TLS fails on imaps port

Bob Dye bobdye at vintagefactor.com
Mon Jan 25 18:07:09 EST 2010


Andrew Morgan wrote:
> On Mon, 25 Jan 2010, Bob Dye wrote:
>
>> Andrew Morgan wrote:
>>> On Sat, 23 Jan 2010, Bob Dye wrote:
>>>
>>>> I'm running Cyrus-imapd 2.3.7 on a Redhat Enterprise Linux 5 system.
>>>>
>>>> TLS works fine if I connect to the imap port (143). If I try to 
>>>> connect instead via the imaps port (993), the attempt times out and 
>>>> I get the following in the log:
>>>>
>>>> imaps[27170]: imaps TLS negotiation failed: [xx.xx.xx.xx]
>>>> imaps[27170]: Fatal error: tls_start_servertls() failed
>>>>
>>>> Any ideas?
>>>
>>> Try the command line openssl client and see if it can negotiate 
>>> SSL/TLS. Something like this:
>>>
>>>   openssl s_client -connect your_server_dns_name:993 -CApath /etc/ssl/certs
>>>
>>> CApath should be the path to your local CA certificates directory, 
>>> /etc/ssl/certs on Debian Linux.  You could also add -debug to get a 
>>> hex dump of the traffic.
>>>
>>> Can you post your imapd.conf file (sanitized)?
>>>
>>>     Andy
>> The openssl client connects successfully with TLSv1, AES256-SHA 
>> cipher, and
>>
>> * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN 
>> AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR] netserver.vintagefactor.com 
>> Cyrus IMAP4 v2.3.7-Invoca-RPM-2.3.7-7.el5_4.3 server ready
>>
>> I have a very standard imapd.conf except for the use of SQL:
>>
>> configdirectory: /var/lib/imap
>> partition-default: /var/spool/imap
>> admins: cyrus root
>> sievedir: /var/lib/imap/sieve
>> sendmail: /usr/sbin/sendmail
>> hashimapspool: true
>> sasl_log_level: 10
>> sasl_mech_list: PLAIN CRAM-MD5 DIGEST-MD5
>> sasl_pwcheck_method: auxprop
>> sasl_auxprop_plugin: sql
>> sasl_sql_engine: mysql
>> sasl_auto_transition: no
>> sasl_sql_hostnames: mail-db.vintagefactor.com
>> sasl_sql_user: mail
>> sasl_sql_passwd: xxxxxxxx
>> sasl_sql_database: mail
>> sasl_sql_statement: SELECT password FROM accountuser WHERE username = '%u'
>> allowplaintext: yes
>> unixhierarchysep: yes
>> tls_require_cert: false
>> tls_imap_require_cert: true
>> tls_cert_file: /usr/share/ssl/certs/xxx.crt
>> tls_key_file: /usr/share/ssl/private/xxx.key
>> tls_ca_file: /usr/share/ssl/xxx.crt
>
> It sounds like a client configuration problem then.  You should choose 
> "SSL" when connecting to port 993 and "TLS" when connecting to port 143.
>
>     Andy
OK. Thanks.

But it does seem odd that it supports STARTTLS on 143 but not 993.

-- 

Bob Dye
Vintagefactor
P.O. Box 852
St. Helena, CA 94574-0852
Cell: 707.738.9919
Tel: 707.963.6045
Fax: 707.967.5578
www.vintagefactor.com
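The distinction Andy draws above (port 993 expects the TLS handshake before any IMAP traffic, port 143 expects a plaintext greeting followed by STARTTLS) as an added example that is not from the thread or from Cyrus: a client that performs the handshake in the order each port requires, plus a constructed server transcript so the STARTTLS exchange can be run offline. The tag `a001`, the sample greeting and the `_Transcript` stand-in are assumptions made for the example.

```python
import socket
import ssl
def _read_line(sock):
    """Read one CRLF-terminated IMAP line from a socket-like object."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("peer closed before end of line")
        buf += chunk
    return buf.decode("ascii", "replace").rstrip("\r\n")

def negotiate_starttls(sock, tag="a001"):
    """Port 143: plaintext greeting, STARTTLS, tagged OK; caller then wraps in TLS."""
    greeting = _read_line(sock)
    if not greeting.startswith("* OK"):
        raise RuntimeError("unexpected greeting: %r" % greeting)
    sock.sendall(("%s STARTTLS\r\n" % tag).encode("ascii"))
    reply = _read_line(sock)
    if not reply.startswith(tag + " OK"):
        raise RuntimeError("STARTTLS refused: %r" % reply)
    return greeting

def connect_imap(host, port, ctx=None):
    """993 (imaps): TLS first, greeting arrives inside TLS. 143 (imap): greeting in
    the clear, STARTTLS, then TLS. Plaintext sent to 993 leaves the server waiting
    for a ClientHello: the 'TLS negotiation failed' and timeout from the thread."""
    ctx = ctx or ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=10)
    if port == 993:
        tls = ctx.wrap_socket(raw, server_hostname=host)
        return tls, _read_line(tls)
    greeting = negotiate_starttls(raw)
    return ctx.wrap_socket(raw, server_hostname=host), greeting

class _Transcript:
    """Constructed port-143 server stand-in so the exchange runs offline."""
    def __init__(self, lines):
        self.data, self.sent = b"".join(l + b"\r\n" for l in lines), b""
    def recv(self, n):
        chunk, self.data = self.data[:n], self.data[n:]
        return chunk
    def sendall(self, data):
        self.sent += data

def starttls_exchange_offline():
    """Client side against a constructed Cyrus-like transcript."""
    srv = _Transcript([b"* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] ready",
                       b"a001 OK Begin TLS negotiation now"])
    return negotiate_starttls(srv), srv.sent
```

`connect_imap` needs a live server; `starttls_exchange_offline` shows the exact bytes a STARTTLS client must send before upgrading, which is what a client mistakenly configured for "TLS" on 993 never gets to do.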
