Postfix with Cyrus Imap
Karol Pomaski
kpomaski at mexnetwork.com
Sat Jan 25 21:36:06 EST 2014
Ah I forgot to add that I am using Debian Wheezy 7.0
------ Original Message ------
From: "Karol Pomaski" <kpomaski at mexnetwork.com>
To: "Dan White" <dwhite at olp.net>
Cc: info-cyrus at lists.andrew.cmu.edu
Sent: 1/25/2014 8:28:49 PM
Subject: Re[2]: Postfix with Cyrus Imap
>Hey,
>
>Yes, I have all the files. I am using Debian; do you know if this patch
>is already there?
>Here I send you all my configuration files. Could you check what is
>incorrect? Also, while trying to connect through cyradm using the 'cyrus'
>user, it doesn't let me in. Which password should be used for the
>cyrus user?
>
>imapd.conf
>-------------
>
>
># Debian Cyrus imapd.conf
># See imapd.conf(5) for more information and more options
>
># Configuration directory
>configdirectory: /var/lib/cyrus
>
># Directories for proc and lock files
>proc_path: /run/cyrus/proc
>mboxname_lockpath: /run/cyrus/lock
>
># Which partition to use for default mailboxes
>defaultpartition: default
>partition-default: /var/spool/cyrus/mail
>
># News setup
>partition-news: /var/spool/cyrus/news
>newsspool: /var/spool/news
>
># Alternate namespace
># If enabled, activate the alternate namespace as documented in
># /usr/share/doc/cyrus-doc-2.4/html/altnamespace.html, where an user's
># subfolders are in the same level as the INBOX
># See also userprefix and sharedprefix on imapd.conf(5)
>altnamespace: no
>
># UNIX Hierarchy Convention
># Set to yes, and cyrus will accept dots in names, and use the forward
># slash "/" to delimit levels of the hierarchy. This is done by converting
># internally all dots to "^", and all "/" to dots. So the "rabbit.holes"
># mailbox of user "helmer.fudd" is stored in "user.helmer^fudd.rabbit^holes"
>unixhierarchysep: yes
>allowusermoves: yes
>servername: mail.test.com
>postmaster: postmaster
>duplicatesuppression: 0
>
>
># Rejecting illegal characters in headers
># Headers of RFC2822 messages must not have characters with the 8th bit
># set. However, too many badly-written MUAs generate this, including most
># spamware. Enable this to reject such messages.
>#reject8bit: yes
>
># Munging illegal characters in headers
># Headers of RFC2822 messages must not have characters with the 8th bit
># set. However, too many badly-written MUAs generate this, including most
># spamware. If you kept reject8bit disabled, you can choose to leave the
># crappage untouched by disabling this (if you don't care that IMAP SEARCH
># won't work right anymore).
>#munge8bit: no
>
># Forcing recipient user to lowercase
># Cyrus IMAPD is case-sensitive. If all your mail users are in lowercase, it is
># probably a very good idea to set lmtp_downcase_rcpt to true. This is set by
># default, per RFC2821. This was not set by default in debian versions up to
># and including 2.2.12-4.
>lmtp_downcase_rcpt: yes
>
># Uncomment the following and add the space-separated users who
># have admin rights for all services.
>admins: cyrus
>
># Space-separated list of users that have lmtp "admin" status (i.e. that
># can deliver email through TCP/IP lmtp). If specified, this parameter
># overrides the "admins" parameter above
>#lmtp_admins: postman
>
># Space-separated list of users that have mupdate "admin" status, in
># addition to those in the admins: entry above. Note that mupdate slaves and
># backends in a Murder cluster need to authenticate against the mupdate master
># as admin users.
>#mupdate_admins: mupdateman
>
># Space-separated list of users that have imapd "admin" status, in
># addition to those in the admins: entry above
>#imap_admins: cyrus
>
># Space-separated list of users that have sieve "admin" status, in
># addition to those in the admins: entry above
>#sieve_admins: cyrus
>
># List of users and groups that are allowed to proxy for other users,
># separated by spaces. Any user listed in this will be allowed to login
># for any other user. Like "admins:" above, you can have imap_proxyservers
># and sieve_proxyservers.
>#proxyservers: cyrus
>
># No anonymous logins
>allowanonymouslogin: no
>
># Minimum time between POP mail fetches in minutes
>popminpoll: 1
>
># If nonzero, normal users may create their own IMAP accounts by creating
># the mailbox INBOX. The user's quota is set to the value if it is positive,
># otherwise the user has unlimited quota.
>autocreatequota: -1
>
># umask used by Cyrus programs
>umask: 027
>
># Sendmail binary location
># DUE TO A BUG, Cyrus sends CRLF EOLs to this program. This breaks Exim 3.
># For now, to work around the bug, set this to a wrapper that calls
># /usr/sbin/sendmail -dropcr instead if you use Exim 3.
>#sendmail: /usr/sbin/sendmail
>
>virtdomains: on
>
># If enabled, cyrdeliver will look for Sieve scripts in user's home
># directories: ~user/.sieve.
>sieveusehomedir: false
>
># If sieveusehomedir is false, this directory is searched for Sieve scripts.
>sievedir: /var/spool/sieve
>
># notifyd(8) method to use for "MAIL" notifications. If not set, "MAIL"
># notifications are disabled. Valid methods are: null, log, zephyr
>#mailnotifier: zephyr
>
># notifyd(8) method to use for "SIEVE" notifications. If not set, "SIEVE"
># notifications are disabled. This method is only used when no method is
># specified in the script. Valid methods are null, log, zephyr, mailto
>#sievenotifier: zephyr
>
># If enabled, the partitions will also be hashed, in addition to the hashing
># done on configuration directories. This is recommended if one partition has a
># very bushy mailbox tree.
>hashimapspool: true
>
># Allow plaintext logins by default (SASL PLAIN)
>allowplaintext: yes
>
># Force PLAIN/LOGIN authentication only
># (you need to uncomment this if you are not using an auxprop-based SASL
># mechanism. saslauthd users, that means you!). And pay attention to
># sasl_minimum_layer and allowapop below, too.
>sasl_mech_list: PLAIN LOGIN
>
># Allow use of the POP3 APOP authentication command.
># Note that this command requires that the plaintext passwords are
># available in a SASL auxprop backend (eg. sasldb), and that the system
># can provide enough entropy (eg. from /dev/urandom) to create a challenge
># in the banner.
>#allowapop: no
>
># The minimum SSF that the server will allow a client to negotiate. A
># value of 1 requires integrity protection; any higher value requires some
># amount of encryption.
>sasl_minimum_layer: 0
>
># The maximum SSF that the server will allow a client to negotiate. A
># value of 1 requires integrity protection; any higher value requires some
># amount of encryption.
>#sasl_maximum_layer: 256
>
># List of remote realms whose users may log in using cross-realm
># authentications. Separate each realm name by a space. A cross-realm
># identity is considered any identity returned by SASL with an "@" in it.
># NOTE: To support multiple virtual domains on the same interface/IP,
># you need to list them all as loginrealms. If you don't list them here,
># (most of) your users probably won't be able to log in.
>#loginrealms: example.com
>
># Enable virtual domain support. If enabled, the user's domain will
># be determined by splitting a fully qualified userid at the last '@'
># or '%' symbol. If the userid is unqualified, and the virtdomains
># option is set to "on", then the domain will be determined by doing
># a reverse lookup on the IP address of the incoming network
># interface, otherwise the user is assumed to be in the default
># domain (if set).
>#virtdomains: userid
>
># The default domain for virtual domain support
># If the domain of a user can't be taken from its login and it can't
># be determined by doing a reverse lookup on the interface IP, this
># domain is used.
>#defaultdomain:
>
>#
># SASL library options (these are handled directly by the SASL
>libraries,
># refer to SASL documentation for an up-to-date list of these)
>#
>
># The mechanism(s) used by the server to verify plaintext passwords. Possible
># values are "saslauthd", "auxprop", "pwcheck" and "alwaystrue". They
># are tried in order, you can specify more than one, separated by spaces.
>#
># Do note that, since sasl will be run as user cyrus, you may have a lot of
># trouble to set this up right.
>sasl_pwcheck_method: saslauthd
>
># What auxpropd plugins to load, if using sasl_pwcheck_method: auxprop
># by default, all plugins are tried (which is probably NOT what you want).
>#sasl_auxprop_plugin: sasldb
>
># If enabled, the SASL library will automatically create authentication secrets
># when given a plaintext password. Refer to SASL documentation
>sasl_auto_transition: no
>
>#
># SSL/TLS Options
>#
>
># File containing the global certificate used for ALL services (imap, pop3,
># lmtp, sieve)
>#tls_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
>
># File containing the private key belonging to the global server certificate.
>#tls_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
>
># File containing the certificate used for imap. If not specified, the global
># certificate is used. A value of "disabled" will disable SSL/TLS for imap.
>#imap_tls_cert_file: /etc/ssl/certs/cyrus-imap.pem
>
># File containing the private key belonging to the imap-specific server
># certificate. If not specified, the global private key is used. A value of
># "disabled" will disable SSL/TLS for imap.
>#imap_tls_key_file: /etc/ssl/private/cyrus-imap.key
>
># File containing the certificate used for pop3. If not specified, the global
># certificate is used. A value of "disabled" will disable SSL/TLS for pop3.
>#pop3_tls_cert_file: /etc/ssl/certs/cyrus-pop3.pem
>
># File containing the private key belonging to the pop3-specific server
># certificate. If not specified, the global private key is used. A value of
># "disabled" will disable SSL/TLS for pop3.
>#pop3_tls_key_file: /etc/ssl/private/cyrus-pop3.key
>
># File containing the certificate used for lmtp. If not specified, the global
># certificate is used. A value of "disabled" will disable SSL/TLS for lmtp.
>#lmtp_tls_cert_file: /etc/ssl/certs/cyrus-lmtp.pem
>
># File containing the private key belonging to the lmtp-specific server
># certificate. If not specified, the global private key is used. A value of
># "disabled" will disable SSL/TLS for lmtp.
>#lmtp_tls_key_file: /etc/ssl/private/cyrus-lmtp.key
>
># File containing the certificate used for sieve. If not specified, the global
># certificate is used. A value of "disabled" will disable SSL/TLS for sieve.
>#sieve_tls_cert_file: /etc/ssl/certs/cyrus-sieve.pem
>
># File containing the private key belonging to the sieve-specific server
># certificate. If not specified, the global private key is used. A value of
># "disabled" will disable SSL/TLS for sieve.
>#sieve_tls_key_file: /etc/ssl/private/cyrus-sieve.key
>
># File containing one or more Certificate Authority (CA) certificates.
>#tls_ca_file: /etc/ssl/certs/cyrus-imapd-ca.pem
>
># Path to directory with certificates of CAs.
>tls_ca_path: /etc/ssl/certs
>
># The length of time (in minutes) that a TLS session will be cached for later
># reuse. The maximum value is 1440 (24 hours), the default. A value of 0 will
># disable session caching.
>tls_session_timeout: 1440
>
># The list of SSL/TLS ciphers to allow, in decreasing order of precedence.
># The format of the string is described in ciphers(1). The Debian default
># selects TLSv1 high-security ciphers only, and removes all anonymous ciphers
># from the list (because they provide no defense against man-in-the-middle
># attacks). It also orders the list so that stronger ciphers come first.
>tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
>
># Require a client certificate for ALL services (imap, pop3, lmtp, sieve).
>#tls_require_cert: false
>
># Require a client certificate for imap ONLY.
>#imap_tls_require_cert: false
>
># Require a client certificate for pop3 ONLY.
>#pop3_tls_require_cert: false
>
># Require a client certificate for lmtp ONLY.
>#lmtp_tls_require_cert: false
>
># Require a client certificate for sieve ONLY.
>#sieve_tls_require_cert: false
>
>#
># Cyrus Murder cluster configuration
>#
># Set the following options to the values needed for this server to
># authenticate against the mupdate master server:
># mupdate_server
># mupdate_port
># mupdate_username
># mupdate_authname
># mupdate_realm
># mupdate_password
># mupdate_retry_delay
>
>##
>## KEEP THESE IN SYNC WITH cyrus.conf
>##
># Unix domain socket that lmtpd listens on.
>lmtpsocket: /var/run/cyrus/socket/lmtp
>
># Unix domain socket that idled listens on.
>idlesocket: /var/run/cyrus/socket/idle
>
># Unix domain socket that the new mail notification daemon listens on.
>notifysocket: /var/run/cyrus/socket/notify
>
># Syslog prefix. Defaults to cyrus (so logging is done as cyrus/imap etc.)
>syslog_prefix: cyrus
>
>##
>## DEBUGGING
>##
># Debugging hook. See /usr/share/doc/cyrus-common-2.4/README.Debian.debug
># Keep the hook disabled when it is not in use
>#
># gdb Back-traces
>#debug_command: /usr/bin/gdb -batch -cd=/tmp -x /usr/lib/cyrus/get-backtrace.gdb /usr/lib/cyrus/bin/%s %d >/tmp/gdb-backtrace.cyrus.%1$s.%2$d <&- 2>&1 &
>#
># system-call traces
>#debug_command: /usr/bin/strace -tt -o /tmp/strace.cyrus.%s.%d -p %2$d <&- 2>&1 &
>#
># library traces
>#debug_command: /usr/bin/ltrace -tt -n 2 -o /tmp/ltrace.cyrus.%s.%d -p %2$d <&- 2>&1 &
>------------------------
>
>smtpd.conf
>
>
>pwcheck_method: saslauthd
>mech_list: plain login
>allow_plaintext: true
>auxprop_plugin: sql
>sql_engine: mysql
>sql_hostnames: 127.0.0.1
>sql_user: mail_admin
>sql_passwd: 111
>sql_database: mail
>sql_select: select password from users where email = '%u@%r'
>
>
>---------------
>
>/etc/pam.d/smtp
>
># PAM configuration file for Cyrus IMAP service
>#
># If you want to use Cyrus in a setup where users don't have
># accounts on the local machine, you'll need to make sure
># you use something like pam_permit for account checking.
>#
># Remember that SASL (and therefore Cyrus) accesses PAM
># modules through saslauthd, and that SASL can only deal with
># plaintext passwords if PAM is used.
>#
>
>auth sufficient pam_mysql.so user=mail_admin passwd=111 host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
>account required pam_mysql.so user=mail_admin passwd=111 host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
>
>@include common-auth
>@include common-account
>-------------
>/etc/pam.d/imap
>
># PAM configuration file for Cyrus IMAP service
>#
># If you want to use Cyrus in a setup where users don't have
># accounts on the local machine, you'll need to make sure
># you use something like pam_permit for account checking.
>#
># Remember that SASL (and therefore Cyrus) accesses PAM
># modules through saslauthd, and that SASL can only deal with
># plaintext passwords if PAM is used.
>#
>
>auth sufficient pam_mysql.so user=mail_admin passwd=111 host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
>account required pam_mysql.so user=mail_admin passwd=111 host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
>
>@include common-auth
>@include common-account
>
>------
>/etc/defaults/saslauthd
>
>#
># Settings for saslauthd daemon
># Please read /usr/share/doc/sasl2-bin/README.Debian for details.
>#
>
># Should saslauthd run automatically on startup? (default: no)
>START=yes
>
># Description of this saslauthd instance. Recommended.
># (suggestion: SASL Authentication Daemon)
>DESC="SASL Authentication Daemon"
>
># Short name of this saslauthd instance. Strongly recommended.
># (suggestion: saslauthd)
>NAME="saslauthd"
>
># Which authentication mechanisms should saslauthd use? (default: pam)
>#
># Available options in this Debian package:
># getpwent -- use the getpwent() library function
># kerberos5 -- use Kerberos 5
># pam -- use PAM
># rimap -- use a remote IMAP server
># shadow -- use the local shadow password file
># sasldb -- use the local sasldb database file
># ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
>#
># Only one option may be used at a time. See the saslauthd man page
># for more information.
>#
># Example: MECHANISMS="pam"
>MECHANISMS="pam"
>
># Additional options for this mechanism. (default: none)
># See the saslauthd man page for information about mech-specific options.
>MECH_OPTIONS=""
>
># How many saslauthd processes should we run? (default: 5)
># A value of 0 will fork a new process for each connection.
>THREADS=5
>
># Other options (default: -c -m /var/run/saslauthd)
># Note: You MUST specify the -m option or saslauthd won't run!
>#
># WARNING: DO NOT SPECIFY THE -d OPTION.
># The -d option will cause saslauthd to run in the foreground instead of as
># a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
># to run saslauthd in debug mode, please run it by hand to be safe.
>#
># See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
># See the saslauthd man page and the output of 'saslauthd -h' for general
># information about these options.
>#
># Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
># Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
>#
># To know if your Postfix is running chroot, check /etc/postfix/master.cf.
># If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
># then your Postfix is running in a chroot.
># If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
># running in a chroot.
>#OPTIONS="-c -m /var/run/saslauthd"
>OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
>
>
>
>
>------ Original Message ------
>From: "Dan White" <dwhite at olp.net>
>To: "Karol Pomaski" <kpomaski at mexnetwork.com>
>Cc: info-cyrus at lists.andrew.cmu.edu
>Sent: 1/25/2014 10:49:21 AM
>Subject: Re: Postfix with Cyrus Imap
>
>>On 01/25/14 16:21 +0000, Karol Pomaski wrote:
>>>my main.cf
>>>
>>>smtpd_sasl_auth_enable = yes
>>>smtpd_sasl_security_options = noanonymous
>>
>>You should have a sasl smtpd.conf file with authentication details, such as
>>in /etc/postfix/sasl or /usr/lib/sasl2/ (saslfinger is useful here).
>>
>>You should be able to prepend 'sasl_' to its configuration and insert
>>those statements into /etc/imapd.conf.
>>
>>>Postfix uses the DB correctly, but Cyrus IMAP does not. As you haven't
>>>answered my question, is it possible to add an account to the MySQL DB and
>>>then the mailbox will be created automatically (without using cyradm)?
>>
>>You may need to apply this patch if your OS's package has not
>>included them:
>>
>>http://code.uoa.gr/p/cyrus/autocreate/
>>
>>-- Dan White
>
>----
>Cyrus Home Page: http://www.cyrusimap.org/
>List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
>To Unsubscribe:
>https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
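Editor's note, added after the thread and not part of any message in it: Dan White's advice above is to take the SASL application config Postfix already uses (the quoted smtpd.conf), prefix each option with "sasl_", and drop the result into imapd.conf. The example below is the editor's own Python, not code from the thread, the Cyrus project or Debian. It parses trimmed copies of the two quoted configs (constructed here as inline strings from what the poster showed, including the pam_mysql/sql password "111"), produces the merged sasl_* view that imapd would see, and reports the points a reviewer of those configs would raise: the sql_* and auxprop_plugin lines are inert because sasl_pwcheck_method names only saslauthd; the database password sits in cleartext in a config file; and with allowplaintext: yes, sasl_minimum_layer: 0, PLAIN/LOGIN in the mechanism list and every tls_*_file line commented out, passwords cross the network unprotected.

```python
# Added example (editor's code, not from the thread, Cyrus or Debian).
# Merge a Cyrus-SASL application config into imapd.conf "sasl_" options and
# audit the result. Both configs are constructed samples from the thread.

SMTPD_CONF = """\
pwcheck_method: saslauthd
mech_list: plain login
allow_plaintext: true
auxprop_plugin: sql
sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_user: mail_admin
sql_passwd: 111
sql_database: mail
sql_select: select password from users where email = '%u@%r'
"""

IMAPD_CONF = """\
admins: cyrus
allowplaintext: yes
sasl_mech_list: PLAIN LOGIN
sasl_minimum_layer: 0
sasl_pwcheck_method: saslauthd
virtdomains: on
#tls_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
"""

TRUE_WORDS = {"1", "yes", "true", "on", "t"}


def parse_conf(text):
    """Parse 'option: value' lines, the syntax shared by imapd.conf and SASL
    application configs. Comment lines are skipped, so a commented-out
    tls_cert_file does not count as configured."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            opts[key.strip().lower()] = value.strip()
    return opts


def to_imapd_sasl(smtpd_opts):
    """Dan White's rule: prefix each SASL application option with 'sasl_'."""
    return {"sasl_" + k: v for k, v in smtpd_opts.items()}


def effective_sasl(imapd_opts, smtpd_opts):
    """The sasl_* view imapd ends up with: explicit sasl_* lines already in
    imapd.conf win, lines derived from smtpd.conf fill the gaps."""
    merged = to_imapd_sasl(smtpd_opts)
    merged.update({k: v for k, v in imapd_opts.items() if k.startswith("sasl_")})
    return merged


def audit(imapd_opts, sasl_opts):
    """Return the findings a reviewer would raise for this combination."""
    findings = []
    pwcheck = sasl_opts.get("sasl_pwcheck_method", "").lower().split()
    sql_keys = [k for k in sasl_opts
                if k.startswith("sasl_sql_") or k == "sasl_auxprop_plugin"]
    if sql_keys and "auxprop" not in pwcheck:
        # libsasl consults auxprop plugins only when pwcheck_method lists auxprop
        findings.append("inert: sql/auxprop options are unused because "
                        "sasl_pwcheck_method does not include 'auxprop'; "
                        "every password check goes to saslauthd (here PAM)")
    if "sasl_sql_passwd" in sasl_opts:
        findings.append("secret: sql_passwd is a cleartext database password; "
                        "the file holding it must not be world-readable")
    mechs = set(sasl_opts.get("sasl_mech_list", "").lower().split())
    plaintext = imapd_opts.get("allowplaintext", "").lower() in TRUE_WORDS
    no_layer = sasl_opts.get("sasl_minimum_layer", "0") == "0"
    tls = any(imapd_opts.get(k) for k in ("tls_cert_file", "imap_tls_cert_file"))
    if mechs & {"plain", "login"} and plaintext and no_layer and not tls:
        findings.append("cleartext: PLAIN/LOGIN offered with sasl_minimum_layer 0 "
                        "and no TLS certificate configured, so passwords cross "
                        "the network unprotected")
    return findings


if __name__ == "__main__":
    imapd = parse_conf(IMAPD_CONF)
    sasl = effective_sasl(imapd, parse_conf(SMTPD_CONF))
    for key in sorted(sasl):
        print(f"{key}: {sasl[key]}")
    for finding in audit(imapd, sasl):
        print("WARNING", finding)
```

Two caveats the audit does not model: with `sasl_pwcheck_method: saslauthd` the cyradm login for the admin user `cyrus` goes through exactly the same saslauthd, PAM and pam_mysql lookup as every mail user, since Cyrus keeps no password store of its own; and the `-r` in the quoted saslauthd OPTIONS makes saslauthd combine the realm with the login name (see saslauthd(8)), so what pam_mysql compares against `usercolumn=email` is `user@realm`, not the bare user name.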
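A second added example, again the editor's own code and not from the thread or the Cyrus sources, for the naming rules the quoted imapd.conf comments describe: with `unixhierarchysep: yes` a dot inside a name is stored as `^` and `/` becomes the internal `.` separator (the "rabbit.holes" mailbox of "helmer.fudd" becomes "user.helmer^fudd.rabbit^holes"), `lmtp_downcase_rcpt: yes` lowercases the recipient so "Joe@" and "joe@" reach the same mailbox on this case-sensitive server, and with `virtdomains: on` users outside the default domain get a "domain!" prefix on the internal name. The function also honours Cyrus's "+detail" sub-mailbox addressing. The default domain value is an assumption; the thread shows no defaultdomain line.

```python
# Added example (editor's code, not from the thread or Cyrus). Computes the
# internal Cyrus mailbox name for an LMTP recipient address under the quoted
# imapd.conf settings. DEFAULT_DOMAIN is an assumed value.

DEFAULT_DOMAIN = "test.com"  # assumed: what a 'defaultdomain:' line would carry


def encode_component(component):
    """Under unixhierarchysep a literal '.' in a name component is stored as '^'."""
    return component.replace(".", "^")


def internal_mailbox(address, unixhierarchysep=True, virtdomains=True,
                     downcase=True, default_domain=DEFAULT_DOMAIN):
    """Map 'user+folder/sub@domain' to the internal mailbox name.

    The '+detail' part selects a sub-mailbox of the user's INBOX. With
    unixhierarchysep the external separator is '/'; without it the separator
    is '.', so a dotted user name such as 'a.b' cannot be told apart from
    user 'a', folder 'b'. That ambiguity is why the quoted config enables it.
    """
    local, _, domain = address.partition("@")
    if downcase:
        local = local.lower()  # lmtp_downcase_rcpt: lowercase the local part
    user, _, detail = local.partition("+")
    sep = "/" if unixhierarchysep else "."
    parts = [user] + [p for p in detail.split(sep) if p]
    if unixhierarchysep:
        parts = [encode_component(p) for p in parts]
    name = "user." + ".".join(parts)
    if virtdomains and domain and domain.lower() != default_domain.lower():
        # users outside the default domain carry a "domain!" prefix internally
        name = domain.lower() + "!" + name
    return name


if __name__ == "__main__":
    for addr in ("helmer.fudd+rabbit.holes@test.com", "Joe@Example.ORG",
                 "joe+lists/debian@example.org"):
        print(addr, "->", internal_mailbox(addr))
```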