Hi! I seem to be missing some context, but I might have a usable suggestion or two for you anyway.
On Thu, Dec 11, 2003 at 12:47:50PM +0100, Paolo Nesti Poggi wrote:

> > > Then I tried the ssl way as described on
> > > http://lifewithbincimap.org/index.php/Main/DoItYourselfCertificateAuthority
> >
> > Did this work? If not, what happened?
>
> I went through the whole process, produced a cacert.crt that was installed
> in Netscape 7, however nothing happens when I try and connect with an IMAP
> client in ssl mode

And I assume also the bincimap.pem for Binc.

(On another note, I just restored my version of that page, and added
Stefano's version right next to it, and changed the link on the LWBI
HomePage, and added a short text about certificates with Binc on
InstallingBincIMAP.)

> As I wrote I don't get anything inside the log. I thought that it might be
> normal behaviour, that the log only shows what happens *after* the
> connection succeeds.
> But if you ask, I have to believe that something *should* be logged also
> during the connection negotiation, even in the case where the negotiation
> fails due to a misconfiguration.
>
> Am I right? If this is true then the problem might easily not be ssl
> configuration but something that happens before.

Yes. You should have log output even before anyone actually succeeds to log
in. Binc won't work properly if it can't log output, so this is important to
check, and possibly fix.

> About logging then, I was used to daemontools with dnscache and tinydns and
> in those cases I get a message inside the log whenever I restart the
> service, it is not the case here (both for ssl and no ssl), is it normal?

There are no messages in the log when starting or shutting down Binc. You
should get a "..Client connected.." message in the log whenever someone
connects to the tcpserver process, though. (Before login and authentication.)

> With bincimap (no ssl) in the beginning I didn't get anything in the log
> file either, but I solved that changing permissions and/or ownership,
> for logging root is the owner
>
> I'm pasting a snapshot of permissions of my log files:

Looks ok. Verify that svscan is run by root and that no setuidgid calls are
made in /service/bincimap-ssl/log/run

> I hope you can give me some ideas about how I can go on in troubleshooting.
> For instance, I would like to try and connect to port 993 from the command
> line and I remember an example for doing this on your website, however I've
> not been able to find it again.

    telnet localhost 993

This might cause messages in the log, even if the telnet client doesn't know
SSL. Otherwise, use the openssl s_client command:

    openssl s_client -connect localhost:993 -CAfile CADIR/cacert.crt

(replace CADIR/cacert.crt with /etc/opt/bincimap/diy_ca.cert if using my
DIYCA description)

Please also note that it is far from ideal to have a CA on a networked
system. If someone gains access to your CA private key, there is no security
in the entire PKI anymore. I recommend the CA to be on a disconnected system.

Hope this helps!

//Peter
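The troubleshooting in the reply comes down to telling three situations apart: nothing is listening on 993 at all (svscan/tcpserver not running), something is listening but answering in plain IMAP because the SSL wrapper is not in the chain, or TLS is spoken but the server certificate does not chain to the CA file the client trusts. The following is an added example, not code from this thread or from the Binc IMAP project, that automates that distinction in Python. The host, port and CA path are parameters you supply; the local "fake" server and the banner text it sends are constructed here purely so the script can be run offline.

```python
# Added example (not from the thread): probe an IMAP/SSL port and report
# which of the failure modes discussed in the reply is actually present.
import socket
import ssl
import threading

IMAP_GREETINGS = (b"* OK", b"* PREAUTH", b"* BYE")


def probe_imaps(host, port, cafile=None, timeout=3.0):
    """Classify what answers on host:port.

    Returns one of:
      'refused'              nothing bound to the port (check svscan/tcpserver)
      'unreachable'          connect failed for another reason (route, DNS, timeout)
      'plaintext-imap'       a plain IMAP greeting arrived: SSL wrapper not in use
      'unexpected-plaintext' something that is not IMAP talks first on the port
      'tls-verify-failed'    handshake done, but the cert does not chain to cafile
      'tls-handshake-failed' the peer is not speaking TLS at all
      'tls-ok'               TLS established and an IMAP greeting was read
      'tls-no-greeting'      TLS established but no IMAP greeting followed
    """
    # Step 1: plain TCP connect. A refusal means tcpserver is not listening.
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"

    # Step 2: wait briefly to see whether the server greets us first.
    # A TLS server stays silent until it receives our ClientHello, whereas an
    # IMAP daemon started without the SSL wrapper sends "* OK ..." at once.
    with raw:
        raw.settimeout(timeout)
        try:
            banner = raw.recv(256)
        except socket.timeout:
            banner = b""
    if banner:
        if banner.startswith(IMAP_GREETINGS):
            return "plaintext-imap"
        return "unexpected-plaintext"

    # Step 3: TLS handshake, verified against the CA that signed the server
    # certificate (e.g. the DIY CA's cacert.crt). With cafile=None we only
    # check that the peer speaks TLS and do no verification at all.
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.settimeout(timeout)
                greeting = tls.recv(256)
    except ssl.SSLCertVerificationError:
        return "tls-verify-failed"
    except ssl.SSLError:
        return "tls-handshake-failed"
    except socket.timeout:
        return "tls-no-greeting"
    except OSError:
        return "unreachable"
    return "tls-ok" if greeting.startswith(IMAP_GREETINGS) else "tls-no-greeting"


def fake_plaintext_imap_server(banner=b"* OK IMAP4rev1 ready\r\n"):
    """Constructed stand-in for a misconfigured port: sends a plaintext
    IMAP-style greeting once on an ephemeral 127.0.0.1 port. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return port


def unused_local_port():
    """Pick a port nothing listens on, to show the 'refused' outcome."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Run the probe against the two cases that can be shown offline."""
    return {
        "plaintext": probe_imaps("127.0.0.1", fake_plaintext_imap_server(), timeout=2.0),
        "refused": probe_imaps("127.0.0.1", unused_local_port(), timeout=2.0),
    }


if __name__ == "__main__":
    print(demo())
    # Against a real Binc IMAP/SSL setup you would call, for example:
    # print(probe_imaps("localhost", 993, cafile="/etc/opt/bincimap/diy_ca.cert"))
```

When a CA file is given the probe also checks the hostname, as a mail client would, so connecting to "localhost" with a certificate issued for the machine's real name reports tls-verify-failed; connect using the name that is in the certificate to tell a CA mismatch from a name mismatch.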
