Subject: Re: cyrus and IMAPS?
To: Rasputin <rasputin@idoru.mine.nu>
From: Greg A. Woods <woods@weird.com>
List: netbsd-users
Date: 09/14/2003 18:55:02
[ On Sunday, September 14, 2003 at 23:10:29 (+0100), Rasputin wrote: ]
> Subject: cyrus and IMAPS?
>
> 
> I can't seem to get IMAPS working with the cyrus-imap21 package;

Yes.  It's working very well for me.

> September 14 20:28:09 lb master[11976]: about to exec /usr/pkg/cyrus/bin/imapd
> September 14 20:28:09 lb imaps[11976]: executed
> September 14 20:28:09 lb imapd[11976]: imaps: required OpenSSL options not present
> September 14 20:28:09 lb imapd[11976]: Fatal error: imaps: required OpenSSL options not present
> September 14 20:28:09 lb master[15973]: process 11976 exited, status 75

You don't have one or more of the necessary "tls_*" options set in the
imapd.conf file your imapd is reading.  It is looking for at minimum
these two lines:

	tls_cert_file: /var/imap/server.pem
	tls_key_file: /var/imap/server.pem

Are you sure you've specified the location of the imapd.conf file you
think you're using correctly in cyrus.conf?  Note that the default
install from pkgsrc is broken, at least with the default "cyrus.conf"
file and the default is to use /etc/imapd.conf.  You need to explicitly
specify the location in the "cmd" settings for each service in the
cyrus.conf file if you put imapd.conf in a different location:

SERVICES {
  imap      cmd="imapd -C /usr/pkg/etc/imapd.conf"    listen="imap" prefork=0
  imaps     cmd="imapd -C /usr/pkg/etc/imapd.conf -s" listen="imaps" prefork=0
  pop3      cmd="pop3d -C /usr/pkg/etc/imapd.conf"    listen="pop3" prefork=0
  pop3s     cmd="pop3d -C /usr/pkg/etc/imapd.conf -s" listen="pop3s" prefork=0
  lmtpunix  cmd="lmtpd -C /usr/pkg/etc/imapd.conf"    listen="/var/imap/socket/lmtp" prefork=0
}


I'm hoping to be able to submit proper fixes to the config file issue to
the Cyrus team soon and get this fixed properly once and for all.  The
config file location should be specified by a configure option, not
hard-coded as it currently is.  I do have some quick&dirty patches for
pkgsrc that I'm using for myself right now, but they're a bit of a cheap
hack.


> My only other idea was that the server certificate file is bad,
> but I get the same error even without a certificate, so I don't
> think it's even getting as far as reading that....

Without the file you'll get the same errors for IMAPS since of course
you can't do SSL/TLS without a certificate.

Although it's most likely your imapd simply isn't reading the config
file you think it is, are you sure you created the "server.pem" file
correctly and you've placed it in the right place and given it the right
permissions and ownership?

	$ ls -l /var/imap/server.pem
	-r--r-----  1 cyrus  mail  2351 Aug 31 21:14 /var/imap/server.pem


You may also want the following in your imapd.conf file if you're trying
to use just plain logins with the normal system password:

# Use the saslauthd daemon to verify plaintext passwords.  Please ensure that
# the saslauthd daemon is running before trying to authenticate.
#
sasl_pwcheck_method: saslauthd

# Use these SASL authentication mechanisms.
#
# Don't use CRAM-MD5 or DIGEST-MD5 if you don't have a local sasldb.
#
sasl_mech_list: LOGIN OTP ANONYMOUS


-- 
						Greg A. Woods

+1 416 218-0098                  VE3TCP            RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com>          Secrets of the Weird <woods@weird.com>
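
The check described in the message above, as an added example that is not part of the original post or of Cyrus itself: for every service started with -s, work out which imapd.conf it reads (the -C argument, else /etc/imapd.conf) and confirm that file sets both tls_* options. The function names, the simplified cyrus.conf parsing and the in-memory file map are assumptions made for illustration.

```python
import re
import shlex

DEFAULT_CONF = "/etc/imapd.conf"  # built-in default named in the message above
REQUIRED_TLS = ("tls_cert_file", "tls_key_file")
SERVICE_RE = re.compile(r'^\s*(\w+)\s+cmd="([^"]*)"')

def parse_services(cyrus_conf):
    """Map each SERVICES entry to (config path it reads, started with -s?)."""
    services, in_block = {}, False
    for line in cyrus_conf.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        if re.match(r"\s*SERVICES\s*\{", line):
            in_block = True
        elif in_block and "}" in line:
            break
        elif in_block and (m := SERVICE_RE.match(line)):
            argv = shlex.split(m.group(2))
            conf = argv[argv.index("-C") + 1] if "-C" in argv[:-1] else DEFAULT_CONF
            services[m.group(1)] = (conf, "-s" in argv)
    return services

def parse_options(imapd_conf):
    """Parse 'name: value' lines, skipping blanks and # comments."""
    pairs = (l.partition(":") for l in imapd_conf.splitlines()
             if l.strip() and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def audit(cyrus_conf, files):
    """files: {path: imapd.conf text}. Returns {service: problem} for -s services."""
    problems = {}
    for name, (conf, tls) in parse_services(cyrus_conf).items():
        if not tls:
            continue
        if conf not in files:
            problems[name] = f"{conf} does not exist"
            continue
        opts = parse_options(files[conf])
        missing = [o for o in REQUIRED_TLS if not opts.get(o)]
        if missing:
            problems[name] = f"{conf} lacks {', '.join(missing)}"
    return problems

# Constructed sample: the imaps line has no -C, so it reads DEFAULT_CONF.
SAMPLE_CYRUS_CONF = '''SERVICES {
  imap   cmd="imapd -C /usr/pkg/etc/imapd.conf" listen="imap" prefork=0
  imaps  cmd="imapd -s" listen="imaps" prefork=0
  pop3s  cmd="pop3d -C /usr/pkg/etc/imapd.conf -s" listen="pop3s" prefork=0
}'''
SAMPLE_FILES = {"/usr/pkg/etc/imapd.conf": "tls_cert_file: /var/imap/server.pem\n"}

if __name__ == "__main__":
    for service, problem in audit(SAMPLE_CYRUS_CONF, SAMPLE_FILES).items():
        print(f"{service}: {problem}")
```

To run it against a live system, read the real cyrus.conf and build the file map from the paths that parse_services() returns.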