Sync and TLS
Andrew Heagle
andrew at logaan.com
Mon Jul 21 15:22:17 EDT 2008
Hello,
Not sure if I have something misconfigured or what, but I can't seem to
force the sync_server or sync_client to use TLS at all.
I ran tcpdump on the sync_server and I can see it is all in plain text. I
can even use telnet to login to the sync server and it will authenticate
me without any encryption at all. (Feel free to point out any other
problems you think I may have with my configs as well, thanks).
Here is the version I am running:
# rpm -qa | grep cyrus-imap
cyrus-imapd-perl-2.3.12p2-1
cyrus-imapd-2.3.12p2-1
cyrus-imapd-utils-2.3.12p2-1
cyrus.conf file on the master server:
>>>>>>>>>>>>>>>>Start Cyrus.conf<<<<<<<<<<<<<<<<<
START {
recover cmd="ctl_cyrusdb -r"
idled cmd="idled"
syncclient cmd="/usr/lib/cyrus-imapd/sync_client -t 60 -d 10 -r -F
/etc/cyrus/stop_sync_client"
}
SERVICES {
imap cmd="imapd" listen="imap" prefork=5
imaps cmd="imapd -s" listen="imaps" prefork=1
pop3 cmd="pop3d" listen="pop3" prefork=3
pop3s cmd="pop3d -s" listen="pop3s" prefork=1
sieve cmd="timsieved" listen="sieve" prefork=0
nntp cmd="nntpd" listen="nntp" prefork=3
nntps cmd="nntpd -s" listen="nntps" prefork=1
lmtpunix cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=200
fud cmd="fud" listen="fud" proto="udp" prefork=1
}
EVENTS {
checkpoint cmd="ctl_cyrusdb -c" period=30
delprune cmd="cyr_expire -E 3" at=0400
tlsprune cmd="tls_prune" at=0400
}
>>>>>>>>>>>>>>>>Stop Cyrus.conf<<<<<<<<<<<<<<<<<
imapd.conf file on Master server
>>>>>>>>>>>>>>>>Start imapd.conf<<<<<<<<<<<<<<<<<
###IMAP Settings
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
sendmail: /usr/sbin/sendmail
hashimapspool: true
servername: imap.dom
autocreatequota: 1073741824
autocreateinboxfolders: Trash | Sent | Drafts
autosubscribeinboxfolders: Trash | Sent | Drafts
autosubscribe_all_sharedfolders: 1
###Sieve Settings
sievedir: /var/lib/imap/sieve
postuser: cyrus
sharedprefix: shared
allowplaintext: 1
sieve_tls_cert_file: disabled
###Auth Settings
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
force_sasl_client_mech: PLAIN
loginrealms: REALM
###TLS/SSL Settings
tls_cert_file: /etc/pki/cyrus-imapd/server.crt
tls_key_file: /etc/pki/cyrus-imapd/server.key
tls_ca_file: /etc/pki/cyrus-imapd/cacert.pem
tls_cipher_list: TLSv1 :SSLv3 : !DES : !LOW :@STRENGTH
###NNTP Settings
newsprefix: news
partition-news: /var/spool/news
nntp_tls_cert_file: disabled
###General Options
singleinstancestore: 1
admins: cyrus
allowanonymouslogin: 0
allowusermoves: 1
altnamespace: 1
expunge_mode: delayed
lmtp_downcase_rcpt: 1
lmtp_fuzzy_mailbox_match: 1
username_tolower: 1
normalizeuid: 1
###Replication
sync_host: replica-host
sync_authname: csync-user
sync_realm: REALM
sync_password: XXXXXXXXXXXX
sync_log: 1
sync_repeat_interval: 10
sync_shutdown_file: /etc/cyrus/stop_sync_client
guid_mode: sha1
>>>>>>>>>>>>>>>>Stop imapd.conf<<<<<<<<<<<<<<<<<
cyrus.conf file on the replica server:
>>>>>>>>>>>>>>>>Start Cyrus.conf<<<<<<<<<<<<<<<<<
[root at BMP-346-MS512 cyrus]# cat cyrus-replica.conf
START {
recover cmd="ctl_cyrusdb -r"
idled cmd="idled"
}
SERVICES {
lmtpunix cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1
syncserver cmd="/usr/lib/cyrus-imapd/sync_server -p 256" listen="csync"
fud cmd="fud" listen="fud" proto="udp" prefork=1
}
EVENTS {
checkpoint cmd="ctl_cyrusdb -c" period=30
delprune cmd="cyr_expire -E 3" at=0400
tlsprune cmd="tls_prune" at=0400
}
>>>>>>>>>>>>>>>>Stop Cyrus.conf<<<<<<<<<<<<<<<<<
imapd.conf on replica server
>>>>>>>>>>>>>>>>Start imapd.conf<<<<<<<<<<<<<<<<<
###IMAP Settings
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
sendmail: /usr/sbin/sendmail
hashimapspool: true
servername: imap.dom
autocreatequota: 1073741824
autocreateinboxfolders: Trash | Sent | Drafts
autosubscribeinboxfolders: Trash | Sent | Drafts
autosubscribe_all_sharedfolders: 1
###Sieve Settings
sievedir: /var/lib/imap/sieve
postuser: cyrus
sharedprefix: shared
###Auth Settings
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
###TLS/SSL Settings
tls_cert_file: /etc/pki/cyrus-imapd/server.pem
tls_key_file: /etc/pki/cyrus-imapd/server.key
tls_ca_file: /etc/pki/cyrus-imapd/cacert.pem
tls_cipher_list: TLSv1 :SSLv3 : !DES : !LOW :@STRENGTH
###NNTP Settings
newsprefix: news
partition-news: /var/spool/news
###General Options
singleinstancestore: 1
admins: cyrus csync
allowanonymouslogin: 0
allowusermoves: 1
altnamespace: 1
expunge_mode: delayed
lmtp_downcase_rcpt: 1
lmtp_fuzzy_mailbox_match: 1
username_tolower: 1
normalizeuid: 1
###Stop Replica Clients
sync_shutdown_file: /etc/cyrus/stop_sync_client
guid_mode: sha1
>>>>>>>>>>>>>>>>Stop imapd.conf<<<<<<<<<<<<<<<<<
Tcpdump output:
* SASL PLAIN
* STARTTLS
* OK imap.afilias.info Cyrus sync server v2.3.12p2-Invoca-RPM-2.3.12p2-1
AUTHENTICATE PLAIN AaAGNsazeW35675jAFN5b2bfmNFUjBGHSMyMQ==
OK Success (no protection)
Thanks,
Andrew
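A defender-side check for the situation described above, added here as an example and not part of the original post or of the Cyrus project: it parses the auth/TLS settings quoted from the master's imapd.conf and a transcript modelled on the tcpdump output, and flags a SASL PLAIN login that happens before the client ever issues STARTTLS. The sample config, transcript and the base64 credential in it are constructed.

```python
import base64
# Constructed sample: the auth/TLS settings from the master imapd.conf in the post.
MASTER_CONF = """\
###Auth Settings
sasl_mech_list: PLAIN
allowplaintext: 1
tls_cipher_list: TLSv1 :SSLv3 : !DES : !LOW :@STRENGTH
"""
# Constructed transcript modelled on the tcpdump output; the base64 is a made-up
# SASL PLAIN response ("\0csync-user\0secret"), not the one that was captured.
CAPTURE = """\
* STARTTLS
AUTHENTICATE PLAIN AGNzeW5jLXVzZXIAc2VjcmV0
OK Success (no protection)
"""

def parse_imapd_conf(text):
    """imapd.conf is 'key: value' per line; lines starting with '#' are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit_conf(conf):
    """Settings that let SASL PLAIN credentials cross the wire unencrypted."""
    findings = []
    if conf.get("allowplaintext", "0").lower() in ("1", "yes", "on", "true"):
        findings.append("allowplaintext: plaintext SASL mechanisms accepted without TLS")
    if "PLAIN" in conf.get("sasl_mech_list", "").upper().split():
        findings.append("sasl_mech_list offers PLAIN, so the password itself is transmitted")
    ciphers = [c.strip().upper() for c in conf.get("tls_cipher_list", "").split(":")]
    if "SSLV3" in ciphers:
        findings.append("tls_cipher_list includes the SSLv3 alias (legacy suites such as RC4)")
    return findings

def audit_session(transcript):
    """Flag AUTHENTICATE PLAIN issued before the client sent STARTTLS."""
    findings, tls_started = [], False
    for line in transcript.splitlines():
        if line.strip().upper() == "STARTTLS":  # client command; '* STARTTLS' is only the capability
            tls_started = True
        elif line.startswith("AUTHENTICATE PLAIN") and not tls_started:
            # Only the authcid is decoded here, to name the exposed account; the password is not.
            authcid = base64.b64decode(line.split()[2]).split(b"\0")[1].decode("utf-8", "replace")
            findings.append(f"AUTHENTICATE PLAIN for {authcid!r} sent in cleartext")
        elif line.startswith("OK Success") and "(no protection)" in line and not tls_started:
            findings.append("login completed with neither TLS nor a SASL security layer")
    return findings
```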