Re: TLS fails on imaps port

Andrew Morgan wrote:
> On Mon, 25 Jan 2010, Bob Dye wrote:
>
>> Andrew Morgan wrote:
>>> On Sat, 23 Jan 2010, Bob Dye wrote:
>>>
>>>> I'm running Cyrus-imapd 2.3.7 on a Redhat Enterprise Linux 5 system.
>>>>
>>>> TLS works fine if I connect to the imap port (143). If I try to connect instead via the imaps port (993), the attempt times out and I get the following in the log:
>>>>
>>>> imaps[27170]: imaps TLS negotiation failed: [xx.xx.xx.xx]
>>>> imaps[27170]: Fatal error: tls_start_servertls() failed
>>>>
>>>> Any ideas?
>>>
>>> Try the command line openssl client and see if it can negotiate SSL/TLS. Something like this:
>>>
>>>   openssl s_client -connect your_server_dns_name:993 -CApath /etc/ssl/certs
>>>
>>> CApath should be the path to your local CA certificates directory, /etc/ssl/certs on Debian Linux.  You could also add -debug to get a hex dump of the traffic.
>>>
>>> Can you post your imapd.conf file (sanitized)?
>>>
>>>     Andy
>>
>> The openssl client connects successfully with TLSv1, AES256-SHA cipher, and
>>
>> * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR] netserver.vintagefactor.com Cyrus IMAP4 v2.3.7-Invoca-RPM-2.3.7-7.el5_4.3 server ready
>>
>> I have a very standard imap.conf except for the use of SQL:
>>
>> configdirectory: /var/lib/imap
>> partition-default: /var/spool/imap
>> admins: cyrus root
>> sievedir: /var/lib/imap/sieve
>> sendmail: /usr/sbin/sendmail
>> hashimapspool: true
>> sasl_log_level: 10
>> sasl_mech_list: PLAIN CRAM-MD5 DIGEST-MD5
>> sasl_pwcheck_method: auxprop
>> sasl_auxprop_plugin: sql
>> sasl_sql_engine: mysql
>> sasl_auto_transition: no
>> sasl_sql_hostnames: mail-db.vintagefactor.com
>> sasl_sql_user: mail
>> sasl_sql_passwd: xxxxxxxx
>> sasl_sql_database: mail
>> sasl_sql_statement: SELECT password FROM accountuser WHERE username = '%u'
>> allowplaintext: yes
>> unixhierarchysep: yes
>> tls_require_cert: false
>> tls_imap_require_cert: true
>> tls_cert_file: /usr/share/ssl/certs/xxx.crt
>> tls_key_file: /usr/share/ssl/private/xxx.key
>> tls_ca_file: /usr/share/ssl/xxx.crt
>
> It sounds like a client configuration problem then.  You should choose "SSL" when connecting to port 993 and "TLS" when connecting to port 143.
>
>     Andy

OK. Thanks.

But it does seem odd that it supports STARTTLS on 143 but not 993.

--

Bob Dye
Vintagefactor
P.O. Box 852
St. Helena, CA 94574-0852
Cell: 707.738.9919
Tel: 707.963.6045
Fax: 707.967.5578
www.vintagefactor.com
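The point Andy makes is that port 993 expects the TLS handshake before any IMAP bytes are exchanged, while port 143 starts in the clear and is upgraded with STARTTLS; a client sending a cleartext greeting to 993 is what produces the tls_start_servertls() failure. The probe below is an added example, not code from the thread or from Cyrus: it drives both exchanges and reviews the capability list the way the openssl session above shows it. The host name, the finding strings and the pre_tls_findings key are the example's own choices, and the sample greeting is the one quoted in the thread.

```python
import re
import socket
import ssl

# Greeting copied from the thread's openssl s_client session on port 993 (offline sample).
SAMPLE_GREETING = ("* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=DIGEST-MD5 "
                   "AUTH=CRAM-MD5 SASL-IR] netserver.vintagefactor.com Cyrus IMAP4 "
                   "v2.3.7-Invoca-RPM-2.3.7-7.el5_4.3 server ready")

def parse_capabilities(line):
    """Tokens from a greeting '[CAPABILITY ...]' or an untagged '* CAPABILITY ...' reply."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line) or re.match(r"\* CAPABILITY (.*)", line)
    return m.group(1).split() if m else []

def review_capabilities(caps, encrypted):
    """Defender's checks: STARTTLS only on the cleartext port, passwords only inside TLS."""
    findings = []
    if encrypted and "STARTTLS" in caps:
        findings.append("STARTTLS still advertised inside the TLS session")
    if not encrypted and "LOGINDISABLED" not in caps:
        findings.append("password login accepted before TLS (Cyrus allowplaintext: yes)")
    return findings

def _readline(sock):
    """Read one CRLF line a byte at a time so nothing is buffered past it."""
    buf = b""
    while not buf.endswith(b"\r\n") and (chunk := sock.recv(1)):
        buf += chunk
    return buf.decode("ascii", "replace").rstrip("\r\n")

def probe(host, port, timeout=5.0):
    """993: TLS handshake first, greeting inside it. 143: cleartext greeting, then STARTTLS."""
    ctx = ssl.create_default_context()  # verifies the chain and hostname
    pre = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            if port != 993:  # STARTTLS path: greeting and capabilities arrive in the clear
                pre = review_capabilities(parse_capabilities(_readline(raw)), False)
                raw.sendall(b"a1 STARTTLS\r\n")
                if not _readline(raw).startswith("a1 OK"):
                    return {"port": port, "error": "STARTTLS refused", "pre_tls_findings": pre}
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                if port != 993:  # no second greeting after STARTTLS; ask again
                    tls.sendall(b"a2 CAPABILITY\r\n")
                caps = parse_capabilities(_readline(tls))
                return {"port": port, "tls": tls.version(), "cipher": tls.cipher()[0],
                        "capabilities": caps, "pre_tls_findings": pre,
                        "findings": review_capabilities(caps, True)}
    except OSError as exc:  # refused, timed out, handshake or certificate failure
        return {"port": port, "error": str(exc)}
```

A certificate verification error on 993 is reported as an error rather than silently accepted, since with tls_ca_file pointing at a self-issued certificate the chain will not validate against the system store.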

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
