Thanks for the quick response Ellie. Appending /tls to the defined port worked and replication over TLS appears to work fine. This will come in quite handy where private links are not possible or cost prohibitive. I haven’t tested this in anger or attempted to get mutual authentication working, but if I can get it functioning and tested as desired, I will feed some “how tos” back.

Interesting that appending /tls was the toggle, who would have thought ;) Thanks for the observation on versioning. It turns out that the version that ships with the @appstream repo is well behind in its versioning. I’ll definitely be taking the time to re-compile/build using the latest version. Probably steering away from CentOS 8 at this point, seems like it’s going to be more problematic than it’s worth.

cyrus-imapd.x86_64 3.0.7-19.el8 @appstream

Appreciate the quick response, will feed any doc improvements through as I go along.

Cheers,
Andrew

> On 19/05/2021, at 12:15 PM, ellie timoney <[email protected]> wrote:
>
> Hi,
>
> I haven't seen "fossies.org" before, but the canonical 3.4.1 sync_client source can be found here:
> https://github.com/cyrusimap/cyrus-imapd/blob/cyrus-imapd-3.4.1/imap/sync_client.c
>
> But you won't find TLS handling code in that file, because it just calls down to backend_connect() to do the heavy lifting, which is in:
> https://github.com/cyrusimap/cyrus-imapd/blob/cyrus-imapd-3.4.1/imap/backend.c
>
> It looks like if you provide a "/tls" flag in the port/service name specification, then it will try to do TLS. So where you've specified "993", maybe "993/tls" will do the trick? It looks like "noauth" is another possible flag here, which is news to me. Some of this stuff isn't very well documented, sorry.
>
> I think we might assume that replication mostly occurs over a private network -- either a physical one within the same datacentre, or over VPN to a remote one -- but if you don't have these luxuries it makes sense that you'd want to use TLS for the connection. I don't know if anyone is using it like this, but it ought to work fine since it just uses the same backend module as everything else. If you get it working, it'd be great if you could send through some notes that we could integrate into the docs!
>
> > 3.0.7-19.el8 Fedora server ready
>
> Ohhh... it's interesting that you're looking at the 3.4.1 sources, but actually running 3.0.7. Everything I've described above _should_ work for 3.0, as in, I don't believe the /tls flag is a new feature (otherwise I'd probably recognise it). But I've been looking at the 3.4.1 sources, not the 3.0.7 ones, so your mileage may vary. For what it's worth, 3.0.7 is two major releases out of date (the current stable series is 3.4; the previous stable series was 3.2). If you can manage to run something newer, you should.
>
> Cheers,
>
> ellie
>
> On Tue, 18 May 2021, at 5:17 AM, andrewhardy via Info wrote:
>> Hi there,
>>
>> I was hoping to verify with a source of truth whether sync_client embedded within the “Cyrus-imapd-3.4.1.tar.gz” has implicit TLS support. (I assume it came bundled with the Cyrus install - haven’t validated that - CentOS 8).
>> I managed to track down a sync_client.c file found at the URL below and it doesn’t appear to offer starttls or implicit TLS support within the connect code (unless I’m missing something obvious) and it doesn’t appear to make use of the TLS settings contained within the imapd.conf file.
>> - https://fossies.org/linux/cyrus-imapd/imap/sync_client.c
>> Is this a correct assertion or am I missing something obvious? Sync Client is working fine over IMAP TCP/143 but when changed to TCP 993, it fails.
>>
>> Was hoping to get this configured for mutual authentication between Cyrus servers for secure replication given it’s a privileged account being passed over the wire.
>> Is this something that is supported using the sync_client utility at present, or are there alternative Cyrus mailbox synchronisation tools out there that would enable secure transmission of replication data? Unfortunately I cannot find any documentation that would hint at TLS support and I “assumed” that it’d honour the client/server authentication certificates and configuration in imapd.conf. I believe this was an incorrect assumption on my part.
>> I must admit from what I have seen so far, Cyrus is a pretty cool application. Thanks for developing this.
>> ———
>> On the service side, I get the following failure:
>> cyrus/imaps[102032]: imaps TLS negotiation failed: testimapserver [10.0.0.10]
>> On the client side, using openssl s_client -connect testimapserver:993 returns a successful TLSv1.3 connection with Cipher TLS_AES_256_GCM_SHA384, with the server response being:
>> * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=PLAIN AUTH=LOGIN SASL-IR] testimapserver Cyrus IMAP 3.0.7-19.el8 Fedora server ready
>> ———
>> If you could please confirm my suspicion and let me know if TLS support is considered in a potential future release, that would be greatly appreciated. If I’ve got it wrong and it is supported but it’s a configuration issue on my part, apologies.
>>
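A small configuration check for the situation the thread works through, added here as an example (it is not Cyrus code and not part of anyone's post): it parses the port/service spec with the "/tls" and "/noauth" flags as ellie describes them, then reports when replication credentials would leave the host without TLS, or when a bare port 993 would hit the "imaps TLS negotiation failed" error Andrew saw. It assumes the imapd.conf keys sync_host, sync_port, sync_authname and sync_password, that a missing sync_port means the "csync" service, and that "/noauth" skips authentication; those are assumptions, not something the thread confirms.

```python
"""Lint the replication target in a Cyrus imapd.conf for plaintext exposure.

Added example, not Cyrus code. Flag parsing follows the thread's description of
backend_connect() ("/tls", "/noauth" appended to the port/service spec); the
imapd.conf keys and the "csync" default are assumed, not taken from the thread.
"""


def parse_port_spec(spec: str) -> tuple[str, bool, bool]:
    """Split e.g. "993/tls/noauth" into (service, tls, noauth); unknown flags raise."""
    service, *flags = spec.strip().split("/")
    if not service:
        raise ValueError(f"empty port/service in {spec!r}")
    unknown = set(flags) - {"tls", "noauth"}
    if unknown:
        raise ValueError(f"unknown flag(s) {sorted(unknown)} in {spec!r}")
    return service, "tls" in flags, "noauth" in flags


def parse_imapd_conf(text: str) -> dict[str, str]:
    """Minimal imapd.conf reader: 'key: value' lines, '#' comments ignored."""
    conf: dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip()] = value.strip()
    return conf


def check_replication(conf: dict[str, str]) -> list[str]:
    """Return findings for the sync_client connection described by conf."""
    findings = []
    host = conf.get("sync_host", "<unset>")
    service, tls, noauth = parse_port_spec(conf.get("sync_port", "csync"))  # assumed default
    if not tls:
        findings.append(f"replication to {host}:{service} without /tls: "
                        "sync_authname/sync_password cross the wire in clear")
    if noauth:
        findings.append("/noauth set (assumed meaning: no authentication on the sync session)")
    if service == "993" and not tls:
        findings.append("port 993 expects implicit TLS; a plain connect fails with "
                        "'imaps TLS negotiation failed' on the replica")
    return findings


# Constructed samples (not from the thread): the failing setup and the fixed one.
BEFORE = "sync_host: testimapserver\nsync_port: 993\nsync_authname: repl\nsync_password: secret\n"
AFTER = "sync_host: testimapserver\nsync_port: 993/tls\nsync_authname: repl\nsync_password: secret\n"

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, check_replication(parse_imapd_conf(text)) or ["ok"])
```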
