Chris Shenton wrote:
> 
> [I apologize if you don't think this is the correct place to query
> but the software is a combination from both the qmail-ldap and
> courier-imap efforts].
> 
> I'm bringing up qmail-ldap and have courier-imap working with it.  I
> tried to add TLS support with Andre Oppermann's tcpserver SSL/TLS
> patch
> 
> http://www.nrg4u.com/qmail/ucspi-tcp-ssl-20020705.patch.gz
> 
> to the IMAP server and can get it to work as IMAPS on port 993, with
> Mozilla Mail on FreeBSD and Eudora-5.x on Windows.  I run this as a
> service under svscan.

[Note: the ssl/tls patch to tcpserver has been programmed by Claudio
Jeker, not by myself, but he is working for me and it was my idea to
do it]

You have to differentiate two ways of invoking TLS:

 1. You do it on the entire connection from the beginning. What
    happens is TCP connect (three way handshake) and right then
    the TLS negotiation. This is what happens on port 993 (IMAPSSL).
    This is IMAP *over* an SSL/TLS connection. The TLS functionality
    can be implemented outside of the imap daemon. Like in this case
    with SSL/TLS tcpserver.

 2. TLS is an optional function on an existing port/protocol and has
    to be started while already being in the protocol. By definition
    IMAP on port 143 is unencrypted and has to be this way in the
    beginning. If you now want to enable TLS for this connection you
    have to do so within the IMAP session by requesting a STARTTLS
    command. In this case the TLS functionality has to be implemented
    inside the imap daemon and client. This way of doing things allows
    for unencrypted and encrypted sessions on the same port.

So you have to turn off ssl/tls in the tcpserver for port 143 and
enable it within Courier's imapd. On how to do that have a look in
the imapd documentation. Your run file to start imapd on 143 looks
fine except for the ssl/tls stuff.

I for myself prefer running ssl/tls stuff the first way. That is
much nicer and doesn't bloat the daemons with tls stuff. tcpserver
is exactly the right place to put ssl/tls.

-- 
Andre


> I cannot, however, get the clients I've tried to do
> IMAP with TLS on the normal port 143.
> 
> I invoke courier-imap differently than courier's own documentation
> suggests, and more like qmail[-ldap] invokes pop3d.  It's basically
> how the Life With Qmail / LDAP document recommends in section 8.3,
> using a mechanism like the qmail-pop3d-conf tool:
> 
>  /var/service:
>  lrwxr-xr-x 1 root  wheel   24 Jul 18 14:50 imapd  -> /var/qmail/service/imapd
>  lrwxr-xr-x 1 root  wheel   25 Jul 23 16:04 imapsd -> /var/qmail/service/imapsd
>  lrwxr-xr-x 1 root  wheel   24 Jul 15 17:23 pop3d  -> /var/qmail/service/pop3d
>  lrwxr-xr-x 1 root  wheel   24 Jul 15 17:24 qmail  -> /var/qmail/service/qmail
>  lrwxr-xr-x 1 root  wheel   24 Jul 15 17:42 smtpd  -> /var/qmail/service/smtpd
> 
> In /var/qmail/service/imapd/run:
> 
> #!/bin/sh
> exec 2>&1 \
> envdir ./env \
> sh -c '
>     case "$REMOTENAME" in h) H=;; p) H=p;; *) H=H;; esac
>     case "$REMOTEINFO" in r) R=;; [0-9]*) R="t$REMOTEINFO";; *) R=R;; esac
>     exec \
>     softlimit ${DATALIMIT+"-d$DATALIMIT"} \
>     /usr/local/bin/tcpserver \
>         -s \
>         -vD"$H$R" \
>         ${LOCALNAME+"-l$LOCALNAME"} \
>         ${BACKLOG+"-b$BACKLOG"} \
>         ${CONCURRENCY+"-c$CONCURRENCY"} \
>         -xtcp.cdb \
>         -- "${IP-0}" "${PORT-143}" \
>     /usr/local/sbin/imaplogin \
>     /var/qmail/bin/auth_imap \
>     /usr/local/bin/imapd "${MAILDIRNAME-Maildir}"
> '
> 
> This is identical to the way I run imap with the tcpserver TLS patch
> for IMAPS, but the port here is 143 instead of 993.  Notice the first
> option to tcpserver is "-s" to turn on SSL; the "cert.pem" file is in
> the same dir as "run" so I don't need the "-n" flag.
> 
> Mozilla doesn't have any specific TLS options, though clicking on "Use
> secure connection (SSL)" auto-selects port 993 and that's what got me
> IMAPS access.
> 
> I can select "use TLS" with Eudora but when it tries to connect it
> just hangs. Ethereal shows the three-way-handshake but that's as far
> as it gets.
> 
> When I telnet to port 143 there is no greeting message like I got from
> IMAP without the tcpserver TLS/SSL patch.  I'm not very familiar with
> TLS and how it negotiates but just scanned RFC2246 to try and
> understand the client/server negotiation phase. If Mozilla truly
> doesn't implement TLS yet, I expect it's waiting for an IMAP prompt
> rather than sending the client TLS handshake.  I don't know why
> Eudora-5 wouldn't send the client TLS handshake, or why it can't
> negotiate TLS.
> 
> Can someone point me in the right direction or at docs which would
> explain what I'm missing? If IMAPS is working, what am I doing wrong
> with IMAP over TLS?
> 
> Thanks.
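As an added example (not part of this thread or of either project), a small Python probe that reproduces the telnet check described above: a plaintext IMAP listener answers immediately with a greeting that advertises STARTTLS, while a port wrapped by tcpserver -s sends nothing and waits for a TLS ClientHello, which is why a STARTTLS client hangs. The local stand-in servers and the greeting text are constructed for the demo.

```python
import socket
import threading
from typing import Optional

# Constructed sample greeting of a plaintext IMAP server offering STARTTLS (RFC 2595 style).
PLAIN_GREETING = b"* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] Courier-IMAP ready.\r\n"


def probe_imap(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify what is listening on host:port, as the poster did with telnet.

    'starttls'    - plaintext greeting received and it advertises STARTTLS (what port 143 should do)
    'plain'       - plaintext greeting received, but no STARTTLS offered
    'no-greeting' - nothing arrived: the listener is waiting for a TLS ClientHello,
                    which is what a tcpserver -s wrapper on port 143 looks like to a client
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(1024)
        except socket.timeout:
            return "no-greeting"
    if not data.startswith(b"* OK"):
        return "no-greeting"
    return "starttls" if b"STARTTLS" in data.upper() else "plain"


def _serve_once(greeting: Optional[bytes]) -> int:
    """Constructed local stand-in: send a greeting, or stay silent like a TLS wrapper awaiting ClientHello."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        if greeting:
            conn.sendall(greeting)
        else:
            conn.recv(1024)  # block until the client speaks or gives up, as a TLS wrapper would
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def demo() -> dict:
    """Probe one correctly configured STARTTLS listener and one TLS-wrapped (silent) listener."""
    return {"starttls_port": probe_imap("127.0.0.1", _serve_once(PLAIN_GREETING)),
            "wrapped_port": probe_imap("127.0.0.1", _serve_once(None))}
```

Run `probe_imap` against your own port 143: a `no-greeting` result with `-s` in the run file is the tcpserver wrapper, not the IMAP daemon, answering the port.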
