STARTTLS on Cyrus IMAPd 2.3.11
Andrew Morgan
morgan at orst.edu
Wed Mar 19 18:57:46 EDT 2008
On Wed, 19 Mar 2008, Jorey Bump wrote:
> Andrew Morgan wrote, at 03/19/2008 12:41 PM:
>
>> Maybe I missed it earlier in the thread - can you post your imapd.conf
>> file?
>
> It's pretty simple, and identical to the 2.3.7 instance that's running
> without any problems:
>
> # /etc/imapd.conf
> configdirectory: /var/imap
> partition-default: /var/spool/imap
> defaultdomain: mail.example.net
> servername: mail.example.net
> lmtp_downcase_rcpt: true
> admins: cyrus
> sasl_pwcheck_method: auxprop
> sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
> allowplaintext: no
> sasl_minimum_layer: 128
> tls_cert_file: /etc/ssl/certs/mail.crt
> tls_key_file: /etc/ssl/certs/mail.key
> tls_ca_file: /etc/ssl/certs/local-ca-bundle.crt
>
> Here's my cyrus.conf, which contains nothing radical:
>
> # standard standalone server implementation
>
> START {
> # do not delete this entry!
> recover cmd="ctl_cyrusdb -r"
>
> # this is only necessary if using idled for IMAP IDLE
> idled cmd="idled"
> }
>
> # UNIX sockets start with a slash and are put into /var/imap/socket
> SERVICES {
> # add or remove based on preferences
> imap cmd="imapd" listen="imap" prefork=0
> imaps cmd="imapd -s" listen="imaps" prefork=0
> pop3 cmd="pop3d" listen="pop3" prefork=0
> pop3s cmd="pop3d -s" listen="pop3s" prefork=0
> sieve cmd="timsieved" listen="sieve" prefork=0
>
> # these are only necessary if receiving/exporting usenet via NNTP
> # nntp cmd="nntpd" listen="nntp" prefork=0
> # nntps cmd="nntpd -s" listen="nntps" prefork=0
>
> # at least one LMTP is required for delivery
> # lmtp cmd="lmtpd" listen="lmtp" prefork=0
> lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
>
> # this is required if using notifications
> # notify cmd="notifyd" listen="/var/imap/socket/notify" proto="udp" prefork=1
> }
>
> EVENTS {
> # this is required
> checkpoint cmd="ctl_cyrusdb -c" period=30
>
> # this is only necessary if using duplicate delivery suppression,
> # Sieve or NNTP
> delprune cmd="cyr_expire -E 3" at=0400
>
> # this is only necessary if caching TLS sessions
> tlsprune cmd="tls_prune" at=0400
> }
>
>
Those look fine to me. I'm not sure about the sasl_minimum_layer setting.
Have you tried setting that to 0?
Otherwise, I guess I would start with Wireshark captures of imtest using
TLS, comparing the working and non-working tests.
Andy
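
One way to script the comparison suggested above, as an added example that is not part of the original message: a Python probe that walks the IMAP STARTTLS exchange and records the stage it stops at, so a run against the working 2.3.7 instance and one against the failing 2.3.11 instance can be diffed. The function names and the result layout are assumptions of this example.

```python
import socket
import ssl

def parse_capabilities(line):
    """Return the capability atoms in a greeting or untagged CAPABILITY line."""
    upper = line.decode("ascii", "replace").strip().upper()
    if "[CAPABILITY " in upper:              # * OK [CAPABILITY ...] text
        start = upper.index("[CAPABILITY ") + len("[CAPABILITY ")
        return set(upper[start:].split("]")[0].split())
    if upper.startswith("* CAPABILITY "):    # * CAPABILITY ...
        return set(upper.split()[2:])
    return set()

def probe_starttls(host, port=143, cafile=None, timeout=10.0):
    """Walk the STARTTLS exchange and record the last stage reached."""
    res = {"stage": "connect", "caps": set(), "tls": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            rfile = sock.makefile("rb")
            res["stage"] = "greeting"
            res["caps"] |= parse_capabilities(rfile.readline())
            res["stage"] = "capability"
            sock.sendall(b"a1 CAPABILITY\r\n")
            while True:
                line = rfile.readline()
                if not line:
                    raise ConnectionError("server closed the connection")
                res["caps"] |= parse_capabilities(line)
                if line.lower().startswith(b"a1 "):
                    break
            if "STARTTLS" not in res["caps"]:
                raise ConnectionError("STARTTLS not advertised")
            res["stage"] = "starttls"
            sock.sendall(b"a2 STARTTLS\r\n")
            reply = rfile.readline()
            if not reply.upper().startswith(b"A2 OK"):
                raise ConnectionError("STARTTLS refused: %r" % reply)
            res["stage"] = "handshake"
            ctx = ssl.create_default_context(cafile=cafile)  # verifies the chain
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                res["tls"] = (tls.version(), tls.cipher()[0], tls.cipher()[2])
                res["stage"] = "done"
    except OSError as exc:                   # includes ssl.SSLError
        res["error"] = str(exc)
    return res

def diff_probes(working, failing):
    """Return only the fields on which two probe results disagree."""
    return {k: (working[k], failing[k]) for k in working if working[k] != failing[k]}
```

Passing the path configured as tls_ca_file for `cafile` makes the handshake stage verify against the same CA bundle the server is set up with; the third element of the `tls` tuple is the cipher's secret-bit count.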