====== [[http://www.cyrusimap.org/|Cyrus IMAP Server]] ======
* [[http://wiki2.dovecot.org/Pigeonhole/Sieve/Examples|Sieve Examples]]
===== User mailbox migration for Cyrus =====
<code bash>
# Convert the old flat databases to the skiplist backend (prints the commands to run)
for db in deliver.db mailboxes.db; do echo "cvt_cyrusdb /var/lib/cyrus/$db.flat flat /var/lib/cyrus/$db skiplist"; done
# Create the SASL accounts for the admin and the user
saslpasswd2 cyrus
saslpasswd2 dmitry
cyradm --user dmitry localhost
# Print the cyradm "cm" commands that recreate the user's folder hierarchy.
# Run from inside the user's spool directory: "cut -c3-" strips the leading "./",
# and -mindepth 1 skips the directory itself.
cd /var/spool/cyrus/mail/d/user/dmitry && find . -mindepth 1 -type d | sort | cut -c3- | tr "/" "." | while read dir; do echo "cm \"INBOX.$dir\""; done
</code>
Also read [[http://cynici.wordpress.com/2010/12/06/how-to-migrate-32-bit-cyrus-imapd-mailboxes-to-64-bit|How to migrate 32-bit Cyrus IMAPD mailboxes to 64-bit]] and ''/usr/share/doc/cyrus-common-2.2/README.Debian.database.gz''.
===== Questions answered =====
=== Cyrus sieve does not want to accept SASL PLAIN authentication with "auxprop" ''sasl_pwcheck_method'' ===
Cyrus sieve does not want to accept SASL PLAIN authentication with ''sasl_pwcheck_method: auxprop''. In the cron log:
<code>
cyrus/sieve: badlogin: PLAIN no mechanism available
</code>
Install the package ''libsasl2-modules'' and check that the following libraries are present:
<code>
/usr/lib/sasl2/libplain.so
/usr/lib/sasl2/liblogin.so
</code>
Also check the output of ''sivtest'':
<code>
$ sivtest
WARNING: no hostname supplied, assuming localhost
S: "IMPLEMENTATION" "Cyrus timsieved v2.2.10"
S: "SASL" "PLAIN"
S: "SIEVE" "fileinto reject envelope vacation imapflags notify subaddress relational comparator-i;ascii-numeric regex"
S: OK
Please enter your password:
C: AUTHENTICATE "PLAIN" {20+}
xGbXAyRKeQB1drtjUmc5
S: OK
Authenticated.
Security strength factor: 0
</code>
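The ''{20+}'' literal above is the base64-encoded SASL PLAIN message (RFC 4616); it is the same thing ''imtest'' sends after ''AUTHENTICATE PLAIN'' and what is typed after ''AUTH PLAIN'' when testing Postfix with ''openssl s_client''. The following Python is an added example, not code from this page or from Cyrus: it builds and decodes that message, with ''dmitry''/''secret7'' as constructed sample credentials. Because the encoding is reversible, any capture or log that contains the literal contains the password, which is why ''allowplaintext: no'' and ''smtpd_tls_auth_only = yes'' matter.

```python
import base64


def sasl_plain_encode(authcid: str, passwd: str, authzid: str = "") -> str:
    """Build an RFC 4616 PLAIN message ([authzid] NUL authcid NUL passwd)
    and return it base64-encoded, exactly as the client sends it."""
    for field in (authzid, authcid, passwd):
        if "\x00" in field:
            # NUL is the field separator, so it can never appear inside a field
            raise ValueError("NUL byte not allowed in a PLAIN field")
    raw = f"{authzid}\x00{authcid}\x00{passwd}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def sasl_plain_decode(b64: str):
    """Reverse of sasl_plain_encode: recover (authzid, authcid, passwd).
    Shows that the literal is an encoding, not a protection."""
    raw = base64.b64decode(b64, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("PLAIN message must have exactly two NUL separators")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return authzid, authcid, passwd


def managesieve_authenticate(authcid: str, passwd: str) -> str:
    """The two lines sivtest sends: AUTHENTICATE "PLAIN" {N+} followed by
    the literal, where N is the length of the base64 text."""
    b64 = sasl_plain_encode(authcid, passwd)
    return f'AUTHENTICATE "PLAIN" {{{len(b64)}+}}\r\n{b64}\r\n'


def imap_authenticate(authcid: str, passwd: str, tag: str = "A01") -> str:
    """The single line imtest sends when the server advertises SASL-IR
    (the initial response travels on the AUTHENTICATE command itself)."""
    return f"{tag} AUTHENTICATE PLAIN {sasl_plain_encode(authcid, passwd)}\r\n"


def credential_from_capture(line: str):
    """Given a captured client line (imtest style, or the bare sivtest
    literal), return the account name and password it exposes."""
    token = line.strip().split()[-1]
    _, authcid, passwd = sasl_plain_decode(token)
    return authcid, passwd


if __name__ == "__main__":
    # constructed sample credentials, not real ones
    print(managesieve_authenticate("dmitry", "secret7"), end="")
    print(credential_from_capture(imap_authenticate("dmitry", "secret7")))
```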
=== How to configure Cyrus+Postfix+SASL? ===
Cyrus should be configured as follows((For more information check [[http://www.sendmail.org/~ca/email/cyrus2/sysadmin.html|here]])):
<code>
allowanonymouslogin: no
allowplaintext: no
sasl_mech_list: PLAIN
sasl_pwcheck_method: saslauthd
sasl_auto_transition: no
</code>
For the Cyrus+Postfix connection we need to make sure that Postfix can talk to Cyrus via the UNIX socket. I tried to remount the socket with ''mount %%--%%bind /var/run/cyrus/socket/lmtp /var/spool/postfix/private/lmtp'' with no success. The following appears in the cron log:
<code>
postfix/local: warning: unexpected end-of-input from private/lmtp socket while reading input attribute name
postfix/local: warning: private/lmtp socket: malformed response
</code>
The configuration worked when lmtp runs **not** chrooted. In ''/etc/postfix/master.cf'':
<code>
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
lmtp      unix  -       -       n       -       -       lmtp
</code>
Then in ''/etc/postfix/main.cf'':
<code>
mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp
</code>
----
Another possibility is to bind-mount the complete directory containing the Cyrus socket into the chroot. The same is done for the ''saslauthd'' socket:
<code bash>
mkdir -p /var/spool/postfix/var/run/saslauthd
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
mkdir -p /var/spool/postfix/var/run/cyrus
dpkg-statoverride --add cyrus mail 710 /var/spool/postfix/var/run/cyrus
</code>
and the bind mounts in ''/etc/fstab'':
<code>
/var/run/saslauthd /var/spool/postfix/var/run/saslauthd none bind 0 0
/var/run/cyrus /var/spool/postfix/var/run/cyrus none bind 0 0
</code>
or to configure Cyrus and ''saslauthd'' to place their sockets inside the Postfix chroot:
You need to configure ''saslauthd'' via the ''/etc/saslauthd.conf'' configuration file.
For Postfix((See more information [[http://www.postfix.org/SASL_README.html|here]], [[http://www.greens.org/~cls/linux/howtos/smtp-auth-saslauthd.html|here]] and [[http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html#d0e1860|here]]. Also refer to ''/usr/share/doc/sasl2-bin/README.Debian.gz'' and ''/usr/share/doc/postfix/README.Debian'')), in ''/etc/postfix/main.cf'':
<code>
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
# smtpd_ (server side); the smtp_ variant configures the SMTP client
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp
</code>
and in the SASL configuration for ''smtpd'' (on Debian ''/etc/postfix/sasl/smtpd.conf''):
<code>
pwcheck_method: saslauthd
mech_list: plain login
</code>
To test the SMTP server with ''STARTTLS'' use the following command((Taken from [[http://qmail.jms1.net/test-auth.shtml|here]])):
<code bash>
openssl s_client -starttls smtp -quiet -crlf -connect localhost:25
</code>
If you get this message:
<code>
535 5.7.8 Error: authentication failed: another step is needed in authentication
</code>
it means that the realm Postfix uses does not match the one SASL expects. Make sure that ''smtpd_sasl_local_domain'' has the correct value.
=== How to set up SASL LDAP authentication without the ''saslauthd'' daemon (only using the module)? ===
* ''apt-get install libsasl2-modules-ldap'' or install the following [[http://southbrain.com/south/2008/06/writing-a-cyrus-sasl-ldap-auxp.html|alternative ldap module]].
* A special user should be added to LDAP:
<code>
dn: cn=sasluser,cn=centurion
objectclass: person
objectclass: extensibleObject
cn: sasluser
sn: sasluser
uid: sasluser
userPassword: secret
authzTo: ldap:///cn=persons,cn=centurion??one?(objectClass=mailAccount)
</code>
* LDAP should be configured to store passwords as plain text and to enable authentication forwarding:
<code>
olcPasswordHash: {CLEARTEXT}
olcAuthzPolicy: to
olcAuthzRegexp: uid=(.*),cn=.*,cn=auth ldap:///cn=persons,cn=centurion??one?(&(objectclass=mailAccount)(uid=$1))
</code>
* Read the following articles about how to set up Cyrus to use LDAP authentication via the LDAP proxy mechanism:
* [[http://www.postfix.ru/viewtopic.php?p=774|postfix ldap cyrus-imap]]
* [[http://www.mail-archive.com/cyrus-sasl@lists.andrew.cmu.edu/msg00105.html|Can't get SASL Authentication to work]]
* [[http://bgbilling.ru/v4.3/doc/ch12s04.html|Building a mail system with Exim + Cyrus + OpenLDAP on FreeBSD]]
* [[http://www.irbs.net/internet/cyrus-sasl/0505/0119.html|Security of authorization proxy password in imapd.conf file]]
* [[http://www.mail-archive.com/info-cyrus@lists.andrew.cmu.edu/msg32662.html|groups, members, LDAP and ptloader]]
* [[http://www.mail-archive.com/cyrus-sasl@lists.andrew.cmu.edu/msg00109.html|Can't get SASL Authentication to work]]
* [[http://cyrusimap.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=8425|Sponsoring a canon_user plugin for LDAP lookup]]
* [[http://lists.andrew.cmu.edu/pipermail/info-cyrus/2004-March/007781.html|Cyrus IMAP 2.2.3 & ldapdb auxprop]]
* [[http://osdir.com/ml/security.cyrus.sasl/2006-10/msg00001.html|Cyrus IMAPd → SASL auxprop-plugin: ldapdb]]
* [[https://www.mail-archive.com/info-cyrus@lists.andrew.cmu.edu/msg39405.html|Cyrus-Imap and auxprop ldap]]
* [[http://postfix.state-of-mind.de/patrick.koetter/surviving_cyrus_sasl.pdf|Surviving Cyrus SASL]]
* [[http://lists.andrew.cmu.edu/pipermail/info-cyrus/2010-November/034155.html|Problems testing cyrus imap server (cyrus sasl + ldapdb plugin)]]
* [[http://wiki.linuxwall.info/doku.php/en:ressources:dossiers:postfix:sasl_ldapdb|Postfix AUTH using SASL and LDAPDB]]
* [[http://www.redhat.com/archives/rhl-list/2005-December/msg02649.html|LDAP + Cyrus IMAP + Postfix on FC4]]
* [[http://osdir.com/ml/security.cyrus.sasl/2006-04/msg00053.html|ldapdb: error: invalid parameter supplied]]
* [[http://www.openldap.org/doc/admin24/sasl.html|Using SASL]]
After installation of the module the following appeared in the logs:
<code>
slapd[840]: auxpropfunc error invalid parameter supplied
slapd[840]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
slapd[840]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
slapd[840]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
cyrus/lmtpunix[27973]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
cyrus/lmtpunix[27973]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
</code>
=== [[serverfault>511083|TLS server engine: cannot load cert/key data]] ===
Check that the key (PEM) is readable by the ''cyrus'' user (e.g. make it readable by group ''mail'').
=== Cyrus ''STARTTLS'' does not work ===
When Cyrus is configured to support ''STARTTLS'' I get the following error messages:
<code>
cyrus/imap: error initializing TLS
cyrus/imap: TLS server engine: cannot load CA data
cyrus/imap: unable to get certificate from '/etc/ssl/server/server.pem'
cyrus/imap: TLS server engine: cannot load cert/key data, may be a cert/key mismatch?
cyrus/imap: error initializing TLS
</code>
Make sure that you've concatenated the certificate and the private key with command ''%%cat /etc/ssl/server/server.key >> /etc/ssl/server/server.pem; rm /etc/ssl/server/server.key;%%''
Also test ''STARTTLS'' with the following command:
<code>
$ imtest -t "" -p imap
WARNING: no hostname supplied, assuming localhost
S: * OK centurion.domain.com IMAP4 v1.2 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS LOGINDISABLED
S: C01 OK Completed
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN SASL-IR
S: C01 OK Completed
Please enter your password:
C: A01 AUTHENTICATE PLAIN A2asaXRyeQe1ZmtRbmzy
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256
C: Q01 LOGOUT
S: BYE LOGOUT received
S: Q01 OK Completed
</code>
or alternatively (''-connect'' takes the host:port pair, as in the SMTP test above):
<code>
$ openssl s_client -starttls imap -connect localhost:143
CONNECTED(00000003)
depth=1 /CN=Dmitry Katsubo Root/O=Dmitry Katsubo Personal Certificate/C=BY/L=Minsk
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=centurion.domain.com/O=Centurion Server/C=NL/L=Amsterdam
   i:/CN=Dmitry Katsubo Root/O=Dmitry Katsubo Personal Certificate/C=BY/L=Minsk
 1 s:/CN=Dmitry Katsubo Root/O=Dmitry Katsubo Personal Certificate/C=BY/L=Minsk
   i:/CN=Dmitry Katsubo Root/O=Dmitry Katsubo Personal Certificate/C=BY/L=Minsk
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDQjCCAioCCQCwdYxxfBYD7DANBgkqhkiG9w0BAQUFADBpMRwwGgYDVQQDExNE
bWl0cnkgS2F0c3VibyBSb290MSwwKgYDVQQKEyNEbWl0cnkgS2F0c3VibyBQZXJz
CBDQvF1N1GwfzqMmpZdQTPeRoFgPqw==
-----END CERTIFICATE-----
---
SSL handshake has read 21792 bytes and written 485 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: A4487C0E1F9E242867C4F33F59711EDF618C27CA6431D20D2FE40AAC9505ADC9
    Session-ID-ctx:
    Master-Key: AB340216CC22A72BDB431BBAA56FD31198438EC15569CB0123A36ADA6D26F5FE9B24D4617EDA50F9E6FD3FA36C20F6F2
    Key-Arg   : None
    Start Time: 1291335267
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
. OK Completed
</code>
{{tag>Cyrus IMAP Postfix LDAP mail}}