Cyrus IMAP Server

User mailbox migration for Cyrus 

for db in deliver.db mailboxes.db; do echo "cvt_cyrusdb /var/lib/cyrus/$db.flat flat /var/lib/cyrus/$db skiplist"; done
saslpasswd2 cyrus
saslpasswd2 dmitry
cyradm --user dmitry localhost
find /var/spool/cyrus/mail/d/user/dmitry -type d | sort | cut -c3- | tr "/" "." | while read dir; do echo "cm \"INBOX.$dir\""; done

Also read How to migrate 32-bit Cyrus IMAPD mailboxes to 64-bit and /usr/share/doc/cyrus-common-2.2/README.Debian.database.gz.

Questions answered

Cyrus sieve does not want to accept SASL PLAIN authentication with “auxprop” sasl_pwcheck_method

Cyrus sieve does not want to accept SASL PLAIN authentication with sasl_pwcheck_method: auxprop. In cron log:
cyrus/sieve: badlogin: PLAIN no mechanism available

Install the package libsasl2-modules, check the following libraries are present:
/usr/lib/sasl2/libplain.so
/usr/lib/sasl2/liblogin.so

Also check the output of sivtest: 

$ sivtest
WARNING: no hostname supplied, assuming localhost

S: "IMPLEMENTATION" "Cyrus timsieved v2.2.10"
S: "SASL" "PLAIN"
S: "SIEVE" "fileinto reject envelope vacation imapflags notify subaddress relational comparator-i;ascii-numeric regex"
S: OK
Please enter your password:
C: AUTHENTICATE "PLAIN" {20+}
xGbXAyRKeQB1drtjUmc5
S: OK
Authenticated.
Security strength factor: 0

How to configure Cyrus+Postfix+SASL?

Cyrus should be configured as following1):

/etc/imapd.conf

allowanonymouslogin: no
allowplaintext: no
sasl_mech_list: PLAIN
sasl_pwcheck_method: saslauthd
sasl_auto_transition: no

For Cyrus+Postfix connection we need to make sure that Postfix can negotiate with Cyrus via UNIX socket. I tried to remount the socket with mount --bind /var/run/cyrus/socket/lmtp /var/spool/postfix/private/lmtp with no success. The following comes in cron log: 

postfix/local: warning: unexpected end-of-input from private/lmtp socket while reading input attribute name
postfix/local: warning: private/lmtp socket: malformed response

The configuration worked in case when we run lmtp not in chrooted environment. In /etc/postfix/master.cf: 

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
lmtp      unix  -       -       n       -       -       lmtp

Then in /etc/postfix/main.cf: 

mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp

Another possibility is to mount the complete directory with Cyrus socket. The same will be done for saslauthd socket: 

mkdir -p /var/spool/postfix/var/run/saslauthd
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd

mkdir -p /var/spool/postfix/var/run/cyrus
dpkg-statoverride --add cyrus mail 710 /var/spool/postfix/var/run/cyrus

/etc/fstab

/var/run/saslauthd   /var/spool/postfix/var/run/saslauthd  none  bind  0  0
/var/run/cyrus       /var/spool/postfix/var/run/cyrus      none  bind  0  0

or to configure Cyrus and saslauthd socket to use sockets in Postfix chrooted environment:

You need to configure saslauthd via /etc/saslauthd.conf configuration file.

For Postfix2):

/etc/postfix/main.cf

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtp_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp

/etc/postfix/sasl/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain login

To test SMTP server with STARTTLS use the following command3): 

openssl s_client -starttls smtp -quiet -crlf -connect localhost:25

If you got this message: 

535 5.7.8 Error: authentication failed: another step is needed in authentication

that means the realm which Postfix uses does not match the SASL's. Make sure that smtpd_sasl_local_domain has the correct value.

How to setup SASL LDAP authentication without saslauthd daemon (only using the module)?

After installation of the module the following popped up in logs:
slapd[840]: auxpropfunc error invalid parameter supplied
slapd[840]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
slapd[840]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
slapd[840]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb

cyrus/lmtpunix[27973]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
cyrus/lmtpunix[27973]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb

TLS server engine: cannot load cert/key data

Check that key (PEM) is readable by cyrus user (e.g. make them readable by group mail).

Cyrus STARTTLS does not work

When Cyrus is configured to support STARTTLS I get the following error message: 
cyrus/imap: error initializing TLS
cyrus/imap: TLS server engine: cannot load CA data
cyrus/imap: unable to get certificate from '/etc/ssl/server/server.pem'
cyrus/imap: TLS server engine: cannot load cert/key data, may be a cert/key mismatch?
cyrus/imap: error initializing TLS

Make sure that you've concatenated the certificate and the private key with command cat /etc/ssl/server/server.key >> /etc/ssl/server/server.pem; rm /etc/ssl/server/server.key;

Also test STARTTLS with following command: 

$ imtest -t "" -p imap
WARNING: no hostname supplied, assuming localhost

S: * OK centurion.domain.com IMAP4 v1.2 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS LOGINDISABLED
S: C01 OK Completed
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN SASL-IR
S: C01 OK Completed
Please enter your password:
C: A01 AUTHENTICATE PLAIN A2asaXRyeQe1ZmtRbmzy
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256
C: Q01 LOGOUT
S: BYE LOGOUT received
S: Q01 OK Completed

or alternative one: 

openssl s_client -starttls imap -host localhost:143
CONNECTED(00000003)
depth=1 /CN=Dmitry Katsubo Root/O=Dmitry Katsubo Personal Certificate/C=BY/L=Minsk
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=centurion.domain.com/O=Centurion Server/C=NL/L=Amsterdam
   i:/CN=Dmitry Katsubo Root/O=Dmitry Katsubo Personal Certificate/C=BY/L=Minsk
 1 s:/CN=Dmitry Katsubo Root/O=Dmitry Katsubo Personal Certificate/C=BY/L=Minsk
   i:/CN=Dmitry Katsubo Root/O=Dmitry Katsubo Personal Certificate/C=BY/L=Minsk
---
Server certificate
-----BEGIN CERTIFICATE----
MIIDQjCCAioCCQCwdYxxfBYD7DANBgkqhkiG9w0BAQUFADBpMRwwGgYDVQQDExNE
bWl0cnkgS2F0c3VibyBSb290MSwwKgYDVQQKEyNEbWl0cnkgS2F0c3VibyBQZXJz
CBDQvF1N1GwfzqMmpZdQTPeRoFgPqw==
-----END CERTIFICATE-----
---
SSL handshake has read 21792 bytes and written 485 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: A4487C0E1F9E242867C4F33F59711EDF618C27CA6431D20D2FE40AAC9505ADC9
    Session-ID-ctx:
    Master-Key: AB340216CC22A72BDB431BBAA56FD31198438EC15569CB0123A36ADA6D26F5FE9B24D4617EDA50F9E6FD3FA36C20F6F2
    Key-Arg   : None
    Start Time: 1291335267
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
. OK Completed

, , , ,
1) For more information check here
2) See more information here and here and here. Also refer /usr/share/doc/sasl2-bin/README.Debian.gz and /usr/share/doc/postfix/README.Debian
3) Taken from here