tpop3d-devel

Re: [tpop3d-discuss] TLS status


From: Paul Makepeace
Subject: Re: [tpop3d-discuss] TLS status
Date: Tue, 29 Jul 2003 20:08:22 +0100
User-agent: Mutt/1.5.3i

On Tue, Jul 29, 2003 at 02:55:28PM +0100, Chris Lightfoot wrote:
> On Tue, Jul 29, 2003 at 02:50:56PM +0100, Paul Makepeace wrote:
> > On Tue, Jul 29, 2003 at 02:23:40PM +0100, Chris Lightfoot wrote:
>     [ the joy of SSL ]
> > > > experimentation.
> > > 
> > > The stuff is documented in the latest man pages.
> > 
> > Hmm, I have :
> > 
> > listen-address: 0.0.0.0:995;tls=immediate,certificate=/etc/mail/cert 
> > 0.0.0.0:11000

** That should in fact not have the "certificate=" bit.

> > 
> > And yet when I telnet to 995 I get intelligible text which is not what
> > I'd expect from an "immediate" connection.
> 
> No, that's what you should expect -- tpop3d is sending the
> first bit of TLS negotiation bumf, which is not human

I did say /intelligible/, i.e. I can read it, viz:

$ telnet localhost 995
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK <address@hidden>
^]
telnet> close
Connection closed.
$

Anyway it turned out I accidentally was executing the old tpop3d. Duh,
pardon me. It seems to be working at least from the openssl command line
test. Once I've had users try it I'll make an INSTALL.TLS doc or
something for my sins.

> mode where you establish the TLS connection as soon as the
> physical connection is established. It's not exactly
> obvious, is it?

This bit I did actually understand from the docs :)

I noticed that if tpop3d can't bind to all its ports it is merely a
warning not an error and the daemon doesn't exit. I was surprised by
this as I'd generally treat failure to bind as a hard error; is this
intentional?

Paul

-- 
Paul Makepeace ....................................... http://paulm.com/

"If life is good, then will I really have to explain this to my
 parents."
   -- http://paulm.com/toys/surrealism/
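
Added example, not part of the message above or of tpop3d: a Python probe for the check discussed in the thread, telling a listener that greets in cleartext (the +OK seen over telnet) apart from one that requires a TLS handshake first. The function names, the 2-second wait and the localhost:995 target are assumptions made for this illustration.

```python
import socket
import ssl

def classify_first_bytes(data: bytes) -> str:
    """Classify what a server sent before the client said anything."""
    if not data:
        # In TLS the client speaks first, so a raw TCP client sees silence.
        return "silent"
    if data.startswith((b"+OK", b"-ERR")):
        return "plaintext-pop3"      # POP3 greeting sent in the clear
    if len(data) >= 3 and data[0] in (0x14, 0x15, 0x16, 0x17) and data[1] == 3:
        return "tls-record"          # TLS record header (type, major version)
    return "unknown"

def probe(host: str, port: int, wait: float = 2.0) -> dict:
    """Check whether host:port greets in cleartext or requires TLS first."""
    result = {"greeting": "silent", "tls": False, "banner": None}
    with socket.create_connection((host, port), timeout=wait) as raw:
        try:
            result["greeting"] = classify_first_bytes(raw.recv(512))
        except OSError:              # timeout or reset: nothing readable
            pass
    if result["greeting"] == "plaintext-pop3":
        return result                # not an immediate-TLS listener
    # Verification is off because only the listener mode is being checked
    # (test certificates are often self-signed); not for use in a mail client.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=wait) as raw:
            with ctx.wrap_socket(raw) as tls:
                result["tls"] = True
                result["banner"] = tls.recv(512).decode("ascii", "replace").strip()
    except OSError:                  # ssl.SSLError is a subclass of OSError
        pass
    return result

if __name__ == "__main__":
    # Assumed target: the listener from the message, on the local machine.
    print(probe("localhost", 995))
```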

