Marten Lehmann wrote:
Hello,
Configure TLS. "man imapd.conf",
./doc/(text/)install-configure(.html), ...
I already have TLS resp. SSL (on separate ports)! But STARTTLS is an
extension so you can use SSL through the common pop3 or imap port (not
the special SSL one), because with STARTTLS you can open a SSL
connection within the common pop3 or imap session. I haven't found an
option how to enable the STARTTSL extension.
There is no explicit on/off toggle for TLS. From the imapd.conf man page:
tls_cert_file: <none>
File containing the certificate presented for server authentication
during STARTTLS. A value of "disabled" will disable SSL/TLS.
tls_key_file: <none>
File containing the private key belonging to the server certificate.
A value of "disabled" will disable SSL/TLS.
So, as Andreas indicated, configuring TLS should be enough to offer
STARTTLS. The only configuration I needed to do was to add something
like this to imapd.conf (Cyrus-IMAPD 2.3.7):
# TLS
tls_cert_file: /etc/ssl/certs/imap.crt
tls_key_file: /etc/ssl/certs/imap.key
tls_ca_file: /etc/ssl/certs/ca-bundle.crt
This assumes that Cyrus IMAPD was compiled with openssl support (the
default) and that you haven't somehow overridden the defaults with
further configuration. It's possible that some distros divide Cyrus
IMAPD into several smaller packages, so if you're using a package-based
system, be sure you've installed everything you need.
I compile Cyrus IMAPD from source, and it includes a nice utility called
imtest that allows you interact directly with an IMAP server even if it
uses STARTTLS or the imaps port. Therefore, it's a lot more convenient
than telnet. I recommend installing it if you don't have it.
Now you need to prove that you have properly configured TLS:
imtest -a marten mail.example.com
Some servers will include the CAPABILITY in the banner, but imtest will
also issue the CAPABILITY command. Look for STARTTLS in the list. If
it's not there, you need to check your installation or configuration.
For more help from this list, you should include your imapd.conf and any
relevant errors from your log.
To close the imtest session, type:
. logout
You can also test your imaps configuration:
imtest -a marten -s mail.example.com
This will *not* offer STARTTLS, as the connection is already encrypted.
----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
