SSL with OperaMail leads to STARTTLS negotiation failed in the logs ?

Christian Schulte cs at
Sat May 10 23:07:44 EDT 2003

Stephen L. Ulmer wrote:

> "cs" == Christian Schulte <cs at> writes:
>  cs> Hello, I just installed Opera on Windows because someone
>  cs> reported problems with Opera's imapclient M2 if used with
>  cs> SSL. Enabling the "use TLS" checkbox in Opera's account
>  cs> configuration dialog does not lead to Opera using the desired
>  cs> port 993 ! Opera remains using port 143 and then fails to
>  cs> connect. In the logfiles I see entries like:
>If Opera is using TLS (as opposed to IMAP over SSL) then it *should*
>be connecting to port 143, then issuing a STARTTLS.
I just read that in RFC2595. So normally Opera should not have any 
problems with STARTTLS on port 143 and something really is wrong with my 

>By chance is your IMAP server trying to use the TLS client cert for
Don't know! Here is my imapd.conf:
smtp:/var/httpd/CS20020307/pub/ cat 
configdirectory: /var/imap
partition-default: /var/spool/imap
sievedir: /var/spool/sieve
servername: somename
admins: someadmins
defaultdomain: somedomain
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: mysql
sasl_allowanonymouslogin: no
sasl_allowplaintext: yes
sasl_mech_list: PLAIN LOGIN
sasl_mysql_user: someuser
sasl_mysql_passwd: somepass
sasl_mysql_hostnames: localhost
sasl_mysql_database: admin
sasl_mysql_statement: select password from SASLUser where login='%u' and 
domain='%r' and IMAP='YES'
tls_cert_file: /var/imap/imap.crt
tls_key_file: /var/imap/imap.key
tls_ca_file: /usr/lib/ssl/demoCA/cacert.pem
idlesocket: /var/imap/socket/idle
unixhierarchysep: yes
virtdomains: yes
altnamespace: on
sharedprefix: Teamordner
userprefix: Accounts
unix_group_enable: 0
umask: 007
imapidresponse: no
logtimestamps: 1
lmtp_over_quota_perm_failure: 1
autocreatequota: -1

How can it be configured then ?

>If you haven't issues the certs for that purpose
>(like we haven't here at UF, no PKI) then that would fail.
The only thing which deals with certificate type in my openssl.cnf is

# This is OK for an SSL server.
nsCertType                      = server

but this is only relevant for netscape 4 I think.

>I think I remember seeing that a self-signed client cert would fail
>TLS negotiation because a failed TLS authentication would cause the
>whole negotiation to fail.  Now I can't remember why I was even
>looking at it...
I have setup a demoCA with openssl. I configured openssl.cnf to make 
valid certificates which work even in netscape 4. I even plublish the 
crl and have crlDistributionPoints set correctly in openssl.cnf. I 
created new certificates using -newreq-nodes for cyrus and signed 
them with the demoCA cacert. So nothing self-signed for now, or ?

tls_cert_file: /var/imap/imap.crt = the certificate signed by tls_ca_file
tls_key_file: /var/imap/imap.key = the corressponding key unencrypted
tls_ca_file: /usr/lib/ssl/demoCA/cacert.pem = the ca certificate with 
which all certificates get signed

So I have a self-signed ca certificate then and you mean that could be 
the problem ?


More information about the Info-cyrus mailing list