Continued problems with virtual domains and cyradm

Paul-Erik Törrönen paul-erik.torronen at cardinal.fi
Thu Mar 24 09:56:22 EST 2005


Hello!

I tried to identify my problem in the archives but the closest was that
described by Mike Nuss in msgid 32056 (and
http://acs-wiki.andrew.cmu.edu/twiki/bin/view/Cyrus/CreateMailboxPermissionDenied).
Unfortunately the 'solution' is not implementable in my case.

In short:
FC3 with the latest patches
cyrus-imapd version 2.2.10 release 3.fc3 by RH
cyrus-sasl version 2.1.19 release 3 by RH
openldap Version 2.2.13 Release 2 by RH
postfix Version 2.1.5 Release 5 by RH

The server is currently located in a firewalled network *not* affiliated
with the target domains (foo.com or bar.com). Foo.com is the real domain
while bar.com is the virtual domain.

Saslauthd is configured to authenticate against the LDAP-server:

/etc/saslauthd.conf
---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---
ldap_servers: ldap://localhost:389/
ldap_bind_dn: cn=Manager,dc=foo,dc=com
ldap_bind_pw: <passwd>
ldap_search_base: dc=foo,dc=com
ldap_filter: uid=%u
---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---

/etc/imapd.conf
---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus, cyrus@localhost.localdomain, poltsi@foo.com,
poltsi@bar.com
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
virtdomains: yes
defaultdomain: foo.com
tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
tls_ca_file: /usr/share/ssl/certs/ca-bundle.crt
---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---

The directories do have the correct permissions AFAIK, cyrus.mail all
the way both for '/var/lib/imap' as well as '/var/spool/imap'. The latter
has two subdirs, 'domain' and 'stage.'

Now if I run cyradm I get the following:

#cyradm --user cyrus localhost
IMAP Password: 
localhost> lm
localhost> createmailbox user.poltsi@foo.com
createmailbox: Permission denied
localhost> createmailbox user.poltsi@bar.com
createmailbox: Invalid mailbox name

The same results if I log on as cyrus@localhost.localdomain. The
difference is that the realm in saslauthd (running in another window
with the -d parameter) is undefined in the first example, while it is
set to localhost.localdomain in the second example. If I use either
poltsi@foo.com or poltsi@bar.com as defined in the imapd.conf as admin I
get the following:

# cyradm --user poltsi@foo.com localhost
IMAP Password: 
localhost> lm
localhost> createmailbox user.kvide@foo.com
createmailbox: Permission denied

So no luck there, but to confuse things, the virtual domain seems to work,
albeit in a very broken way:

cyradm --user poltsi@bar.com localhost
IMAP Password: 
localhost> lm
INBOX (\HasChildren)           INBOX.uptest (\HasNoChildren)  
INBOX.Trash (\HasNoChildren)   

So it looks like I'm in user.poltsi, however:

localhost> createmailbox user.kvide@bar.com
localhost> lm
INBOX (\HasChildren)           INBOX.uptest (\HasNoChildren)  
INBOX.Trash (\HasNoChildren)   user.kvide (\HasNoChildren) 

Now the structure looks very bizarre. Checking through the email-client
however there is no user/kvide subdir, and
in /var/spool/imap/domain/b/bar.com/ there are now two subdirs, 'k' and
'p' both with proper structure. The uptest-subdir was created by me
through the email client.

What am I missing here, why is the global admin (cyrus) unable to
list/create mailboxes and *why* does it work (in a weird way) for the
virtual domain?

I tried with the 'virtdomains: userid' but this seemed to be broken
likewise since I could not list mailboxes per domain with the command
'lm *@foo.com', the command listed all the mailboxes.

I also tested the setup with the following two parameters in
saslauthd.conf:

ldap_default_domain: foo.com
ldap_filter: %U@%d

But then I was unable to log on with the email client.

This is very vexing since cyrus-imapd seems to work partially but not
consistently and I can't spot where the problem is in the configuration.

With regards,

Poltsi

-- 
Paul-Erik Törrönen, 
Cardinal Information Systems Ltd.
Pursimiehenkatu 29-31 C
00150 Helsinki, Finland
Mobile: +358 (0)40 703 1231
Phone: +358 (0)424 792 204
Fax: +358 (0)424 792 207
http://www.cardinal.fi/
