TLS fails on imaps port

Andrew Morgan morgan at orst.edu
Mon Jan 25 15:01:00 EST 2010


On Mon, 25 Jan 2010, Bob Dye wrote:

> Andrew Morgan wrote:
>> On Sat, 23 Jan 2010, Bob Dye wrote:
>> 
>>> I'm running Cyrus-imapd 2.3.7 on a Redhat Enterprise Linux 5 system.
>>> 
>>> TLS works fine if I connect to the imap port (143). If I try to connect 
>>> instead via the imaps port (993), the attempt times out and I get the 
>>> following in the log:
>>> 
>>> imaps[27170]: imaps TLS negotiation failed: [xx.xx.xx.xx]
>>> imaps[27170]: Fatal error: tls_start_servertls() failed
>>> 
>>> Any ideas?
>> 
>> Try the command line openssl client and see if it can negotiate SSL/TLS. 
>> Something like this:
>>
>>   openssl s_client -connect your_server_dns_name:993 -CApath /etc/ssl/certs
>> 
>> CApath should be the path to your local CA certificates directory, 
>> /etc/ssl/certs on Debian Linux.  You could also add -debug to get a hex 
>> dump of the traffic.
>> 
>> Can you post your imapd.conf file (sanitized)?
>>
>>     Andy
> The openssl client connects successfully with TLSv1, AES256-SHA cipher, and
>
> * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=DIGEST-MD5 
> AUTH=CRAM-MD5 SASL-IR] netserver.vintagefactor.com Cyrus IMAP4 
> v2.3.7-Invoca-RPM-2.3.7-7.el5_4.3 server ready
>
> I have a very standard imap.conf except for the use of SQL:
>
> configdirectory: /var/lib/imap
> partition-default: /var/spool/imap
> admins: cyrus root
> sievedir: /var/lib/imap/sieve
> sendmail: /usr/sbin/sendmail
> hashimapspool: true
> sasl_log_level: 10
> sasl_mech_list: PLAIN CRAM-MD5 DIGEST-MD5
> sasl_pwcheck_method: auxprop
> sasl_auxprop_plugin: sql
> sasl_sql_engine: mysql
> sasl_auto_transition: no
> sasl_sql_hostnames: mail-db.vintagefactor.com
> sasl_sql_user: mail
> sasl_sql_passwd: xxxxxxxx
> sasl_sql_database: mail
> sasl_sql_statement: SELECT password FROM accountuser WHERE username = '%u'
> allowplaintext: yes
> unixhierarchysep: yes
> tls_require_cert: false
> tls_imap_require_cert: true
> tls_cert_file: /usr/share/ssl/certs/xxx.crt
> tls_key_file: /usr/share/ssl/private/xxx.key
> tls_ca_file: /usr/share/ssl/xxx.crt

It sounds like a client configuration problem then.  You should choose 
"SSL" when connecting to port 993 and "TLS" when connecting to port 143.

 	Andy
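The point Andy makes is the difference between implicit TLS on port 993 (the TLS handshake is the first thing on the wire, so a client that waits for a plaintext greeting hangs until the server gives up with "TLS negotiation failed") and STARTTLS on port 143 (plaintext greeting, then an upgrade). The script below, an added example written for this thread and not code from Cyrus or from either poster, probes a server both ways from Python's standard library and shows what the server sees in each case. It assumes a reachable host passed on the command line (the default `imap.example.invalid` is a placeholder), uses made-up command tags (`a001` and so on), and the sample greeting is the one posted above, embedded here as constructed test input for the parsing helpers, which run offline.

```python
"""Probe an IMAP server's two TLS modes: implicit TLS on 993 and STARTTLS on 143.

Added example for this thread, not code from the Cyrus project.  The network
probes need a reachable server (HOST is a placeholder); the parsing helpers
run offline on the constructed SAMPLE_GREETING.
"""
import socket
import ssl
import sys

# Constructed sample: the greeting posted in the thread, as openssl s_client shows it.
SAMPLE_GREETING = (
    "* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=DIGEST-MD5 "
    "AUTH=CRAM-MD5 SASL-IR] netserver.vintagefactor.com Cyrus IMAP4 "
    "v2.3.7-Invoca-RPM-2.3.7-7.el5_4.3 server ready"
)
CAP_PREFIX = "* OK [CAPABILITY "


def parse_capabilities(greeting: str) -> list:
    """Return the CAPABILITY tokens from a '* OK [CAPABILITY ...]' greeting."""
    if not greeting.startswith(CAP_PREFIX) or "]" not in greeting:
        return []
    return greeting[len(CAP_PREFIX):greeting.index("]")].split()


def classify_first_bytes(data: bytes) -> str:
    """Say what a client's first bytes on a fresh connection look like.

    A TLS handshake record begins with content type 0x16 and major version
    0x03.  A client set to STARTTLS mode instead expects plaintext IMAP, so
    on port 993 the server never sees a ClientHello and its
    tls_start_servertls() call fails, which is the log line in the thread.
    """
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-client-hello"
    tag = data.split(b" ", 1)[0]
    if tag and tag.isalnum():
        return "plaintext-imap"
    return "unknown"


def client_matches_port(client_mode: str, port: int) -> bool:
    """A mail client's 'SSL' (implicit TLS) setting belongs with 993,
    its 'TLS'/STARTTLS setting with 143."""
    return (client_mode.lower(), port) in {("ssl", 993), ("starttls", 143)}


def _readline(sock) -> str:
    """Read exactly one CRLF-terminated line, one byte at a time, so that
    nothing belonging to the TLS handshake is swallowed during the upgrade."""
    buf = bytearray()
    while not buf.endswith(b"\r\n"):
        b = sock.recv(1)
        if not b:
            break
        buf += b
    return buf.decode("ascii", "replace").rstrip("\r\n")


def probe_implicit_tls(host, port=993, cafile=None, timeout=10.0):
    """993: the TLS handshake comes first; the greeting arrives encrypted."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            caps = parse_capabilities(_readline(tls))
            tls.sendall(b"a001 LOGOUT\r\n")
            return tls.version(), caps


def probe_starttls(host, port=143, cafile=None, timeout=10.0):
    """143: plaintext greeting, 'STARTTLS' command, then the handshake."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        greeting = _readline(raw)
        if "STARTTLS" not in parse_capabilities(greeting):
            raise RuntimeError("no STARTTLS advertised: " + greeting)
        raw.sendall(b"a001 STARTTLS\r\n")
        reply = _readline(raw)
        if not reply.startswith("a001 OK"):
            raise RuntimeError("STARTTLS refused: " + reply)
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            # Re-read capabilities after the upgrade; the pre-TLS list is untrusted.
            tls.sendall(b"a002 CAPABILITY\r\n")
            caps = []
            while True:
                line = _readline(tls)
                if line.startswith("* CAPABILITY "):
                    caps = line[len("* CAPABILITY "):].split()
                if line.startswith("a002 ") or not line:
                    break
            tls.sendall(b"a003 LOGOUT\r\n")
            return tls.version(), caps


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "imap.example.invalid"  # placeholder
    for name, probe in (("993 implicit TLS", probe_implicit_tls),
                        ("143 STARTTLS", probe_starttls)):
        try:
            print(name, "->", probe(host))
        except (OSError, ssl.SSLError, RuntimeError) as exc:
            print(name, "FAILED:", exc)
```

Run it as `python3 probe_imap_tls.py mail.example.org` (name assumed). If the 993 probe succeeds while a mail client times out on the same port, the server is fine and the client is in STARTTLS mode against an implicit-TLS port, exactly the situation in this thread; the `classify_first_bytes` helper is what that mismatch looks like from the server's side of the socket. Note that the greeting posted above, captured on 993, does not advertise STARTTLS, which is correct: the session is already encrypted.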
