# Postfix, Cyrus-imapd, SASL, MySQL, Dspam and friends...

## overkll

I'm setting up an email system and I'd like to get some feedback.  There are many howtos on the subject, but most are using postfixadmin or courier, which I DON'T want to use.  I already have one system that uses Postfix, cyrus-sasl via pam, ldap-auth via pam (nss_ldap), cyrus-imapd, amavisd-new, clamav, postgrey, dspam and squirrelmail.  It works great!

On the new system, this is what I'd like to do:

Postfix - smtpauth via ssl (cyrus-sasl using mysql for users)

Cyrus-Imapd - all user mail, inbox, imap-folders to be managed by cyrus, not postfix vda, virtual, .maildir, or mbox.  Cyrus will offer up pop3 and imap in plain for local connections and ssl/tls for non-local connections.  Cyrus to authenticate against SASL using mysql user table.

Dspam - I'll fit that in.  I've done it before, however, I'd like the cgi web interface (apache) to use the same mysql user table for authentication as Postfix and Cyrus.

Squirrelmail - Will auth against imap, so no problem there, or is it?  I'll use one of the plugins so the user can change their password.  It'd be nice if the user's real name and email address could be automatically added to the user's squirrelmail config on first login.

Web interface for admin of users - This gets sketchy.  I'd like a central interface to manage users (mysql table) and their mailboxes (quota, permissions, etc. via cyrus-imap-admin or something similar).  I've looked around but didn't find anything satisfactory.  Web-cyradm is about the closest that I've found, but it uses a funky "prefix" attribute for the domains, then uses an alias to map the readable username (johndoe) to the funky auto-real-username-scheme (user.001 IIRC).

Now for the questions:

MYSQL: (kind of a noob in this area)

What fields are required in a mysql table for SASL/Postfix/Cyrus?

Are UID's/GID's necessary since they are virtual users?

homedirs and shells aren't necessary either, are they?  virtual users shouldn't have access to a homedir per se, and definitely no shell.

What's the best db type to use? MyISAM?

Can I do this without involving PAM, or will it be necessary to use pam_mysql or the like?

Dspam:

I'm guessing I'll need to use the "virtual-users" use flag with dspam.  Is this the best way or can one point dspam to the central users db?

Migration:

Any wonderful, up-to-date scripts to facilitate moving users' mail/folders from mbox into cyrus?

Feel free to comment or punch holes in my goals.

----------
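The first post asks which columns SASL, Postfix and Cyrus need from a MySQL table and whether UIDs, GIDs, home directories and shells matter for virtual users. The following Python is an added illustration, not code from this thread: it builds an in-memory SQLite table with only the three columns the later test post uses (user, realm, pass), fills it with constructed rows, and compares the lookup the later post's `sql_select` performs (keyed on user alone) with a realm-qualified one. `%u` and `%r` are the username and realm placeholders of the Cyrus SASL sql auxprop plugin; the plugin substitutes them itself, so the demonstration uses parameterized queries instead of string substitution. Table and row contents are assumptions for the example.

```python
import sqlite3

# Constructed sample rows, not data from the original post: the same
# local part exists in two realms (domains) with different passwords.
SAMPLE_USERS = [
    ("johndoe", "example.com", "pw-for-com"),
    ("johndoe", "example.org", "pw-for-org"),
    ("jane", "example.com", "pw-for-jane"),
]

# The select template the later post tests with, and a realm-aware variant.
# %u / %r are the Cyrus SASL sql plugin's username / realm placeholders.
POSTED_SELECT = "SELECT pass FROM virtusers WHERE user = '%u'"
REALM_SELECT = "SELECT pass FROM virtusers WHERE user = '%u' AND realm = '%r'"


def build_db():
    """Create the three-column virtusers table in memory.

    No uid, gid, home or shell columns: nothing here is a system account,
    and (user, realm) is the natural primary key for multi-domain hosting.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE virtusers ("
        " user VARCHAR(100) NOT NULL,"
        " realm VARCHAR(100) NOT NULL,"
        " pass VARCHAR(100) NOT NULL,"
        " PRIMARY KEY (user, realm))"
    )
    conn.executemany("INSERT INTO virtusers VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def split_login(login):
    """'johndoe@example.com' -> ('johndoe', 'example.com'); no '@' -> empty realm."""
    user, _sep, realm = login.partition("@")
    return user, realm


def lookup_ignoring_realm(conn, login):
    """What POSTED_SELECT does: every password row whose user matches, realm ignored."""
    user, _realm = split_login(login)
    rows = conn.execute("SELECT pass FROM virtusers WHERE user = ?", (user,)).fetchall()
    return [row[0] for row in rows]


def lookup_with_realm(conn, login):
    """What REALM_SELECT does: at most one row, keyed on (user, realm)."""
    user, realm = split_login(login)
    row = conn.execute(
        "SELECT pass FROM virtusers WHERE user = ? AND realm = ?", (user, realm)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    # The posted select cannot tell johndoe@example.com from johndoe@example.org.
    print(lookup_ignoring_realm(db, "johndoe@example.org"))
    print(lookup_with_realm(db, "johndoe@example.org"))
```

The point of the comparison: once a second domain is added, a select that ignores the realm column returns more than one candidate password for the same local part, so the realm must be part of the lookup (and of the table's key) for the `realm` column to mean anything.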

## overkll

Hmmmm....

Anyone tryout openmailadmin?  If so, please comment.

It looks promising

----------

## centran

The how-to's have been really upsetting for me as well.

I have built and re-built a couple of mail systems. Every time it is a big hassle; gathering information from several different sources just doesn't cut it.

The gentoo doc for virtual mailhosting was what I first started off with.

http://www.gentoo.org/doc/en/virt-mail-howto.xml

I am now trying to re-build my home mailserver because I never built in spam protection. I find myself once again gathering information from several places.

OpenMailAdmin looks promising. I will have to check it out.

As for the admin side I just use postfixadmin and have all users as virtual users. I use MySql.

For IMAP I have switched to dovecot. I ran into some weird problems with courier in the past but DoveCot has been good so far. The config file is a bit much but once you get over the vastness it is pretty easy.

As for web interface I have switched from squirrelmail to Roundcube. http://roundcube.net/

For spam/virus amavis , clamav, spamassassin

I am thinking of writing a gentoo-wiki.com article when I re-build it.

----------

## overkll

I think I'm going to give openmailadmin a try.  It's up to date, pretty well documented and can use PHP5 and Cyrus 2.3.9.

The thing is, I just want an admin interface that leaves my postfix/cyrus/etc. config files alone.  I can manage those manually and once they're set up, they don't need to be fiddled with.  Same goes for a webmail client.  Most users won't even use the webmail, so I don't need to have anything too fancy or complex.  I came across roundcube as well, but squirrelmail is tried and true for me - no fancy graphics or applets to slow it down or hog bandwidth.

I moved from uw-imap (ugh) to courier (better, but had issues) to cyrus.  So far cyrus has performed very well.  It's also much easier to configure shared folders/mailboxes and can keep track of message status for multiple users accessing the same folder.  I hear dovecot is good as well, but I'm sold on cyrus for now.

Right now, my personal setup is Postfix->Amavisd-new(spam filtering turned off)+clamav->Postfix->Dspam->Cyrus.  It hauls ass, and the spam filtering with dspam is much faster AND more accurate than spamassassin will ever be, not to mention a sweet spam admin/user webgui.

Basically I'd like to stick with what I know works well.  All I really want to change is a central point of user/mailbox administration.  Looks like OpenMailAdmin might be the solution to my problem.  I may try roundcube at a later date.

----------

## overkll

OK, did some testing wrt SMTP and cyrus authentication without PAM (pam_mysql or /etc/passwd).  I was seeking answers to my MySQL/Pam/Auth questions in my original post.  Thought I'd share my findings, and have a post for future reference.

NOTE that this is just for testing.  UID or other fields/tables may be necessary for a fully functional Postfix MTA.

MySQL testing db has one table - virtusers, with 3 fields:

user varchar(100) - username

realm varchar(100) - for domain

pass varchar(100) - clear text password

Relevant Postfix config for smtp auth using cyrus sasl:

```
smtpd_sasl_auth_enable = yes
# application name: libsasl reads <name>.conf from its config dir
smtpd_sasl_path = smtpd
smtpd_sasl2_auth_enable = yes
# never offer ANONYMOUS
smtpd_sasl_security_options = noanonymous
#smtpd_sasl_local_domain =
smtpd_sasl_authenticated_header = yes
# accept the non-standard "AUTH=" syntax of old Outlook/Outlook Express clients
broken_sasl_auth_clients = yes
```

Postfix SMTP auth can be configured two ways - auxprop or saslauthd.

1) auxprop:  uses sql plugin and mysql engine and can do PLAIN, LOGIN, CRAM-MD5, DIGEST-MD5.  auxprop accesses the virtusers table directly via mysql and does not require saslauthd to be running.

2) saslauthd requires Cyrus' /etc/imapd.conf file to be configured and both saslauthd and cyrus must be up and running.  saslauthd is only capable of PLAIN and LOGIN auth methods.  Postfix smtp auth will use imap's LOGIN feature via saslauthd, which in turn uses Cyrus' config to access mysql via auxprop.

Clear as mud?  OK.

========================================================

1) Using auxprop

========================================================

/etc/sasl2/smtp.conf for auxprop:

```
pwcheck_method:auxprop
auxprop_plugin:sql
#mech_list:plain login
sql_engine: mysql
sql_hostnames: localhost
# database credentials live in this file: keep it readable by root and the
# smtpd user only
sql_user: mailadmin
sql_passwd: mailadmin
sql_database: mailtest
# %u = username; the realm column is not consulted by this select
sql_select: SELECT pass FROM virtusers WHERE user = '%u'
```

========================================================

2) Using saslauthd

========================================================

/etc/sasl2/smtp.conf for saslauthd:

```
pwcheck_method:saslauthd
# saslauthd only sees a username and a cleartext password, so only these two
mech_list:plain login
```

/etc/conf.d/saslauthd: uses rimap NOT pam

```
# Config file for /etc/init.d/saslauthd

# Initial (empty) options.
SASLAUTHD_OPTS=""

# Specify the authentications mechanism.
# **NOTE** For a list see: saslauthd -v
# Since 2.1.19, add "-r" to options for old behavior,
# ie. reassemble user and realm to user@realm form.
#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -a pam -r"
SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -a rimap"

# Specify the hostname for remote IMAP server.
# **NOTE** Only needed if rimap auth mechanism is used.
SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -O localhost"

# Specify the number of worker processes to create.
#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -n 5"

# Enable credential cache, set cache size and timeout.
# **NOTE** Size is measured in kilobytes.
#          Timeout is measured in seconds.
#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -c -s 128 -t 30"
```

========================================================

/etc/imapd.conf - settings for both methods and very basic for testing purposes

```
# Don't forget to use chattr +S (if you are using ext[23])
# when you change these directories (read the docs).
configdirectory:        /var/imap
partition-default:      /var/spool/imap
sievedir:               /var/imap/sieve

tls_ca_path:            /etc/ssl/certs
tls_cert_file:          /etc/ssl/cyrus/server.crt
tls_key_file:           /etc/ssl/cyrus/server.key

# Don't use an everyday user as admin.
admins:                 cyrus

hashimapspool:          yes
allowanonymouslogin:    no
# permits cleartext (PLAIN/LOGIN) passwords on non-TLS connections
allowplaintext:         yes
duplicatesuppression:   0

# Allow renaming of top-level mailboxes.
#allowusermoves:         yes

# Use this if sieve-scripts could be in ~user/.sieve.
#sieveusehomedir:       yes

# Use saslauthd if you want to use pam for imap.
# But be warned: login with DIGEST-MD5 or CRAM-MD5
# is not possible using pam.
#sasl_pwcheck_method:   saslauthd

####################################################
## This is a recommended authentication method if you
## emerge cyrus-sasl with 'postgres' or 'mysql'
## To use with mysql database uncomment those lines below.
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sql
## possible values for sasl_sql_engine 'mysql', 'pgsql', 'sqlite'.
sasl_sql_engine: mysql

## all possible values.
#sasl_mech_list: LOGIN PLAIN CRAM-MD5 DIGEST-MD5 NTLM
sasl_mech_list: LOGIN PLAIN CRAM-MD5 DIGEST-MD5
## or limit to CRAM-MD5 only
#sasl_mech_list: CRAM-MD5

## change below to suit your setup.
sasl_sql_user: mailadmin
sasl_sql_passwd: mailadmin
sasl_sql_database: mailtest
sasl_sql_hostnames: localhost
sasl_sql_select: SELECT pass FROM virtusers WHERE user = '%u'
```

----------
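The post above contrasts the two pwcheck routes: auxprop/sql, which can offer CRAM-MD5 and DIGEST-MD5 because it reads the cleartext `pass` column, and saslauthd, which only receives a username and password and so is limited to PLAIN and LOGIN. The following Python is an added example, not code from the post or from Cyrus SASL: it builds the client side of PLAIN, LOGIN and CRAM-MD5 as a mail client would send them to Postfix, and the server side that checks them against a stored cleartext password, so the reason for the mechanism split is visible in code. The test vectors are the published examples from RFC 4616 (PLAIN) and RFC 2195 (CRAM-MD5); the hostname and the `sasl_exchange` helper are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets


def auth_plain(user, password, authzid=""):
    """Client: the base64 blob sent as 'AUTH PLAIN <blob>' (RFC 4616)."""
    raw = authzid.encode() + b"\0" + user.encode() + b"\0" + password.encode()
    return base64.b64encode(raw).decode()


def decode_plain(blob):
    """Server: split a PLAIN blob into (authzid, user, password).

    This is all saslauthd ever gets: a name and a cleartext password.
    """
    parts = base64.b64decode(blob).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN credentials")
    return tuple(p.decode() for p in parts)


def auth_login(user, password):
    """Client: the two base64 answers to AUTH LOGIN's Username:/Password: prompts."""
    return (base64.b64encode(user.encode()).decode(),
            base64.b64encode(password.encode()).decode())


def cram_md5_challenge(hostname):
    """Server: a fresh, unpredictable challenge so a captured response cannot be replayed."""
    return "<%s@%s>" % (secrets.token_hex(8), hostname)


def cram_md5_response(user, password, challenge):
    """Client (RFC 2195): 'user ' + hex(HMAC-MD5(key=password, msg=challenge))."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return "%s %s" % (user, digest)


def cram_md5_verify(stored_password, challenge, response):
    """Server: recompute the HMAC from the stored password, compare in constant time.

    The password never crosses the wire, but the server must hold it in clear
    (a one-way hash of it would not do), which is why the auxprop/sql route
    reads the cleartext 'pass' column and saslauthd cannot offer this mechanism.
    """
    user, _sep, digest = response.partition(" ")
    expected = hmac.new(stored_password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return user if hmac.compare_digest(expected, digest) else None


def sasl_exchange(mech, user, password, stored_password, hostname="mail.example.test"):
    """Run one mechanism end to end; return the accepted username or None (assumed helper)."""
    if mech == "PLAIN":
        _authzid, name, pw = decode_plain(auth_plain(user, password))
        return name if hmac.compare_digest(pw.encode(), stored_password.encode()) else None
    if mech == "LOGIN":
        name_b64, pw_b64 = auth_login(user, password)
        name = base64.b64decode(name_b64).decode()
        pw = base64.b64decode(pw_b64).decode()
        return name if hmac.compare_digest(pw.encode(), stored_password.encode()) else None
    if mech == "CRAM-MD5":
        challenge = cram_md5_challenge(hostname)
        return cram_md5_verify(stored_password, challenge, cram_md5_response(user, password, challenge))
    raise ValueError("unsupported mechanism: %s" % mech)


if __name__ == "__main__":
    # RFC 4616 / RFC 2195 example credentials
    print("AUTH PLAIN", auth_plain("tim", "tanstaaftanstaaf"))
    print(cram_md5_response("tim", "tanstaaftanstaaf", "<1896.697170952@postoffice.reston.mci.net>"))
```

For a live check of the saslauthd route, `testsaslauthd -u user -p pass -s smtp` exercises the same socket Postfix uses. Note also that with `smtpd_sasl_path = smtpd`, libsasl looks for `smtpd.conf` in its config directory, not `smtp.conf`, so the file names in the post and in main.cf need to agree before either route will work.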

