We have a server which, among other things, runs an email service for our company. This server runs RHEL 7.9, Cyrus and Sendmail.
Now we are replacing the hardware of this server and I am configuring the new server with RHEL 9 and the correspondingly new versions of cyrus-imapd (3.4.1-7.el9), cyrus-sasl (2.1.27-20.el9) and sendmail (8.16.1-10-el9). I am not copying over configuration files but editing the new files to replicate the function of the production server.
I have encountered difficulties with getting the Cyrus IMAP service working. There are a number of messages in /var/log/maillog which hint that Cyrus cannot access the SASL password database (/etc/sasl2/sasldb2) but I am very confused about this sequence of symptoms and cannot pose a coherent question to you.
A simpler problem, which may turn out to be primary, is that I cannot create an IMAP mailbox for any user. My steps are:
1) "cyradm -u cyrus localhost"
2) Enter password for cyrus account (previously created with saslpasswd2 and verified with sasldblistusers2)
3) "cm user/dale"
4) Output on terminal "createmailbox: System I/O error"
5) Output in /var/log/maillog
Nov 24 14:24:05 localhost cyrus/imap[2989]: SASL transitioning user cyrus
Nov 24 14:24:05 localhost cyrus/imap[2989]: SASL SASL error opening password file. Do you have write permissions?#012Have you performed the migration from db2 using cyrusbdb2current?
Nov 24 14:24:05 localhost cyrus/imap[2989]: SASL Could not open /etc/sasl2/sasldb2
Nov 24 14:24:05 localhost cyrus/imap[2989]: SASL setpass failed for cyrus
Nov 24 14:24:05 localhost cyrus/imap[2989]: login: localhost [::1] cyrus LOGIN User logged in SESSIONID=<cyrus-1669328623-2989-1-18343421046283723159>
Nov 24 14:25:38 localhost cyrus/imap[2989]: IOERROR: creating directory /home/imap/d: Permission denied
Nov 24 14:25:38 localhost cyrus/imap[2989]: IOERROR: mkdir failed: fname=</home/imap/d/user/dale/cyrus.index> syserror=<Permission denied> func=<mailbox_create>
There seem to be two problems here, a failure to access the SASL database and a failure to create the mailbox caused by "Permission denied". In other tests I changed the permission on /home/imap to allow anyone to write but still I get "Permission denied". I have also changed the permission on /etc/sasl2/sasldb2 to allow anyone to read. In either test the failure persists.
I have done a lot of searching the Red Hat Knowledge as well as general Google searches. I have found some sites where people are asking about these particular log entries, but I have not seen one with a useful response. Generally there is simply no reply.
Below I have "sasl_pwcheck_method: saslauthd". I have also tried "auxprop" but authentication continued to fail.
Your help would be appreciated.
Both the Cyrus and SASL daemons are running.
The status of /home/imap is
[root@localhost etc]# ls -ld /home/imap
drwx------. 2 cyrus mail 6 Nov 24 00:42 /home/imap
[root@localhost etc]# ls -l /home/imap
total 0
The status of /etc/sasl2
[root@localhost etc]# ls -ld /etc/sasl2/
drwxr-xr-x. 2 root root 42 Nov 22 00:40 /etc/sasl2/
[root@localhost etc]# ls -l /etc/sasl2/
total 20
-rw-------. 1 root root 16384 Nov 19 00:02 sasldb2
-rw-r--r--. 1 root root 25 Aug 10 2021 Sendmail.conf
Contents of /etc/imapd.conf
admins: cyrus
unixhierarchysep: on
configdirectory: /var/lib/imap
proc_path: /run/cyrus/proc
mboxname_lockpath: /run/cyrus/lock
duplicate_db_path: /run/cyrus/db/deliver.db
ptscache_db_path: /run/cyrus/db/ptscache.db
statuscache_db_path: /run/cyrus/db/statuscache.db
tls_sessions_db_path: /run/cyrus/db/tls_sessions.db
defaultpartition: default
partition-default: /home/imap
sievedir: /var/lib/imap/sieve
lmtpsocket: /run/cyrus/socket/lmtp
idlesocket: /run/cyrus/socket/idle
notifysocket: /run/cyrus/socket/notify
syslog_prefix: cyrus
httpmodules: caldav carddav domainkey freebusy ischedule rss webdav
hashimapspool: true
virtdomains: userid
popminpoll: 1
conversations: 1
conversations_db: twoskip
specialusealways: 1
allowplaintext: yes
sasl_pwcheck_method: saslauthd
sasl_auto_transition: yes
tls_server_cert: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_server_key: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_client_ca_file: /etc/ssl/certs/ca-bundle.crt
tls_client_ca_dir: /etc/ssl/certs
tls_sessiontimeout: 1440
Contents of /etc/cyrus.conf
# standard standalone server implementation, with preforked processes
START {
# do not delete this entry!
recover cmd="ctl_cyrusdb -r"
}
# UNIX sockets start with a slash and are put into /run/cyrus/socket
SERVICES {
# add or remove based on preferences
imap cmd="imapd" listen="imap" prefork=5
imaps cmd="imapd -s" listen="imaps" prefork=1
# pop3 cmd="pop3d" listen="pop3" prefork=3
# pop3s cmd="pop3d -s" listen="pop3s" prefork=1
sieve cmd="timsieved" listen="sieve" prefork=0
# these are only necessary if receiving/exporting usenet via NNTP
# nntp cmd="nntpd" listen="nntp" prefork=3
# nntps cmd="nntpd -s" listen="nntps" prefork=1
# these are only necessary if using HTTP for CalDAV, CardDAV, or RSS
# http cmd="httpd" listen="http" prefork=3
# https cmd="httpd -s" listen="https" prefork=1
# at least one LMTP is required for delivery
# lmtp cmd="lmtpd" listen="lmtp" prefork=0
lmtpunix cmd="lmtpd" listen="/run/cyrus/socket/lmtp" prefork=1
# this is required if using socketmap
# smmap cmd="smmapd" listen="/run/cyrus/socket/smmap" prefork=1
# this is only necessary if using notifications
# notify cmd="notifyd" listen="/run/cyrus/socket/notify" proto="udp" prefork=1
}
EVENTS {
# this is required
checkpoint cmd="ctl_cyrusdb -c" period=30
# this is only necessary if using duplicate delivery suppression,
# Sieve or NNTP
delprune cmd="cyr_expire -E 3" at=0400
# Expire data older than 28 days.
deleteprune cmd="cyr_expire -E 4 -D 28" at=0430
expungeprune cmd="cyr_expire -E 4 -X 28" at=0445
# this is only necessary if caching TLS sessions
tlsprune cmd="tls_prune" at=0400
}
DAEMON {
# this is only necessary if using idled for IMAP IDLE
idled cmd="idled"
}
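
An added example, not part of the original post: a small Python check that reads the `ls -l` lines quoted above and works out whether the classic Unix mode bits alone would let the Cyrus process perform each operation seen in the log. The process identity (user "cyrus", group "mail") and the access each operation needs are assumptions of this example.

```python
# Added example: evaluate Unix mode bits (DAC) from the post's `ls -l` lines.
# Assumption: the imapd process runs as user "cyrus" with group "mail".
from dataclasses import dataclass

# path -> (listing line copied from the post, access the operation needs)
LISTING = {
    "/home/imap": ("drwx------. 2 cyrus mail 6 Nov 24 00:42 /home/imap", "wx"),
    "/etc/sasl2": ("drwxr-xr-x. 2 root root 42 Nov 22 00:40 /etc/sasl2/", "x"),
    "/etc/sasl2/sasldb2": ("-rw-------. 1 root root 16384 Nov 19 00:02 sasldb2", "rw"),
}

@dataclass
class Entry:
    mode: str          # nine permission characters, e.g. "rwx------"
    owner: str
    group: str
    has_context: bool  # trailing "." is GNU ls's marker for an SELinux context

def parse_ls_line(line: str) -> Entry:
    fields = line.split()
    if len(fields) < 4 or len(fields[0]) < 10:
        raise ValueError(f"not an ls -l line: {line!r}")
    perms = fields[0]
    return Entry(perms[1:10], fields[2], fields[3], perms[10:11] == ".")

def dac_bits(entry: Entry, user: str, groups: set) -> str:
    """Pick the rwx triplet the kernel applies to a non-root user:
    owner bits if the user owns the file, else group bits, else other bits."""
    if user == entry.owner:
        return entry.mode[0:3]
    if entry.group in groups:
        return entry.mode[3:6]
    return entry.mode[6:9]

def diagnose(user: str = "cyrus", groups=frozenset({"mail"})) -> dict:
    """Map each path to (mode bits allow the access, SELinux context present)."""
    report = {}
    for path, (line, needed) in LISTING.items():
        entry = parse_ls_line(line)
        bits = dac_bits(entry, user, set(groups))
        report[path] = (all(c in bits for c in needed), entry.has_context)
    return report

if __name__ == "__main__":
    for path, (allowed, ctx) in diagnose().items():
        print(f"{path}: mode bits {'allow' if allowed else 'DENY'}; "
              f"SELinux context {'present' if ctx else 'absent'}")
```

With the listings as posted, the mode bits deny the cyrus user access to sasldb2 but allow it to write under /home/imap. Where the mode bits allow an access and the log still reports "Permission denied", the file's SELinux label (`ls -Zd /home/imap`) and the audit log are the next things to compare.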