Mail installation with Sendmail, Cyrus-Imapd and postgres8 (via sasl2)

I want to have a mail installation based on the following components:

  • sendmail 8.14
  • sasl2
  • postgres8
  • cyrus-imapd 2.x
  • openssl


postgres shall hold all the user information (username, password); sendmail should query it to authenticate relaying, and cyrus should query it to authenticate its users. I don't want to involve PAM in this and I don't need saslauthd.

NOTE: on my system postgresql also holds the mapping of email addresses <-> mailboxes, but sendmail delivers all mails to a perl script (perlmailer) that queries the database and delivers each mail to the correct mailbox. That process is not part of this howto, although there is a reference to it at the end of this document !!!


This is tested with Ubuntu 7.10 and Ubuntu 8.04LTS


sasl2 is installed on Ubuntu anyway, so here we start:

sendmail & postgres

First we install sendmail and postgres and get this part working.

prerequisites

You need to install the following packages:

  • apt-get install libsasl2 libsasl2-modules-sql sasl2-bin libsasl2-dev libsasl2-modules libssl-dev libssl0.9.8 m4 libdb4.6 libdb4.6-dev
  • then of course you need to install postgresql8, by hand or - as I did - apt-get install postgresql-8.2

configure postgresql


  • create a database and a user to hold the needed information
  • create a table to hold the user information. This is mostly a uid, login and passwd plus some optional fields like a REALM or additional flags like smtp_allowed, whatever you like. On my system I don't use REALMs. If you don't know what REALMs are, don't use them (and read about sasl realms). The layout of the table can be whatever you like.
  • allow your user to access the database via TCP from localhost by adding this to your pg_hba.conf: "host all all 127.0.0.1 255.255.255.255 password"



Note that the postgres table will hold the passwords in plaintext !! (The shared-secret mechanisms CRAM-MD5 and DIGEST-MD5 can only be verified when the server has the cleartext password.)

install sendmail

Download the source and install it by hand. Sendmail is great but it is definitely not friendly, so I would never trust a sendmail package.

  • download, untar it
  • edit devtools/Site/site.config.m4:
APPENDDEF(`conf_sendmail_ENVDEF', `-DSTARTTLS')
APPENDDEF(`conf_sendmail_LIBS', `-lssl -lcrypto')

APPENDDEF(`confENVDEF', `-DSASL=2')
APPENDDEF(`conf_sendmail_LIBS', `-lsasl2')
APPENDDEF(`confLIBDIRS', `-L/usr/lib/sasl2')
APPENDDEF(`confINCDIRS', `-I/usr/include') 

APPENDDEF(`conf_sendmail_ENVDEF',`-DMILTER')

APPENDDEF(`confMAPDEF', `-DNEWDB')


You can leave out the milter stuff if you don't intend to use milters.

  • sh Build -c, then check the output for even minor errors and fix them
  • test the resulting sendmail
  • sh Build install

configure sendmail

That really depends on your system. My config can be found below. The important lines in sendmail.mc are:

TRUST_AUTH_MECH(`PLAIN LOGIN DIGEST-MD5 CRAM-MD5')
define(`confAUTH_MECHANISMS', `PLAIN LOGIN CRAM-MD5 GSSAPI DIGEST-MD5')

define(`confCACERT_PATH', `/data/ssl/')
define(`confCACERT', `/data/ssl/ca-crt')
define(`confSERVER_CERT', `/data/ssl/server.pem')
define(`confSERVER_KEY', `/data/ssl/server.pem')



Creating sendmail certificates is a mysterious process and only openssl gurus and wizards know about it :) I personally use the same certificates that I use for the imap server (see the howto below), assuming they have the same hostname (otherwise you have to create a second set). The ca-crt and the server.pem are exactly the same files that I created below for imap !!

Note: sendmail needs a user smmsp, and /var/spool/mqueue and /var/spool/clientmqueue, which should be fully accessible by root:mail and no one else, so be sure to provide these. Ubuntu does not have an smmsp user by default.

Configure sasl2

That's the most important part. There is a Sendmail.conf and no one is exactly sure where to put it:

  • /usr/lib/sasl2/Sendmail.conf
  • /usr/local/lib/sasl2/Sendmail.conf
  • /etc/sasl/Sendmail.conf (note that we have sasl here and not sasl2)



My sendmail complained when I did not have it in the /etc/sasl location, so I put a symlink there pointing to the /usr/lib/sasl2 location. I don't have the /usr/local/lib/sasl2 location, which is probably the one to use when you build sasl2 yourself.

And now the content of the file:

     log_level: 7
     pwcheck_method: auxprop
     auxprop_plugin: sql
     sql_engine: pgsql
     sql_user: USERNAME
     sql_passwd: PASSWORD
     sql_hostnames: 127.0.0.1:5432
     sql_database: DATABASE
     sql_statement: SELECT passwd FROM accounts WHERE login ='%u'
     sql_verbose: true


Fill in your own values here; especially the sql_statement can be customized in any form. Examples (untested):

select passwd from myusers where login='%u' and realm='%r' and smtp='t' and valid>current_timestamp;
SELECT password FROM mailbox WHERE email='%u@%r'


A list of all options of Sendmail.conf is in the cyrus-sasl documentation (options.html in the source tree).

That's it - you should be able to relay mails via your sendmail now, providing username/password combinations stored in your postgres database.


Please note that if you misspell the database, username or password in Sendmail.conf you won't see any warning in the logs about it. You'll just see log entries that the user or the secret cannot be found !!

Cyrus & Postgres

Now that we have installed sendmail, we want to install cyrus-imapd and get it working with sasl2 too. Again no PAM, but we want to use the same user database as with sendmail.

install cyrus


I installed cyrus manually from source because I wanted the 2.3 version; Ubuntu only has reliable 2.2 sources, and Ubuntu 6.06 had a bad, eye-watering bug in its 2.2 cyrus.

  1. untar
  2. read the perfect documentation in doc/index.html
  3. ./configure --enable-replication --enable-idled
  4. make
  5. make install
  6. and now read the perfect documentation in doc/index.html about how to configure it, and do it (but read the next chapters to see where I did things differently or what I think is important to know)

DO NOT FORGET to add lmtp as port 2003 in /etc/services, or cyrus-imapd will refuse to listen on this port later.

LMTP: if you plan to use lmtp as your local mail delivery, then you must enable it in /etc/cyrus.conf and be sure to add the -a flag to lmtpd to disable authentication. Of course lmtpd should then only listen on the local interface. My line looks like:

lmtp          cmd="lmtpd -a" listen="127.0.0.1:lmtp" prefork=20



SOCKETS: if you are using sockets for lmtpd or idled, be sure that the lmtp socket in cyrus.conf and imapd.conf is the same !! And it seems that the socket directory has to be a subfolder of your config directory !!

create certificate

I only did the certificate part differently. I used the way described here:

# create a private key and a certificate request (-nodes: key without passphrase)
openssl req -new -nodes -out req.pem -keyout key.pem
# rewrite the key in plain RSA PEM format
openssl rsa -in key.pem -out new.key.pem
# self-sign the request; this single certificate serves as CA cert and server cert
openssl x509 -in req.pem -out ca-cert -req -signkey new.key.pem -days 99999

# combined file: private key first, then the certificate
cp new.key.pem /data/imap/server.pem
rm new.key.pem
cat ca-cert >> /data/imap/server.pem

chown cyrus:mail /data/imap/server.pem
chmod 600 /data/imap/server.pem # Your key should be protected


configure cyrus to use sasl with postgresql


It's exactly the same as Sendmail.conf, but the parameters go into /etc/imapd.conf now (beside many other cyrus parameters that go there) and the parameter names have sasl_ in front.

So the sasl part in my imapd.conf reads:

sasl_log_level: 7
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sql
sasl_sql_engine: pgsql
sasl_sql_user: account
sasl_sql_passwd: xxxxx
sasl_sql_hostnames: 127.0.0.1:5432
sasl_sql_database: accounts
sasl_sql_statement: SELECT passwd FROM accounts WHERE login ='%u'
sasl_sql_verbose: true
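Because a wrong database, user or password in these files produces no warning (only "user not found" / "secret not found" entries, as noted above), it pays to run the configured sql_statement by hand before pointing sendmail or cyrus at it. The following script is an added example, not part of this howto or of cyrus-sasl: it parses either Sendmail.conf or the sasl_-prefixed lines of imapd.conf, expands %u and %r the way the sql auxprop plugin does, and builds the psql command line for that query. The sample config and its password are constructed.

```python
"""Dry-run the SASL 'sql' auxprop settings of Sendmail.conf / imapd.conf.
Added example, not part of the howto or of cyrus-sasl: expands sql_statement
for %u (user) and %r (realm) and builds the psql command to run it by hand."""
REQUIRED = ("sql_engine", "sql_user", "sql_passwd", "sql_hostnames",
            "sql_database", "sql_statement")

def parse_sasl_conf(text):
    """{option: value} from 'key: value' lines; imapd.conf's sasl_ prefix is stripped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip().removeprefix("sasl_")] = value.strip()
    return opts

def missing_options(opts):
    """sql_* options the plugin needs that the file does not set."""
    return [k for k in REQUIRED if k not in opts]

def expand_statement(statement, user, realm=""):
    """Substitute %u/%r; single quotes are doubled so the hand-run query
    cannot leave its string literal (other plugin tokens are left alone)."""
    q = lambda s: s.replace("'", "''")
    return statement.replace("%u", q(user)).replace("%r", q(realm))

def psql_invocation(opts, user, realm=""):
    """(env, argv): psql with the file's credentials and the expanded query.
    The password goes into PGPASSWORD, never onto the command line."""
    host, _, port = opts["sql_hostnames"].split(",")[0].partition(":")
    argv = ["psql", "-h", host, "-p", port or "5432", "-U", opts["sql_user"],
            "-d", opts["sql_database"], "-tAc",
            expand_statement(opts["sql_statement"], user, realm)]
    return {"PGPASSWORD": opts["sql_passwd"]}, argv

# Constructed sample mirroring the howto's Sendmail.conf (fake password).
SAMPLE_CONF = """sql_engine: pgsql
sql_user: account
sql_passwd: not-the-real-one
sql_hostnames: 127.0.0.1:5432
sql_database: accounts
sql_statement: SELECT passwd FROM accounts WHERE login ='%u'
"""

if __name__ == "__main__":
    import shlex
    env, argv = psql_invocation(parse_sasl_conf(SAMPLE_CONF), "peter")
    print("PGPASSWORD=<sql_passwd>", " ".join(shlex.quote(a) for a in argv))
```

If the printed psql command returns no row for a user that exists, the credentials or the statement in the file are wrong, which is exactly the case the logs stay silent about.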

imapd.conf


My imapd.conf looks like:

configdirectory: /data/imap/config
partition-default: /data/imap/spool/mail
admins: cyrus postmaster
altnamespace: no
unixhierarchysep: no
lmtp_downcase_rcpt: yes
allowanonymouslogin: no
popminpoll: 5
autocreatequota: -1
umask: 077
sieveusehomedir: false
sievedir: /data/imap/sieve
hashimapspool: true
allowplaintext: yes
sendmail: /usr/sbin/sendmail
sasl_auto_transition: no
sasl_log_level: 7
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sql
sasl_sql_engine: pgsql
sasl_sql_user: account
sasl_sql_passwd: xxxxxx
sasl_sql_hostnames: 127.0.0.1:5432
sasl_sql_database: accounts
sasl_sql_statement: SELECT passwd FROM accounts WHERE login ='%u'
sasl_sql_verbose: true
tls_ca_file: /data/imap/server.pem
tls_cert_file: /data/imap/server.pem
tls_key_file: /data/imap/server.pem
tls_session_timeout: 1440
tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
lmtpsocket: /data/imap/config/socket/lmtp
idlemethod: idled
idlesocket: /var/run/cyrus/socket/idle
syslog_prefix: cyrus

cyrus.conf

START {
  recover       cmd="ctl_cyrusdb -r"
  idled         cmd="idled"
}
SERVICES {
  imap          cmd="imapd" listen="imap" prefork=5
  imaps         cmd="imapd -s" listen="imaps" prefork=1
  pop3          cmd="pop3d" listen="pop3" prefork=3
  pop3s         cmd="pop3d -s" listen="pop3s" prefork=1
  sieve         cmd="timsieved" listen="sieve" prefork=0
  lmtp          cmd="lmtpd" listen="localhost:lmtp" prefork=0
  lmtpunix      cmd="lmtpd" listen="/data/imap/config/socket/lmtp" prefork=1
}
EVENTS {
  checkpoint    cmd="ctl_cyrusdb -c" period=30
  delprune      cmd="cyr_expire -E 3" at=0400
  tlsprune      cmd="tls_prune" at=0400
}
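The LMTP note above says that lmtpd -a (authentication disabled) must only listen on the local interface or a unix socket, and cyrus.conf is where that is decided. The following lint is an added example, not part of this howto or of cyrus-imapd: it parses the SERVICES block and reports every lmtpd entry that combines -a with a listen address reachable from other hosts (a bare service name such as listen="lmtp" binds all interfaces). The sample cyrus.conf is constructed and includes one deliberately bad entry.

```python
"""Lint the SERVICES block of cyrus.conf for lmtpd exposure.  Added example,
not part of the howto or of cyrus-imapd.  'lmtpd -a' skips authentication,
so such an entry must listen on a unix socket or a loopback address only."""
import re

LOOPBACK = {"127.0.0.1", "localhost", "[::1]", "::1"}

def parse_services(text):
    """[(name, cmd, listen)] for each entry inside SERVICES { ... }."""
    block = re.search(r"SERVICES\s*\{(.*?)\}", text, re.S)
    entries = []
    for raw in (block.group(1) if block else "").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd = re.search(r'cmd="([^"]*)"', line)
        listen = re.search(r'listen="([^"]*)"', line)
        entries.append((line.split()[0], cmd.group(1) if cmd else "",
                        listen.group(1) if listen else ""))
    return entries

def is_local(listen):
    """True for a unix socket path or host:port bound to loopback; a bare port binds all."""
    if listen.startswith("/"):
        return True
    host, sep, _ = listen.rpartition(":")
    return sep == ":" and host in LOOPBACK

def lmtp_findings(text):
    """Entries that run lmtpd without auth on a non-local listen address."""
    findings = []
    for name, cmd, listen in parse_services(text):
        words = cmd.split()
        if not words or words[0] != "lmtpd":
            continue
        if "-a" in words[1:] and not is_local(listen):
            findings.append(f"{name}: 'lmtpd -a' (no authentication) listens "
                            f"on {listen!r}, reachable from other hosts")
    return findings

# Constructed sample modelled on the howto's cyrus.conf plus one bad entry.
SAMPLE_CYRUS_CONF = """SERVICES {
  lmtp          cmd="lmtpd -a" listen="127.0.0.1:lmtp" prefork=20
  lmtpunix      cmd="lmtpd -a" listen="/data/imap/config/socket/lmtp" prefork=1
  lmtpext       cmd="lmtpd -a" listen="lmtp" prefork=0
}
"""

if __name__ == "__main__":
    print("\n".join(lmtp_findings(SAMPLE_CYRUS_CONF)) or "no findings")
```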

special tricks

  • if you had an old cyrus-imap installation or installed and removed the Ubuntu imap packages, then you have an old cyrus.conf. Remove it and replace it with the config in master/conf/prefork.conf (or another one) as explained in the documentation !!!
  • after setting up all configs, don't forget to run tools/mkimap (the tools folder is in the source code) to build all needed subfolders
  • use imtest for testing: imtest -m login -a USERNAME localhost
  • never use a normal user as imap admin: this will cause big trouble when this user tries to access his mailbox, because admins don't access the user.USERNAME namespace but the root namespace. So if they create a subfolder, everyone else can see it :)
  • my admin is not a system user but exists only in the postgres db, like all other users. I have a system user called cyrus for imapd to run as, and an imap user (stored in the postgres db) called cyrus as well to be my imap admin. They can have different passwords and everything.
  • cyradm: cyradm --user cyrus --authz cyrus --auth login localhost (where cyrus is my admin and a user in my postgresql db, not the system user with the same name)


 
knowwiki/howtos/sasl2_sendmail_postgres_cyrus.txt · Last modified: 2009/04/05 21:49 by peter