Re: sync_client and TLS support?

Thanks for the quick response Ellie. 

Appending /tls to the defined port worked and replication over TLS appears to work fine. This will come in quite handy where private links are not possible or cost prohibitive. I haven't tested this in anger or attempted to get mutual authentication working, but if I can get it functioning and tested as desired, I will feed some "how tos" back.

Interesting that appending /tls was the toggle, who would have thought ;)

Thanks for the observation on versioning. 

It turns out that the version that ships with the @appstream repo is well behind in its versioning. I'll definitely be taking the time to re-compile/build using the latest version. Probably steering away from CentOS 8 at this point; it seems like it's going to be more problematic than it's worth.

cyrus-imapd.x86_64   3.0.7-19.el8   @appstream

Appreciate the quick response, will feed any doc improvements through as I go along.

Cheers,
Andrew
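The /tls toggle discussed in this thread, as an added master-side imapd.conf example that is not from the thread or the Cyrus project; sync_port and its "/tls" suffix come from the thread, while sync_host, sync_authname, sync_password and the tls_client_* option names are assumed from imapd.conf(5) and should be checked against the man page of the version actually installed (3.0.7 and 3.4.1 differ):

```conf
# Added example, not from the thread or the Cyrus project.
# Replica to push to. The "/tls" suffix on the port is what makes
# backend_connect() negotiate TLS; with a bare "993" the master talks
# plaintext to a TLS-only port and the replica logs
# "imaps TLS negotiation failed", as seen in the original post.
sync_host: testimapserver
sync_port: 993/tls

# Replication account (privileged, hence the wish for TLS on the wire).
# Option names assumed from imapd.conf(5); password is a placeholder.
sync_authname: repluser
sync_password: CHANGE-ME-placeholder

# Client certificate and key presented to the replica for mutual
# authentication, and the CA bundle used to verify the replica's
# server certificate. Option names and paths are assumptions.
tls_client_cert: /etc/pki/cyrus/sync-client.pem
tls_client_key: /etc/pki/cyrus/sync-client.key
tls_client_ca_file: /etc/pki/cyrus/ca.pem
```

After changing the port spec, a plaintext sync attempt should no longer appear in the replica's log as a failed TLS negotiation on imaps; if it still does, the suffix was not picked up by the version in use.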


On 19/05/2021, at 12:15 PM, ellie timoney <ellie@xxxxxxxxxxxx> wrote:

Hi,

I haven't seen "fossies.org" before, but the canonical 3.4.1 sync_client source can be found here:

But you won't find TLS handling code in that file, because it just calls down to backend_connect() to do the heavy lifting, which is in: https://github.com/cyrusimap/cyrus-imapd/blob/cyrus-imapd-3.4.1/imap/backend.c

It looks like if you provide a "/tls" flag in the port/service name specification, then it will try to do TLS.  So where you've specified "993", maybe "993/tls" will do the trick?  It looks like "noauth" is another possible flag here, which is news to me.  Some of this stuff isn't very well documented, sorry.

I think we might assume that replication mostly occurs over a private network -- either a physical one within the same datacentre, or over VPN to a remote one -- but if you don't have these luxuries it makes sense that you'd want to use TLS for the connection.  I don't know if anyone is using it like this, but it ought to work fine since it just uses the same backend module as everything else.  If you get it working, it'd be great if you could send through some notes that we could integrate into the docs!

> 3.0.7-19.el8 Fedora server ready

Ohhh... it's interesting that you're looking at the 3.4.1 sources, but actually running 3.0.7.  Everything I've described above _should_ work for 3.0, as in, I don't believe the /tls flag is a new feature (otherwise I'd probably recognise it).  But I've been looking at the 3.4.1 sources, not the 3.0.7 ones, so your mileage may vary.  For what it's worth, 3.0.7 is two major releases out of date (the current stable series is 3.4; the previous stable series was 3.2).  If you can manage to run something newer, you should.

Cheers,

ellie

On Tue, 18 May 2021, at 5:17 AM, andrewhardy via Info wrote:
Hi there,

I was hoping to verify with a source of truth whether sync_client embedded within the "Cyrus-imapd-3.4.1.tar.gz" has implicit TLS support. (I assume it came bundled with the Cyrus install; haven't validated that. CentOS 8.)
I managed to track down a sync_client.c file found at the URL below and it doesn't appear to offer starttls or implicit TLS support within the connect code (unless I'm missing something obvious), and it doesn't appear to make use of the TLS settings contained within the imapd.conf file.
Is this a correct assertion or am I missing something obvious? Sync Client is working fine over IMAP TCP/143, but when changed to TCP 993, it fails.

I was hoping to get this configured for mutual authentication between Cyrus servers for secure replication, given it's a privileged account being passed over the wire.
Is this something that is supported using the sync_client utility at present, or are there alternative Cyrus mailbox synchronisation tools out there that would enable secure transmission of replication data? Unfortunately I cannot find any documentation that would hint at TLS support, and I "assumed" that it'd honour the client/server authentication certificates and configuration in imapd.conf. I believe this was an incorrect assumption on my part.
I must admit, from what I have seen so far, Cyrus is a pretty cool application. Thanks for developing this.
———
On the service side, I get the following failure:
cyrus/imaps[102032]: imaps TLS negotiation failed: testimapserver [10.0.0.10]
On the client side, using openssl s_client -connect testimapserver:993 returns a successful TLSv1.3 connection with Cipher TLS_AES_256_GCM_SHA384, with the server response being:
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=PLAIN AUTH=LOGIN SASL-IR] testimapserver Cyrus IMAP
3.0.7-19.el8 Fedora server ready
———
If you could please confirm my suspicion and let me know if TLS support is considered in a potential future release, that would be greatly appreciated. If I've got it wrong and it is supported but it's a configuration issue on my part, apologies.

