[horde] ingo TLS certificate error problem
Andy Dorman
adorman at ironicdesign.com
Tue Nov 1 19:48:23 UTC 2016
On 11/01/2016 10:48 AM, Arjen de Korte wrote:
> Citeren Andy Dorman <adorman at ironicdesign.com>:
>
>> We have several servers that support a spam/virus filtering service
>> and an email service of a different name. The email filtering and
>> email hosting services use different domain names and the server host
>> names use a third, our company domain name.
>>
>> The problem happens when Ingo tries to use TLS to connect and the
>> certificate is for the email hosting service (mail.FanMail.com) and
>> the server name is for our company (IronicDesign.com).
>>
>> This causes PHP to complain as shown here
>>
>> HORDE: [ingo] PHP ERROR: stream_socket_enable_crypto(): Peer
>> certificate CN=`mail.fanmail.com' did not match expected
>> CN=`yorick.ironicdesign.com' [pid 26001 on line 1215 of
>> "/usr/share/php/Net/Sieve.php"]
>>
>> and the user sees an error: "Script not updated: There was an error
>> activating the script. The driver said: Failed to establish TLS
>> connection"
>>
>> After Googling I found where I can tell PHP to not verify the peer
>>
>> $conf['ssl']['verify_peer'] = FALSE;
>> $conf['ssl']['verify_peer_name'] = FALSE;
>>
>> OR I could possibly tell Ingo to use the mail.fanmail.com certificate?
>>
>> I am trying to figure out which approach will work and how to apply
>> it. I would prefer to use ingo/backends.local.php which we already use
>> to set the appropriate host name for a user to connect to.
>
> In that case, you should set the hostspec to 'mail.fanmail.com'. Of
> course, that name should (DNS) resolve to the IP address of the server
> where Sieve is living.
>
> <?php
> $backends['imap']['disabled'] = true;
> $backends['sieve']['disabled'] = false;
> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['hostspec'] =
> 'mail.fanmail.com';
>
> Of course, the certificate on the server should contain
> CN='mail.fanmail.com'. TLS doesn't care about hostname greetings, the
> verification process uses the CN in the certificate and must match the
> (forward) DNS record of that CN (reverse is not required).
>
>> However, I can not find an option like these below in our current
>> backends.local.php to tell Ingo or PHP to use the 'mail.fanmail.com'
>> certificate.
>>
>> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['logintype']
>> = 'PLAIN';
>> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['usetls'] =
>> true;
>> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['port'] = 4190;
>>
>> I suppose a third option is to set 'usetls' to false, but I would
>> prefer not to do that as some day we hope to move our mail servers
>> into VMs outside our local network.
>>
>> Thanks for any help.
>>
>> --
>> Andy Dorman
>
Sorry, I would love to do that, but it won't work. We have a bunch of
servers that are all doing email+sieve for mail.fanmail.com users and
domain.
When the user logs into webmail, the Imp/Ingo client does an LDAP lookup
(in backends.local.php) for the specific server/host that contains that
user's email+sieve scripts. That email+sieve server
(yorick.ironicdesign.com in my log line above) has to be used in the
hostspec so Imp and Ingo pass their requests to the correct server.
So I have to set hostspec to be the physical server, but the SSL
certificate is for the service, mail.fanmail.com.
For now I suppose I will turn off tls. That is OK since all our sieve
requests use a private internal network space. We will just have to
figure out a solution before we can move our IMAP servers to VMs in
remote hosts.
Andy Dorman
More information about the horde
mailing list