Murder sample configs
Andrew Morgan
morgan at orst.edu
Thu Apr 15 14:03:56 EDT 2010
On Thu, 15 Apr 2010, Simon Beale wrote:
> Hi
>
> I'm trying to set up a cyrus murder set of boxes on 2.3.16 to eventually
> replace our single creaking dovecot server, and am currently failing to
> get a working configuration.
>
> My current intention is to have
> switch-101 (frontend + murder master)
> switch-102 (frontend)
> store-101 (backend)
> store-102 (backend)
> with user authentication being done via saslauthd against pam (which in
> turn looks at ldap).
>
> On the frontend + murder master box, I've got the following imapd.conf
> (sanitized):
>
> ========================
> admins: cyrus cyrus-frontend
> allowplaintext: false
> allowusermoves: true
> configdirectory: /var/lib/imap
> delete_mode: delayed
> duplicate_db: skiplist
> expunge_mode: delayed
> force_sasl_client_mech: plain
> hashimapspool: true
> improved_mboxlist_sort: true
> lmtp_downcase_rcpt: true
> mupdate_config: unified
> normalizeuid: true
> partition-default: /var/spool/imap
> proxy_authname: cyrus-frontend
> proxyd_disable_mailbox_referrals: true
> proxy_password: ********
> ptscache_db: skiplist
> sasl_mech_list: DIGEST-MD5 PLAIN LOGIN
> sasl_pwcheck_method: saslauthd auxprop
> serverlist: store-101
> sieve_allowreferrals: false
> sievedir: /var/lib/imap/sieve
> statuscache_db: skiplist
> tlscache_db: skiplist
> tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
> tls_cert_file: /etc/pki/tls/certs/wildcard.pem
> tls_key_file: /etc/pki/tls/certs/wildcard.pem
> unix_group_enable: false
> ========================
>
> And on the backend boxes I have:
> ========================
> admins: cyrus cyrus-frontend
> allowallsubscribe: true
> allowplaintext: false
> allowusermoves: true
> configdirectory: /var/lib/imap
> delete_mode: delayed
> duplicate_db: skiplist
> expunge_mode: delayed
> hashimapspool: true
> improved_mboxlist_sort: true
> lmtp_downcase_rcpt: true
> mupdate_authname: cyrus-frontend
> mupdate_password: ********
> mupdate_server: switch-101
> mupdate_username: cyrus-frontend
> normalizeuid: true
> partition-default: /var/spool/imap
> proxyservers: cyrus-frontend
> ptscache_db: skiplist
> sasl_mech_list: DIGEST-MD5 PLAIN LOGIN
> sasl_pwcheck_method: auxprop
> sievedir: /var/lib/imap/sieve
> statuscache_db: skiplist
> tlscache_db: skiplist
> tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
> tls_cert_file: /etc/pki/tls/certs/wildcard.pem
> tls_key_file: /etc/pki/tls/certs/wildcard.pem
> unix_group_enable: false
> =====================
>
> These configs do let me log in on the frontend and do a LIST, but when I
> try and do a SELECT it fails:
>
> from switch-101: couldn't authenticate to backend server: authentication
> failure
> from store-101: badlogin: switch-101 [10.10.10.37] PLAIN [SASL(-16):
> encryption needed to use mechanism: security flags do not match required
>
> Is there something obvious that I'm missing in my configuration? Or could
> I ask for some kind soul to send me a known-good sample murder
> configuration set of imapd.conf files that I can at least start from?

On your backend server, set:

    allowplaintext: true

and I think it will work. That's how I have it configured at my site.
Frontends do not allow plaintext (unencrypted) logins, but the backends
do. I'm not sure how to configure the frontends to use TLS/SSL when
proxying to the backends.

Andy
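
Added example (not part of the original thread, and not code from the Cyrus project): a small Python check that reads a frontend and a backend imapd.conf and reports the mismatch behind the "encryption needed to use mechanism" error, plus what changes once the backend accepts plaintext. The option names are the ones quoted in the thread; FRONTEND and BACKEND are constructed excerpts of those configs, the function names are hypothetical, and the checker assumes no default for a missing option.

```python
# Added example: cross-check a Cyrus murder frontend/backend imapd.conf pair.
# FRONTEND and BACKEND are constructed excerpts of the configs quoted above.
FRONTEND = """\
allowplaintext: false
force_sasl_client_mech: plain
proxy_authname: cyrus-frontend
serverlist: store-101
"""
BACKEND = """\
admins: cyrus cyrus-frontend
allowplaintext: false
proxyservers: cyrus-frontend
sasl_mech_list: DIGEST-MD5 PLAIN LOGIN
"""
PLAINTEXT_MECHS = {"plain", "login"}
TRUE_VALUES = ("1", "true", "yes", "on", "t")

def parse_imapd_conf(text):
    """Return {option: value} from 'option: value' lines, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip().lower()] = value.strip()
    return conf

def check_pair(frontend, backend):
    """List mismatches between a frontend's proxy login and a backend's policy."""
    findings = []
    mech = frontend.get("force_sasl_client_mech", "").lower()
    if mech in PLAINTEXT_MECHS:
        allow = backend.get("allowplaintext")
        if allow is None:
            findings.append("UNSET: backend allowplaintext is not set explicitly")
        elif allow.lower() in TRUE_VALUES:
            findings.append("CLEARTEXT: proxy_password is sent with " + mech.upper()
                            + "; it is unencrypted unless the link itself is protected")
        else:
            findings.append("AUTH-FAIL: frontend forces " + mech.upper()
                            + " but backend has allowplaintext: false")
    user = frontend.get("proxy_authname", "")
    if user not in backend.get("proxyservers", "").split():
        findings.append("PROXY: %r is not listed in backend proxyservers" % user)
    return findings

if __name__ == "__main__":
    for finding in check_pair(parse_imapd_conf(FRONTEND), parse_imapd_conf(BACKEND)):
        print(finding)
```

With the configs as posted the check reports AUTH-FAIL; with allowplaintext: true on the backend it reports CLEARTEXT instead, which is the trade-off the reply describes.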