Issues configuring cyrus-imapd

David Robillard david.robillard at gmail.com
Mon Dec 3 06:27:31 PST 2007


> Greetings
>
> I'm trying to configure cyrus-imapd on a FreeBSD (6.2) mail server. The
> only guide Google pointed me to is this one, which seems a bit outdated:
>
> http://www.soe.ucsc.edu/~venkat/tutorial1.html
>
> So I tried to follow it, making all the changes I could figure out.
> First, I installed mail/cyrus-imapd23 instead of mail/cyrus-imapd2. The
> first issue came when I su'd to the cyrus user and ran mkimap, where I
> got a permissions problem :
>
>         chown: ./socket/lmtp: Operation not permitted
>
> No big deal, I thought, and just chown'ed /var/imap/socket/lmtp to cyrus
> as root. Everything else went fine, or at least seemed to, until I
> created the password for cyrus using saslpasswd2. No error message, but
> this appears in my auth.log :
>
>         saslpasswd2: sql_select option missing
>         saslpasswd2: auxpropfunc error no mechanism available
>
> And then, when I try to login using the command described in the guide,
> I get :
>
>         Please enter your password:
>         C: L01 LOGIN cyrus {1}
>         S: L01 NO Login only available under a layer
>         Authentication failed. generic failure
>         Security strength factor: 0
>
> And the same thing as before in my auth.log :
>
>         imap[53980]: sql_select option missing
>         imap[53980]: auxpropfunc error no mechanism available
>
> Any help to solve this would be greatly appreciated.
>
> Firas

Hello Firas,

Yes, unfortunately, the documentation on how to set up cyrus-imap is a
bit scarce. That's one of the reasons I would advise you to dump
cyrus-imap in favor of Dovecot. Unless of course you have to use
cyrus-imap for whatever reason. We've switched from cyrus-imap to
dovecot for our small site (~3000+ email accounts) and it's working
like a charm. Just thought I'd let you know about an alternative.

Now, going back to your cyrus-imap problem. It looks like you don't
have any authentication mechanism in place. Have you installed
cyrus-sasl and cyrus-sasl-saslauthd ? If you haven't then you probably
should. That's the way we had it working anyway. Here's my *very*
brief notes on the topic:

1-- Install the cyrus-* ports.

2-- Configure sendmail to use SASLAUTH. These are the lines related to
cyrus in my /etc/mail/`hostname`.mc file

dnl # The AUTH mechanisms. See 24.9.5 as AuthMechanisms.
dnl # For information on SASL, see 3.4.48 and these URL:
dnl # http://www.iana.org/assignments/sasl-mechanisms
dnl # http://www.sendmail.org/~ca/email/mel/SASL_info.html
dnl #
TRUST_AUTH_MECH(`PLAIN LOGIN CRAM-MD5 DIGEST-MD5')dnl
define(`confAUTH_MECHANISMS',`PLAIN LOGIN CRAM-MD5 DIGEST-MD5')dnl

dnl # confLOCAL_MAILER
dnl # Define what is the local MAILER.
dnl
define(`confLOCAL_MAILER', `cyrusv2')dnl

dnl # MAILER
dnl # Setup various mailers.
dnl
MAILER(`cyrusv2')dnl
MAILER(`local')dnl
MAILER(`smtp')dnl


3 -- Make sure imap without SSL is running from
/usr/local/etc/cyrus.conf.  For some weird reason, I can't run cyradm
over TLS.

If you disable imap without SSL, you won't be able to login via
cyradm. That was one problem I had and was not able to fix. So I
used pf to block all comms to the imap port unless it's coming from
the localhost or the admin machines in our LAN.


4 -- Add the cyrus administrator's user & password.

sudo saslpasswd2 cyrus


5 -- Create users. Here you must make sure your
/usr/local/etc/imapd.conf has unixhierarchysep set to no (or
commented out). Otherwise you'll run into trouble if you use usernames
such as david.robillard (i.e. the dot separator).

sudo su - cyrus
cyradm localhost
cyradm> cm user.username
cyradm> exit    # return to user cyrus.


6 -- As the cyrus user, set a password for user username

saslpasswd2 username


7 -- Test the setup using IMAP over SSL.

imtest -v -a username -u username -s localhost


NOTE -- Deleting a Mailbox or Removing a User
NOTE: Administrators do not have delete rights on mailboxes by
default. So you must give yourself the right to do so before trying to
delete the mailbox.

sudo su - cyrus
cyradm localhost

localhost> sam user.johndoe cyrus all
localhost> dm user.johndoe

There, that's about what I can tell you about this. Now you have a few
changes to do in syslog.conf(5). Here's how I've configured mine
(those are the LAST lines in the file)

!saslauthd
*.*                                             /var/log/saslauthd.log
!ctl_cyrusdb
*.*                                             /var/log/cyrus.log
!cyr_expire
*.*                                             /var/log/cyrus.log
!master
*.*                                             /var/log/cyrus.log
!imaps
*.*                                             /var/log/cyrus.log
!lmtpunix
*.*                                             /var/log/cyrus.log
!tls_prune
*.*                                             /var/log/cyrus.log

Then tell newsyslog.conf(5) about these files.

/var/log/saslauthd.log                  640  5     1024  *     J
/var/log/cyrus.log                          640  5     1024  *     J

Of course, you must change rc.conf(5) too:

cyrus_imapd_enable="YES"        # Enable imapd(8).
cyrus_imapd_flags="-d"                # Flags to imapd program.
saslauthd_enable="YES"             # Enable saslauthd(8) (or NO).

If you need more detailed info, I can send you my cyrus.conf(5) and
imapd.conf(5) files. As you can see, it's quite a lot more complicated
than with Dovecot :)

HTH,

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
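
The pf restriction described in step 3 of the message above, as an added example that is not part of David's message or his actual ruleset. The interface name and the admin addresses (taken from the RFC 5737 documentation range) are assumptions to replace with your own.

```conf
# /etc/pf.conf fragment (added example; names and addresses are assumptions)
ext_if = "em0"                                         # assumed LAN-facing interface
table <imap_admins> const { 192.0.2.10, 192.0.2.11 }   # constructed admin hosts

# Leave loopback unfiltered so cyradm run on the server itself still reaches 143.
set skip on lo0

# pf applies the last matching rule: block plaintext IMAP first,
# then re-open it only for the admin machines.
block in log on $ext_if proto tcp from any to any port 143
pass  in     on $ext_if proto tcp from <imap_admins> to any port 143 flags S/SA keep state
```

Check the syntax with pfctl -nf /etc/pf.conf before loading the ruleset with pfctl -f /etc/pf.conf.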

