Newbie question

Craig Ringer craig at postnewspapers.com.au
Tue Nov 25 05:29:13 EST 2003


I'm not a Cyrus expert - being fairly new to it myself - but I thought 
I'd jump in and explain my understanding of things in case it's useful 
to you:

>     I am trying to configure Cyrus-IMAP (version 2.1.12), and I am a little
> confused.  As I understand it one of the main advantages of the Cyrus mail
> server is that the server is a sealed server.

It can run as a sealed server but it doesn't have to. I run Cyrus on a 
host that does /many/ other things.

> Do I understand correctly from
> this that the users do not have to be created on the OS of the Cyrus mail
> server, that the mailboxes just have to be created via the cyradm tool.

You will need some form of user authentication in addition to the 
existence of mailboxes. The server needs to be able to validate that 
the person trying to log in as "bob" really is "bob" and should 
have access to "bob"'s mailbox.

It's possible to have Cyrus look up a separate user database (sasldb, 
private LDAP directory, etc) _or_ share the system's user authentication 
(shared LDAP; PAM; unix auth, kerberos, etc). It's very common to use an 
LDAP directory to authenticate users, either one private to cyrus or one 
that's used by the rest of the system as well. Using PAM to share the 
same authentication setup as the rest of the server is also common.

I found Cyrus's authentication quite complex at first, but it does make 
sense - it's a bit complex because it's extremely flexible. I recently 
did a "map" of the various ways cyrus can authenticate users - 
it's a draft and not accompanied by any explanation, but in case it's of 
any use you can read it here:

http://www.postnewspapers.com.au/~craig/cyrus_authentication_map.pdf

Most of these components are fairly well documented; it's just an 
overview of how it all fits together that seems to be missing.

> Or
> is that you create the users on the OS but just don't provide them with a
> shell?

That's possible too. You can also potentially have all normal users on 
the OS able to access Cyrus, /and/ some extra Cyrus-only users. It all 
depends on the authentication scheme you choose, and how you plug 
everything together.

I recently posted a rather badly written example config to the cyrus 
wiki, based on my setup here. If it's of any interest, you can find it here:
http://asg.web.cmu.edu/twiki/bin/view/Cyrus/SampleCyrusConfigurations

My setup falls into the non-sealed server category, and every user with 
mail access also has system login access - we don't need mail-only users 
here at present.

Hope this helps.

Craig Ringer
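
The two models discussed in this message, shown as an added imapd.conf sketch that is not part of the original post or of the poster's own configuration. The user "bob" comes from the message; the admin name "cyrus" and the /etc/sasldb2 path are typical values assumed here.

```conf
# /etc/imapd.conf fragment: choose ONE of the two alternatives.
admins: cyrus                  # assumed admin account, used with cyradm

# --- Alternative A: sealed server, mail-only users, no OS accounts ---
# Passwords live in Cyrus SASL's own database (sasldb), looked up
# through the auxprop plugin interface.
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sasldb
#
# Create the account in sasldb, then the mailbox:
#   saslpasswd2 -c bob
#   cyradm> cm user.bob
# The sasldb file (typically /etc/sasldb2) holds the users' secrets:
# make it readable by the Cyrus service user only, not world-readable.

# --- Alternative B: share the system's authentication (non-sealed) ---
# imapd hands the password to the saslauthd daemon, which checks it
# against PAM (and therefore whatever PAM is backed by: unix auth,
# LDAP, Kerberos, ...). Start the daemon with:  saslauthd -a pam
# PAM looks up the service name "imap", e.g. /etc/pam.d/imap.
#
#sasl_pwcheck_method: saslauthd
#sasl_mech_list: PLAIN
#
# saslauthd can only verify plaintext passwords, so clients must send
# the password itself (PLAIN or IMAP LOGIN). Protect those logins with
# TLS so the system password does not cross the network in the clear.
#
# Every account PAM accepts can log in to IMAP once its mailbox exists:
#   cyradm> cm user.bob
# For users who should get mail but no shell, give the OS account a
# non-login shell, or restrict the "imap" PAM service instead.
```

In both cases the mailbox is still created with cyradm; only where the password is verified changes.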




