RPM packages of Cyrus IMAPd server
----------------------------------
Cyrus IMAPd version: 2.0.16
rpm package release: 3rm
Release date : Wed Dec 5 2001
0. Contents
(The sections marked with * were modified since the last release)
1. Intro
2. Packaging
3. Upgrade/Installation notes
3.1. For all users:
3.2. For all users upgrading from some rpm package version:
3.3. For users upgrading from a rpm package not downloaded from
this site
3.4. For users upgrading from versions < 2.0.x of Cyrus IMAPd
3.5. For users upgrading from release 2.0.9-4.62.crm of the rpm
package downloaded from this site
3.6. For users upgrading from release 2.0.11-5.62.crm of the rpm
packages downloaded from this site
4. Specific user/group creation during install
5. Installation logging
6. Build dependencies
7. Installation dependencies
8. OpenSSL notes
* 9. db3 notes
* 10. Cyrus SASL notes
* 11. Quick per-RHL version checklist
11.1. - RHL 6.2
11.2. - RHL 7
11.3. - RHL 7.1
* 11.4. - RHL 7.2
* 12. Sendmail -- optional support
13. DRACd -- optional support
14. Syslog configuration
15. Notes about user authentication methods
15.1. Default user authentication method
15.2. Common problems implementing user authentication schemes
15.2.1. Problems authenticating users against /etc/shadow
15.2.2. Using the sasldb method + Sendmail with SMTP authentication
enabled and experiencing problems with /etc/sasldb permissions
16. To do list
17. Feedback
1. Intro
This set of rpm packages was forked from the versions shipped with Red
Hat Linux Powertools when Cyrus IMAPd was at version 2.0.7. The
goals are a) to follow the Cyrus releases more closely, b) to fix bugs
and omissions and c) to add the features necessary to facilitate the
use of the software in a production environment with Red Hat Linux
servers. Later fixes from Red Hat to their packages are being tracked
and incorporated as well.
The packages were built and tested in a Red Hat Linux 6.2 system
with every relevant official errata published by Red Hat applied.
The version of rpm used is 3.0.5 (more specifically, the version from
the official errata
http://www.redhat.com/support/errata/RHEA-2000-051.html; note that
I'm not yet using the recently published official update of rpm to
version 4.0.2).
IMPORTANT: It is recommended to download the source rpm and
rebuild it on your system with:
    # rpm --rebuild
Please read this whole file to understand the reason.
I'm trying to make the packages compatible with versions 7 and 7.1
of Red Hat Linux as well (read: you should be able to download
the source rpm of Cyrus IMAPd from this site, re-build your own
set of binary rpms and install them) but I have no means to be
sure the re-build process will be successful because I do not yet
have a system running such versions of Red Hat Linux (I'm planning
to install 7.1 soon). Please share your experiences with me and
help me improve the packages.
2. Packaging
The software is split into 5 (five) packages: the main package and
the -doc, -devel, perl-Cyrus and -utils sub-packages. Notes:
- It is recommended to always install the -doc sub-package (you
can even install it before the main package). All the references
below to the Cyrus IMAPd documentation are to files contained in
the cyrus-imapd-doc rpm.
- The main package contains the server programs.
- The -utils sub-package contains utilities needed to perform basic
administrative tasks. These utilities communicate with the
server using the IMAP protocol. Install this sub-package on all
hosts of your network from which you want to perform these tasks
(including the host running the server).
- The perl-Cyrus sub-package contains the Perl modules
Cyrus::IMAP::{,Admin,IMSP,Shell} and Cyrus::SIEVE::{acap,managesieve},
trying to mimic the DNA CPAN rpm packages. Some utilities
in the -utils sub-package need perl-Cyrus.
The packages are GPG signed. You can download my GPG public key
from:
http://rmrpms.tripod.com/RM-GPG-KEY
or from
http://www.rmorales.com.ar/RM-GPG-KEY
3. Upgrade/Installation notes
Since version 2.0.9 the pre-uninstall script of the main rpm
package unconditionally stops the master daemon and the
post-uninstall script does not start it automatically.
The logic behind this behavior is:
If the user is upgrading a production server she/he should get
a chance to read the documentation and then do all the
necessary tasks to prepare the system before starting the daemon;
the format/location of some file(s) used by the software may change
even between minor releases and running some utilities may be
necessary as a previous step to starting the new server for the
first time.
This is especially true if the previous version of Cyrus IMAPd
you have is 1.x.x (so you are doing a major version upgrade) AND
if you have installed it from a rpm package. Unfortunately in
this case the pre-uninstall script of the old package is already
stored in the system and rpm will always run it; if the script does
the following check: "If an upgrade is in progress and the old daemon
was running then start the new daemon", it will end up doing what
we are trying to avoid no matter what we do in the install
scripts of the 2.x.x rpm packages. The only way to avoid it is by
stopping the old daemon.
Another characteristic of the rpm packages is that the SysV init
script is installed but is not configured to start Cyrus automatically
in any run-level, so when you are happy with your configuration don't
forget to activate it with ntsysv or chkconfig.
Taking into account these and some other issues we can build the
following list of recommended pre-install/-upgrade tasks. Perform
the relevant ones for your case:
3.1. For all users:
The installation does not configure the system to start Cyrus
IMAPd automatically at boot-time. You can do it with your favorite
SysV run-level editor.
3.2. For all users upgrading from some rpm package version:
Stop the old daemon before the upgrade operation. This keeps the
post-uninstall script of the previous version from automatically
starting the new daemon.
3.3. For users upgrading from a rpm package not downloaded from
this site:
Please check the directories /var/imap and /var/spool/imap
and sub-directories below them with the lsattr command to be sure
some of them have the S ext2fs attribute set (read
install-configure.html in the Cyrus IMAPd documentation to find
the detailed recommendations for Linux systems). If you are doing
a fresh install or upgrading from a rpm package downloaded from
this site you can skip this manual check because the post-install
script takes care of setting the S attribute in the right
directories.
3.4. For users upgrading from versions < 2.0.x of Cyrus IMAPd:
Please read the Cyrus IMAPd documentation before upgrading; the
critical files to read are:
changes.html
    This file describes all functional changes.
install-configure.html
    The Linux-specific recommended list of directories that should
    get the synchronous-write ext2fs attribute applied changed
    starting with version 2 of Cyrus IMAPd.
install-upgrade.html
    This file details the recommended upgrade procedures.
3.5. For users upgrading from release 2.0.9-4.62.crm of the rpm
package downloaded from this site:
The package is now split into a main package and four sub-packages:
-doc, -devel, perl-Cyrus and -utils.
After the upgrade process you will get a
/var/imap/mailboxes.db.rpmsave file; please rename the file to
/var/imap/mailboxes.db and then start the new daemon (this is
because the file was marked as a configuration file in the old
release so rpm saves it at un-install time). If you have a production
installation and want to be really safe, I should not need to tell
you that you must save a backup copy of the file before the upgrade.
Just don't forget to check it is owned by user cyrus and group mail
before starting the server.
If you use timsieved, read install-upgrade.html included with the
Cyrus IMAPd documentation.
3.6. For users upgrading from release 2.0.11-5.62.crm of the rpm
packages downloaded from this site:
The package is now split into a main package and four sub-packages:
-doc, -devel, perl-Cyrus and -utils.
4. Specific user/group creation during install
This rpm creates a user "cyrus" with UID 76 and a group "shadow"
with GID 76. If the user or group already exists and does not
use this UID/GID, or if either the UID or the GID is already assigned
to another user/group, then the installation process fails.
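The failure condition described above can be checked before running rpm. The following script is an added example, not part of the original README or of the package's install scripts; the function names are hypothetical, and it reads only the local passwd(5) and group(5) files, so accounts served by NIS or another directory are not seen.

```shell
#!/bin/sh
# Added example: report the conflicts that make the user/group creation
# step fail. Values from section 4: user "cyrus" with UID 76 and group
# "shadow" with GID 76.
WANT_USER=cyrus
WANT_UID=76
WANT_GROUP=shadow
WANT_GID=76

# id_conflicts FILE NAME ID KIND
# FILE is in passwd(5) or group(5) format: field 1 is the name and
# field 3 the numeric id. Prints one line per conflict, nothing otherwise.
id_conflicts() {
    awk -F: -v name="$2" -v id="$3" -v kind="$4" '
        # The name exists but carries a different id.
        $1 == name && $3 != id {
            printf "%s %s exists with id %s, expected %s\n", kind, name, $3, id
        }
        # The id is in use under another name.
        $1 != name && $3 == id {
            printf "%s id %s is already taken by %s\n", kind, id, $1
        }' "$1"
}

# cyrus_id_precheck [PASSWD_FILE [GROUP_FILE]]
# Returns 0 when neither file holds a conflict; otherwise prints the
# conflicts and returns 1.
cyrus_id_precheck() {
    out=$(
        id_conflicts "${1:-/etc/passwd}" "$WANT_USER" "$WANT_UID" user
        id_conflicts "${2:-/etc/group}" "$WANT_GROUP" "$WANT_GID" group
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```

Called with no arguments, `cyrus_id_precheck` checks the live /etc/passwd and /etc/group; a non-zero exit status means one of the conflicts listed above is present.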
5. Installation logging
During installation and removal, errors in such actions as creating
or deleting the cyrus userID in /etc/passwd generate commentary
via logger(1) with syslog. In a standard Red Hat system this will
be recorded in /var/log/messages.
To diagnose an error, the following command should extract these
messages:
    grep cyrus/rpm /var/log/messages
(this feature is based on code used by Simon J. Mudd in the
Postfix rpm packages he maintains).
6. Build dependencies
This is the list of packages that must be present in the system
before you try to rebuild the Cyrus IMAPd source rpm:
rpm-build
cyrus-sasl-devel >= 1.5.24-11
e2fsprogs-devel
perl
tcp_wrappers
db3
db3-devel
openssl-devel
flex
bison
groff >= 1.15-8
sendmail-cf (if you activate support for Sendmail, see below)
dracd (if you activate support for DRACd, see below)
Additionally, the following programs are necessary:
/usr/sbin/useradd, /usr/sbin/groupadd, /usr/sbin/usermod
(shadow-utils package in Red Hat Linux distribution)
/usr/bin/logger
(util-linux package in Red Hat Linux distribution)
/usr/bin/id
(utils package in Red Hat Linux distribution)
NOTE: You must have the 'rpm-build' sub-package of rpm installed
to be able to (re)build rpm packages.
7. Installation dependencies
This is the list of packages that must be present in the system
before installing the Cyrus IMAPd rpm:
cyrus-sasl >= 1.5.24-11
db3
openssl
perl
tcp_wrappers
Additionally, the following programs are necessary:
/usr/sbin/useradd, /usr/sbin/groupadd, /usr/sbin/usermod
(shadow-utils package in Red Hat Linux distribution)
/usr/bin/logger
(util-linux package in Red Hat Linux distribution)
/usr/bin/id
(utils package in Red Hat Linux distribution)
8. OpenSSL notes
Since OpenSSL does not come with Red Hat Linux 6.2 you can obtain
it from the official errata
https://listman.redhat.com/pipermail/redhat-announce-list/2001-July/002449.html
These packages were published in Jul 2001 (with fixes back-ported
from OpenSSL 0.9.6a and 0.9.6b).
9. db3 notes
Since db3 does not come with Red Hat Linux 6.2 you can obtain it
from the official errata
http://www.redhat.com/support/errata/RHEA-2001-015.html
These db3 packages were published to allow the installation of
rpm 4.0.2 in Red Hat Linux 6.2.
Now you can rebuild Cyrus IMAPd in your system.
10. Cyrus SASL notes
Since Cyrus SASL is not included in the Red Hat Linux 6.2
distribution (the packages that come in the Power Tools collection
are 1.5.11, a rather old and buggy version) you can obtain it
by downloading the official security-related update published in
November 2001. See
https://listman.redhat.com/pipermail/redhat-announce-list/2001-November/002542.html
NOTE: A common problem is encountered when the installed copies of
Cyrus SASL and the Cyrus email server are linked against different
versions of db3. I used to suggest here avoiding this problem in
RHL 6.2 by rebuilding Cyrus SASL. Later examination of Red
Hat's Cyrus SASL specfile reveals that Red Hat forces it to link
against gdbm rather than db3, so we can use the pre-compiled binary
packages of Cyrus SASL.
11. Quick per-RHL version checklist
As a short conclusion of the above notes this is the status of the
relevant packages in different versions of Red Hat Linux. Beware I
actually only tested the packages on a RHL 6.2 system.
11.1. - RHL 6.2
db3: Not included in original distribution. Install packages
announced in
http://www.redhat.com/support/errata/RHEA-2001-015.html
Be sure to install at least the db3 main package and db3-devel
sub-package.
OpenSSL: Not included in original distribution. Install packages
announced in
https://listman.redhat.com/pipermail/redhat-announce-list/2001-July/002449.html
Be sure to install both the openssl main package and openssl-devel
sub-package.
Cyrus SASL: Not included in original distribution. Download the
Power Tools official update announced in the security advisory
https://listman.redhat.com/pipermail/redhat-announce-list/2001-November/002542.html
Install at least the cyrus-sasl and cyrus-sasl-devel packages.
11.2. - RHL 7
db3: Already included in original distribution. Be sure to install
at least the db3 main package and db3-devel sub-package.
OpenSSL: Already included in original distribution but install
packages announced in
https://listman.redhat.com/pipermail/redhat-announce-list/2001-July/002449.html
Be sure to install both the openssl main package and openssl-devel
sub-package.
Cyrus SASL: Already included in original distribution but you
must install the packages announced in the security advisory
https://listman.redhat.com/pipermail/redhat-announce-list/2001-November/002541.html
Be sure to install at least the cyrus-sasl and cyrus-sasl-devel
packages.
11.3. - RHL 7.1
db3: Already included in original distribution. Be sure to install
at least the db3 main package and db3-devel sub-package.
OpenSSL: Already included in original distribution but install
packages announced in
https://listman.redhat.com/pipermail/redhat-announce-list/2001-July/002449.html
Be sure to install both the openssl main package and openssl-devel
sub-package.
Cyrus SASL: Already included in original distribution but you
must install the packages announced in the security advisory
https://listman.redhat.com/pipermail/redhat-announce-list/2001-November/002541.html
Be sure to install at least the cyrus-sasl and cyrus-sasl-devel
packages.
11.4. - RHL 7.2
db3: Already included in original distribution. Be sure to install
at least the db3 main package and db3-devel sub-package.
OpenSSL: Already included in original distribution.
Be sure to install both the openssl main package and openssl-devel
sub-package.
Cyrus SASL: Already included in original distribution but you
must install the packages announced in the security advisory
https://listman.redhat.com/pipermail/redhat-announce-list/2001-November/002541.html
Be sure to install at least the cyrus-sasl and cyrus-sasl-devel
packages.
12. Sendmail -- optional support
In this version of the rpm package, the inclusion of some files
very specific to the task of using Cyrus IMAPd with the Sendmail
MTA is selectable at build time. If you use Postfix, Exim, Qmail,
..., you are not in danger if you install a package with this option
activated because no system configuration is made/modified
and you just end up with a couple of extra files in your filesystem.
Additionally, you can select support of Sendmail as packaged in
Red Hat Linux 6.2, 7 or as packaged in version 7.1.
By default the specfile comes with support for Sendmail as shipped
in RHL 6.2 and 7 turned on. You can change this by adding
    --define 'sendmail_rhl71 1'
to the command line of rpm when you do
    # rpm -bx|--recompile|--rebuild
to specify support for Sendmail shipped in RHL 7.1, or by adding
    --define 'disable_sendmail 1'
to disable support for Sendmail; this also deletes sendmail-cf
from the list of build dependencies.
NOTE:
If you are using Sendmail on RHL and do the Right Thing (= you
apply all the security updates published by your vendor) perhaps
you applied the update to sendmail and friends described in:
http://www.redhat.com/support/errata/RHSA-2001-106.html
As the Red Hat people followed common practice and implemented
the fix by solving the security problem in the last version (the
pre RHL 7.2 branch) of the package and then back-porting this to
all the affected versions of RHL, you will find you need to pass
--define 'sendmail_rhl71 1' to rpm when you rebuild Cyrus IMAPd
from the 2.0.16-1 source rpm package with Sendmail support turned
on even when you are not using RHL 7.1. Note that this issue forces
us to deviate from the instructions given above.
I experienced this situation with my RHL 6.2 build system since I
always apply on it all the updates published by Red Hat but I'm
almost sure the same applies to RHL 7.
It is worth noting that this whole issue is only relevant when one is
re-building the source rpm. It does not affect you if you are just
going to use the binary rpm(s).
13. DRACd -- optional support
It is possible to add support for DRACd (the Dynamic Relay
Authorization Control daemon) by applying a modified version of the
relevant patch located in the contrib directory of the source
distribution of Cyrus IMAPd.
If you want to know more about DRAC see
http://mail.cc.umanitoba.ca/drac/
Activating this feature will add a build-time dependency on the
DRAC static library but will allow one to use the resultant binaries
even when the system where you install them does not have
DRACd installed/active, because activation of this support is done
at run-time by means of setting a couple of configuration variables
in imapd.conf(5).
By default DRACd support is turned off; you can enable it by adding
    --define 'enable_drac 1'
to the command line of rpm when you do
    # rpm -bx|--recompile|--rebuild
You can download the rpm packages of DRACd I maintain from
http://rmrpms.tripod.com/
14. Syslog configuration
The installation process creates an empty /var/log/imapd.log
file and logrotate is configured to rotate it. But you should
configure syslog to send the messages of the local6 facility
to this file by adding a line to /etc/syslog.conf like:
    local6. /var/log/imapd.log
selecting the verbosity you want (see overview.html
and install-configure.html in the Cyrus IMAPd documentation).
Also, in the Red Hat Linux default configuration of syslog you
may get the Cyrus IMAPd messages going to /var/log/messages as well.
This means the log messages are duplicated and, if the verbosity
selected with the above line is high, they will pollute the logs in
the latter file. You can avoid this by changing the /etc/syslog.conf
line that reads:
    *.info;mail.none;authpriv.none /var/log/messages
to
    *.info;mail.none;authpriv.none;local6.none /var/log/messages
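A check for the two syslog.conf conditions described above, as an added example that is not part of the original README. It assumes the sysklogd-style selector syntax shown in this section; the function name is hypothetical, and it does not compare priorities, so any wildcard line writing to /var/log/messages without local6.none is reported.

```shell
#!/bin/sh
# Added example: verify that Cyrus IMAPd messages (facility local6) go to
# /var/log/imapd.log and are not also caught by the wildcard selector
# that feeds /var/log/messages.

# check_cyrus_syslog [FILE]
# Returns 0 when both conditions hold; otherwise prints each problem
# found and returns 1.
check_cyrus_syslog() {
    awk '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        {
            sel = $1                     # selector list, e.g. "*.info;mail.none"
            target = $NF                 # action field (a file path here)
            sub(/^-/, "", target)        # a leading "-" only disables syncing
            if (target == "/var/log/imapd.log" && sel ~ /(^|;)local6\./)
                routed = 1
            if (target == "/var/log/messages" && sel ~ /(^|;)\*\./ &&
                sel !~ /(^|;)local6\.none(;|$)/)
                dup = 1
        }
        END {
            if (!routed)
                print "local6 is not routed to /var/log/imapd.log"
            if (dup)
                print "/var/log/messages also receives local6: add local6.none"
            exit (!routed || dup)
        }' "${1:-/etc/syslog.conf}"
}
```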
15. Notes about user authentication methods
15.1. Default user authentication method
Just like the rpm package from Red Hat, the default authentication
method used by the server as set up by the rpm package is the sasldb
method. If you want to use another method you can change it (read
the install-auth.html file in the Cyrus IMAPd documentation to
learn about the different methods Cyrus supports).
15.2. Problems implementing user authentication schemes
We are going to describe problems people face when trying to
implement two common authentication schemes. Also we will explain
how recent modifications to the Cyrus code (applied from CVS to
version 2.0.16-2rm of the rpm packages) can hopefully provide some
help.
15.2.1. Problems authenticating users against /etc/shadow
Cyrus can be configured to use this scheme by using one of the
following methods:
o Using directly the shadow authentication method of SASL (by using
a 'sasl_pwcheck_method: shadow' line in /etc/imapd.conf).
o Or configuring SASL to use PAM (by using a
'sasl_pwcheck_method: pam' line in /etc/imapd.conf) and leaving
to the PAM libraries the task of accessing /etc/shadow (The rpm
package of Cyrus from Red Hat provides suitable
/etc/pam.d/{imap,pop} files for this and I copied them verbatim
in my package).
For either method Cyrus needs to be able to read /etc/shadow; so the
customary manual steps people implement are:
- Put the user 'cyrus' (the user the Cyrus daemons run as) into a
group called 'shadow' (this is done by the setup process
of my rpm package).
- Change perms of /etc/shadow from 600 root root (or 400 root root)
to 640 root shadow (or 440 root shadow).
Until now, even after these steps were implemented Cyrus kept
refusing to authenticate users. A bug that kept the Cyrus daemons from
using the supplementary group ('shadow') is now fixed. This should
help solve this problem.
Please see Bug #43706 in Red Hat's Bugzilla for a related bug in
the pam package affecting users of Red Hat Linux <= 7.1.
15.2.2. Using the sasldb method + Sendmail with SMTP authentication
enabled and experiencing problems with /etc/sasldb
permissions
This method implies the Sendmail MTA will be also accessing
/etc/sasldb through Cyrus SASL. Sendmail by default wants
this file owned by root and not readable by anyone else.
On the other hand, Cyrus wants the same file to be readable by the
'cyrus' user.
The customary steps people implement to try to solve this conflict
are:
o Compile Sendmail with the _FFR_UNSAFE_SASL option; this enables
an additional DontBlameSendmail GroupReadableSASLFile run-time
configuration option which allows /etc/sasldb to be group
readable.
o Since the 'cyrus' user belongs to the 'mail' group (this setup is
taken care of by the installation process of the rpm package) we set
the /etc/sasldb perms to 640 root mail (until version 2.0.16-1rm
it was 600 cyrus mail).
After these steps are implemented the Sendmail side of the problem
is solved but until now Cyrus kept refusing to work properly (it is
impossible to authenticate with the server using cyradm, imtest or
an IMAP client). A bug that kept the Cyrus daemons from using
the initial login group ('mail') is now fixed. This should help
solve this problem.
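The ownership, mode and group-membership conditions from sections 15.2.1 and 15.2.2 can be audited with a short script. This is an added example, not part of the original README or of the package; the function names are hypothetical and it assumes a stat(1) that supports -c (GNU coreutils).

```shell
#!/bin/sh
# Added example: audit the file permissions and group memberships that
# sections 15.2.1 and 15.2.2 rely on. Function names are hypothetical.

# check_perms PATH OWNER GROUP MODE [MODE...]
# Succeeds when PATH is owned by OWNER:GROUP and its octal mode is one of
# the listed MODEs; otherwise prints what was found and returns 1.
check_perms() {
    path=$1 owner=$2 group=$3
    shift 3
    found=$(stat -c '%a %U %G' "$path" 2>/dev/null) || {
        echo "$path: cannot stat"
        return 1
    }
    for mode in "$@"; do
        [ "$found" = "$mode $owner $group" ] && return 0
    done
    echo "$path: is '$found', want mode $* with owner $owner, group $group"
    return 1
}

# in_group USER GROUP
# Succeeds when GROUP is the login group or a supplementary group of USER.
in_group() {
    for g in $(id -Gn "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    echo "user $1 is not in group $2"
    return 1
}

# Section 15.2.1: /etc/shadow is 640 or 440 root:shadow, cyrus is in 'shadow'.
audit_shadow_scheme() {
    rc=0
    check_perms "${1:-/etc/shadow}" root shadow 640 440 || rc=1
    in_group cyrus shadow || rc=1
    return "$rc"
}

# Section 15.2.2: /etc/sasldb is 640 root:mail, cyrus is in 'mail'.
audit_sasldb_scheme() {
    rc=0
    check_perms "${1:-/etc/sasldb}" root mail 640 || rc=1
    in_group cyrus mail || rc=1
    return "$rc"
}
```

Any wider mode, for example one that makes either file world-readable, is reported as a mismatch because only the modes named in the text are accepted.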
16. To do list
- I added tcp_wrappers to the install time required dependencies
list, is this correct?
- Analyze which packages should be (Build)Requires and which
packages should be (Build)Prereq.
- Consider upgrading to rpm 4.0.2.
- I fiddled with the postinstall script in version 2.0.11-4.62 of
the packages because su displayed an ugly message about being
unable to open root's .bashrc. Perhaps it is a bash bug (See
Red Hat's Bugzilla entries #21806, #22174). Investigate the issue.
17. Feedback
Please send any comments, rants, bug-reports, etc. about the
packages or this file to rmrpms at usa dot net.
// -- end of file ---