Hi,

I haven't seen "fossies.org" before, but the canonical 3.4.1 sync_client source 
can be found here:
https://github.com/cyrusimap/cyrus-imapd/blob/cyrus-imapd-3.4.1/imap/sync_client.c

But you won't find TLS handling code in that file, because it just calls down 
to backend_connect() to do the heavy lifting, which is in: 
https://github.com/cyrusimap/cyrus-imapd/blob/cyrus-imapd-3.4.1/imap/backend.c

It looks like if you provide a "/tls" flag in the port/service name 
specification, then it will try to do TLS.  So where you've specified "993", 
maybe "993/tls" will do the trick?  It looks like "noauth" is another possible 
flag here, which is news to me.  Some of this stuff isn't very well documented, 
sorry.

I think we might assume that replication mostly occurs over a private network 
-- either a physical one within the same datacentre, or over VPN to a remote 
one -- but if you don't have these luxuries it makes sense that you'd want to 
use TLS for the connection.  I don't know if anyone is using it like this, but 
it ought to work fine since it just uses the same backend module as everything 
else.  If you get it working, it'd be great if you could send through some 
notes that we could integrate into the docs!

> 3.0.7-19.el8 Fedora server ready

Ohhh... it's interesting that you're looking at the 3.4.1 sources, but actually 
running 3.0.7.  Everything I've described above _should_ work for 3.0, as in, I 
don't believe the /tls flag is a new feature (otherwise I'd probably recognise 
it).  But I've been looking at the 3.4.1 sources, not the 3.0.7 ones, so your 
mileage may vary.  For what it's worth, 3.0.7 is two major releases out of date 
(the current stable series is 3.4; the previous stable series was 3.2).  If you 
can manage to run something newer, you should.

Cheers,

ellie

On Tue, 18 May 2021, at 5:17 AM, andrewhardy via Info wrote:
> Hi there,
> 
> I was hoping to verify with a source of truth whether
> sync_client embedded within the “Cyrus-imapd-3.4.1.tar.gz” has implicit TLS 
> support. (I assume it came bundled with Cyrus install - haven’t validated 
> that - CentOS 8).
> I managed to track down a sync_client.c file found at the URL below and it 
> doesn’t appear to offer starttls or
> implicit TLS support within the connect code (unless I’m missing something 
> obvious) and it doesn’t appear to
> make use of the TLS settings contained within imapd.conf file.
> - https://fossies.org/linux/cyrus-imapd/imap/sync_client.c
> Is this a correct assertion or am I missing something obvious? Sync Client is 
> working fine over IMAP TCP/143 but when changed to TCP 993, fails.
> 
> Was hoping to get this configured for mutual authentication between Cyrus 
> servers for secure replication given it’s a privileged account being passed 
> over the wire.
> Is this something that is supported using the sync_client utility at present 
> or are there alternative Cyrus
> mailbox synchronisation tools out there that would enable secure transmission 
> of replication data? Unfortunately
> cannot find any documentation that would hint at TLS support and I “assumed” 
> that it’d honour the client/server
> authentication certificates and configuration in imapd.conf. Believe this was 
> an incorrect assumption on my part.
> I must admit from what I have seen so far, Cyrus is a pretty cool 
> application. Thanks for developing this.
> ———
> On the service side, I get the following failure:
> cyrus/imaps[102032]: imaps TLS negotiation failed: testimapserver [10.0.0.10]
> On the client side, using openssl s_client -connect testimapserver:993 
> returns a successful TLSv1.3 connection
> with Cipher TLS_AES_256_GCM_SHA384 with the server response being:
> * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=PLAIN AUTH=LOGIN SASL-IR] 
> testimapserver Cyrus IMAP
> 3.0.7-19.el8 Fedora server ready
> ———
> If you could please confirm my suspicion and let me know if TLS support is 
> considered in a potential future
> release, that would be greatly appreciated. If I’ve got it wrong and it is 
> supported but it's a configuration
> issue on my part, apologies.
> 

------------------------------------------
Cyrus: Info
Permalink: 
https://cyrus.topicbox.com/groups/info/T775ec6d234b46b89-Mf38c1a2f6ce579778a2c436c