I've made ebuilds needed to get a working Cyrus Imapd. It would be helpful if someone would add the needed changes to the base system files (services, passwd, syslog.conf). Regards, Alexander
Created attachment 1519: The ebuilds
Just as a note: I had to remove compile_et to compile cyrus imapd. See bug 3569.
I've just found some small bugs. In all cyrus-imap*-ebuilds I've written open-afs instead of openafs in the dependencies. And in the imapd ebuild, in the function pkg_postinst(), there are two lines "if df ..."; these should be "if ! df ...". Alexander
I don't know if portage is broken, but it seems uploading tbz's doesn't work. At least I and one other person are unable to download them. Here is a link where the ebuilds can also be found: http://cvs.berlios.de/cgi-bin/cvsweb.cgi/ebuilds/?cvsroot=gentoo-deutsch
The names of the ebuilds (as they can be found in the CVS at the above URL): net-mail/cyrus-imap-admin, net-mail/cyrus-imapd, net-mail/postfix, dev-libs/cyrus-imap-dev, dev-libs/cyrus-sasl
dev-libs/cyrus-sasl-2.1.5 is now in the Portage tree as of 08 Jul 2002.
net-mail/postfix-1.1.11 is now in the Portage tree as of 08 Jul 2002.
Postfix is missing the sasl V2 fixes which I've included in the ebuild.
And the sasl ebuild is at least missing openssh in depends. See my ebuild.
dev-libs/cyrus-sasl-2.1.5-r1, net-mail/postfix-1.1.11-r3, net-mail/cyrus-imapd-2.1.5: Please test these ebuilds. I have patched cyrus-imapd so you don't have to remove compile_et. The postfix build is still masked but the others you should be able to upgrade to without changing profiles/package.mask. cyrus-imap-admin and cyrus-imap-dev are coming soon... -Nick
Please change open-afs-1.2.2 to openafs-1.2.2 (see comment #3).
I fixed the typo with openafs. Also, please test the postfix-1.1.11.20020613 ebuild which includes support for ipv6, tls, and saslv2. Also also, cyrus-sasl-2.1.6 has been added into portage which re-enables the ldap support.
Hi Nick, sorry for bothering you, but after endless hours of pain supporting people installing cyrus with the ebuilds in the portage (again, mine almost worked fine ;)) my nerves aren't that good. I know it's not your fault.
First, people need cyrus-imap-admin because it includes cyradm, and without it cyrus isn't useful. (Someone told me that just replacing 2.1.4 with 2.1.5 in my ebuild did work.)
Second, saslv2 should add a user cyrus to the sasldb because that user is needed as admin for cyrus. I've done this in my ebuild for saslv2 because sasldb2 should have rw permissions for root, r permission for group (mail) and none for others. And because sasldb2 includes passwords, it really should be in /etc and not anywhere in /var/lib. I find this really important, therefore I've decided to create sasldb2 in the ebuild. Next, pwcheck isn't needed anymore; it could all be done (as I've read, since 2.x) with saslauthd.
Third, they're all complaining about the compile_et bug. See comment #2. I don't know why the bug is marked as resolved since compile_et still exists and isn't working.
If all that is done, maybe I will try to support others trying out postfix with cyrus and sasl. I myself don't touch all those ebuilds; I'm still angry that I've written my ebuilds for nothing but fixing other ebuilds from people who ignore other ebuilds (and implement their own awfully badly). Sorry, it's late here, I'm tired (and see paragraph 1). Regards, Alexander
PS: I've found out that cyrus and postfix both have a man page named master. Maybe it's a good idea to rename the master from cyrus (and the manpage) to cyrusmaster.
Well, instead of reporting a new one I thought I'd jump in here and say 2.1.6 seems to break a working 2.1.5 installation. I got these entries in auth.log:
    Jul 25 07:34:30 ns1 PAM_pwdb[17623]: check pass; user unknown
    Jul 25 07:34:31 ns1 saslauthd[17623]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
    Jul 25 07:34:31 ns1 saslauthd[17623]: AUTHFAIL: user=joakim@ns1.astrocalc.net service=smtp realm=ns1.astrocalc.net [PAM auth error]
What I did was
    # emerge -u world
and it pulled 'cyrus-sasl-2.1.6' and 'postfix-1.1.11r5', so possibly postfix can be to blame as well... However, the update to cyrus-sasl-2.1.6 never removed 2.1.5 and afterwards both were listed as installed, which is odd as no other package than postfix depends on it, and it was updated (and the old one removed) too. I can't say though if emerge or the ebuild itself is responsible for this.
Another note: in '/etc/conf.d/saslauthd' the -H switch is used, which is deprecated according to 'man saslauthd'; the -O option should be used instead.
Well, I can't pinpoint exactly where the problem is located; the bottom line though is I can't send mail through the server anymore :-(. It looks in my case as if it's PAM related anyhow. Btw I unmerged 2.1.5 & 2.1.6 and emerged 2.1.6 again without result. Any idea or something I can do to further pinpoint this? Let me know... I guess I can always go back to 2.1.5 but that's not what I want.
Hmm, maybe we should open a forum ;) Joakim, as far as I know, saslauthd is neither used nor needed to authenticate postfix as a client against other servers (smtp_sasl_auth_enable). Maybe you have activated smtpd_sasl_auth_enable instead of smtp_sasl_auth_enable while updating postfix; this would explain your errors. With the first, postfix tries to authenticate clients against sasl; the second (without d) is used to authenticate against relay servers.
Well, I use smtpd_sasl_auth_enable on purpose as I (and my users) access the server through ISP dial-up to send mail (relaying, yes) and it works with 2.1.5 (reinstalled it :-) but not with 2.1.6. Something must have got broken. Although I must say it didn't work out of the box with 2.1.5 either; I had to change pwcheck_method:pam to pwcheck_method:saslauthd in /etc/sasl/smtpd.conf and create a symlink /var/lib/sasl2/smtpd.conf --> /etc/sasl/smtpd.conf
However, the above doesn't seem to work with 2.1.6, and btw I think pwcheck_method:pam is deprecated and now built into saslauthd. It would be great if 2.1.6 could be fixed to work with smtpd_sasl_auth_enable as it has some MD5 fixes which might help some users I have who are unable to auth with MD5 now.
Generally I think smtpd_sasl_auth_enable is more useful than smtp_sasl_auth_enable as I think it's a more common problem to let remote users use the smtp server without opening a relay for spammers. I tried to raise this question in the gentoo forum but no one seemed to bother :-) If you feel it's getting cluttered here, you can email me directly, as I now can reply :-) <moonwalker at astro.nu> /Joakim
Joakim, you are right, pwcheck_method:pam is deprecated and saslauthd should be used instead. Here are the comments I've included in my imap.conf for cyrus:
    # Use saslauthd if you want to use pam for imap.
    # But be warned: login with DIGEST-MD5 or CRAM-MD5
    # is not possible using pam.
    #sasl_pwcheck_method: saslauthd
Maybe that has changed because you said there exist md5-fixes in sasl 2.1.6; I've written this against sasl 2.1.2. PS: Just add your email to cc and you will get every new comment here as email.
Not sure, as my computer has more memory than me, but I think saslauthd now is a wrapper daemon for all modes... but I have read so many docs since, so it may not be true... but it should be possible to serve several options for auth, PAM, MD5 and mysql too I think, or it may have been that sasl_pwcheck_method: can take several parameters. I wish I had more time to fiddle with this and time to learn to build ebuilds, but I have other priorities at the moment so will stay with a working 2.1.5, but will monitor this thread.
STEP 1) Edit your /etc/postfix/main.cf file. There are a few different options that you must add to enable sasl support.
    # server
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain = $myhostname
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_relay_domains
    smtpd_sasl_security_options = noanonymous
    # client
    smtp_sasl_auth_enable = yes
(Please note that the smtpd_recipient_restrictions command should be entered on one single line, not two lines as you may see above...)
STEP 2) Once you have completed your postfix configuration you should execute the following commands to make sure you have made no syntax errors:
    # postfix check
    # postfix reload
STEP 3) Choose your sasl authentication method. You have the choices of... pam, sasldb, shadow, or pwcheck. The format of the line in your /etc/sasl/smtpd.conf should be...
    # /etc/sasl/smtpd.conf
    #
    #pwcheck_method:pam
    #pwcheck_method:sasldb
    #pwcheck_method:pwcheck
    pwcheck_method:shadow
I suggest testing with the "pwcheck_method:shadow" first as your password file is probably up to date if you are already logged into the machine configuring the software. Otherwise... you can test using pwcheck_method:sasldb and add users to the sasldb like this...
    # saslpasswd -a smtpd -c username
STEP 4) Once you have completed this, you should restart postfix using:
    # service postfix restart
STEP 5) Test it.
* let me know if this helps in whatever configuration headaches you are having... * -Nick raker@gentoo.org
Ok, I don't want to be ungrateful or rude, but Nick, your instructions are wrong or possibly for cyrus-sasl 1.x.
    # /etc/sasl/smtpd.conf
    #
    #pwcheck_method:pam
    #pwcheck_method:sasldb
    #pwcheck_method:pwcheck
    pwcheck_method:shadow
are all deprecated in version 2 (although you may be able to use them) and built into saslauthd, so the right use is "pwcheck_method:saslauthd", and then at startup of saslauthd you feed it with parameters. But I don't want to use shadow as above, but pam, and in neither case should I have to run "saslpasswd" (which actually should be "saslpasswd2"), as this is for when using sasl2.db (Berkeley DB) for password storing and authentication. I'm not sure, but I don't think my problems have to do with the Gentoo ebuild but with version 2.1.6 itself. That's why it would be interesting to hear if anyone has this working with pam and with pwcheck_method:saslauthd? /Joakim
You're right. I may have some 1.x instructions there.... If you have a suggestion as to where to look for new relevant docs, that would be great :) The idea that I am trying to suggest is testing another sasl authentication method other than via pam and seeing what sort of success you have. I'll have a production system running postfix within the next week to test different sasl authentication methods... When I come up with a working configuration (including pam :) ) I'll let you know. I'll be watching this thread for other people's solutions. Thanks for the heads up.
Which version of postfix are you running that is failing? -AND- Do you have any log messages that show warnings or error messages?
Hi folks, I'm running postfix.1.1.11-r5 with sasl2. I can confirm that postfix/smtp is accessing /usr/lib/sasl2/smtpd.conf and reads in the config string; either way it persists in using the sasldb auth method (I think it just ignores the content of smtpd.conf). I also came up with the thought that the current sasl-libs (2.1.6) don't work at all... Finally, I would say that according to the ebuild of sasl2 the configs should be in /etc/sasl2 (sounds to me like authorized_keys2 (ssh))....
Ok... as it doesn't work like I want, I upgraded sasl to current (2.1.6) and to my surprise.... the AUTH still works (last time I had this version I got SIG 11)... All I did was up- and downgrading postfix a few times...
I've had almost the same problem after updating libc, openssh and openssl on one machine. I have recompiled postfix, sasl (2.1.2) and cyrus. I don't know if I had to recompile all (the problem was that sending with postfix/smtp hasn't worked); maybe just a recompile of one of them could be enough.
Saslv2 2.1.7 just appeared. This would be a good time to move the password-db from /var/anywhere to /etc/sasldb2. And I would prefer if the ebuild would create an empty sasldb2 with the correct rights (root.mail 640). Then the cyrus-imapd ebuild could create a user cyrus.
cyrus-sasl-2.1.7 has been released into portage. /etc/sasl2 is the dbpath and configdir now. I have changed permissions on said directory to root:mail 640. I have also updated the postfix ebuild to -r1 and have smtpd.conf installed to /etc/sasl2. This should hopefully fix some of the sasl problems. Please report successes and failures on this bug report.
    emerge rsync
    emerge cyrus-sasl
    emerge postfix
A couple of TLS related fixes have been made to postfix. Please update and install the new version and let me know a status.
    emerge rsync
    emerge postfix
The recent ebuild cyrus-sasl-2.1.7-r1 turns off plain authentication. I think this is not a good idea. Many providers are using plain-auth. You can configure authentication in postfix main.cf instead. regards Jochen
I have to enable login and plain authentication (sasl) for relaying over my provider with postfix too.
The postfix-1.1.11.20020613.ebuild has disappeared from portage due to a developer accidentally thinking it was an old package. I am working on a new ebuild of postfix based on the 20020822 snapshot with all the support we have been discussing built in. The main issue I am having right now is the best ssl and ipv6 patches are together in one patch, which is not how I want this software to build. ssl and ipv6 support needs to be separable. I will be spending some time with the latest tls+ipv6 patch to see if I can split it into two patches. If anyone here knows of good separate tls and ipv6 patches for postfix I will definitely entertain their usage.
Regarding sasl plain authentication, please add sasl-plain to your use variables and re-emerge cyrus-sasl and that authentication will be enabled. Valid use variables for sasl authentication include:
---------------------------------------------------
sasl-anon
sasl-login
sasl-scram
sasl-plain
sasl-krb4
sasl-gssapi
sasl-opie
If you have a suggestion as to what authentication methods should be enabled by default, please let me know and I will pass the ideas around with the other developers.
Since postfix-1.1.11.20020613 disappeared from CVS I have started a new ebuild. I have released postfix-1.1.11.20020822 into portage. Currently it needs testing and much updating and of course is masked. SSL support appears to work. SSL+IPV6 support is not working right yet. SASL support has yet to be added in as well. I will be working on this ebuild throughout the week to make sure I come up with something extremely solid for release. cyrus-imapd-2.1.9 has also been released into portage. If you have suggestions for the setting up of this ebuild or any related ebuild, please comment here.
The cyrus-sasl ebuild has been updated to include LOGIN authentication so Micro$oft mail clients can work properly.
postfix-1.1.11.20020822.ebuild has been unmasked in portage. This ebuild supports mysql, ldap, sasl (v1 and v2), ipv6, and tls. Please test and report back on this bug.
postfix-1.1.11.20020917 has been released into portage.
Login and plain should be enabled by default in cyrus-sasl. The first for outlook, the second for postfix because many providers only support plain authentication. I also don't see the point why all the sasl-useflags are needed. Normally the application defines what login methods are allowed, not the library. E.g. cyrus in imapd.conf (allowplain...) or postfix in main.cf with smtp(d)_sasl...
Login and plain are both enabled by default in cyrus-sasl-2.1.7-r1 (and the masked -r2). The undocumented use flags have been removed already.
I'm just testing all those ebuilds, starting with cyrus-sasl-2.1.7: for src_install():
--------------
# create directory /etc/sasl2 (for sasldb2):
mkdir ${D}etc/sasl2
# create an empty sasldb2:
# Just touching sasldb2 doesn't work, so we are creating and deleting an account
echo "gentoo" | ${D}usr/sbin/saslpasswd2 -f ${D}etc/sasl2/sasldb2 -p cyrus
${D}usr/sbin/saslpasswd2 -f ${D}etc/sasl2/sasldb2 -d cyrus
# Setting right permissions for sasldb2 (important because it contains passwords)
chown root.mail ${D}etc/sasl2/sasldb2
chmod 0640 ${D}etc/sasl2/sasldb2
---------
I will now test cyrus-imapd, but after a quick view over the ebuild I can say that either the ebuild should add user cyrus (for admin) to the sasldb2 (in post_install() with a default pwd like gentoo) or it should instruct the user to create them with saslpasswd2.
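An added example (not part of the comment above or of any ebuild): a POSIX shell audit of an installed sasldb2 against the root:mail 0640 target described above. The function names are made up for this illustration, and the parent-directory check goes beyond what the comment asks for.

```shell
# Added example: audit a sasldb2 file against the root:mail 0640 target above.

# perm_string PATH: type + permission field from ls, e.g. -rw-r-----
perm_string() { ls -ld -- "$1" | cut -c1-10; }

# owner_group PATH: "owner:group" as ls reports it
owner_group() { ls -ld -- "$1" | awk '{ print $3 ":" $4 }'; }

# sasldb_mode_ok FILE: regular file, not a symlink; owner at most rw,
# group at most r, nothing for others, no setuid/setgid/sticky bits.
sasldb_mode_ok() {
    [ -L "$1" ] && return 1
    case "$(perm_string "$1")" in
        -[r-][w-]-[r-]-----) return 0 ;;
    esac
    return 1
}

# dir_ok DIR: group and other write bits must be clear, otherwise someone
# other than the owner could swap the database file for another one.
dir_ok() {
    case "$(perm_string "$1")" in
        d????-??-?) return 0 ;;
    esac
    return 1
}

# audit_sasldb FILE [OWNER:GROUP]: print findings, return how many there were.
audit_sasldb() {
    db=$1; want=${2:-root:mail}; n=0
    [ -e "$db" ] || { echo "missing: $db"; return 1; }
    sasldb_mode_ok "$db" ||
        { echo "mode broader than 0640 or not a plain file: $(perm_string "$db")"; n=$((n + 1)); }
    [ "$(owner_group "$db")" = "$want" ] ||
        { echo "owner is $(owner_group "$db"), expected $want"; n=$((n + 1)); }
    dir_ok "$(dirname -- "$db")" ||
        { echo "parent directory is group- or world-writable"; n=$((n + 1)); }
    return "$n"
}

# Constructed demo on a scratch file (world-readable on purpose).
# On a real system: audit_sasldb /etc/sasl2/sasldb2
demo_dir=$(mktemp -d)
: > "$demo_dir/sasldb2"; chmod 0644 "$demo_dir/sasldb2"
if audit_sasldb "$demo_dir/sasldb2" "$(owner_group "$demo_dir/sasldb2")"
then echo "clean"; else echo "findings: $?"; fi
rm -rf "$demo_dir"
```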
I don't know why, but pkg_postinst() in cyrus-sasl hasn't created /etc/sasl2 or /var/lib/sasl2. The first will be done with the above creation of the empty sasldb2, but wouldn't it work to create an empty directory /var/lib/sasl2 in src_install()? Then this could be removed with an unmerge.
postfix-1.1.11-20020917 (after deleting the defective openafs-ebuild ;)): As authentication is often wanted, I would add those few lines to main.cf:
---------main.cf------------
# To authenticate at relay hosts:
# generate the hash for saslpass after changes with 'postmap /etc/postfix/saslpass'
#smtp_sasl_password_maps = hash:/etc/postfix/saslpass
#smtp_sasl_security_options = noanonymous
#smtp_sasl_auth_enable = yes
# To authenticate clients (against passwords generated with saslpasswd2):
#smtpd_sasl_auth_enable = yes
#smtpd_sasl_security_options = noanonymous
----------------------------
I've also a few lines for amavis-perl:
---------main.cf------------
# For amavis-perl
#content_filter = vscan
----------------------------
--------master.cf-----------
# For Amavis-perl
#vscan unix - n n - 10 pipe user=vscan
# argv=/usr/sbin/amavis ${sender} ${recipient}
#localhost:10025 inet n - n - - smtpd
# -o content_filter=
----------------------------
And to avoid all those ._cfg* in etc/postfix/sample maybe it's a good idea to create symlinks for all those samples from etc/postfix/sample/* to /usr/share/doc/postfix/sample/* or just exclude that directory from CONFIG_PROTECT (I don't know how emerge follows symlinks in CONFIG_PROTECT).
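An added example, not from any of the commenters or from Postfix: a shell check of main.cf for the settings discussed in this thread, smtpd_sasl_* for authenticating clients and smtp_sasl_* for authenticating to relay hosts. The function names and the sample file are constructed for illustration; the reader joins lines that start with whitespace onto the previous parameter, which is how Postfix reads main.cf.

```shell
# Added example: read main.cf and check the SASL settings discussed in this thread.

# main_cf_get FILE NAME: print NAME's value; exit status 1 if NAME is not set.
# Lines starting with whitespace continue a parameter; comments/blanks are skipped.
main_cf_get() {
    awk -v want="$2" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { if (cur != "") val[cur] = trim(val[cur] " " trim($0)); next }
        {
            eq = index($0, "=")
            if (eq == 0) { cur = ""; next }
            cur = trim(substr($0, 1, eq - 1))
            val[cur] = trim(substr($0, eq + 1))   # a later definition wins
        }
        END { if (want in val) print val[want]; else exit 1 }
    ' "$1"
}

# has_item LIST ITEM: succeed if ITEM is in a comma/whitespace separated list.
has_item() {
    case ",$(printf '%s' "$1" | tr -s ' \t' ',,')," in *",$2,"*) return 0 ;; esac
    return 1
}

# audit_sasl FILE: print one line per finding, return the number of findings.
audit_sasl() {
    f=$1; n=0
    srv=$(main_cf_get "$f" smtpd_sasl_auth_enable) || srv=no
    cli=$(main_cf_get "$f" smtp_sasl_auth_enable) || cli=no
    if [ "$srv" = yes ]; then      # server side: authenticating clients
        # Unset means the Postfix default, which is noanonymous.
        opts=$(main_cf_get "$f" smtpd_sasl_security_options) || opts=noanonymous
        has_item "$opts" noanonymous ||
            { echo "smtpd: noanonymous missing from security options"; n=$((n + 1)); }
        rcpt=$(main_cf_get "$f" smtpd_recipient_restrictions) || rcpt=
        has_item "$rcpt" permit_sasl_authenticated ||
            { echo "smtpd: permit_sasl_authenticated not in recipient restrictions"; n=$((n + 1)); }
    fi
    if [ "$cli" = yes ]; then      # client side: authenticating to a relay host
        main_cf_get "$f" smtp_sasl_password_maps >/dev/null ||
            { echo "smtp: enabled without smtp_sasl_password_maps"; n=$((n + 1)); }
    fi
    return "$n"
}

# Constructed sample based on the settings quoted in this thread.
sample_main_cf() {
    cat <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, check_relay_domains
smtpd_sasl_security_options = noanonymous
# client
smtp_sasl_auth_enable = yes
EOF
}
t=$(mktemp); sample_main_cf > "$t"
if audit_sasl "$t"; then echo "clean"; else echo "findings: $?"; fi; rm -f "$t"
```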
cyrus-sasl-2.1.7: I've just seen in my old ebuild that I've set LD_LIBRARY_PATH to get saslpasswd2 working in src_install. Here are the lines I've used:
------cyrus-sasl.ebuild---------
LD_OLD=${LD_LIBRARY_PATH}
export LD_LIBRARY_PATH=${S}/lib/.libs
...
...saslpasswd2 ...
...
export LD_LIBRARY_PATH=${LD_OLD}
--------------------------------
I've made fixes to the ebuilds for all that stuff:
*cyrus-sasl-2.1.7-r3 (06 Oct 2002)
    cyrus-sasl-2.1.7-r3.ebuild: Added generation of an empty sasldb2 with correct permissions.
*cyrus-imapd-2.1.9-r3 (06 Oct 2002)
    cyrus-imapd-2.1.9-r3.ebuild, files/cyrus_2.conf, files/gentestcrt.sh, files/imapd_2.conf, files/master.8.diff: Removed cyradm and sieveshell (now in package cyrus-imap-admin). Added generation of a self-signed test certificate. Enabled pop3s and imaps per default. Added 'use dns logger' to the startup-script. Renamed master to cyrusmaster because postfix has a master too (manpage conflict)
*cyrus-imap-admin-2.1.9 (06 Oct 2002)
    Initial checkin of this package.
*cyrus-imap-dev-2.1.9 (06 Oct 2002)
    Initial checkin of this package.
postfix:
    files/master.cf files/main.cf, files/postfix.rc6: Added useful comments for authentication and amavis-perl. Added use dns to depend()
I've appended those ebuilds as .tar.bz2, hoping this works.
Created attachment 4438: cyrus-ebuilds.tar.bz2 The new ebuilds
Someone just told me, that for cyrus-imap-admin Extutils-MakeMaker is needed.
In fact it seems to be the opposite. If Extutils-MakeMaker is installed, cyrus-imap-admin won't install. Removing MakeMaker doesn't help (I think this won't work). But on a system where MakeMaker hasn't been installed, emerging cyrus-imap-admin works fine. Does anyone know what's going on?
I give up, see bug 8813
Just a last comment on this describing how to install cyrus-imap-admin:
    emerge unmerge ExtUtils-MakeMaker
    emerge perl
    emerge cyrus-imap-admin