Discussion:
Bit of advice upgrading servers to IMAP
Andrew P. Lentvorski
2005-01-19 17:09:54 UTC
Okay, I'm finally biting the bullet and moving from my very reliable email
reading by logging in over SSH and reading it on the command line.

I'm going to give IMAP a shot.

I'm running Postfix. I switched over to Maildir format. That appears to be
working. At least, Mutt is happy enough that it can read my incoming email
and, if y'all can read this, it can send email.

Why are all of the IMAP solutions requiring a database? Using my standard
SSH login procedure (public key exchange only, no password) works fine
for me for now, but I don't see how to configure that to work with IMAP.

What's the magic search keyword? SASL? SSL by itself?

I'll probably reach a point where I want the database in order to support
things like virtual users and domains, but I'm not ready
to go there yet. I want to proceed in small verifiable steps. More
importantly, I don't want to lose my email.

I know that we have a couple of IMAP gurus floating around on the list. Any
advice would be appreciated.

Thanks,
-a
Amit Chakradeo
2005-01-19 17:09:54 UTC
Post by Andrew P. Lentvorski
Okay, I'm finally biting the bullet and moving from my very reliable email
reading by logging in over SSH and reading it on the command line.
I'm going to give IMAP a shot.
I'm running Postfix. I switched over to Maildir format. That appears to be
working. At least, Mutt is happy enough that it can read my incoming email
and, if y'all can read this, it can send email.
Courier IMAP (and IMAPS) can work with maildirs and various pluggable
authenticators (PAM, userdb, vpopmail, mysql)
http://www.inter7.com/courierimap/courierimap.html
Post by Andrew P. Lentvorski
Why are all of the IMAP solutions requiring a database? Using my standard
SSH login procedure (public key exchange only, no password) works fine
for me for now, but I don't see how to configure that to work with IMAP.
They don't necessarily need a database. In your case you just need a
traditional password/shadow/PAM authentication module.


-Amit
Neil Schneider
2005-01-19 17:09:54 UTC
Post by Amit Chakradeo
Post by Andrew P. Lentvorski
Why are all of the IMAP solutions requiring a database? Using my standard
SSH login procedure (public key exchange only, no password)
works fine
for me for now, but I don't see how to configure that to work
with IMAP.
They don't necessarily need a database. In your case you just need a
traditional password/shadow/PAM authentication module.
I've never used courier, how does it store its imap flags?
--
Neil Schneider
pacneil_at_linuxgeek_dot_net
http://www.paccomp.com
Key fingerprint = 67F0 E493 FCC0 0A8C 769B 8209 32D7 1DB1 8460 C47D

Fires can't be made with dead embers, nor can enthusiasm be
stirred by spiritless men. Enthusiasm in our daily work lightens
effort and turns even labor into pleasant tasks. --James Baldwin
Gregory K. Ruiz-Ade
2005-01-19 17:09:54 UTC
Post by Neil Schneider
I've never used courier, how does it store its imap flags?
Courier keeps that metadata in the message's filename. Simple, portable,
and works without (a) mucking with the file's internals or (b) requiring
an external db of some sort.

I.e., the message I'm replying to is in:

~/Maildir/.Lists.kplug/cur/1084999502.17809_1.kanga.home.unnerving.org:2,S

The ",S" at the end means it's been flagged "SEEN."

Now, after finding that (you'll notice that the first set of numbers
coincides with part of the message's Message-ID), I marked it "flagged",
and the filename changed to:

~/Maildir/.Lists.kplug/cur/1084999502.17809_1.kanga.home.unnerving.org:2,FS

The ",FS" at the end means it's been flagged "FLAGGED,SEEN."

Gregory
--
Gregory K. Ruiz-Ade <***@bigbrother.net>
OpenPGP Key ID: EAF4844B keyserver: pgpkeys.mit.edu
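
The filename convention described in the post above, as an added example that is not part of the original thread: shell functions that read the flag letters after ":2," and compute the renamed file when a flag is added. The letter meanings beyond "S" and "F" (D, P, R, T) follow the general Maildir convention and are an assumption not stated in the post; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: decode and update the ":2,<flags>" suffix of a Maildir
# message filename. Function names are illustrative, not from any mail server.

# Print the raw flag letters of a message filename.
# Returns 1 when the name has no ":2," section (e.g. a file still in new/).
maildir_flag_letters() {
    name=${1##*/}                      # drop the directory part
    case $name in
        *:2,*) printf '%s\n' "${name##*:2,}" ;;
        *)     return 1 ;;
    esac
}

# Print one readable flag name per line for a message filename.
maildir_flag_names() {
    letters=$(maildir_flag_letters "$1") || return 1
    while [ -n "$letters" ]; do
        rest=${letters#?}              # everything after the first letter
        c=${letters%"$rest"}           # the first letter itself
        case $c in
            D) echo Draft ;;
            F) echo Flagged ;;
            P) echo Passed ;;
            R) echo Replied ;;
            S) echo Seen ;;
            T) echo Trashed ;;
            *) echo "Unknown($c)" ;;   # server-specific letters are reported, not dropped
        esac
        letters=$rest
    done
}

# Print the filename a message would get after adding one flag.
# Standard letters are kept in ASCII order and deduplicated; any
# non-standard letters already present are preserved after them.
# Returns 2 for a flag letter outside D F P R S T.
maildir_add_flag() {
    path=$1
    flag=$2
    case $flag in [DFPRST]) ;; *) return 2 ;; esac
    case $path in
        *:2,*) base=${path%:2,*}; old=${path##*:2,} ;;
        *)     base=$path; old= ;;
    esac
    new=
    for c in D F P R S T; do
        case "$old$flag" in *"$c"*) new=$new$c ;; esac
    done
    extra=$(printf '%s' "$old" | tr -d 'DFPRST')
    printf '%s:2,%s\n' "$base" "$new$extra"
}

# Stand-alone use: pass a message filename to list its flags.
if [ -n "${1-}" ]; then
    maildir_flag_names "$1"
fi
```
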
Andrew P. Lentvorski
2005-01-19 17:09:54 UTC
Post by Gregory K. Ruiz-Ade
~/Maildir/.Lists.kplug/cur/1084999502.17809_1.kanga.home.unnerving.org:2,S
Nice to know.

I'm getting a problem where the IMAP "Select" command is failing. I presume
this is a "You never used IMAP on this system before and haven't uttered
the magic incantation to set up the Maildir the way I want it."

Anybody know what the magic incantation is?

-a
Cory Petkovsek
2005-01-19 17:09:54 UTC
Post by Andrew P. Lentvorski
Post by Gregory K. Ruiz-Ade
~/Maildir/.Lists.kplug/cur/1084999502.17809_1.kanga.home.unnerving.org:2,S
Nice to know.
I'm getting a problem where the IMAP "Select" command is failing. I presume
this is a "You never used IMAP on this system before and haven't uttered
the magic incantation to set up the Maildir the way I want it."
Anybody know what the magic incantation is?
What is telling you this? Mutt?

When you create a maildir you use maildirmake:
maildirmake /home/cory/Maildir/

Both procmail and postfix will create those maildirs for you when they deliver
mail, so regardless of your delivery agent this isn't a problem. Courier-imap
will not create the directory for you.

So your instructions are either 'wait for new mail' or use maildirmake.

"Never using imap on this system" doesn't matter.

Cory
--
Cory Petkovsek Adapting Information
Adaptable IT Consulting Technology to Your
(858) 705-1655 Business
***@AdaptableIT.com www.AdaptableIT.com
Neil Schneider
2005-01-19 17:09:54 UTC
Post by Andrew P. Lentvorski
Okay, I'm finally biting the bullet and moving from my very
reliable email
reading by logging in over SSH and reading it on the command line.
I'm going to give IMAP a shot.
I'm running Postfix. I switched over to Maildir format. That
appears to be
working. At least, Mutt is happy enough that it can read my
incoming email
and, if y'all can read this, it can send email.
Why are all of the IMAP solutions requiring a database? Using my standard
SSH login procedure (public key exchange only, no password) works fine
for me for now, but I don't see how to configure that to work with IMAP.
IMAP databases store flags about the state of messages, like seen
and answered. Cyrus has a database for each user that is used by
Cyrus for fast searching through mails. The cyrus mailstore holds
the mail in much the same way as maildir, with a database that
cyrus uses to find it. There are tools like "reconstruct" that
will rebuild these databases, but the mail itself is simply plain
text files.
Post by Andrew P. Lentvorski
What's the magic search keyword? SASL? SSL by itself?
SASL is an authentication method, specific to Cyrus-imapd, but
used by other applications too. I don't know of any other IMAP
server that specifically requires it.
Post by Andrew P. Lentvorski
I'll probably reach a point where I want the database in order to support
things like virtual users and domains, but I'm not ready
to go there yet. I want to proceed in small verifiable steps.
More
importantly, I don't want to lose my email.
I know that we have a couple of IMAP gurus floating around on the list. Any
advice would be appreciated.
Postfix and Cyrus-imapd support virtual users without requiring
anything other than their internal databases. Postfix also uses .db files,
but they are really hash tables of plain text files to speed
postfix searches.
--
Neil Schneider
pacneil_at_linuxgeek_dot_net
http://www.paccomp.com
Key fingerprint = 67F0 E493 FCC0 0A8C 769B 8209 32D7 1DB1 8460 C47D

Fires can't be made with dead embers, nor can enthusiasm be
stirred by spiritless men. Enthusiasm in our daily work lightens
effort and turns even labor into pleasant tasks. --James Baldwin
Andrew P. Lentvorski
2005-01-19 17:09:54 UTC
Post by Neil Schneider
IMAP databases store flags about the state of messages, like seen
and answered.
Bleah. Okay, that's the piece of knowledge I needed. Sigh.

I guess I really do need a full database system.

Phooey.
Neil Schneider
2005-01-19 17:09:54 UTC
Post by Andrew P. Lentvorski
Post by Neil Schneider
IMAP databases store flags about the state of messages, like
seen
and answered.
Bleah. Okay, that's the piece of knowledge I needed. Sigh.
I guess I really do need a full database system.
Well if you consider db3 and db4 full database systems. I don't
think they're sql databases.
--
Neil Schneider
pacneil_at_linuxgeek_dot_net
http://www.paccomp.com
Key fingerprint = 67F0 E493 FCC0 0A8C 769B 8209 32D7 1DB1 8460 C47D

Fires can't be made with dead embers, nor can enthusiasm be
stirred by spiritless men. Enthusiasm in our daily work lightens
effort and turns even labor into pleasant tasks. --James Baldwin
John H. Robinson, IV
2005-01-19 17:09:54 UTC
Post by Neil Schneider
Post by Andrew P. Lentvorski
Post by Neil Schneider
IMAP databases store flags about the state of messages, like seen
and answered.
Bleah. Okay, that's the piece of knowledge I needed. Sigh.
I guess I really do need a full database system.
Well if you consider db3 and db4 full database systems. I don't
think they're sql databases.
bincimap (uses Maildirs) does not require an external database. i am
not sure how it actually marks the messages as read, replied to, or
whatnot, but it is probably a format similar to mutt: extensions on the
message filenames.

-john
Lew Wolfgang
2005-01-19 17:09:54 UTC
Post by Andrew P. Lentvorski
Post by Neil Schneider
IMAP databases store flags about the state of messages, like seen
and answered.
Bleah. Okay, that's the piece of knowledge I needed. Sigh.
I guess I really do need a full database system.
I've been using UW-IMAPD for many years, it doesn't require
a database. It works fine with pine, mozilla, Outlook, etc.
It doesn't use maildirs. It will also do imaps out of the can.

Regards,
Lew Wolfgang
Tracy R Reed
2005-01-19 17:09:55 UTC
Post by Andrew P. Lentvorski
Post by Neil Schneider
IMAP databases store flags about the state of messages, like seen
and answered.
Bleah. Okay, that's the piece of knowledge I needed. Sigh.
I guess I really do need a full database system.
No, you don't. Courier stores its flags in a file in the user's ~/Maildir.
--
Tracy Reed The attachment is a digital signature.
http://copilotconsulting.com More info: http://copilotconsulting.com/sig
Gregory K. Ruiz-Ade
2005-01-19 17:09:54 UTC
Post by Andrew P. Lentvorski
Okay, I'm finally biting the bullet and moving from my very reliable
email reading by logging in over SSH and reading it on the command line.
I'm going to give IMAP a shot.
I love IMAP. IMAP is my friend.
Post by Andrew P. Lentvorski
I'm running Postfix. I switched over to Maildir format. That appears to
be working. At least, Mutt is happy enough that it can read my incoming
email and, if y'all can read this, it can send email.
Yay!
Post by Andrew P. Lentvorski
Why are all of the IMAP solutions requiring a database? Using my
standard SSH login procedure (public key exchange only, no password)
works fine for me for now, but I don't see how to configure that to work
with IMAP.
UHm... The two IMAP solutions I've used are UWIMAP (hate it, only does mbox,
and it sucks) and Courier-IMAP (awesome, supports maildirs perfectly)

Courier-IMAP requires only itself and a Maildir. Nothing else. It
authenticates via its own authdaemon, which you can easily configure to use
PAM.
Post by Andrew P. Lentvorski
What's the magic search keyword? SASL? SSL by itself?
I'll probably reach a point where I want the database in order to support
things like virtual users and domains, but I'm not ready
to go there yet. I want to proceed in small verifiable steps. More
importantly, I don't want to lose my email.
For _those_ features, you'll definitely want to step up to Cyrus IMAP (which
uses Cyrus SASL for authentication). This _does_ require databases (at
least, Berkeley DBs) for purposes of indexing, and does not use Maildirs in
the DJB sense, but its own style of maildir-like trees. I think you use
LMTP or some other cyrus-imap injector mechanism to have postfix hand the
mail off to cyrus.

Gregory
--
Gregory K. Ruiz-Ade <***@bigbrother.net>
OpenPGP Key ID: EAF4844B keyserver: pgpkeys.mit.edu
Neil Schneider
2005-01-19 17:09:54 UTC
Post by Gregory K. Ruiz-Ade
For _those_ features, you'll definitely want to step up to Cyrus IMAP (which
uses Cyrus SASL for authentication). This _does_ require
databases (at
least, Berkeley DBs) for purposes of indexing, and does not use Maildirs in
the DJB sense, but its own style of maildir-like trees. I think you use
LMTP or some other cyrus-imap injector mechanism to have postfix hand the
mail off to cyrus.
lmtp is a standard protocol, just like smtp is a standard
protocol. lmtp can be a socket or tcp/ip.
--
Neil Schneider
pacneil_at_linuxgeek_dot_net
http://www.paccomp.com
Key fingerprint = 67F0 E493 FCC0 0A8C 769B 8209 32D7 1DB1 8460 C47D

Fires can't be made with dead embers, nor can enthusiasm be
stirred by spiritless men. Enthusiasm in our daily work lightens
effort and turns even labor into pleasant tasks. --James Baldwin
Cory Petkovsek
2005-01-19 17:09:54 UTC
Post by Andrew P. Lentvorski
I'm going to give IMAP a shot.
Good.
Post by Andrew P. Lentvorski
I'm running Postfix.
Doesn't matter.
Post by Andrew P. Lentvorski
I switched over to Maildir format.
Good.
Post by Andrew P. Lentvorski
Why are all of the IMAP solutions requiring a database?
I haven't seen one that _requires_ a database.

Greg made a comment that for virtual users you will need cyrus. Disregard that
comment, it is not correct. I've used virtual users and domains with uw-imap,
courier-imap and cyrus. In fact I _recommend_ courier-imap for virtual users.
Vusers usually log in with their full email address and this causes havoc with
the way cyrus separates folders (with periods). I find cyrus quite annoying to
work with and recommend courier-imap for all of your imap needs.
Post by Andrew P. Lentvorski
Using my standard SSH login procedure (public key exchange only, no password)
works fine for me for now, but I don't see how to configure that to work with
IMAP.
What's the magic search keyword? SASL? SSL by itself?
TLS. It is the revision of SSL and what SMTP AUTH, IMAP and POP primarily
use. Of course your client needs to support it and mutt does. I have not
set up passwordless entry though. You can use mutt's preconnect or tunnel
options that may help. You can put the password in your config file. I
haven't seen any documentation on how to have a private key on your system that
mutt can use to authenticate against an imap server.

Sasl is an authentication module that can plug into postfix, cyrus-imap and
courier-imap. This allows these three daemons to authenticate users in any
method that sasl can use or their own supported mechanisms (like pam).

Courier-imap is very easy to configure. It just works. Cyrus will take more
learning and configuration. UW-imap does not do maildir and shouldn't be
considered except in special cases. Dovecot is something to keep an eye on,
but not as mature as the big Cs.

Cory
--
Cory Petkovsek Adapting Information
Adaptable IT Consulting Technology to Your
(858) 705-1655 Business
***@AdaptableIT.com www.AdaptableIT.com
Neil Schneider
2005-01-19 17:09:54 UTC
On Wed, May 19, 2004 at 01:15:56PM -0700, Andrew P. Lentvorski
Post by Andrew P. Lentvorski
Why are all of the IMAP solutions requiring a database?
I haven't seen one that _requires_ a database.
cyrus uses db3 and now db4 files to store directory information
and imap flags. AFAIK it does require db? to be installed.
Greg made a comment that for virtual users you will need cyrus.
Disregard that
comment, it is not correct. I've used virtual users and domains with uw-imap,
courier-imap and cyrus. In fact I _recommend_ courier-imap for virtual users.
Vusers usually log in with their full email address and this
causes havoc with
the way cyrus separates folders (with periods). I find cyrus
quite annoying to
work with and recommend courier-imap for all of your imap needs.
There's a hierarcsep(sp?) option for cyrus that causes it to use /
for separator. It's there for this specific reason. Cyrus does
vusers just fine, thank you. Cyrus is different, not annoying. I
like it because I can run a "black-box" server with no mail users
in /etc/passwd or /etc/shadow. Only sasldb or ldap entries are
required. It's a little more challenging than perhaps UW or
courier, but it will outscale both of them. If that matters to
you.
--
Neil Schneider
pacneil_at_linuxgeek_dot_net
http://www.paccomp.com
Key fingerprint = 67F0 E493 FCC0 0A8C 769B 8209 32D7 1DB1 8460 C47D

Fires can't be made with dead embers, nor can enthusiasm be
stirred by spiritless men. Enthusiasm in our daily work lightens
effort and turns even labor into pleasant tasks. --James Baldwin
Cory Petkovsek
2005-01-19 17:09:54 UTC
Post by Neil Schneider
There's a hierarcsep(sp?) option for cyrus that causes it to use /
for separator. It's there for this specific reason.
Good to know.
Post by Neil Schneider
Cyrus does
vusers just fine, thank you.
Touchy!
Post by Neil Schneider
Cyrus is different, not annoying.
Yeah, that's what the Taco Bell chihuahua says. "Different is good."
Post by Neil Schneider
I
like it because I can run a "black-box" server with no mail users
in /etc/passwd or /etc/shadow. Only sasldb or ldap entries are
required.
This can be done with both uw-imap and courier.
Post by Neil Schneider
It's a little more challenging than perhaps UW or courier, but it will
outscale both of them. If that matters to you.
No comment about UW! I wonder though as to the scalability of courier to
cyrus. Granted cyrus may scale more, but where is the threshold at which it
starts to gain an advantage? 50,000 users, 100,000, 500,000? I read a
report[1] of someone using courier with 100,000 accounts in a mysql database.
Login times were .6 seconds.

For me, recommending cyrus over courier isn't going to happen unless a company
needs extreme scalability. Courier is going to meet the needs of most
businesses and administrators.

Cory

[1] http://lists.debian.org/debian-isp/2001/08/msg00060.html
--
Cory Petkovsek Adapting Information
Adaptable IT Consulting Technology to Your
(858) 705-1655 Business
***@AdaptableIT.com www.AdaptableIT.com
Andrew P. Lentvorski
2005-01-19 17:09:54 UTC
It turns out that Postfix doesn't allocate a tmp directory in
the Maildir and Courier coughs up a hairball. Phooey.

So, I can read email using IMAP. Yay! That's incoming email.

Now, how does *outgoing* email work? Does it connect to the
same port and send the other way? Or, do I need to configure
"Yet Another Email Program" to handle the outgoing problem?

Thanks,
-a
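
A check for the situation reported in the post above (a Maildir without tmp) and for the maildirmake advice earlier in the thread, as an added example that is not part of the original posts: it lists which of cur, new and tmp are missing, creates them with owner-only permissions, and reports directories that group or other users can access. The function names are hypothetical, and the owner-only (0700) expectation is an assumption of this example.

```shell
#!/bin/sh
# Added example: verify and repair the cur/new/tmp layout of a Maildir.
# Function names are illustrative, not part of Courier or Postfix.

# Print the missing subdirectories, space separated (empty when complete).
maildir_missing() {
    md_missing=
    for md_sub in cur new tmp; do
        [ -d "$1/$md_sub" ] || md_missing="$md_missing $md_sub"
    done
    printf '%s\n' "${md_missing# }"
}

# Create whichever of cur/new/tmp is absent, readable by the owner only.
# The umask change is confined to a subshell so the caller is unaffected.
maildir_repair() {
    (
        umask 077
        for md_sub in cur new tmp; do
            [ -d "$1/$md_sub" ] || mkdir -p "$1/$md_sub" || exit 1
        done
    )
}

# Print every Maildir directory whose mode grants anything to group or
# other. Characters 5-10 of the "ls -ld" mode string are those six bits.
maildir_loose_perms() {
    for md_dir in "$1" "$1/cur" "$1/new" "$1/tmp"; do
        [ -d "$md_dir" ] || continue
        md_perms=$(ls -ld "$md_dir" | cut -c5-10)
        [ "$md_perms" = "------" ] || printf '%s\n' "$md_dir"
    done
}

# Stand-alone use: pass a Maildir path to get a report (no changes made).
if [ -n "${1-}" ]; then
    echo "missing: $(maildir_missing "$1")"
    maildir_loose_perms "$1"
fi
```

Run the report form against a mailbox first; maildir_repair only adds directories and never touches existing messages.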
Neil Schneider
2005-01-19 17:09:55 UTC
Post by Andrew P. Lentvorski
It turns out that Postfix doesn't allocate a tmp directory in
the Maildir and Courier coughs up a hairball. Phooey.
So, I can read email using IMAP. Yay! That's incoming email.
Now, how does *outgoing* email work? Does it connect to the
same port and send the other way? Or, do I need to configure
"Yet Another Email Program" to handle the outgoing problem?
More info please. Basically your MUA has to be configured to send
mail to postfix. You never said what MUA you're using, so I can't
tell you how to configure it. Also Postfix has to be configured to
accept mail from your MUA, if it is on another network from
Postfix. That's as simple as adding the IP where the MUA is
running to $mynetworks in Postfix.
--
Neil Schneider
pacneil_at_linuxgeek_dot_net
http://www.paccomp.com
Key fingerprint = 67F0 E493 FCC0 0A8C 769B 8209 32D7 1DB1 8460 C47D

Fires can't be made with dead embers, nor can enthusiasm be
stirred by spiritless men. Enthusiasm in our daily work lightens
effort and turns even labor into pleasant tasks. --James Baldwin
Andrew P. Lentvorski
2005-01-19 17:09:55 UTC
Post by Neil Schneider
More info please. Basically your MUA has to be configured to send
mail to postfix.
Absolutely. It wants to talk over port 25.
Post by Neil Schneider
You never said what MUA you're using, so I can't
tell you how to configure it.
Mail.app on OS X. So you still can't tell me how to configure it ... ;)
Post by Neil Schneider
Also Postfix has to be configured to
accept mail from your MUA, if it is on another network from
Postfix. That's as simple as adding the IP where the MUA is
running to $mynetworks in Postfix.
Is that secure enough? IP addresses are pretty easily spoofed.

I went through all of this trouble to get IMAP to talk securely
and encrypted using SSL. Isn't there anything which corresponds
the other direction?

Yes, I have looked at the Cyrus-SASL option. It just seems so ...
ugly ... compared to normal Postfix.

Using a localhost ssh port forwarded tunnel looks cleaner to me.

-a
Lewis Wolfgang
2005-01-19 17:09:55 UTC
Post by Andrew P. Lentvorski
Is that secure enough? IP addresses are pretty easily spoofed.
I went through all of this trouble to get IMAP to talk securely
and encrypted using SSL. Isn't there anything which corresponds
the other direction?
Yes, I have looked at the Cyrus-SASL option. It just seems so ...
ugly ... compared to normal Postfix.
Using a localhost ssh port forwarded tunnel looks cleaner to me.
You have to consider what's going on with email.

1. Pop/Imap to receive email, requires username/password
2. SMTP to send email, no username/password required.

It's important to protect your username/password with
encryption, but unless the rest of your message is also
encrypted by itself, you can't guarantee that all the
other hops your mail takes will have encrypted channels.

In other words, why go to the trouble of encrypting
outgoing SMTP messages when you have absolutely no
control of how the message is being handled after the
first hop. You really want the encryption to protect
your username/password.

However, if you're using username/password authentication
to prevent others from using your SMTP server as an open
relay, then encryption would be appropriate.

Regards,
Lew Wolfgang
Neil Schneider
2005-01-19 17:09:55 UTC
Post by Lewis Wolfgang
Post by Andrew P. Lentvorski
Is that secure enough? IP addresses are pretty easily spoofed.
I went through all of this trouble to get IMAP to talk securely
and encrypted using SSL. Isn't there anything which corresponds
the other direction?
Yes, I have looked at the Cyrus-SASL option. It just seems so ...
ugly ... compared to normal Postfix.
Using a localhost ssh port forwarded tunnel looks cleaner to me.
You have to consider what's going on with email.
1. Pop/Imap to receive email, requires username/password
Yes, and you can run tls over that channel too.
Post by Lewis Wolfgang
2. SMTP to send email, no username/password required.
It's important to protect your username/password with
encryption, but unless the rest of your message is also
encrypted by itself, you can't guarantee that all the
other hops your mail takes will have encrypted channels.
In other words, why go to the trouble of encrypting
outgoing SMTP messages when you have absolutely no
control of how the message is being handled after the
first hop. You really want the encryption to protect
your username/password.
True, though tls keeps someone from sniffing the traffic between
your MUA and your SMTP server.
Post by Lewis Wolfgang
However, if you're using username/password authentication
to prevent others from using your SMTP server as an open
relay, then encryption would be appropriate.
Usually you don't authenticate to smtp, you use the authentication
of pop or imap to set up relaying temporarily for the smtp
session.
--
Neil Schneider
pacneil_at_linuxgeek_dot_net
http://www.paccomp.com
Key fingerprint = 67F0 E493 FCC0 0A8C 769B 8209 32D7 1DB1 8460 C47D

Fires can't be made with dead embers, nor can enthusiasm be
stirred by spiritless men. Enthusiasm in our daily work lightens
effort and turns even labor into pleasant tasks. --James Baldwin
Lewis Wolfgang
2005-01-19 18:35:58 UTC
Permalink
Post by Andrew P. Lentvorski
Is that secure enough? IP addresses are pretty easily spoofed.
I went through all of this trouble to get IMAP to talk securely
and encrypted using SSL. Isn't there anything which corresponds
the other direction?
Yes, I have looked at the Cyrus-SASL option. It just seems so ...
ugly ... compared to normal Postfix.
Using a localhost ssh port forwarded tunnel looks cleaner to me.
You have to consider what's going on with email.

1. Pop/Imap to receive email, requires username/password
2. SMTP to send email, no username/password required.

It's important to protect your username/password with
encryption, but unless the rest of your message is also
encrypted by itself, you can't guarantee that all the
other hops your mail takes will have encrypted channels.

In other words, why go to the trouble of encrypting
outgoing SMTP messages when you have absolutely no
control of how the message is being handled after the
first hop. You really want the encryption to protect
your username/password.

However, if you're using username/password authentication
to prevent others from using your SMTP server as an open
relay, then encryption would be appropriate.

Regards,
Lew Wolfgang
Andrew P. Lentvorski
2005-01-19 18:35:58 UTC
Permalink
Post by Neil Schneider
More info please. Basically your MUA has to be configured to send
mail to postfix.
Absolutely. It wants to talk over port 25.
Post by Neil Schneider
You never said what MUA you're using, so I can't
tell you how to configure it.
Mail.app on OS X. So you still can't tell me how to configure it ... ;)
Post by Neil Schneider
Also Postfix has to be configured to
accept mail from your MUA, if it is on another network from
Postfix. That's as simple as adding the IP where the MUA is
running to $mynetworks in Postfix.
Is that secure enough? IP addresses are pretty easily spoofed.

I went through all of this trouble to get IMAP to talk securely
and encrypted using SSL. Isn't there anything which corresponds
the other direction?

Yes, I have looked at the Cyrus-SASL option. It just seems so ...
ugly ... compared to normal Postfix.

Using a localhost ssh port forwarded tunnel looks cleaner to me.

-a
Cory Petkovsek
2005-01-19 17:09:55 UTC
Permalink
Post by Andrew P. Lentvorski
It turns out that Postfix doesn't allocate a tmp directory in
the Maildir and Courier coughs up a hairball. Phooey.
So, I can read email using IMAP. Yay! That's incoming email.
Now, how does *outgoing* email work? Does it connect to the
same port and send the other way? Or, do I need to configure
"Yet Another Email Program" to handle the outgoing problem?
You use smtp. Use SMTP AUTH which will allow you to relay remotely after
authentication. Use SMTP AUTH over TLS if you want to encrypt your session.
Postfix will plug in to sasl which will handle the authentication.

Cory
--
Cory Petkovsek Adapting Information
Adaptable IT Consulting Technology to Your
(858) 705-1655 Business
***@AdaptableIT.com www.AdaptableIT.com
John H. Robinson, IV
2005-01-19 17:09:55 UTC
Permalink
Post by Andrew P. Lentvorski
It turns out that Postfix doesn't allocate a tmp directory in
the Maildir and Courier coughs up a hairball. Phooey.
what?!

i do find it hard to believe that Postfix, the paragon of MTA's, would
break that badly a very basic Maildir delivery like that.

i'm seriously shocked and appalled. i hope that you are mistaken, and
that it does do proper Maildir deliveries. i'd hate to have to rescind
my blanket recommendation of Postfix to a qualified recommendation of
Postfix with non-Maildir deliveries.

no, i don't feel like looking through the Postfix code to see what it
really does.

-john
Cory Petkovsek
2005-01-19 17:09:56 UTC
Permalink
Post by John H. Robinson, IV
Post by Andrew P. Lentvorski
It turns out that Postfix doesn't allocate a tmp directory in
the Maildir and Courier coughs up a hairball. Phooey.
what?!
i do find it hard to believe that Postfix, the paragon of MTA's, would
break that badly a very basic Maildir delivery like that.
i'm seriously shocked and appalled. i hope that you are mistaken, and
that it does do proper Maildir deliveries. i'd hate to have to rescind
my blanket recommendation of Postfix to a qualified recommendation of
Postfix with non-Maildir deliveries.
He's probably mistaken. I've never had any issue with postfix delivering or
creating Maildirs. Postfix also has a delivery command which can be passed off
to another utility like procmail or maildrop. Your recommendation of postfix
is a solid choice.

Cory
--
Cory Petkovsek Adapting Information
Adaptable IT Consulting Technology to Your
(858) 705-1655 Business
***@AdaptableIT.com www.AdaptableIT.com
Neil Schneider
2005-01-19 18:35:58 UTC
Permalink
Post by Andrew P. Lentvorski
It turns out that Postfix doesn't allocate a tmp directory in
the Maildir and Courier coughs up a hairball. Phooey.
So, I can read email using IMAP. Yay! That's incoming email.
Now, how does *outgoing* email work? Does it connect to the
same port and send the other way? Or, do I need to configure
"Yet Another Email Program" to handle the outgoing problem?
More info please. Basically your MUA has to be configured to send
mail to postfix. You never said what MUA you're using, so I can't
tell you how to configure it. Also Postfix has to be configured to
accept mail from your MUA, if it is on another network from
Postfix. That's as simple as adding the IP where the MUA is
running to $mynetworks in Postfix.
--
Neil Schneider
pacneil_at_linuxgeek_dot_net
http://www.paccomp.com
Key fingerprint = 67F0 E493 FCC0 0A8C 769B 8209 32D7 1DB1 8460 C47D

Fires can't be made with dead embers, nor can enthusiasm be
stirred by spiritless men. Enthusiasm in our daily work lightens
effort and turns even labor into pleasant tasks. --James Baldwin
Neil Schneider
2005-01-19 17:09:54 UTC
Permalink
Post by Cory Petkovsek
Post by Neil Schneider
It's a little more challenging than perhaps UW or courier, but it will
outscale both of them. If that matters to you.
No comment about UW! I wonder though as to the scalability of courier to
cyrus. Granted cyrus may scale more, but where is the threshold at which it
starts to gain an advantage? 50,000 users, 100,000, 500,000? I read a
report[1] of someone using courier with 100,000 accounts in a mysql database.
Login times were .6 seconds.
Perdition and murder were both written to make Cyrus scale. There
are many installations at universities with 150,000+ users.
Multiple servers running behind murder, authentication on the
front end, multiple mail stores on the back end. Easy to manage
for large scale operations, easy to move mailstores. I don't know
if any of this applies to courier or UW. Sasl, though it's not
specific to Cyrus-imap, is cyrus-sasl because it was developed for
cyrus-imap.
Post by Cory Petkovsek
For me, recommending cyrus over courier isn't going to happen unless a company
needs extreme scalability. Courier is going to meet the needs of most
businesses and administrators.
Go with what you know. I have never touched Courier, so I'd have
to scale my learning curve. Cyrus used to be the only imap server
solution for ISPMan, which is part of the reason I use it. Works
for me.
--
Neil Schneider
pacneil_at_linuxgeek_dot_net
http://www.paccomp.com
Key fingerprint = 67F0 E493 FCC0 0A8C 769B 8209 32D7 1DB1 8460 C47D

Fires can't be made with dead embers, nor can enthusiasm be
stirred by spiritless men. Enthusiasm in our daily work lightens
effort and turns even labor into pleasant tasks. --James Baldwin
Tracy R Reed
2005-01-19 17:09:55 UTC
Permalink
Post by Neil Schneider
Perdition and murder were both written to make Cyrus scale. There
Perdition was written for Cyrus? Didn't know that. I've been using
perdition with Courier for ages.
--
Tracy Reed The attachment is a digital signature.
http://copilotconsulting.com More info: http://copilotconsulting.com/sig
Andrew P. Lentvorski
2005-01-19 18:35:58 UTC
Permalink
It turns out that Postfix doesn't allocate a tmp directory in
the Maildir and Courier coughs up a hairball. Phooey.

So, I can read email using IMAP. Yay! That's incoming email.

Now, how does *outgoing* email work? Does it connect to the
same port and send the other way? Or, do I need to configure
"Yet Another Email Program" to handle the outgoing problem?

Thanks,
-a
Cory Petkovsek
2005-01-19 18:35:58 UTC
Permalink
Post by Neil Schneider
There's a hierarcsep(sp?) option for cyrus that causes it to use /
for separator. It's there for this specific reason.
Good to know.
Post by Neil Schneider
Cyrus does vusers just fine, thank you.
Touchy!
Post by Neil Schneider
Cyrus is different, not annoying.
Yeah, that's what the Taco Bell chihuahua says. "Different is good"
Post by Neil Schneider
I like it because I can run a "black-box" server with no mail users
in /etc/passwd or /etc/shadow. Only sasldb or ldap entries are
required.
This can be done with both uw-imap and courier.
Post by Neil Schneider
It's a little more challenging than perhaps UW or courier, but it will
outscale both of them. If that matters to you.
No comment about UW! I wonder though as to the scalability of courier to
cyrus. Granted cyrus may scale more, but where is the threshold at which it
starts to gain an advantage? 50,000 users, 100,000, 500,000? I read a
report[1] of someone using courier with 100,000 accounts in a mysql database.
Login times were .6 seconds.

For me, recommending cyrus over courier isn't going to happen unless a company
needs extreme scalability. Courier is going to meet the needs of most
businesses and administrators.

Cory

[1] http://lists.debian.org/debian-isp/2001/08/msg00060.html
--
Cory Petkovsek Adapting Information
Adaptable IT Consulting Technology to Your
(858) 705-1655 Business
***@AdaptableIT.com www.AdaptableIT.com
Neil Schneider
2005-01-19 18:35:58 UTC
Permalink
On Wed, May 19, 2004 at 01:15:56PM -0700, Andrew P. Lentvorski
Post by Andrew P. Lentvorski
Why are all of the IMAP solutions requiring a database?
I haven't seen one that _requires_ a database.
cyrus uses db3 and now db4 files to store directory information
and imap flags. AFAIK it does require db? to be installed.
Greg made a comment that for virtual users you will need cyrus. Disregard that
comment, it is not correct. I've used virtual users and domains with uw-imap,
courier-imap and cyrus. In fact I _recommend_ courier-imap for virtual users.
Vusers usually log in with their full email address and this causes havoc with
the way cyrus separates folders (with periods). I find cyrus quite annoying to
work with and recommend courier-imap for all of your imap needs.
There's a hierarcsep(sp?) option for cyrus that causes it to use /
for separator. It's there for this specific reason. Cyrus does
vusers just fine, thank you. Cyrus is different, not annoying. I
like it because I can run a "black-box" server with no mail users
in /etc/passwd or /etc/shadow. Only sasldb or ldap entries are
required. It's a little more challenging than perhaps UW or
courier, but it will outscale both of them. If that matters to
you.
--
Neil Schneider
pacneil_at_linuxgeek_dot_net
http://www.paccomp.com
Key fingerprint = 67F0 E493 FCC0 0A8C 769B 8209 32D7 1DB1 8460 C47D

Fires can't be made with dead embers, nor can enthusiasm be
stirred by spiritless men. Enthusiasm in our daily work lightens
effort and turns even labor into pleasant tasks. --James Baldwin
Tracy R Reed
2005-01-19 17:09:55 UTC
Permalink
Post by Andrew P. Lentvorski
Why are all of the IMAP solutions requiring a database? Using my standard
SSH login procedure (public key exchange only, no password) works fine
for me for now, but I don't see how to configure that to work with IMAP.
I am using Courier IMAP and I really like it. No database required. It
*can* integrate with mysql if you want it to for virtual users.
--
Tracy Reed The attachment is a digital signature.
http://copilotconsulting.com More info: http://copilotconsulting.com/sig
Andrew P. Lentvorski, Jr.
2005-01-19 17:09:56 UTC
Permalink
Folks,

Well, things seem to be settling in. I was able to grab all of my email this
morning and deal with it. I'll probably spend a couple of weeks getting used
to it before updating to a PostgreSQL backed solution for dealing with
virtual users and domains and creating a single dedicated mail machine.

The final solution for sending was simply to use SSH to forward a high port
on my local machine to port 25 on my mail server machine when I want to
send. Not the greatest solution, but it seems to work and it won't
open any security holes.

It looks like another solution would be to set up Postfix on my local machine
(which Apple provides on a Powerbook with the default install!) primarily as a
send-only relay which would then communicate with my main server via TLS.
However, that would likely bump into port 25 blocking problems, and I might
as well just send directly from my Powerbook.

Thanks for all of the help. There is no way I could have gotten through
this so quickly without it. I have included my thoughts in a postmortem so that
future folks might benefit or any misconceptions I have may be corrected.

-a

Postmortem:

The IMAP upgrade was not the hardest thing I have ever slogged through on
open-source. However, some interoperability bakeoffs would probably be a good
idea with email clients.

In addition, the most useful piece of practically every HOWTO article was the
"at this point, type <XXX> and you should see <YYY> if things are going right."
These commands correspond to "landmarks" when giving physical directions. I wish
the article authors gave more of these.

The setup stuff:

--Changing Postfix to use Maildir:

Piece of cake. Simply changing the home_mailbox line worked.

Verification: Switched from Pine to Mutt to continue reading email. So why
doesn't Pine handle Maildir without patches?

Caveat: There was an issue with tmp not being created in the Maildir. It
has been pointed out that this was user error since I didn't make the Maildir
directly. I used a conversion script on the /var/spool/mail files.

--Changing Postfix to use TLS

Surprisingly easy. The toughest part is using the magic OpenSSL commands to
create and sign your own keys. I used:
http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/doc/myownca.html
as my main reference for the OpenSSL magic and then:
http://www.palmcoder.net/files/howtos/Postfix%20SSL/Postfix_SSL-HOWTO-2.html
for the Postfix magic.

--Installing IMAP

Not great. Not bad. Since my servers are FreeBSD (I hear the cries of "Philistine!"
already ... ) I used the Courier-IMAP on FreeBSD article at:
http://ezine.daemonnews.org/200308/courier-imap.html

I did the standard cd <portname>; make; make install dance. The FreeBSD ports
tree still rules.

I created a new certificate signed with my original signing key for TLS for IMAP. I
only enable IMAP on port 993 as I only want to talk via TLS and not in the clear.
Yes, I have disabled password login to my machines in SSH, but still ...

I converted my /var/spool/mail files to Maildir using a different conversion script than
the one specified in the article. This probably cost me. It didn't create the tmp
directory in the Maildir which was required later.

A somewhat annoying configuration, but standard for UNIX. Shrug.

--Configuring the Email Clients

What a pain in the a**. Why does everybody feel the need to reformat error
messages and why can't programs give useful messages? How hard is it to
provide a final line or button that says: "To see the full exchange that just occurred,
please type <X> or press <this>." Full exchanges are especially vital for encrypted
channels because you can't look at them with ethereal.

Anyhow, the message that came flying back was "IMAP create command failed".
This was due to the fact that I didn't have a tmp directory inside my Maildir. Very
descriptive folks, thanks bunches. After fixing this, Mutt could cope locally with
looking at new mail.

The next step was getting something on my Powerbook to look at IMAP across the
net. Various clients failed with messages of varying levels of mystery. Finally, the
problem was tracked down to the fact that Courier *demands* that private folders
be placed under INBOX (all caps, please), no exceptions. The Courier folks offer
some weak excuse about clients with broken autodetection of prefix (probably
valid); however, the fact that something like this is hardwired into the system is
a bit strange. In addition, a little more interoperability testing is required with clients.

However, after using the "Advanced" configuration tab in Mail.app to adjust the
prefix to INBOX, use SSL, switch to port 993, and turn off auto-synchronize (*shrug*,
it just solves a bunch of problems), I get email.

Of course, Mail.app proceeds to suck down my entire mail spool locally and delete
it from the server. Arrrgggh! However, this is now IMAP, I'll figure out how to put it
back later (I have, at this point) and change the stupid default.

It is then I discover that I have the standard problem of trying to send email. None
of the configuration so far is helpful for the symmetric problem and my mailer
rejects the mail as having been an attempt to relay (as it should). Sigh.

At this point, I decide to just forward a local high port to port 25 on the local mail
server via ssh. This works well enough, and I can even script this upon opening
Mail.app if I really get annoyed.

Well, I hope this summarizes my experiences for the next poor slob who comes
along and wants IMAP.

-a
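
Added example (not part of the original thread, and not the conversion script the postmortem used): a POSIX shell check for the failure described above, a converted Maildir that lacks tmp. The function names and the script name in the comments are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread: check and repair the Maildir layout.
# A Maildir needs three subdirectories (cur, new, tmp); the postmortem's
# conversion script left out tmp and the IMAP server then failed with
# "IMAP create command failed".

# check_maildir DIR
#   Prints each missing subdirectory on its own line.
#   Returns 0 if the layout is complete, 1 if something is missing,
#   2 if DIR is not a directory at all.
check_maildir() {
    cm_dir=$1
    cm_rc=0
    [ -d "$cm_dir" ] || return 2
    for cm_sub in cur new tmp; do
        if [ ! -d "$cm_dir/$cm_sub" ]; then
            printf '%s\n' "$cm_sub"
            cm_rc=1
        fi
    done
    return "$cm_rc"
}

# repair_maildir DIR
#   Creates only the missing subdirectories, mode 0700 (owner only), and
#   leaves existing directories and messages alone.
#   Returns 0 when the layout is complete afterwards.
repair_maildir() {
    rm_dir=$1
    if [ ! -d "$rm_dir" ]; then
        printf 'not a Maildir: %s\n' "$rm_dir" >&2
        return 2
    fi
    rm_missing=$(check_maildir "$rm_dir") || :
    for rm_sub in $rm_missing; do
        mkdir -m 700 "$rm_dir/$rm_sub" || return 1
        printf 'created %s/%s\n' "$rm_dir" "$rm_sub"
    done
    check_maildir "$rm_dir" >/dev/null
}

# Run as a script: ./maildir_check.sh ~/Maildir [more Maildirs...]
# (the script name is a placeholder). Run it as the mailbox owner so the
# new directories get the right ownership.
for md in "$@"; do
    repair_maildir "$md" || exit 1
done
```

Running it right after a mbox-to-Maildir conversion, before pointing an IMAP client at the server, gives the kind of "landmark" the postmortem asks for.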
Neil Schneider
2005-01-19 17:09:56 UTC
Permalink
Andrew P. Lentvorski, Jr. said:

<snip>
Post by Andrew P. Lentvorski, Jr.
Various clients failed with messages of varying levels of mystery. Finally, the
problem was tracked down to the fact that Courier *demands* that private folders
be placed under INBOX (all caps, please), no exceptions. The Courier folks offer
some weak excuse about clients with broken autodetection of prefix (probably
valid); however, the fact that something like this is hardwired into the system is
a bit strange. In addition, a little more interoperability testing is
required with clients.
I think that INBOX is a standard IMAP configuration thing. Have to
check the rfcs. Yep, it's in the rfc. Guess it's not supposed to
be case sensitive. But I think the courier folks are probably
right, some broken MUAs probably expect it to be all uppercase.

"The interpretation of mailbox names is implementation-dependent.
However, the case-insensitive mailbox name INBOX is a special
name reserved to mean "the primary mailbox for this user on
this server".
Post by Andrew P. Lentvorski, Jr.
Of course, Mail.app proceeds to suck down my entire mail spool locally and delete
it from the server. Arrrgggh! However, this is now IMAP, I'll figure out how to put it
back later (I have, at this point) and change the stupid default.
Talk about broken MUAs! According to my understanding (which could
be wrong) IMAP clients should only ask for the headers, not the
bodies and then request the message body when you read the
message. Sounds more like a POP client than IMAP.

<snip>

Glad you finally got it all working.
--
Neil Schneider
pacneil_at_linuxgeek_dot_net
http://www.paccomp.com
Key fingerprint = 67F0 E493 FCC0 0A8C 769B 8209 32D7 1DB1 8460 C47D

Fires can't be made with dead embers, nor can enthusiasm be
stirred by spiritless men. Enthusiasm in our daily work lightens
effort and turns even labor into pleasant tasks. --James Baldwin
Andrew P. Lentvorski, Jr.
2005-01-19 17:09:56 UTC
Permalink
Post by Neil Schneider
I think that INBOX is a standard IMAP configuration thing. Have to
check the rfcs. Yep, it's in the rfc. Guess it's not supposed to
be case sensitive. But I think the courier folks are probably
right, some broken MUAs probably expect it to be all uppercase.
The fact that all private folders are stored under INBOX is in the RFC?

I didn't see that. Could you point out which one it is in for me?

I don't mind the fact that there is a hardwired INBOX. I mind the fact
that Courier demands that *everything* private is under it; however, if it
is in the RFC then I guess I'm stuck with it.
Post by Neil Schneider
Talk about broken MUAs! According to my understanding (which could
be wrong) IMAP clients should only ask for the headers, not the
bodies and then request the message body when you read the
message. Sounds more like a POP client than IMAP.
Not surprising, though. It is the behavior most people want. Very few
people access email from more than one machine, and their accounts
are generally space limited.

I don't agree with it, but its being the default for Mail.app is not
unexpected.

-a
Neil Schneider
2005-01-19 17:09:56 UTC
Permalink
Post by Andrew P. Lentvorski, Jr.
Post by Neil Schneider
I think that INBOX is a standard IMAP configuration thing. Have to
check the rfcs. Yep, it's in the rfc. Guess it's not supposed to
be case sensitive. But I think the courier folks are probably
right, some broken MUAs probably expect it to be all uppercase.
The fact that all private folders are stored under INBOX is in the RFC?
I didn't see that. Could you point out which one it is in for me?
Let me look again. It's rfc2060 http://www.faqs.org/rfcs/rfc2060.html
--
Neil Schneider
pacneil_at_linuxgeek_dot_net
http://www.paccomp.com
Key fingerprint = 67F0 E493 FCC0 0A8C 769B 8209 32D7 1DB1 8460 C47D

Fires can't be made with dead embers, nor can enthusiasm be
stirred by spiritless men. Enthusiasm in our daily work lightens
effort and turns even labor into pleasant tasks. --James Baldwin
Cory Petkovsek
2005-01-19 17:09:56 UTC
Permalink
It is then I discover that I have the standard problem of trying to send
email. None of the configuration so far is helpful for the symmetric problem
and my mailer rejects the mail as having been an attempt to relay (as it
should). Sigh.
Glad you got everything else working. As I mentioned before you want to use
SMTP AUTH. In your mail client the option looks something like, "My smtp
server requires me to authenticate". Postfix authenticates against ldap or pam
or someone else via sasl. This is preferably done over tls on port 25.

Here is how:
http://postfix.state-of-mind.de/patrick.koetter/smtpauth/index.html

Cory
--
Cory Petkovsek Adapting Information
Adaptable IT Consulting Technology to Your
(858) 705-1655 Business
***@AdaptableIT.com www.AdaptableIT.com
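
Added example (not part of the original thread): a POSIX shell check that the advice above, SMTP AUTH done over TLS, is what the server actually enforces. It compares the EHLO reply seen before STARTTLS with the one seen inside the TLS session; the sample replies, host name and function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: classify how an SMTP server offers AUTH,
# given its EHLO reply on the plain connection and its EHLO reply inside TLS.
# The TLS-side reply can be captured by typing EHLO into
#   openssl s_client -starttls smtp -connect server:25

# ehlo_has KEYWORD: reads an EHLO reply on stdin, succeeds if KEYWORD is
# advertised. Handles "250-KEYWORD args", the final "250 KEYWORD", CRLF line
# endings, lower case, and the legacy "AUTH=LOGIN" spelling. The first 250
# line is the server's greeting, not a keyword, so it is skipped.
ehlo_has() {
    tr -d '\r' | awk -v kw="$1" '
        /^250[- ]/ {
            if (++n == 1) next
            split(toupper(substr($0, 5)), word, /[ =]/)
            if (word[1] == kw) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# classify_auth PRE POST
#   PRE  = EHLO reply on the plain connection
#   POST = EHLO reply after STARTTLS (empty if TLS is not offered)
# Prints one of: cleartext-auth, no-tls, auth-over-tls, no-auth
classify_auth() {
    if printf '%s\n' "$1" | ehlo_has AUTH; then
        echo cleartext-auth   # a client may send its password unencrypted
    elif ! printf '%s\n' "$1" | ehlo_has STARTTLS; then
        echo no-tls           # nothing protects the session at all
    elif printf '%s\n' "$2" | ehlo_has AUTH; then
        echo auth-over-tls    # AUTH only appears once the channel is encrypted
    else
        echo no-auth          # relaying rests on something else, e.g. $mynetworks
    fi
}

# Constructed sample replies (host name and capability lists are made up).
PRE_GOOD='250-mail.example.org
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250 8BITMIME'
POST_GOOD='250-mail.example.org
250-PIPELINING
250-AUTH PLAIN LOGIN
250 8BITMIME'
PRE_WEAK='250-mail.example.org
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME'

classify_auth "$PRE_GOOD" "$POST_GOOD"
classify_auth "$PRE_WEAK" "$POST_GOOD"
```

In Postfix, the setting that withholds AUTH until TLS is up is smtpd_tls_auth_only = yes.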
Cory Petkovsek
2005-01-19 17:09:56 UTC
Permalink
On Thu, May 20, 2004 at 02:10:36PM -0700, Andrew P. Lentvorski, Jr. wrote:
... something about being unable to monitor sessions dumps due to encryption

Although I haven't seen a way to monitor encrypted sessions easily, one can use
openssl to connect directly to a ssl/tls server. It gives you a telnet like
session over an encrypted channel. Very handy.

openssl s_client -connect server:port

With imap one can enter commands like this:
* OK [CAPABILITY.....
. LOGIN ***@dom.com password
. OK [CAPABILITY... User ***@dom.com authenticated
. SELECT INBOX
* 22 EXISTS
* 0 RECENT
...
. FETCH 1 (FLAGS BODY[HEADER.FIELDS (DATE FROM)])
* 1 FETCH (FLAGS (\Seen \Answered) BODY[HEADER.FIELDS ("DATE" "FROM")] {80}
From: "Jack Sprat" <***@happy.com>
Date: Sun, 29 Feb 2004 23:54:28 -0800

)


I typed LOGIN, SELECT and FETCH command lines including the beginning '.'

Cory
--
Cory Petkovsek Adapting Information
Adaptable IT Consulting Technology to Your
(858) 705-1655 Business
***@AdaptableIT.com www.AdaptableIT.com
Andrew P. Lentvorski, Jr.
2005-01-19 17:09:56 UTC
Post by Cory Petkovsek
Although I haven't seen a way to monitor encrypted sessions easily, one can use
openssl to connect directly to a ssl/tls server. It gives you a telnet like
session over an encrypted channel. Very handy.
openssl s_client -connect server:port
Ooooooo ... I like that one!

That goes into the sysadmin toolbox posthaste.

-a
Gregory K. Ruiz-Ade
2005-01-19 17:09:56 UTC
Post by Andrew P. Lentvorski, Jr.
It looks like another solution would be to set up Postfix on my local
machine (which Apple provides on a Powerbook with the default install!)
primarily as a send-only relay which would then communicate with my main
server via TLS. However, that would likely bump into port 25 blocking
problems, and I might as well just send directly from my Powerbook.
Configure your FreeBSD server's Postfix to listen on an additional high
port.

Configure your Powerbook's Postfix to send to your server on that high port.

Use TLS on both ends for security.

voila, you're secure, your server is doing your relaying instead of your
notebook (which might be behind a firewall somewhere that won't allow SMTP
connections on port 25), and you don't have to worry about constantly
switching your SMTP server in your mail client. :)

Of course, I still need to do this myself...

:)

Gregory
--
Gregory K. Ruiz-Ade <***@bigbrother.net>
OpenPGP Key ID: EAF4844B keyserver: pgpkeys.mit.edu
Cory Petkovsek
2005-01-19 17:09:56 UTC
Post by Gregory K. Ruiz-Ade
Configure your Powerbook's Postfix to send to your server on that high port.
Use TLS on both ends for security.
voila, you're secure, your server is doing your relaying instead of your
notebook (which might be behind a firewall somewhere that won't allow SMTP
connections on port 25), and you don't have to worry about constantly
switching your SMTP server in your mail client. :)
You are secure by being obscure.... Not really secure. SMTP Authentication is
the way to go.

Cory
--
Cory Petkovsek Adapting Information
Adaptable IT Consulting Technology to Your
(858) 705-1655 Business
***@AdaptableIT.com www.AdaptableIT.com
Gregory K. Ruiz-Ade
2005-01-19 17:09:56 UTC
Post by Cory Petkovsek
You are secure by being obscure.... Not really secure. SMTP
Authentication is the way to go.
Well, I meant the session, and as soon as I hit "send" I realized I forgot
the SMTP auth part, but Andy's a smart guy, he'll figure it out. :)

Gregory
--
Gregory K. Ruiz-Ade <***@bigbrother.net>
OpenPGP Key ID: EAF4844B keyserver: pgpkeys.mit.edu
Neil Schneider
2005-01-19 18:35:59 UTC
Andrew P. Lentvorski, Jr. said:

<snip>
Post by Andrew P. Lentvorski, Jr.
Various clients failed with messages of varying levels of mystery.
Finally, the problem was tracked down to the fact that Courier *demands*
that private folders be placed under INBOX (all caps, please), no
exceptions. The Courier folks offer some weak excuse about clients with
broken autodetection of prefix (probably valid); however, the fact that
something like this is hardwired into the system is a bit strange. In
addition, a little more interoperability testing is required with clients.
I think that INBOX is a standard IMAP configuration thing. Have to
check the rfcs. Yep, it's in the rfc. Guess it's not supposed to
be case sensitive. But I think the courier folks are probably
right, some broken MUAs probably expect it to be all uppercase.

"The interpretation of mailbox names is implementation-dependent.
However, the case-insensitive mailbox name INBOX is a special
name reserved to mean "the primary mailbox for this user on
this server".
Post by Andrew P. Lentvorski, Jr.
Of course, Mail.app proceeds to suck down my entire mail spool locally and
delete it from the server. Arrrgggh! However, this is now IMAP, I'll
figure out how to put it back later (I have, at this point) and change the
stupid default.
Talk about broken MUAs! According to my understanding (which could
be wrong) IMAP clients should only ask for the headers, not the
bodies and then request the message body when you read the
message. Sounds more like a POP client than IMAP.

<snip>

Glad you finally got it all working.
--
Neil Schneider
pacneil_at_linuxgeek_dot_net
http://www.paccomp.com
Key fingerprint = 67F0 E493 FCC0 0A8C 769B 8209 32D7 1DB1 8460 C47D

Fires can't be made with dead embers, nor can enthusiasm be
stirred by spiritless men. Enthusiasm in our daily work lightens
effort and turns even labor into pleasant tasks. --James Baldwin
Amit Chakradeo
2005-01-19 18:35:57 UTC
Post by Andrew P. Lentvorski
Okay, I'm finally biting the bullet and moving from my very reliable email
reading by logging in over SSH and reading it on the command line.
I'm going to give IMAP a shot.
I'm running Postfix. I switched over to Maildir format. That appears to be
working. At least, Mutt is happy enough that it can read my incoming email
and, if y'all can read this, it can send email.
Courier IMAP (and IMAPS) can work with maildirs and various pluggable
authenticators (PAM, userdb, vpopmail, mysql)
http://www.inter7.com/courierimap/courierimap.html
Post by Andrew P. Lentvorski
Why are all of the IMAP solutions requiring a database? Using my standard
SSH login procedure (public key exchange only, no password) works fine
for me for now, but I don't see how to configure that to work with IMAP.
They don't necessarily need a database. In your case you just need
traditional password/shadow/PAM authentication module.


-Amit
Neil Schneider
2005-01-19 18:35:57 UTC
Post by Andrew P. Lentvorski
Okay, I'm finally biting the bullet and moving from my very reliable email
reading by logging in over SSH and reading it on the command line.
I'm going to give IMAP a shot.
I'm running Postfix. I switched over to Maildir format. That appears to be
working. At least, Mutt is happy enough that it can read my incoming email
and, if y'all can read this, it can send email.
Why are all of the IMAP solutions requiring a database? Using my standard
SSH login procedure (public key exchange only, no password) works fine
for me for now, but I don't see how to configure that to work with IMAP.
IMAP databases store flags about the state of messages, like seen
and answered. Cyrus has a database for each user that is used by
Cyrus for fast searching through mails. The cyrus mailstore holds
the mail in much the same way as maildir, with a database that
cyrus uses to find it. There are tools like "reconstruct" that
will rebuild these databases, but the mail itself is simply plain
text files.
Post by Andrew P. Lentvorski
What's the magic search keyword? SASL? SSL by itself?
SASL is an authentication method, specific to Cyrus-imapd, but
used by other applications too. I don't know of any other IMAP
server that specifically requires it.
Post by Andrew P. Lentvorski
I'll probably reach a point where I want the database in order to support
things like virtual users and domains, but I'm not ready
to go there yet. I want to proceed in small verifiable steps. More
importantly, I don't want to lose my email.
I know that we have a couple of IMAP gurus floating around on the list. Any
advice would be appreciated.
Postfix and Cyrus-imapd support virtual users without requiring
other than their internal databases. Postfix also uses .db files,
but they are really hash tables of plain text files to speed
postfix searches.
--
Neil Schneider
pacneil_at_linuxgeek_dot_net
http://www.paccomp.com
Key fingerprint = 67F0 E493 FCC0 0A8C 769B 8209 32D7 1DB1 8460 C47D

Fires can't be made with dead embers, nor can enthusiasm be
stirred by spiritless men. Enthusiasm in our daily work lightens
effort and turns even labor into pleasant tasks. --James Baldwin
Gregory K. Ruiz-Ade
2005-01-19 18:35:57 UTC
Post by Andrew P. Lentvorski
Okay, I'm finally biting the bullet and moving from my very reliable
email reading by logging in over SSH and reading it on the command line.
I'm going to give IMAP a shot.
I love IMAP. IMAP is my friend.
Post by Andrew P. Lentvorski
I'm running Postfix. I switched over to Maildir format. That appears to
be working. At least, Mutt is happy enough that it can read my incoming
email and, if y'all can read this, it can send email.
Yay!
Post by Andrew P. Lentvorski
Why are all of the IMAP solutions requiring a database? Using my
standard SSH login procedure (public key exchange only, no password)
works fine for me for now, but I don't see how to configure that to work
with IMAP.
Uhm... The two IMAP solutions I've used are UWIMAP (hate it, only does mbox,
and it sucks) and Courier-IMAP (awesome, supports maildirs perfectly)

Courier-IMAP requires only itself and a Maildir. Nothing else. It
authenticates via its own authdaemon, which you can easily configure to use
PAM.
Post by Andrew P. Lentvorski
What's the magic search keyword? SASL? SSL by itself?
I'll probably reach a point where I want the database in order to support
things like virtual users and domains, but I'm not ready
to go there yet. I want to proceed in small verifiable steps. More
importantly, I don't want to lose my email.
For _those_ features, you'll definitely want to step up to Cyrus IMAP (which
uses Cyrus SASL for authentication). This _does_ require databases (at
least, Berkeley DBs) for purposes of indexing, and does not use Maildirs in
the DJB sense, but its own style of maildir-like trees. I think you use
LMTP or some other cyrus-imap injector mechanism to have postfix hand the
mail off to cyrus.

Gregory
--
Gregory K. Ruiz-Ade <***@bigbrother.net>
OpenPGP Key ID: EAF4844B keyserver: pgpkeys.mit.edu
Cory Petkovsek
2005-01-19 18:35:58 UTC
Post by Andrew P. Lentvorski
I'm going to give IMAP a shot.
Good.
Post by Andrew P. Lentvorski
I'm running Postfix.
Doesn't matter.
Post by Andrew P. Lentvorski
I switched over to Maildir format.
Good.
Post by Andrew P. Lentvorski
Why are all of the IMAP solutions requiring a database?
I haven't seen one that _requires_ a database.

Greg made a comment that for virtual users you will need cyrus. Disregard that
comment, it is not correct. I've used virtual users and domains with uw-imap,
courier-imap and cyrus. In fact I _recommend_ courier-imap for virtual users.
Vusers usually log in with their full email address and this causes havoc with
the way cyrus separates folders (with periods). I find cyrus quite annoying to
work with and recommend courier-imap for all of your imap needs.
Post by Andrew P. Lentvorski
Using my standard SSH login procedure (public key exchange only, no password)
works fine for me for now, but I don't see how to configure that to work with
IMAP.
What's the magic search keyword? SASL? SSL by itself?
TLS. It is the revision of SSL and what SMTP AUTH, IMAP and POP primarily
use. Of course your client needs to support it and mutt does. I have not
set up passwordless entry though. You can use mutt's preconnect or tunnel
options that may help. You can put the password in your config file. I
haven't seen any documentation on how to have a private key on your system that
mutt can use to authenticate against an imap server.

Sasl is an authentication module that can plug into postfix, cyrus-imap and
courier-imap. This allows these three daemons to authenticate users in any
method that sasl can use or their own supported mechanisms (like pam).

Courier-imap is very easy to configure. It just works. Cyrus will take more
learning and configuration. UW-imap does not do maildir and shouldn't be
considered except in special cases. Dovecot is something to keep an eye on,
but not as mature as the big Cs.

Cory
--
Cory Petkovsek Adapting Information
Adaptable IT Consulting Technology to Your
(858) 705-1655 Business
***@AdaptableIT.com www.AdaptableIT.com
Tracy R Reed
2005-01-19 18:35:58 UTC
Post by Andrew P. Lentvorski
Why are all of the IMAP solutions requiring a database? Using my standard
SSH login procedure (public key exchange only, no password) works fine
for me for now, but I don't see how to configure that to work with IMAP.
I am using Courier IMAP and I really like it. No database required. It
*can* integrate with mysql if you want it to for virtual users.
--
Tracy Reed The attachment is a digital signature.
http://copilotconsulting.com More info: http://copilotconsulting.com/sig
Andrew P. Lentvorski, Jr.
2005-01-19 18:35:59 UTC
Folks,

Well, things seem to be settling in. I was able to grab all of my email
this morning and deal with it. I'll probably spend a couple of weeks
getting used to it before updating to a PostgreSQL backed solution for
dealing with virtual users and domains and creating a single dedicated
mail machine.

The final solution for sending was simply to use SSH to forward a high
port on my local machine to port 25 on my mail server machine when I want
to send. Not the greatest solution, but it seems to work and it won't
open any security holes.

It looks like another solution would be to set up Postfix on my local
machine (which Apple provides on a Powerbook with the default install!)
primarily as a send-only relay which would then communicate with my main
server via TLS. However, that would likely bump into port 25 blocking
problems, and I might as well just send directly from my Powerbook.

Thanks for all of the help. There is no way I could have gotten through
this so quickly without it. I have included my thoughts in a postmortem
so that future folks might benefit or any misconceptions I have may be
corrected.

-a

Postmortem:

The IMAP upgrade was not the hardest thing I have ever slogged through on
open-source. However, some interoperability bakeoffs would probably be a
good idea with email clients.

In addition, the most useful piece of practically every HOWTO article was
the "at this point, type <XXX> and you should see <YYY> if things are
going right." These commands correspond to "landmarks" when giving
physical directions. I wish the article authors gave more of these.

The setup stuff:

--Changing Postfix to use Maildir:

Piece of cake. Simply changing the home_mailbox line worked.

Verification: Switched from Pine to Mutt to continue reading email. So why
doesn't Pine handle Maildir without patches?

Caveat: There was an issue with tmp not being created in the Maildir. It
has been pointed out that this was user error since I didn't make the
Maildir directly. I used a conversion script on the /var/spool/mail files.

--Changing Postfix to use TLS

Surprisingly easy. The toughest part is using the magic OpenSSL commands
to create and sign your own keys. I used:
http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/doc/myownca.html
as my main reference for the OpenSSL magic and then:
http://www.palmcoder.net/files/howtos/Postfix%20SSL/Postfix_SSL-HOWTO-2.html
for the Postfix magic.

--Installing IMAP

Not great. Not bad. Since my servers are FreeBSD (I hear the cries of
"Philistine!" already ... ) I used the Courier-IMAP on FreeBSD article at:
http://ezine.daemonnews.org/200308/courier-imap.html

I did the standard cd <portname>; make; make install dance. The FreeBSD
ports tree still rules.

I created a new certificate signed with my original signing key for TLS
for IMAP. I only enable IMAP on port 993 as I only want to talk via TLS
and not in the clear. Yes, I have disabled password login to my machines
in SSH, but still ...

I converted my /var/spool/mail files to Maildir using a different
conversion script than the one specified in the article. This probably
cost me. It didn't create the tmp directory in the Maildir which was
required later.

A somewhat annoying configuration, but standard for UNIX. Shrug.

--Configuring the Email Clients

What a pain in the a**. Why does everybody feel the need to reformat error
messages and why can't programs give useful messages? How hard is it to
provide a final line or button that says: "To see the full exchange that
just occurred, please type <X> or press <this>." Full exchanges are
especially vital for encrypted channels because you can't look at them
with ethereal.

Anyhow, the message that came flying back was "IMAP create command
failed". This was due to the fact that I didn't have a tmp directory
inside my Maildir. Very descriptive folks, thanks bunches. After fixing
this, Mutt could cope locally with looking at new mail.

The next step was getting something on my Powerbook to look at IMAP across
the net. Various clients failed with messages of varying levels of
mystery. Finally, the problem was tracked down to the fact that Courier
*demands* that private folders be placed under INBOX (all caps, please),
no exceptions. The Courier folks offer some weak excuse about clients with
broken autodetection of prefix (probably valid); however, the fact that
something like this is hardwired into the system is a bit strange. In
addition, a little more interoperability testing is required with clients.

However, after using the "Advanced" configuration tab in Mail.app to
adjust the prefix to INBOX, use SSL, switch to port 993, and turn off
auto-synchronize (*shrug*, it just solves a bunch of problems), I get
email.

Of course, Mail.app proceeds to suck down my entire mail spool locally and
delete it from the server. Arrrgggh! However, this is now IMAP, I'll
figure out how to put it back later (I have, at this point) and change the
stupid default.

It is then I discover that I have the standard problem of trying to send
email. None of the configuration so far is helpful for the symmetric
problem and my mailer rejects the mail as having been an attempt to relay
(as it should). Sigh.

At this point, I decide to just forward a local high port to port 25 on
the local mail server via ssh. This works well enough, and I can even
script this upon opening Mail.app if I really get annoyed.

Well, I hope this summarizes my experiences for the next poor slob who
comes along and wants IMAP.

-a
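
The missing tmp directory described in the postmortem above is the kind of fault a "landmark" check catches before an IMAP client reports it as something else. Added example, not part of the original post: Python code that verifies a Maildir has tmp, new and cur as real directories closed to group and other, and optionally repairs it. The name `check_maildir`, the `~/Maildir` default and the 0700 policy are assumptions chosen here.

```python
import os
import stat
import sys

SUBDIRS = ("tmp", "new", "cur")  # all three must exist for delivery and IMAP


def check_maildir(path, repair=False):
    """Return the problems found in the Maildir at path.

    With repair=True, missing directories are created with mode 0700 and
    group/other permission bits are cleared; only problems that were not
    fixed are returned.
    """
    problems = []
    for d in [path] + [os.path.join(path, s) for s in SUBDIRS]:
        try:
            st = os.lstat(d)  # lstat: a symlink is reported, not followed
        except FileNotFoundError:
            if repair:
                os.mkdir(d, 0o700)
            else:
                problems.append("missing: " + d)
            continue
        mode = stat.S_IMODE(st.st_mode)
        if not stat.S_ISDIR(st.st_mode):
            # Never "repaired": something unexpected is sitting in the spool.
            problems.append("not a directory: " + d)
            if d == path:
                break  # nothing below a non-directory can be inspected
        elif mode & 0o077:
            if repair:
                os.chmod(d, mode & 0o700)
            else:
                problems.append("group/other access (%o): %s" % (mode, d))
    return problems


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/Maildir")
    found = check_maildir(target)
    print("\n".join(found) if found else "ok: " + target)
    sys.exit(1 if found else 0)
```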