Jorey Bump wrote:
> Jeff Blaine wrote, at 01/16/2009 10:12 AM:
>> With the tls_ca_file line removed, Thunderbird asked me
>> to specify a client certificate, I chose my cert and
>> entered my password to access it.
>
> That sounds backwards. My understanding is that setting tls_ca_file is
> what will cause some clients to prompt for a client certificate, and
> that commenting out the setting avoids this problem if you don't use
> client certs.
>
>> Jan 16 10:08:33 imapsrv imap[15668]: [ID 921384 local6.debug] accepted connection
>> Jan 16 10:08:33 imapsrv imap[15668]: [ID 636471 local6.notice] TLS server engine: cannot load CA data
>
> That's fine. It's a spurious log message as a result of removing
> tls_ca_file.
>
>> Jan 16 10:08:33 imapsrv imap[15668]: [ID 286863 local6.notice] imapd:Loading hard-coded DH parameters
>
> This is also normal, nothing to worry about.
>
>> Jan 16 10:08:33 imapsrv imap[15668]: [ID 277171 local6.error] TLS server engine: No CA file specified. Client side certs may not work
>
> More harmless noise from the removal of tls_ca_file.
>
>> Jan 16 10:08:33 imapsrv imap[15668]: [ID 574029 local6.debug] SSL_accept() incomplete -> wait
>> Jan 16 10:08:43 imapsrv imap[15668]: [ID 160154 local6.debug] Doing a peer verify
>> Jan 16 10:08:43 imapsrv imap[15668]: [ID 227675 local6.error] verify error:num=20:unable to get local issuer certificate
>> Jan 16 10:08:43 imapsrv imap[15668]: [ID 192010 local6.debug] no certificate returned in SSL_accept() -> fail
>> Jan 16 10:08:43 imapsrv imap[15668]: [ID 239158 local6.notice] STARTTLS negotiation failed: bva-172.our.com
>
> This is probably related to your client certificate, now that you don't
> have a CA store for verification. I don't know why Thunderbird prompted
> you for a certificate, though. You might want to test from another
> Thunderbird with no client certs installed.
>
> In any case, this might be easier to troubleshoot if you post your
> imapd.conf (and maybe even cyrus.conf). I found it was a little tricky
> going upgrading within 2.3.x due to some TLS changes, but I still
> managed to maintain a very simple configuration. Yours just might need a
> couple of tweaks.

Here ya go:

allowplaintext: true
configdirectory: /var/imap
defaultpartition: default
partition-default: /var/spool/imap
imap_admins: root cyrus
sasl_pwcheck_method: saslauthd
unix_group_enable: 0
sieveusehomedir: true
autocreatequota: 200000
duplicate_db: skiplist
annotation_db: skiplist
mboxkey_db: skiplist
mboxlist_db: skiplist
tlscache_db: skiplist
tls_session_timeout: 0
tls_cert_file: /var/imap/ca.crt
tls_key_file: /var/imap/server.pk

START {
  recover cmd="ctl_cyrusdb -r"
}

SERVICES {
  imap cmd="imapd" listen="imap" prefork=5 proto=tcp4
  imaps cmd="imapd -s" listen="imaps" prefork=1 proto=tcp4
  lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=1
}

EVENTS {
  checkpoint cmd="ctl_cyrusdb -c" period=10
  delprune cmd="cyr_expire -E 3" at=0400
  tlsprune cmd="tls_prune" at=0400
}

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
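A small sanity check for the TLS options discussed in this thread, added here as an example and not part of the thread or of Cyrus itself: it parses a constructed imapd.conf in the same `key: value` format as the one posted and reports the settings the reply touches on (tls_ca_file absent, allowplaintext, tls_session_timeout). The sample configuration and the CA-style file-name heuristic are assumptions of the example.

```python
import re

# Constructed sample modelled on the imapd.conf posted in the thread (not the poster's file verbatim).
SAMPLE_IMAPD_CONF = """\
allowplaintext: true
configdirectory: /var/imap
sasl_pwcheck_method: saslauthd
tls_session_timeout: 0
tls_cert_file: /var/imap/ca.crt
tls_key_file: /var/imap/server.pk
"""

TRUE_VALUES = {"1", "true", "yes", "on", "t"}


def parse_imapd_conf(text):
    """Parse Cyrus 'key: value' lines into a dict; blank lines and '#' comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def check_tls_settings(conf):
    """Return human-readable findings for the TLS-related options the thread discusses."""
    findings = []
    cert, key, ca = conf.get("tls_cert_file"), conf.get("tls_key_file"), conf.get("tls_ca_file")
    if bool(cert) != bool(key):
        findings.append("tls_cert_file and tls_key_file must be set together")
    if not ca:
        # The situation in the thread: with no CA store the server cannot chain a client
        # certificate and logs 'No CA file specified' / 'unable to get local issuer certificate'.
        findings.append("tls_ca_file unset: client certificates cannot be verified; expect "
                        "'No CA file specified' notices and verify error num=20 if a client presents one")
    # Heuristic (assumption of this example): a server cert stored under a CA-style name deserves a second look.
    if cert and re.search(r"(^|/)ca\.(crt|pem)$", cert):
        findings.append(f"tls_cert_file {cert} is named like a CA certificate; confirm it is the server's own cert")
    if conf.get("allowplaintext", "").lower() in TRUE_VALUES:
        findings.append("allowplaintext enabled: cleartext password mechanisms are offered on unencrypted connections")
    if conf.get("tls_session_timeout") == "0":
        findings.append("tls_session_timeout 0: TLS session caching disabled, every connection does a full handshake")
    return findings
```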