cyrus.conf:
<snip>
imaplocal cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:imap" prefork=1 proto=tcp4
imap cmd="imapd" listen="192.168.1.230:imap" prefork=5 proto=tcp4
<snip>

imapd-local.conf:
<snip>
allowplaintext: yes
<snip>
----- Message from Ezsra McDonald <ezsra.mcdonald@xxxxxxxxx> ---------
Date: Wed, 20 Oct 2021 10:06:08 -0500
From: Ezsra McDonald <ezsra.mcdonald@xxxxxxxxx>
Reply-To: Info <info@xxxxxxxxxxxxxxxxxx>
Subject: Re: cyradm TLS issues
To: Info <info@xxxxxxxxxxxxxxxxxx>
Simon,
Thanks for the response. I will give your solution a try.
--Ez
On Tue, Oct 19, 2021 at 4:49 PM Simon Wilson via Info
<info@xxxxxxxxxxxxxxxxxx> wrote:
----- Message from Ezsra McDonald <ezsra.mcdonald@xxxxxxxxx> ---------
Date: Tue, 19 Oct 2021 15:12:35 -0500
From: Ezsra McDonald <ezsra.mcdonald@xxxxxxxxx>
Reply-To: Info <info@xxxxxxxxxxxxxxxxxx>
Subject: cyradm TLS issues
To: Info <info@xxxxxxxxxxxxxxxxxx>

SYSTEM INFORMATION:
OS: CentOS 7
Cyrus-Imap: RPM = cyrus-imapd-2.4.17-15.el7.x86_64

TLS CONFIGURATION:
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.key
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
tls_cipher_list: HIGH:!aNULL:!eNULL:!LOW:!MD5:!EXPORT:!DES:!3DES:!RC4:@STRENGTH
tls_prefer_server_ciphers: 1
tls_versions: tls1_2
#tls_versions: tls1_0 tls1_1 tls1_2

PROBLEM:
When I attempt to log in using cyradm I get SSL/TLS errors.
The only way I have been able to get this to work was to enable
TLS version 1.0. Security team won't allow less than TLS1.2 and I
am not able to move to a newer OS at this time. Is there a way to
get it working on CentOS 7 with TLSv1.2 or later? Maybe I need
different ciphers?

If I uncomment the last line I am able to connect and login.
tls_versions: tls1_0 tls1_1 tls1_2

ERRORS:
:~$ cyradm --user cyrus --tlskey --auth plain localhost
[ SSL_connect error -1 ]
[ SSL session removed ]
[ TLS negotiation did not succeed ]

LOGS: With only TLSv1.2 enabled
imap[]: STARTTLS negotiation failed: localhost [127.0.0.1]

LOGS: With TLSv1.0 enabled
imap[]: starttls: TLSv1 with cipher ECDHE-RSA-AES256-SHA
(256/256 bits new) no authentication

Any assistance is appreciated.
--Ez
Your error shows you are connecting from localhost. Why use TLS on
localhost... do the Security team insist on an encrypted connection on
localhost? Seems like overkill.
I run a separate IMAPD with a separate config file with
'allowplaintext: yes' which listens only for localhost connections,
for just this purpose. Even if you need to connect remotely, an SSH
session to localhost, which is easy to secure, will sort that out.
Simon.
--
Simon Wilson
M: 0400 12 11 16
----- End message from Ezsra McDonald <ezsra.mcdonald@xxxxxxxxx> -----
--
Simon Wilson
M: 0400 12 11 16
------------------------------------------
Cyrus: Info
Permalink: https://cyrus.topicbox.com/groups/info/T21eaaa194ab9b730-M7ef0a0aaa36bb87f159f4920
Delivery options: https://cyrus.topicbox.com/groups/info/subscription
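The split-service setup at the top of this message (a second imapd reading imapd-local.conf with allowplaintext: yes, bound to 127.0.0.1, beside the TLS-facing instance on the LAN address) is only safe while the plaintext instance really stays on loopback and the public instance really refuses TLS 1.0/1.1. As an added example, not code from this thread or from the Cyrus project, the following Python linter parses cyrus.conf service lines and the per-instance imapd.conf files and reports either condition being violated. The config text is a constructed copy of the snippets above embedded as strings so it runs offline; the assumptions are that an imapd started without -C reads /etc/imapd.conf, that "localhost" resolves to a loopback address, and that a missing allowplaintext counts as "no".

```python
"""Lint a split Cyrus imapd setup (added example, not Cyrus project code).

Rules checked, per imapd service line in cyrus.conf:
  1. An instance whose imapd.conf has `allowplaintext: yes` must bind only
     to a loopback address (the whole point of the imaplocal instance).
  2. An instance must not enable SSLv2/3 or TLS 1.0/1.1 via `tls_versions`.
Config text is embedded as constructed strings so the script runs offline.
"""
import ipaddress
import os
import re
import shlex

# Constructed from the cyrus.conf snippet in the thread.
CYRUS_CONF = """\
imaplocal cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:imap" prefork=1 proto=tcp4
imap cmd="imapd" listen="192.168.1.230:imap" prefork=5 proto=tcp4
"""

# Constructed per-instance config files, keyed by path. Using /etc/imapd.conf
# as the file an imapd without `-C` reads is an assumption of this example.
DEFAULT_IMAPD_CONF = "/etc/imapd.conf"
CONFIG_FILES = {
    DEFAULT_IMAPD_CONF: "tls_versions: tls1_2\nallowplaintext: no\n",
    "/etc/imapd-local.conf": "allowplaintext: yes\n",
}

WEAK_TLS = {"ssl2", "ssl3", "tls1_0", "tls1_1"}


def parse_services(text):
    """Parse `name key="value" key=value ...` service lines into dicts."""
    services = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *fields = shlex.split(line)  # shlex strips the quotes for us
        opts = dict(f.split("=", 1) for f in fields if "=" in f)
        services.append({"name": name, **opts})
    return services


def parse_imapd_conf(text):
    """Parse `option: value` lines of an imapd.conf into a dict."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip()] = value.strip()
    return opts


def config_path(cmd):
    """Return the config file an imapd command line reads (-C path or default)."""
    match = re.search(r"-C\s+(\S+)", cmd)
    return match.group(1) if match else DEFAULT_IMAPD_CONF


def bind_host(listen):
    """Host part of listen= ("127.0.0.1:imap", "[::1]:imap", "imap").
    A bare port means the wildcard address, returned as ""."""
    host, sep, _port = listen.rpartition(":")
    return host.strip("[]") if sep else ""


def is_loopback(host):
    """True for loopback IPs; "localhost" is assumed to resolve to loopback."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # wildcard "" or an unresolved hostname
        return False


def lint(cyrus_conf, config_files):
    """Return a list of findings (an empty list means the setup passes)."""
    findings = []
    for svc in parse_services(cyrus_conf):
        cmd = svc.get("cmd", "")
        if not cmd or os.path.basename(shlex.split(cmd)[0]) != "imapd":
            continue
        opts = parse_imapd_conf(config_files.get(config_path(cmd), ""))
        # A missing allowplaintext is treated as "no" here (assumption).
        plaintext = opts.get("allowplaintext", "no").lower() in ("yes", "1", "true")
        if plaintext and not is_loopback(bind_host(svc.get("listen", ""))):
            findings.append(
                f"{svc['name']}: allowplaintext enabled but listen="
                f"{svc.get('listen', '')!r} is not loopback-only")
        weak = WEAK_TLS & set(opts.get("tls_versions", "").split())
        if weak:
            findings.append(f"{svc['name']}: weak tls_versions enabled: {sorted(weak)}")
    return findings


if __name__ == "__main__":
    for finding in lint(CYRUS_CONF, CONFIG_FILES) or ["OK: no findings"]:
        print(finding)
```

Run as-is it reports no findings for the thread's layout; changing the imaplocal listen= to a bare port (all interfaces) or re-adding tls1_0 tls1_1 to the public instance's tls_versions produces a finding naming the service, which is the check to add to a config review before the plaintext instance goes live.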