for db in deliver.db mailboxes.db; do echo "cvt_cyrusdb /var/lib/cyrus/$db.flat flat /var/lib/cyrus/$db skiplist"; done
saslpasswd2 cyrus
saslpasswd2 dmitry
cyradm --user dmitry localhost
find /var/spool/cyrus/mail/d/user/dmitry -type d | sort | cut -c3- | tr "/" "." | while read dir; do echo "cm \"INBOX.$dir\""; done
Also read How to migrate 32-bit Cyrus IMAPD mailboxes to 64-bit and /usr/share/doc/cyrus-common-2.2/README.Debian.database.gz.
sasl_pwcheck_method
sasl_pwcheck_method: auxprop
. In cron log:
cyrus/sieve: badlogin: PLAIN no mechanism available
libsasl2-modules, check the following libraries are present:
/usr/lib/sasl2/libplain.so
/usr/lib/sasl2/liblogin.so
Also check the output of sivtest:
$ sivtest
WARNING: no hostname supplied, assuming localhost
S: "IMPLEMENTATION" "Cyrus timsieved v2.2.10"
S: "SASL" "PLAIN"
S: "SIEVE" "fileinto reject envelope vacation imapflags notify subaddress relational comparator-i;ascii-numeric regex"
S: OK
Please enter your password:
C: AUTHENTICATE "PLAIN" {20+}
xGbXAyRKeQB1drtjUmc5
S: OK
Authenticated.
Security strength factor: 0
allowanonymouslogin: no
allowplaintext: no
sasl_mech_list: PLAIN
sasl_pwcheck_method: saslauthd
sasl_auto_transition: no
For the Cyrus+Postfix connection we need to make sure that Postfix can negotiate with Cyrus via a UNIX socket. I tried to remount the socket with
mount --bind /var/run/cyrus/socket/lmtp /var/spool/postfix/private/lmtp
with no success. The following appears in the cron log:
postfix/local: warning: unexpected end-of-input from private/lmtp socket while reading input attribute name
postfix/local: warning: private/lmtp socket: malformed response
The configuration worked when we ran lmtp outside the chrooted environment. In /etc/postfix/master.cf:
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
lmtp      unix  -       -       n       -       -       lmtp
Then in /etc/postfix/main.cf:
mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp
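The chroot interaction described above can be checked mechanically. The following is an added example, not code from the original page: it reads master.cf and main.cf text and reports where a chrooted service would actually look for a `transport:unix:/path` socket. The function names, the sample input and the `/var/spool/postfix` jail directory are assumptions made for the illustration.

```python
# Added example (not from the original page): find Postfix transports whose
# UNIX socket path is looked up inside the chroot jail of the delivering service.
CHROOT = "/var/spool/postfix"  # assumption: Debian queue directory, as on this page

# Constructed input: the failing variant, with the lmtp service chrooted.
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
lmtp      unix  -       -       y       -       -       lmtp
"""
MAIN_CF = "mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp\n"


def chrooted_services(master_cf, default_chroot=True):
    """Map service name -> chrooted? from column 5 of master.cf.

    default_chroot=True mirrors the "(yes)" default in the page's header
    comment; "-" in the column means "use the default".
    """
    jailed = {}
    for line in master_cf.splitlines():
        if not line.strip() or line[0] in "# \t":
            continue  # blank, comment or continuation line
        fields = line.split()
        if len(fields) >= 8:
            flag = fields[4]
            jailed[fields[0]] = default_chroot if flag == "-" else flag == "y"
    return jailed


def jailed_socket_paths(main_cf, master_cf, chroot=CHROOT):
    """Return (parameter, service, path as seen from the host) for every
    transport:unix:/path setting whose service runs chrooted."""
    jailed = chrooted_services(master_cf)
    findings = []
    for line in main_cf.splitlines():
        key, _, value = line.partition("=")
        parts = value.strip().split(":", 2)  # e.g. lmtp, unix, /var/run/...
        if len(parts) == 3 and parts[1] == "unix" and jailed.get(parts[0]):
            findings.append((key.strip(), parts[0], chroot + parts[2]))
    return findings


if __name__ == "__main__":
    for param, service, path in jailed_socket_paths(MAIN_CF, MASTER_CF):
        print(f"{param}: chrooted '{service}' will open {path}")
```

A reported path is where the socket has to exist on the host for the chrooted service to reach it; with `n` in the chroot column the list is empty.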
Another possibility is to mount the complete directory with the Cyrus socket. The same will be done for the saslauthd socket:
mkdir -p /var/spool/postfix/var/run/saslauthd
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
mkdir -p /var/spool/postfix/var/run/cyrus
dpkg-statoverride --add cyrus mail 710 /var/spool/postfix/var/run/cyrus
/var/run/saslauthd /var/spool/postfix/var/run/saslauthd none bind 0 0
/var/run/cyrus /var/spool/postfix/var/run/cyrus none bind 0 0
or to configure Cyrus and saslauthd socket to use sockets in Postfix chrooted environment:
You need to configure saslauthd via /etc/saslauthd.conf configuration file.
For Postfix:
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtp_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp
pwcheck_method: saslauthd
mech_list: plain login
To test the SMTP server with STARTTLS use the following command:
openssl s_client -starttls smtp -quiet -crlf -connect localhost:25
If you get this message:
535 5.7.8 Error: authentication failed: another step is needed in authentication
that means the realm which Postfix uses does not match SASL's. Make sure that smtpd_sasl_local_domain has the correct value.
saslauthd daemon (only using the module)?
apt-get install libsasl2-modules-ldap
or install the following alternative ldap module.
dn: cn=sasluser,cn=centurion
objectclass: person
objectclass: extensibleObject
cn: sasluser
sn: sasluser
uid: sasluser
userPassword: secret
authzTo: ldap:///cn=persons,cn=centurion??one?(objectClass=mailAccount)
olcPasswordHash : {CLEARTEXT}
olcAuthzPolicy: to
olcAuthzRegexp: uid=(.*),cn=.*,cn=auth ldap:///cn=persons,cn=centurion??one?(&(objectclass=mailAccount)(uid=$1))
slapd[840]: auxpropfunc error invalid parameter supplied
slapd[840]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
slapd[840]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
slapd[840]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
cyrus/lmtpunix[27973]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
cyrus/lmtpunix[27973]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
cyrus user (e.g. make them readable by group mail).
STARTTLS
does not work STARTTLS
I get the following error message:
cyrus/imap: error initializing TLS
cyrus/imap: TLS server engine: cannot load CA data
cyrus/imap: unable to get certificate from '/etc/ssl/server/server.pem'
cyrus/imap: TLS server engine: cannot load cert/key data, may be a cert/key mismatch?
cyrus/imap: error initializing TLS
cat /etc/ssl/server/server.key >> /etc/ssl/server/server.pem; rm /etc/ssl/server/server.key;
Also test STARTTLS with the following command:
$ imtest -t "" -p imap
WARNING: no hostname supplied, assuming localhost
S: * OK centurion.domain.com IMAP4 v1.2 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS LOGINDISABLED
S: C01 OK Completed
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN SASL-IR
S: C01 OK Completed
Please enter your password:
C: A01 AUTHENTICATE PLAIN A2asaXRyeQe1ZmtRbmzy
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256
C: Q01 LOGOUT
S: BYE LOGOUT received
S: Q01 OK Completed
or alternative one:
openssl s_client -starttls imap -host localhost:143
CONNECTED(00000003)
depth=1 /CN=Dmitry Katsubo Root/O=Dmitry Katsubo Personal Certificate/C=BY/L=Minsk
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=centurion.domain.com/O=Centurion Server/C=NL/L=Amsterdam
   i:/CN=Dmitry Katsubo Root/O=Dmitry Katsubo Personal Certificate/C=BY/L=Minsk
 1 s:/CN=Dmitry Katsubo Root/O=Dmitry Katsubo Personal Certificate/C=BY/L=Minsk
   i:/CN=Dmitry Katsubo Root/O=Dmitry Katsubo Personal Certificate/C=BY/L=Minsk
---
Server certificate
-----BEGIN CERTIFICATE----
MIIDQjCCAioCCQCwdYxxfBYD7DANBgkqhkiG9w0BAQUFADBpMRwwGgYDVQQDExNE
bWl0cnkgS2F0c3VibyBSb290MSwwKgYDVQQKEyNEbWl0cnkgS2F0c3VibyBQZXJz
CBDQvF1N1GwfzqMmpZdQTPeRoFgPqw==
-----END CERTIFICATE-----
---
SSL handshake has read 21792 bytes and written 485 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1
    Cipher : AES256-SHA
    Session-ID: A4487C0E1F9E242867C4F33F59711EDF618C27CA6431D20D2FE40AAC9505ADC9
    Session-ID-ctx:
    Master-Key: AB340216CC22A72BDB431BBAA56FD31198438EC15569CB0123A36ADA6D26F5FE9B24D4617EDA50F9E6FD3FA36C20F6F2
    Key-Arg : None
    Start Time: 1291335267
    Timeout : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
. OK Completed
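The imtest session above shows the effect of `allowplaintext: no`: before STARTTLS the server advertises LOGINDISABLED and no AUTH=PLAIN, and only after the TLS handshake does AUTH=PLAIN appear. The following added example (not from the original page) turns that observation into a check over a saved transcript; the function names and the abbreviated transcript are constructed for the illustration.

```python
# Added example (not from the original page): audit an imtest-style transcript
# for authentication that would be possible before TLS is negotiated.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # mechanisms that send the password itself

# Constructed transcript, abbreviated from the imtest session shown above.
GOOD = """\
S: * OK centurion.domain.com IMAP4 v1.2 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 IDLE STARTTLS LOGINDISABLED
S: C01 OK Completed
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 IDLE AUTH=PLAIN SASL-IR
S: C01 OK Completed
"""


def capabilities_by_phase(transcript):
    """Collect advertised capabilities before and after the TLS handshake."""
    phases = {"cleartext": set(), "tls": set()}
    phase = "cleartext"
    for line in transcript.splitlines():
        if line.startswith("TLS connection established"):
            phase = "tls"
        elif line.startswith("S: * CAPABILITY "):
            phases[phase].update(line.split()[3:])
    return phases


def audit(transcript):
    """Return a list of findings; an empty list means the cleartext phase is safe."""
    clear = capabilities_by_phase(transcript)["cleartext"]
    findings = []
    exposed = {c[5:] for c in clear if c.startswith("AUTH=")} & PLAINTEXT_MECHS
    if exposed:
        findings.append("plaintext SASL before TLS: " + ",".join(sorted(exposed)))
    if "LOGINDISABLED" not in clear:
        findings.append("LOGIN command allowed before TLS")
    if "STARTTLS" not in clear:
        findings.append("STARTTLS not offered")
    return findings


if __name__ == "__main__":
    print(audit(GOOD) or "no cleartext authentication path")
```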