[horde] ingo TLS certificate error problem

Andy Dorman adorman at ironicdesign.com
Tue Nov 1 14:56:34 UTC 2016


We have several servers that support a spam/virus filtering service and 
an email service of a different name.  The email filtering and email 
hosting services use different domain names and the server host names 
use a third, our company domain name.

The problem happens when Ingo tries to use TLS to connect and the 
certificate is for the email hosting service (mail.FanMail.com) and the 
server name is for our company (IronicDesign.com).

This causes PHP to complain as shown here:

HORDE: [ingo] PHP ERROR: stream_socket_enable_crypto(): Peer certificate CN=`mail.fanmail.com' did not match expected CN=`yorick.ironicdesign.com' [pid 26001 on line 1215 of "/usr/share/php/Net/Sieve.php"]

and the user sees an error: "Script not updated: There was an error 
activating the script. The driver said: Failed to establish TLS connection"

After Googling I found where I can tell PHP to not verify the peer:

$conf['ssl']['verify_peer'] = FALSE;
$conf['ssl']['verify_peer_name'] = FALSE;

OR I could possibly tell Ingo to use the mail.fanmail.com certificate?

I am trying to figure out which approach will work and how to apply it. 
I would prefer to use ingo/backends.local.php which we already use to 
set the appropriate host name for a user to connect to.

However, I cannot find an option like these below in our current 
backends.local.php to tell Ingo or PHP to use the 'mail.fanmail.com' 
certificate.

$backends['sieve']['transport'][Ingo::RULE_ALL]['params']['logintype'] = 'PLAIN';
$backends['sieve']['transport'][Ingo::RULE_ALL]['params']['usetls'] = true;
$backends['sieve']['transport'][Ingo::RULE_ALL]['params']['port'] = 4190;

I suppose a third option is to set 'usetls' to false, but I would prefer 
not to do that as some day we hope to move our mail servers into VMs 
outside our local network.

Thanks for any help.

-- 
Andy Dorman
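
Added example, not part of the original post and not Horde, Ingo or Net_Sieve code: a plain PHP ManageSieve STARTTLS client that connects to the server's own host name but keeps certificate verification on by setting PHP's `peer_name` SSL context option (PHP 5.6+) to the name the certificate carries. The function names are hypothetical, the host names and port are the ones quoted in the post, and how such options would be passed through ingo/backends.local.php is not shown here.

```php
<?php
// Added example: function names are hypothetical; hosts and port come from the post.

/** SSL context options that keep verification on but name the certificate's host. */
function sieve_ssl_options(string $certName): array
{
    return ['ssl' => [
        'verify_peer'      => true,       // still validate the certificate chain
        'verify_peer_name' => true,       // still validate the name...
        'peer_name'        => $certName,  // ...against the name the cert carries
    ]];
}

/** Read ManageSieve response lines until the final OK/NO/BYE status line. */
function sieve_read_status($fp): string
{
    while (($line = fgets($fp)) !== false) {
        if (preg_match('/^(OK|NO|BYE)\b/i', $line)) {
            return rtrim($line);
        }
    }
    throw new RuntimeException('connection closed before a status line');
}

/** Connect by server host name, issue STARTTLS, verify against $certName. */
function sieve_starttls(string $connectHost, int $port, string $certName)
{
    $ctx = stream_context_create(sieve_ssl_options($certName));
    $fp = stream_socket_client("tcp://$connectHost:$port", $errno, $errstr, 10,
                               STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        throw new RuntimeException("connect failed: $errstr");
    }
    sieve_read_status($fp);                 // capability greeting ends with OK
    fwrite($fp, "STARTTLS\r\n");
    if (stripos(sieve_read_status($fp), 'OK') !== 0) {
        throw new RuntimeException('server refused STARTTLS');
    }
    if (stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT) !== true) {
        throw new RuntimeException('TLS handshake or certificate check failed');
    }
    return $fp;
}

// Runs only when a host is given: php sieve_tls.php yorick.ironicdesign.com
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $fp = sieve_starttls($argv[1], 4190, 'mail.fanmail.com');
    echo "TLS established; certificate verified as mail.fanmail.com\n";
}
```

With `peer_name` set, the handshake fails only if the certificate is not valid for mail.fanmail.com or its chain does not verify, so the name mismatch is resolved without turning off `verify_peer` or `verify_peer_name`.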
