From Jean-Christophe.Delaye at eurecom.fr Tue Apr 2 13:02:34 2019
From: Jean-Christophe.Delaye at eurecom.fr (Jean-Christophe Delaye)
Date: Tue, 2 Apr 2019 19:02:34 +0200
Subject: cyrus http proxy in murder HTTP/1.1 403 Forbidden
Message-ID: <9225fd3a-5220-db71-fcd4-9680efa5ea53@eurecom.fr>

Hello,

We're testing Cyrus3.0.9 in a murder configuration.
It works fine for imap/imaps services. I can access mailboxes from
different frontends, and move mailboxes from one backend to another!

I'm now blocked with the calendar features in this configuration.
It works fine in both read and write mode directly from the backend.

http://backend.eurecom.fr/dav/calendars/user/xxxx/Default/

PUT /dav/calendars/user/xxxx/Default/8d6377bb-7c3f-4a55-a183-a05dae6fce0d.ics HTTP/1.1" (if-match="970dfe515581407e1f4eeaa887316530b3ef3020") => "HTTP/1.1 204 No Content"

I've configured http/https also on the frontend to enable accessing
calendars from there:

http://frontend.eurecom.fr/dav/calendars/user/xxxx/Default/

It works perfectly in read only mode from the frontend, but if I try to
do some changes, it does not complete with Forbidden message.

"PUT /dav/calendars/user/xxxx/Default/8d6377bb-7c3f-4a55-a183-a05dae6fce0d.ics HTTP/1.1" (if-match="970dfe515581407e1f4eeaa887316530b3ef3020") => "HTTP/1.1 403 Forbidden"

I've compiled backend and frontend with the same options

Server: Cyrus-HTTP/3.0.9 Cyrus-SASL/2.1.26 OpenSSL/1.0.0 Nghttp2/1.35.0 Zlib/1.2.11 LibXML2.9.5 SQLite/3.24.0 LibiCal/3.0 ICU4C/59.1 Jansson/2.10
WWW-Authenticate: Basic realm="frontend.eurecom.fr"
DAV: 1, 2, 3, access-control, extended-mkcol, resource-sharing
DAV: calendar-access, calendar-auto-schedule
DAV: calendar-query-extended, calendar-availability, calendar-managed-attachments
DAV: calendarserver-sharing, inbox-availability
DAV: addressbook
Allow: OPTIONS, GET, HEAD, POST, PUT, PATCH, DELETE, TRACE
Allow: PROPFIND, REPORT, COPY, MOVE, PROPPATCH, MKCOL, LOCK, UNLOCK, ACL
Allow: MKCALENDAR
Content-Length: 0

The question is:
Are there specific configuration parameters to enable proxy http/https in
murder configuration? I can't find useful information in the
documentation. I've seen the Interactive HTTP test program httptest, but
can't find parameters to simulate calendar clients.

Thank you

From murch at fastmail.com Tue Apr 2 13:15:36 2019
From: murch at fastmail.com (Ken Murchison)
Date: Tue, 2 Apr 2019 13:15:36 -0400
Subject: cyrus http proxy in murder HTTP/1.1 403 Forbidden
In-Reply-To: <9225fd3a-5220-db71-fcd4-9680efa5ea53@eurecom.fr>
References: <9225fd3a-5220-db71-fcd4-9680efa5ea53@eurecom.fr>
Message-ID: <2d9019d8-d336-955a-9513-e0d4ea6865ab@fastmail.com>

On 4/2/19 1:02 PM, Jean-Christophe Delaye wrote:
> Hello,
>
> We're testing Cyrus3.0.9 in a murder configuration.
> It works fine for imap/imaps services. I can access mailboxes from
> different frontends, and move mailboxes from one backend to another!
>
> I'm now blocked with the calendar features in this configuration.
> It works fine in both read and write mode directly from the backend.
>
> http://backend.eurecom.fr/dav/calendars/user/xxxx/Default/
>
> PUT
> /dav/calendars/user/xxxx/Default/8d6377bb-7c3f-4a55-a183-a05dae6fce0d.ics
> HTTP/1.1" (if-match="970dfe515581407e1f4eeaa887316530b3ef3020") =>
> "HTTP/1.1 204 No Content"
>
> I've configured http/https also on the frontend to enable accessing
> calendars from there:
>
> http://frontend.eurecom.fr/dav/calendars/user/xxxx/Default/
>
> It works perfectly in read only mode from the frontend, but if I try to
> do some changes, it does not complete with Forbidden message.
>
> "PUT
> /dav/calendars/user/xxxx/Default/8d6377bb-7c3f-4a55-a183-a05dae6fce0d.ics
> HTTP/1.1" (if-match="970dfe515581407e1f4eeaa887316530b3ef3020") =>
> "HTTP/1.1 403 Forbidden"

Is there any body in the 403 response with more information? You might
have to enable telemetry on the backend.

Is the frontend proxy authenticating as the owner of the calendar?
Check the cyrus log on the backend.

> I've compiled backend and frontend with the same options
>
> Server: Cyrus-HTTP/3.0.9 Cyrus-SASL/2.1.26 OpenSSL/1.0.0 Nghttp2/1.35.0
> Zlib/1.2.11 LibXML2.9.5 SQLite/3.24.0 LibiCal/3.0 ICU4C/59.1 Jansson/2.10
> WWW-Authenticate: Basic realm="frontend.eurecom.fr"
> DAV: 1, 2, 3, access-control, extended-mkcol, resource-sharing
> DAV: calendar-access, calendar-auto-schedule
> DAV: calendar-query-extended, calendar-availability,
> calendar-managed-attachments
> DAV: calendarserver-sharing, inbox-availability
> DAV: addressbook
> Allow: OPTIONS, GET, HEAD, POST, PUT, PATCH, DELETE, TRACE
> Allow: PROPFIND, REPORT, COPY, MOVE, PROPPATCH, MKCOL, LOCK, UNLOCK, ACL
> Allow: MKCALENDAR
> Content-Length: 0
>
> The question is:
> Are there specific configuration parameters to enable proxy http/https in
> murder configuration? I can't find useful information in the
> documentation. I've seen the Interactive HTTP test program httptest, but
> can't find parameters to simulate calendar clients.
>
> Thank you
>
> ----
> Cyrus Home Page: http://www.cyrusimap.org/
> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
> To Unsubscribe:
> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus

--
Ken Murchison
Cyrus Development Team
FastMail US LLC

From Jean-Christophe.Delaye at eurecom.fr Thu Apr 4 09:42:31 2019
From: Jean-Christophe.Delaye at eurecom.fr (Jean-Christophe Delaye)
Date: Thu, 4 Apr 2019 15:42:31 +0200
Subject: cyrus http proxy in murder HTTP/1.1 403 Forbidden
In-Reply-To: <2d9019d8-d336-955a-9513-e0d4ea6865ab@fastmail.com>
References: <9225fd3a-5220-db71-fcd4-9680efa5ea53@eurecom.fr> <2d9019d8-d336-955a-9513-e0d4ea6865ab@fastmail.com>
Message-ID:

On 4/2/19 7:15 PM, Ken Murchison wrote:
>
> On 4/2/19 1:02 PM, Jean-Christophe Delaye wrote:
>> Hello,
>>
>> We're testing Cyrus3.0.9 in a murder configuration.
>> It works fine for imap/imaps services. I can access mailboxes from
>> different frontends, and move mailboxes from one backend to another!
>>
>> I'm now blocked with the calendar features in this configuration.
>> It works fine in both read and write mode directly from the backend.
>>
>> http://backend.eurecom.fr/dav/calendars/user/xxxx/Default/
>>
>> PUT
>> /dav/calendars/user/xxxx/Default/8d6377bb-7c3f-4a55-a183-a05dae6fce0d.ics
>> HTTP/1.1" (if-match="970dfe515581407e1f4eeaa887316530b3ef3020") =>
>> "HTTP/1.1 204 No Content"
>>
>> I've configured http/https also on the frontend to enable accessing
>> calendars from there:
>>
>> http://frontend.eurecom.fr/dav/calendars/user/xxxx/Default/
>>
>> It works perfectly in read only mode from the frontend, but if I try to
>> do some changes, it does not complete with Forbidden message.
>>
>> "PUT
>> /dav/calendars/user/xxxx/Default/8d6377bb-7c3f-4a55-a183-a05dae6fce0d.ics
>> HTTP/1.1" (if-match="970dfe515581407e1f4eeaa887316530b3ef3020") =>
>> "HTTP/1.1 403 Forbidden"
>

Thanks for your reply.

I've activated telemetry and debug mode on both frontend and backend.

My feeling is that the frontend does not forward to the selected backend when
operating in WRITE mode [:method: PUT] (can't see an authentication request on
the backend nor network activity between them while monitored with snoop).

But it works fine when just accessing and browsing the calendar without
modification [:method: PROPFIND] or even delete events [:method: DELETE]

http log for user xxxx on backend:
<1554373427

> Is there any body in the 403 response with more information? You might
> have to enable telemetry on the backend.
>
> Is the frontend proxy authenticating as the owner of the calendar?
> Check the cyrus log on the backend.
>
>
>> I've compiled backend and frontend with the same options
>>
>> Server: Cyrus-HTTP/3.0.9 Cyrus-SASL/2.1.26 OpenSSL/1.0.0 Nghttp2/1.35.0
>> Zlib/1.2.11 LibXML2.9.5 SQLite/3.24.0 LibiCal/3.0 ICU4C/59.1 Jansson/2.10
>> WWW-Authenticate: Basic realm="frontend.eurecom.fr"
>> DAV: 1, 2, 3, access-control, extended-mkcol, resource-sharing
>> DAV: calendar-access, calendar-auto-schedule
>> DAV: calendar-query-extended, calendar-availability,
>> calendar-managed-attachments
>> DAV: calendarserver-sharing, inbox-availability
>> DAV: addressbook
>> Allow: OPTIONS, GET, HEAD, POST, PUT, PATCH, DELETE, TRACE
>> Allow: PROPFIND, REPORT, COPY, MOVE, PROPPATCH, MKCOL, LOCK, UNLOCK, ACL
>> Allow: MKCALENDAR
>> Content-Length: 0
>>
>> The question is:
>> Are there specific configuration parameters to enable proxy http/https in
>> murder configuration? I can't find useful information in the
>> documentation. I've seen the Interactive HTTP test program httptest, but
>> can't find parameters to simulate calendar clients.
>>
>> Thank you
>
-------------- next part --------------
cyrus/https[1651]: [ID 560950 local3.debug] tls_client_ca_dir=(NULL) tls_client_ca_file=/global/cyrus/etc/ssl/DigiCertCA.crt
cyrus/https[1651]: [ID 810032 local3.debug] tls_server_cert=/global/cyrus/etc/ssl/imap_eurecom_fr.crt tls_server_key=/global/cyrus/etc/ssl/imap.eurecom.fr.key
cyrus/https[1651]: [ID 817102 local3.notice] inittls: Loading hard-coded DH parameters
cyrus/https[1651]: [ID 495959 local3.debug] Set client CA list: Client cert requested, not required
cyrus/https[1651]: [ID 704172 local3.debug] TLS Server Name Indication (SNI) Extension: "imap.eurecom.fr"
cyrus/https[1651]: [ID 574029 local3.debug] SSL_accept() incomplete -> wait
cyrus/https[1651]: [ID 867439 local3.debug] SSL_accept() succeeded -> done
cyrus/https[1651]: [ID 702911 local3.notice] starttls: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits new) no authentication; application protocol = h2
cyrus/https[1651]: [ID 652924 local3.debug] http2_send_cb(15): 0
cyrus/https[1651]: [ID 739106 local3.debug] ret: 0, eof: 0, want read: 1
cyrus/https[1651]: [ID 545980 local3.debug] http2_recv_cb(16384): n = 148, eof = 0, err = '', errno = 0
cyrus/https[1651]: [ID 545980 local3.debug] http2_recv_cb(16384): n = 430, eof = 0, err = '', errno = 0
cyrus/https[1651]: [ID 611534 local3.debug] http2_begin_headers_cb(id=15, type=1)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(:method: PUT)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(:path: /dav/calendars/user/xxxx/Default/040000008200E00074C5B7101A82E008000000006007B06BAC90D40100000000000000001000000007FC4F557397EF40A2F49271F210CC15.ics)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(:authority: imap.eurecom.fr)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(:scheme: https)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 Lightning/6.2.5)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(accept: text/xml)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(accept-language: en-GB,en;q=0.5)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(accept-encoding: gzip, deflate, br)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(accept-charset: utf-8,*;q=0.1)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(content-length: 9332)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(content-type: text/calendar; charset=utf-8)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(if-match: "50ab3d1a71c68976f2738e4c7a8276f8d41d4468")
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(cookie: SESS2f0096f341f49daa238064955414f109=k69uvq1krqi679tguccttm2qs0)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(authorization: Basic c3RhbmRhcmQ6SGVyc2VsLg==)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(pragma: no-cache)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(cache-control: no-cache)
cyrus/https[1651]: [ID 572367 local3.debug] http2_frame_recv_cb(id=15, type=1, flags=0x24
cyrus/https[1651]: [ID 364641 local3.debug] conn flags: 0 upgrade flags: 0 tls req: 0
cyrus/https[1651]: [ID 909740 local3.debug] http_auth: status=0 scheme='' creds='Basic '
cyrus/https[1651]: [ID 796571 local3.debug] http_auth: find client scheme
cyrus/https[1651]: [ID 113398 local3.debug] http_auth: found matching scheme: Basic
cyrus/https[1651]: [ID 564409 local3.notice] login: anjou.eurecom.fr [172.17.20.150] xxxx Basic+TLS User logged in SESSIONID=
cyrus/https[1651]: [ID 572367 local3.debug] http2_frame_recv_cb(id=15, type=8, flags=0
cyrus/https[1651]: [ID 545980 local3.debug] http2_recv_cb(16384): n = 4096, eof = 0, err = '', errno = 0
cyrus/https[1651]: [ID 809992 local3.debug] http2_data_chunk_recv_cb(id=15, len=4087, txnflags=0)
cyrus/https[1651]: [ID 545980 local3.debug] http2_recv_cb(16384): n = 4096, eof = 0, err = '', errno = 0
cyrus/https[1651]: [ID 809992 local3.debug] http2_data_chunk_recv_cb(id=15, len=4096, txnflags=0)
cyrus/https[1651]: [ID 545980 local3.debug] http2_recv_cb(16384): n = 1149, eof = 0, err = '', errno = 0
cyrus/https[1651]: [ID 809992 local3.debug] http2_data_chunk_recv_cb(id=15, len=1149, txnflags=0)
cyrus/https[1651]: [ID 572367 local3.debug] http2_frame_recv_cb(id=15, type=0, flags=0x1
cyrus/https[1651]: [ID 133476 local3.debug] write_body(code = -1964266992, flags.te = 0, len = 0)
cyrus/https[1651]: [ID 204120 local3.debug] simple_hdr(:status: 403)
cyrus/https[1651]: [ID 204120 local3.debug] simple_hdr(Date: Thu, 04 Apr 2019 13:12:49 GMT)
cyrus/https[1651]: [ID 204120 local3.debug] simple_hdr(Strict-Transport-Security: max-age=600)
cyrus/https[1651]: [ID 204120 local3.debug] simple_hdr(Cache-Control: no-cache)
cyrus/https[1651]: [ID 204120 local3.debug] simple_hdr(Content-Length: 0)
cyrus/https[1651]: [ID 518894 local3.debug] end_resp_headers(code = -1964266992, len = 0, flags.te = 0)
cyrus/https[1651]: [ID 829378 local3.debug] nghttp2_submit headers(id=15, flags=0x1)
cyrus/https[1651]: [ID 702911 local3.info] anjou.eurecom.fr [172.17.20.150] as "xxxx" with "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 Lightning/6.2.5"; "PUT /dav/calendars/user/xxxx/Default/040000008200E00074C5B7101A82E008000000006007B06BAC90D40100000000000000001000000007FC4F557397EF40A2F49271F210CC15.ics HTTP/2" (if-match="50ab3d1a71c68976f2738e4c7a8276f8d41d4468") => "HTTP/2 403 Forbidden"
cyrus/https[1651]: [ID 334236 local3.debug] nghttp2_submit_data(id=15, len=0, outlen=0, flags=0x1)
cyrus/https[1651]: [ID 652924 local3.debug] http2_send_cb(9): 0
cyrus/https[1651]: [ID 652924 local3.debug] http2_send_cb(63): 0
cyrus/https[1651]: [ID 640762 local3.debug] http2_stream_close_cb(id=15)
cyrus/https[1651]: [ID 545980 local3.debug] http2_recv_cb(16384): n = 9, eof = 0, err = '', errno = 0
cyrus/https[1651]: [ID 545980 local3.debug] http2_recv_cb(16384): n = -504, eof = 0, err = '', errno = 11

From flashl at cox.net Sun Apr 7 19:23:42 2019
From: flashl at cox.net (Flash)
Date: Sun, 7 Apr 2019 19:23:42 -0400 (EDT)
Subject: [No Subject]
Message-ID: <417871996.7365.1554679422260@myemail.cox.net>

subscribe info-cyrus flashlb at dailybrood.com

From Jean-Christophe.Delaye at eurecom.fr Mon Apr 8 10:53:47 2019
From: Jean-Christophe.Delaye at eurecom.fr (Jean-Christophe Delaye)
Date: Mon, 8 Apr 2019 16:53:47 +0200
Subject: HTTP proxy in murder
Message-ID:

Hi,

I'm still stuck in configuring a murder cluster for Cyrus HTTP.

Is it possible to disable http on both backend and frontend, and only
use https?

I have tried with only https entries in cyrus.conf on both
backend/frontend and I notice connection refused from the frontend.

imap cyrus/https[1502]: [ID 130975 local3.error] connect(backend.eurecom.fr) failed: Connection refused

to be sure, if I disable http entry in services

getaddrinfo(backend.eurecom.fr) failed: service name not available for the specified socket type

Is it necessary to have http between frontend and backend for the proxy
to work?

Does anybody have a running configuration for Calendars over murder
aggregator?

Thanks

From lists at localguru.de Sun Apr 21 17:09:06 2019
From: lists at localguru.de (Marcus Schopen)
Date: Sun, 21 Apr 2019 23:09:06 +0200
Subject: 2FA and IMAP
Message-ID:

Hi,

a friend wants to restrict access to his mailbox with 2FA.
As webmailer I use Roundcube, which offers a 2FA plugin. But in the end this is
pointless, because besides the webmailer there is also the native IMAP
access available. Is it therefore possible to restrict the access to a
single IMAP account to a certain IP so that this mailbox can only be
accessed via the Roundcube?

Ciao!
Marcus

From awilliam at whitemice.org Mon Apr 22 13:09:58 2019
From: awilliam at whitemice.org (Adam Tauno Williams)
Date: Mon, 22 Apr 2019 13:09:58 -0400
Subject: 2FA and IMAP
In-Reply-To:
References:
Message-ID: <1555952998.6420.8.camel@whitemice.org>

On Sun, 2019-04-21 at 23:09 +0200, Marcus Schopen wrote:
> Hi,
>
> a friend wants to restrict access to his mailbox with 2FA. As
> webmailer I use Roundcube, which offers a 2FA plugin. But in the end
> this is pointless, because besides the webmailer there is also the
> native IMAP access available. Is it therefore possible to restrict
> the access to a single IMAP account to a certain IP so that this
> mailbox can only be accessed via the Roundcube?

I doubt it, but maybe.

All the authentication stuff is handled by SASL - not really Cyrus -
and SASL is deeply configurable.

https://www.cyrusimap.org/sasl/

--
Adam Tauno Williams, awilliam at whitemice.org
Multi-Modal Activists Against Auto Dependent Development
resisting the unAmerican socialists of the Motorist hegemony
http://www.mmaaadd.org

From sven.schwedas at tao.at Tue Apr 23 05:45:55 2019
From: sven.schwedas at tao.at (Sven Schwedas)
Date: Tue, 23 Apr 2019 11:45:55 +0200
Subject: LDAP auth and ptloader
Message-ID: <190cb420-4836-1f98-36f9-70e6bde97629@tao.at>

I'm trying to set up direct LDAP auth via auth_meth=pts, but on start I
always get "ptload(): can't connect to ptloader server: No such file or
directory" as error. The directory for ptloader_sock exists and is the
same as for all other sockets, so there shouldn't be any permission
problems with the socket.
I suppose I need to somehow manually start up ptloader via cyrus.conf,
but there's no documentation and nothing I can find in the mailing list
archives as to *how*? What am I missing?

--
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, System Administrator
sven.schwedas at tao.at | +43 680 301 7167
TAO Digital   | Part of TAO Beratungs- & Management GmbH
Lendplatz 45  | FN 213999f/Klagenfurt, FB-Gericht Villach
A8020 Graz    | https://www.tao-digital.at

From Willem at Offermans.Rompen.nl Tue Apr 23 07:43:04 2019
From: Willem at Offermans.Rompen.nl (Willem Offermans)
Date: Tue, 23 Apr 2019 13:43:04 +0200
Subject: LDAP auth and ptloader
In-Reply-To: <190cb420-4836-1f98-36f9-70e6bde97629@tao.at>
References: <190cb420-4836-1f98-36f9-70e6bde97629@tao.at>
Message-ID: <2747CCFE-5185-46B3-8BAA-0DADDB2ACB15@Offermans.Rompen.nl>

Dear Cyrus Friends and Sven,

I don't know if this is of any help.

I have setup saslauthd to do LDAP authentication of Cyrus.

Now I'm at this point. I know this is off-topic:

LDAP is a database and not developed to do authentication. Radius is
developed to do AAA (Authentication, Authorization and Accounting).
Radius can do authentication in many different ways with many different
databases.

Is it possible to do authentication with radius, for example freeradius?

Wiel Offermans
Willem at Offermans.Rompen.nl

> On 23 Apr 2019, at 11:45, Sven Schwedas wrote:
>
> I'm trying to set up direct LDAP auth via auth_meth=pts, but on start I
> always get "ptload(): can't connect to ptloader server: No such file or
> directory" as error. The directory for ptloader_sock exists and is the
> same as for all other sockets, so there shouldn't be any permission
> problems with the socket.
>
> I suppose I need to somehow manually start up ptloader via cyrus.conf,
> but there's no documentation and nothing I can find in the mailing list
> archives as to *how*? What am I missing?
>
> --
> Mit freundlichen Grüßen, / Best Regards,
> Sven Schwedas, System Administrator
> sven.schwedas at tao.at | +43 680 301 7167
> TAO Digital   | Part of TAO Beratungs- & Management GmbH
> Lendplatz 45  | FN 213999f/Klagenfurt, FB-Gericht Villach
> A8020 Graz    | https://www.tao-digital.at

From sven.schwedas at tao.at Tue Apr 23 07:50:34 2019
From: sven.schwedas at tao.at (Sven Schwedas)
Date: Tue, 23 Apr 2019 13:50:34 +0200
Subject: LDAP auth and ptloader
In-Reply-To: <2747CCFE-5185-46B3-8BAA-0DADDB2ACB15@Offermans.Rompen.nl>
References: <190cb420-4836-1f98-36f9-70e6bde97629@tao.at> <2747CCFE-5185-46B3-8BAA-0DADDB2ACB15@Offermans.Rompen.nl>
Message-ID: <5f1f861d-a124-c159-c5d9-6edc91dedeb3@tao.at>

On 23.04.19 13:43, Willem Offermans wrote:
> Dear Cyrus Friends and Sven,
>
> I don't know if this is of any help.
>
> I have setup saslauthd to do LDAP authentication of Cyrus.

That's what I want to get away from, because saslauthd cannot handle
groups, and I need to maintain PAM LDAP auth in parallel just to handle
that.

--
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, System Administrator
sven.schwedas at tao.at | +43 680 301 7167
TAO Digital   | Part of TAO Beratungs- & Management GmbH
Lendplatz 45  | FN 213999f/Klagenfurt, FB-Gericht Villach
A8020 Graz    | https://www.tao-digital.at

From Willem at Offermans.Rompen.nl Tue Apr 23 07:56:35 2019
From: Willem at Offermans.Rompen.nl (Willem Offermans)
Date: Tue, 23 Apr 2019 13:56:35 +0200
Subject: LDAP auth and ptloader
In-Reply-To: <5f1f861d-a124-c159-c5d9-6edc91dedeb3@tao.at>
References: <190cb420-4836-1f98-36f9-70e6bde97629@tao.at> <2747CCFE-5185-46B3-8BAA-0DADDB2ACB15@Offermans.Rompen.nl> <5f1f861d-a124-c159-c5d9-6edc91dedeb3@tao.at>
Message-ID: <4C26FE9A-A5D1-4748-BD0C-8F4B1D93553D@Offermans.Rompen.nl>

Dear Cyrus friends and Sven,

A reason to look for authentication by radius.
But maybe this should go to feature request.

Wiel Offermans
Willem at Offermans.Rompen.nl

> On 23 Apr 2019, at 13:50, Sven Schwedas wrote:
>
> On 23.04.19 13:43, Willem Offermans wrote:
>> Dear Cyrus Friends and Sven,
>>
>> I don't know if this is of any help.
>>
>> I have setup saslauthd to do LDAP authentication of Cyrus.
>
> That's what I want to get away from, because saslauthd cannot handle
> groups, and I need to maintain PAM LDAP auth in parallel just to handle
> that.
>
> --
> Mit freundlichen Grüßen, / Best Regards,
> Sven Schwedas, System Administrator
> sven.schwedas at tao.at | +43 680 301 7167
> TAO Digital   | Part of TAO Beratungs- & Management GmbH
> Lendplatz 45  | FN 213999f/Klagenfurt, FB-Gericht Villach
> A8020 Graz    | https://www.tao-digital.at
>

From sven.schwedas at tao.at Tue Apr 23 08:01:41 2019
From: sven.schwedas at tao.at (Sven Schwedas)
Date: Tue, 23 Apr 2019 14:01:41 +0200
Subject: LDAP auth and ptloader
In-Reply-To: <4C26FE9A-A5D1-4748-BD0C-8F4B1D93553D@Offermans.Rompen.nl>
References: <190cb420-4836-1f98-36f9-70e6bde97629@tao.at> <2747CCFE-5185-46B3-8BAA-0DADDB2ACB15@Offermans.Rompen.nl> <5f1f861d-a124-c159-c5d9-6edc91dedeb3@tao.at> <4C26FE9A-A5D1-4748-BD0C-8F4B1D93553D@Offermans.Rompen.nl>
Message-ID:

This has nothing to do with my problem. Please stop spamming.

On 23.04.19 13:56, Willem Offermans wrote:
> Dear Cyrus friends and Sven,
>
> A reason to look for authentication by radius.
> But maybe this should go to feature request.
>
>
> Wiel Offermans
> Willem at Offermans.Rompen.nl
>
>> On 23 Apr 2019, at 13:50, Sven Schwedas wrote:
>>
>> On 23.04.19 13:43, Willem Offermans wrote:
>>> Dear Cyrus Friends and Sven,
>>>
>>> I don't know if this is of any help.
>>>
>>> I have setup saslauthd to do LDAP authentication of Cyrus.
>>
>> That's what I want to get away from, because saslauthd cannot handle
>> groups, and I need to maintain PAM LDAP auth in parallel just to handle
>> that.
>>
>> --
>> Mit freundlichen Grüßen, / Best Regards,
>> Sven Schwedas, System Administrator
>> sven.schwedas at tao.at | +43 680 301 7167
>> TAO Digital   | Part of TAO Beratungs- & Management GmbH
>> Lendplatz 45  | FN 213999f/Klagenfurt, FB-Gericht Villach
>> A8020 Graz    | https://www.tao-digital.at
>>
>

--
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, System Administrator
sven.schwedas at tao.at | +43 680 301 7167
TAO Digital   | Part of TAO Beratungs- & Management GmbH
Lendplatz 45  | FN 213999f/Klagenfurt, FB-Gericht Villach
A8020 Graz    | https://www.tao-digital.at

From biggosh at gmail.com Tue Apr 23 14:46:57 2019
From: biggosh at gmail.com (Christian Fontana)
Date: Tue, 23 Apr 2019 20:46:57 +0200
Subject: 2FA and IMAP
In-Reply-To: <1555952998.6420.8.camel@whitemice.org>
References: <1555952998.6420.8.camel@whitemice.org>
Message-ID:

Hi. But the documentation does not seem to be complete. I was not able to
find an example or an explanation about how to restrict access to a
single IMAP account from a certain IP.
Could you point me to the right page of the documentation?

thanks

On Mon, 22 Apr 2019 at 19:14, Adam Tauno Williams wrote:

> On Sun, 2019-04-21 at 23:09 +0200, Marcus Schopen wrote:
> > Hi,
> >
> > a friend wants to restrict access to his mailbox with 2FA. As
> > webmailer I use Roundcube, which offers a 2FA plugin. But in the end
> > this is pointless, because besides the webmailer there is also the
> > native IMAP access available. Is it therefore possible to restrict
> > the access to a single IMAP account to a certain IP so that this
> > mailbox can only be accessed via the Roundcube?
>
> I doubt it, but maybe.
>
> All the authentication stuff is handled by SASL - not really Cyrus -
> and SASL is deeply configurable.
>
> https://www.cyrusimap.org/sasl/
>
> --
> Adam Tauno Williams, awilliam at whitemice.org
> Multi-Modal Activists Against Auto Dependent Development
> resisting the unAmerican socialists of the Motorist hegemony
> http://www.mmaaadd.org
>

From alvin at netvel.net Tue Apr 23 15:10:33 2019
From: alvin at netvel.net (Alvin Starr)
Date: Tue, 23 Apr 2019 15:10:33 -0400
Subject: 2FA and IMAP
In-Reply-To:
References: <1555952998.6420.8.camel@whitemice.org>
Message-ID:

This is not multifactor authentication and I am not sure if it will work
but I was kicking around the idea of trying to use client certificates
to ensure that only mail clients with the proper client certificate
installed can connect.

On 4/23/19 2:46 PM, Christian Fontana wrote:
> Hi. But the documentation does not seem to be complete. I was not able to
> find an example or an explanation about how to restrict access to a
> single IMAP account from a certain IP.
> Could you point me to the right page of the documentation?
>
> thanks
>
>
> On Mon, 22 Apr 2019 at 19:14, Adam Tauno Williams wrote:
>
> On Sun, 2019-04-21 at 23:09 +0200, Marcus Schopen wrote:
> > Hi,
> >
> > a friend wants to restrict access to his mailbox with 2FA. As
> > webmailer I use Roundcube, which offers a 2FA plugin. But in the end
> > this is pointless, because besides the webmailer there is also the
> > native IMAP access available. Is it therefore possible to restrict
> > the access to a single IMAP account to a certain IP so that this
> > mailbox can only be accessed via the Roundcube?
>
> I doubt it, but maybe.
>
> All the authentication stuff is handled by SASL - not really Cyrus -
> and SASL is deeply configurable.
>
> https://www.cyrusimap.org/sasl/
>
> --
> Adam Tauno Williams, awilliam at whitemice.org
> Multi-Modal Activists Against Auto Dependent Development
> resisting the unAmerican socialists of the Motorist hegemony
> http://www.mmaaadd.org

--
Alvin Starr                   ||   land:  (647)478-6285
Netvel Inc.                   ||   Cell:  (416)806-0133
alvin at netvel.net           ||

From michael.menge at zdv.uni-tuebingen.de Tue Apr 23 16:53:33 2019
From: michael.menge at zdv.uni-tuebingen.de (Michael Menge)
Date: Tue, 23 Apr 2019 22:53:33 +0200
Subject: 2FA and IMAP
In-Reply-To:
References:
Message-ID:

Hi,

You can configure a different IMAP Service in cyrus.conf for roundcube
(different IP or port) and use pam with for authentication or block login
for the other services with the cyrus denydb

On 21 April 2019 23:09:06 CEST, Marcus Schopen wrote:
>Hi,
>
>a friend wants to restrict access to his mailbox with 2FA. As webmailer
>I use Roundcube, which offers a 2FA plugin. But in the end this is
>pointless, because besides the webmailer there is also the native IMAP
>access available. Is it therefore possible to restrict the access to a
>single IMAP account to a certain IP so that this mailbox can only be
>accessed via the Roundcube?
>
>Ciao!
>Marcus

--
This message was sent from my Android mobile phone with K-9 Mail.
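
An added example, not part of the original thread and not Cyrus code: once an account has been confined to a dedicated service as suggested in the reply above, a log audit can confirm that no login for it arrives by another path. The line format follows the "login:" entry in the debug log posted earlier in this archive; the account name, the addresses, the "imaprc" service name and the policy structure are assumptions made for the illustration.

```python
import ipaddress
import re

# Shape of the Cyrus "login:" syslog entry, as in the debug log posted earlier
# in this archive: cyrus/<service>[pid]: ... login: host [ip] user mech User logged in
LOGIN_RE = re.compile(
    r"cyrus/(?P<service>[\w.-]+)\[\d+\]:.*?\blogin: "
    r"(?P<host>\S+) \[(?P<ip>[0-9A-Fa-f:.]+)\] "
    r"(?P<user>\S+) (?P<mech>\S+) User logged in"
)


def parse_login(line):
    """Return a dict for a successful-login line, or None for anything else."""
    m = LOGIN_RE.search(line)
    if m is None:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None  # bracketed field was not an address
    return {"service": m.group("service"), "host": m.group("host"), "ip": ip,
            "user": m.group("user"), "mech": m.group("mech")}


def find_violations(lines, policy):
    """List logins to protected accounts that bypass the webmail path.

    policy maps userid -> {"networks": [ip_network, ...], "services": set or None}.
    Accounts absent from the policy are unrestricted and are ignored.
    """
    violations = []
    for line in lines:
        event = parse_login(line)
        if event is None or event["user"] not in policy:
            continue
        rule = policy[event["user"]]
        reasons = []
        if not any(event["ip"] in net for net in rule["networks"]):
            reasons.append("source address")
        if rule.get("services") and event["service"] not in rule["services"]:
            reasons.append("service")
        if reasons:
            violations.append(
                (event["user"], str(event["ip"]), event["service"], reasons))
    return violations


# Constructed sample lines (documentation addresses, hypothetical users).
# "imaprc" is an assumed name for the dedicated Roundcube service in cyrus.conf.
SAMPLE_LOG = [
    "cyrus/imaprc[2101]: [ID 564409 local3.notice] login: webmail.example.org "
    "[192.0.2.10] alice PLAIN+TLS User logged in SESSIONID=<constructed-1>",
    "cyrus/imaps[2102]: [ID 564409 local3.notice] login: host.example.net "
    "[198.51.100.7] alice PLAIN+TLS User logged in SESSIONID=<constructed-2>",
    "cyrus/imaps[2103]: [ID 564409 local3.notice] login: host.example.net "
    "[198.51.100.7] bob PLAIN+TLS User logged in SESSIONID=<constructed-3>",
    "cyrus/imaps[2104]: [ID 564409 local3.notice] login: webmail.example.org "
    "[192.0.2.10] alice PLAIN+TLS User logged in SESSIONID=<constructed-4>",
    "cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(:method: PUT)",
]

# Assumed policy: alice may only log in from the webmail host, via imaprc.
POLICY = {
    "alice": {"networks": [ipaddress.ip_network("192.0.2.10/32")],
              "services": {"imaprc"}},
}

if __name__ == "__main__":
    for user, ip, service, reasons in find_violations(SAMPLE_LOG, POLICY):
        print(f"{user} from {ip} via {service}: unexpected {', '.join(reasons)}")
```
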

From ismael.tanguy at univ-brest.fr Wed Apr 24 15:43:12 2019
From: ismael.tanguy at univ-brest.fr (Ismaël Tanguy)
Date: Wed, 24 Apr 2019 21:43:12 +0200
Subject: cyradm | Duplicate specification
Message-ID:

Hello,

I've got this error after connecting to cyrus with cyradm (as root or
cyrus user):

# cyradm -u cyrus localhost
Variable "$cyrref" will not stay shared at /usr/lib64/perl5/vendor_perl/Cyrus/IMAP/Shell.pm line 724.
Variable "$lfh" will not stay shared at /usr/lib64/perl5/vendor_perl/Cyrus/IMAP/Shell.pm line 726.
Duplicate specification "server|s=s" for option "s"

I can make operation on mailbox (lam, sam, xfer, ..), everything seems
to work fine but I'm not confident to put that in production..

Cyrus version is 3.08 installed with rpm on Centos7.
I've built the rpms, so maybe I've made a mistake at this step.
cyrus was built like that:

# cyr_buildinfo
{
  "component": {
    "event_notification": true,
    "gssapi": true,
    "autocreate": true,
    "idled": true,
    "httpd": true,
    "kerberos_v4": false,
    "murder": true,
    "nntpd": true,
    "replication": true,
    "sieve": true,
    "calalarmd": true,
    "objectstore": false,
    "backup": true
  },
  "dependency": {
    "ldap": true,
    "openssl": true,
    "pcre": true,
    "clamav": true
  },
  "database": {
    "mysql": false,
    "pgsql": false,
    "sqlite": true,
    "lmdb": false
  },
  "search": {
    "squat": true,
    "sphinx": false,
    "xapian": false,
    "xapian_flavor": "none"
  },
  "hardware": {
    "sse42": true
  }
}

Thank you

-------------------
Ismaël TANGUY

From ellie at fastmail.com  Fri Apr 26 04:03:25 2019
From: ellie at fastmail.com (ellie timoney)
Date: Fri, 26 Apr 2019 04:03:25 -0400
Subject: LDAP auth and ptloader
In-Reply-To: <190cb420-4836-1f98-36f9-70e6bde97629@tao.at>
References: <190cb420-4836-1f98-36f9-70e6bde97629@tao.at>
Message-ID: <0c0acdee-a654-4b67-a23a-f58aa58d6672@www.fastmail.com>

Hi Sven,

I don't know much about running it in a production capacity, but our test suite sets up the following for LDAP pts:

imapd.conf:
    ...
    ptloader_sock: /path/to/some/socket
    auth_mech: pts
    pts_module: ldap
    ...

cyrus.conf:
    SERVICES {
        ...
        ptloader cmd="ptloader" listen="/path/to/some/socket"
        ...
    }

Does this get you going?

Cheers,

ellie

On Tue, Apr 23, 2019, at 7:52 PM, Sven Schwedas wrote:
> I'm trying to set up direct LDAP auth via auth_meth=pts, but on start I
> always get "ptload(): can't connect to ptloader server: No such file or
> directory" as error. The directory for ptloader_sock exists and is the
> same as for all other sockets, so there shouldn't be any permission
> problems with the socket.
>
> I suppose I need to somehow manually start up ptloader via cyrus.conf,
> but there's no documentation and nothing I can find in the mailing list
> archives as to *how*? What am I missing?
>
> --
> Best Regards,
> Sven Schwedas, System Administrator
> sven.schwedas at tao.at | +43 680 301 7167
> TAO Digital | Part of TAO Beratungs- & Management GmbH
> Lendplatz 45 | FN 213999f/Klagenfurt, FB-Gericht Villach
> A8020 Graz | https://www.tao-digital.at
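
Added example, not part of the thread and not Cyrus project code: a shell check that the ptloader_sock path in imapd.conf is the same path a ptloader entry in cyrus.conf listens on, which is the pairing shown in the reply above. The function names are this example's own, the sample files are constructed, and it assumes ptloader_sock is set explicitly and the service uses cmd="ptloader".

```shell
#!/bin/sh
# Added example: do imapd.conf and cyrus.conf agree on the ptloader socket?
# Function names are this example's own; the sample files are constructed.

# Print the value of the first "KEY: value" line in an imapd.conf-style file.
conf_value() {  # usage: conf_value KEY FILE
    sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*//p" "$2" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Print listen= from the first non-comment line whose cmd= starts with ptloader.
ptloader_listen() {  # usage: ptloader_listen CYRUS_CONF
    grep -v '^[[:space:]]*#' "$1" | grep 'cmd="ptloader' |
        sed -n 's/.*listen="\([^"]*\)".*/\1/p' | head -n 1
}

# Return non-zero when auth_mech is pts but no ptloader service listens on
# the socket named by ptloader_sock.
check_ptloader() {  # usage: check_ptloader IMAPD_CONF CYRUS_CONF
    mech=$(conf_value auth_mech "$1")
    sock=$(conf_value ptloader_sock "$1")
    listen=$(ptloader_listen "$2")
    if [ "$mech" != "pts" ]; then
        echo "SKIP: auth_mech is '$mech', not pts"; return 0
    fi
    if [ -z "$sock" ]; then
        echo "FAIL: ptloader_sock is not set explicitly in $1"; return 1
    fi
    if [ -z "$listen" ]; then
        echo "FAIL: no ptloader entry in $2, nothing creates $sock"; return 1
    fi
    if [ "$sock" != "$listen" ]; then
        echo "FAIL: imapd expects $sock but ptloader listens on $listen"; return 1
    fi
    echo "OK: ptloader listens on $sock"
}

# Constructed samples: a cyrus.conf without the service, then with it added.
demo() {
    d=$(mktemp -d)
    printf 'ptloader_sock: /path/to/some/socket\nauth_mech: pts\npts_module: ldap\n' > "$d/imapd.conf"
    printf 'SERVICES {\n  imap cmd="imapd" listen="imap"\n}\n' > "$d/before.conf"
    printf 'SERVICES {\n  ptloader cmd="ptloader" listen="/path/to/some/socket"\n}\n' > "$d/after.conf"
    check_ptloader "$d/imapd.conf" "$d/before.conf" || true
    check_ptloader "$d/imapd.conf" "$d/after.conf"
    rm -rf "$d"
}

demo
```

To check a real host, call check_ptloader with the paths of its imapd.conf and cyrus.conf in place of the demo call.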

From ellie at fastmail.com  Fri Apr 26 04:11:05 2019
From: ellie at fastmail.com (ellie timoney)
Date: Fri, 26 Apr 2019 04:11:05 -0400
Subject: cyradm | Duplicate specification
In-Reply-To:
References:
Message-ID: <1713774a-9fd9-4fc9-beab-24e40aee8d81@www.fastmail.com>

Hi Ismaël,

Which version of perl are you running? (`perl --version` will tell you) A fairly newish one, I guess?

The cyradm tools were written using a quite old version of perl, which didn't produce a lot of warnings. I expect it's working fine, but your newer perl version is producing warnings that the older versions did not.

It would be good to fix up a lot of this cruft -- do you want to raise an issue on https://github.com/cyrusimap/cyrus-imapd/issues and include the details from your email and your perl version? I can't promise it'll get looked at quickly, but at least it won't get forgotten. :)

Cheers,

ellie

On Thu, Apr 25, 2019, at 5:49 AM, Ismaël Tanguy wrote:
> Hello,
>
> I've got this error after connecting to cyrus with cyradm (as root or cyrus user):
>
> # cyradm -u cyrus localhost
> Variable "$cyrref" will not stay shared at /usr/lib64/perl5/vendor_perl/Cyrus/IMAP/Shell.pm line 724.
> Variable "$lfh" will not stay shared at /usr/lib64/perl5/vendor_perl/Cyrus/IMAP/Shell.pm line 726.
> Duplicate specification "server|s=s" for option "s"
>
> I can perform operations on mailboxes (lam, sam, xfer, ...); everything seems to work fine, but I'm not confident about putting that in production.
>
> Cyrus version is 3.08 installed with rpm on Centos7.
>
> I've built the rpms, so maybe I've made a mistake at this step.
>
> cyrus was built like this:
>
> # cyr_buildinfo
> {
>   "component": {
>     "event_notification": true,
>     "gssapi": true,
>     "autocreate": true,
>     "idled": true,
>     "httpd": true,
>     "kerberos_v4": false,
>     "murder": true,
>     "nntpd": true,
>     "replication": true,
>     "sieve": true,
>     "calalarmd": true,
>     "objectstore": false,
>     "backup": true
>   },
>   "dependency": {
>     "ldap": true,
>     "openssl": true,
>     "pcre": true,
>     "clamav": true
>   },
>   "database": {
>     "mysql": false,
>     "pgsql": false,
>     "sqlite": true,
>     "lmdb": false
>   },
>   "search": {
>     "squat": true,
>     "sphinx": false,
>     "xapian": false,
>     "xapian_flavor": "none"
>   },
>   "hardware": {
>     "sse42": true
>   }
> }
>
> Thank you
>
> -------------------
> Ismaël TANGUY

From ismael.tanguy at univ-brest.fr  Fri Apr 26 04:56:32 2019
From: ismael.tanguy at univ-brest.fr (Ismaël Tanguy)
Date: Fri, 26 Apr 2019 10:56:32 +0200
Subject: cyradm | Duplicate specification
In-Reply-To: <1713774a-9fd9-4fc9-beab-24e40aee8d81@www.fastmail.com>
References: <1713774a-9fd9-4fc9-beab-24e40aee8d81@www.fastmail.com>
Message-ID: <800d5336-51fb-9a68-4225-b8e7a9971160@univ-brest.fr>

Thanks Ellie,

https://github.com/cyrusimap/cyrus-imapd/issues/2747

------------------------------
Ismaël

On 26/04/2019 at 10:11, ellie timoney wrote:
> Hi Ismaël,
>
> Which version of perl are you running? (`perl --version` will tell
> you) A fairly newish one, I guess?
>
> The cyradm tools were written using a quite old version of perl, which
> didn't produce a lot of warnings. I expect it's working fine, but
> your newer perl version is producing warnings that the older versions
> did not.
>
> It would be good to fix up a lot of this cruft -- do you want to raise
> an issue on https://github.com/cyrusimap/cyrus-imapd/issues and
> include the details from your email and your perl version? I can't
> promise it'll get looked at quickly, but at least it won't get
> forgotten. :)
>
> Cheers,
>
> ellie