On 16 Jun 2008, at 19:07, Andrew Morgan wrote:

> Does the mupdate process in a Cyrus murder actually use TLS?

Almost certainly. mupdate_connect devolves to backend_connect, the same routine that cyrus routinely uses throughout for proxy connections. Also, the mupdate server pays attention to the "allowplaintext" configuration, so if you're not using TLS and aren't permitting plaintext, passwords don't work. Are you using GSSAPI?

> The 'mupdatetest' binary doesn't seem to support it. The --help doesn't
> list TLS as an option, and if I use "-t ''", it just hangs during TLS
> negotiation.

I see that imtest / mupdatetest specifically doesn't mention -t wrt mupdate. But imtest's TLS support is pretty broken, AFAIK. In particular, there's no way at all to set a CA location. In any case, mupdatetest -t "" does in fact work for me, tho it gives errors about self-signed certificates. With no CA, self-signed certs are kind of a given.

> It seems like it should work because mupdated lists STARTTLS in the
> capability string, but none of the hosts in my Cyrus murder try to use TLS
> as far as I can tell.

If you don't want them to, don't configure certificates for your mupdate master. Personally, I'm using GSSAPI everywhere, so I prefer not to have certificates configured where they aren't going to provide me with much (if any) benefit. If you do configure them, they are used.

:wes

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
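
An added example, not part of the original message and not Cyrus code: a Python sketch that parses a mupdate greeting banner, assuming the banner layout of RFC 3656, and reports whether STARTTLS is advertised and which plaintext SASL mechanisms are offered before TLS. The sample banners, host name, version string and function names are constructed for illustration.

```python
import re

# SASL mechanisms that put the password itself on the wire.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample banners (assumed RFC 3656 layout, not captured traffic).
SAMPLE_TLS_PLAIN = (
    '* AUTH "PLAIN" "GSSAPI"\r\n'
    '* STARTTLS\r\n'
    '* OK MUPDATE "mupdate.example.org" "Cyrus Murder" "v2.3" "(master)"\r\n'
)
SAMPLE_GSSAPI_ONLY = (
    '* AUTH "GSSAPI"\r\n'
    '* OK MUPDATE "mupdate.example.org" "Cyrus Murder" "v2.3" "(master)"\r\n'
)

def parse_mupdate_banner(banner: str) -> dict:
    """Parse the untagged greeting lines a mupdate server sends on connect."""
    caps = {"auth": [], "starttls": False, "role": None, "complete": False}
    for raw in banner.splitlines():
        line = raw.strip()
        if not line.startswith("* "):
            continue  # only untagged responses belong to the banner
        keyword, _, rest = line[2:].partition(" ")
        keyword = keyword.upper()
        if keyword == "AUTH":
            caps["auth"] = [m.upper() for m in re.findall(r'"([^"]*)"', rest)]
        elif keyword == "STARTTLS":
            caps["starttls"] = True
        elif keyword == "OK":
            role = re.search(r'"\((master|slave)\)"', rest)
            caps["role"] = role.group(1) if role else None
            caps["complete"] = True
            break  # the "* OK MUPDATE ..." line ends the banner
    return caps

def assess(caps: dict) -> list:
    """Return findings about TLS and plaintext authentication exposure."""
    findings = []
    if not caps["complete"]:
        findings.append("banner truncated: no '* OK' line seen")
    if not caps["starttls"]:
        findings.append("STARTTLS not advertised")
    exposed = sorted(PLAINTEXT_MECHS & set(caps["auth"]))
    if exposed:
        findings.append("plaintext mechanism offered before TLS: " + ", ".join(exposed))
    return findings

if __name__ == "__main__":
    for name, banner in (("tls+plain", SAMPLE_TLS_PLAIN), ("gssapi", SAMPLE_GSSAPI_ONLY)):
        print(name, assess(parse_mupdate_banner(banner)))
```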