Hi there,
I was hoping to verify with a source of truth whether sync_client embedded within the “Cyrus-imapd-3.4.1.tar.gz” has implicit TLS support. (I assume it came bundled with Cyrus install - haven’t validated that - CentOS 8).
I managed to track down a sync_client.c file found at the URL below and it doesn’t appear to offer starttls or
implicit TLS support within the connect code (unless I’m missing something obvious) and it doesn’t appear to
make use of the TLS settings contained within the imapd.conf file.
Is this a correct assertion or am I missing something obvious? Sync Client is working fine over IMAP TCP/143 but when changed to TCP 993, fails.
Was hoping to get this configured for mutual authentication between Cyrus servers for secure replication given it’s a privileged account being passed over the wire.
Is this something that is supported using the sync_client utility at present or are there alternative Cyrus
mailbox synchronisation tools out there that would enable secure transmission of replication data? Unfortunately
cannot find any documentation that would hint at TLS support and I “assumed” that it’d honour the client/server
authentication certificates and configuration in imapd.conf. Believe this was an incorrect assumption on my part.
I must admit from what I have seen so far, Cyrus is a pretty cool application. Thanks for developing this.
———
On the service side, I get the following failure:
cyrus/imaps[102032]: imaps TLS negotiation failed: testimapserver [10.0.0.10]
On the client side, using openssl s_client -connect testimapserver:993 returns a successful TLSv1.3 connection
with Cipher TLS_AES_256_GCM_SHA384 with the server response being:
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=PLAIN AUTH=LOGIN SASL-IR] testimapserver Cyrus IMAP
3.0.7-19.el8 Fedora server ready
———
If you could please confirm my suspicion and let me know if TLS support is considered in a potential future
release, that would be greatly appreciated. If I’ve got it wrong and it is supported but it’s a configuration
issue on my part, apologies.