Cyrus-IMAP

From Wikislax

What is Cyrus-IMAP?

Cyrus-IMAP is an IMAP and POP server. Whereas SMTP is designed to convey mail between Mail Transfer Agents, IMAP and POP are designed to deliver mail to clients such as Thunderbird. Cyrus-IMAP is an industrial-grade server that handles IMAP folders and quotas. A Sendmail option delivers local mail to Cyrus-IMAP instead of writing it into the standard Unix mailboxes under /var/spool/mail. Cyrus-IMAP stores its information in a Berkeley DB database. Download Cyrus-IMAP and untar it under /usr/local. Documentation is available online and also in HTML format under the doc directory.

Installing Cyrus-imap

Required pre-installed software and minimal versions are libsasl 2.17, Berkeley DB 3.0.55, GNU Make, makedepend, Perl 5, OpenSSL 0.9.4 and optionally libwrap and Net-SNMP. The main configure options: --with-auth is the authorization module to use, unix or kerberos (krb or krb_pts); --with-cyrus-prefix is the location of the cyrus-imap executable structure; --with-cyrus-user is the cyrus user name; --with-dbdir is the location of the db executable structure; --with-openssl is the location of the openssl executable structure; --with-perl is the location of the perl executable; --with-sasl is the location of the libsasl executable structure; --enable-netscapehack enables the X-Netscape extension (administration URLs).

# tar -C /usr/local -xvf cyrus-imapd-x.y.z.tar.gz
# cd /usr/local
# chown -R root:root cyrus-imapd-x.y.z
# cd cyrus-imapd-x.y.z
# ./configure --help | less
# ./configure --libdir=/usr/local/lib64 \
--mandir=/usr/local/man --with-cyrus-prefix=/usr/local --with-cyrus-user=cyrus \
--with-dbdir=/usr --with-openssl=/usr/local --with-perl=/usr/bin/perl \
--with-sasl=/usr/local --enable-netscapehack
# make depend
# make all
# make install
# make clean

Configuring Cyrus-imap

Refer to doc/install-configure.html and the imapd.conf(5) man page. First, reconfigure syslog.conf to log to two additional files, then edit /etc/imapd.conf, create the required directory structures, and last assemble the server certificate (first, the PEM-encoded block only) and the unencrypted private key (second) in the file /etc/ssl/certs/server.pem, securing it with chmod 600.

Cyrus SASL has a number of options that can be configured by the application. To configure these via imapd.conf, simply prefix the appropriate option name with sasl_ (e.g. pwcheck_method becomes sasl_pwcheck_method).

# touch /var/log/imapd.log /var/log/auth.log
# vi /etc/syslog.conf
a
# this is for cyrus-imapd
local6.warning		-/var/log/imapd.log
auth.warning		-/var/log/auth.log
<esc>
:x
# cd /etc
# vi imapd.conf
i
admins: postmaster
allowpop: no
allowplaintext: yes
configdirectory: /var/imap
lmtp_over_quota_perm_failure: yes
ldap_authz: proxyUser
ldap_base: dc=domain,dc=com
ldap_filter: cn=%u
ldap_id: proxyUser
ldap_mech: DIGEST-MD5
ldap_password: proxyPassword
ldap_sasl: yes
ldap_uri: ldap://localhost
mech_list: PLAIN
partition-default: /var/spool/imap
sasl_auxprop_plugin: ldapdb
sasl_log_level: 0
sasl_pwcheck_method: auxprop
sendmail: /usr/sbin/sendmail
tls_ca_file: /etc/ssl/certs/cacert.pem
tls_ca_path: /etc/ssl/certs
tls_cert_file: /etc/ssl/certs/server.pem
tls_key_file: /etc/ssl/certs/server.pem
<esc>
:x
# cd /var
# mkdir imap
# useradd -g mail cyrus
# chown cyrus:mail imap
# chmod 750 imap
# cd spool
# mkdir imap
# chown cyrus:mail imap
# chmod 750 imap
# su cyrus
$ cd /usr/local/cyrus-imap*
$ tools/mkimap
<ctrl>d
# cd /etc/ssl/certs
# vi mtacert.pem
d59d
:$
:r ../private/mtakey.pem.unsecure
:w server.pem
:x
# chown cyrus:mail server.pem
# chmod 600 server.pem
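The server.pem assembly above deletes the certificate's text dump by counting lines in vi. The following added example (not from the Wikislax page) does the same job with sed, keeping only the PEM blocks, creating the file unreadable by others from the start, and refusing an encrypted key, which the unattended master daemon could not use (the page avoids this by using the unsecure key). Input file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the Wikislax page: assemble /etc/ssl/certs/server.pem
# (certificate first, unencrypted key second, mode 600) with sed instead of
# counting lines in vi. Assumed inputs: a certificate file that may carry a
# text dump before its PEM block (as openssl x509 -text prints) and a PEM key.
set -u

# Print only the PEM block(s) of a file, dropping any text dump around them.
pem_blocks() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# build_server_pem CERT KEY OUT: write OUT and verify its layout.
# Returns 0 on success, 1..5 naming the check that failed (OUT is removed).
build_server_pem() {
    cert=$1; key=$2; out=$3
    # Create the file with no group/other bits before any secret lands in it.
    ( umask 077; { pem_blocks "$cert"; pem_blocks "$key"; } > "$out" ) || return 1
    chmod 600 "$out"
    # Exactly one certificate and one private key, certificate first.
    [ "$(grep -c '^-----BEGIN CERTIFICATE-----' "$out")" = 1 ] || { rm -f "$out"; return 2; }
    [ "$(grep -c '^-----BEGIN .*PRIVATE KEY-----' "$out")" = 1 ] || { rm -f "$out"; return 3; }
    head -n 1 "$out" | grep -q '^-----BEGIN CERTIFICATE-----' || { rm -f "$out"; return 4; }
    # An encrypted key (Proc-Type: 4,ENCRYPTED) cannot be used by master,
    # which runs unattended; the page's procedure uses the unsecure key.
    if grep -q 'ENCRYPTED' "$out"; then rm -f "$out"; return 5; fi
    return 0
}

# Invocation with the page's file names (assumed paths):
# build_server_pem /etc/ssl/certs/mtacert.pem /etc/ssl/private/mtakey.pem.unsecure /etc/ssl/certs/server.pem
```

After a successful run, finish as the page does: chown cyrus:mail server.pem.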

If using the older ext2fs filesystem, also set the user, quota, and partition directories to update synchronously as described in doc/install-configure.html (not necessary for ext3fs). Also set the queue directory of the mail daemon to update synchronously (the example given is for sendmail).

# cd /var/imap
# chattr +S user quota user/* quota/*
# chattr +S /var/spool/imap /var/spool/imap/*
# chattr +S /var/spool/mqueue

Configuring Cyrus-imap SASL

For SMTP authentication, we use SASL against the OpenLDAP directory installed previously. As the only mechanism we use PLAIN, later ensuring confidentiality by forcing SSL encryption over port 465 (SMTPS); in practice DIGEST-MD5 and CRAM-MD5 are not widely used, and Microsoft Outlook uses only the non-standard LOGIN mechanism. Here is the content of file /usr/local/lib/sasl2/Cyrus.conf:

auxprop_plugin: ldapdb
ldapdb_id: proxyUser
ldapdb_mech: DIGEST-MD5
ldapdb_pw: proxyUserPassword
ldapdb_uri: ldap://localhost
log_level: 0
mech_list: PLAIN
pwcheck_method: auxprop

As it contains sensitive information (the LDAP proxy user password), set the owner and permissions of this file so that it can be read only by its user, cyrus:mail.
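The same password also sits in /etc/imapd.conf (ldap_password, or ldapdb_pw with the sasl_ prefix described above), and server.pem holds the private key. This added example (not from the Wikislax page) audits those three files for the ownership and mode the page prescribes; the expected owner cyrus:mail and mode 600 are assumptions following the page's own rule.

```shell
#!/bin/sh
# Added example, not from the Wikislax page: audit the files that hold the
# LDAP proxy password (ldap_password in /etc/imapd.conf, ldapdb_pw in
# /usr/local/lib/sasl2/Cyrus.conf, or its sasl_ldapdb_pw form in imapd.conf)
# and the server.pem private key. Assumed: GNU or busybox stat; expected
# owner cyrus:mail and mode 600, following the page's own rule.

# secret_keys FILE: print the option names in FILE whose value is a password.
secret_keys() {
    sed -nE 's/^[[:space:]]*(ldap_password|ldapdb_pw|sasl_ldapdb_pw)[[:space:]]*:.*/\1/p' "$1"
}

# check_secret_file FILE OWNER:GROUP: 0 if FILE holds no secret, or is mode 600
# and owned as expected; otherwise print the findings and return 1.
check_secret_file() {
    f=$1; want=$2; rc=0
    [ -e "$f" ] || { echo "$f: missing"; return 1; }
    case "$f" in
        *.pem) keys="private key" ;;                     # server.pem holds the key
        *)     keys=$(secret_keys "$f" | tr '\n' ' ') ;;
    esac
    [ -n "$keys" ] || return 0                            # nothing sensitive here
    mode=$(stat -c %a "$f"); owner=$(stat -c %U:%G "$f")
    # Any group/other bit lets users besides cyrus read the password.
    [ "$mode" = 600 ] || { echo "$f: mode $mode, want 600 (holds: $keys)"; rc=1; }
    [ "$owner" = "$want" ] || { echo "$f: owner $owner, want $want"; rc=1; }
    return $rc
}

# Run over the three files the page configures.
audit_cyrus_secrets() {
    rc=0
    for f in /etc/imapd.conf /usr/local/lib/sasl2/Cyrus.conf /etc/ssl/certs/server.pem; do
        check_secret_file "$f" cyrus:mail || rc=1
    done
    return $rc
}
```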

Running Cyrus-imap

Remove any imap, imaps, pop3, pop3s, kpop or lmtp entry from /etc/inetd.conf, and copy /etc/cyrus.conf from one of the templates provided under master/conf. Arrange to start /usr/local/bin/master as root when the system starts and to stop it when the system shuts down. Until the system reboots, you can start the master process by hand. Monitor the progress of the master process by examining the imapd.log file.

# vi /etc/inetd.conf
# kill -HUP `head -1 /var/run/inetd.pid`
# cd /usr/local/cyrus-imap*
# cp master/conf/normal.conf /etc/cyrus.conf
# vi /etc/cyrus.conf
 #pop3         cmd="pop3d" listen="pop3" prefork=0
 #pop3s        cmd="pop3d -s" listen="pop3s" prefork=0
 notify        cmd="notifyd" listen="/var/imap/socket/notify" proto="udp" prefork=1
<esc>
:x
# vi /etc/rc.d/rc.local
a
# start cyrus-imapd
if [ -x /usr/local/bin/master ]; then
	echo "Starting cyrus-imap: /usr/local/bin/master &"
	/usr/local/bin/master &
fi
<esc>
:x
# vi /etc/rc.d/rc.local_shutdown
a
# stop cyrus-imapd
if [ -r /var/run/cyrus-master.pid ]; then
        echo "Stopping cyrus-imapd: kill -INT `cat /var/run/cyrus-master.pid`"
        kill -INT `cat /var/run/cyrus-master.pid`
fi
<esc>
:x
# /usr/local/bin/master &

To test, telnet to localhost:

# telnet localhost imap
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=DIGEST-MD5 AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5 SASL-IR] inner Cyrus IMAP4 v2.4.16 server ready
. login postmaster postmasterPassword
. OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED URLAUTH] User logged in
. logout
* BYE LOGOUT received
. OK Completed
Connection closed by foreign host.
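A scripted form of that telnet test, added here and not part of the Wikislax page: it reads the greeting, extracts the CAPABILITY list and reports which ways of sending a password in the clear are offered before STARTTLS. With allowplaintext: yes, as configured above, port 143 advertises AUTH=PLAIN, AUTH=LOGIN and the LOGIN command (as the banner shows); allowplaintext: no makes Cyrus advertise LOGINDISABLED until TLS is up. It assumes bash for the /dev/tcp connection.

```shell
#!/bin/bash
# Added example, not from the Wikislax page: check the pre-TLS greeting of the
# IMAP server for plaintext credential mechanisms. Assumed: bash (/dev/tcp).

# imap_greeting HOST PORT: print the server's first line, then log out.
imap_greeting() {
    exec 3<>"/dev/tcp/$1/$2" || return 1
    IFS= read -r line <&3
    printf '. logout\r\n' >&3
    exec 3<&-
    printf '%s\n' "$line"
}

# capabilities GREETING: the words inside [CAPABILITY ...] in the greeting.
capabilities() {
    printf '%s\n' "$1" | sed -n 's/.*\[CAPABILITY \([^]]*\)\].*/\1/p'
}

# pretls_report GREETING: print "STARTTLS=yes|no pre-TLS plaintext: ..." and
# return 1 if a password can be sent in the clear before TLS, else 0.
pretls_report() {
    tls=no; logindisabled=no; clear=
    for w in $(capabilities "$1"); do
        case "$w" in
            STARTTLS)              tls=yes ;;
            LOGINDISABLED)         logindisabled=yes ;;
            AUTH=PLAIN|AUTH=LOGIN) clear="$clear $w" ;;
        esac
    done
    # Without LOGINDISABLED the plain LOGIN command is accepted as well.
    [ "$logindisabled" = yes ] || clear="$clear LOGIN"
    clear=${clear# }
    printf 'STARTTLS=%s pre-TLS plaintext: %s\n' "$tls" "${clear:-none}"
    [ -z "$clear" ]
}

# Usage against the page's setup: pretls_report "$(imap_greeting localhost 143)"
```

With the page's firewall rule, port 143 is reachable from the LAN only, so the report tells you exactly what that LAN exposure amounts to.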

Administering cyrus-imap

Cyradm is a client for performing system administration on the Cyrus server. Currently cyradm is not available for use with imaps, so it is necessary to keep imap configured in /etc/cyrus.conf to use it. If imap is not otherwise used, it is possible to limit imap listening to “127.0.0.1:imap” and to block the imap port at the firewall level. Cyradm is built, launched and used as described below.

# cd /usr/local/cyrus-imapd-x.y.z
# cd lib
# make
# cd ../perl/imap
# perl Makefile.PL
# make
# make install
# cyradm --user postmaster --auth plain localhost
Password:
Localhost>

To get the list of available commands, type help; for help on a particular command, type help command. To list existing mailboxes, type lm. To create a mailbox, type cm mailbox. To list mailbox rights, type lam mailbox. To delete a mailbox, type dm mailbox. To set a quota on a mailbox, type sq mailbox number (in Kbytes).

User mailbox names are of the form user.name and can specify dot-separated subfolders. Mailboxes not prefixed with the user keyword are shared and accessible by all users. Access to mailboxes is controlled by access control lists. At creation time the user gets all rights on their mailbox but the admin does not, so before deleting a mailbox, administration rights must be granted to the cyrus admin. The access rights are:

l   Lookup (visible to LIST/LSUB/UNSEEN)
r   Read (SELECT, CHECK, FETCH, PARTIAL, SEARCH, COPY source)
s   Seen (STORE \SEEN)
w   Write flags other than \SEEN and \DELETED
i   Insert (APPEND, COPY destination)
p   Post (send mail to mailbox)
c   Create and Delete mailbox (CREATE new sub-mailboxes, RENAME or DELETE mailbox)
d   Delete (STORE \DELETED, EXPUNGE)
a   Administer (SETACL)

Here is how to create a mailbox with subfolders and a quota, and how to create and then delete a mailbox. Note: the access rights must be changed before you can actually delete a mailbox as postmaster.

# cyradm --user postmaster --auth plain localhost
Password:
Localhost> cm user.myUser
Localhost> cm user.myUser.Drafts
Localhost> cm user.myUser.Junk
Localhost> cm user.myUser.Sent
Localhost> cm user.myUser.Trash
Localhost> sq user.myUser 307200
Localhost> cm user.myErrorUser
Localhost> sam user.myErrorUser postmaster c
Localhost> dm user.myErrorUser
Localhost> quit

Sendmail interlock

Generate a sendmail configuration file that delivers local mail to the IMAP server: add the cyrusv2 local mailer to sendmail.mc, regenerate sendmail.cf, then copy sendmail.mc and sendmail.cf to /etc/mail.

# cd /usr/local/sendmail*/cf/cf
# vi sendmail.mc
a
define(`confLOCAL_MAILER', `cyrusv2')dnl
MAILER(`cyrusv2')dnl
# m4 ../m4/cf.m4 sendmail.mc > sendmail.cf
# cp sendmail.mc /etc/mail
# cp sendmail.cf /etc/mail
# /etc/rc.d/rc.sendmail restart

Last, open the required ports in file /etc/rc.d/rc.firewall, then restart the firewall service:

iptables -A INPUT -p tcp -j ACCEPT --dport 143 -m state --state NEW -s 192.168.0.0/24
# /etc/rc.d/rc.firewall restart

You should now be able to configure POP and IMAP mail accounts in a mail client to test the service. To troubleshoot, check the firewall logs and /var/log/maillog.

