After upgrading from FC1 to FC2 test 3 I realized that FC2 uses cyrus-imap and not the standard IMAP package that FC1 used and that it doesn't use PAM by default because I can no longer log in through IMAP. The server is running fine because I can telnet to it but when attempting to log in I get an authentication error. I have looked around at cyrus documentation of the cyrus site and redhat's site but the admin tools (mkimap, cm.user, etc) do not work. I even tried changing the .conf file to pam authentication by changing the method to sasl_passwd_check: pam and I tried shadow. Any help getting users back in any way would be appreciated, thanks
_____________________________________________________________ An ye harm none, do as ye will!
On 5/6/2004 4:01 PM, seth doty wrote:
After upgrading from FC1 to FC2 test 3 I realized that FC2 uses cyrus-imap and not the standard IMAP package that FC1 used and that it doesn't use PAM by default because I can no longer log in through IMAP. The server is running fine because I can telnet to it but when attempting to log in I get an authentication error. I have looked around at cyrus documentation of the cyrus site and redhat's site but the admin tools (mkimap, cm.user, etc) do not work. I even tried changing the .conf file to pam authentication by changing the method to sasl_passwd_check: pam and I tried shadow. Any help getting users back in any way would be appreciated, thanks
Yes, documentation is scarce. The admin user on Fedora Cyrus is cyrus. Set a password for it (passwd cyrus) and use cyradm (man cyradm) to add users. Cyrus on FC2 is compiled to use shadow passwords for authentication, so users must exist on the system before a mailbox is created with cyradm.
Cheers,
Anyone have any information (anecdotal or otherwise) on the performance of cyrus versus UW-IMAPd on really big mailboxes (more than 1 gig/30k messages)? Or is this exclusively a function of mailbox format?
-- Ken Snider
On Fri, 7 May 2004 14:20, Ken Snider ksnider@flarn.com wrote:
Anyone have any information (anecdotal or otherwise) on the performance of cyrus versus UW-IMAPd on really big mailboxes (more than 1 gig/30k messages)? Or is this exclusively a function of mailbox format?
If you use mbox or mbox+ formats then performance will suck terribly on large mail boxes. For decent performance you need either Maildir or a database, although I suspect that most mail servers will have some performance issues with such a large mailbox regardless of format.
On Fri, 2004-05-07 at 09:12, Russell Coker wrote:
On Fri, 7 May 2004 14:20, Ken Snider ksnider@flarn.com wrote:
Anyone have any information (anecdotal or otherwise) on the performance of cyrus versus UW-IMAPd on really big mailboxes (more than 1 gig/30k messages)? Or is this exclusively a function of mailbox format?
If you use mbox or mbox+ formats then performance will suck terribly on large mail boxes. For decent performance you need either Maildir or a database, although I suspect that most mail servers will have some performance issues with such a large mailbox regardless of format.
Anyone know if it reads the mbx format? UW-IMAPD docs said that was a fast mailbox format that allows concurrent access. We use it.
On 2004.05.07 15:12, Russell Coker wrote:
On Fri, 7 May 2004 14:20, Ken Snider ksnider@flarn.com wrote:
Anyone have any information (anecdotal or otherwise) on the performance of cyrus versus UW-IMAPd on really big mailboxes (more than 1 gig/30k messages)? Or is this exclusively a function of mailbox format?
If you use mbox or mbox+ formats then performance will suck terribly on large mail boxes. For decent performance you need either Maildir or a database, although I suspect that most mail servers will have some performance issues with such a large mailbox regardless of format.
The recommended mailbox format for UW-IMAP is mbx - other mailbox formats are just for compatibility with other software. What is the mbox+ format that you are referring to? I do not see it mentioned in the list of mailbox formats supported by UW-IMAP[1].
Regarding the performance, it really depends on what you do. Cyrus makes it easier to set up large "sealed" imap servers, tends to use less memory per connection (the difference - from my experience - is not large) and usually opens mailboxes a bit faster. On the other hand, if you do a lot of searches, UW-IMAP is definitely superior. Otherwise, they are pretty similar.
Pawel
[1]. http://www.washington.edu/imap/documentation/drivers.txt.html
On May 7 Pawel Salek wrote:
Regarding the performance, it really depends on what you do. Cyrus makes it easier to set up large "sealed" imap servers, tends to use less memory per connection (the difference - from my experience - is not large) and usually opens mailboxes a bit faster. On the other hand, if you do a lot of searches, UW-IMAP is definitely superior. Otherwise, they
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Don't believe you. I searched my "lists.redhat" folder for the word "squatter" and it found 0 results from 13486 messages before I let go of the return key. It took less than two seconds to return the 55 hits (from the same 13486 messages) for the word "mailbox". My client is Pine, and my server is the Cyrus 2.2.3 RPM rebuilt on a meagre (twin 1Ghz PIII, 768M RAM, slowish 4-drive RAID5 array) FC1 server.
Hint: man squatter :)
On Fri, 2004-05-07 at 14:20, Ken Snider wrote:
Anyone have any information (anecdotal or otherwise) on the performance of cyrus versus UW-IMAPd on really big mailboxes (more than 1 gig/30k messages)? Or is this exclusively a function of mailbox format?
I wondered this myself, as one of the main reasons I switched to cyrus-imap was the woeful performance of uw-imap.
On UW-imap, mailboxes only 10meg in size took "a while" to open. Far longer than they should. On Cyrus, there was no noticeable delay between clicking on the message, and the message loading in the preview pane.
To _really_ test it out, I set up a small usenet feed (1 binary group) and delivered it to cyrus using fetchnews. Over the space of a few days, the group reached over 7gig in size, and performance was still really outstanding (i.e. far better than uw-imap with its 10meg mailboxes)
Note I was only testing with a single user on both UW and Cyrus, on a 1.7GHz P4/512MB Ram/80GIG WD HDD, but everything in cyrus outshined UW.
Is anyone else using Evolution/Pine + GSSAPI + Cyrus? How much does that rock :)
On 05/08/2004 05:37:54 AM, Dan wrote:
On Fri, 2004-05-07 at 14:20, Ken Snider wrote:
Anyone have any information (anecdotal or otherwise) on the performance of cyrus versus UW-IMAPd on really big mailboxes (more than 1 gig/30k messages)? Or is this exclusively a function of mailbox format?
I wondered this myself, as one of the main reasons I switched to cyrus-imap was the woeful performance of uw-imap.
On UW-imap, mailboxes only 10meg in size took "a while" to open. Far longer than they should. On Cyrus, there was no noticeable delay between clicking on the message, and the message loading in the preview pane.
Did you use mbx mailbox format with UW-IMAP? Did you try searching on the server side? -pawel
On Thu, May 06, 2004 at 10:08:53PM -0400, David Collantes wrote:
Cyrus on FC2 is compiled to use shadow passwords for authentication, so users must exist on the system before a mailbox is created with cyradm.
The main redeeming feature of cyrus, with its huge size and really PITA administration, is that it is possible to have mailboxes _without_ corresponding accounts on a server. So if this feature is killed it is difficult to imagine why anybody would want to use _that_.
$ rpm -qip cyrus-imapd-2.2.3-10.i386.rpm
.....
Size : 18429389
....
and that is not all of it. Also in a "description" part you can read:
<quote> It differs from other IMAP server implementations in that it is run on "sealed" servers, where users are not normally permitted to log in. </quote>
So what is here really correct?
Michal
On Fri, 2004-05-07 at 02:21, Michal Jaegermann wrote:
On Thu, May 06, 2004 at 10:08:53PM -0400, David Collantes wrote:
Cyrus on FC2 is compiled to use shadow passwords for authentication, so users must exist on the system before a mailbox is created with cyradm.
The main redeeming feature of cyrus, with its huge size and really PITA administration, is that it is possible to have mailboxes _without_ corresponding accounts on a server. So if this feature is killed it is difficult to imagine why anybody would want to use _that_.
Just to confirm what I have read: FC2 will NOT include the UW-IMAPD (I didn't see this in the release notes)???
If so, and if it is true that cyrus is not a drop-in replacement, can we start developing some upgrade documentation? Could people who have done this upgrade before give some details?
Is dovecot a better choice for those upgrading from UW-IMAPd?
Will Backman said: [snip]
Just to confirm what I have read: FC2 will NOT include the UW-IMAPD (I didn't see this in the release notes)???
http://download.fedora.redhat.com/pub/fedora/linux/core/test/1.92/i386/os/RE... "imap Replaced by cyrus-imapd"
If so, and if it is true that cyrus is not a drop-in replacement, can we start developing some upgrade documentation? Could people who have done this upgrade before give some details?
Is dovecot a better choice for those upgrading from UW-IMAPd?
dovecot is included too.
On Fri, 2004-05-07 at 10:36, William Hooper wrote:
Will Backman said: [snip]
Just to confirm what I have read: FC2 will NOT include the UW-IMAPD (I didn't see this in the release notes)???
http://download.fedora.redhat.com/pub/fedora/linux/core/test/1.92/i386/os/RE... "imap — Replaced by cyrus-imapd"
Sorry, missed that. Guess I was looking for "uw-imapd"
If so, and if it is true that cyrus is not a drop-in replacement, can we start developing some upgrade documentation? Could people who have done this upgrade before give some details?
Is dovecot a better choice for those upgrading from UW-IMAPd?
dovecot is included too.
From http://dovecot.org/
"Shared mailboxes aren't yet supported." "mbox support isn't yet perfect. For personal use it seems to work quite well, but there are a few known problems such as sometimes losing mails in Drafts-mailbox"
I'm scared.
On 5/7/2004 10:44 AM, Will Backman wrote:
From http://dovecot.org/ "Shared mailboxes aren't yet supported." "mbox support isn't yet perfect. For personal use it seems to work quite well, but there are a few known problems such as sometimes losing mails in Drafts-mailbox"
I'm scared.
Cyrus is better. Shared mailboxes, quota, robust. I am going to play with it a bit more to see if I can get it to work without the need of having the user on the shadow file (imap user not a unix user).
Cheers,
David Collantes wrote:
On 5/7/2004 10:44 AM, Will Backman wrote:
From http://dovecot.org/ "Shared mailboxes aren't yet supported." "mbox support isn't yet perfect. For personal use it seems to work quite well, but there are a few known problems such as sometimes losing mails in Drafts-mailbox"
I'm scared.
Cyrus is better. Shared mailboxes, quota, robust. I am going to play with it a bit more to see if I can get it to work without the need of having the user on the shadow file (imap user not a unix user).
You should be able to do this. I backend Cyrus IMAPd user accounts to an LDAP server using saslauthd, because it makes the management of the accounts easier for me. Before I started using an LDAP backend, I just put the user accounts in the sasldb2 file.
On Fri, May 07, 2004 at 10:54:36AM -0400, David Collantes wrote:
Cyrus is better. Shared mailboxes, quota, robust.
Cyrus has a different set of trade-offs. If you have hundreds or thousands of mail accounts, you need some things like quota, you have the manpower to maintain all of that, and you can set up a "sealed server" then surely cyrus is your choice. OTOH there are also frequent situations when you need an imap server for a rather small number of users, with simple needs and setup, and cyrus there is heavily "overqualified". It looks like that dovecot could fit here if not those scary remarks that it may lose some mails.
Dovecot also should be mentioned in notes as a possible, already provided, alternative to imapd-uw without leaving this position solely to cyrus.
Michal
On 5/7/2004 1:01 PM, Michal Jaegermann wrote:
Cyrus has a different set of trade-offs. If you have hundreds or thousands of mail accounts, you need some things like quota, you have the manpower to maintain all of that, and you can set up a "sealed server" then surely cyrus is your choice. OTOH there are also frequent situations when you need an imap server for a rather small number of users, with simple needs and setup, and cyrus there is heavily "overqualified".
If the Fedora team manages to make the Cyrus Imap as easy "drop-in" as sendmail has been (for most setups it just works), then it would be no problem on using Cyrus for big or small situations. After all, a Porsche can tow a boat.
Cheers,
On Mon, 2004-05-10 at 05:55, David Collantes wrote:
On 5/7/2004 1:01 PM, Michal Jaegermann wrote:
Cyrus has a different set of trade-offs. If you have hundreds or thousands of mail accounts, you need some things like quota, you have the manpower to maintain all of that, and you can set up a "sealed server" then surely cyrus is your choice. OTOH there are also frequent situations when you need an imap server for a rather small number of users, with simple needs and setup, and cyrus there is heavily "overqualified".
If the Fedora team manages to make the Cyrus Imap as easy "drop-in" as sendmail has been (for most setups it just works), then it would be no problem on using Cyrus for big or small situations. After all, a Porsche can tow a boat.
Just don't try to stop, or turn... :(
And yes, I used to drive a semi-tractor professionally, and did once jackknife. I was only going 15mph at the time, but still: "Not fun".
On Fri, 2004-05-07 at 13:01, Michal Jaegermann wrote:
On Fri, May 07, 2004 at 10:54:36AM -0400, David Collantes wrote:
Cyrus is better. Shared mailboxes, quota, robust.
Cyrus has a different set of trade-offs. If you have hundreds or thousands of mail accounts, you need some things like quota, you have the manpower to maintain all of that, and you can set up a "sealed server" then surely cyrus is your choice. OTOH there are also frequent situations when you need an imap server for a rather small number of users, with simple needs and setup, and cyrus there is heavily "overqualified". It looks like that dovecot could fit here if not those scary remarks that it may lose some mails.
Dovecot also should be mentioned in notes as a possible, already provided, alternative to imapd-uw without leaving this position solely to cyrus.
Michal
One issue for us is procmail. We use a nice program called the Procmail Email Sanitizer at http://www.impsec.org/email-tools/procmail-security.html which does a great job for us. I also use some other cool procmail scripts. I guess I'd have to find replacements.
On Thu, 13.05.2004 at 22:44, Will Backman wrote:
One issue for us is procmail. We use a nice program called the Procmail Email Sanitizer at http://www.impsec.org/email-tools/procmail-security.html which does a great job for us. I also use some other cool procmail scripts. I guess I'd have to find replacements.
Not necessarily. See
/usr/share/doc/cyrus-imapd-2.2.3/m4/cyrus-imapd-procmail+cyrus.mc
/usr/share/doc/cyrus-imapd-2.2.3/m4/cyrus-procmailrc
/usr/share/doc/cyrus-imapd-2.2.3/m4/cyrus-user-procmailrc.template
for how to use procmail as LDA with Sendmail, which then calls the cyrus deliver tool.
Alexander
On 5/13/2004 6:23 PM, Alexander Dalloz wrote:
One issue for us is procmail. We use a nice program called the Procmail Email Sanitizer at http://www.impsec.org/email-tools/procmail-security.html which does a great job for us. I also use some other cool procmail scripts. I guess I'd have to find replacements.
Not necessarily. See
/usr/share/doc/cyrus-imapd-2.2.3/m4/cyrus-imapd-procmail+cyrus.mc
/usr/share/doc/cyrus-imapd-2.2.3/m4/cyrus-procmailrc
/usr/share/doc/cyrus-imapd-2.2.3/m4/cyrus-user-procmailrc.template
for how to use procmail as LDA with Sendmail, which then calls the cyrus deliver tool.
I checked those files and it refers to a "deliver-wrapper" for which I could not find information anywhere. Does anyone know/has it documented how to use Sendmail -> Procmail -> Cyrus? I have searched and searched and everything I found is bogus and/or it doesn't work.
What did you end up doing, Will? Thanks for any input.
Cheers,
On Fri, May 07, 2004 at 10:05:44AM -0400, Will Backman wrote:
Just to confirm what I have read: FC2 will NOT include the UW-IMAPD (I didn't see this in the release notes)???
[Forwarded that point to Ed]
With respect to uw-imapd I'm sure it will also migrate to fedora extras (or for now fedora.us) if there are enough people willing to rebuild/test it
On Fri, 07.05.2004 at 08:21, Michal Jaegermann wrote:
On Thu, May 06, 2004 at 10:08:53PM -0400, David Collantes wrote:
Cyrus on FC2 is compiled to use shadow passwords for authentication, so users must exist on the system before a mailbox is created with cyradm.
<quote> It differs from other IMAP server implementations in that it is run on "sealed" servers, where users are not normally permitted to log in. </quote>
So what is here really correct?
Michal
I like to ask the same question, as it was still not answered / validated by the other replies:
Is the information by David Collantes correct that cyrus-imapd coming with FC2 can only be used with system user account for each mail user?
I hardly doubt that because it would be total nonsense to not compile against sasl and to force such a setup. I think it is wrong and that just the default setup uses saslauthd with MECH=shadow, like already on FC1 this is the default setup for Sendmail's and Postfix's SMTP AUTH. It would make some sense and the (more experienced) user can decide to use a different authentication mech / method for the mail account users like an LDAP backend or instead of using saslauthd directly requesting a sasldb2. As the upcoming cyrus-imapd package most widely is based on Simon Matter's great packaging (he does a really good job since long time), I assume being stuck with system user accounts is just wrong information.
Alexander
On Sat, 2004-05-08 at 02:45, Alexander Dalloz wrote:
On Fri, 07.05.2004 at 08:21, Michal Jaegermann wrote:
On Thu, May 06, 2004 at 10:08:53PM -0400, David Collantes wrote:
Cyrus on FC2 is compiled to use shadow passwords for authentication, so users must exist on the system before a mailbox is created with cyradm.
<quote> It differs from other IMAP server implementations in that it is run on "sealed" servers, where users are not normally permitted to log in. </quote>
So what is here really correct?
Michal
I like to ask the same question, as it was still not answered / validated by the other replies:
Is the information by David Collantes correct that cyrus-imapd coming with FC2 can only be used with system user account for each mail user?
Nope, I just beat it to death (learned all I know now about it in the last 2-3 hours) and I successfully used our official packages without users being listed in /etc/passwd or /etc/shadow by using sasldb authentication. I followed the instructions here:
http://asg.web.cmu.edu/cyrus/download/imapd/install.html
(specifically the "Authenticating Users" section)
I hardly doubt that because it would be total nonsense to not compile against sasl and to force such a setup. I think it is wrong and that just the default setup uses saslauthd with MECH=shadow, like already on FC1 this is the default setup for Sendmail's and Postfix's SMTP AUTH. It would make some sense and the (more experienced) user can decide to use a different authentication mech / method for the mail account users like an LDAP backend or instead of using saslauthd directly requesting a sasldb2. As the upcoming cyrus-imapd package most widely is based on Simon Matter's great packaging (he does a really good job since long time), I assume being stuck with system user accounts is just wrong information.
Alexander
The instructions I used (as you will see) do bypass saslauthd entirely by calling sasldb through 'auxprop'. I have not probed the murky depths of saslauthd yet at all.
On 5/9/2004 7:53 AM, Chris Kloiber wrote:
Nope, I just beat it to death (learned all I know now about it in the last 2-3 hours) and I successfully used our official packages without users being listed in /etc/passwd or /etc/shadow by using sasldb authentication. I followed the instructions here:
http://asg.web.cmu.edu/cyrus/download/imapd/install.html
(specifically the "Authenticating Users" section)
Can you (or anyone who knows) explain this in more detail? The pointer to the page, specifically that section, doesn't really cut it. The way imap.conf comes with FC2T3 is:
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
As we all know. Also, the file on /etc/sysconfig/saslauthd contains (among others):
MECH=shadow
With very little documentation about what was done on FC2T3, I created a password for imap admin user cyrus (listed on /etc/imapd.conf as "admins: cyrus"), --passwd cyrus--, su to it --su cyrus-- and after 'cyradm localhost', authenticating with the previously set password, I was ready to add users. Now those users had to be created on the system as regular users as well, just like cyrus is. And, of course, saslauthd must be running and so cyrus-imap.
The above procedures work. Proved. But, as some already noticed, the users created with cyradm must be also present on /etc/passwd and /etc/shadow and /etc/groups... in other words, they must be users of the system, even 'shell-less' one's, doesn't matter, they must be real users.
So, can you, or anyone, detail as simply as I just did, how to accomplish the userless (using /etc/sasldb or sasldb2) scenario?
Cheers,
On 5/9/2004 5:15 PM, David Collantes wrote:
So, can you, or anyone, detail as simply as I just did, how to accomplish the userless (using /etc/sasldb or sasldb2) scenario?
I forgot to add that certain entries are needed on sendmail to deliver to cyrus-imap mailboxes. I found this on Google somewhere (do not recall now), which I entered on my /etc/mail/sendmail.mc and later regenerated my sendmail.cf, which works fine:
MAILER(cyrus)
define(`confLOCAL_MAILER',`cyrus')
LOCAL_RULE_0
R$=N $:$#local $: $1
R$=N < @ $=w . > $: $#local $: $1
Rbb + $+ < @ $=w . > $#cyrusbb $: $1
Cheers,
On Sun, 09.05.2004 at 23:37, David Collantes wrote:
I forgot to add that certain entries are needed on sendmail to deliver to cyrus-imap mailboxes. I found this on Google somewhere (do not recall now), which I entered on my /etc/mail/sendmail.mc and later regenerated my sendmail.cf, which works fine:
MAILER(cyrus)
define(`confLOCAL_MAILER',`cyrus')
LOCAL_RULE_0
R$=N $:$#local $: $1
R$=N < @ $=w . > $: $#local $: $1
Rbb + $+ < @ $=w . > $#cyrusbb $: $1
Cheers,
David
But it's not correct. Valid settings in sendmail.mc are:
define(`confLOCAL_MAILER', `cyrusv2')dnl
define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
MAILER(cyrusv2)dnl
Andrzej Adam Filip has even created newer macros for the cyrus-imapd and sendmail combination:
http://anfi.homeunix.net/cyrus/
Setting the socket path is at least necessary with the Simon Matter RPM.
Alexander
On 5/9/2004 9:28 PM, Alexander Dalloz wrote:
define(`confLOCAL_MAILER', `cyrusv2')dnl
define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
MAILER(cyrusv2)dnl
Andrzej Adam Filip has even created newer macros for the cyrus-imapd and sendmail combination:
Thanks for the correction and the excellent resource URL, Alexander.
Cheers,
On Mon, 2004-05-10 at 10:53, David Collantes wrote:
On 5/9/2004 9:28 PM, Alexander Dalloz wrote:
define(`confLOCAL_MAILER', `cyrusv2')dnl
define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
MAILER(cyrusv2)dnl
Andrzej Adam Filip has even created newer macros for the cyrus-imapd and sendmail combination:
Thanks for the correction and the excellent resource URL, Alexander.
Cheers,
Things like this beg adding (commented out, perhaps) in the default sendmail.mc. Can you bugzilla please. If there are postfix changes necessary, bug that one too.
On Mon, 10.05.2004 at 06:09, Chris Kloiber wrote:
Things like this beg adding (commented out, perhaps) in the default sendmail.mc. Can you bugzilla please. If there are postfix changes necessary, bug that one too.
Chris Kloiber
Hi Chris,
you are absolutely right. I just filed following bugzilla RFEs:
1) Sendmail -> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=122909
2) Postfix -> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=122910
3) Exim -> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=122912
I hope it helps people willing to give Cyrus-IMAPd a chance. It's one of the most powerful IMAP/POP3 mail daemons with many features. Though or because of that setup is not trivial.
Alexander
P.S. off-topic, but did you leave Redhat? I ask, because you no longer use the @redhat.com mail address and I wonder.
On Mon, 10.05.2004 at 14:39, Alexander Dalloz wrote:
you are absolutely right. I just filed following bugzilla RFEs:
- Sendmail ->
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=122909
- Postfix ->
Replying to myself, I forgot to mention that everyone with good knowledge about Postfix and Exim - I am just a Sendmail addict - should contribute to the bugzilla entries with suggestions for pre-definitions making it easy to get the MTA + Cyrus-IMAPd combination running.
Alexander
On Mon, 2004-05-10 at 20:39, Alexander Dalloz wrote:
P.S. off-topic, but did you leave Redhat? I ask, because you no longer use the @redhat.com mail address and I wonder.
No, still here, but my @redhat.com email has a quota, my private email puts @gmail.google.com to shame (if I choose to use it all). One more good reason for figuring out cyrus asap, although that machine runs Red Hat Enterprise Linux 3 ES, not Fedora, as it is a "production" machine.
On Mon, 2004-05-10 at 05:15, David Collantes wrote:
On 5/9/2004 7:53 AM, Chris Kloiber wrote:
Nope, I just beat it to death (learned all I know now about it in the last 2-3 hours) and I successfully used our official packages without users being listed in /etc/passwd or /etc/shadow by using sasldb authentication. I followed the instructions here:
http://asg.web.cmu.edu/cyrus/download/imapd/install.html
(specifically the "Authenticating Users" section)
Can you (or anyone who knows) explain this in more detail? The pointer to the page, specifically that section, doesn't really cut it. The way imap.conf comes with FC2T3 is:
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
As we all know. Also, the file on /etc/sysconfig/saslauthd contains (among others):
MECH=shadow
With very little documentation about what was done on FC2T3, I created a password for imap admin user cyrus (listed on /etc/imapd.conf as "admins: cyrus"), --passwd cyrus--, su to it --su cyrus-- and after 'cyradm localhost', authenticating with the previously set password, I was ready to add users. Now those users had to be created on the system as regular users as well, just like cyrus is. And, of course, saslauthd must be running and so cyrus-imap.
The above procedures work. Proved. But, as some already noticed, the users created with cyradm must be also present on /etc/passwd and /etc/shadow and /etc/groups... in other words, they must be users of the system, even 'shell-less' one's, doesn't matter, they must be real users.
So, can you, or anyone, detail as simply as I just did, how to accomplish the userless (using /etc/sasldb or sasldb2) scenario?
/etc/imapd.conf:
sasl_pwcheck_method: auxprop
sasl_mech_list: PLAIN

Turn off saslauthd if nothing else is using it.

run, and create a password:
# touch /etc/sasldb2
# chown cyrus /etc/sasldb2
# saslpasswd2 cyrus
# service cyrus-imapd restart
# cyradm --user cyrus localhost
Then log in with the password you created with saslpasswd2. I was able to create mailboxes for users with no entries in /etc/passwd on the system, and access them from evolution. I was *NOT* able to delete those accounts using 'dm username' I keep getting 'permission denied'. That's something I'm probably not doing right.
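A check for the switch described in the message above, as an added example that is not part of the original post or of the Cyrus packages: it reports which backend `sasl_pwcheck_method` selects and, for `auxprop`, verifies that the sasldb2 file is owned by the Cyrus user and not accessible to group or others (sasldb2 holds passwords in plaintext, and a file created with `touch` under a umask of 022 is mode 0644). The function names, the optional owner argument and the constructed demo files are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit which password backend Cyrus IMAP is configured to use.
# Function names and the demo files are constructed for illustration.

# conf_value FILE KEY -> value of "KEY: value" in an imapd.conf-style file.
# Comment lines are skipped; if KEY repeats, the last one is reported
# (an assumption of this example, not documented Cyrus behaviour).
conf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            n = index($0, ":")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# audit_cyrus_auth IMAPD_CONF SASLDB SASLAUTHD_SYSCONFIG [OWNER]
# Returns 0 when the backend looks sane, 1 on a finding, and 2 when the
# method is not one of the two discussed in the thread.
audit_cyrus_auth() {
    a_conf=$1; a_db=$2; a_sys=$3; a_owner=${4:-cyrus}
    a_rc=0
    a_method=$(conf_value "$a_conf" sasl_pwcheck_method)
    echo "sasl_pwcheck_method: ${a_method:-<unset>}"
    echo "sasl_mech_list: $(conf_value "$a_conf" sasl_mech_list)"
    case $a_method in
    auxprop)
        echo "backend: sasldb via auxprop; mail users need no system account"
        if [ ! -f "$a_db" ]; then
            echo "FAIL: $a_db does not exist"
            return 1
        fi
        a_mode=$(ls -ld "$a_db" | awk '{ print $1 }')
        a_user=$(ls -ld "$a_db" | awk '{ print $3 }')
        # sasldb2 stores passwords in plaintext: only the owner may access it.
        case $a_mode in
        ????------*) echo "ok: $a_db mode $a_mode" ;;
        *) echo "FAIL: $a_db mode $a_mode grants access beyond its owner (chmod 600)"
           a_rc=1 ;;
        esac
        if [ "$a_user" = "$a_owner" ]; then
            echo "ok: $a_db owned by $a_user"
        else
            echo "FAIL: $a_db owned by $a_user, expected $a_owner"
            a_rc=1
        fi
        ;;
    saslauthd)
        a_mech=$(sed -n 's/^MECH=//p' "$a_sys" 2>/dev/null | tail -n 1)
        echo "backend: saslauthd, MECH=${a_mech:-<unset>}"
        if [ "$a_mech" = shadow ]; then
            echo "note: MECH=shadow checks /etc/shadow, so every mail user must be a system account"
        fi
        ;;
    *)
        echo "WARN: method not covered by this check"
        a_rc=2 ;;
    esac
    return $a_rc
}

# Demo on constructed files (not a real server's configuration).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' 'sasl_pwcheck_method: auxprop' \
        'sasl_mech_list: PLAIN' > "$d/imapd.conf"
    : > "$d/sasldb2"
    chmod 644 "$d/sasldb2"          # what touch leaves under umask 022
    me=$(ls -ld "$d/sasldb2" | awk '{ print $3 }')
    audit_cyrus_auth "$d/imapd.conf" "$d/sasldb2" /nonexistent "$me" && s=0 || s=$?
    echo "exit status: $s"
    chmod 600 "$d/sasldb2"
    audit_cyrus_auth "$d/imapd.conf" "$d/sasldb2" /nonexistent "$me" && s=0 || s=$?
    echo "exit status: $s"
    rm -rf "$d"
}
demo
```

On a real host the call would be `audit_cyrus_auth /etc/imapd.conf /etc/sasldb2 /etc/sysconfig/saslauthd`, using the paths named in the thread.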
On Mon, 10.05.2004 at 01:43, Chris Kloiber wrote:
Then log in with the password you created with saslpasswd2. I was able to create mailboxes for users with no entries in /etc/passwd on the system, and access them from evolution. I was *NOT* able to delete those accounts using 'dm username' I keep getting 'permission denied'. That's something I'm probably not doing right.
Chris Kloiber
That is a security feature. This avoids that users accidentally delete their mail account. The cyrus-imapd superuser would have to change the permissions. But even if you delete the mailbox inside cyrus the authentication data will persist in the sasldb(2) database unless root deletes the user. And the cyrus-imapd should be compiled with the autocreate patch, so that for users with login data the INBOX will be created automagically on first login/delivery.
Alexander
On Mon, 2004-05-10 at 09:35, Alexander Dalloz wrote:
On Mon, 10.05.2004 at 01:43, Chris Kloiber wrote:
Then log in with the password you created with saslpasswd2. I was able to create mailboxes for users with no entries in /etc/passwd on the system, and access them from evolution. I was *NOT* able to delete those accounts using 'dm username' I keep getting 'permission denied'. That's something I'm probably not doing right.
Chris Kloiber
That is a security feature. This avoids that users accidentally delete their mail account. The cyrus-imapd superuser would have to change the permissions. But even if you delete the mailbox inside cyrus the authentication data will persist in the sasldb(2) database unless root deletes the user. And the cyrus-imapd should be compiled with the autocreate patch, so that for users with login data the INBOX will be created automagically on first login/delivery.
Alexander
I was logged in as user 'cyrus'. I created a mailbox 'ckloiber' which worked, and I could set/remove permissions and store mail there. But I discovered that all mail boxes should be created like:
galileo.ckloiber.com> cm 'user.ckloiber'
Which gives that user an official 'INBOX:' So I was having difficulty running the command:
galileo.ckloiber.com> dm 'ckloiber'
Which I expect to work when I'm logged in as 'cyrus'. I suspect the difficulty may lie in the fact the mailbox to be deleted does not follow the naming convention.
On Mon, 10.05.2004 at 06:06, Chris Kloiber wrote:
I was logged in as user 'cyrus'. I created a mailbox 'ckloiber' which worked, and I could set/remove permissions and store mail there. But I discovered that all mail boxes should be created like:
I remember my first steps with Cyrus-IMAPd and I made the same mistake by creating a mail account with name adalloz instead of user.adalloz. Unfortunately I just do not remember how I got rid of the wrong box.
galileo.ckloiber.com> cm 'user.ckloiber'
Which gives that user an official 'INBOX:' So I was having difficulty running the command:
galileo.ckloiber.com> dm 'ckloiber'
Which I expect to work when I'm logged in as 'cyrus'. I suspect the difficulty may lie in the fact the mailbox to be deleted does not follow the naming convention.
Yes, with wrong naming it is not treated as a mailbox.
One other thing you should avoid - I did run into that fault by my own lack of knowledge - is, to define in /etc/imapd.conf an additional admin user
admins: cyrus kcloiber
i.e. here ckloiber and using that account as a normal mailbox too, because you may think it will make some maintenance easier. It will cause you much trouble with wrongly created entries in the cyrus mailbox storage.
Chris Kloiber
Alexander
On Mon, 2004-05-10 at 20:46, Alexander Dalloz wrote:
One other thing you should avoid - I did run into that fault by my own lack of knowledge - is, to define in /etc/imapd.conf an additional admin user
admins: cyrus kcloiber
i.e. here ckloiber and using that account as a normal mailbox too, because you may think it will make some maintenance easier. It will cause you much trouble with wrongly created entries in the cyrus mailbox storage.
This one I picked up on myself. What I haven't tested yet is if I cm 'user.ckloiber', do I need to use 'user.ckloiber' or 'ckloiber' as my username in imap clients to log in?
On Mon, 10.05.2004 at 19:54, Chris Kloiber wrote:
This one I picked up on myself. What I haven't tested yet is if I cm 'user.ckloiber', do I need to use 'user.ckloiber' or 'ckloiber' as my username in imap clients to log in?
Chris Kloiber
ckloiber will be your username with which you authenticate. Certainly, as long as we are speaking about a single domain setup. If running the new virtual domain hosting feature I am not sure whether you might authenticate with user@realm where realm is then the specific domain. I would guess it might be this way. You then will have to store the user auth data in the sasldb2 too with the proper realm set. As far as I remember the "user.accountname" scheme is for distinction between personal user mailboxes and shared boxes.
Alexander
On 5/9/2004 7:43 PM, Chris Kloiber wrote:
[...]
I was able to create mailboxes for users with no entries in /etc/passwd on the system, and access them from evolution. I was *NOT* able to delete those accounts using 'dm username' I keep getting 'permission denied'. That's something I'm probably not doing right.
I got that part to work. Simply do:
cyradm> sam user.usertobedeleted cyrus c
cyradm> dm user.usertobedeleted
Very nice, Chris. I really love Cyrus IMAP and the ability to create folders deep down, as well as the ACL, etc. And it is fast! Love it, really do.
Thanks for the tips and... cheers,
Is saslauthd installed and running? It has a test program, testsaslauthd. Make sure it works.
On Thu, 2004-05-06 at 13:01, seth doty wrote:
After upgrading from FC1 to FC2 test 3 I realized that FC2 uses cyrus-imap and not the standard IMAP package that FC1 used and that it doesn't use PAM by default because I can no longer log in through IMAP. The server is running fine because I can telnet to it but when attempting to log in I get an authentication error. I have looked around at cyrus documentation of the cyrus site and redhat's site but the admin tools (mkimap, cm.user, etc) do not work. I even tried changing the .conf file to pam authentication by changing the method to sasl_passwd_check: pam and I tried shadow. Any help getting users back in any way would be appreciated, thanks
An ye harm none, do as ye will!