Re: cyradm TLS issues

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Simon,
Thanks for the response. I will give your solution a try.

--Ez

On Tue, Oct 19, 2021 at 4:49 PM Simon Wilson via Info <info@xxxxxxxxxxxxxxxxxx> wrote:

----- Message from Ezsra McDonald <ezsra.mcdonald@xxxxxxxxx> ---------
    Date: Tue, 19 Oct 2021 15:12:35 -0500
    From: Ezsra McDonald <ezsra.mcdonald@xxxxxxxxx>
Reply-To: Info <info@xxxxxxxxxxxxxxxxxx>
Subject: cyradm TLS issues
      To: Info <info@xxxxxxxxxxxxxxxxxx>

SYSTEM INFORMATION:
OS: CentOS 7
Cyrus-Imap: RPM = cyrus-imapd-2.4.17-15.el7.x86_64
 
TLS CONFIGURATION:
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.key
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
tls_cipher_list: HIGH:!aNULL:!eNULL:!LOW:!MD5:!EXPORT:!DES:!3DES:!RC4:@STRENGTH
tls_prefer_server_ciphers: 1
tls_versions: tls1_2
#tls_versions: tls1_0 tls1_1 tls1_2
 
PROBLEM:
When I attempt to login using cyradm I get SSL/TLS errors. The only way I have been able to get this to work was to enable TLS version 1.0. Security team won't allow less than TLS1.2 and I am not able to move to a newer OS at this time. Is there a way to get it working on CentOS 7 with TLSv1.2 or later? Maybe I need different ciphers?
 
If I uncomment the last line I am able to connect and login.
tls_versions: tls1_0 tls1_1 tls1_2
 
ERRORS:
:~$ cyradm --user cyrus --tlskey --auth plain  localhost
[ SSL_connect error -1 ]
[ SSL session removed ]
[ TLS negotiation did not succeed ]
 
LOGS: With only TLSv1.2 enabled
imap[]: STARTTLS negotiation failed: localhost [127.0.0.1]
 
LOGS: With TLSv1.0 enabled
imap[]: starttls: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits new) no authentication
 
 
Any assistance is appreciated.
--Ez



Your error shows you are connecting from localhost. Why use TLS on localhost... do the Security team insist on encrypted connection on localhost? Seems like overkill. 

I run a separate IMAPD with a separate config file with 'allowplaintext: yes' which listens only to localhost connection for just this purpose. Even if you need to connect remotely, a SSH session to localhost which is easy to secure will sort that out.

Simon.

___________
Simon Wilson
M: 0400 12 11 16

[Index of Archives]     [Cyrus SASL]     [Squirrel Mail]     [Asterisk PBX]     [Video For Linux]     [Photo]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux