The transition of OS X to the xinetd internet services daemon allows one to restrict service access without using tcp wrappers. Another problem I ran into is that Graham Orndorff's excellent instructions on stepwise for building wu-imap are broken with the current release.
[Editor's note: Read the rest of the article for the instructions, which I have not tested.]
- Download imap to your favorite directory. Extract the contents with tar zxvf imap.tar.Z
- As of imap 2002 RC5, the source code needs one change so that OS X mail ends up in the right place. Since I use postfix and initially set up imap under 10.0 using the stepwise instructions, I continue to keep my imap mail in ~/Library/Mail/Mailboxes. Edit the file imap-2002.RC5/src/osdep/unix/env_unix.c, find the line static char *mailsubdir = NIL; and change it to static char *mailsubdir = "Library/Mail/Mailboxes";. If you don't make this change, your imap folder listing will show your entire home directory.
- Make a SSL certificate. First cd /System/Library/OpenSSL/certs, then run the terminal command line:
% sudo openssl req -new -x509 -nodes -out imapd.pem -keyout imapd.pem -days 3650
- Now, from the imap-2002.RC5 directory, type make osx SSLTYPE=unix SSLDIR=/usr SSLCERTS=/System/Library/OpenSSL/certs
- Pick a spot for the imapd binary; I use /usr/local/libexec, though /usr/local/sbin would work equally well. Then copy it there: cp imapd/imapd /usr/local/libexec/imapd
- Now you have to create xinetd entries for the imap and imaps daemons. For example, using your favorite editor, create the file /etc/xinetd.d/imaps and paste these contents into it:
service imaps
{
disable = no
socket_type = stream
wait = no
user = root
groups = yes
flags = NOLIBWRAP
server = /usr/local/libexec/imapd
only_from = 192.168.1.0/24 localhost
log_on_success += DURATION USERID
log_on_failure += USERID
}
The only_from attribute should be edited to list the machines you want to allow access; you can also use the no_access attribute to deny service to specific hosts. The /etc/xinetd.d/imap file does need the flags = NOLIBWRAP line, and you can use tcp wrappers (/etc/hosts.allow) to restrict access. Alternatively, you could just copy the imaps file to /etc/xinetd.d/imap and change service imaps to service imap.
- We're almost done. /etc/services already has entries for imap and imaps at ports 143 and 993 respectively, so we just need to make xinetd reread its configuration with the command sudo kill -HUP `cat /var/run/xinetd.pid`.
A telnet test against the plain imap service on localhost should then produce a greeting like this:
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS STARTTLS AUTH=LOGIN] localhost IMAP4rev1 2002.328 at Wed, 4 Sep 2002 20:00:25 -0500 (CDT)
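As an added example (not part of the original hint), the following script parses an xinetd service entry like the imaps one above, flags an entry that sets NOLIBWRAP without any only_from or no_access restriction (in which case neither xinetd nor hosts.allow limits who can connect), and reads the CAPABILITY list out of the greeting shown in the telnet test to check whether plaintext LOGIN is still accepted on the non-SSL port. The sample config and greeting are constructed copies of the text above; the function names are my own.

```python
import re
# Constructed sample: the /etc/xinetd.d/imaps entry from the steps above.
SAMPLE_IMAPS = """service imaps
{
    disable = no
    socket_type = stream
    wait = no
    user = root
    groups = yes
    flags = NOLIBWRAP
    server = /usr/local/libexec/imapd
    only_from = 192.168.1.0/24 localhost
    log_on_success += DURATION USERID
    log_on_failure += USERID
}
"""
# Constructed sample: the banner the telnet test above returns on port 143.
SAMPLE_GREETING = "* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS STARTTLS AUTH=LOGIN] localhost IMAP4rev1 2002.328"

def parse_xinetd(text: str) -> dict:
    """Turn 'service NAME { attr op value }' blocks into {name: {attr: [values]}}."""
    services = {}
    for name, body in re.findall(r"service\s+(\S+)\s*\{(.*?)\}", text, re.S):
        attrs = {}  # only this file is read: '+=' starts from [] rather than xinetd's defaults
        for line in body.splitlines():
            m = re.match(r"\s*(\w+)\s*(\+=|-=|=)\s*(.*?)\s*$", line)
            if not m:
                continue  # blank line or comment
            attr, op, values = m.group(1), m.group(2), m.group(3).split()
            if op == "=":
                attrs[attr] = values
            elif op == "+=":
                attrs[attr] = attrs.get(attr, []) + values
            else:  # '-=' removes the listed values
                attrs[attr] = [v for v in attrs.get(attr, []) if v not in values]
        services[name] = attrs
    return services

def audit_service(attrs: dict) -> list:
    """Report an entry that bypasses tcp wrappers without restricting clients itself."""
    if "NOLIBWRAP" in attrs.get("flags", []) and not (attrs.get("only_from") or attrs.get("no_access")):
        return ["NOLIBWRAP set with no only_from/no_access: hosts.allow is skipped and any host may connect"]
    return []

def capabilities(greeting: str) -> list:
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", greeting)  # the bracketed list in '* OK [CAPABILITY ...]'
    return m.group(1).split() if m else []

def plaintext_login_allowed(greeting: str) -> bool:
    """RFC 3501: LOGIN is allowed unless LOGINDISABLED is advertised, even when STARTTLS is offered."""
    return "LOGINDISABLED" not in capabilities(greeting)
```

The greeting above advertises STARTTLS but not LOGINDISABLED, so credentials sent to port 143 before a STARTTLS exchange travel in the clear; that is why the only_from restriction (or using only the imaps service) matters.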