Archive for the Category: Technology

Author: elwing
• Friday, April 25th, 2008

Several versions after I patched it myself (and submitted the patch to the developer list), Cyrus developers have finally realized that their SSL code is a bit “broke” (it’s really OpenSSL, but they have no plans to fix it). Version 2.3.12 properly accepts a certificate file with no CA data set.

I’m even referenced in the mailing list discussion! I am however a little miffed that my patch wasn’t accepted almost a year ago when I first submitted it.

Category: Technology
Author: elwing
• Monday, November 26th, 2007

So, if you haven’t heard already, Leopard has this new file system - Case Sensitive, Journaled. Well, the WoW installer won’t work on it (and neither will Adobe stuff, like acrobat or CS3). And the only way to get not case sensitive? Re-format. Yeah, you heard that right, re-format a drive I just spent about a week getting configured the way I wanted to. Enter Time Machine. I have it configured to back itself up every hour (the default). I reformatted and re-installed my primary partition (after backing up the important documents to another partition of course). When it booted, it asked if I had another mac (or perhaps a Time Machine backup) that I wanted to transfer the settings from. Of course! So I waited (about an hour) for Time Machine to restore itself, and I’m back and happy. The only thing that didn’t restore properly was the Missing Sync, but I wasn’t really surprised as it’s a kernel module, and there’s really no reason for Time Machine to back up kernel modules.

I’m a very happy camper at this moment. And on the plus side, we made a pretty hefty purchase at newegg which should be arriving soon. I’ll post more details about that when I’ve had more time to sleep :)

Category: Technology
Author: elwing
• Monday, July 23rd, 2007

The new mail server is up and running and is acting as the primary MX for my domain. I’m going to leave my old server up as the secondary MX just in case, but the server passed all the tests I gave it. I have Exim and Cyrus working together with SpamAssassin and ClamAV to deliver mail to virtual domains. The server is currently handling mail for three domains (elwing.org and two others) with alias files for each domain. So, postmaster at domain1.tld and postmaster at domain2.tld can be different. (They’re all pointing to my account at the moment, but they don’t have to be!)

I pretty much used my old configuration file with a few tweaks to tell exim how to deal with virtual aliases. Cyrus handles virtual domains out of the box (2.2+), but the concept of a global admin doesn’t exist when you’re using PAM as an authentication method. And the PAM file looks a lot like user@domain:password. When trying to log into cyrus as the global admin user, saslauthd would think that the realm was org (the machine’s name is elwing.org, so I’m guessing it came from there), and 1) I couldn’t log in because I didn’t have an entry in the password file for it, and 2) I wasn’t the global admin. It’s a little annoying that I have to have multiple admin accounts, but as I’m working on writing scripts for user maintenance, it’s not that big of a deal.

If you send me e-mail to elwing.org and it bounces, please forward the full response (and headers if you can) to my gmail account (elwing) and I’ll debug it. Thanks!

Category: Technology
Author: elwing
• Wednesday, July 18th, 2007

I’ve *finally* discovered why my IMAP server no longer likes my self-signed certificates. The certificates are just fine. Cyrus is just fine. It’s OpenSSL that’s the problem - Bug 1513 to be exact.

The error messages, for anyone searching:

Jul 18 22:00:22 server imaps[71643]: TLS server engine: cannot load CA data
Jul 18 22:00:22 server imaps[71643]: unable to get certificate from '/usr/local/etc/imap.crt'
Jul 18 22:00:22 server imaps[71643]: unable to get certificate from '/usr/local/etc/imap.crt'
Jul 18 22:00:22 server imaps[71643]: TLS server engine: cannot load cert/key data
Jul 18 22:00:22 server imaps[71643]: TLS server engine: cannot load cert/key data
Jul 18 22:00:22 server imaps[71643]: error initializing TLS
Jul 18 22:00:22 server imaps[71643]: error initializing TLS
Jul 18 22:00:22 server imaps[71643]: Fatal error: tls_init() failed

Cyrus calls SSL_CTX_use_certificate_chain_file() to read in the certificate file. In my case, since I don’t have CA data set, an earlier call fails and leaves its error sitting on OpenSSL’s error queue, so SSL_CTX_use_certificate_chain_file() also reports an error, even though the certificate and key are just fine.

I wrote a small patch for FreeBSD 6.2, but the basic idea is this: in imap/tls.c, search for the SSL_CTX_use_certificate_chain_file() call (it’s inside set_cert_stuff()) and, on the line immediately before that call, add ERR_clear_error();

That’s it! You should now be able to use TLS.
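Before touching the library, it is worth confirming the post’s premise that the certificate and key really are fine. This added script (not part of the original post) checks that both files parse, that the key belongs to the certificate, and how many certificates the file carries; the file names are placeholders and the demo generates throwaway material of its own.

```shell
#!/bin/sh
# Added example: rule the certificate out before blaming the TLS stack.
# Requires the openssl command-line tool.

# Print "match" if the public key inside the certificate equals the public
# half of the private key, "mismatch" otherwise. Works for RSA and EC keys.
check_pair() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
    key_pub=$(openssl pkey -pubout -in "$2") || return 1
    if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# Count PEM certificate blocks in a file: 1 means a bare server certificate
# with no CA chain appended, the situation described in the post.
chain_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Self-test on constructed throwaway files in a temporary directory.
# Returns 0 only if the matching pair, the mismatched pair and the chain
# count all come out as expected.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=imap.example.test' \
        -keyout "$d/imap.key" -out "$d/imap.crt" >/dev/null 2>&1 || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/other.key" >/dev/null 2>&1 || return 1
    r1=$(check_pair "$d/imap.crt" "$d/imap.key")
    r2=$(check_pair "$d/imap.crt" "$d/other.key")
    n=$(chain_count "$d/imap.crt")
    rm -rf "$d"
    [ "$r1" = match ] && [ "$r2" = mismatch ] && [ "$n" = 1 ]
}
```

Run check_pair against the real imap.crt and its key; if it prints match and the log still says the certificate cannot be loaded, the fault is downstream of the files.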

Caveat: Use this patch at your own risk, I am not responsible for anything that happens to your system if you use it and it doesn’t work for you. I know this is not the best solution in the world, but it’s a decent workaround until the OpenSSL guys can get their act together.

Category: Technology
Author: elwing
• Friday, July 06th, 2007

All of my web server traffic has now been moved to my new host - so if you notice anything out of the ordinary, please let me know so that I can remedy it ASAP :)

For those of you who have previously complained that my server was too slow, that shouldn’t be a problem now :)

Category: Technology