[pkg-kolab] r487 - kolab-cyrus-imapd/trunk/debian

Peter Eisentraut petere at alioth.debian.org
Tue Oct 31 17:07:08 CET 2006


Author: petere
Date: 2006-10-31 17:07:08 +0100 (Tue, 31 Oct 2006)
New Revision: 487

Added:
   kolab-cyrus-imapd/trunk/debian/README.postfix
Modified:
   kolab-cyrus-imapd/trunk/debian/changelog
Log:
* Added README.postfix from original cyrus package


Added: kolab-cyrus-imapd/trunk/debian/README.postfix
===================================================================
--- kolab-cyrus-imapd/trunk/debian/README.postfix	2006-10-31 15:55:39 UTC (rev 486)
+++ kolab-cyrus-imapd/trunk/debian/README.postfix	2006-10-31 16:07:08 UTC (rev 487)
@@ -0,0 +1,143 @@
+Setting up Cyrus IMAPd for Postfix (Debian)
+$Id: README.postfix 5 2005-03-12 23:19:45Z sven $
+===========================================================
+
+Cyrus works wonderfully well with Postfix, both in single-system stores (where
+Postfix runs in the same host as Cyrus IMAPd), and remote mail stores (where
+Cyrus IMAPd is in a different host than Postfix).
+
+Delivery to Cyrus should _always_ be done through direct LMTP from Postfix.  It
+is far simpler and faster to do such delivery using Unix sockets, but Unix
+sockets are only an option for single-system stores.  Cyrdeliver is just a
+stdio-to-LMTP proxy, and it slows down mail delivery greatly.
+
+Cyrus requires LMTP deliveries to be authenticated.  It assumes that any
+deliveries done through an Unix socket are trustable, and pre-authenticates
+them as if coming from the "postman" (fictitious) user (but you _can_
+re-authenticate them as another lmtp admin user, if you wish).
+
+Deliveries done through TCP sockets are not limited to the same host, unlike
+the Unix socket ones, and can therefore be used in remote mail stores.
+However, Cyrus requires that the LMTP session be authenticated using one of the
+SASL mechs available to Cyrus (you can switch this off by giving a "-a"
+parameter to lmtpd in cyrus.conf, but that is unsafe since anyone can bypass
+any user authentication controls you might have on mail delivery, that way).
+
+TCP-socket LMTP sessions should be authenticated as one of the Cyrus LMTP
+admins, normal Cyrus users are not enough.  This requires Postfix with SASL
+support.
+
+
+Setting up Postfix for LMTP delivery to Cyrus
+=============================================
+
+Just set up a transport (either using a transport map, or the default_transport
+configuration directive of Postfix).  Do not use cyrdeliver.
+
+I suggest that the lmtp transport be duplicated and renamed to cyrus if you
+use it to talk to anything else (such as amavisd-new, or amavis-ng). That
+way, LMTP connection caching to the Cyrus store gets optimized, and you can
+use the lmtp-named LMTP transport for something else.
+
+WARNING: Postfix 2.0 does not downcase the recipient in LMTP deliveries, so if
+your users require it, you will have to set lmtp_downcase_rcpt: yes in
+imapd.conf.
+
+
+Unix sockets:
+-------------
+
+For Unix sockets, the Postfix transport is specified as
+"lmtp:unix:/var/run/cyrus/socket/lmtp", (we are using the default Cyrus unix
+socket location as an example, you can change it in /etc/cyrus.conf and
+/etc/imapd.conf). 
+
+You need a Cyrus lmtpd service listening on that socket, of course, so make
+sure something like:
+
+lmtpunix        cmd="lmtpd" listen="/var/run/cyrus/socket/lmtp"
+
+is in the SERVICES section of the /etc/cyrus.conf file.  You also need to make
+sure both Cyrus and Postfix can talk through that socket.  Unix sockets work
+just like files, so that translates to making sure both the user "cyrus" and
+the user Postfix is using for LMTP delivery can both read and write to that
+file.
+
+WARNING:  Since Cyrus pre-auths anything coming through the Unix socket, anyone
+who can write to it will be able to inject email into Cyrus directly.
+
+Use dpkg-statoverride to make sure your configuration for the socket
+permissions will not be overwritten by the Cyrus packages.  Do remember that
+Postfix usually runs the LMTP transport as user "postfix" (configurable in
+/etc/postfix/master.cf).  Also, do not run the postfix lmtp transport chrooted
+if the socket is not inside the chroot.
+
+1. Create a lmtp group:
+	# addgroup lmtp
+
+2. Put user postfix in that group:
+	# adduser postfix lmtp
+
+3. Fix the socket directory permissions:
+	# dpkg-statoverride --force --update --add \
+	  cyrus lmtp 750 /var/run/cyrus/socket
+
+4. Restart Postfix and Cyrus IMAPd
+	# /etc/init.d/postfix restart
+	# /etc/init.d/cyrus22 restart
+
+
+TCP sockets:
+------------
+
+TCP sockets are easier on the Cyrus side, and more complicated on the Postfix
+side.  For Cyrus, it is enough to have an "lmtpd" service listening on the
+desired IP interface (or in all of them, if you leave the interface unspecified
+as in the example below), that means something like this in /etc/cyrus.conf
+SERVICES area:
+
+lmtp            cmd="lmtpd" listen="lmtp"
+
+(do note that you MUST have an lmtp entry in /etc/services for this to work).
+
+Also, remember to set the tcpwrapper permissions up (/etc/hosts.allow and
+/etc/hosts.deny), or Cyrus might refuse the connections.
+
+To configure Postfix' lmtp transport to authenticate using SASL, do the
+following:
+
+1. Configure the lmtp transport SASL layer:
+   (add to /etc/postfix/main.cf):
+   lmtp_sasl_auth_enable = yes
+   lmtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+   lmtp_sasl_security_options = 
+   lmtp_destination_concurrency_limit = 100
+   lmtp_destination_recipient_limit = 0
+
+   The *_limit values should match whatever you configured as limits in
+   Cyrus.  The above configuration will allow plain text logins.
+
+   Create the password map /etc/postfix/sasl_passwd to tell postfix
+   of a Cyrus LMTP administrator user and password to use.
+
+   e.g.:
+   echo "mycyrusspool.my.domain.org postman:foobar" >sasl_passwd
+   postmap sasl_passwd
+
+2. Configure Cyrus to accept that user as a lmtp administrator
+   (add to /etc/imapd.conf)
+   lmtp_admins: postman
+
+3. Tell postfix to use the lmtp transport to deliver email using
+   transport maps or something else.  I suggest making a copy of the
+   postfix lmtp transport in master.cf, renaming it to "cyrus", and 
+   using that.
+
+4. Note that to use the new feature of virtual domains in Cyrus v2.2,
+   you need to tell postfix to use the lmtp transport as the 
+   virtual_transport. If you also want "local" mail recipients, i.e.
+   those that are addressed to hosts listed in mydestination, to
+   be delivered to Cyrus v2.2, you also need to use lmtp as the 
+   mailbox_transport.
+
+   That's it!
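
Review bot: In step 1 of the "TCP sockets" section, the example 'echo "mycyrusspool.my.domain.org postman:foobar" >sasl_passwd' creates the password map under the caller's umask, so the LMTP administrator password will normally end up world-readable. The README should tell the reader to create the file as /etc/postfix/sasl_passwd (the path used in lmtp_sasl_password_maps) and to restrict both it and the sasl_passwd.db that postmap generates to root with mode 600. The same step leaves lmtp_sasl_security_options empty, and the text says this allows plain text logins. Since this section covers remote mail stores, it should also say that the password then crosses the network unencrypted. Finally, the log says the file comes from the original cyrus package, so please confirm that /etc/init.d/cyrus22 and /var/run/cyrus/socket are the right names for this package.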

Modified: kolab-cyrus-imapd/trunk/debian/changelog
===================================================================
--- kolab-cyrus-imapd/trunk/debian/changelog	2006-10-31 15:55:39 UTC (rev 486)
+++ kolab-cyrus-imapd/trunk/debian/changelog	2006-10-31 16:07:08 UTC (rev 487)
@@ -8,15 +8,18 @@
     Thanks to  Martin Sín
   * Updated dutch translation (Closes: #377255)
     Thanks to Kurt De Bree
-  * Build against libdb4.3 to avoid segmentation faults 
+  * Build against libdb4.3 to avoid segmentation faults
     (Closes: #383172)
     Thanks to Florian Zschocke
 
   [ Noèl Köthe ]
   * corrected wrong patch for berkley db usage. thx Chris Halls
 
- -- Noèl Köthe <noel at debian.org>  Mon, 26 Jun 2006 13:30:32 +0200
+  [ Peter Eisentraut ]
+  * Added README.postfix from original cyrus package
 
+ -- Peter Eisentraut <petere at debian.org>  Tue, 31 Oct 2006 17:05:14 +0100
+
 kolab-cyrus-imapd (2.2.12-7)  unstable; urgency=low
 
   * debian/rules removed unneeded pts configure options
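
Review bot: The new "[ Peter Eisentraut ]" entry records README.postfix as added, but this revision touches only debian/changelog and the new file itself, so nothing visible here installs the README into the binary package. Please confirm it is picked up by the existing docs handling, or add it there in the same commit. Separately, the change to the "Build against libdb4.3 to avoid segmentation faults" line only strips trailing whitespace and is unrelated to this entry. It would be cleaner as its own commit or mentioned in the log.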



