Configuration of Cyrus Murder for UCS 3.0
From Univention Wiki
Cyrus Murder is an extension for the Cyrus IMAP server which enables users to access centralized IMAP accounts on physically separated servers or geographically separated locations. In this way, users have access on their e-mail data across locations and they can easily move e-mail folders from one IMAP server to another.
The component is an extension for the standard mailstack in UCS 3.0, and is provided by the package univention-mail-cyrus-murder.
Cyrus Murder extends the standard Cyrus IMAP server with a proxy server for the IMAP, POP3 and LMTP protocolls. These proxy servers are also called frontend servers, while the Cyrus IMAP server processes which hold the data, are called backend server.
Cyrus Murder for UCS is bundled with a unified configuration. This means that each IMAP server, that has Cyrus Murder installed, also provides a backend server next to a frontend server.
To implement this technically, it is necessary to assign a separate IP address and hostname to the backend server, which the frontend server then connects to.
The users won't see the setup of the server configuration, they can only access the IMAP server by using the frontend server's web address, which then forwards the requests to the backend server.
For administrative users, the usage of the Cyrus tools changes, in particular the usage of cyradm, which now must contact the backup server's hostname or its IP address instead of localhost.
The package univention-mail-cyrus-murder and its dependencies are provided by the standard UCS repository. The packages can be installed by executing the following command:
Hint: The shipped join script is not executed automatically on any server role. Prior executing the join script, further configuration is needed and is explained in the next paragraphs.
In order for the MUPDATE master to accept requests from backend and frontend servers, it is necessary for both servers that they can authenticate themselves to the MUPDATE master. It is also important that the frontend server can authenticate itself against the backend server and (optionally) the backend servers can authenticate against each other. The involved servers' computer accounts are used for authentication.
The MUPDATE master server's hostname is broadcasted throughout the domain by the Univention Configuration Registry variable mail/cyrus/murder/master, which is inherited from the policy Cyrus Murder Master from the LDAP directory to the Univention Configuration Registry of the participating host systems. The first system to run the join script 81univention-mail-cyrus-murder.inst declares itself the MUPDATE master by setting the policy.
MUPDATE master and slave server
In general the following applies:
- Throughout the network, one MUPDATE master must be available.
- Frontend servers only communicate with a locally running MUPDATE server, which itself, as a slave, communicates with the domain MUPDATE master.
- A MUPDATE master, running on a frontend server, can replace a slave.
- The MUPDATE master is configured by the file /etc/imapd/master.conf. The MUPDATE master service works on port 3905, which must be accessible by all frontend and backend servers.
MUPDATE slave server processes are only started on a frontend server, and are therefor configured together with the frontend proxyserver through the file /etc/imapd/frontend.conf. Through the file /etc/imapd/cyrus.conf the services IMAP/IMAPS, POP3/POP3S and the LMTP proxyserver are started (proxyd, pop3proxyd and lmtpproxyd).
Mail delivery is carried out by the LMTP (proxy) service of the frontend server. The frontend server identifies the backend server, that the receiving e-mail inbox is stored on, and delivers the e-mail to its LMTP service.
The Cyrus backed processes (imapd, pop3d and lmtpd) communicate directly with the MUPDATE Master. The processes are configured in the file /etc/imapd/imapd.conf. Optionally, next to the frontend servers' e-mail IDs, the e-mail IDs from other backend servers can be added to the list proxyservers to allow subscriptions and transfer of e-mail accounts between the backend servers. The LMTP service on the backend server must be available to every frontend server, as the IMAP/IMAPS and POP3/POP3S services have to be. Each service only allows access after a successful authentication.
Configure a frontend server on a backup server
In the provided version of Cyrus Murder, it is not possible to run the backend and frontend server on the same host at the same time (among other things, proxyd and imapd's port numbers collide since they are identical).
There is a workaround for this restriction: a second network interface with its own IP address must be set up and the backend server must be configured to use the second IP address. The backend server also will need its own hostname.
The following steps are required to be executed to activate this mode prior executing the join script 81univention-mail-cyrus-murder.inst on the future host:
- For the backend server, a new DNS host-record must be added. The backend server is reachable through the IP address or its hostname. The host-record object can either be created using the Univention Management Console webfrontend or by using the commandline tool univention-directory-manager (note that the attributes a and name must be changed to reflect the correct forward zone values):
-> univention-directory-manager dns/host_record create \ --superordinate "zoneName=example.com,cn=dns,dc=example,dc=com" \ --set a=10.200.7.149 \ --set name=ucs01-backend
On the actual server, the new IP address must be mapped to a free network interface, which itself is then configured to be used by the backend server. Also, the backend server'S DNS name is set and the interface, which is used by the Murder backend services, is published:
-> univention-config-registry set \ interfaces/eth0_0/address=192.168.1.3 \ interfaces/eth0_0/network=192.168.1.0 \ interfaces/eth0_0/broadcast=192.168.1.255 \ interfaces/eth0_0/netmask=255.255.255.0 \ interfaces/eth0_0/hosts="ucs01-backend.example.com ucs01-backend"
-> univention-config-registry set \ mail/cyrus/murder/backend/interface=eth0_0 \ mail/cyrus/murder/backend/hostname=ucs01-backend.example.com
After these preparational steps are carried out, the package univention-mail-cyrus-murder can be installed. The installation can be started manually:
The join script then sets the following Univention Configuration Registry variables to default values, if they are not already set:
- mail/cyrus/murder/backend/interface: Name of the backend network interface (default: eth1)
- mail/cyrus/murder/frontend/interface: Name of the frontend networ kinterface (default: eth0)
- mail/cyrus/murder/servers: List of all servers participating in the Murder cluster (this variable is maintained automatically)
When adding a new server to the Murder cluster by running the join script, the cyrus service on all participating servers must be restarted:
-> invoke-rc.d cyrus-imapd restart
Administrating the system
After the installation is finished, it is possible to check the local backend which e-mail accounts it wants to announce to the MUPDATE master or which accounts it wants to delete, since the e-mail accounts are already known by other backend servers:
su cyrus -c "/usr/sbin/ctl_mboxlist -mw -C /etc/imapd/imapd.conf"
If the output seems to be OK, the changes can be commited by executing the folling command:
su cyrus -c "/usr/sbin/ctl_mboxlist -m -C /etc/imapd/imapd.conf"
A list of every known e-mail account (by the MUPDATE master) can be obtained by the local frontend server:
su cyrus -c "/usr/sbin/ctl_mboxlist -d -C /etc/imapd/frontend.conf"
If needed, the list of all known e-mail accounts on the MUPDATE master can be edited on a frontend server, using the command:
It is also possible to only edit the locally stored e-mail accounts on the backend server:
cyradm <backend's hostname>
As part of the package univention-mail-cyrus-murder, the script /usr/sbin/univention-cyrus-murder-movemailbox is provided, with which it is possible to move an e-mail account to another server. Please mind, that as the name of the to-be moved e-mail account the mailPrimaryAddress must be provided as e-mail address syntax.
A cronjob runs the script /usr/lib/univention-mail-cyrus-murder/coherence-check.py periodically to verify the integrity of moved e-mail accounts. If inconsistencies are found, the script sends an e-mail to the local root user and informs about the incident. The e-mail is sent to the e-mail address set in the Univention Configuration Registry variable mail/alias/root. The time, when the cronjob is run, can be changed by editing the Univention Configuration Registry variable mail/cyrus/murder/crontime. Note, that the time must be set in the cron notation.
User access on the IMAP server
The users access their e-mail accounts through the frontend server. Since the frontend server uses the official server hostname, the users don't need to change their local IMAP/POP3 settings. The only change notable to users is, that they now can access other user's e-mail accounts (if they are configured to allow access) that are located on servers at different locations.