1######## 2Concepts 3######## 4 5This section gives an overview of several aspects of the Cyrus IMAP 6server, as they relate to deployment. In an effort to reduce 7duplication of information, we will often direct you to documentation 8in other areas. Please do follow such referrals. 9 10Access Control Lists 11******************** 12 13Access to each mailbox is controlled by access control 14lists. Access Control Lists (ACLs) provide a powerful mechanism for 15specifying the users, or groups of users, who have permission to access 16the mailboxes, and the degree of that access. 17 18An ACL is a list of zero or more entries. Each entry contains a 19mailbox, an Access Control Identifier (ACI) and a set of rights. The 20ACI specifies the user or group of users for which the entry 21applies. The set of rights is one or more letters or digits, each 22letter or digit conferring a particular privilege. 23 24Working with ACLs 25================= 26 27ACLs are manipulated via these subcommands within the 28:cyrusman:`cyradm(8)` program: 29 30 * :ref:`imap-reference-manpages-systemcommands-cyradm-setaclmailbox` 31 * :ref:`imap-reference-manpages-systemcommands-cyradm-listaclmailbox` 32 * :ref:`imap-reference-manpages-systemcommands-cyradm-deleteaclmailbox` 33 34Sample ACL 35========== 36 37A typical ACL is expressed like this: 38 39.. parsed-literal:: 40 41 **setaclmailbox** *mailbox* *id* *rights* [*id* *rights* ...] 42 43where *mailbox* is the name of the mailbox to which the ACL is applied, 44*id* is the ACI for the user or group for which the ACL applies, and 45*rights* is a concatenated list of Access Rights from the list below. 46 47A real world example may look like this: 48 49:: 50 51 setaclmailbox user/bovik/public bovik all group:users lrsp anyone lrs 52 53Here are samples illustrated via output from the ``listaclmailbox`` 54command in :cyrusman:`cyradm(8)`: 55 56.. parsed-literal:: 57 58 localhost> **listaclmamilbox tech/%** 59 tech/Commits: 60 group:tech lrswipkxtea 61 anyone lrs 62 tech/abuse: 63 group:tech lrswipkxtecda 64 anyone lrsp 65 tech/security: 66 anyone lrsp 67 group:tech lrswipkxtecda 68 tech/support: 69 group:tech lrswipkxtecda 70 anyone lrsp 71 72 localhost> **listaclmamilbox user/bovik/%** 73 user/bovik/Drafts: 74 bovik lrswipkxtecda 75 user/bovik/Sent: 76 bovik lrswipkxtecda 77 user/bovik/Sent Items: 78 bovik lrswipkxtecda 79 user/bovik/Spam: 80 anyone p 81 bovik lrswipkxtecda 82 user/bovik/Trash: 83 bovik lrswipkxtecda 84 85Access Rights 86============= 87 88The following lists Access Rights that can be used in an Access Control 89List entry. 90 91l 92 The user may see that the mailbox exists (**lookup**). 93 94r 95 The user may read the mailbox (**read**). 96 97s 98 Keep per-user seen state (i.e. modify the "Seen" flag) 99 (**setseen**). 100 101w 102 The user may modify flags and keywords other than "Seen" and 103 "Deleted". (**write**) 104 105i 106 The user may insert (append) new messages into the mailbox 107 (**insert**). 108 109p 110 The user may send email to the submission address for the mailbox 111 (**post**). 112 113c 114 [**deprecated**: see ``k`` right, below.] 115 116k 117 The user may create new mailboxes in this mailbox, delete the 118 current mailbox, or rename the mailbox (**create**). 119 120x 121 The user may delete the mailbox itself. (**deletembox**) 122 123t 124 The user may store the "Deleted" flag. In other words, delete 125 messages. 126 127e 128 The user may Expunge messages which have the "Deleted" flag already 129 set (**expunge**). 130 131d 132 This "legacy" right is treated by the software as a macro for ``te`` 133 (**deletemsg** && **expunge**). 134 135n 136 The user may store annotations for a message (**annotatemsg**) 137 138a 139 The user may change the *Access Control Information* (ACI) on the 140 mailbox (**administer**). 141 142For a complete reference to Access Rights, please see 143:ref:`imap-admin-access-control-lists-rights-reference` 144 145Rights are combined through concatenation. Please see 146:ref:`imap-admin-access-control-combining-rights` 147 148.. include:: /imap/reference/admin/access-control/defaults.rst 149 :start-after: _imap-admin-access-control-defaults: 150 151.. include:: /imap/reference/admin/access-control/identifiers.rst 152 :start-after: _imap-admin-access-control-identifiers: 153 154Negative Rights 155=============== 156 157Any of the above defined identifiers may be prefixed with a ``-`` 158character. The associated rights are then removed from that identifier. 159These are referred to as *negative rights*. 160 161Calculating a Users' Rights 162=========================== 163 164To calculate the set of rights granted to a user, the server first 165calculates the union of all of the rights granted to the user and to 166all groups the user is a member of. The server then calculates and 167removes the union of all the negative rights granted to the user and to 168all groups the user is a member of. 169 170:: 171 172 anyone lrsp 173 fred lwi 174 -anonymous s 175 176The user ``fred`` will be granted the rights ``lrswip`` and the 177anonymous user will be granted the rights ``lrp``. 178 179 180.. _imap-concepts-login-authentication: 181 182Login Authentication 183******************** 184 185This section discusses different types of authentication (ways of logging in) that can be used with Cyrus IMAP. 186 187The Cyrus IMAP server uses the Cyrus SASL library for authentication. This section describes how to configure SASL with use with Cyrus imapd. Please consult the :ref:`Cyrus SASL System Administrator's Guide <cyrussasl:sasl-index>` for more detailed, up-to-date information. 188 189Anonymous Login 190=============== 191 192Regardless of the SASL mechanism used by an individual connection, the 193server may support anonymous login. If the ``allowanonymouslogin`` 194option in :cyrusman:`imapd.conf(5)` is turned on, then the server will 195permit plaintext password logins using the user ``anonymous`` and any 196password. 197 198Additionally, the server will enable any SASL mechanisms that allow anonymous logins. 199 200Plaintext Authentication 201======================== 202 203The SASL library has several ways of verifying plaintext passwords. Plaintext passwords are passed either by the IMAP ``LOGIN`` command or by the SASL ``PLAIN`` mechanism (under a TLS layer). 204 205* PAM 206* Kerberos v4: Plaintext passwords are verified by obtaining a ticket for the server's Kerberos identity, to protect against Kerberos server spoofing attacks. 207 208* ``/etc/passwd`` 209* ``/etc/shadow``: ``sasl_auto_transition`` automatically creates secrets for shared secret authentication when given a password. 210 211The method of plaintext password verification is always through the SASL library, even in the case of the internal LOGIN command. This is to allow the SASL library to be the only source of authentication information. You'll want to look at the ``sasl_pwcheck_method`` option in the SASL documentation to understand how to configure a plaintext password verifier for your system. 212 213To disallow the use of plaintext passwords for authentication, you can set ``allowplaintext: no`` in imapd.conf. This will still allow PLAIN under TLS, but IMAP LOGIN commands will now fail. 214 215Kerberos Logins 216=============== 217 218The Kerberos SASL mechanism supports the ``KERBEROS_V4`` authentication mechanism. The mechanism requires that a ``srvtab`` file exist in the location given in the ``srvtab`` configuration option. The ``srvtab`` file must be readable by the Cyrus server and must contain a ``imap.$host@$realm`` service key, where ``$host`` is the first component of the server's host name and ``$realm`` is the server's Kerberos realm. 219 220The server will permit logins by identities in the local realm and identities in the realms listed in the ``loginrealms`` option in :cyrusman:`imapd.conf(5)`. 221 222The file ``/etc/krb.equiv`` contains mappings between Kerberos principals. The file contains zero or more lines, each containing two fields. Any identity matching the first field of a line is permitted to log in as the identity in the second field. 223 224If the ``loginuseacl`` configuration option is turned on, than any Kerberos identity that is granted the ``a`` right on the user's ``INBOX`` is permitted to log in as that user. 225 226Shared Secrets Logins 227===================== 228 229Some mechanisms require the user and the server to share a secret (generally a password) that can be used for comparison without actually passing the password in the clear across the network. For these mechanism (such as CRAM-MD5 and DIGEST-MD5), you will need to supply a source of passwords, such as the sasldb (which is described more fully in the :ref:`Cyrus SASL distribution <cyrussasl:sasl-index>`) 230 231Quotas 232****** 233 234Quotas allow server administrators to limit resources used by hierarchies of mailboxes on the server. 235 236Working with Quotas 237=================== 238 239Quotas are manipulated via these subcommands within the 240:cyrusman:`cyradm(8)` program: 241 242 * :ref:`imap-reference-manpages-systemcommands-cyradm-setquota` 243 * :ref:`imap-reference-manpages-systemcommands-cyradm-listquota` 244 * :ref:`imap-reference-manpages-systemcommands-cyradm-listquotaroot` 245 246.. include:: /imap/reference/admin/quotas.rst 247 :start-after: _imap-admin-quotas-repair: 248 :end-before: _imap-admin-quotas-config: 249 250.. include:: /imap/reference/admin/quotas/quotatypes.rst 251 :start-after: _imap-admin-quotas-types: 252 253.. include:: /imap/reference/admin/quotas/quotaroots.rst 254 :start-after: _imap-admin-quotas-roots: 255 256Controlling Quota Behavior 257========================== 258 259How restrictive quotas will be may be tailored to the needs of different 260sites, via the use of several settings in :cyrusman:`imapd.conf(5)`. 261 262Please consult the :ref:`imap-admin-quotas-config` section of the Cyrus 263IMAP Administrator Guide for complete details. 264 265Mail Delivery Behavior 266====================== 267 268Mailboxes Near Quota 269-------------------- 270 271Normally, in order for a message to be *appended* into a mailbox, the 272quota root for the mailbox must have enough unused storage that 273appending the message will not cause the quota to go over limit. 274 275Mail delivery (posting) is a special case. In order for a message to be 276delivered to a mailbox, the quota root for the mailbox merely need not 277already be over the limit *in the default configuration*. 278 279As long as usage is not over the limit, new messages may be delivered 280regardless of size, unless ``lmtp_strict_quota: on`` is set in 281:cyrusman:`imapd.conf(5)`. In that case, delivery of messages will be 282rejected would such delivery exceed quota. 283 284If a delivery puts the mailbox's usage over the quota, the server will 285issue an alert notifying the user that usage is close to or over the 286limit, permitting them to correct it. If delivery were not permitted in 287this case, the user would have no practical way of knowing that there 288was mail that could not be delivered. 289 290.. note:: 291 292 While the Cyrus IMAP server may from time to time issue alerts, 293 there is great variability in how IMAP clients handle these. 294 Further, such alerts are only visible to users *while they are 295 connected*. 296 297 Therefore, many sites find it preferable to install cron jobs which 298 use the :cyrusman:`quota(8)` command to produce periodic reports of 299 users at or near quota, so administrators may nag them or so that 300 warnings may be issued to users via some other mechanism. 301 302Mailboxes Over Quota 303-------------------- 304 305If the usage is over the limit, mail delivery will fail with a temporary 306error (LMTP error 452), unless ``lmtp_over_quota_perm_failure: on`` 307is set in :cyrusman:`imapd.conf(5)` in which case a permanent error 308(LMTP error 552) will be returned. 309 310A temporary error will *typically* cause the delivery system to requeue 311the message and re-attempt delivery for a few days (permitting the user 312time to notice and correct the problem) before returning the mail to 313the sender. 314 315.. Note:: 316 317 Such requeuing behaviour is controlled by the MTA (i.e. Sendmail, 318 EXIM or Postfix) and as such is outside the purview of this 319 document. 320 321Quota Warnings Upon Select When User Has ``d`` Rights 322===================================================== 323 324When a user selects a mailbox whose quota root has usage that is close to or over the limit and the user has ``d`` rights on the mailbox, the server will issue an alert notifying the user that usage is close to or over the limit. The threshold of usage at which the server will issue quota warnings is set by the ``quotawarn`` configuration option. 325 326The server only issues warnings when the user has ``d`` rights because only users with ``d`` rights are capable of correcting the problem. 327 328Quotas and Partitions 329===================== 330 331Quota roots are independent of partitions. A single quota root can apply to mailboxes in different partitions. 332 333.. include: /imap/reference/admin/quotas.rst 334 :start-after:`_imap-admin-quotas-database:` 335 :end-before:`_imap-admin-quotas-convert-db:` 336 337 338New Mail Notification 339********************* 340 341The Cyrus IMAP server comes with a notification daemon which supports 342multiple mechanisms for notifying users of new mail. Notifications can 343be configured to be sent upon normal delivery (``MAIL`` class) and/or 344sent as requested by a Sieve script (``SIEVE`` class). 345 346By default, both types of notifications are disabled. Notifications are 347enabled by using one or both of the following configuration options: 348 349* the ``mailnotifier`` option selects the :cyrusman:`notifyd(8)` method 350 to use for ``MAIL`` class notifications 351 352* the ``sievenotifier`` option selects the :cyrusman:`notifyd(8)` 353 method to use for ``SIEVE`` class notifications (when no method is 354 specified by the Sieve action) 355 356 357Partitions 358********** 359 360Partitions allow administrators to store different mailboxes in different parts of the Unix filesystem. This is intended to be used to allow hierarchies of mailboxes to be spread across multiple disks. 361 362Specifying Partitions with "create" 363=================================== 364 365When an administrator creates a new mailbox, the name of the partition for the mailbox may be specified using an optional second argument to the "create" command. Non-administrators are not permitted to specify the partition of a mailbox. If the partition is not specified, then the mailbox inherits the partition of its most immediate parent mailbox. If the mailbox has no parent, it gets the partition specified in the "defaultpartition" configuration option. 366 367The optional second argument to the "create" command can usually be given only when using a specialized Cyrus-aware administrative client such as ``cyradm``. 368 369Changing Partitions with "rename" 370================================= 371 372An administrator may change the partition of a mailbox by using the 373rename command with an optional third argument. When a third argument 374to rename is given, the first and second arguments can be the 375same; this changes the partition of a mailbox without changing its 376name. If a third argument to rename is not given and the first 377argument is not ``INBOX``, the partition of a mailbox does not change. 378If a third argument to rename is not given and the first argument is 379``INBOX``, the newly created mailbox gets the same partition it would 380get from the ``create`` command. 381 382News 383***** 384 385Cyrus has the ability to export Usenet via IMAP and/or export shared 386IMAP mailboxes via an NNTP server which is included with Cyrus. 387 388POP3 Server 389*********** 390 391The Cyrus IMAP server software comes with a compatibility POP3 server. 392Due to limitations in the POP3 protocol, the server can only access a 393user's ``INBOX`` and only one instance of a POP3 server may exist for any 394one user at any time. While a POP3 server has a user's ``INBOX`` open, 395expunge operations from any concurrent IMAP session will fail. 396 397When Kerberos login authentication is being used, the POP3 server 398uses the server identity 399``pop.host@realm`` instead of 400``imap.host@realm``, where 401``host`` is the first component of the server's host 402name and ``realm`` is the server's Kerberos realm. 403When the POP3 server is invoked with the ``-k`` switch, the 404server exports MIT's KPOP protocol instead of generic POP3. 405 406The syslog facility 407******************* 408 409The Cyrus IMAP server software sends log messages to the ``local6`` 410syslog facility. The severity levels used are: 411 412* **CRIT** - Critical errors which probably require prompt administrator action 413* **ERR** - I/O errors, including failure to update quota usage. The syslog message includes the specific file and Unix error. 414* **WARNING** - Protection mechanism failures, client inactivity timeouts 415* **NOTICE** - Authentications, both successful and unsuccessful 416* **INFO** - Mailbox openings, duplicate delivery suppression 417 418Mail Directory Recovery 419*********************** 420 421This section describes the various databases used by the Cyrus IMAP 422server software and what can be done to recover from various 423inconsistencies in these databases. 424 425Reconstructing Mailbox Directories 426================================== 427 428The largest database is the mailbox directories. Each 429mailbox directory contains the following files: 430 431message files 432 There is one file per message, containing the message in :rfc:`822` format. Lines in the message are separated by CRLF, not just LF. The file name of each message is the message's UID followed by a dot (.). 433 434 In netnews newsgroups, the message files instead follow the format and naming conventions imposed by the netnews software. 435 436``cyrus.header`` 437 This file contains a magic number and variable-length information about the mailbox itself. 438 439``cyrus.index`` 440 This file contains fixed-length information about the mailbox itself and each message in the mailbox. 441 442``cyrus.cache`` 443 This file contains variable-length information about each message in the mailbox. 444 445``cyrus.seen`` 446 This file contains variable-length state information about each reader of the mailbox who has ``s`` permissions. 447 448The ``reconstruct`` program can be used to recover from 449corruption in mailbox directories. If ``reconstruct`` can find 450existing header and index files, it attempts to preserve any data in 451them that is not derivable from the message files themselves. The 452state ``reconstruct`` attempts to preserve includes the flag 453names, flag state, and internal date. ``Reconstruct`` 454derives all other information from the message files. 455 456An administrator may recover from a damaged disk by restoring message 457files from a backup and then running reconstruct to regenerate what it 458can of the other files. 459 460The ``reconstruct`` program does not adjust the quota usage 461recorded in any quota root files. After running reconstruct, it is 462advisable to run ``quota -f`` (described below) in order to fix 463the quota root files. 464 465Reconstructing the Mailboxes File 466================================= 467 468.. note:: 469 470 CURRENTLY UNAVAILABLE 471 472The mailboxes file in the configuration directory is the most critical 473file in the entire Cyrus IMAP system. It contains a sorted list of 474each mailbox on the server, along with the mailboxes quota root and 475ACL. 476 477To reconstruct a corrupted mailboxes file, run the ``reconstruct 478-m`` command. The ``reconstruct`` program, when invoked 479with the ``-m`` switch, scavenges and corrects whatever data it 480can find in the existing mailboxes file. It then scans all partitions 481listed in the imapd.conf file for additional mailbox directories to 482put in the mailboxes file. 483 484The ``cyrus.header`` file in each mailbox directory stores a 485redundant copy of the mailbox ACL, to be used as a backup when 486rebuilding the mailboxes file. 487 488Reconstructing Quota Roots 489========================== 490 491.. note:: 492 493 The following instructions are valid where ``quota_db: quotalegacy`` 494 is set in :cyrusman:`imapd.conf(5)`. If your site uses a different 495 quota DB type, then these steps do not apply. 496 497The subdirectory ``quota`` of the configuration directory (specified in 498the ``configdirectory`` configuration option) contains one file per 499quota root, with the file name being the name of the quota root. These 500files store the quota usage and limits of each of the quota roots. 501 502The ``quota`` program, when invoked with the ``-f`` 503switch, recalculates the quota root of each mailbox and the quota 504usage of each quota root. 505 506Removing Quota Roots 507==================== 508 509To remove a quota root, remove the quota root's file. Then run 510``quota -f`` to make the quota files consistent again. 511 512Subscriptions 513============= 514 515The subdirectory ``user`` of the configuration directory contains user 516subscriptions. There is one file per user, with a filename of the 517userid followed by ``.sub``. Each file contains a sorted list of 518subscribed mailboxes. 519 520There is no program to recover from damaged subscription files. A 521site may recover from lost subscription files by restoring from backups. 522 523Configuration Directory 524*********************** 525 526Many objects in the configuration directory are discussed in 527the Database Recovery section. This section documents two 528other directories that reside in the configuration directory. 529 530Log Directory 531============= 532 533The subdirectory ``log`` under the configuration directory permits 534administrators to keep protocol telemetry logs on a per-user basis. 535 536If a subdirectory of ``log`` exists with the same name as a user, the 537IMAP and POP3 servers will keep a telemetry log of protocol sessions 538authenticating as that user. The telemetry log is stored in the 539subdirectory with a filename of the server process-id and starts with 540the first command following authentication. 541 542Proc Directory 543============== 544 545The subdirectory ``proc`` under the configuration directory 546contains one file per active server process. The file name is the ASCII 547representation of the process id and the file contains the following 548tab-separated fields: 549 550* hostname of the client 551* login name of the user, if logged in 552* selected mailbox, if a mailbox is selected 553 554The file may contain arbitrary characters after the first newline 555character. 556 557The ``proc`` subdirectory is normally be cleaned out on 558server reboot. 559 560Message Delivery 561**************** 562 563Mail transport agents such as Sendmail, Postfix, or Exim communicate 564with the Cyrus server via LMTP (the Local Mail Transport Protocol) 565implemented by the LMTP daemon. This can be done either directly by the 566MTA (prefered, for performance reasons) or via the ``deliver`` LMTP 567client. 568 569Local Mail Transfer Protocol (lmtp) 570=================================== 571 572LMTP, the Local Mail Transfer Protocol, is a variant of SMTP design for 573transferring mail to the final message store. LMTP allows MTAs to deliver 574"local" mail over a network. This is an easy optimization so that the 575IMAP server doesn't need to maintain a queue of messages or run an 576MTA. 577 578The Cyrus server implements LMTP via the ``lmtpd`` daemon. LMTP 579can either be used over a network via TCP or local via a UNIX domain 580socket. There are security differences between these two alternatives; read 581more below. 582 583For final delivery via LMTP over a TCP socket, it is necessary to use 584LMTP AUTH. This is accomplished using SASL to authenticate the delivering 585user. If your mail server is performing delivery via LMTP AUTH (that is, 586using a SASL mechanism), you will want their authentication id to be an 587LMTP admins (either via the ``admins`` imapd.conf option or via the 588``<service>_admins`` option, typically ``lmtp_admins``). 589 590Alternatively you may deliver via LMTP to a unix domain socket, and the 591connection will be preauthenticated as an administrative user (and access 592control is accomplished by controlling access to the socket). 593 594Note that if a user has a sieve script, the sieve script runs authorized 595as *that* user, and the rights of the posting user are ignored for the purposes 596of determining the outcome of the sieve script. 597 598Single Instance Store 599===================== 600 601If a delivery attempt mentions several recipients (only possible if 602the MTA is speaking LMTP to ``lmtpd``), the server attempts to 603store as few copies of a message as possible. It will store one copy 604of the message per partition, and create hard links for all other 605recipients of the message. 606 607Single instance store can be turned off by using the 608"singleinstancestore" flag in the configuration file. 609 610Duplicate Delivery Suppression 611============================== 612 613A message is considered a duplicate if two copies of a message with 614the same message-id and the same envelope recipient are received. 615Cyrus uses the duplicate delivery database to hold this information, 616and it looks approximately 3 days back in the default install. 617 618Duplicate delivery suppression can be turned off by using the 619"duplicatesuppression" flag in the configuration file. 620 621Sieve, a Mail Filtering Language 622******************************** 623 624Sieve is a mail filtering language that can filter mail into an appropriate 625IMAP mailbox as it is delivered via lmtp. 626 627Cyrus Murder, the IMAP Aggregator 628********************************* 629 630Cyrus now supports the distribution of mailboxes across a number of IMAP 631servers to allow for horizontal scalability. 632