[Techtalk] tls and mail server

Maria McKinley maria at shadlen.org
Thu Oct 29 08:42:16 UTC 2009


So, I'm not sure what was going on here, but it's looking a bit 
embarrassing. It turns out that I was missing /etc/pam.d/imaps, which was 
why testsaslauthd was not working. Once I got that working, I went back 
through the logs and discovered that imaps was actually only failing for 
one ip. It was just that the one ip was failing a lot, and filling up 
the logs. I really have no idea why imaps was working without 
/etc/pam.d/imaps present, and this evident problem with ldap, that I 
discovered while troubleshooting. But, authentication doesn't seem to be 
the reason why sieve isn't working, which is what brought me here in the 
first place. I think I am going to try to figure out what is going on 
with sieve before figuring out what is going on with ldap, which is 
working for day to day operations. Btw, I did look at the certs, and 
none are expired; looked at the issuer site, and none are revoked.

ugh,
maria

Elwing wrote:
> Your certificate has been revoked or it's untrusted (i.e., you need to add 
> the root certificate to your ldapsearch tool - not sure how to do that 
> though) look at your certificate openssl x509 -out text <cert file> and 
> you should see when it's good to, and you can see the issuer to 
> determine if it's revoked.
> 
> Laura
> 
> 
> On Oct 27, 2009, at 7:50 PM, Maria McKinley wrote:
> 
>> I am using 2.2.13-14+lenny3. I am using a CA from http://www.cacert.org/.
>>
>> Running ldapsearch -x -ZZ -d 255 goes through the certs, reading, 
>> getting what it wants, and then ends with:
>>
>> TLS: peer cert untrusted or revoked (0x42)
>> ldap_err2string
>> ldap_start_tls: Connect error (-11)
>>
>> I'll check out your weblog about the patch, not sure I want to switch 
>> to the experimental package.
>>
>> thanks,
>> maria
>>
>> Elwing wrote:
>>> What version of cyrus are you using?  There is a bug before 2.3.20 (I 
>>> think) that won't accept the cert configuration unless you have a CA 
>>> (most people don't).  It's been fixed in newer versions, and if not, 
>>> I have a patch at 
>>> http://weblog.elwing.org/elwing/index.php/2007/07/18/cyrus-imap-and-certificates/ (and 
>>> more details about the problem).
>>> I've also seen this error when the key doesn't match the cert, and a 
>>> few other things related to the certificates.. it's really hit or 
>>> miss with the *excellent* error messages that cyrus gives you.
>>> Elwing
>>> On Oct 27, 2009, at 6:59 PM, Maria McKinley wrote:
>>>> Greetings,
>>>>
>>>> I am running cyrus/tls/ldap. The imaps connection is not working, 
>>>> but the imap and smtp connections are:
>>>>
>>>> ella:/var/log# testsaslauthd -u "test" -p "xxx" -s smtp
>>>> 0: OK "Success."
>>>> ella:/var/log# testsaslauthd -u "test" -p "xxx" -s imaps
>>>> 0: NO "authentication failed"
>>>> ella:/var/log# testsaslauthd -u "test" -p "xxx" -s imap
>>>> 0: OK "Success."
>>>>
>>>> I can't figure out why this would be. Weirdly, I can connect and 
>>>> check my mail on 993, but trying to access sieve gives errors and 
>>>> times out, and there are lots of these errors in the logs:
>>>>
>>>> cyrus/imaps[18287]: Fatal error: tls_start_servertls() failed
>>>>
>>>> Anybody have an idea where to check? In the meantime, I continue to 
>>>> google and check config files...
>>>>
>>>> thanks,
>>>> maria
>>>> _______________________________________________
>>>> Techtalk mailing list
>>>> Techtalk at linuxchix.org
>>>> http://mailman.linuxchix.org/mailman/listinfo/techtalk
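The checks discussed in this thread, as an added example that is not code from the thread or from cyrus/OpenLDAP: a POSIX shell script that looks at a certificate's validity dates and issuer (what Laura suggests; the working form of that command is `openssl x509 -in <cert file> -noout -text`), and also covers the two other causes she names for the same symptom, a private key that does not belong to the certificate, and a client that does not trust the issuing CA, which is what ldapsearch reports as "peer cert untrusted or revoked (0x42)" when the CA is absent from its `TLS_CACERT` file. The script builds its own throwaway CA and server certificate so it runs offline; the file names, CN values and the `WORK` directory are constructed for the demo, and it assumes `openssl` is installed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Builds a throwaway PKI
# (constructed for the demo) and runs the certificate checks a mail/LDAP
# admin would use when TLS fails with "untrusted or revoked".
set -e

WORK="${WORK:-$(mktemp -d)}"   # assumption: a scratch directory for demo files

# Create a test CA, a server cert signed by it, an unrelated second CA and an
# unrelated key. All names here are constructed for the demonstration.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -out "$WORK/ca.pem" -days 2 -subj "/CN=Demo CA" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other_ca.key" \
        -out "$WORK/other_ca.pem" -days 2 -subj "/CN=Other CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
        -out "$WORK/server.csr" -subj "/CN=ella.example" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.pem" \
        -days 1 >/dev/null 2>&1
    openssl genrsa -out "$WORK/wrong.key" 2048 >/dev/null 2>&1
}

# Subject, issuer and validity window: the "when it's good to" and "who issued
# it" information from the thread, without dumping the whole certificate.
cert_info() {   # $1 = certificate file
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Returns 0 if the certificate is still inside its validity window right now.
cert_not_expired() {   # $1 = certificate file
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Returns 0 if the certificate chains to a CA in the given bundle. Run this
# with the same CA file the client uses (for ldapsearch, the TLS_CACERT file):
# a server cert that verifies against the server's own CA bundle but not the
# client's is exactly the "untrusted" case.
cert_trusted_by() {   # $1 = certificate file, $2 = CA bundle
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Returns 0 if the private key carries the same public key as the certificate.
# A mismatch is one of the "other things related to the certificates" that
# makes the TLS handshake fail on the server side.
key_matches_cert() {   # $1 = certificate file, $2 = private key file
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# Demo run over the constructed files.
make_test_pki
cert_info "$WORK/server.pem"
if cert_not_expired "$WORK/server.pem"; then echo "validity: ok"; else echo "validity: EXPIRED"; fi
if cert_trusted_by "$WORK/server.pem" "$WORK/ca.pem"; then echo "chain vs own CA: trusted"; else echo "chain vs own CA: UNTRUSTED"; fi
if cert_trusted_by "$WORK/server.pem" "$WORK/other_ca.pem"; then echo "chain vs other CA: trusted"; else echo "chain vs other CA: UNTRUSTED (what a client without the CA sees)"; fi
if key_matches_cert "$WORK/server.pem" "$WORK/server.key"; then echo "server.key: matches cert"; else echo "server.key: MISMATCH"; fi
if key_matches_cert "$WORK/server.pem" "$WORK/wrong.key"; then echo "wrong.key: matches cert"; else echo "wrong.key: MISMATCH"; fi
```

Against a live server the same chain check is `openssl s_client -connect host:636 -CAfile <ca bundle>`, which prints the verify result the client would compute; if that passes with the server's CA file but ldapsearch still reports 0x42, the client's `TLS_CACERT` (or the tool's own trust store) is what is missing the CA, not the server certificate.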