Re: cyradm and TLS 1.2

2019-10-14 Thread John Widera 
Turns out imclient (at least in the latest RHEL7 pkg) is hardcoded to
use TLSv1.  Since we're building binary RPMs from Source RPMs anyway we
modified imclient.c, rebuilt the RPMs, reinstalled the cyrus-imapd-utils
package:  Here's the patch we used: 

 

--- IMCLIENT.C.ORIG 2012-12-01 13:57:54.0 -0600
+++ IMCLIENT.C 2019-10-03 14:40:11.254566297 -0500
@@ -1695,7 +1695,7 @@
RETURN -1;
} 

- IMCLIENT->TLS_CTX = SSL_CTX_NEW(TLSV1_CLIENT_METHOD());
+ IMCLIENT->TLS_CTX = SSL_CTX_NEW(TLSV1_2_CLIENT_METHOD());
IF (IMCLIENT->TLS_CTX == NULL) {
RETURN -1;
}; 

--- 

Maybe this helps someone else. 

Regards,

> Hi All, 
> 
> We're hoping to find some help on the list... 
> 
> We are running Cyrus-IMAP on RHEL7, using an RPM pkg 
> (CYRUS-IMAPD-2.4.17-13.EL7) built from the Red Hat SRC RPM.  We also have 
> SASL, Utils, devel etc pkgs all from RH. 
> 
> Now we're looking to finally move Cyrus completely off insecure TLS versions. 
>  But now there is a lingering issue... 
> 
> We removed tls1_0 from impad.conf, and the CYRADM shell stopped working.  We 
> can no longer connect at all: 
> 
> CYRADM -U CYRUS 
> [ SSL_CONNECT ERROR -1 ]
> [ SSL SESSION REMOVED ]
> [ TLS NEGOTIATION DID NOT SUCCEED ]
> CYRADM: CANNOT AUTHENTICATE TO SERVER WITH AS CYRUS 
> 
> CYRADM -U CYRUS --NOTLS 
> [ SSL_CONNECT ERROR -1 ]
> [ SSL SESSION REMOVED ]
> [ TLS NEGOTIATION DID NOT SUCCEED ]
> CYRADM: CANNOT AUTHENTICATE TO SERVER WITH AS CYRUS 
> 
> The presumption is (as cyradm is just a wrapper script) any PERL scripts 
> calling Cyrus::IMAP::Admin over a STARTTLS connection could likewise be 
> broken (?) if we block TLS 1.0.  
> 
> cyradm is using TLSv1 per maillog: 
> 
> IMAPS[14096]: STARTTLS: TLSV1 WITH CIPHER  
> 
> Our MAN page for cyradm shows a "--notls" option, which does not work/changes 
> nothing.  Oddly, the cyradm HELP FLAG does NOT show this option, yet cyradm 
> doesn't bark when it's passed: 
> 
> USAGE: CYRADM [ARGS] SERVER
> --USER  CONNECT AS  (AUTHENTICATION NAME)
> --AUTHZ  AUTHORIZE AS 
> --[NO]RC (DO NOT) LOAD THE CONFIGURATION FILES
> --SYSTEMRC  USE SYSTEM-WIDE CONFIGURATION 
> --USERRC  USE USER CONFIGURATION 
> --PORT  CONNECT TO SERVER ON 
> --AUTH  AUTHENTICATE WITH  
> 
> A web search reveals the MAN page for cyradm in Cyrus v.3, and it shows NOTLS 
> as an option to AUTHENTICATE, after a server connection is made, so its 
> unclear to me what's going on... 
> 
> Does anyone have cyradm working with TLS1.2? 
> 
> Regards & THANKS in advance for any assistance or suggestions offered. 
> 
> -- 
> John 
> 
> Cyrus Home Page: http://www.cyrusimap.org/
> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
> To Unsubscribe:
> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus

Re: XBACKUP and backupd not backing up public folders (3.0.8)

2019-10-14 Thread Sebastian Hagedorn 
Am 14.10.19 um 03:00 schrieb Deborah Pickett:
> So how are people currently backing up shared folders, if they’re not
> using Cyrus backupd?

FWIW, we just take snapshots of the file systems and backup those. Mail
files aren't databases, so I don't think you have to worry about
corrupted files as much.

Cheers
Sebastian
-- 
   .:.Sebastian Hagedorn - Weyertal 121 (Gebäude 133), Zimmer 2.02.:.
.:.Regionales Rechenzentrum (RRZK).:.
  .:.Universität zu Köln / Cologne University - ✆ +49-221-470-89578.:.
<>

smime.p7s
Description: S/MIME Cryptographic Signature

Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus