2. Technologies

2.1. The Postfix MTA

 

Postfix attempts to be fast, easy to administer, and secure, while at the same time being sendmail compatible enough to not upset existing users. Thus, the outside has a sendmail-ish flavor, but the inside is completely different.

 
--www.postfix.org 

Figure 1. Postfix - the big picture

Doesn't it look impressive? - It looks much more complicated than it is. Postfix is indeed nice to configure and handle.

Unlike sendmail, Postfix is not one monolithic program; it is a collection of small programs, each of which has a specialized function. At this point I don't want to go into details about what each program does. If you are interested in how Postfix works, please see the documentation at http://www.postfix.org/docs.html

In this document you will find the information needed to get the system running in conjunction with the other components of a full e-mail setup.

2.2. Cyrus IMAP

Cyrus IMAP is developed and maintained by Carnegie Mellon University.

Unlike the WU-IMAPd package, Cyrus uses its own method to store the user's mail. Each message is stored in its own file. The benefit of using separate files is improved reliability, since only one message is lost if there is a filesystem error. Metadata such as the status of a message (seen, etc.) is stored in a database. Additionally, the messages are indexed to improve Cyrus performance, especially with lots of users and/or lots of big emails. There is nothing else as fast as the Cyrus IMAP server.

Another very important feature is that you don't need a local Un*x user for each account. All users are authenticated by the IMAP-Server. This makes it a great solution when you have a really huge number of users.

User administration is done by special IMAP-commands. This allows you to either use the commandline interface or use one of the available Web interfaces. This method is much more secure than a Webinterface to /etc/passwd.

Starting from Cyrus 2.1, SASL-lib version 2 is used for authentication. For the setup described in this HOWTO, a three-layer authentication is implemented. Cyrus authenticates with saslauthdaemon, which forwards the request to pam_mysql, which finally looks up the user information in the MySQL table.
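The three layers map onto two small configuration files. The fragment below is an added illustration, not taken from this HOWTO's own configuration files: the database name, table, column names and database user are assumed values, and the database password is a placeholder.

```conf
# --- /etc/imapd.conf (Cyrus IMAP) -------------------------------------
# Layer 1: Cyrus hands every login to the saslauthd daemon.
sasl_pwcheck_method: saslauthd
# saslauthd can only verify plaintext passwords, so only plaintext
# mechanisms are offered; the connection itself should be protected
# with TLS (OpenSSL) so the password does not cross the network in clear.
sasl_mech_list: PLAIN LOGIN

# --- saslauthd ---------------------------------------------------------
# Layer 2: saslauthd must be started with the PAM backend:
#   saslauthd -a pam
# Cyrus passes the service name "imap", so PAM reads /etc/pam.d/imap.

# --- /etc/pam.d/imap ---------------------------------------------------
# Layer 3: pam_mysql looks the user up in MySQL.
# Assumed names: db=mail, table=accountuser, columns username/password,
# database user "mail". Replace CHANGE_ME with the real password.
#
# Weak setting: crypt=0 compares against a plaintext password column,
# so anyone who can read the table (or a backup of it) gets every password:
#   auth required pam_mysql.so user=mail passwd=CHANGE_ME host=localhost \
#        db=mail table=accountuser usercolumn=username \
#        passwdcolumn=password crypt=0
#
# Corrected setting: crypt=1 compares against a crypt(3) hash.
auth    required pam_mysql.so user=mail passwd=CHANGE_ME host=localhost \
        db=mail table=accountuser usercolumn=username \
        passwdcolumn=password crypt=1
account required pam_mysql.so user=mail passwd=CHANGE_ME host=localhost \
        db=mail table=accountuser usercolumn=username \
        passwdcolumn=password crypt=1
```

Because the PAM file contains the database password, it should be readable by root only, and the MySQL account it names needs no more than SELECT on the user table.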

Since CMU changed the license policy for Cyrus, this software is going to be used by many more users.

2.3. Cyrus SASL

SASL means »Simple Authentication and Security Layer«. It is standardized by the IETF (Internet Engineering Task Force). SASL is used by network servers (in this case Cyrus-IMAP) to handle authentication requests from clients.

Cyrus SASL is an extensive piece of software, and sometimes not easy to understand. Even I have just the minimum knowledge needed to write this HOWTO.

2.4. OpenSSL

OpenSSL is a library needed by SASL for encryption of the data stream. It is used by almost all open-source software that needs encryption. Most or all Un*x distributions come with a pre-installed OpenSSL. Be sure to also install the appropriate devel-package. If you like, you can compile OpenSSL yourself. This will be required if you need to fix a security hole.

2.5. MySQL Database

MySQL is a very fast, powerful and very easy to use database.

Since Cyrus can authenticate its users with pam, you can use pam_mysql as a connector to the user database stored in MySQL. This allows you to create a nice Webinterface for your users for changing passwords, defining and deleting aliases and more.

2.6. pam_mysql

pam means "Pluggable Authentication Modules" and was originally proposed by some people at Sun. In the meantime, a lot of modules have been developed. One of them is an interface to MySQL.

With pam_mysql you store the users' passwords in a MySQL database. Further, Postfix is able to look up aliases from a MySQL table. At the end of the day, you have a base for all administrative tasks to be done by the postmaster.

You will be able to delegate some tasks to powerusers. For example, tasks such as creating accounts, changing passwords and creating new aliases can be delegated to an administrator for a particular domain. At the end of the day, you, as a sysadmin, will have the time to do some more productive tasks or write a HOWTO for the Linux Documentation Project.

2.7. Web-cyradm Webinterface

Figure 2. Web-cyradm Domain administration

Web-cyradm is the webinterface that allows you to perform the administrative tasks required to maintain the mail system. This screenshot shows the domain administration part of Web-cyradm.

Web-cyradm is written in PHP, the most sophisticated html-preprocessor language. If you don't have a webserver with php installed, I would like to refer you to my Apache-Compile-HOWTO. This document describes how to set up Apache with PHP and other modules.

Web-cyradm is under active development by people around the globe. The list of features grows with each release. If you would like to contribute to web-cyradm, or you have a nice idea, feel free to contact the mailing list on http://www.web-cyradm.org

The following is a partial list of features:

Web-cyradm supports different roles for its users. If you plan to use it as a frontend for your powerusers, please note that security may be a problem. The role-based stuff needs a security review.