Re: TLS fails on imaps port

Andrew Morgan wrote:
On Sat, 23 Jan 2010, Bob Dye wrote:

I'm running Cyrus-imapd 2.3.7 on a Redhat Enterprise Linux 5 system.

TLS works fine if I connect to the imap port (143). If I try to connect instead via the imaps port (993), the attempt times out and I get the following in the log:

imaps[27170]: imaps TLS negotiation failed: [xx.xx.xx.xx]
imaps[27170]: Fatal error: tls_start_servertls() failed

Any ideas?

Try the command line openssl client and see if it can negotiate SSL/TLS. Something like this:

  openssl s_client -connect your_server_dns_name:993 -CApath /etc/ssl/certs

CApath should be the path to your local CA certificates directory, /etc/ssl/certs on Debian Linux.  You could also add -debug to get a hex dump of the traffic.

Can you post your imapd.conf file (sanitized)?

    Andy
The openssl client connects successfully with TLSv1, AES256-SHA cipher, and

* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR] netserver.vintagefactor.com Cyrus IMAP4 v2.3.7-Invoca-RPM-2.3.7-7.el5_4.3 server ready

I have a very standard imap.conf except for the use of SQL:

configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus root
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_log_level: 10
sasl_mech_list: PLAIN CRAM-MD5 DIGEST-MD5
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sql
sasl_sql_engine: mysql
sasl_auto_transition: no
sasl_sql_hostnames: mail-db.vintagefactor.com
sasl_sql_user: mail
sasl_sql_passwd: xxxxxxxx
sasl_sql_database: mail
sasl_sql_statement: SELECT password FROM accountuser WHERE username = '%u'
allowplaintext: yes
unixhierarchysep: yes
tls_require_cert: false
tls_imap_require_cert: true
tls_cert_file: /usr/share/ssl/certs/xxx.crt
tls_key_file: /usr/share/ssl/private/xxx.key
tls_ca_file: /usr/share/ssl/xxx.crt


--

Bob Dye
Vintagefactor

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
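
An added example, not written by either poster: a small triage script for the two log messages quoted in the thread. It counts TLS negotiation failures per service and client and pairs each with the fatal `tls_start_servertls()` line from the same process, which shows whether the failures come from one client or from all of them. The sample lines, host name, addresses and all function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Matches "service[pid]: message", with or without a syslog timestamp prefix.
LINE = re.compile(r"(?P<svc>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# The two message shapes quoted in the thread.
NEG_FAIL = re.compile(r"TLS negotiation failed: \[(?P<client>[^\]]+)\]")
FATAL = "Fatal error: tls_start_servertls() failed"

def triage(lines):
    """Return (failure count per (service, client), fatal exits per service)."""
    per_client = Counter()
    pending = {}               # (service, pid) -> client awaiting a fatal line
    fatal = defaultdict(list)  # service -> [(pid, client), ...]
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        key = (m["svc"], m["pid"])
        neg = NEG_FAIL.search(m["msg"])
        if neg:
            per_client[(m["svc"], neg["client"])] += 1
            pending[key] = neg["client"]
        elif FATAL in m["msg"] and key in pending:
            # Same process logged the negotiation failure just before exiting.
            fatal[m["svc"]].append((m["pid"], pending.pop(key)))
    return per_client, dict(fatal)

# Constructed sample input (documentation addresses, made-up host and pids).
SAMPLE = [
    "Jan 23 10:15:02 mailhost imaps[27170]: imaps TLS negotiation failed: [192.0.2.10]",
    "Jan 23 10:15:02 mailhost imaps[27170]: Fatal error: tls_start_servertls() failed",
    "Jan 23 10:16:40 mailhost imap[27201]: accepted connection",
    "Jan 23 10:17:05 mailhost imaps[27230]: imaps TLS negotiation failed: [192.0.2.10]",
    "Jan 23 10:17:05 mailhost imaps[27230]: Fatal error: tls_start_servertls() failed",
    "Jan 23 10:18:11 mailhost imaps[27244]: imaps TLS negotiation failed: [192.0.2.77]",
]

if __name__ == "__main__":
    counts, fatal = triage(SAMPLE)
    for (svc, client), n in sorted(counts.items()):
        print(f"{svc:6} {client:15} negotiation failures: {n}")
    for svc, exits in fatal.items():
        print(f"{svc:6} fatal tls_start_servertls exits: {len(exits)}")
```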
