mupdate TLS
Duncan Gibb
Duncan.Gibb at SiriusIT.co.uk
Thu May 14 06:08:14 EDT 2009
Andrew Morgan wrote:
AM> Does the mupdate process in a Cyrus murder actually use TLS?
AM> And.... after a lot of digging I see that this is a known bug:
AM> https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=3119
AM> Never mind! This sounds like a very complicated problem
Not particularly - it's quite a small patch which goes onto 2.3.14 and
current CVS HEAD cleanly. If there's any extra work required for it to
be applied upstream, I'm happy to do that.
AM> so I'll just stay away from TLS for mupdate. Although I don't
AM> understand why mupdate isn't having problems for me right now,
AM> since mupdate seems to be advertising STARTTLS in the
AM> capability string.
If your config allows the Mupdate server to advertise a usable SASL mech
without doing a "STARTTLS", then backend_authenticate() won't bother.
We've deployed Murder Classic with TLS everywhere and client cert
authentication between all the systems using this patch plus the client
certs one (bug #3133). On the Mupdate box we have something like:
allowplaintext: no
sasl_mech_list: EXTERNAL
tls_require_cert: true
tls_ca_file: /etc/ssl/certs/client-internal-CA.pem
mupdate_admins: fe1.client.dom fe2.client.dom fe3.client.dom \
fe4.client.dom fe5.client.dom fe6.client.dom \
be1.client.dom be2.client.dom be3.client.dom
Cheers
Duncan
--
Duncan Gibb - Technical Director
Sirius Corporation plc - control through freedom
http://www.siriusit.co.uk/ || t: +44 870 608 0063
Debian Cyrus Team - https://alioth.debian.org/projects/pkg-cyrus-imapd/
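An added check illustrating the point above (it is not part of this thread or of Cyrus): it reads an MUPDATE greeting, with the banner shape and the 3905/tcp port assumed from RFC 3656, and reports whether any SASL mechanism is offered before STARTTLS, which is exactly the condition under which a Cyrus client never bothers to negotiate TLS.

```python
"""Check an MUPDATE pre-STARTTLS banner for mechanisms usable without TLS."""
import re
import socket

# Constructed sample banners, shaped like the MUPDATE greeting in RFC 3656.
# A client that sees a usable mechanism here can authenticate without ever
# issuing STARTTLS, which is the behaviour described in the thread.
BANNER_WEAK = (
    '* AUTH "PLAIN" "LOGIN"\r\n'
    '* STARTTLS\r\n'
    '* PARTIAL-UPDATE\r\n'
    '* OK MUPDATE "mupdate.example.dom" "Cyrus Murder" "v2.3.14"\r\n'
)
# What a config like the one quoted above (allowplaintext: no,
# sasl_mech_list: EXTERNAL) is meant to yield before TLS: STARTTLS is
# advertised, but no mechanism is (assumed server behaviour).
BANNER_HARDENED = (
    '* AUTH\r\n'
    '* STARTTLS\r\n'
    '* OK MUPDATE "mupdate.example.dom" "Cyrus Murder" "v2.3.14"\r\n'
)

def parse_banner(banner):
    """Return (mechanisms, starttls) from the untagged greeting lines."""
    mechs, starttls = [], False
    for line in banner.splitlines():
        if line.startswith("* AUTH"):
            mechs += re.findall(r'"([^"]+)"', line)
        elif line.strip() == "* STARTTLS":
            starttls = True
        elif line.startswith("* OK MUPDATE"):
            break  # end of greeting
    return mechs, starttls

def assess(banner):
    """Classify a pre-TLS banner: 'no-tls', 'tls-optional' or 'tls-forced'."""
    mechs, starttls = parse_banner(banner)
    if not starttls:
        return "no-tls"
    # Any mechanism offered before STARTTLS lets the client skip TLS entirely.
    return "tls-optional" if mechs else "tls-forced"

def fetch_banner(host, port=3905, timeout=5):
    """Read a live greeting up to the '* OK MUPDATE' line (port assumed)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        lines = []
        for line in s.makefile("r", encoding="ascii", errors="replace"):
            lines.append(line)
            if line.startswith("* OK MUPDATE"):
                break
    return "".join(lines)

if __name__ == "__main__":
    for name, b in (("weak", BANNER_WEAK), ("hardened", BANNER_HARDENED)):
        print(name, assess(b))
```

Run `assess(fetch_banner("mupdate.host"))` against your own Mupdate box; "tls-optional" means a backend may be authenticating in the clear.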