====== [[http://www.cyrusimap.org/|Cyrus IMAP Server]] ======

  * [[http://wiki2.dovecot.org/Pigeonhole/Sieve/Examples|Sieve Examples]]

===== User mailbox migration for Cyrus =====

Convert the flat-file databases to skiplist format, create the SASL users and recreate the mailbox hierarchy from the spool directory (the first loop only prints the ''cvt_cyrusdb'' commands so they can be reviewed before running):

<code bash>
for db in deliver.db mailboxes.db; do
    echo "cvt_cyrusdb /var/lib/cyrus/$db.flat flat /var/lib/cyrus/$db skiplist"
done

saslpasswd2 cyrus
saslpasswd2 dmitry

cyradm --user dmitry localhost

# Run from inside the user's spool directory so that "find ." yields "./Sent",
# "./Sent/2010", ... and "cut -c3-" strips the leading "./"; the result is a
# list of cyradm "cm" commands for the same hierarchy under INBOX.
cd /var/spool/cyrus/mail/d/user/dmitry && find . -mindepth 1 -type d | sort | cut -c3- | tr "/" "." | while read dir; do
    echo "cm \"INBOX.$dir\""
done
</code>

Also read [[http://cynici.wordpress.com/2010/12/06/how-to-migrate-32-bit-cyrus-imapd-mailboxes-to-64-bit|How to migrate 32-bit Cyrus IMAPD mailboxes to 64-bit]] and ''/usr/share/doc/cyrus-common-2.2/README.Debian.database.gz''.

===== Questions answered =====

=== Cyrus sieve does not want to accept SASL PLAIN authentication with "auxprop" ''sasl_pwcheck_method'' ===

Cyrus sieve does not want to accept SASL PLAIN authentication with ''sasl_pwcheck_method: auxprop''. In the cron log:

<code>
cyrus/sieve: badlogin: PLAIN no mechanism available
</code>

Install the package ''libsasl2-modules'' and check that the following libraries are present:

<code>
/usr/lib/sasl2/libplain.so
/usr/lib/sasl2/liblogin.so
</code>

Also check the output of ''sivtest'':

<code>
$ sivtest
WARNING: no hostname supplied, assuming localhost
S: "IMPLEMENTATION" "Cyrus timsieved v2.2.10"
S: "SASL" "PLAIN"
S: "SIEVE" "fileinto reject envelope vacation imapflags notify subaddress relational comparator-i;ascii-numeric regex"
S: OK
Please enter your password:
C: AUTHENTICATE "PLAIN" {20+}
xGbXAyRKeQB1drtjUmc5
S: OK
Authenticated.
Security strength factor: 0
</code>

=== How to configure Cyrus+Postfix+SASL? ===

Cyrus should be configured as follows((For more information check [[http://www.sendmail.org/~ca/email/cyrus2/sysadmin.html|here]])):

<code>
allowanonymouslogin: no
allowplaintext: no
sasl_mech_list: PLAIN
sasl_pwcheck_method: saslauthd
sasl_auto_transition: no
</code>

For the Cyrus+Postfix connection we need to make sure that Postfix can negotiate with Cyrus via a UNIX socket.
I tried to remount the socket with ''mount %%--%%bind /var/run/cyrus/socket/lmtp /var/spool/postfix/private/lmtp'' with no success. The following comes in the cron log:

<code>
postfix/local: warning: unexpected end-of-input from private/lmtp socket while reading input attribute name
postfix/local: warning: private/lmtp socket: malformed response
</code>

The configuration worked when we ran lmtp **not** in the chrooted environment. In ''/etc/postfix/master.cf'':

<code>
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
lmtp      unix  -       -       n       -       -       lmtp
</code>

Then in ''/etc/postfix/main.cf'':

<code>
mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp
</code>

----

Another possibility is to bind-mount the complete directory holding the Cyrus socket into the Postfix chroot. The same is done for the ''saslauthd'' socket:

<code bash>
mkdir -p /var/spool/postfix/var/run/saslauthd
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
mkdir -p /var/spool/postfix/var/run/cyrus
dpkg-statoverride --add cyrus mail 710 /var/spool/postfix/var/run/cyrus
</code>

and the corresponding ''/etc/fstab'' entries:

<code>
/var/run/saslauthd  /var/spool/postfix/var/run/saslauthd  none  bind  0  0
/var/run/cyrus      /var/spool/postfix/var/run/cyrus      none  bind  0  0
</code>

Or configure Cyrus and ''saslauthd'' to create their sockets inside the Postfix chrooted environment. ''saslauthd'' is configured via the ''/etc/saslauthd.conf'' configuration file. For Postfix((See more information [[http://www.postfix.org/SASL_README.html|here]], [[http://www.greens.org/~cls/linux/howtos/smtp-auth-saslauthd.html|here]] and [[http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html#d0e1860|here]]. Also refer to ''/usr/share/doc/sasl2-bin/README.Debian.gz'' and ''/usr/share/doc/postfix/README.Debian''.)) the following goes into ''/etc/postfix/main.cf'' (note that the server-side option is ''smtpd_sasl_security_options'', not the client-side ''smtp_sasl_security_options''):

<code>
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp
</code>

and into Postfix's SASL configuration (''/etc/postfix/sasl/smtpd.conf'' on Debian):

<code>
pwcheck_method: saslauthd
mech_list: plain login
</code>

To test the SMTP server with ''STARTTLS'' use the following command((Taken from [[http://qmail.jms1.net/test-auth.shtml|here]])):

<code bash>
openssl s_client -starttls smtp -quiet -crlf -connect localhost:25
</code>

If you get this message:

<code>
535 5.7.8 Error: authentication failed: another step is needed in authentication
</code>

the realm which Postfix uses does not match the SASL one. Make sure that ''smtpd_sasl_local_domain'' has the correct value.

=== How to setup SASL LDAP authentication without ''saslauthd'' daemon (only using the module)? ===

  * ''apt-get install libsasl2-modules-ldap'' or install the following [[http://southbrain.com/south/2008/06/writing-a-cyrus-sasl-ldap-auxp.html|alternative ldap module]].
  * A special user should be added to LDAP:

<code>
dn: cn=sasluser,cn=centurion
objectclass: person
objectclass: extensibleObject
cn: sasluser
sn: sasluser
uid: sasluser
userPassword: secret
authzTo: ldap:///cn=persons,cn=centurion??one?(objectClass=mailAccount)
</code>

  * LDAP should be configured to store passwords as plain text and to enable authentication forwarding:

<code>
olcPasswordHash: {CLEARTEXT}
olcAuthzPolicy: to
olcAuthzRegexp: uid=(.*),cn=.*,cn=auth ldap:///cn=persons,cn=centurion??one?(&(objectclass=mailAccount)(uid=$1))
</code>

  * Read the following articles about how to set up Cyrus to use LDAP authentication via the LDAP proxy mechanism:
    * [[http://www.postfix.ru/viewtopic.php?p=774|postfix ldap cyrus-imap]]
    * [[http://www.mail-archive.com/cyrus-sasl@lists.andrew.cmu.edu/msg00105.html|Can't get SASL Authentication to work]]
    * [[http://bgbilling.ru/v4.3/doc/ch12s04.html|Building a mail system with Exim + Cyrus + OpenLDAP on FreeBSD]]
    * [[http://www.irbs.net/internet/cyrus-sasl/0505/0119.html|Security of authorization proxy password in imapd.conf file]]
    * [[http://www.mail-archive.com/info-cyrus@lists.andrew.cmu.edu/msg32662.html|groups, members, LDAP and ptloader]]
    * [[http://www.mail-archive.com/cyrus-sasl@lists.andrew.cmu.edu/msg00109.html|Can't get SASL Authentication to work]]
    * [[http://cyrusimap.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=8425|Sponsoring a canon_user plugin for LDAP lookup]]
    * [[http://lists.andrew.cmu.edu/pipermail/info-cyrus/2004-March/007781.html|Cyrus IMAP 2.2.3 & ldapdb auxprop]]
    * [[http://osdir.com/ml/security.cyrus.sasl/2006-10/msg00001.html|Cyrus IMAPd → SASL auxprop-plugin: ldapdb]]
    * [[https://www.mail-archive.com/info-cyrus@lists.andrew.cmu.edu/msg39405.html|Cyrus-Imap and auxprop ldap]]
    * [[http://postfix.state-of-mind.de/patrick.koetter/surviving_cyrus_sasl.pdf|Surviving Cyrus SASL]]
    * [[http://lists.andrew.cmu.edu/pipermail/info-cyrus/2010-November/034155.html|Problems testing cyrus imap server (cyrus sasl + ldapdb plugin)]]
    * [[http://wiki.linuxwall.info/doku.php/en:ressources:dossiers:postfix:sasl_ldapdb|Postfix AUTH using SASL and LDAPDB]]
    * [[http://www.redhat.com/archives/rhl-list/2005-December/msg02649.html|LDAP + Cyrus IMAP + Postfix on FC4]]
    * [[http://osdir.com/ml/security.cyrus.sasl/2006-04/msg00053.html|ldapdb: error: invalid parameter supplied]]
    * [[http://www.openldap.org/doc/admin24/sasl.html|Using SASL]]

After installation of the module the following popped up in the logs:

<code>
slapd[840]: auxpropfunc error invalid parameter supplied
slapd[840]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
slapd[840]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
slapd[840]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
cyrus/lmtpunix[27973]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
cyrus/lmtpunix[27973]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
</code>

=== [[serverfault>511083|TLS server engine: cannot load cert/key data]] ===

Check that the key (PEM) is readable by the ''cyrus'' user (e.g. make it readable by group ''mail'').

=== Cyrus ''STARTTLS'' does not work ===

When Cyrus is configured to support ''STARTTLS'' I get the following error message:

<code>
cyrus/imap: error initializing TLS
cyrus/imap: TLS server engine: cannot load CA data
cyrus/imap: unable to get certificate from '/etc/ssl/server/server.pem'
cyrus/imap: TLS server engine: cannot load cert/key data, may be a cert/key mismatch?
cyrus/imap: error initializing TLS
</code>

Make sure that you've concatenated the certificate and the private key:

<code bash>
cat /etc/ssl/server/server.key >> /etc/ssl/server/server.pem
rm /etc/ssl/server/server.key
</code>

Also test ''STARTTLS'' with the following command:

<code>
$ imtest -t "" -p imap
WARNING: no hostname supplied, assuming localhost
S: * OK centurion.domain.com IMAP4 v1.2 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS LOGINDISABLED
S: C01 OK Completed
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN SASL-IR
S: C01 OK Completed
Please enter your password:
C: A01 AUTHENTICATE PLAIN A2asaXRyeQe1ZmtRbmzy
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256
C: Q01 LOGOUT
S: BYE LOGOUT received
S: Q01 OK Completed
</code>

or the alternative one:

<code>
$ openssl s_client -starttls imap -host localhost:143
CONNECTED(00000003)
depth=1 /CN=Dmitry Katsubo Root/O=Dmitry Katsubo Personal Certificate/C=BY/L=Minsk
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=centurion.domain.com/O=Centurion Server/C=NL/L=Amsterdam
   i:/CN=Dmitry Katsubo Root/O=Dmitry Katsubo Personal Certificate/C=BY/L=Minsk
 1 s:/CN=Dmitry Katsubo Root/O=Dmitry Katsubo Personal Certificate/C=BY/L=Minsk
   i:/CN=Dmitry Katsubo Root/O=Dmitry Katsubo Personal Certificate/C=BY/L=Minsk
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDQjCCAioCCQCwdYxxfBYD7DANBgkqhkiG9w0BAQUFADBpMRwwGgYDVQQDExNE
bWl0cnkgS2F0c3VibyBSb290MSwwKgYDVQQKEyNEbWl0cnkgS2F0c3VibyBQZXJz
CBDQvF1N1GwfzqMmpZdQTPeRoFgPqw==
-----END CERTIFICATE-----
---
SSL handshake has read 21792 bytes and written 485 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: A4487C0E1F9E242867C4F33F59711EDF618C27CA6431D20D2FE40AAC9505ADC9
    Session-ID-ctx:
    Master-Key: AB340216CC22A72BDB431BBAA56FD31198438EC15569CB0123A36ADA6D26F5FE9B24D4617EDA50F9E6FD3FA36C20F6F2
    Key-Arg   : None
    Start Time: 1291335267
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
. OK Completed
</code>

The verify return code 19 only says that the chain ends in a self-signed root that ''openssl'' does not trust by default; it does not indicate a problem with the server certificate or key themselves.

{{tag>Cyrus IMAP Postfix LDAP mail}}
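Two of the checks above are easy to get wrong by hand: confirming that the certificate and key inside the concatenated ''server.pem'' really belong together (the "cannot load cert/key data, may be a cert/key mismatch?" error) and keeping that file readable by ''cyrus'' but not by everyone, plus reading the base64 blob that ''sivtest''/''imtest'' send after ''AUTHENTICATE PLAIN''. The script below is an added example and not code from this page or from the Cyrus project; the function names and the example file path are this example's own choices, and it assumes GNU coreutils (''base64'', ''find'') and the ''openssl'' command-line tool are installed.

```shell
#!/bin/sh
# Added example (not from the original page): shell helpers for the cert/key
# and SASL PLAIN checks described above. Function names and paths are this
# example's own choices; assumes GNU coreutils and the openssl CLI.

# Build the SASL PLAIN initial response (RFC 4616: authzid NUL authcid NUL
# password, base64-encoded), i.e. the blob imtest/sivtest send after
# "AUTHENTICATE PLAIN". An empty authzid means "act as the authenticated user".
sasl_plain_token() {
    # $1 = login name (authcid), $2 = password
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# Split a PLAIN token from a captured test transcript back into
# "authzid authcid" (the password is deliberately not printed).
# NULs become newlines so a POSIX shell can read the fields.
sasl_plain_fields() {
    printf '%s' "$1" | base64 -d | tr '\0' '\n' | {
        read -r authzid
        read -r authcid
        printf '%s %s\n' "$authzid" "$authcid"
    }
}

# Verify that the certificate and private key in a PEM file belong together.
# Cyrus logs "cannot load cert/key data, may be a cert/key mismatch?" when they
# do not. With one argument the file is the concatenated server.pem built
# above (openssl picks the first certificate and the first private key out of
# it); a second argument names a separate key file.
# Returns 0 on match, 1 on mismatch, 2 when either file cannot be parsed.
cert_key_match() {
    cert="$1"
    key="${2:-$1}"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# The combined PEM must be readable by the cyrus user (e.g. via group mail)
# but not by the world, because it now contains the private key.
# Returns 0 when the "other" read bit (mode 0004) is clear.
key_not_world_readable() {
    [ -z "$(find "$1" -prune -perm -004)" ]
}

# Usage: sh cyrus-checks.sh /etc/ssl/server/server.pem
if [ "$#" -eq 1 ]; then
    if cert_key_match "$1"; then
        echo "cert/key: match"
    else
        echo "cert/key: MISMATCH or unreadable"
    fi
    if key_not_world_readable "$1"; then
        echo "permissions: ok"
    else
        echo "permissions: world-readable"
    fi
fi
```

''sasl_plain_token dmitry secret'' produces the same kind of blob that appears on the ''AUTHENTICATE PLAIN'' line of the transcripts above, which is convenient for scripting a login test over ''openssl s_client -starttls''; ''sasl_plain_fields'' goes the other way so a transcript can be checked for the expected login name without exposing the password in a shell history or ticket.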