is TLS/SSL selection/connection ONLY via port 993?

Henrique de Moraes Holschuh hmh at debian.org
Tue Nov 16 02:18:43 EST 2004


On Mon, 15 Nov 2004, OpenMacNews wrote:
>    SERVICES {
> #    	imap          cmd="imapd" listen="imap" prefork=0
>    	imaps		   cmd="imapd -s" listen="imaps" prefork=0

That's not what you want.  Enable both services, and configure
sasl_minimum_layer to 128 (or is that 64? I forgot. See the SASL docs for
the correct value).

imapd -s is for IMAP connections that are externally wrapped by SSL (bad).
imapd is for non-encrypted IMAP connections, and IMAP connections that use
TLS (good).  sasl_minimum_layer tells Cyrus what you require of the
connection.

> however, if I instead log in with server == 
> mail2.internal.testdomain.com:993 and security == STARTTLS-TLSv1, no 
> connection occurs, and the attempt times out after the tls_session_timeout 
> (60 seconds).

Because you effectively connected without SSL to an SSL port.  TLS starts with
plaintext, and goes to encryption early (before any sensitive information is
exchanged, but *after* important stuff that could be useful to select
encryption/authentication keys, like the server name, is exchanged).

BTW add this to imapd.conf:
tls_cipher_list: ALL:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH

That will disable all weak ciphers, and leave you with medium grade and high
grade ciphers.  Try openssl ciphers -v '<what you have in tls_cipher_list>'
to see what you get.  If you can get away with it, remove SSLv2 (add !SSLv2
after ALL:) too.  man ciphers (openssl ciphers) to see how this works.

And try to have both sides of the connection authenticated (require client
certificates with a certification path known to the server).

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html