Setting up Cyrus IMAPd for Postfix (Debian)
$Id: README.postfix 229 2005-12-08 23:26:29Z astronut $
===========================================================

Cyrus works wonderfully well with Postfix, both in single-system stores (where
Postfix runs on the same host as Cyrus IMAPd), and remote mail stores (where
Cyrus IMAPd is on a different host than Postfix).

Delivery to Cyrus should _always_ be done through direct LMTP from Postfix. It
is far simpler and faster to do such delivery using Unix sockets, but Unix
sockets are only an option for single-system stores. Cyrdeliver is just a
stdio-to-LMTP proxy, and it slows down mail delivery greatly.

Cyrus requires LMTP deliveries to be authenticated. It assumes that any
deliveries done through a Unix socket are trustworthy, and pre-authenticates
them as if coming from the "postman" (fictitious) user (but you _can_
re-authenticate them as another lmtp admin user, if you wish).

Deliveries done through TCP sockets are not limited to the same host, unlike
the Unix socket ones, and can therefore be used in remote mail stores.
However, Cyrus requires that the LMTP session be authenticated using one of the
SASL mechanisms available to Cyrus (you can switch this off by giving a "-a"
parameter to lmtpd in cyrus.conf, but that is unsafe, since anyone can then
bypass any user authentication controls you might have on mail delivery).
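
One way to check for the unsafe case described above, as an added example that
is not part of the original README: this script lists lmtpd services in a
cyrus.conf that pair "-a" with a TCP listener. The sample SERVICES section, its
service names and the address in it are constructed.

```shell
#!/bin/sh
# Added example: list lmtpd services in a cyrus.conf that combine "-a"
# (authentication switched off) with a TCP listener.

# Constructed sample SERVICES section; names and address are made up.
sample_cyrus_conf() {
    cat <<'EOF'
SERVICES {
  imap      cmd="imapd" listen="imap"
  # lmtpold cmd="lmtpd -a" listen="lmtp"
  lmtpunix  cmd="lmtpd" listen="/var/run/cyrus/socket/lmtp"
  lmtp      cmd="lmtpd" listen="lmtp"
  lmtpopen  cmd="lmtpd -a" listen="192.0.2.10:lmtp"
}
EOF
}

# find_unauth_tcp_lmtp FILE
# Prints the name of each offending service; returns 1 if any was found.
find_unauth_tcp_lmtp() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*#/ { next }                      # commented-out entries
        match($0, /cmd="[^"]*"/) {
            cmd = substr($0, RSTART + 5, RLENGTH - 6)
            if (!match($0, /listen="[^"]*"/)) next
            listen = substr($0, RSTART + 8, RLENGTH - 9)
            n = split(cmd, argv, " ")
            if (argv[1] !~ /(^|\/)lmtpd$/) next  # only lmtpd services
            noauth = 0
            for (i = 2; i <= n; i++) if (argv[i] == "-a") noauth = 1
            # listen values starting with "/" are Unix sockets; anything
            # else (service name, port, host:port) is a TCP listener.
            if (noauth && listen !~ /^\//) { print $1; bad = 1 }
        }
        END { exit bad }
    ' "$1"
}

# Run as a script: sh check.sh /etc/cyrus.conf
if [ -n "${1:-}" ]; then find_unauth_tcp_lmtp "$1"; fi
```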

TCP-socket LMTP sessions should be authenticated as one of the Cyrus LMTP
admins; normal Cyrus users are not enough. This requires Postfix with SASL

Setting up Postfix for LMTP delivery to Cyrus
=============================================

Just set up a transport (either using a transport map, or the default_transport
configuration directive of Postfix). Do not use cyrdeliver.

I suggest that the lmtp transport be duplicated and renamed to cyrus if you
use it to talk to anything else (such as amavisd-new, or amavis-ng). That
way, LMTP connection caching to the Cyrus store gets optimized, and you can
use the lmtp-named LMTP transport for something else.

WARNING: Postfix 2.0 does not downcase the recipient in LMTP deliveries, so if
your users require it, you will have to set lmtp_downcase_rcpt: yes in

For Unix sockets, the Postfix transport is specified as
"lmtp:unix:/var/run/cyrus/socket/lmtp", (we are using the default Cyrus Unix
socket location as an example, you can change it in /etc/cyrus.conf and

You need a Cyrus lmtpd service listening on that socket, of course, so make

  lmtpunix cmd="lmtpd" listen="/var/run/cyrus/socket/lmtp"

is in the SERVICES section of the /etc/cyrus.conf file. You also need to make
sure both Cyrus and Postfix can talk through that socket. Unix sockets work
just like files, so that translates to making sure both the user "cyrus" and
the user Postfix is using for LMTP delivery can both read and write to that

WARNING: Since Cyrus pre-authenticates anything coming through the Unix socket,
anyone who can write to it will be able to inject email into Cyrus directly.

Use dpkg-statoverride to make sure your configuration for the socket
permissions will not be overwritten by the Cyrus packages. Do remember that
Postfix usually runs the LMTP transport as user "postfix" (configurable in
/etc/postfix/master.cf). Also, do not run the Postfix lmtp transport chrooted
if the socket is not inside the chroot.

1. Create an lmtp group:

2. Put user postfix in that group:
   # adduser postfix lmtp

3. Fix the socket directory permissions:
   # dpkg-statoverride --force --update --add \
       cyrus lmtp 750 /var/run/cyrus/socket

4. Restart Postfix and Cyrus IMAPd
   # /etc/init.d/postfix restart
   # /etc/init.d/cyrus2.2 restart
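
An added check, not part of the original README, for the socket permissions set
up in the steps above: the first function verifies the cyrus:lmtp 750 layout on
the socket directory, the second lists members of the group other than the
delivery user. It assumes GNU stat; the function names are illustrative.

```shell
#!/bin/sh
# Added example: audit who can reach the pre-authenticated LMTP socket.
# Defaults mirror the cyrus:lmtp 750 layout from the steps above.

# check_lmtp_socket_dir DIR [OWNER] [GROUP]
# Prints one finding per line; returns 0 when clean, 1 otherwise.
check_lmtp_socket_dir() {
    dir=$1 want_owner=${2:-cyrus} want_group=${3:-lmtp} rc=0
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    # GNU stat: %a = octal mode, %U = owner name, %G = group name
    set -- $(stat -c '%a %U %G' "$dir")
    mode=$1 owner=$2 group=$3
    [ "$owner" = "$want_owner" ] || { echo "owner $owner, expected $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "group $group, expected $want_group"; rc=1; }
    case $mode in
        *0) ;;   # no permission bits for "other"
        *)  echo "mode $mode lets other local users reach the socket"; rc=1 ;;
    esac
    return $rc
}

# unexpected_members GROUP_LINE ALLOWED_USER
# GROUP_LINE is one group(5) record (name:passwd:gid:user,user,...).
# Prints every member other than ALLOWED_USER: each one can inject mail.
unexpected_members() {
    printf '%s\n' "$1" | awk -F: -v ok="$2" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "" && m[i] != ok) print m[i]
    }'
}

# On a live host:
#   check_lmtp_socket_dir /var/run/cyrus/socket
#   unexpected_members "$(getent group lmtp)" postfix
```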

TCP sockets are easier on the Cyrus side, and more complicated on the Postfix
side. For Cyrus, it is enough to have an "lmtpd" service listening on the
desired IP interface (or on all of them, if you leave the interface unspecified
as in the example below), that means something like this in /etc/cyrus.conf

  lmtp cmd="lmtpd" listen="lmtp"

(do note that you MUST have an lmtp entry in /etc/services for this to work).

Also, remember to set the tcpwrapper permissions up (/etc/hosts.allow and
/etc/hosts.deny), or Cyrus might refuse the connections.

To configure Postfix's lmtp transport to authenticate using SASL, do the

1. Configure the lmtp transport SASL layer:
   (add to /etc/postfix/main.cf):
     lmtp_sasl_auth_enable = yes
     lmtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
     lmtp_sasl_security_options =
     lmtp_destination_concurrency_limit = 100
     lmtp_destination_recipient_limit = 0

   The *_limit values should match whatever you configured as limits in
   Cyrus. The above configuration will allow plain text logins.

   Create the password map /etc/postfix/sasl_passwd to tell Postfix
   which Cyrus LMTP administrator user and password to use.

     echo "mycyrusspool.my.domain.org postman:foobar" >sasl_passwd

2. Configure Cyrus to accept that user as an lmtp administrator
   (add to /etc/imapd.conf)

3. Tell Postfix to use the lmtp transport to deliver email using
   transport maps or something else. I suggest making a copy of the
   Postfix lmtp transport in master.cf, renaming it to "cyrus", and

4. Note that to use the new feature of virtual domains in Cyrus v2.2,
   you need to tell Postfix to use the lmtp transport as the
   virtual_transport. If you also want "local" mail recipients, i.e.
   those that are addressed to hosts listed in mydestination, to
   be delivered to Cyrus v2.2, you also need to use lmtp as the