Table of content
  1. Installation
    1. File system
    2. Compilation
  2. Configuration
    1. cyrus.conf
    2. imapd.conf
      1. Authentication
      2. Certificats
      3. Serveur et domaines virtuels
      4. Sieve
      5. Working directory
      6. Email reception
      7. Mailboxes
      8. Access rights
      9. Quota
      10. SNMP
  3. Initialisation
  4. Startup
  5. Tools
    1. Creating a mailbox
    2. Deleting a mailbox
    3. Renaming a mailbox

Installing an imap server with encrypted communications to protect passwords and email content. User accounts are managed from an LDAP directory.

Build information

Ensure the following options:

mail/cyrus-imapd30
1

TODO

Installation

File system

Four file systems are created to manage the processes, mailboxes, metadata and filters.

ZFS name Mountpoint Opt Description
system/services/imap /var/imap   Internal data management
system/services/imap/meta /var/spool/imap-meta   Mailbox metadata
system/services/imap/mbox /var/spool/imap C Storage for mailboxes and emails
system/services/imap/sieve /var/spool/sieve   Mailbox filtering rules

The separation of metadata and mailboxes (ie: emails), allows the introduction of compression, for mail, at the file system without impacting performance for metadata access.

Compilation

cd /usr/ports/mail/cyrus-imapd24/ && make install

The selected build options are:

[X] IDLED Enable IMAP idled support [X] SNMP Enable SNMP support Currently with the 5.14.1 version of perl there is an execution error when the SNMP support is enabled at compile time. This is likely to produce the following error when cyrus-imap is started-up: Shared object "libperl.so" not found, required by "libnetsnmpmibs.so.30" In this case, one way to fix the problem is to tell the system where to find the `libperl.so`{:.file} library. It can be done through the `/etc/ld-elf.so.conf`{:.file} file, where the correct path need to be registered: /usr/local/lib/perl5/5.14.1/mach/CORE/

Configuration

cyrus.conf

It is responsible for managing the various processes needed for the operation of the imap service:

ctl_cyrusdb
Opérations de maintenance de la base de données utilisée par cyrus-imap. En particulier, il s’occupe de la récupération des données en cas de crash (option -r) et de la création de points de sauvegarde (option -c).
imapd
Gestion du protocole IMAP. L’option -s permet de spécifier l’utilisation de SSL pour les connexions, dans le cas contraire, les connexions ne sont pas chiffrées sauf si le client décide d’initier un basculement vers TLS.
idled
Gestion du mode IDLE dans IMAP. Ceci permet d’informer, presque en temps réel, le client de la présence de nouveaux messages.
sieve
Gestion des filtres de messageries. Il permet la prise en charge, directement au niveau du serveur, de l’exécution de scripts utilisateurs permettant le filtrage des e-mails (choix de dossier, suppression, redirection, …).
lmtpunix / lmtp
Réception des messages. C’est ce processus qui va gérer la réception des messages transférés par le serveur mail, soit depuis une socket unix, soit depuis une connection TCP sur un port dédié.
squatter
Réalise l’indexation des mails (en-têtes et messages) afin de permettre une recherche plus rapide lors des commandes IMAP SEARCH. À noter que l’indexation peut être coûteuse en temps si de nombreuses boîtes aux lettres et messages sont présents, et son absence n’empêchera pas le bon fonctionnement du système.

The following configuration is done in the cyrus.conf file and allows the use of IMAP with TLS or SSL connections, to deal with the IDLE mode, to manage sieve scripts, to automatically supress duplicated messages at reception time, to periodically index messages. Messages being delivered from a unix socket.

cyrus.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

START {
  recover	cmd="ctl_cyrusdb -r"
  idled		cmd="idled"
}

SERVICES {
  imap		cmd="imapd"     listen="imap"                  prefork=0
  imaps		cmd="imapd -s"  listen="imaps"                 prefork=0
  sieve		cmd="timsieved" listen="sieve"                 prefork=0
  lmtpunix	cmd="lmtpd"     listen="/var/imap/socket/lmtp" prefork=0
}

EVENTS {
  checkpoint	cmd="ctl_cyrusdb -c"  period=30
  delprune	cmd="cyr_expire -E 3" at=0400
  tlsprune	cmd="tls_prune"       at=0400
  squat         cmd="squatter -i"     at=0100
}

imapd.conf

The configuration file is imapd.conf, despite its name, it manages the configuration for all the different processes involved in cyrus.conf.

Authentication

Le mécanisme d’authentification s’appuie sur saslauthd qui permet l’interrogation d’un annuaire LDAP, sans imposer la sauvegarde des mots de passe en clair au sein de l’annuaire (contrairement à une configuration via les directives ldap_*). En contre partie, il est nécessaire de transmettre les mots de passe en clair (plain ou login) entre le client et le serveur, et afin d’éviter le risque d’interception, on interdit leur émission sur une connexion réseau qui n’est pas chiffrée (allowplaintext positioné à faux).

imapd.conf
1
2
3
4
5
6
7
8

# Authentication
#  ! Password verification with SASL pwcheck/saslauthd services
#  ! only support clear text mecanism such as PLAIN or LOGIN.
sasl_pwcheck_method: saslauthd
sasl_mech_list: plain

# Disallow sending password on a connection which is not secured
allowplaintext:      no

Certificats

To allow encryption, the list of certificats to use is specified by the folllowing directives:

imapd.conf
1
2
3
4
5
6

# Certificats
#  If a non-global certificat is required, he directive must be prefixed
#  with the service name: imap, pop3, lmtp ...
tls_cert_file:    /etc/cert/wildcard.example.com.crt
tls_key_file:     /etc/cert/wildcard.example.com.key
tls_ca_file:      /etc/cert/cachain.pem

Et afin de ne pas imposer au client l’utilisation d’un certificat (pour s’authentifier lui-même):

imapd.conf
1

tls_require_cert: 0

Serveur et domaines virtuels

Si le serveur possède plusieurs noms, il est souhaitable d’utiliser servname pour spécifier celui à utiliser plutôt que de compter sur la valeur retournée par gethostname(2):

imapd.conf
1
2

# Nom a utiliser lors du message de bienvenue
servername: mail.example.com

Permet la gestion de plusieurs domaines différents grâce aux domaines virtuels, la valeur userid indiquant que le domaine doit être déterminé à partir de l’adresse mail, en s’appuyant sur le séparateur ‘@’. Si ce séparateur n’est pas présent le domaine defaultdomain est utilisé.

imapd.conf
1
2
3

# Virtual domains
defaultdomain: mail.example.com
virtdomains: userid

Sieve

Sieve allows to filter email directly at the server level and to put in place redirection or vacation messages, it needs to use sendmail.

imapd.conf
1
2
3

# Sieve
sievedir:          /var/spool/sieve
sendmail:          /usr/local/sbin/sendmail

Working directory

Hold the data and locks necessary for the good operations of the process.

imapd.conf
1
2
3

# Working directory
configdirectory:   /var/imap
mboxname_lockpath: /var/imap/lock

Email reception

No size limit is enforced at reception of the email, and deletion of identical messages is performed to only keep one copy.

Size limitation for email reception is performed upstream by the SMTP server.

imapd.conf
1
2
3

# Message reception
maxmessagesize:       0
duplicatesuppression: yes

Mailboxes

To store mailboxes, several partitions (directories on different disks) can be used, but it’s decided here to only create one called main, and to force its used as a default. Furthermore for a good management of the disk space, hard links will be created (singleinstancestore directive) so to only keep one copy of identical messages among the partition mailboxes. Finally, as it’s a Unix system, it will be possible to use ‘/’ as a hierarchy separator (unixhierarchysep directive), allowing the ‘.’ character to be present in mailbox names. When storing on disk, email and metadata are split (partition-main and metapartition-main) allowing to setup compression for the email at the file system level (zfs set compression=on).

imapd.conf
1
2
3
4
5
6
7

# Storing mailboxes
metapartition_files:  header index cache expunge squat
defaultpartition:     main
partition-main:       /var/spool/imap
metapartition-main:   /var/spool/imap-meta
singleinstancestore:  yes
unixhierarchysep:     yes

Use an alternative display of the folders, where they are in the same hierarchie level as INBOX.

imapd.conf
1
2
3
4

# Folder display
altnamespace:         yes
userprefix:           OtherUsers
sharedprefix:         SharedFolders

To get an easier folder reading, display order is slightly modified so that characters ‘ ’ and ‘-’ are dealt with the same way.

imapd.conf
1
2

# Sorting option
improved_mboxlist_sort: yes

On an already configured system, the mailbox database must be dumped before setting up the improved_mboxlist_sort option, and reloaded after the modification.

1
2
3
4
5
6
7
8

# Dumping mailbox
ctl_mboxlist -d > mb.txt

# Setting improved_mboxlist_sort option

# Importing mailbox
rm /var/imap/mailboxes.db 
ctl_mboxlist -u < mb.txt

Access rights

imapd.conf
1
2
3
4
5
6
7
8

# Security 
#
umask:               077
allowanonymouslogin: no
allowallsubscribe:   no
anyoneuseracl:       no
defaultacl:          anyone lrs
admins:              root root@example.com root@sample.com

Quota

imapd.conf
1
2

# Quota
quotawarn: 90

SNMP

Data for SNMP will be transfered using the AgentX protocol, this configuration is setup within the startup option. However by defaut, the server and SNMP clients don’t know about the MIBs, but they can be downloaded and added: CMU-MIB.txt and CYRUS-MASTER-MIB.txt

Initialisation

A few steps remain before finishing the installation and configuration:

  1. Creating directories, data structures and setting access rights:

    1

    /usr/local/cyrus/bin/mkimap

  2. Correcting access rights for the lmtp socket, to allow communication from postfix to Cyrus IMAP:

    1
2

    chown cyrus:mail /var/imap/socket/lmtp
chmod 660        /var/imap/socket/lmtp

  3. Adding membership to the agentx group to allow communication with SNMP:

    1

    pw groupmod agentx -m cyrus

Startup

To allow automatic startup, the following lines are added to the /etc/rc.conf file:

rc.conf
1
2

cyrus_imapd_enable="YES"
cyrus_imapd_flags="-d -P 20 -x /var/agentx/master"

Integration to SNMP is done through AgentX, with the -x /var/agentx/master option. If the SNMP connection was interupted, retry will occurs every 20 seconds thanks to the -P 20 option.

Tools

The following examples use the cyradm command, it is run connecting as a user with administrative privileges for the selected domain (ie: users present in the admins directive):

1

cyradm --user root@example.com imap.example.com

Creating a mailbox

1
2

create user/jdoe
setquota user/jdoe 10000

Deleting a mailbox

1
2

setacl user/jdoe root@example.com all
delete user/jdoe

Renaming a mailbox

1

rename --partition part user/jdoe user/toto