Ubuntu
******

Currently supported versions of Ubuntu include Cyrus IMAP packages in
the repositories configured on a stock system:

* Cyrus IMAP 2.4.12-2 for Ubuntu 12.04.5 (Precise Pangolin)

* Cyrus IMAP 2.4.17+caldav~beta9-3 for Ubuntu 14.04.2 (Trusty Tahr)
  (Stable)

* Cyrus IMAP 2.4.17+caldav~beta10-5 for Ubuntu 14.10 (Utopic Unicorn)

* Cyrus IMAP 2.4.17+caldav~beta10-17 for Ubuntu 15.04 (Vivid Vervet)
  (Current)

* Cyrus IMAP 2.4.17+caldav~beta10-17 for Ubuntu 15.10 (Wily Werewolf)
  (Development)

Note:

  The Cyrus project does not support running any versions of the Cyrus
  IMAP software older than the version of the software shipped with
  the operating system itself.

To install the version of Cyrus IMAP that comes with the operating
system, issue the following command:

   # **sudo apt-get install cyrus-imapd cyrus-clients-2.4 cyrus-doc-2.4 cyrus-admin-2.4 sasl2-bin**

Note:

  The cyrus-imapd meta-package will trigger installation of the
  following Cyrus packages:

  * cyrus-common (another meta-package)

  * cyrus-common-2.4

  * cyrus-imapd-2.4

Note:

  The following non-Cyrus packages are required, and will be installed
  automatically as needed:

  * db-util

  * db-upgrade-util

  * libdb5.X (where X depends on OS version)

  * libsasl2-2

  * libsasl2-modules

  * libcomerr2

  * [etc.]

Note:

  The Debian Cyrus Team packages are split based upon functional
  requirements of the installation.  Depending upon your needs, you
  may also wish to install any or all of these packages:

  * cyrus-pop3d-2.4

  * cyrus-murder-2.4

  * cyrus-replication-2.4

  * cyrus-nntpd-2.4

  * cyrus-caldav-2.4

Once you've decided which services to support (IMAP, POP3, NNTP,
CalDav), and whether those services shall be available in secured
versions, you'll need to edit "/etc/cyrus.conf" and check the
"SERVICES" section, commenting and uncommenting as needed to enable or
disable the proper versions of those services.

Here's the stock version of the "SERVICES" section of
"/etc/cyrus.conf" as shipped with these packages:

   SERVICES {
       # --- Normal cyrus spool, or Murder backends ---
       # add or remove based on preferences
       imap            cmd="imapd -U 30" listen="imap" prefork=0 maxchild=100
       #imaps          cmd="imapd -s -U 30" listen="imaps" prefork=0 maxchild=100
       pop3            cmd="pop3d -U 30" listen="pop3" prefork=0 maxchild=50
       #pop3s          cmd="pop3d -s -U 30" listen="pop3s" prefork=0 maxchild=50
       nntp            cmd="nntpd -U 30" listen="nntp" prefork=0 maxchild=100
       #nntps          cmd="nntpd -s -U 30" listen="nntps" prefork=0 maxchild=100
       http            cmd="httpd -U 30" listen="8008" prefork=0 maxchild=100
       #https          cmd="httpd -s -U 30" listen="8443" prefork=0 maxchild=100


       # At least one form of LMTP is required for delivery
       # (you must keep the Unix socket name in sync with imap.conf)
       #lmtp           cmd="lmtpd" listen="localhost:lmtp" prefork=0 maxchild=20
       lmtpunix        cmd="lmtpd" listen="/var/run/cyrus/socket/lmtp" prefork=0 maxchild=20
       # ----------------------------------------------

       # useful if you need to give users remote access to sieve
       # by default, we limit this to localhost in Debian
       sieve           cmd="timsieved" listen="localhost:sieve" prefork=0 maxchild=100

       # this one is needed for the notification services
       notify          cmd="notifyd" listen="/var/run/cyrus/socket/notify" proto="udp" prefork=1

       # --- Murder frontends -------------------------
       # enable these and disable the matching services above,
       # except for sieve (which deals automatically with Murder)

       # mupdate database service - must prefork at least 1
       # (mupdate slaves)
       #mupdate       cmd="mupdate" listen=3905 prefork=1
       # (mupdate master, only one in the entire cluster)
       #mupdate       cmd="mupdate -m" listen=3905 prefork=1

       # proxies that will connect to the backends
       #imap           cmd="proxyd" listen="imap" prefork=0 maxchild=100
       #imaps          cmd="proxyd -s" listen="imaps" prefork=0 maxchild=100
       #pop3           cmd="pop3proxyd" listen="pop3" prefork=0 maxchild=50
       #pop3s          cmd="pop3proxyd -s" listen="pop3s" prefork=0 maxchild=50
       #lmtp           cmd="lmtpproxyd" listen="lmtp" prefork=1 maxchild=20
       # ----------------------------------------------
   }

Note:

  The default settings, as shown above, are for non-secure protocol
  access.

Edit "/etc/imapd.conf" and change the default settings as needed.
Please consult imapd.conf(5) for details.

* You MUST, at the very least, uncomment the "admins:" line.

* As documented in the man page, "the values "yes", "on", "t", "true"
  and "1" turn the option  on,  the  values  "no",  "off", "f",
  "false" and "0" turn the option off."

* If you are NOT using SSL and/or STARTTLS, you MUST enable plain text
  logins, and set "sasl_minimum_layer: 0" for authentication to work,
  or have some other protection layer in place.

* Consider enabling the commonly used settings "altnamespace" and
  "unixhierarchysep" as these will default to "on" beginning in
  version 3.0.

* Check your "sasl_pwcheck_method" setting, as this defaults to
  "auxprop" with these packages, which is likely not what you want.
  Change it to "saslauthd" or "pwcheck" as needed.

Next, set a password for the default administrative user "cyrus". Your
choice of authentication system will dictate the proper way to do
this.  Shown below are examples for *nix password file and SASL
methods:

   # **passwd cyrus**
   Changing password for user cyrus.
   New password:
   Retype new password:
   passwd: all authentication tokens updated successfully.

   # **saslpasswd2 -c cyrus**
   Password:
   Again (for verification):

   # **sasldblistusers2**
   cyrus@newhost.example.com: userPassword

To enable *saslauthd*, edit "/etc/default/saslauthd" and set
"START=yes".  Make sure to change any other settings here as needed.

Note:

  If you're planning to integrate Cyrus with the Postfix MTA, it is
  necessary to either relocate the socket used by "saslauthd", or else
  to disable "chroot" as noted in "/etc/default/saslauthd", so the
  Postfix "smtpd" daemon can access it.

Start *saslauthd* if needed:

   # **service saslauthd start**
   * Starting SASL Authentication Daemon saslauthd              [ OK ]

You should at this moment be able to authenticate against saslauthd:

   # **testsaslauthd -u cyrus -p YOUR-PASSWORD**

Start the service, and ensure the service starts up when the system
boots:

   # **service cyrus-imapd start**
   # **update-rc.d cyrus-imapd enable**

You should now be able to login as the "cyrus" user, which is
configured by default as an administrator for Cyrus IMAP:

   # **imtest -t "" -u cyrus -a cyrus localhost**
   S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED COMPRESS=DEFLATE] newhost.example.com Cyrus IMAP v2.4.17-caldav-beta9-Debian-2.4.17+caldav~beta9-3 server ready
   C: S01 STARTTLS
   S: S01 OK Begin TLS negotiation now
   verify error:num=19:self signed certificate in certificate chain
   TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
   C: C01 CAPABILITY
   S: * CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE LIST-EXTENDED WITHIN QRESYNC SCAN XLIST URLAUTH URLAUTH=BINARY AUTH=PLAIN SASL-IR COMPRESS=DEFLATE IDLE
   S: C01 OK Completed
   Please enter your password:
   C: A01 AUTHENTICATE PLAIN ************
   S: A01 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE LIST-EXTENDED WITHIN QRESYNC SCAN XLIST URLAUTH URLAUTH=BINARY LOGINDISABLED COMPRESS=DEFLATE IDLE] Success (tls protection)
   Authenticated.
   Security strength factor: 256
   . logout
   . LIST "" "*"
   . OK Completed (0.000 secs 1 calls)
   * BYE LOGOUT received
   . OK Completed
   Connection closed.

Next, continue with Configuring the MTA.
