On Sat, 9 Dec 2006, Tom Cooper wrote:
> 1. How can I tell if my imap instance sees my certificates?

imapd will leave error messages in the mail syslog if there are any
certificate errors.

> 2. What can I do to get imaps working on Tiger?

You need to install port 993 (imaps) service as well as port 143 (imap)
service. See below.

> 3. Failing #2, how do I configure thunderbird to connect to port 143 and log
> in? My imap server is on a firewalled LAN, and 100% of the connections to
> it will be from internal addresses.

Most IMAP clients will connect to port 143 by default unless you specify
SSL. However, since TLS is required for port 143 connections, you need to
get the certificates working.

> Michael Cashwell said:
> > What you probably want to do instead is "make oxp" which builds for
> > PAM. That way, any normal user account on the system will "just work".
> Done. Sadly, it does not appear to "just work".

Did you follow the instructions in BUILD and SSLBUILD?

> > Also, if you want real SSL/TLS then you will need a server-side cert
> > (that's either signed by a root authority known to the clients or
> > self-signed with your own root cert installed on the clients).
> Done, too, and copied to /System/Library/OpenSSL/certs/imapd.pem. The cert
> works for Apache SSL, so I think I created it properly.

Does your certificate have a CERTIFICATE and an RSA PRIVATE KEY section?
Either both go in the /System/Library/OpenSSL/certs/imapd.pem file, or
the CERTIFICATE goes into /System/Library/OpenSSL/certs/imapd.pem file and
the RSA PRIVATE KEY goes into /System/Library/OpenSSL/private/imapd.pem .

> I can't seem to
> get xinetd working properly to launch imapd when I try to telnet to the
> imaps port on localhost.

Blame Apple. They half-broke xinetd when they instituted launchd. Not
fully broke, in which it won't work at all. Half-broke, as in "it works
sometimes depending upon the timing of the boot process."

> It is working on port 143 - but I don't see that
> as particularly helpful because I can't figure out any combination of
> settings in thunderbird that will allow me to connect to the box!

I can't help you with Thunderbird; you need to talk with the developers of
that program for assistance. However, since a client needs to negotiate
TLS in order to authenticate on port 143, you need to jump the certificate
hurdle.

> I've read a bit and have begun to learn about launchd (phew - pretty
> different from linux-land.)

The less said about launchd, the better. I have nothing good to say about
it. Let's just say that there is a reason why the rest of the UNIX world
is not beating down Apple's door to adopt launchd.

> I found a post from Mark in March on the
> imap-use list that had a plist attached, so I created
> /System/Library/StartupItems/imap and added both an imap script and the
> plist file - then ran /sbin/SystemStarter restart imap

That plist file was sent to me as contributed code. I do not use it
myself, nor can I vouch for it. Supposedly it gets launchd to support
IMAP servers. In looking at it, it seems to be for a port 993 server
only.

> bugs:/System/Library/StartupItems/imap root# telnet 192.168.100.150 imaps
> Trying 192.168.100.150...
> telnet: connect to address 192.168.100.150: Connection refused
> telnet: Unable to connect to remote host

telnet is not a good test for imaps (port 993) since it does not negotiate
SSL. Try
    openssl s_client -connect 192.168.100.150:993
instead.

> bugs:/System/Library/StartupItems/imap root# telnet localhost imap
> Trying ::1...
> telnet: connect to address ::1: Connection refused
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> * OK [CAPABILITY IMAP4REV1 LITERAL+ SASL-IR LOGIN-REFERRALS STARTTLS
> LOGINDISABLED] localhost IMAP4rev1 2006c.374 at Sat, 9 Dec 2006 20:49:08 -0500
> (EST)

This looks like a perfectly normal port 143 server. It should work, as
long as you have the proper certificates installed for TLS negotiation.
The LOGINDISABLED means that you can not log in until TLS is negotiated;
this is in accordance with the requirements of RFC 3501.

-- Mark --
http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.
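
The checks described in the reply above (CERTIFICATE and RSA PRIVATE KEY sections present in one of the two file layouts, and a port 143 greeting that requires STARTTLS before login), written as a shell script. This is an added example, not part of the original message or of the UW IMAP distribution; the function names are made up here, and probe_imap assumes a reachable server and the openssl command-line tool.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from UW imapd.

# pem_has FILE LABEL: true if FILE contains a BEGIN and END line for LABEL.
pem_has() {
    [ -r "$1" ] || return 1
    grep -qF -- "-----BEGIN $2-----" "$1" &&
    grep -qF -- "-----END $2-----" "$1"
}

# imapd_pem_layout CERTS_FILE PRIVATE_FILE
# Prints combined, split, missing-cert or missing-key; succeeds only for the
# two layouts described in the reply.
imapd_pem_layout() {
    if ! pem_has "$1" "CERTIFICATE"; then
        echo missing-cert; return 1
    fi
    if pem_has "$1" "RSA PRIVATE KEY"; then
        echo combined; return 0
    fi
    if pem_has "$2" "RSA PRIVATE KEY"; then
        echo split; return 0
    fi
    echo missing-key; return 1
}

# greeting_login_state GREETING: what the port 143 greeting asks of a client.
greeting_login_state() {
    case "$1" in
        *LOGINDISABLED*STARTTLS*|*STARTTLS*LOGINDISABLED*) echo starttls-required ;;
        *LOGINDISABLED*) echo login-disabled-no-starttls ;;
        *STARTTLS*) echo starttls-optional ;;
        *) echo no-starttls ;;
    esac
}

# probe_imap HOST: live handshakes; not run here, needs a reachable server.
probe_imap() {
    openssl s_client -connect "$1:993" </dev/null                # imaps
    openssl s_client -connect "$1:143" -starttls imap </dev/null # imap + STARTTLS
}

# Greeting copied from the telnet session quoted in the message.
SAMPLE_GREETING='* OK [CAPABILITY IMAP4REV1 LITERAL+ SASL-IR LOGIN-REFERRALS STARTTLS LOGINDISABLED] localhost IMAP4rev1 2006c.374'
greeting_login_state "$SAMPLE_GREETING"
```

On the server, imapd_pem_layout /System/Library/OpenSSL/certs/imapd.pem /System/Library/OpenSSL/private/imapd.pem checks the two files named in the reply.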