The first requirement for an IMAP server is actually getting
messages delivered to it. Usually, Cyrus is used as the default
mailbox on the server and we will configure it as such. However,
if you have a live server that is receiving mail and delivering it
into another system (such as through procmail
into /var/spool/mail/$USER), you might save
this section for later. It is possible to selectively deliver
into Cyrus for certain users which might be useful during a
transition period.
To receive mail, Cyrus uses LMTP, which is a mail transfer protocol like SMTP but much lighter-weight. It is superior to simply reading pipe input because it is more rigidly defined and can be more efficient. For example, being able to deliver multiple messages in one connection reduces the overhead from building and tearing down the connection.
Cyrus used to use a program called deliver,
which read standard input and delivered messages into the mail
spool directly. These days, deliver is just
a wrapper that reads a message from standard input and delivers
it via LMTP. Since deliver is now considered
obsolete, it will not be covered here.
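The following is an added illustration of the point above about delivering several messages over one LMTP connection; it is example code written for this page, not part of the Cyrus HOWTO or of Cyrus itself. The client is Python's standard smtplib.LMTP, which speaks the same LHLO / MAIL FROM / RCPT TO / DATA dialogue that Postfix's lmtp transport speaks to lmtpd; the server is a constructed stand-in for lmtpd that only records what it is handed, and the socket path and message contents are constructed sample values.

```python
"""Added example (not from the Cyrus IMAP HOWTO): one LMTP connection carrying
two messages, the property the text credits for LMTP's lower overhead compared
with piping each message into a delivery program.

The server below is a constructed stand-in for lmtpd, not Cyrus code."""
import os
import smtplib
import socket
import tempfile
import threading

# Constructed sample messages: (recipient, RFC 822 text with LF line endings).
SAMPLE_MESSAGES = [
    ("alice@example.org", "Subject: one\n\nfirst message\n"),
    ("bob@example.org", "Subject: two\n\nsecond message\n"),
]


def lmtp_stub_server(sock_path, delivered, ready):
    """Stand-in lmtpd on a UNIX-domain socket. Two LMTP-specific details are
    modelled: the greeting verb is LHLO, and after DATA the server returns one
    status line per accepted recipient instead of one for the whole message."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(1)
    ready.set()
    conn, _ = srv.accept()
    f = conn.makefile("rwb")
    f.write(b"220 lmtp-stub LMTP ready\r\n")
    f.flush()
    rcpts = []
    while True:
        line = f.readline()
        if not line:
            break
        cmd = line.rstrip(b"\r\n")
        verb = cmd.split(b" ", 1)[0].upper()
        if verb == b"LHLO":
            f.write(b"250-lmtp-stub\r\n250 PIPELINING\r\n")
        elif verb == b"MAIL":
            rcpts = []                      # a new transaction starts here
            f.write(b"250 2.1.0 sender ok\r\n")
        elif verb == b"RCPT":
            rcpts.append(cmd.split(b":", 1)[1].strip(b" <>").decode())
            f.write(b"250 2.1.5 recipient ok\r\n")
        elif verb == b"DATA":
            f.write(b"354 go ahead\r\n")
            f.flush()
            body = []
            while True:
                l = f.readline()
                if l == b".\r\n" or not l:
                    break
                body.append(l[1:] if l.startswith(b"..") else l)  # undo dot-stuffing
            for r in rcpts:                 # one reply per recipient (LMTP)
                delivered.append((r, b"".join(body)))
                f.write(b"250 2.0.0 delivered to " + r.encode() + b"\r\n")
        elif verb == b"QUIT":
            f.write(b"221 bye\r\n")
            f.flush()
            break
        else:
            f.write(b"500 command not understood\r\n")
        f.flush()
    f.close()
    conn.close()
    srv.close()


def deliver_over_one_connection(messages):
    """Deliver (recipient, text) pairs over a single LMTP connection and return
    the (recipient, raw body) pairs the stub recorded, in delivery order.
    One recipient per message is used because smtplib reads only a single
    post-DATA reply, whereas real LMTP returns one per recipient."""
    sock_path = os.path.join(tempfile.mkdtemp(), "lmtp")  # stand-in for /var/lib/imap/socket/lmtp
    delivered = []
    ready = threading.Event()
    server = threading.Thread(target=lmtp_stub_server,
                              args=(sock_path, delivered, ready), daemon=True)
    server.start()
    ready.wait(5)
    # A host beginning with "/" makes smtplib.LMTP connect over AF_UNIX.
    client = smtplib.LMTP(sock_path, local_hostname="mta.example", timeout=5)
    try:
        for rcpt, text in messages:
            client.sendmail("sender@example.org", [rcpt], text)
    finally:
        client.quit()
    server.join(5)
    return delivered


if __name__ == "__main__":
    for rcpt, body in deliver_over_one_connection(SAMPLE_MESSAGES):
        print(rcpt, body)
```

Both messages travel through one connect, one LHLO and one QUIT; with per-message piping each would have paid for a process start or a connection setup of its own.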
To configure Cyrus to receive messages via LMTP,
make sure the lmtpunix line in
cyrus.conf is uncommented and looks
something like the following:
SERVICES {
# ...
lmtpunix cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=0
# ...
}
On the Postfix side, ensure that the
lmtp service in
master.cf is not chrooted:
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (50)
# ==========================================================================
lmtp      unix  -       -       n       -       -       lmtp
and set the mailbox_transport to the
LMTP socket listed in cyrus.conf:
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
A frequent source of trouble with LMTP delivery is the
permissions on the path to the LMTP socket; Cyrus and Postfix are often
in separate groups, so ensure that they share a group, such as mail.
To check your permissions, run something like the following (as root):
# P=/var/lib/imap/socket/lmtp; while [ "$P" != "/" ]; do ls -ld $P; P=$(dirname $P); done
srwxrwxrwx 1 root root 0 Jun 16 00:27 /var/lib/imap/socket/lmtp
drwxr-x--- 2 cyrus mail 4096 Jun 16 00:27 /var/lib/imap/socket
drwxr-x--- 14 cyrus mail 4096 Jun 16 00:57 /var/lib/imap
drwxr-xr-x 18 root root 4096 Jun 16 00:25 /var/lib
drwxr-xr-x 22 root root 4096 Jun 13 10:14 /var
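The listing above shows the permission bits but still leaves the reader to work out whether the delivering account can get through them. The following is an added example, not part of the HOWTO, that answers that question for a given account: connecting to a UNIX-domain socket needs write permission on the socket file and search (x) permission on every directory above it, chosen by the same owner / group / other rule the kernel applies, with the account's supplementary groups taken into account so that adding the MTA's account to the mail group shows up correctly. The account name "postfix" and the default socket path are assumptions to adjust for your site.

```python
"""Added example (not from the HOWTO): the permission walk from the text done
programmatically for the account that will actually connect to the socket."""
import os
import pwd
import stat
import sys


def applicable_bits(st, uid, gids):
    """Return the rwx triple (0-7) of st that applies to a process with uid and group set gids."""
    if uid == st.st_uid:
        shift = 6            # owner bits
    elif st.st_gid in gids:
        shift = 3            # group bits (primary or supplementary)
    else:
        shift = 0            # other bits
    return (st.st_mode >> shift) & 0o7


def check_lmtp_socket_path(sock_path, uid, gids, top="/"):
    """List the reasons uid/gids could not connect to sock_path; [] means it can.

    Directories are examined from the socket's parent upward until `top`
    (by default the filesystem root, like the while loop in the text)."""
    gids = set(gids)
    problems = []
    try:
        st = os.stat(sock_path)
    except FileNotFoundError:
        return [f"{sock_path}: does not exist (is lmtpd listening there?)"]
    if not stat.S_ISSOCK(st.st_mode):
        problems.append(f"{sock_path}: not a UNIX-domain socket")
    if not applicable_bits(st, uid, gids) & 0o2:
        problems.append(f"{sock_path}: no write permission, connect() will be refused")
    top = os.path.abspath(top)
    d = os.path.dirname(os.path.abspath(sock_path))
    while True:
        if not applicable_bits(os.stat(d), uid, gids) & 0o1:
            problems.append(f"{d}: no search (x) permission")
        if d == top or d == os.path.dirname(d):
            break
        d = os.path.dirname(d)
    return problems


if __name__ == "__main__":
    # Usage: check_lmtp_socket.py [socket-path] [account]; exits non-zero on problems.
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/imap/socket/lmtp"
    account = sys.argv[2] if len(sys.argv) > 2 else "postfix"   # assumed MTA account
    pw = pwd.getpwnam(account)
    groups = os.getgrouplist(account, pw.pw_gid)  # primary plus supplementary groups
    found = check_lmtp_socket_path(path, pw.pw_uid, groups)
    for problem in found:
        print(problem)
    sys.exit(1 if found else 0)
```

Run it as root (so every directory can be stat'ed) with the account your MTA's LMTP client runs as; an empty result means the socket is reachable, and each reported line names exactly the component whose mode or group needs changing. The chain in the text passes for an account in the mail group and fails at /var/lib/imap/socket for one that is not.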
Delivering with Sendmail, as with Postfix, requires ignoring
the included but obsolete configuration intended for use with
deliver and instead delivering with LMTP.
As usual when configuring Sendmail, changes should be made
to the M4 file, with the resulting output file replacing
/etc/mail/sendmail.cf.
Cyrus IMAP supports authentication using Cyrus SASL. SASL is the Simple Authentication and Security Layer, defined in RFC 2222 and other RFCs. In short, SASL does for network protocols what PAM does for system authentication. More information about Cyrus SASL is (will be) available in the Cyrus-SASL-HOWTO. This document will provide basic configuration information for a typical setup. For more complex installations, see the Cyrus-SASL-HOWTO.
The simplest configuration for the average Linux
installation is to use SASL to authenticate with PAM.
Cyrus SASL provides the saslauthd
server which runs as root to be able to read the
/etc/shadow. It listens on a
UNIX domain socket, through which the client libraries
pass authentication information and receive pass or
fail status. Since most installations will have user
accounts already stored in /etc/passwd
and /etc/shadow, PAM provides a
convenient mechanism.
Run the command saslauthd -v and
verify that "pam", "shadow" or
"getpwent" are available. "pam"
is the preferred mechanism for a PAM-based system like
Red Hat. "shadow" is a lower-level mechanism that reads
the shadow file directly. "getpwent" uses the
standard UNIX function that abstracts the reading of the
/etc/passwd (and shadow) and allows a
modular naming system with the Name Service Switch. Of these,
PAM is undoubtedly the most flexible of the mechanisms.
If you're using Red Hat, then Cyrus SASL 2.1 should
already be installed with saslauthd
built with PAM support. By default, however,
the init script uses the shadow
mechanism, which is more limited. I recommend you
create /etc/sysconfig/saslauthd
with the line MECH="pam" and
restart with # /sbin/service saslauthd
restart. Ensure that it is configured to start at
boot time by running # /sbin/chkconfig
saslauthd on.
You can verify that it is working with the
testsaslauthd program. Simply supply a
username and password for the -u and
-p options, respectively.
For example:
$ testsaslauthd -u joebob -p bobjoe
0: OK "Success."
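To make concrete what passes over saslauthd's UNIX domain socket (described above) and what testsaslauthd is doing in the run just shown, here is an added example that is not part of the Cyrus IMAP HOWTO or of Cyrus SASL. The client side sends the four strings saslauthd expects (login, password, service, realm), each framed as a 16-bit big-endian length followed by the bytes, and reads back one string in the same framing beginning "OK" or "NO"; the server side is a constructed in-process stand-in for the daemon that checks a dictionary where the real one would consult PAM, the shadow file or getpwent. The socket path is an assumption (Red Hat commonly uses /var/run/saslauthd/mux; check your distribution) and the account joebob/bobjoe is the HOWTO's own sample.

```python
"""Added example (not Cyrus SASL code): the exchange testsaslauthd performs with
saslauthd, run against a constructed stand-in so it works without the daemon."""
import os
import socket
import struct
import tempfile
import threading


def _send_string(sock, data: bytes):
    # saslauthd framing: 16-bit big-endian length, then the bytes.
    sock.sendall(struct.pack("!H", len(data)) + data)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the socket mid-message")
        buf += chunk
    return buf


def _recv_string(sock):
    (n,) = struct.unpack("!H", _recv_exact(sock, 2))
    return _recv_exact(sock, n)


def saslauthd_check(mux_path, user, password, service="imap", realm=""):
    """What `testsaslauthd -u user -p password` does. Returns (ok, reply).
    `service` is the PAM service name the daemon will consult."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(5)
        s.connect(mux_path)
        for field in (user, password, service, realm):
            _send_string(s, field.encode())
        reply = _recv_string(s).decode(errors="replace")
    return reply.startswith("OK"), reply


def stub_saslauthd(mux_path, accounts, ready, connections):
    """Constructed stand-in for saslauthd: answers `connections` requests by
    comparing against a dict instead of PAM, /etc/shadow or getpwent."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(mux_path)
    srv.listen(4)
    ready.set()
    for _ in range(connections):
        conn, _addr = srv.accept()
        with conn:
            user, password, _service, _realm = [_recv_string(conn) for _ in range(4)]
            if accounts.get(user.decode()) == password.decode():
                _send_string(conn, b"OK")
            else:
                _send_string(conn, b"NO")
    srv.close()


def demo():
    """One good and one bad check against the stub; returns both (ok, reply) results."""
    mux = os.path.join(tempfile.mkdtemp(), "mux")   # stand-in for the real mux socket
    accounts = {"joebob": "bobjoe"}                  # constructed, the HOWTO's sample user
    ready = threading.Event()
    server = threading.Thread(target=stub_saslauthd,
                              args=(mux, accounts, ready, 2), daemon=True)
    server.start()
    ready.wait(5)
    good = saslauthd_check(mux, "joebob", "bobjoe")
    bad = saslauthd_check(mux, "joebob", "not-the-password")
    server.join(5)
    return good, bad


if __name__ == "__main__":
    for ok, _reply in demo():
        text = 'OK "Success."' if ok else 'NO "authentication failed"'
        print(f"{os.getpid()}: {text}")   # same shape as testsaslauthd's output line
```

Note that the password crosses the socket in the clear and the daemon runs as root, which is why the mux socket's directory permissions deserve the same scrutiny as the LMTP socket's: anything that can connect to it can ask it to verify passwords.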