Hi.

On Sun, Dec 14, 2003 at 10:58:06PM -0800, AthlonRob wrote:
> The box is a Slackware 8.1 box with GCC 2.95.  I couldn't get it
> compiled on there, even with GCC 3.2.1,

You probably need to tell configure about where to find needed libraries and
include files. Send us the end of the output where it fails.


> it doesn't seem PAM is required

It isn't. Binc uses the checkpassword authentication scheme. See
http://cr.yp.to/checkpwd.html and http://cr.yp.to/checkpwd/interface.html


> I copied over the config file, made a .pem (BTW, as far as I've seen, RH
> is the only one who does the cd /usr/share/ssl/certs && make), put them
> in /usr/etc, added lines to /etc/inetd.conf, HUP'd inetd, and tried to
> connect.  No go.  :-\

See http://lifewithbincimap.org/index.php/Main/InstallingBincIMAP for two
guides on how to make a certificate authority for creating your own
certificates.


> It's like it doesn't see the configuration file.  I modified it to call
> tcpd first:
> 
> imap2 stream tcp nowait root /usr/sbin/tcpd /usr/bin/bincimap-up
> --conf=/usr/etc/bincimap.conf --logtype=syslog -- /bin/checkpassword
> /usr/bin/bincimapd
> 
> And now I'm able to at least login plaintext like.
> 
> However, now I want to get SSL/TLS working so I can safely open it up to
> the web.  Here I'm definitely running into problems.

I suggest you check out daemontools and ucspi-tcp. daemontools and Slackware
have been known to like each other on previous installations I've made. :)


> Let's start with TLS... it seems to be most common/easiest?

TLS version 1 is a superset of SSL v2 and SSL v3.

They are effectively equal.


> I don't know how to do TLS interactively from openssl or telnet, so

See the FAQ and the mailing list archive.

openssl s_client -help


> ...so I'm basically not getting any useful output. :-(

Did you set a passphrase for the private key in the Binc cert? Take it out.
There's currently no way to specify the passphrase, hence Binc won't be able
to load the cert.


> I don't know where to go from there.
> 
> Next up... SSL...
> 
> I compiled the thing statically so SSL should all be static and not rely
> on the server's SSL stuff, right?

Right.


>  I hope so, anyway; Slackware 8.1's
> SSL doesn't include as many ciphers as other distros (it was fixed in
> 9.0, I understand).

Doesn't matter as you've compiled statically, although I've been known to
frequently add source compiled packages to my Slackware systems for this,
and other, reason(s).


> When I connect to the SSL port (993, same inetd entry as above except
> for "--ssl " before the --conf) KMail errors out with "could not connect
> to host mail.axpr.net" and my syslog shows:
> 
> Dec 14 22:51:25 linuxbox bincimap-up[31626]: Error initializing Binc
> IMAP: SSL negotiation failed: SSL error: cipher list undefined
> 
> The bincimap.conf file can be found at http://rob.axpr.net/bincimap.conf
> FWIW.

Hm, did you change the cipher list from the sample config?
Try using what's shown in my DIYCA guide..

Furthermore, I don't know whether Binc requires access to the CA cert in
order to run or not, but entering the filename won't hurt, that's for sure.
(OpenSSL doesn't care, Binc might, although shouldn't when verify peer=no.)


> 1)  Verify I can use Postfix and regular Maildir boxes with Binc

Yes. (<rant>Note that procmail can't make more than 10 deliveries of the
same mail to the same folder - after that it breaks. Also, procmail doesn't
use correct filenames for delivering to Maildirs, exactly because it's
possible to deliver a message more than once to the same folder, and they
didn't want to fork() per delivery, I guess. Blech, the procmail code is
awful.</rant>)


> 2)  Figure out how to get TLS and SSL working

The openssl tool is your friend. openssl help and openssl command -help.
You could also, and I suggest you do, read one or both of the CA guides on
LWBI even if you don't intend to set up your own CA, to get to know openssl
a little better.


> 3)  Provide a few pointers for future googlers running Slackware/Postfix

I'm also a slackware->gentoo user. Dunno. Still think I prefer Slackware on
a server.. But I'm not sure. Oh well, that's another discussion.


//Peter
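
Added example, not part of the original message and not code from the Binc project: a pre-flight check for the two failure modes raised in this thread, a passphrase-protected private key that a non-interactive server cannot load, and a cipher string the local OpenSSL rejects. The function names are hypothetical and the PEM files are constructed skeletons, not real keys.

```shell
# Added example; file names and PEM bodies are constructed placeholders.

# has_private_key FILE: 0 if FILE contains any PEM private key block.
has_private_key() {
    grep -Eq '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1"
}

# key_is_encrypted FILE: 0 if the key needs a passphrase to load.
# Traditional keys carry "Proc-Type: 4,ENCRYPTED"; PKCS#8 keys use the
# "BEGIN ENCRYPTED PRIVATE KEY" label.
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# check_pem FILE: 0 = loadable without a prompt, 1 = encrypted, 2 = no key.
# An encrypted RSA key can be rewritten without a passphrase using
#   openssl rsa -in key.pem -out key-nopass.pem
# after which the file should be readable by the server account only.
check_pem() {
    if ! has_private_key "$1"; then
        echo "$1: no private key block found"; return 2
    fi
    if key_is_encrypted "$1"; then
        echo "$1: private key is passphrase-protected"; return 1
    fi
    echo "$1: private key is unencrypted"
}

# cipher_list_ok STRING: 0 if the local openssl CLI accepts the cipher
# string and it selects at least one cipher.
cipher_list_ok() {
    openssl ciphers "$1" >/dev/null 2>&1
}

# make_samples DIR: write constructed PEM skeletons (not real keys).
make_samples() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$1/encrypted.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$1/plain.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$1/certonly.pem"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in encrypted plain certonly; do check_pem "$demo_dir/$f.pem" || true; done
rm -rf "$demo_dir"
```

Run `check_pem` against the .pem named in the server configuration, and `cipher_list_ok` against the configured cipher string, before restarting the service.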
