Cyrus 2.2.12 / TLS problems (SSL working) / Thunderbird - kontact
Goetz Babin-Ebell
goetz at shomitefo.de
Wed Jul 5 14:55:19 EDT 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Denis Sacchet schrieb:
> Hi,
Hello Denis,
> I've had problems for 1 or 2 months with TLS connections to my cyrus
> server in IMAP. I will try to explain the configuration and the problem.
>
> First of all, here is my cyrus.conf and imapd.conf :
>
> /ETC/CYRUS.CONF :
>
> START {
> recover cmd="ctl_cyrusdb -r"
> }
> SERVICES {
> imap cmd="imapd -p 2 -s -U 1 -T 60" listen="143" prefork=8
^^
You aren't doing TLS here, but imap encapsulated in SSL...
> imaps cmd="imapd -p 2 -s -U 1 -T 60" listen="993" prefork=1
> cyradm cmd="imapd -p 0 -U 1 -T 60" listen="8143" prefork=1
> sieve cmd="timsieved" listen="127.0.0.1:2000" prefork=0
> lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
> }
[...]
> Here is the result of the imtest in TLS (-s on the port 143) :
>
> imtest -p 143 -s -a XXXX at XXXX.XXX 127.0.0.1
> verify error:num=19:self signed certificate in certificate chain
> TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
[...]
Please read the output:
you do IMAP encapsulated in SSL...
On a properly configured IMAP port 143, imtest with -s will fail:
imtest -a XXXX -s -p 143 imapserver
SSL_connect error 0 SSL error: ok
SSL session removed
failure: TLS negotiation failed!
> The same thing with the s_client of openssl :
>
> openssl s_client -host 127.0.0.1 -port 143 -tls1
> CONNECTED(00000003)
> depth=1 /C=FR/ST=Lorraine/L=Nancy/O=XXXX.XXX/OU=XXXX.XXX/CN=OUBA.ORG
> C.A./emailAddress=XXXX at XXXX.XXX
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
[...]
Also:
An unpatched OpenSSL s_client is not able to do TLS (STARTTLS)
on an IMAP server.
You are confused by the two different meanings of the acronym TLS here:
* In the SSL / OpenSSL context, TLS is the name of the reimplemented
SSL protocol.
* In the IMAP environment the meaning of the acronym TLS is:
inside an existing IMAP connection, a TLS (the protocol) session
is started with the STARTTLS command.
> So, it seems everything works fine, now try to connect with thunderbird
> with a fresh new profile :
> But if I switch to TLS on port 143, after a while (about 2 or 3 minutes):
>
> ==> err.log <==
> Jul 5 14:11:05 smtp imap[27757]: Fatal error: tls_start_servertls() failed
That is because your server speaks SSL encapsulated IMAP on
the port Thunderbird expects IMAP with STARTTLS...
[...]
> Do you think the problems come from Thunderbird or from Cyrus.
Your problem is your broken server configuration.
With TLS the handshake should look like:
imtest -a goetz -m EXTERNAL -t goetz.pem -F cacert.pem imapserver
S: * OK imapserver Cyrus IMAP4 v2.2.12 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE
STARTTLS AUTH=OTP AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT
LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
Enter PEM pass phrase:
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE
AUTH=PLAIN AUTH=OTP AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=EXTERNAL
SASL-IR LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
C: A01 AUTHENTICATE EXTERNAL Z29ldHo=
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256
. logout
* BYE LOGOUT received
. OK Completed
Connection closed.
With the exception that an unpatched imtest doesn't support the
EXTERNAL authentication method...
By the way:
I really hope your real user name is not ouba at ouba.org
with a password that begins with lgW ...
Bye
Goetz
- --
DMCA: The greed of the few outweighs the freedom of the many
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFErAsW2iGqZUF3qPYRAr3NAJ9zr2gq2vuVXjIBobK/JKruKQE2nQCfQvvX
gehDJKt4AKgqeRP7YLMaHiE=
=3MyG
-----END PGP SIGNATURE-----
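Added example, not code from the original thread or from Cyrus: a small probe that tells the two meanings of "TLS" in the reply above apart. It reads what the server sends first (a plaintext IMAP greeting, nothing at all, or a raw TLS record), asks for CAPABILITY, upgrades with STARTTLS when offered and then asks again inside TLS. The host, port and CA file are placeholders given on the command line; the SAMPLE_* lines are constructed from the handshake shown in the reply, and the helper names are my own. A verification failure (such as the self-signed chain the poster's s_client output complains about) is reported rather than swallowed.

```python
#!/usr/bin/env python3
"""Added example, not from the original thread or from Cyrus.

Distinguishes IMAP wrapped in SSL/TLS from the first byte (what Cyrus
serves on the imaps port 993, and what the poster put on 143) from
plaintext IMAP upgraded in-band with STARTTLS (RFC 2595).
Host, port and cafile are placeholders; SAMPLE_* lines are constructed
from the transcript in the reply above."""
import re
import socket
import ssl
import sys

IMAP_GREETING = re.compile(rb"^\* (OK|PREAUTH|BYE)\b")

# Constructed samples (abridged from the handshake shown in the reply).
SAMPLE_GREETING = b"* OK imapserver Cyrus IMAP4 v2.2.12 server ready\r\n"
SAMPLE_CAPS_BEFORE_TLS = ("* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ IDLE "
                          "STARTTLS AUTH=OTP AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR")
SAMPLE_CAPS_AFTER_TLS = ("* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ IDLE "
                         "AUTH=PLAIN AUTH=OTP AUTH=DIGEST-MD5 AUTH=CRAM-MD5 "
                         "AUTH=EXTERNAL SASL-IR")


def classify_first_bytes(data: bytes) -> str:
    """Classify what the server sent before the client said anything.

    A plaintext IMAP server greets at once with '* OK ...'.  An SSL-wrapped
    server stays silent until it sees a ClientHello, so the read times out
    and we see b''.  If bytes were already sent, a TLS endpoint answers with
    a TLS record: content type 0x15 (alert) or 0x16 (handshake), major 0x03."""
    if not data:
        return "silent"            # likely SSL/TLS-wrapped (imaps-style)
    if IMAP_GREETING.match(data):
        return "plaintext-imap"    # STARTTLS candidate
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls-record"        # server speaks SSL/TLS directly
    return "unknown"


def parse_capabilities(line: str) -> set:
    """Turn an untagged '* CAPABILITY ...' response into a set of atoms."""
    words = line.strip().split()
    if len(words) < 2 or words[0] != "*" or words[1].upper() != "CAPABILITY":
        raise ValueError("not a CAPABILITY response: %r" % line)
    return set(words[2:])


def mechanisms_gained_after_tls(before: set, after: set) -> set:
    """AUTH= mechanisms advertised only once TLS protects the connection
    (Cyrus withholds plaintext-capable ones before that, as the reply shows)."""
    return {c for c in after - before if c.startswith("AUTH=")}


def _read_line(sock) -> bytes:
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def _read_until_tag(sock, tag: str) -> list:
    """Collect response lines up to and including the tagged completion."""
    lines = []
    while True:
        line = _read_line(sock).decode("utf-8", "replace")
        if not line:
            break
        lines.append(line.rstrip("\r\n"))
        if line.startswith(tag + " "):
            break
    return lines


def probe_starttls(host: str, port: int = 143, cafile=None, timeout=5.0) -> dict:
    """Connect in the clear, upgrade with STARTTLS if offered; sends no credentials."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            greeting = _read_line(sock)
        except socket.timeout:
            greeting = b""
        mode = classify_first_bytes(greeting)
        if mode != "plaintext-imap":
            return {"mode": mode, "starttls": False}
        sock.sendall(b"C01 CAPABILITY\r\n")
        before = set()
        for l in _read_until_tag(sock, "C01"):
            if l.upper().startswith("* CAPABILITY"):
                before = parse_capabilities(l)
        if "STARTTLS" not in before:
            return {"mode": mode, "starttls": False, "caps": sorted(before)}
        sock.sendall(b"S01 STARTTLS\r\n")
        resp = _read_until_tag(sock, "S01")
        if not resp or not resp[-1].startswith("S01 OK"):
            return {"mode": mode, "starttls": False, "error": resp}
        try:
            tls = ctx.wrap_socket(sock, server_hostname=host)
        except ssl.SSLError as e:          # e.g. self-signed chain not in cafile
            return {"mode": mode, "starttls": False, "error": str(e)}
        # Ask again inside TLS: the pre-TLS list could have been altered in transit.
        tls.sendall(b"C02 CAPABILITY\r\n")
        after = set()
        for l in _read_until_tag(tls, "C02"):
            if l.upper().startswith("* CAPABILITY"):
                after = parse_capabilities(l)
        tls.sendall(b"L01 LOGOUT\r\n")
        result = {"mode": mode, "starttls": True, "tls_version": tls.version(),
                  "cipher": tls.cipher()[0],
                  "gained_after_tls": sorted(mechanisms_gained_after_tls(before, after))}
        tls.close()
        return result


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: %s host [port] [cafile]" % sys.argv[0])
    h = sys.argv[1]
    p = int(sys.argv[2]) if len(sys.argv) > 2 else 143
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    print(probe_starttls(h, p, ca))
```

Run it against port 143: a server configured as in the poster's cyrus.conf (imapd -s on 143) produces mode "silent" because it is waiting for a ClientHello, which is exactly the mismatch that makes Thunderbird's STARTTLS attempt die with tls_start_servertls() failed; a correctly configured 143 reports starttls True and lists the AUTH= mechanisms (such as AUTH=PLAIN) that only appear after the upgrade.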