Hi all, hoping you might be able to help me out.

I have a Perdition proxy server (v1.17.1-1) set up to forward users to one of two Cyrus (v2.3.16) backend mailstores based on an LDAP query. Everything works fine except for securing the connection between Perdition and Cyrus; somehow Perdition is seemingly ignoring the STARTTLS entry in the mail server's CAPABILITY string. STARTTLS works perfectly fine connecting from the Perdition server to the Cyrus server using both "imtest" and "openssl s_client".

The certs are all signed by a separate test CA I set up the other day and work fine otherwise. I've posted the log and relevant Perdition configs below, and I’ve tested the backend servers individually to ensure STARTTLS is working fine on Cyrus’ end. Have I messed something up?

##/var/log/maillog##

    Sep  3 10:23:34 perdition-host perdition[20007]: Connect: client.example.com -> perdition.example.com
    Sep  3 10:23:34 perdition-host perdition[20007]: SELF:   "* OK IMAP4 Ready perdition.example.com 00021e71\r\n"
    Sep  3 10:23:34 perdition-host perdition[20007]: CLIENT: "1 STARTTLS\r\n"
    Sep  3 10:23:34 perdition-host perdition[20007]: SELF:   "1 OK Begin TLS negotiation now\r\n"
    Sep  3 10:23:34 perdition-host perdition[20007]: SSL connection using AES256-GCM-SHA384
    Sep  3 10:23:34 perdition-host perdition[20007]: CLIENT: "2 login \"user-test@email.example.com\" \"password\""
    Sep  3 10:23:34 perdition-host perdition[20007]: CLIENT: "\r\n"
    Sep  3 10:23:34 perdition-host perdition[20007]: username_add_domain: username_add_domain 0 1 0x260e0b4
    Sep  3 10:23:34 perdition-host perdition[20007]: username_add_domain: username_add_domain 0 4 0x260e0b4
    Sep  3 10:23:34 perdition-host perdition[20007]: REAL:   "* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE] server ready\r\n* OK [ALERT] Cyrus01\r\n"
    Sep  3 10:23:34 perdition-host perdition[20007]: SELF:   "flim07 CAPABILITY\r\n"
    Sep  3 10:23:34 perdition-host perdition[20007]: tls_outgoing_force is set, but the real-server does not have the STARTTLS capability, connection will not be encrypted
    Sep  3 10:23:34 perdition-host perdition[20007]: SELF:   "flim07 CAPABILITY\r\n"
    Sep  3 10:23:34 perdition-host perdition[20007]: REAL:   "* CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH\r\nflim07 OK Completed\r\n"
    Sep  3 10:23:34 perdition-host perdition[20007]: SELF:   "flim08 LOGIN {37}\r\n"
    Sep  3 10:23:34 perdition-host perdition[20007]: REAL:   "* CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH\r\nflim07 OK Completed\r\n"
    Sep  3 10:23:34 perdition-host perdition[20007]: SELF:   "* CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH\r\n"
    Sep  3 10:23:34 perdition-host perdition[20007]: imap4_out_response: invalid tag from server 1
    Sep  3 10:23:34 perdition-host perdition[20007]: imap4_out_authenticate: imap4_out_response login
    Sep  3 10:23:34 perdition-host perdition[20007]: SELF:   "user-test@email.example.com {9}\r\n"
    Sep  3 10:23:34 perdition-host perdition[20007]: REAL:   "+ go ahead\r\n"
    Sep  3 10:23:34 perdition-host perdition[20007]: SELF:   "password\r\n"
    Sep  3 10:23:34 perdition-host perdition[20007]: REAL:   "+ go ahead\r\n"
    Sep  3 10:23:34 perdition-host perdition[20007]: imap4_out_response: invalid tag from server 1
    Sep  3 10:23:34 perdition-host perdition[20007]: imap4_out_authenticate: imap4_out_response passwd
    Sep  3 10:23:34 perdition-host perdition[20007]: main: protocol->out_authenticate -1
    Sep  3 10:23:34 perdition-host perdition[20007]: Fatal error authenticating user. Exiting child.

##/etc/sysconfig/perdition##

    RUN_PERDITION=yes
    POP3=no
    POP3S=no
    IMAP4=no
    IMAP4S=yes

##/usr/etc/perdition/perdition_imap4s.conf##

    (All left default except following options:)
    connection_logging
    debug
    listen_port 143
    map_library /usr/lib/libperditiondb_ldap.so.0
    map_library_opt "ldap:<ldap_url_here>"
    ok_line Connected to perdition IMAP proxy.
    protocol IMAP4S
    outgoing_port 143
    pid_file /var/run/perdition/perdition.imap4s.pid
    timeout 60
    ssl_mode tls_all
    ssl_ca_file /etc/pki/tls/certs/ca.crt
    ssl_ca_accept_self_signed
    ssl_cert_file /etc/pki/tls/private/host_perdition.crt
    ssl_cert_accept_self_signed
    ssl_key_file /etc/pki/tls/private/host_perdition.key

Thanks in advance for any help, I’ve spent a good amount of time stuck on this issue.

Steven Kelbley
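The warning in the log above says the backend lacks STARTTLS even though both the greeting's `[CAPABILITY ...]` response code and the untagged `* CAPABILITY` reply list it. The following is an added example, not part of the original post and not Perdition's own code: it parses a capability advertisement in either of those two forms (the two shapes Perdition receives in the log) and, as a live check equivalent to the poster's `imtest`/`openssl s_client` tests, connects to a backend, confirms STARTTLS is advertised, upgrades the session with certificate verification against the CA file, and reports the cipher. Host, port and CA path are assumed arguments; the sample lines are constructed after the log.

```python
import imaplib
import re
import ssl

# Constructed sample replies, modelled on the REAL: lines in the post's log.
GREETING = ('* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN '
            'AUTH=LOGIN SASL-IR COMPRESS=DEFLATE] server ready\r\n'
            '* OK [ALERT] Cyrus01\r\n')
UNTAGGED = ('* CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN '
            'AUTH=LOGIN SASL-IR COMPRESS=DEFLATE ACL QUOTA IDLE\r\n'
            'flim07 OK Completed\r\n')

def parse_capabilities(data: str) -> set:
    """Collect capability atoms from an IMAP greeting response code
    ('* OK [CAPABILITY ...]') and/or an untagged '* CAPABILITY ...' line.
    Matching is case-insensitive, as IMAP atoms are."""
    caps = set()
    for line in data.split('\r\n'):
        m = re.match(r'\* OK \[CAPABILITY ([^\]]*)\]', line, re.IGNORECASE)
        if m is None:
            m = re.match(r'\* CAPABILITY (.*)$', line, re.IGNORECASE)
        if m:
            caps.update(m.group(1).upper().split())
    return caps

def advertises_starttls(data: str) -> bool:
    """True if STARTTLS appears in the advertised capabilities."""
    return 'STARTTLS' in parse_capabilities(data)

def check_backend_starttls(host: str, port: int, cafile: str) -> dict:
    """Live check (assumed host/port/CA path): connect in the clear, require
    STARTTLS in the advertised capabilities, upgrade with the backend
    certificate verified against cafile, then re-read capabilities."""
    ctx = ssl.create_default_context(cafile=cafile)   # verifies cert + hostname
    imap = imaplib.IMAP4(host, port)                  # capabilities read from greeting
    before = {c.upper() for c in imap.capabilities}
    if 'STARTTLS' not in before:
        imap.logout()
        return {'starttls': False, 'cipher': None, 'caps_before': before}
    imap.starttls(ssl_context=ctx)                    # fails on an untrusted cert
    after = {c.upper() for c in imap.capabilities}    # refreshed after the upgrade
    cipher = imap.sock.cipher()
    imap.logout()
    return {'starttls': True, 'cipher': cipher,
            'caps_before': before, 'caps_after': after}

if __name__ == '__main__':
    print('greeting advertises STARTTLS:', advertises_starttls(GREETING))
    print('untagged advertises STARTTLS:', advertises_starttls(UNTAGGED))
```

Run `check_backend_starttls('cyrus01.example.com', 143, '/etc/pki/tls/certs/ca.crt')` from the proxy host; a result with `'starttls': True` and a named cipher shows the backend side is fine and the gap is in how the proxy reads the advertisement.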