Ah I forgot to add that I am using Debian Wheezy 7.0 ------ Original Message ------ From: "Karol Pomaski" <kpomaski@xxxxxxxxxxxxxx> To: "Dan White" <dwhite@xxxxxxx> Cc: info-cyrus@xxxxxxxxxxxxxxxxxxxx Sent: 1/25/2014 8:28:49 PM Subject: Re[2]: Postfix with Cyrus Imap >Hey, > >Yes I have all the files. I am using Debian, do you know if this patch >is already there? >Here I send you all my configuration files. Could you check what is >incorrect? Also while trying to connect through cyradm using 'cyrus' >user it doesn't permit me to enter. Which password should be used for >cyrus user? > >imapd.conf >------------- > > ># Debian Cyrus imapd.conf ># See imapd.conf(5) for more information and more options > ># Configuration directory >configdirectory: /var/lib/cyrus > ># Directories for proc and lock files >proc_path: /run/cyrus/proc >mboxname_lockpath: /run/cyrus/lock > ># Which partition to use for default mailboxes >defaultpartition: default >partition-default: /var/spool/cyrus/mail > ># News setup >partition-news: /var/spool/cyrus/news >newsspool: /var/spool/news > ># Alternate namespace ># If enabled, activate the alternate namespace as documented in ># /usr/share/doc/cyrus-doc-2.4/html/altnamespace.html, where an user's ># subfolders are in the same level as the INBOX ># See also userprefix and sharedprefix on imapd.conf(5) >altnamespace: no > ># UNIX Hierarchy Convention ># Set to yes, and cyrus will accept dots in names, and use the forward ># slash "/" to delimit levels of the hierarchy. This is done by >converting ># internally all dots to "^", and all "/" to dots. So the >"rabbit.holes" ># mailbox of user "helmer.fudd" is stored in >"user.elmer^fud.rabbit^holes" >unixhierarchysep: yes >allowusermoves: yes >servername: mail.test.com >postmaster: postmaster >duplicatesuppression: 0 > > ># Rejecting illegal characters in headers ># Headers of RFC2882 messages must not have characters with the 8th bit ># set. However, too many badly-written MUAs generate this, including >most ># spamware. Enable this to reject such messages. >#reject8bit: yes > ># Munging illegal characters in headers ># Headers of RFC2882 messages must not have characters with the 8th bit ># set. However, too many badly-written MUAs generate this, including >most ># spamware. If you kept reject8bit disabled, you can choose to leave >the ># crappage untouched by disabling this (if you don't care that IMAP >SEARCH ># won't work right anymore. >#munge8bit: no > ># Forcing recipient user to lowercase ># Cyrus IMAPD is case-sensitive. If all your mail users are in >lowercase, it is ># probably a very good idea to set lmtp_downcase_rcpt to true. This is >set by ># default, per RFC2821. This was not set by default in debian versions >up to ># and including 2.2.12-4. >lmtp_downcase_rcpt: yes > ># Uncomment the following and add the space-separated users who ># have admin rights for all services. >admins: cyrus > ># Space-separated list of users that have lmtp "admin" status (i.e. >that ># can deliver email through TCP/IP lmtp). If specified, this parameter ># overrides the "admins" parameter above >#lmtp_admins: postman > ># Space-separated list of users that have mupdate "admin" status, in ># addition to those in the admins: entry above. Note that mupdate >slaves >and ># backends in a Murder cluster need to autenticate against the mupdate >master ># as admin users. >#mupdate_admins: mupdateman > ># Space-separated list of users that have imapd "admin" status, in ># addition to those in the admins: entry above >#imap_admins: cyrus > ># Space-separated list of users that have sieve "admin" status, in ># addition to those in the admins: entry above >#sieve_admins: cyrus > ># List of users and groups that are allowed to proxy for other users, ># seperated by spaces. Any user listed in this will be allowed to login ># for any other user. Like "admins:" above, you can have >imap_proxyservers ># and sieve_proxyservers. >#proxyservers: cyrus > ># No anonymous logins >allowanonymouslogin: no > ># Minimum time between POP mail fetches in minutes >popminpoll: 1 > ># If nonzero, normal users may create their own IMAP accounts by >creating ># the mailbox INBOX. The user's quota is set to the value if it is >positive, ># otherwise the user has unlimited quota. >autocreatequota: -1 > ># umask used by Cyrus programs >umask: 027 > ># Sendmail binary location ># DUE TO A BUG, Cyrus sends CRLF EOLs to this program. This breaks Exim >3. ># For now, to work around the bug, set this to a wrapper that calls ># /usr/sbin/sendmail -dropcr instead if you use Exim 3. >#sendmail: /usr/sbin/sendmail > >virtdomains: on > ># If enabled, cyrdeliver will look for Sieve scripts in user's home ># directories: ~user/.sieve. >sieveusehomedir: false > ># If sieveusehomedir is false, this directory is searched for Sieve >scripts. >sievedir: /var/spool/sieve > ># notifyd(8) method to use for "MAIL" notifications. If not set, "MAIL" ># notifications are disabled. Valid methods are: null, log, zephyr >#mailnotifier: zephyr > ># notifyd(8) method to use for "SIEVE" notifications. If not set, >"SIEVE" ># notifications are disabled. This method is only used when no method >is ># specified in the script. Valid methods are null, log, zephyr, mailto >#sievenotifier: zephyr > ># If enabled, the partitions will also be hashed, in addition to the >hashing ># done on configuration directories. This is recommended if one >partition has a ># very bushy mailbox tree. >hashimapspool: true > ># Allow plaintext logins by default (SASL PLAIN) >allowplaintext: yes > ># Force PLAIN/LOGIN authentication only ># (you need to uncomment this if you are not using an auxprop-based >SASL ># mechanism. saslauthd users, that means you!). And pay attention to ># sasl_minimum_layer and allowapop below, too. >sasl_mech_list: PLAIN LOGIN > ># Allow use of the POP3 APOP authentication command. ># Note that this command requires that the plaintext passwords are ># available in a SASL auxprop backend (eg. sasldb), and that the system ># can provide enough entropy (eg. from /dev/urandom) to create a >challenge ># in the banner. >#allowapop: no > ># The minimum SSF that the server will allow a client to negotiate. A ># value of 1 requires integrity protection; any higher value requires >some ># amount of encryption. >sasl_minimum_layer: 0 > ># The maximum SSF that the server will allow a client to negotiate. A ># value of 1 requires integrity protection; any higher value requires >some ># amount of encryption. >#sasl_maximum_layer: 256 > ># List of remote realms whose users may log in using cross-realm ># authentications. Seperate each realm name by a space. A cross-realm ># identity is considered any identity returned by SASL with an "@" in >it. ># NOTE: To support multiple virtual domains on the same interface/IP, ># you need to list them all as loginreals. If you don't list them here, ># (most of) your users probably won't be able to log in. >#loginrealms: example.com > ># Enable virtual domain support. If enabled, the user's domain will ># be determined by splitting a fully qualified userid at the last '@' ># or '%' symbol. If the userid is unqualified, and the virtdomains ># option is set to "on", then the domain will be determined by doing ># a reverse lookup on the IP address of the incoming network ># interface, otherwise the user is assumed to be in the default ># domain (if set). >#virtdomains: userid > ># The default domain for virtual domain support ># If the domain of a user can't be taken from its login and it can't ># be determined by doing a reverse lookup on the interface IP, this ># domain is used. >#defaultdomain: > ># ># SASL library options (these are handled directly by the SASL >libraries, ># refer to SASL documentation for an up-to-date list of these) ># > ># The mechanism(s) used by the server to verify plaintext passwords. >Possible ># values are "saslauthd", "auxprop", "pwcheck" and "alwaystrue". They ># are tried in order, you can specify more than one, separated by >spaces. ># ># Do note that, since sasl will be run as user cyrus, you may have a >lot >of ># trouble to set this up right. >sasl_pwcheck_method: saslauthd > ># What auxpropd plugins to load, if using sasl_pwcheck_method: auxprop ># by default, all plugins are tried (which is probably NOT what you >want). >#sasl_auxprop_plugin: sasldb > ># If enabled, the SASL library will automatically create authentication >secrets ># when given a plaintext password. Refer to SASL documentation >sasl_auto_transition: no > ># ># SSL/TLS Options ># > ># File containing the global certificate used for ALL services (imap, >pop3, ># lmtp, sieve) >#tls_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem > ># File containing the private key belonging to the global server >certificate. >#tls_key_file: /etc/ssl/private/ssl-cert-snakeoil.key > ># File containing the certificate used for imap. If not specified, the >global ># certificate is used. A value of "disabled" will disable SSL/TLS for >imap. >#imap_tls_cert_file: /etc/ssl/certs/cyrus-imap.pem > ># File containing the private key belonging to the imap-specific server ># certificate. If not specified, the global private key is used. A >value >of ># "disabled" will disable SSL/TLS for imap. >#imap_tls_key_file: /etc/ssl/private/cyrus-imap.key > ># File containing the certificate used for pop3. If not specified, the >global ># certificate is used. A value of "disabled" will disable SSL/TLS for >pop3. >#pop3_tls_cert_file: /etc/ssl/certs/cyrus-pop3.pem > ># File containing the private key belonging to the pop3-specific server ># certificate. If not specified, the global private key is used. A >value >of ># "disabled" will disable SSL/TLS for pop3. >#pop3_tls_key_file: /etc/ssl/private/cyrus-pop3.key > ># File containing the certificate used for lmtp. If not specified, the >global ># certificate is used. A value of "disabled" will disable SSL/TLS for >lmtp. >#lmtp_tls_cert_file: /etc/ssl/certs/cyrus-lmtp.pem > ># File containing the private key belonging to the lmtp-specific server ># certificate. If not specified, the global private key is used. A >value >of ># "disabled" will disable SSL/TLS for lmtp. >#lmtp_tls_key_file: /etc/ssl/private/cyrus-lmtp.key > ># File containing the certificate used for sieve. If not specified, the >global ># certificate is used. A value of "disabled" will disable SSL/TLS for >sieve. >#sieve_tls_cert_file: /etc/ssl/certs/cyrus-sieve.pem > ># File containing the private key belonging to the sieve-specific >server ># certificate. If not specified, the global private key is used. A >value >of ># "disabled" will disable SSL/TLS for sieve. >#sieve_tls_key_file: /etc/ssl/private/cyrus-sieve.key > ># File containing one or more Certificate Authority (CA) certificates. >#tls_ca_file: /etc/ssl/certs/cyrus-imapd-ca.pem > ># Path to directory with certificates of CAs. >tls_ca_path: /etc/ssl/certs > ># The length of time (in minutes) that a TLS session will be cached for >later ># reuse. The maximum value is 1440 (24 hours), the default. A value of >0 >will ># disable session caching. >tls_session_timeout: 1440 > ># The list of SSL/TLS ciphers to allow, in decreasing order of >precedence. ># The format of the string is described in ciphers(1). The Debian >default ># selects TLSv1 high-security ciphers only, and removes all anonymous >ciphers ># from the list (because they provide no defense against >man-in-the-middle ># attacks). It also orders the list so that stronger ciphers come >first. >tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH > ># Require a client certificate for ALL services (imap, pop3, lmtp, >sieve). >#tls_require_cert: false > ># Require a client certificate for imap ONLY. >#imap_tls_require_cert: false > ># Require a client certificate for pop3 ONLY. >#pop3_tls_require_cert: false > ># Require a client certificate for lmtp ONLY. >#lmtp_tls_require_cert: false > ># Require a client certificate for sieve ONLY. >#sieve_tls_require_cert: false > ># ># Cyrus Murder cluster configuration ># ># Set the following options to the values needed for this server to ># autenticate against the mupdate master server: ># mupdate_server ># mupdate_port ># mupdate_username ># mupdate_authname ># mupdate_realm ># mupdate_password ># mupdate_retry_delay > >## >## KEEP THESE IN SYNC WITH cyrus.conf >## ># Unix domain socket that lmtpd listens on. >lmtpsocket: /var/run/cyrus/socket/lmtp > ># Unix domain socket that idled listens on. >idlesocket: /var/run/cyrus/socket/idle > ># Unix domain socket that the new mail notification daemon listens on. >notifysocket: /var/run/cyrus/socket/notify > ># Syslog prefix. Defaults to cyrus (so logging is done as cyrus/imap >etc.) >syslog_prefix: cyrus > >## >## DEBUGGING >## ># Debugging hook. See >/usr/share/doc/cyrus-common-2.4/README.Debian.debug ># Keep the hook disabled when it is not in use ># ># gdb Back-traces >#debug_command: /usr/bin/gdb -batch -cd=/tmp -x >/usr/lib/cyrus/get-backtrace.gdb /usr/lib/cyrus/bin/%s %d > >/tmp/gdb-backtrace.cyrus.%1$s.%2$d <&- 2>&1 & ># ># system-call traces >#debug_command: /usr/bin/strace -tt -o /tmp/strace.cyrus.%s.%d -p %2$d ><&- 2>&1 & ># ># library traces >#debug_command: /usr/bin/ltrace -tt -n 2 -o /tmp/ltrace.cyrus.%s.%d -p >%2$d <&- 2>&1 & >------------------------ > >smtpd.conf > > >pwcheck_method: saslauthd >mech_list: plain login >allow_plaintext: true >auxprop_plugin: sql >sql_engine: mysql >sql_hostnames: 127.0.0.1 >sql_user: mail_admin >sql_passwd: 111 >sql_database: mail >sql_select: select password from users where email = '%u@%r' > > >--------------- > >/etc/pam.d/smtp > ># PAM configuration file for Cyrus IMAP service ># ># If you want to use Cyrus in a setup where users don't have ># accounts on the local machine, you'll need to make sure ># you use something like pam_permit for account checking. ># ># Remember that SASL (and therefore Cyrus) accesses PAM ># modules through saslauthd, and that SASL can only deal with ># plaintext passwords if PAM is used. ># > >auth sufficient pam_mysql.so user=mail_admin passwd=111 host=127.0.0.1 >db=mail table=users usercolumn=email passwdcolumn=password crypt=1 >account required pam_mysql.so user=mail_admin passwd=111 host=127.0.0.1 >db=mail table=users usercolumn=email passwdcolumn=password crypt=1 > >@include common-auth >@include common-account >------------- >/etc/pam.d/imap > ># PAM configuration file for Cyrus IMAP service ># ># If you want to use Cyrus in a setup where users don't have ># accounts on the local machine, you'll need to make sure ># you use something like pam_permit for account checking. ># ># Remember that SASL (and therefore Cyrus) accesses PAM ># modules through saslauthd, and that SASL can only deal with ># plaintext passwords if PAM is used. ># > >auth sufficient pam_mysql.so user=mail_admin passwd=111 host=127.0.0.1 >db=mail table=users usercolumn=email passwdcolumn=password crypt=1 >account required pam_mysql.so user=mail_admin passwd=111 host=127.0.0.1 >db=mail table=users usercolumn=email passwdcolumn=password crypt=1 > >@include common-auth >@include common-account > >------ >/etc/defaults/saslauthd > ># ># Settings for saslauthd daemon ># Please read /usr/share/doc/sasl2-bin/README.Debian for details. ># > ># Should saslauthd run automatically on startup? (default: no) >START=yes > ># Description of this saslauthd instance. Recommended. ># (suggestion: SASL Authentication Daemon) >DESC="SASL Authentication Daemon" > ># Short name of this saslauthd instance. Strongly recommended. ># (suggestion: saslauthd) >NAME="saslauthd" > ># Which authentication mechanisms should saslauthd use? (default: pam) ># ># Available options in this Debian package: ># getpwent -- use the getpwent() library function ># kerberos5 -- use Kerberos 5 ># pam -- use PAM ># rimap -- use a remote IMAP server ># shadow -- use the local shadow password file ># sasldb -- use the local sasldb database file ># ldap -- use LDAP (configuration is in /etc/saslauthd.conf) ># ># Only one option may be used at a time. See the saslauthd man page ># for more information. ># ># Example: MECHANISMS="pam" >MECHANISMS="pam" > ># Additional options for this mechanism. (default: none) ># See the saslauthd man page for information about mech-specific >options. >MECH_OPTIONS="" > ># How many saslauthd processes should we run? (default: 5) ># A value of 0 will fork a new process for each connection. >THREADS=5 > ># Other options (default: -c -m /var/run/saslauthd) ># Note: You MUST specify the -m option or saslauthd won't run! ># ># WARNING: DO NOT SPECIFY THE -d OPTION. ># The -d option will cause saslauthd to run in the foreground instead >of >as ># a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you >wish ># to run saslauthd in debug mode, please run it by hand to be safe. ># ># See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific >information. ># See the saslauthd man page and the output of 'saslauthd -h' for >general ># information about these options. ># ># Example for chroot Postfix users: "-c -m >/var/spool/postfix/var/run/saslauthd" ># Example for non-chroot Postfix users: "-c -m /var/run/saslauthd" ># ># To know if your Postfix is running chroot, check >/etc/postfix/master.cf. ># If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - >- >smtpd" ># then your Postfix is running in a chroot. ># If it has the line "smtp inet n - n - - smtpd" then your Postfix is >NOT ># running in a chroot. >#OPTIONS="-c -m /var/run/saslauthd" >OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r" > > > > >------ Original Message ------ >From: "Dan White" <dwhite@xxxxxxx> >To: "Karol Pomaski" <kpomaski@xxxxxxxxxxxxxx> >Cc: info-cyrus@xxxxxxxxxxxxxxxxxxxx >Sent: 1/25/2014 10:49:21 AM >Subject: Re: Postfix with Cyrus Imap > >>On 01/25/14 16:21 +0000, Karol Pomaski wrote: >>>my main.cf >>> >>>smtpd_sasl_auth_enable = yes >>>smtpd_sasl_security_options = noanonymous >> >>You should have a sasl smtpd.conf file with authentication details, >>such as >>in /etc/postfix/sasl or /usr/lib/sasl2/ (saslfinger is useful here). >> >>You should be able to prepend 'sasl_' to it's configuration and insert >>those statements into /etc/imapd.conf. >> >>>Postfix use correctly the DB, but Cyrus Imap not. As you haven't >>>answered my question, is it possible to add acount to MySQL DB and >>>than mailbox will be created autmatically (without using cyradm)? >> >>You may need to apply this patch if your OS's package has not >>included them: >> >>http://code.uoa.gr/p/cyrus/autocreate/ >> >>-- Dan White > >---- >Cyrus Home Page: http://www.cyrusimap.org/ >List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ >To Unsubscribe: >https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus ---- Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
