Issues configuring cyrus-imapd
David Robillard
david.robillard at gmail.com
Mon Dec 3 06:27:31 PST 2007
> Greetings
>
> I'm trying to configure cyrus-imapd on a FreeBSD (6.2) mail server. The
> only guide Google pointed me to is this one, which seems a bit outdated:
>
> http://www.soe.ucsc.edu/~venkat/tutorial1.html
>
> So I tried to follow it, making all the changes I could figure out.
> First, I installed mail/cyrus-imapd23 instead of mail/cyrus-imapd2. The
> first issue came when I su'd to the cyrus user and ran mkimap, where I
> got a permissions problem :
>
> chown: ./socket/lmtp: Operation not permitted
>
> No big deal, I thought, and just chown'ed /var/imap/socket/ltmp to cyrus
> as root. Everything else went fine, or at least seemed to, until I
> created the password for cyrus using saslpasswd2. No error message, but
> this appears in my auth.log :
>
> saslpasswd2: sql_select option missing
> saslpasswd2: auxpropfunc error no mechanism available
>
> And then, when I try to login using the command described in the guide,
> I get :
>
> Please enter your password:
> C: L01 LOGIN cyrus {1}
> S: L01 NO Login only available under a layer
> Authentication failed. generic failure
> Security strength factor: 0
>
> And the same thing as before in my auth.log :
>
> imap[53980]: sql_select option missing
> imap[53980]: auxpropfunc error no mechanism available
>
> Any help to solve this would be greatly appreciated.
>
> Firas

Hello Firas,

Yes, unfortunately, the documentation on how to set up cyrus-imap is a
bit scarce. That's one of the reasons I would advise you to dump
cyrus-imap in favor of Dovecot. Unless of course you have to use
cyrus-imap for whatever reason. We've switched from cyrus-imap to
dovecot for our small site (~3000+ email accounts) and it's working
like a charm. Just thought I'd let you know about an alternative.

Now, going back to your cyrus-imap problem. It looks like you don't
have any authentication mechanism in place. Have you installed
cyrus-sasl and cyrus-sasl-saslauthd? If you haven't then you probably
should. That's the way we had it working anyway. Here are my *very*
brief notes on the topic:

1 -- Install the cyrus-* ports.

2 -- Configure sendmail to use SASLAUTH. These are the lines related to
cyrus in my /etc/mail/`hostname`.mc file

dnl # The AUTH mechanisms. See 24.9.5 as AuthMechanisms.
dnl # For information on SASL, see 3.4.48 and these URL:
dnl # http://www.iana.org/assignments/sasl-mechanisms
dnl # http://www.sendmail.org/~ca/email/mel/SASL_info.html
dnl #
TRUST_AUTH_MECH(`PLAIN LOGIN CRAM-MD5 DIGEST-MD5')dnl
define(`confAUTH_MECHANISMS',`PLAIN LOGIN CRAM-MD5 DIGEST-MD5')dnl

dnl # confLOCAL_MAILER
dnl # Define what is the local MAILER.
dnl
define(`confLOCAL_MAILER', `cyrusv2')dnl

dnl # MAILER
dnl # Setup various mailers.
dnl
MAILER(`cyrusv2')dnl
MAILER(`local')dnl
MAILER(`smtp')dnl

3 -- Make sure imap without SSL is running from
/usr/local/etc/cyrus.conf. For some weird reason, I can't run cyradm
over TLS.

If you disable imap without SSL, you won't be able to login via
cyradm. That was one problem I had and was not able to fix this. So I
used pf to block all comms to the imap port unless it's coming from
the localhost or the admin machines in our LAN.

4 -- Add the cyrus administrator's user & password.

sudo saslpasswd2 cyrus

5 -- Create users. Here you must make sure your
/usr/local/etc/imapd.conf has unixhierarchysep set to no (or
commented out). Otherwise you'll run into trouble if you use usernames
such as david.robillard (i.e. the dot separator).

sudo su - cyrus
cyradm localhost
cyradm> cm user.username
cyradm> exit # return to user cyrus.

6 -- As the cyrus user, set a password for user username

saslpasswd2 username

7 -- Test the setup using IMAP over SSL.

imtest -v -a username -u username -s localhost

NOTE -- Deleting a Mailbox or Removing a User

NOTE: Administrators do not have delete rights on mailboxes by
default. So you must give yourself the right to do so before trying to
delete the mailbox.

sudo su - cyrus
cyradm localhost
localhost> sam user.johndoe cyrus all
localhost> dm user.johndoe

There, that's about what I can tell you about this. Now you have a few
changes to do in syslog.conf(5). Here's how I've configured mine
(those are the LAST lines in the file)

!saslauthd
*.* /var/log/saslauthd.log
!ctl_cyrusdb
*.* /var/log/cyrus.log
!cyr_expire
*.* /var/log/cyrus.log
!master
*.* /var/log/cyrus.log
!imaps
*.* /var/log/cyrus.log
!lmtpunix
*.* /var/log/cyrus.log
!tls_prune
*.* /var/log/cyrus.log

Then tell newsyslog.conf(5) about these files.

/var/log/saslauthd.log 640 5 1024 * J
/var/log/cyrus.log 640 5 1024 * J

Of course, you must change rc.conf(5) too:

cyrus_imapd_enable="YES" # Enable imapd(8).
cyrus_imapd_flags="-d" # Flags to imapd program.
saslauthd_enable="YES" # Enable saslauthd(8) (or NO).

If you need more detailed info, I can send you my cyrus.conf(5) and
imapd.conf(5) files. As you can see, it's quite a lot more complicated
than with Dovecot :)

HTH,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
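
An added example, not part of David's message and not the Cyrus project's code: step 3 above keeps a non-SSL `imap` listener running and relies on pf to restrict it, so this Python sketch parses the SERVICES section of a cyrus.conf(5) and lists the imapd listeners that are neither started with `-s` nor bound to loopback, i.e. the ones a packet filter has to cover. The sample file contents and all function names are constructed for illustration.

```python
import re
import shlex

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample in cyrus.conf(5) syntax, not the poster's real file.
SAMPLE_CYRUS_CONF = """
START {
  recover   cmd="ctl_cyrusdb -r"
}
SERVICES {
  imap      cmd="imapd"    listen="imap"           prefork=0  # for cyradm
  imaps     cmd="imapd -s" listen="imaps"          prefork=0
  imaplocal cmd="imapd"    listen="127.0.0.1:143"  prefork=0
  lmtpunix  cmd="lmtpd"    listen="/var/imap/socket/lmtp" prefork=0
}
"""

def services(conf_text):
    """Yield (name, options) for each entry of the SERVICES { } section."""
    section = re.search(r"SERVICES\s*\{(.*?)\}", conf_text, re.S)
    for line in (section.group(1).splitlines() if section else []):
        line = line.split("#", 1)[0].strip()   # drop comments
        if line:
            name, *rest = shlex.split(line)    # keeps cmd="imapd -s" together
            yield name, dict(t.split("=", 1) for t in rest if "=" in t)

def listen_host(listen):
    """Host part of listen=: '' means all interfaces, None a UNIX socket."""
    if listen.startswith("/"):
        return None
    if listen.startswith("["):                 # [ipv6]:port form
        return listen[1:listen.index("]")]
    host, sep, _port = listen.rpartition(":")
    return host if sep else ""

def exposed_plain_imap(conf_text):
    """imapd listeners without -s that are reachable from off-host."""
    hits = []
    for name, opts in services(conf_text):
        argv = opts.get("cmd", "").split()
        listen = opts.get("listen", "")
        if not argv or argv[0] != "imapd" or "-s" in argv[1:]:
            continue
        host = listen_host(listen)
        if host is not None and host not in LOOPBACK:
            hits.append((name, listen))
    return hits

if __name__ == "__main__":
    for name, listen in exposed_plain_imap(SAMPLE_CYRUS_CONF):
        print(f"{name}: listen={listen} is plaintext-capable off-host; filter it")
```

Each entry it reports is a port that needs a matching packet-filter rule limiting it to localhost and the admin machines, as described in step 3.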