sync_server and TLS

Marcus Schopen lists at localguru.de
Wed Feb 19 08:55:32 EST 2014


Hi Stephen,

On Tuesday, 18.02.2014, 22:33 -0800, Stephen Ingram wrote:
> On Tue, Feb 18, 2014 at 4:16 PM, Marcus Schopen <lists at localguru.de>
> wrote:
>         Hi,
>         
>         how do I figure out if master and replica are talking via TLS?
>         Certs are
>         installed on both servers. Telnet on the replica shows:
>         
>         ------------
>         ~# telnet replica 2005
>         Trying 127.0.0.1...
>         Connected to localhost.
>         Escape character is '^]'.
>         * SASL DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN
>         * STARTTLS
>         * COMPRESS DEFLATE
>         * OK tripp Cyrus sync server v2.4.12-Debian-2.4.12-2
>         ------------
>         
>         When starting the master, login and replication is working,
>         but it seems
>         not working on TLS:
>         
>         Feb 19 01:11:24 replica cyrus/syncserver[22175]: accepted
>         connection
>         Feb 19 01:11:24 replica cyrus/syncserver[22175]: cmdloop():
>         startup
>         Feb 19 01:11:24 replica cyrus/syncserver[22175]: login: server
>         [xxx]
>         syncuser DIGEST-MD5 User logged in
> 
> 
> Marcus-
> 
> 
> It doesn't look like your sync server is using TLS. You'll see
> references to it in the logs on both the master and the replica as the
> connection is established like:
> 
> 
> sync_client[25615]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA
> (256/256 bits new client) no authentication,
> 
> 
> then you should see the authentication begin.
> 
> 
> Does your imapd.conf file on both master and replica specify the
> certificate, key and CA? Do the users the processes run as have access
> to these?

I feed the master via LMTP over TCP from a remote sendmail and this
connection is using TLS. I can see it in the logs. And I can connect to the
master via SSL on the IMAPS port. Therefore I think the certificates are
correctly installed on the master. I set tls_cert_file, tls_key_file and
tls_ca_file.

And on the replica a synctest shows


-----------
synctest -a syncadmin -u syncamdin -t '' server


Feb 19 02:23:57 tripp cyrus/master[22549]: about to
exec /usr/lib/cyrus/bin/sync_server
Feb 19 02:23:57 tripp cyrus/syncserver[22549]: executed
Feb 19 02:23:57 tripp cyrus/syncserver[22549]: accepted connection
Feb 19 02:23:57 tripp cyrus/syncserver[22549]: cmdloop(): startup
Feb 19 02:23:57 tripp cyrus/syncserver[22549]: imapd:Loading hard-coded
DH parameters
Feb 19 02:23:57 tripp cyrus/syncserver[22549]: SSL_accept() incomplete
-> wait
Feb 19 02:23:57 tripp cyrus/syncserver[22549]: SSL_accept() succeeded ->
done
Feb 19 02:23:57 tripp cyrus/syncserver[22549]: starttls: TLSv1 with
cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
Feb 19 02:23:59 tripp cyrus/syncserver[22549]: login: server [xxx]
syncamdin DIGEST-MD5+TLS User logged in
-----------

So I think TLS configuration on replica is fine too.

But the master seems not to use TLS when connecting via sync_client to
the replica. Is there an option to force using TLS or should the master
connect using TLS as soon as the replica offers it?

Ciao
Marcus
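The thread's diagnostic boils down to reading the replica's syncserver log and checking, per connection, whether a `starttls:` line appears before the `login:` line and whether the SASL mechanism is tagged `+TLS` (as in `DIGEST-MD5+TLS` in the synctest excerpt). The script below automates that check over a log file. It is an added example, not code from the thread or from the Cyrus project; the sample log lines are constructed from the excerpts quoted above, and the line format it parses (syslog timestamp, host, `cyrus/syncserver[pid]:` or `sync_client[pid]:`, message) is assumed to match what the thread shows.

```python
import re

# Constructed sample log, modelled on the two excerpts in the thread:
# one session that logged in without TLS, one that negotiated TLS first.
SAMPLE_LOG = """\
Feb 19 01:11:24 replica cyrus/syncserver[22175]: accepted connection
Feb 19 01:11:24 replica cyrus/syncserver[22175]: cmdloop(): startup
Feb 19 01:11:24 replica cyrus/syncserver[22175]: login: server [xxx] syncuser DIGEST-MD5 User logged in
Feb 19 02:23:57 tripp cyrus/syncserver[22549]: accepted connection
Feb 19 02:23:57 tripp cyrus/syncserver[22549]: cmdloop(): startup
Feb 19 02:23:57 tripp cyrus/syncserver[22549]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
Feb 19 02:23:59 tripp cyrus/syncserver[22549]: login: server [xxx] syncamdin DIGEST-MD5+TLS User logged in
"""

# Assumed syslog line shape: "<timestamp> <host> [cyrus/]<prog>[<pid>]: <message>"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>(?:cyrus/)?(?:syncserver|sync_client))\[(?P<pid>\d+)\]: (?P<msg>.*)$'
)
STARTTLS_RE = re.compile(r'^starttls: (?P<proto>\S+) with cipher (?P<cipher>\S+)')
LOGIN_RE = re.compile(r'^login: \S+ \[[^\]]*\] (?P<user>\S+) (?P<mech>\S+) User logged in')


def audit_sessions(log_text):
    """Group syncserver/sync_client lines into sessions keyed by (host, pid)
    and record whether each session negotiated TLS before its login."""
    sessions = []
    current = {}  # (host, pid) -> session dict still being filled
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated daemon or unparseable line
        key = (m['host'], m['pid'])
        msg = m['msg']
        # "accepted connection" starts a new session; pids get reused, so
        # a fresh record is created rather than appended to an old one.
        if msg == 'accepted connection' or key not in current:
            sess = {'host': m['host'], 'pid': m['pid'], 'started': m['ts'],
                    'tls': False, 'proto': None, 'cipher': None,
                    'user': None, 'mech': None}
            sessions.append(sess)
            current[key] = sess
        sess = current[key]
        st = STARTTLS_RE.match(msg)
        if st:
            sess['tls'] = True
            sess['proto'] = st['proto']
            sess['cipher'] = st['cipher']
            continue
        lg = LOGIN_RE.match(msg)
        if lg:
            sess['user'] = lg['user']
            sess['mech'] = lg['mech']
            # Cyrus suffixes the mechanism with "+TLS" when the login
            # happened inside a TLS session (cf. "DIGEST-MD5+TLS" above).
            if lg['mech'].endswith('+TLS'):
                sess['tls'] = True
    return sessions


def cleartext_logins(log_text):
    """Return (host, pid, user) for every session that authenticated
    without TLS; an empty list means all replication logins used TLS."""
    return [(s['host'], s['pid'], s['user'])
            for s in audit_sessions(log_text)
            if s['user'] and not s['tls']]


if __name__ == '__main__':
    for host, pid, user in cleartext_logins(SAMPLE_LOG):
        print(f'{host} syncserver[{pid}]: {user} logged in WITHOUT TLS')
```

Run it against the replica's syslog (or pipe `grep syncserver /var/log/syslog` into it) and the script reports each login that happened without a preceding STARTTLS and without the `+TLS` mechanism suffix; in the thread's own excerpts that flags the `syncuser` session and passes the `synctest` session.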