Mail server environment for django-cyradm¶
This documentation is for Debian 10 Busters. This part assumes you have completed GETTING STARTED and are using mysql. The steps for postgresql are similar but not documented here. The document might be helpfull for other linux and BSD systems as well. Please search for other postgresql specific documentation, if you choose to use postgresl.
OVERVIEW¶
pam_sql is used as backend for saslauthd, in order to make saslauthd lookup authentication data in the django-cyradm database. More specific in the djcyardm_mailsers table. The users are virtual users e.g not getting an unix account. The pw_check method of cyrus-imap and postfix is then set to saslauthd. Postfix needs lookup tables, so the postfix installation must support the database of the django-app.
INSTALLATION¶
Installing and configuring pam sql backend¶
sudo apt-get install libpam-mysql
Change the file /etc/pam-mysql.conf ensure the following values are set to match your database settings from earlier.
users.host=localhost
users.database=mail
users.db_user=mail
users.db_passwd=secret
users.table=djcyradm_mailusers
users.user_column=username
users.password_column=password
users.where_clause = is_active=1
users.password_crypt=1
Installing and configuring saslauthd¶
Note that saslauthd caches credentials as default for half an hour to 8 hours depeding on version. So if you need deactivated users to be deactived fast restart saslauthd, or use the -t option or remove the -c option. see man saslauthd. Note that the webinterface does not cache credentials.
sudo apt-get install sasl2-bin
Edit /etc/default/saslauthd and set START to yes and add the -r option
START=yes
OPTIONS="-c -r -m /var/run/saslauthd"
Create /etc/pam.d/imap with the following content:
auth required pam_mysql.so config_file=/etc/pam-mysql.conf
account sufficient pam_mysql.so config_file=/etc/pam-mysql.conf
Restart saslauthd
sudo systemctl restart saslauthd
Test if the cyrus user can authenticate with testsaslauthd, use your cyrus credentials from ADMINUSER and ADMINPASS in settings
sudo /usr/sbin/testsaslauthd -u cyrus -p cyrus -s imap
it should output
0: OK "Success."
Installing and configuring cyrus imapd¶
sudo apt-get install cyrus-imapd
In order to allow cyrus to use the default test cert do:
sudo usermod cyrus -g ssl-cert
Note enter N to keep your modifed /etc/pam.d/imap file when asked edit /etc/imapd.conf ensure that the following options are set
allowplaintext: yes
sasl_mech_list: LOGIN PLAIN
sasl_pwcheck_method: saslauthd
tls_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
tls_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
sasl_pwcheck_method: saslauthd
tls_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
tls_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
defaultdomain: YOUR FQDN
virtdomains: userid
admins: cyrus
Installing and configuring postifx¶
See also: https://wiki.debian.org/PostfixAndSASL#Using_saslauthd_with_PAM
sudo apt-get install postfix postfix-mysql
Create a file /etc/postfix/sasl/smtpd.conf:
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
Copy /etc/default/saslauthd to /etc/default/saslauthd-postfix
sudo cp /etc/default/saslauthd /etc/default/saslauthd-postfix
edit the options in /etc/default/saslauthd-postfix to set the socket in the postfix chroot
OPTIONS="-c -r -m /var/spool/postfix/var/run/saslauthd"
Create required subdirectories in postfix chroot directory:
sudo dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
Add the user “postfix” to the group “sasl”:
sudo adduser postfix sasl
restart saslauthd
systemctl restart saslauthd
Configure postfix to use authentication and to require tls to enable auth (smtpd_tls_auth_only = yes)
sudo postconf -e 'smtpd_tls_auth_only = yes'
sudo postconf -e 'smtpd_sasl_local_domain = $myhostname'
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
restart postfix
sudo systemctl restart postfix
copy the imap pam file to smtp
sudo cp /etc/pam.d/imap /etc/pam.d/smtp
Configure postmap lookup tables¶
sudo postconf -e 'virtual_mailbox_domains = mysql:/etc/postfix/virtual_mailbox_domains.cf'
sudo postconf -e 'virtual_alias_domains= mysql:/etc/postfix/virtual_alias_domains.cf'
sudo postconf -e 'virtual_alias_maps = mysql:/etc/postfix/virtual_alias_maps.cf'
Create the following files:
/etc/postfix/virtual_mailbox_domains.cf
hosts = localhost
dbname = mail
user = mail
password = secret
query = select domain_name from djcyradm_domains where domain_name = '%s' and is_alias_domain !=1;
/etc/postfix/virtual_alias_domains.cf
hosts = localhost
dbname = mail
user = mail
password = secret
query = select domain_name from djcyradm_domains where domain_name = '%s' and is_alias_domain=1;
/etc/postfix/virtual_alias_maps.cf:
hosts = localhost
dbname = mail
user = mail
password = secret
query = select full_dest from djcyradm_virtualdelivery where alias = '%s' and is_active = 1;
restart postfix
sudo systemctl restart postfix
Configure postfix to deliver to cyrus over lmtp¶
in /etc/cyrus.conf set
lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
lmtpchroot cmd="lmtpd" listen="/var/spool/postfix/var/imap/socket/lmtp" prefork=0 maxchild=20
create the cyrus socket dir in the postfix chroot
sudo mkdir -p /var/spool/postfix/var/imap/socket/
sudo chown -R root:postfix /var/spool/postfix/var/imap/
set the lmtp socket and mailbox_transport in postfix
sudo postconf -e 'mailbox_transport = lmtp:unix:/var/imap/socket/lmtp'
sudo postconf -e 'virtual_transport = $mailbox_transport'
restart postfix and cyrus-imap
sudo systemctl restart postfix cyrus-imapd
set DJCYRADM_SYNCIMAP to True in cyradm/settings.py
Important you need the iso-8559-1 locales on your system, at least da_DK.ISO-8859-1 and en_US.ISO-8859-1
Thats it start testing and create your users: http:/127.0.0.1:8000/djcyradm/mail-users
remember to use uwsgi in prodcution and to set DEBUG=False in cyradm/settings.py
https://uwsgi-docs.readthedocs.io/en/latest/
If using nginx be sure to use ssl and set proxy_set_header X-Forwarded-Proto $scheme in order for urls send in recovery and confirmation emails to be correct
BUGS¶
Use the issue tracker at https://github.com/jsm222/django-cyradm