On Mon, 25 Jan 2010, Bob Dye wrote:

> Andrew Morgan wrote:
>> On Sat, 23 Jan 2010, Bob Dye wrote:
>>
>>> I'm running Cyrus-imapd 2.3.7 on a Redhat Enterprise Linux 5 system.
>>>
>>> TLS works fine if I connect to the imap port (143). If I try to connect
>>> instead via the imaps port (993), the attempt times out and I get the
>>> following in the log:
>>>
>>> imaps[27170]: imaps TLS negotiation failed: [xx.xx.xx.xx]
>>> imaps[27170]: Fatal error: tls_start_servertls() failed
>>>
>>> Any ideas?
>>
>> Try the command line openssl client and see if it can negotiate SSL/TLS.
>> Something like this:
>>
>> openssl s_client -connect your_server_dns_name:993 -CApath /etc/ssl/certs
>>
>> CApath should be the path to your local CA certificates directory,
>> /etc/ssl/certs on Debian Linux. You could also add -debug to get a hex
>> dump of the traffic.
>>
>> Can you post your imapd.conf file (sanitized)?
>>
>> Andy
>
> The openssl client connects successfully with TLSv1, AES256-SHA cipher, and
>
> * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=DIGEST-MD5
> AUTH=CRAM-MD5 SASL-IR] netserver.vintagefactor.com Cyrus IMAP4
> v2.3.7-Invoca-RPM-2.3.7-7.el5_4.3 server ready
>
> I have a very standard imap.conf except for the use of SQL:
>
> configdirectory: /var/lib/imap
> partition-default: /var/spool/imap
> admins: cyrus root
> sievedir: /var/lib/imap/sieve
> sendmail: /usr/sbin/sendmail
> hashimapspool: true
> sasl_log_level: 10
> sasl_mech_list: PLAIN CRAM-MD5 DIGEST-MD5
> sasl_pwcheck_method: auxprop
> sasl_auxprop_plugin: sql
> sasl_sql_engine: mysql
> sasl_auto_transition: no
> sasl_sql_hostnames: mail-db.vintagefactor.com
> sasl_sql_user: mail
> sasl_sql_passwd: xxxxxxxx
> sasl_sql_database: mail
> sasl_sql_statement: SELECT password FROM accountuser WHERE username = '%u'
> allowplaintext: yes
> unixhierarchysep: yes
> tls_require_cert: false
> tls_imap_require_cert: true
> tls_cert_file: /usr/share/ssl/certs/xxx.crt
> tls_key_file: /usr/share/ssl/private/xxx.key
> tls_ca_file: /usr/share/ssl/xxx.crt

It sounds like a client configuration problem then. You should choose "SSL"
when connecting to port 993 and "TLS" when connecting to port 143.

Andy

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
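The point of Andy's reply is that port 993 expects a TLS handshake before any IMAP traffic (a client that sends a cleartext IMAP command there is what produces "TLS negotiation failed"), while port 143 speaks cleartext IMAP and is upgraded with STARTTLS. The script below is an added example written for this thread, not code from the mail or from the Cyrus project. It does the same check as the `openssl s_client` test, but from Python's `imaplib`, choosing the connection mode by port (the 993/143 mapping is the assumption), and it parses the capability greeting quoted above to flag what a server offers on a cleartext session, for instance `AUTH=PLAIN` before TLS, which the `allowplaintext: yes` setting permits. The `imap_capabilities` function needs network access to a real server and is not exercised offline; the greeting parser runs on the banner from the thread.

```python
"""Diagnose IMAP TLS mode (implicit TLS on 993 vs STARTTLS on 143) and review
the capability banner a server sends.

Added example for the thread above; not part of the original mail or of Cyrus.
"""
import imaplib
import re
import ssl

# Capability greeting quoted in the thread (Bob captured it through
# openssl s_client on port 993, i.e. inside a TLS session).
SAMPLE_GREETING = (
    "* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=DIGEST-MD5 "
    "AUTH=CRAM-MD5 SASL-IR] netserver.vintagefactor.com Cyrus IMAP4 "
    "v2.3.7-Invoca-RPM-2.3.7-7.el5_4.3 server ready"
)

# Untagged greeting: "* OK [CAPABILITY ...] free text"; the capability
# response code is optional, so a bare "* OK ready" also parses.
_GREETING_RE = re.compile(r"^\* (OK|PREAUTH|BYE)(?: \[CAPABILITY ([^\]]*)\])? ?(.*)$")


def parse_greeting(line):
    """Split an IMAP greeting into status, capability tokens and free text.

    Returns None if the line is not an untagged greeting at all."""
    m = _GREETING_RE.match(line.strip())
    if not m:
        return None
    status, caps, text = m.groups()
    return {"status": status, "capabilities": caps.split() if caps else [], "text": text}


def assess_capabilities(caps, tls_active):
    """Return findings about what the server offers on this connection.

    tls_active=True means the banner was read inside TLS (implicit TLS on 993,
    or after STARTTLS on 143); False means it was read in cleartext."""
    findings = []
    mechs = [c for c in caps if c.startswith("AUTH=")]
    if not tls_active:
        if "AUTH=PLAIN" in mechs:
            findings.append("AUTH=PLAIN offered on a cleartext session: "
                            "credentials would cross the wire unencrypted")
        if "STARTTLS" not in caps:
            findings.append("STARTTLS not advertised: this cleartext session "
                            "cannot be upgraded to TLS")
        if "LOGINDISABLED" not in caps:
            findings.append("LOGINDISABLED absent: the LOGIN command is "
                            "accepted before TLS is negotiated")
    elif not mechs:
        findings.append("no SASL mechanisms advertised even inside TLS")
    return findings


def imap_capabilities(host, port, cafile=None, timeout=10):
    """Read the capability list the right way for the port (assumed mapping:
    993 = TLS handshake first, then IMAP; 143 = cleartext IMAP, then STARTTLS).

    Needs network access. Returns (tls_active, capabilities). A client that
    speaks cleartext IMAP to 993 is the mismatch behind the log line
    "imaps TLS negotiation failed" in the thread; this function never does that."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies the server cert
    if port == 993:
        conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx, timeout=timeout)
        caps = list(conn.capabilities)
        conn.logout()
        return True, caps
    conn = imaplib.IMAP4(host, port, timeout=timeout)
    pre_tls = list(conn.capabilities)
    if "STARTTLS" not in pre_tls:
        conn.logout()
        return False, pre_tls
    conn.starttls(ssl_context=ctx)  # imaplib refreshes capabilities after the upgrade
    caps = list(conn.capabilities)
    conn.logout()
    return True, caps


if __name__ == "__main__":
    parsed = parse_greeting(SAMPLE_GREETING)
    print("capabilities:", parsed["capabilities"])
    # The thread's banner came over TLS, so nothing is flagged there; reading the
    # same capability set on a cleartext session (hypothetical) shows what the
    # check is for.
    for finding in assess_capabilities(parsed["capabilities"], tls_active=False):
        print("finding:", finding)
```

Against a live server you would call `imap_capabilities("your_server_dns_name", 993, cafile="/path/to/ca.crt")` and feed the returned list to `assess_capabilities` with `tls_active=True`; the 143 path stops before STARTTLS if the server does not advertise it, which is the case the cleartext findings describe.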