From owner-freebsd-isp@FreeBSD.ORG Mon Feb 14 17:14:59 2005
Message-ID: <4210DCEB.5010909@kapn.net>
Date: Mon, 14 Feb 2005 12:16:27 -0500
From: Keith Nunn <kapn@kapn.net>
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
To: freebsd-isp@freebsd.org
Subject: Cyrus imap TLS and SSL

I'm new to e-mail setups at this level, but have some familiarity with the basics. I've spent days poring over what docs I can find and HOWTOs for any number of setups involving Cyrus IMAP. What I have been utterly unable to figure out is how to get secure connections working on my machine. The relevant entries for imapd offer valid certificates and TLS is working for Sendmail.
imapd.conf:

  sasl_pwcheck_method: saslauthd
  sasl_mech_list: PLAIN DIGEST-MD5 CRAM-MD5
  tls_cert_file: /usr/local/certs/cyrus-global.pem
  tls_key_file: /usr/local/certs/private/cyrus-global.key
  tls_ca_file: /usr/local/certs/cyrus-global.pem
  tls_ca_path: /usr/local/certs/
  tls_session_timeout: 1440
  tls_cipher_list: TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH

CAPABILITY reports:

  S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR

A local test with:

  imtest -s -a kapn -m login -p imap -v localhost

fails thus:

  starting TLS engine
  setting up TLS connection
  SSL_connect:before/connect initialization
  write to 080652C0 [08083000] (100 bytes => 100 (0x64))
  0000 16 03 01 00 5f 01 00 00|5b 03 01 42 10 db e2 13
  0010 57 f9 cb 4d 90 42 67 d2|d4 31 46 5f 8a ec a5 69
  0020 ec da 60 3e f9 fa 5d 0c|38 92 49 00 00 34 00 39
  0030 00 38 00 35 00 16 00 13|00 0a 00 33 00 32 00 2f
  0040 00 66 00 05 00 04 00 63|00 62 00 61 00 15 00 12
  0050 00 09 00 65 00 64 00 60|00 14 00 11 00 08 00 06
  0060 00 03 01
  0064 -
  SSL_connect:SSLv3 write client hello A
  read from 080652C0 [0807A000] (5 bytes => 5 (0x5))
  0000 2a 20 4f 4b
  0005 -
  write to 080652C0 [08089000] (7 bytes => 7 (0x7))
  0000 15 20 4f 00 02 02 46
  SSL3 alert write:fatal:protocol version
  SSL_connect:error in SSLv3 read server hello A
  -1 SSL_connect error -1
  SSL session removed
  failure: TLS negotiation failed!

I'm more than willing to be told I'm a dope and am missing the obvious, but I'd really love suggestions if you have any.

kapn
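As an added example that is not part of the original post: the trace above shows the client writing a TLS record (first byte 0x16, a handshake record, with version bytes 03 01) and reading back the ASCII bytes 2a 20 4f 4b, which spell "* OK", the start of a plaintext IMAP greeting, before it writes a 7-byte record whose first byte 0x15 marks a TLS alert. The Python below is my own code, not Cyrus's or the poster's: it parses hexdump lines in the format the trace uses, decodes TLS record headers and alert bodies, and classifies what the server sent first, so the same check can be run over any imtest or OpenSSL trace. The sample dumps are copied from the trace above; the function names and the tolerant hexdump parser are my own.

```python
"""Decode OpenSSL-style hexdump lines and explain a failed TLS handshake."""
import re

# One dump line as printed in the post: a 4-digit offset, then up to 16 hex
# bytes separated by spaces, "|" or "-".  Lines that do not look like this
# (protocol messages, "0064 -" length markers) are skipped.
HEXDUMP_LINE = re.compile(r"^\s*[0-9a-fA-F]{4}\s+(.*)$")
HEX_BYTE = re.compile(r"[0-9a-fA-F]{2}")

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      20: "bad_record_mac", 40: "handshake_failure",
                      42: "bad_certificate", 46: "certificate_unknown",
                      47: "illegal_parameter", 48: "unknown_ca",
                      70: "protocol_version", 80: "internal_error"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1",
            (3, 3): "TLSv1.2"}


def parse_hexdump(text: str) -> bytes:
    """Collect the bytes from every dump line; stop a line at its ASCII column."""
    out = bytearray()
    for line in text.splitlines():
        m = HEXDUMP_LINE.match(line)
        if not m:
            continue
        tokens = [t for t in re.split(r"[\s|-]+", m.group(1).strip()) if t]
        for tok in tokens[:16]:          # a dump line carries at most 16 bytes
            if not HEX_BYTE.fullmatch(tok):
                break                    # reached the ASCII column (if any)
            out.append(int(tok, 16))
    return bytes(out)


def parse_tls_record_header(data: bytes) -> dict:
    """Decode the 5-byte TLS record header and, for alerts, the 2-byte body."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    ctype, major, minor = data[0], data[1], data[2]
    rec = {
        "content_type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
        "version": VERSIONS.get((major, minor), f"invalid(0x{major:02x}{minor:02x})"),
        "length": int.from_bytes(data[3:5], "big"),
    }
    if ctype == 21 and len(data) >= 7:
        rec["alert_level"] = ALERT_LEVELS.get(data[5], f"unknown({data[5]})")
        rec["alert_description"] = ALERT_DESCRIPTIONS.get(data[6], f"unknown({data[6]})")
    return rec


def classify_server_reply(data: bytes) -> str:
    """A TLS record means the port speaks TLS from the first byte (imaps);
    an IMAP greeting means a plaintext port where TLS must be started with
    STARTTLS after the greeting."""
    if data[:1] in (b"\x16", b"\x15") and data[1:2] == b"\x03":
        return "tls-record"
    if data.startswith((b"* OK", b"* PREAUTH", b"* BYE")):
        return "imap-greeting"
    return "unknown"


def diagnose(client_first: bytes, server_first: bytes) -> str:
    """One-sentence verdict on the first bytes each side sent."""
    hello = parse_tls_record_header(client_first)
    kind = classify_server_reply(server_first)
    if hello["content_type"] == "handshake" and kind == "imap-greeting":
        return ("client sent a TLS ClientHello but the server answered with a "
                "plaintext IMAP greeting: this port expects STARTTLS, not implicit TLS")
    if hello["content_type"] == "handshake" and kind == "tls-record":
        return "server answered the ClientHello with a TLS record: implicit TLS is in use"
    return "could not classify the exchange"


# Sample dumps copied from the trace in the post (only the first two lines of
# the ClientHello are needed to decode its record header).
CLIENT_HELLO_DUMP = """\
0000 16 03 01 00 5f 01 00 00|5b 03 01 42 10 db e2 13
0010 57 f9 cb 4d 90 42 67 d2|d4 31 46 5f 8a ec a5 69
"""
SERVER_REPLY_DUMP = "0000 2a 20 4f 4b"
CLIENT_ALERT_DUMP = "0000 15 20 4f 00 02 02 46"

if __name__ == "__main__":
    print(parse_tls_record_header(parse_hexdump(CLIENT_HELLO_DUMP)))
    print(parse_hexdump(SERVER_REPLY_DUMP))
    print(parse_tls_record_header(parse_hexdump(CLIENT_ALERT_DUMP)))
    print(diagnose(parse_hexdump(CLIENT_HELLO_DUMP), parse_hexdump(SERVER_REPLY_DUMP)))
```

Run over this trace, `diagnose` reports that the server answered the ClientHello with an IMAP greeting rather than a TLS record, and the 7-byte write decodes as a fatal `protocol_version` alert whose version field (0x204f, the two bytes after "*") is not a valid TLS version, matching the "SSL3 alert write:fatal:protocol version" line. That pattern is what a plaintext IMAP port produces when a client opens it as implicit TLS: in imtest(1), `-s` enables IMAP over SSL (imaps), while `-t ""` negotiates TLS via STARTTLS on the plaintext port.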