hi mitu,

thx for the detailed reply!

1st, my 'bottom line':

  imtest: i CAN login w/ TLS via STARTTLS on port 143
  TBird:  i CAN login w/ TLS, but no trace of STARTTLS and only on port 993

details follow ... here:

>> my understanding was that 'sasl_minimum_layer' >= 64 (128?) was *REQUIRED*
>> for TLS protection ...

> it should be required from the client's point of view and not from the
> server. But sasl_minimum_layer is set up to > 64 even without encryption,
> just with integrity protection (e.g. DIGEST-MD5 without TLS yields an ssf
> of 128).
> here is a snippet of an imtest session:
>
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS AUTH=DIGEST-MD5 SASL-IR
> S: C01 OK Completed
> C: A01 AUTHENTICATE DIGEST-MD5
> [..]
> S: A01 OK Success (privacy protection)
> Authenticated.
> Security strength factor: 128
> x logout
> * BYE LOGOUT received
> x OK Completed

ok. with:

  imtest -v \
    -t "CERTS/mail.testdomain.com.CYRUSkey.rsa.pem" \
    -p imap \
    -m cram-md5 \
    -a [EMAIL PROTECTED] \
    -u [EMAIL PROTECTED] \
    -r mail.testdomain.com \
    mail.testdomain.com

and:

  sasl_minimum_layer: 128
  sasl_mech_list: PLAIN CRAM-MD5 DIGEST-MD5
  allowplaintext: no

here's a similar snippet of mine:

  C: C01 CAPABILITY
  S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS LOGINDISABLED AUTH=DIGEST-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED
  S: C01 OK Unknown Error Code: -1904809420
  C: S01 STARTTLS
  S: S01 OK Begin TLS negotiation now
  starting TLS engine
  setting up TLS connection
  SSL_connect:before/connect initialization
  [..]
  SSL_connect:SSLv3 write client hello A
  [..]
  SSL_connect:SSLv3 read finished A
  subject_CN=mail.testdomain.com, issuer_CN=PRESENCE Group .network CA
  TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
  Asking for capabilities again since they might have changed
  [..]
  C: C01 CAPABILITY
  S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED
  [..]
  S: C01 OK Unknown Error Code: -1904809420
  C: A01 AUTHENTICATE CRAM-MD5
  S: A01 OK Success (tls protection)
  Authenticated.
  Security strength factor: 256

with LOG showing:

  [..]
  Oct 9 08:46:37 devbox DMCYRUS/imap[5319]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) authenticated as mail.testdomain.com
  Oct 9 08:46:46 devbox DMCYRUS/imap[5319]: login: devbox.internal.presence-group.net [172.30.11.5] [EMAIL PROTECTED] CRAM-MD5+TLS User logged in
  [..]

ok, LOGGED in with TLS!

> if I set sasl_minimum_layer to 128 then I cannot login with cram-md5 (without
> SSL/TLS), here is the cyrus log:
>
> badlogin: host [10.1.0.3] PLAIN [SASL(-4): no mechanism available: mech
> CRAM-MD5 is too weak]
>
> and the imtest response was:
> [...]
> S: C01 OK Completed
> C: A01 AUTHENTICATE CRAM-MD5
> S: A01 NO mechanism too weak for this user
> Authentication failed. generic failure
> Security strength factor: 0
>
> But with SSL involved this works:
> [..]
> S: C01 OK Completed
> C: A01 AUTHENTICATE CRAM-MD5
> S: A01 OK Success (tls protection)
> Authenticated.
> Security strength factor: 256

ok. withOUT tls:

  imtest -v \
    -p imap \
    -m cram-md5 \
    -a [EMAIL PROTECTED] \
    -u [EMAIL PROTECTED] \
    -r mail.testdomain.com \
    mail.testdomain.com

  Oct 9 08:49:04 devbox DMCYRUS/imap[5348]: badlogin: devbox.internal.presence-group.net [172.30.11.5] CRAM-MD5 [SASL(-15): mechanism too weak for this user: mech CRAM-MD5 is too weak]

yup. failed as you explained/suggested. good!

>> what *is* the relationship/dependency of sasl_minimum_layer & TLS?

> TLS increases the SSF (security strength factor) and sasl_minimum_layer
> enforces a minimum SSF.

ok. clear.

> Please note that
> using an authentication mech that provides integrity (such as DIGEST-MD5 or
> GSSAPI) increases the SSF also (see my example on DIGEST-MD5 without SSL/TLS).

did not know that! fwiw, here's an add'l helpful reference:

  "SASL Authentication"
  http://java.sun.com/products/jndi/tutorial/ldap/security/sasl.html

>> one 'suspect' ... to connect via TLS, TBird *requires* the following setup:
>> [..]
>> is there, perhaps, an 'issue' with the port993 use defaulting to some
>> minimum_layer strength despite my imapd.conf setting?

> Traditionally port 993 is for imaps (that is IMAP/SSL) in which the client
> connects 'directly' over an SSL connection and negotiates encryption;
> it's not like TLS/STARTTLS in which the client starts the connection in
> plain text and chooses to use TLS (and issues a STARTTLS command) or not.
> Try imtest, it always shows you SSF, and try to configure TB on port 143
> to see if it uses STARTTLS to encrypt the connection.

looking at my FIRST result above with 'imtest', i see 'STARTTLS'. which, if i read you right here, is exactly what i should expect.

> I suspect TB uses IMAPS and always negotiates SSL before attempting to
> issue any IMAP commands and before even authenticating.

hmmmm .... there appears to be a problem, then ...

w/ TB configured as:

  Server Type: IMAP Mail Server
  Server Name: {mail.testdomain.com}
  Port: {993}  Default: 993
  [x] Use secure connection (SSL)
  [x] Use secure authentication

i CAN LOGIN. AND it seems that TLS is *enabled*, but i do NOT SEE (!?) STARTTLS anywhere in my server capability.

my protocol log on connect shows:

  39820288[4e64a40]: 25f5800:mail.testdomain.com:NA:CreateNewLineFromSocket: * OK mail.testdomain.com Cyrus IMAP4 v2.2.12 server ready
  39756800[4e62200]: 25eae00:mail.testdomain.com:NA:CreateNewLineFromSocket: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED
  39756800[4e62200]: 25eae00:mail.testdomain.com:NA:SendData: 2 authenticate CRAM-MD5
  39756800[4e62200]: 25eae00:mail.testdomain.com:NA:CreateNewLineFromSocket: 2 OK Success (tls protection)
  38987264[4ec11b0]: 23e5600:mail.testdomain.com:NA:ProcessCurrentURL:imap://[EMAIL PROTECTED]:993/listfolder%3E%5EDrafts: = currentUrl
  -1610551400[1b06cc0]: queuing @mail.testdomain.com:993/listfolder>^Drafts

with cyrus log:

  Oct 9 09:01:04 devbox DMCYRUS/imaps[5396]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
  Oct 9 09:01:05 devbox DMCYRUS/imaps[5396]: login: tiedgar.presence-group.net [172.30.11.6] [EMAIL PROTECTED] CRAM-MD5+TLS User logged in

===================

BUT, if i config TB -- changing the connect PORT to 143 -- as:

  Server Type: IMAP Mail Server
  Server Name: {mail.testdomain.com}
  Port: {143}  Default: 993
  [x] Use secure connection (SSL)
  [x] Use secure authentication

my protocol log shows:

  -1610551400[1b06cc0]: failed creating protocol instance to play queued url:imap://[EMAIL PROTECTED]:993/folderstatus>
  39742464[4327de0]: ImapThreadMainLoop entering [this=25eb800]
  -1610551400[1b06cc0]: 25eb800:mail.testdomain.com:NA:SetupWithUrl: clearing IMAP_CONNECTION_IS_OPEN
  39742464[4327de0]: 25eb800:mail.testdomain.com:NA:ProcessCurrentURL: entering
  39742464[4327de0]: 25eb800:mail.testdomain.com:NA:ProcessCurrentURL:imap://[EMAIL PROTECTED]:143/select%3E/INBOX: = currentUrl
  [..]
  -1610551400[1b06cc0]: failed creating protocol instance to play queued url:imap://[EMAIL PROTECTED]@mail.testdomain.com:143/select>/
  -1610551400[1b06cc0]: queuing

and it just continuously 'cycles' these last statements ... and i never login/connect.

===================

if i config TB -- turning off SSL -- as:

  Server Type: IMAP Mail Server
  Server Name: {mail.testdomain.com}
  Port: {143}  Default: 143
  [ ] Use secure connection (SSL)
  [x] Use secure authentication

i get an error on login attempt:

  "You cannot log in to mail.testdomain.com because you have enabled secure authentication and this server does not support it. To log in, turn off secure authentication for this accounts."

===================

finally, if i config TB as:

  Server Type: IMAP Mail Server
  Server Name: {mail.testdomain.com}
  Port: {143}  Default: 143
  [ ] Use secure connection (SSL)
  [ ] Use secure authentication

i get a login error of:

  40109056[41e39a0]: 2668e00:mail.testdomain.com:NA:SendData: Logging suppressed for this command (it probably contained authentication information)
  40109056[41e39a0]: ReadNextLine [stream=4132b88 nb=41 needmore=0]
  40109056[41e39a0]: 2668e00:mail.testdomain.com:NA:CreateNewLineFromSocket: 1 NO Login only available under a layer

##################################################

sooooo, here's the problem:

  imtest: i CAN login w/ TLS via STARTTLS on port 143
  TBird:  i CAN login w/ TLS, but no trace of STARTTLS and only on port 993

##################################################

am i seeing a problem with Tbird, Cyrus or me?

thx!

richard

----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
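As an added example (not part of richard's or mitu's mail, and not Cyrus or imtest code), a small Python diagnostic that parses the two CAPABILITY lines quoted in the thread and applies the SSF rule mitu describes: once a TLS layer is up the SSF is the cipher strength, otherwise it is whatever the mechanism itself supplies (128 for DIGEST-MD5, 0 for CRAM-MD5 per the imtest output; 0 for PLAIN is my assumption), and it must reach sasl_minimum_layer. The live helper uses Python's imaplib to reproduce the imtest before/after-STARTTLS capability check on port 143; host and CA file are placeholders.

```python
"""Diagnose the STARTTLS / sasl_minimum_layer behaviour discussed in the thread.
Added example (not Cyrus or imtest code); the SSF values are a simplified model
of what the quoted imtest output reports."""
import imaplib
import ssl

# SSF a mechanism supplies on its own, without TLS (PLAIN=0 is an assumption).
MECH_SSF = {"DIGEST-MD5": 128, "CRAM-MD5": 0, "PLAIN": 0}

# Capability lines as quoted in the thread (shortened): before and after STARTTLS.
PRE_TLS = ("* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ IDLE STARTTLS "
           "LOGINDISABLED AUTH=DIGEST-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED")
POST_TLS = ("* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ IDLE AUTH=PLAIN "
            "AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR LISTEXT LIST-SUBSCRIBED")

def parse_capability(line):
    """Split an untagged CAPABILITY response into (words, AUTH= mechanisms)."""
    words = line.split()
    if words[:2] == ["*", "CAPABILITY"]:
        words = words[2:]
    mechs = {w[len("AUTH="):].upper() for w in words if w.startswith("AUTH=")}
    return set(words), mechs

def auth_allowed(mech, tls_bits, minimum_layer):
    """(allowed, ssf): the TLS cipher strength if a layer is up, otherwise the
    mechanism's own SSF, compared against sasl_minimum_layer."""
    ssf = tls_bits if tls_bits else MECH_SSF.get(mech.upper(), 0)
    return ssf >= minimum_layer, ssf

def explain(line, tls_bits=0, minimum_layer=128):
    """Summarise what a client may do given this CAPABILITY line and layer."""
    caps, mechs = parse_capability(line)
    return {
        "starttls_offered": "STARTTLS" in caps,     # layer not up yet
        "login_disabled": "LOGINDISABLED" in caps,  # no LOGIN without a layer
        "usable_mechs": sorted(m for m in mechs
                               if auth_allowed(m, tls_bits, minimum_layer)[0]),
    }

def capability_over_starttls(host, port=143, cafile=None):
    """Live check (like imtest on 143): CAPABILITY before and after STARTTLS.
    host and cafile are placeholders for the reader's own server and CA."""
    conn = imaplib.IMAP4(host, port)
    before = conn.capabilities
    conn.starttls(ssl.create_default_context(cafile=cafile))
    after = conn.capabilities       # imaplib re-reads CAPABILITY after the handshake
    conn.logout()
    return before, after
```

Running explain(PRE_TLS) shows only DIGEST-MD5 clearing a 128 minimum before TLS, while explain(POST_TLS, tls_bits=256) shows all three mechanisms usable under AES256-SHA, which is the imtest behaviour richard observed.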