Hi,

I'm having problems delivering messages via exim to Shared Folders under cyrus. I've googled around and futzed with configuration options for an entire afternoon and not got very far, so I'm wondering if anyone here can help me.

First, here's a few words about my configuration.

I'm running a Debian etch server with the cyrus-2.2 (2.2.13-10) packages installed. I'm using exim 4.63 as my MTA. Exim's set up to relay outgoing mail via authenticated SMTP and incoming mail for a few domains. SMTP authentication uses the same database as the cyrus IMAP server. Here's how my plaintext exim authenticator works:

    server_condition = ${if saslauthd{{${local_part:$2}}{$3}{smtpauth}{${domain:$2}}}{1}{0}}

I'm using cyrus in "virtdomains: userid" mode.

I'm doing delivery to cyrus over authenticated LMTP via a socket. I'm running lmtp like this:

    lmtp cmd="lmtpd" listen="localhost:lmtp" prefork=0 maxchild=20

I have "lmtp_admins: exim" in /etc/imapd.conf

Exim is authenticating to the LMTP server with CRAM-MD5 as user exim. Delivery works for users in all domains.

I have no "postuser:" setting in /etc/imapd.conf so I'm assuming that it's default and I can address shared folders with the "+xxx@domain" address.

I have created the following shared folders in cyradm:

    shared.test@xxxxxxxxxxxxxx (\HasNoChildren)
    shared@xxxxxxxxxxxxxx (\HasChildren)

...and here are the permissions:

    shared@xxxxxxxxxxxxxx:
      anyone lrs

    shared.test@xxxxxxxxxxxxxx:
      exim lrswipcda
      andyjpb@xxxxxxxxxxxxxx lrswipcda
      anyone lrs

I can insert and delete messages in shared.test via IMAP when I'm authenticated as andyjpb@xxxxxxxxxxxxxx

Whatever permissions I give to andyjpb@xxxxxxxxxxxxxx I can't insert or delete messages in shared via IMAP when I'm authenticated as andyjpb@xxxxxxxxxxxxxx

Are top level folders special?

With the ACLs above, I ran a test. Sending messages to any user at any domain that I have set up, from anywhere, works fine.

I connected to my SMTP server, authenticated as andyjpb@xxxxxxxxxxxxxx and sent a message to "+shared.test@xxxxxxxxxxxxxx". If the mailbox does not exist I get a message saying so. If the mailbox does exist (as configured above) then I get a different error message, so I'm pretty happy that I've got the correct eMail address for the mailbox I created...

The message was accepted by exim and then immediately bounced. ... I don't do local part checking at RCPT time in submission mode.

Anyway, I switched on the Cyrus session logging for the exim user and here's what I got. It includes the error message that was sent in the bounce message.

-----
---------- exim Mon Apr 20 22:57:35 2009

>1240264655>235 Authenticated!
<1240264655<MAIL FROM:<andyjpb@xxxxxxxxxxxxxx> SIZE=2523
RCPT TO:<+shared.test@xxxxxxxxxxxxxx>
DATA
>1240264655>250 2.1.0 ok
550-You do not have permission to post a message to this mailbox.
550-Please contact the owner of this mailbox in order to submit
550-your message, or postmaster if you believe you
550-received this message in error.
550 5.7.1 Permission denied
503 5.5.1 No recipients
<1240264655<QUIT
>1240264655>221 2.0.0 bye
-----

The log then continues with the successful delivery of the bounce message to andyjpb@xxxxxxxxxxxxxx

The bounce message doesn't contain the "503 5.5.1 No recipients" line: it stops at "550 5.7.1 Permission denied"

So... It looks like exim is authenticating as the exim user, which is in lmtp_admins. I also tried putting exim in admins and it didn't change anything.

Is there any way of getting more information about who was authenticated and who was authorised? Here's what I get in syslog:

-----
verify_user(ashurst.eu.org!shared.test) failed: Permission denied
-----

Here's the ACL that's on andyjpb@xxxxxxxxxxxxxx's INBOX:

    andyjpb@xxxxxxxxxxxxxx lrswipcda

...so exim doesn't have 'p' rights there but it can still deliver mail there.

exim isn't in a domain: all the other users are.
I'm not sure if that is an issue when using Cyrus in "virtdomains: user_id" mode, and I haven't got exim configured to connect to lmtp as a different user depending on the domain.

RCPT TO: in the error looks like the correct mailbox. MAIL FROM: is a user that has 'p' permission on the mailbox. I don't see an AUTH line tho...

I'm authenticating as exim who should be able to authorise as andyjpb@xxxxxxxxxxxxxxx How can I be sure that that is happening? If it's not then as exim has 'p' rights on the mailbox it should be able to post as itself anyway.

I haven't done anything special in exim as the documentation led me to believe that the authentication automatically falls through.

If I give "anyone" 'p' rights then messages are delivered without errors.

As a last ditch attempt, I just reconfigured exim to use PLAIN rather than CRAM-MD5 when authenticating to LMTP so that I could explicitly send the exim authenticated sender along to LMTP. Here's the authentication details I used:

-----
client_send = $authenticated_sender^exim^<PASSWORD>
-----

I think that should send the exim authenticated sender along as the authorisation and exim and <PASSWORD> along as the authentication.

Does anyone have any idea what I am doing incorrectly or whether I should be doing something that I am not?

Many thanks for your time.

Regards,
@ndy

--
andyjpb@xxxxxxxxxxxxxx
http://www.ashurst.eu.org/
http://www.gonumber.com/andyjpb
0x7EBA75FF
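
Added example, not part of the original post: in the telemetry log, MAIL FROM, RCPT TO and DATA go out as one pipelined batch, so each reply has to be matched back to its command by position. This Python sketch does that for the lines copied from the log and shows that the 503 is the reply to DATA once the only RCPT was refused; the function names are illustrative.

```python
import re

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")

# Lines copied from the telemetry log in the post (addresses redacted as there).
CLIENT = [
    "MAIL FROM:<andyjpb@xxxxxxxxxxxxxx> SIZE=2523",
    "RCPT TO:<+shared.test@xxxxxxxxxxxxxx>",
    "DATA",
]
SERVER = [
    "250 2.1.0 ok",
    "550-You do not have permission to post a message to this mailbox.",
    "550-Please contact the owner of this mailbox in order to submit",
    "550-your message, or postmaster if you believe you",
    "550-received this message in error.",
    "550 5.7.1 Permission denied",
    "503 5.5.1 No recipients",
]

def group_replies(lines):
    """Fold 'NNN-' continuation lines into the reply closed by 'NNN '."""
    replies, text = [], []
    for line in lines:
        m = REPLY.match(line)
        if not m:
            raise ValueError(f"not a reply line: {line!r}")
        code, sep, rest = m.groups()
        text.append(rest)
        if sep == " ":
            replies.append((int(code), " ".join(text)))
            text = []
    if text:
        raise ValueError("truncated multi-line reply")
    return replies

def pair(commands, reply_lines):
    """Pipelined replies arrive in command order, one reply per command."""
    replies = group_replies(reply_lines)
    if len(replies) != len(commands):
        raise ValueError("command/reply count mismatch")
    return [(c.split(":")[0], code, text) for c, (code, text) in zip(commands, replies)]

def rejected(commands, reply_lines):
    """Verbs that drew a 4xx/5xx reply, with the reply code."""
    return [(v, code) for v, code, _ in pair(commands, reply_lines) if code >= 400]

if __name__ == "__main__":
    for verb, code, text in pair(CLIENT, SERVER):
        print(f"{verb:<9} -> {code} {text}")
```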
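
Added example, not part of the original post: one way to check which identity ends up as authorisation and which as authentication in a PLAIN exchange built from a `client_send` string like the one above. It applies Exim's rule that a single `^` in the string becomes a NUL byte (and `^^` a literal `^`), then splits the result per RFC 4616 (`[authzid] NUL authcid NUL passwd`). The already-expanded input strings and the password are constructed, and the function names are illustrative.

```python
import base64

def exim_client_send_to_bytes(expanded: str) -> bytes:
    """Convert an expanded client_send string: '^' -> NUL, '^^' -> '^'."""
    data, out, i = expanded.encode("utf-8"), bytearray(), 0
    while i < len(data):
        if data[i:i + 2] == b"^^":
            out += b"^"
            i += 2
        elif data[i:i + 1] == b"^":
            out += b"\0"
            i += 1
        else:
            out.append(data[i])
            i += 1
    return bytes(out)

def parse_plain(message: bytes) -> dict:
    """Split an RFC 4616 PLAIN message into its three fields."""
    parts = message.split(b"\0")
    if len(parts) != 3:
        raise ValueError(f"expected 3 NUL-separated fields, got {len(parts)}")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("authcid and passwd must be non-empty")
    # An empty authzid means the server derives it from the authcid.
    return {"authzid": authzid or None, "authcid": authcid, "passwd_len": len(passwd)}

def decode_auth_plain(b64: str) -> dict:
    """Decode the base64 argument of an 'AUTH PLAIN <data>' line from a log."""
    return parse_plain(base64.b64decode(b64, validate=True))

if __name__ == "__main__":
    # Constructed inputs: what client_send might look like after expansion.
    for expanded in ("andyjpb@xxxxxxxxxxxxxx^exim^not-a-real-password",
                     "^exim^not-a-real-password"):  # sender expanded to empty
        wire = exim_client_send_to_bytes(expanded)
        print(base64.b64encode(wire).decode(), parse_plain(wire))
```

The second input shows the case where the sender variable expands to an empty string: the message is still valid PLAIN, but no authorisation identity is requested and the session simply runs as `exim`.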