Simon, Thanks for the response. I will give your solution a try. --Ez
On Tue, Oct 19, 2021 at 4:49 PM Simon Wilson via Info <[email protected]> wrote:

> ----- Message from Ezsra McDonald <[email protected]> ---------
> Date: Tue, 19 Oct 2021 15:12:35 -0500
> From: Ezsra McDonald <[email protected]>
> Reply-To: Info <[email protected]>
> Subject: cyradm TLS issues
> To: Info <[email protected]>
>
> SYSTEM INFORMATION:
> OS: CentOS 7
> Cyrus-Imap: RPM = cyrus-imapd-2.4.17-15.el7.x86_64
>
> TLS CONFIGURATION:
> tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
> tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.key
> tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
> tls_cipher_list: HIGH:!aNULL:!eNULL:!LOW:!MD5:!EXPORT:!DES:!3DES:!RC4:@STRENGTH
> tls_prefer_server_ciphers: 1
> tls_versions: tls1_2
> #tls_versions: tls1_0 tls1_1 tls1_2
>
> PROBLEM:
> When I attempt to login using cyradm I get SSL/TLS errors. The only way I have been able to get this to work was to enable TLS version 1.0. Security team won't allow less than TLS1.2 and I am not able to move to a newer OS at this time. Is there a way to get it working on CentOS 7 with TLSv1.2 or later? Maybe I need different ciphers?
>
> If I uncomment the last line I am able to connect and login.
> tls_versions: tls1_0 tls1_1 tls1_2
>
> ERRORS:
> :~$ cyradm --user cyrus --tlskey --auth plain localhost
> [ SSL_connect error -1 ]
> [ SSL session removed ]
> [ TLS negotiation did not succeed ]
>
> LOGS: With only TLSv1.2 enabled
> imap[]: STARTTLS negotiation failed: localhost [127.0.0.1]
>
> LOGS: With TLSv1.0 enabled
> imap[]: starttls: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits new) no authentication
>
> Any assistance is appreciated.
> --Ez
>
> Your error shows you are connecting from localhost. Why use TLS on localhost... do the Security team insist on encrypted connection on localhost? Seems like overkill.
>
> I run a separate IMAPD with a separate config file with 'allowplaintext: yes' which listens only to localhost connections for just this purpose. Even if you need to connect remotely, an SSH session to localhost which is easy to secure will sort that out.
>
> Simon.
> ___________
> Simon Wilson
> M: 0400 12 11 16
> Cyrus <https://cyrus.topicbox.com/latest> / Info / see discussions <https://cyrus.topicbox.com/groups/info> + participants <https://cyrus.topicbox.com/groups/info/members> + delivery options <https://cyrus.topicbox.com/groups/info/subscription>
> Permalink <https://cyrus.topicbox.com/groups/info/T21eaaa194ab9b730-Ma96ff6f3c25c96baeda5de98>
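A concrete form of the loopback-only plaintext listener Simon describes, added here as an example and not taken from the thread or from the Cyrus project; the service name `imaplocal`, port 1143, the file path `/etc/imapd-local.conf` and cyradm's `--port` option are assumptions, while the `cmd=`, `listen=`, `-C` and `allowplaintext` forms are standard Cyrus 2.4 configuration.

```conf
# /etc/cyrus.conf (SERVICES section): the existing public imapd keeps the
# TLS 1.2-only policy from imapd.conf; a second imapd binds only to the
# loopback address and reads its own config file via -C. The service name,
# port 1143 and the path /etc/imapd-local.conf are assumed values.
SERVICES {
  imap        cmd="imapd" listen="imap" prefork=5
  imaplocal   cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:1143" prefork=1
}

# /etc/imapd-local.conf: -C replaces imapd.conf entirely rather than
# overlaying it, so start from a copy of /etc/imapd.conf (same
# configdirectory, partitions, admins and SASL settings) and change only
# the line below. No tls_* keys are set, so this listener never offers
# STARTTLS; plaintext logins are reachable from 127.0.0.1 only because of
# the listen= address above, and the public port 143 is unchanged.
allowplaintext: yes

# Remote administration goes through an SSH tunnel to the loopback port:
#   ssh -L 1143:127.0.0.1:1143 mailhost
# cyradm then targets the local listener without --tlskey
# (--port is assumed here; confirm it against cyradm's usage on your build):
#   cyradm --user cyrus --auth plain --port 1143 localhost
```

After reloading master, `ss -ltn` (or `netstat -ltn`) should show port 1143 bound to 127.0.0.1 only, which is the check that the plaintext path has not been exposed beyond the host.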
