Re: sync_server and TLS

Hi Stephen,

On Tuesday, 18.02.2014, at 22:33 -0800, Stephen Ingram wrote:
> On Tue, Feb 18, 2014 at 4:16 PM, Marcus Schopen <lists@xxxxxxxxxxxx>
> wrote:
>         Hi,
>         
>         how do I figure out if master and replica are talking via TLS?
>         Certs are installed on both servers. Telnet on the replica shows:
>         
>         ------------
>         ~# telnet replica 2005
>         Trying 127.0.0.1...
>         Connected to localhost.
>         Escape character is '^]'.
>         * SASL DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN
>         * STARTTLS
>         * COMPRESS DEFLATE
>         * OK tripp Cyrus sync server v2.4.12-Debian-2.4.12-2
>         ------------
>         
>         When starting the master, login and replication is working,
>         but it seems not working on TLS:
>         
>         Feb 19 01:11:24 replica cyrus/syncserver[22175]: accepted connection
>         Feb 19 01:11:24 replica cyrus/syncserver[22175]: cmdloop(): startup
>         Feb 19 01:11:24 replica cyrus/syncserver[22175]: login: server [xxx] syncuser DIGEST-MD5 User logged in
> 
> 
> Marcus-
> 
> 
> It doesn't look like your sync server is using TLS. You'll see
> references to it in the logs on both the master and the replica as the
> connection is established like:
> 
> 
> sync_client[25615]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new client) no authentication,
> 
> 
> then you should see the authentication begin.
> 
> 
> Does your imapd.conf file on both master and replica specify the
> certificate, key and CA? Do the users the processes run as have access
> to these?

I feed the master via LMTP over TCP from a remote sendmail, and this
connection is using TLS. I can see it in the logs. And I can connect to
the master via SSL on the IMAPS port. Therefore I think the certificates
are correctly installed on the master. I set tls_cert_file, tls_key_file
and tls_ca_file.

And on the replica, a synctest shows:


-----------
synctest -a syncadmin -u syncamdin -t '' server


Feb 19 02:23:57 tripp cyrus/master[22549]: about to exec /usr/lib/cyrus/bin/sync_server
Feb 19 02:23:57 tripp cyrus/syncserver[22549]: executed
Feb 19 02:23:57 tripp cyrus/syncserver[22549]: accepted connection
Feb 19 02:23:57 tripp cyrus/syncserver[22549]: cmdloop(): startup
Feb 19 02:23:57 tripp cyrus/syncserver[22549]: imapd:Loading hard-coded DH parameters
Feb 19 02:23:57 tripp cyrus/syncserver[22549]: SSL_accept() incomplete -> wait
Feb 19 02:23:57 tripp cyrus/syncserver[22549]: SSL_accept() succeeded -> done
Feb 19 02:23:57 tripp cyrus/syncserver[22549]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
Feb 19 02:23:59 tripp cyrus/syncserver[22549]: login: server [xxx] syncamdin DIGEST-MD5+TLS User logged in
-----------

So I think TLS configuration on replica is fine too.

But the master seems not to use TLS when connecting via sync_client to
the replica. Is there an option to force using TLS, or should the master
connect using TLS as soon as the replica offers it?

Ciao
Marcus



----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
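
An added example (not part of the original thread and not Cyrus code): a small Python script that applies the log check discussed in the messages above on the replica, flagging each sync_server login that was not preceded by a `starttls:` line or whose SASL mechanism lacks the `+TLS` suffix. The function name `audit_sync_logins` is hypothetical, and the sample log lines are constructed from the format shown in the thread.

```python
import re

# Syslog layout seen in the thread: "<date> <host> cyrus/<proc>[<pid>]: <msg>"
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\s"
    r"cyrus/(?P<proc>[\w-]+)\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)
# "login: <client> [<addr>] <user> <mech> User logged in"
LOGIN_RE = re.compile(r"^login: .* (?P<user>\S+) (?P<mech>\S+) User logged in")

# Constructed sample, modelled on the (unwrapped) log lines in the messages above.
SAMPLE_LOG = """\
Feb 19 01:11:24 replica cyrus/syncserver[22175]: accepted connection
Feb 19 01:11:24 replica cyrus/syncserver[22175]: cmdloop(): startup
Feb 19 01:11:24 replica cyrus/syncserver[22175]: login: server [xxx] syncuser DIGEST-MD5 User logged in
Feb 19 02:23:57 replica cyrus/syncserver[22549]: accepted connection
Feb 19 02:23:57 replica cyrus/syncserver[22549]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
Feb 19 02:23:59 replica cyrus/syncserver[22549]: login: server [xxx] syncuser DIGEST-MD5+TLS User logged in
"""

def audit_sync_logins(lines):
    """Return one record per syncserver login, noting whether TLS was in use."""
    tls_sessions = {}  # (host, pid) -> text of the starttls: line for the open connection
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["proc"] != "syncserver":
            continue
        key, msg = (m["host"], m["pid"]), m["msg"]
        if msg.startswith("accepted connection"):
            tls_sessions.pop(key, None)  # a reused process starts a fresh connection
        elif msg.startswith("starttls:"):
            tls_sessions[key] = msg[len("starttls:"):].strip()
        else:
            login = LOGIN_RE.match(msg)
            if login:
                # Require both signals: a starttls: line on this connection
                # and the "+TLS" suffix on the SASL mechanism.
                tls = key in tls_sessions and login["mech"].endswith("+TLS")
                findings.append({"pid": m["pid"], "user": login["user"],
                                 "mech": login["mech"], "tls": tls,
                                 "cipher": tls_sessions.get(key)})
    return findings

if __name__ == "__main__":
    for f in audit_sync_logins(SAMPLE_LOG.splitlines()):
        status = "TLS" if f["tls"] else "PLAINTEXT"
        print(f'{status:9} pid={f["pid"]} user={f["user"]} mech={f["mech"]} cipher={f["cipher"]}')
```

Syslog lines that a mail client or pager has wrapped, as in the messages above, need to be rejoined before they are passed to the function.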



