CYRUS: BUILD YOUR TUTORIAL OWN EMAIL SERVER Don’T Trust Google? We’Ll Help You Navigate the Sea of JOHN LANE Acronyms to Build Your Own Mailserver
Total Page:16
File Type:pdf, Size:1020Kb
TUTORIAL MAILSERVER CYRUS: BUILD YOUR TUTORIAL OWN EMAIL SERVER Don’t trust Google? We’ll help you navigate the sea of JOHN LANE acronyms to build your own mailserver. ou can’t beat the convenience and ease of use access their mail by connecting to the server using WHY DO THIS? offered by Gmail. But unfortunately, all that any IMAP-capable email client application. • Take control of your Yfree storage comes at a price: your privacy. You will need a, preferably new, server for this email provision. Spam, intrusive adverts and snooping from unnamed project and you’ll need root access to it. Our examples • Stop outside agencies government agencies are the inevitable downside of use Arch Linux, and we created a new virtual server. from scanning the using someone else’s service for free. So why not Begin by installing Cyrus (build the Arch User content of your emails. build your own email server including anti-spam, Repository package first – see the boxout below-right): • Get webmail without advertising. anti-virus and webmail? $ pacman -U ~build/cyrus-imapd/cyrus-imapd-2.4.17-5-x86_64. You can use your own server to retrieve messages pkg.tar.xz from other mailservers, such as those provided by The default configuration writes data to /var/imap internet service providers, or other services like those and user mailboxes to /var/spool/imap. You can from Google and Yahoo. But you don’t need to rely on change this if you prefer another location; we’ll others if you have your own server. If you have a configure our server to use /srv/mail/cyrus to domain name that you control, and if you can give your illustrate this. If you follow suit, you can also delete the server a static public IP address then you can receive default locations: email directly. rm -r /var/spool/imap /var/imap We’re going to implement a sealed server, which Some command line tools are installed to /usr/lib/ means that users cannot cyrus/bin so it’s worth extending your PATH (do it in log in to it. They have /etc/profile to make this permanent): “Why not build your own email email accounts that are export PATH=”$PATH”:/usr/lib/cyrus/bin only accessible using There are two configuration files, and the first of server, including anti-spam, client applications that these is /etc/cyrus/cyrus.conf. It defines the services anti-virus and webmail?” connect to the server that the server will offer, and the default file is generally using IMAP, the Internet acceptable unless, like us, you want to change the data Message Access path. This requires one entry in the file to be altered: Protocol (we could, but won’t, also use the older Post lmtpunix cmd=”lmtpd” listen=”/srv/mail/cyrus/socket/lmtp” Office Protocol, POP). prefork=0 You can give your test account a meaningful At the heart of the system is the IMAP server, Cyrus. The listen argument points to the Unix domain name and enter your This accepts messages using a protocol called the socket where the server accepts LMTP protocol own name in the identity Local Mail Transfer Protocol, or LMTP, and stores them connections. We change this to be in a subdirectory of section. in mailboxes – it’s a mail delivery agent. Users can our chosen data path. You can also take this opportunity to disable unwanted services; we commented out pop3 and pop3s because we plan to offer IMAP-only access. The second file, /etc/cyrus/imapd.conf, configures the IMAP server and needs to be written from scratch. The following example will get you started, but you may want to read the documentation and configure it to meet your needs. configdirectory: /srv/mail/cyrus partition-default: /srv/mail/cyrus/mail admins: cyrus sasl_pwcheck_method: saslauthd sasl_saslauthd_path: /var/run/saslauthd/mux sasl_mech_list: PLAIN allowplaintext: yes altnamespace: yes unixhierarchysep: yes virtdomains: userid 90 www.linuxvoice.com MAILSERVER TUTORIAL defaultdomain: mydomain.com hashimapspool: true sieve_admins: cyrus sievedir: /srv/mail/cyrus/sieve This tells Cyrus to use /srv/mail/cyrus for its configuration and, within that, a mail subdirectory where it should store mail. Virtual domains allows domain-specific mailboxes – you can have accounts for [email protected] and alice@example- two.com. The defaultdomain is the domain that unqualified user accounts, like “alice”, belong to. To improve the end-user experience, we set altnamespace so that users’ email folders appear alongside, rather than within, their inbox, and unixhierarchysep delimits mail folders with slashes instead of the default, which is to use a period. SASL Our configuration uses SASL for authentication. This . logout You can specify the server is the Simple Authentication and Security Layer, and If everything went well, the server responses will by its host name or IP was automatically installed as a dependency of the begin with * OK. You can now set up your email client address. The username is the IMAP “testuser” IMAP server. We just use the default configuration to connect to the IMAP account, but it doesn’t have account that we set up on here, which passes plain-text passwords to the any folders yet. The cyradm tool is used to create the server. saslauthd daemon that, in the default configuration mailboxes, and the minimum is an inbox: on Arch Linux, uses PAM for authentication. This is $ su cyrus -c ‘cyradm -u cyrus -w cyrus localhost acceptable for a test system, but you should consider localhost.localdomain> cm user/testuser configuring SASL to use more secure methods that You can then use your email client to create satisfy your own security requirements. subfolders, or you can use cyradm – cm creates So, create a test account for testing and verify that mailboxes (folders) and lm lists them: SASL can authenticate it. The default SASL localhost.localdomain> cm user/testuser/Sent PRO TIP configuration authenticates system users so we use a localhost.localdomain> lm Cyrus documentation is nobody account that can be authenticated but cannot user/testuser (\HasChildren) available at http://cyrusimap.org/ be used to log in to the server. user/testuser/Sent (\HasNoChildren) docs/cyrus-imapd. $ useradd -c ‘Test email account’ -u 99 -o -g nobody -d /dev/null user/testuser/Trash (\HasNoChildren) -s /bin/false testuser You can now send a message to the test user. $ echo testuser:testpass | chpasswd Create a test message in a file (call it testmessage) Start saslauthd (also enable it so that it starts on with the following contents (the empty line is required boot) and test that SASL authentication works for the – it marks the beginning of the message body). new test user: From: Test Message <[email protected]> $ systemctl enable saslauthd Subject: This is a test message $ systemctl start saslauthd This is a basic test e-mail message $ testsaslauthd -u testuser -p testpass To send the message into Cyrus, use the deliver tool 0: OK “Success.” The installation also created a cyrus user, and the server’s processes run as this user. We can also use it A virtual mailserver for administrative tasks if we set its home directory, shell and password: We used Linux Containers to create a virtual $ pacman -S base-devel devtools server to implement our mailserver on. Here’s $ useradd -c ‘Build Account’ -m -g users -d / $ usermod -s /bin/bash -d /srv/mail/cyrus cyrus what we did. As root, on any host machine home/build -s /bin/bash build $ echo cyrus:cyrus | chpasswd (ours runs Arch Linux): $ echo build:build | chpasswd To complete the configuration, make the required lxc-create -n mailserver -t archlinux -- -P $ echo ‘build ALL=(ALL) NOPASSWD: ALL’ >> / directories and build the IMAP folders: dhcpcd,openssh,wget --ewnable_units etc/sudoers dhcpcd,sshd.socket -r mysecret To build a package, log on as the “build” $ mkdir -p -m 750 /srv/mail/cyrus/mail lxc-start -n mailserver user, download and extract the package’s $ chown -R cyrus:mail /srv/mail/cyrus You can then log in with ssh AUR tarball and use makepkg to build it. $ su cyrus -c ‘mkimap /etc/cyrus/imapd.conf’ root@mailserver using mysecret as Further instructions are available on the Arch Now start the server the password. Linux website. Here is an example: $ systemctl enable cyrus-master Some of the packages that we will use $ wget https://aur.archlinux.org/packages/cy/ aren’t in the repositories, but they can be cyrus-imapd/cyrus-imapd.tar.gz $ systemctl start cyrus-master built from the Arch User Repository, AUR. We $ tar xf cyrus-imapd.tar.gz Test IMAP access for the test user created a build account on our new server for $ cd cyrus-imapd $ telnet localhost imap building these packages. $ makepkg -s . login testuser testpass www.linuxvoice.com 91 TUTORIAL MAILSERVER MXToolbox.com can test from Gmail: your server from outside… poll poll imap.gmail.com protocol imap user [email protected] there pass abc123 is alice here user [email protected] there pass secretword is alice here user [email protected] there pass secretword is jane here and similar examples for Yahoo and Microsoft mail accounts: poll pop.mail.yahoo.com protocol pop3 user johndoe there pass mypassword is john here ssl poll pop3.live.com protocol pop3 user [email protected] there pass 123abc is bob here ssl You can fetch mail on demand (the optional -v makes it verbose): $ fetchmail -v -f /etc/fetchmailrc Or, what you will most likely want to do is start it as a daemon that regularly polls for available messages. The daemon on Arch Linux runs as the fetchmail user and requires that it owns the /etc/fetchmail file.