Re: CalDAV with https + DIGEST-MD5 fails


 



On Sat, 12 Nov 2022, at 8:25 PM, cyrus@xxxxxxxxxxx wrote:
> But yes, basic + https will work, since this is a new CalDAV install.  I was previously using the same imapd.conf file with both imapd/pop3d and httpd, but I've now created a custom conf file for httpd.
>
> Changing to plain + STARTTLS for all imap/pop3 clients would be more difficult, given how many clients (Outlook!) are already using DIGEST-MD5 there, but I should probably get started on that.

Even in the same install, with the same config, you should be able to configure it differently for different services.  I don't exactly remember the specifics (so please cross reference the documentation), but the approximate shape is something like this...

In your cyrus.conf, you'll have an entry under SERVICES for each service.  Your https service, for example, might look something like this:

https cmd="httpd -s" listen="https" prefork=0

That word on the left hand side ("https") is a name for the service, that you choose.  It's usually named after the protocol it serves, but it can be anything you want.

In your imapd.conf, most (all?) entries can be prefixed with one of these names to provide a configuration that is specific for the named service only.  So as a contrived example, your imapd.conf could contain:

debug: no
dbgimap_debug: yes

And if you then had a SERVICES entry like:

dbgimap cmd=imapd listen=2993 prefork=0

That service would run with "debug: yes" instead of the "debug: no" that's configured for everything else, and imap clients connecting to port 2993 would have their actions logged at the higher logging level.

In your specific case, there's some SASL option that you put in your imapd.conf that controls which mechs are supported -- it's something like "sasl_mech_list" but I don't remember exactly offhand.  Anyway, assuming your https service is named "https", you could have something like this in your imapd.conf:

sasl_mech_list: [whatever you need for imap/pop/etc]
https_sasl_mech_list: [whatever you need for https]

And then you'd be able to configure your https with whatever auth configuration it needs, without needing to change how your other services are auth'd.  Hope this is useful somehow :)

Cheers,

ellie
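
Added example, not part of the original message and not Cyrus code: a small audit helper that models the per-service override lookup described above and reports which SASL mechanisms each service in SERVICES would be configured with. The sample cyrus.conf and imapd.conf contents are constructed, and the option name sasl_mech_list should be checked against the imapd.conf documentation for your version, as the message itself says.

```python
import re

# Constructed sample configuration (not from the original thread).
CYRUS_CONF = """
SERVICES {
  imap    cmd="imapd" listen="imap" prefork=0
  pop3    cmd="pop3d" listen="pop3" prefork=0
  https   cmd="httpd -s" listen="https" prefork=0
}
"""
IMAPD_CONF = """
# global default, used by every service without an override
sasl_mech_list: DIGEST-MD5 PLAIN
https_sasl_mech_list: PLAIN
"""

def service_names(cyrus_conf):
    """Return the name on the left-hand side of each SERVICES entry."""
    block = re.search(r"SERVICES\s*\{(.*?)\}", cyrus_conf, re.S)
    names = []
    for line in (block.group(1) if block else "").splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.append(line.split()[0])
    return names

def parse_imapd_conf(text):
    """Parse 'option: value' lines, skipping blanks and comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip()] = value.strip()
    return opts

def effective(opts, service, option):
    """A '<service>_<option>' entry wins over the plain '<option>' entry."""
    return opts.get(f"{service}_{option}", opts.get(option))

def mech_report(cyrus_conf, imapd_conf, option="sasl_mech_list"):
    """Map each service name to the mechanism list it would be given."""
    opts = parse_imapd_conf(imapd_conf)
    report = {}
    for svc in service_names(cyrus_conf):
        value = effective(opts, svc, option)
        report[svc] = value.split() if value else []
    return report
```

Running mech_report over the real files before and after a change shows whether an override such as https_sasl_mech_list only affected the service it was meant for.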
