Subject: Re: cyrus and IMAPS?
To: None <>
From: Rasputin <>
List: netbsd-users
Date: 09/15/2003 15:29:00
* Johnny C. Lam <> [0959 07:59]:
> On Sun, Sep 14, 2003 at 06:55:02PM -0400, Greg A. Woods wrote:
> [snip]
> > 
> > You don't have one or more of the necessary "tls_*" options set in the
> > imapd.conf file your imapd is reading.  It is looking for at minimum
> > these two lines:
> > 
> > 	tls_cert_file: /var/imap/server.pem
> > 	tls_key_file: /var/imap/server.pem

I had those, but it didn't seem to help.
Adding a 'tls_ca_cert': /var/imap/server.pem fixed that.

> You're right that this is easy to forget since it's not actually
> specifically indicated in the man pages.  I'll add these (commented out)
> to the default imapd.conf files installed by pkgsrc.

For the record, it was cyrus-imapd21 that was causing me problems -
its logging doesn't tell you much, whereas version 2 says:

Sep 15 14:17:21 lb imapd[22121]: TLS engine: cannot load CA data
September 15 14:17:21 lb imapd[22121]: unable to get certificate from '/tmp/server.pem'
September 15 14:17:21 lb imapd[22121]: TLS engine: cannot load cert/key data
September 15 14:17:21 lb imapd[22121]: error initializing TLS: [CA_file: ] [CA_path: ] [cert_file: /tmp/server.pem] [key_file: /tmp/server.pem]

which was all the hint I needed.  Rather than mucking about with
openssl I installed courier, ran mkimapdcert, then uninstalled it.

I now have TLS on the imap port too, which is a bonus :)

> > Are you sure you've specified the location of the imapd.conf file you
> > think you're using correctly in cyrus.conf?  Note that the default
> > install from pkgsrc is broken, at least with the default "cyrus.conf"
> > file and the default is to use /etc/imapd.con
> I thought pkgsrc did a global search-and-replace for "/etc/imapd.conf"
> and "/etc/cyrus.conf" and replaced them with ${PKG_SYSCONFDIR}/... in
> the post-patch target, so imapd should be finding the config files in
> the correct, default ${PKG_SYSCONFDIR} locations.  Did that not work?

I did read that imapd.conf's location was hardcoded in the
distribution; I thought that was a bit DJB....
In my case, it's irrelevant since I always copy live server config
files to /etc and symlink from /usr/pkg/etc.

[ It stops package upgrades walloping them. Plus I always back up
/etc when running buildworld, so if my RSI means I accidentally
clobber a file, there's usually a backup in /etc.timestamp.... ]
> > # Don't use CRAM-MD5 or DIGEST-MD5 if you don't have a local sasldb.
> > sasl_mech_list: LOGIN OTP ANONYMOUS

I didn't try mucking about with these; in fact I didn't specify one.
Worked fine either way.

One thing I would point out is that SASL is incredibly poorly
documented.  The manpage for saslauthd for both security/cyrus-sasl*
packages is unreadable too, again I think that's a problem with the
distributed sources, not a packaging issue.

It does make things a bit harder to figure out - reading the source
to figure out command line usage is a bit scary :)

Thanks to both Greg and Johnny for the pointers, I will go off
and read up on SASL thoroughly before posting again....

Lowery's Law:
	If it jams -- force it.  If it breaks, it needed replacing
Rasputin :: Jack of All Trades - Master of Nuns
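The thread boils down to two things: imapd.conf needs tls_cert_file and tls_key_file (plus a CA entry) pointing at a PEM file that actually exists, and the "error initializing TLS: [CA_file: ] ..." log line tells you which of those imapd found empty. The script below is an added example, not code from this thread or from the Cyrus project: it parses the "option: value" lines of an imapd.conf, checks that the referenced PEM files exist and contain a certificate and private key, and pulls the empty fields out of that log line. The option name tls_ca_file is assumed from Cyrus's imapd.conf(5) (it is what the "CA_file" log field refers to); the PEM content and config snippets are constructed placeholders, not real keys.

```python
"""Pre-flight check for the tls_* options of a Cyrus imapd.conf (added example)."""
import os
import re
import tempfile

# Options the thread names, plus tls_ca_file (assumed Cyrus option behind "[CA_file: ]").
REQUIRED = ("tls_cert_file", "tls_key_file")
OPTION_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$")
TLS_ERR_RE = re.compile(r"error initializing TLS: (.*)$")
FIELD_RE = re.compile(r"\[([A-Za-z_]+): ([^\]]*)\]")

# Constructed placeholder PEM: both markers present, no real key material.
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nMIICplaceholder\n-----END RSA PRIVATE KEY-----\n"
)


def parse_imapd_conf(text):
    """Return {option: value} for 'option: value' lines; blanks and '#' comments are skipped."""
    options = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = OPTION_RE.match(line)
        if m:
            options[m.group(1)] = m.group(2)
    return options


def pem_has(path, marker):
    """True if the file exists and contains the given PEM header fragment."""
    try:
        with open(path, "r") as fh:
            return marker in fh.read()
    except OSError:
        return False


def check_tls_options(options):
    """Return a list of problems; an empty list means the TLS engine should find what it needs."""
    problems = []
    for opt in REQUIRED:
        if not options.get(opt):
            problems.append(f"{opt} is not set")
    cert = options.get("tls_cert_file")
    key = options.get("tls_key_file")
    ca = options.get("tls_ca_file")
    if cert and not pem_has(cert, "-----BEGIN CERTIFICATE-----"):
        problems.append(f"tls_cert_file {cert!r} is missing or holds no certificate")
    if key and not pem_has(key, "PRIVATE KEY-----"):
        problems.append(f"tls_key_file {key!r} is missing or holds no private key")
    if ca and not pem_has(ca, "-----BEGIN CERTIFICATE-----"):
        problems.append(f"tls_ca_file {ca!r} is missing or holds no certificate")
    return problems


def empty_tls_fields(log_line):
    """From a Cyrus 'error initializing TLS: [CA_file: ] ...' line, name the fields logged empty."""
    m = TLS_ERR_RE.search(log_line)
    if not m:
        return []
    return [name for name, value in FIELD_RE.findall(m.group(1)) if value == ""]


def run_demo():
    """Check a constructed working config and a constructed broken one; return both problem lists."""
    with tempfile.TemporaryDirectory() as d:
        pem = os.path.join(d, "server.pem")
        with open(pem, "w") as fh:
            fh.write(CONSTRUCTED_PEM)
        good = parse_imapd_conf(
            f"configdirectory: /var/imap\ntls_cert_file: {pem}\ntls_key_file: {pem}\n"
        )
        missing = os.path.join(d, "missing.pem")  # deliberately never created
        bad = parse_imapd_conf(
            f"configdirectory: /var/imap\n# tls_key_file: {pem}\ntls_cert_file: {missing}\n"
        )
        return check_tls_options(good), check_tls_options(bad)


if __name__ == "__main__":
    good_problems, bad_problems = run_demo()
    print("working config:", good_problems or "ok")
    print("broken config:", bad_problems)
    print("empty fields in log line:", empty_tls_fields(
        "imapd[22121]: error initializing TLS: [CA_file: ] [CA_path: ] "
        "[cert_file: /tmp/server.pem] [key_file: /tmp/server.pem]"))
```

Run it against a real /etc/imapd.conf by feeding the file's text to parse_imapd_conf and the result to check_tls_options; a non-empty list is the same condition the "cannot load cert/key data" log line reports, caught before the daemon is restarted.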