Configuring Cyrus IMAP

Creating the config files

You have to create /etc/imapd.conf and /etc/cyrus.conf

/etc/services

If you like to use sieve (a mail filtering language), you must change an entry in /etc/services. With SuSE 8.0 take especially care about the port for sieve, they defined the wrong port. Add or change the following lines:

pop3		110/tcp
imap		143/tcp
imaps           993/tcp
pop3s           995/tcp 
sieve           2000/tcp

/etc/imapd.conf

Be sure »servername« contains your FQHN (Fully Qualified Hostname)

The parameter »unixhierarchysep: yes« is only used if you like to have usernames like »hans.mueller.somedomain.tld« see the Section called Configuring Web-cyradm for more info.

postmaster: postmaster
configdirectory: /var/imap
partition-default: /var/spool/imap
# admins: cyrus # no admins!
allowanonymouslogin: no
allowplaintext: yes
sasl_mech_list: PLAIN
servername: servername
autocreatequota: 10000
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pwcheck_method: saslauthd
sievedir: /usr/sieve
sendmail: /usr/sbin/sendmail
sieve_maxscriptsize: 32
sieve_maxscripts: 5
#unixhierarchysep: yes

/etc/imapd-local.conf

Be sure »servername« contains your FQHN (Fully Qualified Hostname)

The parameter »unixhierarchysep: yes« is only used if you like to have usernames like »hans.mueller.somedomain.tld« see the Section called Configuring Web-cyradm for more info.

This second file ensures, that admin users only can connect via localhost. Decide by yourself if this additional security feature is needed for your site.

postmaster: postmaster
configdirectory: /var/imap
partition-default: /var/spool/imap
admins: cyrus 
allowanonymouslogin: no
allowplaintext: yes
sasl_mech_list: PLAIN
servername: servername
autocreatequota: 10000
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pwcheck_method: saslauthd
sievedir: /usr/sieve
sendmail: /usr/sbin/sendmail
sieve_maxscriptsize: 32
sieve_maxscripts: 5
#unixhierarchysep: yes

Creating the TLS/SSL Certificate

If you want to enable Cyrus' TLS/SSL facilities, you have to create a certificate first. This requires an OpenSSL installation

openssl req -new -nodes -out req.pem -keyout key.pem  
openssl rsa -in key.pem -out new.key.pem
openssl x509 -in req.pem -out ca-cert -req \
-signkey new.key.pem -days 999 

mkdir /var/imap

cp new.key.pem /var/imap/server.pem
rm new.key.pem
cat ca-cert >> /var/imap/server.pem

chown cyrus:mail /var/imap/server.pem
chmod 600 /var/imap/server.pem # Your key should be protected

echo tls_ca_file: /var/imap/server.pem >> /etc/imapd.conf
echo tls_cert_file: /var/imap/server.pem >> /etc/imapd.conf
echo tls_key_file: /var/imap/server.pem >> /etc/imapd.conf

/etc/cyrus.conf

The other file you need to create is /etc/cyrus.conf It is the configuration file for the Cyrus master process. It defines the startup procedures, services and events to be spawned by process »master«.

# standard standalone server implementation

START {
  # do not delete this entry!
  recover       cmd="ctl_cyrusdb -r"

  # this is only necessary if using idled for IMAP IDLE
#  idled                cmd="idled"
}

# UNIX sockets start with a slash and are put into /var/imap/socket
SERVICES {
  # add or remove based on preferences
  imap          cmd="imapd" listen="192.168.0.1:imap" prefork=0
  imaplocal     cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:imap" prefork=0
  imaps         cmd="imapd -s" listen="192.168.0.1:imaps" prefork=0
  imapslocal    cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:imaps" prefork=0
  pop3          cmd="pop3d" listen="pop3" prefork=0
  pop3s         cmd="pop3d -s" listen="pop3s" prefork=0
  sieve         cmd="timsieved" listen="192.168.0.1:sieve" prefork=0
  sievelocal    cmd="timsieved -C /etc/imapd-local.conf listen="127.0.0.1:sieve" prefork=0

  # at least one LMTP is required for delivery
#  lmtp         cmd="lmtpd" listen="lmtp" prefork=0
  lmtpunix      cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0

  # this is only necessary if using notifications
#  notify       cmd="notifyd" listen="/var/imap/socket/notify" proto="udp" prefork=1
}

EVENTS {
  # this is required
  checkpoint    cmd="ctl_cyrusdb -c" period=30

  # this is only necessary if using duplicate delivery suppression
  delprune      cmd="ctl_deliver -E 3" period=1440

  # this is only necessary if caching TLS sessions
  tlsprune      cmd="tls_prune" period=1440
}

Please check your Systems IP address: In the example above the IP 192.168.0.1 is to be replaced with your systems external IP address.

Creating the directories

There must be created different directories. Additionally you should change some attributes of the filesystem

/var/imap

cd /var
mkdir imap
chown cyrus:mail imap
chmod 750 imap

/var/spool/imap

cd /var/spool
mkdir imap
chown cyrus:mail imap
chmod 750 imap

/usr/sieve

cd /usr
mkdir sieve
chown cyrus:mail sieve
chmod 750 sieve

The rest of the directories

The rest of the directories can be created by the tool mkimap

su - cyrus
/usr/local/cyrus-imapd-2.1.12/tools/mkimap

Changing the filesystem attributes

When using the ext2 filesystem, you must set an attribute, that defines, that all changes are immediately committed to the disk. With todays journaling filesystems there is no need. If you are still running ext2 filesystems, I strongly suggest to switch to ext3 filesystems. Ext2 and ext3 are fully compatible to each other.

To check what type of filesystem is used for /var issue the command mount or see your /etc/fstab. Please note that the /var could also be a part of the root or other filesystem.

cd /var/imap

chattr +S user quota user/* quota/*
chattr +S /var/spool/imap /var/spool/imap/*