We’re going to set up Cyrus (I have not tested the latest version, but I’ve been using version 2.2 for a long time, so that is the version I recommend here), make it authenticate users through SASL, and look at the configuration, where there are some interesting settings worth knowing about or changing.
First of all, remember that I wrote this guide on Ubuntu Server 12.04, so I will use commands like apt-get and sudo, which may or may not be available in your distribution. The basic configuration, packages and advice may still be valid on your system.
Let’s install cyrus:
$ sudo apt-get install cyrus-admin-2.2 cyrus-common-2.2 cyrus-doc-2.2 cyrus-imapd-2.2 cyrus-clients-2.2 cyrus-pop3d-2.2
Then, make sure the group of /etc/sasldb2 is sasl:
$ stat /etc/sasldb2
  File: `/etc/sasldb2'
  Size: 12288 Blocks: 24 IO Block: 4096 regular file
Device: 801h/2049d Inode: 149541 Links: 1
Access: (0660/-rw-rw----) Uid: ( 0/ root) Gid: ( 45/ sasl)
Access: 2013-06-19 02:58:55.485122440 +0200
Modify: 2013-06-19 02:58:55.481122227 +0200
Change: 2013-06-19 02:58:55.481122227 +0200
 Birth: -
If it’s not,
$ sudo chgrp sasl /etc/sasldb2
Then the cyrus user must be a member of the sasl group for authentication to work. Check which groups it belongs to:
$ groups cyrus
cyrus : mail
In this case, cyrus is not a member of sasl, so:
$ sudo gpasswd -a cyrus sasl
Let’s edit the configuration files (I won’t write the whole configuration file, just the lines I’ve changed):
unixhierarchysep: yes
....
admins: cloud
....
allowanonymouslogin: no
....
popminpoll: 3
....
autocreatequota: 100
quotawarn: 90
....
sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
....
loginrealms: totaki.com myotherdomain.com anotherone.com
virtdomains: on
....
sasl_pwcheck_method: saslauthd
Let me explain these changes:
- unixhierarchysep: Lets us have e-mail addresses with dots, for example firstname.lastname@example.org. Cyrus internally uses the dot to delimit levels of the hierarchy, so otherwise it can’t be used in a name. With this setting set to yes, Cyrus converts some characters to make it possible.
- admins: Users with administration rights for all services. We must add at least one when configuring the server or adding a new user. We can comment this line out once the changes are done. To have several administrators, separate them with spaces.
- allowanonymouslogin: Self-explanatory. Anonymous login? We’d better say no. It may already be set to no.
- popminpoll: Time a single user must wait between POP3 requests. If we have lots of users we must be careful with our resources: we may receive many POP requests in a short time, so it is useful to refuse further requests from users who have already polled in the last few minutes. If we have only a few users we can put 0 here and allow users to poll every second if they want to.
- autocreatequota: User quota in Mb for the mailbox. It limits the user’s mailbox to the specified value. If it is zero, the mailbox is unlimited.
- quotawarn: The user is warned once he/she has used this percentage of the quota or more. Recommended if we set a user quota.
- sasl_mech_list: A space-separated list of the mechanisms SASL may use to verify our password. We can remove PLAIN from the list so that users cannot authenticate insecurely.
- loginrealms: Space-separated list of the domains we want to use for our users’ e-mail addresses.
- virtdomains: When set to on, the username is split at the ‘@’ character and the part to the right is the domain.
- sasl_pwcheck_method: Authentication method. We’re using saslauthd for this guide.
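As an added example (not part of the original guide or of Cyrus itself), this Python script reads a configuration in the format shown above and reports the options the explanations suggest tightening. The function names, the sample text, the accepted spellings of "yes" and the choice to flag LOGIN alongside PLAIN are assumptions of this example.

```python
import re

# Constructed sample: a subset of the configuration lines shown in this guide.
SAMPLE_CONF = """\
unixhierarchysep: yes
admins: cloud
allowanonymouslogin: no
autocreatequota: 100
quotawarn: 90
sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
sasl_pwcheck_method: saslauthd
"""

TRUE_VALUES = {"yes", "on", "1", "true", "t"}  # spellings treated as "enabled" here

def parse_conf(text):
    """Map option -> value for 'option: value' lines; comments and blanks are skipped."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$", line)
        if m:  # a line starting with '#' never matches the option pattern
            opts[m.group(1).lower()] = m.group(2)
    return opts

def audit(text):
    """Return {option: reason} for settings the guide advises changing."""
    o = parse_conf(text)
    flagged = {}
    if o.get("allowanonymouslogin", "no").lower() in TRUE_VALUES:
        flagged["allowanonymouslogin"] = "anonymous login is enabled"
    # PLAIN is the mechanism the guide suggests disallowing; LOGIN is flagged too
    # because it also sends the password itself rather than a challenge response.
    weak = [m for m in o.get("sasl_mech_list", "").upper().split() if m in ("PLAIN", "LOGIN")]
    if weak:
        flagged["sasl_mech_list"] = "cleartext mechanisms offered: " + " ".join(weak)
    if o.get("admins"):
        flagged["admins"] = "admin users still listed: " + o["admins"]
    if o.get("autocreatequota") == "0":
        flagged["autocreatequota"] = "mailboxes are unlimited"
    elif "autocreatequota" in o and "quotawarn" not in o:
        flagged["quotawarn"] = "quota set but no warning threshold"
    return flagged

if __name__ == "__main__":
    for option, why in sorted(audit(SAMPLE_CONF).items()):
        print(f"{option}: {why}")
```

Run against the sample, it reports the admins line and the PLAIN and LOGIN mechanisms.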
Then we must make sure that /run/cyrus/lock and /run/cyrus/proc exist. If they don’t:
$ sudo mkdir /run/cyrus/lock
$ sudo mkdir /run/cyrus/proc
$ sudo chown cyrus:mail /run/cyrus/lock /run/cyrus/proc
$ sudo service cyrus-imapd restart
Now, let’s create a sample user and mailbox (we will explain the process in detail later):
$ sudo saslpasswd2 -c email@example.com
Password: 1234
Again: 1234
$ cyradm --user cloud localhost
Password: ****
> cm firstname.lastname@example.org
> quit
And now it must be possible to configure this mailbox in a mail client (some clients, like Thunderbird, require an outgoing mail account, and we don’t have one yet). To test the mailbox we can try copying some messages into it.
I will explain in detail how to do common tasks like mailboxes creation, deletion, set user quota, etc,