faq.html   [plain text]

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
<html xmlns="http://www.w3.org/1999/xhtml">
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Cyrus IMAP Server FAQ</title>
<!-- $Id: faq.html,v 1.37 2006/11/30 17:11:16 murch Exp $ -->
<h1>Cyrus IMAP Server FAQ</h1>

<li><b>Using PAM</b> Under Linux when using PAM and shadow
passwords, /etc/shadow needs to be readable by the Cyrus user.</li>

<li><b>POP-Before-SMTP</b> It is not included in the default distribution
because there is already a standard way of doing this with SMTP AUTH.
Any good MTA and/or MUA should support SMTP AUTH, so we shouldn't have
to create a hack in an unrelated service.  However, if you would like
to install it anyway, we recommend using
<a href="http://mail.cc.umanitoba.ca/drac/">DRAC</a>,
along with the patch available in <tt>contrib/drac_auth.patch</tt>.</li>

<li><b>Using NFS</b> We don't recommend it. If you want to do it,
it may possibly work but you may also lose your email or have
corrupted <tt>cyrus.*</tt> files. You can look at the mailing list
archives for more information.</li>

<li><b>Using AFS/Coda</b> We don't recommend it. It's even less likely
to work than NFS. If you want to do it, it may possibly work but you
may also lose your email or have corrupted <tt>cyrus.*</tt>
files. CMU's previous e-mail system, AMS, leveraged AFS extensively
for storage (and transit) purposes. For various reasons it didn't
scale particularly well and led to CMU's interest in IMAP.

Cyrus was designed to use a local filesystem with Unix semantics and a
working mmap()/write() combination. AFS doesn't provide these
semantics so won't work correctly.</p>

<li><b>Virtual hosting</b> - See <a
href="install-virtdomains.html">virtual domains configuration</a>.</li>

<li><b>dots in userids</b> - you can have a '.' in your username
IF, AND ONLY IF, you use the <a
href="altnamespace.html#unixhiersep">UNIX hierarchy

<li><b>renaming users</b> - Supported, but try to make sure that the
user is not, and can not login when doing the rename.  Otherwise
user-meta may get corrupted and/or out of sync.</li>

<li><b>plus addressing</b> - Plus addressing allows direct delivery
to a particular mailbox (other than an INBOX).  This is done in two ways.

<p>The first way allows delivery to a subfolder of a specific user's
INBOX.  This is done via an address of the form: username+mailfolder@domain,
which will deliver to the user's INBOX.mailfolder folder (or altnamespace
equivalent).  This submailbox must allow the posting user the 'p' right
(generally, this means 'anyone' must have the 'p' right), otherwise the
message will just be filed into the user's INBOX.

<p>The second way is to form an address like [postuser]+mailfolder@domain.
This will deliver into the mailbox 'mailfolder'.  [postuser] is the string
specified in the imapd.conf option of the same name, and may be the
empty string.  As before, the posting user will need to have the 'p' right on
the mailbox.

<p>For both methods, if 'mailfolder' is more than one level deep, you will
need to conform to the hierarchy separator appropriate to your site.

<li><b>Performance/Capacity/Scaling</b> - See <a
href="install-perf.html">the performance guide</a>.</li>


<dl compact="compact">
<dt><b>Q:</b> I'm getting syslog'd messages from the master process
saying processes are "signaled to death by 10". What's up?</dt>

<p><b>A:</b> If you're using Berkeley DB 3.0.55, try installing
some <a
to Berkeley DB</a> available from <a

<dt><b>Q:</b> I've used <tt>saslpasswd2</tt> to create CRAM-MD5
secrets, but imapd doesn't say <tt>AUTH=CRAM-MD5</tt>. Why?</dt>

<p><b>A:</b> Make sure <tt>/etc/sasldb2</tt> is readable by the
Cyrus user.</p>

<dt><b>Q:</b> I'm using "<tt>sasl_pwcheck_method: saslauthd</tt>", but
authentication isn't working.</dt>

<p><b>A:</b> Make sure that the <tt>saslauthd</tt> daemon is running
(you'll want to start it when the system boots).  <tt>imapd</tt> is
unable to connect to <tt>saslauthd</tt> if the following message
appears in the logs:</p>

Dec  6 12:58:57 mail3.andrew.cmu.edu imapd[1297]: cannot connect to saslauthd server

<p>Make sure that <tt>saslauthd</tt> is running and that the cyrus
user can access the unix domain socket (defaults to <tt>/var/run/mux</tt>).


<dt><b>Q:</b> I'm getting messages about "duplicate_prune". What's

<dd><p><b>A:</b> These messages look like </p>

Jan 14 13:46:24 grant ctl_deliver[9060]: duplicate_prune: opening
  /var/imap/deliverdb/deliver-x.db: No such file or directory
Jan 14 13:46:24 grant ctl_deliver[9060]: duplicate_prune: opening
  /var/imap/deliverdb/deliver-y.db: No such file or directory
Jan 14 13:46:24 grant ctl_deliver[9060]: duplicate_prune: opening
  /var/imap/deliverdb/deliver-z.db: No such file or directory

<p>These messages are normal; one file is maintained for each user
beginning with "x", "y", "z", etc. If you're first starting or you
have no users beginning with these letters, these messages are
completely normal and can be ignored.</p>

<dt><b>Q:</b> I'm getting a message about "<tt>imapd: could not
getenv(CYRUS_SERVICE); exiting</tt>" in my <tt>imapd.log</tt>.
What's wrong?</dt>

<p><b>A:</b> Remove all <tt>imap</tt>, <tt>pop</tt>, <tt>lmtp</tt>
and <tt>sieve</tt> lines from <tt>[x]inetd.conf</tt> and restart
<tt>[x]inetd</tt>.  Cyrus is run out of its own &quot;master&quot; process.</p>

<dt><b>Q:</b> How do I use different SSL/TLS certificates for imap
and pop?</dt>

<p><b>A:</b> Specify the different certs using the appropriate
options in <tt>imapd.conf</tt>. Read <tt>imapd.conf(5)</tt> for

<dt><b>Q:</b> My KPOP client is complaining about TLS keys. What
should I do?</dt>

<p><b>A:</b> Disable TLS for the kpop service. Either set
<tt>tls_pop3_cert_file</tt> to <b>disabled</b> in
<tt>imapd.conf</tt> (which will also disable SSL/TLS for pop3), or
use a separate config file for kpop. For example, change the kpop
service in <tt>cyrus.conf</tt> to something like:</p>

kpop    cmd="pop3d -k -C /etc/kpopd.conf" listen="kpop"

<p>then copy <tt>/etc/imapd.conf</tt> to <tt>/etc/kpopd.conf</tt> and
remove the <tt>tls_*</tt> options.</p>

<dt><b>Q:</b> Eudora 5.x can't connect using STARTTLS ("SSL
Neogotiation Failed"). What should I do?</dt>

<p><b>A:</b> First, complain to QUALCOMM because their STARTTLS
implementation is broken. Eudora doesn't support TLSv1 (per
RFC2246) and Cyrus requires it. If you really need this before it
is fixed in Eudora, remove or comment out the following lines in

    if (tlsonly) {
        off |= SSL_OP_NO_SSLv2;
        off |= SSL_OP_NO_SSLv3;

<dt><b>Q:</b> I'm getting messages in <tt>imapd.log</tt> like:
Sep 11 17:23:55 ogg lmtpd[773]: DBERROR db3: 16 lockers
Sep 11 17:23:55 ogg lmtpd[1409]: DBERROR db3: 17 lockers
Sep 11 17:23:56 ogg lmtpd[1508]: DBERROR db3: 9 lockers
Sep 11 17:23:56 ogg lmtpd[776]: DBERROR db3: 9 lockers
What's wrong?

<p><b>A:</b> Nothing is wrong. These messages are logged whenever
Berkeley db encounters lock contention, but isn't necessarily a
problem by themselves. This is especially likely when you have an
empty or small duplicate delivery database and are receiving a large
volume of e-mail.</p>

<p>Berkeley db 4.0 has a bug where the number of lockers isn't
decremented properly, causing this number to be unreliable.</p>

<dt><b>Q:</b> All of the 8bit characters in the headers of messages
that I receive are being changed to 'X's.  What's going on?</dt>

<p><b>A:</b> 8-bit characters are illegal in message headers.  Following
the principal of &quot;be liberal in what you accept, and strict in what you
send&quot; cyrus converts them to Xs.  (Without a character set, having
the 8-bit characters replaced with Xs is just as good as having them be any
other 8-bit character, especially for sorting and searching).
Alternatively, you can set &quot;reject8bit: t&quot; in <tt>imapd.conf</tt> to
reject the messages outright.  It might
also be reasonable for cyrus to support the use of a default character set,
however thus far no one has done the work to do so (it would also involve
QP-encoding the corrupted headers).

<dt><b>Q:</b> Why can't I delete any messages from my over-quota mailbox?
I'm using a client with a 'trash folder'.</dt>

Trash folders, as they are commonly implemented (as an actual IMAP mailbox),
do not fit the IMAP delete/expunge model very well.  In fact, naive
client implementations will get stuck in a situation where they cannot
delete a message from a mailbox because they try to COPY it to the trash
folder before deleting the message.  This operation will fail due to the
mailbox being over quota.  This is separate from the fact that a specific 
mailbox name is not interoperable between clients (one might call it 'trash',
another 'Trash', another 'Recycle Bin', etc)
Given the lack of protocol support for a trash folder, this is mostly a
quality-of-implementation issue on the client side.  There
are a few options here:
<li>Contact your client vendor to have
the broken client fixed (one possibility is to have the client ask the user
if they wish to permanantly delete the message if the COPY operation fails).</li>
<li>Stop using the 'trash mailbox' feature of your client (if possible).</li>
<li>Set a separate quota root on the 'trash folders'
of users.  This last option is significantly harder to do correctly, since
it assumes that all clients that make use of a trash folder do so with the
same folder name.</li>

<dt><b>Q:</b> How do I stop Cyrus from advertising the DIGEST-MD5 and
CRAM-MD5 shared secret SASL mechanisms?</dt>

<p><b>A:</b> Not really a Cyrus IMAPd question, this can be fixed by
just removing the SASL plugins from where Cyrus SASL installed them
(if no other applications require them), or by using the
<tt>sasl_mech_list</tt> <tt>imapd.conf</tt> option to list only the
mechanisms that you require.</p>


<hr />
last modified: $Date: 2006/11/30 17:11:16 $ <br />
<a href="index.html">Return</a> to the Cyrus IMAP Server Home Page