On Mon, 15 Nov 2004, OpenMacNews wrote:
> SERVICES {
> #  imap cmd="imapd" listen="imap" prefork=0
>    imaps cmd="imapd -s" listen="imaps" prefork=0

That's not what you want. Enable both services, and configure sasl_minimum_layer to 128 (or is that 64? I forgot. See the SASL docs for the correct value).

imapd -s is for IMAP connections that are externally wrapped by SSL (bad). imapd is for non-encrypted IMAP connections, and IMAP connections that use TLS (good). sasl_minimum_layer tells Cyrus what you require of the connection.

> however, if i instead login to with server ==
> mail2.internal.testdomain.com:993 and security == STARTTLS-TLSv1, no
> connection occurs, and the attempt times out after the tls_session_timeout
> (60 seconds).

Because you effectively connected without SSL to an SSL port. TLS starts with plaintext, and goes to encryption early (before any sensitive information is exchanged, but *after* important stuff that could be useful to select encryption/authentication keys, like the server name, is exchanged).

BTW, add this to imapd.conf:

tls_cipher_list: ALL:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH

That will disable all weak ciphers, and leave you with medium grade and high grade ciphers. Try

openssl ciphers -v '<what you have in tls_cipher_list>'

to see what you get. If you can get away with it, remove SSLv2 (add !SSLv2 after ALL:) too. man ciphers (openssl ciphers) to see how this works.

And try to have both sides of the connection authenticated (require client certificates with a certification path known to the server).

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html