[Web-cyradm] how to do @ virtual domains with cyrus21 (especially on debian)

Doug Hughes doug at gblx.net
Fri Feb 25 14:33:49 CET 2005


well, this is perhaps a bit obsolete now given the security hole, but here
it is anyway.

* I'm allowing CRAM-MD5 and DIGEST-MD5, so passwords are stored in mysql
with webcyradm in clear format.

(I might have missed a few things since I've been working on this over
the course of two weeks or so)

This HOWTO is geared towards debian sarge with cyrus21 installed.

packages:
	libsasl2-modules
	libsasl2-modules-sql
	cyrus21-common
	cyrus21-imapd
	cyrus21-popd
	cyrus21-doc
	cyrus21-client
	cyrus21-admin
	mysql-client
	mysql-common
	mysql-server
	postfix-mysql
	libmysqlclient
	libpam-mysql

divergences from traditional web-cyradm
	* requires use of the sasl sql module with mysql instead of
saslauthd with pam and mysql. This is needed because the pam module
does not pass the realm info and cyrus21 doesn't directly support
virtual domains.
	* small patch to newaccount.php
	* use LMTP directly instead of cyrdeliver in postfix.
	* enable sasl for smtp-auth and postfix/tls/sasl and postfix/ssl/sasl


imapd.conf:
	unixhierarchysep: yes

	robot101mode:true
	( this is a hack added by hmh at debian.org, package maintainer, and
it should be used with large blazing caveats. It is undocumented! It does,
however, allow lmtpd to work without stripping off the '@' and subsequent
domain information. This is needed for postfix to deliver to cyrus. By
enabling this flag you may be required to use IMAP folder transfers to
upgrade from 2.1 to 2.2!)

	allowplaintext: yes

	loginrealms: <stuff>
	You need to add your domain name into loginrealms for this
to work correctly. Each and every domain. This is needed because cyrus21
doesn't have the virtual domains support.

	sasl_pwcheck_method: auxprop
	# NOTE(review): 'sasldb' here disagrees with the sasl_sql_* lookups below
	# and with 'auxprop_plugin: sql' in /etc/postfix/sasl/smtpd.conf further
	# down; confirm which plugin is meant, since with sasldb the SQL keys
	# would presumably not be consulted for IMAP/POP logins.
	sasl_auxprop_plugin: sasldb
	# %u is the login user, %r the realm (presumably one of the domains listed
	# in loginrealms). The three alternatives accept user@domain, a bare user
	# row with an empty domain_name, and user.domain.
        sasl_sql_select: SELECT password FROM accountuser WHERE username =
'%u@%r' or (username = '%u' and domain_name = '') or username = '%u.%r';
	# NOTE(review): the select reads 'accountuser' but the update writes
	# 'users'; verify the table name. The stored value is the clear-text
	# password ($CRYPT = "plain" below), so restrict read access to this table.
	sasl_sql_update: update users set password = '%v' where username = '%u@%r'
or (username = '%u' and domain_name = '') or username = '%u.%r';

	singleinstancestore: yes

	duplicatesuppression: yes

/etc/postfix/master.cf:
	# Submission (587): TLS is offered but not enforced (smtpd_enforce_tls=no)
	# and the only SASL restriction is noanonymous, so PLAIN/LOGIN can be
	# negotiated on an unencrypted session. Consider adding
	# -o smtpd_tls_auth_only=yes so AUTH is only advertised after STARTTLS.
	# The -v (also on lmtp below) is debug verbosity; presumably not meant
	# for production.
	587       inet  n       -       n       -       -       smtpd -v -o smtpd_enforce_tls=no -o smtpd_sasl_auth_enable=yes -o smtpd_sender_restrictions=permit_sasl_authenticated -o smtpd_sasl_security_options=noanonymous -o smtpd_use_tls=yes -o smtp_tls_note_starttls_offer=yes -o smtpd_tls_key_file=/etc/postfix/ssl/postal.key -o smtpd_tls_cert_file=/etc/postfix/ssl/postal.crt -o smtpd_tls_CAfile=/etc/postfix/ssl/ca.pem -o smtpd_tls_received_header=yes -o tls_random_source=dev:/dev/urandom

	# SMTPS (465): wrapper-mode TLS, so the session is encrypted before AUTH.
	smtps     inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
	tlsmgr    fifo  -       -       n       300     1       tlsmgr
	# Delivery to Cyrus over LMTP (see mailbox_transport in main.cf).
	lmtp      unix  -       -       n       -       -       lmtp -v
	(comment out cyrus transport)

/etc/postfix/main.cf:
	(I honestly don't remember which things I changed in here and which things I left as is)
# Local domains are the usual ones plus whatever the mysql map returns.
mydestination = $myhostname, localhost.$mydomain, $mydomain,
mysql:/etc/postfix/mysql-mydestination.cf
# All local mailboxes go to Cyrus over the LMTP socket (no cyrdeliver).
mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp
virtual_maps = mysql:/etc/postfix/mysql-virtual.cf
sender_canonical_maps = mysql:/etc/postfix/mysql-canonical.cf
relay_domains = mysql:/etc/postfix/mysql-relay.cf
#transport_maps = mysql:/etc/postfix/mysql-transport.cf
#transport_maps = hash:/etc/postfix/transport

smtpd_client_restrictions = permit_mynetworks
smtpd_sender_restrictions = permit_mynetworks
# Relaying for outside clients hinges on permit_sasl_authenticated, i.e. on
# the SASL setup in /etc/postfix/sasl/smtpd.conf below.
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, check_relay_domains
# NOTE(review): noanonymous alone still allows PLAIN/LOGIN on an unencrypted
# session. To confine them to TLS, use "noanonymous, noplaintext" here and
# smtpd_sasl_tls_security_options = noanonymous (or smtpd_tls_auth_only = yes).
smtpd_sasl_security_options = noanonymous

# ssl
# NOTE(review): these paths (/etc/postfix/sasl/, ca.der) differ from the ones
# given on the 587 line in master.cf (/etc/postfix/ssl/, ca.pem); confirm which
# set is live. If ca.der really is DER-encoded, Postfix expects PEM here.
smtpd_tls_key_file = /etc/postfix/sasl/postal.key
smtpd_tls_cert_file = /etc/postfix/sasl/postal.crt
smtpd_tls_CAfile = /etc/postfix/sasl/ca.der

# sasl
smtpd_sasl_auth_enable = yes
# Accept the non-standard "AUTH=" syntax some old clients send.
broken_sasl_auth_clients = yes


/etc/postfix/transport:
*	lmtp:unix:/var/run/cyrus/socket/lmtp
(yes, this obviates the transport mapping in web-cyradm)


/etc/postfix/sasl/smtpd.conf:
(for postfix/sasl auth on 587 or 465(ssl))
pwcheck_method: auxprop
auxprop_plugin: sql
# CRAM-MD5/DIGEST-MD5 need the clear-text password on the server, which is
# why the web-cyradm side stores passwords with $CRYPT = "plain". PLAIN and
# LOGIN are only safe if Postfix restricts them to TLS sessions (see main.cf).
mech_list: plain login cram-md5 digest-md5
sql_engine: mysql
# NOTE(review): presumably logs the SQL statements it runs; turn off once the
# setup works.
sql_verbose: yes
sql_user: mail
# Clear-text DB credential: keep this file readable only by the user smtpd
# runs as.
sql_passwd: secret
sql_hostnames: localhost
sql_database: mail
# Same lookup as sasl_sql_select in imapd.conf: %u is the user, %r the realm.
sql_statement: SELECT password FROM accountuser WHERE username = '%u@%r' or (username = '%u' and domain_name = '') or username = '%u.%r';

webcyradm/config/conf.php:

# Passwords are stored unhashed in MySQL: CRAM-MD5/DIGEST-MD5 need the
# clear-text password on the server side (see imapd.conf / smtpd.conf above).
$CRYPT = "plain";
# Allow @ in username to make transitioning from mirapoint style
# auth with user at domain much easier (allows users to not have to
# change all of their username settings)
# This is also the flag the newaccount.php patch below tests to build the
# mailbox name from <email>@<domain> instead of from <username>.
$ALLOW_AT_IN_MBOX = 1;

$DOMAIN_AS_PREFIX = 1;

# NOTE(review): presumably selects the SQL path for password changes
# (cf. sasl_sql_update in imapd.conf) — confirm against web-cyradm's docs.
$PASSWORD_CHANGE_METHOD = "sql";


patch for newaccount.php (0.5.4-rc1):

*** newaccount.php.bak  Thu Feb 10 14:46:19 2005
--- newaccount.php      Wed Feb 23 17:32:15 2005
***************
*** 216,223 ****
                                }

                                $result=$handle->query($query3);

!                               $query4 = "INSERT INTO virtual (alias, dest, username, status) values ( '" . $email . "@" . $domain . "' , '$username' , '$username' , '1')";

                                $result2 = $handle->query($query4);

--- 216,230 ----
                                }

                                $result=$handle->query($query3);
+                               if ($ALLOW_AT_IN_MBOX) {
+                                       $mbox = "user" . $seperator . $email . "@" . $domain;
+                                       $dest = $email . "@" . $domain;
+                               } else {
+                                       $mbox = "user" . $seperator . $username;
+                                       $dest = $username;
+                               }

!                               $query4 = "INSERT INTO virtual (alias, dest, username, status) values ( '" . $email . "@" . $domain . "' , '$dest' , '$username' , '1')";

                                $result2 = $handle->query($query4);

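Review bot: The rewritten `$query4` line still splices `$email`, `$domain`, `$dest` and `$username` into the INSERT by string concatenation, so a single quote in an address or user name (presumably taken from the form) breaks the statement or lets the submitter alter it; each value should go through the escaping routine of the database layer behind `$handle`, or a prepared statement if it offers one, before being interpolated. The added `if ($ALLOW_AT_IN_MBOX)` block reads a variable set in conf.php; if this code runs inside a function it needs a `global $ALLOW_AT_IN_MBOX;` first, which cannot be seen from the hunk. `$mbox` as set here is the only definition the later `createmb`/`setacl`/`setmbquota` hunks rely on, so both branches must keep assigning it. The enclosing block starts and ends outside the hunk.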
***************
*** 232,238 ****
                                        <?php
                                }

!                               $result=$cyr_conn->createmb("user" . $seperator . $username);

                                if ($result){
                                        ?>
--- 239,245 ----
                                        <?php
                                }

!                               $result=$cyr_conn->createmb($mbox);

                                if ($result){
                                        ?>
***************
*** 241,248 ****
                                        </h3>
                                        <?php
                                }
!                               print $cyr_conn->setacl("user" . $seperator . $username, $CYRUS['ADMIN'], "lrswipcda");
!                               $result = $cyr_conn->setmbquota("user" . $seperator . $username, $quota);
                                include WC_BASE . "/browseaccounts.php";
                        }
                        else{ # if password and confirm_password are not the same
--- 248,255 ----
                                        </h3>
                                        <?php
                                }
!                               print $cyr_conn->setacl($mbox, $CYRUS['ADMIN'], "lrswipcda");
!                               $result = $cyr_conn->setmbquota($mbox, $quota);
                                include WC_BASE . "/browseaccounts.php";
                        }
                        else{ # if password and confirm_password are not the same



