HOWTO: Cyrus + Sendmail + Mysql
This HOWTO explains how to install Cyrus with support for MySQL authentication on RHEL 5.
Install the packages (via yum):
cyrus-imapd, cyrus-imapd-perl, cyrus-imapd-utils, cyrus-sasl-sql
mysql-server
service mysqld start
service cyrus-imapd start
Configuring MySQL
Create the database and the administrator:
CREATE DATABASE cyrus;
USE cyrus;
CREATE TABLE user (user varchar(100), password varchar(100), domain varchar(100), PRIMARY KEY(user,domain));
INSERT INTO user VALUES ('cyrus','secret','host.example.com');
GRANT SELECT ON cyrus.* TO cyrus@localhost IDENTIFIED BY 'secret';
Create the other users:
INSERT INTO user VALUES ('alice','secret','example.com');
INSERT INTO user VALUES ('bob','secret','example.com');
Note: it is a good idea to enable the MySQL query log (log=/var/log/mysql.log in /etc/my.cnf) for debugging in case of problems.
Configure Cyrus: /etc/imapd.conf
imapd.conf
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
#sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
# auth
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sql
sasl_sql_engine: mysql
sasl_sql_hostnames: example.com
sasl_sql_database: dbname
sasl_sql_user: dbuser
sasl_sql_passwd: dbsecret
sasl_sql_select: SELECT password FROM user WHERE user = '%u' AND domain = '%r'
sasl_sql_verbose: yes
# other options
altnamespace: yes
unixhierarchysep: yes
servername: host.example.com
virtdomains: userid
defaultdomain: example.com
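The lookup that sasl_sql_select performs, as an added example that is not part of the original HOWTO: it runs the page's query against an in-memory SQLite copy of the user table to show that a login authenticates only when the row's domain equals the realm. The passwords and the function names are constructed, and the fallback of an unqualified login to the servername realm is an assumption, suggested by the admin row above being stored under host.example.com.

```python
import sqlite3

SELECT = "SELECT password FROM user WHERE user = '%u' AND domain = '%r'"  # from the page
SERVERNAME = "host.example.com"  # servername: in the page's imapd.conf

def split_login(login, fallback_realm=SERVERNAME):
    """'bob@example.com' -> ('bob', 'example.com'); an unqualified login gets
    fallback_realm (assumption: the server name stands in as the realm)."""
    user, sep, realm = login.rpartition("@")
    return (user, realm) if sep else (login, fallback_realm)

def build_db():
    """In-memory stand-in for the page's cyrus.user table (passwords constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (user varchar(100), password varchar(100), "
               "domain varchar(100), PRIMARY KEY(user,domain))")
    db.executemany("INSERT INTO user VALUES (?,?,?)", [
        ("cyrus", "admin-pw", "host.example.com"),
        ("alice", "alice-pw", "example.com"),
        ("bob", "bob-pw", "example.com"),
    ])
    return db

def lookup(db, login):
    """Run the page's query for one login; None means no row, so authentication fails."""
    user, realm = split_login(login)
    # Bind parameters take the place of the '%u' and '%r' slots in the template.
    query = SELECT.replace("'%u'", "?").replace("'%r'", "?")
    row = db.execute(query, (user, realm)).fetchone()
    return row[0] if row else None
```

Under that assumption an unqualified "alice" finds no row, because her row is stored under example.com and not under the server name.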
Create the users' mailboxes with the cyradm administration CLI (the cm commands are entered at its prompt):
cyradm --user cyrus localhost
cm user/bob@example.com
cm user/alice@example.com
Note: If the domain is the defaultdomain, it is not necessary to write example.com.
Note: Whether "/" or "." is used as the separator depends on unixhierarchysep.
Sendmail configuration: /etc/mail/sendmail.mc
cyrusv2 must be defined as the local mailer, and the FILE path must be changed because it does not match the default that ships with cyrusv2. Finally, replace procmail with cyrusv2 as the mailer.
sendmail.mc
define(`confLOCAL_MAILER', `cyrusv2')dnl
define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
dnl MAILER(procmail)dnl
MAILER(cyrusv2)dnl
Note: normally it is enough to uncomment the 3 cyrus lines and comment out the 1 procmail line.
The problem is that sendmail strips the domain when it hands the message to Cyrus, so there is no support for virtual domains. The mailer /usr/share/sendmail-cf/mailer/cyrusv2.m4 can be modified to support this:
27c27 < S=EnvFromSMTP/HdrFromL, R=EnvToL/HdrToL, E=\r\n, --- > S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\r\n,
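Review bot: the replacement R= value names a single ruleset (EnvToSMTP) while the S= field and the original R= field each give an envelope/header pair, so either write the header recipient ruleset out explicitly or state that the single ruleset is intended. The change is also addressed only by line number (27c27) with no context lines; confirm that line 27 of the installed cyrusv2.m4 is the S=/R= line before applying it.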
Or install cyrusv2d, as documented on a page that no longer exists: http://anfi.homeunix.net/sendmail/cyrusv2.html
See: http://cyrusimap.web.cmu.edu/imapd/install-virtdomains.html
Configuring MySQL authentication in Sendmail
/usr/lib/sasl2/Sendmail.conf must be edited so that it uses auxprop with the sql plugin instead of saslauthd.
/usr/lib/sasl2/Sendmail.conf
#pwcheck_method:saslauthd
pwcheck_method: auxprop
auxprop_plugin: sql
sql_engine: mysql
sql_hostnames: localhost
sql_database: dbname
sql_user: dbuser
sql_passwd: dbsecret
sql_select: SELECT password FROM user WHERE user = '%u' and domain = '%r'
sql_verbose: yes
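A check for the security-relevant settings in /etc/imapd.conf and /usr/lib/sasl2/Sendmail.conf as configured above, added here as an example and not part of the original HOWTO. The function names and finding codes are hypothetical; allowplaintext is the imapd.conf option that governs cleartext logins without TLS, and the sample text is an excerpt of the page's imapd.conf with its placeholder values.

```python
import os
import stat

# Excerpt of the page's imapd.conf; values are the page's placeholders.
SAMPLE_IMAPD_CONF = """\
admins: cyrus
sasl_mech_list: PLAIN
# auth
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sql
sasl_sql_passwd: dbsecret
sasl_sql_select: SELECT password FROM user WHERE user = '%u' AND domain = '%r'
sasl_sql_verbose: yes
"""

def parse_conf(text):
    """Parse 'key: value' lines; imapd.conf's 'sasl_' prefix is dropped so that
    the same checks apply to /usr/lib/sasl2/Sendmail.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            key = key.strip().lower()
            conf[key[5:] if key.startswith("sasl_") else key] = value.strip()
    return conf

def audit(text, mode):
    """Return finding codes for one config file, given its text and permission bits."""
    conf = parse_conf(text)
    findings = []
    if "sql_passwd" in conf and mode & stat.S_IROTH:
        findings.append("db-password-world-readable")
    if conf.get("pwcheck_method") == "auxprop" and conf.get("auxprop_plugin") == "sql":
        # auxprop hands the stored value to SASL for comparison: the column is cleartext
        findings.append("cleartext-passwords-in-db")
    if conf.get("sql_verbose", "no").lower() in ("yes", "1", "on", "true"):
        findings.append("sql-verbose-left-on")
    mechs = conf.get("mech_list", "").upper().split()
    if "PLAIN" in mechs and conf.get("allowplaintext", "").lower() not in ("no", "0", "off", "false"):
        findings.append("allowplaintext-not-disabled")
    return findings

def audit_file(path):
    """Audit a file on disk using its real permission bits."""
    with open(path) as fh:
        return audit(fh.read(), stat.S_IMODE(os.stat(path).st_mode))
```

On a live host, call audit_file() on each of the two files; an empty list means none of these four conditions was found.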
Some more modifications to /etc/sendmail.mc; add at the end of the file:
LOCAL_CONFIG
ESASL_PATH=/usr/lib/sasl2
Tip: install certificates and configure authentication in sendmail.mc:
define(`confAUTH_OPTIONS', `A y p')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl