Cyrus imap TLS and SSL
Keith Nunn
kapn at kapn.net
Mon Feb 14 09:14:59 PST 2005
I'm new to e-mail setups at this level, but have some familiarity with
the basics. I've spent days poring over what docs I can find and HOWTOs
for any number of setups involving Cyrus IMAP. What I have been utterly
unable to figure out is how to get secure connections working on my
machine.
The relevant entries for imapd offer valid certificates and TLS is
working for Sendmail.
imapd.conf:
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN DIGEST-MD5 CRAM-MD5
tls_cert_file: /usr/local/certs/cyrus-global.pem
tls_key_file: /usr/local/certs/private/cyrus-global.key
tls_ca_file: /usr/local/certs/cyrus-global.pem
tls_ca_path: /usr/local/certs/
tls_session_timeout: 1440
tls_cipher_list: TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
CAPABILITY reports:
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE
STARTTLS AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR
A local test with:
imtest -s -a kapn -m login -p imap -v localhost
fails thus:
starting TLS engine
setting up TLS connection
SSL_connect:before/connect initialization
write to 080652C0 [08083000] (100 bytes => 100 (0x64))
0000 16 03 01 00 5f 01 00 00|5b 03 01 42 10 db e2 13
0010 57 f9 cb 4d 90 42 67 d2|d4 31 46 5f 8a ec a5 69
0020 ec da 60 3e f9 fa 5d 0c|38 92 49 00 00 34 00 39
0030 00 38 00 35 00 16 00 13|00 0a 00 33 00 32 00 2f
0040 00 66 00 05 00 04 00 63|00 62 00 61 00 15 00 12
0050 00 09 00 65 00 64 00 60|00 14 00 11 00 08 00 06
0060 00 03 01
0064 - <SPACES/NULS>
SSL_connect:SSLv3 write client hello A
read from 080652C0 [0807A000] (5 bytes => 5 (0x5))
0000 2a 20 4f 4b
0005 - <SPACES/NULS>
write to 080652C0 [08089000] (7 bytes => 7 (0x7))
0000 15 20 4f 00 02 02 46
SSL3 alert write:fatal:protocol version
SSL_connect:error in SSLv3 read server hello A -1
SSL_connect error -1
SSL session removed
failure: TLS negotiation failed!
I'm more than willing to be told I'm a dope and am missing the obvious, but
I'd really love suggestions if you have any.
kapn
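The trace above can be read mechanically: a TLS peer answers a ClientHello with a record whose first byte is 0x16 (handshake), while the four bytes the server actually returned here, 2a 20 4f 4b, are the ASCII text "* OK", an unencrypted IMAP greeting. The following Python is added here and is not part of the original post or of Cyrus or imtest; it parses the OpenSSL-style byte dumps transcribed from the trace and classifies what each side spoke.

```python
# Added example, not from the original post: decode the imtest/OpenSSL byte
# dumps shown in the trace and say what protocol each side was speaking.
# The three dumps below are transcribed from that trace.

CLIENT_HELLO_DUMP = """
0000 16 03 01 00 5f 01 00 00|5b 03 01 42 10 db e2 13
0010 57 f9 cb 4d 90 42 67 d2|d4 31 46 5f 8a ec a5 69
0020 ec da 60 3e f9 fa 5d 0c|38 92 49 00 00 34 00 39
0030 00 38 00 35 00 16 00 13|00 0a 00 33 00 32 00 2f
0040 00 66 00 05 00 04 00 63|00 62 00 61 00 15 00 12
0050 00 09 00 65 00 64 00 60|00 14 00 11 00 08 00 06
0060 00 03 01
0064 - <SPACES/NULS>
"""
SERVER_REPLY_DUMP = "0000 2a 20 4f 4b\n0005 - <SPACES/NULS>"
CLIENT_ALERT_DUMP = "0000 15 20 4f 00 02 02 46"

TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}
TLS_ALERT_LEVELS = {1: "warning", 2: "fatal"}
TLS_ALERT_DESCRIPTIONS = {70: "protocol_version"}  # RFC 5246, section 7.2

def parse_hexdump(dump: str) -> bytes:
    """Parse 'OFFSET hh hh|hh ...' lines. A '- <SPACES/NULS>' trailer only
    says the remaining bytes were spaces or NULs, so nothing is emitted."""
    out = bytearray()
    for line in dump.strip().splitlines():
        tokens = line.replace("|", " ").split()
        if len(tokens) < 2 or tokens[1] == "-":
            continue
        out.extend(int(tok, 16) for tok in tokens[1:])  # tokens[0] = offset
    return bytes(out)

def declared_record_length(record: bytes) -> int:
    """Total TLS record size: 5-byte header plus the 16-bit length field."""
    return 5 + int.from_bytes(record[3:5], "big")

def classify(data: bytes) -> str:
    """Label a peer's first bytes: TLS record, plaintext IMAP, or unknown."""
    if len(data) >= 3 and data[0] in TLS_CONTENT_TYPES and data[1] == 0x03:
        return "tls " + TLS_CONTENT_TYPES[data[0]]
    if data.startswith(b"* "):          # untagged IMAP response, e.g. "* OK"
        return "plaintext imap greeting"
    return "unknown"

def describe_alert(record: bytes) -> str:
    # Alert body = level byte (1 warning, 2 fatal) + description byte.
    if len(record) < 7 or record[0] != 0x15:
        raise ValueError("not a TLS alert record")
    level = TLS_ALERT_LEVELS.get(record[5], str(record[5]))
    desc = TLS_ALERT_DESCRIPTIONS.get(record[6], str(record[6]))
    return f"{level}:{desc}"
```

Run against the dumps, the client's 100-byte TLS ClientHello is answered by the plaintext greeting "* OK", so the SSL-wrapped mode selected by imtest -s reached a port that speaks plain IMAP first; that is the port on which the STARTTLS capability the server advertises would be used instead.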