10.3: Using UW IMAP and SSL UNIX
Upon doing a clean install of 10.3/Panther on my 800DP, I was unable to properly run UW IMAP-2002E. Although it would build clean, it didn't behave as I expected. It was unable to determine the connecting server address under xinetd, for one. Additionally, I experienced aggravating authentication issues even after following this very helpful hint.

So, after a little digging, I noticed that Apple changed the default behavior of the getpw* system calls under 10.3 to add the ';ShadowHash;' AuthenticationAuthority. What this means, as Apple so eloquently puts it, is:
By default in Mac OS X 10.3 and later all users will have an AuthenticationAuthority will contain the value ``ShadowHash;''. These users will have a visible password value of ``********''. These functions will have no access to the encrypted password whatsoever. Setting or changing an user password must be done entirely through the DirectoryService APIs for this default user.
Aha! That would be why UW IMAP is unable to authenticate users. A quick trip to Netinfo Manager takes care of this.
  1. Authenticate to Netinfo Manager
  2. Change the user needing UW IMAP's authentication_authority to ';basic;'
  3. Paste in the crypt hash of their password (can be generated with 'openssl passwd' if necessary).
  4. Save your changes
Read the rest of the hint for the remainder of the changes...

NOTE: making the above change has the net effect of unshadowing the system password file. This leaves you with the same password file security as was found under Jaguar. You only need to change the AuthenticationAuthority for users needing UW IMAP access. There are likely other security implications as well (insert standard disclaimer).

Next, as I had no luck getting xinetd working properly with UW IMAP (your mileage may vary), I rolled back to inetd. To do this, I added the following line to /etc/inetd.conf:
imaps  stream  tcp  nowait  root  /usr/libexec/tcpd  /usr/sbin/imapd
I then went into /System -> Library -> StartupItems -> IPServices, and edited IPServices to make the following change:
##
# Internet super-server.
##
ConsoleMessage "Starting internet services"
#    xinetd -inetd_compat -pidfile /var/run/xinetd.pid 
/usr/sbin/inetd
##
After a reboot, everything worked fine -- yee-haw.
10.3: Using UW IMAP and SSL
Authored by: j.marques on Oct 30, '03 03:49:57AM

Another option is to create a file called cram-md5.pwd in /etc. Each line of this file contains a userid, a tab (this is important, if you use an editor that converts tabs to spaces then this file will not work) and a plain text password (which should be different to the normal login password). The file should be readable only by root. If this file exists and is in the correct format then UW IMAP will use the password information in this file instead of the system password.



[ Reply to This | # ]
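A format and permission check for the cram-md5.pwd file described in the comment above, as an added example that is not part of the original comment or of UW IMAP. The function name `check_cram_md5_pwd` is hypothetical, and skipping blank lines and lines starting with `#` is an assumption the page does not confirm.

```shell
# Audit the CRAM-MD5 password file described above without echoing secrets.
# Usage (as root): check_cram_md5_pwd [file] [expected-owner-uid]
check_cram_md5_pwd() {
    file=${1:-/etc/cram-md5.pwd}
    want_uid=${2:-0}            # root, since only root should read the file
    rc=0

    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FAIL: $file is missing, a symlink, or not a regular file"
        return 2
    fi

    # The mode string and numeric owner are the 1st and 3rd fields of
    # "ls -ln" on both BSD/macOS and GNU userlands.
    perms=$(ls -ln "$file" | awk '{ print $1 }')
    owner=$(ls -ln "$file" | awk '{ print $3 }')

    # Accept only -r-------- or -rw------- (a trailing @, + or . flag is fine).
    case $perms in
        -r[-w]-------*) ;;
        *) echo "FAIL: mode $perms, expected -r-------- or -rw-------"; rc=1 ;;
    esac
    [ "$owner" = "$want_uid" ] ||
        { echo "FAIL: owner uid is $owner, expected $want_uid"; rc=1; }

    # Line format: userid, one TAB, password. An editor that turned the tab
    # into spaces is the failure the comment warns about. Only line numbers
    # are printed, never the line, so the report does not leak passwords.
    awk '
        /^[ \t]*$/ || /^#/ { next }   # assumption: blank and # lines are ignored
        {
            t = index($0, "\t")
            if (t == 0)               { print "FAIL: line " NR ": no tab separator"; bad = 1 }
            else if (t == 1)          { print "FAIL: line " NR ": empty userid"; bad = 1 }
            else if (t == length($0)) { print "FAIL: line " NR ": empty password"; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$file" || rc=1

    [ "$rc" -eq 0 ] && echo "OK: $file"
    return $rc
}
```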
10.3: Using UW IMAP and SSL
Authored by: kashbridge on Oct 30, '03 08:53:15AM

A patch for the WU-IMAP source code has been created at:
http://www.maczipit.com/imap-osx-patch.zip

Compile using "make SSLTYPE=none osx" and WU-IMAP works perfectly (on port 143)

Its author writes (from the Apple Discussion Boards):

I have written up a fix, in the form of a new authentication module for UW imapd. I pretty much copied and pasted from the Apple Open Directory SDK.

The zip archive contains two files: ckp_osx.c and Makefile, both of which go in the imapd/src/osdep/unix/ directory.

Once you install the files in their proper location, 'make clean' then 'make osx' from the top-level source directory should do the trick.



[ Reply to This | # ]
10.3: Using UW IMAP and SSL
Authored by: Anonymous on Oct 30, '03 09:57:45AM

AHHHH!

Keep your passwords encrypted, get SSL, and don't patch UWIMAP.

Compile it with PAM and you'll get everything that you are looking for.

make osx PASSWDTYPE=pam SSLTYPE=unix SSLDIR=/usr SSLCERTS=/System/Library/OpenSSL/certs

Joel



[ Reply to This | # ]
10.3: Using UW IMAP and SSL
Authored by: landtuna on Nov 03, '03 01:29:06PM

You should submit a hint on this if you've tested it. I've got Cyrus IMAP working with PAM, but I don't think saslauthd is very secure, and I like my IMAP folders to be of mbox format.



[ Reply to This | # ]
10.3: Using UW IMAP and SSL
Authored by: babbage on Nov 04, '03 01:26:53AM

Good advice, but I can't get it to work. Running the command "make osx PASSWDTYPE=pam SSLTYPE=unix SSLDIR=/usr SSLCERTS=/System/Library/OpenSSL/certs" fails when it gets to the first compilation line: `cat CCTYPE` -c `cat CFLAGS` `cat OSCFLAGS` -c osdep.c

I tried substituting the SSLDIR=/usr with SSLDIR=/sw, thinking maybe I could use Fink's openssl package, but that didn't get me anywhere.

Any ideas? Thanks...

---
--
DO NOT LEAVE IT IS NOT REAL


[ Reply to This | # ]

10.3: Using UW IMAP and SSL
Authored by: geoffsaulnier on Nov 05, '03 06:59:25AM
Cool - the patch works for me and fulfills my needs perfectly. Thanks for the work that went in to that!

Now, unfortunately, I have discovered that I had postfix badly configured and everything is going to PostMaster!!!

Time to look at user lists and aliases, etc.

---
___

Geoff Saulnier - Mac, *NIX, perl, hack!!

[ Reply to This | # ]

10.3: Using UW IMAP and SSL
Authored by: mike3k on Nov 16, '03 06:03:44PM

I also couldn't get it to build. I get the following errors:

osdep.c:65:31: security/pam_appl.h: No such file or directory
osdep.c: In function `checkpw_conv':
osdep.c:85: error: invalid application of `sizeof' to an incomplete type
osdep.c:86: error: dereferencing pointer to incomplete type
osdep.c:87: error: `PAM_PROMPT_ECHO_ON' undeclared (first use in this function)
osdep.c:87: error: (Each undeclared identifier is reported only once
osdep.c:87: error: for each function it appears in.)
osdep.c:88: error: invalid use of undefined type `struct pam_response'
osdep.c:88: error: dereferencing pointer to incomplete type
osdep.c:88: error: `PAM_SUCCESS' undeclared (first use in this function)
osdep.c:89: error: invalid use of undefined type `struct pam_response'
osdep.c:89: error: dereferencing pointer to incomplete type
osdep.c:91: error: `PAM_PROMPT_ECHO_OFF' undeclared (first use in this function)
osdep.c:92: error: invalid use of undefined type `struct pam_response'
osdep.c:92: error: dereferencing pointer to incomplete type
osdep.c:93: error: invalid use of undefined type `struct pam_response'
osdep.c:93: error: dereferencing pointer to incomplete type
osdep.c:95: error: `PAM_TEXT_INFO' undeclared (first use in this function)
osdep.c:96: error: `PAM_ERROR_MSG' undeclared (first use in this function)
osdep.c:97: error: invalid use of undefined type `struct pam_response'
osdep.c:97: error: dereferencing pointer to incomplete type
osdep.c:98: error: invalid use of undefined type `struct pam_response'
osdep.c:98: error: dereferencing pointer to incomplete type
osdep.c:102: error: `PAM_CONV_ERR' undeclared (first use in this function)
osdep.c:104: warning: assignment from incompatible pointer type
osdep.c: In function `checkpw':
osdep.c:116: error: `pam_handle_t' undeclared (first use in this function)
osdep.c:116: error: `hdl' undeclared (first use in this function)
osdep.c:117: error: storage size of `conv' isn't known
osdep.c:124: error: `PAM_SUCCESS' undeclared (first use in this function)
osdep.c:125: error: `PAM_RHOST' undeclared (first use in this function)
osdep.c:128: error: `PAM_ESTABLISH_CRED' undeclared (first use in this function)
osdep.c:130: error: `PAM_DELETE_CRED' undeclared (first use in this function)
osdep.c:131: error: `PAM_AUTH_ERR' undeclared (first use in this function)
make[3]: *** [osdep.o] Error 1
make[2]: *** [osx] Error 2
make[1]: *** [OSTYPE] Error 2
make: *** [osx] Error 2

I had it working previously with my password authentication set to ;basic; and the old hash, but at some random time - I DIDN'T change my password, panther disabled basic authentication and reverted to shadow hash only, so I was suddenly unable to connect to imapd. I ended up going with /etc/cram-md5.pw and I can now use imapd with a password separate from my login password, but I'm still not happy about having it in plain text sitting on my drive.



[ Reply to This | # ]
10.3: Using UW IMAP and SSL
Authored by: enigmamf on Dec 14, '03 05:52:34PM
I found something that fixed the problem for me at the end of the hint about using UW IMAP & SSL in 10.2:
You need to create a symlink before you type make osx, too:
cd /usr/include/
sudo ln -s pam security
Go to http://www.macosxhints.com/article.php?story=200212170535568 for the original.

[ Reply to This | # ]
10.3: Using UW IMAP and SSL
Authored by: sjk on Dec 14, '03 08:31:51PM
You don't need the symlink to compile the development snapshot of UW IMAP; see 10.3: Using WU-IMAP with SSL and xinetd revisited.

[ Reply to This | # ]
10.3: Using UW IMAP and SSL
Authored by: luidprand on Nov 11, '03 03:21:29PM

I've followed this hint and am having an odd problem.
We can send messages to the outside world (postfix is working)
We can send messages locally using the terminal's mail that are legible by the GUI mail clients
We can telnet into 143 and look at the IMAP server and select mailboxes
We cannot receive any mail which does not originate at the terminal
The last bit is obviously the problem. Any suggestions? We are running OS 10.3.1 and using XCode. The IMAP worked fine until upgrading, and is compiled (using the above advice) from 2002e.

Thank you,
Joseph Cadotte



[ Reply to This | # ]
10.3: Using UW IMAP and SSL
Authored by: cilly on Nov 01, '03 08:01:41AM

Ok, and how do I go back from basic to ShadowHash again?

---
cilly



[ Reply to This | # ]
10.3: Using UW IMAP and SSL
Authored by: bustthis on Nov 13, '03 03:52:44PM

this worked great for one day, now when i try to read my mail with squirrelmail or telnet localhost imap- it tells me my login failed?

i get this in mail.log - Command stream end of file, while reading line user=charlesx host=localhost [127.0.0.1]

does anyone know how to get it working again, i tried everything.

---
charles



[ Reply to This | # ]