One can use tls on the alternate port (not starttls but full time tls) by changing the eudora.ini file to add the two lines as follows:

SSLReceiveVersion=0
SSLSendVersion=0

Oct 19 16:02:44 parrot imapd[17996]: starttls: TLSv1 with cipher DES-CBC3-SHA (168 /168 bits) no authentication
Oct 19 16:02:45 parrot imapd[17996]: login: glock.squawk.com[208.176.124.157] nick CRAM-MD5+TLS User logged in

SSLSendVersion is used for the smtp connection, which may not be important to you. But it seems that if you set one you should set the other for completeness.

Whereas this is not STARTTLS, when you set "secure sockets" to "required, alternate port" it will make a TLS connection to the alternate port on an unmodified Cyrus, and TLS will work. So you can push the changes to your eudora people by telling them to make this change to their eudora.ini file.

I originally thought that this would allow starttls on the primary port, but it won't. It will, however, negotiate TLS with an unmodified cyrus on the alternate port if you add the above two lines to the eudora.ini file in the settings area.

Stop eudora, edit eudora.ini, start eudora again.

If you make a change to the port negotiations, and there is an active connection, the connection will not change unless you stop and start eudora, or maybe change the name of the machine that you are connecting to. If you just tell it to change from "required, alternate port" to "required, STARTTLS" it will continue to use the old connection on the alternate port. That was why I originally thought that this change allowed "required, STARTTLS" on the primary port to work.

ssl v3 and tls are equally strong, so far as I know, for picking the symmetric key. The symmetric cypher mentioned above is real good, I believe. :-)

At 09:52 AM 2001-10-19 -0400, Scott Adkins wrote:
>Okay, we just got bitten by the Eudora 5.x STARTTLS problem that was
>discussed last month. We have the same problem where only those clients
>cannot negotiate a TLS connection properly, and thus fails to login at
>all. So...
>
>Ken suggested removing or commenting out the following lines:
>
>    if (tlsonly) {
>        off |= SSL_OP_NO_SSLv2;
>        off |= SSL_OP_NO_SSLv3;
>    }
>
>I am wondering exactly what effect this will have on us... how does this
>affect clients that *do* TLS just fine, such as Mulberry, for instance?
>Would the other clients still use TLS and Eudora use SSLv3?
>
>For my next question, I am curious if there is a way to turn off the
>STARTTLS capability on the main imap port, but still allow the use of
>the alternate IMAP SSL port. I don't see this capability in the server,
>appearing to be an all or nothing type thing based on the tls options
>listed in the imapd.conf file. Using stunnel to wrap imap on an imaps
>port is not really an option here, but I know that is one way to do it.
>

--
War is an ugly thing, but it is not the ugliest of things. The decayed and degraded state of moral and patriotic feeling which thinks that nothing is worth war is much worse. A man who has nothing for which he is willing to fight, nothing he cares about more than his own personal safety, is a miserable creature who has no chance of being free, unless made so by the exertions of better men than himself. -- John Stuart Mill

Nick Simicich - [EMAIL PROTECTED]
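
Added example, not part of the original message or of Cyrus: a small log audit that joins each imapd "starttls:" line to the login that follows it on the same pid, so an administrator can see which clients negotiated TLSv1, which fell back to SSLv3, and which logged in without TLS. Only the first two sample lines come from the message; the others, including the SSLv3 line format, the example hosts and the users alice and bob, are constructed assumptions.

```python
import re
from collections import defaultdict

# First two lines are quoted from the message; the rest are constructed.
SAMPLE_LOG = """\
Oct 19 16:02:44 parrot imapd[17996]: starttls: TLSv1 with cipher DES-CBC3-SHA (168 /168 bits) no authentication
Oct 19 16:02:45 parrot imapd[17996]: login: glock.squawk.com[208.176.124.157] nick CRAM-MD5+TLS User logged in
Oct 19 16:05:10 parrot imapd[18020]: starttls: SSLv3 with cipher DES-CBC3-SHA (168 /168 bits) no authentication
Oct 19 16:05:11 parrot imapd[18020]: login: client1.example.org[192.0.2.10] alice PLAIN+TLS User logged in
Oct 19 16:07:30 parrot imapd[18031]: login: client2.example.org[192.0.2.11] bob CRAM-MD5 User logged in
"""

PREFIX = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ imapd\[(\d+)\]: (.*)$")
TLS = re.compile(r"^starttls: (\S+) with cipher (\S+) \((\d+)\s*/\s*(\d+) bits")
LOGIN = re.compile(r"^login: (\S+?)\s*\[([^\]]+)\] (\S+) (\S+) User logged in")

def audit(log_text):
    """Return one record per login, joined by imapd pid to its starttls line."""
    tls_by_pid, sessions = {}, []
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        pid, msg = m.groups()
        t = TLS.match(msg)
        if t:
            tls_by_pid[pid] = (t.group(1), t.group(2), int(t.group(3)))
            continue
        l = LOGIN.match(msg)
        if not l:
            continue
        host, _ip, user, mech = l.groups()
        proto, cipher, bits = tls_by_pid.pop(pid, (None, None, 0))
        # A reused server pid may carry stale TLS state; trust it only
        # when the login line itself carries the "+TLS" suffix.
        if not mech.endswith("+TLS"):
            proto, cipher, bits = None, None, 0
        sessions.append({"user": user, "host": host, "mech": mech,
                         "protocol": proto, "cipher": cipher, "bits": bits})
    return sessions

def summarize(sessions):
    """Group user names by negotiated protocol ('cleartext' if none)."""
    groups = defaultdict(list)
    for s in sessions:
        groups[s["protocol"] or "cleartext"].append(s["user"])
    return dict(groups)

if __name__ == "__main__":
    print(summarize(audit(SAMPLE_LOG)))
```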