Because you are using MySQL to authenticate users, you need to restrict network access to Port 3306.
I suggest binding MySQL to the loopback interface 127.0.0.1 only. This makes sure nobody can connect to your MySQL daemon via the network.
Edit /etc/init.d/mysql.server and change line 107 as follows:
Original line:
$bindir/safe_mysqld --datadir=$datadir --pid-file=$pid_file&
Changed line:
$bindir/safe_mysqld --datadir=$datadir --pid-file=$pid_file \
  --bind-address=127.0.0.1&
(Re-)start your MySQL daemon by issuing /etc/init.d/mysql.server start
To verify that the configuration change was successful, issue netstat -an|grep LISTEN. The output should look similar to this:
bond:~ # netstat -an|grep LISTEN
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
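The netstat check above can be scripted so that a listener on a non-loopback address, or a missing listener, is reported explicitly. This is an added example, not part of the original HOWTO; the function name check_bind and the sample lines are constructed, and the parsing assumes Linux-style netstat output as shown on this page.

```shell
#!/bin/sh
# check_bind PORT: read `netstat -an` output on stdin and classify the listeners.
# Exit status: 0 = loopback only, 1 = reachable from the network,
#              2 = nothing listens on PORT (daemon down or wrong port).
check_bind() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            # Split "addr:port" at the last colon so IPv6 forms like :::3306 work.
            pos = match($4, /:[0-9]+$/)
            if (pos == 0 || substr($4, pos + 1) != port) next
            seen = 1
            addr = substr($4, 1, pos - 1)
            if (addr !~ /^127\./ && addr != "::1") {
                exposed = 1
                print "exposed listener: " $4
            }
        }
        END {
            if (!seen) exit 2
            exit (exposed ? 1 : 0)
        }
    '
}

# Constructed sample output, not captured from a real host.
SAMPLE_GOOD='tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN'
SAMPLE_BAD='tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp6 0 0 :::3306 :::* LISTEN'

for sample in "$SAMPLE_GOOD" "$SAMPLE_BAD"; do
    if printf '%s\n' "$sample" | check_bind 3306; then
        echo "port 3306: loopback only"
    else
        echo "port 3306: not loopback-only (status $?)"
    fi
done
# On a live host: netstat -an | check_bind 3306
```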
Now we need to create the database and tables for Postfix and Web-cyradm and add a user to the database.
Web-cyradm comes with two SQL files: insertuser.sql and create.sql. The first inserts the database user into the database »mysql«, the second creates the database »mail« and the needed tables.
The password for the user "mail" in this example is "secret". Please insert whatever user and password you like.
First you must add the user by executing /usr/local/mysql/bin/mysql < insertuser.sql. After the new DB user is successfully added, you need to reload MySQL with mysqladmin reload.
To create the needed tables in the database:
/usr/local/mysql/bin/mysql mail -u mail -p < \
  /usr/local/apache/htdocs/web-cyradm/create.sql
Now let's populate our tables and insert the first admin user. This user is needed to log in to Web-cyradm.
Execute /usr/local/mysql/bin/mysql mail -p and type the following SQL query:
insert into adminuser (username, password) values ('admin', 'test');
Please note, this setup for web-cyradm is fully compatible with replex, another project. Please see http://www.replex.org for more details.
Now we need to make sure that PAM knows how to authenticate the Cyrus users.
You have to create the file /etc/pam.d/imap with the following entries:
auth sufficient pam_mysql.so user=mail passwd=secret host=localhost db=mail table=accountuser usercolumn=username passwdcolumn=password crypt=0
auth sufficient pam_unix_auth.so
account required pam_mysql.so user=mail passwd=secret host=localhost db=mail table=accountuser usercolumn=username passwdcolumn=password crypt=0
account sufficient pam_unix_acct.so
The lines containing pam_unix_auth.so and pam_unix_acct.so are only needed if you are migrating from wu-IMAP to Cyrus. This way users can authenticate with their old Unix password as well as their new MySQL-based password.
If you will also use Cyrus for the POP service, just cp /etc/pam.d/imap /etc/pam.d/pop
Postfix needs two major config files: main.cf and master.cf. Both now need our attention.
In master.cf you need to change just one line:
old:
argv=/cyrus/bin/deliver
new:
argv=/usr/cyrus/bin/deliver
In main.cf you need to change some more things like hostname, relaying, alias lookups etc.
First change hostname:
myhostname = foo.bar.org
mydestination
Here you have to put all domain names that are local (corresponding to sendmail's /etc/mail/sendmail.cw). If you have multiple domains, separate them with commas.
mydestination = foo.bar.org, example.com, furchbar-grausam.ch, whatever.domain.tld
relayhost
Here you define where to deliver outgoing mails. If you do not provide any host, mails are delivered directly to the destination SMTP host. Usually your relayhosts are your provider's SMTP servers.
relayhost = relay01.foobar.net relay02.foobar.net relay03.foobar.net
mailbox_transport
Here you define how the mails accepted for local delivery should be handled. In our situation mails should be delivered by the Cyrus delivery program.
mailbox_transport = cyrus
At the end of the file you need to add:
virtual_maps = hash:/etc/postfix/virtual, mysql:/etc/postfix/mysql-virtual.cf
Outgoing addresses should be rewritten from e.g. test0002@domain to user.name@virtualhost.com. This is important if you want to use a webmail interface.
sender_canonical_maps = mysql:/etc/postfix/mysql-canonical.cf
Now you need to create the file /etc/postfix/mysql-virtual.cf:
#
# mysql config file for alias lookups on postfix
# comments are ok.
#
# the user name and password to log into the mysql server
hosts = localhost
user = mail
password = secret
# the database name on the servers
dbname = mail
# the table name
table = virtual
#
select_field = dest
where_field = alias
additional_conditions = and status = '1'
And the file /etc/postfix/mysql-canonical.cf:
# mysql config file for canonical lookups on postfix
# comments are ok.
#
# the user name and password to log into the mysql server
hosts = localhost
user = mail
password = secret
# the database name on the servers
dbname = mail
# the table name
table = virtual
#
select_field = alias
where_field = username
# Return the first match only
additional_conditions = and status = '1' limit 1
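To see what these map files ask of MySQL, the following added example (not part of the original HOWTO) turns the table, select_field, where_field and additional_conditions entries into the SELECT statement they describe for one lookup key, so it can be tried by hand in the mysql client. The function names map_query and write_sample_map and the sample file are constructed for illustration; quotes in the key are doubled for pasting, which is not necessarily how Postfix itself escapes the key.

```shell
#!/bin/sh
# map_query FILE KEY: print the SELECT described by the table, select_field,
# where_field and additional_conditions entries of a map file, for one lookup key.
map_query() {
    awk -v key="$2" -v q="'" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            name  = substr($0, 1, eq - 1)
            value = substr($0, eq + 1)          # keeps later "=" signs intact
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            conf[name] = value
        }
        END {
            if (conf["table"] == "" || conf["select_field"] == "" || conf["where_field"] == "")
                exit 1                          # incomplete map file
            gsub(q, q q, key)                   # double quotes for pasting into mysql
            printf "SELECT %s FROM %s WHERE %s = %s%s%s %s;\n", conf["select_field"],
                conf["table"], conf["where_field"], q, key, q, conf["additional_conditions"]
        }
    ' "$1"
}

# Constructed sample modelled on the alias map above, with a placeholder password.
write_sample_map() {
    cat > "$1" <<'EOF'
# mysql config file for alias lookups on postfix
hosts = localhost
user = mail
password = CHANGE_ME
dbname = mail
table = virtual
select_field = dest
where_field = alias
additional_conditions = and status = '1'
EOF
}

tmp=$(mktemp) && write_sample_map "$tmp"
map_query "$tmp" "info@example.com"
rm -f "$tmp"
```

The additional_conditions value is appended to the statement verbatim, which is why the canonical map can carry its limit 1 there.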
Only a few changes are needed. Edit /etc/imapd.conf and make sure that the following entry is present:
sasl_pwcheck_method: pam
This tells Cyrus IMAP to authenticate using PAM.
If you want to enable Cyrus' TLS/SSL facilities you have to create a certificate first. This requires an OpenSSL installation.
openssl req -new -nodes -out req.pem -keyout key.pem
openssl rsa -in key.pem -out new.key.pem
openssl x509 -in req.pem -out ca-cert -req \
  -signkey new.key.pem -days 999
cp new.key.pem /var/imap/server.pem
# server.pem is used as both key and certificate file below, so it needs the certificate too
cat ca-cert >> /var/imap/server.pem
# the file holds the private key; "cyrus" as the account Cyrus runs under is an assumption
chown cyrus /var/imap/server.pem
chmod 600 /var/imap/server.pem
echo tls_cert_file: /var/imap/server.pem >> /etc/imapd.conf
echo tls_key_file: /var/imap/server.pem >> /etc/imapd.conf
If you want to use Sieve (a mail filtering language), you must change an entry in /etc/services. Add or change the following line:
sieve 2000/tcp
You just need to make some changes in /usr/local/apache/htdocs/web-cyradm/config.inc.php
cp config.inc.php-dist config.inc.php
Edit the file and change the password and database name to the appropriate values.