Thu - November 27, 2003

Updated packages



A couple of the software packages have been updated. BerkeleyDB is now at 4.2.50. It compiles without errors, and I have it installed, but I didn't rebuild the dependent packages yet. Cyrus IMAPD is at 2.1.16, but the SASL lib is still at 2.1.15, so I'll probably wait for that install.

INN 2.4.0 threw a couple of "incompatible pointer type" warnings, but the compile finishes. It's installed, but not configured, yet.

Majordomo looks like it's working fine.

Posted at 02:46


Wed - November 26, 2003

Mac OS X Mail in v10.3.1 update



So, switching Cyrus IMAP to the UNIX Hierarchy Separator improves things quite a bit. (add "unixhierarchysep: yes" to imapd.conf)

Now I can create folders locally and the list updates properly. I also discovered the "Use Folder For" option in the menu, although I did end up editing Mail's .plist before I realized that fact.

Creating folders at the top level still requires an "INBOX/foldername", but any others can be done just by selecting the subfolder before choosing "new".

This will also require updating your SquirrelMail config. I changed the special folders to "INBOX/Sent", etc. There is one other thing--in the config.php file that gets built, you will need to change the "optional_delimiter" to "/". There's no option for that in the perl script, except by choosing one of the pre-configured setups.

Once that's done, everything works just fine. Now, I need to eat some dinner before I start fully documenting all of this!

Posted at 07:39

Quickie Update OSMOSIS on Mac OS X v10.3.1



OK, just a quick update right now. Everything is working. The IMAPD auth problem was fixed by using /etc/pam.d/login as a template instead of /etc/pam.d/chkpasswd. This is due to the new implementation of ShadowHash in 10.3. Chkpasswd still seems to work OK for Sendmail, though I will experiment with login for Sendmail, as well.

So far, only one bug...apparently Mac OS X Mail on v10.3.1 won't allow me to create new folders properly from the client on the local machine. I can do it from SquirrelMail and from Mac OS X Mail on 10.2.8 remotely, so it's not really a big deal unless it also carries over to 10.3.1 Mail remotely. Users can always use cyradm to create folders locally, anyway.

A more serious problem is Mail on 10.3.1 doesn't update the folder list without quitting and relaunching (at least, on the local box).

Haven't installed Majordomo, yet, but I don't expect any problems there.

Oh, mod_php may not, in fact, be enabled by default. I may have enabled it myself, but I don't have a clean build around right now to verify this. My original build was done on 25 Oct, right after the release, but I haven't gotten around to testing until now. Had to take a vacation to Italy...darn....

The URL for the NetInfo headers and resolver lib stuff.

http://golem.ph.utexas.edu/~distler/blog/archives/000243.html

I also found out that the latest development version of UW-IMAP has support for PAM under OSX. Build it for "oxp", I think. Haven't tried it yet. I only have one dev machine...

Posted at 06:04

Updates for Mac OS X v10.3.1, etc...



OK, I just realized there's a thing or two missing from the install procedure. I'll be working on getting that updated.

At the same time, I'm working out the details of the install for Panther v10.3.1. Big changes here, so stay tuned...

First of all, under Panther, BerkeleyDB is installed by Apple. It's the same v4.1.25 as you can get from SleepyCat, so it's not really necessary to recompile. If you *do* recompile, the db_vrfy routine throws an error. I'm not sure if Apple fixed this in the pre-installed version.

Also, *do not* install dlcompat under 10.3.1--that will now break SASL and Cyrus IMAPD. The good news is Apple provides the necessary bits already, so it works OK without dlcompat. Next thing is, it looks like mod_php is already enabled in Apache's config file, so we probably don't have to install the Entropy package to get SquirrelMail to work.

So far, SASL looks pretty much the same. Cyrus-IMAPD throws a couple of new errors (TLS probably won't work).

Sendmail has problems. The NetInfo header files are missing in 10.3, so copy them from 10.2, along with the Sendmail StartupItem. Also, the resolver libs are different. I found a page with info for patching Sendmail 8.12.10, but I don't have the URL handy right now... The generic-darwin.mc file is missing, too (as is most of the /usr/share/sendmail stuff).

But so far, I have Sendmail up and running with SMTP AUTH->SASLauthd->PAM->NetInfo under 10.3.1, so I feel pretty good so far. IMAPD won't authenticate properly, so I'm working on that right now...but I have to tear apart my development iMac to stick the 10.2.8 drive back in to check a couple of things, so it will be a bit...

In the IMAPD install for 10.2.8, I missed the configure step for the makedepend, and there's a typo in the local.mc file. I'll get around to fixing it soon.

Posted at 08:17


Mon - October 6, 2003

INN-2.4.0



I'll be adding a section to the Osmosis install procedure for using INN 2.4.0 as a conferencing server. Although the Cyrus IMAPD docs say that INN can be integrated with Cyrus, apparently the support for this has been removed from Cyrus in favor of a new LMTP feed scheme that will appear in Cyrus 2.2. And to think it only took me all night to figure it out...grrr....

Anyway, INN runs fine on Mac OS X for a private discussion server. I don't have access to a full feed anymore to test it under high load--nor do I have the hardware or bandwidth!

Posted at 03:21


Sun - October 5, 2003

New Instructions for installation of OSMOSIS



Well, I've decided that all of this should be called the Open Source Messaging Server System, or Osmosis, for short.

Here are some updated instructions that are still a bit incomplete, but it's only the easy parts that you'll have to figure out on your own. As far as I can tell, this all works, but if anyone finds any bugs, I'd appreciate some feedback.

Installation procedure for Open Source Messaging Server System (Osmosis)

for Mac OS X v10.2.8

utilizing Sendmail v8.12.10 [SMTP]
Cyrus SASL v2.1.15 [authentication]
Cyrus IMAPD v2.1.15 or UW-IMAP v2002e [POP and IMAP]
SquirrelMail v1.4.2 [webmail]
Majordomo v1.94.5 [mailing list]

Get the following books, you'll need them:

A. Sendmail, 3rd Edition
B. Managing IMAP
C. Managing Mailing Lists
D. Mac OS X for Unix Geeks


1. Install Mac OS X v10.2
2. Install Mac OS X v10.2.8 Update
3. Install Mac OS X Developer Tools (Dec 2002)
4. Install Mac OS X Dev Tools (Aug 2003 Update)

5. Obtain the following software packages:

BerkeleyDB 4.1.25 from Sleepycat Software
http://www.sleepycat.com/
(needed for Cyrus)

dlcompat-20030629 from OpenDarwin
http://www.opendarwin.org/projects/dlcompat
(needed for Cyrus)

PHP Apache Module v4.3.3 from Entropy
http://www.entropy.ch/software/macosx/php
(needed for SquirrelMail)

Cyrus SASL v2.1.15
http://asg.web.cmu.edu/cyrus/download/
(needed for SMTP AUTH and Cyrus IMAPD)

Cyrus IMAPD v2.1.15
http://asg.web.cmu.edu/cyrus/download/

Sendmail v8.12.10
http://www.sendmail.org/

SquirrelMail v1.4.2
http://www.squirrelmail.org/

Majordomo v1.94.5
http://www.greatcircle.com/majordomo


6. Install BerkeleyDB v4.1.25 (may be skipped if you're installing UW-IMAP instead of Cyrus IMAPD, but you should probably do it anyway in case you find you need to switch later)

a. unpack the tar.gz file
tar xzvf db-4.1.25.tar.gz
b. cd db-4.1.25/build_unix
c. ../dist/configure
d. make
e. make install

7. Install dlcompat-20030629
a. unpack the tar.gz
tar xzvf dlcompat-20030629.tar.gz
b. cd dlcompat-20030629
c. ./configure
d. make
e. make install

8. Install PHP Apache Module v4.3.3
a. open the .dmg
b. run the installer

9. Install Cyrus SASL v2.1.15
a. unpack the tar.gz
tar xzvf cyrus-sasl-2.1.15.tar.gz
b. cd cyrus-sasl-2.1.15
c. fix the PAM header location
ln -s /usr/include/pam /usr/include/security
d. ./configure --enable-login --disable-krb4 --disable-gssapi --with-bdb-libdir=/usr/local/BerkeleyDB.4.1/lib --with-bdb-incdir=/usr/local/BerkeleyDB.4.1/include
e. make
f. make install
g. fix saslpasswd2 and sasldblistusers2
i. cd utils
ii. cc saslpasswd.c -I.. -I../include -lsasl2 -I/usr/local/BerkeleyDB.4.1/include -L/usr/local/BerkeleyDB.4.1/lib -ldb-4.1 ../sasldb/.libs/libsasldb.al -o saslpasswd2
iii. cc sasldblistusers.c -I.. -I../include -lsasl2 -I/usr/local/BerkeleyDB.4.1/include -L/usr/local/BerkeleyDB.4.1/lib -ldb-4.1 ../sasldb/.libs/libsasldb.al -o sasldblistusers2
iv. cp sasldblistusers2 /usr/local/sbin
v. cp saslpasswd2 /usr/local/sbin
h. cd ../saslauthd
j. make testsaslauthd
k. cp testsaslauthd /usr/local/sbin
l. mv /usr/lib/sasl2 /usr/lib/sasl2.orig
m. ln -s /usr/local/lib/sasl2 /usr/lib/sasl2
n. add the following line to /etc/hostconfig
SASLAUTHD=-YES-
p. copy the files in /System/Library/StartupItems/BIND and change as necessary to make a startup item for saslauthd
command to start saslauthd should be "saslauthd -a pam"

10. Install Cyrus IMAPD
a. unpack the tar.gz
tar xzvf cyrus-imapd-2.1.15.tar.gz
b. cd cyrus-imapd-2.1.15
c. fix source code
i. chown -R root *
ii. add the following three lines to config.guess at line 977
*:Darwin:*:*)
echo powerpc-apple-darwin${UNAME_RELEASE}
exit 0 ;;
iii. cd makedepend
iv. ./configure && make
v. cp makedepend /usr/bin
vi. cd ..
vii. comment out line 65 in imap/mboxlist.c
//#include <sys/msg.h>
viii. add the following line to imap/setproctitle.c at line 78
#include <sys/time.h>
ix. comment out line 65 in imap/cvt_cyrusdb.c
//#include <sys/msg.h>
x. comment out line 50 in imtest/imtest.c
//#include <sys/msg.h>
xi. comment out line 54 in perl/sieve/lib/request.c
//#include <sys/msg.h>
d. ./configure --with-bdb-libdir=/usr/local/BerkeleyDB.4.1/lib --with-bdb-incdir=/usr/local/BerkeleyDB.4.1/include
e. make depend
f. make all CFLAGS=-O
you will get two errors that can probably be safely ignored
i. ranlib: file: libimap.a(annotate.o) has no symbols
ii. fud.c:101:1: warning: "MAXLOGNAME" redefined
g. make install

OR

10. Install UW-IMAP v2002e
a. as per instructions

11. Configure Cyrus IMAPD
a. as per instructions in doc directory

12. Install Sendmail v8.12.10
a. unpack the tar.gz
tar xzvf sendmail-8.12.10.tar.gz
b. cd sendmail-8.12.10
c. gcc_select 3
d. create the file devtools/Site/site.config.m4
i. APPENDDEF(`confENVDEF', `-DSASL=20115')
ii. APPENDDEF(`conf_sendmail_LIBS', `-lsasl2.2.0.15')
iii. APPENDDEF(`confINCDIRS', `-I/usr/local/include/sasl')
iv. APPENDDEF(`confLIBDIRS', `-L/usr/local/lib')
e. ./Build -n
f. ./Build
g. ./Build install
h. cd cf/cf
j. cp /usr/share/sendmail/conf/cf/generic-darwin.mc local.mc
k. remove the following lines from local.mc
undefine(`ALIAS_FILE')
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')
FEATURE(local_procmail)
MAILER(procmail)
l. add the following lines to local.mc, plus any other local options you might need
define(`confDONT_BLAME_SENDMAIL',``GroupWritableDirPathSafe, ForwardFileInUnsafeDirPathSafe, DontWarnForwardFileInUnsafeDirPath'')
define(`ALIAS_FILE', `/etc/mail/aliases')
define(`confAUTH_OPTIONS', `A')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
define(`confTRUSTED_USERS', `majordom')
define(`confLOCAL_MAILER', `cyrusv2')
MAILER(`cyrusv2')
m. mv /etc/mail/sendmail.cf /etc/mail/sendmail.cf.orig
n. m4 ../m4/cf.m4 local.mc > /etc/mail/sendmail.cf
p. change /etc/hostconfig to "MAILSERVER=-YES-"
q. echo "pwcheck_method: saslauthd" > /usr/lib/sasl2/Sendmail.conf
r. cp /etc/pam.d/chkpasswd /etc/pam.d/smtp
s. cp /etc/pam.d/chkpasswd /etc/pam.d/imap
t. reboot or start/restart Sendmail

13. Install Majordomo v1.94.5
a. as per the included instructions, except
b. remove the following switch from the $mailer and $bounce_mailer commands in majordomo.cf
"-oee"


14. Install SquirrelMail
a. as per instructions







Posted at 06:26


Mon - September 29, 2003

Even more info about SASL



Well, well, well...it seems all this work this week has fried my brain a bit.

I read over all the docs I could find about SASL again. SASL doesn't actually support any other mechanisms over PAM than the "plaintext" mechanisms, PLAIN and LOGIN. If you want to use the more secure MD5 algorithm, you are required to use the sasldb pwcheck_method. Hmm. Oh, and apparently, the "pam" argument doesn't work anymore for "pwcheck_method", because PAM support has been changed in SASL so it goes through the saslauthd daemon only.

So, I guess I'm not entirely crazy...just a little disappointed.

Posted at 11:33

Critical Update: SMTP AUTH -> NetInfo



After further testing, I've discovered that I made an error in my earlier testing. The SMTP AUTH still works, but not quite as well as we might have hoped.

Apparently, the "pwdcheck_method: pam" statement in my /usr/lib/sasl2/Sendmail.conf is incorrect. The actual keyword should be "pwcheck_method", which doesn't work with just a "pam" argument as far as I can see; however, the statement "pwcheck_method: saslauthd -a pam" works, assuming you've set up /var/state/saslauthd. What happened is that without the correct statement in the file, SASL apparently defaults back to the "sasldb" authentication method, unfortunately without any external evidence of the fact. I had created the sasldb2.db file earlier to test that functionality, but I didn't delete it, so that mechanism was still being used in my testing, unbeknownst to me at the time...

Well, the bottom line is that "sasldb" works for MD5, PLAIN, and LOGIN, but the problem with "saslauthd", as documented (somewhat) at the SASL web site, is that "saslauthd -a pam" does not work for anything besides PLAIN. It will, however, work with PLAIN to authenticate to the NetInfo database via PAM.

I also discovered along the way that the "testsaslauthd" program compiles OK with GCC 3.3. Using this program, you can verify authentication via saslauthd.

So, unfortunately, this didn't turn out as well as I hoped, but it's still quite useful. Thankfully, maintaining the sasldb2.db file is pretty simple, at least for smaller groups of users. I'll be investigating some of the ideas I saw at the SquirrelMail web site for managing the database via a web page.

Posted at 06:50
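
The silent fallback described in this post, and the PLAIN/LOGIN-only limit of saslauthd from "Even more info about SASL", can be caught before Sendmail is started. The following is an added example, not part of the original blog: a shell lint that compares a SASL application config with the mechanisms an .mc file advertises. The function names, finding codes, file names and the typo heuristic are assumptions of this example, and the sample files are constructed from the lines quoted in the posts.

```shell
#!/bin/sh
# Added example (not from the blog): lint a Cyrus SASL application config
# against the mechanisms a sendmail .mc file advertises.

# Value of the last pwcheck_method line, e.g. "saslauthd" (empty if absent).
sasl_pwcheck_method() {
    awk -F: '$1 ~ /^[ \t]*pwcheck_method[ \t]*$/ {
                 v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); m = v }
             END { print m }' "$1"
}

# Heuristic (assumption): a key containing "check_method" that is not exactly
# "pwcheck_method" is probably a misspelling of it.
sasl_typo_keys() {
    awk -F: '{ k = $1; gsub(/[ \t]/, "", k) }
             k ~ /check_method/ && k != "pwcheck_method" { print k }' "$1"
}

# Mechanism list from define(`confAUTH_MECHANISMS', `...') in an .mc file.
mc_auth_mechanisms() {
    awk -F"[\`']" '$2 == "confAUTH_MECHANISMS" { m = $4 } END { print m }' "$1"
}

# Print one finding per line; no output means nothing was flagged.
lint_sasl() {
    conf=$1; mc=$2
    for k in $(sasl_typo_keys "$conf"); do
        echo "TYPO_KEY $k"
    done
    method=$(sasl_pwcheck_method "$conf")
    backend=${method%% *}          # "saslauthd -a pam" -> "saslauthd"
    case $backend in
        "")  echo "NO_PWCHECK library default applies" ;;
        pam) echo "BAD_METHOD pam" ;;
    esac
    if [ "$backend" = saslauthd ]; then
        # saslauthd is handed a plaintext password, so only PLAIN/LOGIN work.
        for mech in $(mc_auth_mechanisms "$mc"); do
            case $mech in
                PLAIN|LOGIN) ;;
                *) echo "UNBACKED_MECH $mech" ;;
            esac
        done
    fi
    return 0
}

# Constructed sample inputs modelled on the lines quoted in the posts.
write_samples() {
    printf 'pwdcheck_method: pam\n'      > "$1/typo.conf"
    printf 'pwcheck_method: saslauthd\n' > "$1/saslauthd.conf"
    printf 'pwcheck_method: auxprop\n'   > "$1/sasldb.conf"  # auxprop reads sasldb2
    cat > "$1/local.mc" <<'EOF'
define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
for c in typo saslauthd sasldb; do
    echo "== $c.conf"
    lint_sasl "$dir/$c.conf" "$dir/local.mc"
done
rm -rf "$dir"
```

Run against the files from the 10.2.8 procedure, it would flag DIGEST-MD5 and CRAM-MD5, since local.mc advertises them while Sendmail.conf points at saslauthd.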


Sun - September 28, 2003

Majordomo 1.94.5 working on Mac OS X 10.2.8/Sendmail 8.12.10



If you want to use Majordomo 1.94.5 on Mac OS X 10.2.8 with Sendmail 8.12.10, you'll need to make a minor change to the majordomo.cf file.

Sendmail 8.12.10 has a problem with the $mailer and $bounce_mailer commands specified in majordomo.cf. Simply remove the "-oee" switch from each line (which is supposed to set the error handling mode of sendmail), and everything should work properly. "-oee" tells Sendmail to always exit with a zero exit status. Without the switch, Sendmail will use the default setting of "p", which means "print error messages".

Posted at 09:45

Client tests of SMTP AUTH



Here's what I've found so far:

Outlook Express 5.0.2 doesn't work at all.
Outlook Express 5.0.6 uses the deprecated and undocumented "LOGIN" mechanism.

Entourage X (10.1.1) uses CRAM-MD5.

Mac OS X Mail (1.2.5, v552) allows you to choose from "Password" (PLAIN), "MD-5 Challenge/Response" (CRAM-MD5), Kerberos v4 or Kerberos v5 (GSSAPI). I have not been able to get the SASL libraries to compile successfully with Kerberos 4 or GSSAPI, so I can't test these two to see if they work.

Posted at 05:05

Further testing of Sendmail-8.12.10 v. Apple's Sendmail-40


Looks like Sendmail-8.12.10 will not, in fact, compile with Apple's GCC 3.3...

Further testing today proves that the standard Sendmail-8.12.10 sources will not compile with Apple's GCC 3.3 without some modifications. The first error I got was that GCC 3.3 no longer supports <varargs.h>, and the code should be updated to use <stdarg.h>. I tried a multi-file find/replace with BBEdit (and copied the stdarg.h from /usr/include/gcc/darwin/3.3), but apparently there are more problems, so I'm not going to spend any more time on it--I'll leave that to the people who know better...

The Sendmail-8.12.10 sources do compile just fine with GCC 3.1, so I think that ultimately this is a better solution than patching the Apple Sendmail-40 sources with the parse8.359.2.8 patch. BTW, the patch doesn't work on the Apple sources if you follow the directions from sendmail.org, but it's easy enough to apply manually. The patch changes two lines in parseaddr.c. If you look at the original source and the patch diff side-by-side, you'll see that the changes total four characters around Lines 700-710.

If you do elect to go this route, remember to change version.c to reflect the presence of the patch.

However, I think 8.12.10 also includes other things besides the patch, so I believe it's the better path. Just run "gcc_select 3" to get back to the 3.1 compiler and let her rip...

Posted at 03:58

Tried Sendmail 8.12.10 with GCC 3.3


Sendmail 8.12.10 sources from <http://www.sendmail.org/> apparently do not work with GCC 3.3 supplied by Apple.

So, apparently the new Sendmail sources (8.12.10), the ones with the latest security fix, don't work with Apple's new GCC 3.3. I was able to get a good compile by using "gcc_select 3" to switch back to the older compiler (GCC 3.1).

The new compiler reports that varargs.h is no longer supported by GCC 3.3. The ./Build script reports that one should use stdarg.h, instead. I tried to do a find/replace with BBEdit to change all references to varargs.h to stdarg.h, but this didn't work either. Can you tell I'm not the world's greatest programmer?

Also, I discovered that the ./Build install script doesn't replace the m4 configuration files on the box, so if you want the latest m4 configuration, you'll have to run it from the source directory.

I suppose that using GCC 3.1 is probably better than sticking with older (8.12.9) sources that have security holes, but if somebody knows differently, I'd appreciate some feedback. The Apple-supplied Sendmail 8.12.9 (Sendmail-40 from Darwin 6.8) works fine with GCC 3.3. Tomorrow morning I'll try patching Sendmail-40 with the patch from Sendmail.org to see if it still works with GCC 3.3.

I do like using the latest stable compiler...

Posted at 01:19


Sat - September 27, 2003

Sendmail/SMTP AUTH/SASL/PAM/NetInfo on Mac OS X 10.2.8


I have been able to successfully get Sendmail (8.12.9) working with SMTP AUTH, Cyrus SASL 2.1.15, Pluggable Authentication Modules, and NetInfo on Mac OS X 10.2.8.

I'm sure there are probably a few people interested in this besides myself, so I'll share what I discovered:

OK, here's the procedure:


1. Install Mac OS X 10.2.8 on your machine
a. Mac OS X 10.2.8
b. Mac OS X 10.2 Developer Tools (Dec 2002)
c. Mac OS X 10.2 Dev Tools (Aug 2003 update)

2. Download the following packages...
a. Sendmail-40 from Darwin 6.8 <http://developer.apple.com/darwin/>
i. Sendmail security patch <http://www.sendmail.org/patches/parse8.359.2.8>
b. dlcompat-20030629 from <http://www.opendarwin.org/projects/dlcompat/>
c. cyrus-sasl-2.1.15 from CMU <ftp://ftp.andrew.cmu.edu/pub/cyrus/>

3. Compile and install dlcompat-20030629
a. ./configure
b. make
c. make install

4. Compile and install cyrus-sasl-2.1.15
a. ln -s /usr/include/pam /usr/include/security
b. ./configure --enable-login --disable-krb4 --disable-gssapi
c. make
d. make install

e. the utils will not work, so following instructions from <http://sial.org/sendmail/macosx/smtpauth/>, do (if you want to use sasldb)
i. cd utils
ii. cc saslpasswd.c -I.. -I../include -lsasl2 ../sasldb/.libs/libsasldb.al -o saslpasswd2
iii. cc sasldblistusers.c -I.. -I../include -lsasl2 ../sasldb/.libs/libsasldb.al -o sasldblistusers2
iv. you may copy these to /usr/local/sbin, if you like

NOTE: ./saslpasswd2 -a Sendmail -c userid@hostname.local. for netinfo support

5. Compile and install sendmail-40
a. make site.config.m4
i. APPENDDEF(`confENVDEF', `-DSASL=20115')
ii. APPENDDEF(`conf_sendmail_LIBS', `-lsasl2.2.0.15')
iii. APPENDDEF(`confINCDIRS', `-I/usr/local/include/sasl')
iv. APPENDDEF(`confLIBDIRS', `-L/usr/local/lib')
b. ./Build -n
c. ./Build
d. ./Build install

6. Make new sendmail.cf (with auth mechs and trust_auth_mech, etc...)

7. echo "pwdcheck_method: pam" > /usr/lib/sasl2/Sendmail.conf

8. cp /etc/pam.d/chkpasswd /etc/pam.d/smtp

9. fire up sendmail, set up client (userid must be userid@hostname.local.), send mail.

10. I have been able to successfully relay mail from Mac OS X Mail 1.2.5 (v552) using SMTP AUTH with both PLAIN and MD5 [which is CRAM-MD5], with the regular NetInfo passwords.

Posted at 04:32

