Hi there.

I am running IMAP 1.6.22 on FreeBSD 4.2 with SASL 1.5.24_3.

I can access EVERYTHING ok when I use imap (port 143) non-encrypted.

My imapd.conf file:
====
configdirectory: /usr/local/etc/imap
partition-default: /var/spool/imap
admins: root
defaultacl: anyone none

tls_CA_path: /usr/local/etc/imap/certs
tls_CA_file: /usr/local/etc/imap/certs/ca-kcis-010109.pem
tls_key_file: /usr/local/etc/imap/certs/kcis-010109.pem
tls_cert_file: /usr/local/etc/imap/certs/kcis-010109.pem
=====

When I try to access using TLS I am having some difficulty.
My imapd.log file when I connect using Mulberry from Cyrusoft.com:
=====
Jan 10 11:01:46 gw imapd[1916]: starttls: TLSv1 with cipher DES-CBC3-SHA (168/168 bits) no authentication
Jan 10 11:01:52 gw imapd[1916]: PROTERR: Connection reset by peer
=====

But, when I run IMTEST:

====
imtest -m login -a usernamehere -u usernamehere -t "" -p 993 localhost
C: C01 CAPABILITY
S: * OK gw.kcis.com Cyrus IMAP4 v1.6.22 server ready
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS X-NON-HIERARCHICAL-RENAME NO_ATOMIC_RENAME STARTTLS AUTH=DIGEST-MD5 AUTH=CRAM-MD5 UNSELECT
S: C01 OK Completed
S01 OK Begin TLS negotiation now
verify error:num=18:self signed certificate
TLS connection established: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
C: C01 CAPABILITY
S: S01 BAD Please login first
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS X-NON-HIERARCHICAL-RENAME NO_ATOMIC_RENAME STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5 UNSELECT
S: C01 OK Completed
Password:
+ go ahead
L01 OK User logged in
Authenticated.
Security strength factor: 0
+ go ahead
L01 OK User logged in
Authenticated.
Security strength factor: 0
====

So the IMTEST seems OK,
when I look at the imapd.conf log file,

=====
Jan 10 10:55:11 gw imapd[1891]: starttls: TLSv1 with cipher DES-CBC3-SHA (168/168 bits) no authentication
Jan 10 10:56:21 gw imapd[1891]: login: localhost.kcis.com[127.0.0.1] usernamehere plaintext
=====

and this seems OK too.



So, does anyone have any ideas ???
I have considered upgrading to Cyrus 2.0.9 but that is a task better left until a much safer time. Maybe when we build a new system.


--------------------------------------------------------------------------------
Jerry T. Kendall, CISSP                 The Canada Life Assurance Company
Security Architect                         330 University Avenue
E-Business, Technology Services            Toronto, Ontario, M5G 1R8, CANADA
http://www.CanadaLife.com                  Tel: +1.416.597.1440 x5608
[EMAIL PROTECTED]               Fax: +1.416.597.6900
--------------------------------------------------------------------------------
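
Added example, not part of the original message: a small Python script that groups imapd.log events like the ones quoted above by process ID and labels how each TLS session ended, separating the imtest run (handshake, then login) from the Mulberry connection (handshake, then reset). The sample lines are constructed from the log format in the post, and the script assumes one client connection per imapd PID.

```python
import re

# Constructed sample, modeled on the imapd.log lines quoted in the post
# (wrapped lines rejoined).
SAMPLE_LOG = """\
Jan 10 10:55:11 gw imapd[1891]: starttls: TLSv1 with cipher DES-CBC3-SHA (168/168 bits) no authentication
Jan 10 10:56:21 gw imapd[1891]: login: localhost.kcis.com[127.0.0.1] usernamehere plaintext
Jan 10 11:01:46 gw imapd[1916]: starttls: TLSv1 with cipher DES-CBC3-SHA (168/168 bits) no authentication
Jan 10 11:01:52 gw imapd[1916]: PROTERR: Connection reset by peer
"""

# Only the three event types that appear in the post are recognised.
EVENT_RE = re.compile(
    r"imapd\[(?P<pid>\d+)\]:\s+(?P<event>starttls|login|PROTERR):\s+(?P<detail>.*)$"
)


def classify_sessions(log_text):
    """Group imapd events by PID and label how each TLS session ended."""
    sessions = {}
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # not an imapd event this sketch understands
        s = sessions.setdefault(m["pid"], {"tls": False, "login": False, "error": None})
        if m["event"] == "starttls":
            s["tls"] = True
        elif m["event"] == "login":
            s["login"] = True
        else:  # PROTERR
            s["error"] = m["detail"]

    report = {}
    for pid, s in sessions.items():
        if s["tls"] and s["login"]:
            report[pid] = "tls-login-ok"
        elif s["tls"] and s["error"]:
            # Handshake finished on the server side, then the connection
            # ended with a protocol error before any login was logged.
            report[pid] = "tls-then-dropped: " + s["error"]
        elif s["tls"]:
            report[pid] = "tls-no-login"
        else:
            report[pid] = "no-tls"
    return report
```

Calling `classify_sessions(SAMPLE_LOG)` labels PID 1891 as a completed TLS login and PID 1916 as a TLS session dropped before login.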