Cyrus IMAPD Virtual Hosts - FreeBSD

Share on:

Continiung from my earlier post on Postfix Virtual Domain Hosting, I will complete the Cyrus IMAPD configuration here. In a sense this completes the earier post, however if you want a reliable, secure mail server, there is still more to do and I will cover topics such as Mail Relays & Spam Prevention in future posts.

Again this post is an extension of the notes that I have taken and hope they will be useful to someone, if not my "future self", as a quick jump start guide. You should use the Cyrus IMAPD Official Documentation to make sure the directives being set are what you would want for your circumstances.


Install Cyrus-IMAPD

Installation of Cyrus IMAPD is trivial under FreeBSD.

1# pkg install cyrus-imapd32
2# sysrc cyrus_imapd_enable="YES"

Add Configuration

Similar to my previous post on Postfix, it is just a matter of appending to the Cyrus IMAP configuration file. The configuration file to append to is /usr/local/etc/imapd.conf.

While I have made some inline comments, it is strongly advised to reference the Cyrus IMAPD imapd.conf man page to get a full understanding of these directives.

 3# --------------------------------
 5# --------------------------------
 6# Use the UNIX separator character '/' for delimiting levels of mailbox hierarchy.
 7# This will be a matter of preference and you may wish to toggle this either on or off.
 9unixhierarchysep: 1
11# Allow plaintext for tools such as cyradm. Clients will be connecting via imaps, which
12# implements a TLS/SSL encryption layer before any authentication takes place.
14allowplaintext: yes
16# Name of the Cyrus IMAPD Administrator
18admins: cyrus
21# --------------------------------
23# --------------------------------
24# Determine the users domain by splitting the users login with the '@' character.
25# This is the recommended configuration for all deployments.
27virtdomains: userid
29# The default domain to deliver mail to if the userid domain cannot be determined.
31defaultdomain: internal
33# Note: Both these directives are the defaults, however these have been added for clarity.
36# --------------------------------
38# --------------------------------
39# Password check method
40# This should be entered previously, however has been added here for clarity.
41# Do not uncomment unless it is *not* previously entered.
43#sasl_pwcheck_method: auxprop
45# Sasl Mechanisms
47sasl_mech_list: PLAIN LOGIN
50# --------------------------------
52# --------------------------------
53# TLS Certificate & Cipher Settings
55tls_server_cert: /etc/pki/tls/certs/
56tls_server_key: /etc/pki/tls/private/
57tls_client_ca_file: /etc/pki/tls/certs/letsencrypt-chain.pem
58tls_ciphers: EDH+aRSA+AES256:EECDH+aRSA+AES256:!SSLv3

It is possible to print configuration details with the following commands:

1# /usr/local/cyrus/sbin/cyr_info conf
2# /usr/local/cyrus/sbin/cyr_info conf-default

Where conf prints what is present in imapd.conf & conf-default prints what is the default.

Enable/Disable Ports & Services for Cyrus IMAPD

We can edit /usr/local/etc/cyrus.conf to toggle ports & services for Cyrus IMAPD.

The following settings will enable the services we are interested in for the purposes of this post.

 1# Disable Services that we do not want to provide
 2  imap          cmd="imapd" listen="localhost:imap" prefork=0       
 3  imaps         cmd="imapd -s" listen="imaps" prefork=0    
 4#  pop3          cmd="pop3d" listen="pop3" prefork=0       
 5#  pop3s         cmd="pop3d -s" listen="pop3s" prefork=0   
 6  sieve         cmd="timsieved" listen="sieve" prefork=0   
 9# these are only necessary if using HTTP for CalDAV, CardDAV, or RSS
10# http          cmd="httpd" listen="http" prefork=0
11# https         cmd="httpd -s" listen="https" prefork=0
14# Enable IMAP IDLE
16# this is only necessary if using idled for IMAP IDLE
17  idled         cmd="idled"

NOTE: As per RFC 8314 I have enabled imaps on port 993. imap has also been enabled but only on the localhost, so as to allow access to the cyradm & sieveshell tools that do not use encryption and would be unsafe to use over a public network.

Run mkimap & Start Cyrus-IMAPD

mkimap is a (small) Perl script to aid in creating spool and configuration directories for Cyrus IMAP installations. This needs to be run prior to the first time we start Cyrus IMAPD.

The output should be as follows:

1# /usr/local/cyrus/sbin/mkimap 
2reading configure file /usr/local/etc/imapd.conf...
3i will configure directory /var/imap.
4i saw partition /var/spool/imap.
6configuring /var/imap...
7creating /var/spool/imap...

Then it is just a simple matter of starting the daemon:

1# service imapd start 

Now we have configured everything that is neccessary for the Cyrus IMAPD server. However we still have a couple of tasks to complete before we can receive email.

Add Cyrus Administrator

In the imapd.conf file, we specified the administrator cyrus, when we entered admins: cyrus. Here we need to setup authenication for this administrator, by means of the saslpasswd2 command.

1# saslpasswd2 cyrus

Note: Accounts that have email addresses should not be administrators. That is, if the user "pbd" is a user reading mail, then this user should not be listed as an administrator.

Create Mailboxes

With our new admistrator, we can log into the Cyrus IMAPD service and create mailboxes for the users we created in my previous Postfix post, when we used the saslpasswd2 command.

1# cyradm -u cyrus localhost
3localhost> createmailbox user/
4localhost> createmailbox user/
5localhost> createmailbox user/
6localhost> quit

The format here uses the unixhierarchysep: 1 directive. Should we have this toggled off, then we would provide the users mailbox as etc.

With unixhierarchysep toggled on, I find it more logical when creating accounts with dots in their username, such as

We should be able to verify the creation of the users by seeing if the domains have been created in the spool directories:

1# ll /var/spool/imap/domain/
2total 12
3drwx------  3 cyrus  cyrus  512 Mar 23 12:14
4drwx------  3 cyrus  cyrus  512 Mar 23 12:14
5drwx------  3 cyrus  cyrus  512 Mar 23 12:14

That's it. Now we can send an email and Cyrus IMAPD will handle delivery to these sub-domains.

Test Email Delivery

By default Postfix allows us to send an email directly from the mail server, so long as we are connected directly, ie localhost.

The following is a test email so we can verify that Cyrus IMAPD will handle delivery.

 1# telnet localhost 25
 3Connected to localhost.
 4Escape character is '^]'.
 5220 freebsd13.localdomain ESMTP Postfix
 6mail from:                    < Sender
 7250 2.1.0 Ok
 8rcpt to:                         < Recipient
 9250 2.1.5 Ok
10data                                               < Start of data
11354 End data with <CR><LF>.<CR><LF>
12Subject: Postfix - Cyrus IMAPD Test                < Message subject
13Postfix - Cyrus IMAPD Test                         < Message body
14.                                                  < End of data
15250 2.0.0 Ok: queued as 43BD03D7FC
16quit                                               < Quit
17221 2.0.0 Bye
18Connection closed by foreign host.

Actual input entered has been denoted on the same line with < and a comment.

Now that should have all gone as expected, we can check the mailbox for the recipient and cat the email.

 1# cat /var/spool/imap/domain/ 
 2Return-Path: <>
 3Received: from freebsd13.localdomain ([unix socket])
 4         by freebsd13 (Cyrus 3.2.5) with LMTPA;
 5         Tue, 23 Mar 2021 12:20:11 +0000
 6X-Cyrus-Session-Id: freebsd13-1616502011-6101-2-16205649133481579916
 7X-Sieve: CMU Sieve 3.0
 8Received: from localhost (localhost [])
 9        by freebsd13.localdomain (Postfix) with SMTP id 43BD03D7FC
10        for <>; Tue, 23 Mar 2021 12:18:54 +0000 (UTC)
11Subject: Postfix - Cyrus IMAPD Test
12Message-Id: <20210323121919.43BD03D7FC@freebsd13.localdomain>
13Date: Tue, 23 Mar 2021 12:18:54 +0000 (UTC)
16Postfix - Cyrus IMAPD Test

Tada! It's easy when you know how. Now that this is confirmed as working from initial authentication under Postfix through to sending of an email and receiving it in the Cyrus IMAPD mailboxes, you should be able to set up these usesrs in a mail client such as Thunderbird without any issue.

Looking forward

While this concludes this setting up an email server, it is just the beginning of maintaining a mail server. In my next few posts I will look at setting up a Secondary MX Relay to catch any emails when the Primary Email Server is not available. I will also be looking at what can be done to prevent spam. This will cover directives that can be set in the, Postfix tools such as postscreen and external tools such as using Spamassassin with a Milter.. I plan to make a couple of further posts on Relaying Mail and Handling Spam. Stay tuned!