Cyrus Imap Configuration (With LDAP support)

Step by step configuration of Cyrus imap.

Install cyrus imap and supporting packages using yum.

Step I

Enable logging
by adding the following lines to /etc/syslog.conf:

local6.debug    /var/log/imapd.log
auth.debug      /var/log/auth.log

Create the log files
#touch /var/log/imapd.log /var/log/auth.log
#service syslog restart 

Step II

Create the file "/etc/imapd.conf".

Sample file

configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus root
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
#sasl_auxprop_plugin: sasldb
sasl_mech_list: PLAIN

Step III

Create the following directories

#cd /var/lib
#mkdir imap (if this dir is already there means no need to create)
#chown cyrus:mail imap
#chmod 750 imap

#cd /var/spool
#mkdir imap (if this dir is already there means no need to create)
#chown cyrus:mail imap
#chmod 750 imap

#su - cyrus
#cd /usr/lib/cyrus-imapd
#cd /var/lib/imap
#chattr +S user quota user/* quota/*
#chattr +S /var/spool/imap /var/spool/imap/*

Step VI

Add the following lines to the "/etc/services" file if they aren't already there:
pop3      110/tcp
imap      143/tcp
imsp      406/tcp
acap      674/tcp
imaps     993/tcp
pop3s     995/tcp
kpop      1109/tcp
sieve     2000/tcp
lmtp      2003/tcp
fud       4201/udp

Step V
Configuring the Master Process

Choose a configuration from the master/conf directory:
bare-bones server supporting IMAP and POP
server supporting IMAP, POP, the SSL wrapped versions, and the Sieve script management protocol
The same configuration as above, but with some preforked processes for faster processing.
Our configuration (for Murder Backend / typical IMAP servers)
Our configuration (for Murder Frontend servers)
To use normal.conf, do:

#cp /usr/share/doc/cyrus-imapd-x.x.x/conf/normal.conf  /etc/cyrus.conf

Optionally, you can edit /etc/cyrus.conf to disable or enabling certain services, or to tune the number of preforked copies. Be sure not to remove the entries that are labeled required.

Step VI

Configuring Cyrus with OpenSSL

#openssl req -new -nodes -out req.pem -keyout key.pem 
#openssl rsa -in key.pem -out new.key.pem
#openssl x509 -in req.pem -out ca-cert -req \
-signkey new.key.pem -days 999

#cp new.key.pem /etc/pki/cyrus-imapd/server.pem (or)

#cat ca-cert >> /etc/pki/cyrus-imapd/server.pem

#chown cyrus:mail /etc/pki/cyrus-imapd/server.pem
#chmod 600 /etc/pki/cyrus-imapd/server.pem # Your key should be protected

#echo tls_ca_file: /etc/pki/cyrus-imapd/server.pem >> /etc/imapd.conf
#echo tls_cert_file: /etc/pki/cyrus-imapd/server.pem >> /etc/imapd.conf
#echo tls_key_file: /etc/pki/cyrus-imapd/server.pem >> /etc/imapd.conf

Start saslauthd and imap:

#service saslauthd start
#service cyrus-imapd start

Add an SASL password for cyrus to /etc/sasldb2

#saslpasswd2 cyrus
#chown cyrus:mail /etc/sasldb2

Create mailboxes to match the user accounts
(username1, username2, username3 in this example):
#cyradm --user cyrus localhost

localhost> cm user.username1
localhost> cm user.username2
localhost> cm user.username3
localhost> exit

Step VII
Implementing Cyrus on Redhat with an LDAP backend

Note: It is assumed that you already have an LDAP backend capable of authenticating via uid and userPassword attributes. This does not need to be on the same box as the cyrus imap server. It should have a valid "cyrus" user though.
Note: if you are happy without LDAP authentication, you may skip to the cyradm section below.
Edit /etc/imapd.conf - ensure sasl_pwcheck_method is set to saslauthd. That's right. EVEN though you will be using pam!
Edit /etc/sysconfig/saslauthd, and add the line MECH="pam"
Edit /etc/pam.d/imap (and pop if you wish to run that). It should only contain the following lines:
auth        sufficient   /lib/security/
account     sufficient   /lib/security/
Edit /etc/openldap/ldap.conf and add the following lines:
Note: Please see below regarding whether to modify /etc/openldap/ldap.conf or /etc/ldap.conf
host                 your.ldap.server
base                 ou=Your-Account-Container,dc=your,dc=domain,dc=components
scope                sub
pam_login_attribute  uid
Ensure saslauthd and cyrus-imapd are set to start at boot time (chkconfig saslauthd on && chkconfig cyrus-imapd on).
Start both services (service saslauthd start && service cyrus-imapd start).
That's it - you can now create mailboxes, and auth to them using your LDAP accounts.

Configuring the Mail Transfer Agent

Edit /etc/mail/

DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl

Edit /etc/mail/access

Restart Sendmail and cyrus-imapd services
#service sendmail restrt
#service cyrus-imapd restart

Detailed configuration files of cyrus.conf, imapd.conf and are posted separately.

FOLLOW US :-    


  1. Hi admin,
    I want to setup a cyrus imap on centos 6. It will be authenticate against Active Directory

    Could you tell me how to step by step do that.

    Thanks admin!