mupdate TLS

Duncan Gibb Duncan.Gibb at SiriusIT.co.uk
Thu May 14 06:08:14 EDT 2009


Andrew Morgan wrote:

AM> Does the mupdate process in a Cyrus murder actually use TLS?

AM> And....  after a lot of digging I see that this is a known bug:

AM>    https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=3119

AM> Never mind!  This sounds like a very complicated problem

Not particularly - it's quite a small patch which goes onto 2.3.14 and
current CVS HEAD cleanly.  If there's any extra work required for it to
be applied upstream, I'm happy to do that.


AM> so I'll just stay away from TLS for mupdate.  Although I don't
AM> understand why mupdate isn't having problems for me right now,
AM> since mupdate seems to be advertising STARTTLS in the
AM> capability string.

If your config allows the Mupdate server to advertise a usable SASL mech
without doing a "STARTTLS", then backend_authenticate() won't bother.


We've deployed Murder Classic with TLS everywhere and client cert
authentication between all the systems using this patch plus the client
certs one (bug #3133).  On the Mupdate box we have something like:

  allowplaintext:     no
  sasl_mech_list:     EXTERNAL

  tls_require_cert:   true
  tls_ca_file:        /etc/ssl/certs/client-internal-CA.pem

  mupdate_admins: fe1.client.dom fe2.client.dom fe3.client.dom \
                  fe4.client.dom fe5.client.dom fe6.client.dom \
                  be1.client.dom be2.client.dom be3.client.dom


Cheers


Duncan

-- 
Duncan Gibb - Technical Director
Sirius Corporation plc - control through freedom
http://www.siriusit.co.uk/ || t: +44 870 608 0063
Debian Cyrus Team - https://alioth.debian.org/projects/pkg-cyrus-imapd/
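The check below is an added example, not code from Cyrus or from this thread. It parses an imapd.conf-style fragment (key: value lines, with the backslash continuation used in the quoted mupdate_admins setting, which is assumed here) and a constructed pre-STARTTLS mupdate capability banner (the "* AUTH", "* STARTTLS", "* OK MUPDATE" lines are assumed from the mupdate protocol), then reports whether the configuration matches the hardened settings quoted above and whether any SASL mechanism is advertised before STARTTLS, which is the condition under which backend_authenticate() would skip TLS. Hostnames and version strings in the samples are constructed.

```python
"""Audit mupdate TLS/auth settings (added example, not Cyrus code)."""
import re
from typing import Dict, List

# Constructed sample mirroring the settings quoted in the message.
SAMPLE_CONF = """\
allowplaintext:     no
sasl_mech_list:     EXTERNAL

tls_require_cert:   true
tls_ca_file:        /etc/ssl/certs/client-internal-CA.pem

mupdate_admins: fe1.client.dom fe2.client.dom fe3.client.dom \\
                fe4.client.dom fe5.client.dom fe6.client.dom \\
                be1.client.dom be2.client.dom be3.client.dom
"""

# Constructed weaker variant for contrast.
WEAK_CONF = """\
allowplaintext: yes
sasl_mech_list: PLAIN LOGIN
"""

# Constructed banners as a client would read them before issuing STARTTLS.
# With sasl_mech_list EXTERNAL only, no mech is usable until TLS is up, so
# the server prints no "* AUTH" line at this stage (assumed format).
BANNER_WEAK = [
    '* AUTH "PLAIN" "LOGIN"',
    '* STARTTLS',
    '* OK MUPDATE "mupdate.client.dom" "Cyrus Murder" "2.3.14" "(master)"',
]
BANNER_STRICT = [
    '* STARTTLS',
    '* OK MUPDATE "mupdate.client.dom" "Cyrus Murder" "2.3.14" "(master)"',
]


def parse_conf(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines; join lines ending in a backslash."""
    joined: List[str] = []
    for raw in text.splitlines():
        if joined and joined[-1].endswith("\\"):
            joined[-1] = joined[-1][:-1].rstrip() + " " + raw.strip()
        else:
            joined.append(raw.rstrip())
    conf: Dict[str, str] = {}
    for line in joined:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip()] = " ".join(value.split())
    return conf


def parse_banner(lines: List[str]) -> Dict[str, object]:
    """Collect advertised mechs and whether STARTTLS is offered."""
    mechs: List[str] = []
    starttls = False
    for line in lines:
        if line.startswith("* AUTH"):
            mechs.extend(re.findall(r'"([^"]+)"', line))
        elif line.strip() == "* STARTTLS":
            starttls = True
    return {"mechs": mechs, "starttls": starttls}


def audit(conf: Dict[str, str], banner: Dict[str, object]) -> List[str]:
    """Return findings; an empty list means the quoted policy holds."""
    findings: List[str] = []
    if conf.get("allowplaintext", "").lower() != "no":
        findings.append("allowplaintext is not 'no'")
    mechs = set(conf.get("sasl_mech_list", "").upper().split())
    if mechs != {"EXTERNAL"}:
        findings.append("sasl_mech_list is not EXTERNAL only: %s"
                        % (sorted(mechs) or "unset"))
    if conf.get("tls_require_cert", "").lower() not in ("true", "yes", "1", "on"):
        findings.append("tls_require_cert not enabled: peer certs not required")
    if not conf.get("tls_ca_file"):
        findings.append("tls_ca_file unset: client certs cannot be verified")
    # Any mech offered before STARTTLS lets a client authenticate in clear.
    pre_tls = list(banner["mechs"])
    if pre_tls:
        findings.append("mechs advertised before STARTTLS: " + ", ".join(pre_tls))
    if not banner["starttls"]:
        findings.append("STARTTLS not advertised")
    return findings


if __name__ == "__main__":
    for name, conf, banner in (("strict", SAMPLE_CONF, BANNER_STRICT),
                               ("weak", WEAK_CONF, BANNER_WEAK)):
        print(name, audit(parse_conf(conf), parse_banner(banner)) or "OK")
```

Run it as-is to see the strict sample pass and the weak one list five findings; to audit a real host, replace the constructed banner with the lines read from the mupdate port before sending STARTTLS.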

