On Wednesday, 19.02.2014, 02:28 +0100, Marcus Schopen wrote:
> On Wednesday, 19.02.2014, 01:16 +0100, Marcus Schopen wrote:
> > Hi,
> >
> > how do I figure out if master and replica are talking via TLS? Certs are
> > installed on both servers. Telnet on the replica shows:
> >
> > ------------
> > ~# telnet replica 2005
> > Trying 127.0.0.1...
> > Connected to localhost.
> > Escape character is '^]'.
> > * SASL DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN
> > * STARTTLS
> > * COMPRESS DEFLATE
> > * OK tripp Cyrus sync server v2.4.12-Debian-2.4.12-2
> > ------------
> >
> > When starting the master, login and replication are working, but it
> > doesn't seem to be working over TLS:
> >
> > Feb 19 01:11:24 replica cyrus/syncserver[22175]: accepted connection
> > Feb 19 01:11:24 replica cyrus/syncserver[22175]: cmdloop(): startup
> > Feb 19 01:11:24 replica cyrus/syncserver[22175]: login: server [xxx] syncuser DIGEST-MD5 User logged in
>
> Certificates seem to be fine. A synctest from the master to the replica
> (= server) looks like this:
>
> synctest -a syncadmin -u syncamdin -t '' server
>
> -----------
> Feb 19 02:23:57 tripp cyrus/master[22549]: about to exec /usr/lib/cyrus/bin/sync_server
> Feb 19 02:23:57 tripp cyrus/syncserver[22549]: executed
> Feb 19 02:23:57 tripp cyrus/syncserver[22549]: accepted connection
> Feb 19 02:23:57 tripp cyrus/syncserver[22549]: cmdloop(): startup
> Feb 19 02:23:57 tripp cyrus/syncserver[22549]: imapd:Loading hard-coded DH parameters
> Feb 19 02:23:57 tripp cyrus/syncserver[22549]: SSL_accept() incomplete -> wait
> Feb 19 02:23:57 tripp cyrus/syncserver[22549]: SSL_accept() succeeded -> done
> Feb 19 02:23:57 tripp cyrus/syncserver[22549]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
> Feb 19 02:23:59 tripp cyrus/syncserver[22549]: login: server [xxx] syncamdin DIGEST-MD5+TLS User logged in
> -----------
>
> Restarting Cyrus on the master comes up with this login without TLS on
> the replica:
>
> -----------
> Feb 19 02:24:55 tripp cyrus/syncserver[22549]: accepted connection
> Feb 19 02:24:55 tripp cyrus/syncserver[22549]: cmdloop(): startup
> Feb 19 02:24:55 tripp cyrus/syncserver[22549]: login: server [xxx] syncadmin DIGEST-MD5 User logged in
> -----------
>
> Ciao!

Playing around with imap.conf

Test 1: Ubuntu 12.04 LTS default imap.conf:

#sasl_mech_list: PLAIN
allowplaintext: yes

comes up with this banner

root@replicaserver:/etc# telnet localhost 2005
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* SASL DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN
* STARTTLS
* COMPRESS DEFLATE
* OK replicaserver Cyrus sync server v2.4.12-Debian-2.4.12-2

Log entry on replica

Feb 19 15:30:31 replicaserver cyrus/syncserver[23528]: login: masterserver [192.168.0.100] testsyncuser DIGEST-MD5 User logged

Test 2: set sasl_mech_list to PLAIN

allowplaintext: yes
sasl_mech_list: PLAIN

comes up with this banner

root@replicaserver:/etc# telnet localhost 2005
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* SASL PLAIN
* STARTTLS
* COMPRESS DEFLATE
* OK replicaserver Cyrus sync server v2.4.12-Debian-2.4.12-2

Log entry on replica

Feb 19 15:32:17 replicaserver cyrus/syncserver[23573]: login: masterserver [192.168.0.100] testsyncuser PLAIN User logged in

Test 3: set sasl_mech_list to PLAIN and allowplaintext to no

allowplaintext: no
sasl_mech_list: PLAIN

comes up with this banner

root@replicaserver:/etc# telnet localhost 2005
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* STARTTLS
* COMPRESS DEFLATE
* OK replicaserver Cyrus sync server v2.4.12-Debian-2.4.12-2

Log entry on replica

Feb 19 15:33:38 replicaserver cyrus/syncserver[23618]: imapd:Loading hard-coded DH parameters
Feb 19 15:33:38 replicaserver cyrus/syncserver[23618]: SSL_accept() incomplete -> wait
Feb 19 15:33:38 replicaserver cyrus/syncserver[23618]: SSL_accept() succeeded -> done
Feb 19 15:33:38 replicaserver cyrus/syncserver[23618]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
Feb 19 15:33:38 replicaserver cyrus/syncserver[23618]: login: masterserver [192.168.0.100] testsyncuser PLAIN+TLS User logged in

I like this :)

Seems that the master doesn't use TLS as long as the replica offers SASL mechanisms.

Ciao!

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
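The three tests above boil down to one observable: whether the replica's greeting advertises any SASL mechanism before STARTTLS. The script below is an added example, not code from the thread or from Cyrus; it parses a sync-server greeting and flags the pre-TLS login state Marcus saw in tests 1 and 2, using banners constructed from the ones quoted above (the host and port in fetch_greeting are assumptions for a live check).

```python
import socket

def parse_greeting(banner: str) -> dict:
    """Parse the untagged '* ...' lines of a Cyrus sync server greeting.
    Returns SASL mechanisms advertised before STARTTLS, whether STARTTLS
    is offered, and the text of the '* OK' line."""
    mechs, starttls, ok_line = [], False, None
    for line in banner.splitlines():
        line = line.strip()
        if not line.startswith("* "):
            continue  # skip telnet chatter such as 'Connected to localhost.'
        body = line[2:]
        if body.startswith("SASL "):
            mechs.extend(body[5:].split())
        elif body == "STARTTLS":
            starttls = True
        elif body.startswith("OK "):
            ok_line = body[3:]
    return {"sasl": mechs, "starttls": starttls, "ok": ok_line}

def plaintext_login_possible(banner: str) -> bool:
    """True when the replica lets a client authenticate before STARTTLS.
    That is the state of tests 1 and 2 above; in test 3 the mechanism list
    is empty until TLS is up, so the master has to negotiate it first."""
    return bool(parse_greeting(banner)["sasl"])

def fetch_greeting(host: str, port: int = 2005, timeout: float = 5.0) -> str:
    """Read the greeting from a live sync server (host/port are assumptions)."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while b"* OK" not in data or not data.endswith(b"\n"):
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return data.decode("utf-8", "replace")

# Constructed from the two banners quoted in the thread (tests 1 and 3).
BANNER_TEST1 = ("* SASL DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN\n* STARTTLS\n"
                "* COMPRESS DEFLATE\n"
                "* OK replicaserver Cyrus sync server v2.4.12-Debian-2.4.12-2\n")
BANNER_TEST3 = ("* STARTTLS\n* COMPRESS DEFLATE\n"
                "* OK replicaserver Cyrus sync server v2.4.12-Debian-2.4.12-2\n")

if __name__ == "__main__":
    for name, banner in (("test 1", BANNER_TEST1), ("test 3", BANNER_TEST3)):
        print(name, "login before TLS possible:", plaintext_login_possible(banner))
```

Point fetch_greeting at the replica's sync port and pass the result to plaintext_login_possible to repeat the check after every imapd.conf change, instead of reading the banner by eye in telnet.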