#################################################################### Postfix-Cyrus-Web-cyradm-HOWTO (RedHat 9 / Fedora Core 1 Specific) This HOWTO explains in bare-bones detail how to get Web-cyradm set up and running on a RedHat 9 or Fedora Core 1 server. I wanted a solution that used as many RPM packages as possible, working with the native packaging system, to avoid having multiple compiled and RPM versions of the same software on the machine. Following these steps will give you IMAP & IMAPS, SMTP with AUTH & SMTPS with AUTH, and a nifty web interface to manage accounts that can be accessed over an SSL connection. The SSL certificates demonstrated here are basic, no-frills ones. If you want a certificate that almost all browsers and email clients will recognize, I highly recommend http://www.freessl.org; their certificates work in just about everything and they are cheap compared to the rest of the SSL cert vendors out there. If you run into problems, please post to the Web-cyradm mailing list. I hang out there, so I will see your help request, and so will others, so you can get the most help possible. 
Go here to sign up for the list: http://www.web-cyradm.org/mailman/listinfo/web-cyradm Cheers, Tim Schaab tim@madtown.cc An updated copy of this can be found at: http://madweb.org/web-cyradm-rh9-fc1-howto.txt #################################################################### Revisions 1.0 - 10-Apr-04 -- Initial Release #################################################################### TODO -- Integrating Anti-Virus & SpamAssassin #################################################################### Building Confirm RPMS Installed: mysql mysql-devel db4 db4-devel cyrus-sasl cyrus-sasl-devel gettext pam-devel Upgrade cyrus-sasl Download the new cyrus-sasl SRPM from http://rpmfind.net -- Only needed for Redhat 9, can be skipped on Fedora Core 1 -- Get Fedora Core 1 Sources srpm -- ftp://fr2.rpmfind.net/linux/fedora/core/1/SRPMS/cyrus-sasl-2.1.15-6.src.rpm -- RUN -- wget ftp://fr2.rpmfind.net/linux/fedora/core/1/SRPMS/cyrus-sasl-2.1.15-6.src.rpm rpm -ivh cyrus-sasl-2.1.15-6.src.rpm rpmbuild -bb /usr/src/redhat/SPECS/cyrus-sasl.spec rpm -Uvh /usr/src/redhat/RPMS/i386/cyrus-sasl-[2dpm]*.rpm -- DONE -- Install cyrus-imap - ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-imapd-2.2.3.tar.gz Setup User: -- RUN -- useradd -u 96 -d /usr/cyrus -r -g mail cyrus -s /bin/bash -- END -- Configure cyrus-imap: -- RUN -- tar xzf cyrus-imapd-2.2.3.tar.gz cd cyrus-imapd-2.2.3 export CPPFLAGS="-I/usr/include/et -I/usr/kerberos/include" ./configure \ --with-sasl=/usr/lib \ --with-perl \ --with-auth=unix \ --with-openssl=/usr/ \ --without-ucdsnmp make make install -- END -- Create /etc/init.d/cyrus -- START /etc/init.d/cyrus -- #! /bin/bash # # cyrus-imap - Starts up saslauthd and imap # # chkconfig: - 95 05 # description: customized for web-cyradm # processname: master # Source function library. . /etc/init.d/functions # Source our configuration file for these variables. 
case "$1" in start) # Starting SASL saslauthdaemon /etc/init.d/saslauthd start # Starting Cyrus IMAP Server /usr/cyrus/bin/master & ;; stop) # Stopping SASL saslauthdaemon /etc/init.d/saslauthd stop # Stopping Cyrus IMAP Server killall master ;; *) echo "Usage: $0 {start|stop}" exit 1 ;; esac -- END -- Make script startup automatically -- RUN -- chmod 755 /etc/init.d/cyrus chkconfig --add cyrus chkconfig cyrus on -- END -- Configure saslauthd, edit /etc/sysconfig/saslauthd -- START /etc/sysconfig/saslauthd -- SOCKET=/var/run/saslauthd/mux MECH=pam -- END -- Download the special postfix SRPM from http://postfix.wl0.org/ - http://ftp.wl0.org/SRPMS/postfix-2.0.19-2.src.rpm -- RUN -- rpm -ivh postfix-2.0.19-2.src.rpm export POSTFIX_MYSQL_REDHAT=1 export POSTFIX_SASL=2 export POSTFIX_TLS=1 sh /usr/src/redhat/SOURCES/make-postfix.spec cd /usr/src/redhat/SPECS rpmbuild -ba postfix.spec rpm -Uvh /usr/src/redhat/RPMS/i386/postfix-2.0.19-2.*.i386.rpm rpm -e sendmail -- DONE -- Install pam_mysql Get source from http://sourceforge.net/projects/pam-mysql/ -- RUN -- tar xzf pam_mysql-0.5.tar.gz cd pam_mysql make cp pam_mysql.so /lib/security -- DONE -- Install & Configure Apache & PHP & mod_ssl get Source RPM (SRPM) for OpenSSL: http://rpmfind.net -- RUN -- rpm -ivh openssl-0.9.7a-20.2.src.rpm export PATH=$PATH:/usr/kerberos/bin/ rpmbuild -bc /usr/src/redhat/SPECS/openssl.spec -- DONE -- get Apache: http://httpd.apache.org -- Get 1.3.29, avoid Apache 2 when using PHP get PHP: http://www.php.net get mod_ssl: http://www.modssl.org -- RUN -- tar xzf mod_ssl-2.8.16-1.3.29.tar.gz tar xzf apache_1.3.29.tar.gz tar xzf php-4.3.5.tar.gz cd apache_1.3.29 ./configure cd ../mod_ssl-2.8.16-1.3.29 ./configure \ --with-apache=../apache_1.3.29 cd ../php-4.3.5 ./configure \ --with-apache=../apache_1.3.29 \ --with-mysql=/usr --with-gettext make make install cd ../apache_1.3.29 SSL_BASE=/usr/src/redhat/BUILD/openssl-0.9.7a CFLAGS="-I/usr/kerberos/include/" ./configure \ --prefix=/www \ 
--enable-module=rewrite \ --enable-module=expires \ --enable-module=mime_magic \ --enable-module=speling \ --enable-module=info \ --enable-module=usertrack \ --enable-module=so \ --enable-module=proxy \ --enable-module=unique_id \ --enable-module=ssl \ --activate-module=src/modules/php4/libphp4.a make make install -- DONE -- get Web-Cyradm: http://www.web-cyradm.org -- RUN -- tar -xvzf web-cyradm-0.5.4.tar.gz mv web-cyradm-0.5.4 /www/htdocs/cyradm touch /var/log/web-cyradm.log chown nobody /var/log/web-cyradm.log ## CHANGE DEFAULT PASSWORD OF mail MYSQL USER ## pico -w /www/htdocs/cyradm/scripts/insertuser_mysql.sql ## CHANGE DEFAULT PASSWORD OF admin AND cyrus USERS ## pico -w /www/htdocs/cyradm/scripts/create_mysql.sql mysql -u root < /www/htdocs/cyradm/scripts/insertuser_mysql.sql mysql mail -u mail -p < /www/htdocs/cyradm/scripts/create_mysql.sql -- DONE -- Configure PAM Make /etc/pam.d/imap, /etc/pam.d/smtp and /etc/pam.d/sieve, all with the same content -- FILE -- #%PAM-1.0 auth sufficient pam_mysql.so user=mail passwd=cyradmpass host=localhost db=mail table=accountuser usercolumn=username passwdcolumn=password crypt=1 sqllog=0 account required pam_mysql.so user=mail passwd=cyradmpass host=localhost db=mail table=accountuser usercolumn=username passwdcolumn=password crypt=1 sqllog=0 -- END -- Configure Postfix Changes in master.cf -- CHANGE -- #smtps inet n - n - - smtpd # -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes old-cyrus unix - n n - - pipe flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} # Cyrus 2.1.5 (Amos Gouaux) cyrus unix - n n - - pipe user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} -- TO -- smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes old-cyrus unix - n n - - pipe flags= user=cyrus argv=/usr/cyrus/bin/deliver -r ${sender} -m ${extension} ${user} # Cyrus 2.1.5 (Amos Gouaux) cyrus unix - n n - - pipe user=cyrus argv=/usr/cyrus/bin/deliver -r ${sender} -m 
${extension} ${user} -- END -- Variables to set in main.cf -- LOCATE & CHANGE -- myhostname=your.hostname.org mydestination=$myhostname, $mydomain, mysql:/etc/postfix/mysql-mydestination.cf mailbox_transport = cyrus -- END -- -- ADD -- virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf sender_canonical_maps = mysql:/etc/postfix/mysql-canonical.cf -- END -- Make /etc/postfix/mysql-virtual.cf -- START /etc/postfix/mysql-virtual.cf -- # # mysql config file for alias lookups on postfix # comments are ok. # # the user name and password to log into the mysql server hosts = localhost user = mail password = mysqlpass # the database name on the servers dbname = mail # the table name table = virtual # select_field = dest where_field = alias additional_conditions = and status = '1' -- END -- make /etc/postfix/mysql-canonical.cf -- START /etc/postfix/mysql-canonical.cf -- # mysql config file for canonical lookups on postfix # comments are ok. # # the user name and password to log into the mysql server hosts = localhost user = mail password = mysqlpass # the database name on the servers dbname = mail # the table name table = virtual # select_field = alias where_field = username # Return the first match only additional_conditions = and status = '1' limit 1 -- END -- Make /etc/postfix/mysql-mydestination.cf -- START /etc/postfix/mysql-mydestination.cf -- # mysql config file for local domain (like sendmail's sendmail.cw) lookups on postfix # comments are ok. 
# # the user name and password to log into the mysql server hosts = localhost user = mail password = mysqlpass # the database name on the servers dbname = mail # the table name table = domain # select_field = domain_name where_field = domain_name -- END -- Add to /etc/postfix/main.cf -- ADD -- smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = noanonymous smtpd_sasl_local_domain = broken_sasl_auth_clients = yes smtpd_helo_required = yes smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, reject_unauth_destination, permit_sasl_authenticated smtpd_tls_cert_file = /etc/postfix/ssl/crt/your.hostname.cc.crt smtpd_tls_key_file = /etc/postfix/ssl/key/your.hostname.cc.key smtpd_use_tls = yes smtpd_tls_session_cache_timeout = 3600s smtpd_tls_loglevel = 0 -- END -- Make /usr/lib/sasl2/smtpd.conf -- START /usr/lib/sasl2/smtpd.conf -- pwcheck_method: saslauthd mech_list: plain login -- END -- -- RUN -- ln -s /var/run/saslauthd /var/run/sasl2 -- END -- Add to /etc/services -- ADD -- sieve 2000/tcp -- END -- Make /etc/imapd.conf -- START /etc/imapd.conf -- postmaster: postmaster configdirectory: /var/imap partition-default: /var/spool/imap # admins: cyrus # no admins! 
allowanonymouslogin: no allowplaintext: yes sasl_mech_list: PLAIN servername: your.hostname.org autocreatequota: 10000 reject8bit: no quotawarn: 90 timeout: 30 poptimeout: 10 dracinterval: 0 drachost: localhost sasl_pwcheck_method: saslauthd sievedir: /usr/sieve sendmail: /usr/sbin/sendmail sieve_maxscriptsize: 32 sieve_maxscripts: 5 unixhierarchysep: yes # Comment out the previous line if you do not want # user.domain.cc usernames -- END -- Make /etc/imapd-local.conf -- START /etc/imapd-local.conf -- postmaster: postmaster configdirectory: /var/imap partition-default: /var/spool/imap admins: cyrus allowanonymouslogin: no allowplaintext: yes sasl_mech_list: PLAIN servername: servername autocreatequota: 10000 reject8bit: no quotawarn: 90 timeout: 30 poptimeout: 10 dracinterval: 0 drachost: localhost sasl_pwcheck_method: saslauthd sievedir: /usr/sieve sendmail: /usr/sbin/sendmail sieve_maxscriptsize: 32 sieve_maxscripts: 5 unixhierarchysep: yes # Comment out the previous line if you do not want # user.domain.cc usernames -- END -- Make SSL Certificate -- RUN -- openssl req -new -nodes -out req.pem -keyout key.pem openssl rsa -in key.pem -out new.key.pem openssl x509 -in req.pem -out ca-cert -req \ -signkey new.key.pem -days 999 mkdir /var/imap cp new.key.pem /var/imap/server.pem cat ca-cert >> /var/imap/server.pem chown cyrus:mail /var/imap/server.pem chmod 600 /var/imap/server.pem echo tls_ca_file: /var/imap/server.pem >> /etc/imapd.conf echo tls_cert_file: /var/imap/server.pem >> /etc/imapd.conf echo tls_key_file: /var/imap/server.pem >> /etc/imapd.conf cp ca-cert /www/conf/ssl.crt/your.hostname.cc.crt cp new.key.pem /www/conf/ssl.key/your.hostname.cc.key mkdir -p /etc/postfix/ssl/crt mkdir -p /etc/postfix/ssl/key cp ca-cert /etc/postfix/ssl/crt/your.hostname.cc.crt cp new.key.pem /etc/postfix/ssl/key/your.hostname.cc.key chmod 600 new.key.pem -- END -- Make /etc/cyrus.conf ## Change 192.168.0.1 to your IP address ## -- START /etc/cyrus.conf -- # standard standalone server implementation 
START { # do not delete this entry! recover cmd="ctl_cyrusdb -r" # this is only necessary if using idled for IMAP IDLE # idled cmd="idled" } # UNIX sockets start with a slash and are put into /var/imap/socket SERVICES { # add or remove based on preferences imap cmd="imapd" listen="192.168.0.1:imap" prefork=0 imaplocal cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:imap" prefork=0 imaps cmd="imapd -s" listen="192.168.0.1:imaps" prefork=0 imapslocal cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:imaps" prefork=0 # pop3 cmd="pop3d" listen="pop3" prefork=0 # pop3s cmd="pop3d -s" listen="pop3s" prefork=0 sieve cmd="timsieved" listen="192.168.0.1:sieve" prefork=0 sievelocal cmd="timsieved -C /etc/imapd-local.conf" listen="127.0.0.1:sieve" prefork=0 # at least one LMTP is required for delivery # lmtp cmd="lmtpd" listen="lmtp" prefork=0 lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0 # this is only necessary if using notifications # notify cmd="notifyd" listen="/var/imap/socket/notify" proto="udp" prefork=1 } EVENTS { # this is required checkpoint cmd="ctl_cyrusdb -c" period=30 # this is only necessary if using duplicate delivery suppression delprune cmd="ctl_deliver -E 3" period=1440 # this is only necessary if caching TLS sessions tlsprune cmd="tls_prune" period=1440 } -- END -- Change directory settings. -- RUN -- cd /var chown cyrus:mail imap chmod 750 imap cd /var/spool mkdir imap chown cyrus:mail imap chmod 750 imap cd /usr mkdir sieve chown cyrus:mail sieve chmod 750 sieve -- END -- Run mkimap. 
It resides in the cyrus-imapd source, under the tools directory -- RUN -- su - cyrus /usr/local/cyrus-imapd-2.2.3/tools/mkimap exit -- END -- Setup Web-cyradm -- RUN -- cd /www/htdocs/cyradm/config cp conf.php.dist conf.php touch /var/log/web-cyradm-login.log chown nobody /var/log/web-cyradm-login.log -- END -- Edit conf.php -- EDIT -- #The Cyrus login stuff $CYRUS = array( 'HOST' => 'localhost', 'PORT' => 143, 'ADMIN' => 'cyrus', 'PASS' => 'YourCyrusPassword' ); $DB = array( 'TYPE' => 'mysql', 'USER' => 'mail', 'PASS' => 'YourMySQLPassword', 'PROTO' => 'unix', // set to "tcp" for TCP/IP 'HOST' => 'localhost', 'NAME' => 'mail' ); $DOMAIN_AS_PREFIX = 1; -- END -- Configure Apache -- CHANGE /www/conf/httpd.conf -- # ServerName www.example.com DirectoryIndex index.html SSLCertificateFile /www/conf/ssl.crt/server.crt SSLCertificateKeyFile /www/conf/ssl.key/server.key -- TO -- ServerName your.hostname.cc DirectoryIndex index.php index.html SSLCertificateFile /www/conf/ssl.crt/your.hostname.cc.crt SSLCertificateKeyFile /www/conf/ssl.key/your.hostname.cc.key -- END -- -- ADD TO /www/conf/httpd.conf -- AddType application/x-httpd-php .php -- END -- Make /etc/init.d/apache -- START /etc/init.d/apache -- #!/bin/bash # # Startup script for the Apache Web Server # # chkconfig: - 85 15 # description: Apache is a World Wide Web server. It is used to serve \ # HTML files and CGI. # processname: httpd # pidfile: /www/logs/httpd.pid # config: /www/conf/httpd.conf # Source function library. . /etc/rc.d/init.d/functions # Path to the apachectl script, server binary, and short-form for messages. apachectl=/www/bin/apachectl httpd=${HTTPD-/www/bin/httpd} prog=httpd RETVAL=0 start() { echo -n $"Starting $prog: " $apachectl start RETVAL=$? echo [ $RETVAL = 0 ] && touch /var/lock/subsys/httpd return $RETVAL } stop() { echo -n $"Stopping $prog: " $apachectl stop RETVAL=$? echo [ $RETVAL = 0 ] && rm -f /var/lock/subsys/httpd } reload() { echo -n $"Reloading $prog: " $apachectl reload RETVAL=$? 
echo } # See how we were called. case "$1" in start) start ;; stop) stop ;; status) $apachectl status RETVAL=$? ;; restart) $apachectl restart ;; reload) reload ;; graceful|help|configtest|fullstatus) $apachectl $@ RETVAL=$? ;; *) echo $"Usage: $prog {start|stop|restart|reload|status|fullstatus|graceful|help|configtest}" exit 1 esac exit $RETVAL -- END -- -- RUN -- chkconfig --add apache chkconfig apache on chmod 755 /etc/init.d/apache -- END -- Disable the default httpd script. -- RUN -- chkconfig httpd off /etc/init.d/httpd stop -- END -- Start things up and hope for the best. -- RUN -- /etc/init.d/apache start /etc/init.d/cyrus start /etc/init.d/mysql restart /etc/init.d/postfix restart -- END -- Log onto web-cyradm: https://your.hostname.cc/cyradm Create a domain for your email server and a few users for that domain. Try to connect and send messages between the users. You will have to use SMTP AUTH to send messages. If it works, celebrate with a Guinness. Maybe buy me one too. :)