Paranoid Penguin - Secure Mail with LDAP and IMAP, Part II

An IMAP mail server with an LDAP directory makes things simple, secure and easy for the user. Now Mick explains the tricky parts to make you the company e-mail guru.

Notice the localhost> prompt after a successful login: I'm now logged in to a cyradm shell session. To see a complete list of available commands, all I need to do is type ? or help. There are 20 commands in all, and each can be abbreviated, sometimes in two different ways. The help screen lists all versions of each command.

Creating Mailboxes with cyradm

To create a mailbox, I can use the command createmailbox. Alternatively, I can use the abbreviation create or even a simple cm, like this:

localhost> cm user.bwooster

This is the very model of command-line efficiency, but notice that the user name corresponding to our new mailbox isn't really user.bwooster—it's simply bwooster. The user. prefix must be used for all mailboxes you create in Cyrus IMAP. Thus, to create a mailbox for the user bubba, I'd use the command cm user.bubba. To then create subdirectories for that mailbox, I'd use cm user.bubba.sent, cm user.bubba.drafts and so forth.

This user. prefix is visible only to Cyrus and to its administrators. In fact, when our user Bubba connects to the server with Evolution or some other IMAP client, rather than user.bubba he simply sees a folder named Inbox, even though its real name is user.bubba. Similarly, submailboxes appear as sent, drafts and so on, indented beneath Inbox.

Another thing worth noting about the e-mail account creation command is the lack of any feedback whatsoever from Cyrus upon successful completion. If you're like me, you find this unnerving; you periodically want to use the listmailbox command, lm for short, to see what you have:

   localhost> lm
   user.bwooster (\HasNoChildren)

Believe it or not, this is all we need to do with Cyrus IMAP to allow user bwooster to receive and read his e-mail, assuming there's an LDAP record with a UID of bwooster. In Cyrus IMAP, creating a new user mailbox has the effect of creating that user's IMAP account. But before I move on to the topic of configuring the Postfix MTA to deliver e-mail to Cyrus IMAP, a few words about Cyrus IMAP ACLs.


Each mailbox in a Cyrus IMAP system can have one or more ACLs associated with it in which each ACL defines which actions a given user may perform on the referenced mailbox or folder. By default, a new mailbox has only one ACL, one that grants the mailbox's owner full administrative rights over the mailbox.

Interestingly, administrators by default have only lookup and administer rights on the new mailbox. You can look up the name of the mailbox using the listmailbox command, and you can set ACLs on it. But if you need to delete the mailbox, you first must create an ACL for the mailbox that grants your administrative account administrative rights. This is a feature, not a bug; it helps prevent things from getting deleted accidentally.

Continuing with our example, below are the commands for removing the mailbox we just created, using our administrative account mick_admin:

$ cyradm -u mick_admin localhost
IMAP Password: *****

localhost> setaclmailbox user.bwooster mick_admin all
localhost> deletemailbox user.bwooster

The second command issued here is of particular note; it begins with the cyradm command setaclmailbox, which may be abbreviated as sam or setacl. This is followed by the mailbox in question (user.bwooster), in turn followed by the account name to which we wish to grant (or deny) access, mick_admin in this case. Finally, either a group of permission codes or a special string is indicated. In this example, we have the special string all, which is short for all permissions. To delete the user.bwooster mailbox, it would have been sufficient simply to specify c, for create or delete mailbox or submailboxes. Other possible ACL permissions are listed in Table 1.

Table 1. cyradm ACL Permission Codes (adapted from the cyradm(1) man page)

lLookup (visible to LIST/LSUB/UNSEEN)
wWrite flags other than \SEEN and \DELETED
iInsert (APPEND, COPY destination)
pPost (send mail to mailbox)
cCreate and Delete mailbox (CREATE new submailboxes, RENAME or DELETE mailbox)
aAdminister (SETACL)
noneSpecial string meaning no permissions
readSpecial string meaning lrs
postSpecial string meaning lrsp
appendSpecial string meaning lrsip
writeSpecial string meaning lrswipcd
allSpecial string meaning lrswipcda

ACLs are covered in detail in the cyradm(1) man page and are explained in Cyrus IMAP's HTML documentation. I highly recommend that you get into the habit of at least reviewing, if not always customizing, the ACLs on each mailbox you create with cyradm. On some sites, it may not be necessary for users to retain the default permission c. If all user submailboxes (user.whomever.sent, user.whomever.saved and so on) are created for them by you, for example, you may prefer that they not have the ability to create new ones or delete them accidentally.


Geek Guide
The DevOps Toolbox

Tools and Technologies for Scale and Reliability
by Linux Journal Editor Bill Childers

Get your free copy today

Sponsored by IBM

8 Signs You're Beyond Cron

Scheduling Crontabs With an Enterprise Scheduler
On Demand
Moderated by Linux Journal Contributor Mike Diehl

Sign up now

Sponsored by Skybot