Jeff Blaine wrote, at 01/21/2009 01:36 PM:

> bash-2.05# su cyrus -c "/imapsrv/mail/cyrus/bin/imtest -t
> /var/imap/server.pem imapsrv"

My understanding is that you only specify a keyfile if you're testing client
certificate authentication. For a normal test of TLS encryption, it should be
empty (but quoted):

    imtest -u bob -a bob -t "" mail.example.com

You'll still see this:

> S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN
> SASL-IR] imapsrv.our.com Cyrus IMAP v2.3.13 server ready
> C: S01 STARTTLS
> S: S01 OK Begin TLS negotiation now
> verify error:num=20:unable to get local issuer certificate
> verify error:num=27:certificate not trusted
> verify error:num=21:unable to verify the first certificate

But you shouldn't see this:

> SSL_connect error 0
> SSL session removed
> failure: TLS negotiation failed!

If it works, you'll see this instead:

    TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    C: C01 CAPABILITY
    ...

BTW, you probably shouldn't be advertising AUTH=PLAIN pre-STARTTLS. Try
something like this in imapd.conf, adjusted for the mechanisms you support:

    # authentication
    sasl_pwcheck_method: auxprop
    sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
    allowplaintext: no
    # use this to enforce TLS with plaintext mechanisms
    sasl_minimum_layer: 128

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
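A small audit script for the point raised in the reply above (plaintext SASL mechanisms advertised before STARTTLS), added here as an example and not code from the thread or the Cyrus project. It parses the server greeting quoted in the thread, and the optional live check assumes a placeholder host name and uses the standard library's imaplib, which re-reads CAPABILITY for you after STARTTLS.

```python
"""Audit which plaintext SASL mechanisms an IMAP server offers before STARTTLS.

Constructed example; the greeting below is the one quoted in the thread and
the host name in audit_server() is a placeholder.
"""
import imaplib
import re
import ssl

# Mechanisms that hand the password to the server in a directly usable form;
# they should appear only after STARTTLS (allowplaintext: no in imapd.conf).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

_CAP_RE = re.compile(r"\[CAPABILITY ([^\]]*)\]", re.IGNORECASE)


def parse_capabilities(line: str) -> set:
    """Return capability tokens from an IMAP greeting or '* CAPABILITY' line."""
    m = _CAP_RE.search(line)
    body = m.group(1) if m else line.replace("* CAPABILITY", "", 1)
    return {tok.upper() for tok in body.split()}


def audit_greeting(greeting: str) -> dict:
    """Report STARTTLS availability and plaintext mechs offered on cleartext."""
    caps = parse_capabilities(greeting)
    mechs = {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}
    return {
        "starttls": "STARTTLS" in caps,
        "plaintext_mechs_pre_tls": mechs & PLAINTEXT_MECHS,
    }


def audit_server(host: str = "mail.example.com", port: int = 143) -> dict:
    """Live check: audit the cleartext greeting, then the post-STARTTLS caps."""
    conn = imaplib.IMAP4(host, port)
    result = audit_greeting(conn.welcome.decode("ascii", "replace"))
    if result["starttls"]:
        # Default context verifies the server certificate, so the 'unable to
        # get local issuer certificate' case from the thread raises here.
        conn.starttls(ssl.create_default_context())
        post = {c.upper() for c in conn.capabilities}
        result["mechs_after_tls"] = {c[len("AUTH="):] for c in post
                                     if c.startswith("AUTH=")}
    conn.logout()
    return result
```

A finding of `{'PLAIN'}` in `plaintext_mechs_pre_tls`, as for the quoted Cyrus greeting, is the condition the reply recommends fixing in imapd.conf.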