
10.3: Using WU-IMAP with SSL and xinetd revisited UNIX
Changing the password authentication scheme in NetInfo as described in this hint is not a good solution, since it will only last till the next password change and lowers the security level of your system. So, I decided to post additional info related to another earlier hint: Using WU-IMAP with SSL and xinetd on 10.2.

In Mac OS X Panther, the security authentication scheme changed and PAM authentication was added. Since IMAP is, by default, compiled without password type PAM, we just need to change it to PAM in the source. It is done by editing the file Makefile in the source. Change the password type to PASSWDTYPE=pam before you type make osx. You need to create a symlink before you type make osx, too:

 % cd /usr/include/
 % sudo ln -s pam security
Now you need to set up PAM authentication for IMAP; simply type:
 % sudo cp /etc/pam.d/ftpd /etc/pam.d/imap
And if you want to use POP3, too, do this:
 % sudo cp /etc/pam.d/ftpd /etc/pam.d/pop3
Now, you can type:
 % make osx SSLTYPE=unix SSLDIR=/usr SSLCERTS=/System/Library/OpenSSL/certs
and continue with the original hint's instructions.
10.3: Using WU-IMAP with SSL and xinetd revisited
Authored by: sjk on Dec 09, '03 07:19:02PM

The development snapshot of UW IMAP 2003 has an "oxp" Makefile target for building with PAM support on Mac OS X.

Note that adding "SSLTYPE=unix" to the make command line allows plaintext passwords in insecure sessions. Unless you really want to do that I'd use the default SSLTYPE=nopwd if you want to be compliant with IESG security requirements. See docs/SSLBUILD in the UW IMAP distribution for more details.



[ Reply to This | # ]
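The SSLTYPE point raised in the comment above, as an added example that is not part of the original thread or of the UW IMAP distribution: a shell audit that reads the SSLTYPE off a make command line and checks a greeting from the cleartext port for the STARTTLS and LOGINDISABLED capabilities (RFC 3501 names). The function names and both greetings are constructed for illustration, and only the two SSLTYPE values discussed here are classified.

```shell
#!/bin/sh
# Added example: audit a UW IMAP build line and a cleartext-port greeting.

# Constructed sample greetings (not captured from a real server).
NOPWD_GREETING='* OK [CAPABILITY IMAP4REV1 STARTTLS LOGINDISABLED] mail.example.test ready'
UNIX_GREETING='* OK [CAPABILITY IMAP4REV1 STARTTLS AUTH=LOGIN] mail.example.test ready'

# Print the SSLTYPE a make command line selects; the last occurrence is used
# (assumption), and "nopwd" is reported when none is given, per the comment.
effective_ssltype() {
    ssltype=nopwd
    for word in $1; do
        case $word in
            SSLTYPE=*) ssltype=${word#SSLTYPE=} ;;
        esac
    done
    printf '%s\n' "$ssltype"
}

# Classify only the two values this thread discusses; anything else is left
# for docs/SSLBUILD to answer.
plaintext_policy() {
    case $1 in
        unix)  echo plaintext-allowed ;;
        nopwd) echo plaintext-refused ;;
        *)     echo unknown ;;
    esac
}

# Verdict for one greeting or CAPABILITY line read from port 143 before TLS:
# "pass" needs both STARTTLS and LOGINDISABLED (RFC 3501 capability names).
capability_verdict() {
    caps=" $(printf '%s\n' "$1" | tr -d '\r' | sed 's/[][]/ /g' |
        tr '[:lower:]' '[:upper:]') "
    case $caps in *" STARTTLS "*) starttls=yes ;; *) starttls=no ;; esac
    case $caps in *" LOGINDISABLED "*) nologin=yes ;; *) nologin=no ;; esac
    if [ "$starttls" = no ]; then echo fail-no-starttls
    elif [ "$nologin" = no ]; then echo fail-plaintext-login
    else echo pass
    fi
}

hint_cmd='make osx SSLTYPE=unix SSLDIR=/usr SSLCERTS=/System/Library/OpenSSL/certs'
echo "hint build:   $(plaintext_policy "$(effective_ssltype "$hint_cmd")")"
echo "nopwd server: $(capability_verdict "$NOPWD_GREETING")"
echo "unix server:  $(capability_verdict "$UNIX_GREETING")"
```

To check a running server, pass `capability_verdict` the first line the server sends on port 143 in place of the constructed greetings.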
10.3: Using WU-IMAP with SSL and xinetd revisited
Authored by: sjk on Dec 09, '03 07:25:08PM
Oh, and also see the 10.3: Using UW IMAP and SSL hint for more info about UW IMAP on 10.3. I think that hint and this one could be merged...

[ Reply to This | # ]
10.3: Using WU-IMAP with SSL and xinetd revisited
Authored by: cilly on Dec 10, '03 10:02:07AM

This hint is already mentioned in the article. Remember that the NetInfo changes only last until the next password change.

---
cilly @ http://www.cilly.dyndns.org/



[ Reply to This | # ]
10.3: Using WU-IMAP with SSL and xinetd revisited
Authored by: sjk on Dec 11, '03 03:42:58PM

Doh! You're right... thanks for catching that. Hmm, maybe it was some other hint I intended to link to but it doesn't much matter now since there's plenty of info here to get UW IMAP authentication working in several ways on 10.3.



[ Reply to This | # ]
10.3: Using WU-IMAP with SSL and xinetd revisited
Authored by: savowood on Dec 10, '03 01:16:48PM

If you want to read how to do this from scratch with step-by-step instructions, look at the write-up I did for 10.3 at:

this site...

or if you're still on 10.2:

try this one.

[ Reply to This | # ]

10.3: Using WU-IMAP with SSL and xinetd revisited
Authored by: sjk on Dec 11, '03 06:06:11PM

Thanks for the links, Michael. Some feedback on the Secure IMAPd for OS X 10.3 page (which I hope is okay to post here):

* You can simply run "make oxp" with the current UW IMAP 2003 snapshot to build the PAM-enabled version on 10.3.

* /usr/local/libexec is a more preferable directory for imapd than /usr/local/bin.

* Yes, /System/Library/OpenSSL/certs is most certainly write protected on a properly configured system. :-)

* The xinetd.conf man page claims the REUSE flag in xinetd config files is deprecated.

* I wouldn't recommend creating the imaps service unless you really need it.

* Why create the /usr/include/security symlink unless you're compiling other software that uses that location?

Not sure about the PAM entries since I've never configured it before but your example worked fine so I'm satisfied for now. :-)



[ Reply to This | # ]
10.3: Using WU-IMAP with SSL and xinetd revisited
Authored by: savowood on Jul 01, '04 06:15:18PM

I went in and made the changes you suggested. Yes, the libexec directory is a much better location. I hope I changed all the /usr/local/bin references. =-)

I didn't test the make oxp thing. I'm guessing someone at UW looked at my page and realized the mistakes. I had a bunch of hits from UW a while back so I think I can pinpoint to the second when they corrected it. *GRIN*

Either way, it won't hurt to specify the directories. They're probably the same anyway.

I thought I should keep the service in there. Through the process, it didn't work until I had all that stuff as set on that page. The page was initially written when the UW-IMAP was in an early stage and you had to search for the newest working version. It's much easier now. It might work with less. It does work as is so I left it that way not wanting to go through again and rewrite massive portions of the page.

I taught a class to some OS X Administrators at the NIH and used my article for a part of the class. It worked then (December 2003). If you want to test without the service, let me know how it goes and I can take it out. It'll take less time for instruction next time I teach that class.

-Michael



[ Reply to This | # ]
10.3: Using WU-IMAP with SSL and xinetd revisited
Authored by: sjk on Jul 02, '04 12:26:16AM

Thanks for the feedback and corrections, Michael.



[ Reply to This | # ]
10.3: Using WU-IMAP with SSL and xinetd revisited
Authored by: smapjb on Mar 23, '04 10:54:04AM

Thanks for your great article.. I got this working fine.. however I tried to follow through the same instructions for pop3s and couldn't get it to authenticate me.. can you think of anything else I might need to do to get pop3s working?

Yours
Phil



[ Reply to This | # ]
10.3: Using WU-IMAP with SSL and xinetd revisited
Authored by: preterosso on Feb 22, '04 05:45:00PM

I'm trying to get imap going and squirrelmail. But squirrelmail says:

Unable to connect to IMAP server!
TLS is enabled, but this version of PHP does not support TLS sockets, or is missing the openssl extension.

I have used postfix enabler to start imap. It says it's started. Many of the paths that these hints use don't seem to be there. I see in the imap configuration that the owner is root. Should it be set to my user name?

You said in your hint that Makefile needs to be edited in the source. Where is that? I know that openssl is running because I utilized the command to create a certificate, as instructed in the previous hint that you referred to.

As you can probably see, I'm pretty bewildered by this. I'm running Panther 10.3.2.


Also in the last command that you did: make osx, isn't the directory SSLCERTS=/System/Library/Openssl/certs
rather than
SSLCERTS=/System/Library/openssl/certs



[ Reply to This | # ]
10.3: Using WU-IMAP with SSL and xinetd revisited
Authored by: lnzdingo on Mar 23, '04 12:31:20PM

Did you get this figured out? You did answer your own question in a way.

The error says that PHP is missing something.
Not squirrelmail and not imap, PHP.

You can try to turn TLS off or you can recompile PHP with TLS and OpenSSL support.



[ Reply to This | # ]