
Preface

Ed's FreeBSD postfix+cyrus+sasl2+mysql Virtual Mail How-To

    cd /usr/ports/databases/mysql41-server
    make && make install && make clean

Add the following to your /etc/rc.conf to enable MySQL to be started:

QUOTE:
    mysql_enable="yes"

Go ahead and kick mysql off:

QUOTE:
    /usr/local/etc/rc.d/mysql-server.sh start

cyrus-sasl2

Get the cyrus-sasl2 crypt patches from http://frost.ath.cx/software/cyrus-sasl-patches/. You might want to add this link to your list of reference material. Follow the directions there to apply them to your cyrus-sasl2 source. Basically you're going to take all of the FreeBSD patch files and dump them into the /usr/ports/security/cyrus-sasl2/files/ dir.

Now compile with MySQL support:

QUOTE:
    make -DWITHOUT_OTP=YES -DWITHOUT_NTLM=YES -DWITHOUT_GSSAPI=YES -DWITH_MYSQL

If the compile succeeds, do the following to finish up:

QUOTE:
    make install && make clean

Don't bother to follow the config options on the frost page, just patch the source - we'll be covering the config later on.

Cyrus

You'll be using Cyrus 2.3.x for this. Get the Autocreate INBOX patch files for Cyrus from http://email.uoa.gr/projects/cyrus/autocreate/ for your version of Cyrus and save them in your homedir. You should bookmark this link for future reference as well. Obviously if the version of Cyrus 2.3.x is not 2.3.3 then you should fetch the appropriate versions of the patches you need.

Compile and install cyrus:

Now extract, patch, and compile cyrus (in this case, 2.3.3):

QUOTE:
    cd /usr/ports/mail/cyrus-imapd23/
    make patch
    cd work/cyrus-imapd-2.3.3/
    patch -p1 < ~/cyrus-imapd-2.3.3-autocreate-0.10-0.diff
    patch -p1 < ~/cyrus-imapd-2.3.3-autosieve-0.6.0.diff
    cd ../..
    make

Depending on your version more or less patch files may be required. Just apply all of them.
Assuming everything goes well,

    make install && make clean

Note that later when a new version is released you'll have to do all of this over again - portupgrade will not apply these patches for you w/o additional configuration to /usr/local/etc/pkgtools.conf

Create the dir where all of our sealed cyrus files will reside:

QUOTE:
    mkdir /usr/local/imap

Note that this differs from the default install paths but will bring things together nicely. Do not use /usr/local/cyrus/ which is where the cyrus programs are installed!

Create an ssl certificate named cyrus.pem for cyrus:

QUOTE:
    openssl req -new -x509 -nodes -out /usr/local/imap/cyrus.pem -keyout /usr/local/imap/cyrus.pem -days 365

Find and set the following in /usr/local/etc/imapd.conf:

QUOTE:
    configdirectory: /usr/local/imap
    partition-default: /usr/local/imap/spool
    unixhierarchysep: yes
    servername: domain1.tld
    admins: cyrus
    autocreatequota: 102400
    sieveusehomedir: false
    sievedir: /usr/local/imap/sieve
    sasl_pwcheck_method: auxprop
    tls_cert_file: /usr/local/imap/cyrus.pem
    tls_key_file: /usr/local/imap/cyrus.pem
    lmtpsocket: /usr/local/imap/socket/lmtp
    idlesocket: /usr/local/imap/socket/idle
    notifysocket: /usr/local/imap/socket/notify

I realize it says servername which should be the FQDN and I'm telling you to use domain1.tld instead. Thing is, something is weird about the handling of domains and this seems to get around it. This could be a bug in cyrus22 or a bug because of the way I'm doing things, but using domain1.tld seems to do the trick for me. Your mileage might vary.

The autocreatequota option is set to 100MB in this example and you might want to bump that up. If you have a CA file for your SSL/TLS cert, then be sure to set tls_ca_file to point at it as well in the part above.
Add the following to the end of imapd.conf:

QUOTE:
    virtdomains: yes
    defaultdomain: domain1.tld
    allowusermoves: yes
    sasl_auxprop_plugin: sql
    sasl_sql_user: postfix
    sasl_sql_passwd: password
    sasl_sql_database: postfix
    sasl_sql_hostnames: localhost
    sasl_sql_select: SELECT password FROM mailbox WHERE username='%u@%r' AND active='1'
    sasl_sql_verbose: yes
    sasl_sql_engine: mysql
    sasl_mech_list: plain login
    sasl_password_format: crypt
    createonpost: yes
    autocreateinboxfolders: spam
    autosubscribeinboxfolders: spam
    autocreate_sieve_script: /usr/local/imap/phpscript
    autocreate_sieve_compiledscript: /usr/local/imap/phpscript.bc
    generate_compiled_sieve_script: yes

Create /usr/local/imap/phpscript and populate it with the following:

QUOTE:
    # This script has been automatically generated by avelsieve
    # (Sieve Mail Filters Plugin for Squirrelmail)
    #AVELSIEVE_VERSIONYTo0OntzOjU6Im1ham9yIjtpOjE7czo1OiJtaW5vciI7aTo5O3M6NzoicmVsZWFzZSI7aToyO3M6Njoic3RyaW5nIjtzOjU6IjEuOS4yIjt9
    #AVELSIEVE_CREATED1111802924
    #AVELSIEVE_MODIFIED1111803314
    require ["fileinto","reject","vacation","imapflags","relational","comparator-i;ascii-numeric","regex","notify"];
    if
    #START_SIEVE_RULEYTo3OntzOjY6ImhlYWRlciI7YToxOntpOjA7czoxMToiWC1TcGFtLUZsYWciO31zOjk6Im1hdGNodHlwZSI7YToxOntpOjA7czoyOiJpcyI7fXM6MTE6ImhlYWRlcm1hdGNoIjthOjE6e2k6MDtzOjM6IllFUyI7fXM6NDoidHlwZSI7czoxOiIyIjtzOjY6ImFjdGlvbiI7czoxOiI1IjtzOjY6ImZvbGRlciI7czoxMDoiSU5CT1gvc3BhbSI7czo0OiJzdG9wIjtzOjI6Im9uIjt9END_SIEVE_RULE
    header :is "X-Spam-Flag" "YES" {
        fileinto "INBOX/spam";
        stop;
    }

This sieve script will be copied to newly created users, compiled into bytecode, and run against every message that is delivered to the user. All this one does is check to see if the X-Spam-Flag header is present and set to YES. If it is, then the message is deposited to the spam folder which was also auto-created (if for some reason it doesn't exist it will go to the INBOX instead). When a message is found to be spam by SpamAssassin it gets this header.
Obviously that's something extra you'll have to add yourself as I'm not covering it in this document. If using this sieve script doesn't work later on you'll just have to create one with your test user and copy the phpscript.script to phpscript, blow away your user and their sieve dir ("How do I delete a user from my system entirely?"), then try again.

Note: If you'll have any users using POP3 instead of IMAP then you'll probably want to not do any of the automatic sieve scripting settings. The reason being that, unless I'm mistaken, POP3 will only get mail from the Inbox and not other folders (such as the spam folder).

Set permissions on the cyrus imap dir:

QUOTE:
    chown -R cyrus:cyrus /usr/local/imap
    chmod o-rwx /usr/local/imap

Find and fix the socket paths in cyrus.conf:

QUOTE:
    lmtpunix cmd="lmtpd" listen="/usr/local/imap/socket/lmtp" prefork=0
    notify cmd="notifyd" listen="/usr/local/imap/socket/notify" proto="udp" prefork=1

You'll also need to change the sieve listen line to make it use port 2000 instead of sieve which does not exist in /etc/services (there is "callbook" which you could use instead of 2000, but why?). Editing this line is better than editing a standard system file which you'll end up updating someday anyway.

QUOTE:
    sieve cmd="timsieved" listen="2000" prefork=0

Create the fancy cyrus paths and files:

QUOTE:
    sudo -u cyrus /usr/local/cyrus/bin/mkimap

This will spew a few lines saying that it created some files/dirs. If there are any errors, take care of them and try again. mkimap can only be run as the cyrus user, thus using sudo to run it as the cyrus user is required.

Make it so that cyrus will be started with the system by adding the following to the end of /etc/rc.conf:

QUOTE:
    cyrus_imapd_enable="YES"

Start cyrus-imapd22:

    /usr/local/etc/rc.d/imapd.sh start

If you go back and look in /usr/local/imap/ you'll notice some more files have been created there just now.
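imapd.conf as configured above carries the MySQL password (sasl_sql_passwd) in clear text and points tls_key_file at a PEM that holds the private key. The following check for both is an added example, not part of the original how-to; the helper names are hypothetical, and it looks at mode bits only (no ACLs, only the immediate parent directory).

```shell
#!/bin/sh
# Added example, not from the how-to. Helper names are hypothetical.
# Mode bits only: ACLs and group membership are not considered.

# conf_value FILE KEY: print the value of the last "KEY: value" line.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | tail -n 1
}

# other_can_reach FILE: succeed if "other" may read FILE and may search the
# directory holding it. A closed parent directory (the how-to's
# "chmod o-rwx /usr/local/imap") protects a file whose own mode is 0644.
# Only the immediate parent directory is inspected.
other_can_reach() {
    [ "$(ls -ld -- "$1" | cut -c8)" = "r" ] || return 1
    case $(ls -ld -- "$(dirname -- "$1")" | cut -c10) in
        x|t) return 0 ;;   # t = searchable directory with the sticky bit
        *)   return 1 ;;
    esac
}

# audit_imapd_conf FILE: print one WARN line per finding, return 1 if any.
audit_imapd_conf() {
    conf=$1
    rc=0
    if [ -n "$(conf_value "$conf" sasl_sql_passwd)" ] && other_can_reach "$conf"; then
        echo "WARN $conf: holds sasl_sql_passwd and is readable by other"
        rc=1
    fi
    key=$(conf_value "$conf" tls_key_file)
    if [ -n "$key" ] && [ -f "$key" ] && other_can_reach "$key"; then
        echo "WARN $key: tls_key_file (private key) is readable by other"
        rc=1
    fi
    return "$rc"
}

# Usage on the how-to's layout:
#   audit_imapd_conf /usr/local/etc/imapd.conf
```

A finding on imapd.conf itself is cleared by giving the file to the cyrus user and removing access for other, in the same way the how-to treats /usr/local/imap.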
postfix

Compile and install postfix 2.3.x

Compile postfix:

QUOTE:
    cd /usr/ports/mail/postfix
    make

A menu will appear asking you to select various options. This is mostly up to your own needs, but you'll want to make sure you select the TLS, SASL2, DB3 (provided SASL2 was built with it, which it is by default), and MySQL options at the very least. Make sure the "disable PCRE" option is not checked. I also use SPF but that patch has sometimes needed a little reworking in the past to make it work with other options and I won't cover that or how to configure for SPF in this document.

Install postfix:

QUOTE:
    make install

At this point you'll be asked if you want to replace sendmail to which you need to answer Yes. Once done it will then mention two different sets of lines to add to your /etc/rc.conf. One set would be good if your postfix didn't depend on anything else, and another more suited to our needs. Make sure

QUOTE:
    sendmail_enable="NONE"

is set in your /etc/rc.conf file. The reason for this line is because our postfix will depend on a MySQL server having been started at (or about) the same time.

Make it so postfix will start with the system:

    ln -s /usr/local/sbin/postfix /usr/local/etc/rc.d/postfix.sh

You will also be asked to add the following to your /etc/periodic.conf :

QUOTE:
    daily_clean_hoststat_enable="NO"
    daily_status_mail_rejects_enable="NO"
    daily_status_include_submit_mailq="NO"
    daily_submit_queuerun="NO"

Clean up after the mess we've made:

    make clean

Create an SSL key and certificate (self-signed is fine) and place them both in the /usr/local/etc/postfix/postfix.pem file. I can't find the link I last used to generate a self-signed cert and key, but a quick search on Yahoo or Google will turn up a ton of them for you.
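One way to build the combined postfix.pem, modelled on the openssl req command this how-to uses for cyrus.pem, with a check that the key and certificate in the file belong together. This is an added example, not part of the original how-to; the function names, the RSA 2048 key size and the CN argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the how-to. Function names are hypothetical.

# make_combined_pem FILE CN [DAYS]: write a self-signed certificate and its
# unencrypted private key into one PEM file, as the how-to does for cyrus.pem.
make_combined_pem() {
    pem=$1 cn=$2 days=${3:-365}
    (
        umask 077        # new files are created 0600, never readable by others
        rm -f "$pem"     # umask does not tighten a file that already exists
        if openssl req -new -x509 -nodes -newkey rsa:2048 -subj "/CN=$cn" \
               -days "$days" -keyout "$pem.key" -out "$pem.crt" &&
           cat "$pem.key" "$pem.crt" > "$pem"
        then rc=0; else rc=1; fi
        rm -f "$pem.key" "$pem.crt"
        exit "$rc"
    )
}

# pem_key_matches_cert FILE: succeed only if the private key and the
# certificate stored in FILE carry the same public key. A mismatched pair
# makes the TLS handshake fail, so check before pointing a daemon at it.
pem_key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage (the host name is a placeholder for your own mail host):
#   make_combined_pem /usr/local/etc/postfix/postfix.pem mail.domain1.tld
#   pem_key_matches_cert /usr/local/etc/postfix/postfix.pem && echo "pair ok"
```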
Once your postfix.pem file has been created, set permissions on it:

QUOTE:
    chown root:wheel postfix.pem
    chmod o-rwx postfix.pem

Find and set the following in main.cf:

QUOTE:
    mydestination = $myhostname, localhost.$mydomain
    local_recipient_maps = $alias_maps
    relay_domains = $mydestination $transport_maps
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    recipient_delimiter = +
    mailbox_transport