10.3: Using UW IMAP and SSL

Oct 29, '03 11:23:00PM

Contributed by: Anonymous

Upon doing a clean install of 10.3/Panther on my 800DP, I was unable to properly run UW IMAP-2002E. Although it would build clean, it didn't behave as I expected. It was unable to determine the connecting server address under xinetd, for one. Additionally, I experienced aggravating authentication issues even after following this very helpful hint.

So, after a little digging, I noticed that Apple changed the default behavior of the getpw* system calls under 10.3 to add the ';ShadowHash;' AuthenticationAuthority. What this means, as Apple so eloquently puts it, is:

By default in Mac OS X 10.3 and later all users will have an AuthenticationAuthority that will contain the value "ShadowHash;". These users will have a visible password value of "********". These functions will have no access to the encrypted password whatsoever. Setting or changing a user password must be done entirely through the DirectoryService APIs for this default user.

Aha! That would be why UW IMAP is unable to authenticate users. A quick trip to NetInfo Manager takes care of this.
  1. Authenticate to NetInfo Manager
  2. Change the authentication_authority of the user needing UW IMAP to ';basic;'
  3. Paste in the crypt hash of their password (can be generated with 'openssl passwd' if necessary).
  4. Save your changes

NOTE: making the above change has the net effect of unshadowing the system password file. This leaves you with the same password file security as was found under Jaguar. You only need to change the AuthenticationAuthority for users needing UW IMAP access. There are likely other security implications as well (insert standard disclaimer).
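To keep track of which accounts have been unshadowed this way, the following added example (not part of the original hint) audits account records for readable password hashes and compares them against the users who are meant to have UW IMAP access. The tab-separated input layout, the allow-list argument and the sample records are assumptions made for illustration; exporting the records from NetInfo is left to the reader.

```shell
#!/bin/sh
# Added example (not from the original hint): list accounts whose password
# hash is readable again after the ';basic;' change described above.
#
# Assumed input on stdin, one account per line, tab-separated:
#   name <TAB> authentication_authority <TAB> passwd
# $1 = space-separated accounts that are meant to use UW IMAP (hypothetical).

audit_unshadowed() {
    awk -F '\t' -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            name = $1; auth = $2; pw = $3
            # "*" (locked) and "********" (shadowed) carry no hash material.
            if (pw == "" || pw ~ /^\*+$/) next
            # Traditional crypt(3) output: 13 characters from [./0-9A-Za-z].
            kind = (length(pw) == 13 && pw ~ "^[./0-9A-Za-z]+$") ? "des-crypt" : "other"
            why = (name in ok) ? "expected" : "UNEXPECTED"
            # A hash left in place under ShadowHash is readable but unused.
            if (auth ~ /ShadowHash/) why = "STALE"
            printf "%s\t%s\t%s\n", name, kind, why
        }'
}

# Constructed sample records; the hash values are made-up placeholders.
sample_accounts() {
    printf 'root\t;ShadowHash;\t********\n'
    printf 'daemon\t\t*\n'
    printf 'alice\t;basic;\tAAexamplehash\n'
    printf 'bob\t;basic;\tBBexamplehash\n'
    printf 'carol\t;ShadowHash;\tCCexamplehash\n'
}

# alice is the only account expected to carry a readable hash.
sample_accounts | audit_unshadowed "alice"
```

Any line marked UNEXPECTED or STALE is an account exposing a hash that UW IMAP does not need.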

Next, as I had no luck getting xinetd working properly with UW IMAP (your mileage may vary), I rolled back to inetd. To do this, I added the following line to /etc/inetd.conf:

imaps  stream  tcp  nowait  root  /usr/libexec/tcpd  /usr/sbin/imapd

I then went into /System -> Library -> StartupItems -> IPServices, and edited IPServices to make the following change:

##
# Internet super-server.
##
ConsoleMessage "Starting internet services"
#    xinetd -inetd_compat -pidfile /var/run/xinetd.pid 
/usr/sbin/inetd
##

After a reboot, everything worked fine -- yee-haw.

Mac OS X Hints
http://hints.macworld.com/article.php?story=2003102523435492