sync_server and TLS

Marcus Schopen lists at localguru.de
Wed Feb 19 10:26:26 EST 2014


On Wednesday, 19.02.2014, 02:28 +0100, Marcus Schopen wrote:
> On Wednesday, 19.02.2014, 01:16 +0100, Marcus Schopen wrote:
> > Hi,
> > 
> > how do I figure out if master and replica are talking via TLS? Certs are
> > installed on both servers. Telnet on the replica shows:
> > 
> > ------------
> > ~# telnet replica 2005
> > Trying 127.0.0.1...
> > Connected to localhost.
> > Escape character is '^]'.
> > * SASL DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN
> > * STARTTLS
> > * COMPRESS DEFLATE
> > * OK tripp Cyrus sync server v2.4.12-Debian-2.4.12-2
> > ------------
> > 
> > When starting the master, login and replication are working, but it seems
> > not to be working over TLS:
> > 
> > Feb 19 01:11:24 replica cyrus/syncserver[22175]: accepted connection
> > Feb 19 01:11:24 replica cyrus/syncserver[22175]: cmdloop(): startup
> > Feb 19 01:11:24 replica cyrus/syncserver[22175]: login: server [xxx]
> > syncuser DIGEST-MD5 User logged in
> 
> Certificates seem to be fine. A synctest from the master to the replica
> (= server) looks like this:
> 
> synctest -a syncadmin -u syncamdin -t '' server
> 
> -----------
> Feb 19 02:23:57 tripp cyrus/master[22549]: about to
> exec /usr/lib/cyrus/bin/sync_server
> Feb 19 02:23:57 tripp cyrus/syncserver[22549]: executed
> Feb 19 02:23:57 tripp cyrus/syncserver[22549]: accepted connection
> Feb 19 02:23:57 tripp cyrus/syncserver[22549]: cmdloop(): startup
> Feb 19 02:23:57 tripp cyrus/syncserver[22549]: imapd:Loading hard-coded
> DH parameters
> Feb 19 02:23:57 tripp cyrus/syncserver[22549]: SSL_accept() incomplete
> -> wait
> Feb 19 02:23:57 tripp cyrus/syncserver[22549]: SSL_accept() succeeded ->
> done
> Feb 19 02:23:57 tripp cyrus/syncserver[22549]: starttls: TLSv1 with
> cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
> Feb 19 02:23:59 tripp cyrus/syncserver[22549]: login: server [xxx]
> syncamdin DIGEST-MD5+TLS User logged in
> -----------
> 
> Restarting Cyrus on the master comes up with this login without TLS on
> the replica:
> 
> -----------
> Feb 19 02:24:55 tripp cyrus/syncserver[22549]: accepted connection
> Feb 19 02:24:55 tripp cyrus/syncserver[22549]: cmdloop(): startup
> Feb 19 02:24:55 tripp cyrus/syncserver[22549]: login: server [xxx]
> syncadmin DIGEST-MD5 User logged in
> -----------
> 
> Ciao!

Playing around with imap.conf 

Test 1: Ubuntu 12.04 LTS default imap.conf:
#sasl_mech_list: PLAIN
allowplaintext: yes

comes up with this banner

root at replicaserver:/etc# telnet localhost 2005
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* SASL DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN
* STARTTLS
* COMPRESS DEFLATE
* OK replicaserver Cyrus sync server v2.4.12-Debian-2.4.12-2

Log entry on replica 

Feb 19 15:30:31 replicaserver cyrus/syncserver[23528]: login:
masterserver [192.168.0.100] testsyncuser DIGEST-MD5 User logged 

Test 2: set sasl_mech_list to PLAIN
allowplaintext: yes
sasl_mech_list: PLAIN

comes up with this banner

root at replicaserver:/etc# telnet localhost 2005
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* SASL PLAIN
* STARTTLS
* COMPRESS DEFLATE
* OK replicaserver Cyrus sync server v2.4.12-Debian-2.4.12-2

Log entry on replica 

Feb 19 15:32:17 replicaserver cyrus/syncserver[23573]: login:
masterserver [192.168.0.100] testsyncuser PLAIN User logged in


Test 3: set sasl_mech_list to PLAIN and allowplaintext to no
allowplaintext: no
sasl_mech_list: PLAIN

comes up with this banner

root at replicaserver:/etc# telnet localhost 2005
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* STARTTLS
* COMPRESS DEFLATE
* OK replicaserver Cyrus sync server v2.4.12-Debian-2.4.12-2

Log entry on replica

Feb 19 15:33:38 replicaserver cyrus/syncserver[23618]: imapd:Loading
hard-coded DH parameters
Feb 19 15:33:38 replicaserver cyrus/syncserver[23618]: SSL_accept()
incomplete -> wait
Feb 19 15:33:38 replicaserver cyrus/syncserver[23618]: SSL_accept()
succeeded -> done
Feb 19 15:33:38 replicaserver cyrus/syncserver[23618]: starttls: TLSv1
with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
Feb 19 15:33:38 replicaserver cyrus/syncserver[23618]: login:
masterserver [192.168.0.100] testsyncuser PLAIN+TLS User logged in

I like this :)

Seems that the master doesn't use TLS as long as the replica offers SASL
mechanisms.

Ciao!
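A small check that follows from the three tests above, added here as an example and not part of the post or of Cyrus itself: it parses the sync_server capability banner (before STARTTLS) to see whether any SASL mechanism is offered in the clear, and scans syncserver `login:` lines for mechanisms without the `+TLS` suffix. The banners and log lines are constructed from the post's output (the wrapped log lines joined back into one line each).

```python
"""Spot replication logins that happen without TLS on a Cyrus replica."""
import re

# Pre-STARTTLS banner from Test 1 (SASL offered in the clear) and Test 3
# (allowplaintext: no, so no SASL line before STARTTLS). Constructed from the post.
BANNER_TEST1 = """* SASL DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN
* STARTTLS
* COMPRESS DEFLATE
* OK replicaserver Cyrus sync server v2.4.12-Debian-2.4.12-2
"""
BANNER_TEST3 = """* STARTTLS
* COMPRESS DEFLATE
* OK replicaserver Cyrus sync server v2.4.12-Debian-2.4.12-2
"""

# syncserver login lines from the three tests, each joined onto one line (constructed).
SAMPLE_LOG = [
    "Feb 19 15:30:31 replicaserver cyrus/syncserver[23528]: login: masterserver [192.168.0.100] testsyncuser DIGEST-MD5 User logged in",
    "Feb 19 15:32:17 replicaserver cyrus/syncserver[23573]: login: masterserver [192.168.0.100] testsyncuser PLAIN User logged in",
    "Feb 19 15:33:38 replicaserver cyrus/syncserver[23618]: login: masterserver [192.168.0.100] testsyncuser PLAIN+TLS User logged in",
]

LOGIN_RE = re.compile(
    r"cyrus/syncserver\[\d+\]: login: (?P<host>\S+) \[(?P<addr>[^\]]*)\] "
    r"(?P<user>\S+) (?P<mech>\S+) User logged in"
)


def parse_banner(banner):
    """Return (sasl_mechs, starttls_offered) from the banner lines starting with '* '."""
    mechs, starttls = [], False
    for line in banner.splitlines():
        if not line.startswith("* "):
            continue
        words = line[2:].split()
        if words[0] == "SASL":
            mechs = words[1:]          # mechanisms usable before STARTTLS
        elif words[0] == "STARTTLS":
            starttls = True
    return mechs, starttls


def plaintext_login_possible(banner):
    """True when SASL mechanisms are advertised before STARTTLS: the situation in
    which the post observed the master authenticating without TLS."""
    return bool(parse_banner(banner)[0])


def logins_without_tls(log_lines):
    """Return (user, mechanism) for every login whose mechanism lacks the +TLS suffix."""
    hits = []
    for line in log_lines:
        m = LOGIN_RE.search(line)
        if m and not m.group("mech").endswith("+TLS"):
            hits.append((m.group("user"), m.group("mech")))
    return hits
```

Running `logins_without_tls` over the replica's log after the config change is a quick way to confirm that every sync login now carries `+TLS`.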




More information about the Info-cyrus mailing list