Hey all,

I just wanted to celebrate the success
of getting my cyrus 2.0.7 installation
configured using SSL and sasldb. My
next project is to get Postfix (which
I've never used before) to deliver
the incoming mail.

Here are my post-install notes to hopefully
help others trying to get 2.0.7 working
and having problems.

Thanks to everyone who helped out (either
by sending me email this time around,
or posting articles in the past that
I looked through on the web archives).

1) signaled to death by 11 seems to be just
a generic error. I encountered it when I
was having DB problems, and I also got it
when I tried to use a partition name with
a "." in it. I imagine that "death by 11"
can be caused by any number of things seeing
as how I got it with these two seemingly
unrelated problems.

2) The error regarding "permission denied"
when imapd tries to open /etc/sasldb means
that the cyrus user does not have read/write
permissions on that file. I'm not sure why
it would need write permission, but the
strace shows imapd opening the file O_RDWR.

3) I recommend using "gdbm" for SASL instead
of the default "berkeley". Using berkeley
just kept confusing things. saslpasswd would
set the users and passwords correctly, but
imapd would be unable to read them. I kept
getting DIGEST-MD5 and CRAM-MD5 complaining
about incompatible versions, and other general
failures any time I would try to authenticate
anyone.

4) Microsoft Outlook Express' "Secure Password
Authentication" doesn't seem to work with cyrus.
It complains about CRAM-MD5 failing and thinks
the server doesn't support any authentication
that my Windows 98 machine has on it.
Anyone got any ideas on this one?

5) I don't understand much about how SSL works,
but I know enough to know that I wanted it and
was trusting the docs to give me the details.
In the install-configure docs it mentions how
to generate the key and certificate and says
how to set tls_cert_file and tls_key_file in
imapd.conf, but it doesn't mention tls_ca_file,
or tls_ca_path. While reading through posts
I found references that mentioned tls_ca_file
and tls_ca_path as being necessary to make SSL
work. I don't believe this is true, but you
will get a "TLS engine: cannot load CA data
message in imapd.conf" message without them.
This error message is not fatal and your
connection will still be secured.

Not realizing this, I set out to eliminate the
error. I'm not sure if I did this completely
right, and would appreciate an explanation of
what it is that I did, and how it affects my
system.

I eventually chose to modify the CA.pl utility
in /usr/ssl/misc that came with openssl and
changed the directory it was looking for from
./demoCA to /var/imap/cyrusCA. I then created
/var/imap/cyrusCA and ran ./CA.pl --newca
I then generated the server.pem file that the
install docs had me make and put it in
/var/imap/cyrusCA/certs. I chowned it all to
the cyrus user and set the tls settings in
imapd.conf as follows:

tls_cert_file: /var/imap/cyrusCA/certs/server.pem
tls_key_file: /var/imap/cyrusCA/certs/server.pem
tls_ca_file: /var/imap/cyrusCA/cacert.pem
tls_ca_path: /var/imap/cyrusCA/

The error message went away, but in testing I
found out that I could comment out the last two
lines and the error message would return, but
I still got a secured connection.

For those of you who think you understand the
OpenSSL stuff, I would appreciate some feedback
on what it is I actually did. I know it works, but
I don't completely understand why.

Any other comments and feedback on this, either
in whole, or just part of the document would
be very welcomed.

Thanks again all,
-- Michael --
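
Added example, not part of the post above and not taken from the Cyrus documentation: a POSIX shell check of the tls_* paths named in an imapd.conf, flagging unreadable files, a CA path that is not a directory, and a key file readable beyond its owner. The function names and the sample tree are constructed for illustration, and treating the two CA options as optional follows what the post reports.

```sh
#!/bin/sh
# Added example (not from the post): check the tls_* paths in an imapd.conf.
# Run it as the cyrus user so the readability tests reflect what imapd sees.

# Print the value of option $2 in config file $1 (first match; a simplification).
conf_get() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# Print one finding per line for config file $1; print nothing if all is well.
check_imapd_tls() {
    conf=$1
    for key in tls_cert_file tls_key_file tls_ca_file tls_ca_path; do
        val=$(conf_get "$conf" "$key")
        if [ -z "$val" ]; then
            # Assumption taken from the post: TLS still works without the CA options.
            case $key in tls_ca_*) ;; *) echo "MISSING $key: not set" ;; esac
        elif [ "$key" = tls_ca_path ]; then
            [ -d "$val" ] || echo "BAD $key: $val is not a directory"
        elif [ ! -f "$val" ] || [ ! -r "$val" ]; then
            echo "BAD $key: $val is not a readable file"
        elif [ "$key" = tls_key_file ] &&
             [ -n "$(find "$val" -prune \( -perm -040 -o -perm -004 \))" ]; then
            # The private key should be readable by its owner only.
            echo "WEAK $key: $val is readable by group or others"
        fi
    done
    return 0
}

# Constructed sample: a throwaway tree with a mode-644 key and a mistyped CA path.
demo() {
    d=$(mktemp -d) && mkdir "$d/certs" || return 1
    : > "$d/certs/server.pem" && chmod 644 "$d/certs/server.pem"
    : > "$d/cacert.pem"
    printf '%s\n' "tls_cert_file: $d/certs/server.pem" \
        "tls_key_file: $d/certs/server.pem" \
        "tls_ca_file: $d/cacert.pem" \
        "tls_ca_path: $d/cyursCA/" > "$d/imapd.conf"
    check_imapd_tls "$d/imapd.conf"
    rm -rf "$d"
}

demo
```

Because server.pem holds both the certificate and the private key in this layout, mode 600 owned by the cyrus user satisfies both the readability and the key-permission checks.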