<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Andrew Morgan wrote:
<blockquote
cite="mid:alpine.DEB.2.00.1001250923530.11527@shell.onid.oregonstate.edu"
type="cite">On Sat, 23 Jan 2010, Bob Dye wrote:
<br>
<br>
<blockquote type="cite">I'm running Cyrus-imapd 2.3.7 on a Redhat
Enterprise Linux 5 system.
<br>
<br>
TLS works fine if I connect to the imap port (143). If I try to connect
instead via the imaps port (993), the attempt times out and I get the
following in the log:
<br>
<br>
imaps[27170]: imaps TLS negotiation failed: [xx.xx.xx.xx]
<br>
imaps[27170]: Fatal error: tls_start_servertls() failed
<br>
<br>
Any ideas?
<br>
</blockquote>
<br>
Try the command line openssl client and see if it can negotiate
SSL/TLS. Something like this:
<br>
<br>
openssl s_client -connect your_server_dns_name:993 -CApath
/etc/ssl/certs
<br>
<br>
CApath should be the path to your local CA certificates directory,
/etc/ssl/certs on Debian Linux. You could also add -debug to get a hex
dump of the traffic.
<br>
<br>
Can you post your imapd.conf file (sanitized)?
<br>
<br>
Andy
<br>
</blockquote>
The openssl client connects successfully with TLSv1, AES256-SHA cipher,
and<br>
<br>
* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=DIGEST-MD5
AUTH=CRAM-MD5 SASL-IR] netserver.vintagefactor.com Cyrus IMAP4
v2.3.7-Invoca-RPM-2.3.7-7.el5_4.3 server ready<br>
<br>
I have a very standard imap.conf except for the use of SQL:<br>
<br>
configdirectory: /var/lib/imap<br>
partition-default: /var/spool/imap<br>
admins: cyrus root<br>
sievedir: /var/lib/imap/sieve<br>
sendmail: /usr/sbin/sendmail<br>
hashimapspool: true<br>
sasl_log_level: 10<br>
sasl_mech_list: PLAIN CRAM-MD5 DIGEST-MD5<br>
sasl_pwcheck_method: auxprop<br>
sasl_auxprop_plugin: sql<br>
sasl_sql_engine: mysql<br>
sasl_auto_transition: no<br>
sasl_sql_hostnames: mail-db.vintagefactor.com<br>
sasl_sql_user: mail<br>
sasl_sql_passwd: xxxxxxxx<br>
sasl_sql_database: mail<br>
sasl_sql_statement: SELECT password FROM accountuser WHERE username =
'%u'<br>
allowplaintext: yes<br>
unixhierarchysep: yes<br>
tls_require_cert: false<br>
tls_imap_require_cert: true<br>
tls_cert_file: /usr/share/ssl/certs/xxx.crt<br>
tls_key_file: /usr/share/ssl/private/xxx.key<br>
tls_ca_file: /usr/share/ssl/xxx.crt<br>
<br>
<br>
<div class="moz-signature">-- <br>
<div
style="margin: 0pt; font-family: black Arial,Helvetica,sans-serif; font-style: normal; font-variant: normal; font-weight: normal; font-size: 11pt; line-height: normal; font-size-adjust: none; font-stretch: normal;">
<p>Bob Dye<br>
Vintagefactor<br>
<a href="http://www.vintagefactor.com/"><br>
</a></p>
</div>
</div>
</body>
</html>