is TLS/SSL selection/connection ONLY via port 993?
OpenMacNews
cyrus-info.20.openmacnews at spamgourmet.com
Mon Nov 15 23:43:53 EST 2004
hi all,
on a MacOSX 10.3.6 sys with:
cyrus-imap 2.2.8
cyrus-sasl 2.1.20
i've a canonical server:
testserver.internal.testdomain.com
and a virtual domain:
mail2.internal.testdomain.com
i'm currently auth'ing PLAINTEXT via auxprop+sql (MySQL 4.1.7)
i've setup cyrus.conf to LISTEN *only* on the imaps svc (port 993)
...
SERVICES {
# imap cmd="imapd" listen="imap" prefork=0
imaps cmd="imapd -s" listen="imaps" prefork=0
...
and, imapd.conf to include:
...
sasl_mech_list: PLAIN LOGIN
sasl_password_format: crypt
sasl_minimum_layer: 0
sasl_maximum_layer: 1024
...
tls_cipher_list: TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
tls_require_cert: 0
tls_session_timeout: 60
...
using my imap client (mulberry), i can successfully login to an account,
'testuser' in the virtual domain, with server ==
mail2.internal.testdomain.com:993 and security == SSLv3.
however, if i instead login with server == mail2.internal.testdomain.com:993
and security == STARTTLS-TLSv1, no connection occurs, and the attempt times out
after the tls_session_timeout (60 seconds).
if i then drop back to listen ONLY on imap service, i.e. cyrus.conf:
...
SERVICES {
imap cmd="imapd" listen="imap" prefork=0
# imaps cmd="imapd -s" listen="imaps" prefork=0
...
i can successfully make connections to server:143 with security == NO
SECURITY !!or!! security == STARTTLS-TLSv1 !!or!! security == SSLv3. i.e., TLS
negotiated sessions are occurring over port 143 -- the 'wrong' port.
bottom line:
client to server:143, security = NO SECURITY --> OK (right)
client to server:143, security = SSLv3, STARTTLS-TLSv1 --> OK (wrong)
client to server:993, security = NO SECURITY --> NO CONNECTION (right)
client to server:993, security = SSLv3 --> OK (right)
client to server:993, security = STARTTLS-TLSv1 --> NO CONNECTION (wrong)
#####################
## QUESTION
i don't think this is right, is it? aren't TLS & SSL sessions ONLY
supposed to connect to port 993, and sessions with no-security ONLY to port 143?
or, have i misunderstood how this is supposed to operate?
threads here:
http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&msg=19483
http://www.mail-archive.com/info-cyrus@lists.andrew.cmu.edu/msg02411.html
have me suspecting this may be the client ...
thanks,
richard
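An added example, not from the original post or the Cyrus project, that probes the two listener styles the client matrix above distinguishes: implicit TLS on 993 (handshake before any IMAP greeting) and an in-band STARTTLS upgrade on 143, and flags whether the cleartext listener still accepts plaintext LOGIN. The host name is a placeholder assumption.

```python
import imaplib
import socket
import ssl

HOST = "mail2.internal.testdomain.com"  # placeholder host (assumption)

def parse_capabilities(cap_line):
    """Summarise a CAPABILITY line seen on a cleartext socket.
    RFC 3501 lets a client send LOGIN unless LOGINDISABLED is advertised,
    so a port-143 listener without it accepts passwords in the clear.
    """
    caps = {c.upper() for c in cap_line.split()}
    return {
        "starttls": "STARTTLS" in caps,
        "login_disabled": "LOGINDISABLED" in caps,
        "plaintext_login_exposed": "LOGINDISABLED" not in caps,
    }

def probe_implicit_tls(host, port=993, timeout=5.0):
    """Port 993: TLS handshake first; the IMAP greeting arrives inside it.

    A client that writes cleartext IMAP here waits for a greeting that never
    comes, which is the STARTTLS-on-993 timeout described in the post.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.recv(512).startswith(b"* OK")
    except OSError:  # ssl.SSLError is an OSError subclass
        return False

def probe_starttls(host, port=143, timeout=5.0):
    """Port 143: cleartext greeting and CAPABILITY, then in-band upgrade."""
    result = {"connected": False, "upgraded": False}
    try:
        conn = imaplib.IMAP4(host, port, timeout=timeout)
    except OSError:
        return result
    result["connected"] = True
    result.update(parse_capabilities(" ".join(conn.capabilities)))
    if result["starttls"]:
        try:
            conn.starttls(ssl_context=ssl.create_default_context())
            result["upgraded"] = True
        except (OSError, imaplib.IMAP4.error):
            pass
    conn.logout()
    return result
```

Run `probe_implicit_tls(HOST)` and `probe_starttls(HOST)` against each cyrus.conf variant above; a 143 listener that reports `plaintext_login_exposed` is the one that accepts credentials without TLS.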