Paranoid Penguin - Secure Mail with LDAP and IMAP, Part II

An IMAP mail server with an LDAP directory makes things simple, secure and easy for the user. Now Mick explains the tricky parts to make you the company e-mail guru.

Notice the localhost> prompt after a successful login: I'm now logged in to a cyradm shell session. To see a complete list of available commands, all I need to do is type ? or help. There are 20 commands in all, and each can be abbreviated, sometimes in two different ways. The help screen lists all versions of each command.

Creating Mailboxes with cyradm

To create a mailbox, I can use the command createmailbox. Alternatively, I can use the abbreviation create or even a simple cm, like this:

localhost> cm user.bwooster
localhost>

This is the very model of command-line efficiency, but notice that the user name corresponding to our new mailbox isn't really user.bwooster—it's simply bwooster. The user. prefix must be used for all mailboxes you create in Cyrus IMAP. Thus, to create a mailbox for the user bubba, I'd use the command cm user.bubba. To then create subdirectories for that mailbox, I'd use cm user.bubba.sent, cm user.bubba.drafts and so forth.

This user. prefix is visible only to Cyrus and to its administrators. In fact, when our user Bubba connects to the server with Evolution or some other IMAP client, rather than user.bubba he simply sees a folder named Inbox, even though its real name is user.bubba. Similarly, submailboxes appear as sent, drafts and so on, indented beneath Inbox.

Another thing worth noting about the e-mail account creation command is the lack of any feedback whatsoever from Cyrus upon successful completion. If you're like me, you find this unnerving; you periodically want to use the listmailbox command, lm for short, to see what you have:

   localhost> lm
   user.bwooster (\HasNoChildren)

Believe it or not, this is all we need to do with Cyrus IMAP to allow user bwooster to receive and read his e-mail, assuming there's an LDAP record with a UID of bwooster. In Cyrus IMAP, creating a new user mailbox has the effect of creating that user's IMAP account. But before I move on to the topic of configuring the Postfix MTA to deliver e-mail to Cyrus IMAP, a few words about Cyrus IMAP ACLs.

Cyrus IMAP ACLs

Each mailbox in a Cyrus IMAP system can have one or more ACLs associated with it in which each ACL defines which actions a given user may perform on the referenced mailbox or folder. By default, a new mailbox has only one ACL, one that grants the mailbox's owner full administrative rights over the mailbox.

Interestingly, administrators by default have only lookup and administer rights on the new mailbox. You can look up the name of the mailbox using the listmailbox command, and you can set ACLs on it. But if you need to delete the mailbox, you first must create an ACL for the mailbox that grants your administrative account administrative rights. This is a feature, not a bug; it helps prevent things from getting deleted accidentally.

Continuing with our example, below are the commands for removing the mailbox we just created, using our administrative account mick_admin:

$ cyradm -u mick_admin localhost
IMAP Password: *****

localhost> setaclmailbox user.bwooster mick_admin all
localhost> deletemailbox user.bwooster

The second command issued here is of particular note; it begins with the cyradm command setaclmailbox, which may be abbreviated as sam or setacl. This is followed by the mailbox in question (user.bwooster), in turn followed by the account name to which we wish to grant (or deny) access, mick_admin in this case. Finally, either a group of permission codes or a special string is indicated. In this example, we have the special string all, which is short for all permissions. To delete the user.bwooster mailbox, it would have been sufficient simply to specify c, for create or delete mailbox or submailboxes. Other possible ACL permissions are listed in Table 1.

Table 1. cyradm ACL Permission Codes (adapted from the cyradm(1) man page)

PermissionDescription
lLookup (visible to LIST/LSUB/UNSEEN)
rRead (SELECT, CHECK, FETCH, PARTIAL, SEARCH, COPY source)
sSeen (STORE \SEEN)
wWrite flags other than \SEEN and \DELETED
iInsert (APPEND, COPY destination)
pPost (send mail to mailbox)
cCreate and Delete mailbox (CREATE new submailboxes, RENAME or DELETE mailbox)
dDelete (STORE \DELETED, EXPUNGE)
aAdminister (SETACL)
noneSpecial string meaning no permissions
readSpecial string meaning lrs
postSpecial string meaning lrsp
appendSpecial string meaning lrsip
writeSpecial string meaning lrswipcd
allSpecial string meaning lrswipcda

ACLs are covered in detail in the cyradm(1) man page and are explained in Cyrus IMAP's HTML documentation. I highly recommend that you get into the habit of at least reviewing, if not always customizing, the ACLs on each mailbox you create with cyradm. On some sites, it may not be necessary for users to retain the default permission c. If all user submailboxes (user.whomever.sent, user.whomever.saved and so on) are created for them by you, for example, you may prefer that they not have the ability to create new ones or delete them accidentally.

______________________

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix