Thanks for that Vladislav, it was very helpful. :-)

I have managed to get exim to use the defined cyrus_delivery transport attempting to deliver a received mail but it is baulking on the SSL cert.
From /var/log/mail.err :

Feb 12 14:58:46 blmail cyrus/lmtp[3523]: unable to get private key from '/etc/ssl/private/ssl-cert-snakeoil.key'
Feb 12 14:58:46 blmail cyrus/lmtp[3523]: TLS server engine: cannot load cert/key data, may be a cert/key mismatch?
Feb 12 14:58:46 blmail cyrus/lmtp[3523]: [lmtpd] error initializing TLS
I have run

root@blmail:~# bash /usr/share/doc/exim4-base/examples/exim-gencert --force

and confirmed the permissions on the cert file:

root@blmail:~# ls -l /etc/ssl/private/
total 4
-rw-r----- 1 root root 916 Feb 12 12:41 ssl-cert-snakeoil.key

What process/user should have access to this key? Is it simply the wrong owner/group?
I can access cyrus and 'see' mailboxes, create them etc.:

root@blmail:~# cyradm --user cyrus --auth login localhost
IMAP Password:
localhost> lm
user.hire (\HasChildren)
user.hire.Trash (\HasNoChildren)
user.hire.Drafts (\HasNoChildren)
user.hire.test (\HasNoChildren)
user.hire.Sent (\HasNoChildren)
user.paul (\HasNoChildren)

but I believe this is using saslauth LOGIN so maybe it's not using the SSL anyway?
When I attempt to send mail to an account on there I get the following in /var/log/exim4/mainlog :

2014-02-12 14:58:46 1WDilR-0000ul-Rh DKIM: d=gmail.com s=20120113 c=relaxed/relaxed a=rsa-sha256 [verification succeeded]
2014-02-12 14:58:46 1WDilR-0000ul-Rh SA: Debug: SAEximRunCond expand returned: '0'
2014-02-12 14:58:46 1WDilR-0000ul-Rh SA: Action: Not running SA because SAEximRunCond expanded to false (Message-Id: 1WDilR-0000ul-Rh). From <paulororke@xxxxxxxxx> (host=mail-oa0-f53.google.com [209.85.219.53]) for hire@xxxxxxxxxxxxxxxxxxxxxxxxx
2014-02-12 14:58:46 1WDilR-0000ul-Rh <= paulororke@xxxxxxxxx H=mail-oa0-f53.google.com [209.85.219.53] P=esmtps X=TLS1.0:RSA_ARCFOUR_SHA1:128 S=30551 id=CAPXX1o6M5XkRaZv97zkrnPPMLGV1s98tvNEC4QuND0PwGGbwKA@xxxxxxxxxxxxxx
2014-02-12 14:58:46 1WDilR-0000ul-Rh == hire@xxxxxxxxxxxxxxxxxxxxxxxxx R=local_user T=cyrus_delivery defer (-45): SMTP error from remote mail server after MAIL FROM:<paulororke@xxxxxxxxx> SIZE=32614: host 127.0.0.1 [127.0.0.1]: 430 Authentication required

I'll come back to the Spamassassin issue later (unless of course it's related!)
So I seem to be getting confused about when the SSL is used. Ideally I'd like to use SSL and authentication for SMTP and IMAP.

Is it that the LMTP needs authentication and it's not? I did use in /etc/cyrus.conf

lmtp cmd="lmtpd" -a listen="localhost:lmtp" prefork=0 maxchild=20

I feel like I'm close, but still not fully understanding the relationship between exim and cyrus regarding lmtp and saslauth. Have I mixed things up here?

Hoping for more of the excellent help I've received thus far.
Paul O’Rorke
On 2/11/2014 12:56 AM, Vladislav Kurz wrote:
On Monday 10 of February 2014 23:13:42 Paul O'Rorke wrote:
> Hi again Cyrus list,
>
> still trying to find a definitive resource to use to get this mail
> server up and running. Does anyone know of a good howto for setting up
> Debian/Exim/Cyrus? I think this is the combination I want to move from
> the Centos/Exim/Dovecot box I inherited but I must confess to really
> struggling here.
Here are the most important snippets of my Debian/exim/cyrus config for sasldb authentication, exim split config. Based on squeeze, so be careful, there might be small changes in wheezy. Changes noted as a diff file.

/etc/exim4/conf.d/main/00_exim4-config_localmacros: (new file)
+ LOCAL_DELIVERY = cyrus_delivery
/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt:
  # Insist that any other recipient address that we accept is either in one of
  # our local domains, or is in a domain for which we explicitly allow
  # relaying. Any other domain is rejected as being unacceptable for relaying.
  require
    message = relay not permitted
    domains = +local_domains : +relay_to_domains

  # We also require all accepted addresses to be verifiable. This check will
  # do local part verification for both local and remote domains.
  # Callout is needed to do the check via LMTP.
  # This is important to avoid backscatter bounces.
  # If you act as backup MX, you might need to adjust.
  require
-   verify = recipient
+   verify = recipient/callout
/etc/exim4/conf.d/router/900_exim4-config_local_user:
  # There are no local users in /etc/passwd. Check is done by callout in ACL.
  # Also there is no harm in having a mailbox named root.
  local_user:
    debug_print = "R: local_user for $local_part@$domain"
    driver = accept
    domains = +local_domains
-   check_local_user
-   local_parts = ! root
    transport = LOCAL_DELIVERY
    cannot_route_message = Unknown user

/etc/exim4/conf.d/transport/30_exim4-config_cyrus_delivery:
+ # LMTP over TCP/IP, allows callout verification, needs `lmtpd -a`
+ cyrus_delivery:
+   driver = smtp
+   protocol = lmtp
+   hosts = 127.0.0.1
+   allow_localhost
/etc/exim4/conf.d/auth/30_exim4-config_examples
Uncomment all examples where driver = cyrus_sasl. Set server realm to full hostname, or check what is behind @ in sasldblistusers2. NTLM and MD5 authentication can be allowed even over unencrypted connections.
/etc/imapd.conf
  sasl_pwcheck_method: auxprop
  sasl_auxprop_plugin: sasldb

/etc/cyrus.conf
  lmtp cmd="lmtpd -a" listen="localhost:lmtp" prefork=0 maxchild=20
  #lmtpunix cmd="lmtpd" listen="/var/run/cyrus/socket/lmtp" prefork=0 ...

/etc/services
  lmtp 24/tcp

--- eof ---

I have omitted lots of other changes I do to exim config, as they are not related to exim-cyrus integration.
--
Best Regards
Vladislav Kurz
=== WebStep, s.r.o. (Ltd.) ========= a step to the Web ===
address: Mezirka 1, 602 00 Brno, CZ, tel: +420 548 214 711
=== www.webstep.net ======= vladislav.kurz@xxxxxxxxxxx ===
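A small parser for the cyrus.conf service lines quoted in both messages above, showing which argv lmtpd is actually started with and flagging tokens that fall outside the quoted cmd value. This is an added example, not code from the thread or from Cyrus; the two sample blocks are constructed from Paul's and Vladislav's lmtp lines, and the check assumes the `-a` that Vladislav's transport comment says lmtpd needs is the flag to look for.

```python
import shlex

# Constructed samples: the two lmtp lines quoted in the thread, inside a SERVICES block.
PAUL_CONF = """\
SERVICES {
  lmtp cmd="lmtpd" -a listen="localhost:lmtp" prefork=0 maxchild=20
}
"""
VLADISLAV_CONF = """\
SERVICES {
  lmtp cmd="lmtpd -a" listen="localhost:lmtp" prefork=0 maxchild=20
  #lmtpunix cmd="lmtpd" listen="/var/run/cyrus/socket/lmtp" prefork=0
}
"""


def parse_services(text):
    """Map service name -> {"argv": shell-split cmd, "opts": {...}, "stray": [...]}."""
    services, in_block = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        if line.startswith("SERVICES") or line == "}":
            in_block = line != "}"             # enter / leave the block
            continue
        if not in_block:
            continue
        name, *tokens = shlex.split(line)      # honours the "..." quoting
        opts, stray = {}, []
        for tok in tokens:
            key, sep, value = tok.partition("=")
            if sep:
                opts[key] = value
            else:
                stray.append(tok)              # not part of any key=value pair
        services[name] = {"argv": shlex.split(opts.get("cmd", "")), "opts": opts, "stray": stray}
    return services


def lmtp_findings(text):
    """Things to notice about the lmtp line; an empty list means it matches Vladislav's."""
    svc = parse_services(text).get("lmtp", {"argv": [], "stray": []})
    findings = []
    if svc["stray"]:
        findings.append("tokens outside any key=value option: " + " ".join(svc["stray"]))
    if "-a" not in svc["argv"]:
        findings.append("lmtpd is started without -a; argv is %r" % (svc["argv"],))
    return findings
```

Running `lmtp_findings` on Paul's line reports the stray `-a` and an argv of just `['lmtpd']`; on Vladislav's line it reports nothing.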
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus