Cyrus IMAP Server

User mailbox migration for Cyrus

# Convert the flat-file databases to skiplist; this loop only prints the commands, run them as the cyrus user
for db in deliver.db mailboxes.db; do echo "cvt_cyrusdb /var/lib/cyrus/$db.flat flat /var/lib/cyrus/$db skiplist"; done
# Create the sasldb entries for the admin and for the migrated user
saslpasswd2 cyrus
saslpasswd2 dmitry
# Open an admin session as the user; the loop below prints one "cm" per folder directory under the
# user's spool (relative to it, hence "cd" and "find ."), sorted so parents come first, to paste into cyradm
cyradm --user dmitry localhost
cd /var/spool/cyrus/mail/d/user/dmitry && find . -mindepth 1 -type d | sort | cut -c3- | tr "/" "." | while read dir; do echo "cm \"INBOX.$dir\""; done

Also read "How to migrate 32-bit Cyrus IMAPD mailboxes to 64-bit" and /usr/share/doc/cyrus-common-2.2/README.Debian.database.gz.

Questions answered

Cyrus sieve does not want to accept SASL PLAIN authentication with “auxprop” sasl_pwcheck_method

Cyrus sieve (timsieved) refuses SASL PLAIN authentication with sasl_pwcheck_method: auxprop. In the cron log:

cyrus/sieve: badlogin: PLAIN no mechanism available

Install the package libsasl2-modules and check that the mechanism plugins are present:
/usr/lib/sasl2/libplain.so
/usr/lib/sasl2/liblogin.so

Also check the output of sivtest:

$ sivtest
WARNING: no hostname supplied, assuming localhost

S: "IMPLEMENTATION" "Cyrus timsieved v2.2.10"
S: "SASL" "PLAIN"
S: "SIEVE" "fileinto reject envelope vacation imapflags notify subaddress relational comparator-i;ascii-numeric regex"
S: OK
Please enter your password:
C: AUTHENTICATE "PLAIN" {20+}
xGbXAyRKeQB1drtjUmc5
S: OK
Authenticated.
Security strength factor: 0

A security strength factor of 0 means the session was neither TLS-protected nor SASL-encrypted: the PLAIN response above carries the user name and password in clear (base64 is encoding, not encryption). That is fine for a loopback test like this one, but remote access should be tested through STARTTLS (sivtest -t "") so that the credentials never cross the network in plain text.

How to configure Cyrus+Postfix+SASL?

Cyrus should be configured as follows 1):

/etc/imapd.conf

allowanonymouslogin: no
allowplaintext: no
sasl_mech_list: PLAIN
sasl_pwcheck_method: saslauthd
sasl_auto_transition: no

With allowplaintext: no, Cyrus advertises LOGINDISABLED and withholds AUTH=PLAIN until STARTTLS has completed, so the only mechanism in sasl_mech_list is ever used inside TLS; the imtest transcript further down shows exactly that change in the CAPABILITY response.

For the Cyrus+Postfix connection we need to make sure that Postfix can negotiate with Cyrus via a UNIX socket. I tried to remount the socket with mount --bind /var/run/cyrus/socket/lmtp /var/spool/postfix/private/lmtp with no success. The following comes in the cron log:

postfix/local: warning: unexpected end-of-input from private/lmtp socket while reading input attribute name
postfix/local: warning: private/lmtp socket: malformed response

The configuration worked when lmtp is not run in the chrooted environment. In /etc/postfix/master.cf:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
lmtp      unix  -       -       n       -       -       lmtp

Then in /etc/postfix/main.cf:

mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp

Another possibility is to bind-mount the complete directory containing the Cyrus socket into the chroot. The same is done for the saslauthd socket:

mkdir -p /var/spool/postfix/var/run/saslauthd
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd

mkdir -p /var/spool/postfix/var/run/cyrus
dpkg-statoverride --add cyrus mail 710 /var/spool/postfix/var/run/cyrus

/etc/fstab

/var/run/saslauthd   /var/spool/postfix/var/run/saslauthd  none  bind  0  0
/var/run/cyrus       /var/spool/postfix/var/run/cyrus      none  bind  0  0

The 710 modes above grant traversal to the owning group only, so the user the chrooted Postfix processes run as must be a member of sasl and of mail respectively (adduser postfix sasl, and likewise for mail), and the bind mounts have to be in place before Postfix starts.

or, alternatively, point saslauthd and Cyrus at socket paths that already lie inside the Postfix chroot:

saslauthd takes its socket directory from its -m option (on Debian this is set in OPTIONS in /etc/default/saslauthd, e.g. -m /var/spool/postfix/var/run/saslauthd; /etc/saslauthd.conf only holds the LDAP backend settings), and the Cyrus LMTP socket path is the listen= value of the lmtpunix entry in /etc/cyrus.conf. Whichever way the sockets end up inside the chroot, the paths in smtpd.conf and main.cf must be written as the chrooted process sees them.
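The failure behind the warnings above is that a chrooted lmtp process resolves the absolute socket path underneath queue_directory. The following script is an added example (not from this page, nor Postfix's own code) that reads main.cf and master.cf, works out the path the delivery agent will really open, and reports whether a socket is there. The fixture files it writes are constructed for the demonstration, and treating "-" in the chroot column as "y" is the Postfix 2.x default this page was written against (3.0 and later default to "n").

```sh
#!/bin/sh
# Added example, not from the original page: resolve where Postfix's lmtp
# delivery agent will actually open the Cyrus socket, taking the chroot
# column of master.cf into account, and report whether it exists.
# The fixture written by make_fixture is constructed for this demo.

# chroot flag of the "lmtp unix" service in master.cf $1 (column 5).
# "-" takes the default: "y" on Postfix 2.x (assumed here), "n" from 3.0 on.
lmtp_chroot_flag() {
    awk '$1 == "lmtp" && $2 == "unix" { f = ($5 == "-") ? "y" : $5; print f; exit }' "$1"
}

# Value of main.cf parameter $2 in file $1 (last assignment wins, as in Postfix).
main_cf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Socket path from "mailbox_transport = lmtp:unix:/path".
lmtp_socket_path() {
    main_cf_value "$1" mailbox_transport | sed -n 's/^lmtp:unix://p'
}

# Path the lmtp process will open: an absolute path is resolved inside
# queue_directory when the service runs chrooted, as written otherwise.
effective_socket_path() {
    main=$1 master=$2
    qdir=$(main_cf_value "$main" queue_directory)
    qdir=${qdir:-/var/spool/postfix}
    sock=$(lmtp_socket_path "$main")
    case $(lmtp_chroot_flag "$master") in
        y) echo "$qdir$sock" ;;
        *) echo "$sock" ;;
    esac
}

# "present" if the effective path is a socket, otherwise "missing: <path>".
check_lmtp_socket() {
    p=$(effective_socket_path "$1" "$2")
    if [ -S "$p" ]; then echo present; else echo "missing: $p"; fi
}

# Constructed fixture under $1: a chroot directory plus the two config files,
# with the lmtp service chrooted and no socket bind-mounted into it.
make_fixture() {
    mkdir -p "$1/chroot"
    printf 'queue_directory = %s/chroot\nmailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp\n' "$1" > "$1/main.cf"
    printf 'lmtp      unix  -       -       y       -       -       lmtp\n' > "$1/master.cf"
}

if [ "$#" -eq 2 ]; then
    check_lmtp_socket "$1" "$2"     # usage: script /etc/postfix/main.cf /etc/postfix/master.cf
fi
```

Run it against the real /etc/postfix files: a "missing: /var/spool/postfix/var/run/cyrus/socket/lmtp" line tells you the chroot is the problem before you touch master.cf or fstab.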

For Postfix 2):

/etc/postfix/main.cf

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
# server-side option: smtpd_, not smtp_ (which governs Postfix acting as an SMTP client)
smtpd_sasl_security_options = noanonymous
# offer AUTH only inside TLS, since PLAIN and LOGIN send the password in clear
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp

/etc/postfix/sasl/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain login

To test the SMTP server with STARTTLS use the following command 3):

openssl s_client -starttls smtp -quiet -crlf -connect localhost:25

If you get this message:

535 5.7.8 Error: authentication failed: another step is needed in authentication

it means that the realm Postfix uses does not match the one SASL expects. Make sure that smtpd_sasl_local_domain has the correct value.
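To exercise the AUTH path end to end rather than typing it by hand, the script below (an added example, not part of the page and not Postfix's own code) builds the SASL PLAIN initial response itself, pushes it through the openssl s_client session shown above and maps the reply to a verdict, including the realm-mismatch message quoted above. Host, port, user and password are placeholders given on the command line.

```sh
#!/bin/sh
# Added example, not from the original page: drive an AUTH PLAIN login
# through openssl s_client over STARTTLS and classify the server's reply.
# Host, user and password are placeholders supplied on the command line.

# SASL PLAIN initial response: base64( authzid NUL authcid NUL password ),
# with an empty authorization identity so the server derives it from the user.
sasl_plain_token() {
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# Map the reply to the AUTH command onto a short verdict. The 535 wording
# below is the one the page associates with an smtpd_sasl_local_domain /
# SASL realm mismatch; any other 535 is treated as a plain credential failure.
classify_auth_reply() {
    case $1 in
        235*) echo ok ;;
        "535 5.7.8 Error: authentication failed: another step is needed in authentication"*)
            echo realm-mismatch ;;
        535*) echo bad-credentials ;;
        *) echo other ;;
    esac
}

# Talk to the server: EHLO again after STARTTLS, AUTH PLAIN, QUIT.
# -quiet implies -ign_eof, so s_client stays up until the server closes after
# QUIT; the sleeps just keep the commands in order. -crlf adds the CR SMTP needs.
# Prints the verdict on stdout and the raw AUTH reply on stderr.
smtp_auth_test() {
    host=$1 port=$2 user=$3 pass=$4
    token=$(sasl_plain_token "$user" "$pass")
    reply=$( { sleep 1; printf 'EHLO test.example\n'; sleep 1
               printf 'AUTH PLAIN %s\n' "$token"; sleep 1; printf 'QUIT\n'; } \
           | openssl s_client -starttls smtp -quiet -crlf -connect "$host:$port" 2>/dev/null \
           | grep -E '^(235|[45][0-9][0-9]) ' | head -n 1 )
    echo "$reply" >&2
    classify_auth_reply "$reply"
}

if [ "$#" -eq 4 ]; then
    smtp_auth_test "$1" "$2" "$3" "$4"   # usage: script localhost 25 dmitry 'password'
fi
```

The password is sent only after the TLS handshake, which is the same property smtpd_tls_auth_only enforces on the server side; if the server ever answered AUTH before STARTTLS, that setting is not in effect.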

How to setup SASL LDAP authentication without saslauthd daemon (only using the module)?

After installing the ldapdb module the following appeared in the logs:

slapd[840]: auxpropfunc error invalid parameter supplied
slapd[840]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
slapd[840]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
slapd[840]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb

cyrus/lmtpunix[27973]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
cyrus/lmtpunix[27973]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb

Both slapd and lmtpunix report it because every application that loads Cyrus SASL tries to initialise the ldapdb plugin. "invalid parameter supplied" is the text of SASL_BADPARAM, which the plugin returns when it is started without its connection options; those (ldapdb_uri, ldapdb_id, ldapdb_mech, and ldapdb_pw or ldapdb_rc for the bind credentials) are read from the calling application's SASL options, in imapd.conf with the sasl_ prefix (sasl_ldapdb_uri and so on).

TLS server engine: cannot load cert/key data

Check that the PEM key file is readable by the cyrus user, e.g. chgrp mail and mode 640, while keeping it unreadable by everyone else: the file holds the private key.

Cyrus STARTTLS does not work

When Cyrus is configured to support STARTTLS I get the following error message:

cyrus/imap: error initializing TLS
cyrus/imap: TLS server engine: cannot load CA data
cyrus/imap: unable to get certificate from '/etc/ssl/server/server.pem'
cyrus/imap: TLS server engine: cannot load cert/key data, may be a cert/key mismatch?
cyrus/imap: error initializing TLS

Make sure that the certificate and the private key are concatenated into the one file Cyrus reads, with the command cat /etc/ssl/server/server.key >> /etc/ssl/server/server.pem; rm /etc/ssl/server/server.key; the combined file now contains the private key, so give it the restrictive permissions from the previous answer. The "cannot load CA data" line concerns tls_ca_file / tls_ca_path in imapd.conf (the option names of this Cyrus version): if the issuing CA certificate is missing or unreadable there, fix that as well.
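A quick way to confirm both conditions before restarting Cyrus, as an added example that is not from the page: the script below checks that the key and certificate in a combined PEM file actually belong together (the "cert/key mismatch" the log suspects) and that the file is not world-readable. The key pair it generates is throwaway test material created locally; the paths are placeholders.

```sh
#!/bin/sh
# Added example, not from the original page: confirm that a combined PEM
# file holds a certificate and a private key that belong together, and that
# the file is not world-readable, before handing it to Cyrus as both
# tls_cert_file and tls_key_file. Test material is generated locally.

# "match" if the private key in $1 corresponds to the certificate in $1.
# Both openssl commands skip PEM blocks of the other type, so the
# concatenated server.pem can be fed to each directly; the public keys are
# compared in their SubjectPublicKeyInfo PEM form.
pem_cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || { echo mismatch; return; }
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || { echo mismatch; return; }
    if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# "ok" if $1 has no read bit for "other"; the private key must not be world-readable.
pem_perms_ok() {
    case $(ls -ld "$1" | cut -c8) in
        -) echo ok ;;
        *) echo world-readable ;;
    esac
}

# Constructed fixture in $1: a self-signed cert with its key in server.pem
# (created with a 077 umask, like the real file should be) and wrong.pem,
# the same cert glued to an unrelated key and left world-readable.
make_fixture() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=localhost \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
    ( umask 077
      cat "$dir/server.crt" "$dir/server.key" > "$dir/server.pem"
      cat "$dir/server.crt" "$dir/other.key"  > "$dir/wrong.pem" )
    chmod 644 "$dir/wrong.pem"
}

if [ "$#" -eq 1 ]; then
    echo "cert/key: $(pem_cert_key_match "$1"), permissions: $(pem_perms_ok "$1")"   # usage: script /etc/ssl/server/server.pem
fi
```

Point it at the file named in the log line ("unable to get certificate from ..."): "mismatch" means the concatenation picked up the wrong key or no key at all, "world-readable" means the permissions need fixing before Cyrus is restarted.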

Also test STARTTLS with following command:

$ imtest -t "" -p imap
WARNING: no hostname supplied, assuming localhost

S: * OK centurion.domain.com IMAP4 v1.2 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS LOGINDISABLED
S: C01 OK Completed
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN SASL-IR
S: C01 OK Completed
Please enter your password:
C: A01 AUTHENTICATE PLAIN A2asaXRyeQe1ZmtRbmzy
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256
C: Q01 LOGOUT
S: BYE LOGOUT received
S: Q01 OK Completed

or, alternatively, with openssl (the -connect option takes the host:port pair):

openssl s_client -starttls imap -connect localhost:143
CONNECTED(00000003)
depth=1 /CN=Dmitry Katsubo Root/O=Dmitry Katsubo Personal Certificate/C=BY/L=Minsk
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=centurion.domain.com/O=Centurion Server/C=NL/L=Amsterdam
   i:/CN=Dmitry Katsubo Root/O=Dmitry Katsubo Personal Certificate/C=BY/L=Minsk
 1 s:/CN=Dmitry Katsubo Root/O=Dmitry Katsubo Personal Certificate/C=BY/L=Minsk
   i:/CN=Dmitry Katsubo Root/O=Dmitry Katsubo Personal Certificate/C=BY/L=Minsk
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDQjCCAioCCQCwdYxxfBYD7DANBgkqhkiG9w0BAQUFADBpMRwwGgYDVQQDExNE
bWl0cnkgS2F0c3VibyBSb290MSwwKgYDVQQKEyNEbWl0cnkgS2F0c3VibyBQZXJz
CBDQvF1N1GwfzqMmpZdQTPeRoFgPqw==
-----END CERTIFICATE-----
---
SSL handshake has read 21792 bytes and written 485 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: A4487C0E1F9E242867C4F33F59711EDF618C27CA6431D20D2FE40AAC9505ADC9
    Session-ID-ctx:
    Master-Key: AB340216CC22A72BDB431BBAA56FD31198438EC15569CB0123A36ADA6D26F5FE9B24D4617EDA50F9E6FD3FA36C20F6F2
    Key-Arg   : None
    Start Time: 1291335267
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
. OK Completed

Verify return code 19 only says that s_client was not given the issuing CA; rerun with -CAfile pointing at the CA certificate and expect "Verify return code: 0 (ok)". Until that is the case the handshake proves that TLS works, not that clients will trust the certificate.

1) For more information check here
2) See more information here and here and here. Also refer /usr/share/doc/sasl2-bin/README.Debian.gz and /usr/share/doc/postfix/README.Debian
3) Taken from here
software/cyrus.txt · Last modified: 2011/02/02 00:51 by dmitry
 
 