`cyradm` login & `lm` behavior with Virtual Domains

Dan White dwhite at olp.net
Mon Jan 23 20:03:52 EST 2012


If you have 'virtdomains: userid' but you are still seeing a realm get
passed to mysql, but are not passing one in the client, then I'm guessing
you're doing DIGEST-MD5 authentication.

How DIGEST-MD5 and realms are intended to function is probably best
described in RFC 2831.

You could try using another mechanism, or just ignore the realm altogether
in your SQL statement. Depending on your configuration, you may be able to
ignore the realm altogether, and still support virtual domains.

On 01/23/12 11:03 -0800, Reg wrote:
>Hello Dan,
>
>Thanks for the reply.
>
>"virtdomains: userid" <- Yep, this is the way I have it set up.
>
>	"> See the manpage for imapd.conf, and:
>	> http://www.cyrusimap.org/docs/cyrus-imapd/2.4.13/install-virtdomains.php"
>
>Virtual domains do work, I've had it working for over a year. My question isn't "How to get it to work?", the question is "Is the behavior I described normal?" because it seems odd and I couldn't find any documentation for some of what I saw, as I mentioned.
>
>Anyway if it's one of those unknowns I guess we'll just let it go.
>
>Thanks,
>Reg
>
>
>Monday, January 23, 2012, 9:40:45 AM, you wrote:
>
>> On 01/21/12 02:59 -0800, Reg Proctor wrote:
>>>Hi,
>
>>>I just want to confirm that logging into cyradm as I am experiencing it
>>>is normal and that lm is behaving as it should be. It seems a little
>>>unusual to me.
>
>
>>>First cyradm logging in,  here is what I am seeing:
>
>>>To log into cyradm I have to set my defaultdomain to localhost and then
>>>I can login like this:
>
>>>cyradm -u cyrus localhost
>>>pwd: xxxxxx
>
>>>However, using MySQL and setting the tracing so I can see the SQL
>>>statements I actually see this:
>
>>>SELECT AES_DECRYPT(`password`, 'xxxxxxxxxxxxx') AS password
>>>FROM `accounts`
>>>WHERE `user`='cyrus' AND `realm`='www.domain.com' AND `virtual` != 0;
>
>>>where `www.domain.com` is the fully qualified domain name (FQDN) of the
>>>server. This means in the database if the user is stored as [user:
>>>cyrus, realm: localhost], the login will fail. Instead the user has to be
>>>stored as [user: cyrus, realm: www.domain.com ], and once that change is
>>>made I can login.
>
>>>While this is trivial once you know it I couldn't find where it is
>>>mentioned that that would be the behavior in the docs. Also, and perhaps
>>>more importantly, it makes the database non-portable to other servers
>>>which may cause problems with a high availability setup through multiple
>>>servers where someone is replicating a database periodically.
>
>> Do you have?
>
>> virtdomains: on
>
>> If so, try:
>
>> virtdomains: userid
>
>> See the manpage for imapd.conf, and:
>
>> http://www.cyrusimap.org/docs/cyrus-imapd/2.4.13/install-virtdomains.php
>
>> Also, some mechanisms may derive your realm from the authentication
>> exchange (digest-md5 and gssapi). I'm not clear if that realm value is
>> relevant before authentication is complete. If necessary, try explicitly
>> specifying another mechanism like plain or login (--auth).
>
>>>Second, `lm` wildcard behavior:
>
>>>With `lm`, once I am logged in this is the behavior I am seeing with
>>>wildcards:
>
>>>Works:
>>>lm
>>>lm *
>>>lm *@fulldomain
>
>>>Doesn't work:
>>>lm *@*
>>>lm *@partialdomain*
>
>>>It seems to me that if my domain was abc.com and I wanted to list all
>>>users I should be able to do so with lm *@abc* or lm *@ab* etc. however
>>>anything but the full domain will not work. Neither I guess would
>>>something like fred@* if you wanted to find all the fred's (not that I
>>>can see any reason to do that).
>
>>>I'm just wondering if this is by design or perhaps could be improved or
>>>maybe my distr. has a bug?
>
>> I don't know. Cyrus stores mailboxes internally like:
>
>> example.org!user.jsmith.Trash

-- 
Dan White
BTC Broadband
Ph  918.366.0248 (direct)   main: (918)366-8000
Fax 918.366.6610            email: dwhite at olp.net
http://www.btcbroadband.com
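
Added example, not part of the original post and not Cyrus SASL's code: a simplified Python model of the RFC 2831 response computation, showing why a row stored under realm `localhost` is not found when the challenge realm is the server's FQDN, and why a lookup that ignores the realm still authenticates. The password, nonces and the `lookup`/`server_accepts` helpers are constructed for illustration; `www.domain.com` and the `accounts` table come from the thread.

```python
import hashlib
import hmac

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def digest_md5_response(user, realm, password, nonce, cnonce, digest_uri,
                        nc="00000001", qop="auth"):
    """response-value per RFC 2831 section 2.1.2.1 (qop=auth, no authzid)."""
    # The realm is hashed together with the user name and the password.
    a1 = md5(f"{user}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    ha1, ha2 = md5(a1).hex(), md5(a2).hex()
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hex()

# Constructed table: (user, realm) -> plaintext password, standing in for the
# decrypted `password` column of the `accounts` table quoted in the thread.
ACCOUNTS = {("cyrus", "localhost"): "s3cret"}

def lookup(user, realm, use_realm=True):
    """Model of the SQL lookup with or without `realm` in the WHERE clause."""
    if use_realm:
        return ACCOUNTS.get((user, realm))
    # Ignoring the realm is only safe while user names are unique on their own.
    return next((pw for (u, _), pw in ACCOUNTS.items() if u == user), None)

def server_accepts(fields, response, use_realm=True):
    """Recompute the response from the stored password and compare."""
    password = lookup(fields["user"], fields["realm"], use_realm)
    if password is None:
        return False  # no row for this (user, realm) pair: login fails
    expected = digest_md5_response(password=password, **fields)
    return hmac.compare_digest(expected, response)

def demo():
    # The client did not choose a realm; it echoes the one from the server's
    # challenge, here the server's FQDN as in the traced SQL statement.
    fields = dict(user="cyrus", realm="www.domain.com", nonce="constructed-nonce",
                  cnonce="constructed-cnonce", digest_uri="imap/www.domain.com")
    response = digest_md5_response(password="s3cret", **fields)
    return {"realm_in_where": server_accepts(fields, response, True),
            "realm_ignored": server_accepts(fields, response, False)}

if __name__ == "__main__":
    print(demo())
```

In this model the realm-free lookup works only because the stored password is recoverable as plaintext, so the server can recompute the hash with whatever realm was negotiated.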

