Virtdomains: inter-domain admins do not work ---- was Re: Cannot get loginrealms to work with 2.0.16
Christian Schulte
cs at schulte.it
Mon Oct 7 04:45:48 EDT 2002
Ken Murchison wrote:
>Quoting Christian Schulte <cs at schulte.it>:
>
>
>
>>>>Your other choice is to skip 2.1 and jump into 2.2
>>>>available from CVS. Since you're already compiling
>>>>your cyrus (as opposed to prepackaged binary) and
>>>>you want virtual domains support (and willing to go
>>>>to great lengths to get it), I'd suggest getting the 2.2 branch which
>>>>has native virtual domain support
>>>>built into it.
>>>>
>>>>There are a few ppl on the list who have been running
>>>>the 2.2 branch for a couple weeks now and don't seem
>>>>to be having any problems with it at all.
>>>>
>>>>
>>Hello again,
>>
>>actually I got the cvs branch up and running. I am now running the 2_2
>>cvs branch successfully on the same machine that the 2.0.16 with SASL1 still
>>runs on!
>>
>>
>
>FYI, this _might_ break POP3 access on the 2.2 side. It's possible that
>accessing a mailbox via POP3 on 2.2 then 2.0.16 then 2.2 will not work. I
>won't get into the technical details, but the mailbox format was tweaked in
>2.1.something to fix a potential POP3 UIDL problem, and downgrading wasn't
>considered (by me) and isn't handled gracefully.
>
>
>>Cyrus 2_2 got its own alias interface and the machine has two
>>IPs now. I just had to tweak one option in the masterconf.c source to
>>make the cyrus-2_2 master read a different cyrus.conf file than
>>/etc/cyrus.conf. The 2.0.16 master reads /etc/cyrus.conf as usual and
>>the 2.2 master now reads /etc/cyrus.conf.v2. Every other configuration
>>necessary for such a setup could be specified in the cyrus.conf files: the
>>old cyrus.conf file read by 2.0.16 binds to the primary IP and
>>starts the old binaries, and the second cyrus.conf.v2 file makes the 2.2
>>master bind to the secondary IP and start the new binaries with
>>their own configuration files specified by the -C option. That all
>>worked great and was much easier than I expected it to be! If I had
>>not forgotten to specify a different path to the sieve scripts
>>for 2.2 than for 2.0.16, I would not have lost all my scripts. mkimap
>>created a new /usr/sieve structure and deleted the already existing one.
>>But that was something I simply forgot about. For the new 2.2 I have the
>>following imapd.conf file:
>>
>>configdirectory: /var/imap
>>partition-default: /var/spool/imap
>>admins: admin at somedomain.com
>>servername: mailserver.somedomain.com
>>localdomain: somedomain.com
>>sasl_pwcheck_method: auxprop
>>sasl_auxprop_plugin: sasldb
>>sasl_allowanonymouslogin: no
>>sasl_allowplaintext: yes
>>tls_cert_file: /usr/local/var/imap/server.pem
>>tls_key_file: /usr/local/var/imap/server.pem
>>tls_ca_file: /usr/local/var/imap/CAcert.pem
>>idlesocket: /usr/local/var/imap/socket/idle
>>loginrealms: realm1.com realm2.net
>>unixhierarchysep: yes
>>virtdomains: yes
>>altnamespace: no
>>
>>If creating a user with simply saslpasswd2 -c admin in the local realm I
>>get the following situation:
>>
>>admin at somedomain.com: userPassword
>>
>>If logging in with "admin" I get the administration options but cannot
>>create mailboxes in another domain than somedomain.com (Invalid mailbox
>>name) and I cannot see any other mailboxes than in somedomain.com thus
>>domain administration seems to work.
>>If logging in with "admin at somedomain.com" I do not get any
>>administration options and only see the admin inbox which I created for
>>testing. I cannot get the difference here!
>>The DNS reverselookup to the IP resolves correctly to
>>mailserver.somedomain.com and /etc/nodename also says somedomain.com.
>>domain-administration seems to work if logging in without an
>>@localrealm, but inter-domain administration completely does not work
>>for me.
>>
>>Changing the admins: line to
>>
>>admins: admin
>>
>>
>>If now logging in with "admin" I get administration options but cannot
>>see any user mailbox and again can only see the admin inbox. If I try to
>>create a mailbox like user/test I get permission denied. If I create a
>>mailbox like user/test at otherdomain.com I get Invalid mailbox name.
>>If logging in with "admin at somedomain.com" I do not get any
>>administration options and again only see the admin inbox. So
>>inter-domain administrators do not work!
>>What am I doing wrong? Any hints would be helpful!
>>
>>
>
>Read the administrators section of doc/install-virtdomains.html closely. Set
>
>defaultdomain: admin at somedomin.com
>
>
>
Ok! I read that a thousand times but I cannot get any more hints out of it.
cyrus.conf:
# standard standalone server implementation
START {
# do not delete this entry!
recover cmd="/usr/local/cyrus2-cvs/bin/ctl_cyrusdb -C /etc/imapd.conf.v2 -r"
# this is only necessary if using idled for IMAP IDLE
idled cmd="/usr/local/cyrus2-cvs/bin/idled -C /etc/imapd.conf.v2"
}
# UNIX sockets start with a slash and are put into /var/imap/socket
SERVICES {
# add or remove based on preferences
imap cmd="/usr/local/cyrus2-cvs/bin/imapd -C /etc/imapd.conf.v2" listen="[212.123.33.68]:imap" prefork=0
imaps cmd="/usr/local/cyrus2-cvs/bin/imapd -C /etc/imapd.conf.v2 -s" listen="[212.123.33.68]:imaps" prefork=0
pop3 cmd="/usr/local/cyrus2-cvs/bin/pop3d -C /etc/imapd.conf.v2" listen="[212.123.33.68]:pop3" prefork=0
pop3s cmd="/usr/local/cyrus2-cvs/bin/pop3d -C /etc/imapd.conf.v2 -s" listen="[212.123.33.68]:pop3s" prefork=0
sieve cmd="/usr/local/cyrus2-cvs/bin/timsieved -C /etc/imapd.conf.v2" listen="[212.123.33.68]:sieve" prefork=0
# at least one LMTP is required for delivery
# lmtp cmd="lmtpd" listen="lmtp" prefork=0
lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
# this is only necessary if using notifications
# notify cmd="notifyd" listen="/var/imap/socket/notify" proto="udp" prefork=1
}
EVENTS {
# this is required
checkpoint cmd="/usr/local/cyrus2-cvs/bin/ctl_cyrusdb -C /etc/imapd.conf.v2 -c" period=30
# this is only necessary if using duplicate delivery suppression
delprune cmd="/usr/local/cyrus2-cvs/bin/ctl_deliver -C /etc/imapd.conf.v2 -E 3" period=1440
# this is only necessary if caching TLS sessions
tlsprune cmd="/usr/local/cyrus2-cvs/bin/tls_prune -C /etc/imapd.conf.v2" period=1440
}
imapd.conf.v2:
configdirectory: /var/imap
partition-default: /var/spool/imap
servername: imap.rent-a-mailserver.de
defaultdomain: rent-a-mailserver.de
admins: schulte
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sasldb
sasl_allowanonymouslogin: no
sasl_allowplaintext: yes
#sasl_mysql_use: smtp
#sasl_mysql_passwd: smtp
#sasl_mysql_hostnames: inforeg.epag.net
#sasl_mysql_database: jboss
#sasl_mysql_statement: select password from SASLUser where login='%u' and domain='%r'
#sasl_mysql_verbose: yes
tls_cert_file: /usr/local/var/imap/server.pem
tls_key_file: /usr/local/var/imap/server.pem
tls_ca_file: /usr/local/var/imap/CAcert.pem
idlesocket: /usr/local/var/imap/socket/idle
unixhierarchysep: yes
virtdomains: yes
altnamespace: no
root-10:30:43:/ >dig -x 212.123.33.68
; <<>> DiG 9.2.0 <<>> -x 212.123.33.68
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15539
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;68.33.123.212.in-addr.arpa. IN PTR
;; ANSWER SECTION:
68.33.123.212.in-addr.arpa. 172800 IN PTR imap.rent-a-mailserver.de.
;; AUTHORITY SECTION:
33.123.212.in-addr.arpa. 172800 IN NS dns1.epag.net.
33.123.212.in-addr.arpa. 172800 IN NS dns2.epag.net.
;; ADDITIONAL SECTION:
dns2.epag.net. 84561 IN A 212.123.32.78
;; Query time: 6 msec
;; SERVER: 212.123.33.69#53(212.123.33.69)
;; WHEN: Mon Oct 7 10:30:48 2002
;; MSG SIZE rcvd: 145
root-10:30:48:/ >/usr/local/cyrus2-cvs/perl5/5.00503/bin/cyradm --auth
login --user schulte 212.123.33.68
IMAP Password:
Login failed: user not found at
/usr/perl5/site_perl/5.005/i86pc-solaris/Cyrus/IMAP/Admin.pm line 114
cyradm: cannot authenticate to server with login as schulte
root-10:32:14:/ >/usr/local/cyrus2-cvs/perl5/5.00503/bin/cyradm --auth
login --user schulte at rent-a-mailserver.de 212.123.33.68
IMAP Password:
Login failed: user not found at
/usr/perl5/site_perl/5.005/i86pc-solaris/Cyrus/IMAP/Admin.pm line 114
cyradm: cannot authenticate to server with login as
schulte at rent-a-mailserver.de
Oct 7 10:32:44 mail imap[10762]: [ID 921384 local6.debug] accepted
connection
Oct 7 10:32:47 mail imap[10762]: [ID 914338 local6.notice] badlogin:
imap.rent-a-mailserver.de[212.123.33.68] plaintext schulte SASL(-13):
user not found: checkpass failed
root-10:34:46:/ >sasldblistusers2
schulte at rent-a-mailserver.de: userPassword
Creating a user with saslpasswd2 without specifying a domain would
create a user with realm mail and not rent-a-mailserver.de!
If I now remove the defaultdomain: line from imapd.conf.v2 the behaviour
changes to:
root-10:37:03:/ >/usr/local/cyrus2-cvs/perl5/5.00503/bin/cyradm --auth
login --user schulte 212.123.33.68
IMAP Password:
212.123.33.68> lm
INBOX (\HasNoChildren)
212.123.33.68> cm user/test
createmailbox: Permission denied
212.123.33.68> cm test
createmailbox: Permission denied
212.123.33.68> cm user/test at otherdomain.com
createmailbox: Invalid mailbox name
212.123.33.68> lm *
INBOX (\HasNoChildren)
212.123.33.68>
I can log in now with the same user!
root-10:38:09:/ >/usr/local/cyrus2-cvs/perl5/5.00503/bin/cyradm --auth
login --user schulte at rent-a-mailserver.de 212.123.33.68
IMAP Password:
212.123.33.68> lm
INBOX (\HasNoChildren)
212.123.33.68> cm user/test
createmailbox: Permission denied
212.123.33.68> cm test
createmailbox: Permission denied
212.123.33.68> cm user/test at otherdomain.com
createmailbox: Invalid mailbox name
212.123.33.68> lm *
INBOX (\HasNoChildren)
212.123.33.68>
Changing the admins: line now to be:
admins: schulte at rent-a-mailserver.de
root-10:39:47:/ >/usr/local/cyrus2-cvs/perl5/5.00503/bin/cyradm --auth
login --user schulte at rent-a-mailserver.de 212.123.33.68
IMAP Password:
212.123.33.68> lm
INBOX (\HasNoChildren) user/c.schulte/Trash
(\HasNoChildren)
user/c.schulte (\HasChildren)
212.123.33.68> cm user/test
212.123.33.68> cm user/test at otherdomain.com
createmailbox: Invalid mailbox name
212.123.33.68>
I can create mailboxes in the specified domain! I can administer the domain!
Adding the defaultdomain: line again but now with:
defaultdomain: schulte at rent-a-mailserver.de
root-10:40:56:/ >/usr/local/cyrus2-cvs/perl5/5.00503/bin/cyradm --auth
login --user schulte at rent-a-mailserver.de 212.123.33.68
IMAP Password:
212.123.33.68> lm
INBOX (\HasNoChildren) user/c.schulte/Trash
(\HasNoChildren)
user/c.schulte (\HasChildren) user/test
(\HasNoChildren)
212.123.33.68> cm user/test2
Works!
212.123.33.68> cm user/test2 at otherdomain.com
createmailbox: Invalid mailbox name
212.123.33.68> quit
Behavior has not changed!
Changing the admins line back to:
admins: schulte
root-10:42:43:/ >/usr/local/cyrus2-cvs/perl5/5.00503/bin/cyradm --auth
login --user schulte at rent-a-mailserver.de 212.123.33.68
IMAP Password:
212.123.33.68> lm
INBOX (\HasNoChildren)
212.123.33.68> cm user/test3
createmailbox: Permission denied
212.123.33.68> cm user/test4 at otherdomain.com
createmailbox: Invalid mailbox name
212.123.33.68> quit
root-10:43:19:/ >/usr/local/cyrus2-cvs/perl5/5.00503/bin/cyradm --auth
login --user schulte 212.123.33.68
IMAP Password:
212.123.33.68> lm
INBOX (\HasNoChildren)
212.123.33.68> cm user/test3
createmailbox: Permission denied
212.123.33.68> cm user/test3 at otherdomain.com
createmailbox: Invalid mailbox name
212.123.33.68> quit
I cannot get that to work, nor can I understand what is going wrong
here! Thanks for your help!
---Christian---
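The whole thread turns on which admins entries count as cross-domain administrators once virtdomains is on, and on what defaultdomain may contain. The small linter below is an added example, not code from the original message or from the Cyrus project: it parses the imapd.conf key: value format shown above and classifies each admins entry according to the rules in doc/install-virtdomains.html as I understand them (a bare name, or a name whose domain is the defaultdomain, is a global admin; user@otherdomain administers that one domain only), and it flags a defaultdomain value that is not a bare domain name. The sample configurations, the example.test names and the wording of the findings are constructed for this example; the sasldb realm problem the poster hit with saslpasswd2 is out of scope here.

```python
"""Lint an imapd.conf for the virtual-domain administrator rules.

Added example, not Cyrus code. The administrator classification encodes the
rules of doc/install-virtdomains.html for Cyrus 2.2 as this example's author
understands them (an assumption, not the server's own algorithm).
"""
import re
from typing import Dict, List

# Constructed sample files (not the files from the original message).
CONF_DEFAULTDOMAIN_IS_USER = """\
configdirectory: /var/imap
servername: imap.example.test
# a user name, not a domain: the mistake discussed in the thread
defaultdomain: admin@example.test
admins: admin@example.test
virtdomains: yes
unixhierarchysep: yes
"""

CONF_OK = """\
configdirectory: /var/imap
servername: imap.example.test
defaultdomain: example.test
# 'schulte' is global (no domain); the second entry only administers otherdomain.test
admins: schulte admin@otherdomain.test
virtdomains: yes
"""

KEY_VALUE = re.compile(r"^([A-Za-z0-9_-]+)\s*:\s*(.*?)\s*$")
# A bare DNS-style domain: labels of letters, digits and '-', at least one dot.
DOMAIN = re.compile(r"^(?!-)[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def parse_imapd_conf(text: str) -> Dict[str, str]:
    """Return option -> value; comments and blank lines are skipped.
    A later duplicate key overrides an earlier one (last wins), which is
    what you get when an option is pasted twice while experimenting."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_VALUE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def classify_admins(conf: Dict[str, str]) -> Dict[str, str]:
    """Map each 'admins' entry to 'global' or 'domain:<name>' (assumed rules)."""
    default = conf.get("defaultdomain", "").lower()
    roles: Dict[str, str] = {}
    for entry in conf.get("admins", "").split():
        if "@" not in entry:
            roles[entry] = "global"
            continue
        _user, domain = entry.rsplit("@", 1)
        domain = domain.lower()
        # A user in the default domain is canonicalised to the bare name,
        # so it is treated like an unqualified (global) admin.
        roles[entry] = "global" if domain == default else f"domain:{domain}"
    return roles


def lint_virtdomains(conf: Dict[str, str]) -> List[str]:
    """Return human-readable findings about the admin setup."""
    findings: List[str] = []
    if conf.get("virtdomains", "no").lower() != "yes":
        return ["virtdomains is not enabled; domain rules do not apply"]
    default = conf.get("defaultdomain")
    if default is None:
        findings.append("defaultdomain is unset; unqualified admin names then "
                        "depend on the reverse DNS name of the listening address")
    elif not DOMAIN.match(default):
        findings.append(f"defaultdomain must be a bare domain name, not {default!r}")
    roles = classify_admins(conf)
    if not roles:
        findings.append("no admins configured")
    elif "global" not in roles.values():
        findings.append("no cross-domain (global) administrator: every admin "
                        "is bound to a single domain")
    for entry, role in roles.items():
        if role.startswith("domain:"):
            findings.append(f"{entry} can only manage mailboxes in {role[7:]}")
    return findings


if __name__ == "__main__":
    for name, text in (("broken", CONF_DEFAULTDOMAIN_IS_USER), ("ok", CONF_OK)):
        print(f"== {name} ==")
        for finding in lint_virtdomains(parse_imapd_conf(text)):
            print(" -", finding)
```

Run against the first sample it reports both that defaultdomain is not a bare domain and that no global administrator exists, which is the situation of an admin who can create mailboxes inside one domain but gets nowhere across domains; the second sample yields only the informational line about the domain-bound admin.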