Cyrus Imap Configuration (With LDAP support)

Step by step configuration of Cyrus imap.

Install cyrus imap and supporting packages using yum.


Step I
Enable logging
by adding the following lines to /etc/syslog.conf:
local6.debug    /var/log/imapd.log
auth.debug      /var/log/auth.log
Create the log files
#touch /var/log/imapd.log /var/log/auth.log
#service syslog restart
Step II
Create the file “/etc/imapd.conf”.
Sample file
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus root
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
#sasl_auxprop_plugin: sasldb
sasl_mech_list: PLAIN


Step III
Create the following directories
#cd /var/lib
#mkdir imap (if this dir is already there means no need to create)
#chown cyrus:mail imap
#chmod 750 imap
#cd /var/spool
#mkdir imap (if this dir is already there means no need to create)
#chown cyrus:mail imap
#chmod 750 imap
#su – cyrus
#cd /usr/lib/cyrus-imapd
#cd /var/lib/imap
#chattr +S user quota user/* quota/*
#chattr +S /var/spool/imap /var/spool/imap/*
Step VI
Add the following lines to the “/etc/services” file if they aren’t already there:
pop3      110/tcp
imap      143/tcp
imsp      406/tcp
acap      674/tcp
imaps     993/tcp
pop3s     995/tcp
kpop      1109/tcp
sieve     2000/tcp
lmtp      2003/tcp
fud       4201/udp
Step V
Configuring the Master Process


Choose a configuration from the master/conf directory:
bare-bones server supporting IMAP and POP
server supporting IMAP, POP, the SSL wrapped versions, and the Sieve script management protocol
The same configuration as above, but with some preforked processes for faster processing.
Our configuration (for Murder Backend / typical IMAP servers)
Our configuration (for Murder Frontend servers)
To use normal.conf, do:
#cp /usr/share/doc/cyrus-imapd-x.x.x/conf/normal.conf  /etc/cyrus.conf
Optionally, you can edit /etc/cyrus.conf to disable or enabling certain services, or to tune the number of preforked copies. Be sure not to remove the entries that are labeled required.
Step VI
Configuring Cyrus with OpenSSL
#openssl req -new -nodes -out req.pem -keyout key.pem
#openssl rsa -in key.pem -out new.key.pem
#openssl x509 -in req.pem -out ca-cert -req
-signkey new.key.pem -days 999
#cp new.key.pem /etc/pki/cyrus-imapd/server.pem (or)
#cat ca-cert >> /etc/pki/cyrus-imapd/server.pem
#chown cyrus:mail /etc/pki/cyrus-imapd/server.pem
#chmod 600 /etc/pki/cyrus-imapd/server.pem # Your key should be protected
#echo tls_ca_file: /etc/pki/cyrus-imapd/server.pem >> /etc/imapd.conf
#echo tls_cert_file: /etc/pki/cyrus-imapd/server.pem >> /etc/imapd.conf
#echo tls_key_file: /etc/pki/cyrus-imapd/server.pem >> /etc/imapd.conf
Start saslauthd and imap:
#service saslauthd start
#service cyrus-imapd start
Add an SASL password for cyrus to /etc/sasldb2
#saslpasswd2 cyrus
#chown cyrus:mail /etc/sasldb2
Create mailboxes to match the user accounts
(username1, username2, username3 in this example):
#cyradm –user cyrus localhost
localhost> cm user.username1
localhost> cm user.username2
localhost> cm user.username3
localhost> exit
Step VII
Implementing Cyrus on Redhat with an LDAP backend
Note: It is assumed that you already have an LDAP backend capable of authenticating via uid and userPassword attributes. This does not need to be on the same box as the cyrus imap server. It should have a valid “cyrus” user though.
Note: if you are happy without LDAP authentication, you may skip to the cyradm section below.
Edit /etc/imapd.conf – ensure sasl_pwcheck_method is set to saslauthd. That’s right. EVEN though you will be using pam!
Edit /etc/sysconfig/saslauthd, and add the line MECH=”pam”
Edit /etc/pam.d/imap (and pop if you wish to run that). It should only contain the following lines:
auth        sufficient   /lib/security/
account     sufficient   /lib/security/
Edit /etc/openldap/ldap.conf and add the following lines:
Note: Please see below regarding whether to modify /etc/openldap/ldap.conf or /etc/ldap.conf
host                 your.ldap.server
base                 ou=Your-Account-Container,dc=your,dc=domain,dc=components
scope                sub
pam_login_attribute  uid
Ensure saslauthd and cyrus-imapd are set to start at boot time (chkconfig saslauthd on && chkconfig cyrus-imapd on).
Start both services (service saslauthd start && service cyrus-imapd start).
That’s it – you can now create mailboxes, and auth to them using your LDAP accounts.
Configuring the Mail Transfer Agent
Edit /etc/mail/
DAEMON_OPTIONS(`Port=smtp, Name=MTA’)dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s’)dnl
define(`CYRUSV2_MAILER_ARGS’, `FILE /var/lib/imap/socket/lmtp’)dnl
Edit /etc/mail/access
Restart Sendmail and cyrus-imapd services
#service sendmail restrt
#service cyrus-imapd restart
Detailed configuration files of cyrus.conf, imapd.conf and are posted separately.


1 thought on “Cyrus Imap Configuration (With LDAP support)

Leave a Reply

Your email address will not be published. Required fields are marked *