Combination of postfix + cyrus (virtdomains) problems

Guus Leeuw jr guus.leeuw at itpassion.com
Mon Dec 1 15:04:14 EST 2008


Hello,

I want to be able to run all of these IMAP mailboxes on one machine:
* webmaster at tenantvet.net
* webmaster at option-d.co.uk
At a later stage, I want to run mailboxes like first.last at domain.com.
All with their distinct login ID through ptloader/LDAP.

So I'm testing with webmaster at option-d.co.uk as this account is not normally
receiving emails so far.


I've got a general postfix SMTP server that is capable of redirecting emails
for webmaster at option-d.co.uk to the correct server (imap4).

On imap4 I have been playing around with virtdomains (as I am supposed to)
and am currently giving up, because I don't see anymore why it doesn't work
:D

Here's my (imap4) postconf -n:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_list = option-d.co.uk
html_directory = no
inet_interfaces = 192.168.123.17
local_recipient_maps = ldap:ldaplocal
mail_owner = postfix
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination = option-d.co.uk, tenantvet.net
mydomain = chiswick.itpassion.com
myhostname = imap4.chiswick.itpassion.com
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.4.5/README_FILES
relayhost = smtp.chiswick.itpassion.com
sample_directory = /usr/share/doc/postfix-2.4.5/samples
sender_canonical_maps = ldap:ldapsender
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_invalid_hostname,
    reject_non_fqdn_sender, reject_non_fqdn_recipient,
    reject_unknown_sender_domain, reject_unknown_recipient_domain,
    reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, reject_rbl_client zombie.dnsbl.sorbs.net,
    reject_rbl_client list.dsbl.org, reject_rbl_client sbl.spamhaus.org, permit
smtpd_sasl_auth_enable = yes
virtual_alias_maps = ldap:ldapvirtual

and here's my master.cf
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
    -o fallback_relay=
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
cyrus     unix  -       n       n       -       -       pipe
  flags= user=cyrus argv=/usr/lib/cyrus-imapd/deliver -r ${sender} -m ${extension} ${recipient}


This is all pretty standard, as I use that across 3 other mailservers (where I
serve one domain each).

Here's my cyrus.conf:
# standard standalone server implementation

START {
  # do not delete this entry!
  recover       cmd="ctl_cyrusdb -r"

  # this is only necessary if using idled for IMAP IDLE
  idled         cmd="idled"
}

# UNIX sockets start with a slash and are put into /var/lib/imap/sockets
SERVICES {
  # add or remove based on preferences
  imap          cmd="imapd" listen="imap" prefork=5
  imaps         cmd="imapd -s" listen="imaps" prefork=1
  pop3          cmd="pop3d" listen="pop3" prefork=3
  pop3s         cmd="pop3d -s" listen="pop3s" prefork=1
  sieve         cmd="timsieved" listen="sieve" prefork=0
  ptloader      cmd="ptloader" listen="/imap/ptclient/ptsock" prefork=1

  # these are only necessary if receiving/exporting usenet via NNTP
#  nntp         cmd="nntpd" listen="nntp" prefork=3
#  nntps                cmd="nntpd -s" listen="nntps" prefork=1

  # at least one LMTP is required for delivery
#  lmtp         cmd="lmtpd" listen="lmtp" prefork=0
  lmtpunix      cmd="lmtpd" listen="/imap/socket/lmtp" prefork=1

  # this is only necessary if using notifications
#  notify       cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" prefork=1
}

EVENTS {
  # this is required
  checkpoint    cmd="ctl_cyrusdb -c" period=30

  # this is only necessary if using duplicate delivery suppression,
  # Sieve or NNTP
  delprune      cmd="cyr_expire -E 3" at=0400

  # this is only necessary if caching TLS sessions
  tlsprune      cmd="tls_prune" at=0400
}

Again, pretty standard, I would say.

Now the imapd.conf:
admins: cyrus
allowanonymouslogin: no
allowplaintext: yes
allowplainwithouttls: 1
annotation_db: skiplist
autocreatequota: 0
configdirectory: /imap
duplicate_db: skiplist
expunge_mode: delayed
hashimapspool: true
partition-default: /imap/spool
poptimeout: 10
postmaster: postmaster
quotawarn: 90
reject8bit: no
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
servername: imap4.chiswick.itpassion.com
sievedir: /imap/sieve
sieve_maxscriptsize: 96
sieve_maxscripts: 15
timeout: 30
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
virtdomain: on
defaultdomain: chiswick.itpassion.com
loginrealms: option-d.co.uk
ldap_uri: ldap://security.chiswick.itpassion.com
ldap_version: 3
ldap_size_limit: 20
ldap_sasl: 0
ldap_base: dc=itpassion,dc=com
ldap_filter: (&(uid=%u)(accountStatus=active))
auth_mech: pts
ldap_mech: plain
pts_module: ldap
ptscache_timeout: 10
ptloader_sock: /imap/ptclient/ptsock


When I create webmaster at option-d.co.uk with this setup I get, more often
than not:
localhost> cm user.webmaster at option-d.co.uk
createmailbox: Permission denied

So I stick a unixhierarchysep: 1 in the imapd.conf and
localhost> cm user/webmaster at option-d.co.uk
localhost>

So I think I have success. Looking in the spool directory, this mailbox
doesn't show up under /imap/spool/domain; instead it shows up under
/imap/spool/w/user/webmaster\@option-d^co^uk
Sending an email to webmaster at option-d.co.uk then gets the following report
from lmtpunix:
Nov 30 15:32:32 imap4 postfix/smtpd[11957]: connect from smtp.chiswick.itpassion.com[192.168.123.5]
Nov 30 15:32:32 imap4 postfix/smtpd[11957]: DA25318ED88: client=smtp.chiswick.itpassion.com[192.168.123.5]
Nov 30 15:32:32 imap4 postfix/cleanup[11959]: warning: DA25318ED88: multi-valued sender_canonical_maps entry for guus.leeuw at itpassion.com
Nov 30 15:32:32 imap4 postfix/cleanup[11959]: DA25318ED88: message-id=<!&!AAAAAAAAAAAYAAAAAAAAAL6W7FSHlxZFmEatnwmRjKeijwAAEAAAAFEXgqFz7QRHrnzaikCceUIBAAAAAA==@itpassion.com>
Nov 30 15:32:32 imap4 postfix/smtpd[11957]: disconnect from smtp.chiswick.itpassion.com[192.168.123.5]
Nov 30 15:32:32 imap4 postfix/qmgr[9793]: DA25318ED88: from=<guus.leeuw at itpassion.com>, size=27336, nrcpt=1 (queue active)
Nov 30 15:32:33 imap4 lmtpunix[11922]: accepted connection
Nov 30 15:32:33 imap4 lmtpunix[11922]: lmtp connection preauth'd as postman
Nov 30 15:32:33 imap4 lmtpunix[11922]: verify_user(user.webmaster) failed: Mailbox does not exist
Nov 30 15:32:33 imap4 postfix/pipe[11961]: DA25318ED88: to=<webmaster at option-d.co.uk>, relay=cyrus, delay=0.53, delays=0.18/0.11/0/0.24, dsn=5.6.0, status=bounced (data format error. Command output: webmaster at option-d.co.uk: Mailbox does not exist )

I have to specify loginrealms because otherwise I cannot login as
webmaster at option-d.co.uk:
Nov 30 15:40:47 imap4 imap[11937]: ptload(): fetched cache record (webmaster at option-d.co.uk)(mark 1228059072, current 1228059647, limit 1228059637)
Nov 30 15:40:47 imap4 imap[11937]: ptload(): pinging ptloader
Nov 30 15:40:47 imap4 imap[11937]: connected with no delay
Nov 30 15:40:47 imap4 imap[11937]: ptload(): connected
Nov 30 15:40:47 imap4 imap[11937]: timeout_select: sock = 16, rp = 0x0, wp = 0xbf8e85a0, sec = 30
Nov 30 15:40:47 imap4 imap[11937]: timeout_select exiting. r = 1; errno = 0
Nov 30 15:40:47 imap4 imap[11937]: ptload sent data
Nov 30 15:40:47 imap4 imap[11937]: timeout_select: sock = 16, rp = 0xbf8e8620, wp = 0x0, sec = 30
Nov 30 15:40:47 imap4 ptloader[11921]: accepted connection
Nov 30 15:40:47 imap4 ptloader[11921]: mystore: starting txn 2147483659
Nov 30 15:40:47 imap4 ptloader[11921]: mystore: committing txn 2147483659
Nov 30 15:40:47 imap4 imap[11937]: timeout_select exiting. r = 1; errno = 0
Nov 30 15:40:47 imap4 imap[11937]: timeout_select: sock = 16, rp = 0xbf8e8620, wp = 0x0, sec = 30
Nov 30 15:40:47 imap4 imap[11937]: timeout_select exiting. r = 1; errno = 0
Nov 30 15:40:47 imap4 imap[11937]: ptload read data back
Nov 30 15:40:47 imap4 imap[11937]: ptload returning data
Nov 30 15:40:47 imap4 imap[11937]: canonified webmaster at option-d.co.uk -> webmaster at option-d.co.uk
Nov 30 15:40:47 imap4 imap[11937]: badlogin: localhost [127.0.0.1] plaintext webmaster at option-d.co.uk SASL(-13): authentication failure: cross-realm login webmaster at option-d.co.uk denied

option-d.co.uk is not a hosted network, and having seen remarks that a
reverse lookup is being executed by imap, I do not completely understand
what imap would be looking for in the reverse lookup (option-d.co.uk is
not a hostname..., so that throws me off a little as well).

Now, I have seen a setup where ctl_mboxlist -d would give:
option-d.co.uk!user.webmaster         0 default   webmaster at option-d.co.uk         lrswipkxtecda
option-d.co.uk.Drafts!user.webmaster  0 default   webmaster at option-d.co.uk.drafts  lrswipkxtecda
option-d.co.uk.Ham!user.webmaster     0 default   webmaster at option-d.co.uk.ham     lrswipkxtecda
option-d.co.uk.Sent!user.webmaster    0 default   webmaster at option-d.co.uk.sent    lrswipkxtecda
option-d.co.uk.Spam!user.webmaster    0 default   webmaster at option-d.co.uk.spam    lrswipkxtecda
option-d.co.uk.Trash!user.webmaster   0 default   webmaster at option-d.co.uk.trash   lrswipkxtecda

But for the life of me, I cannot get that situation back on my newly
installed server. Comparing notes isn't possible (it was a long time ago,
and I trashed that FC7 server for an FC10), although I suspect the whole
problem has something to do with the loginrealms and defaultdomain settings.
Not sure though.

Can somebody check these things, as I really cannot see it anymore (tried
too many things that weren't working)...

Thanks,
Guus
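
The post turns on how Cyrus maps a name typed in cyradm to its internal mailbox name and to a spool path. The following script is an added example, not code from the original post or from Cyrus itself: it models the two outcomes the poster saw, a mailbox stored in virtdomains form (`option-d.co.uk!user.webmaster`, as in the `ctl_mboxlist -d` output above) and a mailbox whose full `webmaster@option-d.co.uk` string was taken as a plain user name in the default domain (landing under `/imap/spool/w/user/webmaster@option-d^co^uk`). The function names, the `parse_domain` switch, the first-letter hash rule and the `domain/<h>/<domain>/<h>/user/<name>` layout are assumptions about the Cyrus 2.3 spool conventions, stated here for illustration rather than taken from the post.

```python
DOMAIN_SEP = "!"   # internal form is domain!mailbox, as in the ctl_mboxlist output
DOT_ESCAPE = "^"   # with unixhierarchysep, a literal '.' in a name is stored as '^'


def external_to_internal(name, default_domain, unixhierarchysep=True, parse_domain=True):
    """Turn a name as typed in cyradm ('user/webmaster@option-d.co.uk')
    into the internal mailbox name Cyrus keys its mailbox list on.

    parse_domain=False models the behaviour the poster observed: the '@'
    is not treated as a domain separator, so the whole string becomes a
    user name in the default domain. (Hypothetical switch, added here.)
    """
    domain = None
    if parse_domain and "@" in name:
        name, domain = name.rsplit("@", 1)
    if unixhierarchysep:
        # escape literal dots first, then turn '/' into the internal '.'
        name = name.replace(".", DOT_ESCAPE).replace("/", ".")
    if domain and domain.lower() != default_domain.lower():
        # mailboxes in the default domain carry no domain prefix
        return domain.lower() + DOMAIN_SEP + name
    return name


def hash_char(s):
    """Directory hash letter used when hashimapspool is on.
    Assumption: first character lowercased, anything outside a-z maps to 'q'."""
    c = s[:1].lower()
    return c if "a" <= c <= "z" else "q"


def spool_path(internal, partition="/imap/spool"):
    """Where a mailbox with the given internal name would live on disk.
    Assumed layout: default domain  -> <partition>/<h>/user/<name>
                    other domain    -> <partition>/domain/<h>/<domain>/<h>/user/<name>
    where <h> is hash_char() of the domain or of the user name."""
    domain = None
    if DOMAIN_SEP in internal:
        domain, internal = internal.split(DOMAIN_SEP, 1)
    parts = internal.split(".")
    # user mailboxes hash on the user name, everything else on the first component
    key = parts[1] if parts[0] == "user" and len(parts) > 1 else parts[0]
    components = [partition]
    if domain:
        components += ["domain", hash_char(domain), domain]
    components += [hash_char(key)] + parts
    return "/".join(components)


if __name__ == "__main__":
    typed = "user/webmaster@option-d.co.uk"
    default = "chiswick.itpassion.com"
    for parsed in (True, False):
        internal = external_to_internal(typed, default, parse_domain=parsed)
        print(f"domain parsed={parsed!s:5}  {internal:40}  {spool_path(internal)}")
```

Running it prints the two spool locations side by side: with the domain recognised, the mailbox lives under `/imap/spool/domain/o/option-d.co.uk/w/user/webmaster`; without it, under `/imap/spool/w/user/webmaster@option-d^co^uk`, which is the path the poster found. Comparing a suspect mailbox's actual path against `spool_path(external_to_internal(...))` is a quick way to tell which of the two cases a server is in before touching loginrealms or defaultdomain.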
