Unfortunately I do not have any clients that 
support secure logins except OE 5.5 and that's 
not working yet. :)

So I really haven't been able to actually "use" 
it yet.  But the general idea is to support
as many as I can to accommodate lots of clients.

I did notice some complaints about not finding 
libdes when compiling SASL and `locate libdes`
finds nothing.  Is that my problem with OE 5.5?
If so how do I install libdes?  It didn't
seem to install with my openssl compile.

The only AUTH methods I have are LOGIN, PLAIN,
CRAM-MD5, and DIGEST-MD5.  No GSSAPI or any of
the others that I saw listed as possibilities
during compile.

-- Michael --

----- Original Message ----- 
From: "Jim Howell" <[EMAIL PROTECTED]>
To: "Michael Fair" <[EMAIL PROTECTED]>
Sent: Monday, December 04, 2000 4:49 AM
Subject: Re: Success 2.0.7, SSL, and SASL!


> Hi,
>          So you're using MD5 as your authentication mechanism?
> Jim
> 
> At 06:34 PM 12/2/2000 -0800, Michael Fair wrote:
> >Hey all,
> >
> >I just wanted to celebrate the success
> >of getting my cyrus 2.0.7 installation
> >configured using SSL and sasldb.  My
> >next project is to get Postfix (which
> >I've never used before) to deliver
> >the incoming mail.
> >
> >Here are my post-install notes to hopefully
> >help others trying to get 2.0.7 working
> >and having problems.
> >
> >Thanks to everyone who helped out (either
> >by sending me email this time around,
> >or posting articles in the past that
> >I looked through on the web archives).
> >
> >1) signaled to death by 11 seems to be just
> >a generic error.  I encountered it when I
> >was having DB problems, and I also got it
> >when I tried to use a partition name with
> >a "." in it.  I imagine that "death by 11"
> >can be caused by any number of things seeing
> >as how I got it with these two seemingly
> >unrelated problems.
> >
> >2) The error regarding "permission denied"
> >when imapd tries to open /etc/sasldb means
> >that the cyrus user does not have read/write
> >permissions on that file.  I'm not sure why
> >it would need write permission, but the
> >strace shows imapd opening the file O_RDWR.
> >
> >3) I recommend using "gdbm" for SASL instead
> >of the default "berkeley".  Using berkeley
> >just kept confusing things.  saslpasswd would
> >set the users and passwords correctly, but
> >imapd would be unable to read them.  I kept
> >getting DIGEST-MD5 and CRAM-MD5 complaining
> >about incompatible versions, and other general
> >failures any time I would try to authenticate
> >anyone.
> >
> >4) Microsoft Outlook Express' "Secure Password
> >Authentication" doesn't seem to work with cyrus.
> >It complains about CRAM-MD5 failing and thinks
> >the server doesn't support any authentication
> >that my Windows 98 machine has on it.
> >Anyone got any ideas on this one?
> >
> >5) I don't understand much about how SSL works,
> >but I know enough to know that I wanted it and
> >was trusting the docs to give me the details.
> >
> >In the install-configure docs it mentions how
> >to generate the key and certificate and says
> >how to set tls_cert_file and tls_key_file in
> >imapd.conf, but it doesn't mention tls_ca_file,
> >or tls_ca_path.  While reading through posts
> >I found references that mentioned tls_ca_file
> >and tls_ca_path as being necessary to make SSL
> >work.  I don't believe this is true, but you
> >will get a "TLS engine: cannot load CA data
> >message in imapd.conf" message without them.
> >This error message is not fatal and your
> >connection will still be secured.
> >
> >Not realizing this I pursued to eliminate the
> >error.  I'm not sure if I did this completely
> >right, and would appreciate an explanation of
> >what it is that I did, and how it affects my
> >system.
> >
> >I eventually chose to modify the CA.pl utility
> >in /usr/ssl/misc that came with openssl and
> >changed the directory it was looking for from
> >./demoCA to /var/imap/cyrusCA.  I then created
> >/var/imap/cyrusCA and ran ./CA.pl --newca
> >I then generated the server.pem file that the
> >install docs had me make and put it in
> >/var/imap/cyrusCA/certs.  I chowned it all to
> >the cyrus user and set the tls settings in
> >imapd.conf as follows:
> >tls_cert_file: /var/imap/cyrusCA/certs/server.pem
> >tls_key_file: /var/imap/cyrusCA/certs/server.pem
> >tls_ca_file: /var/imap/cyrusCA/cacert.pem
> >tls_ca_path: /var/imap/cyrusCA/
> >
> >The error message went away, but in testing I
> >found out that I could comment out the last two
> >lines and the error message would return, but
> >I still got a secured connection.
> >
> >For those of you who think you understand the
> >OpenSSL stuff, I would appreciate some feedback
> >on what it is I actually did.  I know it works, but
> >I don't completely understand why.
> >
> >Any other comments and feedback on this, either
> >in whole, or just part of the document would
> >be very welcomed.
> >
> >Thanks again all,
> >-- Michael --
> 
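
A path check for the four tls_* options quoted in the message above, as an added example that is not part of the original thread or of Cyrus itself. The function name, the demo tree and the "cyrusCA-typo" directory are constructed for illustration; only the option names and the "option: value" layout come from the message.

```shell
#!/bin/sh
# Added example: check that the tls_* paths in a Cyrus imapd.conf exist.
# All file names created by demo() are constructed samples.

# Prints one line per problem; returns 0 if all paths are usable, else 1.
check_tls_paths() {
    conf=$1
    status=0
    while IFS= read -r line; do
        case $line in
            tls_cert_file:*|tls_key_file:*|tls_ca_file:*|tls_ca_path:*) ;;
            *) continue ;;
        esac
        opt=${line%%:*}
        # Strip the option name and surrounding blanks from the value.
        val=$(printf '%s' "${line#*:}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        if [ "$opt" = tls_ca_path ]; then
            [ -d "$val" ] || { echo "$opt: no such directory: $val"; status=1; }
        elif [ ! -r "$val" ]; then
            echo "$opt: missing or unreadable: $val"; status=1
        elif [ "$opt" = tls_key_file ] && [ -n "$(find "$val" -perm -004)" ]; then
            # The private key should not be readable by "other".
            echo "$opt: world-readable private key: $val"; status=1
        fi
    done < "$conf"
    return $status
}

# Build a throwaway tree with one mistyped directory and check it.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/cyrusCA/certs"
    : > "$d/cyrusCA/cacert.pem"
    : > "$d/cyrusCA/certs/server.pem"
    chmod 600 "$d/cyrusCA/certs/server.pem"
    cat > "$d/imapd.conf" <<EOF
tls_cert_file: $d/cyrusCA/certs/server.pem
tls_key_file: $d/cyrusCA/certs/server.pem
tls_ca_file: $d/cyrusCA/cacert.pem
tls_ca_path: $d/cyrusCA-typo/
EOF
    check_tls_paths "$d/imapd.conf" && rc=0 || rc=1
    rm -rf "$d"
    return $rc
}

demo || echo "fix the paths listed above before restarting imapd"
```

Run the check as the cyrus user, since the readability test reflects the permissions of whoever invokes it.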
