j’ai installé les différents paquets relatifs à postfix cyrus sasl, mais ct un peu chaud;en gros voila ce que j’ai fait (mais j ai pas fini : sieve, spamassassin, tls, antivirus…) et une inscription gratuite à no-ip.org; bon courage
/etc/postfix/main.cf
See /usr/share/postfix/main.cf.dist for a commented, more complete version
Debian specific: Specifying a file name will cause the first
line of that file to be used as the name. The Debian default
is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
appending .domain is the MUA’s job.
append_dot_mydomain = no
Uncomment the next line to generate “delayed mail” warnings
#delay_warning_time = 4h
myhostname = mail.domain.fr
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = domain.fr
mydestination = mail.domain.fr, domain.fr, localhost
mydomain = domain.fr
mynetworks = 192.168.0.0/24,127.0.0.0/8
mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp
recipient_delimiter = +
inet_interfaces = all
##################################################################
default_transport = smtp
#strict_rfc821_envelopes = no
##################################################################
reecriture adr recue par postfix de l’ext
virtual_alias_domains = oldpc.no-ip.org # firewall en entrée du réseau
virtual_alias_maps = hash:/etc/postfix/virtual
##################################################################
smtp_generic_maps = hash:/etc/postfix/generic
##################################################################
sasl
/usr/share/doc/cyrus-doc-2.2/README.postfix.gz
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination
##############################################################################
/etc/postfix/master.cf
Postfix master process configuration file. For details on the format
of the file, see the Postfix master(5) manual page.
==========================================================================
service type private unpriv chroot wakeup maxproc command + args
(yes) (yes) (yes) (never) (100)
==========================================================================
smtp inet n - - - - smtpd
#submission inet n - - - - smtpd
-o smtpd_etrn_restrictions=reject
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps inet n - - - - smtpd
-o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet n - - - - smtpd
-o smtpd_etrn_restrictions=reject
-o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - - 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - - - - smtp
When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - - - - smtp
-o fallback_relay=
-o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
====================================================================
Interfaces to non-Postfix software. Be sure to examine the manual
pages of the non-Postfix software to find out what options it wants.
Many of the following services use the Postfix pipe(8) delivery
agent. See the pipe(8) man page for information about ${recipient}
and other message envelope options.
====================================================================
maildrop. See the Postfix MAILDROP_README file for details.
Also specify in main.cf: maildrop_destination_recipient_limit=1
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
See the Postfix UUCP_README file for configuration details.
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
Other external delivery methods.
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
##############################################################################
/etc/default/saslauthd
This needs to be uncommented before saslauthd will be run automatically
START=yes
You must specify the authentication mechanisms you wish to use.
This defaults to “pam” for PAM support, but may also include
“shadow” or “sasldb”, like this:
MECHANISMS=“pam shadow”
MECHANISMS=“pam sasldb”
/etc/cyrus.conf
Debian defaults for Cyrus IMAP server/cluster implementation
see cyrus.conf(5) for more information
All the tcp services are tcpd-wrapped. see hosts_access(5)
$Id: cyrus.conf 306 2006-03-04 23:30:43Z sven $
START {
# do not delete this entry!
recover cmd="/usr/sbin/ctl_cyrusdb -r"
# this is only necessary if using idled for IMAP IDLE
# this is NOT to be enabled right now in Debian builds
#idled cmd="idled"
# this is useful on backend nodes of a Murder cluster
# it causes the backend to syncronize its mailbox list with
# the mupdate master upon startup
#mupdatepush cmd="/usr/sbin/ctl_mboxlist -m"
# this is recommended if using duplicate delivery suppression
delprune cmd="/usr/sbin/ctl_deliver -E 3"
# this is recommended if caching TLS sessions
tlsprune cmd="/usr/sbin/tls_prune"
}
UNIX sockets start with a slash and are absolute paths
you can use a maxchild=# to limit the maximum number of forks of a service
you can use babysit=true and maxforkrate=# to keep tight tabs on the service
most services also accept -U (limit number of reuses) and -T (timeout)
SERVICES {
# — Normal cyrus spool, or Murder backends —
# add or remove based on preferences
imap cmd=“imapd -U 30” listen=“imap” prefork=0 maxchild=100
#imaps cmd=“imapd -s -U 30” listen=“imaps” prefork=0 maxchild=100
pop3 cmd=“pop3d -U 30” listen=“pop3” prefork=0 maxchild=50
#pop3s cmd=“pop3d -s -U 30” listen=“pop3s” prefork=0 maxchild=50
nntp cmd=“nntpd -U 30” listen=“nntp” prefork=0 maxchild=100
#nntps cmd=“nntpd -s -U 30” listen=“nntps” prefork=0 maxchild=100
# At least one form of LMTP is required for delivery
# (you must keep the Unix socket name in sync with imap.conf)
#lmtp cmd="lmtpd" listen="localhost:lmtp" prefork=0 maxchild=20
lmtpunix cmd="lmtpd" listen="/var/run/cyrus/socket/lmtp" prefork=0 maxchild=20
# ----------------------------------------------
# useful if you need to give users remote access to sieve
# by default, we limit this to localhost in Debian
sieve cmd="timsieved" listen="localhost:sieve" prefork=0 maxchild=100
# this one is needed for the notification services
notify cmd="notifyd" listen="/var/run/cyrus/socket/notify" proto="udp" prefork=1
# --- Murder frontends -------------------------
# enable these and disable the matching services above,
# except for sieve (which deals automatically with Murder)
# mupdate database service - must prefork at least 1
# (mupdate slaves)
#mupdate cmd="mupdate" listen=3905 prefork=1
# (mupdate master, only one in the entire cluster)
#mupdate cmd="mupdate -m" listen=3905 prefork=1
# proxies that will connect to the backends
#imap cmd="proxyd" listen="imap" prefork=0 maxchild=100
#imaps cmd="proxyd -s" listen="imaps" prefork=0 maxchild=100
#pop3 cmd="pop3proxyd" listen="pop3" prefork=0 maxchild=50
#pop3s cmd="pop3proxyd -s" listen="pop3s" prefork=0 maxchild=50
#lmtp cmd="lmtpproxyd" listen="lmtp" prefork=1 maxchild=20
# ----------------------------------------------
}
EVENTS {
# this is required
checkpoint cmd="/usr/sbin/ctl_cyrusdb -c" period=30
# this is only necessary if using duplicate delivery suppression
delprune cmd="/usr/sbin/ctl_deliver -E 3" at=0401
# this is only necessary if caching TLS sessions
tlsprune cmd="/usr/sbin/tls_prune" at=0401
# indexing of mailboxs for server side fulltext searches
# reindex changed mailboxes (fulltext) approximately every other hour
#squatter_1 cmd="/usr/bin/nice -n 19 /usr/sbin/squatter -s" period=120
# reindex all mailboxes (fulltext) daily
#squatter_a cmd="/usr/sbin/squatter" at=0517
}
##############################################################################
/etc/imapd.conf
Debian Cyrus imapd.conf
$Id: imapd.conf 321 2006-03-27 23:15:15Z astronut $
See imapd.conf(5) for more information and more options
Configuration directory
configdirectory: /var/lib/cyrus
Which partition to use for default mailboxes
defaultpartition: default
partition-default: /var/spool/cyrus/mail
News setup
partition-news: /var/spool/cyrus/news
newsspool: /var/spool/news
Alternate namespace
If enabled, activate the alternate namespace as documented in
/usr/share/doc/cyrus-doc-2.2/html/altnamespace.html, where an user’s
subfolders are in the same level as the INBOX
See also userprefix and sharedprefix on imapd.conf(5)
altnamespace: no
UNIX Hierarchy Convention
Set to yes, and cyrus will accept dots in names, and use the forward
slash “/” to delimit levels of the hierarchy. This is done by converting
internally all dots to “^”, and all “/” to dots. So the “rabbit.holes”
mailbox of user “helmer.fudd” is stored in “user.elmer^fud.rabbit^holes”
unixhierarchysep: no
Rejecting illegal characters in headers
Headers of RFC2882 messages must not have characters with the 8th bit
set. However, too many badly-written MUAs generate this, including most
spamware. Enable this to reject such messages.
#reject8bit: yes
Munging illegal characters in headers
Headers of RFC2882 messages must not have characters with the 8th bit
set. However, too many badly-written MUAs generate this, including most
spamware. If you kept reject8bit disabled, you can choose to leave the
crappage untouched by disabling this (if you don’t care that IMAP SEARCH
won’t work right anymore.
#munge8bit: no
Forcing recipient user to lowercase
Cyrus 2.2 is case-sensitive. If all your mail users are in lowercase, it is
probably a very good idea to set lmtp_downcase_rcpt to true. This is set by
default, per RFC2821. This was not set by default in debian versions up to
and including 2.2.12-4.
lmtp_downcase_rcpt: yes
Uncomment the following and add the space-separated users who
have admin rights for all services.
admins: cyrus
Space-separated list of users that have lmtp “admin” status (i.e. that
can deliver email through TCP/IP lmtp) in addition to those in the
admins: entry above
#lmtp_admins: postman
Space-separated list of users that have mupdate “admin” status, in
addition to those in the admins: entry above. Note that mupdate slaves and
backends in a Murder cluster need to autenticate against the mupdate master
as admin users.
#mupdate_admins: mupdateman
Space-separated list of users that have imapd “admin” status, in
addition to those in the admins: entry above
#imap_admins: cyrus
Space-separated list of users that have sieve “admin” status, in
addition to those in the admins: entry above
#sieve_admins: cyrus
List of users and groups that are allowed to proxy for other users,
seperated by spaces. Any user listed in this will be allowed to login
for any other user. Like “admins:” above, you can have imap_proxyservers
and sieve_proxyservers.
#proxyservers: cyrus
No anonymous logins
allowanonymouslogin: no
Minimum time between POP mail fetches in minutes
popminpoll: 1
If nonzero, normal users may create their own IMAP accounts by creating
the mailbox INBOX. The user’s quota is set to the value if it is positive,
otherwise the user has unlimited quota.
autocreatequota: 0
umask used by Cyrus programs
umask: 077
Sendmail binary location
DUE TO A BUG, Cyrus sends CRLF EOLs to this program. This breaks Exim 3.
For now, to work around the bug, set this to a wrapper that calls
/usr/sbin/sendmail -dropcr instead if you use Exim 3.
#sendmail: /usr/sbin/sendmail
If enabled, cyrdeliver will look for Sieve scripts in user’s home
directories: ~user/.sieve.
sieveusehomedir: false
If sieveusehomedir is false, this directory is searched for Sieve scripts.
sievedir: /var/spool/sieve
notifyd(8) method to use for “MAIL” notifications. If not set, “MAIL”
notifications are disabled. Valid methods are: null, log, zephyr
#mailnotifier: zephyr
notifyd(8) method to use for “SIEVE” notifications. If not set, “SIEVE”
notifications are disabled. This method is only used when no method is
specified in the script. Valid methods are null, log, zephyr, mailto
#sievenotifier: zephyr
DRAC (pop-before-smtp, imap-before-smtp) support
Set dracinterval to the time in minutes to call DRAC while a user is
connected to the imap/pop services. Set to 0 to disable DRAC (default)
Set drachost to the host where the rpc drac service is running
#dracinterval: 0
#drachost: localhost
If enabled, the partitions will also be hashed, in addition to the hashing
done on configuration directories. This is recommended if one partition has a
very bushy mailbox tree.
hashimapspool: true
Allow plaintext logins by default (SASL PLAIN)
allowplaintext: yes
Force PLAIN/LOGIN authentication only
(you need to uncomment this if you are not using an auxprop-based SASL
mechanism. saslauthd users, that means you!). And pay attention to
sasl_minimum_layer and allowapop below, too.
sasl_mech_list: PLAIN
Allow use of the POP3 APOP authentication command.
Note that this command requires that the plaintext passwords are
available in a SASL auxprop backend (eg. sasldb), and that the system
can provide enough entropy (eg. from /dev/urandom) to create a challenge
in the banner.
allowapop: no
The minimum SSF that the server will allow a client to negotiate. A
value of 1 requires integrity protection; any higher value requires some
amount of encryption.
sasl_minimum_layer: 0
The maximum SSF that the server will allow a client to negotiate. A
value of 1 requires integrity protection; any higher value requires some
amount of encryption.
#sasl_maximum_layer: 256
List of remote realms whose users may log in using cross-realm
authentications. Seperate each realm name by a space. A cross-realm
identity is considered any identity returned by SASL with an “@” in it.
NOTE: To support multiple virtual domains on the same interface/IP,
you need to list them all as loginreals. If you don’t list them here,
(most of) your users probably won’t be able to log in.
#loginrealms: example.com
Enable virtual domain support. If enabled, the user’s domain will
be determined by splitting a fully qualified userid at the last ‘@’
or ‘%’ symbol. If the userid is unqualified, and the virtdomains
option is set to “on”, then the domain will be determined by doing
a reverse lookup on the IP address of the incoming network
interface, otherwise the user is assumed to be in the default
domain (if set).
#virtdomains: userid
The default domain for virtual domain support
If the domain of a user can’t be taken from its login and it can’t
be determined by doing a reverse lookup on the interface IP, this
domain is used.
#defaultdomain:
SASL library options (these are handled directly by the SASL libraries,
refer to SASL documentation for an up-to-date list of these)
The mechanism(s) used by the server to verify plaintext passwords. Possible
values are “saslauthd”, “auxprop”, “pwcheck” and “alwaystrue”. They
are tried in order, you can specify more than one, separated by spaces.
Do note that, since sasl will be run as user cyrus, you may have a lot of
trouble to set this up right.
#sasl_pwcheck_method: saslauthd auxprop pwcheck
#sasl_pwcheck_method: auxprop
#sasl_pwcheck_method: pwcheck
j ajoute auxprop sinon cyradm --user cyrus localhost ne marche pas
sasl_pwcheck_method: saslauthd auxprop
What auxpropd plugins to load, if using sasl_pwcheck_method: auxprop
by default, all plugins are tried (which is probably NOT what you want).
sasl_auxprop_plugin: sasldb
If enabled, the SASL library will automatically create authentication secrets
when given a plaintext password. Refer to SASL documentation
sasl_auto_transition: no
SSL/TLS Options
File containing the global certificate used for ALL services (imap, pop3,
lmtp, sieve)
#tls_cert_file: /etc/ssl/certs/cyrus-global.pem
File containing the private key belonging to the global server certificate.
#tls_key_file: /etc/ssl/private/cyrus-global.key
File containing the certificate used for imap. If not specified, the global
certificate is used. A value of “disabled” will disable SSL/TLS for imap.
#tls_imap_cert_file: /etc/ssl/certs/cyrus-imap.pem
File containing the private key belonging to the imap-specific server
certificate. If not specified, the global private key is used. A value of
“disabled” will disable SSL/TLS for imap.
#tls_imap_key_file: /etc/ssl/private/cyrus-imap.key
File containing the certificate used for pop3. If not specified, the global
certificate is used. A value of “disabled” will disable SSL/TLS for pop3.
#tls_pop3_cert_file: /etc/ssl/certs/cyrus-pop3.pem
File containing the private key belonging to the pop3-specific server
certificate. If not specified, the global private key is used. A value of
“disabled” will disable SSL/TLS for pop3.
#tls_pop3_key_file: /etc/ssl/private/cyrus-pop3.key
File containing the certificate used for lmtp. If not specified, the global
certificate is used. A value of “disabled” will disable SSL/TLS for lmtp.
#tls_lmtp_cert_file: /etc/ssl/certs/cyrus-lmtp.pem
File containing the private key belonging to the lmtp-specific server
certificate. If not specified, the global private key is used. A value of
“disabled” will disable SSL/TLS for lmtp.
#tls_lmtp_key_file: /etc/ssl/private/cyrus-lmtp.key
File containing the certificate used for sieve. If not specified, the global
certificate is used. A value of “disabled” will disable SSL/TLS for sieve.
#tls_sieve_cert_file: /etc/ssl/certs/cyrus-sieve.pem
File containing the private key belonging to the sieve-specific server
certificate. If not specified, the global private key is used. A value of
“disabled” will disable SSL/TLS for sieve.
#tls_sieve_key_file: /etc/ssl/private/cyrus-sieve.key
File containing one or more Certificate Authority (CA) certificates.
#tls_ca_file: /etc/ssl/certs/cyrus-imapd-ca.pem
Path to directory with certificates of CAs.
tls_ca_path: /etc/ssl/certs
The length of time (in minutes) that a TLS session will be cached for later
reuse. The maximum value is 1440 (24 hours), the default. A value of 0 will
disable session caching.
tls_session_timeout: 1440
The list of SSL/TLS ciphers to allow, in decreasing order of precedence.
The format of the string is described in ciphers(1). The Debian default
selects TLSv1 high-security ciphers only, and removes all anonymous ciphers
from the list (because they provide no defense against man-in-the-middle
attacks). It also orders the list so that stronger ciphers come first.
tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
Require a client certificate for ALL services (imap, pop3, lmtp, sieve).
#tls_require_cert: false
Require a client certificate for imap ONLY.
#tls_imap_require_cert: false
Require a client certificate for pop3 ONLY.
#tls_pop3_require_cert: false
Require a client certificate for lmtp ONLY.
#tls_lmtp_require_cert: false
Require a client certificate for sieve ONLY.
#tls_sieve_require_cert: false
Cyrus Murder cluster configuration
Set the following options to the values needed for this server to
autenticate against the mupdate master server:
mupdate_server
mupdate_port
mupdate_username
mupdate_authname
mupdate_realm
mupdate_password
mupdate_retry_delay
KEEP THESE IN SYNC WITH cyrus.conf
Unix domain socket that lmtpd listens on.
lmtpsocket: /var/run/cyrus/socket/lmtp
Unix domain socket that idled listens on.
idlesocket: /var/run/cyrus/socket/idle
Unix domain socket that the new mail notification daemon listens on.
notifysocket: /var/run/cyrus/socket/notify
Syslog prefix. Defaults to cyrus (so logging is done as cyrus/imap etc.)
syslog_prefix: cyrus
DEBUGGING
Debugging hook. See /usr/share/doc/cyrus-common-2.2/README.Debian.debug
Keep the hook disabled when it is not in use
gdb Back-traces
#debug_command: /usr/bin/gdb -batch -cd=/tmp -x /usr/lib/cyrus/get-backtrace.gdb /usr/lib/cyrus/bin/%s %d >/tmp/gdb-backtrace.cyrus.%1$s.%2$d <&- 2>&1 &
system-call traces
#debug_command: /usr/bin/strace -tt -o /tmp/strace.cyrus.%s.%d -p %2$d <&- 2>&1 &
library traces
#debug_command: /usr/bin/ltrace -tt -n 2 -o /tmp/ltrace.cyrus.%s.%d -p %2$d <&- 2>&1 &