Forum Replies Created
cshooshan
Participant
Howdy!
Your points are well taken. Since it is my understanding that afp548.com is intended for mutual education and benefit, you have done well by me.
When you said, “launchd is open source, so anyone who is interested can find out how it works. In briefly looking over the relevant portions it’s apparent that launchd relies upon BSD’s kqueue methods for its scheduling and watchpath functionality,” it really helped since I had missed the kqueue connection. I’ve read a lot now and more fully respect its complexity. Thanks for the education.
Here’s the deal. I thought I only needed StartInterval because right now I want this thing to run once a day and I don’t care very much what time it runs — I just want to avoid 9:00 a.m. to noon. In the future, I will probably run it from 2x to 4x per day. So, StartInterval seemed good for me. I just made the “mistake” of loading it at 10:00 a.m. the first time. So, now it runs every day at 10:00 a.m. I thought, gee, shouldn’t I be able to “seed” the start time outside my 3 hour no-run window. The answer seems to be, “No!”
I also assumed that there was a way to query launchd to find out the next time something running with StartInterval would trigger. I guess not (I am currently writing the time to a text file at the end of my script to verify run times).
Again, thank you very much,
Charlie
cshooshan
Participant
Because StartInterval is all I need and there should be a way to seed a job with a specific start time. Certainly unloading and loading the “job” should restart the timer but it does not.
And, as far as Apple not wanting me to muck around with it, the whole launchd process is fairly involved (no Apple GUI for launchd plist editing — Lingon is good if you need it) — if I can edit “jobs,” I think Apple would think me capable of touching other config files related to launchd.
And, mostly, I want to know how it works.
— Charlie
cshooshan
Participant
Thank you! That is reassuring. I’ll leave it alone and watch the occasional wacky behavior.
— Charlie
cshooshan
Participant
Thank you for the feedback!
I still have a couple of questions ….
> Simple method is to disallow anonymous binding in slapd.conf.
I tried this by placing “disallow bind_anon” near the end of slapd.conf. It had a strange (to me anyway) effect. It prevented users from logging in to mail through the Squirrelmail web interface. I am guessing that Squirrelmail has to bind to look up credentials and the bind_anon somehow prevents this. Do you have any suggestions?
> For extra credit read our article on Directory Access Controls and then use those.
I started in on this but I’m not 100% sure how to substitute my site for the sample. I think I figured out that the article involves examples of access by users from one server to another. There seem to be these three distinct entities:
dc=cf1,dc=afp548,dc=com
dc=odmaster,dc=afp548,dc=com
dc=cf1,dc=jodapro,dc=com
If I have one basic XServe that is both my mail server and ODMaster, and let us say that the server is mail.mydomain.org, do I replace each of the above search strings with the one from mine:
“dc=mail,dc=mydomain,dc=org” or is it just “dc=mydomain,dc=org”?
Notes:
In Microsoft Mail or Outlook on my local LAN, I use the search base: cn=users,dc=mydomain,dc=org (there is no dc=mail).
If I authenticate (not currently required), I use the dn, as follows: uid=diradmin,cn=users,dc=mydomain,dc=org
[I can substitute any Workgroup Manager administrator and it authenticates, but not “admin” since on my XServe, root is uid 0, admin is uid 501 (netinfo only) and diradmin is uid 1000.]
Thanks again,
Charlie
cshooshan
Participant
One correction. The aliases file entry is not
John.Smithjohnsmith
but
John.Smith [tab character] johnsmith
cshooshan
Participant
Hello!
All our users have e-mail addresses in the form [email protected]. We have added every single one to the aliases file.
So, here’s our drill. Hope it helps you:
User accounts are set up, as follows:
Fullname: John Smith
Shortname: johnsmith
[We use “Passenger” to import and export users.]
We make an entry in /etc/aliases
John.Smith
johnsmith
Then, we issue the following commands:
newaliases
postfix reload
The user thinks his account is [email protected] and it works fine; but it really is [email protected] (which works, too).
The only limitation is that in Squirrelmail, users must log in by shortname (Squirrelmail has its own alias plug-in for users if they want to change their login).
Also, in Squirrelmail, we make sure to configure it to force lowercase — I believe that it is:
config/conf.pl, General Options (#4), Usernames in Lowercase (#6).
This allows JohnSmith as a login (that way we can tell users to just log in without the dot).
Hope this helps!
— Charlie
cshooshan
Participant
Success! All fixed!
Solution first:
Someone (Me! Argggggggh!) left a default setting in the Pix firewall that masquerades as "Mail Guard" — the "bad" command is: fixup protocol smtp 25
so the Pix (Cisco firewall) needed in config:
no fixup protocol smtp 25
(this used to be a problem with Microsoft Exchange but was fixed — I guess for X Serve it’s a problem).
So, even though port 25 was open, with the "fixup" command, the EHLO message wasn’t getting "heard."
Also, I did add back in plain and login so now I have:
smtpd_pw_server_security_options = plain,login,cram-md5
(in main.cf)
===========
QUESTION:
Does the order of options above matter — do some clients choose in that order (like Outlook maybe)?
===========
During my quest, I stumbled upon and enhanced this list that may be of use to someone here:
SMTP Authentication Supported by Mail Client
Apple Mail (OS X 10.1.3): LOGIN, PLAIN
Entourage 9 (Office 2001): LOGIN, PLAIN
Eudora 3.x: NONE
Eudora 4.x: CRAM-MD5
Netscape 3.x: NONE
Netscape 4.0x: LOGIN
Netscape 4.5 or above: LOGIN, PLAIN
Outlook Express 4.x or above: LOGIN
Outlook 97 (Office 97): NONE
Outlook 98: LOGIN, PLAIN
Outlook 2000 (Office 2000): PLAIN, ENCRYPTED
Outlook 2002 (Office XP): PLAIN, ENCRYPTED
Outlook Express 5.0.2: NONE
Outlook Express 5.0.6: LOGIN (Deprecated)
Pegasus: LOGIN, CRAM-MD5 (AUTO-SELECTS CRAM-MD5 if available)
Entourage X (10.1.1): CRAM-MD5
Mac OS X Mail (10.2.5): PLAIN (Password), CRAM-MD5 (MD-5 Challenge/Response), Kerberos v4, GSSAPI (Kerberos v5)
I hope my experience will help someone else who is scratching his or her head with this problem.
Thanks for everything,
Charlie
cshooshan
Participant
Dear MacTroll:
This is where I’m a bit confused so I apologize if my response is not what you need:
I have tried modifying the line:
smtpd_pw_server_security_options = cram-md5
by adding, changing order, and including / not including methods:
For example,
smtpd_pw_server_security_options = cram-md5,login,plain
smtpd_pw_server_security_options = plain,login,cram-md5
smtpd_pw_server_security_options = plain
smtpd_pw_server_security_options = login,plain
There was no change.
When I telnet to port 25, all I see is:
220 ******************************
mail from: [email protected]
250 ok
rcpt to: somebody@somewhere_else.com
554 (somebody@somewhere_else.com) Relay access denied
It doesn’t seem to even try authentication.
The OS X Server uses its own LDAP database to authenticate users. This works for pop and squirrelmail just fine.
No users have traditional home directories.
Netinfo appears turned off with respect to an alternative password store.
There is a file /etc/sasldb2.db that I cannot figure out how OS X Server updates. It’s recent (three days old) and doesn’t rebuild when I reboot, or start and stop the mail service either from the terminal or the GUI (of course, if I start and stop from the GUI, I have to copy config files back in since they are otherwise overwritten).
As far as, “Are the users PWS users?” I’m sorry but to be honest, I am not sure if I have really answered that question.
One possibility that I have seen in a few places is to try to update postfix to 2.1 (it’s now Apple’s 2.0.10 version). I am somewhat afraid that I might break something in the process and I am unclear as to how to create and update the authenticated user database so that postfix 2.1 could use it. I really don’t want to do this — there must be a way to get AUTH working in the current config.
Finally, I did compare my “postconf -n” to someone who was kind enough to e-mail me his output on the same server version that works. The only difference was, he had:
smtpd_pw_server_security_options = plain
which I mentioned that I have tried.
Thanks for listening. Any more help would be appreciated,
Charlie
cshooshan
Participant
Solved!
The big change for the “X Serve” was changing the order in the procmail line added to master.cf
Apple recommends:
procmail unix - n n - - pipe
  user=cyrus argv=/usr/bin/procmail -t -m /etc/procmailrc USER=${user} EXTENSION=${extension}
What works:
procmail unix - n n - - pipe
  user=cyrus argv=/usr/bin/procmail -t -m SENDER=${sender} USER=${user} EXTENSION=${extension} /etc/procmailrc
I also changed the deliver line in procmailrc from:
:0w
| /usr/bin/cyrus/bin/deliver -a $USER -m user/$USER
to:
:0w
| /usr/bin/cyrus/bin/deliver -r $SENDER -a $USER -m user/$USER
so as to have the returnpath header include the real sender and not [email protected] .
Hope this helps others!
— Charlie
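The symptom in the SMTP AUTH posts above (a 220 greeting made of asterisks and no authentication offered) can be told apart from a main.cf problem by sending EHLO and reading the reply. This is an added example, not part of the original posts; both transcripts and the host names are constructed, and diagnose and verdict are hypothetical helper names.

```python
import re

# Constructed transcripts ("C:" = client, "S:" = server); host names are placeholders.
FILTERED = """\
S: 220 ******************************
C: EHLO client.example.org
S: 500 Command unrecognized
C: HELO client.example.org
S: 250 mail.example.org
"""
DIRECT = """\
S: 220 mail.example.org ESMTP Postfix
C: EHLO client.example.org
S: 250-mail.example.org
S: 250-PIPELINING
S: 250-AUTH LOGIN PLAIN CRAM-MD5
S: 250 8BITMIME
"""

def diagnose(transcript):
    """Report whether the greeting was rewritten, EHLO got through, and which AUTH mechanisms were offered."""
    result = {"banner_masked": False, "ehlo_accepted": False, "auth": []}
    last_cmd = None
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "C":
            words = text.split()
            last_cmd = words[0].upper() if words else None
            continue
        reply = re.match(r"(\d{3})[ -](.*)", text)
        if not reply:
            continue
        code, rest = reply.groups()
        if code == "220" and last_cmd is None:
            # Greeting text consisting of asterisks (digits may survive) was rewritten in transit.
            result["banner_masked"] = bool(re.fullmatch(r"[*\d ]*\*[*\d ]*", rest))
        elif code == "250" and last_cmd == "EHLO":
            result["ehlo_accepted"] = True
            words = rest.split()
            if words and words[0].upper() == "AUTH":
                result["auth"] = [w.upper() for w in words[1:]]
    return result

def verdict(transcript):
    """Turn the diagnosis into the next thing to check."""
    d = diagnose(transcript)
    if d["banner_masked"] or not d["ehlo_accepted"]:
        return "filtered: EHLO is not reaching the mail server, check the firewall"
    if not d["auth"]:
        return "direct, no AUTH offered: check main.cf"
    return "direct, AUTH offered: " + ",".join(d["auth"])
```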