Installing Cyrus¶
This guide assumes you have already compiled Cyrus.
Install Cyrus¶
The --prefix
option given to configure
(during compilation) sets where Cyrus is installed to.
If unspecified, it will go to whatever destination is your system default (often /usr/local
).
To check: the final output of the configure step will display where a make install
will install to.
make install # optional if you're just developing on this machine
make install-binsymlinks # Only needed if you're testing older Cyrus versions
Optional Components¶
Setting up syslog¶
A lot of Cyrus’s debugging information gets logged with syslog
, so you’ll want to be able to capture it and find it later (especially when debugging cassandane tests)
Find the correct place to edit syslog config for your system (for me, I needed to create
/etc/rsyslog.d/cyrus.conf
)Add lines like
local6.* /var/log/imapd.log
auth.debug /var/log/auth.log
Restart the rsyslog service
sudo /etc/init.d/rsyslog restart
Arrange to rotate
/var/log/imapd.log
so it doesn’t get stupendously large. Create/etc/logrotate.d/cyrus.conf
with content like:/var/log/imapd.log { rotate 4 weekly missingok notifempty compress delaycompress sharedscripts postrotate invoke-rc.d rsyslog rotate > /dev/null endscript }
Create Cyrus environment¶
Set up the cyrus:mail user and group¶
Now let’s create a special user account just for the Cyrus server
to sandbox Cyrus: called cyrus
. We’ll also create a mail
group
as well. This allows Cyrus to give other programs some permissions if
they are run under the mail
group, again, without causing a Cyrus
bug to delete all of your cat pictures. Disaster!
If you have installed from packages, your package vendor may have already done this for you. To check, use these commands:
$ getent group mail
mail:x:8:
$ getent passwd cyrus
cyrus:x:999:8:Cyrus IMAP Server:/var/lib/imap:/bin/bash
Example group and user creation commands for GNU/Linux:
groupadd -fr mail
useradd -c "Cyrus IMAP Server" -d /var/lib/imap -g mail -s /bin/bash -r cyrus
The var/lib/imap
directory above is an example. Use the same directory
specified in the configdirectory
option in imapd.conf(5).
If your installation uses system locations for things like SSL
certificates (i.e. /etc/ssl/certs /etc/ssl/private
), then you should
also add the cyrus
user to the appropriate group to gain access to
the PKI files. On Debian/Ubuntu systems, for example, this group is
ssl-cert
:
usermod -aG ssl-cert cyrus
Authentication with SASL¶
Now, let’s set up SASL. This will allow you to connect to your local IMAP server and login, just like any IMAP user would before checking for new emails.
Create a saslauth
group and add the cyrus
user to the group, so
Cyrus can access SASL. (on Debian, this group is called ‘sasl’: adjust
the following commands to suit.)
groupadd -fr saslauth
usermod -aG saslauth cyrus
- Change the default SASL configuration in
/etc/default/saslauthd
. Make sure that the
START
option is set to yes(START=yes)
andSet the``MECHANISMS`` option to sasldb
(MECHANISMS="sasldb")
.
Start the SASL auth daemon:
/etc/init.d/saslauthd start
Now, we’ll create the IMAP user inside SASL. This is the user you’ll use to login to the IMAP server later on.
echo 'secret' | saslpasswd2 -p -c imapuser
You can replace secret
with a more suitable password you want and
imapuser
with the username you want. Once this is done, check that
the user exists and is set up correctly:
testsaslauthd -u imapuser -p secret
You should get an 0: OK "Success."
message.
Mail delivery from your MTA¶
Your Cyrus IMAP server will want to receive the emails accepted by your SMTP server (ie Sendmail, Postfix, etc). In Cyrus, this happens via a protocol called LMTP, which is usually supported by your SMTP server.
Install Sendmail¶
We’ll set up LMTP with the Sendmail SMTP server.
sudo apt-get install -y sendmail
We need to make Sendmail aware of the fact we are using the Cyrus IMAP server: modify the /etc/mail/sendmail.mc
file. Add this line before the MAILER_DEFINITIONS
section:
define(`confLOCAL_MAILER', `cyrusv2')dnl
And right below MAILER_DEFINITIONS
, add this:
MAILER(`cyrusv2')dnl
This enables the cyrusv2 mailer for local mail delivery. This is a sendmail property that tells sendmail it’s talking to Cyrus. (Cyrus 3.x works with this property, despite the naming confusion.)
Next, we run a script that takes the /etc/mail/sendmail.mc
file and and prepares it for use by Sendmail. This may take some time.
sudo sendmailconfig
Sendmail communication¶
One last thing we need to do for LMTP to work with Sendmail is to create a folder that will contain the UNIX socket used by Sendmail and Cyrus to deliver/receive emails:
sudo mkdir -p /var/run/cyrus/socket
sudo chown cyrus:mail /var/run/cyrus/socket
sudo chmod 750 /var/run/cyrus/socket
Protocol ports¶
The Cyrus IMAP server provides service interfaces via either TCP/IP
ports or Unix domain sockets. For the former, Cyrus requires that there
are proper entries in the host’s /etc/services
file. The following
are required for any host using the listed services:
pop3 110/tcp # Post Office Protocol v3
nntp 119/tcp # Network News Transport Protocol
imap 143/tcp # Internet Mail Access Protocol rev4
imsp 406/tcp # Internet Message Support Protocol (deprecated)
nntps 563/tcp # NNTP over TLS
imaps 993/tcp # IMAP over TLS
pop3s 995/tcp # POP3 over TLS
kpop 1109/tcp # Kerberized Post Office Protocol
lmtp 2003/tcp # Lightweight Mail Transport Protocol service
smmap 2004/tcp # Cyrus smmapd (quota check) service
csync 2005/tcp # Cyrus replication service
mupdate 3905/tcp # Cyrus mupdate service
sieve 4190/tcp # timsieved Sieve Mail Filtering Language service
Make sure that these lines are present or add them if they are missing.
Cyrus config files¶
Set up a simple directory structure for Cyrus to store emails, owned by
the cyrus
user and group mail
:
sudo mkdir -p /var/lib/cyrus /var/spool/cyrus
sudo chown -R cyrus:mail /var/lib/cyrus /var/spool/cyrus
sudo chmod 750 /var/lib/cyrus /var/spool/cyrus
The /var/spool/cyrus
directory is the
partition where Cyrus will store
mail and must be allocated sufficient storage. The exact location can be
configured in imapd.conf(5) in the partitions options.
Let’s add some basic configuration for the Cyrus IMAP server. Two files
have to be added: /etc/imapd.conf
and /etc/cyrus.conf
. There
are several examples included with the software, in doc/examples/
.
Pick one each from the imapd_conf
and cyrus_conf
directories,
or create your own.
For imapd.conf(5), let’s start with the normal.conf
example:
# Suggested minimal imapd.conf
# See imapd.conf(5) for more information and more options
# Space-separated users who have admin rights for all services.
# NB: THIS MUST BE CONFIGURED
admins: cyrus
###################################################################
## File, socket and DB location settings.
###################################################################
# Configuration directory
configdirectory: /var/lib/cyrus
# Directories for proc and lock files
proc_path: /run/cyrus/proc
mboxname_lockpath: /run/cyrus/lock
# Locations for DB files
# The following DB are recreated upon initialization, so should live in
# ephemeral storage for best performance.
duplicate_db_path: /run/cyrus/deliver.db
ptscache_db_path: /run/cyrus/ptscache.db
statuscache_db_path: /run/cyrus/statuscache.db
tls_sessions_db_path: /run/cyrus/tls_sessions.db
# Which partition to use for default mailboxes
defaultpartition: default
partition-default: /var/spool/cyrus/mail
# If sieveusehomedir is false (the default), this directory is searched
# for Sieve scripts.
sievedir: /var/spool/sieve
###################################################################
## Important: KEEP THESE IN SYNC WITH cyrus.conf
###################################################################
lmtpsocket: /run/cyrus/socket/lmtp
idlesocket: /run/cyrus/socket/idle
notifysocket: /run/cyrus/socket/notify
# Syslog prefix. Defaults to cyrus (so logging is done as cyrus/imap
# etc.)
syslog_prefix: cyrus
###################################################################
## Server behaviour settings
###################################################################
# Space-separated list of HTTP modules that will be enabled in
# httpd(8). This option has no effect on modules that are disabled at
# compile time due to missing dependencies (e.g. libical).
#
# Allowed values: caldav, carddav, domainkey, ischedule, rss
httpmodules: caldav carddav
# If enabled, the partitions will also be hashed, in addition to the
# hashing done on configuration directories. This is recommended if one
# partition has a very bushy mailbox tree.
hashimapspool: true
# Enable virtual domains
# and set default domain to localhost
virtdomains: yes
defaultdomain: localhost
###################################################################
## User experience settings
###################################################################
# Minimum time between POP mail fetches in minutes
popminpoll: 1
###################################################################
## User Authentication settings
###################################################################
# Allow plaintext logins by default (SASL PLAIN)
allowplaintext: yes
###################################################################
## SASL library options (these are handled directly by the SASL
## libraries, refer to SASL documentation for an up-to-date list of
## these)
###################################################################
# The mechanism(s) used by the server to verify plaintext passwords.
# Possible values are "saslauthd", "auxprop", "pwcheck" and
# "alwaystrue". They are tried in order, you can specify more than one,
# separated by spaces.
sasl_pwcheck_method: saslauthd
# If enabled, the SASL library will automatically create authentication
# secrets when given a plaintext password. Refer to SASL documentation
sasl_auto_transition: no
###################################################################
## SSL/TLS Options
###################################################################
# File containing the global certificate used for ALL services (imap,
# pop3, lmtp, sieve)
#tls_server_cert: /etc/ssl/certs/ssl-cert-snakeoil.pem
# File containing the private key belonging to the global server
# certificate.
#tls_server_key: /etc/ssl/private/ssl-cert-snakeoil.key
# File containing one or more Certificate Authority (CA) certificates.
#tls_client_ca_file: /etc/ssl/certs/cyrus-imapd-ca.pem
# Path to directory with certificates of CAs.
tls_client_ca_dir: /etc/ssl/certs
# The length of time (in minutes) that a TLS session will be cached for
# later reuse. The maximum value is 1440 (24 hours), the default. A
# value of 0 will disable session caching.
tls_session_timeout: 1440
Note that configdirectory and partition-default are set to the folders we just created.
Note
The admin user is the imapuser
created earlier for
authentication against sasl. Change this value if you named your user
something different.
For cyrus.conf(5), again we’ll start with the
normal.conf
example:
# standard standalone server implementation
START {
# do not delete this entry!
recover cmd="ctl_cyrusdb -r"
}
# UNIX sockets start with a slash and are put into /run/cyrus/socket
SERVICES {
# add or remove based on preferences
imap cmd="imapd" listen="imap" prefork=0
imaps cmd="imapd -s" listen="imaps" prefork=0
pop3 cmd="pop3d" listen="pop3" prefork=0
pop3s cmd="pop3d -s" listen="pop3s" prefork=0
sieve cmd="timsieved" listen="sieve" prefork=0
# these are only necessary if receiving/exporting usenet via NNTP
# nntp cmd="nntpd" listen="nntp" prefork=0
# nntps cmd="nntpd -s" listen="nntps" prefork=0
# these are only necessary if using HTTP for CalDAV, CardDAV, or RSS
http cmd="httpd" listen="http" prefork=0
https cmd="httpd -s" listen="https" prefork=0
# at least one LMTP is required for delivery
# lmtp cmd="lmtpd" listen="lmtp" prefork=0
lmtpunix cmd="lmtpd" listen="/run/cyrus/socket/lmtp" prefork=0
# this is requied if using socketmap
# smmap cmd="smmapd" listen="/run/cyrus/socket/smmap" prefork=0
# this is required if using notifications
# notify cmd="notifyd" listen="/run/cyrus/socket/notify" proto="udp" prefork=1
}
EVENTS {
# this is required
checkpoint cmd="ctl_cyrusdb -c" period=30
# this is only necessary if using duplicate delivery suppression,
# Sieve or NNTP
delprune cmd="cyr_expire -E 3" at=0400
# Expire data older than 28 days.
deleteprune cmd="cyr_expire -E 4 -D 28" at=0430
expungeprune cmd="cyr_expire -E 4 -X 28" at=0445
# this is only necessary if caching TLS sessions
tlsprune cmd="tls_prune" at=0400
}
DAEMON {
# this is only necessary if using idled for IMAP IDLE
# idled cmd="idled"
}
Before you launch Cyrus for the first time, create the Cyrus directory structure: use mkimap(8).
sudo -u cyrus ./tools/mkimap
Optional: Setting up SSL certificates¶
Create a TLS certificate using OpenSSL. Generate the certificate and store it in the /var/lib/cyrus/server.pem file:
sudo openssl req -new -x509 -nodes -out /var/lib/cyrus/server.pem \
-keyout /var/lib/cyrus/server.pem -days 365 \
-subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=localhost"
This creates a TLS certificate (-out) and private key (-keyout) in the X.509 format (-x509). The certificate is set to expire in 365 days (-days) and has default information set up (-subj …). The contents of the -subj is non-trivial and defined in RFC 5280, a brief summary is available on stackoverflow which is enough to decode our sample above.
Great! You should now have a file at /var/lib/cyrus/server.pem. Give Cyrus access to this file:
sudo chown cyrus:mail /var/lib/cyrus/server.pem
Awesome! Almost done. We will now configure the Cyrus IMAP server to
actually use this TLS certificate. Open your Cyrus configuration file
/etc/imapd.conf
and add the following two lines at the end of it:
tls_server_cert: /var/lib/cyrus/server.pem
tls_server_key: /var/lib/cyrus/server.pem
This tells the server where to find the TLS certificate and the key. It may seem weird to specify the same file twice, but since the file has the x509 format, the server will know what to do. Cyrus is there for you, always (unless your hard drive burns down) ! :-)
The other configuration file we have to edit is /etc/cyrus.conf
.
Open it up with your favorite text editor and in the SERVICES
section, add (or uncomment) this line:
imaps cmd="imapd" listen="imaps" prefork=0
Notice the s at the end of imaps. This says we are using TLS. Similar such lines may be used for pop3s, lmtps and other protocols. See Protocol Ports, above, for more information on these.
If you now restart (or start) your Cyrus server, you should have Cyrus listening on port 993 (the IMAPS port) with the STARTTLS IMAP extension enabled. You can check that TLS works as expected with the following command:
imtest -t "" -u imapuser -a imapuser -w secret localhost
Make sure to replace imapuser with whatever user you set up with saslpasswd2 before, and to replace secret with the actual password you set for that user.
Prepare ephemeral (run-time) storage directories¶
If you will be using ephemeral (run-time) storage locations on an OS or distro on which the directory skeleton does not persist over reboots, you will need to use your distro’s standard method to ensure that any such directories your installation depends upon exist prior to launching the daemon.
Here’s how to do so for Debian/Ubuntu. Use the provided
statoverride
facility to manage the ownership and permissions of
these directories:
sudo dpkg-statoverride cyrus mail 755 /run/cyrus
sudo dpkg-statoverride cyrus mail 750 /run/cyrus/socket
Then you can use something like this in your init script (like those packaged by Debian team):
dir=$(dpkg-statoverride --list /var/run/cyrus)
[ -z "$dir" ] || createdir $dir
where the createdir()
shell function looks like this:
createdir() {
# $1 = user
# $2 = group
# $3 = permissions (octal)
# $4 = path to directory
[ "$VERBOSE" = "yes" ] && OPT="-c"
[ -d "$4" ] || mkdir -p "$4"
chown $OPT -h "$1:$2" "$4"
chmod $OPT "$3" "$4"
}
Putting it all together, this blob from the stock Debian packaging would go between pre-flight checks (checking for config sanity, file locations, etc.) and initialization:
createdir() {
# $1 = user
# $2 = group
# $3 = permissions (octal)
# $4 = path to directory
[ "$VERBOSE" = "yes" ] && OPT="-c"
[ -d "$4" ] || mkdir -p "$4"
chown $OPT -h "$1:$2" "$4"
chmod $OPT "$3" "$4"
}
missingstatoverride () {
echo "$0: You are missing a dpkg-statoverride on $1. Add it." >&2
exit 1
}
fixdirs () {
dir=$(dpkg-statoverride --list /run/cyrus) \
|| missingstatoverride /run/cyrus
[ -z "$dir" ] \
|| createdir $dir
dir=$(dpkg-statoverride --list /run/cyrus/socket) \
|| missingstatoverride /run/cyrus/socket
[ -z "$dir" ] \
|| createdir $dir
}
Launch Cyrus¶
sudo ./master/master -d
Check /var/log/syslog
for errors so you can quickly understand any
problems.
When you’re ready, you can create init scripts to start and stop your daemons. This https://www.linux.com/learn/managing-linux-daemons-init-scripts is old, but has a good explanation of the concepts required.
Send a test email¶
We will send a test email to our local development environment to check if:
The SMTP server* accepts the incoming email,
LMTP transmits the email to Cyrus IMAP,
You can see the email stored on your filesystem.
Note
*SMTP servers are also often called an “MTA,” for Mail Transport Agent
But first, create a mailbox to send the test email to. We’ll call this test mailbox example@localhost.
echo 'createmailbox user/example@localhost' | cyradm -u imapuser -w secret localhost
We seem to be creating a mailbox named user/example@localhost
. In
fact, Cyrus understands this to be a user called example@localhost
.
As usual, adjust the password via the -w
option to the password you
set above.
If you have explicitly disabled unixhierarchysep
in
/etc/imapd.conf
(it is enabled by default in 3.0+), you should
replace user/example@localhost
with user.example@localhost
. You
can read more about unixhierarchysep
in imapd.conf(5).
The command will produce the following output:
localhost> localhost>
This happens because cyradm is normally used interactively, with a prompt. We aren’t using a prompt, so this output is expected.
Now that the mailbox exists, we can send an email using telnet with raw SMTP commands.
First, connect to the MTA:
telnet localhost smtp
You should see a prompt appear:
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 ... ESMTP Sendmail ...
Now, we’ll send the SMTP commands to the server. These are responsible for ordering the MTA to store an email:
EHLO localhost
MAIL FROM:<hello@localhost>
RCPT TO:<example@localhost>
DATA
Hello world!
.
QUIT
If you are using Sendmail as your SMTP server, you should be able to safely copy and paste this bit into the terminal before hitting your ENTER key. If not, you may want to paste these commands one by one (or make sure you enable PIPELINING in the SMTP config).
If you see a message like 250 2.0.0 … Message accepted for delivery, you did it! You should now have a file called 1. in the /var/spool/cyrus/user/example directory, with the content of the email you sent just before.
If not, you may want to check syslog to see if any error messages show up and go through the previous steps again.
To let the example user log in via IMAP on a normal mail client, you need to add them to SASL (as before):
echo 'mypassword' | saslpasswd2 -p -c example
Check your two users are there:
sasldblistusers2
You can now configure a mail client to access your new mailserver and connect to the mailbox for example@localhost via IMAP and see the message.
Checking CardDAV and CalDAV¶
Modify /etc/cyrus.conf
and add (or uncomment) this line in the
SERVICES section:
http cmd="httpd" listen="http" prefork=0
Modify /etc/imapd.conf
and add (or uncomment) this line:
httpmodules: caldav carddav
Running the following commands should return you sample entry addressbook and calendar entry for the sample example user:
curl -u example@[hostname]:mypassword -i -X PROPFIND -H 'Depth: 1' http://localhost:8080/dav/addressbooks/user/example@[hostname]/Default
curl -u example@[hostname]:mypassword -i -X PROPFIND -H 'Depth: 1' http://localhost:8080/dav/principals/user/example@[hostname]/
Troubleshooting¶
Some common issues are explained below.
I have all kinds of weird Perl errors when running cyradm
The solution is to set the Perl library path right. To be honest, I was too lazy to figure out exactly which path was right, so I added this snippet to my ~/.bashrc
file:
export PERL5LIB="$PERL5LIB:$(find path/to/cyrus/perl -type d | tr "\\n" ":")"
Just make sure to change path/to/cyrus to the actual path to the Cyrus source code directory. This should be something like /home/jack/cyrus-src/perl
.
I can’t connect to the IMAP server
Make sure that the SASL auth daemon is running. You can start it with this command:
/etc/init.d/saslauthd start
You can safely run this command even if you don’t know whether the SASL auth daemon is already running or not.
Emails are not being delivered to Cyrus
Make sure that you have started Sendmail, which you can do like this:
/etc/init.d/sendmail start
My IMAP server (master) can’t authenticate users to SASL
Check that the groups setting on your cyrus user is correct.
Ubuntu uses saslauth group, Debian uses sasl group.
Check the output of groups cyrus to see what groups it currently belongs to.
Incorrect groups settings results in saslauthd reporting permission failures:
SASL cannot connect to saslauthd server: Permission denied
SASL unable to open Berkeley db /etc/sasldb2: Permission denied
Master will need to be restarted if you needed to change the groups.
Something is not working but I can’t figure out why
More information is almost always logged to syslog. Make sure you start syslog with this command before starting the Cyrus server:
/etc/init.d/rsyslog start
My question isn’t answered here
Join us on the mailing lists if you need help or just want to chat about Cyrus, IMAP, etc.