Make cyradm use plain+tls

Perry Brown vbperry at hotmail.com
Tue May 2 15:24:22 EDT 2006


Hi All,

Thank you for the suggestions. I'd love to get this working without the 
extra dependency of stunnel. Following on Patrick's suggestion, I modified 
imapd.conf:

defaultpartition: imap1
configdirectory: /var/imap
partition-imap1: /var/spool/imap1
admins: cyrus support
srvtab: /var/imap/srvtab
quotawarn: 85
popminpoll: 0
autocreatequota: 30000
sasl_pwcheck_method: saslauthd
lmtp_over_quota_perm_failure: 1
allowusermoves: yes
proxy_authname: cyrus
proxy_password: password
tls_cert_file: /local/imap/server1.sub1.domain.com.pem (on the dest host 
this is set to server2.sub2.domain.com.pem)
tls_key_file: /local/imap/server1.sub1.domain.com.pem (changed like above.)



I log into imtest:

/opt/mail/cyrus-imapd/bin/imtest -t "" -p imap -u cyrus -a cyrus -m plain

Run
C: XFER user.vbperry server2.sub2.domain.com

and get
C: NO Server(s) unavailable to complete operation



Am I using the right auth mode? Should the imtest connect or xfer command be 
formatted differently? I looked in the archives and could not locate the 
thread you mentioned. Was that on list?


Thanks for the help.

perry





>
>Ken, Richard Gilbert and I had a discussion about this last week (which I'll 
>try to summarize).
>
>Here is an alternative to the stunnel stuff.
>
>1. Use imtest to issue XFER command (c: XFER user.phr2101test bacon)
>you may need to
>2. Remove 'force_sasl_client_mech: plain login' from the file. This line 
>will prevent plain+tls from happening correctly between backends when 
>issuing XFER from imtest (my understanding is that the mech list is checked 
>prior to the STARTTLS, and since PLAIN isn't advertised until afterwards, 
>Cyrus thinks the mechanism isn't available. Removing this option prevents 
>the mech list from being checked.. or something).
>
>-Patrick
>
>
>
>On Mon, 1 May 2006, Perry Brown wrote:
>
>>From a thread last month some fine folks on this list suggested I set up 
>>tls for plain so that I could do an xfer of mailboxes from one host to 
>>another.
>>
>>I got that set up and I am able to do an imtest from one host to the other 
>>one and it gets authenticated with plain+tls.
>>
>>My problem now happens when going back to cyradm to do the xfer. When I 
>>log into the source host I'm authenticated with plain and when I run the 
>>xfer command it tries to connect to the destination server as plain.
>>
>>How can I force cyradm to connect with plain+tls? Or possibly some work 
>>around using Cyrus::IMAP::Shell
>>
>>I looked at just about every news group and website and a couple of them 
>>mentioned it's not possible to force tls in cyradm but the date on those 
>>sites were from a few years ago and my hope is something has changed in 
>>the interim.
>>
>>Here is imapd.conf:
>>defaultpartition: imap1
>>configdirectory: /var/imap
>>partition-imap1: /var/spool/imap1
>>admins: cyrus support
>>srvtab: /var/imap/srvtab
>>quotawarn: 85
>>popminpoll: 0
>>autocreatequota: 30000
>>sasl_pwcheck_method: saslauthd
>>lmtp_over_quota_perm_failure: 1
>>allowusermoves: yes
>>proxy_authname: cyrus
>>proxy_password: password
>>force_sasl_client_mech: plain login
>>tls_cert_file: /local/imap/server1.sub1.domain.com.pem
>>tls_key_file: /local/imap/server1.sub1.domain.com.pem
>>
>>Thank you
>>Perry
>>
>>
>>----
>>Cyrus Home Page: http://asg.web.cmu.edu/cyrus
>>Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
>>List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>>
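The explanation offered in the quoted reply, modelled as an added example (not code from the thread or from Cyrus): a client pinned to a forced mechanism that consults the mechanism list before STARTTLS finds no PLAIN and gives up, while an unpinned client negotiates TLS first and then sees it. The CAPABILITY lines are constructed samples, the function names are hypothetical, and the selection order is an assumption.

```python
# Constructed CAPABILITY responses from a hypothetical backend that only
# advertises plaintext mechanisms once TLS is active.
CAPS_CLEAR = "* CAPABILITY IMAP4 IMAP4rev1 STARTTLS LOGINDISABLED AUTH=DIGEST-MD5 AUTH=CRAM-MD5"
CAPS_TLS = "* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5"

# Relevant imapd.conf keys from the thread, with and without the forced mech.
CONF_FORCED = "proxy_authname: cyrus\nforce_sasl_client_mech: plain login\n"
CONF_UNFORCED = "proxy_authname: cyrus\n"

def parse_imapd_conf(text):
    """Parse 'key: value' lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip()
    return conf

def parse_capability(line):
    """Split a CAPABILITY line into (SASL mechanisms, other atoms)."""
    atoms = line.upper().split()[2:]  # drop "*" and "CAPABILITY"
    mechs = {a[5:] for a in atoms if a.startswith("AUTH=")}
    return mechs, {a for a in atoms if not a.startswith("AUTH=")}

def pick_mechanism(conf_text, caps_clear=CAPS_CLEAR, caps_tls=CAPS_TLS):
    """Return (mechanism or None, reason) for a backend-to-backend login."""
    conf = parse_imapd_conf(conf_text)
    forced = conf.get("force_sasl_client_mech", "").upper().split()
    clear_mechs, clear_other = parse_capability(caps_clear)
    if forced:
        # Assumed behaviour per the reply: list is checked before STARTTLS.
        usable = [m for m in forced if m in clear_mechs]
        if not usable:
            return None, "forced mechanism not advertised before STARTTLS"
        return usable[0], "selected on cleartext connection"
    if "STARTTLS" not in clear_other:
        return None, "server does not offer STARTTLS"
    tls_mechs, _ = parse_capability(caps_tls)
    for mech in ("PLAIN", "LOGIN"):  # assumed preference: the thread wants PLAIN+TLS
        if mech in tls_mechs:
            return mech, "selected after STARTTLS"
    return None, "no plaintext mechanism offered after STARTTLS"

if __name__ == "__main__":
    print(pick_mechanism(CONF_FORCED))
    print(pick_mechanism(CONF_UNFORCED))
```
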



