Virtdomains: inter-domain admins do not work ---- was Re: Cannot get loginrealms to work with 2.0.16

Ken Murchison ken at oceana.com
Mon Oct 7 09:48:05 EDT 2002



Christian Schulte wrote:
> 
> Ken Murchison wrote:
> 
> >Quoting Christian Schulte <cs at schulte.it>:
> >
> >
> >
> >>>>Your other choice is to skip 2.1 and jump into 2.2
> >>>>available from CVS.  Since you're already compiling
> >>>>your cyrus (as opposed to prepackaged binary) and
> >>>>you want virtual domains support (and willing to go
> >>>>to great lengths to get it), I'd suggest getting the 2.2 branch which
> >>>>has native virtual domain support
> >>>>built into it.
> >>>>
> >>>>There are a few ppl on the list who have been running
> >>>>the 2.2 branch for a couple weeks now and don't seem
> >>>>to be having any problems with it at all.
> >>>>
> >>>>
> >>Hello again,
> >>
> >>actually I got the cvs branch up and running.  I am now running the 2_2
> >>cvs branch successfully on the same machine the 2.0.16 with SASL1 still
> >>runs on!
> >>
> >>
> >
> >FYI, this _might_ break POP3 access on the 2.2 side.  It's possible that
> >accessing a mailbox via POP3 on 2.2 then 2.0.16 then 2.2 will not work.  I
> >won't get into the technical details, but the mailbox format was tweaked in
> >2.1.something to fix a potential POP3 UIDL problem, and downgrading wasn't
> >considered (by me) and isn't handled gracefully.
> >
> >
> >>Cyrus 2_2 got its own alias interface and the machine has two
> >>IPs now. I just had to tweak one option in the masterconf.c source to
> >>make the cyrus-2_2 master read a different cyrus.conf file than
> >>/etc/cyrus.conf. The 2.0.16 master reads /etc/cyrus.conf as usual and
> >>the 2.2 master now reads /etc/cyrus.conf.v2. Every other configuration
> >>necessary for such a setup could be specified in the cyrus.conf files. The
> >>old cyrus.conf file read by 2.0.16 for binding to the primary IP and
> >>starting the old binaries and the second cyrus.conf.v2 file for the 2.2
> >>master to bind to the secondary IP and to start the new binaries with
> >>their own configuration files specified by the -C option.  That all
> >>worked great and was much easier than I expected it to be! If I had
> >>not forgotten to specify a different path to the sieve scripts
> >>for 2.2 than for 2.0.16, I would not have lost all my scripts. mkimap
> >>created a new /usr/sieve structure and deleted the already existing one.
> >>But that was something I simply forgot about. For the new 2.2 I have the
> >>following imapd.conf file:
> >>
> >>configdirectory: /var/imap
> >>partition-default: /var/spool/imap
> >>admins: admin@somedomain.com
> >>servername: mailserver.somedomain.com
> >>localdomain: somedomain.com
> >>sasl_pwcheck_method: auxprop
> >>sasl_auxprop_plugin: sasldb
> >>sasl_allowanonymouslogin: no
> >>sasl_allowplaintext: yes
> >>tls_cert_file: /usr/local/var/imap/server.pem
> >>tls_key_file: /usr/local/var/imap/server.pem
> >>tls_ca_file: /usr/local/var/imap/CAcert.pem
> >>idlesocket: /usr/local/var/imap/socket/idle
> >>loginrealms: realm1.com realm2.net
> >>unixhierarchysep: yes
> >>virtdomains: yes
> >>altnamespace: no
> >>
> >>If creating a user with simply saslpasswd2 -c admin in the local realm I
> >>get the following situation:
> >>
> >>admin@somedomain.com: userPassword
> >>
> >>If logging in with "admin" I get the administration options but cannot
> >>create mailboxes in another domain than somedomain.com (Invalid mailbox
> >>name) and I cannot see any other mailboxes than in somedomain.com, thus
> >>domain administration seems to work.
> >>If logging in with "admin@somedomain.com" I do not get any
> >>administration options and only see the admin inbox which I created for
> >>testing. I cannot get the difference here!
> >>The DNS reverse lookup of the IP resolves correctly to
> >>mailserver.somedomain.com and /etc/nodename also says somedomain.com.
> >>Domain administration seems to work if logging in without an
> >>@localrealm, but inter-domain administration completely does not work
> >>for me.
> >>
> >>Changing the admins: line to
> >>
> >>admins: admin
> >>
> >>
> >>If now logging in with "admin" I get administration options but cannot
> >>see any user mailbox and again can only see the admin inbox. If I try to
> >>create a mailbox like user/test I get permission denied. If I create a
> >>mailbox like user/test@otherdomain.com I get Invalid mailbox name.
> >>If logging in with "admin@somedomain.com" I do not get any
> >>administration options and again only see the admin inbox. So
> >>inter-domain administrators do not work!
> >>What am I doing wrong? Any hints would be helpful!
> >>
> >>
> >
> >Read the administrators section of doc/install-virtdomains.html closely.  Set
> >
> >defaultdomain: admin@somedomain.com
> >
> >
> >
> Ok! I read that a thousand times but I cannot get any more hints in that.
> 
> cyrus.conf:
> 
> # standard standalone server implementation
> 
> START {
>   # do not delete this entry!
>   recover       cmd="/usr/local/cyrus2-cvs/bin/ctl_cyrusdb -C /etc/imapd.conf.v2 -r"
> 
>   # this is only necessary if using idled for IMAP IDLE
>   idled         cmd="/usr/local/cyrus2-cvs/bin/idled -C /etc/imapd.conf.v2"
> }
> 
> # UNIX sockets start with a slash and are put into /var/imap/socket
> SERVICES {
>   # add or remove based on preferences
>   imap          cmd="/usr/local/cyrus2-cvs/bin/imapd -C /etc/imapd.conf.v2" listen="[212.123.33.68]:imap" prefork=0
>   imaps         cmd="/usr/local/cyrus2-cvs/bin/imapd -C /etc/imapd.conf.v2 -s" listen="[212.123.33.68]:imaps" prefork=0
>   pop3          cmd="/usr/local/cyrus2-cvs/bin/pop3d -C /etc/imapd.conf.v2" listen="[212.123.33.68]:pop3" prefork=0
>   pop3s         cmd="/usr/local/cyrus2-cvs/bin/pop3d -C /etc/imapd.conf.v2 -s" listen="[212.123.33.68]:pop3s" prefork=0
>   sieve         cmd="/usr/local/cyrus2-cvs/bin/timsieved -C /etc/imapd.conf.v2" listen="[212.123.33.68]:sieve" prefork=0
> 
>   # at least one LMTP is required for delivery
> #  lmtp         cmd="lmtpd" listen="lmtp" prefork=0
>   lmtpunix      cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
> 
>   # this is only necessary if using notifications
> #  notify       cmd="notifyd" listen="/var/imap/socket/notify" proto="udp" prefork=1
> }
> 
> EVENTS {
>   # this is required
>   checkpoint    cmd="/usr/local/cyrus2-cvs/bin/ctl_cyrusdb -C /etc/imapd.conf.v2 -c" period=30
> 
>   # this is only necessary if using duplicate delivery suppression
>   delprune      cmd="/usr/local/cyrus2-cvs/bin/ctl_deliver -C /etc/imapd.conf.v2 -E 3" period=1440
> 
>   # this is only necessary if caching TLS sessions
>   tlsprune      cmd="/usr/local/cyrus2-cvs/bin/tls_prune -C /etc/imapd.conf.v2" period=1440
> }
> 
> imapd.conf.v2:
> 
> configdirectory: /var/imap
> partition-default: /var/spool/imap
> servername: imap.rent-a-mailserver.de
> defaultdomain: rent-a-mailserver.de
> admins: schulte
> sasl_pwcheck_method: auxprop
> sasl_auxprop_plugin: sasldb
> sasl_allowanonymouslogin: no
> sasl_allowplaintext: yes
> #sasl_mysql_use: smtp
> #sasl_mysql_passwd: smtp
> #sasl_mysql_hostnames: inforeg.epag.net
> #sasl_mysql_database: jboss
> #sasl_mysql_statement: select password from SASLUser where login='%u' and domain='%r'
> #sasl_mysql_verbose: yes
> tls_cert_file: /usr/local/var/imap/server.pem
> tls_key_file: /usr/local/var/imap/server.pem
> tls_ca_file: /usr/local/var/imap/CAcert.pem
> idlesocket: /usr/local/var/imap/socket/idle
> unixhierarchysep: yes
> virtdomains: yes
> altnamespace: no
> 
> root-10:30:43:/ >dig -x 212.123.33.68
> 
> ; <<>> DiG 9.2.0 <<>> -x 212.123.33.68
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15539
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
> 
> ;; QUESTION SECTION:
> ;68.33.123.212.in-addr.arpa.    IN      PTR
> 
> ;; ANSWER SECTION:
> 68.33.123.212.in-addr.arpa. 172800 IN   PTR     imap.rent-a-mailserver.de.
> 
> ;; AUTHORITY SECTION:
> 33.123.212.in-addr.arpa. 172800 IN      NS      dns1.epag.net.
> 33.123.212.in-addr.arpa. 172800 IN      NS      dns2.epag.net.
> 
> ;; ADDITIONAL SECTION:
> dns2.epag.net.          84561   IN      A       212.123.32.78
> 
> ;; Query time: 6 msec
> ;; SERVER: 212.123.33.69#53(212.123.33.69)
> ;; WHEN: Mon Oct  7 10:30:48 2002
> ;; MSG SIZE  rcvd: 145
> 
> root-10:30:48:/ >/usr/local/cyrus2-cvs/perl5/5.00503/bin/cyradm --auth login --user schulte 212.123.33.68
> IMAP Password:
> 
> Login failed: user not found at /usr/perl5/site_perl/5.005/i86pc-solaris/Cyrus/IMAP/Admin.pm line 114
> cyradm: cannot authenticate to server with login as schulte
> 
> root-10:32:14:/ >/usr/local/cyrus2-cvs/perl5/5.00503/bin/cyradm --auth login --user schulte@rent-a-mailserver.de 212.123.33.68
> IMAP Password:
> 
> Login failed: user not found at /usr/perl5/site_perl/5.005/i86pc-solaris/Cyrus/IMAP/Admin.pm line 114
> cyradm: cannot authenticate to server with login as schulte@rent-a-mailserver.de
> 
> Oct  7 10:32:44 mail imap[10762]: [ID 921384 local6.debug] accepted connection
> Oct  7 10:32:47 mail imap[10762]: [ID 914338 local6.notice] badlogin: imap.rent-a-mailserver.de[212.123.33.68] plaintext schulte SASL(-13): user not found: checkpass failed
> 
> root-10:34:46:/ >sasldblistusers2
> schulte@rent-a-mailserver.de: userPassword
> 
> Creating a user with saslpasswd2 without specifying a domain would
> create a user with realm mail and not rent-a-mailserver.de!

This is most likely your problem.  Make sure that your hostname is fully
qualified, so that saslpasswd2 creates secrets with
mail.rent-a-mailserver.de as the realm, or just leave it alone and let
it use 'mail' as the realm.  In either case, Cyrus/SASL should do the
"right thing".


> If I now remove the defaultdomain: line from imapd.conf.v2 the behaviour
> changes to:

This is a waste of time.  You can NOT have a global (inter-domain admin)
without specifying defaultdomain.  It specifically says this in the
documentation.


> root-10:37:03:/ >/usr/local/cyrus2-cvs/perl5/5.00503/bin/cyradm --auth login --user schulte 212.123.33.68
> IMAP Password:
> 
> 212.123.33.68> lm
> INBOX (\HasNoChildren)
> 212.123.33.68> cm user/test
> createmailbox: Permission denied
> 212.123.33.68> cm test
> createmailbox: Permission denied
> 212.123.33.68> cm user/test@otherdomain.com
> createmailbox: Invalid mailbox name
> 212.123.33.68> lm *
> INBOX (\HasNoChildren)
> 212.123.33.68>
> 
> I can log in now with the same user!
> 
> root-10:38:09:/ >/usr/local/cyrus2-cvs/perl5/5.00503/bin/cyradm --auth login --user schulte@rent-a-mailserver.de 212.123.33.68
> IMAP Password:
> 
> 212.123.33.68> lm
> INBOX (\HasNoChildren)
> 212.123.33.68> cm user/test
> createmailbox: Permission denied
> 212.123.33.68> cm test
> createmailbox: Permission denied
> 212.123.33.68> cm user/test@otherdomain.com
> createmailbox: Invalid mailbox name
> 212.123.33.68> lm *
> INBOX (\HasNoChildren)
> 212.123.33.68>
> 
> Changing the admins: line now to be:
> admins: schulte@rent-a-mailserver.de
> root-10:39:47:/ >/usr/local/cyrus2-cvs/perl5/5.00503/bin/cyradm --auth login --user schulte@rent-a-mailserver.de 212.123.33.68
> IMAP Password:
> 
> 212.123.33.68> lm
> INBOX (\HasNoChildren)
> user/c.schulte (\HasChildren)
> user/c.schulte/Trash (\HasNoChildren)
> 212.123.33.68> cm user/test
> 212.123.33.68> cm user/test@otherdomain.com
> createmailbox: Invalid mailbox name
> 212.123.33.68>
> 
> I can create mailboxes in the specified domain! I can administer the domain!
> 
> Adding the defaultdomain: line again but now with:
> 
> defaultdomain: schulte@rent-a-mailserver.de
> 
> root-10:40:56:/ >/usr/local/cyrus2-cvs/perl5/5.00503/bin/cyradm --auth login --user schulte@rent-a-mailserver.de 212.123.33.68
> IMAP Password:
> 
> 212.123.33.68> lm
> INBOX (\HasNoChildren)
> user/c.schulte (\HasChildren)
> user/c.schulte/Trash (\HasNoChildren)
> user/test (\HasNoChildren)
> 212.123.33.68> cm user/test2
> Works!
> 212.123.33.68> cm user/test2@otherdomain.com
> createmailbox: Invalid mailbox name
> 212.123.33.68> quit
> 
> Behavior has not changed!
> 
> Changing the admins line back to:
> 
> admins: schulte
> 
> root-10:42:43:/ >/usr/local/cyrus2-cvs/perl5/5.00503/bin/cyradm --auth login --user schulte@rent-a-mailserver.de 212.123.33.68
> IMAP Password:
> 
> 212.123.33.68> lm
> INBOX (\HasNoChildren)
> 212.123.33.68> cm user/test3
> createmailbox: Permission denied
> 212.123.33.68> cm user/test4@otherdomain.com
> createmailbox: Invalid mailbox name
> 212.123.33.68> quit
> 
> root-10:43:19:/ >/usr/local/cyrus2-cvs/perl5/5.00503/bin/cyradm --auth login --user schulte 212.123.33.68
> IMAP Password:
> 
> 212.123.33.68> lm
> INBOX (\HasNoChildren)
> 212.123.33.68> cm user/test3
> createmailbox: Permission denied
> 212.123.33.68> cm user/test3@otherdomain.com
> createmailbox: Invalid mailbox name
> 212.123.33.68> quit
> 
> I cannot get that to work nor can I understand what is going wrong here!
> Thanks for your help!
> 
> ---Christian---

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
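To pin down the two rules Ken's reply rests on, that a sasldb secret created without -u lands in a realm named after the hostname and that a global (inter-domain) admin requires defaultdomain, here is an added Python model. It is not Cyrus or Cyrus SASL code and is not from either poster. The class and function names, the hostnames "mail" and "mail.rent-a-mailserver.de", the password and the admins lines are constructed sample values, and the canonicalization rules are stated assumptions, in particular that defaultdomain holds a plain domain name (the thread's "defaultdomain: schulte@..." variants are outside the model).

```python
"""Toy model of the two identity rules this thread turns on.

Added illustration, not Cyrus or Cyrus SASL code. The rules below are
simplifying assumptions distilled from the discussion above:

  1. sasldb secrets are keyed by (user, realm). saslpasswd2 without -u uses
     the machine's hostname as the realm, so on a host named "mail" the
     secret is stored as "schulte@mail" and a lookup under the realm
     "rent-a-mailserver.de" answers "user not found".
  2. With virtdomains, a login in `defaultdomain` canonicalizes to the bare
     user name. A bare entry in `admins:` is a global (inter-domain) admin,
     a user@domain entry is an admin for that domain only, and without
     `defaultdomain` there is no global admin at all. `defaultdomain` is
     assumed to hold a plain domain name.
"""
import hmac
from typing import Dict, List, Optional, Tuple


class SaslDb:
    """Minimal stand-in for sasldb2: a {(user, realm): secret} store."""

    def __init__(self, hostname: str) -> None:
        self.hostname = hostname            # what gethostname() would return
        self._secrets: Dict[Tuple[str, str], str] = {}

    def saslpasswd2(self, user: str, password: str, realm: Optional[str] = None) -> str:
        """Mimic `saslpasswd2 -c [-u realm] user`; return the key that was written."""
        realm = realm or self.hostname      # default realm is the hostname
        self._secrets[(user, realm)] = password
        return f"{user}@{realm}"

    def list_users(self) -> List[str]:
        """What sasldblistusers2 would print, minus the ': userPassword' suffix."""
        return sorted(f"{u}@{r}" for (u, r) in self._secrets)

    def checkpass(self, user: str, realm: str, password: str) -> str:
        """Return "ok", "user not found" or "bad password" (cf. the SASL(-13) log line)."""
        stored = self._secrets.get((user, realm))
        if stored is None:
            return "user not found"
        return "ok" if hmac.compare_digest(stored, password) else "bad password"


def canonicalize(login: str, defaultdomain: Optional[str]) -> str:
    """Canonical user id under virtdomains: strip the domain when it is defaultdomain."""
    if "@" not in login:
        return login
    user, domain = login.rsplit("@", 1)
    domain = domain.lower()
    if defaultdomain and domain == defaultdomain.lower():
        return user
    return f"{user}@{domain}"


def admin_scope(login: str, admins: str, defaultdomain: Optional[str]) -> Optional[str]:
    """Return "global", "domain:<name>" or None for a login against an `admins:` line."""
    canon = canonicalize(login, defaultdomain)
    for entry in admins.split():
        if entry != canon:
            continue
        if "@" in entry:
            return "domain:" + entry.rsplit("@", 1)[1]
        # A bare entry is a global admin, but only once defaultdomain is set.
        return "global" if defaultdomain else None
    return None


def demo() -> Dict[str, str]:
    """Replay the thread's situation with constructed sample values."""
    results = {}
    # Host is just "mail": the default realm is "mail", not the mail domain.
    db = SaslDb(hostname="mail")
    results["key_without_-u"] = db.saslpasswd2("schulte", "s3cret")
    results["lookup_in_mail_domain"] = db.checkpass("schulte", "rent-a-mailserver.de", "s3cret")
    # Fully qualified host, as Ken suggests: the default realm follows it.
    fqdn_db = SaslDb(hostname="mail.rent-a-mailserver.de")
    results["key_on_fqdn_host"] = fqdn_db.saslpasswd2("schulte", "s3cret")
    # Admin classification with a plain defaultdomain.
    dd = "rent-a-mailserver.de"
    results["bare_login"] = str(admin_scope("schulte", "schulte", dd))
    results["qualified_login"] = str(admin_scope("schulte@rent-a-mailserver.de", "schulte", dd))
    results["other_domain_admin"] = str(admin_scope("admin@otherdomain.com", "schulte admin@otherdomain.com", dd))
    results["no_defaultdomain"] = str(admin_scope("schulte", "schulte", None))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```

Running the file prints the replay: the secret written on host "mail" is keyed "schulte@mail" and is not found under realm "rent-a-mailserver.de", whereas on the fully qualified host the default realm becomes "mail.rent-a-mailserver.de"; with a plain defaultdomain both "schulte" and "schulte@rent-a-mailserver.de" resolve to the same global admin, and with no defaultdomain the same admins line grants nothing.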



