cyrusimap / cyrus-imapd

Cyrus IMAP is an email, contacts and calendar server
http://cyrusimap.org

docs: instructions for setting up imaps/starttls need review #3042

Open elliefm opened 4 years ago

elliefm commented 4 years ago

https://www.cyrusimap.org/imap/installing.html#optional-setting-up-ssl-certificates

This appears to be giving instructions for setting up IMAPS (i.e. IMAP over a TLS-encrypted socket), which as I understand it, is different from STARTTLS (which is IMAP over an unencrypted socket, that then uses the STARTTLS command to negotiate TLS encryption within the IMAP session, rather than already having it at the socket layer).

But at the end of the instructions it says "you should have Cyrus listening on port 993 (the IMAPS port) with the STARTTLS IMAP extension enabled", which given the above, seems incoherent.

As I recall from support days, it's common to conflate IMAPS and IMAP+STARTTLS, so it would not surprise me to find that has happened here too...

We should probably document both setup types, a) so that it's clear that they're distinct, and b) so that someone looking for one doesn't instead configure the other without realising.

But, I came here looking for how to configure this, because I didn't already know, so I can't simply fix it up myself quickly!

MichaelMenge commented 4 years ago

Yes, IMAPS (port 993) and IMAP+STARTTLS (port 143) use different ports and are not compatible.

# cyrus.conf SERVICES entry for IMAPS: imapd needs "-s" so it starts the TLS handshake before the greeting
imaps        cmd="imapd -s" listen="imaps" prefork=0

IMAPS requires the "-s" option for imapd. Running imapd without "-s" listening on 993 will not work, as the client will begin with the TLS handshake without sending the "STARTTLS" command, while Cyrus will send the plain server greeting and expect IMAP commands.

imapd without "-s" will list the STARTTLS CAPABILITY if a cert and key are configured, and depending on the "allowplaintext" option only secure authentication mechanisms will be enabled before STARTTLS is used.

The main difference between IMAPS and IMAP+STARTTLS is that IMAPS is always encrypted, while IMAP+STARTTLS starts unencrypted, which could enable an MITM attack to block the STARTTLS command from the client.

imtest -t "" -u imapuser -a imapuser -w secret localhost

The imtest command without "-s" will use IMAP+STARTTLS on the IMAP port 143; with the "-s" option IMAPS on port 993 will be used.

The "-u" option is only required if you want to authenticate with an admin account and admin password and authorize as the user.

The usage of the "-a" and "-u" options is inconsistent between different Cyrus tools, e.g. compare imtest and cyradm.
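The two behaviours described in the comment above (an IMAPS listener stays silent until the client's TLS ClientHello, a STARTTLS listener greets in the clear and advertises STARTTLS, and an MITM can strip that advertisement) are easy to check from the client side. The following is an added example written for this page, not Cyrus code and not part of the thread: it classifies an endpoint from the first bytes a fresh connection receives, extracts the capability list from the greeting, and applies the client-side policy that defends against STARTTLS stripping (never authenticate in the clear, even if the server appears to allow it). The greeting strings are constructed to mimic the shapes discussed; the host and port in the live probe are assumptions.

```python
"""Classify an IMAP endpoint as IMAPS (imapd -s) or IMAP+STARTTLS (plain imapd)
and decide whether a client may authenticate.  Added example, not Cyrus code."""
import socket
import sys

# Constructed sample greetings (not captured from a real server).
# Plain imapd with a cert/key and allowplaintext off: STARTTLS offered, LOGIN disabled.
PLAIN_GREETING = (b"* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=CRAM-MD5]"
                  b" mail.example.org Cyrus IMAP ready\r\n")
# Same server as seen through an MITM that removed STARTTLS and offers plaintext auth.
STRIPPED_GREETING = (b"* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN]"
                     b" mail.example.org Cyrus IMAP ready\r\n")


def classify_first_bytes(data):
    """Classify an endpoint from what the client receives right after connect().

    imapd -s (IMAPS, port 993) runs the TLS handshake first and sends no
    cleartext greeting, so a read times out -> None/b''.
    imapd without -s (port 143) greets immediately with '* OK' (or '* PREAUTH')."""
    if not data:
        return "imaps"
    if data.startswith(b"* OK") or data.startswith(b"* PREAUTH"):
        return "imap-starttls"
    return "unknown"


def parse_capabilities(greeting):
    """Return the capability tokens from a '[CAPABILITY ...]' response code
    or a '* CAPABILITY ...' untagged reply; empty set if none is present."""
    text = greeting.decode("ascii", "replace")
    start = text.find("CAPABILITY")
    if start < 0:
        return set()
    rest = text[start + len("CAPABILITY"):]
    end = rest.find("]")
    if end < 0:
        end = len(rest)
    return set(rest[:end].split())


def may_authenticate(caps, tls_active):
    """Client policy against STARTTLS stripping.

    Once TLS is active (IMAPS, or after a successful STARTTLS) any mechanism is
    acceptable.  Before TLS, proceed only if STARTTLS is advertised (and then
    upgrade first); if it is missing, refuse rather than fall back to cleartext
    LOGIN/AUTH=PLAIN, because a missing STARTTLS is exactly what an MITM produces."""
    if tls_active:
        return True
    return "STARTTLS" in caps


def probe(host, port, timeout=3.0):
    """Live check: connect, wait for a cleartext greeting, classify.
    Returns (kind, capabilities).  Assumed host/port; requires network access."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    kind = classify_first_bytes(data)
    caps = parse_capabilities(data) if kind == "imap-starttls" else set()
    return kind, caps


if __name__ == "__main__":
    # Usage: python probe_imap.py mail.example.org 143   (hypothetical host)
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 143
    kind, caps = probe(host, port)
    print(f"{host}:{port} looks like {kind}; capabilities before TLS: {sorted(caps)}")
    if kind == "imap-starttls":
        print("cleartext auth permitted by policy:", may_authenticate(caps, tls_active=False))
```

Pointing the probe at a port 993 listener that was configured without `-s` reproduces the failure mode MichaelMenge describes: it reports `imap-starttls` because the server greets in the clear, whereas a correctly configured `imapd -s` listener reports `imaps` after the read times out.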