Hi Andrew,
The CA certificate is the same one saslauthd uses to connect to the same
ldap server (AD-DC), at the same location. Hmm, I wonder if user cyrus
can read it? It is owned by root:root (as are all certificates on my
system) but is readable by everyone so this shouldn't be an issue.
/etc/ssl/certs is mostly links, user supplied CA certificates go in
/usr/local/share/ca-certificates and are linked from /etc/ssl/certs
(with read and execute permissions for all), the links I need are
present and have the same permissions as everything else.
I'll break this into 3 parts. First, the SSL/TLS configuration in
imapd.conf for the server side, i.e. for clients connecting to cyrus,
which they do just fine; when everything else is working I will
re-enable TLS_REQUIRED, as it shortens the output to leave it off for
debugging.
*************************************
#
# SSL/TLS Options
#
# File containing the global certificate used for ALL services (imap, pop3,
# lmtp, sieve)
tls_server_cert: /etc/ssl/certs/ssl-cert-snakeoil.pem
# File containing the private key belonging to the global server certificate.
tls_server_key: /etc/ssl/private/ssl-cert-snakeoil.key
# File containing the certificate used for imap. If not specified, the global
# certificate is used. A value of "disabled" will disable SSL/TLS for imap.
#imap_tls_server_cert: /etc/ssl/certs/cyrus-imap.pem
# File containing the private key belonging to the imap-specific server
# certificate. If not specified, the global private key is used. A value of
# "disabled" will disable SSL/TLS for imap.
#imap_tls_server_key: /etc/ssl/private/cyrus-imap.key
# File containing the certificate used for pop3. If not specified, the global
# certificate is used. A value of "disabled" will disable SSL/TLS for pop3.
#pop3_tls_server_cert: /etc/ssl/certs/cyrus-pop3.pem
# File containing the private key belonging to the pop3-specific server
# certificate. If not specified, the global private key is used. A value of
# "disabled" will disable SSL/TLS for pop3.
#pop3_tls_server_key: /etc/ssl/private/cyrus-pop3.key
# File containing the certificate used for lmtp. If not specified, the global
# certificate is used. A value of "disabled" will disable SSL/TLS for lmtp.
#lmtp_tls_server_cert: /etc/ssl/certs/cyrus-lmtp.pem
# File containing the private key belonging to the lmtp-specific server
# certificate. If not specified, the global private key is used. A value of
# "disabled" will disable SSL/TLS for lmtp.
#lmtp_tls_server_key: /etc/ssl/private/cyrus-lmtp.key
# File containing the certificate used for sieve. If not specified, the global
# certificate is used. A value of "disabled" will disable SSL/TLS for sieve.
#sieve_tls_server_cert: /etc/ssl/certs/cyrus-sieve.pem
# File containing the private key belonging to the sieve-specific server
# certificate. If not specified, the global private key is used. A value of
# "disabled" will disable SSL/TLS for sieve.
#sieve_tls_server_key: /etc/ssl/private/cyrus-sieve.key
# File containing one or more Certificate Authority (CA) certificates.
tls_client_ca_file: /etc/ssl/certs/ca-certificates.crt
# Path to directory with certificates of CAs.
tls_client_ca_dir: /etc/ssl/certs
# The length of time (in minutes) that a TLS session will be cached for later
# reuse. The maximum value is 1440 (24 hours), the default. A value of 0 will
# disable session caching.
tls_session_timeout: 1440
# The list of SSL/TLS ciphers to allow, in decreasing order of precedence.
# The format of the string is described in ciphers(1). The Debian default
# selects TLSv1 high-security ciphers only, and removes all anonymous ciphers
# from the list (because they provide no defense against man-in-the-middle
# attacks). It also orders the list so that stronger ciphers come first.
#tls_ciphers: TLSv1.3:TLSv1.2:+TLSv1:+HIGH:!aNULL:@STRENGTH
# Above is our preferred cipher list, but use this one to see if it helps
# get things working
tls_ciphers: TLSv1.3:TLSv1.2:+TLSv1:+HIGH:+MEDIUM:+LOW:+SSLv3:!aNULL:@STRENGTH
# A list of SSL/TLS versions to not disable. Cyrus IMAP SSL/TLS starts
# with all protocols, and subtracts protocols not in this list. Newer
# versions of SSL/TLS will need to be added here to allow them to get
# disabled.
#tls_versions: tls1_0 tls1_1 tls1_2
tls_versions: tls1_0 tls1_1 tls1_2 tls1_3
# The per-protocol requirements below are not mentioned in the man page
# but a global requirement to negotiate TLS before authenticating is
# defined so let's use that since we need to send plain passwords
#tls_required: 1
# Require a client certificate for ALL services (imap, pop3, lmtp, sieve).
#tls_require_cert: false
# Require a client certificate for imap ONLY.
#imap_tls_require_cert: false
# Require a client certificate for pop3 ONLY.
#pop3_tls_require_cert: false
# Require a client certificate for lmtp ONLY.
#lmtp_tls_require_cert: false
# Require a client certificate for sieve ONLY.
#sieve_tls_require_cert: false
*************************************
Secondly the configuration for starttls with ptclient and ldap:
*************************************
##
## Other LDAP items
## This is for AUTHORIZATION, we use saslauthd for AUTHENTICATION
##
# First we need to tell it to use ptloader for authorization
auth_mech: pts
#
# And tell ptloader to use LDAP
pts_module: ldap
ptloader_sock: /var/lib/cyrus/ptclient/ptsock
#
# The defaults for the cache settings should be fine
# db type defaults to twoskip, db_path to configdirectory/ptscache.db
# other settings are only for kerberos module
ptscache_db: twoskip
ptscache_db_path: /var/lib/cyrus/ptclient/ptscache.db
#
# General settings
# Probably also useful to tell cyrus where the LDAP is
#ldap_uri: ldaps://DC.MyCompany.local:636
ldap_uri: ldap://DC.MyCompany.local:389
ldap_bind_dn: a-tested-bind-dn
ldap_password: very-secret
ldap_timeout: 20s
ldap_time_limit: 20s
# Don't attempt SASL for authorization, it is used for authentication already
ldap_sasl: 0
# For start_tls we will need version 3 but it is supposed to select automatically
ldap_version: 3
ldap_start_tls: 1
# Make sure cyrus can find the CA file to accept LDAP servers certificate
# The CA is another windows server in our network
ldap_ca_dir: /etc/ssl/certs/
ldap_ca_file: /etc/ssl/certs/CAserver-CA-Cert.pem
# And ensure that we check the certificate
ldap_verify_peer: 1
# Might also be worth specifying the ciphers we want
ldap_ciphers: TLSv1.3:TLSv1.2:+TLSv1:+HIGH:+MEDIUM:+LOW:+SSLv3:!aNULL:@STRENGTH
ldap_client_cert: /etc/ssl/certs/localhost-client.pem
ldap_client_key: /etc/ssl/private/localhost-client.key
## Set a limit on the number of records for a single query
ldap_size_limit: 100
#
# User lookups
# Set a default search base although it looks like we can set separately for users and groups
# This filter works to make sure the account is a user and not disabled
ldap_base: ou=MyBusiness,dc=MyCompany,dc=local
ldap_scope: sub
ldap_filter: (&(objectClass=person)(sAMAccountName=%u)(!(userAccountControl=514)))
# But let's have a simpler testing filter
#ldap_filter: (sAMAccountName=%U)
#
#
# Groups - we will need these for shared folder ACIs
# Set a filter to identify a group, this one ensures it is a distribution group
# and not a security group
ldap_group_base: ou=DistributionGroups,ou=MyBusiness,dc=MyCompany,dc=local
ldap_group_scope: sub
ldap_group_filter: (&(objectClass=group)(!(groupType=2147483656))(!(groupType=2147483652)))
#
# Method to extract members from the group, this is poorly documented but after much trial and
# error, the 'member' attribute in AD groups contains distinguished names (DNs) so need to
# use a filter to return all of the group names that contain the DN for our supplied username
# in their 'member' attribute. %D is the token for the user dn
# The attribute for the group name we set to 'name' although 'sAMAccountName' returns the
# same value it is a bit confusing when debugging.
ldap_member_base: ou=DistributionGroups,ou=MyBusiness,dc=MyCompany,dc=local
ldap_member_scope: sub
ldap_member_method: filter
ldap_member_filter: (member=%D)
ldap_member_attribute: name
##
##
******************************
The Wireshark dump for a login attempt with these settings looks like this
(TCP, LDAP and TLS output only):
******************************
Transmission Control Protocol, Src Port: 60730, Dst Port: 389, Seq: 0,
Len: 0
Source Port: 60730
Destination Port: 389
[Stream index: 132]
[TCP Segment Len: 0]
Sequence Number: 0 (relative sequence number)
Sequence Number (raw): 3651110048
[Next Sequence Number: 1 (relative sequence number)]
Acknowledgment Number: 0
Acknowledgment number (raw): 0
1010 .... = Header Length: 40 bytes (10)
Flags: 0x002 (SYN)
Window: 64240
[Calculated window size: 64240]
Checksum: 0x8ed7 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (20 bytes), Maximum segment size, SACK permitted,
Timestamps, No-Operation (NOP), Window scale
[Timestamps]
Transmission Control Protocol, Src Port: 389, Dst Port: 60738, Seq: 0,
Ack: 1, Len: 0
Source Port: 389
Destination Port: 60738
[Stream index: 178]
[TCP Segment Len: 0]
Sequence Number: 0 (relative sequence number)
Sequence Number (raw): 440187957
[Next Sequence Number: 1 (relative sequence number)]
Acknowledgment Number: 1 (relative ack number)
Acknowledgment number (raw): 3706155260
1010 .... = Header Length: 40 bytes (10)
Flags: 0x012 (SYN, ACK)
Window: 8192
[Calculated window size: 8192]
Checksum: 0x828a [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (20 bytes), Maximum segment size, No-Operation (NOP),
Window scale, SACK permitted, Timestamps
[SEQ/ACK analysis]
[Timestamps]
Transmission Control Protocol, Src Port: 60736, Dst Port: 389, Seq: 1,
Ack: 1, Len: 0
Source Port: 60736
Destination Port: 389
[Stream index: 177]
[TCP Segment Len: 0]
Sequence Number: 1 (relative sequence number)
Sequence Number (raw): 1642813595
[Next Sequence Number: 1 (relative sequence number)]
Acknowledgment Number: 1 (relative ack number)
Acknowledgment number (raw): 2986324420
1000 .... = Header Length: 32 bytes (8)
Flags: 0x010 (ACK)
Window: 502
[Calculated window size: 64256]
[Window size scaling factor: 128]
Checksum: 0x104d [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
[SEQ/ACK analysis]
[Timestamps]
Transmission Control Protocol, Src Port: 60736, Dst Port: 389, Seq: 1,
Ack: 1, Len: 31
Source Port: 60736
Destination Port: 389
[Stream index: 177]
[TCP Segment Len: 31]
Sequence Number: 1 (relative sequence number)
Sequence Number (raw): 1642813595
[Next Sequence Number: 32 (relative sequence number)]
Acknowledgment Number: 1 (relative ack number)
Acknowledgment number (raw): 2986324420
1000 .... = Header Length: 32 bytes (8)
Flags: 0x018 (PSH, ACK)
Window: 502
[Calculated window size: 64256]
[Window size scaling factor: 128]
Checksum: 0x94e6 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
[SEQ/ACK analysis]
[Timestamps]
TCP payload (31 bytes)
[PDU Size: 31]
Lightweight Directory Access Protocol
LDAPMessage extendedReq(1)
messageID: 1
protocolOp: extendedReq (23)
extendedReq
requestName: 1.3.6.1.4.1.1466.20037 (LDAP_START_TLS_OID)
[Response In: 21557]
Transmission Control Protocol, Src Port: 389, Dst Port: 60736, Seq: 1,
Ack: 32, Len: 46
Source Port: 389
Destination Port: 60736
[Stream index: 177]
[TCP Segment Len: 46]
Sequence Number: 1 (relative sequence number)
Sequence Number (raw): 2986324420
[Next Sequence Number: 47 (relative sequence number)]
Acknowledgment Number: 32 (relative ack number)
Acknowledgment number (raw): 1642813626
1000 .... = Header Length: 32 bytes (8)
Flags: 0x018 (PSH, ACK)
Window: 514
[Calculated window size: 131584]
[Window size scaling factor: 256]
Checksum: 0x82b0 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
[SEQ/ACK analysis]
[Timestamps]
TCP payload (46 bytes)
[PDU Size: 46]
Lightweight Directory Access Protocol
LDAPMessage extendedResp(1)
messageID: 1
protocolOp: extendedResp (24)
extendedResp
resultCode: success (0)
matchedDN:
errorMessage:
responseName: 1.3.6.1.4.1.1466.20037 (LDAP_START_TLS_OID)
[Response To: 21556]
[Time: 0.000220000 seconds]
Transmission Control Protocol, Src Port: 60736, Dst Port: 389, Seq: 32,
Ack: 47, Len: 0
Source Port: 60736
Destination Port: 389
[Stream index: 177]
[TCP Segment Len: 0]
Sequence Number: 32 (relative sequence number)
Sequence Number (raw): 1642813626
[Next Sequence Number: 32 (relative sequence number)]
Acknowledgment Number: 47 (relative ack number)
Acknowledgment number (raw): 2986324466
1000 .... = Header Length: 32 bytes (8)
Flags: 0x010 (ACK)
Window: 502
[Calculated window size: 64256]
[Window size scaling factor: 128]
Checksum: 0x0fff [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
[SEQ/ACK analysis]
[Timestamps]
Transmission Control Protocol, Src Port: 60736, Dst Port: 389, Seq: 32,
Ack: 47, Len: 7
Source Port: 60736
Destination Port: 389
[Stream index: 177]
[TCP Segment Len: 7]
Sequence Number: 32 (relative sequence number)
Sequence Number (raw): 1642813626
[Next Sequence Number: 39 (relative sequence number)]
Acknowledgment Number: 47 (relative ack number)
Acknowledgment number (raw): 2986324466
1000 .... = Header Length: 32 bytes (8)
Flags: 0x018 (PSH, ACK)
Window: 502
[Calculated window size: 64256]
[Window size scaling factor: 128]
Checksum: 0xdba7 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
[SEQ/ACK analysis]
[Timestamps]
TCP payload (7 bytes)
Transport Layer Security
Transmission Control Protocol, Src Port: 60736, Dst Port: 389, Seq: 39,
Ack: 47, Len: 0
Source Port: 60736
Destination Port: 389
[Stream index: 177]
[TCP Segment Len: 0]
Sequence Number: 39 (relative sequence number)
Sequence Number (raw): 1642813633
[Next Sequence Number: 40 (relative sequence number)]
Acknowledgment Number: 47 (relative ack number)
Acknowledgment number (raw): 2986324466
1000 .... = Header Length: 32 bytes (8)
Flags: 0x011 (FIN, ACK)
Window: 502
[Calculated window size: 64256]
[Window size scaling factor: 128]
Checksum: 0x0ff7 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
[Timestamps]
Transmission Control Protocol, Src Port: 389, Dst Port: 60736, Seq: 47,
Ack: 40, Len: 0
Source Port: 389
Destination Port: 60736
[Stream index: 177]
[TCP Segment Len: 0]
Sequence Number: 47 (relative sequence number)
Sequence Number (raw): 2986324466
[Next Sequence Number: 47 (relative sequence number)]
Acknowledgment Number: 40 (relative ack number)
Acknowledgment number (raw): 1642813634
1000 .... = Header Length: 32 bytes (8)
Flags: 0x010 (ACK)
Window: 514
[Calculated window size: 131584]
[Window size scaling factor: 256]
Checksum: 0x8282 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
[SEQ/ACK analysis]
[Timestamps]
Transmission Control Protocol, Src Port: 389, Dst Port: 60736, Seq: 47,
Ack: 40, Len: 0
Source Port: 389
Destination Port: 60736
[Stream index: 177]
[TCP Segment Len: 0]
Sequence Number: 47 (relative sequence number)
Sequence Number (raw): 2986324466
[Next Sequence Number: 47 (relative sequence number)]
Acknowledgment Number: 40 (relative ack number)
Acknowledgment number (raw): 1642813634
0101 .... = Header Length: 20 bytes (5)
Flags: 0x014 (RST, ACK)
Window: 0
[Calculated window size: 0]
[Window size scaling factor: 256]
Checksum: 0x8276 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
[Timestamps]
*************************************
Notice there is nothing showing under TLS in the 7th packet, which I
would expect to be a TLS Client Hello, looking at the packets produced by
ldapsearch when using -ZZ for starttls.
And for the 3rd part, the imapd.conf re-commented to use ldaps instead of
start_tls:
*************************************
##
## Other LDAP items
## This is for AUTHORIZATION, we use saslauthd for AUTHENTICATION
##
# First we need to tell it to use ptloader for authorization
auth_mech: pts
#
# And tell ptloader to use LDAP
pts_module: ldap
ptloader_sock: /var/lib/cyrus/ptclient/ptsock
#
# The defaults for the cache settings should be fine
# db type defaults to twoskip, db_path to configdirectory/ptscache.db
# other settings are only for kerberos module
ptscache_db: twoskip
ptscache_db_path: /var/lib/cyrus/ptclient/ptscache.db
#
# General settings
# Probably also useful to tell cyrus where the LDAP is
ldap_uri: ldaps://DC.MyCompany.local:636
#ldap_uri: ldap://DC.MyCompany.local:389
ldap_bind_dn: a-tested-bind-dn
ldap_password: very-secret
ldap_timeout: 20s
ldap_time_limit: 20s
# Don't attempt SASL for authorization, it is used for authentication already
ldap_sasl: 0
# For start_tls we will need version 3 but it is supposed to select automatically
#ldap_version: 3
#ldap_start_tls: 1
# Make sure cyrus can find the CA file to accept LDAP servers certificate
# The CA is another windows server in our network
ldap_ca_dir: /etc/ssl/certs/
ldap_ca_file: /etc/ssl/certs/CAserver-CA-Cert.pem
# And ensure that we check the certificate
ldap_verify_peer: 1
# Might also be worth specifying the ciphers we want
ldap_ciphers: TLSv1.3:TLSv1.2:+TLSv1:+HIGH:+MEDIUM:+LOW:+SSLv3:!aNULL:@STRENGTH
ldap_client_cert: /etc/ssl/certs/localhost-client.pem
ldap_client_key: /etc/ssl/private/localhost-client.key
## Set a limit on the number of records for a single query
ldap_size_limit: 100
#
# User lookups
# Set a default search base although it looks like we can set separately for users and groups
# This filter works to make sure the account is a user and not disabled
ldap_base: ou=MyBusiness,dc=MyCompany,dc=local
ldap_scope: sub
ldap_filter: (&(objectClass=person)(sAMAccountName=%u)(!(userAccountControl=514)))
# But let's have a simpler testing filter
#ldap_filter: (sAMAccountName=%U)
#
#
# Groups - we will need these for shared folder ACIs
# Set a filter to identify a group, this one ensures it is a distribution group
# and not a security group
ldap_group_base: ou=DistributionGroups,ou=MyBusiness,dc=MyCompany,dc=local
ldap_group_scope: sub
ldap_group_filter: (&(objectClass=group)(!(groupType=2147483656))(!(groupType=2147483652)))
#
# Method to extract members from the group, this is poorly documented but after much trial and
# error, the 'member' attribute in AD groups contains distinguished names (DNs) so need to
# use a filter to return all of the group names that contain the DN for our supplied username
# in their 'member' attribute. %D is the token for the user dn
# The attribute for the group name we set to 'name' although 'sAMAccountName' returns the
# same value it is a bit confusing when debugging.
ldap_member_base: ou=DistributionGroups,ou=MyBusiness,dc=MyCompany,dc=local
ldap_member_scope: sub
ldap_member_method: filter
ldap_member_filter: (member=%D)
ldap_member_attribute: name
##
##
*************************************
Followed by the Wireshark dump when using these settings:
*************************************
Transmission Control Protocol, Src Port: 33954, Dst Port: 636, Seq: 0,
Len: 0
Source Port: 33954
Destination Port: 636
[Stream index: 1]
[TCP Segment Len: 0]
Sequence Number: 0 (relative sequence number)
Sequence Number (raw): 4008815861
[Next Sequence Number: 1 (relative sequence number)]
Acknowledgment Number: 0
Acknowledgment number (raw): 0
1010 .... = Header Length: 40 bytes (10)
Flags: 0x002 (SYN)
Window: 64240
[Calculated window size: 64240]
Checksum: 0x6076 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (20 bytes), Maximum segment size, SACK permitted,
Timestamps, No-Operation (NOP), Window scale
[Timestamps]
Transmission Control Protocol, Src Port: 636, Dst Port: 33954, Seq: 0,
Ack: 1, Len: 0
Source Port: 636
Destination Port: 33954
[Stream index: 1]
[TCP Segment Len: 0]
Sequence Number: 0 (relative sequence number)
Sequence Number (raw): 1061013048
[Next Sequence Number: 1 (relative sequence number)]
Acknowledgment Number: 1 (relative ack number)
Acknowledgment number (raw): 4008815862
1010 .... = Header Length: 40 bytes (10)
Flags: 0x012 (SYN, ACK)
Window: 8192
[Calculated window size: 8192]
Checksum: 0x828a [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (20 bytes), Maximum segment size, No-Operation (NOP),
Window scale, SACK permitted, Timestamps
[SEQ/ACK analysis]
[Timestamps]
Transmission Control Protocol, Src Port: 33954, Dst Port: 636, Seq: 1,
Ack: 1, Len: 0
Source Port: 33954
Destination Port: 636
[Stream index: 1]
[TCP Segment Len: 0]
Sequence Number: 1 (relative sequence number)
Sequence Number (raw): 4008815862
[Next Sequence Number: 1 (relative sequence number)]
Acknowledgment Number: 1 (relative ack number)
Acknowledgment number (raw): 1061013049
1000 .... = Header Length: 32 bytes (8)
Flags: 0x010 (ACK)
Window: 502
[Calculated window size: 64256]
[Window size scaling factor: 128]
Checksum: 0x9547 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
[SEQ/ACK analysis]
[Timestamps]
Transmission Control Protocol, Src Port: 33954, Dst Port: 636, Seq: 1,
Ack: 1, Len: 0
Source Port: 33954
Destination Port: 636
[Stream index: 1]
[TCP Segment Len: 0]
Sequence Number: 1 (relative sequence number)
Sequence Number (raw): 4008815862
[Next Sequence Number: 2 (relative sequence number)]
Acknowledgment Number: 1 (relative ack number)
Acknowledgment number (raw): 1061013049
1000 .... = Header Length: 32 bytes (8)
Flags: 0x011 (FIN, ACK)
Window: 502
[Calculated window size: 64256]
[Window size scaling factor: 128]
Checksum: 0x9546 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
[Timestamps]
Transmission Control Protocol, Src Port: 636, Dst Port: 33954, Seq: 1,
Ack: 2, Len: 0
Source Port: 636
Destination Port: 33954
[Stream index: 1]
[TCP Segment Len: 0]
Sequence Number: 1 (relative sequence number)
Sequence Number (raw): 1061013049
[Next Sequence Number: 1 (relative sequence number)]
Acknowledgment Number: 2 (relative ack number)
Acknowledgment number (raw): 4008815863
1000 .... = Header Length: 32 bytes (8)
Flags: 0x010 (ACK)
Window: 514
[Calculated window size: 131584]
[Window size scaling factor: 256]
Checksum: 0x8282 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
[SEQ/ACK analysis]
[Timestamps]
Transmission Control Protocol, Src Port: 636, Dst Port: 33954, Seq: 1,
Ack: 2, Len: 0
Source Port: 636
Destination Port: 33954
[Stream index: 1]
[TCP Segment Len: 0]
Sequence Number: 1 (relative sequence number)
Sequence Number (raw): 1061013049
[Next Sequence Number: 1 (relative sequence number)]
Acknowledgment Number: 2 (relative ack number)
Acknowledgment number (raw): 4008815863
0101 .... = Header Length: 20 bytes (5)
Flags: 0x014 (RST, ACK)
Window: 0
[Calculated window size: 0]
[Window size scaling factor: 256]
Checksum: 0x8276 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
[Timestamps]
*************************************
Again, comparing with an ldapsearch using ldaps, I would expect the 4th
packet to be a TLS Client Hello, not FIN, ACK.
I have tried all sorts of combinations, turning different options off and
back on, to no avail, and re-read every line many times looking for typos,
but I'm at that point where I won't see them now even if they are really
obvious!
Thanks for all your help
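The StartTLS exchange in the first capture above (a 31-byte ExtendedRequest, a successful ExtendedResponse, then a 7-byte TLS record instead of a ClientHello), reproduced as an added example that is not part of the original post or of Cyrus/ptloader. It rebuilds the request from the BER definitions in RFC 4511, parses a constructed success response, classifies whatever TLS record a client sends first (a 7-byte record can only be an alert: 5-byte header plus 2-byte body, far too short for a ClientHello), and can run the same exchange live with certificate verification so that any CA-file or cipher problem surfaces as a Python exception rather than a silent FIN. The host, port and CA path in run_live() are taken from the imapd.conf above and are placeholders; run it as the cyrus user to exercise the same file permissions ptloader would see.

```python
"""LDAP StartTLS diagnostic: build/parse the LDAPv3 extended operation and
classify the first TLS record. Added example; not Cyrus or ptloader code."""
import socket
import ssl

START_TLS_OID = b"1.3.6.1.4.1.1466.20037"   # LDAP_START_TLS_OID (RFC 4511, 4.14)


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def build_start_tls_request(message_id=1):
    """LDAPMessage { messageID INTEGER, ExtendedRequest [APPLICATION 23] { requestName [0] } }.
    With messageID 1 this is exactly 31 bytes, matching the capture."""
    msg_id = ber_tlv(0x02, bytes([message_id]))
    ext_req = ber_tlv(0x77, ber_tlv(0x80, START_TLS_OID))  # 0x77 = APPLICATION 23, constructed
    return ber_tlv(0x30, msg_id + ext_req)                 # outer SEQUENCE


def ber_read(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(buf):
    """Decode an ExtendedResponse [APPLICATION 24]: resultCode, matchedDN,
    errorMessage and the optional [10] responseName."""
    tag, body, _ = ber_read(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, pos = ber_read(body, 0)
    tag, resp, _ = ber_read(body, pos)
    if tag != 0x78:
        raise ValueError("protocolOp is not extendedResp (24), got 0x%02x" % tag)
    _, code, pos = ber_read(resp, 0)
    _, matched, pos = ber_read(resp, pos)
    _, err, pos = ber_read(resp, pos)
    name = None
    while pos < len(resp):                      # [10] responseName, [11] responseValue
        tag, val, pos = ber_read(resp, pos)
        if tag == 0x8A:
            name = val
    return {"message_id": int.from_bytes(msg_id, "big"),
            "result_code": int.from_bytes(code, "big"),
            "matched_dn": matched.decode(), "error_message": err.decode(),
            "response_name": name}


def build_extended_response(message_id=1, result_code=0, error=b"", name=START_TLS_OID):
    """Constructed server reply in the shape of the capture's 'success (0)' response."""
    inner = ber_tlv(0x0A, bytes([result_code])) + ber_tlv(0x04, b"") + ber_tlv(0x04, error)
    if name is not None:
        inner += ber_tlv(0x8A, name)
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + ber_tlv(0x78, inner))


def classify_tls_record(data):
    """Name the first TLS record a client sent. A working StartTLS continues
    with a 'handshake' record (the ClientHello); a 7-byte record is an alert."""
    types = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
    if len(data) < 5:
        return "truncated"
    rec_len = int.from_bytes(data[3:5], "big")
    kind = types.get(data[0], "unknown")
    if kind == "alert" and rec_len == 2 and len(data) == 7:
        return "alert(level=%d, description=%d)" % (data[5], data[6])
    return kind


def run_live(host="DC.MyCompany.local", port=389,
             cafile="/etc/ssl/certs/CAserver-CA-Cert.pem"):
    """StartTLS followed by a verified handshake, as ptloader should do it.
    Placeholders: host/port/cafile come from the posted imapd.conf."""
    ctx = ssl.create_default_context(cafile=cafile)   # raises if the CA file is unreadable
    with socket.create_connection((host, port), timeout=20) as sock:
        sock.sendall(build_start_tls_request())
        resp = parse_extended_response(sock.recv(4096))
        if resp["result_code"] != 0:
            raise RuntimeError("StartTLS refused: %r" % resp)
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()["subject"]
```

If run_live() raises before the handshake, the failure is on the client side (CA file, permissions, cipher string), which is what a StartTLS success followed by a 7-byte TLS record and a FIN looks like on the wire.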
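A second added example, not from the original post or from Cyrus, on the AD-specific authorization filters in the imapd.conf above (ldap_filter and ldap_group_filter). Both posted filters test a flag word with an equality match: `(!(userAccountControl=514))` excludes only accounts whose value is exactly 514 (NORMAL_ACCOUNT 0x200 | ACCOUNTDISABLE 0x2), and the group filter excludes two specific security groupType values. The code below evaluates the posted filters and the bitwise form using Active Directory's LDAP_MATCHING_RULE_BIT_AND (OID 1.2.840.113556.1.4.803) against constructed entries, so the difference is visible; note also that AD returns groupType as a signed 32-bit integer, so security groups appear with negative values in ldapsearch output, which the bitwise rule sidesteps. The entries are invented for the demonstration.

```python
"""Compare equality-based AD filters with the bitwise matching rule.
Added example, not part of the original post or of Cyrus."""

# userAccountControl and groupType flag bits as documented by Microsoft
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWD = 0x10000
GROUP_SECURITY_ENABLED = 0x80000000
GROUP_GLOBAL, GROUP_DOMAIN_LOCAL, GROUP_UNIVERSAL = 0x2, 0x4, 0x8

BIT_AND_RULE = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND

# Constructed sample entries (not real accounts or groups)
USERS = [
    {"sAMAccountName": "alice", "objectClass": "person",
     "userAccountControl": NORMAL_ACCOUNT},                                    # 512, enabled
    {"sAMAccountName": "bob", "objectClass": "person",
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},                   # 514, disabled
    {"sAMAccountName": "carol", "objectClass": "person",
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWD},  # 66050, disabled
]
GROUPS = [
    {"name": "all-staff", "objectClass": "group", "groupType": GROUP_UNIVERSAL},
    {"name": "dl-sec", "objectClass": "group",
     "groupType": GROUP_SECURITY_ENABLED | GROUP_DOMAIN_LOCAL},   # 2147483652, excluded by post
    {"name": "global-sec", "objectClass": "group",
     "groupType": GROUP_SECURITY_ENABLED | GROUP_GLOBAL},         # 2147483650, not in the post
]


def posted_user_filter(entry, username):
    """(&(objectClass=person)(sAMAccountName=%u)(!(userAccountControl=514)))"""
    return (entry["objectClass"] == "person" and entry["sAMAccountName"] == username
            and entry["userAccountControl"] != 514)


def bitwise_user_filter(entry, username):
    """(&(objectClass=person)(sAMAccountName=%u)(!(userAccountControl:<rule>:=2)))"""
    return (entry["objectClass"] == "person" and entry["sAMAccountName"] == username
            and not entry["userAccountControl"] & ACCOUNTDISABLE)


def posted_group_filter(entry):
    """(&(objectClass=group)(!(groupType=2147483656))(!(groupType=2147483652)))"""
    return entry["objectClass"] == "group" and entry["groupType"] not in (2147483656, 2147483652)


def bitwise_group_filter(entry):
    """(&(objectClass=group)(!(groupType:<rule>:=2147483648)))"""
    return entry["objectClass"] == "group" and not entry["groupType"] & GROUP_SECURITY_ENABLED


def enabled_users(filter_fn):
    """Usernames each filter would authorize when looked up by their own name."""
    return sorted(u["sAMAccountName"] for u in USERS if filter_fn(u, u["sAMAccountName"]))


def distribution_groups(filter_fn):
    return sorted(g["name"] for g in GROUPS if filter_fn(g))


def ldap_filter_strings():
    """The bitwise filters written out for imapd.conf (%u is ptloader's token)."""
    return {
        "ldap_filter": "(&(objectClass=person)(sAMAccountName=%%u)(!(userAccountControl:%s:=%d)))"
                       % (BIT_AND_RULE, ACCOUNTDISABLE),
        "ldap_group_filter": "(&(objectClass=group)(!(groupType:%s:=%d)))"
                             % (BIT_AND_RULE, GROUP_SECURITY_ENABLED),
    }


if __name__ == "__main__":
    for label, fn in (("posted", posted_user_filter), ("bitwise", bitwise_user_filter)):
        print("%-8s users authorized: %s" % (label, enabled_users(fn)))
    for label, fn in (("posted", posted_group_filter), ("bitwise", bitwise_group_filter)):
        print("%-8s distribution groups: %s" % (label, distribution_groups(fn)))
    print(ldap_filter_strings())
```

With the constructed entries, the posted user filter still authorizes "carol" (disabled, but with an extra flag set), and the posted group filter still treats the global security group as a distribution group; the bitwise forms exclude both.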
On 21/06/2021 19:57, AndrewHardy via Info wrote:
Hi Jim,
No worries, understand your requirement to keep it confidential. Have
you confirmed whether the CA certificate can be found/read?
Also wondering if you could perhaps just share the ldap configuration
lines (cat imapd.conf | grep "ldap_").
I'm curious if you have ldap_start_tls: configured, e.g. have you tried
toggling starttls no/yes, direct tls/ssl, and curious if ldap_servers:
ldap://ldap.server or ldaps://ldap.server, to see if behaviour changes
with different combinations?
Regards
Andrew
On 22/06/2021, at 03:24, [email protected] wrote:
Hi Andrew,
I didn't have client certificate and key configured because I assumed
ptclient would be happy just verifying the server certificate (the CA
cert for it is installed and properly referenced in imapd.conf) the
same as saslauthd and ldapsearch manage with. The other parameters
are all configured and as far as I can see correct, i.e. the
directory and file parameters point to the correct directory and file
for the CA certificate.
In case the client cert and key were needed, I tried initially with
the snakeoil cert and key (no difference) and then just in case that
wasn't set up as a client cert, I created a new request and generated
a new client/server certificate on my windows CA which I re-exported
and is now in the correct location and referenced properly in
imapd.conf, but still no change to how either ldaps, or starttls are
failing.
I could share the entire imapd.conf, but it is debian based so has a
lot of comments and a lot of commented out options before you even
get to the authorization section and I will need to be really careful
to modify anything company specific, so I am trying not to share it,
but will if it is the only way.
Thanks
Jim
------------------------------------------
Cyrus: Info
Permalink:
https://cyrus.topicbox.com/groups/info/T1c604a219c5fa805-Ma262c69b1dc4c06331763f67
Delivery options: https://cyrus.topicbox.com/groups/info/subscription