September 04, 2003

SquirrelMail and OS X — an update

Last year I posted some details on running the SquirrelMail (SM) webmail system under Mac OS X. These have been read by a great many — which is very gratifying — and I have had some very positive feedback via email: many thanks!

The instructions I gave were for SquirrelMail 1.2.7 running under OS X 10.1.x. Both SM and OS X have upgraded since then. This has introduced a major new issue (SSL) but has otherwise simplified installation. The notes below are intended to update my previous instructions, and are good for both Jaguar (10.2) and Panther (10.3). As before, they relate primarily to using the UW IMAP server, but using a different server (e.g. Cyrus) should not be a problem: just make sure the SM configuration knows which server you are using.

Get IMAP working first

You must install a working IMAP server and test it before running SquirrelMail: this will save headaches later! I recommend you ensure that the setup works with mail.app or Entourage clients (but see comments on SSL below).

Once you have a working IMAP server, installing SM is now pretty straightforward.

Secure authentication

The current version of UW imapd follows the current IESG security requirements and by default builds with plaintext password authentication (port 143) disabled, and SSL enabled (port 993).

OS X 10.2.x (Jaguar) and 10.3.x (Panther) have SSL already installed, and there is no problem building and deploying imapd with SSL. There are excellent instructions here, including how to create the necessary security certificate. You will of course have to configure your IMAP client to use SSL on port 993. There are options for this in mail.app and Entourage. Unfortunately, however, SquirrelMail doesn't 'do' SSL and some strategy or other is necessary to get them working together.

The advice from the SM site is to use stunnel or an SSH tunnel to listen for material on 143 and forward it using SSL to 993. I have not tried this, and reportedly it has a significant performance overhead.

The approach I have taken is simply to build imapd with SSL but allow plain password authenticated sessions on port 143:

# make osx SSLTYPE=unix

This gives you the best of both worlds, provided you can firewall off external access to port 143 on the machine(s) running SM and imapd.
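The "provided you can firewall off" condition can be checked from the listener table. The following is an added example, not part of the original post: it classifies the IMAP listeners in `netstat -an` output so you can see whether plaintext port 143 is bound to all interfaces (and so protected only by the firewall rule) or to loopback alone. The function names and the sample netstat lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify IMAP listeners from `netstat -an` output.
# Handles BSD/OS X "addr.port" and Linux "addr:port" local-address formats.

# Reads netstat output on stdin; prints "<port> <scope> <local-address>"
# for every LISTEN socket on 143 (plaintext) or 993 (SSL).
imap_listeners() {
    awk '
        $NF == "LISTEN" && $1 ~ /^tcp/ {
            laddr = $4
            # The port is whatever follows the last "." or ":" separator.
            n = match(laddr, /[.:][0-9]+$/)
            if (n == 0) next
            port = substr(laddr, n + 1)
            addr = substr(laddr, 1, n - 1)
            if (port != "143" && port != "993") next
            scope = "external"
            if (addr ~ /^127\./ || addr == "::1" || addr == "localhost")
                scope = "loopback"
            print port, scope, addr
        }'
}

# Exit status 0 when a plaintext (143) listener is bound to a non-loopback
# address, i.e. the firewall rule is the only thing keeping it private.
plaintext_needs_firewall() {
    imap_listeners | grep -q '^143 external '
}

# Constructed sample: imapd built with SSLTYPE=unix, both ports on all interfaces.
SAMPLE_WILDCARD='Proto Recv-Q Send-Q  Local Address   Foreign Address  (state)
tcp4       0      0  *.143           *.*              LISTEN
tcp4       0      0  *.993           *.*              LISTEN
tcp4       0      0  *.80            *.*              LISTEN'

# Constructed sample: plaintext port reachable from the local machine only.
SAMPLE_LOOPBACK='tcp4       0      0  127.0.0.1.143   *.*              LISTEN
tcp4       0      0  *.993           *.*              LISTEN'

for sample in "$SAMPLE_WILDCARD" "$SAMPLE_LOOPBACK"; do
    printf '%s\n' "$sample" | imap_listeners
    if printf '%s\n' "$sample" | plaintext_needs_firewall; then
        echo "-> port 143 listens on all interfaces: verify the firewall rule"
    else
        echo "-> port 143 is loopback-only"
    fi
done
```

On a live machine, pipe the real table in with `netstat -an | imap_listeners`, then confirm from a second host that port 143 is refused while 993 still answers.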

Apache and PHP

OS X comes with a functional Apache server, but this needs to be updated to run PHP. Marc Linyage's excellent package does this simply and perfectly. It also installs a php.ini that works fine for SM.

Apache and SSL

The benefits of having your IMAP server work via SSL are rather wasted if your web session does not, so it is advisable to set up a secure server. There are good instructions for doing so here.

Install SquirrelMail

The directions on the SM site seem to work fine. I will not attempt to repeat them here as your webserver directory structure will probably differ from mine.

Outgoing mail

SM will need access to an SMTP server in order to send mail to others: this can be a local or remote server. The SM config script allows you to choose between calling sendmail (running on the same machine) directly, or SMTP, in which case you need to supply the address of the SMTP server. This of course may be running on the same machine (it might even be sendmail), in which case you can specify localhost.

Prior to Panther, OS X came with Sendmail installed (but usually not correctly configured). With Panther, Apple has switched to Postfix. (I don't use either, and prefer Exim, for reasons outlined elsewhere). Whichever you use, you should test it properly with a regular mail client before trying to send mail from SM. Whether or not it is running on the same machine as SM, I recommend configuring SM to use SMTP, not sendmail directly.

Note that you may have to configure your SMTP server explicitly to accept (relay) mail from the SM machine, even if it is localhost.

If you have MySQL installed and want to use it as a backend to SM for address book and user preferences storage, there are instructions here.

Good luck!

[Updated 17/04/2004; 20/05/2004]

Posted by Chris Bunch at September 4, 2003 01:36 PM
Comments

When I try to send mail using SM on OSX Server 10.2.8 I get a 553 error ( not allowing relay )

I have this set up for pop and smtp users so their account has to be valid.

But using SM there does not seem to be any place to make it act correctly

Any Ideas?


Thanks in advance

Gino

Posted by: Gino pacitti at November 28, 2003 04:19 PM

When I try to send mail using SM on OSX Server 10.2.8 I get a 553 error ( not allowing relay )

This sounds like a configuration problem on your SMTP server, rather than an SM problem. What are you running? Sendmail? PostFix?

Is SM installed on the same machine? If so you may have to configure the SMTP server explicitly to relay from localhost.

C

Posted by: Chris Bunch at November 28, 2003 05:06 PM

Update for 10.3 (Panther)

You must use the latest DEV tarball for the UW IMAP server for use with Panther. As of 11/30/2003 you can use:

curl ftp://ftp.cac.washinton.edu/imap/imap-2003.DEV.tar.Z > ~/imap-2003.DEV.tar.Z


Then you need to compile the IMAP server with

make oxp SSLTYPE=unix SSLCERTS=(your cert directory)

to get it to work.

Further, you need to add two files to the /etc/xinetd.d directory, thusly

cd /etc/xinet.d
sudo cp login imap
sudo cp login imaps

then edit those files changing the first line to "service imap" (or imaps, depending)

and change the "server" line to point to your compiled imapd.

Then, you need to

sudo /sbin/service imap start
sudo /sbin/service imaps start

regards,

-Ian

Posted by: Ian Smith at November 30, 2003 07:04 PM

Thanks Ian. The background to this is that Apple changed two things in Panther that impact on the workings of UW-imap: (1) they introduced pluggable authentication module (pam) authentication; and (2) they switched from inetd to xinetd.

The pam switch took a lot of us by surprise and various workarounds appeared on the mailing lists, some of which only worked for a short time. Mark Crispin came to the rescue with a new dev port for OS X Panther, which at the moment, is the download Ian mentions above. Note that if you are recompiling imapd you should first do a make clean and then make oxp (not make osx, as previously). As this is presently a development tarball, things may change so keep an eye on the UW site and the c-client mailing list.

You will also need to do sudo cp /etc/pam.d/login /etc/pam.d/imap to make pam accept logins for imap.

Compiling imapd with SSLTYPE=unix is not a good idea: it allows traditional, passwords-in-the-clear authentication as well as by SSL. It is unsafe since if anyone installs a sniffer on your network they can steal passwords. However, I have not been able to get SM to work with SSL (if anyone has, please post a comment here). I run SM on the same box as imapd so routing is via localhost. I therefore compiled imapd with SSLTYPE=unix and firewalled off external access to port 143 on the server. External, non-SM users can access via SSL on port 993, whilst SM (PHP under Apache, actually) can access via port 143. However, if you run imapd and SM on different machines then you are putting yourself at risk unless you can set up a secure tunnel between the two.

As shipped, Panther (client, at least) does not have imap (or pop) set up as a service under xinetd. Ian's instructions above show you how to add an imap service (but it should say cd /etc/xinetd.d

Posted by: Chris Bunch at December 1, 2003 12:19 AM

Hello, thanks for all the great info. I was hoping I might get a pointer on one small issue I am running into. I am using MacOS X Server 10.3 to host a webmail page that points to another IMAP server. I have it working to log into the account, retrieve email, but when I send the email I run into a small problem. When I click the send button the email sends just fine through the other server, but the webpage never refreshes and the server logs this Apache error "Invalid Method Request \x80m\x01\x03\x01." Like I said the email sends without issue, but I can't figure out why it gets stuck on the send page when I click send. Thanks for any suggestions.

Posted by: Cory Loken at December 4, 2003 06:23 PM

I am using MacOS X Server 10.3 to host a webmail page that points to another IMAP server.....When I click the send button the email sends just fine through the other server

Cory, I don't quite follow. Sending mail does not involve an IMAP server: it requires a mail transport agent (MTA, aka an SMTP server). Examples are Sendmail, Exim, Postfix, Qmail, etc.

When SM sends mail, depending on its configuration, it either invokes sendmail directly (I presume on the local machine - I haven't looked into this) or it connects to an SMTP server (also specified in the configuration: it could be localhost or another server). Either way, the MTA (sendmail, local or remote SMTP server) should be configured so it works correctly for incoming and outgoing mail.

I presume your secondary machine is running an SMTP server for your domain, and that it is successfully receiving incoming mail and placing it in the relevant mailboxes on that machine, for IMAP to serve up to SM? Have you confirmed that mail is actually being sent, in the sense that it reaches its destination? If these two assumptions are correct and your only problem is the Apache error, then I should look both at the SMTP server logs and the Apache log. You could also run tcpflow to check the dialog between your two servers. hth

Posted by: Chris Bunch at December 5, 2003 11:09 PM

I am experiencing the same problem Cory is experiencing with Squirrel Mail in OS X. I have Panther Server running and recently activated WebMail on the URL referred to above. Unlike Cory, I have only one mail server - the server on this particular machine - and it is properly configured to send mail via SMTP and receive via both POP and IMAP. The WebMail seems to work just fine, with one exception. When I compose a message and send it, the message sends BUT THE SCREEN DOES NOT REFRESH WITH A PAGE SHOWING THAT IT SENT or with the inbox listing or whatever is supposed to show up after SENDING a message using the WebMail (which I understand is a SquirrelMail implementation). I am relatively certain that all e-mail is sent via postfix in Panther Server. However, that is not the problem. Postfix seems to send the message that I compose just fine (I have sent test messages to several addresses inside and outside my network successfully). The ONLY problem seems to be that the "compose" page gives no indication that it has successfully sent the message.

When I check the log for the Mac OS X web service, I see the same messages as Cory reported:

In the Access log:

"POST /webmail/src/compose.php HTTP/1.1" 302 5
"\x80m\x01\x03\x01" 501 -

And in the Error log:

Invalid method in request \x80m\x01\x03\x01

It is my understanding that the 501 error message is a "not authorized" error. Not sure what 302 is. Is this a permissions problem somewhere? If so, WHERE is the problem?

Posted by: Ed Marod at December 6, 2003 06:16 PM

"POST /webmail/src/compose.php HTTP/1.1" 302 5 is the normal Apache/PHP/SM response when sending mail from SM. The HTTP code 302 indicates that the requested resource is somewhere else and the command has been 'redirected' by Apache: in this case to the SMTP server. Normally, SM should return you to the message list page, but it looks as though it is waiting for an OK response to be passed back by the SMTP server, and this is not happening.

The 501 SMTP response is reporting a syntax error. I believe that Panther uses Postfix for SMTP: I have no experience of Postfix (I use Exim) and therefore cannot advise you whether this is an SM or Postfix problem. I suggest that you look at and/or post the problem on the SM, Postfix and Apple discussion forums to see if this is a recognised problem, hopefully with a fix!

I should be interested to hear if there is a resolution.

Posted by: Chris Bunch at December 6, 2003 07:51 PM

After investigating this problem both here and at the Squirrelmail.org site and at apple.com, I got a recommendation from a Cory as follows:

You have to have SSL turned on. To create a certificate to test
with you can follow the instructions at:

http://developer.apple.com/internet/macosx/modssl.html.

Since you are using 10.3 Server ignore all the Apache stuff at
the bottom. That is all activated by just turning on SSL from
the Server Settings app. Basically once you get to the lines
below, follow these commands and then go no further in the
instructions:

sudo cp server.key server.key.original
sudo openssl rsa -in server.key.original -out server.key

This apparently worked for Cory. I never got to try it because I accidentally fixed my problem by making an adjustment to the NAT settings on my SDSL router. Specifically, I simply opened port 443 (the SSL port) and pointed it to the machine that has both the webserver and the mailserver running on it. Admittedly, I have the SSL module running on the webserver, but I have done none of the things suggested for the fix. In particular, no SSL certificate, and none of the other things recommended in the manuals for SSL.

Go figure.

Posted by: Ed Marod at December 10, 2003 05:38 AM

Just to clear up any confusion here, you do not need SSL turned on in Apache to use SquirrelMail with UW-imapd. The earlier posts in this thread cover the issues related to SSL in imapd. The two are separate. However, using SSL with Apache as well is an excellent idea as otherwise your login dialog will be 'in the clear' even if the rest of the interaction with imapd is secure.

Posted by: Chris Bunch at December 10, 2003 07:55 PM

I am looking for assistance on a problem I am having setting up a mail server on our DMZ. I am using the latest version of Panther server OS 10.3.X. When I telnet to our server through our firewall IP, i.e. demo.com, on port 25 and 110 (SMTP and POP respectively), I get the appropriate responses.

Connected to www.demo.com.
Escape character is '^]'.
220 mailserver ESMTP Postfix

Connected to www.demo.com.
Escape character is '^]'.
+OK mailserver Cyrus POP3 v2.1.13 server ready 1627319619.1073182311@mailserver


However when I try to send mail to myself i.e. mclean@demo.com I get the following return message reply:

The original message was received at Sat, 3 Jan 2004 18:30:45 -0800 (PST)
from smtpin08-en2 [10.13.10.153]

----- The following addresses had permanent fatal errors -----

(reason: 554 : Relay access denied)

----- Transcript of session follows -----
... while talking to demo.com.:
DATA
: Relay access denied
554 5.0.0 Service unavailable
: Relay access denied
Last-Attempt-Date: Sat, 3 Jan 2004 18:30:49 -0800 (PST)

Any help with this problem would be appreciated. I know that I am missing something, but what I do not know.
Thanks in advance,
Paul

Posted by: Paul McLean at January 4, 2004 02:38 AM

Your SMTP server (Postfix) is, quite correctly, refusing to be an open mail relay. There will be a runtime configuration file somewhere that you will need to modify to include the IP addresses from which it is allowed to accept mail. I use Exim for SMTP, so I can't be any more specific about Postfix.

hth.

Posted by: Chris Bunch at January 4, 2004 08:30 AM

Hi,
Sorry for my bad English, I'm French. I have a problem with SM under OS X Server 10.2.8. SM works fine on the LAN, but I can't access webmail from the WAN. I think that it is not a DNS problem because the mail service runs OK on the same server. SM runs on port 8080 (because I have another webserver under IIS). On the router I set up NAT for ports 8080 and 143 to my Xserve with SquirrelMail. Is there another port to translate?
Thanks
Very nice site

Posted by: gammaray at March 27, 2004 06:10 PM

i am running sendmail 8.12.5 with squirrelmail 1.4.2
all is fine except the delivery receipts are not received and on sending a read receipt error 553 is reported
please help

Posted by: navy at April 12, 2004 06:52 AM

I am running sendmail 8.12.5 with squirrelmail 1.4.2
all is fine except the delivery receipts are not received and on sending a read receipt error 553 is reported

The 553 error is probably an SMTP error from sendmail. It often means that sendmail is refusing to relay the message. If you have SM and sendmail running on the same box you may have to configure sendmail explicitly to relay from localhost.

Can you send mail OK from SM? Does your sendmail work correctly with regular email clients (e.g. Entourage?). I do not use sendmail, for reasons I have discussed elsewhere, and strongly recommend Exim.

Posted by: Chris Bunch at April 12, 2004 11:03 AM

Apparently, none of the install instructions mention that SquirrelMail doesn't automatically setup your MySQL db tables. Apparently you have to insert the tables and fields yourself after you create the db. In fact, there is no documentation telling me what fields to create for the addressbook table! Huh?

Posted by: Glenn Batuyong at May 20, 2004 12:02 AM

none of the install instructions mention that SquirrelMail doesn't automatically setup your MySQL db tables

MySQL is not necessary for the successful operation of SquirrelMail, but can be used as a 'backend' for managing the address book and user preferences. This could be useful in a large scale installation, especially where MySQL is operational for other reasons, but is probably overkill otherwise.

Posted by: Chris Bunch at May 20, 2004 04:45 AM

squirrelmail: i don't seem to be nutty enough to make this work under OS X 10.2.8 Server.

everything looks right but when i try to go to my host/WebMail i get an error_log entry telling me the file index.php does not exist in /Library/WebServer/Documents, which of course it does not. do i need to edit the
header("Location:../index.php"); line in index.php. tried it a couple ways to no avail. php is running, i can get to host/info.php. Apple's hideous documentation is of no help. thanks for any help.

Posted by: Owen Wooding at May 25, 2004 05:10 PM

squirrelmail: i don't seem to be nutty enough to make this work under OS X 10.2.8 Server.

Well, OS X server is certainly a different breed of nut. I don't use OS X Server (all the stuff above relates to running SM under OS X client) so I can't really advise you directly. However the folks at afp548 have an excellent website dedicated to OS X server which has this article on SquirrelMail installation which may be of help.

Let us know if it helps. If it doesn't, my inclination would be to upgrade to Panther and see if that fixes it.

Posted by: Chris Bunch at May 25, 2004 07:12 PM

Can anyone please help a newbie? I am trying to get my new X Serve G5 to serve as the mail server for the sites I am hosting. I am very new to this having used IMail on W2K prior to this. Please, please, somebody help. This is way over my head.

Posted by: Derrick at November 4, 2004 07:04 PM