[horde] ingo TLS certificate error problem

Arjen de Korte arjen+horde at de-korte.org
Tue Nov 1 15:48:59 UTC 2016 

Citeren Andy Dorman <adorman at ironicdesign.com>:

> We have several servers that support a spam/virus filtering service  
> and an email service of a different name.  The email filtering and  
> email hosting services use different domain names and the server  
> host names use a third, our company domain name.
>
> The problem happens when Ingo tries to use TLS to connect and the  
> certificate is for the email hosting service (mail.FanMail.com) and  
> the server name is for our company (IronicDesign.com).
>
> This causes PHP to complain as shown here
>
> HORDE: [ingo] PHP ERROR: stream_socket_enable_crypto(): Peer  
> certificate CN=`mail.fanmail.com' did not match expected  
> CN=`yorick.ironicdesign.com' [pid 26001 on line 1215 of  
> "/usr/share/php/Net/Sieve.php"]
>
> and the user sees an error: "Script not updated: There was an error  
> activating the script. The driver said: Failed to establish TLS  
> connection"
>
> After Googling I found where I can tell PHP to not verify the peer
>
> $conf['ssl']['verify_peer'] = FALSE;
> $conf['ssl']['verify_peer_name'] = FALSE;
>
> OR I could possibly tell Ingo to use the mail.fanmail.com certificate?
>
> I am trying to figure out which approach will work and how to apply  
> it. I would prefer to use ingo/backends.local.php which we already  
> use to set the appropriate host name for a user to connect to.

In that case, you should set the hostspec to 'mail.fanmail.com'. Of  
course, that name should (DNS) resolve to the IP address of the server  
where Sieve is living.

<?php
$backends['imap']['disabled'] = true;
$backends['sieve']['disabled'] = false;
$backends['sieve']['transport'][Ingo::RULE_ALL]['params']['hostspec']  
= 'mail.fanmail.com';

Of course, the certificate on the server should contain  
CN='mail.fanmail.com'. TLS doesn't care about hostname greetings, the  
verification process uses the CN in the certificate and must match the  
(forward) DNS record of that CN (reverse is not required).

> However, I can not find an option like these below in our current  
> backends.local.php to tell Ingo or PHP to use the 'mail.fanmail.com'  
> certificate.
>
> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['logintype'] =  
> 'PLAIN';
> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['usetls'] = true;
> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['port'] = 4190;
>
> I suppose a third option is to set 'usetls' to false, but I would  
> prefer not to do that as some day we hope to move our mail servers  
> into VMs outside our local network.
>
> Thanks for any help.
>
> -- 
> Andy Dorman

More information about the horde mailing list