What is Cyrus-IMAP?
Cyrus-IMAP is an IMAP and POP server. Whereas SMTP is designed to convey mail between Mail Transfer Agents, IMAP and POP deliver mail to clients such as Thunderbird. Cyrus-IMAP is an industrial-grade server that handles IMAP folders and quotas. A Sendmail option delivers local mail to Cyrus-IMAP instead of writing it to the traditional mbox files under /var/spool/mail. Cyrus-IMAP keeps its state in Berkeley DB databases. Download Cyrus-IMAP and untar it under /usr/local. Documentation is available online and, in HTML format, under the doc directory of the source tree.
Required pre-installed software, with minimal versions: libsasl 2.17, Berkeley DB 3.0.55, GNU Make, makedepend, Perl 5, OpenSSL 0.9.4 and, optionally, libwrap and Net-SNMP. The configure options used below: --with-auth selects the authorization module (unix, or Kerberos via krb or krb_pts); --with-cyrus-prefix is where the Cyrus executables are installed; --with-cyrus-user is the user the server runs as; --with-dbdir, --with-openssl and --with-sasl point at the Berkeley DB, OpenSSL and libsasl installation trees; --with-perl is the path of the perl executable; --enable-netscapehack enables the X-Netscape extension (administration URLs).
# tar -C /usr/local -xvf cyrus-imapd-x.y.z.tar.gz
# cd /usr/local
# chown -R root:root cyrus-imapd-x.y.z
# cd cyrus-imapd-x.y.z
# ./configure --help | less
# ./configure --libdir=/usr/local/lib64 \
    --mandir=/usr/local/man --with-cyrus-prefix=/usr/local --with-cyrus-user=cyrus \
    --with-dbdir=/usr --with-openssl=/usr/local --with-perl=/usr/bin/perl \
    --with-sasl=/usr/local --enable-netscapehack
# make depend
# make all
# make install
# make clean
Refer to doc/install-configure.html and the imapd.conf(5) man page. First, reconfigure syslog.conf to log to two additional files, then edit /etc/imapd.conf, create the required directory structure and, last, assemble /etc/ssl/certs/server.pem: the server certificate first (only the PEM block between the BEGIN/END CERTIFICATE lines; the human-readable dump that precedes it in mtacert.pem is deleted), followed by the unencrypted private key. Since the file holds the private key it must be owned by the cyrus user and protected with chmod 600.
Cyrus SASL has a number of options that can be configured by the application. To configure these via imapd.conf, simply prefix the appropriate option name with sasl_ (e.g. pwcheck_method becomes sasl_pwcheck_method).
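As an added example (not from this page or from the Cyrus project), the following Python script applies that rule mechanically to an imapd.conf: it parses the option: value format and reports SASL options left without the sasl_ prefix, which imapd does not pass on to libsasl, together with cleartext authentication left enabled. The two sample configurations are constructed from the settings used on this page, one as written and one corrected; the names in SASL_OPTIONS are standard Cyrus SASL options.

```python
"""Check an imapd.conf for two mistakes this configuration is exposed to:
SASL options written without the sasl_ prefix, which imapd does not pass
on to libsasl, and cleartext authentication left enabled."""

# Cyrus SASL option names (from the sasl2 application config and the
# ldapdb plugin); in imapd.conf they are honoured only as sasl_<name>.
SASL_OPTIONS = {
    "pwcheck_method", "auxprop_plugin", "mech_list", "log_level",
    "minimum_layer", "maximum_layer", "saslauthd_path",
    "ldapdb_uri", "ldapdb_id", "ldapdb_mech", "ldapdb_pw", "ldapdb_rc",
}
TRUE_WORDS = {"1", "yes", "on", "true", "t"}

# Constructed sample: the options used on this page, as written there.
WEAK_CONF = """\
admins: postmaster
allowpop: no
allowplaintext: yes
configdirectory: /var/imap
mech_list: PLAIN
partition-default: /var/spool/imap
sasl_auxprop_plugin: ldapdb
sasl_pwcheck_method: auxprop
tls_cert_file: /etc/ssl/certs/server.pem
tls_key_file: /etc/ssl/certs/server.pem
"""

# Constructed sample: the same settings corrected.
HARDENED_CONF = """\
admins: postmaster
allowpop: no
# refuse LOGIN/PLAIN until STARTTLS has completed
allowplaintext: no
configdirectory: /var/imap
sasl_mech_list: PLAIN
partition-default: /var/spool/imap
sasl_auxprop_plugin: ldapdb
sasl_pwcheck_method: auxprop
tls_cert_file: /etc/ssl/certs/server.pem
tls_key_file: /etc/ssl/certs/server.pem
"""

def parse_imapd_conf(text):
    """Parse imapd.conf(5) 'option: value' lines into a dict.
    Blank lines and '#' comments are skipped; a repeated option keeps
    the last value. Values may themselves contain ':' (e.g. URIs)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            continue  # not an option line
        conf[key.strip()] = value.strip()
    return conf

def check_imapd_conf(conf):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    for key in sorted(conf):
        if key in SASL_OPTIONS:
            findings.append("%s: SASL option without sasl_ prefix; write sasl_%s" % (key, key))
    plaintext = conf.get("allowplaintext")
    if plaintext is None:
        findings.append("allowplaintext not set; the default differs between Cyrus versions, set it explicitly")
    elif plaintext.lower() in TRUE_WORDS:
        findings.append("allowplaintext is on: PLAIN and LOGIN are accepted before STARTTLS; "
                        "set allowplaintext: no so LOGINDISABLED is advertised until TLS is up")
    if ("tls_cert_file" in conf) != ("tls_key_file" in conf):
        findings.append("tls_cert_file and tls_key_file must be set together")
    return findings

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/imapd.conf"
    with open(path) as f:
        problems = check_imapd_conf(parse_imapd_conf(f.read()))
    for p in problems:
        print(p)
    sys.exit(1 if problems else 0)
```

Run it as `python3 check_imapd_conf.py /etc/imapd.conf` after editing the file; a non-zero exit means at least one finding was printed.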
# touch /var/log/imapd.log /var/log/auth.log
# vi /etc/syslog.conf
a
# this is for cyrus-imapd
local6.warning                          -/var/log/imapd.log
auth.warning                            -/var/log/auth.log
<esc>
:x
# cd /etc
# vi imapd.conf
i
admins: postmaster
allowpop: no
allowplaintext: yes
configdirectory: /var/imap
lmtp_over_quota_perm_failure: yes
ldap_authz: proxyUser
ldap_base: dc=domain,dc=com
ldap_filter: cn=%u
ldap_id: proxyUser
ldap_mech: DIGEST-MD5
ldap_password: proxyPassword
ldap_sasl: yes
ldap_uri: ldap://localhost
sasl_mech_list: PLAIN
partition-default: /var/spool/imap
sasl_auxprop_plugin: ldapdb
sasl_log_level: 0
sasl_pwcheck_method: auxprop
sendmail: /usr/sbin/sendmail
tls_ca_file: /etc/ssl/certs/cacert.pem
tls_ca_path: /etc/ssl/certs
tls_cert_file: /etc/ssl/certs/server.pem
tls_key_file: /etc/ssl/certs/server.pem
<esc>
:x
# cd /var
# mkdir imap
# useradd -g mail cyrus
# chown cyrus:mail imap
# chmod 750 imap
# cd spool
# mkdir imap
# chown cyrus:mail imap
# chmod 750 imap
# su cyrus
$ cd /usr/local/cyrus-imap*
$ tools/mkimap
<ctrl>d
# cd /etc/ssl/certs
# umask 077
# vi mtacert.pem
d59d
:$
:r ../private/mtakey.pem.unsecure
:w server.pem
:q!
# chown cyrus:mail server.pem
# chmod 600 server.pem

The d59d deletes the 59 lines of readable certificate dump that precede the BEGIN CERTIFICATE line in this particular mtacert.pem; check the count against your own file. Leave vi with :q! and not :x, otherwise the modified buffer (dump removed, private key appended) is written back into mtacert.pem, which is world-readable.
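The vi session above removes the text dump from mtacert.pem by deleting a fixed number of lines, which depends on that particular file. As an added example, not from this page or from the Cyrus project, here is the same assembly done in Python by locating the PEM armour instead, writing the result with mode 0600 from the first byte and checking the finished file. The sample certificate and key texts are constructed placeholders, not valid key material; the paths and owner in the main block are the ones used on this page.

```python
"""Build /etc/ssl/certs/server.pem (certificate first, then the unencrypted
private key) by locating the PEM armour rather than deleting a fixed number
of lines, create it with mode 0600 from the start, and check the result."""
import os
import re
import stat

# One PEM block: BEGIN/END armour with the same label and the base64 body
# (and any headers such as Proc-Type) in between.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----", re.DOTALL)

# Constructed samples with placeholder bodies, not real certificates or keys.
# mtacert.pem starts with the text dump 'openssl x509 -text' writes, which
# is what the 'd59d' in the vi session above deletes.
SAMPLE_MTACERT = """Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Issuer: CN=Example CA
        Subject: CN=mail.domain.com
-----BEGIN CERTIFICATE-----
MIIBszCCAR0CAQEwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHRXhhbXBsZQ==
-----END CERTIFICATE-----
"""
SAMPLE_KEY_UNSECURE = """-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKzPlaceholderKeyBodyNotARealKeyAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""
SAMPLE_KEY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

MIIBOgIBAAJBAKzPlaceholderKeyBodyNotARealKeyAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""

def pem_blocks(text):
    """(label, block) pairs found in text, in order; everything outside the
    armour, such as a text dump, is ignored."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]

def assemble_server_pem(cert_text, key_text):
    """Return the text Cyrus expects in a combined tls_cert_file/tls_key_file:
    exactly one CERTIFICATE block followed by exactly one unencrypted key.
    Raises ValueError when the inputs do not match what the procedure assumes."""
    certs = [b for label, b in pem_blocks(cert_text) if label == "CERTIFICATE"]
    if len(certs) != 1:
        raise ValueError("expected one CERTIFICATE block, found %d" % len(certs))
    keys = [(label, b) for label, b in pem_blocks(key_text) if label.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        raise ValueError("expected one PRIVATE KEY block, found %d" % len(keys))
    label, key = keys[0]
    # imapd cannot prompt for a passphrase; the key must be the .unsecure copy.
    if label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in key:
        raise ValueError("private key is encrypted; use the unencrypted copy")
    return certs[0] + "\n" + key + "\n"

def write_private_pem(path, text, uid=-1, gid=-1):
    """Create path with mode 0600 before any byte of the key is written (no
    window in which server.pem is world-readable), then hand it to uid:gid."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, 0o600)  # O_CREAT does not tighten a pre-existing file
    if uid != -1 or gid != -1:
        os.chown(path, uid, gid)
    return path

def check_private_pem(path):
    """Post-install check: a regular file, mode 0600, holding one certificate
    and one unencrypted private key (the same rules used to build it)."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode) or stat.S_IMODE(st.st_mode) != 0o600:
        return False
    with open(path) as f:
        text = f.read()
    try:
        assemble_server_pem(text, text)
    except ValueError:
        return False
    return True

if __name__ == "__main__":
    import grp, pwd
    # Paths and owner from the procedure above.
    with open("/etc/ssl/certs/mtacert.pem") as c, open("/etc/ssl/private/mtakey.pem.unsecure") as k:
        pem = assemble_server_pem(c.read(), k.read())
    write_private_pem("/etc/ssl/certs/server.pem", pem,
                      pwd.getpwnam("cyrus").pw_uid, grp.getgrnam("mail").gr_gid)
    print("server.pem ok" if check_private_pem("/etc/ssl/certs/server.pem") else "server.pem check FAILED")
```

Run as root once the certificate and the unsecure key exist; the check function can also be run on its own after any later certificate renewal to confirm the mode was not loosened.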
If using the older ext2 filesystem, also set the user, quota and partition directories to update synchronously as described in doc/install-configure.html (not necessary for ext3). Set the mail daemon's queue directory to update synchronously as well (the example below is for sendmail).
# cd /var/imap
# chattr +S user quota user/* quota/*
# chattr +S /var/spool/imap /var/spool/imap/*
# chattr +S /var/spool/mqueue
Configuring Cyrus-imap SASL
Cyrus-IMAP authenticates with SASL against the OpenLDAP directory installed previously, as Sendmail does for SMTP authentication. The only mechanism enabled is PLAIN, with confidentiality left to TLS (SMTP forces SSL over port 465, SMTPS; for IMAP, the allowplaintext setting in imapd.conf decides whether PLAIN is accepted before STARTTLS). DIGEST-MD5 and CRAM-MD5 are not widely used, and Microsoft Outlook only offers the non-standard LOGIN mechanism. Here is the content of /usr/local/lib/sasl2/Cyrus.conf:
auxprop_plugin: ldapdb
ldapdb_id: proxyUser
ldapdb_mech: DIGEST-MD5
ldapdb_pw: proxyUserPassword
ldapdb_uri: ldap://localhost
log_level: 0
mech_list: PLAIN
pwcheck_method: auxprop
As it contains the LDAP proxy user's password, this file must be owned by cyrus:mail and readable by that user only (chmod 600, or 640 if the mail group needs it).
Remove any imap, imaps, pop3, pop3s, kpop, lmtp entry from /etc/inetd.conf, copy /etc/cyrus.conf from one of the templates provided under master/conf. Arrange to start /usr/local/bin/master as root when the system starts and to stop it when the system shuts down. Until the system reboots, you can start the master process by hand. Monitor the progress of the master process by examining the imapd.log file.
# vi /etc/inetd.conf
# kill -HUP `head -1 /var/run/inetd.pid`
# cd /usr/local/cyrus-imap*
# cp master/conf/normal.conf /etc/cyrus.conf
# vi /etc/cyrus.conf
  #pop3          cmd="pop3d" listen="pop3" prefork=0
  #pop3s         cmd="pop3d -s" listen="pop3s" prefork=0
  notify         cmd="notifyd" listen="/var/imap/socket/notify" proto="udp" prefork=1
<esc>
:x
# vi /etc/rc.d/rc.local
a
# start cyrus-imapd
if [ -x /usr/local/bin/master ]; then
  echo "Starting cyrus-imap: /usr/local/bin/master &"
  /usr/local/bin/master &
fi
<esc>
:x
# vi /etc/rc.d/rc.local_shutdown
a
# stop cyrus-imapd
if [ -r /var/run/cyrus-master.pid ]; then
  echo "Stopping cyrus-imapd: kill -INT `cat /var/run/cyrus-master.pid`"
  kill -INT `cat /var/run/cyrus-master.pid`
fi
<esc>
:x
# /usr/local/bin/master &
To test, telnet to the local host. Note what the greeting advertises: all four SASL mechanisms, and AUTH=PLAIN and AUTH=LOGIN before any STARTTLS, with no LOGINDISABLED. The mechanism list was therefore not restricted (in imapd.conf the option must be written sasl_mech_list, per the sasl_ rule above), and allowplaintext: yes lets a client send its password in clear text over port 143; with allowplaintext: no the server advertises LOGINDISABLED and withholds the cleartext mechanisms until TLS has been negotiated.
# telnet localhost imap
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=DIGEST-MD5 AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5 SASL-IR] inner Cyrus IMAP4 v2.4.16 server ready
. login postmaster postmasterPassword
. OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED URLAUTH] User logged in
. logout
* BYE LOGOUT received
. OK Completed
Connection closed by foreign host.
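As an added example (not part of the original page or of Cyrus), the Python below reads capability lines like those in the transcript and tells whether a password sent at that point would cross the wire in clear text, then shows what AUTHENTICATE PLAIN actually transmits. The GREETING and AFTER_LOGIN strings are copied from the transcript above; HARDENED_GREETING is a constructed example of the greeting a server with allowplaintext: no gives before STARTTLS. The interactive part at the bottom uses imaplib against localhost and the CA file /etc/ssl/certs/cacert.pem configured on this page.

```python
"""Read IMAP capability lines like those in the telnet session and decide,
before typing a password, whether it would cross port 143 in the clear.
Also shows what AUTHENTICATE PLAIN really sends."""
import base64
import re

CAPABILITY = re.compile(r"\[CAPABILITY ([^\]]*)\]")

# Lines copied from the transcript above.
GREETING = ("* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=DIGEST-MD5 "
            "AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5 SASL-IR] inner Cyrus IMAP4 v2.4.16 server ready")
AFTER_LOGIN = (". OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED ACL RIGHTS=kxte QUOTA "
               "MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND "
               "BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE "
               "CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED URLAUTH] User logged in")
# Constructed: the greeting a server with allowplaintext: no gives before STARTTLS.
HARDENED_GREETING = ("* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS LOGINDISABLED "
                     "AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR] server ready")

def parse_capabilities(line):
    """Capability tokens from an untagged greeting or a tagged OK reply,
    e.g. {'STARTTLS', 'AUTH=PLAIN', ...}; empty set when none is present."""
    m = CAPABILITY.search(line)
    return set(m.group(1).split()) if m else set()

def cleartext_auth_offered(caps):
    """True when a password sent now would be accepted in the clear: LOGIN is
    not disabled, or a cleartext SASL mechanism (PLAIN, LOGIN) is advertised.
    A server that insists on TLS first answers LOGINDISABLED and withholds
    AUTH=PLAIN/AUTH=LOGIN until STARTTLS has completed."""
    if "LOGINDISABLED" not in caps:
        return True
    return bool(caps & {"AUTH=PLAIN", "AUTH=LOGIN"})

def sasl_plain_initial_response(authcid, password, authzid=""):
    """RFC 4616 PLAIN message, base64 encoded as sent on the AUTHENTICATE line
    when SASL-IR is advertised: authzid NUL authcid NUL password. Encoding is
    the only transformation the password gets, hence the need for TLS."""
    for field in (authzid, authcid, password):
        if "\0" in field:
            raise ValueError("NUL is not allowed inside SASL PLAIN fields")
    raw = b"\0".join(f.encode("utf-8") for f in (authzid, authcid, password))
    return base64.b64encode(raw).decode("ascii")

def decode_sasl_plain(initial_response):
    """Inverse of the above, i.e. what a sniffer on port 143 recovers."""
    parts = base64.b64decode(initial_response).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed SASL PLAIN message")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    return authzid, authcid, password

if __name__ == "__main__":
    import getpass, imaplib, ssl, sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    conn = imaplib.IMAP4(host)                    # port 143, no TLS yet
    caps = set(conn.capabilities)                 # imaplib upper-cases the tokens
    print("cleartext authentication offered:", cleartext_auth_offered(caps))
    if "STARTTLS" not in caps:
        sys.exit("server has no STARTTLS; refusing to send a password in the clear")
    # The CA that signed server.pem on this page.
    conn.starttls(ssl.create_default_context(cafile="/etc/ssl/certs/cacert.pem"))
    user, password = input("user: "), getpass.getpass()
    conn.authenticate("PLAIN", lambda _: ("\0%s\0%s" % (user, password)).encode("utf-8"))
    print(conn.list()[0])
    conn.logout()
```

The interactive part is the client-side discipline the greeting above calls for: whatever the server offers, the password is only sent after STARTTLS has succeeded and the certificate has been verified against the site CA.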
Cyradm is a client for performing system administration on the Cyrus server. Currently cyradm is not available for use with imaps so it is necessary to keep imap configured in /etc/cyrus.conf to use it. If imap is not otherwise used, it is possible to limit imap listening to “127.0.0.1:imap” and to block the imap port at the firewall level. Cyradm can be launched and used as described below.
# cd /usr/local/cyrus-imapd-x.y.z
# cd lib
# make
# cd ../perl/imap
# perl Makefile.PL
# make
# make install
# cyradm --user postmaster --auth plain localhost
Password:
Localhost>
To get the list of available commands type help. To get help on some particular command type help command. To list existing mailboxes, type lm. To create a mailbox type cm mailbox. To list mailbox rights, type lam mailbox. To delete a mailbox type dm mailbox. To set quotas on a mailbox type sq mailbox number (Kbytes).
User mailbox names are of the form user.name and can have dot-separated subfolders. Mailboxes not prefixed with user are shared and accessible to all users. Access to mailboxes is controlled by access control lists. At creation time the user gets all rights on their mailboxes but the admin does not, so before deleting a mailbox the cyrus admin must first be granted the right to do so (c in the list below; the server banner above also advertises RIGHTS=kxte, the finer-grained RFC 4314 rights, which this version accepts as well). The access rights are:
l  Lookup (visible to LIST/LSUB/UNSEEN)
r  Read (SELECT, CHECK, FETCH, PARTIAL, SEARCH, COPY source)
s  Seen (STORE \SEEN)
w  Write flags other than \SEEN and \DELETED
i  Insert (APPEND, COPY destination)
p  Post (send mail to mailbox)
c  Create and Delete mailbox (CREATE new sub-mailboxes, RENAME or DELETE mailbox)
d  Delete (STORE \DELETED, EXPUNGE)
a  Administer (SETACL)
Here is how to create a mailbox with subfolders and a quota, and how to create and delete a mailbox. Note: the access rights need to be changed before you can actually delete a mailbox as postmaster.
# cyradm --user postmaster --auth plain localhost
Password:
Localhost> cm user.myUser
Localhost> cm user.myUser.Drafts
Localhost> cm user.myUser.Junk
Localhost> cm user.myUser.Sent
Localhost> cm user.myUser.Trash
Localhost> sq user.myUser 307200
Localhost> cm user.myErrorUser
Localhost> sam user.myErrorUser postmaster c
Localhost> dm user.myErrorUser
Localhost> quit
Generate a sendmail configuration that delivers local mail to the IMAP server through the cyrusv2 mailer, which hands messages to Cyrus over LMTP via the lmtpunix socket defined in /etc/cyrus.conf (/var/imap/socket/lmtp in normal.conf). Generate sendmail.cf, then copy sendmail.mc and sendmail.cf to /etc/mail.
# cd /usr/local/sendmail*/cf/cf
# vi sendmail.mc
a
define(`confLOCAL_MAILER', `cyrusv2')dnl
MAILER(`cyrusv2')dnl
<esc>
:x
# m4 ../m4/cf.m4 sendmail.mc > sendmail.cf
# cp sendmail.mc /etc/mail
# cp sendmail.cf /etc/mail
# /etc/rc.d/rc.sendmail restart
Last, open the required ports in /etc/rc.d/rc.firewall and restart the firewall service. The rule below opens port 143 (IMAP, with optional STARTTLS) to the local network only; with allowplaintext: yes as configured above, passwords may still cross that network in clear text. If clients use imaps, open port 993 instead:
iptables -A INPUT -p tcp --dport 143 -m state --state NEW -s 192.168.0.0/24 -j ACCEPT
# /etc/rc.d/rc.firewall restart
You should now be able to configure an IMAP account in a mail client to test the service (POP was disabled above with allowpop: no and by commenting out the pop3 entries in /etc/cyrus.conf). To troubleshoot, check the firewall logs, /var/log/imapd.log and /var/log/maillog.