Re: TLS fails on imaps port
Vincent Fox wrote:

> Bob Dye wrote:
>> But it does seem odd that it supports STARTTLS on 143 but not 993.
>
> This is not odd, this is working as specified.

Indeed.

> TLS is enabling encryption on a connection that has started without it.

Maybe people would be less confused if TLS were only used to mean the more secure socket-layer encryption which succeeded SSL, and upgrading from unencrypted to encrypted during an existing session were only referred to as STARTTLS. That seems to have been the cause of confusion in this thread.

> There's a cogent argument that 993 should be deprecated as the vestige of stunnel days that it is.

I'd caution against that. Around here the convention is that user-facing front-ends listen _only_ on 993 in order to prevent users attempting to send their credentials over insecure connections.

Duncan

-- 
Duncan Gibb - Technical Director
Sirius Corporation plc - control through freedom
http://www.siriusit.co.uk/ || t: +44 870 608 0063
Debian Cyrus Team - https://alioth.debian.org/projects/pkg-cyrus-imapd/

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: TLS fails on imaps port
Patrick Boutilier wrote:
> On 01/24/2010 10:39 AM, Bob Dye wrote:
>> Joseph Brennan wrote:
>>> --On Saturday, January 23, 2010 4:54 PM -0800 Bob Dye <bob...@vintagefactor.com> wrote:
>>>
>>>> I'm running Cyrus-imapd 2.3.7 on a Redhat Enterprise Linux 5 system. TLS works fine if I connect to the imap port (143). If I try to connect instead via the imaps port (993), the attempt times out and I get the following in the log:
>>>>
>>>> imaps[27170]: imaps TLS negotiation failed: [xx.xx.xx.xx]
>>>> imaps[27170]: Fatal error: tls_start_servertls() failed
>>>
>>> Normal. It should fail. 993 requires SSL.
>>>
>>> Joseph Brennan
>>> Columbia University Information Technology
>>
>> 993 (the port) does not require SSL. The official IANA definition is "imap4 protocol over TLS/SSL". Perhaps you're saying that Cyrus-imapd only supports SSL on 993 for some reason?
>
> Assuming you are running imapd -s on port 993, from the man page for imapd:
>
>   -s  Serve IMAP over SSL (imaps). All data to and from imapd is encrypted using the Secure Sockets Layer.

Yes, those are the words on the man page. I am reluctant to simply accept that as true because:

1. The man page does not say anything about TLS. It is difficult to draw conclusions from lack of documentation. You might assume that it does not support TLS at all, but it definitely does. I have seen a number of cases where software documentation has not been updated to reflect TLS (vs. SSL).

2. The error message (imaps TLS negotiation failed) implies that cyrus-imapd is trying to support TLS and failing. If it supported only SSL, it would presumably not try TLS.

-- 
Bob Dye
Vintagefactor
http://www.vintagefactor.com/
Re: TLS fails on imaps port
On Sat, 23 Jan 2010, Bob Dye wrote:
> I'm running Cyrus-imapd 2.3.7 on a Redhat Enterprise Linux 5 system. TLS works fine if I connect to the imap port (143). If I try to connect instead via the imaps port (993), the attempt times out and I get the following in the log:
>
> imaps[27170]: imaps TLS negotiation failed: [xx.xx.xx.xx]
> imaps[27170]: Fatal error: tls_start_servertls() failed
>
> Any ideas?

Try the command line openssl client and see if it can negotiate SSL/TLS. Something like this:

  openssl s_client -connect your_server_dns_name:993 -CApath /etc/ssl/certs

CApath should be the path to your local CA certificates directory, /etc/ssl/certs on Debian Linux. You could also add -debug to get a hex dump of the traffic.

Can you post your imapd.conf file (sanitized)?

	Andy
Re: TLS fails on imaps port
On 01/25/2010 11:51 AM, Bob Dye wrote:
> Patrick Boutilier wrote:
>> On 01/24/2010 10:39 AM, Bob Dye wrote:
>>> Joseph Brennan wrote:
>>>> --On Saturday, January 23, 2010 4:54 PM -0800 Bob Dye <bob...@vintagefactor.com> wrote:
>>>>
>>>>> I'm running Cyrus-imapd 2.3.7 on a Redhat Enterprise Linux 5 system. TLS works fine if I connect to the imap port (143). If I try to connect instead via the imaps port (993), the attempt times out and I get the following in the log:
>>>>>
>>>>> imaps[27170]: imaps TLS negotiation failed: [xx.xx.xx.xx]
>>>>> imaps[27170]: Fatal error: tls_start_servertls() failed
>>>>
>>>> Normal. It should fail. 993 requires SSL.
>>>>
>>>> Joseph Brennan
>>>> Columbia University Information Technology
>>>
>>> 993 (the port) does not require SSL. The official IANA definition is "imap4 protocol over TLS/SSL". Perhaps you're saying that Cyrus-imapd only supports SSL on 993 for some reason?
>>
>> Assuming you are running imapd -s on port 993, from the man page for imapd:
>>
>>   -s  Serve IMAP over SSL (imaps). All data to and from imapd is encrypted using the Secure Sockets Layer.
>
> Yes, those are the words on the man page. I am reluctant to simply accept that as true because:
>
> 1. The man page does not say anything about TLS. It is difficult to draw conclusions from lack of documentation. You might assume that it does not support TLS at all, but it definitely does. I have seen a number of cases where software documentation has not been updated to reflect TLS (vs. SSL).
>
> 2. The error message (imaps TLS negotiation failed) implies that cyrus-imapd is trying to support TLS and failing. If it supported only SSL, it would presumably not try TLS.

What IMAP client are you using? Sounds like you are trying to use STARTTLS.

http://sial.org/howto/openssl/tls-name/

> -- 
> Bob Dye
> Vintagefactor
> http://www.vintagefactor.com/
Re: TLS fails on imaps port
On 01/25/2010 01:28 PM, Andrew Morgan wrote:
> On Sat, 23 Jan 2010, Bob Dye wrote:
>> I'm running Cyrus-imapd 2.3.7 on a Redhat Enterprise Linux 5 system. TLS works fine if I connect to the imap port (143). If I try to connect instead via the imaps port (993), the attempt times out and I get the following in the log:
>>
>> imaps[27170]: imaps TLS negotiation failed: [xx.xx.xx.xx]
>> imaps[27170]: Fatal error: tls_start_servertls() failed
>>
>> Any ideas?
>
> Try the command line openssl client and see if it can negotiate SSL/TLS. Something like this:
>
>   openssl s_client -connect your_server_dns_name:993 -CApath /etc/ssl/certs
>
> CApath should be the path to your local CA certificates directory, /etc/ssl/certs on Debian Linux. You could also add -debug to get a hex dump of the traffic.
>
> Can you post your imapd.conf file (sanitized)?

Just for reference, the above error happens when you try STARTTLS on port 993:

  # telnet student.ednet.ns.ca 993
  Trying 142.227.51.32...
  Connected to student.ednet.ns.ca.
  Escape character is '^]'.
  starttls
  * BYE Fatal error: tls_start_servertls() failed
  Connection closed by foreign host.

> 	Andy
Re: TLS fails on imaps port
Andrew Morgan wrote:
> On Sat, 23 Jan 2010, Bob Dye wrote:
>> I'm running Cyrus-imapd 2.3.7 on a Redhat Enterprise Linux 5 system. TLS works fine if I connect to the imap port (143). If I try to connect instead via the imaps port (993), the attempt times out and I get the following in the log:
>>
>> imaps[27170]: imaps TLS negotiation failed: [xx.xx.xx.xx]
>> imaps[27170]: Fatal error: tls_start_servertls() failed
>>
>> Any ideas?
>
> Try the command line openssl client and see if it can negotiate SSL/TLS. Something like this:
>
>   openssl s_client -connect your_server_dns_name:993 -CApath /etc/ssl/certs
>
> CApath should be the path to your local CA certificates directory, /etc/ssl/certs on Debian Linux. You could also add -debug to get a hex dump of the traffic.
>
> Can you post your imapd.conf file (sanitized)?
>
> 	Andy

The openssl client connects successfully with TLSv1, AES256-SHA cipher, and

  * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR] netserver.vintagefactor.com Cyrus IMAP4 v2.3.7-Invoca-RPM-2.3.7-7.el5_4.3 server ready

I have a very standard imap.conf except for the use of SQL:

  configdirectory: /var/lib/imap
  partition-default: /var/spool/imap
  admins: cyrus root
  sievedir: /var/lib/imap/sieve
  sendmail: /usr/sbin/sendmail
  hashimapspool: true
  sasl_log_level: 10
  sasl_mech_list: PLAIN CRAM-MD5 DIGEST-MD5
  sasl_pwcheck_method: auxprop
  sasl_auxprop_plugin: sql
  sasl_sql_engine: mysql
  sasl_auto_transition: no
  sasl_sql_hostnames: mail-db.vintagefactor.com
  sasl_sql_user: mail
  sasl_sql_passwd:
  sasl_sql_database: mail
  sasl_sql_statement: SELECT password FROM accountuser WHERE username = '%u'
  allowplaintext: yes
  unixhierarchysep: yes
  tls_require_cert: false
  tls_imap_require_cert: true
  tls_cert_file: /usr/share/ssl/certs/xxx.crt
  tls_key_file: /usr/share/ssl/private/xxx.key
  tls_ca_file: /usr/share/ssl/xxx.crt

-- 
Bob Dye
Vintagefactor
http://www.vintagefactor.com/
Re: TLS fails on imaps port
Patrick Boutilier wrote:
> On 01/25/2010 11:51 AM, Bob Dye wrote:
>> Patrick Boutilier wrote:
>>> On 01/24/2010 10:39 AM, Bob Dye wrote:
>>>> Joseph Brennan wrote:
>>>>> --On Saturday, January 23, 2010 4:54 PM -0800 Bob Dye <bob...@vintagefactor.com> wrote:
>>>>>
>>>>>> I'm running Cyrus-imapd 2.3.7 on a Redhat Enterprise Linux 5 system. TLS works fine if I connect to the imap port (143). If I try to connect instead via the imaps port (993), the attempt times out and I get the following in the log:
>>>>>>
>>>>>> imaps[27170]: imaps TLS negotiation failed: [xx.xx.xx.xx]
>>>>>> imaps[27170]: Fatal error: tls_start_servertls() failed
>>>>>
>>>>> Normal. It should fail. 993 requires SSL.
>>>>>
>>>>> Joseph Brennan
>>>>> Columbia University Information Technology
>>>>
>>>> 993 (the port) does not require SSL. The official IANA definition is "imap4 protocol over TLS/SSL". Perhaps you're saying that Cyrus-imapd only supports SSL on 993 for some reason?
>>>
>>> Assuming you are running imapd -s on port 993, from the man page for imapd:
>>>
>>>   -s  Serve IMAP over SSL (imaps). All data to and from imapd is encrypted using the Secure Sockets Layer.
>>
>> Yes, those are the words on the man page. I am reluctant to simply accept that as true because:
>>
>> 1. The man page does not say anything about TLS. It is difficult to draw conclusions from lack of documentation. You might assume that it does not support TLS at all, but it definitely does. I have seen a number of cases where software documentation has not been updated to reflect TLS (vs. SSL).
>>
>> 2. The error message (imaps TLS negotiation failed) implies that cyrus-imapd is trying to support TLS and failing. If it supported only SSL, it would presumably not try TLS.
>
> What IMAP client are you using? Sounds like you are trying to use STARTTLS.
>
> http://sial.org/howto/openssl/tls-name/

Patrick, I use Mozilla Thunderbird.

-- 
Bob Dye
Vintagefactor
http://www.vintagefactor.com/
Re: TLS fails on imaps port
On 01/25/2010 02:26 PM, Bob Dye wrote:
> Patrick Boutilier wrote:
>> On 01/25/2010 11:51 AM, Bob Dye wrote:
>>> Patrick Boutilier wrote:
>>>> On 01/24/2010 10:39 AM, Bob Dye wrote:
>>>>> Joseph Brennan wrote:
>>>>>> --On Saturday, January 23, 2010 4:54 PM -0800 Bob Dye <bob...@vintagefactor.com> wrote:
>>>>>>
>>>>>>> I'm running Cyrus-imapd 2.3.7 on a Redhat Enterprise Linux 5 system. TLS works fine if I connect to the imap port (143). If I try to connect instead via the imaps port (993), the attempt times out and I get the following in the log:
>>>>>>>
>>>>>>> imaps[27170]: imaps TLS negotiation failed: [xx.xx.xx.xx]
>>>>>>> imaps[27170]: Fatal error: tls_start_servertls() failed
>>>>>>
>>>>>> Normal. It should fail. 993 requires SSL.
>>>>>>
>>>>>> Joseph Brennan
>>>>>> Columbia University Information Technology
>>>>>
>>>>> 993 (the port) does not require SSL. The official IANA definition is "imap4 protocol over TLS/SSL". Perhaps you're saying that Cyrus-imapd only supports SSL on 993 for some reason?
>>>>
>>>> Assuming you are running imapd -s on port 993, from the man page for imapd:
>>>>
>>>>   -s  Serve IMAP over SSL (imaps). All data to and from imapd is encrypted using the Secure Sockets Layer.
>>>
>>> Yes, those are the words on the man page. I am reluctant to simply accept that as true because:
>>>
>>> 1. The man page does not say anything about TLS. It is difficult to draw conclusions from lack of documentation. You might assume that it does not support TLS at all, but it definitely does. I have seen a number of cases where software documentation has not been updated to reflect TLS (vs. SSL).
>>>
>>> 2. The error message (imaps TLS negotiation failed) implies that cyrus-imapd is trying to support TLS and failing. If it supported only SSL, it would presumably not try TLS.
>>
>> What IMAP client are you using? Sounds like you are trying to use STARTTLS.
>>
>> http://sial.org/howto/openssl/tls-name/
>
> Patrick, I use Mozilla Thunderbird.

Use SSL/TLS instead of STARTTLS for connection security.

> -- 
> Bob Dye
> Vintagefactor
> http://www.vintagefactor.com/
Re: TLS fails on imaps port
Examples:

  [1] openssl s_client -connect mail.columbia.edu:993
  [2] openssl s_client -connect mail.columbia.edu:143 -starttls imap
  [3] openssl s_client -connect mail.columbia.edu:993 -starttls imap

[1] and [2] should work; [3] fails.

The U Wash IMAP server gives the same results.

These alternatives are commonly called ssl and tls, but the actual distinction is whether the starttls command is used to get Transport Layer Security. First described in RFC 2595.

Joseph Brennan
Columbia University Information Technology
Re: TLS fails on imaps port
On Mon, 25 Jan 2010, Bob Dye wrote:
> Andrew Morgan wrote:
>> On Sat, 23 Jan 2010, Bob Dye wrote:
>>> I'm running Cyrus-imapd 2.3.7 on a Redhat Enterprise Linux 5 system. TLS works fine if I connect to the imap port (143). If I try to connect instead via the imaps port (993), the attempt times out and I get the following in the log:
>>>
>>> imaps[27170]: imaps TLS negotiation failed: [xx.xx.xx.xx]
>>> imaps[27170]: Fatal error: tls_start_servertls() failed
>>>
>>> Any ideas?
>>
>> Try the command line openssl client and see if it can negotiate SSL/TLS. Something like this:
>>
>>   openssl s_client -connect your_server_dns_name:993 -CApath /etc/ssl/certs
>>
>> CApath should be the path to your local CA certificates directory, /etc/ssl/certs on Debian Linux. You could also add -debug to get a hex dump of the traffic.
>>
>> Can you post your imapd.conf file (sanitized)?
>>
>> 	Andy
>
> The openssl client connects successfully with TLSv1, AES256-SHA cipher, and
>
>   * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR] netserver.vintagefactor.com Cyrus IMAP4 v2.3.7-Invoca-RPM-2.3.7-7.el5_4.3 server ready
>
> I have a very standard imap.conf except for the use of SQL:
>
>   configdirectory: /var/lib/imap
>   partition-default: /var/spool/imap
>   admins: cyrus root
>   sievedir: /var/lib/imap/sieve
>   sendmail: /usr/sbin/sendmail
>   hashimapspool: true
>   sasl_log_level: 10
>   sasl_mech_list: PLAIN CRAM-MD5 DIGEST-MD5
>   sasl_pwcheck_method: auxprop
>   sasl_auxprop_plugin: sql
>   sasl_sql_engine: mysql
>   sasl_auto_transition: no
>   sasl_sql_hostnames: mail-db.vintagefactor.com
>   sasl_sql_user: mail
>   sasl_sql_passwd:
>   sasl_sql_database: mail
>   sasl_sql_statement: SELECT password FROM accountuser WHERE username = '%u'
>   allowplaintext: yes
>   unixhierarchysep: yes
>   tls_require_cert: false
>   tls_imap_require_cert: true
>   tls_cert_file: /usr/share/ssl/certs/xxx.crt
>   tls_key_file: /usr/share/ssl/private/xxx.key
>   tls_ca_file: /usr/share/ssl/xxx.crt

It sounds like a client configuration problem then. You should choose SSL when connecting to port 993 and TLS when connecting to port 143.

	Andy
Re: TLS fails on imaps port
Andrew Morgan wrote:
> On Mon, 25 Jan 2010, Bob Dye wrote:
>> Andrew Morgan wrote:
>>> On Sat, 23 Jan 2010, Bob Dye wrote:
>>>> I'm running Cyrus-imapd 2.3.7 on a Redhat Enterprise Linux 5 system. TLS works fine if I connect to the imap port (143). If I try to connect instead via the imaps port (993), the attempt times out and I get the following in the log:
>>>>
>>>> imaps[27170]: imaps TLS negotiation failed: [xx.xx.xx.xx]
>>>> imaps[27170]: Fatal error: tls_start_servertls() failed
>>>>
>>>> Any ideas?
>>>
>>> Try the command line openssl client and see if it can negotiate SSL/TLS. Something like this:
>>>
>>>   openssl s_client -connect your_server_dns_name:993 -CApath /etc/ssl/certs
>>>
>>> CApath should be the path to your local CA certificates directory, /etc/ssl/certs on Debian Linux. You could also add -debug to get a hex dump of the traffic.
>>>
>>> Can you post your imapd.conf file (sanitized)?
>>>
>>> 	Andy
>>
>> The openssl client connects successfully with TLSv1, AES256-SHA cipher, and
>>
>>   * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR] netserver.vintagefactor.com Cyrus IMAP4 v2.3.7-Invoca-RPM-2.3.7-7.el5_4.3 server ready
>>
>> I have a very standard imap.conf except for the use of SQL:
>>
>>   configdirectory: /var/lib/imap
>>   partition-default: /var/spool/imap
>>   admins: cyrus root
>>   sievedir: /var/lib/imap/sieve
>>   sendmail: /usr/sbin/sendmail
>>   hashimapspool: true
>>   sasl_log_level: 10
>>   sasl_mech_list: PLAIN CRAM-MD5 DIGEST-MD5
>>   sasl_pwcheck_method: auxprop
>>   sasl_auxprop_plugin: sql
>>   sasl_sql_engine: mysql
>>   sasl_auto_transition: no
>>   sasl_sql_hostnames: mail-db.vintagefactor.com
>>   sasl_sql_user: mail
>>   sasl_sql_passwd:
>>   sasl_sql_database: mail
>>   sasl_sql_statement: SELECT password FROM accountuser WHERE username = '%u'
>>   allowplaintext: yes
>>   unixhierarchysep: yes
>>   tls_require_cert: false
>>   tls_imap_require_cert: true
>>   tls_cert_file: /usr/share/ssl/certs/xxx.crt
>>   tls_key_file: /usr/share/ssl/private/xxx.key
>>   tls_ca_file: /usr/share/ssl/xxx.crt
>
> It sounds like a client configuration problem then. You should choose SSL when connecting to port 993 and TLS when connecting to port 143.
>
> 	Andy

OK. Thanks. But it does seem odd that it supports STARTTLS on 143 but not 993.

-- 
Bob Dye
Vintagefactor
P.O. Box 852
St. Helena, CA 94574-0852
Cell: 707.738.9919
Tel: 707.963.6045
Fax: 707.967.5578
http://www.vintagefactor.com/
Re: TLS fails on imaps port
On Mon, 25 Jan 2010, Bob Dye wrote:
> OK. Thanks. But it does seem odd that it supports STARTTLS on 143 but not 993.

The IMAP command STARTTLS is only offered by the server when the connection is currently unencrypted, such as when you first connect to port 143. Port 993 is an SSL port, so by the time you see the CAPABILITY string from the server, SSL negotiation has already happened.

	Andy
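As an added example that is not part of the thread or of Cyrus, the Python below puts Andy's rule, Joseph Brennan's three openssl cases and Patrick's telnet demonstration into client-side code: pick implicit TLS for 993 and STARTTLS for 143, and read the greeting's CAPABILITY list the way the thread does. The port-993 greeting is the one Bob posted; the two port-143 greetings, the host name and the finding texts are constructed for illustration.

```python
import imaplib
import re
import ssl

# Greeting Bob Dye posted for port 993: the TLS handshake is already done,
# so no STARTTLS appears in the capability list (nothing is left to upgrade).
GREETING_993 = (
    "* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=DIGEST-MD5 "
    "AUTH=CRAM-MD5 SASL-IR] netserver.vintagefactor.com Cyrus IMAP4 "
    "v2.3.7-Invoca-RPM-2.3.7-7.el5_4.3 server ready"
)
# Constructed: a cleartext port 143 that offers the upgrade and withholds
# LOGIN and plaintext SASL until it has happened.
GREETING_143_SAFE = (
    "* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS LOGINDISABLED "
    "AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR] mail.example.invalid server ready"
)
# Constructed: a port 143 that takes passwords in the clear before any
# upgrade, the shape that `allowplaintext: yes` permits.
GREETING_143_WEAK = (
    "* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN "
    "SASL-IR] mail.example.invalid server ready"
)

_CAP_RE = re.compile(r"\* OK \[CAPABILITY ([^\]]+)\]")


def parse_capabilities(greeting):
    """Return the set of tokens inside the greeting's [CAPABILITY ...]."""
    m = _CAP_RE.match(greeting)
    return set(m.group(1).split()) if m else set()


def choose_transport(port, requested):
    """Andy's rule: 993 is TLS before the first IMAP byte, 143 upgrades.

    Sending STARTTLS on 993 is what produced the thread's
    '* BYE Fatal error: tls_start_servertls() failed'.
    """
    if port == 993:
        if requested != "implicit":
            raise ValueError("port 993 is TLS from the first byte; pick "
                             "implicit TLS (Thunderbird: SSL/TLS), not STARTTLS")
        return "implicit"
    if port == 143:
        if requested != "starttls":
            raise ValueError("port 143 starts in cleartext; pick STARTTLS")
        return "starttls"
    raise ValueError("unexpected IMAP port %d" % port)


def assess_greeting(port, greeting):
    """Findings a defender wants from the greeting seen on a given port."""
    caps = parse_capabilities(greeting)
    findings = []
    if port == 993 and "STARTTLS" in caps:
        findings.append("STARTTLS advertised inside an encrypted session")
    if port == 143:
        if "STARTTLS" not in caps:
            findings.append("cleartext port offers no STARTTLS upgrade")
        if "LOGINDISABLED" not in caps:
            findings.append("LOGIN accepted before TLS")
        clear = sorted({"AUTH=PLAIN", "AUTH=LOGIN"} & caps)
        if clear:
            findings.append("plaintext SASL before TLS: " + ", ".join(clear))
    return findings


def connect(host, port, requested):
    """Open an imaplib session the right way for the port (needs a network)."""
    ctx = ssl.create_default_context()      # verifies the server certificate
    if choose_transport(port, requested) == "implicit":
        return imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    conn = imaplib.IMAP4(host, port)        # cleartext until upgraded
    conn.starttls(ssl_context=ctx)          # upgrade before any credentials
    return conn
```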
Re: TLS fails on imaps port
On 01/25/2010 07:12 PM, Andrew Morgan wrote:
> On Mon, 25 Jan 2010, Bob Dye wrote:
>> OK. Thanks. But it does seem odd that it supports STARTTLS on 143 but not 993.
>
> The IMAP command STARTTLS is only offered by the server when the connection is currently unencrypted, such as when you first connect to port 143. Port 993 is an SSL port, so by the time you see the CAPABILITY string from the server, SSL negotiation has already happened.

Right, which is explained at http://sial.org/howto/openssl/tls-name/

> 	Andy
Re: TLS fails on imaps port
Bob Dye wrote:
> But it does seem odd that it supports STARTTLS on 143 but not 993.

This is not odd, this is working as specified. TLS is enabling encryption on a connection that has started without it.

There's a cogent argument that 993 should be deprecated as the vestige of stunnel days that it is.
Re: TLS fails on imaps port
Joseph Brennan wrote:
> --On Saturday, January 23, 2010 4:54 PM -0800 Bob Dye <bob...@vintagefactor.com> wrote:
>
>> I'm running Cyrus-imapd 2.3.7 on a Redhat Enterprise Linux 5 system. TLS works fine if I connect to the imap port (143). If I try to connect instead via the imaps port (993), the attempt times out and I get the following in the log:
>>
>> imaps[27170]: imaps TLS negotiation failed: [xx.xx.xx.xx]
>> imaps[27170]: Fatal error: tls_start_servertls() failed
>
> Normal. It should fail. 993 requires SSL.
>
> Joseph Brennan
> Columbia University Information Technology

993 (the port) does not require SSL. The official IANA definition is "imap4 protocol over TLS/SSL". Perhaps you're saying that Cyrus-imapd only supports SSL on 993 for some reason?

-- 
Bob Dye
Vintagefactor
http://www.vintagefactor.com/
Re: TLS fails on imaps port
On 01/24/2010 10:39 AM, Bob Dye wrote:
> Joseph Brennan wrote:
>> --On Saturday, January 23, 2010 4:54 PM -0800 Bob Dye <bob...@vintagefactor.com> wrote:
>>
>>> I'm running Cyrus-imapd 2.3.7 on a Redhat Enterprise Linux 5 system. TLS works fine if I connect to the imap port (143). If I try to connect instead via the imaps port (993), the attempt times out and I get the following in the log:
>>>
>>> imaps[27170]: imaps TLS negotiation failed: [xx.xx.xx.xx]
>>> imaps[27170]: Fatal error: tls_start_servertls() failed
>>
>> Normal. It should fail. 993 requires SSL.
>>
>> Joseph Brennan
>> Columbia University Information Technology
>
> 993 (the port) does not require SSL. The official IANA definition is "imap4 protocol over TLS/SSL". Perhaps you're saying that Cyrus-imapd only supports SSL on 993 for some reason?

Assuming you are running imapd -s on port 993, from the man page for imapd:

  -s  Serve IMAP over SSL (imaps). All data to and from imapd is encrypted using the Secure Sockets Layer.

> -- 
> Bob Dye
> Vintagefactor
> http://www.vintagefactor.com/
Re: TLS fails on imaps port
--On Saturday, January 23, 2010 4:54 PM -0800 Bob Dye <bob...@vintagefactor.com> wrote:

> I'm running Cyrus-imapd 2.3.7 on a Redhat Enterprise Linux 5 system. TLS works fine if I connect to the imap port (143). If I try to connect instead via the imaps port (993), the attempt times out and I get the following in the log:
>
> imaps[27170]: imaps TLS negotiation failed: [xx.xx.xx.xx]
> imaps[27170]: Fatal error: tls_start_servertls() failed

Normal. It should fail. 993 requires SSL.

Joseph Brennan
Columbia University Information Technology