mupdate TLS

Duncan Gibb Duncan.Gibb at
Thu May 14 06:08:14 EDT 2009

Andrew Morgan wrote:

AM> Does the mupdate process in a Cyrus murder actually use TLS?

AM> And....  after a lot of digging I see that this is a known bug:


AM> Never mind!  This sounds like a very complicated problem

Not particularly - it's quite a small patch which goes onto 2.3.14 and
current CVS HEAD cleanly.  If there's any extra work required for it to
be applied upstream, I'm happy to do that.

AM> so I'll just stay away from TLS for mupdate.  Although I don't
AM> understand why mupdate isn't having problems for me right now,
AM> since mupdate seems to be advertising STARTTLS in the
AM> capability string.

If your config allows the Mupdate server to advertise a usable SASL mech
without doing a "STARTTLS", then backend_authenticate() won't bother.

We've deployed Murder Classic with TLS everywhere and client cert
authentication between all the systems using this patch plus the client
certs one (bug #3133).  On the Mupdate box we have something like:

  allowplaintext:     no
  sasl_mech_list:     EXTERNAL

  tls_require_cert:   true
  tls_ca_file:        /etc/ssl/certs/client-internal-CA.pem

  mupdate_admins: fe1.client.dom fe2.client.dom fe3.client.dom \
                  fe4.client.dom fe5.client.dom fe6.client.dom \
                  be1.client.dom be2.client.dom be3.client.dom



Duncan Gibb - Technical Director
Sirius Corporation plc - control through freedom || t: +44 870 608 0063
Debian Cyrus Team -
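
An added example, not part of the original post and not Cyrus project code: a small audit of an imapd.conf fragment for the condition described above, where a SASL mechanism usable before STARTTLS lets the connection skip TLS. The function names, the sample fragments and the boolean spellings are assumptions, as is the premise that EXTERNAL only becomes usable once TLS has supplied a client certificate identity.

```python
import re

# Constructed sample fragments (not from any real host).
WEAK = """\
allowplaintext: yes
sasl_mech_list: PLAIN DIGEST-MD5
"""
HARDENED = """\
allowplaintext:     no
sasl_mech_list:     EXTERNAL
tls_require_cert:   true
tls_ca_file:        /etc/ssl/certs/client-internal-CA.pem
mupdate_admins: fe1.client.dom fe2.client.dom \\
                be1.client.dom
"""
TRUE = {"1", "yes", "y", "on", "t", "true"}  # assumed boolean spellings

def parse_conf(text):
    """Parse 'key: value' lines, joining backslash-continued lines first."""
    joined = re.sub(r"\\[ \t]*\n[ \t]*", " ", text)
    conf = {}
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return findings; an empty list means no SASL mech is usable before STARTTLS."""
    conf = parse_conf(text)
    findings = []
    mechs = conf.get("sasl_mech_list", "").upper().split()
    # Assumption: EXTERNAL is only usable after TLS supplied a client-cert identity.
    pre_tls = [m for m in mechs if m != "EXTERNAL"]
    if not mechs:
        findings.append("sasl_mech_list unset: mechanism list is not restricted")
    elif pre_tls:
        findings.append("usable without STARTTLS: " + " ".join(pre_tls))
    if conf.get("allowplaintext", "yes").lower() in TRUE:  # unset counts as a finding
        findings.append("allowplaintext is not explicitly disabled")
    if conf.get("tls_require_cert", "").lower() not in TRUE:
        findings.append("tls_require_cert is not enabled")
    if not conf.get("tls_ca_file"):
        findings.append("tls_ca_file is not set")
    return findings

if __name__ == "__main__":
    print({"WEAK": audit(WEAK), "HARDENED": audit(HARDENED)})
```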
