STARTTLS on Cyrus IMAPd 2.3.11
Jorey Bump
list at joreybump.com
Tue Mar 18 16:11:08 EDT 2008
I'm migrating from Cyrus IMAPd 2.3.7 to 2.3.11. I've moved all the data
to the new environment and rebuilt the necessary databases. Everything
seems to be working fine, with the exception of STARTTLS connections to
port 143 from *remote* machines.
The following imtest logins work fine when run on the local machine
(mail.example.net):
imtest -u jorey -a jorey -t "" localhost
imtest -u jorey -a jorey -s localhost
imtest -u jorey -a jorey -t "" mail.example.net
imtest -u jorey -a jorey -s mail.example.net
The following works when run remotely (imaps, port 993):
imtest -u jorey -a jorey -s mail.example.net
But STARTTLS on port 143 fails remotely:
imtest -u jorey -a jorey -t "" mail.example.net
Output of imtest:
S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS LOGINDISABLED
AUTH=DIGEST-MD5 SASL-IR] mail.example.net Cyrus IMAP4 v2.3.11 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS LOGINDISABLED
AUTH=DIGEST-MD5 SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS
NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY
SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE
CATENATE CONDSTORE IDLE URLAUTH
S: C01 OK Completed
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
verify error:num=19:self signed certificate in certificate chain
Odd, because it's a commercial certificate, but this error is also
present in successful logins on the local machine, so it shouldn't be a
showstopper.
From /var/log/imapd.log:
Mar 18 15:51:13 mail imap[6203]: STARTTLS negotiation failed: [10.1.10.94]
Thunderbird 2.0.0.12 produces this error, twice in a row for a single
attempt to access a mailbox:
Thunderbird can't connect securely to mail.example.net because
the site uses a security protocol which isn't enabled.
My Cyrus IMAPd 2.3.7 installations work fine. Has there been a change to
the way 2.3.11 handles STARTTLS on port 143? Is there a new default I
have to override in imapd.conf? Do I need to explicitly set a cipher
list? Any tips concerning this issue would be appreciated.
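The pre-TLS exchange in the transcript above (greeting, C01 CAPABILITY, S01 STARTTLS), driven from Python as an added example that is not part of the original post and not Cyrus or imtest code. The function names are the editor's own; the scripted server replays the server lines quoted in the post over a socketpair, so the offline run needs no network and no certificate. `probe()` runs the same exchange against a real host, upgrades the socket with the stdlib `ssl` module, and then re-issues CAPABILITY inside TLS, since the server above advertises LOGINDISABLED before STARTTLS and a client should confirm that plaintext login is only enabled afterwards.

```python
import re
import socket
import ssl
import threading

# Server lines copied from the post's imtest transcript (constructed replay input).
GREETING = (
    b"* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS LOGINDISABLED "
    b"AUTH=DIGEST-MD5 SASL-IR] mail.example.net Cyrus IMAP4 v2.3.11 server ready\r\n"
)
CAPABILITY = (
    b"* CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS LOGINDISABLED "
    b"AUTH=DIGEST-MD5 SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE "
    b"UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ "
    b"THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE IDLE URLAUTH\r\n"
)

def parse_capabilities(line):
    """Capability atoms (upper-cased) from a '* OK [CAPABILITY ...]' greeting
    or an untagged '* CAPABILITY ...' response; empty set for anything else."""
    text = line.decode("ascii", "replace").strip()
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", text) or re.match(r"\* CAPABILITY (.*)", text)
    return {atom.upper() for atom in m.group(1).split()} if m else set()

def read_line(f):
    line = f.readline()
    if not line:
        raise ConnectionError("server closed the connection")
    return line

def read_response(f, tag):
    """Collect untagged lines until the tagged completion for `tag` arrives."""
    untagged = []
    while True:
        line = read_line(f)
        if line.startswith(tag + b" "):
            return untagged, line
        untagged.append(line)

def negotiate_starttls(sock, hostname, context=None):
    """Greeting, C01 CAPABILITY, S01 STARTTLS, exactly as imtest -t "" does.
    With an ssl.SSLContext the socket is upgraded and CAPABILITY re-read inside
    TLS; a chain the client cannot verify raises ssl.SSLError at wrap_socket
    (the condition imtest prints as 'verify error:num=19')."""
    f = sock.makefile("rb")
    caps = parse_capabilities(read_line(f))
    sock.sendall(b"C01 CAPABILITY\r\n")
    untagged, _ = read_response(f, b"C01")
    for line in untagged:
        caps |= parse_capabilities(line)
    result = {"caps": caps, "starttls_ok": False, "tls_version": None,
              "cipher": None, "login_disabled_after_tls": None}
    if "STARTTLS" not in caps:
        return result
    sock.sendall(b"S01 STARTTLS\r\n")
    _, tagged = read_response(f, b"S01")
    result["starttls_ok"] = tagged.upper().startswith(b"S01 OK")
    if not result["starttls_ok"] or context is None:
        return result
    tls = context.wrap_socket(sock, server_hostname=hostname)  # TLS handshake here
    result["tls_version"], result["cipher"] = tls.version(), tls.cipher()[0]
    tls.sendall(b"C02 CAPABILITY\r\n")  # capabilities must be re-read after STARTTLS
    untagged, _ = read_response(tls.makefile("rb"), b"C02")
    after = set()
    for line in untagged:
        after |= parse_capabilities(line)
    result["login_disabled_after_tls"] = "LOGINDISABLED" in after
    return result

def probe(host, port=143, timeout=10):
    """Live check against a real server (not run by the offline replay)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return negotiate_starttls(sock, host, ssl.create_default_context())

def run_scripted_server(sock):
    """Constructed replay of the server side of the post's transcript, stopping
    where a real Cyrus would begin the TLS handshake."""
    f = sock.makefile("rb")
    try:
        sock.sendall(GREETING)
        if read_line(f).strip().upper() == b"C01 CAPABILITY":
            sock.sendall(CAPABILITY + b"C01 OK Completed\r\n")
        if read_line(f).strip().upper() == b"S01 STARTTLS":
            sock.sendall(b"S01 OK Begin TLS negotiation now\r\n")
    except ConnectionError:
        pass
    finally:
        f.close()
        sock.close()

def demo():
    """Replay the transcript over a socketpair: no network, no certificate."""
    client, server = socket.socketpair()
    t = threading.Thread(target=run_scripted_server, args=(server,), daemon=True)
    t.start()
    try:
        return negotiate_starttls(client, "mail.example.net")
    finally:
        client.close()
        t.join(timeout=5)

if __name__ == "__main__":
    r = demo()
    print("STARTTLS:", "STARTTLS" in r["caps"], "LOGINDISABLED pre-TLS:",
          "LOGINDISABLED" in r["caps"], "S01 OK:", r["starttls_ok"])
```

Running the file replays the transcript; `probe("mail.example.net")` from a remote machine performs the real upgrade and reports the negotiated protocol and cipher. OpenSSL's verify error 19 (X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) means the chain the server sent ends in a self-signed certificate the client does not have as a trust anchor; with `ssl.create_default_context()` that surfaces as `ssl.SSLError` at `wrap_socket`, where it is a failure rather than the warning imtest prints.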