-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Denis Sacchet wrote:
> Hi,

Hello Denis,

> I've had problems for 1 or 2 months with TLS connections to my cyrus
> server in IMAP. I will try to explain the configuration and the problem.
>
> First of all, here is my cyrus.conf and imapd.conf :
>
> /ETC/CYRUS.CONF :
>
> START {
> recover cmd="ctl_cyrusdb -r"
> }
> SERVICES {
> imap cmd="imapd -p 2 -s -U 1 -T 60" listen="143" prefork=8
                       ^^
You aren't doing TLS here, but IMAP encapsulated in SSL...

> imaps cmd="imapd -p 2 -s -U 1 -T 60" listen="993" prefork=1
> cyradm cmd="imapd -p 0 -U 1 -T 60" listen="8143" prefork=1
> sieve cmd="timsieved" listen="127.0.0.1:2000" prefork=0
> lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
> }

[...]

> Here is the result of the imtest in TLS (-s on the port 143) :
>
> imtest -p 143 -s -a XXXX@xxxxxxxx 127.0.0.1
> verify error:num=19:self signed certificate in certificate chain
> TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)

[...]

Please read the output: you do IMAP encapsulated in SSL...

On a properly configured IMAP port 143, imtest with -s will fail:

imtest -a XXXX -s -p 143 imapserver
SSL_connect error 0
SSL error: ok
SSL session removed
failure: TLS negotiation failed!

> The same thing with the s_client of openssl :
>
> openssl s_client -host 127.0.0.1 -port 143 -tls1
> CONNECTED(00000003)
> depth=1 /C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=OUBA.ORG C.A./emailAddress=XXXX@xxxxxxxx
> verify error:num=19:self signed certificate in certificate chain
> verify return:0

[...]

Also: An unpatched OpenSSL s_client is not able to do TLS (STARTTLS) on an
IMAP server.

You are confused by the 2 different meanings of the acronym TLS here:

* In the SSL / OpenSSL context TLS stands for the reimplemented SSL protocol
  with the name TLS.
* In the IMAP environment the meaning of the acronym TLS is: inside of an
  existing IMAP connection a TLS (the protocol) session is started with the
  STARTTLS command.
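As an added illustration, not part of this message or of the Cyrus distribution, here is the quoted SERVICES block with the one change the reply implies: the `-s` switch (serve IMAP wrapped in SSL) is dropped from the port 143 entry, so 143 speaks plain IMAP and upgrades with STARTTLS, while 993 keeps SSL-encapsulated IMAP. The other lines are copied unchanged from Denis's file; the `#` comments are mine.

```conf
SERVICES {
  # port 143: plain IMAP, clients upgrade with STARTTLS (no -s here)
  imap     cmd="imapd -p 2 -U 1 -T 60"    listen="143"  prefork=8
  # port 993: IMAP encapsulated in SSL/TLS from the first byte (-s)
  imaps    cmd="imapd -p 2 -s -U 1 -T 60" listen="993"  prefork=1
  cyradm   cmd="imapd -p 0 -U 1 -T 60"    listen="8143" prefork=1
  sieve    cmd="timsieved"                listen="127.0.0.1:2000" prefork=0
  lmtpunix cmd="lmtpd"                    listen="/var/imap/socket/lmtp" prefork=0
}
```

After this change `imtest -s -p 143` should fail with "TLS negotiation failed!" as shown above, and `imtest -t "" -p 143` (STARTTLS) should succeed; a Thunderbird account set to TLS on 143 then gets the plaintext greeting it is waiting for.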
> So, it seems everything works fine, now try to connect with thunderbird
> with a fresh new profile :

> But if I switch to TLS on port 143, after a while (about 2 or 3 minutes):
>
> ==> err.log <==
> Jul 5 14:11:05 smtp imap[27757]: Fatal error: tls_start_servertls() failed

That is because your server speaks SSL encapsulated IMAP on the port where
Thunderbird expects IMAP with STARTTLS...

[...]

> Do you think the problems come from Thunderbird or from Cyrus.

Your problem is your broken server configuration.

With TLS the handshake should look like:

imtest -a goetz -m EXTERNAL -t goetz.pem -F cacert.pem imapserver
S: * OK imapserver Cyrus IMAP4 v2.2.12 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS AUTH=OTP AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
Enter PEM pass phrase:
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN AUTH=OTP AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=EXTERNAL SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
C: A01 AUTHENTICATE EXTERNAL Z29ldHo=
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256
. logout
* BYE LOGOUT received
. OK Completed
Connection closed.

With the exception that an unpatched imtest doesn't support the EXTERNAL
authentication method...

By the way: I really hope your real user name is not ouba@xxxxxxxx with a
password that begins with lgW ...
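An added diagnostic, not code from this message or from the Cyrus project, that automates the check the reply makes by hand: connect to a port and decide whether it speaks plain IMAP that offers STARTTLS, or IMAP encapsulated in SSL that says nothing until it receives a TLS ClientHello. The greeting and the two CAPABILITY lines used as sample input are copied from the transcript above; `probe()` is a hypothetical helper that performs the live check, and the host name in the usage note is a placeholder.

```python
"""Tell an SSL-wrapped IMAP port (imaps style) apart from a plain IMAP port
that offers STARTTLS, and inspect what the server advertises.

Added example; not code from the original message or from Cyrus."""
import socket
import ssl
from typing import Optional, Set

# Sample data, copied from the STARTTLS transcript in the message above.
SAMPLE_GREETING = b"* OK imapserver Cyrus IMAP4 v2.2.12 server ready\r\n"
SAMPLE_CAPABILITY_BEFORE = (
    b"* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE "
    b"UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT "
    b"THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS AUTH=OTP "
    b"AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE\r\n"
)
# The same server after STARTTLS: STARTTLS is gone, AUTH=PLAIN/AUTH=EXTERNAL appear.
SAMPLE_CAPABILITY_AFTER = (
    b"* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE "
    b"UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT "
    b"THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN AUTH=OTP "
    b"AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=EXTERNAL SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE\r\n"
)


def classify_greeting(greeting: Optional[bytes]) -> str:
    """Decide what a port speaks from the first bytes the server sends.

    Plain IMAP: the server talks first, with an untagged '* OK' greeting.
    SSL-wrapped IMAP: the server is silent until it gets a TLS ClientHello
    (greeting is None after a read timeout); if the client spoke first, the
    answer is a TLS record whose content type byte is 0x16 (handshake).
    """
    if greeting is None:
        return "ssl-wrapped"
    if greeting.startswith(b"* OK"):
        return "plain-imap"
    if greeting[:1] == b"\x16":
        return "ssl-wrapped"
    return "unknown"


def parse_capabilities(line: bytes) -> Set[str]:
    """Turn an untagged '* CAPABILITY ...' response into a set of tokens."""
    text = line.decode("ascii", "replace").strip()
    if not text.upper().startswith("* CAPABILITY"):
        raise ValueError("not a CAPABILITY response: %r" % text)
    return set(text.split()[2:])


def starttls_status(greeting: Optional[bytes], capability_line: Optional[bytes]) -> dict:
    """Summarise one probe: which flavour the port speaks and what it advertises."""
    caps = parse_capabilities(capability_line) if capability_line else set()
    return {
        "port_kind": classify_greeting(greeting),
        "starttls_offered": "STARTTLS" in caps,
        # In the transcript above AUTH=PLAIN only appears on the capability
        # line sent after STARTTLS, i.e. once the connection is protected.
        "plain_auth_offered": "AUTH=PLAIN" in caps,
    }


def probe(host: str, port: int, timeout: float = 5.0, cafile: Optional[str] = None) -> dict:
    """Live check (hypothetical helper, not exercised offline): connect, wait for
    a plaintext greeting, and fall back to a TLS handshake if none arrives.
    cafile, if given, is the CA bundle used to verify the server certificate."""
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        try:
            greeting: Optional[bytes] = sock.recv(1024)
        except socket.timeout:
            greeting = None  # silent server: it is waiting for a TLS ClientHello
        kind = classify_greeting(greeting)
        if kind == "plain-imap":
            sock.sendall(b"C01 CAPABILITY\r\n")
            reply = b""
            while not any(l.startswith(b"C01 ") for l in reply.splitlines()):
                chunk = sock.recv(4096)
                if not chunk:
                    break
                reply += chunk
            cap_line = next(
                (l for l in reply.splitlines() if l.upper().startswith(b"* CAPABILITY")), None)
            return starttls_status(greeting, cap_line)
        if greeting is None:
            ctx = ssl.create_default_context(cafile=cafile)
            tls = ctx.wrap_socket(sock, server_hostname=host)
            banner = tls.recv(1024).decode("ascii", "replace").strip()
            return {"port_kind": "ssl-wrapped", "tls_version": tls.version(), "greeting": banner}
        return {"port_kind": kind, "first_bytes": greeting[:16]}
    finally:
        sock.close()
```

Against Denis's configuration, `probe("imap.example.org", 143)` (placeholder host) returns `port_kind` "ssl-wrapped" with no STARTTLS in sight, which is exactly why Thunderbird's STARTTLS attempt on 143 ends in `tls_start_servertls() failed`; against a port 143 without `-s` it returns "plain-imap" with `starttls_offered` True, matching the first CAPABILITY line in the transcript.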
Bye
Goetz

- -- 
DMCA: The greed of the few outweighs the freedom of the many
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFErAsW2iGqZUF3qPYRAr3NAJ9zr2gq2vuVXjIBobK/JKruKQE2nQCfQvvX
gehDJKt4AKgqeRP7YLMaHiE=
=3MyG
-----END PGP SIGNATURE-----
----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html