headers
Blake Hudson | 1 Jun 2012 15:59

Re: Failover for business continuity


Ram wrote the following on 5/30/2012 8:53 AM:
>
> On 05/30/2012 02:26 PM, Eric Luyten wrote:
>> On Wed, May 30, 2012 9:24 am, Ram wrote:
>>> On 05/30/2012 12:43 PM, Dmitry Banschikov wrote:
>>>
>>>> On 05/30/2012 10:52 AM, Ram wrote:
>>>>
>>>>> I am trying to setup a remote cyrus-replica to a different geographical
>>>>> location for business continuity.
>>>>>
>>>>> In case the main server goes down the users will get switched to the
>>>>> remote server by making a DNS change. The only issue is DNS replication
>>>>> would take a long time so the switch is not instantaneous. How would one
>>>>> make the switch instantaneous ? Moving the IP is not possible because the
>>>>> Remote server is on a different network
>>>>>
>>>>>
>>>> You can set TTL of RR to very small value (say 60 seconds). In this
>>>> case, DNS change will be propagated fast.
>>>>
>>>>
>>> But I have seen some DNS clients , especially on windows , do not honor
>>> TTL.
>>> For a 10 minute TTL , even after 4 hours the windows server keeps
>>> resolving to the old server
>> Ram,
>>
>>
(Continue reading)

Permalink | Reply | 0 comments |
headers
Arnaud Launay | 11 Jun 2012 11:15

Re: Problem while deleting mailbox on a private spool on NFS

Hello,

Michael Loftis <mloftis <at> wgops.com> writes:
> Don't use Cyrus over NFS.  It's not safe.  You *WILL* end up with corrupt 
> mailboxes.
> 
> There might be some NFS Client+Server combinations that are safe, but since 
> you've a Linux client I'm guessing your NFS server is also Linux, a known 
> not-safe configuration.  The reason is file locking doesn't' really work on 
> NFS.

Is it still current ? I had to move the cyrus spool to an nfs server server due
to space problems, and I'm getting some of those:

Jun 11 04:11:53 nw2 imaps[27624]: IOERROR: locking index for
toto.fr!user.coincoin: Unknown code ____ 255

Linux 3.2 on both client and server, nfs v3.

If NFS isn't a good answer, what might be ? Problem here is redundancy (the nfs
server is redundant in a drbd master/slave configuration) and space...

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Permalink | Reply | 1 comment |
headers
Patrick Boutilier | 11 Jun 2012 13:53
Picon
Favicon

Re: Problem while deleting mailbox on a private spool on NFS

On 06/11/2012 06:15 AM, Arnaud Launay wrote:
> Hello,
>
> Michael Loftis <mloftis <at> wgops.com> writes:
>> Don't use Cyrus over NFS.  It's not safe.  You *WILL* end up with corrupt
>> mailboxes.
>>
>> There might be some NFS Client+Server combinations that are safe, but since
>> you've a Linux client I'm guessing your NFS server is also Linux, a known
>> not-safe configuration.  The reason is file locking doesn't' really work on
>> NFS.
>
> Is it still current ? I had to move the cyrus spool to an nfs server server due
> to space problems, and I'm getting some of those:
>
> Jun 11 04:11:53 nw2 imaps[27624]: IOERROR: locking index for
> toto.fr!user.coincoin: Unknown code ____ 255
>
> Linux 3.2 on both client and server, nfs v3.
>
> If NFS isn't a good answer, what might be ? Problem here is redundancy (the nfs
> server is redundant in a drbd master/slave configuration) and space...

We use iscsi instead of nfs now.

>
>
> ----
> Cyrus Home Page: http://www.cyrusimap.org/
> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
(Continue reading)

Permalink | Reply | 0 comments |
headers
Stephen Ingram | 13 Jun 2012 21:57
Picon

GSSAPI for various murder component setups

There seems to be quite a bit of information on the Website about
setting up a murder configuration. Most of the documentation, however,
seems to be centered on basic authentication. Is there a good resource
somewhere to using Kerberos to setup the communication between the
mupdate, frontend and backend servers for mupdate, imap and
replication processes? I see some configs in the distribution conf
directory from CMU setups, but they are only partially complete and
based on Kerberos 4.

Steve
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Permalink | Reply | 21 comments |
headers
Dave McMurtrie | 13 Jun 2012 22:05
Picon

Re: GSSAPI for various murder component setups

On 06/13/2012 03:57 PM, Stephen Ingram wrote:
> There seems to be quite a bit of information on the Website about
> setting up a murder configuration. Most of the documentation, however,
> seems to be centered on basic authentication. Is there a good resource
> somewhere to using Kerberos to setup the communication between the
> mupdate, frontend and backend servers for mupdate, imap and
> replication processes? I see some configs in the distribution conf
> directory from CMU setups, but they are only partially complete and
> based on Kerberos 4.

Hi Stephen,

I'm not aware of any documentation at all, but it would be nice to have 
that.  We're running a murder configuration at CMU and we use kerberos 
auth between servers.  Please feel free to ask any questions you need 
and I'll do my best to answer promptly.  If you don't even know where to 
start, I can try to put together some basic information in an email and 
we can go from there.  Perhaps when you get it all working you could 
contribute some docs back :)

Thanks!

Dave
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
(Continue reading)

Permalink | Reply | 0 comments |
headers
Dan White | 13 Jun 2012 22:23
Gravatar

Re: GSSAPI for various murder component setups

On 06/13/12 12:57 -0700, Stephen Ingram wrote:
>There seems to be quite a bit of information on the Website about
>setting up a murder configuration. Most of the documentation, however,
>seems to be centered on basic authentication. Is there a good resource
>somewhere to using Kerberos to setup the communication between the
>mupdate, frontend and backend servers for mupdate, imap and
>replication processes? I see some configs in the distribution conf
>directory from CMU setups, but they are only partially complete and
>based on Kerberos 4.

There are two differences that come to mind:

When configuring authentication, you can simply leave the authname and
password out of your configuration, such as:

mupdate_server: mupdate.example.net
# mupdate_port
# mupdate_username:
# mupdate_authname
# mupdate_realm
# mupdate_password
# mupdate_retry_delay
mupdate_config: standard

The other issue is that where your systems are acting as clients (such as
when a frontend server is connecting to an mupdate server), your client
will need to initialize a kerberos ticket cache, and in my experience
cannot use the kerberos credentials used to accept connections. Or in other
words, your frontends might have an imap/mail.example.net service ticket
for accepting client imap connections, but then may need a separate ticket,
(Continue reading)

Permalink | Reply | 19 comments |
headers
Stephen Ingram | 14 Jun 2012 06:02
Picon

Re: GSSAPI for various murder component setups

On Wed, Jun 13, 2012 at 1:23 PM, Dan White <dwhite <at> olp.net> wrote:
> On 06/13/12 12:57 -0700, Stephen Ingram wrote:
>>
>> There seems to be quite a bit of information on the Website about
>> setting up a murder configuration. Most of the documentation, however,
>> seems to be centered on basic authentication. Is there a good resource
>> somewhere to using Kerberos to setup the communication between the
>> mupdate, frontend and backend servers for mupdate, imap and
>> replication processes? I see some configs in the distribution conf
>> directory from CMU setups, but they are only partially complete and
>> based on Kerberos 4.
>
>
> There are two differences that come to mind:
>
> When configuring authentication, you can simply leave the authname and
> password out of your configuration, such as:
>
> mupdate_server: mupdate.example.net
> # mupdate_port
> # mupdate_username:
> # mupdate_authname
> # mupdate_realm
> # mupdate_password
> # mupdate_retry_delay
> mupdate_config: standard
>
> The other issue is that where your systems are acting as clients (such as
> when a frontend server is connecting to an mupdate server), your client
> will need to initialize a kerberos ticket cache, and in my experience
(Continue reading)

Permalink | Reply | 17 comments |
headers
Reg | 14 Jun 2012 06:57
Favicon

Creatings subfolder of INBOX from an Email client, virtual domains

Hi,

I have cyrus setup with virtual domains.

On my email client I can't create a folder under INBOX. Below you can see that creating "test 1" works but "INBOX/test 2" does not. Is this normal or is there something wrong with my setup?

05.06.2012 16:58:34 C: 00034 CREATE "test 1"
05.06.2012 16:58:35 S: 00034 OK Completed
05.06.2012 16:58:35 C: 00035 SUBSCRIBE "test 1"
05.06.2012 16:58:35 S: 00035 OK Completed
05.06.2012 16:58:35 C: 00036 LIST "" "test 1"
05.06.2012 16:58:35 S: * LIST (\HasNoChildren) "/" "test 1"
05.06.2012 16:58:35 S: 00036 OK Completed (0.000 secs 2 calls)
05.06.2012 16:58:35 C: 00037 SELECT "test 1"

05.06.2012 16:58:47 C: 00055 CREATE "INBOX/test 2"
05.06.2012 16:58:47 S: 00055 NO Invalid mailbox name 

Thanks,
Reg
 
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Permalink | Reply | 2 comments |
headers
Bron Gondwana | 14 Jun 2012 10:56
Gravatar

Re: Creatings subfolder of INBOX from an Email client, virtual domains

On Wed, Jun 13, 2012, at 09:57 PM, Reg wrote:
Hi,

I have cyrus setup with virtual domains.

On my email client I can't create a folder under INBOX. Below you can see that creating "test 1" works but "INBOX/test 2" does not. Is this normal or is there something wrong with my setup?

05.06.2012 16:58:34 C: 00034 CREATE "test 1"
05.06.2012 16:58:35 S: 00034 OK Completed
05.06.2012 16:58:35 C: 00035 SUBSCRIBE "test 1"
05.06.2012 16:58:35 S: 00035 OK Completed
05.06.2012 16:58:35 C: 00036 LIST "" "test 1"
05.06.2012 16:58:35 S: * LIST (\HasNoChildren) "/" "test 1"
05.06.2012 16:58:35 S: 00036 OK Completed (0.000 secs 2 calls)
05.06.2012 16:58:35 C: 00037 SELECT "test 1"

05.06.2012 16:58:47 C: 00055 CREATE "INBOX/test 2"
05.06.2012 16:58:47 S: 00055 NO Invalid mailbox name 
 
Yeah, you can't create subfolders of "INBOX" in altnamespace.  Any other name should be fine, but if you LIST INBOX you will see it has the \NoInferiors flag.
 
Bron.
--
Bron Gondwana
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Permalink | Reply | 0 comments |
headers
Dave McMurtrie | 14 Jun 2012 15:20
Picon

Re: GSSAPI for various murder component setups

On 06/14/2012 12:02 AM, Stephen Ingram wrote:

> This is exactly the part I'm really confused about. For murder, I see
> connections from the frontends and backends to the mupdate server. I
> also see connections from the frontends to the backends. The
> connections to the mupdate server are, in a very simplistic sense, to
> spread information about the mailboxes. I was thinking these should be
> machine to machine connections using Kerberos service accounts.

Let me try to run through which keys exist on various servers in our 
environment.  I think that will possibly clear things up a bit.

In the keytab on our Cyrus frontend servers:
--------------------------------------------
* imap/cyrus.andrew.cmu.edu <at> ANDREW.CMU.EDU service principal.  This is 
used for end-user client authentication to the imap service running on 
cyrus.andrew.cmu.edu hosts.

* pop/cyrus.andrew.cmu.edu <at> ANDREW.CMU.EDU service principal.  This is 
used for end-user client authentication to the pop service running on 
cyrus.andrew.cmu.edu hosts.

* sieve/cyrus.andrew.cmu.edu <at> ANDREW.CMU.EDU service principal.  This is 
used for end-user client authentication to the sieve service running on 
cyrus.andrew.cmu.edu hosts.

* nntp/cyrus.andrew.cmu.edu <at> ANDREW.CMU.EDU service principal.  This is 
used for end-user client authentication to the nntp service running on 
cyrus.andrew.cmu.edu hosts.

* imap/`hostname` <at> ANDREW.CMU.EDU.  The Cyrus master process runs 
authenticated as this principal.  We accomplish this by having a simple 
cyrus.auth script run on startup from cyrus.conf, and also as a 
recurring event in cyrus.conf.  It does nothing more than set KRB5CCNAME 
and run kinit.  These credentials are used to authenticate to our 
mupdate server and to each of our Cyrus backend servers.

* host/cyrus.andrew.cmu.edu <at> ANDREW.CMU.EDU.  This could really use some 
documentation.  It's used by saslauthd when saslauthd is configured to 
use kerberos5.  The idea is that saslauthd takes the user credentials 
via a socket and uses those to request a tgt.  To make sure it wasn't 
talking to a spoofed KDC, it then uses that tgt to request a "host" 
service ticket.  "host" is hard-coded in saslauthd.

In the keytab on our Cyrus backend servers:
-------------------------------------------

* imap/`hostname` <at> ANDREW.CMU.EDU.  The Cyrus master process runs 
authenticated as this principal.  We accomplish this by having a simple 
cyrus.auth script run on startup from cyrus.conf, and also as a 
recurring event in cyrus.conf.  It does nothing more than set KRB5CCNAME 
and run kinit.  These credentials are used to authenticate to our 
mupdate server.  If a client were to connect directly to one of our 
backends, it would use this service principal to authenticate.  If you 
disable referrals, you won't need to account for clients connecting 
directly to your backends and you therefore won't need any service 
principals for client authentication.

> However, I'm not really sure, should only the mupdate server have an
> mupdate service principals and then the frontend clients and backend
> clients connect to mupdate using "user" kerberos principals, or if all
> servers involved have service principals. Also when proxying a mail
> connection from frontend to backend, how should this be done?

The frontends authenticate to the backends using their 
imap/`hostname` <at> ANDREW.CMU.EDU credentials (remember, our master process 
runs authenticated).  Proxy authentication is supported in Cyrus-SASL 
for GSSAPI, so the imap/`hostname` credentials are used for 
authentication, but the connection is authorized as the "real" user, or 
the user who authenticated to the frontend.  Hence, in the Cyrus logs on 
the backend you'll see the real username as having logged in, not your 
imap/`hostname` principal.

> And then there is replication....

This works much the same.  Our replicas are all configured with our 
imap/`hostname` principals as "admins:".  sync_client runs with the same 
imap/`hostname` credentials and authenticates to sync_server thusly.

> I guess I'm mostly confused about whether and where to use user and/or
> service principals and how does the other end know that it is being
> connected to correctly.

The backends all look at "proxyservers" in imapd.conf to know if the 
authenticated user is a frontend or not.  The mupdate server uses the 
"admins:" option in imapd.conf.

> For instance is the mupdate server expecting a
> user in the admins group to connect to retrieve the mailbox list or
> simply a machine and where is that specified in the configuration
> files?

Correct.  mupdate uses "admins" in imapd.conf to determine who may 
authenticate.

> I've found a couple of configuration files floating around in
> the mailing list archives and was confused even more after looking at
> it for they only seem to cache credentials for service principal type
> accounts by inserting lines into the cyrus.conf file to create and
> then renew credentials on a regular basis.
>
> I'm really shocked that there is no good documentation on this. Am I
> going down a road that hardly anyone travels on? Or, are those who
> have ventured there simply too exhausted to write about it?
> Considering how great this all seems, I can't believe more people
> don't deploy this type of setup as it seems much more secure than
> using plain text passwords.

Documentation is usually the last thing that a busy sysadmin or 
developer has time for so it usually doesn't get done.  I'd love to see 
the state of documentation for Project Cyrus improve, and I'd welcome 
any documentation you'd be willing to create on this topic.  Jeroen has 
been busy putting together some very excellent docs, and this would 
probably fit in with that nicely.

Thanks!

Dave

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Permalink | Reply | 1 comment |

Gmane