
Using WU-IMAP with SSL and xinetd on 10.2 UNIX
I decided I wanted to use WU-IMAP to provide IMAP service from my OS X 10.2 installation. In the past, doing this securely (i.e., with SSL IMAP and tcp wrappers) required a kludgy workaround using stunnel (which in turn depended on EGD), as detailed on stepwise. Jaguar includes the xinetd internet services daemon, which allows one to work around the longstanding bug in WU-IMAP that prevents the SSL-enabled imapd from working correctly with tcp wrappers. The stunnel and egd processes would also occasionally hiccup and fail without any notification.

The transition of OS X to the xinetd internet services daemon allows one to restrict service access without using tcp wrappers. Another problem I ran into is that Graham Orndorff's excellent instructions on stepwise for building wu-imap are broken with the current release.

[Editor's note: Read the rest of the article for the instructions, which I have not tested.]

  1. Download imap to your favorite directory. Extract the contents with tar zxvf imap.tar.Z

  2. At this point (imap 2002 RC.5) the source code for OS X requires one change to put OS X mail in the right spot. Since I use postfix and initially set up imap under 10.0 using the stepwise instructions, I continue to keep my imap mail in ~/Library/Mail/Mailboxes. Edit the file imap-2002.RC5/src/osdep/unix/env_unix.c, find the line static char *mailsubdir = NIL; and change it to static char *mailsubdir = "Library/Mail/Mailboxes";. If you don't make this change, your imap listing will show your entire home directory.

  3. Make an SSL certificate. First cd to /System/Library/OpenSSL/certs, then run this command in the Terminal:
     % sudo openssl req -new -x509 -nodes -out imapd.pem -keyout imapd.pem -days 3650
  4. Now, from the imap-2002.RC5 directory, type make osx SSLTYPE=unix SSLDIR=/usr SSLCERTS=/System/Library/OpenSSL/certs

  5. Pick a spot for the imapd binary; I use /usr/local/libexec, but /usr/local/sbin would work equally well. Now type cp imapd/imapd /usr/local/libexec/imapd

  6. Now you have to create xinetd entries for the imap and imaps daemons. For example, using your favorite editor, create the file /etc/xinetd.d/imaps and paste these contents into it:
    service imaps
    {
    disable = no
    socket_type = stream
    wait = no
    user = root
    groups = yes
    flags = NOLIBWRAP
    server = /usr/local/libexec/imapd
    only_from = 192.168.1.0/24 localhost
    log_on_success += DURATION USERID
    log_on_failure += USERID
    }
    The only_from attribute should be edited to reflect the machines you want to allow access; you can also use the no_access attribute to specifically deny service. The /etc/xinetd.d/imap file does not need the flags = NOLIBWRAP line, and there you can use tcp wrappers (/etc/hosts.allow) to restrict access. Alternatively, you could just copy the imaps file and change service imaps to service imap.

  7. We're almost done. /etc/services already has entries for imap and imaps at ports 143 and 993 respectively. We just need to restart the xinetd daemon with the command sudo kill -HUP `cat /var/run/xinetd.pid`.
You can test the imap configuration easily with the command telnet 127.0.0.1 imap, which should give output like this:
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS STARTTLS AUTH=LOGIN] localhost IMAP4rev1 2002.328 at Wed, 4 Sep 2002 20:00:25 -0500 (CDT)

Using WU-IMAP with SSL and xinetd on 10.2 | 14 comments | Create New Account
A few months old...
Authored by: BraindeadMac on Dec 17, '02 11:38:32AM

I submitted this hint a few months ago, let me know if you have problems....



Better Alternative
Authored by: cjsnell on Dec 17, '02 04:40:52PM

Crikey, save yourself all the hassle and go with Courier IMAP. IMHO, it is far superior to UW IMAP (which has had several major security holes in its history) and it supports SSL out of the box.



Better Alternative
Authored by: FACEMILK on Dec 17, '02 08:47:38PM

Has anyone done this? I.e., successfully installed and currently using Courier-IMAP with SSL on Jaguar? Details of your experiences are wanted.



Finally, it works!
Authored by: bmerlin on Feb 23, '03 07:21:09PM

I've tried several other howtos on this very topic (IMAP-SSL on Jaguar) and none of them have worked. Thank you to the author of this hint! (I'm running 10.2.4 w/the latest WU-IMAP as of 2-23-2003.)



DELETE log_on_success AND log_on_failure!
Authored by: JohnAlbin on Apr 16, '03 05:53:43PM

From UW IMAP’s FAQ (http://www.washington.edu/imap/IMAP-FAQs/index.html#7.24):

7.24 Why is there a long delay before I get connected to the IMAP or POP server, no matter what client I use?

[...] look for lines containing "USERID", e.g. log_on_success += USERID

Hunt down such lines, and delete them ruthlessly from all files in which they occur. Don't be shy about it.

The USERID attribute causes xinetd to do an IDENT lookup on the client. “The IDENT protocol is a well-known bad idea that does not deliver any real security.” IDENT is (thankfully) not enabled on almost all clients, so adding the log_on_success += USERID and log_on_failure += USERID lines causes a slow-down of the imap server with no benefit.

You can still add log_on_success += DURATION if you want. But, unless you plan on reading your syslog for XINETD messages, there’s no point.



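As an added example (not part of the hint or of any comment), here is a POSIX shell script that audits an /etc/xinetd.d service file for the two points made on this page: the USERID attribute on log_on_success/log_on_failure, which the UW IMAP FAQ quoted above says makes xinetd do an IDENT lookup on every connection, and the address restriction in step 6, where flags = NOLIBWRAP bypasses /etc/hosts.allow so only_from or no_access in the xinetd file is the only thing limiting who can reach the daemon. The two sample service files are constructed from the hint's step 6; the function names, messages and the strip_userid cleanup are my own, not anything xinetd ships.

```shell
#!/bin/sh
# Added example, not part of the hint or its comments: audit an xinetd
# service file for the two points discussed on this page.
#   1. USERID in log_on_success/log_on_failure makes xinetd run an IDENT
#      lookup on every connection (UW IMAP FAQ 7.24); delay, no security.
#   2. flags = NOLIBWRAP bypasses /etc/hosts.allow, so only_from/no_access
#      in the xinetd file is the only thing restricting access.
# Function and variable names below are my own, not xinetd's.

# Constructed sample: the hint's /etc/xinetd.d/imaps, USERID lines included.
SAMPLE_IMAPS='service imaps
{
disable = no
socket_type = stream
wait = no
user = root
groups = yes
flags = NOLIBWRAP
server = /usr/local/libexec/imapd
only_from = 192.168.1.0/24 localhost
log_on_success += DURATION USERID
log_on_failure += USERID
}'

# Constructed sample: a plain imap entry with NOLIBWRAP but no address restriction.
SAMPLE_OPEN='service imap
{
disable = no
socket_type = stream
wait = no
user = root
flags = NOLIBWRAP
server = /usr/local/libexec/imapd
log_on_failure += USERID
}'

# write_sample <text>: store a sample in a temp file and print its path
write_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    echo "$tmp"
}

# audit_xinetd_service <file>: print one line per finding; the count is
# left in AUDIT_FINDINGS (a non-zero return code would trip set -e in callers).
AUDIT_FINDINGS=0
audit_xinetd_service() {
    svc=$1
    AUDIT_FINDINGS=0
    # USERID anywhere on a log_on_success / log_on_failure line
    if grep -E '^[[:space:]]*log_on_(success|failure)[[:space:]]*[+]?=.*USERID' "$svc" >/dev/null; then
        echo "$svc: USERID in log_on_* triggers an IDENT lookup per connection; remove it"
        AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
    fi
    # no only_from / no_access: what still restricts access depends on NOLIBWRAP
    if ! grep -E '^[[:space:]]*(only_from|no_access)[[:space:]]*[+]?=' "$svc" >/dev/null; then
        if grep -E '^[[:space:]]*flags[[:space:]]*[+]?=.*NOLIBWRAP' "$svc" >/dev/null; then
            echo "$svc: no only_from/no_access, and NOLIBWRAP bypasses /etc/hosts.allow: nothing restricts access"
        else
            echo "$svc: no only_from/no_access; access is limited only by tcp wrappers (/etc/hosts.allow)"
        fi
        AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
    fi
    return 0
}

# strip_userid <file>: print the file with USERID removed from log_on_* lines;
# a log_on_* line left with no value at all is dropped entirely.
strip_userid() {
    sed -E \
        -e '/^[[:space:]]*log_on_(success|failure)/ s/[[:space:]]*USERID//' \
        -e '/^[[:space:]]*log_on_(success|failure)[[:space:]]*[+]?=[[:space:]]*$/d' \
        "$1"
}

# Stand-alone demo: audit both samples, then show the cleaned imaps entry
for sample in "$SAMPLE_IMAPS" "$SAMPLE_OPEN"; do
    path=$(write_sample "$sample")
    audit_xinetd_service "$path"
    echo "findings: $AUDIT_FINDINGS"
    rm -f "$path"
done
path=$(write_sample "$SAMPLE_IMAPS")
strip_userid "$path"
rm -f "$path"
```

Run against the hint's imaps file the audit reports one finding (USERID) and strip_userid leaves log_on_success += DURATION while dropping the now-empty log_on_failure line; against the open sample it reports two, because with NOLIBWRAP set there is no tcp-wrapper fallback to catch a missing only_from.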
Using WU-IMAP with SSL and xinetd on 10.2
Authored by: bobthebear on Jun 16, '03 08:25:41PM

I have UW-imap installed with squirrel mail, but I cannot send or receive emails! HELP!!!! Sendmail is working, and I believe I have my MX records correct. As far as logging onto the IMAP through Mail.app, it DOES work but I still can't send or receive. But it does seem to "sync" with the IMAP server.



xinetd
Authored by: ThreeDayMonk on Jun 17, '03 01:47:50AM

I just installed this on a recent install of 10.2.6 and got it all working, thanks to the instructions. However, there's one small thing to watch out for. xinetd is not actually running on Jaguar as shipped - at least, it wasn't running on mine. The easiest way to start it is to enable FTP Access in Sharing preferences (under Services). You can disable it again afterwards.

I set up IMAP in order to transfer some Outlook Express mailboxes over. Works a treat!



xinetd
Authored by: Johnny_B on Aug 29, '03 06:47:04PM

Or you could just run this in the Terminal:

xinetd -stayalive

I thought that xinetd should start when it is needed… Anyone on this one?



Using WU-IMAP with SSL and xinetd on 10.2
Authored by: Johnny_B on Aug 31, '03 08:48:58AM
Got it to work with POP3 through SSL too. I built it with SSL support only. /etc/xinetd.d/pop3s looks like this:

service pop3s
{
disable = no
socket_type = stream
wait = no
user = root
groups = yes
flags = NOLIBWRAP
server = /usr/local/libexec/ipop3d
only_from = 62.73.214.89/29 localhost
log_on_success += DURATION USERID
log_on_failure += USERID
}


Of course you have to have ipop3d installed; build WU-IMAP like the author did, or follow the installer's guide to not allow access without SSL like I did. Then cd to your imap build directory, then sudo cp ipopd/ipop3d /usr/local/libexec or any other place you like. Restart xinetd, ohh glory it works. Remember to open up port 995 too. You might want to make /etc/xinetd.d/pop3 too in case you change your mind and want to allow non-SSL too; I have /etc/xinetd.d/imap too, just in case.

Using WU-IMAP with SSL and xinetd on 10.2
Authored by: Johnny_B on Aug 31, '03 08:54:16AM

inly_from= xxxx
is
only_from= xxxx

Of course



Using WU-IMAP with SSL and xinetd on 10.2
Authored by: Johnny_B on Aug 31, '03 09:29:20AM
Hehe, you also need to make a certificate for pop3, by doing this:

sudo openssl req -new -x509 -nodes -out ipop3d.pem -keyout ipop3d.pem -days 3650

And I have one question here… How do you do this in Windows? Or any other OS? I want to use SSL, and turning it on in Mail was like a game, but making that certificate could be trouble for some that might want to access my mail server.

Using WU-IMAP with SSL and xinetd on 10.3
Authored by: cilly on Dec 02, '03 10:17:40AM

You can make this work in 10.3 by editing the file "Makefile" in the source:

Change the password type to

PASSWDTYPE=pam

before you type make osx.

You need to create a symlink before you type make osx, too:

cd /usr/include/

sudo ln -s pam security

Now you need to setup pam authentication for imap, simply type:

sudo cp /etc/pam.d/ftpd /etc/pam.d/imap

and if you want to use pop3, too:

sudo cp /etc/pam.d/ftpd /etc/pam.d/pop3

Now, you can type:

make osx SSLTYPE=unix SSLDIR=/usr SSLCERTS=/System/Library/OpenSSL/certs

and continue with the original article.

---
cilly @ http://www.cilly.dyndns.org/

Using WU-IMAP with SSL and xinetd on 10.2
Authored by: name99 on May 05, '04 04:18:19AM

> Edit the file imap-2002.RC5 -> src -> osdep -> unix -> env_unix.c and find the line static char *mailsubdir = NIL; and change it to static char *mailsubdir = "Library/Mail/Mailboxes";. If you don't make this change, your imap listing will show your entire home subdirectory

NO NO NO!!!
If you make the change suggested you open yourself up to a whole world of hurt. You are now telling imapd to store all its data (in mbox format) in the same directory that Mail.app stores its data (in mbox format). If you ever run Mail.app, even just by mistake, on the server that is running imapd, you will land up with a mess.

A much better way to do this is to set
*mailsubdir = "Library/Mail/IMAP_SERVER_STORE"

If you do this then the following good things happen.
(1) imapd stores its data in a place that is different from Mail.app, so the two don't confuse each other, but still in a directory where you'd expect mail to be stored.
(2) Mail.app (the best written of the apps we'll discuss) just works.
(3) Zoe (if you use it) needs to be told the imap server as
localhost/INBOX
which is a bit stupid, but there you are.
(4) SquirrelMail, the most retarded of the lot, needs
(a) $default_folder_prefix = './';
in squirrelmail/config/config.php
The various sane alternatives you might try like '' or '/' or 'INBOX' (which makes sense if you know something about IMAP internals) all don't work. Next, even when you have done this and start squirrelmail, you won't see any of the subfolders in your IMAP store until you click on the Folders link, go to the bottom, and "subscribe" to all the folders listed (ignoring .DS_Store). Damn, this is pretty lame --- can't handle an empty pref properly, the default should be all folders subscribed, not none, and there should be a filter that strips out crud like .DS_Store (of course Apple should stop generating these files in the first place, but that's a different argument). Anyway, at this point SquirrelMail should now work.

This may seem like a hassle --- isn't the other guy's way better?
No. You will still have to use INBOX at the end of Zoe and weird ./ stuff for squirrelmail, plus you will have the joy of all sorts of folders created by Mail.app mixed up with your IMAP folders.

And for those of you using imapd from Postfix Enabler, that was compiled the way suggested above, not my way --- if you are having problems with it, now you know why.

In a week or so I will have a tutorial about all this stuff written up, at which point I'll come back here and add a link to it.



Using WU-IMAP with SSL and xinetd on 10.2
Authored by: tinker on Jun 03, '04 05:05:43PM

I'm running UW-IMAP on my desktop and accessing it with Mail.app, also on my desktop (as a way of circumventing the size restrictions on my work IMAP server: now I can just access two IMAP servers, the work one and my desktop one, wherever I am).

Questions:

(1) Is there any way to get Mail.app to stop displaying the annoying .DS_Store file?? (Or folder, rather, if Mail.app is to be believed.)

(2) Mail (or IMAP) created a file called "IMAP-myname@myhost" that's sitting in the directory too and has a mirror of whatever's in the directory (including, confusingly, itself). My guess is that the best response to this damn thing is just to ignore it, but if I'm wrong, let me know. If I'm right, then same question: how do I hide the freakin' thing??


