Paranoid Penguin - Secure Mail with LDAP and IMAP, Part II
Notice the localhost> prompt after a successful login: I'm now logged in to a cyradm shell session. To see a complete list of available commands, all I need to do is type ? or help. There are 20 commands in all, and each can be abbreviated, sometimes in two different ways. The help screen lists all versions of each command.
To create a mailbox, I can use the command createmailbox. Alternatively, I can use the abbreviation create or even a simple cm, like this:
localhost> cm user.bwooster localhost>
This is the very model of command-line efficiency, but notice that the user name corresponding to our new mailbox isn't really user.bwooster—it's simply bwooster. The user. prefix must be used for all mailboxes you create in Cyrus IMAP. Thus, to create a mailbox for the user bubba, I'd use the command cm user.bubba. To then create subdirectories for that mailbox, I'd use cm user.bubba.sent, cm user.bubba.drafts and so forth.
This user. prefix is visible only to Cyrus and to its administrators. In fact, when our user Bubba connects to the server with Evolution or some other IMAP client, rather than user.bubba he simply sees a folder named Inbox, even though its real name is user.bubba. Similarly, submailboxes appear as sent, drafts and so on, indented beneath Inbox.
Another thing worth noting about the e-mail account creation command is the lack of any feedback whatsoever from Cyrus upon successful completion. If you're like me, you find this unnerving; you periodically want to use the listmailbox command, lm for short, to see what you have:
localhost> lm user.bwooster (\HasNoChildren)
Believe it or not, this is all we need to do with Cyrus IMAP to allow user bwooster to receive and read his e-mail, assuming there's an LDAP record with a UID of bwooster. In Cyrus IMAP, creating a new user mailbox has the effect of creating that user's IMAP account. But before I move on to the topic of configuring the Postfix MTA to deliver e-mail to Cyrus IMAP, a few words about Cyrus IMAP ACLs.
Each mailbox in a Cyrus IMAP system can have one or more ACLs associated with it in which each ACL defines which actions a given user may perform on the referenced mailbox or folder. By default, a new mailbox has only one ACL, one that grants the mailbox's owner full administrative rights over the mailbox.
Interestingly, administrators by default have only lookup and administer rights on the new mailbox. You can look up the name of the mailbox using the listmailbox command, and you can set ACLs on it. But if you need to delete the mailbox, you first must create an ACL for the mailbox that grants your administrative account administrative rights. This is a feature, not a bug; it helps prevent things from getting deleted accidentally.
Continuing with our example, below are the commands for removing the mailbox we just created, using our administrative account mick_admin:
$ cyradm -u mick_admin localhost IMAP Password: ***** localhost> setaclmailbox user.bwooster mick_admin all localhost> deletemailbox user.bwooster
The second command issued here is of particular note; it begins with the cyradm command setaclmailbox, which may be abbreviated as sam or setacl. This is followed by the mailbox in question (user.bwooster), in turn followed by the account name to which we wish to grant (or deny) access, mick_admin in this case. Finally, either a group of permission codes or a special string is indicated. In this example, we have the special string all, which is short for all permissions. To delete the user.bwooster mailbox, it would have been sufficient simply to specify c, for create or delete mailbox or submailboxes. Other possible ACL permissions are listed in Table 1.
Table 1. cyradm ACL Permission Codes (adapted from the cyradm(1) man page)
|l||Lookup (visible to LIST/LSUB/UNSEEN)|
|r||Read (SELECT, CHECK, FETCH, PARTIAL, SEARCH, COPY source)|
|s||Seen (STORE \SEEN)|
|w||Write flags other than \SEEN and \DELETED|
|i||Insert (APPEND, COPY destination)|
|p||Post (send mail to mailbox)|
|c||Create and Delete mailbox (CREATE new submailboxes, RENAME or DELETE mailbox)|
|d||Delete (STORE \DELETED, EXPUNGE)|
|none||Special string meaning no permissions|
|read||Special string meaning lrs|
|post||Special string meaning lrsp|
|append||Special string meaning lrsip|
|write||Special string meaning lrswipcd|
|all||Special string meaning lrswipcda|
ACLs are covered in detail in the cyradm(1) man page and are explained in Cyrus IMAP's HTML documentation. I highly recommend that you get into the habit of at least reviewing, if not always customizing, the ACLs on each mailbox you create with cyradm. On some sites, it may not be necessary for users to retain the default permission c. If all user submailboxes (user.whomever.sent, user.whomever.saved and so on) are created for them by you, for example, you may prefer that they not have the ability to create new ones or delete them accidentally.
|Speed Up Your Web Site with Varnish||Jun 19, 2013|
|Non-Linux FOSS: libnotify, OS X Style||Jun 18, 2013|
|Containers—Not Virtual Machines—Are the Future Cloud||Jun 17, 2013|
|Lock-Free Multi-Producer Multi-Consumer Queue on Ring Buffer||Jun 12, 2013|
|Weechat, Irssi's Little Brother||Jun 11, 2013|
|One Tail Just Isn't Enough||Jun 07, 2013|
- Containers—Not Virtual Machines—Are the Future Cloud
- Non-Linux FOSS: libnotify, OS X Style
- Linux Systems Administrator
- Lock-Free Multi-Producer Multi-Consumer Queue on Ring Buffer
- Validate an E-Mail Address with PHP, the Right Way
- Technical Support Rep
- Senior Perl Developer
- UX Designer
- Introduction to MapReduce with Hadoop on Linux
Free Webinar: Hadoop
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Some of key questions to be discussed are:
- What is the “typical” Hadoop cluster and what should be installed on the different machine types?
- Why should you consider the typical workload patterns when making your hardware decisions?
- Are all microservers created equal for Hadoop deployments?
- How do I plan for expansion if I require more compute, memory, storage or networking?