Scott Adkins wrote:
>
> Okay, we just got bitten by the Eudora 5.x STARTTLS problem that was
> discussed last month. We have the same problem where only those clients
> cannot negotiate a TLS connection properly, and thus fail to log in at
> all. So...
>
> Ken suggested removing or commenting out the following lines:
>
>     if (tlsonly) {
>         off |= SSL_OP_NO_SSLv2;
>         off |= SSL_OP_NO_SSLv3;
>     }
>
> I am wondering exactly what effect this will have on us... how does this
> affect clients that *do* TLS just fine, such as Mulberry, for instance?
> Would the other clients still use TLS and Eudora use SSLv3?
I would like to think that a TLS capable client would continue to use
TLSv1 even if the server offered SSLv2/v3. But in any case, it
shouldn't break anything.
> For my next question, I am curious if there is a way to turn off the
> STARTTLS capability on the main imap port, but still allow the use of
> the alternate IMAP SSL port. I don't see this capability in the server,
> appearing to be an all or nothing type thing based on the tls options
> listed in the imapd.conf file. Using stunnel to wrap imap on an imaps
> port is not really an option here, but I know that is one way to do it.
Use two config files: imapd.conf WITHOUT any tls_* options and an
imaps.conf WITH the tls_* options. For example
    imap    cmd="imapd"                        listen="imap"
    imaps   cmd="imapd -s -C /etc/imaps.conf"  listen="imaps"
Note that this would also disable STARTTLS for pop3, lmtp and sieve as
well. But, you can mix and match config files all you like.
Hmm. It would be nice to have an #include facility for the config
files, so that you wouldn't have to keep common options in sync between
two or more config files. Probably more trouble than it's worth, though.
Ken
--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26 Orchard Park, NY 14127
--PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp
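The two-config-file approach above (STARTTLS options only in the config used by the imaps service) works, but as Ken notes the common options then have to be kept in sync by hand. The script below is an added example, not from this thread and not Cyrus code: it generates both files from one shared base plus a TLS overlay, writes the matching cyrus.conf service lines, and checks that the plain-IMAP config carries no tls_* options while the imaps config carries a certificate and key. The option values, file paths and the WORK directory are constructed for illustration; the tls_cert_file / tls_key_file names are the Cyrus 2.x option names, but the paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread, not part of Cyrus):
# build imapd.conf (no STARTTLS) and imaps.conf (TLS options) from one
# shared base so common settings never drift apart, then verify the split.

WORK="${WORK:-$(mktemp -d)}"   # scratch directory; constructed, not /etc

# Constructed shared options (assumed values, not a real deployment).
cat > "$WORK/common.conf" <<'EOF'
configdirectory: /var/imap
partition-default: /var/spool/imap
admins: cyrus
sasl_pwcheck_method: saslauthd
EOF

# Constructed TLS overlay: real Cyrus 2.x option names, placeholder paths.
cat > "$WORK/tls.conf" <<'EOF'
tls_cert_file: /etc/ssl/certs/imap.example.org.pem
tls_key_file: /etc/ssl/private/imap.example.org.key
EOF

# Service lines as in the reply above: plain imap uses the default config,
# imaps is started with -s and the TLS-bearing config file.
cat > "$WORK/cyrus.conf.services" <<'EOF'
    imap    cmd="imapd"                        listen="imap"
    imaps   cmd="imapd -s -C /etc/imaps.conf"  listen="imaps"
EOF

# build_configs: imapd.conf = common only; imaps.conf = common + TLS overlay.
build_configs() {
    cat "$WORK/common.conf" > "$WORK/imapd.conf"
    cat "$WORK/common.conf" "$WORK/tls.conf" > "$WORK/imaps.conf"
}

# count_tls_opts FILE: number of tls_* option lines (comment lines ignored).
# grep -c exits 1 when the count is 0 but still prints "0", hence "|| true".
count_tls_opts() {
    grep -c '^[[:space:]]*tls_[A-Za-z_]*:' "$1" || true
}

# check_split: succeeds only when imapd.conf has no tls_* options (so the
# imap service will not advertise STARTTLS) and imaps.conf names both a
# certificate and a key.
check_split() {
    plain=$(count_tls_opts "$WORK/imapd.conf")
    tls=$(count_tls_opts "$WORK/imaps.conf")
    [ "$plain" -eq 0 ] || return 1
    [ "$tls" -ge 2 ] || return 1
    grep -q '^tls_cert_file:' "$WORK/imaps.conf" || return 1
    grep -q '^tls_key_file:' "$WORK/imaps.conf" || return 1
    return 0
}

build_configs
if check_split; then
    echo "ok: tls_* options present only in $WORK/imaps.conf"
else
    echo "config split is wrong: check $WORK/imapd.conf and $WORK/imaps.conf" >&2
fi
```

Rerunning the script after editing common.conf regenerates both files, which is the sync Ken's hypothetical #include would have provided; the check_split function is the sanity test to keep in a deploy step, since a single tls_* line slipping into imapd.conf is enough to re-enable STARTTLS on the plain port.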