----- Message from Ezsra McDonald <[email protected]> ---------
    Date: Tue, 19 Oct 2021 15:12:35 -0500
    From: Ezsra McDonald <[email protected]>
Reply-To: Info <[email protected]>
Subject: cyradm TLS issues
      To: Info <[email protected]>

SYSTEM INFORMATION:
   OS: CentOS 7
   Cyrus-Imap: RPM = cyrus-imapd-2.4.17-15.el7.x86_64

TLS CONFIGURATION:
   tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
   tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.key
   tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
   tls_cipher_list: HIGH:!aNULL:!eNULL:!LOW:!MD5:!EXPORT:!DES:!3DES:!RC4:@STRENGTH
   tls_prefer_server_ciphers: 1
   tls_versions: tls1_2
   #tls_versions: tls1_0 tls1_1 tls1_2

PROBLEM:
   When I attempt to log in using cyradm I get SSL/TLS errors. The only way I have been able to get this to work was to enable TLS version 1.0. Security team won't allow less than TLS1.2 and I am not able to move to a newer OS at this time. Is there a way to get it working on CentOS 7 with TLSv1.2 or later? Maybe I need different ciphers?

   If I uncomment the last line I am able to connect and log in.
   tls_versions: tls1_0 tls1_1 tls1_2

ERRORS:
   :~$ cyradm --user cyrus --tlskey --auth plain  localhost
   [ SSL_connect error -1 ]
   [ SSL session removed ]
   [ TLS negotiation did not succeed ]

LOGS: With only TLSv1.2 enabled
   imap[]: STARTTLS negotiation failed: localhost [127.0.0.1]

LOGS: With TLSv1.0 enabled
   imap[]: starttls: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits new) no authentication

Any assistance is appreciated.
--Ez
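Two checks that separate the server side of this problem from the cyradm client side, as an added example that is not part of the thread and not Cyrus project code. The first lints the imapd.conf TLS settings (the config text below is constructed from the lines quoted in the post) and reports any enabled tls_versions token below TLS 1.2, honouring the fact that a "#" line is inactive. The second performs an IMAP STARTTLS handshake pinned to one TLS version at a time and reports what the running imapd actually negotiates, independently of whatever cyradm's own TLS library does; the host and port, and the mapping from tls_versions tokens to ssl module versions, are assumptions.

```python
"""Diagnostics for the STARTTLS failure described above.

Added example; not code from the thread or from the Cyrus project. The config
text is constructed from the settings quoted in the post; HOST/PORT below are
assumptions for the probe.
"""
import socket
import ssl

# Constructed from the imapd.conf lines quoted in the post. The commented-out
# tls_versions line is the one the poster uncomments to make cyradm connect.
SAMPLE_IMAPD_CONF = """\
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.key
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
tls_cipher_list: HIGH:!aNULL:!eNULL:!LOW:!MD5:!EXPORT:!DES:!3DES:!RC4:@STRENGTH
tls_prefer_server_ciphers: 1
tls_versions: tls1_2
#tls_versions: tls1_0 tls1_1 tls1_2
"""

# Protocol versions below TLS 1.2, which the poster's security team rejects.
WEAK_TLS = {"ssl3", "tls1_0", "tls1_1"}

# imapd.conf tls_versions tokens -> ssl module versions (assumed mapping).
PROTO = {
    "tls1_0": ssl.TLSVersion.TLSv1,
    "tls1_1": ssl.TLSVersion.TLSv1_1,
    "tls1_2": ssl.TLSVersion.TLSv1_2,
    "tls1_3": ssl.TLSVersion.TLSv1_3,
}


def parse_imapd_conf(text):
    """Return {key: value} for active 'key: value' lines; '#' lines are ignored
    and a later duplicate key overrides an earlier one."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip()
    return conf


def weak_tls_versions(conf):
    """Enabled tls_versions tokens that are below TLS 1.2, as a sorted list."""
    enabled = set(conf.get("tls_versions", "").split())
    return sorted(enabled & WEAK_TLS)


def read_line(sock):
    """Read one CRLF-terminated IMAP line from a socket."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf.decode("utf-8", "replace")


def read_tagged(sock, tag):
    """Skip untagged (*) lines until the tagged response for `tag` arrives."""
    while True:
        line = read_line(sock)
        if line.startswith(tag + " "):
            return line.rstrip()


def probe_starttls(host, port, version, cafile=None, verify=True, timeout=5.0):
    """Run IMAP STARTTLS pinned to a single TLS version.

    Returns (True, "TLSv1.2 <cipher>") on success or (False, error text).
    verify=False only disables certificate checks so that a protocol/cipher
    failure can be told apart from a trust failure; it is a diagnostic switch."""
    try:
        ctx = ssl.create_default_context(cafile=cafile)
        if not verify:
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = PROTO[version]   # may raise if the local OpenSSL
        ctx.maximum_version = PROTO[version]   # no longer supports the version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            read_line(sock)                     # "* OK ..." server greeting
            sock.sendall(b"a1 STARTTLS\r\n")
            reply = read_tagged(sock, "a1")
            if not reply.startswith("a1 OK"):
                return False, reply
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                detail = "%s %s" % (tls.version(), tls.cipher()[0])
                tls.sendall(b"a2 LOGOUT\r\n")
                return True, detail
    except (ssl.SSLError, OSError, ValueError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    conf = parse_imapd_conf(SAMPLE_IMAPD_CONF)
    print("weak versions enabled in config:", weak_tls_versions(conf) or "none")
    HOST, PORT = "localhost", 143               # assumed location of imapd
    for v in ("tls1_0", "tls1_1", "tls1_2", "tls1_3"):
        ok, detail = probe_starttls(HOST, PORT, v, cafile=conf.get("tls_ca_file"))
        print("%-6s %s %s" % (v, "OK  " if ok else "FAIL", detail))
```

Reading the output: if the config lint reports no weak version and the tls1_2 probe succeeds, the server can complete a TLS 1.2 STARTTLS handshake with the configured cipher list, and the remaining question is what the cyradm side offers; if the tls1_2 probe fails while tls1_0 succeeds, the server's own TLS setup (cipher list, certificate and key, or the OpenSSL build behind this imapd) is what to inspect next.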

Your error shows you are connecting from localhost. Why use TLS on localhost... does the Security team insist on an encrypted connection on localhost? Seems like overkill.

I run a separate IMAPD with a separate config file with 'allowplaintext: yes' which listens only to localhost connections for just this purpose. Even if you need to connect remotely, an SSH session to localhost, which is easy to secure, will sort that out.

Simon.


 ___________
Simon Wilson
M: 0400 12 11 16
