
List:       cyrus-info
Subject:    Re: sync_client and TLS support?
From:       "andrewhardy via Info" <info () cyrus ! topicbox ! com>
Date:       2021-05-19 8:15:34
Message-ID: 1AB553E2-8BEC-4302-9065-EB2F1C9DFAFF () andrewhardy ! co ! nz

Thanks for the quick response Ellie. 

Appending /tls to the defined port worked and replication over TLS appears to work
fine. This will come in quite handy where private links are not possible or cost
prohibitive. I haven't tested this in anger or attempted to get mutual authentication
working but if I can get it functioning and tested as desired, will feed some "how
tos" back.

Interesting that appending /tls was the toggle, who would have thought ;)

Thanks for the observation on versioning. 

It turns out that the version that ships with the @appstream repo is well behind in
its versioning. I'll definitely be taking the time to re-compile/build using the
latest version. Probably steering away from CentOS 8 at this point, seems like it's
going to be more problematic than what it's worth.

cyrus-imapd.x86_64   3.0.7-19.el8   @appstream

Appreciate the quick response, will feed any doc improvements through as I go along.

Cheers,
Andrew


> On 19/05/2021, at 12:15 PM, ellie timoney <ellie@fastmail.com> wrote:
> 
> Hi,
> 
> I haven't seen "fossies.org" before, but the canonical 3.4.1 sync_client source
> can be found here:
> https://github.com/cyrusimap/cyrus-imapd/blob/cyrus-imapd-3.4.1/imap/sync_client.c
>  
> But you won't find TLS handling code in that file, because it just calls down to
> backend_connect() to do the heavy lifting, which is in:
> https://github.com/cyrusimap/cyrus-imapd/blob/cyrus-imapd-3.4.1/imap/backend.c
> 
> It looks like if you provide a "/tls" flag in the port/service name specification,
> then it will try to do TLS.  So where you've specified "993", maybe "993/tls" will
> do the trick?  It looks like "noauth" is another possible flag here, which is news
> to me.  Some of this stuff isn't very well documented, sorry.
> 
> I think we might assume that replication mostly occurs over a private network --
> either a physical one within the same datacentre, or over VPN to a remote one --
> but if you don't have these luxuries it makes sense that you'd want to use TLS for
> the connection.  I don't know if anyone is using it like this, but it ought to work
> fine since it just uses the same backend module as everything else.  If you get it
> working, it'd be great if you could send through some notes that we could integrate
> into the docs!
> 
> > 3.0.7-19.el8 Fedora server ready
> 
> Ohhh... it's interesting that you're looking at the 3.4.1 sources, but actually
> running 3.0.7.  Everything I've described above _should_ work for 3.0, as in, I
> don't believe the /tls flag is a new feature (otherwise I'd probably recognise it).
> But I've been looking at the 3.4.1 sources, not the 3.0.7 ones, so your mileage may
> vary.  For what it's worth, 3.0.7 is two major releases out of date (the current
> stable series is 3.4; the previous stable series was 3.2).  If you can manage to
> run something newer, you should.
> 
> Cheers,
> 
> ellie
> 
> On Tue, 18 May 2021, at 5:17 AM, andrewhardy via Info wrote:
> > Hi there,
> > 
> > I was hoping to verify with a source of truth whether sync_client embedded within
> > the "Cyrus-imapd-3.4.1.tar.gz" has implicit TLS support. (I assume it came bundled
> > with the Cyrus install - haven't validated that - CentOS 8.) I managed to track
> > down a sync_client.c file found at the URL below and it doesn't appear to offer
> > starttls or implicit TLS support within the connect code (unless I'm missing
> > something obvious) and it doesn't appear to make use of the TLS settings contained
> > within the imapd.conf file.
> > - https://fossies.org/linux/cyrus-imapd/imap/sync_client.c
> > Is this a correct assertion or am I missing something obvious? Sync Client is
> > working fine over IMAP TCP/143 but when changed to TCP 993, fails.
> > 
> > Was hoping to get this configured for mutual authentication between Cyrus servers
> > for secure replication given it's a privileged account being passed over the
> > wire. Is this something that is supported using the sync_client utility at
> > present or are there alternative Cyrus mailbox synchronisation tools out there
> > that would enable secure transmission of replication data? Unfortunately cannot
> > find any documentation that would hint at TLS support and I "assumed" that it'd
> > honour the client/server authentication certificates and configuration in
> > imapd.conf. Believe this was an incorrect assumption on my part. I must admit
> > from what I have seen so far, Cyrus is a pretty cool application. Thanks for
> > developing this.
> > ———
> > On the service side, I get the following failure:
> > cyrus/imaps[102032]: imaps TLS negotiation failed: testimapserver [10.0.0.10]
> > On the client side, using openssl s_client -connect testimapserver:993 returns a
> > successful TLSv1.3 connection with Cipher TLS_AES_256_GCM_SHA384 with the server
> > response being:
> > * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=PLAIN AUTH=LOGIN SASL-IR]
> > testimapserver Cyrus IMAP 3.0.7-19.el8 Fedora server ready
> > ———
> > If you could please confirm my suspicion and let me know if TLS support is
> > considered in a potential future release, that would be greatly appreciated. If
> > I've got it wrong and it is supported but it's a configuration issue on my part,
> > apologies.
> 

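As an added check (example code written here, not from the thread or the Cyrus project): a Python script that reads Cyrus syslog lines and flags the failure Andrew hit, a client sending plaintext to the implicit-TLS port, and, once mutual authentication is wanted, any TLS session that arrived without a client certificate. The "TLS negotiation failed" line is the one quoted in the thread; the shape of the "starttls:" success line is an assumption about Cyrus' usual notice, and the sample log is constructed.

```python
import re
from collections import Counter

# Handshake failure, as quoted in the thread:
#   cyrus/imaps[102032]: imaps TLS negotiation failed: testimapserver [10.0.0.10]
FAILED_RE = re.compile(
    r"(?P<svc>[a-z]+)\[\d+\]: (?P=svc) TLS negotiation failed: "
    r"(?P<host>\S+) \[(?P<ip>[^\]]+)\]"
)
# Successful handshake: ASSUMED shape of Cyrus' "starttls:" notice ("client
# authentication" when a peer cert was presented); confirm against your syslog.
TLS_RE = re.compile(
    r"starttls: (?P<proto>\S+) with cipher (?P<cipher>\S+) "
    r"\([^)]*\) (?P<auth>client|no) authentication"
)

# Constructed sample; only the first line's content is taken from the thread.
SAMPLE_LOG = [
    "May 18 17:05:12 testimapserver cyrus/imaps[102032]: imaps TLS negotiation "
    "failed: testimapserver [10.0.0.10]",
    "May 18 17:05:13 testimapserver cyrus/imaps[102033]: imaps TLS negotiation "
    "failed: testimapserver [10.0.0.10]",
    "May 18 17:09:40 testimapserver cyrus/imaps[102040]: starttls: TLSv1.3 with "
    "cipher TLS_AES_256_GCM_SHA384 (256/256 bits new) no authentication",
    "May 18 17:09:41 testimapserver cyrus/imaps[102041]: starttls: TLSv1.3 with "
    "cipher TLS_AES_256_GCM_SHA384 (256/256 bits new) client authentication",
    "May 18 17:10:02 testimapserver cyrus/imap[102050]: login: mailclient "
    "[192.0.2.7] bob plaintext User logged in",
]

def parse_line(line):
    """Classify one syslog line; returns a dict, or None for unrelated lines."""
    m = FAILED_RE.search(line)
    if m:
        return {"event": "tls_failed", "service": m["svc"],
                "host": m["host"], "ip": m["ip"]}
    m = TLS_RE.search(line)
    if m:
        return {"event": "tls_ok", "protocol": m["proto"],
                "cipher": m["cipher"], "mutual": m["auth"] == "client"}
    return None

def summarize(lines):
    """Count failed handshakes per peer IP and TLS sessions by auth mode."""
    failed_by_ip = Counter()
    sessions = {"total": 0, "mutual": 0, "server_only": 0}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "tls_failed":
            failed_by_ip[ev["ip"]] += 1
        else:
            sessions["total"] += 1
            sessions["mutual" if ev["mutual"] else "server_only"] += 1
    return {"failed_by_ip": dict(failed_by_ip), "sessions": sessions}

def findings(lines, require_mutual=False):
    """Readable findings; set require_mutual once client certs are expected."""
    s = summarize(lines)
    out = []
    for ip, n in sorted(s["failed_by_ip"].items()):
        out.append(f"{ip}: {n} failed handshake(s) on the implicit-TLS port; a "
                   "client is probably speaking plaintext to it (e.g. sync_client "
                   "whose port spec lacks /tls)")
    if require_mutual and s["sessions"]["server_only"]:
        out.append(f"{s['sessions']['server_only']} TLS session(s) presented no "
                   "client certificate, so mutual authentication is not in effect")
    return out
```

Feed it `sys.stdin` or the output of `journalctl -u cyrus-imapd` split into lines; a non-empty result from `findings()` is the signal that the replication client is still connecting without `/tls`.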
------------------------------------------
Cyrus: Info
Permalink: https://cyrus.topicbox.com/groups/info/T775ec6d234b46b89-M9cb3e9a945091ddb23d1664c
 Delivery options: https://cyrus.topicbox.com/groups/info/subscription




