Squirrelmail, cram-md5, and ssl

  • #359887
    Anonymous
    Guest

    Question

    I have a functioning Cyrus server with IMAP set up to require SSL and use CRAM-MD5 authentication. I’m not having much luck adding webmail functionality—login attempts result in this error:

    Bad request: IMAP server does not appear to support the authentication method selected. Please contact your system administrator.

    I believe I have properly configured squirrelmail, using /etc/squirrelmail/config/conf.pl. In particular, the server and port are set correctly (i.e., to values that work fine with my mail client), authentication type is cram-md5, TLS is on, and server software is set to macosx. Webmail is enabled in Server Admin. Squirrelmail and Cyrus are communicating (a little): the IMAP log shows this:

    Nov 3 17:20:20 m204 imapd[17523]: imaps TLS negotiation failed: localhost[127.0.0.1]
    Nov 3 17:20:20 m204 imapd[17523]: Fatal error: tls_start_servertls() failed

    Any ideas what the problem could be? TIA!

    #364380
    morgant
    Participant

    I’ve run the same setup and have run into the same problem.

    IMAP requiring SSL and requiring CRAM-MD5 for authentication.
    SMTP use SSL and requiring CRAM-MD5 for authentication (except for relaying accepted from hosts within my internal IP range).

    I’ve configured SquirrelMail’s IMAP setting to use CRAM-MD5 and have changed the port number to 993. I’ve tried combinations of using ‘cyrus’ and ‘macosx’ as the server type, as well as TLS on and off. (All this done via config.pl, of course.)

    I always get the following error:
    Bad request: IMAP server does not appear to support the authentication method selected. Please contact your system administrator.

    What am I missing? I’m surprised no one had a response for the previous poster.

    #364388
    maccanada
    Participant

    Are you talking about the IMAP port? When running Squirrelmail on the same server as the IMAP service, there’s little benefit in encrypting the IMAP traffic between the two. If you’ve separated out the two services onto different servers, sure you’d want this on, but otherwise I’m not sure what purpose it has with a single server setup. Using SSL will encrypt all the traffic from the server down to the client.

    I’m using SSL and cram-md5 with no problems. The IMAP port is 143. 993 is used for IMAPS (or secure IMAP) which is typically used by email clients to talk directly to the IMAP server over SSL.

    Squirrelmail does not currently (or at least properly) support IMAPS, I believe.

    #364393
    morgant
    Participant

    Basically, I switched to CRAM-MD5 authentication and SSL encryption for IMAP & SMTP because we have many employees who have PowerBooks for workstations and are using them internally on Ethernet or WiFi and often from home or on the road. Previously those employees had to remember to use their home ISP’s SMTP server or a .Mac (or similar) account to send from the road.

    This was far from ideal and not really great for business communication, so when I set up our new mail server I went for stronger authentication and encryption all around.

    This setup has been working fine for us, but a few part-time employees have joined our team and share the same handful of computers which only have a single user account running retail software. There’s been a push from management to set them up with webmail so they can do their e-mail during slow periods.

    I was just going to configure SquirrelMail on the mail server as a short term fix and was hoping to do so without compromising security by opening up less secure means of communication. It sounds like this is not possible, correct?

    I know it’s pointless to encrypt the traffic which never leaves the box, but I’m happier doing that for a couple of people than opening up the potential for an employee to copy their mail settings to a new machine, accidentally set it up insecurely, and have private company e-mail going out over the Internet.

    #364518
    morgant
    Participant

    Quote from MacTroll:
    “SQM isn’t able to do SSL because php hasn’t been compiled with imaps extensions, IIRC.

    However, what I typically do in this situation is to open up both 143 and 993, so imap and imaps, but use the firewall to only allow imap connections from 127.0.0.1”

    Thanks for the suggestion. I actually realized that would be the best solution over lunch the same day (just after my last post). I just had to get my brain to look at it from another point of view.

    I haven’t had the chance to make the changes yet, but I’ll try to remember to post the results.

    #364618
    morgant
    Participant

    In case someone searches the forums for this:

    Changed the server’s Mail service Security settings to USE SSL (instead of REQUIRE SSL) for IMAP (it was already set to USE SSL for SMTP).

    Ran /etc/squirrelmail/config/conf.pl to change the IMAP settings to not use Secure IMAP (TLS) and made sure it was connecting to localhost:143.

    Then verified that non-SSL IMAP and POP connections from the outside do not work after modifying the FireWall settings.

    Worked like a charm. Very quick fix.
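
Added example, not part of the original thread or of SquirrelMail: a Python check for the setup described in the post above, confirming that plain IMAP on port 143 advertises CRAM-MD5 locally and is unreachable from outside, and showing the RFC 2195 response that keeps the password off the wire. The function names, the host argument and the sample CAPABILITY line are assumptions made for illustration.

```python
import base64, hashlib, hmac, socket

# Constructed sample of a pre-login CAPABILITY reply (not captured from the thread's server).
SAMPLE = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=CRAM-MD5 LOGINDISABLED\r\n"

def parse_capabilities(line):
    """Extract the flags that matter here from an IMAP '* CAPABILITY' line."""
    tokens = line.strip().split()
    if [t.upper() for t in tokens[:2]] != ["*", "CAPABILITY"]:
        raise ValueError("not a CAPABILITY response")
    caps = {t.upper() for t in tokens[2:]}
    return {
        "auth": sorted(c[5:] for c in caps if c.startswith("AUTH=")),
        "starttls": "STARTTLS" in caps,
        "logindisabled": "LOGINDISABLED" in caps,  # plaintext LOGIN refused
    }

def cram_md5_response(user, password, challenge_b64):
    """RFC 2195: base64("user " + hex(HMAC-MD5(key=password, msg=challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()

def probe_plain_imap(host, port=143, timeout=5):
    """Return parsed capabilities, or None if the port cannot be reached."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            stream = sock.makefile("rwb")
            stream.readline()                      # server greeting
            stream.write(b"a1 CAPABILITY\r\n")
            stream.flush()
            for raw in stream:
                line = raw.decode("ascii", "replace")
                if line.upper().startswith("* CAPABILITY"):
                    return parse_capabilities(line)
                if line.startswith("a1 "):
                    break
    except OSError:
        return None
    raise RuntimeError("server sent no CAPABILITY data")

if __name__ == "__main__":
    print(parse_capabilities(SAMPLE))
    # On the mail server this should list CRAM-MD5; from an outside host it should print None.
    print(probe_plain_imap("localhost"))
```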

    #366375
    Anonymous
    Guest

    Ok this has all been very helpful, although now I am having a small issue when trying to test things. I can finally login to the imap server and move around the folders. I tried to test sending a mail and I receive the following error:

    Authentication required
    Server replied: 530 Must issue a STARTTLS command first

    *** Note I had to require SSL in SMTP to get my Windows IMAP clients (Thunderbird) to be able to send mail…

    Thanks in advance,

    tm

    #366381
    Anonymous
    Guest

    oops – should have been disable require ssl…

    Cheers,
    tm

    #366382
    Anonymous
    Guest

    d’oh and now squirrelmail works – but using ssl over smtp doesn’t work. aaaghh… much for a box that does everything easily. 😉

    tm 😯
