The Ultimate Business Machine - Archives
Tue 16 Dec 2003
SMTP-AUTH on Panther's Postfix
Category : Technology
I hadn't realised that Panther's built-in Postfix binaries support SMTP-AUTH out-of-the-box, until I got a message from Jeff Bishop about doing an -
otool -L `which postfix`
which results in -
/usr/sbin/postfix:
	/System/Library/Frameworks/DirectoryService.framework/Versions/A/DirectoryService (compatibility version 1.0.0, current version 1.0.0)
	/usr/lib/libssl.0.9.7.dylib (compatibility version 0.9.7, current version 0.9.7)
	/usr/lib/libsasl22.214.171.124.dylib (compatibility version 3.0.0, current version 1.0.0)
	/System/Library/Frameworks/Kerberos.framework/Versions/A/Kerberos (compatibility version 5.0.0, current version 5.0.0)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 71.0.0)
which clearly shows Postfix linked against libsasl2, which is SASL's "glue" layer. I know that Panther's Postfix works with SSL, so this looked encouraging, by association.
So I looked through an old Jaguar installation that had Postfix's SMTP-AUTH mode enabled and copied over things that I needed, like saslpasswd2, sasldblistusers2 and also the old sasldb2.db file. (I couldn't build anything from the Cyrus SASL download on Panther - I keep getting compile errors that I don't think I'll ever know how to solve - will have to wait for these to be fixed.) Fortunately, the stuff from Jaguar looked like it continued to work in Panther.
At first I couldn't get it to work - puzzling over a system.log entry that says that the system can't find the sasldb plugin - until I realised that two files, libsasldb.2.so and libsasldb.la, were missing in Panther's /usr/lib/sasl2. So I copied them over from Jaguar, restarted Postfix ... and ... everything works!
Actually it was a lot more work than that. I must have tried a million combinations over the weekend when I wasn't feeling sick with flu. (I'm a Chinese of Fujian descent; so it must be the same strain that's coursing thru the Western half of the world right now; just kidding; it's a sick joke.)
Anyway, it's a nice discovery. Will this make it to Postfix Enabler? Implementing SMTP-AUTH via sasldb means having to maintain a separate password database, plus all the extra code needed to handle the user-interface. Instead, I'm trying to see if we can make SMTP authenticate against PAM, and thereby use the built-in OS X users and group password system. That'll be neater. SMTP works over SSL (TLS). So it'll probably be OK to use plain text passwords. Anyway, it's good that at least one way works. I would never have been able to do this with sendmail. Thanks to whoever at Apple was responsible for the decision to go with Postfix.
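The two checks described above (is the Postfix binary linked against libsasl2, and are libsasldb.2.so and libsasldb.la present in /usr/lib/sasl2) written as a shell preflight. This is an added example, not part of the original post; the function names are hypothetical and the sample otool output is constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, SAMPLE is constructed.
SAMPLE='/usr/sbin/postfix:
	/usr/lib/libssl.0.9.7.dylib (compatibility version 0.9.7, current version 0.9.7)
	/usr/lib/libsasl2.2.dylib (compatibility version 3.0.0, current version 1.0.0)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 71.0.0)'

# linked_against LIB: reads `otool -L` output on stdin; succeeds if a line
# names LIB followed only by version digits and ".dylib".
linked_against() {
    grep -Eq "/${1}[.0-9]*\.dylib"
}

# missing_plugins DIR: prints whichever of the two sasldb plugin files
# named in the post are absent from DIR, one per line.
missing_plugins() {
    for f in libsasldb.2.so libsasldb.la; do
        [ -f "$1/$f" ] || echo "$f"
    done
}

# smtp_auth_preflight OTOOL_OUTPUT PLUGIN_DIR: prints findings and returns 0
# only if libsasl2 is linked and both plugin files are present.
smtp_auth_preflight() {
    rc=0
    if printf '%s\n' "$1" | linked_against libsasl2; then
        echo "ok: linked against libsasl2"
    else
        echo "FAIL: not linked against libsasl2"; rc=1
    fi
    # TLS is what the post relies on to carry plain-text passwords.
    printf '%s\n' "$1" | linked_against libssl ||
        echo "WARN: not linked against libssl"
    for f in $(missing_plugins "$2"); do
        echo "FAIL: $2/$f missing, sasldb plugin cannot load"; rc=1
    done
    return $rc
}

# Use the real binary where otool exists, otherwise the constructed sample.
if command -v otool >/dev/null 2>&1; then
    smtp_auth_preflight "$(otool -L /usr/sbin/postfix 2>&1)" /usr/lib/sasl2 || true
else
    smtp_auth_preflight "$SAMPLE" /usr/lib/sasl2 || true
fi
```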