Cyrus: Socket Options


Hi,

what are the following messages supposed to tell me and does this indicate a problem?

# systemctl status cyrus-imapd
[…]
master[3766]: unable to setsocketopt(IP_TOS): Operation not supported
master[3766]: unable to setsocketopt(IP_TOS): Operation not supported
[…]

Exim says it cannot connect to the LMTP socket even when SELinux doesn't get in the way. The configuration looks like this:

cyrus.conf (none of the two options work):

[…]
# lmtp cmd="lmtpd -a" listen="lmtp:127.0.0.1" prefork=4
lmtpunix cmd="lmtpd -a" listen="/var/lib/imap/socket/lmtp" prefork=4
[…]

exim.conf:

[…]
begin transports

# cyrus_ltcp:
# driver = SMTP
# protocol = lmtp
# delivery_date_add
# envelope_to_add
# return_path_add
# hosts = localhost
# allow_localhost

lmtp_socket:
driver = lmtp
socket = /var/lib/imap/socket/lmtp
delivery_date_add
envelope_to_add
return_path_add

# ls -la /var/lib/imap/socket/lmtp
srwxrwxrwx. 1 root root 0 Mar 16 12:58 /var/lib/imap/socket/lmtp

I have this working on the old server (which doesn't run CentOS) and am trying to migrate it to the new one (which runs CentOS 7.4). The versions of cyrus and sasl are the same on both machines.

What's the problem with CentOS that these things don't just work as they usually do?

4 thoughts on "Cyrus: Socket Options"

  • On 16.03.2018 at 13:07, hw wrote:

    That’s cyrus-imapd itself failing and has nothing to do with Exim.

    Providing just a snippet from the complete configuration of cyrus-imapd is insufficient.

    So cyrus-imapd and cyrus-sasl are not the ones shipped by CentOS?

    It works on CentOS, I can assure you that.

    Alexander

  • On 16.03.2018 at 13:07, hw wrote:

    Both definitions are wrong:

    1) the lmtp line

    man cyrus.conf

    listen=
    The UNIX or internet socket to listen on. This string field is required and takes one of the following forms:

    path
    [ host : ] port

    So listen="lmtp:127.0.0.1" is utter nonsense. It would be listen="127.0.0.1:lmtp" if you want to restrict access to localhost.

    2) the lmtpunix line

    man lmtpd

    -a

    Preauthorize connections initiated on an internet socket, instead of requiring LMTP AUTH. This should only be used for connections coming from trusted hosts.

    So no pre-auth on the unix socket.

    And why do you define a prefork of 4?

    Alexander
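As an added example, not code from the thread or from the Cyrus project: a small Python linter that applies the two cyrus.conf(5) rules Alexander cites (listen= must be a path or [host:]port; lmtpd -a preauthorizes internet-socket connections only) to a constructed SERVICES snippet built from the poster's two lines. The sample config and the rule wording are assumptions for illustration.

```python
import re
import shlex

# Constructed sample built from the two service lines quoted in the thread,
# plus one valid line; it is not the poster's real configuration file.
SAMPLE_CYRUS_CONF = '''
SERVICES {
  lmtp     cmd="lmtpd -a" listen="lmtp:127.0.0.1"            prefork=4
  lmtpunix cmd="lmtpd -a" listen="/var/lib/imap/socket/lmtp"  prefork=4
  imaps    cmd="imapd -s" listen="imaps"                      prefork=1
}
'''

_SERVICE_LINE = re.compile(r'^\s*(\w+)\s+(\w+=.*)$')   # name key=value ...
_KEY_VALUE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # quoted or bare value
_PORT = re.compile(r'^(?:\d{1,5}|[A-Za-z][A-Za-z0-9_-]*)$')  # number or /etc/services name


def classify_listen(value):
    """Classify a listen= value per cyrus.conf(5): a path ('unix'),
    [host:]port ('inet'), or None when it matches neither form."""
    if value.startswith('/'):
        return 'unix'
    _host, _sep, port = value.rpartition(':')   # split on the LAST colon
    if not _PORT.match(port) or (port.isdigit() and not 0 < int(port) < 65536):
        return None
    return 'inet'


def lint_services(text):
    """Return (service, problem) pairs for the two rules from the thread:
    a malformed listen= field, and 'lmtpd -a' on a UNIX-socket listener."""
    findings = []
    for line in text.splitlines():
        m = _SERVICE_LINE.match(line)
        if not m:                       # skips comments, braces, blank lines
            continue
        name, rest = m.groups()
        opts = {k: q or u for k, q, u in _KEY_VALUE.findall(rest)}
        kind = classify_listen(opts.get('listen', ''))
        if kind is None:
            findings.append((name, 'listen=%r is neither a path nor [host:]port' % opts.get('listen')))
            continue
        argv = shlex.split(opts.get('cmd', ''))
        if kind == 'unix' and argv[:1] == ['lmtpd'] and '-a' in argv:
            findings.append((name, '-a preauthorizes internet-socket connections; drop it on a UNIX socket'))
    return findings
```

Running lint_services(SAMPLE_CYRUS_CONF) flags the lmtp line (host and port swapped) and the lmtpunix line (-a on a UNIX socket), while the imaps line passes.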

  • Well, it probably means that a socket option cannot be set. That can mean that the socket cannot be used at all or that the socket can be used, just not as well.

    That socket option makes it so that the TOS bit on all packets is being set. I don't see how that would be required here, so maybe the socket works nonetheless.

    It's currently this:

    # standard standalone server implementation

    START {
    # do not delete this entry!
    recover cmd="ctl_cyrusdb -r"

    # this is only necessary if using idled for IMAP IDLE
    idled cmd="idled"
    }

    # UNIX sockets start with a slash and are put into /var/lib/imap/sockets

    SERVICES {
    # add or remove based on preferences
    # imap cmd="imapd" listen="127.0.0.1:imap" prefork=2
    imaps cmd="imapd -s" listen="imaps" prefork=1
    # pop3 cmd="pop3d" listen="pop3" prefork=3
    # pop3s cmd="pop3d -s" listen="pop3s" prefork=1
    sieve cmd="timsieved" listen="gupta:sieve" prefork=0
    # managesieve cmd="timsieved" listen="gupta:sieve" prefork=0
    # sieve cmd="timsieved" listen="4190" prefork=1

    # these are only necessary if receiving/exporting usenet via NNTP
    # nntp cmd="nntpd" listen="nntp" prefork=3
    # nntps cmd="nntpd -s" listen="nntps" prefork=1

    # at least one LMTP is required for delivery
    lmtp cmd="lmtpd -a" listen="lmtp" prefork=1
    # lmtpunix cmd="lmtpd -a" listen="/var/lib/imap/socket/lmtp" prefork=1

    # this is only necessary if using notifications
    notify cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" prefork=1
    }

    EVENTS {
    # this is required
    checkpoint cmd="ctl_cyrusdb -c" period=30

    # this is only necessary if using duplicate delivery suppression,
    # Sieve or NNTP
    delprune cmd="cyr_expire -E 3" at=0400

    # this is only necessary if caching TLS sessions
    tlsprune cmd="tls_prune" at=0400
    }

    Apparently exim cannot use the lmtp socket because of a permissions problem. Not using the socket works, except that timsieved appears not to be able to find any authentication mechanics. I can connect to it but not authenticate:

    # sivtest -u hw -v gupta
    S: "IMPLEMENTATION" "Cyrus timsieved v2.4.17-Fedora-RPM-2.4.17-13.el7"
    S: "SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify envelope relational regex subaddress copy"
    S: "STARTTLS"
    S: "UNAUTHENTICATE"
    S: OK
    Authentication failed. generic failure
    Security strength factor: 0
    logout OK "Logout Complete"
    Connection closed.

    I didn't get to figure this out yet.

    They are from packages installed by yum and just happen to be the same versions as on the old server. I can't tell if the same compiling options were used, though.

    Hopefully so …

  • Right, that must have come from all the experimentation and gone unnoticed.

    I read it such that '-a' means I don't need to worry about authorization.

    Do you mean to say it should only be used when the socket is not a file?
    If that is so, the manpage should say that, and it should say what the option does when the socket is a file. Maybe it's ignored for files, maybe it breaks stuff. The manpage does not say that authorization is omitted when the socket is a file, so what does it actually say?

    Why not? The server has 4 cores, and I haven't read any suggestions yet about how many processes should be preforked. I can imagine it might not make sense or not work at all when the socket is a file, and that it might not make sense when the socket is not a file because there are no other hosts connecting. IIRC exim can spawn processes to do deliveries, so it might yet make sense even though no other hosts connect.