Hi Andrew,
The CA certificate is the same one saslauthd uses to connect to
the same ldap server (AD-DC), at the same location. Hmm, I wonder
if user cyrus can read it? It is owned by root:root (as are all
certificates on my system) but is readable by everyone so this
shouldn't be an issue. /etc/ssl/certs is mostly links, user
supplied CA certificates go in /usr/local/share/ca-certificates
and are linked from /etc/ssl/certs (with read and execute
permissions for all), the links I need are present and have the
same permissions as everything else.
I'll break this into 3 parts. First, the SSL/TLS configuration in imapd.conf for the server side, i.e. for clients connecting to cyrus, which they do just fine. When everything else is working I will re-enable TLS_REQUIRED; it shortens the output to leave it off for debugging.
*************************************
#
# SSL/TLS Options
#
# File containing the global certificate used for ALL services (imap, pop3,
# lmtp, sieve)
tls_server_cert: /etc/ssl/certs/ssl-cert-snakeoil.pem
# File containing the private key belonging to the global server certificate.
tls_server_key: /etc/ssl/private/ssl-cert-snakeoil.key
# File containing the certificate used for imap. If not specified, the global
# certificate is used. A value of "disabled" will disable SSL/TLS for imap.
#imap_tls_server_cert: /etc/ssl/certs/cyrus-imap.pem
# File containing the private key belonging to the imap-specific server
# certificate. If not specified, the global private key is used. A value of
# "disabled" will disable SSL/TLS for imap.
#imap_tls_server_key: /etc/ssl/private/cyrus-imap.key
# File containing the certificate used for pop3. If not specified, the global
# certificate is used. A value of "disabled" will disable SSL/TLS for pop3.
#pop3_tls_server_cert: /etc/ssl/certs/cyrus-pop3.pem
# File containing the private key belonging to the pop3-specific server
# certificate. If not specified, the global private key is used. A value of
# "disabled" will disable SSL/TLS for pop3.
#pop3_tls_server_key: /etc/ssl/private/cyrus-pop3.key
# File containing the certificate used for lmtp. If not specified, the global
# certificate is used. A value of "disabled" will disable SSL/TLS for lmtp.
#lmtp_tls_server_cert: /etc/ssl/certs/cyrus-lmtp.pem
# File containing the private key belonging to the lmtp-specific server
# certificate. If not specified, the global private key is used. A value of
# "disabled" will disable SSL/TLS for lmtp.
#lmtp_tls_server_key: /etc/ssl/private/cyrus-lmtp.key
# File containing the certificate used for sieve. If not specified, the global
# certificate is used. A value of "disabled" will disable SSL/TLS for sieve.
#sieve_tls_server_cert: /etc/ssl/certs/cyrus-sieve.pem
# File containing the private key belonging to the sieve-specific server
# certificate. If not specified, the global private key is used. A value of
# "disabled" will disable SSL/TLS for sieve.
#sieve_tls_server_key: /etc/ssl/private/cyrus-sieve.key
# File containing one or more Certificate Authority (CA) certificates.
tls_client_ca_file: /etc/ssl/certs/ca-certificates.crt
# Path to directory with certificates of CAs.
tls_client_ca_dir: /etc/ssl/certs
# The length of time (in minutes) that a TLS session will be cached for later
# reuse. The maximum value is 1440 (24 hours), the default. A value of 0 will
# disable session caching.
tls_session_timeout: 1440
# The list of SSL/TLS ciphers to allow, in decreasing order of precedence.
# The format of the string is described in ciphers(1). The Debian default
# selects TLSv1 high-security ciphers only, and removes all anonymous ciphers
# from the list (because they provide no defense against man-in-the-middle
# attacks). It also orders the list so that stronger ciphers come first.
#tls_ciphers: TLSv1.3:TLSv1.2:+TLSv1:+HIGH:!aNULL:@STRENGTH
# Above is our preferred cipher list, but use this one to see if it helps get
# things working
tls_ciphers: TLSv1.3:TLSv1.2:+TLSv1:+HIGH:+MEDIUM:+LOW:+SSLv3:!aNULL:@STRENGTH
# A list of SSL/TLS versions to not disable. Cyrus IMAP SSL/TLS starts
# with all protocols, and subtracts protocols not in this list. Newer
# versions of SSL/TLS will need to be added here to allow them to get
# disabled. */
#tls_versions: tls1_0 tls1_1 tls1_2
tls_versions: tls1_0 tls1_1 tls1_2 tls1_3
# The per-protocol requirements below are not mentioned in the man page
# but a global requirement to negotiate TLS before authenticating is
# defined so let's use that since we need to send plain passwords
#tls_required: 1
# Require a client certificate for ALL services (imap, pop3, lmtp, sieve).
#tls_require_cert: false
# Require a client certificate for imap ONLY.
#imap_tls_require_cert: false
# Require a client certificate for pop3 ONLY.
#pop3_tls_require_cert: false
# Require a client certificate for lmtp ONLY.
#lmtp_tls_require_cert: false
# Require a client certificate for sieve ONLY.
#sieve_tls_require_cert: false
*************************************
Secondly the configuration for starttls with ptclient and ldap:
*************************************
##
## Other LDAP items
## This is for AUTHORIZATION, we use saslauthd for AUTHENTICATION
##
# First we need to tell it to use ptloader for authorization
auth_mech: pts
#
# And tell ptloader to use LDAP
pts_module: ldap
ptloader_sock: /var/lib/cyrus/ptclient/ptsock
#
# The defaults for the cache settings should be fine
# db type defaults to twoskip, db_path to configdirectory/ptscache.db
# other settings are only for kerberos module
ptscache_db: twoskip
ptscache_db_path: /var/lib/cyrus/ptclient/ptscache.db
#
# General settings
# Probably also useful to tell cyrus where the LDAP is
#ldap_uri: ldaps://DC.MyCompany.local:636
ldap_uri: ldap://DC.MyCompany.local:389
ldap_bind_dn: a-tested-bind-dn
ldap_password: very-secret
ldap_timeout: 20s
ldap_time_limit: 20s
# Don't attempt SASL for authorization, it is used for authentication already
ldap_sasl: 0
# For start_tls we will need version 3 but it is supposed to select automatically
ldap_version: 3
ldap_start_tls: 1
# Make sure cyrus can find the CA file to accept the LDAP server's certificate
# The CA is another windows server in our network
ldap_ca_dir: /etc/ssl/certs/
ldap_ca_file: /etc/ssl/certs/CAserver-CA-Cert.pem
# And ensure that we check the certificate
ldap_verify_peer: 1
# Might also be worth specifying the ciphers we want
ldap_ciphers: TLSv1.3:TLSv1.2:+TLSv1:+HIGH:+MEDIUM:+LOW:+SSLv3:!aNULL:@STRENGTH
ldap_client_cert: /etc/ssl/certs/localhost-client.pem
ldap_client_key: /etc/ssl/private/localhost-client.key
## Set a limit on the number of records for a single query
ldap_size_limit: 100
#
# User lookups
# Set a default search base although it looks like we can set it separately
# for users and groups
# This filter works to make sure the account is a user and not disabled
ldap_base: ou=MyBusiness,dc=MyCompany,dc=local
ldap_scope: sub
ldap_filter: (&(objectClass=person)(sAMAccountName=%u)(!(userAccountControl=514)))
# But let's have a simpler testing filter
#ldap_filter: (sAMAccountName=%U)
#
#
# Groups - we will need these for shared folder ACIs
# Set a filter to identify a group, this one ensures it is a distribution group
# and not a security group
ldap_group_base: ou=DistributionGroups,ou=MyBusiness,dc=MyCompany,dc=local
ldap_group_scope: sub
ldap_group_filter: (&(objectClass=group)(!(groupType=2147483656))(!(groupType=2147483652)))
#
# Method to extract members from the group, this is poorly documented but after
# much trial and error, the 'member' attribute in AD groups contains
# distinguished names (DNs) so we need to use a filter to return all of the
# group names that contain the DN for our supplied username in their 'member'
# attribute. %D is the token for the user dn
# The attribute for the group name we set to 'name' although 'sAMAccountName'
# returns the same value it is a bit confusing when debugging.
ldap_member_base: ou=DistributionGroups,ou=MyBusiness,dc=MyCompany,dc=local
ldap_member_scope: sub
ldap_member_method: filter
ldap_member_filter: (member=%D)
ldap_member_attribute: name
##
##
******************************
The wireshark dump for a login attempt with these settings looks like this (TCP, LDAP and TLS output only):
******************************
Transmission Control Protocol, Src Port: 60730, Dst Port: 389,
Seq: 0, Len: 0
Source Port: 60730
Destination Port: 389
[Stream index: 132]
[TCP Segment Len: 0]
Sequence Number: 0 (relative sequence number)
Sequence Number (raw): 3651110048
[Next Sequence Number: 1 (relative sequence number)]
Acknowledgment Number: 0
Acknowledgment number (raw): 0
1010 .... = Header Length: 40 bytes (10)
Flags: 0x002 (SYN)
Window: 64240
[Calculated window size: 64240]
Checksum: 0x8ed7 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (20 bytes), Maximum segment size, SACK permitted,
Timestamps, No-Operation (NOP), Window scale
[Timestamps]
Transmission Control Protocol, Src Port: 389, Dst Port: 60738,
Seq: 0, Ack: 1, Len: 0
Source Port: 389
Destination Port: 60738
[Stream index: 178]
[TCP Segment Len: 0]
Sequence Number: 0 (relative sequence number)
Sequence Number (raw): 440187957
[Next Sequence Number: 1 (relative sequence number)]
Acknowledgment Number: 1 (relative ack number)
Acknowledgment number (raw): 3706155260
1010 .... = Header Length: 40 bytes (10)
Flags: 0x012 (SYN, ACK)
Window: 8192
[Calculated window size: 8192]
Checksum: 0x828a [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (20 bytes), Maximum segment size, No-Operation (NOP),
Window scale, SACK permitted, Timestamps
[SEQ/ACK analysis]
[Timestamps]
Transmission Control Protocol, Src Port: 60736, Dst Port: 389,
Seq: 1, Ack: 1, Len: 0
Source Port: 60736
Destination Port: 389
[Stream index: 177]
[TCP Segment Len: 0]
Sequence Number: 1 (relative sequence number)
Sequence Number (raw): 1642813595
[Next Sequence Number: 1 (relative sequence number)]
Acknowledgment Number: 1 (relative ack number)
Acknowledgment number (raw): 2986324420
1000 .... = Header Length: 32 bytes (8)
Flags: 0x010 (ACK)
Window: 502
[Calculated window size: 64256]
[Window size scaling factor: 128]
Checksum: 0x104d [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP),
Timestamps
[SEQ/ACK analysis]
[Timestamps]
Transmission Control Protocol, Src Port: 60736, Dst Port: 389,
Seq: 1, Ack: 1, Len: 31
Source Port: 60736
Destination Port: 389
[Stream index: 177]
[TCP Segment Len: 31]
Sequence Number: 1 (relative sequence number)
Sequence Number (raw): 1642813595
[Next Sequence Number: 32 (relative sequence number)]
Acknowledgment Number: 1 (relative ack number)
Acknowledgment number (raw): 2986324420
1000 .... = Header Length: 32 bytes (8)
Flags: 0x018 (PSH, ACK)
Window: 502
[Calculated window size: 64256]
[Window size scaling factor: 128]
Checksum: 0x94e6 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP),
Timestamps
[SEQ/ACK analysis]
[Timestamps]
TCP payload (31 bytes)
[PDU Size: 31]
Lightweight Directory Access Protocol
LDAPMessage extendedReq(1)
messageID: 1
protocolOp: extendedReq (23)
extendedReq
requestName: 1.3.6.1.4.1.1466.20037
(LDAP_START_TLS_OID)
[Response In: 21557]
Transmission Control Protocol, Src Port: 389, Dst Port: 60736,
Seq: 1, Ack: 32, Len: 46
Source Port: 389
Destination Port: 60736
[Stream index: 177]
[TCP Segment Len: 46]
Sequence Number: 1 (relative sequence number)
Sequence Number (raw): 2986324420
[Next Sequence Number: 47 (relative sequence number)]
Acknowledgment Number: 32 (relative ack number)
Acknowledgment number (raw): 1642813626
1000 .... = Header Length: 32 bytes (8)
Flags: 0x018 (PSH, ACK)
Window: 514
[Calculated window size: 131584]
[Window size scaling factor: 256]
Checksum: 0x82b0 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP),
Timestamps
[SEQ/ACK analysis]
[Timestamps]
TCP payload (46 bytes)
[PDU Size: 46]
Lightweight Directory Access Protocol
LDAPMessage extendedResp(1)
messageID: 1
protocolOp: extendedResp (24)
extendedResp
resultCode: success (0)
matchedDN:
errorMessage:
responseName: 1.3.6.1.4.1.1466.20037
(LDAP_START_TLS_OID)
[Response To: 21556]
[Time: 0.000220000 seconds]
Transmission Control Protocol, Src Port: 60736, Dst Port: 389,
Seq: 32, Ack: 47, Len: 0
Source Port: 60736
Destination Port: 389
[Stream index: 177]
[TCP Segment Len: 0]
Sequence Number: 32 (relative sequence number)
Sequence Number (raw): 1642813626
[Next Sequence Number: 32 (relative sequence number)]
Acknowledgment Number: 47 (relative ack number)
Acknowledgment number (raw): 2986324466
1000 .... = Header Length: 32 bytes (8)
Flags: 0x010 (ACK)
Window: 502
[Calculated window size: 64256]
[Window size scaling factor: 128]
Checksum: 0x0fff [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP),
Timestamps
[SEQ/ACK analysis]
[Timestamps]
Transmission Control Protocol, Src Port: 60736, Dst Port: 389,
Seq: 32, Ack: 47, Len: 7
Source Port: 60736
Destination Port: 389
[Stream index: 177]
[TCP Segment Len: 7]
Sequence Number: 32 (relative sequence number)
Sequence Number (raw): 1642813626
[Next Sequence Number: 39 (relative sequence number)]
Acknowledgment Number: 47 (relative ack number)
Acknowledgment number (raw): 2986324466
1000 .... = Header Length: 32 bytes (8)
Flags: 0x018 (PSH, ACK)
Window: 502
[Calculated window size: 64256]
[Window size scaling factor: 128]
Checksum: 0xdba7 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP),
Timestamps
[SEQ/ACK analysis]
[Timestamps]
TCP payload (7 bytes)
Transport Layer Security
Transmission Control Protocol, Src Port: 60736, Dst Port: 389,
Seq: 39, Ack: 47, Len: 0
Source Port: 60736
Destination Port: 389
[Stream index: 177]
[TCP Segment Len: 0]
Sequence Number: 39 (relative sequence number)
Sequence Number (raw): 1642813633
[Next Sequence Number: 40 (relative sequence number)]
Acknowledgment Number: 47 (relative ack number)
Acknowledgment number (raw): 2986324466
1000 .... = Header Length: 32 bytes (8)
Flags: 0x011 (FIN, ACK)
Window: 502
[Calculated window size: 64256]
[Window size scaling factor: 128]
Checksum: 0x0ff7 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP),
Timestamps
[Timestamps]
Transmission Control Protocol, Src Port: 389, Dst Port: 60736,
Seq: 47, Ack: 40, Len: 0
Source Port: 389
Destination Port: 60736
[Stream index: 177]
[TCP Segment Len: 0]
Sequence Number: 47 (relative sequence number)
Sequence Number (raw): 2986324466
[Next Sequence Number: 47 (relative sequence number)]
Acknowledgment Number: 40 (relative ack number)
Acknowledgment number (raw): 1642813634
1000 .... = Header Length: 32 bytes (8)
Flags: 0x010 (ACK)
Window: 514
[Calculated window size: 131584]
[Window size scaling factor: 256]
Checksum: 0x8282 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP),
Timestamps
[SEQ/ACK analysis]
[Timestamps]
Transmission Control Protocol, Src Port: 389, Dst Port: 60736,
Seq: 47, Ack: 40, Len: 0
Source Port: 389
Destination Port: 60736
[Stream index: 177]
[TCP Segment Len: 0]
Sequence Number: 47 (relative sequence number)
Sequence Number (raw): 2986324466
[Next Sequence Number: 47 (relative sequence number)]
Acknowledgment Number: 40 (relative ack number)
Acknowledgment number (raw): 1642813634
0101 .... = Header Length: 20 bytes (5)
Flags: 0x014 (RST, ACK)
Window: 0
[Calculated window size: 0]
[Window size scaling factor: 256]
Checksum: 0x8276 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
[Timestamps]
*************************************
Notice there is nothing showing under TLS in the 7th packet, which
I would expect to be a TLS Client Hello, looking at the packets
produced by ldapsearch when using -ZZ for starttls.
And for the 3rd part, the imapd.conf re-commented to use ldaps instead of start_tls:
*************************************
##
## Other LDAP items
## This is for AUTHORIZATION, we use saslauthd for AUTHENTICATION
##
# First we need to tell it to use ptloader for authorization
auth_mech: pts
#
# And tell ptloader to use LDAP
pts_module: ldap
ptloader_sock: /var/lib/cyrus/ptclient/ptsock
#
# The defaults for the cache settings should be fine
# db type defaults to twoskip, db_path to configdirectory/ptscache.db
# other settings are only for kerberos module
ptscache_db: twoskip
ptscache_db_path: /var/lib/cyrus/ptclient/ptscache.db
#
# General settings
# Probably also useful to tell cyrus where the LDAP is
ldap_uri: ldaps://DC.MyCompany.local:636
#ldap_uri: ldap://DC.MyCompany.local:389
ldap_bind_dn: a-tested-bind-dn
ldap_password: very-secret
ldap_timeout: 20s
ldap_time_limit: 20s
# Don't attempt SASL for authorization, it is used for authentication already
ldap_sasl: 0
# For start_tls we will need version 3 but it is supposed to select automatically
#ldap_version: 3
#ldap_start_tls: 1
# Make sure cyrus can find the CA file to accept the LDAP server's certificate
# The CA is another windows server in our network
ldap_ca_dir: /etc/ssl/certs/
ldap_ca_file: /etc/ssl/certs/CAserver-CA-Cert.pem
# And ensure that we check the certificate
ldap_verify_peer: 1
# Might also be worth specifying the ciphers we want
ldap_ciphers: TLSv1.3:TLSv1.2:+TLSv1:+HIGH:+MEDIUM:+LOW:+SSLv3:!aNULL:@STRENGTH
ldap_client_cert: /etc/ssl/certs/localhost-client.pem
ldap_client_key: /etc/ssl/private/localhost-client.key
## Set a limit on the number of records for a single query
ldap_size_limit: 100
#
# User lookups
# Set a default search base although it looks like we can set it separately
# for users and groups
# This filter works to make sure the account is a user and not disabled
ldap_base: ou=MyBusiness,dc=MyCompany,dc=local
ldap_scope: sub
ldap_filter: (&(objectClass=person)(sAMAccountName=%u)(!(userAccountControl=514)))
# But let's have a simpler testing filter
#ldap_filter: (sAMAccountName=%U)
#
#
# Groups - we will need these for shared folder ACIs
# Set a filter to identify a group, this one ensures it is a distribution group
# and not a security group
ldap_group_base: ou=DistributionGroups,ou=MyBusiness,dc=MyCompany,dc=local
ldap_group_scope: sub
ldap_group_filter: (&(objectClass=group)(!(groupType=2147483656))(!(groupType=2147483652)))
#
# Method to extract members from the group, this is poorly documented but after
# much trial and error, the 'member' attribute in AD groups contains
# distinguished names (DNs) so we need to use a filter to return all of the
# group names that contain the DN for our supplied username in their 'member'
# attribute. %D is the token for the user dn
# The attribute for the group name we set to 'name' although 'sAMAccountName'
# returns the same value it is a bit confusing when debugging.
ldap_member_base: ou=DistributionGroups,ou=MyBusiness,dc=MyCompany,dc=local
ldap_member_scope: sub
ldap_member_method: filter
ldap_member_filter: (member=%D)
ldap_member_attribute: name
##
##
*************************************
Followed by the wireshark dump when using these settings:
*************************************
Transmission Control Protocol, Src Port: 33954, Dst Port: 636,
Seq: 0, Len: 0
Source Port: 33954
Destination Port: 636
[Stream index: 1]
[TCP Segment Len: 0]
Sequence Number: 0 (relative sequence number)
Sequence Number (raw): 4008815861
[Next Sequence Number: 1 (relative sequence number)]
Acknowledgment Number: 0
Acknowledgment number (raw): 0
1010 .... = Header Length: 40 bytes (10)
Flags: 0x002 (SYN)
Window: 64240
[Calculated window size: 64240]
Checksum: 0x6076 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (20 bytes), Maximum segment size, SACK permitted,
Timestamps, No-Operation (NOP), Window scale
[Timestamps]
Transmission Control Protocol, Src Port: 636, Dst Port: 33954,
Seq: 0, Ack: 1, Len: 0
Source Port: 636
Destination Port: 33954
[Stream index: 1]
[TCP Segment Len: 0]
Sequence Number: 0 (relative sequence number)
Sequence Number (raw): 1061013048
[Next Sequence Number: 1 (relative sequence number)]
Acknowledgment Number: 1 (relative ack number)
Acknowledgment number (raw): 4008815862
1010 .... = Header Length: 40 bytes (10)
Flags: 0x012 (SYN, ACK)
Window: 8192
[Calculated window size: 8192]
Checksum: 0x828a [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (20 bytes), Maximum segment size, No-Operation (NOP),
Window scale, SACK permitted, Timestamps
[SEQ/ACK analysis]
[Timestamps]
Transmission Control Protocol, Src Port: 33954, Dst Port: 636,
Seq: 1, Ack: 1, Len: 0
Source Port: 33954
Destination Port: 636
[Stream index: 1]
[TCP Segment Len: 0]
Sequence Number: 1 (relative sequence number)
Sequence Number (raw): 4008815862
[Next Sequence Number: 1 (relative sequence number)]
Acknowledgment Number: 1 (relative ack number)
Acknowledgment number (raw): 1061013049
1000 .... = Header Length: 32 bytes (8)
Flags: 0x010 (ACK)
Window: 502
[Calculated window size: 64256]
[Window size scaling factor: 128]
Checksum: 0x9547 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP),
Timestamps
[SEQ/ACK analysis]
[Timestamps]
Transmission Control Protocol, Src Port: 33954, Dst Port: 636,
Seq: 1, Ack: 1, Len: 0
Source Port: 33954
Destination Port: 636
[Stream index: 1]
[TCP Segment Len: 0]
Sequence Number: 1 (relative sequence number)
Sequence Number (raw): 4008815862
[Next Sequence Number: 2 (relative sequence number)]
Acknowledgment Number: 1 (relative ack number)
Acknowledgment number (raw): 1061013049
1000 .... = Header Length: 32 bytes (8)
Flags: 0x011 (FIN, ACK)
Window: 502
[Calculated window size: 64256]
[Window size scaling factor: 128]
Checksum: 0x9546 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP),
Timestamps
[Timestamps]
Transmission Control Protocol, Src Port: 636, Dst Port: 33954,
Seq: 1, Ack: 2, Len: 0
Source Port: 636
Destination Port: 33954
[Stream index: 1]
[TCP Segment Len: 0]
Sequence Number: 1 (relative sequence number)
Sequence Number (raw): 1061013049
[Next Sequence Number: 1 (relative sequence number)]
Acknowledgment Number: 2 (relative ack number)
Acknowledgment number (raw): 4008815863
1000 .... = Header Length: 32 bytes (8)
Flags: 0x010 (ACK)
Window: 514
[Calculated window size: 131584]
[Window size scaling factor: 256]
Checksum: 0x8282 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP),
Timestamps
[SEQ/ACK analysis]
[Timestamps]
Transmission Control Protocol, Src Port: 636, Dst Port: 33954,
Seq: 1, Ack: 2, Len: 0
Source Port: 636
Destination Port: 33954
[Stream index: 1]
[TCP Segment Len: 0]
Sequence Number: 1 (relative sequence number)
Sequence Number (raw): 1061013049
[Next Sequence Number: 1 (relative sequence number)]
Acknowledgment Number: 2 (relative ack number)
Acknowledgment number (raw): 4008815863
0101 .... = Header Length: 20 bytes (5)
Flags: 0x014 (RST, ACK)
Window: 0
[Calculated window size: 0]
[Window size scaling factor: 256]
Checksum: 0x8276 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
[Timestamps]
*************************************
Again comparing with an ldapsearch using ldaps, I would expect the 4th packet to be a TLS Client Hello, not FIN, ACK.
I have tried all sorts of combinations, turning different options off and back on, to no avail, and re-read every line many times looking for typos, but I'm at that point where I won't see them now even if they are really obvious!
Thanks for all your help
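Both captures show the connection being torn down by the client before any TLS record is sent (the StartTLS extended operation itself succeeds with resultCode 0), so it helps to separate the LDAP part from the TLS part and to test each one outside ptloader. The following is an added example, not Cyrus or ptloader code and not from this thread: it builds the same 31-byte StartTLS ExtendedRequest seen in the capture, parses the 46-byte ExtendedResponse (Active Directory's 4-byte long-form BER lengths account for that size), gives a plain mode-bit readability check for the CA and client files as a given uid, and runs a verified StartTLS or LDAPS handshake with Python's ssl module. The host, file paths and the cyrus uid are assumptions to fill in from your own imapd.conf; the sample reply is constructed, not captured.

```python
"""Helpers for checking the LDAP StartTLS / LDAPS path that ptloader uses.

Added example; not Cyrus code. Byte layouts follow RFC 4511 and the sizes
match the 31-byte request / 46-byte reply in the capture above.
"""
import os
import socket
import ssl
import stat

START_TLS_OID = "1.3.6.1.4.1.1466.20037"  # LDAP_START_TLS_OID, as in the capture


def _ber_len(n):
    """BER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos); accepts the long-form lengths AD emits."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext_req = _ber(0x77, _ber(0x80, START_TLS_OID.encode()))
    return _ber(0x30, _ber(0x02, bytes([message_id])) + ext_req)


def parse_extended_response(data):
    """Decode an ExtendedResponse [APPLICATION 24] into a dict."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("protocolOp is not extendedResp (tag 0x78)")
    _, rc, pos = _read_tlv(op, 0)          # ENUMERATED resultCode
    _, matched, pos = _read_tlv(op, pos)   # LDAPDN matchedDN
    _, err, pos = _read_tlv(op, pos)       # LDAPString errorMessage
    name = None
    while pos < len(op):                   # optional responseName [10] / responseValue [11]
        tag, val, pos = _read_tlv(op, pos)
        if tag == 0x8A:
            name = val.decode()
    return {"message_id": int.from_bytes(mid, "big"), "result_code": rc[0],
            "matched_dn": matched.decode(), "error_message": err.decode(),
            "response_name": name}


def ad_style_starttls_reply(message_id=1):
    """Constructed sample of a successful StartTLS reply using the 4-byte
    long-form lengths Active Directory sends; 46 bytes, like the capture."""
    inner = (_ber(0x0A, b"\x00") + _ber(0x04, b"") + _ber(0x04, b"")
             + _ber(0x8A, START_TLS_OID.encode()))
    op = b"\x78\x84" + len(inner).to_bytes(4, "big") + inner
    body = _ber(0x02, bytes([message_id])) + op
    return b"\x30\x84" + len(body).to_bytes(4, "big") + body


def readable_by(mode, owner_uid, owner_gid, uid, gids):
    """Mode-bit check: can uid (a member of gids) read a file with these bits?"""
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def can_read_as(path, uid, gids):
    """Apply readable_by() to a real path (os.stat follows the /etc/ssl/certs symlinks)."""
    st = os.stat(path)
    return readable_by(st.st_mode, st.st_uid, st.st_gid, uid, gids)


def _client_context(cafile, certfile, keyfile):
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def starttls_probe(host, port=389, cafile=None, certfile=None, keyfile=None):
    """StartTLS extended op, then a verified handshake on the same socket."""
    ctx = _client_context(cafile, certfile, keyfile)
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(build_starttls_request())
        reply = parse_extended_response(sock.recv(4096))  # assumes one segment, as captured
        if reply["result_code"] != 0:
            raise RuntimeError(f"StartTLS refused: {reply}")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()["subject"]


def ldaps_probe(host, port=636, cafile=None, certfile=None, keyfile=None):
    """Same check for the ldaps:// variant: TLS from the first byte."""
    ctx = _client_context(cafile, certfile, keyfile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()["subject"]


if __name__ == "__main__":
    # Live usage with the placeholder names from the posted imapd.conf (assumed):
    # print(starttls_probe("DC.MyCompany.local", cafile="/etc/ssl/certs/CAserver-CA-Cert.pem"))
    print(len(build_starttls_request()), parse_extended_response(ad_style_starttls_reply()))
```

Run the probe as the cyrus user (or pass that uid to can_read_as for each of ldap_ca_file, ldap_client_cert and ldap_client_key) with the same CA file the config names. If the handshake completes, the server, CA and file permissions are fine and the fault lies in how ptloader sets up its TLS context; if it raises a verification error, the message names the missing piece (chain, hostname mismatch, or an unreadable file), which is more than the silent FIN in the capture tells you.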
Hi Jim,

No worries, understand your requirement to keep it confidential. Have you confirmed whether the CA certificate can be found/read?

Also wondering if you could perhaps just share the ldap configuration lines (cat imapd.conf | grep "ldap_"). I'm curious if you have ldap_start_tls: configured, e.g. have you tried toggling starttls no/yes, direct tls/ssl, and curious if ldap_servers: ldap://ldap.server or ldaps://ldap.server, to see if behaviour changes with different combinations?

Regards
Andrew

On 22/06/2021, at 03:24, jwallis@xxxxxxxxxxxxxxxxx wrote:

Hi Andrew,

I didn't have client certificate and key configured because I assumed ptclient would be happy just verifying the server certificate (the CA cert for it is installed and properly referenced in imapd.conf) the same as saslauthd and ldapsearch manage with. The other parameters are all configured and as far as I can see correct, i.e. the directory and file parameters point to the correct directory and file for the CA certificate.

In case the client cert and key were needed, I tried initially with the snakeoil cert and key (no difference) and then, just in case that wasn't set up as a client cert, I created a new request and generated a new client/server certificate on my windows CA which I re-exported and is now in the correct location and referenced properly in imapd.conf, but still no change to how either ldaps or starttls are failing.

I could share the entire imapd.conf, but it is debian based so has a lot of comments and a lot of commented out options before you even get to the authorization section, and I will need to be really careful to modify anything company specific, so I am trying not to share it, but will if it is the only way.

Thanks
Jim