user is a
> member in the named attribute of the user. For example:
>
> dn: cn=Evgeniy Arbatov,ou=users,ou=people,dc=example,dc=com
> cn: Evgeniy Arbatov
> ou: admins
> ou: othergroup
> ou: thirdgroup
>
> If you want to put the names of the members into the group objects, you
> probably need to use the filter method.
>
>> dn: cn=admins,ou=groups,ou=people,dc=example,dc=com
>> uid: admins
>> member: cn=Evgeniy Arbatov,ou=users,ou=people,dc=example,dc=com
>
> I don't believe the current implementation supports this style of group
> membership (groupOfUniqueNames and similar). It's much more orientated
> towards posixGroup-style groups.

It does IMHO.
Here is my config:

ldap_id: xxx
ldap_sasl: 1
ldap_password: xxxx
ldap_uri: ldap://tfas099.foo
ldap_mech: PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
ldap_tls_cacert_file: /opt/mail/etc/openldap/ssl/ca2006.pem
ldap_tls_cert: /opt/mail/etc/openldap/ssl/cert2006.pem
ldap_tls_key: /opt/mail/etc/openldap/ssl/key2006.pem
ldap_base: ou=humans,ou=foo
ldap_group_base: ou=gruppen,ou=humans,ou=foo
ldap_group_filter: ou=%U
ldap_member_attribute: member
ldap_group_scope: sub
ldap_member_method: attribute

Marc

From arbatovevgeniy at gmail.com Thu Aug 20 04:54:23 2009
From: arbatovevgeniy at gmail.com (Evgeniy Arbatov)
Date: Thu, 20 Aug 2009 11:54:23 +0300
Subject: Ptloader configuration in Cyrus IMAP
In-Reply-To: <4A8CE293.8000205@ofd-sth.niedersachsen.de>
References: <56c989d50908190533g12b259b9u56b5f7c5a3a1b928@mail.gmail.com> <4A8C0628.60401@SiriusIT.co.uk> <4A8CE293.8000205@ofd-sth.niedersachsen.de>
Message-ID: <56c989d50908200154k119809c1p1fc17d99758740cd@mail.gmail.com>

Thank you for your suggestions! They helped me a great deal.
The situation is better now, in a sense that ptloader connects to LDAP
and finds something.

After corrections my imapd.conf:

auth_mech: pts
pts_module: ldap
ptloader_sock: /var/lib/imap/socket/ptsock

ldap_uri: ldaps://ldap.example.com:636
ldap_sasl: 0
ldap_size_limit: 20

ldap_filter: (uid=%U)
ldap_group_filter: (cn=%u)

ldap_member_method: filter
ldap_member_filter: (memberUid=%u)
ldap_member_attribute: cn

ldap_base: dc=example,dc=com
ldap_group_base: ou=groups,ou=people,dc=example,dc=com
ldap_member_base: ou=groups,ou=people,dc=example,dc=com

The LDAP now looks as following:

dn: cn=admins,ou=groups,ou=people,dc=example,dc=com
cn: admins
memberUid: earbatov
memberUid: user

I modified the permissions for the admins group:

sam user/postmaster group:admins lrswipkxte

The logs for ptloader now have:

mail imaps[17540]: ptload(): pinging ptloader
mail imaps[17540]: connected with no delay
mail imaps[17540]: ptload(): connected
mail imaps[17540]: timeout_select: sock = 17, rp = 0x0, wp = 0x4aa71af0, sec = 30
mail imaps[17540]: timeout_select exiting. r = 1; errno = 0
mail ptloader[17538]: accepted connection
mail imaps[17540]: ptload sent data
mail imaps[17540]: timeout_select: sock = 17, rp = 0x4aa71b70, wp = 0x0, sec = 30
mail imaps[17540]: timeout_select exiting. r = 1; errno = 0
mail imaps[17540]: ptload read data back
mail imaps[17540]: ptload(): empty response from ptloader server
mail master[17508]: process 17538 exited, signaled to death by 11
mail master[17508]: service ptloader pid 17538 in READY state: terminated abnormally
mail imaps[17540]: No data available at all from ptload()
mail imaps[17540]: ptload completely failed: unable to canonify identifier: earbatov
mail imaps[17540]: badlogin: net.example.com [192.168.0.78] plaintext earbatov invalid user
mail master[17613]: about to exec /usr/lib/cyrus-imapd/ptloader
mail ptloader[17613]: executed
mail ptloader[17613]: starting: $Id: ptloader.c,v 1.32.2.9 2005/02/25 07:19:06 shadow Exp $

The LDAP logs show this:

ldap slapd[30259]: conn=20 op=2 SRCH base="ou=groups,ou=people,dc=example,dc=com" scope=2 deref=0 filter="(memberUid=earbatov)"
ldap slapd[30259]: conn=20 op=2 SRCH attr=cn
ldap slapd[30259]: conn=20 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=

And the ptdump tells:

user: admins time: 1250751529 groups: 0
user: cyrusimap time: 1250751556 groups: 0
user: group:admins time: 1250751780 groups: 0
user: postmaster time: 1250751701 groups: 0

Needless to say, the authorization fails, without even giving me
access to usual, not shared mailboxes.

>> EA> pts_module: ldap
>>
>> This module is currently very difficult to configure, IMHO.
> That's true. :) But it's doable.

I would be glad not to use this pts_module, but if I leave it to
defaults I see:

mail ptloader[18396]: starting: $Id: ptloader.c,v 1.32.2.9 2005/02/25 07:19:06 shadow Exp $
mail ptloader[18396]: PTS module afskrb not supported
mail master[18364]: process 18428 exited, status 75
mail master[18364]: service ptloader pid 18428 in READY state: terminated abnormally

Please refer me to any instructions on pts_module, if I do need to
make changes.

One more question: I am confused about the role of ldap_group_filter
and ldap_group_base. Isn't ldap_member* enough?

Evgeniy

From hans.moser at ofd-sth.niedersachsen.de Thu Aug 20 05:44:24 2009
From: hans.moser at ofd-sth.niedersachsen.de (Marc Patermann)
Date: Thu, 20 Aug 2009 11:44:24 +0200
Subject: Ptloader configuration in Cyrus IMAP
In-Reply-To: <56c989d50908200154k119809c1p1fc17d99758740cd@mail.gmail.com>
References: <56c989d50908190533g12b259b9u56b5f7c5a3a1b928@mail.gmail.com> <4A8C0628.60401@SiriusIT.co.uk> <4A8CE293.8000205@ofd-sth.niedersachsen.de> <56c989d50908200154k119809c1p1fc17d99758740cd@mail.gmail.com>
Message-ID: <4A8D1AF8.4030803@ofd-sth.niedersachsen.de>

Hi,

Evgeniy Arbatov wrote:
> Thank you for your suggestions! They helped me a great deal.
> The situation is better now, in a sense that ptloader connects to LDAP
> and finds something.

OK. :)

> After corrections my imapd.conf:

This is what I have.

auth_mech: pts
pts_module: ldap
ptloader_sock: /var/lib/imap/socket/ptclient
sasl_mech_list: PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
sasl_log_level: 5
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldap://tfas099.foo
sasl_ldapdb_id: xxx
sasl_ldapdb_pw: xxxx
sasl_ldapdb_mech: PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
allowplaintext: yes
sasl_minimum_layer: 0
sasl_ldapdb_starttls: Demand
sasl_ldap_search_base: ou=humans,ou=foo
sasl_ldap_search_filter: maildrop=%U
lmtp_overquota_perm_failure: no
maxmessagesize: 25000000
ldap_id: xxxx
ldap_sasl: 1
ldap_password: xxxx
ldap_uri: ldap://tfas099.foo
ldap_mech: PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
ldap_tls_cacert_file: /opt/mail/etc/openldap/ssl/ca2006.pem
ldap_tls_cert: /opt/mail/etc/openldap/ssl/cert2006.pem
ldap_tls_key: /opt/mail/etc/openldap/ssl/key2006.pem
ldap_base: ou=humans,ou=foo
ldap_group_base: ou=gruppen,ou=humans,ou=foo
ldap_group_filter: ou=%U
ldap_member_attribute: member
ldap_group_scope: sub
ldap_member_method: attribute

> The LDAP now looks as following:

I use group like you did before.

Marc

From murch at andrew.cmu.edu Thu Aug 20 10:14:06 2009
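Added example (not part of any message in this thread, and not Cyrus code): a small Python model of the two ldap_member_method lookups as Duncan Gibb describes them above, run against constructed copies of the directory entries and ACLs quoted in the thread. The in-memory directories, the single-equality filter matcher, the %u/%U token handling and all function names are assumptions made for illustration.

```python
import re

# Constructed directories (DN -> attributes), copied from the entries quoted in the thread.
MEMBER_DN_LAYOUT = {  # first message: the group object lists member DNs
    "cn=admins,ou=groups,ou=people,dc=example,dc=com": {
        "uid": ["admins"],
        "member": ["cn=Evgeniy Arbatov,ou=users,ou=people,dc=example,dc=com"],
    },
    "cn=Evgeniy Arbatov,ou=users,ou=people,dc=example,dc=com": {"uid": ["earbatov"]},
}
MEMBERUID_LAYOUT = {  # follow-up message: posixGroup-style memberUid values
    "cn=admins,ou=groups,ou=people,dc=example,dc=com": {
        "cn": ["admins"],
        "memberUid": ["earbatov", "user"],
    },
    "cn=Evgeniy Arbatov,ou=users,ou=people,dc=example,dc=com": {"uid": ["earbatov"]},
}

# Only the imapd.conf options that drive the group lookup, as posted in the thread.
ORIGINAL_CONF = {
    "ldap_filter": "(uid=%U)",
    "ldap_base": "dc=example,dc=com",
    "ldap_member_method": "attribute",
    "ldap_member_attribute": "member",
    "ldap_member_base": "ou=users,ou=people,dc=example,dc=com",
}
CORRECTED_CONF = {
    "ldap_filter": "(uid=%U)",
    "ldap_base": "dc=example,dc=com",
    "ldap_member_method": "filter",
    "ldap_member_filter": "(memberUid=%u)",
    "ldap_member_attribute": "cn",
    "ldap_member_base": "ou=groups,ou=people,dc=example,dc=com",
}


def expand(template, user):
    """Substitute %u (identifier) and %U (part before '@'); assumed token meaning."""
    local = user.split("@", 1)[0]
    return template.replace("%U", local).replace("%u", user)


def search(directory, base, flt):
    """Subtree search that understands one equality filter, e.g. (uid=x) or ou=x."""
    m = re.fullmatch(r"\(?([A-Za-z][\w-]*)=([^()]*)\)?", flt)
    if not m:
        raise ValueError("unsupported filter: " + flt)
    attr, value = m.group(1).lower(), m.group(2)
    hits = []
    for dn, attrs in directory.items():
        if not dn.lower().endswith(base.lower()):
            continue  # entry lies outside the search base
        lowered = {k.lower(): v for k, v in attrs.items()}  # attribute names ignore case
        if value in lowered.get(attr, []):
            hits.append(lowered)
    return hits


def groups_for(directory, conf, user):
    """Group names for `user` under the configured ldap_member_method."""
    if re.search(r"[*()\\\x00]", user):
        # Never splice filter metacharacters from a login name into a search filter.
        raise ValueError("identifier contains LDAP filter metacharacters")
    attr = conf["ldap_member_attribute"].lower()
    if conf["ldap_member_method"] == "attribute":
        # Find the USER object and read group names from its named attribute.
        entries = search(directory, conf["ldap_base"], expand(conf["ldap_filter"], user))
    elif conf["ldap_member_method"] == "filter":
        # Find GROUP objects matching the filter and read the named attribute of each.
        entries = search(directory, conf["ldap_member_base"],
                         expand(conf["ldap_member_filter"], user))
    else:
        raise ValueError("unknown ldap_member_method")
    return sorted(g for e in entries for g in e.get(attr, []))


def rights(acl, user, groups):
    """Union of rights from ACL entries naming the user or 'group:<name>'.
    Simplified: negative rights and special identifiers are not modelled."""
    identifiers = {user} | {"group:" + g for g in groups}
    granted = set()
    for identifier, chars in acl.items():
        if identifier in identifiers:
            granted |= set(chars)
    return "".join(sorted(granted))


def demo():
    acl_bare = {"admins": "lrswipkxte"}         # ACL from the first message
    acl_group = {"group:admins": "lrswipkxte"}  # ACL after the "group:admins" hint
    before = groups_for(MEMBER_DN_LAYOUT, ORIGINAL_CONF, "earbatov")
    after = groups_for(MEMBERUID_LAYOUT, CORRECTED_CONF, "earbatov")
    return {
        "before": (before, rights(acl_bare, "earbatov", before)),
        "after_bare_acl": (after, rights(acl_bare, "earbatov", after)),
        "after_group_acl": (after, rights(acl_group, "earbatov", after)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

Only the last case yields any rights: the group has to be resolvable by the chosen method and the ACL has to name it as group:admins. Against a live directory, the expanded filter can be run with ldapsearch and the result compared with what ptdump shows.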
From: murch at andrew.cmu.edu (Ken Murchison) Date: Thu, 20 Aug 2009 10:14:06 -0400 Subject: Cyrus SASL 2.1.24 RC1 Released Message-ID: <4A8D5A2E.4090103@andrew.cmu.edu> I'd like to announce the release of Cyrus SASL 2.1.24 RC1 on ftp.andrew.cmu.edu. This release candidate includes numerous bugfixes and several minor feature enhancements. For a complete list, look at the NEWS file in the distribution. I'd like to get some independent testing of this code before I make a final release. Please send any feedback either to cyrus-sasl at lists.andrew.cmu.edu (public list) or to cyrus-bugs at andrew.cmu.edu. Download at: ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.24rc1.tar.gz -- Kenneth Murchison Systems Programmer Carnegie Mellon University From wcooley at nakedape.cc Thu Aug 20 14:09:12 2009 
From: wcooley at nakedape.cc (Wil Cooley)
Date: Thu, 20 Aug 2009 11:09:12 -0700
Subject: Ptloader configuration in Cyrus IMAP
In-Reply-To: <56c989d50908190533g12b259b9u56b5f7c5a3a1b928@mail.gmail.com>
References: <56c989d50908190533g12b259b9u56b5f7c5a3a1b928@mail.gmail.com>
Message-ID: <1250791752.13437.57.camel@wildebeest.oit.pdx.edu>

On Wed, 2009-08-19 at 15:33 +0300, Evgeniy Arbatov wrote:
> Dear list,
>
> I want to ask your advice on the use of ptloader for LDAP-based
> authorization in Cyrus IMAP.

Do I understand correctly from this discussion and the sparse mention of
this in the documentation that the LDAP ptloader module can be used to
manage group ACLs with "auth_mech=pts/pts_module=ldap", instead of
"auth_mech=unix/unix_group_enable=1"?

Does this solve the slowness caused by UNIX groups in LDAP?

Does "auth_mech" affect anything else?

I have heretofore ignored mention of the pts/ptloader stuff because I
was under the impression that it was entirely AFS-related, which I have
no infrastructure for, but if this is the way to enable groups in LDAP
without the slowness, then I need to look more closely at this.

Wil
--
Wil Cooley

From wcooley at nakedape.cc Thu Aug 20 14:38:47 2009
From: wcooley at nakedape.cc (Wil Cooley)
Date: Thu, 20 Aug 2009 11:38:47 -0700
Subject: Removing the "Web Changes Notification Service" from the wiki
Message-ID: <1250793527.13437.62.camel@wildebeest.oit.pdx.edu>

Having long been annoyed by the monstrous block of text called the "Web
Changes Notification Service" on the wiki, I finally decided to try to
edit a page and see if it could be easily removed. Turns out it's just
this line:

%INCLUDE{"_default.WebNotify"}%

Does anyone mind if this is removed from the Cyrus/WebHome page on the
wiki (and possibly any other pages where I find it)?

Wil
--
Wil Cooley

From dave64 at andrew.cmu.edu Thu Aug 20 14:41:32 2009
From: dave64 at andrew.cmu.edu (Dave McMurtrie)
Date: Thu, 20 Aug 2009 14:41:32 -0400
Subject: Removing the "Web Changes Notification Service" from the wiki
In-Reply-To: <1250793527.13437.62.camel@wildebeest.oit.pdx.edu>
References: <1250793527.13437.62.camel@wildebeest.oit.pdx.edu>
Message-ID: <4A8D98DC.8080707@andrew.cmu.edu>

Wil Cooley wrote:
> Having long been annoyed by the monstrous block of text called the "Web
> Changes Notification Service" on the wiki, I finally decided to try to
> edit a page and see if it could be easily removed. Turns out it's just
> this line:
>
> %INCLUDE{"_default.WebNotify"}%
>
> Does anyone mind if this is removed from the Cyrus/WebHome page on the
> wiki (and possibly any other pages where I find it)?

Not at all. It looks much nicer now.

Thanks!

Dave
--
Dave McMurtrie, SPE
Email Systems Team Leader
Carnegie Mellon University, Computing Services

From nodens2099 at gmail.com Thu Aug 20 18:38:05 2009
From: nodens2099 at gmail.com (Clément Hermann (nodens))
Date: Fri, 21 Aug 2009 00:38:05 +0200
Subject: Ptloader configuration in Cyrus IMAP
In-Reply-To: <1250791752.13437.57.camel@wildebeest.oit.pdx.edu>
References: <56c989d50908190533g12b259b9u56b5f7c5a3a1b928@mail.gmail.com> <1250791752.13437.57.camel@wildebeest.oit.pdx.edu>
Message-ID: <73c61560908201538x6fbc95caic9b5fdfa76a70827@mail.gmail.com>

Hi,

I stumbled onto this before. What is not clearly stated in the doc is that
if you use auth_mech: pts , every user needs to exist in the pts database
(ldap in your case). Well, maybe it is clearly stated, but I overlooked
it ;-)

That said, you do not need AFS to use pts, though it seems to be very AFS
oriented.

Kind regards,

Clement Hermann

P.S. : Sorry about the top posting : blame the stupid android gmail
client...

On 8 20, 2009 8:10 PM, "Wil Cooley" wrote:

On Wed, 2009-08-19 at 15:33 +0300, Evgeniy Arbatov wrote:
> Dear list,
>
> I want to ask your advic...

Do I understand correctly from this discussion and the sparse mention of
this in the documentation that the LDAP ptloader module can be used to
manage group ACLs with "auth_mech=pts/pts_module=ldap", instead of
"auth_mech=unix/unix_group_enable=1"?

Does this solve the slowness caused by UNIX groups in LDAP?

Does "auth_mech" affect anything else?

I have heretofore ignored mention of the pts/ptloader stuff because I
was under the impression that it was entirely AFS-related, which I have
no infrastructure for, but if this is the way to enable groups in LDAP
without the slowness, then I need to look more closely at this.

Wil
--
Wil Cooley

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

From nodens2099 at gmail.com Thu Aug 20 18:38:05 2009
From: nodens2099 at gmail.com (Clément Hermann (nodens))
Date: Fri, 21 Aug 2009 00:38:05 +0200
Subject: Ptloader configuration in Cyrus IMAP
In-Reply-To: <1250791752.13437.57.camel@wildebeest.oit.pdx.edu>
References: <56c989d50908190533g12b259b9u56b5f7c5a3a1b928@mail.gmail.com> <1250791752.13437.57.camel@wildebeest.oit.pdx.edu>
Message-ID: <73c61560908201538p2fe78c59t992e99f4dc81eb41@mail.gmail.com>

Oops, about the slowness : it is really fast. The pts information is
cached. Actually, you will likely use ptexpire a lot when setting your
groups at first, to reset the cache.

On 8 20, 2009 8:10 PM, "Wil Cooley" wrote:

On Wed, 2009-08-19 at 15:33 +0300, Evgeniy Arbatov wrote:
> Dear list,
>
> I want to ask your advic...

Do I understand correctly from this discussion and the sparse mention of
this in the documentation that the LDAP ptloader module can be used to
manage group ACLs with "auth_mech=pts/pts_module=ldap", instead of
"auth_mech=unix/unix_group_enable=1"?

Does this solve the slowness caused by UNIX groups in LDAP?

Does "auth_mech" affect anything else?

I have heretofore ignored mention of the pts/ptloader stuff because I
was under the impression that it was entirely AFS-related, which I have
no infrastructure for, but if this is the way to enable groups in LDAP
without the slowness, then I need to look more closely at this.

Wil
--
Wil Cooley

From alex.q.castle at gmail.com Thu Aug 20 19:03:35 2009
From: alex.q.castle at gmail.com (Alexander) Date: Thu, 20 Aug 2009 19:03:35 -0400 Subject: Modifying existing setup to use Cyrus Murder Message-ID: <28e2f6960908201603y3a79a949gdfc2b74cccefa899@mail.gmail.com> Hello All, I've inherited a working Cyrus installation (a pair of servers behind a Perdition proxy), and I'd like to modify the existing setup to make use of the Cyrus Murder. I've found the following documentation: http://cyrusimap.web.cmu.edu/imapd/install-murder.html But the reason I'm writing is to ask for general advice before I start. The document is a little short on specific detail; have any of you done the same? Have you run into any traps, or non-obvious issues? Anything to watch out for, or general advice? Also, I see that there is a warning at the beginning of the document about "Murder is still relatively young". Is this still the case, or is this just a leftover warning from years ago? Can it be considered reasonably stable and ready for usage? Thank you very much, Alexander From wes at umich.edu Thu Aug 20 21:54:25 2009 
From: wes at umich.edu (Wesley Craig) Date: Thu, 20 Aug 2009 21:54:25 -0400 Subject: Modifying existing setup to use Cyrus Murder In-Reply-To: <28e2f6960908201603y3a79a949gdfc2b74cccefa899@mail.gmail.com> References: <28e2f6960908201603y3a79a949gdfc2b74cccefa899@mail.gmail.com> Message-ID: <6B3CB8E6-F088-42BA-AC71-6CF16F041D81@umich.edu> On 20 Aug 2009, at 19:03, Alexander wrote: > Also, I see that there is a warning at the beginning of the document > about "Murder is still relatively young". Is this still the case, or > is this just a leftover warning from years ago? Can it be considered > reasonably stable and ready for usage? It's hardly young. While I'd describe vanilla murder as stable, there's not much code to stop you from doing something really stupid. The worst case scenario is that you will inadvertently instruct ctl_mboxlist to remove all of the mail from your live backend. So, don't do that. Always make sure that it's going to do what you expect before committing. Also, unified murder *is* young, and I would not describe it as currently stable. It's getting close, tho. :wes From duncan.gibb at siriusit.co.uk Sun Aug 23 09:34:24 2009 
From: duncan.gibb at siriusit.co.uk (Duncan Gibb)
Date: Sun, 23 Aug 2009 14:34:24 +0100
Subject: Ptloader configuration in Cyrus IMAP
In-Reply-To: <73c61560908201538x6fbc95caic9b5fdfa76a70827@mail.gmail.com>
References: <56c989d50908190533g12b259b9u56b5f7c5a3a1b928@mail.gmail.com> <1250791752.13437.57.camel@wildebeest.oit.pdx.edu> <73c61560908201538x6fbc95caic9b5fdfa76a70827@mail.gmail.com>
Message-ID: <4A914560.8070804@siriusit.co.uk>

> On 8 20, 2009 8:10 PM, "Wil Cooley" wrote:

WC> Do I understand correctly [..] that the LDAP ptloader
WC> module can be used to manage group ACLs with
WC> "auth_mech=pts/pts_module=ldap", instead of
WC> "auth_mech=unix/unix_group_enable=1"?

Yes.

WC> Does this solve the slowness caused by UNIX groups in LDAP?

I haven't benchmarked it, but I wouldn't be surprised if pts ldap were
faster than unix groups + nss_ldap. Neither should be /slow/ though,
given a good underlying LDAP setup.

IMHO the advantage of pts ldap is that the groups needed for mailbox
ACLs don't leak out into the operating system, which is much more in
keeping with the Cyrus "black box" design.

WC> Does "auth_mech" affect anything else?

Clément Hermann (nodens) wrote:

CH> What is not clearly stated in the doc is that if you use
CH> auth_mech: pts , every user need to exist in the pts
CH> database (ldap in your case).

...which has advantages and disadvantages. It catches typos in user and
group names in ACLs, but it's very annoying in a Murder where
server-to-server authentication is not via LDAP.

Attached is a hack which allows pts ldap to accept a list of identifiers
as valid without actually doing an LDAP lookup. We use this to list
certificates for Murder authentication (see also client certs patch at
https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=3133).

Cheers

Duncan

--
Duncan Gibb - Technical Director
Sirius Corporation plc - control through freedom
http://www.siriusit.co.uk/ || t: +44 870 608 0063
Debian Cyrus Team - https://alioth.debian.org/projects/pkg-cyrus-imapd/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 96-pts_ldap_external.dpatch
Url: http://lists.andrew.cmu.edu/pipermail/info-cyrus/attachments/20090823/1908a161/attachment.ksh

From nina.pollak at wu.ac.at Mon Aug 24 08:21:25 2009
From: nina.pollak at wu.ac.at (Nina Pollak)
Date: Mon, 24 Aug 2009 14:21:25 +0200
Subject: replica: sync error
In-Reply-To: <20090817015013.GE10171@brong.net>
References: <4A8528B0.8010806@wu.ac.at> <20090817015013.GE10171@brong.net>
Message-ID: <4A9285C5.5020107@wu.ac.at>

Bron Gondwana wrote:
> On Fri, Aug 14, 2009 at 11:04:48AM +0200, Nina Pollak wrote:
>> hi,
>> I have set up a replica server in a murder environment.
>> Before I started the sync_client in rolling replication mode, I made an
>> initial sync with -u for usermode.
>>
>> Now the sync_client dies after few hours, with this entry in my log:
>> Error in do_sync(): bailing out!
>> sync_client[15378]: Processing sync log file /var/imap/sync/log-15377
>> failed: The remote Server(s) denied the operation
>>
>> Has anyone an idea what's going wrong?
>
> Yeah, I've got some ideas, but I need more information? I suspect it's
> a folder rename to a sub directory, but it depends what version of Cyrus
> you're running (precisely) and the contents of that log file would probably
> help too. Logs from the replica might also help.

hi bron,

the sync_client runs Cyrus IMAP4 (Murder) v2.3.11 and on the syncserver
I have Cyrus IMAP v2.3.13 installed.

here are more log-entries:

sync_client[28921]: RENAME received NO response: Rename failed user.rb0001 -> user.rb0001.restore: Operation is not supported on mailbox
sync_client[28921]: do_folders(): failed to rename: user.rb0001 -> user.rb0001.restore
imap[26948]: open: user automatix opened user/rb-afs-control/nw
sync_client[28921]: Promoting: MAILBOX user.rb-afs-control.nagios -> USER rb-afs-control
sync_client[28921]: Error in do_sync(): bailing out!
sync_client[28921]: Processing sync log file /var/imap/sync/log-23358 failed: The remote Server(s) denied the operation
sync_client[23358]: process 28921 exited, status 1
syncserver[11169]: Unlocked

nina

From drew at danieldata.com Tue Aug 25 13:11:00 2009
From: drew at danieldata.com (Drew Phillips)
Date: Tue, 25 Aug 2009 10:11:00 -0700
Subject: Inbox and Deleted Items folders are Journal folders
Message-ID: <1c612498.1ca25a7.45ba19.365a@danieldata.com>

Recently one of our user's mailboxes started appearing to Outlook 2007 as
a journal folder rather than a mail folder and we have been struggling to
get it fixed for quite some time now. I have tried loading his mail in
Outlook 2003 and 2007 on 3 other PC's but the problem persists on the new
machines so it appears to be a flag on the server somewhere.

When running ctl_mboxlist and piping it to a file, his inbox appears on a
line like this:

user.dan default dan lrswipcda4 admin lrswipcda

I think the 4 denotes a journal folder and a 1 is a regular email folder.
I have attempted to change the 4 to a 1 and then bring the config back to
mailboxes.db and then reconstruct all folders. If I look in mailboxes.db
the inbox folder appears to be a "1", but when going back and running
ctl_mboxlist again, it comes out as a 4.

We have tried several things including creating a new user and copying
his messages over, the new user's inbox is also a journal. I have tried
removing all messages from the inbox folder and rebuilding in case a
message in there was affecting the parsing of folder types but that did
not help either.

Our last attempt was a series of commands to rebuild mailboxes.db and all
the __db files from the db folder and finally a reconstruct. While the
mailboxes.db file shows his folder as a "1", ctl_mboxlist still shows it
as a "4" when it comes out.

The folder was apparently changed to a journal near the end of 2008 but
his inbox in outlook didn't reflect that change until a month or two ago
when he was cleaning up his inbox.

Any help or suggestions are appreciated.

Drew Phillips
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.andrew.cmu.edu/pipermail/info-cyrus/attachments/20090825/f47499c0/attachment.html From ka-el at laposte.net Tue Aug 25 13:53:13 2009 From: ka-el at laposte.net (kael) Date: Tue, 25 Aug 2009 19:53:13 +0200 Subject: Exporting mailboxes hierarchy Message-ID: <4A942509.1000504@laposte.net> Hello, I'd like to export shared mailboxes hierarchy (used with the NNTP-IMAP gateway) to reinstall my server and not to have to recreate mailboxes again manually. Is there a tool to export the hierarchy with only the mailboxes names ? Thanks. -- kael From flathill at netspring.co.jp Tue Aug 25 22:48:56 2009 From: flathill at netspring.co.jp (Seiichirou Hiraoka) Date: Wed, 26 Aug 2009 11:48:56 +0900 (JST) Subject: [HELP] IOERROR: opening cyrus.expunge: No such file or directory In-Reply-To: <20090818.162158.71130383.flathill@netspring.co.jp> References: <20090818.162158.71130383.flathill@netspring.co.jp> Message-ID: <20090826.114856.08364150.flathill@netspring.co.jp> Hello, I supplement it. I found following messages in /var/log/imapd.log --- Aug 3 14:46:11 server imaps[8638]: [ID 630590 local6.notice] Deleted mailbox user.test.AAA Aug 3 14:46:22 server imaps[11640]: [ID 136705 local6.error] IOERROR: opening /var/spool/imap/user/test/AAA/cyrus.expunge: No such file or directory --- When IOERROR was output in this way, an email spool was deleted entirely. Any advice ? - flathill 
From: Seiichirou Hiraoka
Subject: [HELP] IOERROR: opening cyrus.expunge: No such file or directory
Date: Tue, 18 Aug 2009 16:21:58 +0900 (JST)

> Hello,
>
> I'm using Cyrus-IMAP on following environment.
> OS: Solaris10 SPARC
> Cyrus-IMAP: 2.3.9
> Cyrus-SASL: 2.1.22
>
> The following messages are rarely output and are troubled.
>
> IOERROR: opening /path/to/mail/spool/cyrus.expunge: No such file or directory
>
> In the case of most, I can't find directory /path/to/mail/spool itself...
> And there was an answer that nothing had any problem when I asked a user.
>
> I don't know why such problem happens.
>
> Because I offer it if there is necessary information, I am happy when
> I can have advice.
>
> Best regards!
>
> - flathill

From kleo+cyrus at netbox.cz Wed Aug 26 05:51:04 2009
From: kleo+cyrus at netbox.cz (Vladimir Klejch)
Date: Wed, 26 Aug 2009 11:51:04 +0200 (CEST)
Subject: make_sha1 and virtual domains
Message-ID:

Hi

Is there a way to use make_sha1 with virtualdomains ???

I see in source hardcoded adding of "user." in beginning of supplied user
to make mailboxname and I think, this can't work with virtualdomains.

I need this to check replication and have all mailboxes in more virtual
domains.

in imapd.conf is set :

altnamespace: yes
unixhierarchysep: yes
virtdomains: userid
guid_mode: sha1
sha1_dir: /var/spool/cyrus/sha1
... and more

Thanks
Kleo

--
~~ ~~ ~~ ~~ ~~ ~~ ~~
Vladimir `KLEO' Klejch
Kleo'at'netbox.cz
... ... ... ...

From steffo76 at gmx.de Fri Aug 28 11:29:15 2009
From: steffo76 at gmx.de (steffo76 at gmx.de)
Date: Fri, 28 Aug 2009 17:29:15 +0200
Subject: No subject
Message-ID: <20090828152915.252190@gmx.net>

Hi there,

I got an unusual problem with sync_client. I am running two machines with
cyrus-imapd 2.3.14, let's call them primary and secondary. I usually have

syncserver_allowplaintext: 0

set on the secondary so sync_client on the primary will connect using TLS.
This worked fine until a few weeks ago. I am monitoring the sync_client on
primary via a daemon to see if it's running and suddenly got noticed that
sync_client died. Checking the problem I found out that all of a sudden the
sync_client wouldn't connect using TLS anymore. I didn't change anything on
either of the machines, the only thing that happened that morning was a
problem with our DNS server.

The funny thing is that synctest is working using TLS but when I try to run
sync_client with TLS I get a Segmentation fault. Using strace I can see that
sync_client connects to secondary and gets the greeting from secondary.
After that it gets a SIGSEGV. This is not related to the certificates, these
have not changed and are still valid.

Any ideas ?

From zhuzhixin at realss.com Mon Aug 31 02:51:03 2009
From: zhuzhixin at realss.com (zhuzhixin)
Date: Mon, 31 Aug 2009 14:51:03 +0800
Subject: Can not log seperates message
Message-ID: <4A9B72D7.3000709@realss.com>

Hi,

http://cyrusimap.web.cmu.edu/imapd/install-configure.html

In the page above, it tells us how to make separate message for
cyrus-imapd log. I follow the page and add two lines in /etc/syslog.conf

--
local6.debug /var/log/imapd.log
auth.debug /var/log/auth.log

I also touch these two files and give them correct permissions.

But the log message still appears in /var/log/syslog, meanwhile the
/var/log/imapd.log keeps empty.

Why?

The document says: The Cyrus IMAP server uses the 4.3BSD syslog that
separates messages into both levels and categories. Invoke "man syslog"
to see if "openlog()" takes three arguments. If it does not, replace the
system "syslogd" and "syslog.conf" with the files provided in the
"syslog" directory.

Since I cannot find the manual of syslog but syslogd, and it doesn't
have openlog() function either. So I don't know how to determine if the
syslog in my system uses 4.3BSD.

I want the messages logged into imapd.log and auth.log, and meanwhile
not log messages to /var/log/syslog.

My system is Debian lenny i386, cyrus-imapd version is 2.2.13-14.

Please help!

Thanks,

Zhu Zhixin

From michael.menge at zdv.uni-tuebingen.de Mon Aug 31 03:41:49 2009
From: michael.menge at zdv.uni-tuebingen.de (Michael Menge)
Date: Mon, 31 Aug 2009 09:41:49 +0200
Subject: Can not log seperates message
In-Reply-To: <4A9B72D7.3000709@realss.com>
References: <4A9B72D7.3000709@realss.com>
Message-ID: <20090831094149.172336z9c4pdthh9@webmail.uni-tuebingen.de>

Hi,

did you reload/restart syslogd?

Quoting zhuzhixin :

> Hi,
>
> http://cyrusimap.web.cmu.edu/imapd/install-configure.html
>
> In the page above, it tells us how to make separate message for
> cyrus-imapd log. I follow the page and add two lines in /etc/syslog.conf
>
> local6.debug /var/log/imapd.log
> auth.debug /var/log/auth.log
>
> I also touch these two files and give them correct permissions.
>
> But the log message still appears in /var/log/syslog, meanwhile the
> /var/log/imapd.log keeps empty.
>
> Why?
>
> The document says: The Cyrus IMAP server uses the 4.3BSD syslog that
> separates messages into both levels and categories. Invoke "man syslog"
> to see if "openlog()" takes three arguments. If it does not, replace the
> system "syslogd" and "syslog.conf" with the files provided in the
> "syslog" directory.
>
> Since I cannot find the manual of syslog but syslogd, and it doesn't
> have openlog() function either. So I don't know how to determine if the
> syslog in my system uses 4.3BSD.
>
> I want the messages logged into imapd.log and auth.log, and meanwhile
> not log messages to /var/log/syslog.
>
> My system is Debian lenny i386, cyrus-imapd version is 2.2.13-14.
>
> Please help!
>
> Thanks,
>
> Zhu Zhixin
>

--------------------------------------------------------------------------------
M.Menge                                Tel.: (49) 7071/29-70316
Universität Tübingen                   Fax.: (49) 7071/29-5912
Zentrum für Datenverarbeitung          mail: michael.menge at zdv.uni-tuebingen.de
Wächterstraße 76
72074 Tübingen

From pcravero at as2594.net Mon Aug 31 03:58:36 2009
From: pcravero at as2594.net (Paolo Cravero)
Date: Mon, 31 Aug 2009 09:58:36 +0200
Subject: Removing the "Web Changes Notification Service" from the wiki
In-Reply-To: <1250793527.13437.62.camel@wildebeest.oit.pdx.edu>
References: <1250793527.13437.62.camel@wildebeest.oit.pdx.edu>
Message-ID: <4A9B82AC.9070801@as2594.net>

Wil Cooley wrote:

> edit a page and see if it could be easily removed. Turns out it's just
> this line:
>
> %INCLUDE{"_default.WebNotify"}%
>
> Does anyone mind if this is removed from the Cyrus/WebHome page on the
> wiki (and possibly any other pages where I find it)?

I've found that long text still present on several subpages (like
Specifications and Standards), but I'm not writing because of that. Rather...

http://cyrusimap.web.cmu.edu/twiki/bin/view/Cyrus/WebHome

the last link looks like spam. Or a way to attract more /customers/ ?! :)

Anyone registered on wiki that can remove it?

Paolo

From zhuzhixin at realss.com Mon Aug 31 04:21:56 2009
From: zhuzhixin at realss.com (zhuzhixin)
Date: Mon, 31 Aug 2009 16:21:56 +0800
Subject: Can not log seperates message
In-Reply-To: <20090831094149.172336z9c4pdthh9@webmail.uni-tuebingen.de>
References: <4A9B72D7.3000709@realss.com> <20090831094149.172336z9c4pdthh9@webmail.uni-tuebingen.de>
Message-ID: <4A9B8824.2050301@realss.com>

Michael Menge wrote:
> Hi,
>
> did you reload/restart syslogd?

Yes;-) I even restart the system. But still not work;-(

Zhu Zhixin

From kai at ich-geh-kaputt.de Mon Aug 31 04:45:28 2009
From: kai at ich-geh-kaputt.de (Kai Moritz)
Date: Mon, 31 Aug 2009 10:45:28 +0200
Subject: Caching Proxy
Message-ID: <1251708328.12716.81.camel@macbook>

Hi,

my company receives a lot of mails with big attachments. Since the
internet-link is slow, it would be desirable to store these mails on a
local server. But unfortunately, the received mail has to be accessible
(read, copy, delete) for some employees, which are working at home as
well.

So, I was thinking of some kind of caching IMAP-proxy. At first glance,
I thought, that cyrus murder might do the trick. But diving into the
documentation, it looks like a front end server is only caching the
Mailbox-Metadata, not the messages itself.

Is it possible to build a cyrus cluster with a frontend server, that
caches messages, so that a second FETCH for the same message hits on the
cached copy located on the front end server, instead of fetching it
again from the backend server?

Or does anybody have another suggestion to deal with this problem?

Greetings
Kai Moritz

From kleo+cyrus at netbox.cz Mon Aug 31 04:50:59 2009
From: kleo+cyrus at netbox.cz (Vladimir Klejch)
Date: Mon, 31 Aug 2009 10:50:59 +0200 (CEST)
Subject: make_sha1 and virtual domains
In-Reply-To:
References:
Message-ID:

Hi

is somebody using make_sha1 or make_md5 with virtual domains ???
How to use it ???

I'm fiddling with source but make_sha1 does not find mailboxes for given
login in mailboxes.db.

I think there is no functionality in source of make_sha1 or make_md5 for
virtual domains ???

Would it be possible to have virtualdomains functionality in all parts of
cyrus source code ??

Bye for now
Kleo

On Wed, 26 Aug 2009, Vladimir Klejch wrote:

>
> Hi
>
> Is there a way to use make_sha1 with virtualdomains ???
>
> I see in source hardcoded adding of "user." in beginning of supplied user
> to make mailboxname and I think this can't work with virtualdomains.
>
>
> I need this to check replication and have all mailboxes in more virtual
> domains.
>
>
>
> in imapd.conf is set :
>
> altnamespace: yes
> unixhierarchysep: yes
> virtdomains: userid
> guid_mode: sha1
> sha1_dir: /var/spool/cyrus/sha1
>
> ... and more
>
> Thanks
> Kleo
>
>
>
>

-- 
 _____________________________________________________________
| You have moved the mouse.                                   #
| Windows must be restarted for the changes to take effect.   #
|                                                             #
##############################################################/
~~ ~~ ~~ ~~ ~~ ~~ ~~
Vladimir `KLEO' Klejch
Kleo'at'netbox.cz
... ... ... ...

From arbatovevgeniy at gmail.com Mon Aug 31 05:39:12 2009
From: arbatovevgeniy at gmail.com (Evgeniy Arbatov)
Date: Mon, 31 Aug 2009 12:39:12 +0300
Subject: Ptloader configuration in Cyrus IMAP
In-Reply-To: <4A914560.8070804@siriusit.co.uk>
References: <56c989d50908190533g12b259b9u56b5f7c5a3a1b928@mail.gmail.com> <1250791752.13437.57.camel@wildebeest.oit.pdx.edu> <73c61560908201538x6fbc95caic9b5fdfa76a70827@mail.gmail.com> <4A914560.8070804@siriusit.co.uk>
Message-ID: <56c989d50908310239j3140c428o350d7b7839d8fdf9@mail.gmail.com>

Hello,

Finally I am able to get the ptloader working.

In my case the major issue was that I used Cyrus IMAP 2.3.7, that has a
segmentation fault when reading from LDAP. This issue was previously
discussed in http://www.irbs.net/internet/info-cyrus/0608/0129.html

I solved the problem by updating to Cyrus IMAP 2.3.14 + doing the above
mentioned configuration changes

Evgeniy

From steffo76 at gmx.de Mon Aug 31 05:49:26 2009
From: steffo76 at gmx.de (steffo76 at gmx.de)
Date: Mon, 31 Aug 2009 11:49:26 +0200
Subject: sync_client segfault
Message-ID: <20090831094926.297300@gmx.net>

Hi there,

I haven't got the original message here, I posted a problem with
sync_client on Fri Aug 28 11:29:15. I tried to get a backtrace but have
some trouble with gdb. This is what I got:

Failed to read a valid object file image from memory.

Program received signal SIGSEGV, Segmentation fault.
0x080967ef in xstrdup (str=0x0) at xmalloc.c:92
92          char *p = xmalloc(strlen(str)+1);

From pcravero at as2594.net Mon Aug 31 10:51:46 2009
From: pcravero at as2594.net (Paolo Cravero)
Date: Mon, 31 Aug 2009 16:51:46 +0200
Subject: Compress attachments
In-Reply-To: <20090811145422.14905d4ntb7kn20w@titan>
References: <20090811145422.14905d4ntb7kn20w@titan>
Message-ID: <4A9BE382.8040407@as2594.net>

andreas.moroder at sb-brixen.it wrote:

Hello Andreas,

> Is it possible to configure cyrus the way that it compresses the
> attachments on the storage ( not for transfer as in RFC 4978 ) ? I know

AFAIK there is no cyrus option to do this. Moreover cyrus does not separate
attachments from the message body, so the whole message would need to be
gzipped. For each and every message.

> that diskspace is cheap, but when you have to get back thousands of
> mailboxes from a backup, the smaller the files are the faster the
> restore is done.

Well, replicate live mailboxes data rather than rely on a single node and
frequent backups. :-) I'm also starting to love the delayed expunge facility
with respect to cheap disk space.

Ciao,
Paolo

From awilliam at whitemice.org Mon Aug 31 11:34:14 2009
From: awilliam at whitemice.org (Adam Tauno Williams)
Date: Mon, 31 Aug 2009 11:34:14 -0400
Subject: Compress attachments
In-Reply-To: <4A9BE382.8040407@as2594.net>
References: <20090811145422.14905d4ntb7kn20w@titan> <4A9BE382.8040407@as2594.net>
Message-ID: <1251732854.6707.9.camel@linux-m3mt>

On Mon, 2009-08-31 at 16:51 +0200, Paolo Cravero wrote:
> andreas.moroder at sb-brixen.it wrote:
> > Is it possible to configure cyrus the way that it compresses the
> > attachments on the storage ( not for transfer as in RFC 4978 ) ? I know
> AFAIK there is no cyrus option to do this. Moreover cyrus does not separate
> attachments from the message body, so the whole message would need to be
> gzipped. For each and every message.
> > that diskspace is cheap, but when you have to get back thousands of
> > mailboxes from a backup, the smaller the files are the faster the
> > restore is done.

Why not just compress the backup/restore stream?

> Well, replicate live mailboxes data rather than rely on a single node and
> frequent backups. :-) I'm also starting to love the delayed expunge facility
> with respect to cheap disk space.

I could never go back to living without delayed expunge; a fabulous
feature!

-- 
OpenGroupware developer: awilliam at whitemice.org
OpenGroupware & Cyrus IMAPd documentation @

From michael.menge at zdv.uni-tuebingen.de Mon Aug 31 13:19:33 2009
From: michael.menge at zdv.uni-tuebingen.de (Michael Menge)
Date: Mon, 31 Aug 2009 19:19:33 +0200
Subject: Compress attachments
In-Reply-To: <1251732854.6707.9.camel@linux-m3mt>
References: <20090811145422.14905d4ntb7kn20w@titan> <4A9BE382.8040407@as2594.net> <1251732854.6707.9.camel@linux-m3mt>
Message-ID: <20090831191933.554138ovytlz8y79@webmail.uni-tuebingen.de>

Quoting Adam Tauno Williams :

> On Mon, 2009-08-31 at 16:51 +0200, Paolo Cravero wrote:
>> andreas.moroder at sb-brixen.it wrote:
>> > Is it possible to configure cyrus the way that it compresses the
>> > attachments on the storage ( not for transfer as in RFC 4978 ) ? I know
>> AFAIK there is no cyrus option to do this. Moreover cyrus does not separate
>> attachments from the message body, so the whole message would need to be
>> gzipped. For each and every message.
>> > that diskspace is cheap, but when you have to get back thousands of
>> > mailboxes from a backup, the smaller the files are the faster the
>> > restore is done.

IMHO the size does not matter that much, if you have many small files
and a filebased backup, the metadata handling on restore will take a
great percentage of the restore time and is independent of the size.

You need two different approaches for restore of few mailboxes and
disaster recovery. The first case can be done with any normal
backup tool, and delayed expunge will take care of mails which arrived and
were deleted before they were backed up. It also makes restoring of mails
easy.

For disaster recovery you need something where you can access a copy of the
data, or can stream the data back to disk. So you need an image based
backup, snapshot or replication.

>
> Why not just compress the backup/restore stream?
>

IMHO the size of transferred data is not the problem.

>> Well, replicate live mailboxes data rather than rely on a single node and
>> frequent backups. :-) I'm also starting to love the delayed expunge facility
>> with respect to cheap disk space.
>
> I could never go back to living without delayed expunge; a fabulous
> feature!

I don't want to miss it either

--------------------------------------------------------------------------------
M.Menge                                Tel.: (49) 7071/29-70316
Universität Tübingen                   Fax.: (49) 7071/29-5912
Zentrum für Datenverarbeitung          mail: michael.menge at zdv.uni-tuebingen.de
Wächterstraße 76
72074 Tübingen

From support at harmsconsulting.com Mon Aug 31 19:20:27 2009
From: support at harmsconsulting.com (Harms Consulting IT support desk)
Date: Tue, 01 Sep 2009 09:20:27 +1000
Subject: Can not log seperates message
In-Reply-To: <4A9B72D7.3000709@realss.com>
References: <4A9B72D7.3000709@realss.com>
Message-ID: <4A9C5ABB.6080409@harmsconsulting.com>

zhuzhixin wrote:
> Hi,
>
> http://cyrusimap.web.cmu.edu/imapd/install-configure.html
>
> In the page above, it tells us how to make separate message for
> cyrus-imapd log. I follow the page and add two lines in /etc/syslog.conf
>
> --
> local6.debug /var/log/imapd.log
> auth.debug /var/log/auth.log
>
>

Whilst folk are looking at syslog and the wiki, does anyone have a copy
of the example logwatch script that is referenced on this wiki page:

http://cyrusimap.web.cmu.edu/twiki/bin/view/Cyrus/Logwatch ?

Thanks,
Josh
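
Added example, not part of any list message and not Cyrus or syslogd code: a simplified model of classic syslog.conf selector matching, applied to the two lines quoted in the "Can not log seperates message" thread. It shows why adding a local6 rule does not by itself keep Cyrus messages out of /var/log/syslog. The catch-all rule is a constructed assumption, and the names selector_matches and route are hypothetical.

```python
# Simplified model of classic syslog.conf selector matching (added example).
# Not modelled: the "=" and "!" priority modifiers and priority aliases.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]


def selector_matches(selector, facility, priority):
    """True if a selector such as '*.*;auth,authpriv.none' accepts the message.

    Parts separated by ';' are applied left to right; a later part replaces
    the decision for the facilities it names, and 'none' excludes them.
    """
    matched = False
    for part in selector.split(";"):
        facilities, _, threshold = part.partition(".")
        names = facilities.split(",")
        if "*" not in names and facility not in names:
            continue  # this part says nothing about the message's facility
        if threshold == "none":
            matched = False
        else:
            matched = (threshold == "*" or
                       PRIORITIES.index(priority) >= PRIORITIES.index(threshold))
    return matched


def route(config, facility, priority):
    """Return every log file that receives a facility.priority message."""
    targets = []
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        # Every rule is evaluated; a match on one rule does not stop the others.
        if selector_matches(selector, facility, priority):
            targets.append(action.strip().lstrip("-"))  # "-" only disables sync
    return targets


# Constructed catch-all rule (assumption) followed by the two lines from the post.
AS_POSTED = """
*.*;auth,authpriv.none               -/var/log/syslog
local6.debug                         /var/log/imapd.log
auth.debug                           /var/log/auth.log
"""

# Same file with local6 also excluded from the catch-all.
WITH_EXCLUSION = """
*.*;auth,authpriv.none;local6.none   -/var/log/syslog
local6.debug                         /var/log/imapd.log
auth.debug                           /var/log/auth.log
"""

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("with exclusion", WITH_EXCLUSION)):
        print(name, "->", route(cfg, "local6", "notice"))
```

The model covers only where a matching message is delivered; it does not explain an empty imapd.log, which depends on which syslog daemon and configuration file are actually in use.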