Re: TLS fails on imaps port

2010-01-25 Thread Bob Dye

Andrew Morgan wrote:

On Mon, 25 Jan 2010, Bob Dye wrote:


Andrew Morgan wrote:

On Sat, 23 Jan 2010, Bob Dye wrote:


I'm running Cyrus-imapd 2.3.7 on a Redhat Enterprise Linux 5 system.

TLS works fine if I connect to the imap port (143). If I try to 
connect instead via the imaps port (993), the attempt times out and 
I get the following in the log:


imaps[27170]: imaps TLS negotiation failed: [xx.xx.xx.xx]
imaps[27170]: Fatal error: tls_start_servertls() failed

Any ideas?


Try the command line openssl client and see if it can negotiate 
SSL/TLS. Something like this:


  openssl s_client -connect your_server_dns_name:993 -CApath /etc/ssl/certs


CApath should be the path to your local CA certificates directory, 
/etc/ssl/certs on Debian Linux.  You could also add -debug to get a 
hex dump of the traffic.


Can you post your imapd.conf file (sanitized)?

Andy
The openssl client connects successfully with TLSv1, AES256-SHA cipher, and

* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR] netserver.vintagefactor.com Cyrus IMAP4 v2.3.7-Invoca-RPM-2.3.7-7.el5_4.3 server ready


I have a very standard imap.conf except for the use of SQL:

configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus root
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_log_level: 10
sasl_mech_list: PLAIN CRAM-MD5 DIGEST-MD5
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sql
sasl_sql_engine: mysql
sasl_auto_transition: no
sasl_sql_hostnames: mail-db.vintagefactor.com
sasl_sql_user: mail
sasl_sql_passwd: 
sasl_sql_database: mail
sasl_sql_statement: SELECT password FROM accountuser WHERE username = '%u'

allowplaintext: yes
unixhierarchysep: yes
tls_require_cert: false
tls_imap_require_cert: true
tls_cert_file: /usr/share/ssl/certs/xxx.crt
tls_key_file: /usr/share/ssl/private/xxx.key
tls_ca_file: /usr/share/ssl/xxx.crt


It sounds like a client configuration problem then.  You should choose 
"SSL" when connecting to port 993 and "TLS" when connecting to port 143.


Andy

OK. Thanks.

But it does seem odd that it supports STARTTLS on 143 but not 993.

--

Bob Dye
Vintagefactor
P.O. Box 852
St. Helena, CA 94574-0852
Cell: 707.738.9919
Tel: 707.963.6045
Fax: 707.967.5578
www.vintagefactor.com <http://www.vintagefactor.com/>


Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
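The exchange above comes down to two connection modes that clients label confusingly: port 993 ("SSL" in Thunderbird) expects the TLS handshake before any IMAP is spoken, while port 143 ("TLS") expects cleartext IMAP first and an upgrade via the STARTTLS command. A STARTTLS-style client pointed at 993 waits for the plaintext "* OK" greeting while the imaps listener waits for a ClientHello, so both sides idle until a timeout, and whatever the client eventually sends (or the disconnect) is what Cyrus logs as "TLS negotiation failed". The following is an added example, not code from the thread or from Cyrus: it classifies the first bytes a listener receives, explains the outcome per port, and parses the CAPABILITY greeting so a reviewer can confirm which port offers STARTTLS. The greeting from port 993 is the one quoted in the thread; the ClientHello bytes, the cleartext command and the port-143 greeting (host `imap.example.test`) are constructed samples.

```python
"""Added example (not from the thread or from Cyrus): what an implicit-TLS
listener such as Cyrus "imapd -s" on 993 sees when a client is set to
STARTTLS, and how to tell the two modes apart from the wire and the greeting."""
import re

# TLS record layer: content type 0x16 is "handshake"; the version field's
# major byte is 0x03 for SSL 3.0 and every TLS version.
TLS_CONTENT_HANDSHAKE = 0x16
TLS_HANDSHAKE_CLIENT_HELLO = 0x01

# Constructed sample: leading bytes of a TLS ClientHello, which is what a
# client configured for "SSL" (implicit TLS) sends right after connecting.
CLIENT_HELLO_PREFIX = bytes([
    0x16, 0x03, 0x01,        # record header: handshake, legacy version TLS 1.0
    0x00, 0x06,              # record length (sample is truncated)
    0x01, 0x00, 0x00, 0x02,  # handshake header: ClientHello, 3-byte length
    0x03, 0x03,              # client_version TLS 1.2
])

# Constructed sample: what a STARTTLS-style client sends in the clear once it
# decides to talk, e.g. after giving up on waiting for a "* OK" greeting.
PLAINTEXT_IMAP_COMMAND = b"a001 CAPABILITY\r\n"

# Greeting quoted in the thread from port 993: the session is already inside
# TLS, so STARTTLS is not advertised.
GREETING_993 = (
    "* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=DIGEST-MD5 "
    "AUTH=CRAM-MD5 SASL-IR] netserver.vintagefactor.com Cyrus IMAP4 "
    "v2.3.7-Invoca-RPM-2.3.7-7.el5_4.3 server ready"
)
# Constructed greeting of the kind a port-143 listener sends before TLS:
# STARTTLS is offered and cleartext LOGIN is refused until it is used.
GREETING_143 = (
    "* OK [CAPABILITY IMAP4 IMAP4rev1 STARTTLS LOGINDISABLED AUTH=PLAIN] "
    "imap.example.test Cyrus IMAP4 server ready"
)


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a listener receives: a TLS ClientHello, a
    cleartext IMAP command, or something else."""
    if (len(data) >= 6 and data[0] == TLS_CONTENT_HANDSHAKE
            and data[1] == 0x03 and data[5] == TLS_HANDSHAKE_CLIENT_HELLO):
        return "tls-client-hello"
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return "unknown"
    # An IMAP command line is "<tag> <NAME> [args]" ending in CRLF (RFC 3501).
    if re.match(r"^[A-Za-z0-9]+ [A-Za-z]+.*\r\n$", text):
        return "plaintext-imap-command"
    return "unknown"


def expected_client_mode(port: int) -> str:
    """993 expects the TLS handshake before any IMAP (Thunderbird's "SSL");
    143 expects cleartext IMAP with an optional STARTTLS upgrade ("TLS")."""
    return {993: "implicit-tls", 143: "starttls"}.get(port, "unknown")


def diagnose(port: int, first_bytes: bytes) -> str:
    """Explain what happens when a client's opening bytes hit a given port."""
    kind = classify_first_bytes(first_bytes)
    mode = expected_client_mode(port)
    if mode == "implicit-tls":
        if kind == "tls-client-hello":
            return "handshake proceeds"
        # The path behind "imaps TLS negotiation failed": the server's TLS
        # accept sees bytes that are not a ClientHello.
        return "TLS negotiation failed: expected ClientHello, got " + kind
    if mode == "starttls":
        if kind == "plaintext-imap-command":
            return "cleartext IMAP accepted; upgrade with STARTTLS"
        return "protocol error: TLS must follow STARTTLS here, got " + kind
    return "unknown port"


def parse_greeting(greeting: str) -> dict:
    """Pull the CAPABILITY list out of a greeting: is STARTTLS offered, is
    cleartext login blocked, which SASL mechanisms are advertised."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", greeting)
    caps = set(m.group(1).split()) if m else set()
    return {
        "capabilities": caps,
        "starttls": "STARTTLS" in caps,
        "login_disabled": "LOGINDISABLED" in caps,
        "sasl_mechs": {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")},
    }


if __name__ == "__main__":
    for port, data in ((993, CLIENT_HELLO_PREFIX), (993, PLAINTEXT_IMAP_COMMAND),
                       (143, PLAINTEXT_IMAP_COMMAND)):
        print(port, classify_first_bytes(data), "->", diagnose(port, data))
    for greeting in (GREETING_993, GREETING_143):
        print(parse_greeting(greeting))
```

Against a live server the two checks are the openssl command Andrew gave for 993 and its STARTTLS counterpart for 143, `openssl s_client -connect host:143 -starttls imap`; both should report a TLS protocol version and cipher, as the page's run on 993 did with TLSv1 and AES256-SHA. That result also settles the "SSL vs. TLS" wording in the man page: the `-s` listener negotiates TLS, and "SSL" in client settings merely means "handshake first".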

Re: TLS fails on imaps port

2010-01-25 Thread Bob Dye

Patrick Boutilier wrote:

On 01/25/2010 11:51 AM, Bob Dye wrote:

Patrick Boutilier wrote:

On 01/24/2010 10:39 AM, Bob Dye wrote:


Joseph Brennan wrote:


--On Saturday, January 23, 2010 4:54 PM -0800 Bob Dye wrote:




I'm running Cyrus-imapd 2.3.7 on a Redhat Enterprise Linux 5 system.

TLS works fine if I connect to the imap port (143). If I try to connect
instead via the imaps port (993), the attempt times out and I get the
following in the log:

imaps[27170]: imaps TLS negotiation failed: [xx.xx.xx.xx]
imaps[27170]: Fatal error: tls_start_servertls() failed




Normal.  It should fail.  993 requires SSL.


Joseph Brennan
Columbia University Information Technology






993 (the port) does not require SSL. The official IANA definition is
"imap4 protocol over TLS/SSL".

Perhaps you're saying that Cyrus-imapd only supports SSL on 993 for some
reason?



Assuming you are running imapd -s on port 993, from the man page for 
imapd:


-s Serve IMAP over SSL (imaps).  All data to and from imapd is
encrypted using the Secure Sockets Layer.












Yes, those are the words on the man page. I am reluctant to simply
accept that as true because:

1. The man page does not say anything about TLS. It is difficult to draw
conclusions from lack of documentation. You might assume that it does
not support TLS at all, but it definitely does. I have seen a number of
cases where software documentation has not been updated to reflect TLS
(vs. SSL).

2. The error message ("imaps TLS negotiation failed") implies that
cyrus-imapd is trying to support TLS and failing. If it supported only
SSL, it would presumably not try TLS.



What IMAP client are you using? Sounds like you are trying to use 
STARTTLS.


http://sial.org/howto/openssl/tls-name/













Patrick,

I use Mozilla Thunderbird.




Re: TLS fails on imaps port

2010-01-25 Thread Bob Dye

Andrew Morgan wrote:

On Sat, 23 Jan 2010, Bob Dye wrote:


I'm running Cyrus-imapd 2.3.7 on a Redhat Enterprise Linux 5 system.

TLS works fine if I connect to the imap port (143). If I try to 
connect instead via the imaps port (993), the attempt times out and I 
get the following in the log:


imaps[27170]: imaps TLS negotiation failed: [xx.xx.xx.xx]
imaps[27170]: Fatal error: tls_start_servertls() failed

Any ideas?


Try the command line openssl client and see if it can negotiate 
SSL/TLS. Something like this:


  openssl s_client -connect your_server_dns_name:993 -CApath /etc/ssl/certs


CApath should be the path to your local CA certificates directory, 
/etc/ssl/certs on Debian Linux.  You could also add -debug to get a 
hex dump of the traffic.


Can you post your imapd.conf file (sanitized)?

Andy

The openssl client connects successfully with TLSv1, AES256-SHA cipher, and

* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=DIGEST-MD5 
AUTH=CRAM-MD5 SASL-IR] netserver.vintagefactor.com Cyrus IMAP4 
v2.3.7-Invoca-RPM-2.3.7-7.el5_4.3 server ready


I have a very standard imap.conf except for the use of SQL:

configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus root
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_log_level: 10
sasl_mech_list: PLAIN CRAM-MD5 DIGEST-MD5
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sql
sasl_sql_engine: mysql
sasl_auto_transition: no
sasl_sql_hostnames: mail-db.vintagefactor.com
sasl_sql_user: mail
sasl_sql_passwd: 
sasl_sql_database: mail
sasl_sql_statement: SELECT password FROM accountuser WHERE username = '%u'
allowplaintext: yes
unixhierarchysep: yes
tls_require_cert: false
tls_imap_require_cert: true
tls_cert_file: /usr/share/ssl/certs/xxx.crt
tls_key_file: /usr/share/ssl/private/xxx.key
tls_ca_file: /usr/share/ssl/xxx.crt





Re: TLS fails on imaps port

2010-01-25 Thread Bob Dye

Patrick Boutilier wrote:

On 01/24/2010 10:39 AM, Bob Dye wrote:
  

Joseph Brennan wrote:


--On Saturday, January 23, 2010 4:54 PM -0800 Bob Dye wrote:


  

I'm running Cyrus-imapd 2.3.7 on a Redhat Enterprise Linux 5 system.

TLS works fine if I connect to the imap port (143). If I try to connect
instead via the imaps port (993), the attempt times out and I get the
following in the log:

imaps[27170]: imaps TLS negotiation failed: [xx.xx.xx.xx]
imaps[27170]: Fatal error: tls_start_servertls() failed




Normal.  It should fail.  993 requires SSL.


Joseph Brennan
Columbia University Information Technology




993 (the port) does not require SSL. The official IANA definition is
"imap4 protocol over TLS/SSL".

Perhaps you're saying that Cyrus-imapd only supports SSL on 993 for some
reason?



Assuming you are running imapd -s on port 993, from the man page for imapd:

-s Serve IMAP over SSL (imaps).  All data to and from imapd is 
encrypted using the Secure Sockets Layer.





  





Yes, those are the words on the man page. I am reluctant to simply 
accept that as true because:


1. The man page does not say anything about TLS. It is difficult to draw 
conclusions from lack of documentation. You might assume that it does 
not support TLS at all, but it definitely does. I have seen a number of 
cases where software documentation has not been updated to reflect TLS 
(vs. SSL).


2. The error message ("imaps TLS negotiation failed") implies that 
cyrus-imapd is trying to support TLS and failing. If it supported only 
SSL, it would presumably not try TLS.





Re: TLS fails on imaps port

2010-01-24 Thread Bob Dye

Joseph Brennan wrote:
--On Saturday, January 23, 2010 4:54 PM -0800 Bob Dye wrote:


  

I'm running Cyrus-imapd 2.3.7 on a Redhat Enterprise Linux 5 system.

TLS works fine if I connect to the imap port (143). If I try to connect
instead via the imaps port (993), the attempt times out and I get the
following in the log:

imaps[27170]: imaps TLS negotiation failed: [xx.xx.xx.xx]
imaps[27170]: Fatal error: tls_start_servertls() failed





Normal.  It should fail.  993 requires SSL.


Joseph Brennan
Columbia University Information Technology



993 (the port) does not require SSL. The official IANA definition is 
"imap4 protocol over TLS/SSL".


Perhaps you're saying that Cyrus-imapd only supports SSL on 993 for some 
reason?





TLS fails on imaps port

2010-01-23 Thread Bob Dye

I'm running Cyrus-imapd 2.3.7 on a Redhat Enterprise Linux 5 system.

TLS works fine if I connect to the imap port (143). If I try to connect 
instead via the imaps port (993), the attempt times out and I get the 
following in the log:


imaps[27170]: imaps TLS negotiation failed: [xx.xx.xx.xx]
imaps[27170]: Fatal error: tls_start_servertls() failed

Any ideas?


