Using WU-IMAP with SSL and xinetd on 10.2

Dec 17, '02 08:35:56AM

Contributed by: BraindeadMac

I decided I wanted to use WU-IMAP to provide IMAP service from my OS X 10.2 installation. In the past, doing this securely (i.e., with SSL-imap and tcpwrappers) required a kludgy workaround using stunnel (which was in turn dependent on EGD), as detailed on stepwise. The stunnel and egd processes would occasionally hiccup and fail without any notification. Jaguar includes the xinetd internet services daemon, which allows one to work around the longstanding bug in WU-IMAP which prevents the SSL-enabled imapd from working correctly with tcp wrappers.

The transition of OS X to the xinetd internet services daemon allows one to restrict service access without using tcp wrappers. Another problem I ran into is that Graham Orndorff's excellent instructions on stepwise for building wu-imap are broken with the current release.

[Editor's note: Read the rest of the article for the instructions, which I have not tested.]

  1. Download imap to your favorite directory. Extract the contents with tar zxvf imap.tar.Z.

  2. At this point (imap 2002 RC.5) the source code for OS X requires one change to put OS X mail in the right spot. Since I use postfix and initially set up imap under 10.0 using the stepwise instructions, I continue to keep my imap mail in ~/Library/Mail/Mailboxes. Edit the file imap-2002.RC5/src/osdep/unix/env_unix.c, find the line static char *mailsubdir = NIL; and change it to static char *mailsubdir = "Library/Mail/Mailboxes";. If you don't make this change, your imap listing will show your entire home directory.

  3. Make an SSL certificate. First cd /System/Library/OpenSSL/certs, then run the terminal command line:
     % sudo openssl req -new -x509 -nodes -out imapd.pem -keyout imapd.pem -days 3650
     Note that -nodes leaves the private key unencrypted and -keyout imapd.pem writes it into the same file as the certificate, so restrict who can read that file.
  4. Now, from the imap-2002.RC5 directory, type make osx SSLTYPE=unix SSLDIR=/usr SSLCERTS=/System/Library/OpenSSL/certs.

  5. Pick a spot for the imapd binary; I use /usr/local/libexec, but /usr/local/sbin would work equally well. Now type cp imapd/imapd /usr/local/libexec/imapd.

  6. Now you have to create xinetd entries for the imap and imaps daemons. For example, using your favorite editor, create the file /etc/xinetd.d/imaps and paste these contents into it:
     service imaps
     {
         disable = no
         socket_type = stream
         wait = no
         user = root
         groups = yes
         flags = NOLIBWRAP
         server = /usr/local/libexec/imapd
         only_from = 192.168.1.0/24 localhost
         log_on_success += DURATION USERID
         log_on_failure += USERID
     }
     Edit the only_from attribute to reflect the machines you want to allow access; because flags = NOLIBWRAP tells xinetd to skip the tcp wrappers check for this service, only_from is what restricts access to it. You can also use the no_access attribute to specifically deny service. The /etc/xinetd.d/imap file does need the flags = NOLIBWRAP line, and you can use tcp wrappers (/etc/hosts.allow) to restrict access. Likewise, you could just copy the imaps file and change service imaps to service imap.
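Before sending xinetd the HUP in step 7 it is worth checking the service file for the mistakes that actually matter: with flags = NOLIBWRAP xinetd skips the /etc/hosts.allow check, so a missing only_from leaves the service reachable from every host, and an empty only_from denies everyone. The script below is an added example, not part of the original hint and not code from xinetd; it parses xinetd's service { attr op value } syntax (=, += and -=) and applies those checks. The imaps text is the file from step 6 embedded as a constant so the script runs without touching /etc/xinetd.d, SAMPLE_OPEN is a constructed variant with the only_from line removed, and parse_xinetd, check_service and lint are names chosen here.

```python
import re

# Constructed sample: the /etc/xinetd.d/imaps file from step 6 of the hint,
# embedded so the checker runs without reading the real file.
SAMPLE_IMAPS = """\
service imaps
{
    disable = no
    socket_type = stream
    wait = no
    user = root
    groups = yes
    flags = NOLIBWRAP
    server = /usr/local/libexec/imapd
    only_from = 192.168.1.0/24 localhost
    log_on_success += DURATION USERID
    log_on_failure += USERID
}
"""

# Constructed variant with the only_from line deleted: NOLIBWRAP is still set,
# so nothing restricts who may connect.
SAMPLE_OPEN = SAMPLE_IMAPS.replace("    only_from = 192.168.1.0/24 localhost\n", "")

# attribute, operator (=, += or -=), value list
ATTR_RE = re.compile(r"^(\w+)\s*(\+=|-=|=)\s*(.*)$")


def parse_xinetd(text):
    """Parse 'service NAME { attr op value... }' blocks (service blocks only,
    not a defaults block) into {name: {attr: [values]}}."""
    services = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line or line == "{":
            continue
        if line == "}":
            current = None
            continue
        if line.startswith("service "):
            name = line.split(None, 1)[1].strip()
            current = services.setdefault(name, {})
            continue
        if current is None:
            raise ValueError(f"attribute outside a service block: {raw!r}")
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError(f"unparsable line: {raw!r}")
        attr, op, value = m.groups()
        values = value.split()
        if op == "=":
            current[attr] = values
        elif op == "+=":
            current.setdefault(attr, []).extend(values)
        else:  # "-=" removes listed values
            current[attr] = [v for v in current.get(attr, []) if v not in values]
    return services


def check_service(attrs):
    """Return a list of findings for one service; [] means it passed."""
    findings = []
    if attrs.get("disable") == ["yes"]:
        findings.append("service is disabled (disable = yes)")
    flags = attrs.get("flags", [])
    has_acl = "only_from" in attrs or "no_access" in attrs
    if "NOLIBWRAP" in flags and not has_acl:
        findings.append("flags = NOLIBWRAP bypasses /etc/hosts.allow but no "
                        "only_from/no_access is set: every host may connect")
    if "only_from" in attrs and not attrs["only_from"]:
        findings.append("only_from is empty: xinetd will deny all clients")
    if any(v in ("0.0.0.0", "0.0.0.0/0") for v in attrs.get("only_from", [])):
        findings.append("only_from allows every address")
    if "server" not in attrs:
        findings.append("no server attribute")
    if "log_on_failure" not in attrs:
        findings.append("log_on_failure not set: refused connections are not logged")
    return findings


def lint(text):
    """Parse one file's worth of services and return {name: findings}."""
    return {name: check_service(attrs) for name, attrs in parse_xinetd(text).items()}


if __name__ == "__main__":
    for label, sample in (("imaps (from the hint)", SAMPLE_IMAPS), ("imaps without only_from", SAMPLE_OPEN)):
        print(label, lint(sample))
```

Running it prints an empty finding list for the file from the hint and one NOLIBWRAP finding for the variant; to check a real installation, feed it the contents of each file under /etc/xinetd.d instead of the constants.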

  7. We're almost done. /etc/services already has entries for imap and imaps at ports 143 and 993 respectively. We just need to restart the xinetd daemon using the command sudo kill -HUP `cat /var/run/xinetd.pid`.
     You can test the imap configuration pretty easily using the command telnet 127.0.0.1 imap, which should give output like this:
     Trying 127.0.0.1...
     Connected to localhost.
     Escape character is '^]'.
     * OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS STARTTLS AUTH=LOGIN] localhost IMAP4rev1 2002.328 at Wed, 4 Sep 2002 20:00:25 -0500 (CDT)
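The bracketed CAPABILITY list in that greeting is the useful part of the test: STARTTLS says TLS can be negotiated on port 143, AUTH=LOGIN says a password can be presented, and the absence of LOGINDISABLED means a client that never issues STARTTLS will send that password in the clear, which is why restricting only_from matters for the plain imap service as well as imaps. The following is an added example, not from the hint; it parses a greeting line such as the one above and reports those facts. The sample greeting is the step 7 output joined onto one line, the hardened greeting is constructed, and parse_greeting, cleartext_credentials_possible and assess are names chosen here.

```python
import re

# Constructed sample: the greeting shown in step 7 of the hint, on one line
# as the server actually sends it.
SAMPLE_GREETING = (
    "* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS STARTTLS AUTH=LOGIN] "
    "localhost IMAP4rev1 2002.328 at Wed, 4 Sep 2002 20:00:25 -0500 (CDT)"
)

# Constructed greeting from a server that refuses LOGIN until TLS is up.
HARDENED_GREETING = "* OK [CAPABILITY IMAP4REV1 STARTTLS LOGINDISABLED] localhost IMAP4rev1 ready"

# untagged status, optional CAPABILITY response code, free text
GREETING_RE = re.compile(r"^\* (OK|PREAUTH|BYE)(?: \[CAPABILITY ([^\]]*)\])?(.*)$")


def parse_greeting(line):
    """Split an IMAP greeting into status, capability list and free text."""
    m = GREETING_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an IMAP greeting: {line!r}")
    status, caps, text = m.groups()
    caps = [c.upper() for c in (caps or "").split()]
    return {
        "status": status,
        "capabilities": caps,
        "starttls": "STARTTLS" in caps,
        # RFC 2595: LOGINDISABLED means the server rejects LOGIN until TLS is negotiated
        "login_disabled": "LOGINDISABLED" in caps,
        "auth_mechanisms": [c.split("=", 1)[1] for c in caps if c.startswith("AUTH=")],
        "text": text.strip(),
    }


def cleartext_credentials_possible(info, port):
    """True when a client on this port can hand over a password before any TLS.
    Port 993 (imaps) is TLS from the first byte, so the greeting itself is
    already protected; on 143 the greeting is cleartext and only LOGINDISABLED
    stops a client from authenticating in the clear."""
    if port == 993:
        return False
    return not info["login_disabled"]


def assess(line, port=143):
    """Summarise what a greeting on the given port tells a defender."""
    info = parse_greeting(line)
    return {
        "starttls_offered": info["starttls"],
        "auth_mechanisms": info["auth_mechanisms"],
        "cleartext_login_possible": cleartext_credentials_possible(info, port),
    }


if __name__ == "__main__":
    print("port 143, hint's greeting:", assess(SAMPLE_GREETING))
    print("port 143, hardened greeting:", assess(HARDENED_GREETING))
```

To use it against a live server, paste the first line the telnet session prints into parse_greeting or assess; for the greeting in the hint it reports STARTTLS offered, the LOGIN mechanism available, and cleartext login possible on 143.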

Mac OS X Hints
http://hints.macworld.com/article.php?story=200212170535568