The Ultimate Business Machine - Archives
List of Categories : Commentary * Database * Singapore * Technology * Travel *
Sat 10 Jan 2004
Apple's Open Directory
Category : Technology/openDir.txt
The ability to support SMTP-AUTH on a mail server is so important because it means you can open up the server for (legitimate) remote users to send mail through it without making it an Open Relay. It's the difference between a toy server and one that is considered industrial-strength. Even Linux users struggle to set this up. Definitely it's no cakewalk if you're still using sendmail.
Shin-ichi YOSHIMOTO, who has a Postfix for Mac OS X Users site (in Japanese), has been investigating how SMTP authentication got done on Panther.
This is his finding, summarised here in case others are also curious.
In Postfix on Panther, if "smtpd_use_pw_server=yes", SMTP-AUTH appears to be be done through Apple's Open Directory framework.
The Open Directory authentication service supports the following types of authentication :
(Basic) login, plain,
(Password Server Authentication) cram-md5, gssapi
These are the values we can use for the "smtpd_pw_server_security_options".
A plain-vanilla OS X Panther machine can only use the basic options - login and plain - because, according to Shin-ichi's findings, PasswordService.8, which is the Password Server daemon, is distributed only as part of Mac OS X Server.
That's why we set "smtpd_pw_server_security_options=plain,login".
So, in conclusion, SMTP-AUTH on Panther skips past the need to set anything up on /usr/lib/sasl2 or on /etc/pam.d
Actually, now that we know the way to do it (again, thanks to the information provided originally by Andy Black), SMTP-AUTH on Postfix on Panther is really very simple. And credit has got to go to Apple's engineers who designed it this way.
It's easy to underestimate how hard it could have been to do this. You only have to do a search on Google with the key words (SASL, SMTP-AUTH, Cyrus, PAM, etc...) to see how many hoops people working on the other *nix'es have to go through to get SMTP-AUTH to work, if at all.
It makes me wonder, all those guys who strut their stuff with their command-line knowledge on VersionTracker. If it's so clear how it's done, how come I never saw any of their stuff in months of looking up Google for the answer?