
Re: Debian Woody -> Sarge upgrade report

Roberto C. Sanchez wrote:
> In summary, here are the things that I saw:
> 1. Dependency resolution was spectacular (who would expect less from
> Debian?)
> 2. New config files went OK.
> 3. Cyrus IMAP (going from cyrus v1.5 to cyrus21) broke very hard
> 4. sslwrap upgrade completely choked over openssl
> 3.  I really have no idea what happened here.  I carefully followed
> the upgrade instructions, but my mailboxes.db ended up corrupted, which
> caused the cyrus server to go crazy.  Also, once I got saslauthd to
> where it would work correctly, cyrus refused all imap and imaps
> connections.  I ended up having to go into /etc/hosts.allow and add
> ALL:LOCAL for cyrus to finally accept only local imap connections.
> I never figured out how to get it to accept imaps connections without
> adding ALL:ALL, which is not an acceptable solution).  About 4 hours
> of Google searching yielded no useful information.  I ended up setting
> imaps to go through sslwrap (as I had for cyrus v1.5), since it would
> accept remote connections.  I can't tell if this is a bug or a mis-
> configuration on my part.

OK.  I figured this out.  The problem was misconfiguration on my part.
However, I think the documentation was less than helpful.  I had this
in /etc/hosts.allow prior to upgrade:

imapd: LOCAL

Since cyrus in Woody was not ssl-enabled, I had sslwrap to proxy imaps.
Here is the section from README.Debian in cyrus21-common:

 o The services are tcp-wrapped.  Their hosts.allow/hosts.deny id is the
   service name in /etc/cyrus.conf. See hosts_access(5).

I didn't quite understand and/or see this during the upgrade, but
I ended up having to add LOCAL: ALL to /etc/hosts.allow (which I did
not like).  I finally figured this out after reading the README.Debian
for about the fifth time yesterday.

I don't think it is quite worthy of a bug report (maybe low priority,
but then the change won't go into Sarge).  However, I think that it
should be more clearly stated that, e.g., if you HAD 'imapd' listed in
hosts.allow, that it now becomes 'imap'.  I consider myself an
experienced user/admin and this little thing totally caught me off

Just my thoughts,


Roberto C. Sanchez
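
Added example, not part of the original message and not code from the Cyrus package: a small audit for the rename described above, which lists hosts.allow entries that still use a Cyrus binary name (e.g. 'imapd') instead of the service name from the SERVICES section of /etc/cyrus.conf. The sample files are constructed, the function names are hypothetical, and only plain daemon lists are handled (no EXCEPT).

```python
import re

# Constructed sample files (not from the post). Service lines follow the
# usual cyrus.conf form: <name> cmd="<binary> ..." listen="..."
CYRUS_CONF = '''\
START {
  recover cmd="ctl_cyrusdb -r"
}
SERVICES {
  imap     cmd="imapd -U 30" listen="imap" prefork=0
  imaps    cmd="imapd -s -U 30" listen="imaps" prefork=0
  lmtpunix cmd="lmtpd" listen="/var/run/cyrus/socket/lmtp"
}
'''
HOSTS_ALLOW = "# carried over from Woody\nimapd: LOCAL\nsshd: ALL\n"

def cyrus_services(conf):
    """Map each SERVICES entry name to the binary named in its cmd=."""
    services, section = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            section = line[:-1].strip()
        elif line == "}":
            section = None
        elif section == "SERVICES":
            m = re.search(r'cmd="([^"\s]+)', line)
            services[line.split()[0]] = m.group(1) if m else None
    return services

def wrapper_daemons(hosts_allow):
    """Daemon names from the left-hand side of each hosts.allow rule."""
    names = set()
    for raw in hosts_allow.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if line.startswith("#") or ":" not in line:
            continue
        for d in re.split(r"[,\s]+", line.split(":", 1)[0].strip()):
            names.add(d.split("@", 1)[0])
    return names

def audit(conf, hosts_allow):
    """Return (stale binary-name rules, services no rule names)."""
    services, daemons = cyrus_services(conf), wrapper_daemons(hosts_allow)
    stale = sorted((daemons & set(services.values())) - set(services))
    # With no matching rule, the outcome depends on hosts.deny.
    unlisted = [] if "ALL" in daemons else sorted(set(services) - daemons)
    return stale, unlisted
```

For the constructed input, audit(CYRUS_CONF, HOSTS_ALLOW) reports 'imapd' as stale and 'imap', 'imaps' and 'lmtpunix' as not named by any rule.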
