Re: STARTTLS available?

Marten Lehmann wrote:
> Hello,
>
> > Configure TLS. "man imapd.conf", ./doc/(text/)install-configure(.html), ...
>
> I already have TLS resp. SSL (on separate ports)! But STARTTLS is an extension so you can use SSL through the common pop3 or imap port (not the special SSL one), because with STARTTLS you can open an SSL connection within the common pop3 or imap session. I haven't found an option to enable the STARTTLS extension.

There is no explicit on/off toggle for TLS. From the imapd.conf man page:

 tls_cert_file: <none>
   File containing the certificate presented for server authentication
   during STARTTLS. A value of "disabled" will disable SSL/TLS.

 tls_key_file: <none>
   File containing the private key belonging to the server certificate.
   A value of "disabled" will disable SSL/TLS.

So, as Andreas indicated, configuring TLS should be enough to offer STARTTLS. The only configuration I needed to do was to add something like this to imapd.conf (Cyrus-IMAPD 2.3.7):

# TLS
tls_cert_file: /etc/ssl/certs/imap.crt
tls_key_file: /etc/ssl/certs/imap.key
tls_ca_file: /etc/ssl/certs/ca-bundle.crt

This assumes that Cyrus IMAPD was compiled with openssl support (the default) and that you haven't somehow overridden the defaults with further configuration. It's possible that some distros divide Cyrus IMAPD into several smaller packages, so if you're using a package-based system, be sure you've installed everything you need.

I compile Cyrus IMAPD from source, and it includes a nice utility called imtest that allows you to interact directly with an IMAP server even if it uses STARTTLS or the imaps port. Therefore, it's a lot more convenient than telnet. I recommend installing it if you don't have it.

Now you need to prove that you have properly configured TLS:

 imtest -a marten mail.example.com

Some servers will include the CAPABILITY in the banner, but imtest will also issue the CAPABILITY command. Look for STARTTLS in the list. If it's not there, you need to check your installation or configuration. For more help from this list, you should include your imapd.conf and any relevant errors from your log.

To close the imtest session, type:

 . logout

You can also test your imaps configuration:

 imtest -a marten -s mail.example.com

This will *not* offer STARTTLS, as the connection is already encrypted.
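The same check the post does by hand with imtest, as an added example (not from the original post and not part of Cyrus): it connects to the plain IMAP port with Python's imaplib, reads the capability list, upgrades with STARTTLS while verifying the server certificate, and reads the list again. The host name mail.example.com is taken from the imtest command above; the finding texts and the LOGINDISABLED check are assumptions of this example, not Cyrus output.

```python
import imaplib
import ssl

IMAP_HOST = "mail.example.com"  # assumption: the host from the thread's imtest command
IMAP_PORT = 143                 # plain IMAP port; STARTTLS upgrades this same connection

NO_STARTTLS = "STARTTLS not advertised: check tls_cert_file/tls_key_file in imapd.conf"
PLAIN_LOGIN = "LOGINDISABLED missing: plaintext LOGIN is accepted before STARTTLS"
STALE_CAPS = "STARTTLS still advertised after the upgrade: capabilities not refreshed"


def parse_capabilities(raw: bytes) -> set:
    """CAPABILITY response line or '* OK [CAPABILITY ...]' greeting -> token set."""
    text = raw.decode("ascii", "replace")
    start = text.find("[CAPABILITY")
    if start != -1:                     # greeting form: take only the bracketed code
        end = text.find("]", start)
        text = text[start + len("[CAPABILITY"):end if end != -1 else len(text)]
    return {tok.upper() for tok in text.split()}


def assess(before: set, after=None) -> list:
    """Findings from capabilities seen before/after STARTTLS; [] means healthy."""
    if "STARTTLS" not in before:
        return [NO_STARTTLS]
    findings = []
    if "LOGINDISABLED" not in before:   # LOGINDISABLED (RFC 2595) refuses LOGIN pre-TLS
        findings.append(PLAIN_LOGIN)
    if after is not None and "STARTTLS" in after:
        findings.append(STALE_CAPS)
    return findings


def check_starttls(host: str = IMAP_HOST, port: int = IMAP_PORT) -> list:
    """Connect in the clear, upgrade with STARTTLS (certificate and host name
    verified against the system CA store), and assess both capability lists."""
    conn = imaplib.IMAP4(host, port)
    try:
        _, data = conn.capability()
        before = parse_capabilities(data[-1])
        after = None
        if "STARTTLS" in before:
            conn.starttls(ssl.create_default_context())  # raises if verify fails
            _, data = conn.capability()
            after = parse_capabilities(data[-1])
        return assess(before, after)
    finally:
        conn.shutdown()


if __name__ == "__main__":
    print("\n".join(check_starttls() or ["STARTTLS offered and upgrade verified"]))
```

Run it against the server after editing imapd.conf; an empty finding list corresponds to seeing STARTTLS in the imtest capability list and a clean TLS handshake.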



----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
