STARTTLS available?
Jorey Bump
list at joreybump.com
Mon Oct 23 14:46:07 EDT 2006
Marten Lehmann wrote:
> Hello,
>
>> Good, now show us your imapd.conf and any tls errors that appear in
>> your log.
>
> configdirectory: /cyrus/config
> partition-default: /cyrus/spool
> admins: cyrus
> sievedir: /cyrus/config/sieve
> sendmail: /usr/sbin/sendmail
>
> altnamespace: true
> hashimapspool: true
> unixhierarchysep: true
> virtdomains: userid
> allowusermoves: true
>
> sasl_pwcheck_method: getpwent auxprop saslauthd
> sasl_mech_list: PLAIN
>
> servername: test
> imaps_tls_cert_file: /cyrus/certs/imap.crt
> imaps_tls_key_file: /cyrus/certs/imap.key
> pop3s_tls_cert_file: /cyrus/certs/pop3.crt
> pop3s_tls_key_file: /cyrus/certs/pop3.key
>
> lmtp_over_quota_perm_failure: true
> munge8bit: true
> username_tolower: true
You have not configured tls_cert_file or tls_key_file, only TLS for the
imaps (normally port 993) and pop3s (normally port 995) services.
> There are no TLS errors as TLS is working fine. Remember: pop3s is
> running with SSL on port 995 all the time, same with imaps on port 993.
> Whereas pop3 on port 110 and imap on port 143 are usually not encrypted.
> But with STARTTLS you can encrypt the session while still connecting to
> port 110/143, while you usually have to connect to the special ports to
> get encrypted connections. However, the server must show that it
> supports STARTTLS by mentioning it on the CAPABILITIES list; otherwise
> clients won't try to use it.
Configure tls_cert_file and tls_key_file, which will be shared by imap,
imaps, pop3, and pop3s by default. Unless you have a compelling reason
for offering different certificates, delete your (imaps|pop3s)_tls_*
entries from imapd.conf. When you enable these services in cyrus.conf,
they will use the key/cert specified in tls_(key|cert)_file, unless
overridden with the prefix of the service name used in cyrus.conf, as
you have done.
Remember, imaps and pop3s (started with -s) do not use or offer
STARTTLS, and configuration settings applied to them will have no effect
on the standard imap or pop3 services.
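The check Jorey's advice implies, as an added example that is not part of the original thread or of the Cyrus distribution: after adding tls_cert_file and tls_key_file to imapd.conf, confirm that the plaintext ports now advertise and complete a STARTTLS upgrade. IMAP advertises it as the STARTTLS token in the CAPABILITY response; POP3 advertises it as STLS in the CAPA response (RFC 2595). The first function works on a capability response you already have (sample responses below are constructed, and the helper is not Cyrus code); the second assumes a reachable host and a local `openssl` binary and negotiates the upgrade for real.

```bash
#!/bin/sh
# Added example, not from the original post or from Cyrus. Verifies that a
# Cyrus imapd/pop3d offers STARTTLS on the plaintext ports (143/110), which is
# what happens once imapd.conf carries the service-independent pair, e.g.
#   tls_cert_file: /cyrus/certs/imap.crt
#   tls_key_file:  /cyrus/certs/imap.key
# (paths are assumptions; the imaps_/pop3s_ prefixed entries do not do this).

# starttls_advertised PROTO CAPABILITY_TEXT
#   PROTO is "imap" or "pop3". CAPABILITY_TEXT is the raw capability response
#   (IMAP: "* CAPABILITY ..." or the "[CAPABILITY ...]" greeting; POP3: the
#   multi-line CAPA reply). Exit status 0 when the STARTTLS (IMAP) or STLS
#   (POP3) token is present, 1 when absent, 2 on an unknown protocol.
starttls_advertised() {
    proto=$1
    caps=$2
    case $proto in
        imap) token=STARTTLS ;;
        pop3) token=STLS ;;
        *) echo "unknown protocol: $proto" >&2; return 2 ;;
    esac
    # Drop CRs and the [] around a greeting capability list, upper-case,
    # split tokens one per line, then match the token as a whole word.
    printf '%s\n' "$caps" \
        | tr -d '\r[]' \
        | tr 'a-z' 'A-Z' \
        | tr ' ' '\n' \
        | grep -q "^${token}\$"
}

# probe_starttls HOST PORT PROTO
#   Performs the real upgrade with openssl s_client. s_client reads the
#   capability response itself and only proceeds if the upgrade is offered,
#   so a server certificate in the output means STARTTLS was negotiated.
#   Contrast with the implicit-TLS ports (993/995), where no -starttls is used.
probe_starttls() {
    host=$1
    port=$2
    proto=$3
    if openssl s_client -connect "$host:$port" -starttls "$proto" \
            </dev/null 2>/dev/null | grep -q 'BEGIN CERTIFICATE'; then
        echo "$proto on $host:$port: STARTTLS negotiated"
        return 0
    fi
    echo "$proto on $host:$port: STARTTLS not available"
    return 1
}

# Usage (host name is an assumption):
#   probe_starttls imap.example.com 143 imap
#   probe_starttls imap.example.com 110 pop3
```

Run the two probes after restarting cyrus-imapd; if the imaps/pop3s ports still work but the probes report "not available", the certificate and key are only reaching the -s services, which is exactly the misconfiguration described above.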