Re: STARTTLS available?
Marten Lehmann wrote:
> Hello,
>
>> Good, now show us your imapd.conf and any tls errors that appear in your log.
>
> configdirectory: /cyrus/config
> partition-default: /cyrus/spool
> admins: cyrus
> sievedir: /cyrus/config/sieve
> sendmail: /usr/sbin/sendmail
> altnamespace: true
> hashimapspool: true
> unixhierarchysep: true
> virtdomains: userid
> allowusermoves: true
> sasl_pwcheck_method: getpwent auxprop saslauthd
> sasl_mech_list: PLAIN
> servername: test
> imaps_tls_cert_file: /cyrus/certs/imap.crt
> imaps_tls_key_file: /cyrus/certs/imap.key
> pop3s_tls_cert_file: /cyrus/certs/pop3.crt
> pop3s_tls_key_file: /cyrus/certs/pop3.key
> lmtp_over_quota_perm_failure: true
> munge8bit: true
> username_tolower: true

You have not configured tls_cert_file or tls_key_file, only TLS for the imaps (normally port 993) and pop3s (normally port 995) services.

> There are no tls errors as TLS is working fine. Remember: pop3s is running with SSL on port 995 all the time, same with imaps on port 993, whereas pop3 on port 110 and imap on port 143 are usually not encrypted. But with STARTTLS you can encrypt the session while still connecting to port 110/143, while you usually have to connect to the special ports to get encrypted connections. However, the server must show that it supports STARTTLS by mentioning it in the CAPABILITIES list, otherwise clients won't try to use it.

Configure tls_cert_file and tls_key_file, which will be shared by imap, imaps, pop3, and pop3s by default. Unless you have a compelling reason for offering different certificates, delete your (imaps|pop3s)_tls_* entries from imapd.conf. When you enable these services in cyrus.conf, they will use the key/cert specified in tls_(key|cert)_file, unless overridden with the prefix of the service name used in cyrus.conf, as you have done.

Remember, imaps and pop3s (started with -s) do not use or offer STARTTLS, and configuration settings applied to them will have no effect on the standard imap or pop3 services.
Cyrus Home Page: http://cyrusimap.web.cmu.edu/ Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: STARTTLS available?
Hello,

> Good, now show us your imapd.conf and any tls errors that appear in your log.

configdirectory: /cyrus/config
partition-default: /cyrus/spool
admins: cyrus
sievedir: /cyrus/config/sieve
sendmail: /usr/sbin/sendmail
altnamespace: true
hashimapspool: true
unixhierarchysep: true
virtdomains: userid
allowusermoves: true
sasl_pwcheck_method: getpwent auxprop saslauthd
sasl_mech_list: PLAIN
servername: test
imaps_tls_cert_file: /cyrus/certs/imap.crt
imaps_tls_key_file: /cyrus/certs/imap.key
pop3s_tls_cert_file: /cyrus/certs/pop3.crt
pop3s_tls_key_file: /cyrus/certs/pop3.key
lmtp_over_quota_perm_failure: true
munge8bit: true
username_tolower: true

There are no tls errors as TLS is working fine. Remember: pop3s is running with SSL on port 995 all the time, same with imaps on port 993, whereas pop3 on port 110 and imap on port 143 are usually not encrypted. But with STARTTLS you can encrypt the session while still connecting to port 110/143, while you usually have to connect to the special ports to get encrypted connections. However, the server must show that it supports STARTTLS by mentioning it in the CAPABILITIES list, otherwise clients won't try to use it.

Regards
Marten
Re: STARTTLS available?
Marten Lehmann wrote:
> Hello,
>
>> So, as Andreas indicated, configuring TLS should be enough to offer STARTTLS. The only configuration I needed to do was to add something like this to imapd.conf (Cyrus-IMAPD 2.3.7):
>
> Again: TLS/SSL works! But Cyrus doesn't offer STARTTLS (using cyrus-imapd-2.2.12-3.RHEL4.1).
>
> $ telnet imap 143
> Trying 1.2.3.4...
> Connected to imap (1.2.3.4).
> Escape character is '^]'.
> * OK imap Cyrus IMAP4 v2.2.12-Invoca-RPM-2.2.12-3.RHEL4.1 server ready
> x capability
> * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE

Good, now show us your imapd.conf and any tls errors that appear in your log.
Re: STARTTLS available?
Hello,

> So, as Andreas indicated, configuring TLS should be enough to offer STARTTLS. The only configuration I needed to do was to add something like this to imapd.conf (Cyrus-IMAPD 2.3.7):

Again: TLS/SSL works! But Cyrus doesn't offer STARTTLS (using cyrus-imapd-2.2.12-3.RHEL4.1).

$ telnet imap 143
Trying 1.2.3.4...
Connected to imap (1.2.3.4).
Escape character is '^]'.
* OK imap Cyrus IMAP4 v2.2.12-Invoca-RPM-2.2.12-3.RHEL4.1 server ready
x capability
* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE
x OK Completed
x logout
* BYE LOGOUT received
x OK Completed
Connection closed by foreign host.

$ telnet pop3 110
Trying 1.2.3.4...
Connected to pop3 (1.2.3.4).
Escape character is '^]'.
+OK imap Cyrus POP3 v2.2.12-Invoca-RPM-2.2.12-3.RHEL4.1 server ready <[EMAIL PROTECTED]>
capa
+OK List of capabilities follows
EXPIRE NEVER
LOGIN-DELAY 0
TOP
UIDL
PIPELINING
RESP-CODES
AUTH-RESP-CODE
USER
IMPLEMENTATION Cyrus POP3 server v2.2.12-Invoca-RPM-2.2.12-3.RHEL4.1
.
quit
+OK
Connection closed by foreign host.

Regards
Marten
Re: STARTTLS available?
Marten Lehmann wrote:
> Hello,
>
>> Configure TLS. "man imapd.conf", ./doc/(text/)install-configure(.html), ...
>
> I already have TLS (or rather SSL) on separate ports! But STARTTLS is an extension so you can use SSL through the common pop3 or imap port (not the special SSL one), because with STARTTLS you can open an SSL connection within the common pop3 or imap session. I haven't found an option to enable the STARTTLS extension.

There is no explicit on/off toggle for TLS. From the imapd.conf man page:

tls_cert_file: File containing the certificate presented for server authentication during STARTTLS. A value of "disabled" will disable SSL/TLS.

tls_key_file: File containing the private key belonging to the server certificate. A value of "disabled" will disable SSL/TLS.

So, as Andreas indicated, configuring TLS should be enough to offer STARTTLS. The only configuration I needed to do was to add something like this to imapd.conf (Cyrus-IMAPD 2.3.7):

# TLS
tls_cert_file: /etc/ssl/certs/imap.crt
tls_key_file: /etc/ssl/certs/imap.key
tls_ca_file: /etc/ssl/certs/ca-bundle.crt

This assumes that Cyrus IMAPD was compiled with openssl support (the default) and that you haven't somehow overridden the defaults with further configuration. It's possible that some distros divide Cyrus IMAPD into several smaller packages, so if you're using a package-based system, be sure you've installed everything you need.

I compile Cyrus IMAPD from source, and it includes a nice utility called imtest that allows you to interact directly with an IMAP server even if it uses STARTTLS or the imaps port. Therefore, it's a lot more convenient than telnet. I recommend installing it if you don't have it.

Now you need to prove that you have properly configured TLS:

imtest -a marten mail.example.com

Some servers will include the CAPABILITY in the banner, but imtest will also issue the CAPABILITY command. Look for STARTTLS in the list. If it's not there, you need to check your installation or configuration.

For more help from this list, you should include your imapd.conf and any relevant errors from your log.

To close the imtest session, type:

. logout

You can also test your imaps configuration:

imtest -a marten -s mail.example.com

This will *not* offer STARTTLS, as the connection is already encrypted.
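The check this post describes (connect to the clear-text port, read CAPABILITY or CAPA, look for STARTTLS or STLS, and only then upgrade the session) as an added Python example. It is not code from the thread or from the Cyrus project. The offline helpers run on the CAPABILITY and CAPA responses quoted elsewhere in the thread, plus one constructed pair showing the shape of the responses once STARTTLS is offered. The live functions assume a reachable server on ports 143/110 whose certificate chains to the client's trust store; mail.example.com is the same placeholder hostname the post uses.

```python
# Added example for this thread: not Cyrus code and not from any poster.
# Parsing helpers run offline on responses quoted in the thread; the live
# checks assume a reachable server whose certificate the client trusts.
import imaplib
import poplib
import ssl
from contextlib import suppress

# Captured in the thread: Cyrus 2.2.12 with only imaps_/pop3s_ certs set,
# so neither STARTTLS (IMAP) nor STLS (POP3) is advertised.
IMAP_CAPABILITY_NO_TLS = (
    "* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS "
    "NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND "
    "BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE "
    "LISTEXT LIST-SUBSCRIBED X-NETSCAPE"
)
POP3_CAPA_NO_TLS = """+OK List of capabilities follows
EXPIRE NEVER
LOGIN-DELAY 0
TOP
UIDL
PIPELINING
RESP-CODES
AUTH-RESP-CODE
USER
IMPLEMENTATION Cyrus POP3 server v2.2.12-Invoca-RPM-2.2.12-3.RHEL4.1
."""
# Constructed, not captured: what the answers look like once tls_cert_file
# and tls_key_file are set (capability names per RFC 2595).
IMAP_CAPABILITY_TLS = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN IDLE"
POP3_CAPA_TLS = "+OK List of capabilities follows\nTOP\nUIDL\nSTLS\nSASL PLAIN\n."


def imap_offers_starttls(capability_line):
    """True if an untagged CAPABILITY response (RFC 3501) lists STARTTLS."""
    tokens = capability_line.strip().split()
    if len(tokens) < 2 or tokens[0] != "*" or tokens[1].upper() != "CAPABILITY":
        raise ValueError("not an untagged CAPABILITY response: %r" % capability_line)
    return any(tok.upper() == "STARTTLS" for tok in tokens[2:])


def parse_pop3_capa(raw):
    """Capability lines of a raw CAPA reply, minus the +OK line and final '.'."""
    lines = raw.splitlines()
    if not lines or not lines[0].startswith("+OK"):
        raise ValueError("CAPA not accepted: %r" % lines[:1])
    caps = []
    for line in lines[1:]:
        if line == ".":          # multi-line response terminator
            break
        if line.startswith(".."):  # undo RFC 1939 dot-stuffing
            line = line[1:]
        if line.strip():
            caps.append(line.strip())
    return caps


def pop3_offers_stls(capa_lines):
    """True if the CAPA list contains STLS, the POP3 name for STARTTLS."""
    return any(line.split()[0].upper() == "STLS" for line in capa_lines)


def check_imap_starttls(host, port=143, timeout=10.0):
    """Live check: read CAPABILITY in clear; if STARTTLS is offered, upgrade
    with chain and hostname verification. No credentials are ever sent."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    conn = imaplib.IMAP4(host, port, timeout=timeout)
    try:
        advertised = "STARTTLS" in conn.capabilities  # fetched at connect
        version = None
        if advertised:
            conn.starttls(ssl_context=ctx)
            version = conn.sock.version()  # e.g. 'TLSv1.3'
        return {"advertised": advertised, "tls": version, "caps": list(conn.capabilities)}
    finally:
        with suppress(Exception):  # do not mask a handshake failure above
            conn.logout()


def check_pop3_stls(host, port=110, timeout=10.0):
    """Same check for POP3: CAPA, then STLS if advertised."""
    ctx = ssl.create_default_context()
    conn = poplib.POP3(host, port, timeout=timeout)
    try:
        caps = conn.capa()  # dict name -> args; error_proto if CAPA unsupported
        advertised = any(name.upper() == "STLS" for name in caps)
        version = None
        if advertised:
            conn.stls(context=ctx)
            version = conn.sock.version()
        return {"advertised": advertised, "tls": version, "caps": sorted(caps)}
    finally:
        with suppress(Exception):
            conn.quit()
```

Against a server in the state shown in the telnet transcripts, check_imap_starttls("mail.example.com") returns "advertised": False and "tls": None without ever upgrading or authenticating, which is exactly what a STARTTLS-configured mail client sees; once tls_cert_file and tls_key_file are set it returns the negotiated protocol version, and a certificate or hostname mismatch surfaces as an ssl.SSLError rather than a silent fallback. The imaps/pop3s ports are deliberately not covered here because, as the post says, they never offer STARTTLS; imtest -s is the tool for those.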
Re: STARTTLS available?
>> Configure TLS. "man imapd.conf", ./doc/(text/)install-configure(.html), ...
>
> I already have TLS (or rather SSL) on separate ports! But STARTTLS is an extension so you can use SSL through the common pop3 or imap port (not the special SSL one), because with STARTTLS you can open an SSL connection within the common pop3 or imap session. I haven't found an option to enable the STARTTLS extension.

Then it is ON. TLS is supported in Cyrus IMAP. Try it with Thunderbird, set your encryption to TLS.

Nix.
Re: STARTTLS available?
Hello,

> Configure TLS. "man imapd.conf", ./doc/(text/)install-configure(.html), ...

I already have TLS (or rather SSL) on separate ports! But STARTTLS is an extension so you can use SSL through the common pop3 or imap port (not the special SSL one), because with STARTTLS you can open an SSL connection within the common pop3 or imap session. I haven't found an option to enable the STARTTLS extension.

Regards
Marten
Re: STARTTLS available?
On Saturday 21 October 2006 19:08, Marten Lehmann wrote:
> I have some users that are used to using POP3 and IMAP with STARTTLS. It was available in dovecot but it doesn't seem to be available in Cyrus by default. Can it be enabled somehow? Or isn't it implemented for certain reasons?

Configure TLS. "man imapd.conf", ./doc/(text/)install-configure(.html), ...

-- 
Andreas