Cyrus IMAP for Debian, Simple Install Guide
$Id: README.Debian.simpleinstall 229 2005-12-08 23:26:29Z astronut $
-------------------------------------------

"All systems administrators have their horror stories. For me, it was
setting up a HP Color Bubblejet under Linux using ghostscript before
linuxprinting.org was alive. Well that was a piece of cake compared
to what I am about to describe in this document."
   -- "Hosting email for virtual domains using Postfix and Cyrus"
      Haim Dimermanas, 2001-08-01

"I warned you to read all the documentation first, didn't I?"
   -- Henrique M. Holschuh, 2002-10-01

This document describes how to get Cyrus running with a simple configuration
that you can then tweak to your real needs.

READ README.Debian AS WELL. I MEAN IT! Cyrus is easy, all the trouble is
in SASL, and even that becomes easy after you understand how SASL works.

IMPORTANT: Cyrus is a closed-box email system. Your system will access your
email through LMTP, IMAP and POP3 *only*. No direct file access to the email
store is supposed to take place.
To set up Cyrus so that you can administer it (i.e. create users)
and get email inside it for those users:

1. Make sure libsasl2-modules, libsasl2 and sasl2-bin are installed.

2. Make sure /etc/sasldb2 is readable by group sasl. Pay attention
   to overrides (dpkg-statoverride)!

3. Make sure user cyrus belongs to group sasl (cyrus-common-2.2's install
   tries to do this automatically for you).

4. Edit /etc/cyrus.conf, and make sure the services you need are
   enabled. These are most probably "imap", "pop3" and "lmtpunix".

5. Edit /etc/imapd.conf, and make sure you have some admin users
   listed in the entry "admins:". I suggest using "cyrus" as your

   I also suggest enabling plain text logins, and setting

   If you have unixhierarchysep enabled in imapd.conf, change all
   "." in mailbox names mentioned in this document to "/", since Cyrus
   will use "/" as the hierarchy separator instead of the default ".".
   I suggest you just leave unixhierarchysep set to false for now.

6. Restart Cyrus (/etc/init.d/cyrus2.2 restart).
7. Use saslpasswd2 -c to create an account for your admin:

8. Use sasldblistusers2 to make sure step 7 worked fine.

9. Add other users to SASL likewise (saslpasswd2 -c).

10. Log in to Cyrus as the administrator, and create the mailboxes:

    cyradm --user cyrus localhost

    (notice that there is a "user." in front of the mailbox name!)
    You must use "user/bob", "user/anna" instead if you have the
    unixhierarchysep option enabled in imapd.conf.

    For this to work, you obviously need the cyrus-admin-2.2 package

11. Try to log in as a normal user, using imtest or an IMAP/POP3 client.
    If you have trouble with mutt and CRAM-MD5 or DIGEST-MD5, edit
    /etc/imapd.conf, and look for sasl_mech_list. Set it to:

    sasl_mech_list: plain cram-md5

    (this will disable digest-md5, which causes trouble with mutt).

12. Set up your MTA to deliver email inside Cyrus. Basically that can

    a) running /usr/sbin/cyrdeliver (SLOW)
       You need the lmtpunix service enabled in /etc/cyrus.conf for this.

    b) delivering using LMTP to /var/run/cyrus/socket/lmtp
       You need the lmtpunix service enabled in /etc/cyrus.conf for this.

    Just make sure (and use dpkg-statoverride to do that) that your
    MTA can get to /var/run/cyrus/socket/lmtp. It works just like any
    file in a Unix system.

    Cyrus REQUIRES a valid RFC 2822 message, and will refuse messages with
    bad headers (such as a "From foobar" line without the ':'), embedded
    NUL bytes or any other crap.

That's it. See /usr/share/doc/cyrus-common-2.2/README.{postfix,exim,sendmail}
for help on how to set up your MTA to correctly deliver to Cyrus.
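The permission and service checks in steps 2, 3 and 4 are easy to get wrong and easy to script. What follows is an added example, not part of the Debian package or of Cyrus: it assumes the Debian paths and names used above (/etc/sasldb2, /etc/cyrus.conf, group sasl, user cyrus) and GNU find, awk and id; the function names (file_group_readable, user_in_group, cyrus_service_enabled, preflight) are this example's own. Every path is a parameter so the checks can be pointed at copies of the files.

```shell
#!/bin/sh
# Preflight checks for steps 2, 3 and 4 of the guide (added example, not
# part of the Debian package or of Cyrus). Every path and name is a
# parameter, so the functions can be pointed at test copies of the files.

# Step 2: FILE must be owned by GROUP and group-readable. It must also NOT
# be world-readable: /etc/sasldb2 holds the shared secrets behind CRAM-MD5
# and DIGEST-MD5, so "readable by group sasl" must not mean "by everyone".
file_group_readable() {
    f=$1 g=$2
    [ -f "$f" ] || return 1
    find "$f" -group "$g" -perm -g=r ! -perm -o=r -print | grep -q .
}

# Step 3: USER must have GROUP in its group list.
user_in_group() {
    u=$1 g=$2
    id -Gn "$u" 2>/dev/null | tr ' ' '\n' | grep -qx "$g"
}

# Step 4: SERVICE must be an active (uncommented) entry in CYRUS_CONF.
# cyrus.conf lists one service per line between "SERVICES {" and "}",
# with the service name as first token; disabled entries start with '#'.
cyrus_service_enabled() {
    conf=$1 svc=$2
    awk -v s="$svc" '
        $1 == "SERVICES"   { inblk = 1; next }
        inblk && $1 == "}" { inblk = 0 }
        inblk && $1 == s   { found = 1 }
        END { exit !found }' "$conf"
}

# Run all checks against the live Debian paths; prints one line per failed
# check and returns non-zero if any failed. Only runs when the script is
# started with "live", so the file can also be sourced for its functions.
preflight() {
    rc=0
    file_group_readable /etc/sasldb2 sasl ||
        { echo "FAIL: /etc/sasldb2 is not group-readable by sasl, or is world-readable"; rc=1; }
    user_in_group cyrus sasl ||
        { echo "FAIL: user cyrus is not in group sasl"; rc=1; }
    for s in imap pop3 lmtpunix; do
        cyrus_service_enabled /etc/cyrus.conf "$s" ||
            { echo "FAIL: service $s is not enabled in /etc/cyrus.conf"; rc=1; }
    done
    return $rc
}

if [ "${1:-}" = "live" ]; then
    preflight && echo "preflight OK"
fi
```

Run it as root with "sh preflight.sh live" after step 6. For step 12, the LMTP socket is an ordinary filesystem object, so "ls -l /var/run/cyrus/socket/lmtp" together with "dpkg-statoverride --list /var/run/cyrus/socket/lmtp" shows whether the MTA's user can reach it.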
First, do the steps above and verify that your system is working fine.

SASL is perfectly capable of trying various authentication methods one after
another. We will change our Cyrus setup for SASL to use an LDAP server lookup

1. Create the configuration for saslauthd to know what it must do:

   Write the following file to /etc/saslauthd.conf:

   ldap_servers: ldap://127.0.0.1/
   ldap_cache_mem: 32768
   ldap_search_base: ou=mail,o=mydomain
   ldap_auth_method: bind
   ldap_filter: maildrop=%u

   And of course, edit it to fit your LDAP setup.

2. Now, configure saslauthd to use LDAP mode and our config file:

   Modify /etc/default/saslauthd so that it reads:

   PARAMS="-O /etc/saslauthd.conf"

   (MECHANISMS can be a space-separated list of authentication
   mechanisms. If you wanted saslauthd to try LDAP, then PAM, you
   could use MECHANISMS="ldap pam")

3. Restart saslauthd:

   /etc/init.d/saslauthd restart
4. Make sure Cyrus will be able to talk to saslauthd.

   Set the following options in /etc/imapd.conf:

   sasl_mech_list: PLAIN
   sasl_minimum_layer: 0
   sasl_pwcheck_method: saslauthd

   And restart Cyrus. You'd better understand that the above allows
   plaintext logins over the network. There is an LDAP SASL auxprop
   plugin being worked on that might fix this issue. As it stands
   right now, you're better off by only accepting IMAPS (secure IMAP)

   (sasl_pwcheck_method is a space-separated list of SASL methods to
   try. If you want to have some local users in /etc/sasldb2, for
   example, you could have "sasl_pwcheck_method: auxprop saslauthd"
   and also "sasl_auxprop_plugin: sasldb")

   One *extremely* important point to notice is that saslauthd works
   ONLY with plaintext. APOP, CRAM-MD5, OTP, DIGEST-MD5 and any other
   "auxprop" SASL mech will *not* work through saslauthd.

5. That's it. There is an LDAP auxprop module in the works which can deal
   with APOP, CRAM-MD5, OTP, DIGEST-MD5 and so on; look for it in the SASL
   docs and openldap's contrib stuff.
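The imapd.conf keys set in step 5 and step 11 of the install guide and in step 4 above decide two things the text warns about: whether a password can cross the network in the clear, and whether a shared-secret mechanism is offered that saslauthd cannot verify. The audit below is an added example, not part of the Debian package or of Cyrus. It reads the keys used on this page plus allowplaintext, a real imapd.conf option the guide does not name, whose default in the Cyrus 2.2 era was to permit cleartext passwords on the wire; "allowplaintext: no" confines PLAIN and LOGIN to TLS-protected connections, which is the "only accept IMAPS" advice above expressed as a configuration check. The function names (imapd_get, auth_findings) and the sample configuration files in the usage are this example's own.

```shell
#!/bin/sh
# Audit of the SASL settings in an imapd.conf (added example, not part of
# the Debian package or of Cyrus). It reads the keys set on this page
# (sasl_mech_list, sasl_pwcheck_method, admins, ...) plus allowplaintext,
# a real imapd.conf option the guide does not mention, which in Cyrus 2.2
# defaulted to permitting cleartext passwords on the wire.

# Print the value of KEY from CONF. imapd.conf lines are "key: value";
# '#' comment lines and keys that merely share a prefix are ignored.
imapd_get() {
    conf=$1 key=$2
    awk -v k="$key" '
        index($1, k ":") == 1 {
            sub(/^[[:space:]]*[^:]*:[[:space:]]*/, ""); print; exit }' "$conf"
}

# Print one finding per line for CONF and return 1 if there are any:
#  - cleartext-on-wire: PLAIN or LOGIN is offered and allowplaintext is
#    not "no", so a client may send the password unencrypted (the text's
#    "plaintext logins over the network"). "allowplaintext: no" confines
#    those mechanisms to TLS connections (STARTTLS or IMAPS).
#  - unverifiable-mech: a shared-secret mechanism is offered while only
#    saslauthd verifies passwords; saslauthd handles plaintext only, so
#    such a mechanism needs an auxprop source (sasl_auxprop_plugin).
auth_findings() {
    conf=$1 rc=0
    mechs=$(imapd_get "$conf" sasl_mech_list | tr 'A-Z' 'a-z')
    pwcheck=$(imapd_get "$conf" sasl_pwcheck_method)
    allowplain=$(imapd_get "$conf" allowplaintext | tr 'A-Z' 'a-z')

    # An empty sasl_mech_list means "every installed mechanism", PLAIN included.
    has_clear=0
    case " $mechs " in *" plain "*|*" login "*|"  ") has_clear=1 ;; esac
    case "$allowplain" in no|0|false|off) clear_allowed=0 ;; *) clear_allowed=1 ;; esac
    if [ "$has_clear" -eq 1 ] && [ "$clear_allowed" -eq 1 ]; then
        echo "cleartext-on-wire: PLAIN/LOGIN offered and allowplaintext is not 'no'"
        rc=1
    fi

    case " $pwcheck " in *" saslauthd "*)
        case " $pwcheck " in *" auxprop "*) ;; *)
            for m in cram-md5 digest-md5 otp; do
                case " $mechs " in *" $m "*)
                    echo "unverifiable-mech: $m offered but sasl_pwcheck_method has only saslauthd"
                    rc=1 ;;
                esac
            done ;;
        esac ;;
    esac
    return "$rc"
}
```

Against the three lines from step 4 above the audit reports cleartext-on-wire and exits 1; adding "allowplaintext: no" (with TLS configured) silences it. With "sasl_mech_list: plain cram-md5" and "sasl_pwcheck_method: saslauthd" it additionally reports that cram-md5 cannot be verified, which goes away once the pwcheck list also names auxprop as shown in the parenthetical above.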
 -- Henrique de Moraes Holschuh <hmh@debian.org>