Re: is TLS/SSL selection/connection ONLY via port 993?
hi again,

> > but, why is "imapd -s is for IMAP connections that are externally wrapped
> > by SSL" --> considered "BAD"?
>
> Because TLS allows one to select which certificate to present, and SSL
> doesn't.

aha.

> SSLv2 should not be used at all if you can help it

gone.

> > i presume, then, that SSLvX *starts* encrypted ... hence the port 993.
> > true?
>
> Yes.

it's actually starting to make sense =)

> > > BTW add this to imapd.conf:
> > > tls_cipher_list: ALL:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
>
> Actually, ALL:!aNULL:!NULL:!EXPORT:!DES:!LOW:@STRENGTH is even better; I
> did some extra reading.
>
> > tls_cipher_list: TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
> >
> > i _thought_ the !ADH is there by default ... and i see no reason NOT to
> > explicitly include (ALL) the high/med grade ciphers.
>
> It is not. TLSv1 will include it... so you need either !ADH or !aNULL (the
> latter is better). Try openssl ciphers -v, and you'll see.

got it. cryptic, but with a little staring ... clear.

thx! it's working perfectly now ... on to the next step.

best,

richard

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: is TLS/SSL selection/connection ONLY via port 993?
On Mon, 15 Nov 2004, OpenMacNews wrote:
> but, why is "imapd -s is for IMAP connections that are externally wrapped
> by SSL" --> considered "BAD"?

Because TLS allows one to select which certificate to present, and SSL
doesn't. SSLv3 is pretty much as good as TLSv1 otherwise (but I gather that
TLSv1 has a better method to setup the shared symmetrical key).

SSLv2 should not be used at all if you can help it, it has even more
weaknesses, to the point that TLS servers will effectively deny SSLv2
connections to anything they detect to support TLS :). SSLv1 is an
absolute no.

> i presume, then, that SSLvX *starts* encrypted ... hence the port 993.
> true?

Yes.

> > BTW add this to imapd.conf:
> > tls_cipher_list: ALL:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH

Actually, ALL:!aNULL:!NULL:!EXPORT:!DES:!LOW:@STRENGTH is even better; I
did some extra reading.

> tls_cipher_list: TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
>
> i _thought_ the !ADH is there by default ... and i see no reason NOT to
> explicitly include (ALL) the high/med grade ciphers.

It is not. TLSv1 will include it... so you need either !ADH or !aNULL (the
latter is better). Try openssl ciphers -v, and you'll see.

--
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
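The exchange above turns on how OpenSSL expands a cipher string: the protocol keywords (TLSv1, SSLv3) select every suite of that version, anonymous Diffie-Hellman suites included, and only a "!aNULL" or "!ADH" token removes them. The following Python script is an added example, not code from Cyrus or OpenSSL: it implements the documented cipher-list rules (keyword selection, "!" permanent removal, "-" removal, "+" move-to-end, "A+B" intersection, "@STRENGTH" ordering) over a constructed, abbreviated suite table, so you can see the difference between the two strings in this thread without a live OpenSSL. The suite table, its grades and key sizes are constructed for illustration; `openssl ciphers -v '<string>'` gives the real answer for your build.

```python
"""Evaluate an OpenSSL-style cipher string against a small suite table.

Added example, not Cyrus or OpenSSL code. The suite table below is
CONSTRUCTED and abbreviated (names follow OpenSSL 0.9.x conventions);
only the common keyword aliases are modelled.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    proto: str    # protocol version the suite is listed under
    kx: str       # key exchange: RSA or DH
    au: str       # peer authentication; "None" means anonymous
    enc: str      # bulk cipher; "None" means no encryption (eNULL)
    bits: int     # key bits used for @STRENGTH ordering
    grade: str    # LOW / MEDIUM / HIGH
    export: bool = False


SUITES = [
    Suite("DHE-RSA-AES256-SHA", "TLSv1", "DH",  "RSA",  "AES",  256, "HIGH"),
    Suite("AES256-SHA",         "TLSv1", "RSA", "RSA",  "AES",  256, "HIGH"),
    Suite("ADH-AES256-SHA",     "TLSv1", "DH",  "None", "AES",  256, "HIGH"),
    Suite("DHE-RSA-AES128-SHA", "TLSv1", "DH",  "RSA",  "AES",  128, "HIGH"),
    Suite("AES128-SHA",         "TLSv1", "RSA", "RSA",  "AES",  128, "HIGH"),
    Suite("ADH-AES128-SHA",     "TLSv1", "DH",  "None", "AES",  128, "HIGH"),
    Suite("DES-CBC3-SHA",       "SSLv3", "RSA", "RSA",  "3DES", 168, "HIGH"),
    Suite("ADH-DES-CBC3-SHA",   "SSLv3", "DH",  "None", "3DES", 168, "HIGH"),
    Suite("RC4-SHA",            "SSLv3", "RSA", "RSA",  "RC4",  128, "MEDIUM"),
    Suite("RC4-MD5",            "SSLv3", "RSA", "RSA",  "RC4",  128, "MEDIUM"),
    Suite("DES-CBC-SHA",        "SSLv3", "RSA", "RSA",  "DES",   56, "LOW"),
    Suite("EXP-RC4-MD5",        "SSLv3", "RSA", "RSA",  "RC4",   40, "LOW", export=True),
    Suite("NULL-SHA",           "SSLv3", "RSA", "RSA",  "None",   0, "LOW"),
    Suite("DES-CBC3-MD5",       "SSLv2", "RSA", "RSA",  "3DES", 168, "HIGH"),
]


def matches(suite: Suite, word: str) -> bool:
    """Does one cipher-string keyword select this suite? (common aliases only)"""
    w = word.upper()
    if w == "ALL":
        return suite.enc != "None"           # ALL never includes eNULL
    if w in ("NULL", "ENULL"):
        return suite.enc == "None"
    if w == "ANULL":
        return suite.au == "None"            # every anonymous suite
    if w == "ADH":
        return suite.kx == "DH" and suite.au == "None"
    if w == "EXPORT":
        return suite.export
    if w in ("LOW", "MEDIUM", "HIGH"):
        return suite.grade == w
    if w in ("SSLV2", "SSLV3", "TLSV1"):
        return suite.proto.upper() == w
    if w in ("DES", "3DES", "RC4", "AES"):
        return suite.enc.upper() == w        # "DES" does not match 3DES
    return suite.name.upper() == w           # a literal suite name


def evaluate(cipher_string: str, suites=SUITES) -> list:
    """Return the ordered suite names a cipher string selects."""
    selected = []      # current list, in the order suites were added
    killed = set()     # names removed with "!": can never be re-added
    for token in cipher_string.split(":"):
        if not token:
            continue
        if token == "@STRENGTH":
            # stable sort: ties keep their current relative order
            selected.sort(key=lambda s: s.bits, reverse=True)
            continue
        op, word = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hit = [s for s in suites if all(matches(s, w) for w in word.split("+"))]
        if op == "!":
            killed.update(s.name for s in hit)
            selected = [s for s in selected if s.name not in killed]
        elif op == "-":
            selected = [s for s in selected if s not in hit]
        elif op == "+":
            selected = [s for s in selected if s not in hit] + [s for s in selected if s in hit]
        else:
            for s in hit:
                if s.name not in killed and s not in selected:
                    selected.append(s)
    return [s.name for s in selected]


ORIGINAL = "TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"     # richard's setting
SUGGESTED = "ALL:!aNULL:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"     # henrique's suggestion

if __name__ == "__main__":
    for label, cs in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        names = evaluate(cs)
        anon = [n for n in names if n.startswith("ADH-")]
        print(f"{label}: {len(names)} suites, anonymous: {anon or 'none'}")
```

Running it shows the original string still carrying the three ADH suites while the suggested one has none, with both lists ordered strongest-first by @STRENGTH. The "!" prefix matters: "!aNULL:ALL" stays free of anonymous suites, whereas "-aNULL" only removes them until a later keyword adds them back.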
Re: is TLS/SSL selection/connection ONLY via port 993?
hi henrique!

> On Mon, 15 Nov 2004, OpenMacNews wrote:
> > SERVICES {
> >   # imap cmd="imapd" listen="imap" prefork=0
> >   imaps cmd="imapd -s" listen="imaps" prefork=0
>
> That's not what you want.

aha. nice & clear again. thx!

but, why is "imapd -s is for IMAP connections that are externally wrapped
by SSL" --> considered "BAD"?

> TLS starts with plaintext, and goes to encryption early (before any
> sensitive information is exchanged, but *after* important stuff that could
> be useful to select encryption/authentication keys like the server name is
> exchanged).

the 'starts with plaintext' explains why the UNencrypted 'imap' port (vs
'imaps') is used for the TLS connection.

i presume, then, that SSLvX *starts* encrypted ... hence the port 993.
true?

> BTW add this to imapd.conf:
> tls_cipher_list: ALL:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
>
> That will disable all weak ciphers, and leave you with medium grade and
> high grade ciphers. Try openssl cipher -v '' to see what you get. If you
> can get away with it, remove SSLv2 (add !SSLv2 after ALL:) too. man
> ciphers (openssl ciphers) to see how this works.

i actually had:

tls_cipher_list: TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH

i _thought_ the !ADH is there by default ... and i see no reason NOT to
explicitly include (ALL) the high/med grade ciphers.

ok. fair enuf!

> And try to have both sides of the connection authenticated (require client
> certificates with a certification path known to the server).

i already have, setting up my own local CA ... i've just removed the step
from the equation for now while i step-by-step the testing/configuration ...

cheers,

richard
Re: is TLS/SSL selection/connection ONLY via port 993?
On Mon, 15 Nov 2004, OpenMacNews wrote:
> SERVICES {
>   # imap cmd="imapd" listen="imap" prefork=0
>   imaps cmd="imapd -s" listen="imaps" prefork=0

That's not what you want. Enable both services, and configure
sasl_minimum_layer to 128 (or is that 64? I forgot. See the SASL docs for
the correct value).

imapd -s is for IMAP connections that are externally wrapped by SSL (bad).
imapd is for non-encrypted IMAP connections, and IMAP connections that use
TLS (good). sasl_minimum_layer tells Cyrus what you require of the
connection.

> however, if i instead login to with server ==
> mail2.internal.testdomain.com:993 and security == STARTTLS-TLSv1, no
> connection occurs, and the attempt times out after the tls_session_timeout
> (60 seconds).

Because you effectively connected without SSL to a SSL port. TLS starts
with plaintext, and goes to encryption early (before any sensitive
information is exchanged, but *after* important stuff that could be useful
to select encryption/authentication keys like the server name is
exchanged).

BTW add this to imapd.conf:

tls_cipher_list: ALL:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH

That will disable all weak ciphers, and leave you with medium grade and
high grade ciphers. Try openssl cipher -v '' to see what you get. If you
can get away with it, remove SSLv2 (add !SSLv2 after ALL:) too. man ciphers
(openssl ciphers) to see how this works.

And try to have both sides of the connection authenticated (require client
certificates with a certification path known to the server).

--
  Henrique Holschuh
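The "connected without SSL to a SSL port" explanation comes down to who is expected to speak first. On the imaps service (imapd -s) the server says nothing until it sees a TLS record; on the imap service the server sends a plaintext greeting and the client asks for an upgrade with STARTTLS. A STARTTLS client on port 993 therefore waits for a greeting that never comes, the server waits for a ClientHello that never comes, and the connection sits there until tls_session_timeout expires. The following Python simulation is an added example, not Cyrus, Mulberry or OpenSSL code: a socketpair stands in for the TCP connection, one thread plays the server in "imap" or "imaps" mode, and the client is run with the three security settings from the original question. There is no real TLS here; CLIENT_HELLO is a constructed record-header stub and b"SERVER-HELLO" a constructed reply, and the half-second timeout stands in for the 60-second tls_session_timeout. The one case the model does not reproduce is "SSLv3 on 143 works": a client that genuinely wraps the whole connection in SSL gets the plaintext greeting back and fails, so whatever Mulberry did in that mode, it was not a straight SSL wrap.

```python
"""Who speaks first on IMAP port 143 (imapd, STARTTLS) vs 993 (imapd -s).

Added example, not Cyrus/Mulberry/OpenSSL code.  No real TLS is performed:
CLIENT_HELLO and b"SERVER-HELLO" are constructed stand-ins for the
handshake, and only the ordering of the first exchange is modelled.
"""
import socket
import threading

TLS_HANDSHAKE = 0x16   # content type of a TLS/SSLv3 record that carries a handshake
# constructed stub: record header (type 0x16, version 3.1, length 5) + 5 body bytes
CLIENT_HELLO = bytes([TLS_HANDSHAKE, 0x03, 0x01, 0x00, 0x05, 0x01, 0, 0, 0, 0])
GREETING = b"* OK [CAPABILITY IMAP4rev1 STARTTLS] server ready\r\n"
TIMEOUT = 0.5          # seconds; stands in for tls_session_timeout (60 s in the thread)


def serve(sock, mode):
    """mode 'imaps' = imapd -s on 993: wait for a TLS record before saying anything.
       mode 'imap'  = imapd on 143: greet in plaintext, upgrade on STARTTLS."""
    sock.settimeout(TIMEOUT)
    try:
        if mode == "imaps":
            first = sock.recv(1)                       # blocks until the client speaks
            if first and first[0] == TLS_HANDSHAKE:
                sock.recv(4096)                        # rest of the stub ClientHello
                sock.sendall(b"SERVER-HELLO")
            return                                     # anything else: stay silent
        sock.sendall(GREETING)
        line = sock.recv(4096)
        if line.upper().startswith(b"A1 STARTTLS"):
            sock.sendall(b"A1 OK Begin TLS negotiation now\r\n")
            first = sock.recv(4096)
            if first and first[0] == TLS_HANDSHAKE:
                sock.sendall(b"SERVER-HELLO")
    except (socket.timeout, OSError):
        pass                                           # server side of the stall / client gone


def connect(sock, security):
    """Client behaviour for the three settings in the question.
       'SSLv3'    = wrap the whole connection: send ClientHello first.
       'STARTTLS' = read the plaintext greeting, then ask to upgrade.
       'NONE'     = plaintext IMAP: just expect the greeting."""
    sock.settimeout(TIMEOUT)
    try:
        if security == "SSLv3":
            sock.sendall(CLIENT_HELLO)
            return sock.recv(4096) == b"SERVER-HELLO"  # plaintext greeting here = failure
        greeting = sock.recv(4096)                     # on 993 this is where the client hangs
        if not greeting.startswith(b"* OK"):
            return False
        if security == "NONE":
            return True
        sock.sendall(b"A1 STARTTLS\r\n")
        if not sock.recv(4096).startswith(b"A1 OK"):
            return False
        sock.sendall(CLIENT_HELLO)
        return sock.recv(4096) == b"SERVER-HELLO"
    except socket.timeout:
        return False                                   # "the attempt times out"


def try_login(service, security):
    """Run one client/server pairing over a socketpair; True means the session came up."""
    srv, cli = socket.socketpair()
    worker = threading.Thread(target=serve, args=(srv, service))
    worker.start()
    try:
        return connect(cli, security)
    finally:
        cli.close()
        worker.join()
        srv.close()


def matrix():
    """Reproduce the 'bottom line' table from the question: (service, client security) -> connected?"""
    cases = [("imap", "NONE"), ("imap", "STARTTLS"), ("imap", "SSLv3"),
             ("imaps", "NONE"), ("imaps", "STARTTLS"), ("imaps", "SSLv3")]
    return {case: try_login(*case) for case in cases}


if __name__ == "__main__":
    for (service, security), ok in matrix().items():
        port = 993 if service == "imaps" else 143
        print(f"client to server:{port}, security = {security:8s} --> {'OK' if ok else 'NO CONNECTION'}")
```

Against a real server the same two checks are `openssl s_client -connect host:993` (wrap first) and `openssl s_client -starttls imap -connect host:143` (greeting first, then upgrade); if the first one prints a plaintext "* OK" greeting, or the second hangs, the port is running the wrong service.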
is TLS/SSL selection/connection ONLY via port 993?
hi all,

on a MacOSX 10.3.6 sys with:

  cyrus-imap 2.2.8
  cyrus-sasl 2.1.20

i've a canonical server: testserver.internal.testdomain.com
and a virtual domain: mail2.internal.testdomain.com

i'm currently auth'ing PLAINTEXT via auxprop+sql (MySQL 4.1.7)

i've set up cyrus.conf to LISTEN *only* on the imaps svc (port 993) ...

  SERVICES {
    # imap cmd="imapd" listen="imap" prefork=0
    imaps cmd="imapd -s" listen="imaps" prefork=0
  ...

and, imapd.conf to include:

  ...
  sasl_mech_list: PLAIN LOGIN
  sasl_password_format: crypt
  sasl_minimum_layer: 0
  sasl_maximum_layer: 1024
  ...
  tls_cipher_list: TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
  tls_require_cert: 0
  tls_session_timeout: 60
  ...

using my imap client (mulberry), i can successfully login to an account,
'testuser' in the virtual domain, with server ==
mail2.internal.testdomain.com:993 and security == SSLv3.

however, if i instead login to with server ==
mail2.internal.testdomain.com:993 and security == STARTTLS-TLSv1, no
connection occurs, and the attempt times out after the tls_session_timeout
(60 seconds).

if i then drop back to listen ONLY on imap service, i.e. cyrus.conf:

  ...
  SERVICES {
    imap cmd="imapd" listen="imap" prefork=0
    # imaps cmd="imapd -s" listen="imaps" prefork=0
  ...

i can successfully make connections to port server:143 with security ==
NO SECURITY !!or!! security == STARTTLS-TLSv1 !!or!! security == SSLv3.

i.e., TLS negotiated sessions are occurring over to port 143 -- the 'wrong'
port.

bottom line:

  client to server:143, security = NO SECURITY           --> OK (right)
  client to server:143, security = SSLv3, STARTTLS-TLSv1 --> OK (wrong)
  client to server:993, security = NO SECURITY           --> NO CONNECTION (right)
  client to server:993, security = SSLv3                 --> OK (right)
  client to server:993, security = STARTTLS-TLSv1        --> NO CONNECTION (wrong)

## QUESTION

i don't think this is right, is it? aren't TLS & SSL sessions ONLY supposed
to connect to port 993, and sessions with no-security ONLY to port 143?

or, have i misunderstood how this is supposed to operate?

threads here:

  http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&msg=19483
  http://www.mail-archive.com/info-cyrus@lists.andrew.cmu.edu/msg02411.html

have me suspecting this may be the client ...

thanks,

richard