Best distro for Exim/Cyrus

Paul O'Rorke paul at tracker-software.com
Wed Feb 12 18:30:55 EST 2014


Thanks for that Vladislav, it was very helpful.  :-)

I have managed to get exim to use the defined cyrus_delivery transport 
attempting to deliver a received mail but it is baulking on the SSL cert.

From /var/log/mail.err:

    Feb 12 14:58:46 blmail cyrus/lmtp[3523]: unable to get private key from '/etc/ssl/private/ssl-cert-snakeoil.key'
    Feb 12 14:58:46 blmail cyrus/lmtp[3523]: TLS server engine: cannot load cert/key data, may be a cert/key mismatch?
    Feb 12 14:58:46 blmail cyrus/lmtp[3523]: [lmtpd] error initializing TLS

I have run

    root at blmail:~# bash /usr/share/doc/exim4-base/examples/exim-gencert --force

and confirm the permissions on the cert file:

    root at blmail:~# ls -l /etc/ssl/private/
    total 4
    -rw-r----- 1 root root 916 Feb 12 12:41 ssl-cert-snakeoil.key

What process/user should have access to this key?  Is it simply the 
wrong owner/group?

I can access cyrus and 'see' mailboxes, create them etc:

    root at blmail:~# cyradm --user cyrus --auth login localhost
    IMAP Password:
    localhost> lm
    user.hire (\HasChildren)           user.hire.Trash (\HasNoChildren)
    user.hire.Drafts (\HasNoChildren)  user.hire.test (\HasNoChildren)
    user.hire.Sent (\HasNoChildren)    user.paul (\HasNoChildren)

but I believe this is using saslauth LOGIN so maybe it's not using the 
SSL anyway?

When I attempt to send mail to an account on there I get the following 
in /var/log/exim4/mainlog :

    2014-02-12 14:58:46 1WDilR-0000ul-Rh DKIM: d=gmail.com s=20120113 c=relaxed/relaxed a=rsa-sha256 [verification succeeded]
    2014-02-12 14:58:46 1WDilR-0000ul-Rh SA: Debug: SAEximRunCond expand returned: '0'
    2014-02-12 14:58:46 1WDilR-0000ul-Rh SA: Action: Not running SA because SAEximRunCond expanded to false (Message-Id: 1WDilR-0000ul-Rh). From <paulororke at gmail.com> (host=mail-oa0-f53.google.com [209.85.219.53]) for hire at chemainus.mjbrownloos.com
    2014-02-12 14:58:46 1WDilR-0000ul-Rh <= paulororke at gmail.com H=mail-oa0-f53.google.com [209.85.219.53] P=esmtps X=TLS1.0:RSA_ARCFOUR_SHA1:128 S=30551 id=CAPXX1o6M5XkRaZv97zkrnPPMLGV1s98tvNEC4QuND0PwGGbwKA at mail.gmail.com
    2014-02-12 14:58:46 1WDilR-0000ul-Rh == hire at chemainus.mjbrownloos.com R=local_user T=cyrus_delivery defer (-45): SMTP error from remote mail server after MAIL FROM:<paulororke at gmail.com> SIZE=32614: host 127.0.0.1 [127.0.0.1]: 430 Authentication required

I'll come back to the Spamassassin issue later (unless of course it's 
related!)

So I seem to be getting confused about when the SSL is used. Ideally I'd 
like to use SSL and authentication for SMTP and IMAP. Is it that the 
LMTP needs authentication and it's not?  I did use in /etc/cyrus.conf

    lmtp            cmd="lmtpd" -a listen="localhost:lmtp" prefork=0 maxchild=20

I feel like I'm close, but still not fully understanding the 
relationship between exim and cyrus regarding lmtp and saslauth. Have I 
mixed things up here?

Hoping for more of the excellent help I've received thus far.

Paul O'Rorke

Tracker Software Products
paul at tracker-software.com

On 2/11/2014 12:56 AM, Vladislav Kurz wrote:
>
> On Monday 10 of February 2014 23:13:42 Paul O'Rorke wrote:
> > Hi again Cyrus list,
> >
> > still trying to find a definitive resource to use to get this mail
> > server up and running. Does anyone know of a good howto for setting up
> > Debian/Exim/Cyrus? I think this is the combination I want to move from
> > the Centos/Exim/Dovecot box I inherited but I must confess to really
> > struggling here.
>
> Here are the most important snippets of my Debian/exim/cyrus config 
> for sasldb authentication, exim split config. Based on squeeze, so be 
> careful there might be small changes in wheezy. Changes noted as a 
> diff file.
>
> /etc/exim4/conf.d/main/00_exim4-config_localmacros: (new file)
>
> + LOCAL_DELIVERY = cyrus_delivery
>
> /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt:
>
> # Insist that any other recipient address that we accept is either in 
> one of
>
> # our local domains, or is in a domain for which we explicitly allow
>
> # relaying. Any other domain is rejected as being unacceptable for 
> relaying.
>
> require
>
> message = relay not permitted
>
> domains = +local_domains : +relay_to_domains
>
> # We also require all accepted addresses to be verifiable. This check will
>
> # do local part verification for both local and remote domains.
>
> # Callout is needed to do the check via LMTP.
>
> # This is important to avoid backscatter bounces.
>
> # If you act as backup MX, you might need to adjust.
>
> require
>
> - verify = recipient
>
> + verify = recipient/callout
>
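Review bot: `verify = recipient/callout` makes every inbound RCPT depend on lmtpd answering on 127.0.0.1 with `lmtpd -a`, which only appears later in this patch (the transport and cyrus.conf parts); the comment block here should say so, because without `-a` the callout would hit the same "430 Authentication required" at MAIL FROM that the cyrus_delivery defer in the mainlog above shows, and recipient verification would then defer for every message.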
> /etc/exim4/conf.d/router/900_exim4-config_local_user:
>
> # There are no local users in /etc/passwd. Check is done by callout in 
> ACL.
>
> # Also there is no harm in having a mailbox named root.
>
> local_user:
>
> debug_print = "R: local_user for $local_part@$domain"
>
> driver = accept
>
> domains = +local_domains
>
> - check_local_user
>
> - local_parts = ! root
>
> transport = LOCAL_DELIVERY
>
> cannot_route_message = Unknown user
>
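Review bot: with `check_local_user` and `local_parts = ! root` removed, this router accepts every local part in +local_domains, so `cannot_route_message = Unknown user` can no longer fire for unknown mailboxes; the recipient/callout in the ACL part is now the only thing rejecting them. The comment should state that this router must not be used with callout verification switched off, otherwise mail for unknown users is accepted and then bounced, which is the backscatter the ACL comment warns about.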
> /etc/exim4/conf.d/transport/30_exim4-config_cyrus_delivery:
>
> + # LMTP over TCP/IP, allows callout verification, needs `lmtpd -a`
>
> + cyrus_delivery:
>
> + driver = smtp
>
> + protocol = lmtp
>
> + hosts = 127.0.0.1
>
> + allow_localhost
>
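Review bot: nothing in this transport authenticates to LMTP, so it only works when lmtpd runs preauthorized (`-a`), as the comment says; the "430 Authentication required" defer in the mainlog above is what it produces otherwise. Suggest extending the comment to say that `hosts = 127.0.0.1` together with `listen="localhost:lmtp"` in cyrus.conf is what keeps the unauthenticated LMTP listener loopback-only, since an `lmtpd -a` listener must not be reachable from other hosts.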
> /etc/exim4/conf.d/auth/30_exim4-config_examples
>
> Uncomment all examples where driver = cyrus_sasl. Set server realm to 
> full hostname, or check what is behind @ in sasldblistusers2. NTLM and 
> MD5 authentication can be allowed even over unencrypted connections.
>
> /etc/imapd.conf
>
> sasl_pwcheck_method: auxprop
>
> sasl_auxprop_plugin: sasldb
>
> /etc/cyrus.conf
>
> lmtp cmd="lmtpd -a" listen="localhost:lmtp" prefork=0 maxchild=20
>
> #lmtpunix cmd="lmtpd" listen="/var/run/cyrus/socket/lmtp" prefork=0 ...
>
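Review bot: the `-a` belongs inside the quoted cmd, as written here (`cmd="lmtpd -a"`); Paul's cyrus.conf line earlier in this mail has `cmd="lmtpd" -a`, with `-a` outside the quotes, which is the one visible difference between the two configurations and matches the "430 Authentication required" in his log. Worth also noting that with lmtpunix commented out, the TCP listener on localhost is the only LMTP entry point, which is the one the callout needs.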
> /etc/services
>
> lmtp 24/tcp
>
> --- eof ---
>
> I have omitted lots of other changes I do to exim config, as they are 
> not related to exim-cyrus integration.
>
> -- 
> Best Regards
> Vladislav Kurz
> === WebStep, s.r.o. (Ltd.) ========= a step to the Web ===
> address: Mezirka 1, 602 00 Brno, CZ, tel: +420 548 214 711
> === www.webstep.net ======= vladislav.kurz at webstep.net ===
>
>
> ----
> Cyrus Home Page: http://www.cyrusimap.org/
> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
> To Unsubscribe:
> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
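As an added example (a shell script written for this edit, not from either poster, using only POSIX sh, sed and awk): a check of the cyrus.conf lmtp service line on which the two messages differ. It extracts the cmd= and listen= values and reports whether lmtpd is started with -a inside the quoted command, which is what lets exim's cyrus_delivery transport deliver over 127.0.0.1 without SASL. The two sample configs are constructed from the lines in the thread; that master only passes what is inside cmd="..." to lmtpd is an assumption about cyrus.conf parsing, not something the thread states.

```shell
#!/bin/sh
# Added example, not from either poster: check the cyrus.conf "lmtp" line that
# exim's cyrus_delivery transport depends on. Vladislav has cmd="lmtpd -a" (-a
# inside the quotes); Paul's cmd="lmtpd" -a leaves -a out of the command.
# svc_field FILE SERVICE KEY: value of KEY=... (quoted or bare) on SERVICE's line.
svc_field() {
    sed -e 's/#.*//' "$1" | awk -v svc="$2" -v key="$3" '
        $1 == svc {
            k = length(key)
            if (match($0, "[ \t]" key "=\"[^\"]*\""))
                print substr($0, RSTART + k + 3, RLENGTH - k - 4)
            else if (match($0, "[ \t]" key "=[^ \t]+"))
                print substr($0, RSTART + k + 2, RLENGTH - k - 2)
        }'
}
# lmtp_is_preauth FILE: 0 when lmtpd is started with -a (no SASL needed), else 1.
lmtp_is_preauth() {
    case " $(svc_field "$1" lmtp cmd) " in
        *" -a "*) return 0 ;;
        *)        return 1 ;;
    esac
}
# lmtp_listens_tcp FILE: 0 when listen= is host:port (what exim's recipient
# callout over LMTP needs), 1 for a unix socket path or no lmtp service at all.
lmtp_listens_tcp() {
    case "$(svc_field "$1" lmtp listen)" in
        /*|"") return 1 ;;
        *:*)   return 0 ;;
        *)     return 1 ;;
    esac
}
# Constructed sample configs: Vladislav's working line and Paul's broken one.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
cat >"$GOOD_CONF" <<'EOF'
SERVICES {
  lmtp      cmd="lmtpd -a" listen="localhost:lmtp" prefork=0 maxchild=20
  #lmtpunix cmd="lmtpd" listen="/var/run/cyrus/socket/lmtp" prefork=0
}
EOF
cat >"$BAD_CONF" <<'EOF'
SERVICES {
  lmtp            cmd="lmtpd" -a listen="localhost:lmtp" prefork=0 maxchild=20
}
EOF
for f in "$GOOD_CONF" "$BAD_CONF"; do
    if lmtp_is_preauth "$f"; then echo "$f: lmtpd -a, exim may deliver without SASL"
    else echo "$f: -a not passed to lmtpd, expect 430 Authentication required"; fi
done
```

Run it against a real /etc/cyrus.conf by calling lmtp_is_preauth with that path; a non-zero result is the configuration that produces the "430 Authentication required" defer.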
