Cyrus IMAP Server FAQ

      * Using PAM - Under Linux, when using PAM and shadow passwords,
        /etc/shadow needs to be readable by the Cyrus user. 
      * Using NFS - We don't recommend it. If you want to do it, it may
        possibly work, but you may also lose your email or end up with
        corrupted cyrus.* files. You can look at the mailing list archives
        for more information. 
      * Virtual hosting - We don't support it and don't plan to support it
        unless we get a set of complete patches. If you want it, you'll
        need to do it yourself or use a commercial product. Check the list
        archives for more information. 
      * dots in userids - you can have a '.' in your username IF, AND ONLY
        IF, you use the UNIX hierarchy convention. 
      * renaming users - nope, not supported. 
      * plus addressing 
      * Performance/Capacity/Scaling - See the performance guide. 

Troubleshooting

    Q: I'm getting syslog'd messages from the master process saying
            processes are "signaled to death by 10". What's up? 
            

            A: If you're using Berkeley DB 3.0.55, try installing some
            patches to Berkeley DB available from
            http://www.sleepycat.com/update/3.0.55/patch.3.0.55.html. 
    Q: I've used saslpasswd2 to create CRAM-MD5 secrets, but imapd doesn't
            say AUTH=CRAM-MD5. Why? 
            

            A: Make sure /etc/sasldb2 is readable by the Cyrus user. 
    Q: I'm using "sasl_pwcheck_method: saslauthd", but authentication isn't
            working. 
            

            A: Make sure that the saslauthd daemon is running (you'll want
            to start it when the system boots). imapd is unable to connect
            to saslauthd if the following message appears in the logs: 

            Dec  6 12:58:57 mail3.andrew.cmu.edu imapd[1297]: cannot connect to saslauthd server

            Make sure that saslauthd is running and that the cyrus user can
            access the unix domain socket (defaults to /var/run/mux). 
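
            The answers above all come down to the Cyrus account being able to
            reach /etc/shadow, /etc/sasldb2 or the saslauthd socket. The script
            below is an added example, not part of the Cyrus distribution: it
            reports whether that access exists and whether it is only there
            because every local account has it. The helper names, the account
            name "cyrus" and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Cyrus distribution.
# Assumptions: GNU stat and id; the account is named "cyrus"; POSIX ACLs and
# parent-directory permissions are not examined.

# classify UID "GIDS" OWNER GROUP MODE NEED
# NEED is 4 (read a file) or 6 (read+write, needed to connect to a socket).
# Prints ok, denied, or world.
classify() {
    c_uid=$1 c_gids=$2 c_owner=$3 c_group=$4 c_need=$6
    c_mode=$((0$5))                       # octal permission bits, e.g. 640
    c_other=$((c_mode & 7))
    if [ "$c_uid" -eq "$c_owner" ]; then
        c_bits=$(( (c_mode >> 6) & 7 ))   # owner class applies
    else
        c_bits=$c_other                   # other class unless a group matches
        for g in $c_gids; do
            if [ "$g" -eq "$c_group" ]; then
                c_bits=$(( (c_mode >> 3) & 7 ))   # group class applies
                break
            fi
        done
    fi
    if [ $((c_bits & c_need)) -ne "$c_need" ]; then
        echo denied
    elif [ $((c_other & c_need)) -eq "$c_need" ]; then
        echo world      # works, but every local account has the same access
    else
        echo ok
    fi
}

# check_path USER PATH NEED: look up real ownership, then call classify.
check_path() {
    p_uid=$(id -u "$1") && p_gids=$(id -G "$1") || return 2
    p_stat=$(stat -c '%u %g %a' "$2") || return 2
    set -- $p_stat "$3"                   # now: owner group mode need
    classify "$p_uid" "$p_gids" "$1" "$2" "$3" "$4"
}

# Paths are the ones named in the answers above; run on the mail host.
if [ "${1:-}" = "--run" ]; then
    for f in /etc/shadow /etc/sasldb2; do
        printf '%s: %s\n' "$f" "$(check_path cyrus "$f" 4)"
    done
    printf '%s: %s\n' /var/run/mux "$(check_path cyrus /var/run/mux 6)"
fi
```

            A result of "world" on /etc/shadow or /etc/sasldb2 means the file
            is readable by every local account; granting the Cyrus user access
            through a group keeps the result at "ok".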
    Q: I'm getting messages about "duplicate_prune". What's wrong? 

            A: These messages look like 

            Jan 14 13:46:24 grant ctl_deliver[9060]: duplicate_prune: opening
              /var/imap/deliverdb/deliver-x.db: No such file or directory
            Jan 14 13:46:24 grant ctl_deliver[9060]: duplicate_prune: opening
              /var/imap/deliverdb/deliver-y.db: No such file or directory
            Jan 14 13:46:24 grant ctl_deliver[9060]: duplicate_prune: opening
              /var/imap/deliverdb/deliver-z.db: No such file or directory

            These messages are normal; one file is maintained for each
            initial letter of the userids ("x", "y", "z", etc.). If you're
            just starting out or you have no users beginning with these
            letters, the messages can be ignored. 
    Q: I'm getting a message about "imapd: could not getenv(CYRUS_SERVICE);
            exiting" in my imapd.log. What's wrong? 
            

            A: Remove all imap, pop, lmtp and sieve lines from
            [x]inetd.conf and restart [x]inetd. 
    Q: How do I use different SSL/TLS certificates for imap and pop? 
            

            A: Specify the different certs using the appropriate options in
            imapd.conf. Read imapd.conf(5) for details. 
    Q: My KPOP client is complaining about TLS keys. What should I do? 
            

            A: Disable TLS for the kpop service. Either set
            tls_pop3_cert_file to disabled in imapd.conf (which will also
            disable SSL/TLS for pop3), or use a separate config file for
            kpop. For example, change the kpop service in cyrus.conf to
            something like: 

            kpop    cmd="pop3d -k -C /etc/kpopd.conf" listen="kpop"

            then copy /etc/imapd.conf to /etc/kpopd.conf and remove the
            tls_* options. 
    Q: Eudora 5.x can't connect using STARTTLS ("SSL Neogotiation Failed").
            What should I do? 
            

            A: First, complain to QUALCOMM because their STARTTLS
            implementation is broken. Eudora doesn't support TLSv1 (per
            RFC 2246) and Cyrus requires it. If you really need this before
            it is fixed in Eudora, remove or comment out the following
            lines in tls.c. Without them, Cyrus no longer disables SSLv2
            and SSLv3 when tlsonly is set: 

                if (tlsonly) {
                    off |= SSL_OP_NO_SSLv2;
                    off |= SSL_OP_NO_SSLv3;
                }

