FreeBSD で Cyrus IMAP を使う

前提条件

Cyrus IMAP 2.5
ユーザはPAMで認証

過去のCyrus IMAP 2.3のインストールはこちら

Cyrus IMAP 2.5 のインストール

pkgを使ってインストールします。

# pkg install cyrus-sasl-saslauthd
# pkg install cyrus-imapd25

/usr/local/etc/cyrus.conf

# standard standalone server implementation

START {
  # do not delete this entry!
  recover       cmd="ctl_cyrusdb -r"

  # this is only necessary if using idled for IMAP IDLE
  idled                cmd="idled"
}

# UNIX sockets start with a slash and are put into /var/imap/socket
SERVICES {
  # add or remove based on preferences
  imap          cmd="imapd" listen="imap" prefork=0
  imaps         cmd="imapd -s" listen="imaps" prefork=0
  pop3          cmd="pop3d" listen="pop3" prefork=0
  pop3s         cmd="pop3d -s" listen="pop3s" prefork=0
  sieve         cmd="timsieved" listen="sieve" prefork=0

  # these are only necessary if receiving/exporting usenet via NNTP
#  nntp         cmd="nntpd" listen="nntp" prefork=0
#  nntps                cmd="nntpd -s" listen="nntps" prefork=0

  # at least one LMTP is required for delivery
#  lmtp         cmd="lmtpd" listen="lmtp" prefork=0
  lmtpunix      cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0

  # this is required if using notifications
  notify       cmd="notifyd" listen="/var/imap/socket/notify" proto="udp" prefork=1
}

EVENTS {
  # this is required
  checkpoint    cmd="ctl_cyrusdb -c" period=30

  # this is only necessary if using duplicate delivery suppression,
  # Sieve or NNTP
  delprune      cmd="cyr_expire -E 3" at=0400

  # this is only necessary if caching TLS sessions
  tlsprune      cmd="tls_prune" at=0400
}

/usr/local/etc/imapd.conf

admins: cyrusadmin
configdirectory: /var/imap
partition-default: /var/spool/imap
sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
sasl_pwcheck_method: auxprop saslauthd
sasl_auxprop_plugin: sasldb
sasl_ldapdb_uri: ldap://127.0.0.1
unixhierarchysep: yes
sievedir: /var/imap/sieve
sieveusehomedir: true
tls_client_ca_file: /etc/mail/certs/cacert.pem
tls_client_ca_dir: /etc/mail/certs
tls_server_key: /etc/mail/certs/host.key2
tls_server_cert: /etc/mail/certs/host.cert
tls_ciphers: HIGH:MEDIUM:-SSLv3:-SSLv2

PKI証明書の用意

CA証明書とサーバー証明書をSendmailと共用しますので、秘密鍵のみコピーして専用に用意します。

# cd /etc/mail/certs      
# cp -p host.key host.key2
# chmod 640 host.key2
# chown cyrus:cyrus host.key2

Sendmailの設定

sendmail.mcに以下を追加します。

define(`confLOCAL_MAILER',`cyrusv2')dnl
define(`CYRUSV2_MAILER_ARGS', `FILE /var/imap/socket/lmtp')dnl
MAILER(cyrusv2)

sendmail.cfを作り直します。

# cd /etc/mail
# make sendmail.cf

ディレクトリ作成

# /usr/local/cyrus/bin/mkimap
# chmod 750 /var/spool/imap

管理ユーザ作成

# saslpasswd2 -c cyrusadmin
Password: ********
Again (for verification): ********
# chown cyrus:cyrus /usr/local/etc/sasldb2.db

起動

/etc/rc.confに以下を追加します。

sendmail_enable="YES"
saslauthd_enable="YES"
cyrus_imapd_enable="YES"

各daemonを起動します。

# service sendmail restart
# service saslauthd start
# service imapd start

ユーザスプール作成

管理モードに入ってユーザメールボックスを作成します。

# cyradm --user cyrusadmin localhost
Password: ******
localhost> cm user/username
localhost> quit

PAM 経由の LDAP 認証

/etc/pam.d/imap

#
# PAM configuration for the "imap" service
#

# auth
#auth		sufficient	pam_krb5.so		no_warn try_first_pass
#auth		sufficient	pam_ssh.so		no_warn try_first_pass
auth		sufficient	pam_ldap.so		no_warn try_first_pass
auth		required	pam_unix.so		no_warn try_first_pass

# account
#account	required	pam_nologin.so
account		sufficient	pam_ldap.so
account		required	pam_unix.so

saslauthdユーザ認証テスト

saslauthd経由で認証できるかテストします。

# testsaslauthd -u username -p password
0: OK "Success."

TLSでの動作確認

opensslで確認してみます。

% openssl s_client -connect imap.next-hop.net:993 -CAfile /usr/local/etc/letsencrypt/live/imap.next-hop.net/fullchain.pem
...<省略>
Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5 AUTH=DIGEST-MD5 SASL-IR] imap Cyrus IMAP 2.5.10 server ready

参考

RFC3028 - Sieve: A Mail Filtering Language