    make install

Be sure that the server programs ended up in the directory specified by "--with-cyrus-prefix" (by default, "/usr/cyrus/bin").
    mv syslogd /etc/syslogd
    mv syslog.conf /etc/syslog.conf

If you do not copy the "syslog/syslog.conf" file to the "/etc" directory, be sure to add support for "local6.debug". The file should include a line like:
    local6.debug    /var/log/imapd.log

You probably also want to log SASL messages with a line like:
    auth.debug    /var/log/auth.log

After installation and testing, you probably want to change the ".debug" component to something a little less verbose. Create the log files:
    touch /var/log/imapd.log /var/log/auth.log
    configdirectory: /var/imap
    partition-default: /var/spool/imap
    admins: curtj abell
    sasl_pwcheck_method: passwd

For a description of all the fields in this file, see the imapd.conf(5) man page. (Note that this file also exports values to libsasl, the most important of them being the pwcheck_method. In this example, users are authenticated via the getpwnam() call.)
READ THE imapd.conf(5) MAN PAGE. There are options in there that you will want to know about and default behavior that you may not like.
Note that everyday users should not be administrators. Admins have powers not granted to regular users, and while the server allows them to receive mail, some problems will occur if admins are used as regular users. You also should not read mail as an administrator. You should have separate accounts for reading mail and for administering the server.
This document uses the configuration directory "/var/imap" in its examples. This directory should be owned by the cyrus user and group and should not permit access to other users.
    cd /var
    mkdir imap
    chown cyrus imap
    chgrp mail imap
    chmod 750 imap
This document uses a default partition directory of "/var/spool/imap" in the following example:
    cd /var/spool
    mkdir imap
    chown cyrus imap
    chgrp mail imap
    chmod 750 imap

The partition directory is similar in concept to /var/spool/news. It is where the mailboxes are stored. Unlike most netnews systems, Cyrus allows you to have more than one partition. Do not use the string "news" as a partition name, as it is reserved for netnews.
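The imapd.conf fields above and the rule that admins must not double as everyday mail users can be checked mechanically. The following is an added example, not code from the Cyrus distribution; the configuration text and the list of mailbox owners are constructed to mirror the sample above, and the "option: value" parsing is this example's own.

```python
import re

# Constructed sample mirroring the imapd.conf shown above (not a real file).
SAMPLE_IMAPD_CONF = """\
# /etc/imapd.conf (constructed sample)
configdirectory: /var/imap
partition-default: /var/spool/imap
admins: curtj abell
sasl_pwcheck_method: passwd
"""

# Constructed: owners of the user/* mailboxes on the default partition.
SAMPLE_MAILBOX_USERS = ["abell", "jdoe", "mmiller"]

# imapd.conf is one "option: value" per line; lines starting with "#" are comments.
OPTION_RE = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*:\s*(.*?)\s*$")


def parse_imapd_conf(text):
    """Return {option: value}; if an option repeats, the last line is kept."""
    options = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = OPTION_RE.match(line)
        if m:
            options[m.group(1)] = m.group(2)
    return options


def check_imapd_conf(options, mailbox_users):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    for name in ("configdirectory", "partition-default", "admins", "sasl_pwcheck_method"):
        if name not in options:
            findings.append("missing option: %s" % name)
    # Admins have powers regular users lack, and reading mail as an admin causes
    # problems, so an admin name must not also be a mailbox owner.
    admins = set(options.get("admins", "").split())
    for user in sorted(admins & set(mailbox_users)):
        findings.append("admin %r also owns a mailbox; use a separate account for mail" % user)
    # TLS needs both the certificate and the key (they may be the same PEM file).
    if ("tls_cert_file" in options) != ("tls_key_file" in options):
        findings.append("tls_cert_file and tls_key_file must both be set")
    return findings


if __name__ == "__main__":
    for finding in check_imapd_conf(parse_imapd_conf(SAMPLE_IMAPD_CONF), SAMPLE_MAILBOX_USERS):
        print(finding)
```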
    cd /usr
    mkdir sieve
    chown cyrus sieve
    chgrp mail sieve
    chmod 750 sieve
    su cyrus
    tools/mkimap
    exit

If Perl is not available, it should be easy (but time consuming) to create these directories by hand.
    cd /var/imap
    chattr +S user quota user/* quota/*
    chattr +S /var/spool/imap /var/spool/imap/*

Also set the queue directory of the mail daemon to update synchronously. The following example is for sendmail:
    chattr +S /var/spool/mqueue
    pop3      110/tcp
    imap      143/tcp
    imsp      406/tcp
    acap      674/tcp
    imaps     993/tcp
    pop3s     995/tcp
    kpop      1109/tcp
    sieve     2000/tcp
    lmtp      2003/tcp
    fud       4201/udp
To use normal.conf, do:
    cp master/conf/normal.conf /etc/cyrus.conf
Optionally, you can edit /etc/cyrus.conf to disable or enable certain services, or to tune the number of preforked copies. Be sure not to remove the entries that are labeled required.
    /usr/cyrus/bin/master &
In order to deliver mail to the Cyrus system, you'll have to configure your MTA (usually Sendmail) appropriately.
The interface between the MTA and Cyrus has changed in Cyrus version 2, so take care when using older Sendmails.
    cd /var/spool
    mkdir imap-news
    chown cyrus imap-news
    chgrp mail imap-news
    chmod 750 imap-news
    partition-news: /var/spool/imap-news
    newsspool: /var/spool/news
    collectnews!:*:Tf,WO:collectnews
Transport Layer Security (TLS) is a standardized version of the Secure Sockets Layer (SSL v3) standard. IMAP can make use of two different versions of TLS/SSL: STARTTLS and an SSL-wrapped session.
In STARTTLS, a client connects to the IMAP port as normal and then issues the STARTTLS command, which begins a TLS negotiation. This is currently supported by the Cyrus IMAP server when it is compiled with OpenSSL.
The alternative, an SSL-wrapped connection, involves the client connecting to a separate port ("imaps") and negotiating an SSL session before starting the IMAP protocol. Again, this is supported natively by the Cyrus IMAP server when it is compiled with OpenSSL.
Both TLS and SSL require a server key and a certificate. Optionally, in addition to establishing a secure connection, TLS can authenticate the client.
OpenSSL requires the certificate and key in PEM format. You can create the server's private key and certificate yourself using OpenSSL. Here, we create a self-signed certificate and key for the machine "foobar.andrew.cmu.edu" and put both the certificate and key in the file "/var/imap/server.pem".
Please do not blindly enter the information shown below into OpenSSL. Instead, enter the appropriate information for your organization (i.e. NOT Carnegie Mellon University for the Organization Name, etc.).
    openssl req -new -x509 -nodes -out /var/imap/server.pem -keyout /var/imap/server.pem -days 365
    Using configuration from /usr/local/lib/openssl/openssl.cnf
    Generating a 1024 bit RSA private key
    .............+++++
    ......................+++++
    writing new private key to '/var/imap/server.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Pennsylvania
    Locality Name (eg, city) []:Pittsburgh
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Carnegie Mellon University
    Organizational Unit Name (eg, section) []:Andrew Systems Group
    Common Name (eg, YOUR name) []:foobar.andrew.cmu.edu
    Email Address []:
    tls_cert_file: /var/imap/server.pem
    tls_key_file: /var/imap/server.pem
If you have a Certificate Authority (CA), you may wish to generate a certificate request and send it to be signed by your CA.
    imtest -t "" foobar.andrew.cmu.edu
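Beyond imtest, a client can exercise both modes described above, STARTTLS on the IMAP port and the SSL-wrapped imaps port, while verifying the server certificate. This is an added example using Python's standard imaplib and ssl modules, not code from Cyrus; the host name and the path to server.pem are the assumed values from the examples above, and the self-signed server.pem is usable as the trust-anchor file because it signed itself.

```python
import imaplib
import ssl

IMAP_PORT = 143    # STARTTLS: plain connection, upgraded in-band
IMAPS_PORT = 993   # SSL-wrapped: TLS is negotiated before any IMAP traffic


def make_client_context(ca_file):
    """Build a client context that verifies the server against ca_file.

    For the self-signed server.pem generated above, pass that file as ca_file:
    the certificate signed itself, so it is its own trust anchor.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0 and 1.1
    ctx.verify_mode = ssl.CERT_REQUIRED           # the default; stated explicitly
    ctx.check_hostname = True                     # CN/SAN must match the host we dial
    return ctx


def connect_starttls(host, ca_file, port=IMAP_PORT):
    """STARTTLS mode: connect to the IMAP port, then upgrade before any LOGIN."""
    conn = imaplib.IMAP4(host, port)
    # imaplib raises IMAP4.abort if the server did not advertise STARTTLS,
    # which is what we want: never fall back to a cleartext login.
    conn.starttls(ssl_context=make_client_context(ca_file))
    return conn


def connect_imaps(host, ca_file, port=IMAPS_PORT):
    """SSL-wrapped mode: TLS first on the imaps port, then the IMAP protocol."""
    return imaplib.IMAP4_SSL(host, port, ssl_context=make_client_context(ca_file))


if __name__ == "__main__":
    # Assumed host name and certificate path from the examples above.
    conn = connect_starttls("foobar.andrew.cmu.edu", "/var/imap/server.pem")
    print(conn.capability())
    conn.logout()
```

A certificate whose Common Name does not match the host you connect to fails the check_hostname test, which is the client-side counterpart of entering the right Common Name in the openssl prompt above.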
Client certificates are somewhat harder to configure than server certificates. You'll need a CA (certificate authority) and need to generate client certificates signed by that CA. STARTTLS in Sendmail and other MTAs has similar problems, so Claus Assmann's page is a good reference.
You can use the self-signed certificate generated above as a CA for client certificates. To do this, try the following:
TODO: write me!
Unfortunately, there's no standard on how to convert the client's authenticated DN (distinguished name) to a SASL authentication name.