Wikislax: Created page with "{{RightTOC}} == What is Cyrus-IMAP ? == [http://www.cyrusimap.org/index.php Cyrus-IMAP] is an IMAP and POP server. Unlike SMTP, designed to convey mail between Mail Transfer..."

2017-12-06T21:31:03Z

Created page with "{{RightTOC}} == What is Cyrus-IMAP ? == [http://www.cyrusimap.org/index.php Cyrus-IMAP] is an IMAP and POP server. Unlike SMTP, designed to convey mail between Mail Transfer..."

New page

{{RightTOC}}

== What is Cyrus-IMAP ? ==

[http://www.cyrusimap.org/index.php Cyrus-IMAP] is an IMAP and POP server. Unlike SMTP, designed to convey mail between Mail Transfer Agents, IMAP and POP are designed to convey mail to clients such as Thunderbird. Cyrus-IMAP is an industrial grade server, handling IMAP folders and quotas. An option in Sendmail affords delivering mail to Cyrus-IMAP rather than writing it into the standard Unix folders '''/var/spool/mail'''. Cyrus-IMAP stores its information in a Berkeley DB database. [http://www.cyrusimap.org/mediawiki/index.php/Downloads#IMAP_Server Download Cyrus-IMAP] and untar under /usr/local. [http://www.cyrusimap.org/docs/cyrus-imapd Documentation] is available online and also in html format under the doc directory.

== Installing Cyrus-imap ==

Required pre-installed sotwares and minimal versions are libsasl 2.17, Berkeley DB 3.0.55, GNU Make, makedepend, Perl 5, OpenSSL 0.9.4 and optionnally libwrap and Net-SNMP. '''--with-auth''' is the authorization module to use, unix or kerberos (krb or krb_pts). '''--with-cyrus-prefix''' is the location of the cyrus-imap executable structure, '''--cyrus-user''' is the cyrus user name, '''--with-dbdir''' is the location of the db executable structure, '''--with-openssl''' is the location of the openssl executable structure, '''--with-perl''' is the location of the perl executable, '''--with-sasl''' is the location of the libsasl executable structure, '''--enable-netscape-hack''' enables X-Netscape extension (administration URLs).

# tar -C /usr/local -xvf cyrus-imapd-x.y.z.tar.gz
# cd /usr/local
# chown -R root:root cyrus-imapd-x.y.z
# cd cyrus-imapd-x.y.z
# .configure --help | less
# ./configure --libdir=/usr/local/lib64 \
--mandir=/usr/local/man --with-cyrus-prefix=/usr/local --with-cyrus-user=cyrus \
--with-dbdir=/usr --with-openssl=/usr/local --with-perl=/usr/bin/perl \
--with-sasl=/usr/local --enable-netscapehack
# make depend
# make all
# make install
# make clean

== Configuring Cyrus-imap ==

Refer to '''doc/install-configure.html''' and the imapd.conf (5) man pages. First, reconfigure '''syslog.conf''' to use two additional files, then edit '''/etc/imapd.conf''' , create the required directory structures, and last, put together the server certificate (first, encrypted part only) and private unsecure key (second) in file '''/etc/ssl/certs/server.pem''', securitizing with chmod 600.

Cyrus SASL has a number of options that can be configured by the application. To configure these via imapd.conf, simply prefix the appropriate option name with sasl_ (e.g. pwcheck_method becomes sasl_pwcheck_method).

# touch /var/log/imapd.log /var/log/auth.log
# vi /etc/syslog.conf
a
# this is for cyrus-imapd
local6.warning -/var/log/imapd.log
auth.warning -/var/log/auth.log
:x
<esc>
# cd /etc
# vi imapd.conf
i
admins: postmaster
allowpop: no
allowplaintext: yes
configdirectory: /var/imap
lmtp_over_quota_perm_failure: yes
ldap_authz: proxyUser
ldap_base: dc=domain,dc=com
ldap_filter: cn=%u
ldap_id: proxyUser
ldap_mech: DIGEST-MD5
ldap_password: proxyPassword
ldap_sasl: yes
ldap_uri: ldap://localhost
mech_list: PLAIN
partition-default: /var/spool/imap
sasl_auxprop_plugin: ldapdb
sasl_log_level: 0
sasl_pwcheck_method: auxprop
sendmail: /usr/sbin/sendmail
tls_ca_file: /etc/ssl/certs/cacert.pem
tls_ca_path: /etc/ssl/certs
tls_cert_file: /etc/ssl/certs/server.pem
tls_key_file: /etc/ssl/certs/server.pem
<esc>
:x
# cd /var
# mkdir imap
# useradd -g mail cyrus
# chown cyrus:mail imap
# chmod 750 imap
# cd spool
# mkdir imap
# chown cyrus:mail imap
# chmod 750 imap
# su cyrus
$ cd /usr/local/cyrus-imap*
$ tools/mkimap
<ctrl>d
# cd /etc/ssl/certs
# vi mtacert.pem
d59d
:$
:r ../private/mtakey.pem.unsecure
:w server.pem
:x
# chown cyrus:mail server.pem
# chmod 600 server.pem

If using the older ext2fs filesystem, also set the user, quota, and partition directories to update synchronously as described in doc/install-configure.html (for ext3fs this is not necessary). Also set the queue directory of the mail daemon to update synchronously (the example given is for sendmail).

# cd /var/imap
# chattr +S user quota user/* quota/*
# chattr +S /var/spool/imap /var/spool/imap/*
# chattr +S /var/spool/mqueue

== Configuring Cyrus-imap SASL ==

For SMTP authentication, we use SASL against the OpenLDAP directory installed previously. As only mechanism, we use PLAIN, later ensuring security by forcing SSL encryption over port 465 SMTPS (actually, DIGEST-MD5 and CRAM-MD5 are not widely used, and Microsoft Outlook uses only the LOGIN non standard mechanism). Here is the content of file '''/usr/local/lib/sasl2/Cyrus.conf''' :

auxprop_plugin: ldapdb
ldapdb_id: proxyUser
ldapdb_mech: DIGEST-MD5
ldapdb_pw: proxyUserPassword
ldapdb_uri: ldap://localhost
log_level: 0
mech_list: PLAIN
pwcheck_method: auxprop

As it contains sensitive information, the owner and rights of this file should be set so that it can be read only by its user cyrus:mail.

== Running Cyrus-imap ==

Remove any imap, imaps, pop3, pop3s, kpop, lmtp entry from '''/etc/inetd.conf''', copy '''/etc/cyrus.conf''' from one of the templates provided under '''master/conf'''. Arrange to start '''/usr/local/bin/master''' as root when the system starts and to stop it when the system shuts down. Until the system reboots, you can start the master process by hand. Monitor the progress of the master process by examining the '''imapd.log''' file.

# vi /etc/inetd.conf
# kill -HUP `head -1 /var/run/inetd.pid`
# cd /usr/local/cyrus-imap*
# cp master/conf/normal.conf /etc/cyrus.conf
# vi /etc/cyrus.conf
#pop3 cmd="pop3d" listen="pop3" prefork=0
#pop3s cmd="pop3d -s" listen="pop3s" prefork=0
notify cmd="notifyd" listen="/var/imap/socket/notify" proto="udp" prefork=1
<esc>
:x
# vi /etc/rc.d/rc.local
a
# start cyrus-imapd
if [ -x /usr/local/bin/master ]; then
echo "Starting cyrus-imap: /usr/local/bin/master &"
/usr/local/bin/master &
fi
<esc>
:x
# vi /etc/rc.d/rc.local_shutdown
a
# stop cyrus-imapd
if [ -r /var/run/cyrus-master.pid ]; then
echo "Stopping cyrus-imapd: kill -INT `cat /var/run/cyrus-master.pid`"
kill -INT `cat /var/run/cyrus-master.pid`
fi
<esc>
:x
# /usr/local/bin/master &

To test, telnet to local host:

# telnet localhost imap
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=DIGEST-MD5 AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5 SASL-IR] inner Cyrus IMAP4 v2.4.16 server ready
. login postmaster postmasterPassword
. OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED URLAUTH] User logged in
. logout
* BYE LOGOUT received
. OK Completed
Connection closed by foreign host.

== Administering cyrus-imap ==

Cyradm is a client for performing system administration on the Cyrus server. Currently cyradm is not available for use with '''imaps''' so it is necessary to keep '''imap''' configured in '''/etc/cyrus.conf''' to use it. If imap is not otherwise used, it is possible to limit imap listening to “127.0.0.1:imap” and to block the imap port at the firewall level. Cyradm can be launched and used as described below.

# cd /usr/local/cyrus-imapd-x.y.z
# cd lib
# make
# cd ../perl/imap
# perl Makefile.PL
# make
# make install
# cyradm --user postmaster --auth plain localhost
Password:
Localhost>

To get the list of available commands type '''help'''. To get help on some particular command type '''help command'''. To list existing mailboxes, type '''lm'''. To create a mailbox type '''cm mailbox'''. To list mailbox rights, type '''lam mailbox'''. To delete a mailbox type '''dm mailbox'''. To set quotas on a mailbox type '''sq mailbox number''' (Kbytes).

User mailboxes names are on the form '''user.name''' and can specify dot-separated subfolders. The mailboxes not prefixed with the user keyword are shared and accessible by all users. Access to mailboxes is controlled by access control lists. At creation time the user gets all the rights on their mailboxes but the admin does not. So before deleting a mailbox, administration rights must be granted to the cyrus admin. The other access rights are :

l Lookup (visible to LIST/LSUB/UNSEEN)
r Read (SELECT, CHECK, FETCH, PARTIAL, SEARCH, COPY source)
s Seen (STORE \SEEN)
w Write flags other than \SEEN and \DELETED
i Insert (APPEND, COPY destination)
p Post (send mail to mailbox)
c Create and Delete mailbox (CREATE new sub-mailboxes, RENAME or DELETE mailbox)
d Delete (STORE \DELETED, EXPUNGE)
a Administer (SETACL)

Here is how you create a mailbox and subfolders and quota, create and delete a mailbox. <u>Note</u> : the access rights need to be changed before you actually delete a mailbox as postmater.

# cyradm --user postmaster --auth plain localhost
Password:
Localhost> cm user.myUser
Localhost> cm user.myUser.Drafts
Localhost> cm user.myUser.Junk
Localhost> cm user.myUser.Sent
Localhost> cm user.myUser.Trash
Localhost> sq user.myUser 307200
Localhost> cm user.myErrorUser
Localhost> sam user.myErrorUser postmaster c
Localhost> dm user.myErrorUser
Localhost> quit

== Sendmail interlock ==

Generate a sendmail configuration file which delivers local mail to the IMAP server. Generate sendmail.cf, copy sendmail.mc and sendmail.cf to '''/etc/mail'''.

# cd /usr/local/sendmail*/cf/cf
# vi sendmail.mc
a
define(`confLOCAL_MAILER', `cyrusv2')dnl
MAILER(`cyrusv2')dnl
# m4 ../m4/cf.m4 sendmail.mc > sendmail.cf
# cp sendmail.mc /etc/mail
# cp sendmail.cf /etc/mail
# /etc/rc.d/rc.sendmail restart

Last open the required ports in file '''/etc/rc.d/rc.firewall''' then restart the firewall service :

iptables -A INPUT -p tcp -j ACCEPT --dport 143 -m state --state NEW -s 192.168.0.0/24
# /etc/rc.d/rc.firewall restart

You should now be able to configure pop and imap mail accounts in a mail client to test the service. To solve issues, check the firewall logs and '''/var/log/maillog'''.

<br/>

{{pFoot|[[Sendmail]]|[[Main Page]]|[[SpamAssassin]]}}

Cyrus-IMAP - Revision history

Wikislax: Created page with "{{RightTOC}} == What is Cyrus-IMAP ? == [http://www.cyrusimap.org/index.php Cyrus-IMAP] is an IMAP and POP server. Unlike SMTP, designed to convey mail between Mail Transfer..."