Hi,
I haven't seen "
fossies.org" before, but the canonical 3.4.1 sync_client source can be found here:
It looks like if you provide a "/tls" flag in the port/service name specification, then it will try to do TLS. So where you've specified "993", maybe "993/tls" will do the trick? It looks like "noauth" is another possible flag here, which is news to me. Some of this stuff isn't very well documented, sorry.
I think we might assume that replication mostly occurs over a private network -- either a physical one within the same datacentre, or over VPN to a remote one -- but if you don't have these luxuries it makes sense that you'd want to use TLS for the connection. I don't know if anyone is using it like this, but it ought to work fine since it just uses the same backend module as everything else. If you get it working, it'd be great if you could send through some notes that we could integrate into the docs!
> 3.0.7-19.el8 Fedora server ready
Ohhh... it's interesting that you're looking at the 3.4.1 sources, but actually running 3.0.7. Everything I've described above _should_ work for 3.0, as in, I don't believe the /tls flag is a new feature (otherwise I'd probably recognise it). But I've been looking at the 3.4.1 sources, not the 3.0.7 ones, so your mileage may vary. For what it's worth, 3.0.7 is two major releases out of date (the current stable series is 3.4; the previous stable series was 3.2). If you can manage to run something newer, you should.
Cheers,
ellie
On Tue, 18 May 2021, at 5:17 AM, andrewhardy via Info wrote:
Hi there,
I was hoping to verify with a source of truth whether
sync_client embedded within the “Cyrus-imapd-3.4.1.tar.gz” has implicit TLS support. (I assume it came bundled with Cyrus install - haven’t validated that - Centos 8).
I manage to track down a sync_client.c file found at the URL below and it doesn’t appear to offer starttls or
implicit TLS support within the connect code (unless I’m missing something obvious) and it doesn’t appear to
make use of the TLS settings contained within imapd.conf file.
Is this correct assertion or am I missing something obvious? Sync Client is working fine over IMAP TCP/143 but when changed to TCP 993, fails.
Was hoping to get this configured for mutual authentication between Cyrus servers for secure replication given it’s a privileged account being passed over the wire.
Is this something that is supported using the sync_client utility at present or are there alternative Cyrus
mailbox synchronisation tools out there that would enable secure transmission of replication data? Unfortunately
cannot find any documentation that would hint at TLS support and I “assumed” that it’d honour the client/server
authentication certificates and configuration in imapd.conf. Believe this was an incorrect assumption on my part.
I must admit from what I have seen so far, Cyrus is a pretty cool application. Thanks for developing this.
———
On the service side, I get the following failure:
cyrus/imaps[102032]: imaps TLS negotiation failed: testimapserver [10.0.0.10]
On the client side, using openssl s_client -connect testimapserver:993 returns a successful TLSv1.3 connection
with Cipher TLS_AES_256_GCM_SHA384 with the server response being:
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=PLAIN AUTH=LOGIN SASL-IR] testimapserver Cyrus IMAP
3.0.7-19.el8 Fedora server ready
———
If you could please confirm my suspicion and let me know if TLS support is considered in a potential future
release, that would be greatly appreciated. If I’ve got it wrong and it is supported but its a configuration
issue on my part, apologies.