STARTTLS available?

Jorey Bump list at joreybump.com
Sun Oct 22 13:04:22 EDT 2006


Marten Lehmann wrote:
> Hello,
> 
>> Configure TLS. "man imapd.conf", 
>> ./doc/(text/)install-configure(.html), ...
> 
> I already have TLS resp. SSL (on separate ports)! But STARTTLS is an 
> extension so you can use SSL through the common pop3 or imap port (not 
> the special SSL one), because with STARTTLS you can open a SSL 
> connection within the common pop3 or imap session. I haven't found an 
> option how to enable the STARTTLS extension.

There is no explicit on/off toggle for TLS. From the imapd.conf man page:

  tls_cert_file: <none>
    File containing the certificate presented for server authentication
    during STARTTLS. A value of "disabled" will disable SSL/TLS.

  tls_key_file: <none>
    File containing the private key belonging to the server certificate.
    A value of "disabled" will disable SSL/TLS.

So, as Andreas indicated, configuring TLS should be enough to offer 
STARTTLS. The only configuration I needed to do was to add something 
like this to imapd.conf (Cyrus-IMAPD 2.3.7):

# TLS
tls_cert_file: /etc/ssl/certs/imap.crt
tls_key_file: /etc/ssl/certs/imap.key
tls_ca_file: /etc/ssl/certs/ca-bundle.crt

This assumes that Cyrus IMAPD was compiled with openssl support (the 
default) and that you haven't somehow overridden the defaults with 
further configuration. It's possible that some distros divide Cyrus 
IMAPD into several smaller packages, so if you're using a package-based 
system, be sure you've installed everything you need.

I compile Cyrus IMAPD from source, and it includes a nice utility called 
imtest that allows you to interact directly with an IMAP server even if it 
uses STARTTLS or the imaps port. Therefore, it's a lot more convenient 
than telnet. I recommend installing it if you don't have it.

Now you need to prove that you have properly configured TLS:

  imtest -a marten mail.example.com

Some servers will include the CAPABILITY in the banner, but imtest will 
also issue the CAPABILITY command. Look for STARTTLS in the list. If 
it's not there, you need to check your installation or configuration. 
For more help from this list, you should include your imapd.conf and any 
relevant errors from your log.

To close the imtest session, type:

  . logout

You can also test your imaps configuration:

  imtest -a marten -s mail.example.com

This will *not* offer STARTTLS, as the connection is already encrypted.
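The check described above (look for STARTTLS in the banner or in the CAPABILITY reply) can also be scripted. The following is an added example, not code from the post or from Cyrus; the two transcripts are constructed to show both ways a server can advertise its capabilities, and mail.example.com is the hostname used in the post.

```python
import imaplib
import re

# Constructed sample transcripts (not captured from a real server).
# Cyrus puts the list in the greeting banner; other servers only answer
# the explicit CAPABILITY command. Both shapes must be handled.
BANNER_WITH_STARTTLS = (
    "* OK [CAPABILITY IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN] "
    "mail.example.com Cyrus IMAP ready\r\n"
)
CAPABILITY_REPLY_NO_STARTTLS = (
    "* CAPABILITY IMAP4rev1 LITERAL+ ID AUTH=PLAIN LOGINDISABLED\r\n"
    ". OK Completed\r\n"
)


def parse_capabilities(transcript: str) -> set:
    """Collect capability tokens from a '[CAPABILITY ...]' response code in
    the banner and from untagged '* CAPABILITY ...' lines. Tokens are
    upper-cased because IMAP atoms are case-insensitive."""
    caps = set()
    for line in transcript.splitlines():
        m = re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.IGNORECASE)
        if m:
            caps.update(m.group(1).upper().split())
            continue
        if line.upper().startswith("* CAPABILITY "):
            caps.update(line[len("* CAPABILITY "):].upper().split())
    return caps


def offers_starttls(transcript: str) -> bool:
    """True if the server advertised STARTTLS on the plaintext port."""
    return "STARTTLS" in parse_capabilities(transcript)


def check_server(host: str, port: int = 143) -> bool:
    """Live version of the check (needs network): connect to the plain
    IMAP port, let imaplib read the banner and issue CAPABILITY if the
    banner did not carry one, and report whether STARTTLS is offered."""
    conn = imaplib.IMAP4(host, port)
    try:
        return "STARTTLS" in conn.capabilities
    finally:
        conn.logout()
```

Running `check_server("mail.example.com")` against your own server is the scripted equivalent of the imtest step; a False result means the tls_cert_file/tls_key_file settings are not taking effect.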
