Subject: Re: cyrus and IMAPS?
To: NetBSD User's Discussion List <netbsd-users@NetBSD.ORG>
From: Greg A. Woods <woods@weird.com>
List: netbsd-users
Date: 09/15/2003 15:52:46

[ On Monday, September 15, 2003 at 06:59:21 (+0000), Johnny C. Lam wrote: ]
> Subject: Re: cyrus and IMAPS?
>
> You're right that this is easy to forget since it's not actually
> specifically indicated in the man pages.  I'll add these (commented out)
> to the default imapd.conf files installed by pkgsrc.

I've more suggestions attached!  :-)

> I thought pkgsrc did a global search-and-replace for "/etc/imapd.conf"
> and "/etc/cyrus.conf" and replaced them with ${PKG_SYSCONFDIR}/... in
> the post-patch target, so imapd should be finding the config files in
> the correct, default ${PKG_SYSCONFDIR} locations.  Did that not work?

No, it can't work due to the way they unfortunately set the filename
using just a plain old un-protected #define (and in multiple places, too!).

> It would be wonderful if cyrus-imapd honored the --sysconfdir=...
> option to its configure script.

I'm working on it, as I find time to do so!  ;-)

> > # Use these SASL authentication mechanisms.
> > #
> > # Don't use CRAM-MD5 or DIGEST-MD5 if you don't have a local sasldb.
> > #
> > sasl_mech_list: LOGIN OTP ANONYMOUS
> 
> I think you mean "PLAIN" not "LOGIN", right?  I thought LOGIN was an
> unsupported SASL mechanism that's kept around for MS Outlook clients.

I don't know about all the differences between LOGIN vs. PLAIN, but I do
know that what I say in that comment above is the only way to make unix
accounts work by default with some clients, though perhaps I should also
add "and if you start saslauthd with '-a getpwent'".  I've not yet
tested with any M$ clients (only imtest, pine, mutt, Apple OS X
"Mail.app", and Mozilla running on M$-XP).

Pine, for example, without special hacks in its own config file, is
unable to login to a Cyrus IMAP server using just "saslauthd" and
/etc/master.passwd without at least disabling CRAM-MD5.  (I think all
the IMAP-UW using clients can work around this with a setting like
"disable-these-authenticators=CRAM-MD5" in ~/.pinerc or whatever config
file the client uses to set IMAP-UW client code options, but with the
above SASL option on the server side the clients don't have to bother.)

If I understand correctly, DIGEST-MD5 can also _not_ be used with plain
unix password authentication.

Mozilla "just worked" (I don't know if it simply tried LOGIN, or if it
failed trying CRAM-MD5 and then tried LOGIN), and perhaps M$-LookOut
would "just work" as well.

I haven't tried OTP yet, but I'm hoping it will "just work".  :-)

I can't imagine anyone but the most paranoid wanting to use OTP with
IMAPS though -- especially not in a mix with normal login sessions.

-- 
						Greg A. Woods

+1 416 218-0098                  VE3TCP            RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com>          Secrets of the Weird <woods@weird.com>
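The mechanism-compatibility points made above (saslauthd cannot serve CRAM-MD5 or DIGEST-MD5 without a local sasldb, LOGIN and PLAIN send the password itself, ANONYMOUS needs allowanonymouslogin) as an added configuration checker; this is not code from the thread or from Cyrus. The parser follows the option: value format described in imapd.conf(5), and the sample config and all warning rules are my own construction.

```python
"""Sanity-check the SASL/TLS settings of an imapd.conf (added example).
Rules follow the thread: CRAM-MD5/DIGEST-MD5 need a local sasldb, LOGIN/PLAIN
send the password itself, ANONYMOUS needs allowanonymouslogin."""

TRUE_VALUES = {"yes", "on", "t", "true", "1"}      # boolean spellings, imapd.conf(5)
SHARED_SECRET_MECHS = {"CRAM-MD5", "DIGEST-MD5"}    # need a local sasldb
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}                # password crosses the wire as-is

def parse_imapd_conf(text):
    """Parse 'option: value' lines; blank lines and '#' lines are ignored."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")   # first colon only; URLs keep theirs
        if sep:
            options[key.strip()] = value.strip()
    return options

def check_sasl_settings(options):
    """Return warnings about mechanism / password-check / TLS combinations."""
    warnings = []
    mechs = set(options.get("sasl_mech_list", "").upper().split())
    pwcheck = options.get("sasl_pwcheck_method", "")
    has_tls = all(options.get(k) for k in ("tls_cert_file", "tls_key_file"))
    anon_ok = options.get("allowanonymouslogin", "no").lower() in TRUE_VALUES
    if pwcheck == "saslauthd" and mechs & SHARED_SECRET_MECHS:
        warnings.append("CRAM-MD5/DIGEST-MD5 listed, but saslauthd cannot "
                        "verify them: they need a local sasldb")
    if mechs & PLAINTEXT_MECHS and not has_tls:
        warnings.append("plaintext mechanism listed without tls_cert_file and "
                        "tls_key_file: password would cross the wire in clear")
    if "ANONYMOUS" in mechs and not anon_ok:
        warnings.append("ANONYMOUS listed but allowanonymouslogin is off")
    return warnings

SAMPLE_CONF = """\
# constructed sample: saslauthd plus a mechanism it cannot serve, and no key file
configdirectory: /var/imap
sasl_pwcheck_method: saslauthd
sasl_mech_list: LOGIN CRAM-MD5 ANONYMOUS
tls_cert_file: /var/imap/server.pem
"""

if __name__ == "__main__":
    for w in check_sasl_settings(parse_imapd_conf(SAMPLE_CONF)):
        print("warning:", w)
```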


Content-Description: more suggestions for example imapd.conf
Content-Disposition: inline;
	filename="cyrus-imapd.pkg-diff"

Index: files/imapd.conf
===================================================================
RCS file: /cvs/master/m-NetBSD/main/pkgsrc/mail/cyrus-imapd21/files/imapd.conf,v
retrieving revision 1.1.1.1
diff -c -u -r1.1.1.1 imapd.conf
--- files/imapd.conf	27 Oct 2002 16:08:53 -0000	1.1.1.1
+++ files/imapd.conf	15 Sep 2003 19:39:14 -0000
@@ -1,16 +1,179 @@
 # $NetBSD: imapd.conf,v 1.1.1.1 2002/10/27 16:08:53 chris Exp $
 #
-# Cyrus IMAP server configuration file.  Refer to imapd.conf(5) for
-# more options.
+#	Cyrus IMAP server configuration file.
+#
+# Most lines in this file are commented; in this case the default is used. 
+# The commented lines (usually) contain the default value
+#
+#        Each line of the /etc/imapd.conf file has the form
+#
+#              option: value
+#
+#       where option is the name of the configuration option being
+#       set  and  value is the value that the configuration option
+#       is being set to.
+#
+#       Blank lines and lines beginning with ``#'' are ignored.
+#
+#       For boolean options, the values  ``yes'',  ``on'',  ``t[rue]'',
+#       and  ``1'' turn the option on, the values ``no'', ``off'',
+#       ``f[alse]'', and ``0'' turn the option off.
+#
+# Refer to imapd.conf(5) for more options and other details.
 
+# The pathname of the IMAP configuration directory
+#
+# This directory, and the associated partition directory listed below,
+# can be created with the ${PREFIX}/cyrus/bin/mkimap script.
+#
+# This directory should only be readable and writable by the user-id
+# configured for the daemon, and readable only by the group-id
+# configured for the daemon.  This directory should not be world
+# readable or writable or searchable.
+#
 configdirectory: /var/imap
+
+# The partition name used by default for new mailboxes
+# 
+# The naming convention is such that partition-<name> where <name> is
+# replaced by the value of following setting will specify the
+# configuration entry which defines the pathname to the default
+# partition.
+#
+#defaultpartition: default
+
+# The directory pathname for the default partition
+#
+# Other partitions can be defined with entries like partition-<name>.
+# 
+# Partition directories should only be readable and writable by the
+# user-id configured for the daemon, and readable only by the group-id
+# configured for the daemon.  This directory should not be world
+# readable or writable or searchable.
+#
 partition-default: /var/spool/imap
-sieveusehomedir: true
-hashimapspool: false
 
+### NOTE: the rest of the options below are kept sorted.
+
+# The list of userids with administrative rights.  Separate each userid
+# with a space.  We recommend that administrator userids be separate from 
+# standard userids.  Sites using Kerberos authentication may use separate
+# "admin" instances.
+#
+#admins: <none>
 admins: cyrus
 
+# If nonzero, normal users may create their own IMAP accounts by
+# creating the mailbox INBOX.  The user's quota is set to the value,
+# in kilobytes if it is positive, otherwise the user has unlimited
+# quota.
+#
+#autocreatequota: 0
+autocreatequota: 10000
+
+# If enabled, the partitions will also be hashed, in addition to the
+# hashing done on configuration directories.  This is recommended if
+# one partition has a very bushy mailbox tree.
+#
+# If you are upgrading a previous instance which did not have hashing
+# enabled you can fix the existing configdirectory and partition
+# directory with the ${PREFIX}/cyrus/bin/dohash tool.
+# 
+#hashimapspool: false
+hashimapspool: true
+
+# If enabled, lmtpd returns a permanent failure code when a user's
+# mailbox is over quota.  By default, the failure is temporary, which
+# means your users would get to use your MTA's queue to extend their
+# quota!
+#
+#lmtp_overquota_perm_failure: no
+lmtp_overquota_perm_failure: yes
+
+# Include notations in the protocol telemetry logs indicating the
+# number of seconds since the last command or response.
+#
+#logtimestamps: no
+logtimestamps: yes
+
+# Maximum incoming LMTP message size.  If set, lmtpd will reject
+# messages larger than maxmessagesize bytes.  The default is to allow
+# messages of any size.  4MB is the most smail can realistically carry.
+#
+#maxmessagesize: <unlimited>
+maxmessagesize: 4000000
+
+# If enabled at compile time, this specifies a URL to reply when
+# Netscape asks the server where the mail administration HTTP server
+# is.  Administrators should set this to a local resource with some
+# useful information for end users.  If not set, no URL is advertised.
+#
+#netscapeurl: <no default>
+
+# The alternate namespace allows a user's personal mailboxes to appear as
+# if they reside at the same level as that user's INBOX
+#
+# WARNING:  This is a _REALLY_ bad idea with PINE.
+#
+#altnamespace: no
+
+# Use the UNIX separator character '/' for delimiting levels of
+# mailbox hierarchy.  The default is to use the netnews separator
+# character '.'.
+#
+#unixhierarchysep: no
+
+# Permit logins by the user "anonymous" using any password.
+#
+# Also  allows use of the SASL ANONYMOUS mechanism unless sasl_mech_list is
+# specified explicitly below
+#
+#allowanonymouslogin: no
+
 # Use the saslauthd daemon to verify plaintext passwords.  Please ensure that
 # the saslauthd daemon is running before trying to authenticate.
 #
 sasl_pwcheck_method: saslauthd
+
+# Use these SASL authentication mechanisms.
+#
+# Don't use CRAM-MD5 or DIGEST-MD5 if you don't have a local sasldb.
+#
+sasl_mech_list: LOGIN OTP ANONYMOUS
+
+# If enabled, deliver will look for Sieve scripts in user's home
+# directories: ~user/.sieve.
+# 
+#sieveusehomedir: false
+sieveusehomedir: true
+
+# If sieveusehomedir is false, this directory is searched for Sieve
+# scripts.
+#
+#sievedir: /var/imap/sieve
+
+# The pathname of the sendmail executable.  Sieve uses sendmail for
+# sending rejections, redirects and vacation responses.
+#
+#sendmail: /usr/sbin/sendmail
+
+# File containing one or more Certificate Authority (CA) certificates.
+#
+#tls_ca_file:
+#tls_ca_file: /var/imap/private/CAcert.pem
+
+# Path to directory with certificates of CAs.
+#
+#tls_ca_path:
+
+# The file containing the global certificate, and the private key
+# belonging to the global server certificate, which will be used for
+# ALL services (imap, pop3, lmtp, sieve).
+#
+#    openssl req -new -x509 -nodes -out /var/imap/server.pem -keyout /var/imap/server.pem -days 365
+#
+# Note you must give the hostname any SSL clients will use to access
+# the server as the "Common Name (CN)" when running the above.
+#
+tls_cert_file: /var/imap/server.pem
+tls_key_file: /var/imap/server.pem
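Review bot: four settings in this hunk are switched from commented defaults to active values (autocreatequota: 10000, hashimapspool: true, lmtp_overquota_perm_failure: yes, maxmessagesize: 4000000) while every other new entry is shipped commented out; for a pkgsrc example file they should stay commented with their documented defaults. Flipping hashimapspool from false to true leaves an existing spool unusable until the dohash tool the comment itself mentions has been run, and a non-zero autocreatequota lets any account saslauthd accepts from /etc/master.passwd create its own mailbox simply by creating INBOX; both are site decisions, not package defaults, and the "4MB is the most smail can realistically carry" remark is likewise site-specific. On sasl_mech_list, the comment should say that LOGIN (and PLAIN) transmit the password itself and belong only behind the TLS configured by tls_cert_file/tls_key_file at the end of the file, and listing ANONYMOUS there while allowanonymouslogin is left at its default "no" is contradictory. Finally, since the openssl line uses -nodes, server.pem holds an unencrypted private key: the tls_key_file comment should state that the file must be owned by the daemon user and not readable by anyone else, as the configdirectory comment already says for the directory.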
