On Mon, 16 Jun 2008, Wesley Craig wrote:

> On 16 Jun 2008, at 19:07, Andrew Morgan wrote:
>> Does the mupdate process in a Cyrus murder actually use TLS?
>
> Almost certainly. mupdate_connect devolves to backend_connect, the same
> routine that cyrus routinely uses throughout for proxy connections. Also,
> the mupdate server pays attention to the "allowplaintext" configuration, so
> if you're not using TLS and aren't permitting plaintext, passwords don't
> work. Are you using GSSAPI?
>
>> The 'mupdatetest' binary doesn't seem to support it. The --help doesn't
>> list TLS as an option, and if I use "-t ''", it just hangs during TLS
>> negotiation.
>
> I see that imtest / mupdatetest specifically doesn't mention -t wrt mupdate.
> But imtest's TLS support is pretty broken, AFAIK. In particular, there's no
> way at all to set a CA location. In any case, mupdatetest -t "" does in fact
> work for me, tho it gives errors about self-signed certificates. With no CA,
> self-signed certs are kind of a given.
>
>> It seems like it should work because mupdated lists STARTTLS in the
>> capability string, but none of the hosts in my Cyrus murder try to use TLS
>> as far as I can tell.
>
> If you don't want them to, don't configure certificates for your mupdate
> master. Personally, I'm using GSSAPI everywhere, so I prefer not to have
> certificates configured where they aren't going to provide me with much (if
> any) benefit. If you do configure them, they are used.

Thanks Wes. It seems that I had the permissions wrong on my private key so
mupdate was unable to use TLS. Now I think I need to restart mupdate to get
it working properly...

Andy

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
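The failure reported at the end of this thread, a private key the server process cannot read, can be checked from the key's owner and mode bits before restarting. This is an added example, not part of the thread and not Cyrus code; it assumes the key path is set by a `tls_key_file` line in imapd.conf and that the service account's uid is known, and the function names are hypothetical.

```python
import os
import stat
import tempfile

def key_path_from_conf(conf_text, option="tls_key_file"):
    """Return the value of `option` from "name: value" config text, or None.

    The option name is an assumption; pass the one your imapd.conf uses.
    """
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep and name.strip() == option:
            return value.strip()
    return None

def audit_key(path, uid, gids=()):
    """Decide from owner and mode bits whether `uid` can read the key.

    Returns (readable, problems). ACLs and parent directories are not checked.
    """
    try:
        st = os.stat(path)
    except OSError as exc:
        return False, [f"cannot stat {path}: {exc.strerror}"]
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        readable = bool(mode & stat.S_IRUSR)
    elif st.st_gid in gids:
        readable = bool(mode & stat.S_IRGRP)
    else:
        readable = bool(mode & stat.S_IROTH)
    problems = []
    if not readable:
        problems.append(f"uid {uid} cannot read {path} "
                        f"(owner {st.st_uid}, mode {mode:04o})")
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        problems.append(f"{path} is accessible to other users")
    return readable, problems

if __name__ == "__main__":
    # Constructed sample: a temporary file stands in for the private key.
    with tempfile.NamedTemporaryFile(suffix=".pem") as key:
        os.chmod(key.name, 0o600)
        conf = f"# constructed fragment\nallowplaintext: no\ntls_key_file: {key.name}\n"
        path = key_path_from_conf(conf)
        print(audit_key(path, os.getuid()))      # owner of the key
        print(audit_key(path, os.getuid() + 1))  # a different account
```

A key that is mode 0600 and owned by another account is reported as unreadable for the service uid, which matches the symptom of STARTTLS being advertised but TLS not being used.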