Andrew Morgan wrote:

AM> Does the mupdate process in a Cyrus murder actually use TLS?

AM> And.... after a lot of digging I see that this is a known bug:
AM> https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=3119

AM> Never mind! This sounds like a very complicated problem

Not particularly - it's quite a small patch which goes onto 2.3.14 and
current CVS HEAD cleanly. If there's any extra work required for it to
be applied upstream, I'm happy to do that.

AM> so I'll just stay away from TLS for mupdate. Although I don't
AM> understand why mupdate isn't having problems for me right now,
AM> since mupdate seems to be advertising STARTTLS in the
AM> capability string.

If your config allows the Mupdate server to advertise a usable SASL mech
without doing a "STARTTLS", then backend_authenticate() won't bother.

We've deployed Murder Classic with TLS everywhere and client cert
authentication between all the systems using this patch plus the client
certs one (bug #3133).

On the Mupdate box we have something like:

    allowplaintext: no
    sasl_mech_list: EXTERNAL
    tls_require_cert: true
    tls_ca_file: /etc/ssl/certs/client-internal-CA.pem
    mupdate_admins: fe1.client.dom fe2.client.dom fe3.client.dom \
                    fe4.client.dom fe5.client.dom fe6.client.dom \
                    be1.client.dom be2.client.dom be3.client.dom

Cheers

Duncan

--
Duncan Gibb - Technical Director
Sirius Corporation plc - control through freedom
http://www.siriusit.co.uk/ || t: +44 870 608 0063
Debian Cyrus Team - https://alioth.debian.org/projects/pkg-cyrus-imapd/

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
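The point of the config above is that the Mupdate server must never be able to offer a SASL mechanism that works without STARTTLS, so that the bug 3119 behaviour (backend_authenticate() skipping TLS) cannot bite. The following checker is an added example, not code from the message or from Cyrus: it parses an imapd.conf fragment in the "key: value" form shown (with the backslash continuation used for mupdate_admins; the parser is a simplified reading of that format, an assumption) and reports any setting that would let a non-TLS authentication path be advertised. The sample fragment is constructed from the one quoted in the message.

```python
"""Lint a Cyrus imapd.conf fragment for the Mupdate-over-TLS policy described in the message."""

# Constructed sample, modelled on the fragment quoted in the message.
SAMPLE_CONF = """\
allowplaintext: no
sasl_mech_list: EXTERNAL
tls_require_cert: true
tls_ca_file: /etc/ssl/certs/client-internal-CA.pem
mupdate_admins: fe1.client.dom fe2.client.dom fe3.client.dom \\
                fe4.client.dom fe5.client.dom fe6.client.dom \\
                be1.client.dom be2.client.dom be3.client.dom
"""

TRUE_WORDS = ("yes", "true", "on", "1")
FALSE_WORDS = ("no", "false", "off", "0")


def parse_conf(text):
    """Parse 'key: value' lines; a trailing backslash joins the next line onto the value."""
    conf, pending = {}, []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):              # continuation: keep collecting
            pending.append(line[:-1].strip())
            continue
        pending.append(line.strip())
        logical, pending = " ".join(pending).strip(), []
        if not logical or logical.startswith("#"):
            continue
        key, sep, value = logical.partition(":")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def mupdate_tls_findings(conf):
    """Return policy findings; an empty list means the fragment matches the posted hardening."""
    findings = []
    if conf.get("allowplaintext", "").lower() not in FALSE_WORDS:
        findings.append("allowplaintext not set to no: plaintext auth may be usable before STARTTLS")
    if set(conf.get("sasl_mech_list", "").upper().split()) != {"EXTERNAL"}:
        findings.append("sasl_mech_list is not exactly EXTERNAL: a mech usable without TLS may be advertised")
    if conf.get("tls_require_cert", "").lower() not in TRUE_WORDS:
        findings.append("tls_require_cert not enabled: peers are not forced to present a client cert")
    if not conf.get("tls_ca_file"):
        findings.append("tls_ca_file missing: client certificates cannot be verified")
    return findings


def mupdate_admins(conf):
    """Hosts allowed to act as Mupdate admins, i.e. the cert subjects EXTERNAL must map to."""
    return conf.get("mupdate_admins", "").split()
```

Run it over your real imapd.conf: any finding means the Mupdate server can still advertise an authentication path that does not require TLS, regardless of whether the STARTTLS capability appears in the banner.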