Sync and TLS

Andrew Heagle andrew at logaan.com
Mon Jul 21 15:22:17 EDT 2008


Hello,

Not sure if I have something misconfigured or what, but I can't seem to
force the sync_server or sync_client to use TLS at all.

I ran tcpdump on the sync_server and I can see it is all in plain text. I
can even use telnet to login to the sync server and it will authenticate
me without any encryption at all. (Feel free to point out any other
problems you think I may have with my configs as well, thanks.)

Here is the version I am running:
# rpm -qa | grep cyrus-imap
cyrus-imapd-perl-2.3.12p2-1
cyrus-imapd-2.3.12p2-1
cyrus-imapd-utils-2.3.12p2-1

cyrus.conf file on the master server:
>>>>>>>>>>>>>>>>Start Cyrus.conf<<<<<<<<<<<<<<<<<
START {
  recover       cmd="ctl_cyrusdb -r"
  idled         cmd="idled"
  syncclient   cmd="/usr/lib/cyrus-imapd/sync_client -t 60 -d 10 -r -F /etc/cyrus/stop_sync_client"
}

SERVICES {
  imap          cmd="imapd" listen="imap" prefork=5
  imaps         cmd="imapd -s" listen="imaps" prefork=1
  pop3          cmd="pop3d" listen="pop3" prefork=3
  pop3s         cmd="pop3d -s" listen="pop3s" prefork=1
  sieve         cmd="timsieved" listen="sieve" prefork=0
  nntp          cmd="nntpd" listen="nntp" prefork=3
  nntps         cmd="nntpd -s" listen="nntps" prefork=1
  lmtpunix      cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=200
  fud           cmd="fud" listen="fud" proto="udp" prefork=1
}

EVENTS {
  checkpoint    cmd="ctl_cyrusdb -c" period=30
  delprune      cmd="cyr_expire -E 3" at=0400
  tlsprune      cmd="tls_prune" at=0400
}
>>>>>>>>>>>>>>>>Stop Cyrus.conf<<<<<<<<<<<<<<<<<

imapd.conf file on the master server:
>>>>>>>>>>>>>>>>Start imapd.conf<<<<<<<<<<<<<<<<<
###IMAP Settings
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
sendmail: /usr/sbin/sendmail
hashimapspool: true
servername: imap.dom
autocreatequota: 1073741824
autocreateinboxfolders: Trash | Sent | Drafts
autosubscribeinboxfolders: Trash | Sent | Drafts
autosubscribe_all_sharedfolders: 1

###Sieve Settings
sievedir: /var/lib/imap/sieve
postuser: cyrus
sharedprefix: shared
allowplaintext: 1
sieve_tls_cert_file: disabled

###Auth Settings
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
force_sasl_client_mech: PLAIN
loginrealms: REALM

###TLS/SSL Settings
tls_cert_file: /etc/pki/cyrus-imapd/server.crt
tls_key_file: /etc/pki/cyrus-imapd/server.key
tls_ca_file: /etc/pki/cyrus-imapd/cacert.pem
tls_cipher_list: TLSv1 :SSLv3 : !DES : !LOW :@STRENGTH

###NNTP Settings
newsprefix: news
partition-news: /var/spool/news
nntp_tls_cert_file: disabled

###General Options
singleinstancestore: 1
admins: cyrus
allowanonymouslogin: 0
allowusermoves: 1
altnamespace: 1
expunge_mode: delayed
lmtp_downcase_rcpt: 1
lmtp_fuzzy_mailbox_match: 1
username_tolower: 1
normalizeuid: 1

###Replication
sync_host: replica-host
sync_authname: csync-user
sync_realm: REALM
sync_password: XXXXXXXXXXXX
sync_log: 1
sync_repeat_interval: 10
sync_shutdown_file: /etc/cyrus/stop_sync_client
guid_mode: sha1
>>>>>>>>>>>>>>>>Stop imapd.conf<<<<<<<<<<<<<<<<<


cyrus.conf file on the replica server:
>>>>>>>>>>>>>>>>Start Cyrus.conf<<<<<<<<<<<<<<<<<
[root at BMP-346-MS512 cyrus]# cat cyrus-replica.conf
START {
  recover       cmd="ctl_cyrusdb -r"
  idled         cmd="idled"
}
SERVICES {
  lmtpunix      cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1
  syncserver   cmd="/usr/lib/cyrus-imapd/sync_server -p 256" listen="csync"
  fud           cmd="fud" listen="fud" proto="udp" prefork=1
}

EVENTS {
  checkpoint    cmd="ctl_cyrusdb -c" period=30
  delprune      cmd="cyr_expire -E 3" at=0400
  tlsprune      cmd="tls_prune" at=0400
}
>>>>>>>>>>>>>>>>Stop Cyrus.conf<<<<<<<<<<<<<<<<<


imapd.conf file on the replica server:
>>>>>>>>>>>>>>>>Start imapd.conf<<<<<<<<<<<<<<<<<
###IMAP Settings
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
sendmail: /usr/sbin/sendmail
hashimapspool: true
servername: imap.dom
autocreatequota: 1073741824
autocreateinboxfolders: Trash | Sent | Drafts
autosubscribeinboxfolders: Trash | Sent | Drafts
autosubscribe_all_sharedfolders: 1

###Sieve Settings
sievedir: /var/lib/imap/sieve
postuser: cyrus
sharedprefix: shared

###Auth Settings
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN

###TLS/SSL Settings
tls_cert_file: /etc/pki/cyrus-imapd/server.pem
tls_key_file: /etc/pki/cyrus-imapd/server.key
tls_ca_file: /etc/pki/cyrus-imapd/cacert.pem
tls_cipher_list: TLSv1 :SSLv3 : !DES : !LOW :@STRENGTH

###NNTP Settings
newsprefix: news
partition-news: /var/spool/news

###General Options
singleinstancestore: 1
admins: cyrus csync
allowanonymouslogin: 0
allowusermoves: 1
altnamespace: 1
expunge_mode: delayed
lmtp_downcase_rcpt: 1
lmtp_fuzzy_mailbox_match: 1
username_tolower: 1
normalizeuid: 1

###Stop Replica Clients
sync_shutdown_file: /etc/cyrus/stop_sync_client
guid_mode: sha1
>>>>>>>>>>>>>>>>Stop imapd.conf<<<<<<<<<<<<<<<<<

Tcpdump output:
* SASL PLAIN

* STARTTLS

* OK imap.afilias.info Cyrus sync server v2.3.12p2-Invoca-RPM-2.3.12p2-1

AUTHENTICATE PLAIN AaAGNsazeW35675jAFN5b2bfmNFUjBGHSMyMQ==

OK Success (no protection)


Thanks,
Andrew
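A small audit of the kind of capture shown above, as an added example that is not part of the original post and not Cyrus code: it scans a csync session transcript (constructed lines modelled on the tcpdump output, with a placeholder in place of the real AUTHENTICATE blob) and reports whether the client sent credentials before any TLS was negotiated.

```python
"""Audit a captured Cyrus sync (csync) session for plaintext authentication."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed transcript modelled on the tcpdump output in the post above.
CAPTURED_SESSION = [
    "* SASL PLAIN",
    "* STARTTLS",
    "* OK imap.dom Cyrus sync server v2.3.12p2",
    "AUTHENTICATE PLAIN <base64-credentials-placeholder>",
    "OK Success (no protection)",
]

# Constructed transcript of what a TLS-protected session would look like on
# the wire: after the client's STARTTLS the rest of the capture is ciphertext,
# so no AUTHENTICATE line is visible at all.
HARDENED_SESSION = [
    "* SASL PLAIN",
    "* STARTTLS",
    "* OK imap.dom Cyrus sync server v2.3.12p2",
    "STARTTLS",
    "OK Begin TLS negotiation now",
]

@dataclass
class SyncSessionAudit:
    starttls_offered: bool = False      # server advertised "* STARTTLS"
    starttls_used: bool = False         # client actually issued STARTTLS
    auth_mechanism: Optional[str] = None
    security_layer: bool = False        # SASL layer negotiated (not "no protection")
    findings: List[str] = field(default_factory=list)

def audit_sync_transcript(lines: List[str]) -> SyncSessionAudit:
    """Walk the transcript in order; a finding means credentials were exposed."""
    audit = SyncSessionAudit()
    tls_active = False
    for raw in lines:
        line = raw.strip()
        upper = line.upper()
        if upper.startswith("* STARTTLS"):
            audit.starttls_offered = True
        elif upper.startswith("STARTTLS"):          # client command
            audit.starttls_used = tls_active = True
        elif upper.startswith("AUTHENTICATE"):
            parts = line.split()
            audit.auth_mechanism = parts[1].upper() if len(parts) > 1 else "?"
            if not tls_active and audit.auth_mechanism in ("PLAIN", "LOGIN"):
                audit.findings.append(f"{audit.auth_mechanism} credentials sent before STARTTLS")
            if not tls_active and audit.starttls_offered:
                audit.findings.append("server offered STARTTLS but client authenticated without it")
        elif upper.startswith("OK SUCCESS"):
            audit.security_layer = "NO PROTECTION" not in upper
            if not tls_active and not audit.security_layer:
                audit.findings.append("session continues with no TLS and no SASL security layer")
    return audit
```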