Postfix with Cyrus Imap

Karol Pomaski kpomaski at mexnetwork.com
Sat Jan 25 21:28:49 EST 2014


Hey,

Yes, I have all the files. I am using Debian; do you know if this patch 
is already there?
Here I send you all my configuration files. Could you check what is 
incorrect? Also, when I try to connect through cyradm as the 'cyrus' 
user, it does not let me in. Which password should be used for the 
cyrus user?

imapd.conf
-------------


# Debian Cyrus imapd.conf
# See imapd.conf(5) for more information and more options

# Configuration directory
configdirectory: /var/lib/cyrus

# Directories for proc and lock files
proc_path: /run/cyrus/proc
mboxname_lockpath: /run/cyrus/lock

# Which partition to use for default mailboxes
defaultpartition: default
partition-default: /var/spool/cyrus/mail

# News setup
partition-news: /var/spool/cyrus/news
newsspool: /var/spool/news

# Alternate namespace
# If enabled, activate the alternate namespace as documented in
# /usr/share/doc/cyrus-doc-2.4/html/altnamespace.html, where a user's
# subfolders are at the same level as the INBOX
# See also userprefix and sharedprefix on imapd.conf(5)
altnamespace: no

# UNIX Hierarchy Convention
# Set to yes, and cyrus will accept dots in names, and use the forward
# slash "/" to delimit levels of the hierarchy. This is done by converting
# internally all dots to "^", and all "/" to dots. So the "rabbit.holes"
# mailbox of user "helmer.fudd" is stored in "user.elmer^fud.rabbit^holes"
unixhierarchysep: yes
allowusermoves: yes
servername: mail.test.com
postmaster: postmaster
duplicatesuppression: 0


# Rejecting illegal characters in headers
# Headers of RFC2882 messages must not have characters with the 8th bit
# set. However, too many badly-written MUAs generate this, including most
# spamware. Enable this to reject such messages.
#reject8bit: yes

# Munging illegal characters in headers
# Headers of RFC2882 messages must not have characters with the 8th bit
# set. However, too many badly-written MUAs generate this, including most
# spamware. If you kept reject8bit disabled, you can choose to leave the
# crappage untouched by disabling this (if you don't care that IMAP SEARCH
# won't work right anymore).
#munge8bit: no

# Forcing recipient user to lowercase
# Cyrus IMAPD is case-sensitive. If all your mail users are in lowercase, it is
# probably a very good idea to set lmtp_downcase_rcpt to true. This is set by
# default, per RFC2821. This was not set by default in debian versions up to
# and including 2.2.12-4.
lmtp_downcase_rcpt: yes

# Uncomment the following and add the space-separated users who
# have admin rights for all services.
admins: cyrus

# Space-separated list of users that have lmtp "admin" status (i.e. that
# can deliver email through TCP/IP lmtp). If specified, this parameter
# overrides the "admins" parameter above
#lmtp_admins: postman

# Space-separated list of users that have mupdate "admin" status, in
# addition to those in the admins: entry above. Note that mupdate slaves and
# backends in a Murder cluster need to authenticate against the mupdate master
# as admin users.
#mupdate_admins: mupdateman

# Space-separated list of users that have imapd "admin" status, in
# addition to those in the admins: entry above
#imap_admins: cyrus

# Space-separated list of users that have sieve "admin" status, in
# addition to those in the admins: entry above
#sieve_admins: cyrus

# List of users and groups that are allowed to proxy for other users,
# separated by spaces. Any user listed in this will be allowed to login
# for any other user. Like "admins:" above, you can have imap_proxyservers
# and sieve_proxyservers.
#proxyservers: cyrus

# No anonymous logins
allowanonymouslogin: no

# Minimum time between POP mail fetches in minutes
popminpoll: 1

# If nonzero, normal users may create their own IMAP accounts by creating
# the mailbox INBOX. The user's quota is set to the value if it is positive,
# otherwise the user has unlimited quota.
autocreatequota: -1

# umask used by Cyrus programs
umask: 027

# Sendmail binary location
# DUE TO A BUG, Cyrus sends CRLF EOLs to this program. This breaks Exim 3.
# For now, to work around the bug, set this to a wrapper that calls
# /usr/sbin/sendmail -dropcr instead if you use Exim 3.
#sendmail: /usr/sbin/sendmail

virtdomains: on

# If enabled, cyrdeliver will look for Sieve scripts in user's home
# directories: ~user/.sieve.
sieveusehomedir: false

# If sieveusehomedir is false, this directory is searched for Sieve scripts.
sievedir: /var/spool/sieve

# notifyd(8) method to use for "MAIL" notifications. If not set, "MAIL"
# notifications are disabled. Valid methods are: null, log, zephyr
#mailnotifier: zephyr

# notifyd(8) method to use for "SIEVE" notifications. If not set, "SIEVE"
# notifications are disabled. This method is only used when no method is
# specified in the script. Valid methods are null, log, zephyr, mailto
#sievenotifier: zephyr

# If enabled, the partitions will also be hashed, in addition to the hashing
# done on configuration directories. This is recommended if one partition has a
# very bushy mailbox tree.
hashimapspool: true

# Allow plaintext logins by default (SASL PLAIN)
allowplaintext: yes

# Force PLAIN/LOGIN authentication only
# (you need to uncomment this if you are not using an auxprop-based SASL
# mechanism. saslauthd users, that means you!). And pay attention to
# sasl_minimum_layer and allowapop below, too.
sasl_mech_list: PLAIN LOGIN

# Allow use of the POP3 APOP authentication command.
# Note that this command requires that the plaintext passwords are
# available in a SASL auxprop backend (eg. sasldb), and that the system
# can provide enough entropy (eg. from /dev/urandom) to create a challenge
# in the banner.
#allowapop: no

# The minimum SSF that the server will allow a client to negotiate. A
# value of 1 requires integrity protection; any higher value requires some
# amount of encryption.
sasl_minimum_layer: 0

# The maximum SSF that the server will allow a client to negotiate. A
# value of 1 requires integrity protection; any higher value requires some
# amount of encryption.
#sasl_maximum_layer: 256

# List of remote realms whose users may log in using cross-realm
# authentications. Separate each realm name by a space. A cross-realm
# identity is considered any identity returned by SASL with an "@" in it.
# NOTE: To support multiple virtual domains on the same interface/IP,
# you need to list them all as loginreals. If you don't list them here,
# (most of) your users probably won't be able to log in.
#loginrealms: example.com

# Enable virtual domain support. If enabled, the user's domain will
# be determined by splitting a fully qualified userid at the last '@'
# or '%' symbol. If the userid is unqualified, and the virtdomains
# option is set to "on", then the domain will be determined by doing
# a reverse lookup on the IP address of the incoming network
# interface, otherwise the user is assumed to be in the default
# domain (if set).
#virtdomains: userid

# The default domain for virtual domain support
# If the domain of a user can't be taken from its login and it can't
# be determined by doing a reverse lookup on the interface IP, this
# domain is used.
#defaultdomain:

#
# SASL library options (these are handled directly by the SASL libraries,
# refer to SASL documentation for an up-to-date list of these)
#

# The mechanism(s) used by the server to verify plaintext passwords. Possible
# values are "saslauthd", "auxprop", "pwcheck" and "alwaystrue". They
# are tried in order, you can specify more than one, separated by spaces.
#
# Do note that, since sasl will be run as user cyrus, you may have a lot of
# trouble to set this up right.
sasl_pwcheck_method: saslauthd

# What auxpropd plugins to load, if using sasl_pwcheck_method: auxprop
# by default, all plugins are tried (which is probably NOT what you want).
#sasl_auxprop_plugin: sasldb

# If enabled, the SASL library will automatically create authentication secrets
# when given a plaintext password. Refer to SASL documentation
sasl_auto_transition: no

#
# SSL/TLS Options
#

# File containing the global certificate used for ALL services (imap, pop3,
# lmtp, sieve)
#tls_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem

# File containing the private key belonging to the global server certificate.
#tls_key_file: /etc/ssl/private/ssl-cert-snakeoil.key

# File containing the certificate used for imap. If not specified, the global
# certificate is used. A value of "disabled" will disable SSL/TLS for imap.
#imap_tls_cert_file: /etc/ssl/certs/cyrus-imap.pem

# File containing the private key belonging to the imap-specific server
# certificate. If not specified, the global private key is used. A value of
# "disabled" will disable SSL/TLS for imap.
#imap_tls_key_file: /etc/ssl/private/cyrus-imap.key

# File containing the certificate used for pop3. If not specified, the global
# certificate is used. A value of "disabled" will disable SSL/TLS for pop3.
#pop3_tls_cert_file: /etc/ssl/certs/cyrus-pop3.pem

# File containing the private key belonging to the pop3-specific server
# certificate. If not specified, the global private key is used. A value of
# "disabled" will disable SSL/TLS for pop3.
#pop3_tls_key_file: /etc/ssl/private/cyrus-pop3.key

# File containing the certificate used for lmtp. If not specified, the global
# certificate is used. A value of "disabled" will disable SSL/TLS for lmtp.
#lmtp_tls_cert_file: /etc/ssl/certs/cyrus-lmtp.pem

# File containing the private key belonging to the lmtp-specific server
# certificate. If not specified, the global private key is used. A value of
# "disabled" will disable SSL/TLS for lmtp.
#lmtp_tls_key_file: /etc/ssl/private/cyrus-lmtp.key

# File containing the certificate used for sieve. If not specified, the global
# certificate is used. A value of "disabled" will disable SSL/TLS for sieve.
#sieve_tls_cert_file: /etc/ssl/certs/cyrus-sieve.pem

# File containing the private key belonging to the sieve-specific server
# certificate. If not specified, the global private key is used. A value of
# "disabled" will disable SSL/TLS for sieve.
#sieve_tls_key_file: /etc/ssl/private/cyrus-sieve.key

# File containing one or more Certificate Authority (CA) certificates.
#tls_ca_file: /etc/ssl/certs/cyrus-imapd-ca.pem

# Path to directory with certificates of CAs.
tls_ca_path: /etc/ssl/certs

# The length of time (in minutes) that a TLS session will be cached for later
# reuse. The maximum value is 1440 (24 hours), the default. A value of 0 will
# disable session caching.
tls_session_timeout: 1440

# The list of SSL/TLS ciphers to allow, in decreasing order of precedence.
# The format of the string is described in ciphers(1). The Debian default
# selects TLSv1 high-security ciphers only, and removes all anonymous ciphers
# from the list (because they provide no defense against man-in-the-middle
# attacks). It also orders the list so that stronger ciphers come first.
tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH

# Require a client certificate for ALL services (imap, pop3, lmtp, sieve).
#tls_require_cert: false

# Require a client certificate for imap ONLY.
#imap_tls_require_cert: false

# Require a client certificate for pop3 ONLY.
#pop3_tls_require_cert: false

# Require a client certificate for lmtp ONLY.
#lmtp_tls_require_cert: false

# Require a client certificate for sieve ONLY.
#sieve_tls_require_cert: false

#
# Cyrus Murder cluster configuration
#
# Set the following options to the values needed for this server to
# authenticate against the mupdate master server:
# mupdate_server
# mupdate_port
# mupdate_username
# mupdate_authname
# mupdate_realm
# mupdate_password
# mupdate_retry_delay

##
## KEEP THESE IN SYNC WITH cyrus.conf
##
# Unix domain socket that lmtpd listens on.
lmtpsocket: /var/run/cyrus/socket/lmtp

# Unix domain socket that idled listens on.
idlesocket: /var/run/cyrus/socket/idle

# Unix domain socket that the new mail notification daemon listens on.
notifysocket: /var/run/cyrus/socket/notify

# Syslog prefix. Defaults to cyrus (so logging is done as cyrus/imap etc.)
syslog_prefix: cyrus

##
## DEBUGGING
##
# Debugging hook. See /usr/share/doc/cyrus-common-2.4/README.Debian.debug
# Keep the hook disabled when it is not in use
#
# gdb Back-traces
#debug_command: /usr/bin/gdb -batch -cd=/tmp -x /usr/lib/cyrus/get-backtrace.gdb /usr/lib/cyrus/bin/%s %d >/tmp/gdb-backtrace.cyrus.%1$s.%2$d <&- 2>&1 &
#
# system-call traces
#debug_command: /usr/bin/strace -tt -o /tmp/strace.cyrus.%s.%d -p %2$d <&- 2>&1 &
#
# library traces
#debug_command: /usr/bin/ltrace -tt -n 2 -o /tmp/ltrace.cyrus.%s.%d -p %2$d <&- 2>&1 &
------------------------

smtpd.conf


pwcheck_method: saslauthd
mech_list: plain login
allow_plaintext: true
auxprop_plugin: sql
sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_user: mail_admin
sql_passwd: 111
sql_database: mail
sql_select: select password from users where email = '%u@%r'


---------------

/etc/pam.d/smtp

# PAM configuration file for Cyrus IMAP service
#
# If you want to use Cyrus in a setup where users don't have
# accounts on the local machine, you'll need to make sure
# you use something like pam_permit for account checking.
#
# Remember that SASL (and therefore Cyrus) accesses PAM
# modules through saslauthd, and that SASL can only deal with
# plaintext passwords if PAM is used.
#

auth sufficient pam_mysql.so user=mail_admin passwd=111 host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
account required pam_mysql.so user=mail_admin passwd=111 host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1

@include common-auth
@include common-account
-------------
/etc/pam.d/imap

# PAM configuration file for Cyrus IMAP service
#
# If you want to use Cyrus in a setup where users don't have
# accounts on the local machine, you'll need to make sure
# you use something like pam_permit for account checking.
#
# Remember that SASL (and therefore Cyrus) accesses PAM
# modules through saslauthd, and that SASL can only deal with
# plaintext passwords if PAM is used.
#

auth sufficient pam_mysql.so user=mail_admin passwd=111 host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
account required pam_mysql.so user=mail_admin passwd=111 host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1

@include common-auth
@include common-account

------
/etc/defaults/saslauthd

#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#

# Should saslauthd run automatically on startup? (default: no)
START=yes

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam -- use PAM
# rimap -- use a remote IMAP server
# shadow -- use the local shadow password file
# sasldb -- use the local sasldb database file
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
#
# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
# then your Postfix is running in a chroot.
# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
# running in a chroot.
#OPTIONS="-c -m /var/run/saslauthd"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"




------ Original Message ------
From: "Dan White" <dwhite at olp.net>
To: "Karol Pomaski" <kpomaski at mexnetwork.com>
Cc: info-cyrus at lists.andrew.cmu.edu
Sent: 1/25/2014 10:49:21 AM
Subject: Re: Postfix with Cyrus Imap

>On 01/25/14 16:21 +0000, Karol Pomaski wrote:
>>my main.cf
>>
>>smtpd_sasl_auth_enable = yes
>>smtpd_sasl_security_options = noanonymous
>
>You should have a sasl smtpd.conf file with authentication details, such as
>in /etc/postfix/sasl or /usr/lib/sasl2/ (saslfinger is useful here).
>
>You should be able to prepend 'sasl_' to its configuration and insert
>those statements into /etc/imapd.conf.
>
>>Postfix uses the DB correctly, but Cyrus Imap does not. As you haven't 
>>answered my question, is it possible to add an account to the MySQL DB and 
>>then the mailbox will be created automatically (without using cyradm)?
>
>You may need to apply this patch if your OS's package has not
>included them:
>
>http://code.uoa.gr/p/cyrus/autocreate/
>
>-- Dan White
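Added example (not part of the thread above, and not Cyrus, Postfix or Debian code): a POSIX sh diagnostic for the saslauthd wiring that both services in the posted configuration depend on. smtpd.conf (pwcheck_method: saslauthd) and imapd.conf (sasl_pwcheck_method: saslauthd) both hand the password to saslauthd, which with MECHANISMS="pam" asks the /etc/pam.d/smtp or /etc/pam.d/imap stack, so the auxprop/sql lines in smtpd.conf are not on that path and a "cyrus" login succeeds only if pam_mysql accepts it. The script checks where saslauthd listens (the posted OPTIONS put the socket under the Postfix chroot, so Cyrus has to be told with sasl_saslauthd_path, which is Cyrus SASL's saslauthd_path option under the sasl_ prefix Dan mentions), whether -r is in effect (saslauthd then passes user@realm to PAM), whether files carrying the MySQL password are readable by everyone, and whether imapd.conf allows plaintext logins with no TLS certificate active. The mux socket name, the SASL_USER/SASL_PASS variables and the helper names are this example's own assumptions.

```shell
#!/bin/sh
# Added diagnostic for the saslauthd wiring shared by Postfix and Cyrus on
# Debian. Example code written for this thread, not from either project.
# Assumptions (not in the original post): the socket is "$dir/mux" under the
# directory given to saslauthd with -m, and testsaslauthd (sasl2-bin) exists.

# Directory passed to saslauthd with -m, extracted from an OPTIONS string.
mux_dir_from_options() {
    printf '%s\n' "$1" | sed -n 's/.*-m[[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# OPTIONS value from a /etc/default/saslauthd style file; the last
# uncommented assignment wins, as it does when the init script sources it.
options_from_defaults() {
    sed -n 's/^OPTIONS="\(.*\)"$/\1/p' "$1" | tail -n 1
}

mux_dir_from_defaults() {
    mux_dir_from_options "$(options_from_defaults "$1")"
}

# True when -r is set: saslauthd then joins user and realm into one login
# name (user@realm) before handing it to PAM, which changes what pam_mysql
# compares against the email column.
uses_realm_flag() {
    case " $1 " in *" -r "*) return 0 ;; *) return 1 ;; esac
}

# imapd.conf line Cyrus needs when the socket is not at the default location.
# Prints nothing when the default path is in use.
imapd_saslauthd_line() {
    case "$1" in
        /var/run/saslauthd|/run/saslauthd) : ;;
        *) printf 'sasl_saslauthd_path: %s/mux\n' "$1" ;;
    esac
}

# Print files that carry the MySQL password yet are readable by "other".
# Returns 1 if any such file was found, 0 otherwise. Uses ls(1) so it works
# with any POSIX userland, not only GNU stat.
world_readable_secrets() {
    _rc=0
    for _f in "$@"; do
        [ -f "$_f" ] || continue
        grep -qs -e 'passwd=' -e 'sql_passwd' "$_f" || continue
        _mode=$(ls -ld "$_f" | cut -c1-10)
        case "$_mode" in
            ???????r??) echo "world-readable credentials: $_f ($_mode)"; _rc=1 ;;
        esac
    done
    return $_rc
}

# True when imapd.conf allows PLAIN/LOGIN but no tls_cert_file (global or
# per-service) is active, i.e. passwords can cross the network unprotected.
plaintext_without_tls() {
    grep -qsE '^allowplaintext:[[:space:]]*(yes|1|true|on)' "$1" || return 1
    grep -qs '^[a-z0-9_]*tls_cert_file:' "$1" && return 1
    return 0
}

# Live checks, only on a host that actually has the Debian files.
if [ -r /etc/default/saslauthd ]; then
    opts=$(options_from_defaults /etc/default/saslauthd)
    dir=$(mux_dir_from_options "$opts")
    echo "saslauthd -m directory: $dir"
    line=$(imapd_saslauthd_line "$dir")
    [ -z "$line" ] || echo "imapd.conf needs: $line"
    if uses_realm_flag "$opts"; then
        echo "-r is set: PAM sees user@realm, so the pam_mysql lookup must match that form"
    fi
    [ -S "$dir/mux" ] || echo "no socket at $dir/mux (is saslauthd running?)"
    # Exercise the same path the daemons use; -s selects the PAM service file.
    if command -v testsaslauthd >/dev/null 2>&1 && [ -S "$dir/mux" ]; then
        for svc in imap smtp; do
            printf 'service %s: ' "$svc"
            testsaslauthd -f "$dir/mux" -s "$svc" \
                -u "${SASL_USER:-cyrus}" -p "${SASL_PASS:-}" || true
        done
    fi
    world_readable_secrets /etc/postfix/sasl/smtpd.conf /etc/pam.d/imap /etc/pam.d/smtp || true
    if plaintext_without_tls /etc/imapd.conf; then
        echo "imapd.conf: plaintext logins allowed with no TLS certificate configured"
    fi
fi
```

Run it as root on the mail host with SASL_USER and SASL_PASS set. testsaslauthd -s imap and -s smtp go through the same two PAM stacks the daemons use, so a "NO" there points at PAM/pam_mysql (or the -r form of the login name) rather than at Cyrus itself, while an "OK" from testsaslauthd paired with a failing cyradm login points at Cyrus not reaching the socket: on Debian the saslauthd socket directory is owned by group sasl and not world-accessible, so the cyrus user, like postfix, has to be a member of that group.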


