<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Andrew Morgan wrote:
<blockquote
cite="mid:alpine.DEB.2.00.1001251159530.11527@shell.onid.oregonstate.edu"
type="cite">On Mon, 25 Jan 2010, Bob Dye wrote:
<br>
<br>
<blockquote type="cite">Andrew Morgan wrote:
<br>
<blockquote type="cite">On Sat, 23 Jan 2010, Bob Dye wrote:
<br>
<br>
<blockquote type="cite">I'm running Cyrus-imapd 2.3.7 on a Redhat
Enterprise Linux 5 system.
<br>
<br>
TLS works fine if I connect to the imap port (143). If I try to connect
instead via the imaps port (993), the attempt times out and I get the
following in the log:
<br>
<br>
imaps[27170]: imaps TLS negotiation failed: [xx.xx.xx.xx]
<br>
imaps[27170]: Fatal error: tls_start_servertls() failed
<br>
<br>
Any ideas?
<br>
</blockquote>
<br>
Try the command line openssl client and see if it can negotiate
SSL/TLS. Something like this:
<br>
<br>
openssl s_client -connect your_server_dns_name:993 -CApath
/etc/ssl/certs
<br>
<br>
CApath should be the path to your local CA certificates directory,
/etc/ssl/certs on Debian Linux. You could also add -debug to get a hex
dump of the traffic.
<br>
<br>
Can you post your imapd.conf file (sanitized)?
<br>
<br>
Andy
<br>
</blockquote>
The openssl client connects successfully with TLSv1, AES256-SHA cipher,
and
<br>
<br>
* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=DIGEST-MD5
AUTH=CRAM-MD5 SASL-IR] netserver.vintagefactor.com Cyrus IMAP4
v2.3.7-Invoca-RPM-2.3.7-7.el5_4.3 server ready
<br>
<br>
I have a very standard imap.conf except for the use of SQL:
<br>
<br>
configdirectory: /var/lib/imap
<br>
partition-default: /var/spool/imap
<br>
admins: cyrus root
<br>
sievedir: /var/lib/imap/sieve
<br>
sendmail: /usr/sbin/sendmail
<br>
hashimapspool: true
<br>
sasl_log_level: 10
<br>
sasl_mech_list: PLAIN CRAM-MD5 DIGEST-MD5
<br>
sasl_pwcheck_method: auxprop
<br>
sasl_auxprop_plugin: sql
<br>
sasl_sql_engine: mysql
<br>
sasl_auto_transition: no
<br>
sasl_sql_hostnames: mail-db.vintagefactor.com
<br>
sasl_sql_user: mail
<br>
sasl_sql_passwd: xxxxxxxx
<br>
sasl_sql_database: mail
<br>
sasl_sql_statement: SELECT password FROM accountuser WHERE username =
'%u'
<br>
allowplaintext: yes
<br>
unixhierarchysep: yes
<br>
tls_require_cert: false
<br>
tls_imap_require_cert: true
<br>
tls_cert_file: /usr/share/ssl/certs/xxx.crt
<br>
tls_key_file: /usr/share/ssl/private/xxx.key
<br>
tls_ca_file: /usr/share/ssl/xxx.crt
<br>
</blockquote>
<br>
It sounds like a client configuration problem then. You should choose
"SSL" when connecting to port 993 and "TLS" when connecting to port
143.
<br>
<br>
Andy
<br>
</blockquote>
OK. Thanks.<br>
<br>
But it does seem odd that it supports STARTTLS on 143 but not 993.<br>
<br>
<div class="moz-signature">-- <br>
<div
style="margin: 0pt; font-family: black Arial,Helvetica,sans-serif; font-style: normal; font-variant: normal; font-weight: normal; font-size: 11pt; line-height: normal; font-size-adjust: none; font-stretch: normal;">
<p>Bob Dye<br>
Vintagefactor<br>
P.O. Box 852<br>
St. Helena, CA 94574-0852<br>
Cell: 707.738.9919<br>
Tel: 707.963.6045<br>
Fax: 707.967.5578<br>
<a href="http://www.vintagefactor.com/">www.vintagefactor.com</a></p>
</div>
</div>
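<p>The port/mode mismatch Andy describes (SSL on 993, TLS on 143) comes down to what the server expects as the first bytes on the socket: on 993 it expects a TLS ClientHello, while on 143 it expects a cleartext IMAP command and a later STARTTLS upgrade. The following is an added Python example, not code from this thread or from Cyrus; the client sample bytes and the port-143 greeting are constructed, the port-993 greeting is the one quoted above, and the function names are my own.</p>

```python
import re

# Constructed samples: what a server on port 993 sees from a client set to
# "SSL" (a TLS handshake record) versus from a client wrongly set to "TLS"
# (STARTTLS mode), which sends a cleartext IMAP command on the TLS-only port.
TLS_CLIENT_HELLO = bytes.fromhex("16030100") + b"\x2c\x01\x00\x00\x28\x03\x01" + b"\x00" * 40
CLEARTEXT_IMAP = b"a001 CAPABILITY\r\n"

# Greeting seen through openssl s_client on 993 in the thread (no STARTTLS
# advertised, because TLS is already in place), and a constructed 143 greeting.
GREETING_993 = ("* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=DIGEST-MD5 "
                "AUTH=CRAM-MD5 SASL-IR] netserver.vintagefactor.com Cyrus IMAP4 "
                "v2.3.7-Invoca-RPM-2.3.7-7.el5_4.3 server ready")
GREETING_143 = "* OK [CAPABILITY IMAP4 IMAP4rev1 STARTTLS LOGINDISABLED] example.test server ready"

def tls_mode_for_port(port: int) -> str:
    """993 (imaps) is TLS from the first byte; 143 starts cleartext and upgrades."""
    return "implicit" if port == 993 else "starttls"

def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a client sent: a TLS record begins with
    content-type 0x16 (handshake) and a 0x03 0x0N version; a cleartext IMAP
    command begins with a printable tag followed by a command name."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls-client-hello"
    if re.match(rb"^[A-Za-z0-9]+ [A-Za-z]+", data):
        return "cleartext-imap"
    return "unknown"

def diagnose(port: int, first_bytes: bytes) -> str:
    """Explain a 'TLS negotiation failed' style error from the server's view."""
    mode = tls_mode_for_port(port)
    kind = classify_first_bytes(first_bytes)
    if mode == "implicit" and kind == "cleartext-imap":
        return "client sent cleartext IMAP on 993: set the client to SSL (implicit TLS)"
    if mode == "starttls" and kind == "tls-client-hello":
        return "client sent a TLS handshake on 143: set the client to TLS (STARTTLS)"
    return "ok"

def capabilities(greeting: str) -> set:
    """Parse the CAPABILITY list from an IMAP greeting; STARTTLS appears
    only on the cleartext port, never inside an already-encrypted session."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", greeting)
    return set(m.group(1).split()) if m else set()
```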
</body>
</html>