Re: Fatal error: tls_start_servertls() failed

2016-02-15 Thread Müfit Eribol via Info-cyrus

Just to follow up and help others with a similar problem, here is what I did.

- Research showed that entropy is needed and low entropy is a typical 
problem of headless servers where there is no mouse and keyboard connected.
- Installed munin to check entropy levels over time. During the two hours 
of observation, it went down as low as 160 and went up to a maximum of 
850. I think the minimum is pretty low compared to the levels talked about 
on the internet.

- Installed the haveged utility and adjusted the entropy pool to 2048.
- It is now stabilized around 2048.

I believe this was the problem with my server. Thank you Patrick for 
drawing my attention to the magic word "entropy".


I am now monitoring the server to verify.


On 15.02.2016 00:39, Patrick Boutilier via Info-cyrus wrote:

On 02/14/2016 02:46 AM, Mufit Eribol via Info-cyrus wrote:

Hi All,

I am running cyrus-imapd-2.4.17 on CentOS 7.2.1511 for appx. 20
mailboxes. I get the following messages every 10-12 days.

imaps TLS negotiation failed: [ip address of a client]
Fatal error: tls_start_servertls() failed

Although cyrus-imapd, saslauthd are still running after this error,
login credentials are not accepted. As I don't know where the problem
is, restarting the server fixes the problem, well, for another 10-12 days.

I would appreciate any hint you may give.

Thanks,
Mufit

Almost sounds like you are running out of entropy.







Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
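
Added example (not part of the original posts, and not Cyrus or haveged code): a Python check for the entropy observation described in the follow-up above. It reads the kernel estimate from `/proc/sys/kernel/random/entropy_avail` and flags sustained runs below a low-water mark; the 200-bit threshold, the run length of 3 and both sample series are assumptions constructed around the 160, 850 and 2048 figures quoted in the message.

```python
"""Entropy-pool check for a headless Linux mail server (added example)."""
from pathlib import Path

# Kernel estimate of available entropy, in bits. On kernels of the CentOS 7
# generation, as used in the thread, this value fluctuates with demand.
ENTROPY_AVAIL = Path("/proc/sys/kernel/random/entropy_avail")

# Assumed alert settings (not from the thread): readings under 200 bits that
# persist for 3 consecutive samples count as a starvation window.
LOW_WATER = 200
MIN_RUN = 3


def read_entropy(path=ENTROPY_AVAIL):
    """Return the current entropy estimate as an integer number of bits."""
    return int(Path(path).read_text().strip())


def low_entropy_windows(samples, low_water=LOW_WATER, min_run=MIN_RUN):
    """Find runs of at least min_run consecutive samples below low_water.

    Returns a list of (first_index, last_index, minimum_in_run) tuples.
    """
    samples = list(samples)
    windows = []
    start = None
    # A sentinel equal to low_water closes a run that reaches the last sample.
    for i, value in enumerate(samples + [low_water]):
        if value < low_water:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_run:
                windows.append((start, i - 1, min(samples[start:i])))
            start = None
    return windows


def summarize(samples, low_water=LOW_WATER, min_run=MIN_RUN):
    """Return min, max and the starvation windows for a series of readings."""
    samples = list(samples)
    return {
        "min": min(samples),
        "max": max(samples),
        "low_windows": low_entropy_windows(samples, low_water, min_run),
    }


# Constructed sample series (not measurements from the thread): one shaped
# like the munin observation before haveged, one like the state after it.
BEFORE_HAVEGED = [850, 640, 410, 190, 160, 175, 320, 700]
AFTER_HAVEGED = [2048, 2031, 2048, 1990, 2048, 2048, 2040, 2048]

if __name__ == "__main__":
    for label, series in (("before", BEFORE_HAVEGED), ("after", AFTER_HAVEGED)):
        print(label, summarize(series))
    if ENTROPY_AVAIL.exists():
        print("live reading:", read_entropy())
```
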




Re: Fatal error: tls_start_servertls() failed

2016-02-15 Thread Müfit Eribol via Info-cyrus

On 15.02.2016 00:39, Patrick Boutilier via Info-cyrus wrote:

On 02/14/2016 02:46 AM, Mufit Eribol via Info-cyrus wrote:

Hi All,

I am running cyrus-imapd-2.4.17 on CentOS 7.2.1511 for appx. 20
mailboxes. I get the following messages every 10-12 days.

imaps TLS negotiation failed: [ip address of a client]
Fatal error: tls_start_servertls() failed

Although cyrus-imapd, saslauthd are still running after this error,
login credentials are not accepted. As I don't know where the problem
is, restarting the server fixes the problem, well, for another 10-12 days.

I would appreciate any hint you may give.

Thanks,
Mufit

Almost sounds like you are running out of entropy.


Oops, a brand new term for me. Thank you for pointing it out.

Sorry for my ignorance. How can I fix this problem? If it helps it is a 
small kvm VM with 2G allocated memory.





Re: Fatal error: tls_start_servertls() failed

2016-02-14 Thread Patrick Boutilier via Info-cyrus

On 02/14/2016 02:46 AM, Mufit Eribol via Info-cyrus wrote:

Hi All,

I am running cyrus-imapd-2.4.17 on CentOS 7.2.1511 for appx. 20
mailboxes. I get the following messages every 10-12 days.

imaps TLS negotiation failed: [ip address of a client]
Fatal error: tls_start_servertls() failed

Although cyrus-imapd, saslauthd are still running after this error,
login credentials are not accepted. As I don't know where the problem
is, restarting the server fixes the problem, well, for another 10-12 days.

I would appreciate any hint you may give.

Thanks,
Mufit

Almost sounds like you are running out of entropy.





Fatal error: tls_start_servertls() failed

2016-02-13 Thread Mufit Eribol via Info-cyrus

Hi All,

I am running cyrus-imapd-2.4.17 on CentOS 7.2.1511 for appx. 20 
mailboxes. I get the following messages every 10-12 days.


imaps TLS negotiation failed: [ip address of a client]
Fatal error: tls_start_servertls() failed

Although cyrus-imapd, saslauthd are still running after this error, 
login credentials are not accepted. As I don't know where the problem 
is, restarting the server fixes the problem, well, for another 10-12 days.


I would appreciate any hint you may give.

Thanks,
Mufit

Below are the configuration files:

/etc/cyrus.conf:
START {
  recover       cmd="ctl_cyrusdb -r"
  idled         cmd="idled"
}
SERVICES {
#  imap         cmd="imapd" listen="imap" prefork=5
  imaplocal     cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:imap" prefork=0

  imaps         cmd="imapd -s" listen="imaps" prefork=1
  imapslocal    cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:imaps" prefork=0

#  pop3         cmd="pop3d" listen="pop3" prefork=3
#  pop3s        cmd="pop3d -s" listen="pop3s" prefork=1
  sieve         cmd="timsieved" listen="sieve" prefork=0
  sievelocal    cmd="timsieved -C /etc/imapd-local.conf" listen="127.0.0.1:sieve" prefork=0

  # these are only necessary if receiving/exporting usenet via NNTP
#  nntp         cmd="nntpd" listen="nntp" prefork=3
#  nntps        cmd="nntpd -s" listen="nntps" prefork=1

#  lmtp         cmd="lmtpd" listen="lmtp" prefork=0
  lmtpunix      cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1

#  notify       cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" prefork=1
}
EVENTS {
  checkpoint    cmd="ctl_cyrusdb -c" period=30
  delprune      cmd="cyr_expire -E 3" at=0400
  tlsprune      cmd="tls_prune" at=0400
}

/etc/imapd.conf:
postmaster: postmaster
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
#admins: cyrus
allowanonymouslogin: no
allowplaintext: no
#tls_require_cert: 1
sasl_minimum_layer: 128
servername: mail.wintess.com
autocreatequota: 20
maxmessagesize: 0
reject8bit: 0
munge8bit: 0
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
sievedir: /var/lib/imap/sieve
sieve_maxscriptsize: 32
sieve_maxscripts: 5
sieve_allowplaintext: 1
sendmail: /usr/sbin/sendmail
#hashimapspool: true
#defaultdomain: mail
tls_cert_file: /etc/pki/tls/certs/wintess-imap.pem
tls_key_file: /etc/pki/tls/certs/wintess-imap.pem
tls_ca_file: /etc/pki/tls/certs/wintess-imap.pem

/etc/sasl2/smtpd.conf:

pwcheck_method: saslauthd
mech_list: plain login





Re: Fatal error: tls_start_servertls() failed

2003-08-29 Thread Mike Allen


-- Forwarded message --
Date: Wed, 27 Aug 2003 11:57:48 -0700 (PDT)
From: Mike Allen [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

Ken:

For your information my hardware and software system is as follows:

Hardware -- Compaq ML350 with 4GB RAM and 128GB Raid 5 Raid array
dual 2.2 GHz processors

Software -- FreeBSD 4.8-RELEASE-p4

What follows is the result of running imtest as you described.

 [mail2] ~ imtest -m plain -u cyrus -a cyrus -s localhost
 verify error:num=18:self signed certificate
 TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
 S: * OK mail2.familyradio.org Cyrus IMAP4 v2.1.12 server ready
 C: C01 CAPABILITY
 S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
 NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT
 THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=NTLM
 AUTH=LOGIN
 AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5
 S: C01 OK Completed
 C: A01 AUTHENTICATE PLAIN
 S: +
 Please enter your password:
 C: Y3lydXMAY3lydXMAcHdyNHRvZGF5
 S: A01 NO no mechanism available
 Authentication failed. generic failure
 Security strength factor: 256
 . logout
 * BYE LOGOUT received
 . OK Completed
 Connection closed.

Thanks for your help.  I suspect I did something dumb in configuring
this machine. :(

Mike Allen




Re: Fatal error: tls_start_servertls() failed. (fwd)

2003-08-27 Thread Ken Murchison
You don't have a TLS problem anymore, you have a SASL problem.  Are you 
trying to use DIGEST-MD5?  What happens if you try:

imtest -m plain -u cyrus -a cyrus -s localhost

Mike Allen wrote:

Ken:

I hope the attached file helps us solve the problem which started
this thread.
Thanks so much for your help.

Mike Allen



[mail2] ~ imtest -u cyrus -a cyrus -s localhost
verify error:num=18:self signed certificate
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
S: * OK mail2.familyradio.org Cyrus IMAP4 v2.1.12 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS 
ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT 
THREAD=REFERENCES IDLE STARTTLS AUTH=NTLM AUTH=LOGIN AUTH=PLAIN AUTH=DIGEST-MD5 
AUTH=CRAM-MD5
S: C01 OK Completed
C: A01 AUTHENTICATE DIGEST-MD5
S: + 
bm9uY2U9ImdEaXQ2Y3d6ekRvNHhkdFlNUzVCSlZBSnpibmVQcnRQV1N1Nm5DczgxUW89IixyZWFsbT0ibWFpbDIuZmFtaWx5cmFkaW8ub3JnIixxb3A9ImF1dGgiLG1heGJ1Zj00MDk2LGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNz
Please enter your password:
C: 
dXNlcm5hbWU9ImN5cnVzIixyZWFsbT0ibWFpbDIuZmFtaWx5cmFkaW8ub3JnIixub25jZT0iZ0RpdDZjd3p6RG80eGR0WU1TNUJKVkFKemJuZVBydFBXU3U2bkNzODFRbz0iLGNub25jZT0iQUFUVkRndnJwUjgxL2Z0SDJxaXZHWWEzQVY1dVJac0FCTjJlWTU4Y2hLUT0iLG5jPTAwMDAwMDAxLHFvcD1hdXRoLG1heGJ1Zj0xMDI0LGRpZ2VzdC11cmk9ImltYXAvbG9jYWxob3N0LmZhbWlseXJhZGlvLm9yZyIscmVzcG9uc2U9ZjQ1YTkxY2Q4OTZiNTg0NzZhMGYyNTY4OTE4YjIzZTg=
S: A01 NO authentication failure
Authentication failed. generic failure
Security strength factor: 256
^CC: Q01 LOGOUT
Connection closed.
==
Please note that user cyrus does have a saslpasswd2 and it is in sasldb2.db
See attached 'cyrus.conf'.  I'll send more logging information if needed.

Thanks for your help on this.

Mike Allen

--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp
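
Added example (not from the thread or from the Cyrus project): the base64 lines in an imtest transcript like the one quoted above are SASL payloads in plain encoding, so a PLAIN response carries the password itself and a DIGEST-MD5 response carries a password-derived hash. This Python code decodes such tokens for diagnosis while withholding the secrets, and redacts them from a transcript before it is shared; all sample names and values (`example.org`, `alice`, the password, the nonces) are constructed.

```python
"""Decode and redact SASL payloads in an imtest transcript (added example)."""
import base64
import binascii
import re

# Optional imtest direction prefix ("C: " or "S: + "), then one base64 token.
TOKEN_LINE = re.compile(r'^(\s*(?:C: |S: \+ )?)([A-Za-z0-9+/]{16,}={0,2})\s*$')
# DIGEST-MD5 directives: key=value or key="quoted value", comma separated.
DIRECTIVE = re.compile(r'([A-Za-z][\w-]*)=("(?:[^"\\]|\\.)*"|[^,]*)')


def decode_sasl_token(token):
    """Classify one base64 SASL payload; return its fields minus secrets.

    Returns None when the token is not valid base64.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    # SASL PLAIN (RFC 4616): authzid NUL authcid NUL password, unencrypted.
    parts = raw.split(b"\x00")
    if len(parts) == 3:
        authzid, authcid, password = parts
        return {
            "mech": "PLAIN",
            "authzid": authzid.decode("utf-8", "replace"),
            "authcid": authcid.decode("utf-8", "replace"),
            "password": "<withheld, %d bytes>" % len(password),
        }
    text = raw.decode("utf-8", "replace")
    fields = {k.lower(): v.strip('"') for k, v in DIRECTIVE.findall(text)}
    if "nonce" in fields:
        if "response" in fields:  # hash derived from the password
            fields["response"] = "<withheld>"
        return dict(fields, mech="DIGEST-MD5")
    return {"mech": "unknown", "length": len(raw)}


def redact_transcript(text):
    """Replace every decodable payload line with a labelled placeholder."""
    out = []
    for line in text.splitlines():
        match = TOKEN_LINE.match(line)
        info = decode_sasl_token(match.group(2)) if match else None
        if info is None:
            out.append(line)
        else:
            out.append("%s[%s payload redacted]" % (match.group(1), info["mech"]))
    return "\n".join(out)


def _b64(data):
    return base64.b64encode(data).decode("ascii")


# Constructed sample values, not taken from the thread.
PLAIN_TOKEN = _b64(b"alice\x00alice\x00not-a-real-password")
CHALLENGE = _b64(b'nonce="Y29uc3RydWN0ZWQ=",realm="mail.example.org",'
                 b'qop="auth",maxbuf=4096,charset=utf-8,algorithm=md5-sess')
RESPONSE = _b64(b'username="alice",realm="mail.example.org",'
                b'nonce="Y29uc3RydWN0ZWQ=",cnonce="Y2xpZW50",nc=00000001,'
                b'qop=auth,digest-uri="imap/localhost.example.org",'
                b'response=0123456789abcdef0123456789abcdef')
SAMPLE_TRANSCRIPT = "\n".join([
    "S: * OK mail.example.org Cyrus IMAP4 server ready",
    "C: A01 AUTHENTICATE DIGEST-MD5",
    "S: + ",
    CHALLENGE,
    "C: ",
    RESPONSE,
    "S: A01 NO authentication failure",
    "C: A02 AUTHENTICATE PLAIN",
    "S: +",
    "C: " + PLAIN_TOKEN,
    "S: A02 NO no mechanism available",
])

if __name__ == "__main__":
    print(decode_sasl_token(CHALLENGE))
    print(decode_sasl_token(RESPONSE))
    print(redact_transcript(SAMPLE_TRANSCRIPT))
```
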


Re: Fatal error: tls_start_servertls() failed. (fwd)

2003-08-26 Thread Mike Allen
Ken:  I forgot to include this information in my previous email.

Mike Allen

-- Forwarded message --
Date: Mon, 25 Aug 2003 15:12:59 -0700 (PDT)
From: Mike Allen [EMAIL PROTECTED]
To: Ken Murchison [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Fatal error: tls_start_servertls() failed. (fwd)


Ken:

Enclosed are two attached files with log info you requested.
imtest -s runs with errors while imtest by itself does not show errors.

It appears to me to be an authentication problem.

Mike Allen



On Thu, 21 Aug 2003, Ken Murchison wrote:



 Mike Allen wrote:

  Ken,
 
  Thanks for your help and insight.  I have attached my imapd.conf file
  with the values I currently use.  SSL/TLS still does not let me
  communicate with port 993. imtest will not run to completion.
  What am I missing?

 I don't know.  Are imapd and/or imtest spitting out any additional
 messages to imapd.log?  Are you running both imapd and imtest with the
 -s option?


 
  Thanks again for your help.
 
  Mike Allen
 
  -- Forwarded message --
  Date: Wed, 20 Aug 2003 20:55:57 -0400
  From: Ken Murchison [EMAIL PROTECTED]
  To: Mike Allen [EMAIL PROTECTED]
  Cc: [EMAIL PROTECTED]
  Subject: Re: Fatal error: tls_start_servertls() failed.
 
 
 
  Mike Allen wrote:
 
 
 I get the above Fatal error when I try to do anything after the
 following command:
 
 telnet localhost imaps
 
 Would someone please direct me as to how to debug this?  Thanks in
 advance for your help.
 
 
  First of all, telnetting to port 993 won't get you any visible data,
  since SSL/TLS is negotiated before any IMAP protocol data is exchanged.
  If you really want to test imaps, then you should use imtest (included
  with Cyrus) or OpenSSL's s_client.
 
  The error you are seeing most likely means that you haven't configured
  Cyrus for SSL/TLS (tls_* options in imapd.conf).
 
 
 
  
 

 --
 Kenneth Murchison Oceana Matrix Ltd.
 Software Engineer 21 Princeton Place
 716-662-8973 x26  Orchard Park, NY 14127
 --PGP Public Key--http://www.oceana.com/~ken/ksm.pgp


Aug 25 14:46:03 mail2 imapd[57409]: TLS engine: cannot load CA data
Aug 25 14:46:03 mail2 imapd[57409]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Aug 25 14:46:03 mail2 imapd[57409]: OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied
Aug 25 14:46:11 mail2 imapd[57409]: no user in db
Aug 25 14:46:11 mail2 imapd[57409]: client response doesn't match what we generated
Aug 25 14:46:11 mail2 imapd[57409]: badlogin: localhost.familyradio.org[127.0.0.1] DIGEST-MD5 [SASL(-13): authentication failure: client response doesn't match what we generated]
Aug 25 14:55:38 mail2 sshd[57481]: error: PAM: Authentication token is no longer valid; new one required.
Aug 25 14:55:47 mail2 last message repeated 2 times
Aug 25 14:56:54 mail2 su: mallen to root on /dev/ttyp0


Re: Fatal error: tls_start_servertls() failed. (fwd)

2003-08-26 Thread Mike Allen
Ken:

I hope the attached file helps us solve the problem which started
this thread.

Thanks so much for your help.

Mike Allen
[mail2] ~ imtest -u cyrus -a cyrus -s localhost
verify error:num=18:self signed certificate
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
S: * OK mail2.familyradio.org Cyrus IMAP4 v2.1.12 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS 
ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT 
THREAD=REFERENCES IDLE STARTTLS AUTH=NTLM AUTH=LOGIN AUTH=PLAIN AUTH=DIGEST-MD5 
AUTH=CRAM-MD5
S: C01 OK Completed
C: A01 AUTHENTICATE DIGEST-MD5
S: + 
bm9uY2U9ImdEaXQ2Y3d6ekRvNHhkdFlNUzVCSlZBSnpibmVQcnRQV1N1Nm5DczgxUW89IixyZWFsbT0ibWFpbDIuZmFtaWx5cmFkaW8ub3JnIixxb3A9ImF1dGgiLG1heGJ1Zj00MDk2LGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNz
Please enter your password:
C: 
dXNlcm5hbWU9ImN5cnVzIixyZWFsbT0ibWFpbDIuZmFtaWx5cmFkaW8ub3JnIixub25jZT0iZ0RpdDZjd3p6RG80eGR0WU1TNUJKVkFKemJuZVBydFBXU3U2bkNzODFRbz0iLGNub25jZT0iQUFUVkRndnJwUjgxL2Z0SDJxaXZHWWEzQVY1dVJac0FCTjJlWTU4Y2hLUT0iLG5jPTAwMDAwMDAxLHFvcD1hdXRoLG1heGJ1Zj0xMDI0LGRpZ2VzdC11cmk9ImltYXAvbG9jYWxob3N0LmZhbWlseXJhZGlvLm9yZyIscmVzcG9uc2U9ZjQ1YTkxY2Q4OTZiNTg0NzZhMGYyNTY4OTE4YjIzZTg=
S: A01 NO authentication failure
Authentication failed. generic failure
Security strength factor: 256
^CC: Q01 LOGOUT
Connection closed.
==
Please note that user cyrus does have a saslpasswd2 and it is in sasldb2.db

See attached 'cyrus.conf'.  I'll send more logging information if needed.

Thanks for your help on this.

Mike Allen



Re: Fatal error: tls_start_servertls() failed. (fwd)

2003-08-25 Thread Mike Allen

Ken:

Enclosed are two attached files with log info you requested.
imtest -s runs with errors while imtest by itself does not show errors.

It appears to me to be an authentication problem.

Mike Allen



On Thu, 21 Aug 2003, Ken Murchison wrote:



 Mike Allen wrote:

  Ken,
 
  Thanks for your help and insight.  I have attached my imapd.conf file
  with the values I currently use.  SSL/TLS still does not let me
  communicate with port 993. imtest will not run to completion.
  What am I missing?

 I don't know.  Are imapd and/or imtest spitting out any additional
 messages to imapd.log?  Are you running both imapd and imtest with the
 -s option?


 
  Thanks again for your help.
 
  Mike Allen
 
  -- Forwarded message --
  Date: Wed, 20 Aug 2003 20:55:57 -0400
  From: Ken Murchison [EMAIL PROTECTED]
  To: Mike Allen [EMAIL PROTECTED]
  Cc: [EMAIL PROTECTED]
  Subject: Re: Fatal error: tls_start_servertls() failed.
 
 
 
  Mike Allen wrote:
 
 
 I get the above Fatal error when I try to do anything after the
 following command:
 
 telnet localhost imaps
 
 Would someone please direct me as to how to debug this?  Thanks in
 advance for your help.
 
 
  First of all, telnetting to port 993 won't get you any visible data,
  since SSL/TLS is negotiated before any IMAP protocol data is exchanged.
  If you really want to test imaps, then you should use imtest (included
  with Cyrus) or OpenSSL's s_client.
 
  The error you are seeing most likely means that you haven't configured
  Cyrus for SSL/TLS (tls_* options in imapd.conf).
 
 
 
  
 

 --
 Kenneth Murchison Oceana Matrix Ltd.
 Software Engineer 21 Princeton Place
 716-662-8973 x26  Orchard Park, NY 14127
 --PGP Public Key--http://www.oceana.com/~ken/ksm.pgp


Aug 25 14:46:03 mail2 imapd[57409]: TLS engine: cannot load CA data
Aug 25 14:46:03 mail2 imapd[57409]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Aug 25 14:46:03 mail2 imapd[57409]: OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied
Aug 25 14:46:11 mail2 imapd[57409]: no user in db
Aug 25 14:46:11 mail2 imapd[57409]: client response doesn't match what we generated
Aug 25 14:46:11 mail2 imapd[57409]: badlogin: localhost.familyradio.org[127.0.0.1] DIGEST-MD5 [SASL(-13): authentication failure: client response doesn't match what we generated]
Aug 25 14:55:38 mail2 sshd[57481]: error: PAM: Authentication token is no longer valid; new one required.
Aug 25 14:55:47 mail2 last message repeated 2 times
Aug 25 14:56:54 mail2 su: mallen to root on /dev/ttyp0

# This file was typed in by hand to eliminate non-alphanumeric
# characters within it.
configdirectory: /var/imap
defaultpartition: default
partition-default: /var/spool/imap
umask: 077
allowanonymouslogin: no
allowplaintext: yes
quotawarn: 90
imapdresponse: yes
admins: cyrus
autocreatequota: 5
duplicatesuppression: yes
mailnotifier: no default
sieveusehomedir: false
sievedir:/var/imap/sieve
sendmail: /usr/sbin/sendmail
postmaster: postmaster
sieve_maxscriptsize: 32
sieve_maxscripts: 5
sasl_maximum_layer: 256
sasl_minimum_layer: 0
sasl_pwcheck_method: sasldb2
sasl_auto_transition: no
#sasl_opiekeys: /etc/opiekeys
tls_cert_file: /usr/local/ssl/global.crt
tls_key_file: /usr/local/ssl/global.key
tls_imap_cert_file: /usr/local/ssl/global.crt
tls_imap_key_file: /usr/local/ssl/global.key
#tls_lmtp_cert_file: /usr/local/etc/ssl/global.crt
#tls_lmtp_key_file: /usr/local/etc/ssl/global.key
tls_session_timeout: 1440
#tls_ca_file: global.crt
#tls_ca_path: /usr/local/etc/ssl
deleteright: c
lmtpsocket: /var/imap/socket/lmtp
idlesocket: /var/imap/socket/idle
notifysocket: /var/imap/socket/notify


Re: Fatal error: tls_start_servertls() failed. (fwd)

2003-08-21 Thread Mike Allen
Ken,

Thanks for your help and insight.  I have attached my imapd.conf file
with the values I currently use.  SSL/TLS still does not let me
communicate with port 993. imtest will not run to completion.
What am I missing?

Thanks again for your help.

Mike Allen

-- Forwarded message --
Date: Wed, 20 Aug 2003 20:55:57 -0400
From: Ken Murchison [EMAIL PROTECTED]
To: Mike Allen [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Fatal error: tls_start_servertls() failed.



Mike Allen wrote:

 I get the above Fatal error when I try to do anything after the
 following command:

 telnet localhost imaps

 Would someone please direct me as to how to debug this?  Thanks in
 advance for your help.

First of all, telnetting to port 993 won't get you any visible data,
since SSL/TLS is negotiated before any IMAP protocol data is exchanged.
If you really want to test imaps, then you should use imtest (included
with Cyrus) or OpenSSL's s_client.

The error you are seeing most likely means that you haven't configured
Cyrus for SSL/TLS (tls_* options in imapd.conf).

-- 
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp

# This file was typed in by hand to eliminate non-alphanumeric
# characters within it.
configdirectory: /var/imap
defaultpartition: default
partition-default: /var/spool/imap
umask: 077
allowanonymouslogin: no
allowplaintext: yes
quotawarn: 90
imapdresponse: yes
admins: cyrus
autocreatequota: 5
duplicatesuppression: yes
mailnotifier: no default
sieveusehomedir: false
sievedir:/var/imap/sieve
sendmail: /usr/sbin/sendmail
postmaster: postmaster
sieve_maxscriptsize: 32
sieve_maxscripts: 5
sasl_maximum_layer: 256
sasl_minimum_layer: 0
sasl_pwcheck_method: sasldb2
sasl_auto_transition: no
#sasl_opiekeys: /etc/opiekeys
tls_cert_file: /usr/local/ssl/global.crt
tls_key_file: /usr/local/ssl/global.key
tls_imap_cert_file: /usr/local/ssl/global.crt
tls_imap_key_file: /usr/local/ssl/global.key
#tls_lmtp_cert_file: /usr/local/etc/ssl/global.crt
#tls_lmtp_key_file: /usr/local/etc/ssl/global.key
tls_session_timeout: 1440
#tls_ca_file: global.crt
#tls_ca_path: /usr/local/etc/ssl
deleteright: c
lmtpsocket: /var/imap/socket/lmtp
idlesocket: /var/imap/socket/idle
notifysocket: /var/imap/socket/notify


Re: Fatal error: tls_start_servertls() failed. (fwd)

2003-08-21 Thread Ken Murchison


Mike Allen wrote:

Ken,

Thanks for your help and insight.  I have attached my imapd.conf file
with the values I currently use.  SSL/TLS still does not let me
communicate with port 993. imtest will not run to completion.
What am I missing?

I don't know.  Are imapd and/or imtest spitting out any additional 
messages to imapd.log?  Are you running both imapd and imtest with the 
-s option?


Thanks again for your help.

Mike Allen

-- Forwarded message --
Date: Wed, 20 Aug 2003 20:55:57 -0400
From: Ken Murchison [EMAIL PROTECTED]
To: Mike Allen [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Fatal error: tls_start_servertls() failed.


Mike Allen wrote:


I get the above Fatal error when I try to do anything after the
following command:
   telnet localhost imaps

Would someone please direct me as to how to debug this?  Thanks in
advance for your help.


First of all, telnetting to port 993 won't get you any visible data,
since SSL/TLS is negotiated before any IMAP protocol data is exchanged.
If you really want to test imaps, then you should use imtest (included
with Cyrus) or OpenSSL's s_client.

The error you are seeing most likely means that you haven't configured
Cyrus for SSL/TLS (tls_* options in imapd.conf).




--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp


Fatal error: tls_start_servertls() failed.

2003-08-20 Thread Mike Allen
I get the above Fatal error when I try to do anything after the
following command:

telnet localhost imaps

Would someone please direct me as to how to debug this?  Thanks in
advance for your help.

Mike Allen



Re: Fatal error: tls_start_servertls() failed.

2003-08-20 Thread Ken Murchison


Mike Allen wrote:

I get the above Fatal error when I try to do anything after the
following command:
telnet localhost imaps

Would someone please direct me as to how to debug this?  Thanks in
advance for your help.

First of all, telnetting to port 993 won't get you any visible data, 
since SSL/TLS is negotiated before any IMAP protocol data is exchanged. 
If you really want to test imaps, then you should use imtest (included 
with Cyrus) or OpenSSL's s_client.

The error you are seeing most likely means that you haven't configured 
Cyrus for SSL/TLS (tls_* options in imapd.conf).

--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26  Orchard Park, NY 14127
--PGP Public Key--http://www.oceana.com/~ken/ksm.pgp