Cyrus IMAP - Non-local passwords
Hi, I'm setting up Cyrus IMAP on Suse 10.0. I found out how to set up mailboxes using cyradm, have 2 set up so far. One is the same name as a normal login user, and the other is not a login user. Cyrus accepts the login password of the normal login user. How do I set the password on the non-login user to access this user mailbox only? Also, how do I set Cyrus up to only accept connections over imaps (port 993)? Many thanks, Jim Flanagan
On Mon, 14 Nov, 2005 at 18:55:51 -0600, Jim Flanagan wrote:
Hi,
I'm setting up Cyrus IMAP on Suse 10.0. I found out how to set up mailboxes using cyradm, have 2 set up so far. One is the same name as a normal login user, and the other is not a login user. Cyrus accepts the login password of the normal login user. How do I set the password on the non-login user to access this user mailbox only?
http://docs.opengroupware.org/Members/helge/Mail/CyrusSuSE82/view (part C) is about 8.2 - though it worked for me on 9.3. Once you've set up Cyrus to use sasldb you'll need to make passwords for the users; (as root); `saslpasswd2 username`
Also, how do I set Cyrus up to only accept connections over imaps (port 993)?
Not so long since I set it up, and already it's kind of hazy :P ... Basically, IIRC, it consists of;
- Creating a certificate
- Pointing Cyrus to it (also in /etc/imapd.conf)
- Restarting Cyrus
So;
`openssl req -new -x509 -nodes -out /path/to/imap-cert.pem -keyout /path/to/imap-cert.pem -days 700`
- in imapd.conf uncomment/edit;
tls_cert_file: /path/to/imap-cert.pem
tls_key_file: /path/to/imap-cert.pem
- and;
`rccyrus restart`
Cyrus still accepts non-ssl connections, but if your client doesn't automatically check if ssl is available (mine does; Mutt) - then you can set it manually. I don't know how one sets Cyrus to *only* accept ssl, but you can always just disallow the non-ssl traffic with your firewall.
HTH
/Jon
--
YMMV
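The three steps above (certificate, tls_cert_file/tls_key_file, restart) leave the cleartext listener on port 143 in place, which is the open question at the end of the post. The script below is an added example, not something from the thread or from the Cyrus project: it audits constructed before/after copies of /etc/imapd.conf and /etc/cyrus.conf for the settings that decide whether a password can cross the wire unprotected. It assumes Cyrus 2.2-style config files, the standard `allowplaintext`, `tls_cert_file` and `tls_key_file` keys, and the usual `imap`/`imaps` SERVICES entries in cyrus.conf; the sample file contents, the /etc/ssl paths and the `make_selfsigned` helper (which needs openssl and is not run by default) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit the Cyrus settings that decide
# whether IMAP passwords can cross the wire in the clear.
# Assumptions: Cyrus 2.2-style /etc/imapd.conf and /etc/cyrus.conf; the
# "imap"/"imaps" SERVICES names and the allowplaintext, tls_cert_file and
# tls_key_file keys are standard Cyrus options. The config files below are
# constructed samples written to a temporary directory.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Before: the imapd.conf quoted in the thread (no TLS, plaintext allowed by
# default) and a cyrus.conf that still runs a cleartext listener on port 143.
cat >"$WORK/imapd.before" <<'EOF'
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sasldb
EOF
cat >"$WORK/cyrus.before" <<'EOF'
SERVICES {
  imap      cmd="imapd" listen="imap" prefork=0
  imaps     cmd="imapd -s" listen="imaps" prefork=0
  lmtpunix  cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=0
}
EOF

# After: certificate and key configured, plaintext logins refused unless the
# session is already TLS-protected, and the port-143 service commented out.
cat >"$WORK/imapd.after" <<'EOF'
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sasldb
tls_cert_file: /etc/ssl/certs/imap-cert.pem
tls_key_file: /etc/ssl/private/imap-key.pem
allowplaintext: no
EOF
cat >"$WORK/cyrus.after" <<'EOF'
SERVICES {
  # imap    cmd="imapd" listen="imap" prefork=0
  imaps     cmd="imapd -s" listen="imaps" prefork=0
  lmtpunix  cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=0
}
EOF

# Value of KEY in an imapd.conf, skipping comment lines; empty when unset.
imapd_value() {   # $1 = file, $2 = key
    grep -v '^[[:space:]]*#' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# 0 when both tls_cert_file and tls_key_file are set.
tls_configured() {   # $1 = imapd.conf
    [ -n "$(imapd_value "$1" tls_cert_file)" ] && [ -n "$(imapd_value "$1" tls_key_file)" ]
}

# 0 when allowplaintext is "no" (LOGIN/PLAIN only after STARTTLS or on imaps).
plaintext_disabled() {   # $1 = imapd.conf
    [ "$(imapd_value "$1" allowplaintext)" = no ]
}

# Print the names of active SERVICES entries whose listen= value equals $2.
listeners_on() {   # $1 = cyrus.conf, $2 = listen value ("imap", "imaps", "993" ...)
    grep -v '^[[:space:]]*#' "$1" | awk -v want="$2" '
        /listen=/ { for (i = 1; i <= NF; i++) if ($i ~ /^listen=/) {
            v = $i; sub(/^listen="?/, "", v); sub(/"$/, "", v)
            if (v == want) print $1 } }'
}

# Full audit: one line per finding, returns 1 if anything still needs fixing.
audit_tls() {   # $1 = imapd.conf, $2 = cyrus.conf
    rc=0
    if tls_configured "$1"; then echo "ok:   tls_cert_file/tls_key_file set"
    else echo "FAIL: no TLS certificate/key configured"; rc=1; fi
    if plaintext_disabled "$1"; then echo "ok:   allowplaintext: no"
    else echo "WARN: allowplaintext not 'no'; LOGIN is accepted on the cleartext port"; rc=1; fi
    cleartext=$(listeners_on "$2" imap)
    if [ -z "$cleartext" ]; then echo "ok:   no cleartext imap listener in cyrus.conf"
    else echo "WARN: cleartext listener still enabled: $cleartext"; rc=1; fi
    return $rc
}

# Self-signed certificate with the key in its own root-owned 0600 file (the
# one-file variant works too, but a separate key file is easier to protect).
# Not run here: assumes openssl is installed and a "cyrus" user exists.
make_selfsigned() {   # $1 = hostname, $2 = cert path, $3 = key path
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 -subj "/CN=$1" \
        -keyout "$3" -out "$2" && chmod 0644 "$2" && chown cyrus "$3" && chmod 0600 "$3"
}

echo "== before =="; audit_tls "$WORK/imapd.before" "$WORK/cyrus.before" || echo "=> fix needed"
echo "== after  =="; audit_tls "$WORK/imapd.after"  "$WORK/cyrus.after"  && echo "=> imaps only"
```

Commenting out the `imap` service in cyrus.conf is what actually stops Cyrus from listening on 143, so the firewall rule becomes a second layer rather than the only one; `allowplaintext: no` covers the case where the cleartext port is deliberately kept for STARTTLS clients.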
Jon Clausen wrote:
On Mon, 14 Nov, 2005 at 18:55:51 -0600, Jim Flanagan wrote:
Hi,
I'm setting up Cyrus IMAP on Suse 10.0. I found out how to set up mailboxes using cyradm, have 2 set up so far. One is the same name as a normal login user, and the other is not a login user. Cyrus accepts the login password of the normal login user. How do I set the password on the non-login user to access this user mailbox only?
http://docs.opengroupware.org/Members/helge/Mail/CyrusSuSE82/view (part C)
is about 8.2 - though it worked for me on 9.3.
Once you've set up Cyrus to use sasldb you'll need to make passwords for the users;
(as root); `saslpasswd2 username`
Hi Jon, Pardon my inexperience, but what is the difference between using the sasldb file vs. saslauthd/PAM? I'm only using this as a home server at present, not too many users. Many thanks, Jim
On Thu, 17 Nov, 2005 at 23:18:23 -0600, Jim Flanagan wrote:
Hi Jon,
Pardon my inexperience, but what is the difference between using the sasldb file vs. saslauthd/PAM?
Well... I'm by no means the expert on this, and I understand too little of saslauthd/PAM to explain it. I'm using this setup because I *wanted* to have separate shell and imap passwords, and using sasldb offered the path of least resistance in achieving it.
HTH
/Jon
--
YMMV
Jon Clausen wrote:
On Thu, 17 Nov, 2005 at 23:18:23 -0600, Jim Flanagan wrote:
Hi Jon,
Pardon my inexperience, but what is the difference between using the sasldb file vs. saslauthd/PAM?
I'm using this setup because I *wanted* to have separate shell and imap passwords, and using sasldb offered the path of least resistance in achieving it.
HTH /Jon Hi Jon,
OK, I modified the cyrus imapd.conf file with auxprop, and used saslpasswd2 to set passwords for 2 users. I tried to use cyradm to set up new cyrus mailboxes, but the login to user cyrus now fails. How do I set up users mailboxes under with cyrus set up to use sasldb? Many thanks, Jim
On Sun, 20 Nov, 2005 at 22:15:07 -0600, Jim Flanagan wrote:
Hi Jon,
OK, I modified the cyrus imapd.conf file with auxprop, and used saslpasswd2 to set passwords for 2 users. I tried to use cyradm to set up new cyrus mailboxes, but the login to user cyrus now fails.
Did you remember to `rcsaslauthd restart` after you changed the config?
How do I set up users mailboxes under with cyrus set up to use sasldb?
Sorry Jim, but I can't parse the above :P
Before you start with the mailboxes, you have to get beyond the login. Use `imtest` to test that, and watch the logs for errors.
Also look at the docs in /usr/share/doc/packages/cyrus-imapd/doc/ - specifically; install-auth.html and, for ssl; install-configure.html
HTH
/Jon
--
YMMV
Jon Clausen wrote:
On Sun, 20 Nov, 2005 at 22:15:07 -0600, Jim Flanagan wrote:
Hi Jon,
OK, I modified the cyrus imapd.conf file with auxprop, and used saslpasswd2 to set passwords for 2 users. I tried to use cyradm to set up new cyrus mailboxes, but the login to user cyrus now fails.
Did you remember to `rcsaslauthd restart` after you changed the config?
Yes, I did do that.
How do I set up users mailboxes under with cyrus set up to use sasldb?
Sorry Jim, but I can't parse the above :P
What I mean here is that after I changed the auth from pam to sasldb, I can't login to cyradm to set up users mailboxes (this using "cyradm --auth login localhost --user cyrus"). I get a wrong password message. Before I changed imap.conf to use sasldb, I could get to that using the root password. This now fails. So I set up a new user with "saslpasswd2 cyrus" and entered a password for that user, but the cyradm login still fails. Not sure how to create cyrus mailboxes under this new setup.
Before you start with the mailboxes, you have to get beyond the login. Use `imtest` to test that, and watch the logs for errors.
Also look at the docs in /usr/share/doc/packages/cyrus-imapd/doc/ -specifically; install-auth.html and, for ssl; install-configure.html
HTH /Jon
Will look into this. Many thanks, Jim
On Mon, 21 Nov, 2005 at 09:16:39 -0600, Jim Flanagan wrote:
Jon Clausen wrote:
Did you remember to `rcsaslauthd restart` after you changed the config?
Yes, I did do that.
and `rccyrus restart` too?
What I mean here is that after I changed the auth from pam to sasldb, I can't login to cyradm to set up users mailboxes (this using "cyradm --auth login localhost --user cyrus"). I get a wrong password message.
Right. Please quote from the log.
Before I changed imap.conf to use sasldb, I could get to that using the root password. This now fails. So I set up a new user with "saslpasswd2 cyrus" and entered a password for that user, but the cyradm login still fails. Not sure how to create cyrus mailboxes under this new setup.
You manage the mailboxes the same way as before, but;
Before you start with the mailboxes, you have to get beyond the login.
What does `grep -v "#" /etc/imapd.conf` look like?
HTH
/Jon
--
YMMV
Jon Clausen wrote:
On Mon, 21 Nov, 2005 at 09:16:39 -0600, Jim Flanagan wrote:
Jon Clausen wrote:
Did you remember to `rcsaslauthd restart` after you changed the config?
Yes, I did do that.
and `rccyrus restart` too?
Yes, rccyrus restart too.
What I mean here is that after I changed the auth from pam to sasldb, I can't login to cyradm to set up users mailboxes (this using "cyradm --auth login localhost --user cyrus"). I get a wrong password message.
Right. Please quote from the log.
Before I changed imap.conf to use sasldb, I could get to that using the root password. This now fails. So I set up a new user with "saslpasswd2 cyrus" and entered a password for that user, but the cyradm login still fails. Not sure how to create cyrus mailboxes under this new setup.
You manage the mailboxes the same way as before, but;
Before you start with the mailboxes, you have to get beyond the login.
What does `grep -v "#" /etc/imapd.conf` look like?
HTH /Jon
Hi Jon,
OK, here is some detailed info.
telnet shows...
-----------
test10:/home/user # telnet localhost imap
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK test10 Cyrus IMAP4 v2.2.12 server ready
--------
grep shows...
--------
test10:/etc # grep -v "#" /etc/imapd.conf
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
sievedir: /var/lib/sieve
admins: cyrus
allowanonymouslogin: no
autocreatequota: 10000
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sasldb
lmtp_overquota_perm_failure: no
lmtp_downcase_rcpt: yes
test10:/etc #
--------
/var/log/messages shows...
--------
Nov 22 20:02:36 test10 master[7356]: about to exec /usr/lib/cyrus/bin/imapd
Nov 22 20:02:36 test10 imap[7356]: executed
Nov 22 20:02:36 test10 imap[7356]: accepted connection
Nov 22 20:02:41 test10 imap[7356]: unable to open Berkeley db /etc/sasldb2: Permission denied
Nov 22 20:02:41 test10 imap[7356]: unable to open Berkeley db /etc/sasldb2: Permission denied
Nov 22 20:02:41 test10 imap[7356]: badlogin: localhost [127.0.0.1] plaintext cyrus SASL(-13): user not found: checkpass failed
--------
l of /etc shows...
--------
-rw-r----- 1 root root 12288 2005-11-20 21:34 sasldb2
--------
Trying to use cyradm to login/manage user cyrus...
--------
test10:/home/user # cyradm --auth login localhost -u cyrus
IMAP Password:
Login failed: user not found at /usr/lib/perl5/vendor_perl/5.8.7/i586-linux-thread-multi/Cyrus/IMAP/Admin.pm line 118
cyradm: cannot authenticate to server with login as cyrus
--------
/usr/lib/perl5/vendor_perl/5.8.7/i586-linux-thread-multi/Cyrus/IMAP/admin.pm shows...
------
113 sub authenticate {
114   my $self = shift;
115   if(@_) {
116     $self->{authopts} = \@_;
117   }
118   my $rc = $self->{cyrus}->authenticate(@_);
--------
I'm not sure what is going on here.
I did not follow Part D of the web link instructions, as I believe this to be fixed in Suse 9.3/10.0. After I first set up sasldb, I tried to login to imap using cyradm -u cyrus. This did not work using the system (pam) root password. So I did saslpasswd -c cyrus and set a password for that. Still cannot login to imap using cyradm -u cyrus. Thanks for the continued help. Jim
On Tue, Nov 22, 2005 at 08:36:01PM -0600, Jim Flanagan wrote:
Nov 22 20:02:41 test10 imap[7356]: unable to open Berkeley db /etc/sasldb2: Permission denied Nov 22 20:02:41 test10 imap[7356]: unable to open Berkeley db /etc/sasldb2: Permission denied
Here is your problem. User imap cannot read /etc/sasldb2 which is owned by root, I believe. Change ownership of /etc/sasldb2 to imap. -Kastus
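Kastus's diagnosis comes straight from the log: with `sasl_pwcheck_method: auxprop` the imapd process opens /etc/sasldb2 itself, so it is imapd's own uid that must be able to read the file. The script below is an added example, not from the thread: it pulls the path out of "Permission denied" log lines and evaluates the Unix mode bits of an `ls -l` line against a given user, so the candidate fixes can be compared before touching the real file. The Cyrus service user "cyrus" in group "mail" is taken from the thread; the log and `ls -l` lines are constructed samples modelled on the ones quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: pull the file a "Permission denied"
# log line points at and work out whether the Cyrus service user can read it.
# Assumptions: Cyrus runs as user "cyrus" in group "mail" (as on the SUSE box
# in the thread); with sasl_pwcheck_method: auxprop the imapd process opens
# /etc/sasldb2 itself, so imapd's uid is the one that needs read access.
# The log and "ls -l" lines below are constructed samples.

SAMPLE_LOG='Nov 22 20:02:36 test10 imap[7356]: accepted connection
Nov 22 20:02:41 test10 imap[7356]: unable to open Berkeley db /etc/sasldb2: Permission denied
Nov 22 20:02:41 test10 imap[7356]: badlogin: localhost [127.0.0.1] plaintext cyrus SASL(-13): user not found: checkpass failed'

# Paths the SASL library reported as unopenable, one per line, deduplicated.
denied_paths() {   # stdin = syslog lines
    sed -n 's/.*unable to open Berkeley db \([^:]*\): Permission denied.*/\1/p' | sort -u
}

# Unix read-permission check against an "ls -l" line such as
# "-rw-r----- 1 root root 12288 2005-11-20 21:34 sasldb2".
# Returns 0 when USER (a member of GROUPS, space separated) can read the file.
can_read() {   # $1 = ls -l line, $2 = user, $3 = user's groups
    set -- "$2" "$3" $1          # $1=user $2=groups $3=mode $4=links $5=owner $6=group
    [ "$1" = root ] && return 0  # root bypasses the mode bits entirely
    if [ "$5" = "$1" ]; then     # owner class: character 2 of the mode string
        [ "$(printf %s "$3" | cut -c2)" = r ]; return $?
    fi
    for g in $2; do              # group class: character 5
        if [ "$g" = "$6" ]; then
            [ "$(printf %s "$3" | cut -c5)" = r ]; return $?
        fi
    done
    [ "$(printf %s "$3" | cut -c8)" = r ]   # other class: character 8
}

# One line per candidate layout: does imapd (cyrus, group mail) get in?
report() {   # $1 = label, $2 = ls -l line
    if can_read "$2" cyrus mail; then echo "readable by cyrus : $1 ($2)"
    else echo "denied for cyrus  : $1 ($2)"; fi
}

printf '%s\n' "$SAMPLE_LOG" | denied_paths | while read -r path; do
    echo "log says imapd cannot open $path"
done
report "as found (root:root)"        '-rw-r----- 1 root  root 12288 2005-11-20 21:34 sasldb2'
report "chown cyrus (Jon's setup)"   '-rw-r----- 1 cyrus root 12288 2005-11-20 21:34 sasldb2'
report "chgrp mail (Jim's fix)"      '-rw-r----- 1 root  mail 12288 2005-11-20 21:34 sasldb2'
report "chmod 644 (everyone reads)"  '-rw-r--r-- 1 root  root 12288 2005-11-20 21:34 sasldb2'
```

The last line is the one to avoid: it also makes the login work, but sasldb2 holds every user's secret, so a world-readable mode trades an authentication failure for a disclosure.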
Kastus wrote:
On Tue, Nov 22, 2005 at 08:36:01PM -0600, Jim Flanagan wrote:
Nov 22 20:02:41 test10 imap[7356]: unable to open Berkeley db /etc/sasldb2: Permission denied Nov 22 20:02:41 test10 imap[7356]: unable to open Berkeley db /etc/sasldb2: Permission denied
Here is your problem. User imap cannot read /etc/sasldb2 which is owned by root, I believe. Change ownership of /etc/sasldb2 to imap.
-Kastus
OK, will try that. What group? Currently on my system I have system user "imap" belonging to group "mail". Jim
Jim Flanagan wrote:
Kastus wrote:
On Tue, Nov 22, 2005 at 08:36:01PM -0600, Jim Flanagan wrote:
Nov 22 20:02:41 test10 imap[7356]: unable to open Berkeley db /etc/sasldb2: Permission denied Nov 22 20:02:41 test10 imap[7356]: unable to open Berkeley db /etc/sasldb2: Permission denied
Here is your problem. User imap cannot read /etc/sasldb2 which is owned by root, I believe. Change ownership of /etc/sasldb2 to imap.
-Kastus
OK, will try that. What group? Currently on my system I have system user "imap" belonging to group "mail".
Jim
Sorry, that should read "cyrus" "mail", not imap. Jim
Kastus wrote:
On Tue, Nov 22, 2005 at 08:36:01PM -0600, Jim Flanagan wrote:
Nov 22 20:02:41 test10 imap[7356]: unable to open Berkeley db /etc/sasldb2: Permission denied Nov 22 20:02:41 test10 imap[7356]: unable to open Berkeley db /etc/sasldb2: Permission denied
Here is your problem. User imap cannot read /etc/sasldb2 which is owned by root, I believe. Change ownership of /etc/sasldb2 to imap.
-Kastus
OK, that works! I set permission on that file to be user "cyrus" with group "mail". All seems to be working fine now. Is the group "mail" the correct (and safe) setting? Many thanks to you, Ciro and notably Jon for your help. The link and other info Jon sent was most helpful. Happy Thanksgiving to all who celebrate that US tradition. Jim
On Wed, 23 Nov, 2005 at 08:38:54 -0600, Jim Flanagan wrote:
Kastus wrote:
Here is your problem. User imap cannot read /etc/sasldb2 which is owned by root, I believe. Change ownership of /etc/sasldb2 to imap.
OK, that works! I set permission on that file to be user "cyrus" with group "mail". All seems to be working fine now. Is the group "mail" the correct (and safe) setting?
Depends. Basically the file just needs to be readable for cyrus. My /etc/sasldb2 is -rw-r----- cyrus:root
As long as you're manipulating the sasldb as root (running saslpasswd2 from the commandline) there is no need for the group 'mail' ownership.
Many thanks to you, Ciro and notably Jon for your help. The link and other info Jon sent was most helpful.
"We aim to please" :)
Happy Thanksgiving to all who celebrate that US tradition.
Indeed.
/Jon
--
YMMV
Jon Clausen wrote:
On Wed, 23 Nov, 2005 at 08:38:54 -0600, Jim Flanagan wrote:
Kastus wrote:
Here is your problem. User imap cannot read /etc/sasldb2 which is owned by root, I believe. Change ownership of /etc/sasldb2 to imap.
OK, that works! I set permission on that file to be user "cyrus" with group "mail". All seems to be working fine now. Is the group "mail" the correct (and safe) setting?
Depends. Basically the file just needs to be readable for cyrus. My /etc/sasldb2 is -rw-r----- cyrus:root
As long as you're manipulating the sasldb as root (running saslpasswd2 from the commandline) there is no need for the group 'mail' ownership.
Many thanks to you, Ciro and notably Jon for your help. The link and other info Jon sent was most helpful.
"We aim to please" :)
Happy Thanksgiving to all who celebrate that US tradition.
Indeed.
/Jon
Hi Jon, Was wondering, instead of FTP, could we use SCP in SSH instead? I use SSH often to run VNC sessions. I'm not sure how to do an scp from a win box with putty to my suse server, but will look into that. Tks again for the great help! Jim
On Thu, 24 Nov, 2005 at 21:29:37 -0600, Jim Flanagan wrote:
Was wondering, instead of FTP, could we use SCP in SSH instead?
Sure. I use it all the time.
I use SSH often to run VNC sessions. I'm not sure how to do an scp from a win box with putty to my suse server, but will look into that.
Google for winscp. It's available from the same place(s) you'd get putty. Never tried it (I'm fortunate; I rarely *have* to use windows) but I'd hazard a guess it works...
Tks again for the great help!
No problem. Though I have a hard time connecting this (ftp vs scp vs winscp) to the original subject of non-local imap passwords? Maybe start a new thread?
/Jon
--
YMMV
Jon Clausen wrote:
On Wed, 23 Nov, 2005 at 08:38:54 -0600, Jim Flanagan wrote:
Kastus wrote:
Here is your problem. User imap cannot read /etc/sasldb2 which is owned by root, I believe. Change ownership of /etc/sasldb2 to imap.
OK, that works! I set permission on that file to be user "cyrus" with group "mail". All seems to be working fine now. Is the group "mail" the correct (and safe) setting?
Depends. Basically the file just needs to be readable for cyrus. My /etc/sasldb2 is -rw-r----- cyrus:root
As long as you're manipulating the sasldb as root (running saslpasswd2 from the commandline) there is no need for the group 'mail' ownership.
Many thanks to you, Ciro and notably Jon for your help. The link and other info Jon sent was most helpful.
"We aim to please" :)
Happy Thanksgiving to all who celebrate that US tradition.
Indeed.
/Jon
Hi again Jon, Since I changed the saslauth to work with sasldb, Squirrelmail seems to be broken. Going to http://localhost/squirrelmail/ gives a 403 error page message stating that I don't have permission to access that dir, or that there is no index doc or the dir is read-protected. I didn't have this problem before, and was wondering if it is related to sasldb not having a password for squirrelmail or something. Permissions on ~/squirrelmail are root, with user read/write, others can read. Same for the index.php file in that dir. This might not be the problem however as I don't get the squirrelmail login screen, so I don't get to the point where I enter user names or passwords. I can access my cyrus imap mailboxes using Thunderbird on port 143, so that is working. Any thoughts? Jim
On Sun, 27 Nov, 2005 at 23:47:16 -0600, Jim Flanagan wrote:
Since I changed the saslauth to work with sasldb, Squirrelmail seems to be broken. Going to http://localhost/squirrelmail/ gives a 403 error page message stating that I don't have permission to access that dir, or that there is no index doc or the dir is read-protected. I didn't have this problem before, and was wondering if it is related to sasldb not having a password for squirrelmail or something. Permissions on ~/squirrelmail are root, with user read/write, others can read. Same for the index.php file in that dir.
This might not be the problem however as I don't get the squirrelmail login screen, so I don't get to the point where I enter user names or passwords. I can access my cyrus imap mailboxes using Thunderbird on port 143, so that is working.
Any thoughts?
Yeah... I can't send mail to the list from work... :P
What I tried to send earlier went pretty much like this;
"ehhm nope, dunno - haven't done any squirrelmail in quite a while..."
Basically I can only come up with;
Check the logs (apache and cyrus both)
- and *maybe* there could be a problem if cyrus wants to use ssl, and squirrelmail (php) doesn't handle that correctly?
(I seem to remember that that exists as a thing that can go wrong...)
Sorry
/Jon
--
YMMV
Jon Clausen wrote:
On Sun, 27 Nov, 2005 at 23:47:16 -0600, Jim Flanagan wrote:
Since I changed the saslauth to work with sasldb, Squirrelmail seems to be broken. Going to http://localhost/squirrelmail/ gives a 403 error page message stating that I don't have permission to access that dir, or that there is no index doc or the dir is read-protected. I didn't have this problem before, and was wondering if it is related to sasldb not having a password for squirrelmail or something. Permissions on ~/squirrelmail are root, with user read/write, others can read. Same for the index.php file in that dir.
This might not be the problem however as I don't get the squirrelmail login screen, so I don't get to the point where I enter user names or passwords. I can access my cyrus imap mailboxes using Thunderbird on port 143, so that is working.
Any thoughts?
Yeah... I can't send mail to the list from work... :P
What I tried to send earlier went pretty much like this;
"ehhm nope, dunno - haven't done any squirrelmail in quite a while..."
Basically I can only come up with;
Check the logs (apache and cyrus both)
- and *maybe* there could be a problem if cyrus wants to use ssl, and squirrelmail (php) doesn't handle that correctly?
(I seem to remember that that exists as a thing that can go wrong...)
OK, thanks. I'm still working on squirrelmail. Not sure what is happening. I thought it was a php update thru yast, but I rolled back to the dvd version, no fix. Even rolled back to an older version of squirrelmail to no avail. I thought it was something I did in httpd.conf but that doesn't seem to be it either. Still looking. I am slowly getting my mind around the sasldb2 setup, and was wondering is there anything I need to do to get postfix to recognize those users, or will it pass mail for any user, (not a pam login user)? I seem to remember that postfix will only pass mail to known users, so do I have to set up postfix to use the users in sasldb2? I have some more questions regarding sasldb2, but will start a new thread on that. Again, many thanks! Jim
On Sun, 27 Nov 2005, Jim Flanagan wrote:
Jon Clausen wrote:
On Wed, 23 Nov, 2005 at 08:38:54 -0600, Jim Flanagan wrote:
Kastus wrote:
Here is your problem. User imap cannot read /etc/sasldb2 which is owned by root, I believe. Change ownership of /etc/sasldb2 to imap.
That is seriously bad advice
<snip>
Hi again Jon,
Since I changed the saslauth to work with sasldb, Squirrelmail seems to be broken. Going to http://localhost/squirrelmail/ gives a 403 error page message
with this one of the likely bad outcomes. I don't have the knowledge to tell you precisely what to do, and if I did it would be based on Debian. Please, read the documents real close, and consult the relevant websites and google.
stating that I don't have permission to access that dir, or that there is no index doc or the dir is read-protected. I didn't have this problem before, and was wondering if it is related to sasldb not having a password for squirrelmail or something. Permissions on ~/squirrelmail are root, with user read/write, others can read. Same for the index.php file in that dir.
This might not be the problem however as I don't get the squirrelmail login screen, so I don't get to the point where I enter user names or passwords. I can access my cyrus imap mailboxes using Thunderbird on port 143, so that is working.
The sasl has unencrypted passwords in it. You want access to it controlled properly. Don't trust me, trust SUSE that there is a way to do this without changing permissions or ownership.
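The point John makes here, and Jon's `-rw-r----- cyrus:root` earlier, both come down to who can read /etc/sasldb2 for a given authentication path: with `sasl_pwcheck_method: auxprop` imapd reads the file itself, so the service user needs access; with saslauthd a root daemon does the lookups over a socket and the file can stay root-only, which is the "without changing permissions or ownership" route. The script below is an added example, not from the thread or from SUSE: it assesses a file's owner, group and mode against the configured method and explains what each layout exposes. It assumes the Cyrus service user is "cyrus" and that its primary group is "mail" (`CYRUS_GROUP`, an assumption taken from the thread); the layouts it runs through are constructed from the ones discussed above.

```shell
#!/bin/sh
# Added example, not from the thread: decide how exposed /etc/sasldb2 is for
# a given authentication path. sasldb stores every user's cleartext secret
# (the shared-secret mechanisms need it), so the question is "who else can
# read it", not just "does the login work".
# Assumptions: Cyrus runs as user "cyrus" whose group is CYRUS_GROUP;
# sasl_pwcheck_method is "auxprop" (imapd opens the db itself) or
# "saslauthd" (a root daemon answers imapd over a socket).
CYRUS_GROUP=mail   # assumption: the service user's group on the SUSE box in the thread

# $1 = symbolic mode from ls -l, $2 = owner, $3 = group, $4 = sasl_pwcheck_method
# Prints one finding per line; returns 0 only when no change is needed.
sasldb_audit() {
    mode=$1 owner=$2 group=$3 method=$4 rc=0
    grp=$(printf %s "$mode" | cut -c5-7)     # group class bits
    other=$(printf %s "$mode" | cut -c8-10)  # other class bits
    if [ "$other" != "---" ]; then
        echo "FAIL: $mode is world-accessible; every local account can read the secrets"; rc=1
    fi
    case $method in
    auxprop)
        # imapd itself opens the db, so uid cyrus must get in somehow.
        if [ "$owner" = cyrus ]; then
            echo "ok:   owner cyrus, so imapd can open the db"
        elif [ "$grp" != "---" ] && [ "$group" = "$CYRUS_GROUP" ]; then
            echo "ok:   imapd can open the db through group $group"
        else
            echo "FAIL: imapd (uid cyrus) cannot open the db; logins fail with 'Permission denied'"; rc=1
        fi
        # Group access beyond root widens the audience without helping imapd.
        if [ "$grp" != "---" ] && [ "$group" != root ]; then
            echo "WARN: everyone in group $group can read the secrets too; prefer cyrus:root 0640"; rc=1
        fi ;;
    saslauthd)
        # saslauthd runs as root and talks to imapd over a socket: keep root-only.
        if [ "$owner" = root ] && [ "$grp" = "---" ] && [ "$other" = "---" ]; then
            echo "ok:   root-only; saslauthd does the lookups, imapd never reads the file"
        else
            echo "WARN: with saslauthd nothing but root needs the file; restore root:root 0600"; rc=1
        fi ;;
    *)
        echo "WARN: sasl_pwcheck_method '$method' not covered here"; rc=1 ;;
    esac
    return $rc
}

show() {   # $1 = label, then the four sasldb_audit arguments
    label=$1; shift
    echo "== $label =="; sasldb_audit "$@" || echo "=> change needed"
}

show "as found (login failing)"     -rw-r----- root  root auxprop
show "Jim's fix (cyrus:mail)"       -rw-r----- cyrus mail auxprop
show "Jon's setup (cyrus:root)"     -rw-r----- cyrus root auxprop
show "saslauthd, file untouched"    -rw------- root  root saslauthd
```

Under this policy Jim's working layout passes the "can imapd read it" test but still draws a warning, because group mail is shared with other mail daemons on the box; Jon's cyrus:root 0640 is the minimum that works with auxprop, and the saslauthd route is the only one that needs no change to the file at all.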
John Summerfield wrote:
On Sun, 27 Nov 2005, Jim Flanagan wrote:
Jon Clausen wrote:
On Wed, 23 Nov, 2005 at 08:38:54 -0600, Jim Flanagan wrote:
Kastus wrote:
Here is your problem. User imap cannot read /etc/sasldb2 which is owned by root, I believe. Change ownership of /etc/sasldb2 to imap.
That is seriously bad advice
<snip>
Hi again Jon,
Since I changed the saslauth to work with sasldb, Squirrelmail seems to be broken. Going to http://localhost/squirrelmail/ gives a 403 error page message
with this one of the likely bad outcomes.
I don't have the knowledge to tell you precisely what to do, and if I did it would be based on Debian. Please, read the documents real close, and consult the relevant websites and google.
stating that I don't have permission to access that dir, or that there is no index doc or the dir is read-protected. I didn't have this problem before, and was wondering if it is related to sasldb not having a password for squirrelmail or something. Permissions on ~/squirrelmail are root, with user read/write, others can read. Same for the index.php file in that dir.
This might not be the problem however as I don't get the squirrelmail login screen, so I don't get to the point where I enter user names or passwords. I can access my cyrus imap mailboxes using Thunderbird on port 143, so that is working.
The sasl has unencrypted passwords in it. You want access to it controlled properly. Don't trust me, trust SUSE that there is a way to do this without changing permissions or ownership.
Hi. I'm trying to do this the SUSE way, but not clear as to what that is. The problem was when I first created the sasldb2 file, it was set for owner/group as root, which cyradm could not read to allow me to set up my cyrus mailboxes. I did not want all to read that file, so that is why I changed it to cyrus/mail. Many thanks for pointing out the importance of proper control on the sasldb2 file. I'm still not sure if this is correct or not, or more importantly secure, but it is working. Not sure what dorked squirrelmail. Still working on that. Many thanks, Jim
Jim Flanagan wrote:
Hi. I'm trying to do this the SUSE way, but not clear as to what that is. The problem was when I first created the sasldb2 file, it was set for owner/group as root, which cyradm could not read to allow me to set up my cyrus mailboxes. I did not want all to read that file, so that is why I changed it to cyrus/mail. Many thanks for pointing out the importance of proper control on the sasldb2 file. I'm still not sure if this is correct or not, or more importantly secure, but it is working. Not sure what dorked squirrelmail. Still working on that.
Many thanks,
Jim
You should have a /etc/init.d/saslauthd or similar script to start a daemon that controls access to the info. Here are the first few lines of the Debian script:
#!/bin/sh -e
NAME=saslauthd
DAEMON="/usr/sbin/${NAME}"
DESC="SASL Authentication Daemon"
DEFAULTS=/etc/default/saslauthd
PWDIR=/var/run/saslauthd
PIDFILE="/var/run/${NAME}/saslauthd.pid"
At some point it starts saslauthd
Surely Suse has some docs for you to read:-)
participants (4)
- Jim Flanagan
- John Summerfield
- Jon Clausen
- Kastus