Discussion:
TLS fails on imaps port
Bob Dye
2010-01-24 00:54:54 UTC
I'm running Cyrus-imapd 2.3.7 on a Redhat Enterprise Linux 5 system.

TLS works fine if I connect to the imap port (143). If I try to connect
instead via the imaps port (993), the attempt times out and I get the
following in the log:

imaps[27170]: imaps TLS negotiation failed: [xx.xx.xx.xx]
imaps[27170]: Fatal error: tls_start_servertls() failed

Any ideas?
--
Bob Dye
Vintagefactor

<http://www.vintagefactor.com/>
Joseph Brennan
2010-01-24 02:24:12 UTC
--On Saturday, January 23, 2010 4:54 PM -0800 Bob Dye
Post by Bob Dye
I'm running Cyrus-imapd 2.3.7 on a Redhat Enterprise Linux 5 system.
TLS works fine if I connect to the imap port (143). If I try to connect
instead via the imaps port (993), the attempt times out and I get the
imaps[27170]: imaps TLS negotiation failed: [xx.xx.xx.xx]
imaps[27170]: Fatal error: tls_start_servertls() failed
Normal. It should fail. 993 requires SSL.


Joseph Brennan
Columbia University Information Technology
Bob Dye
2010-01-24 14:39:31 UTC
Post by Joseph Brennan
--On Saturday, January 23, 2010 4:54 PM -0800 Bob Dye
Normal. It should fail. 993 requires SSL.
Joseph Brennan
Columbia University Information Technology
----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
993 (the port) does not require SSL. The official IANA definition is
"imap4 protocol over TLS/SSL".

Perhaps you're saying that Cyrus-imapd only supports SSL on 993 for some
reason?
--
Bob Dye
Vintagefactor

<http://www.vintagefactor.com/>
Patrick Boutilier
2010-01-24 21:21:31 UTC
Post by Bob Dye
993 (the port) does not require SSL. The official IANA definition is
"imap4 protocol over TLS/SSL".
Perhaps you're saying that Cyrus-imapd only supports SSL on 993 for some
reason?
Assuming you are running imapd -s on port 993, from the man page for imapd:

-s Serve IMAP over SSL (imaps). All data to and from imapd is
encrypted using the Secure Sockets Layer.
Bob Dye
2010-01-25 15:51:56 UTC
Post by Patrick Boutilier
-s Serve IMAP over SSL (imaps). All data to and from imapd is
encrypted using the Secure Sockets Layer.
Yes, those are the words on the man page. I am reluctant to simply
accept that as true because:

1. The man page does not say anything about TLS. It is difficult to draw
conclusions from lack of documentation. You might assume that it does
not support TLS at all, but it definitely does. I have seen a number of
cases where software documentation has not been updated to reflect TLS
(vs. SSL).

2. The error message ("imaps TLS negotiation failed") implies that
cyrus-imapd is trying to support TLS and failing. If it supported only
SSL, it would presumably not try TLS.
--
Bob Dye
Vintagefactor

<http://www.vintagefactor.com/>
Patrick Boutilier
2010-01-25 17:31:26 UTC
Post by Bob Dye
Yes, those are the words on the man page. I am reluctant to simply
accept that as true because:
1. The man page does not say anything about TLS. It is difficult to draw
conclusions from lack of documentation. You might assume that it does
not support TLS at all, but it definitely does. I have seen a number of
cases where software documentation has not been updated to reflect TLS
(vs. SSL).
2. The error message ("imaps TLS negotiation failed") implies that
cyrus-imapd is trying to support TLS and failing. If it supported only
SSL, it would presumably not try TLS.
What IMAP client are you using? Sounds like you are trying to use STARTTLS.

http://sial.org/howto/openssl/tls-name/
Bob Dye
2010-01-25 18:26:04 UTC
Post by Patrick Boutilier
What IMAP client are you using? Sounds like you are trying to use STARTTLS.
http://sial.org/howto/openssl/tls-name/
Patrick,

I use Mozilla Thunderbird.
--
Bob Dye
Vintagefactor

<http://www.vintagefactor.com/>
Patrick Boutilier
2010-01-25 18:29:39 UTC
Post by Bob Dye
Patrick,
I use Mozilla Thunderbird.
Use SSL/TLS instead of STARTTLS for connection security.
Andrew Morgan
2010-01-25 17:28:30 UTC
Post by Bob Dye
I'm running Cyrus-imapd 2.3.7 on a Redhat Enterprise Linux 5 system.
TLS works fine if I connect to the imap port (143). If I try to connect
instead via the imaps port (993), the attempt times out and I get the
imaps[27170]: imaps TLS negotiation failed: [xx.xx.xx.xx]
imaps[27170]: Fatal error: tls_start_servertls() failed
Any ideas?
Try the command line openssl client and see if it can negotiate SSL/TLS.
Something like this:

openssl s_client -connect your_server_dns_name:993 -CApath /etc/ssl/certs

CApath should be the path to your local CA certificates directory,
/etc/ssl/certs on Debian Linux. You could also add -debug to get a hex
dump of the traffic.

Can you post your imapd.conf file (sanitized)?

Andy
Patrick Boutilier
2010-01-25 17:33:31 UTC
Post by Andrew Morgan
Try the command line openssl client and see if it can negotiate SSL/TLS.
openssl s_client -connect your_server_dns_name:993 -CApath /etc/ssl/certs
CApath should be the path to your local CA certificates directory,
/etc/ssl/certs on Debian Linux. You could also add -debug to get a hex
dump of the traffic.
Can you post your imapd.conf file (sanitized)?
Just for reference, the above error happens when you try STARTTLS on
port 993:

# telnet student.ednet.ns.ca 993
Trying 142.227.51.32...
Connected to student.ednet.ns.ca.
Escape character is '^]'.
starttls

* BYE Fatal error: tls_start_servertls() failed
Connection closed by foreign host.
Bob Dye
2010-01-25 18:25:07 UTC
Post by Andrew Morgan
Try the command line openssl client and see if it can negotiate
openssl s_client -connect your_server_dns_name:993 -CApath
/etc/ssl/certs
CApath should be the path to your local CA certificates directory,
/etc/ssl/certs on Debian Linux. You could also add -debug to get a
hex dump of the traffic.
Can you post your imapd.conf file (sanitized)?
Andy
The openssl client connects successfully with TLSv1, AES256-SHA cipher, and

* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=DIGEST-MD5
AUTH=CRAM-MD5 SASL-IR] netserver.vintagefactor.com Cyrus IMAP4
v2.3.7-Invoca-RPM-2.3.7-7.el5_4.3 server ready

I have a very standard imapd.conf except for the use of SQL:

configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus root
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_log_level: 10
sasl_mech_list: PLAIN CRAM-MD5 DIGEST-MD5
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sql
sasl_sql_engine: mysql
sasl_auto_transition: no
sasl_sql_hostnames: mail-db.vintagefactor.com
sasl_sql_user: mail
sasl_sql_passwd: xxxxxxxx
sasl_sql_database: mail
sasl_sql_statement: SELECT password FROM accountuser WHERE username = '%u'
allowplaintext: yes
unixhierarchysep: yes
tls_require_cert: false
tls_imap_require_cert: true
tls_cert_file: /usr/share/ssl/certs/xxx.crt
tls_key_file: /usr/share/ssl/private/xxx.key
tls_ca_file: /usr/share/ssl/xxx.crt
--
Bob Dye
Vintagefactor

<http://www.vintagefactor.com/>
Joseph Brennan
2010-01-25 19:00:52 UTC
Examples:

[1] openssl s_client -connect mail.columbia.edu:993
[2] openssl s_client -connect mail.columbia.edu:143 -starttls imap
[3] openssl s_client -connect mail.columbia.edu:993 -starttls imap

[1] and [2] should work; [3] fails.

The U Wash IMAP server gives the same results.

These alternatives are commonly called "ssl" and "tls", but the actual
distinction is whether the starttls command is used to get Transport
Layer Security. First described in RFC 2595.


Joseph Brennan
Columbia University Information Technology
Andrew Morgan
2010-01-25 20:01:00 UTC
Post by Bob Dye
The openssl client connects successfully with TLSv1, AES256-SHA cipher, and
* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=DIGEST-MD5
AUTH=CRAM-MD5 SASL-IR] netserver.vintagefactor.com Cyrus IMAP4
v2.3.7-Invoca-RPM-2.3.7-7.el5_4.3 server ready
It sounds like a client configuration problem then. You should choose
"SSL" when connecting to port 993 and "TLS" when connecting to port 143.

Andy
Bob Dye
2010-01-25 23:07:09 UTC
Post by Andrew Morgan
It sounds like a client configuration problem then. You should choose
"SSL" when connecting to port 993 and "TLS" when connecting to port 143.
OK. Thanks.

But it does seem odd that it supports STARTTLS on 143 but not 993.
--
Bob Dye
Vintagefactor
P.O. Box 852
St. Helena, CA 94574-0852
Cell: 707.738.9919
Tel: 707.963.6045
Fax: 707.967.5578
www.vintagefactor.com <http://www.vintagefactor.com/>
Andrew Morgan
2010-01-25 23:12:45 UTC
Post by Bob Dye
OK. Thanks.
But it does seem odd that it supports STARTTLS on 143 but not 993.
The IMAP command "STARTTLS" is only offered by the server when the
connection is currently unencrypted, such as when you first connect to
port 143. Port 993 is an SSL port, so by the time you see the CAPABILITY
string from the server, SSL negotiation has already happened.

Andy
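As an added example (not code from this thread or from Cyrus), assuming only Python's standard imaplib and ssl modules and constructed greetings with placeholder host names, this script performs Joseph's checks [1] and [2] in code and applies Andy's point: the greeting on 993 arrives only after the handshake, so STARTTLS has no place in it, while on 143 the greeting must offer STARTTLS before the upgrade. It also flags a plaintext greeting without LOGINDISABLED, since that is the situation in which a client can send a password in the clear before upgrading.

```python
"""Probe an IMAP server the two valid ways and flag risky greetings.
Added example, not code from this thread or from Cyrus; standard library only.
Host names in the constructed samples are placeholders."""
import imaplib
import re
import ssl

# Constructed sample modelled on the greeting Bob posted from port 993.
SAMPLE_IMAPS_GREETING = (
    "* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=DIGEST-MD5 "
    "AUTH=CRAM-MD5 SASL-IR] imap.example.invalid Cyrus IMAP4 server ready"
)
# Constructed, hypothetical greeting of a well-configured plaintext port 143:
# STARTTLS offered, LOGIN refused until the session is encrypted.
SAMPLE_IMAP_GREETING = (
    "* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS LOGINDISABLED] "
    "imap.example.invalid Cyrus IMAP4 server ready"
)

STARTTLS_ON_IMAPS = "STARTTLS advertised on 993: greeting did not arrive over implicit TLS"
NO_STARTTLS = "no STARTTLS on the plaintext port: the session cannot be upgraded"
PLAINTEXT_LOGIN = "LOGINDISABLED absent: credentials may be accepted before STARTTLS"

_CAP_RE = re.compile(r"^\* OK \[CAPABILITY ([^\]]*)\]", re.IGNORECASE)

def parse_capabilities(greeting):
    """Return the upper-cased tokens of the greeting's CAPABILITY response code."""
    match = _CAP_RE.match(greeting.strip())
    if match is None:
        raise ValueError("greeting carries no CAPABILITY response code")
    return {tok.upper() for tok in match.group(1).split()}

def assess(port, caps):
    """Findings for a greeting seen on `port` (993 = implicit TLS, else plaintext)."""
    findings = []
    if port == 993:
        # The greeting is only sent after the TLS handshake, so STARTTLS has no place in it.
        if "STARTTLS" in caps:
            findings.append(STARTTLS_ON_IMAPS)
        return findings
    if "STARTTLS" not in caps:
        findings.append(NO_STARTTLS)
    if "LOGINDISABLED" not in caps:
        findings.append(PLAINTEXT_LOGIN)
    return findings

def probe_imaps(host, port=993):
    """Joseph's check [1]: handshake first, then read the greeting (needs network)."""
    ctx = ssl.create_default_context()
    with imaplib.IMAP4_SSL(host, port, ssl_context=ctx) as conn:
        caps = parse_capabilities(conn.welcome.decode("ascii", "replace"))
    return assess(port, caps)

def probe_starttls(host, port=143):
    """Joseph's check [2]: plaintext greeting, STARTTLS, re-read capabilities (needs network)."""
    ctx = ssl.create_default_context()
    with imaplib.IMAP4(host, port) as conn:
        caps = parse_capabilities(conn.welcome.decode("ascii", "replace"))
        findings = assess(port, caps)
        if "STARTTLS" in caps:
            # imaplib refuses starttls() on an IMAP4_SSL object: that is Joseph's case [3].
            conn.starttls(ssl_context=ctx)
            if "STARTTLS" in {c.upper() for c in conn.capabilities}:
                findings.append("STARTTLS still advertised after the upgrade")
    return findings

if __name__ == "__main__":
    import sys
    print("993:", probe_imaps(sys.argv[1]) or "ok")
    print("143:", probe_starttls(sys.argv[1]) or "ok")
```

Run it as `python3 probe.py your_server_dns_name`; the network probes use the default certificate store, so a self-signed server certificate will fail verification just as it would in openssl s_client without -CApath.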
Patrick Boutilier
2010-01-25 23:14:25 UTC
Post by Andrew Morgan
Post by Bob Dye
OK. Thanks.
But it does seem odd that it supports STARTTLS on 143 but not 993.
The IMAP command "STARTTLS" is only offered by the server when the
connection is currently unencrypted, such as when you first connect to
port 143. Port 993 is an SSL port, so by the time you see the CAPABILITY
string from the server, SSL negotiation has already happened.
Right, which is explained at http://sial.org/howto/openssl/tls-name/
Vincent Fox
2010-01-25 23:16:53 UTC
Post by Bob Dye
But it does seem odd that it supports STARTTLS on 143 but not 993.
This is not odd, this is working as specified.

TLS is enabling encryption on a connection that
has started without it.

There's a cogent argument that 993 should be deprecated
as the vestige of "stunnel days" that it is.
Duncan Gibb
2010-01-26 10:09:47 UTC
BD> But it does seem odd that it supports STARTTLS on 143 but not 993.

VF> This is not odd, this is working as specified.

Indeed.

VF> TLS is enabling encryption on a connection that
VF> has started without it.

Maybe people would be less confused if "TLS" were only used to mean the
more secure socket-layer encryption which succeeded SSL, and upgrading
from unencrypted to encrypted during an existing session were only
referred to as "STARTTLS". That seems to have been the cause of
confusion in this thread.


VF> There's a cogent argument that 993 should be deprecated
VF> as the vestige of "stunnel days" that it is.

I'd caution against that. Around here the convention is that
user-facing front-ends listen _only_ on 993 in order to prevent users
attempting to send their credentials over insecure connections.


Duncan
--
Duncan Gibb - Technical Director
Sirius Corporation plc - control through freedom
http://www.siriusit.co.uk/ || t: +44 870 608 0063
Debian Cyrus Team - https://alioth.debian.org/projects/pkg-cyrus-imapd/