Implementing Cyrus on Redhat with an LDAP backend

Note: It is assumed that you already have an LDAP backend capable of authenticating via uid and userPassword attributes. This does not need to be on the same box as the cyrus imap server. It should have a valid "cyrus" user though.

Using RPMs downloaded from Simon Matter's Website...

• Build from the source RPMs: rpmbuild -ba --target arch cyrus-imapd-2.x.x-x.src.rpm
• Install ALL of the resulting RPMS.
• Note: if you are happy without LDAP authentication, you may skip to the cyradm section below.
• Edit /etc/imapd.conf - ensure sasl_pwcheck_method is set to saslauthd. That's right. EVEN though you will be using pam!
• Edit /etc/sysconfig/saslauthd, and add the line MECH="pam"
• Edit /etc/pam.d/imap (and pop if you wish to run that). It should only contain the following lines:

auth        sufficient   /lib/security/pam_ldap.so
account     sufficient   /lib/security/pam_ldap.so

• Edit /etc/openldap/ldap.conf and add the following lines:
• Note: Please see below regarding whether to modify /etc/openldap/ldap.conf or /etc/ldap.conf

host                 your.ldap.server
base                 ou=Your-Account-Container,dc=your,dc=domain,dc=components
scope                sub
pam_login_attribute  uid

• Ensure saslauthd and cyrus-imapd are set to start at boot time (chkconfig saslauthd on && chkconfig cyrus-imapd on).
• Start both services (service saslauthd start && service cyrus-imapd start).
• That's it - you can now create mailboxes, and auth to them using your LDAP accounts.

Implementing Cyrus 2.1 on Debian Woody with an LDAP backend

This is the same as above, but implemented under Debian Woody instead. Again, make sure there is a cyrus user with a password you can use to run cyradmin

Get the backported cyrus21 debs and dependencies from http://people.debian.org/hmh/ or the cyrus21 debs from sid/unstable.

• install cyrus21-{admin,clients,common,docs,imapd,pop3d}
• install libsasl2-modules libsasl2 sasl2-bin
• Make sure /etc/sasldb2 is readable by group sasl. Pay attention to overrides (dpkg-statoverride)!
• Make sure user cyrus belongs to group sasl (cyrus21-common's install tries to do this automatically for you).
• Note: if you are happy without LDAP authentication, you may skip to the cyradm section below.
• Edit /etc/cyrus.conf and check that the processes you want running are enabled
• Edit /etc/imapd.conf - ensure sasl_pwcheck_method is set to saslauthd. Set the admin user to cyrus. I also suggest enabling plain text logins, and setting sasl_minimum_layer: 0
• Edit /etc/defaults/saslauthd and ensure that START="yes" and MECHANISM="pam" are uncommented
• Edit /etc/pam.d/imap (and pop if you wish to run that). It should only contain the following lines:
  

auth        sufficient   /lib/security/pam_ldap.so
account     sufficient   /lib/security/pam_ldap.so

• Edit /etc/openldap/ldap.conf (SEE NOTE BELOW regarding /etc/openldap/ldap.conf vs. /etc/ldap.conf) and add the following lines:

host                 your.ldap.server
base                 ou=Your-Account-Container,dc=your,dc=domain,dc=components
scope                sub
pam_login_attribute  uid

• Ensure saslauthd and cyrus-imapd are set to start at boot time (update-rc.d cyrus21 defaults && update-rc.d saslauthd defaults)
• Start both services (/etc/init.d/saslauthd start && /etc/init.d/cyrus-imapd start).
• That's it - you can now create mailboxes, and auth to them using your LDAP accounts.

There is a nasty bug regarding Cyrus and SASL on debian woody that can cause a lot of problems. You need to get the deb src, edit debian/rules and remove --with-cyrus-sasl, recompile, and reinstall. Note that this is a bug with cyrus and not ldap/sasl. -- TomHibbert

IMAP Password:
Login failed: generic failure at /usr/lib/perl5/Cyrus/IMAP/Admin.pm line 118

In syslog:

Oct 12 22:57:56 ''server'' perl: No worthy mechs found
Oct 12 22:57:57 ''server'' cyrus/imapd[''number'']:
  cannot connect to saslauthd server: Permission denied

Another thing that tripped me up the second time around is the permissions on /var/run/saslauthd if you're using that as your auth mechanism - just make sure that cyrus can read it and all will be fine -- TomHibbert

The best way to do this IMO is to make a sasl group on your system, make cyrus a member of this group, and give /var/run/saslauthd/ group +x permissions (only needs +x in order to be able to get into the dir, the actual socket on /var/run/saslauthd/mux is world +rwx anyway). This way, if you have other apps that use sasl, you just need to make them members of the sasl group as well and they can also read the socket. This is, AFAIK, the way the debian packages normally handle this -- DanielLawson

I slammed my head against this for some time before figuring out that even though openldap creates /etc/openldap/ldap.conf as it's ldap client default configuration file, other programs aren't looking for that file. They're looking for /etc/ldap.conf. The additions listed above for /etc/openldap/ldap.conf should actually be added to /etc/ldap.conf I figured this out by setting the loglevel on openldap to -1 and watching the conversation while doing a cyradm --user cyrus localhost -- EugeneWood

Here is what I was seeing in /var/log/messages Hopefully someone will catch this page from google with these terms -- EugeneWood

 Sep 20 14:44:35 ''server'' perl: No worthy mechs found
 Sep 20 14:44:37 ''server'' saslauthd[6341]: pam_ldap: ldap_search_s No such object
 Sep 20 14:44:37 ''server'' saslauthd[6341]: do_auth         : auth failure: [user=cyrus]
                 [service=imap] [realm=] [mech=pam] [reason=PAM auth error]

Recovering from accidental deletion of mailspool dir

If you have (stupidly - I did ths!) deleted the cyrus spool directory for a mailbox, you will find you are unable to easily remove the mailbox from the db - cyrus will always think it exists. While I have no reason to believe this will harm anything, it is not a pleasant state to leave things in. I fixed it like this:

1. Copy an existing mailbox spool dir, being careful to preserve the permissions, and name it the same as the one you deleted.
2. Su to the cyrus admin user (ie su cyrus)
3. Run reconstruct -f nameofmailbox (eg /usr/lib/cyrus/bin/reconstruct -f user/mailbox@I.accidentally.trashed).
4. Use the cyradm "sam" command to set the acls on the mailbox so the cyrus user has full rights to it
5. NOW you can use dm to delete the mailbox.
6. Don't do it again! ;)

Getting Sieve working with Cyrus2.1 on Debian Sarge

By Default Cyrus2.1 uses SASL2 based Authentication, which requires the installation of sasl2-bin, but doesn't install libsasl2-modules, which are required for sieve authentication.

Note: see LDAPNotes for more information regarding LDAP under Debian

Setting cyrus to listen for lmtp deliver

Cyrus supports LMTP mail delivery - this is much more efficient than using a delivery program such as deliver, or using procmail. Edit /etc/cyrus.conf and add a SERVICES entry similar to the following (it may already be enabled)

 lmtp          cmd="lmtpd -a" listen="127.0.0.1:lmtp" prefork=0

This will listen for lmtp on the localhost IP. You may wish to use a unix domain socket instead:

 lmtpunix      cmd="lmtpd -a" listen="/var/imap/socket/lmtp" prefork=0

You can now set your MTA to deliver to cyrus via LMTP, by specifying the appropriate address. You'll need to look at the notes for the MTA on how to do this, eg EximNotes, PostfixNotes

Delivering to Cyrus from procmail.

If you happen to be using an MTA that doesn't support LMTP delivery, and you really have to use something like procmail to get the mail from the MTA into cyrus, then you MUST use the deliver program packaged with cyrus. Do not attempt to deliver directly into the cyrus mailspool.

See ProcmailNotes for an example recipe snippet. Or upgrade your MTA to something like exim or postfix.

CategoryMailNotes