On Mon, Jul 11, 2011 at 12:57:34PM +0300, Ivan Lezhnjov Jr. wrote:
> This is a follow-up.
>
> I tried synctest and it basically pointed at the same issue.
>
> [root@imapsite-replica scripts]# synctest -a cyrusadmin -u cyrusadmin
> -t "" master
> S: * SASL PLAIN
> S: * STARTTLS
> S: * COMPRESS DEFLATE
> S: * OK imapsite-master Cyrus sync server v2.4.10-Kolab-2.4.10-1
> C: STARTTLS
> S: OK Begin TLS negotiation now
> verify error:num=18:self signed certificate
>
> I can login if I omit -t "". So, I tried to disable TLS by commenting
> out tls_* lines in imapd.conf of both hosts and starting the
> cyrus-imap to serve only imap service (disalbed imaps, pop, etc.)
>
> Now, with this TLS-less configuration B switched to master outputs to logs:
>
> Jul 11 12:51:09 imapsite-replica sync_client[1444]: couldn't
> authenticate to backend server: no mechanism available
> Jul 11 12:52:39 imapsite-replica last message repeated 2 times
>
> and A switched to replica outputs the following:
> Jul 11 12:51:09 imapsite-master syncserver[18209]: accepted connection
> Jul 11 12:51:09 imapsite-master syncserver[18209]: cmdloop(): startup
> Jul 11 12:51:39 imapsite-master syncserver[18209]: accepted connection
> Jul 11 12:51:39 imapsite-master syncserver[18209]: cmdloop(): startup
> Jul 11 12:52:39 imapsite-master syncserver[18209]: accepted connection
> Jul 11 12:52:39 imapsite-master syncserver[18209]: cmdloop(): startup
>
> Replication doesn't succeed, obviously.
Our "sync server block" looks like this:
sync_server [% CONF %] -p 1
(template toolkit magic for the configuration file paths)
The -p 1 is this:
-p ssf Tell sync_server that an external layer exists. An SSF (security strength
factor) of 1 means an integrity protection layer exists. Any higher SSF
implies some form of privacy protection.
So -p 1 allows plaintext authentication to succeed without TLS.
Bron.
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
