[horde] ingo TLS certificate error problem gets weirder

Grouchy Sysadmin sysadmin at i.grouchysysadmin.com
Tue Nov 1 20:23:33 UTC 2016

On 11/01/2016 03:15 PM, Andy Dorman wrote:
> On 11/01/2016 02:48 PM, Andy Dorman wrote:
>> On 11/01/2016 10:48 AM, Arjen de Korte wrote:
>>> Citeren Andy Dorman <adorman at ironicdesign.com>:
>>>> We have several servers that support a spam/virus filtering service
>>>> and an email service of a different name.  The email filtering and
>>>> email hosting services use different domain names and the server host
>>>> names use a third, our company domain name.
>>>> The problem happens when Ingo tries to use TLS to connect and the
>>>> certificate is for the email hosting service (mail.FanMail.com) and
>>>> the server name is for our company (IronicDesign.com).
>>>> This causes PHP to complain as shown here
>>>> HORDE: [ingo] PHP ERROR: stream_socket_enable_crypto(): Peer
>>>> certificate CN=`mail.fanmail.com' did not match expected
>>>> CN=`yorick.ironicdesign.com' [pid 26001 on line 1215 of
>>>> "/usr/share/php/Net/Sieve.php"]
>>>> and the user sees an error: "Script not updated: There was an error
>>>> activating the script. The driver said: Failed to establish TLS
>>>> connection"
>>>> After Googling I found where I can tell PHP to not verify the peer
>>>> $conf['ssl']['verify_peer'] = FALSE;
>>>> $conf['ssl']['verify_peer_name'] = FALSE;
>>>> OR I could possibly tell Ingo to use the mail.fanmail.com certificate?
>>>> I am trying to figure out which approach will work and how to apply
>>>> it. I would prefer to use ingo/backends.local.php which we already use
>>>> to set the appropriate host name for a user to connect to.
>>> In that case, you should set the hostspec to 'mail.fanmail.com'. Of
>>> course, that name should (DNS) resolve to the IP address of the server
>>> where Sieve is living.
>>> <?php
>>> $backends['imap']['disabled'] = true;
>>> $backends['sieve']['disabled'] = false;
>>> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['hostspec'] =
>>> 'mail.fanmail.com';
>>> Of course, the certificate on the server should contain
>>> CN='mail.fanmail.com'. TLS doesn't care about hostname greetings, the
>>> verification process uses the CN in the certificate and must match the
>>> (forward) DNS record of that CN (reverse is not required).
>>>> However, I can not find an option like these below in our current
>>>> backends.local.php to tell Ingo or PHP to use the 'mail.fanmail.com'
>>>> certificate.
>>>> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['logintype']
>>>> = 'PLAIN';
>>>> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['usetls'] =
>>>> true;
>>>> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['port'] =
>>>> 4190;
>>>> I suppose a third option is to set 'usetls' to false, but I would
>>>> prefer not to do that as some day we hope to move our mail servers
>>>> into VMs outside our local network.
>>>> Thanks for any help.
>>>> -- 
>>>> Andy Dorman
>> Sorry, I would love to do that, but it won't work.  We have a bunch of
>> servers that are all doing email+sieve for mail.fanmail.com users and
>> domain.
>> When the user logs into webmail, the Imp/Ingo client does an LDAP lookup
>> (in backends.local.php) for the specific server/host that contains that
>> user's email+sieve scripts. That email+sieve server
>> (yorick.ironicdesign.com in my log line above) has to be used in the
>> hostspec so Imp and Ingo pass their requests to the correct server.
>> So I have to set hostspec to be the physical server, but the SSL
>> certificate is for the service, mail.fanmail.com.
>> For now I suppose I will turn off tls.  That is OK since all our sieve
>> requests use a private internal network space. We will just have to
>> figure out a solution before we can move our IMAP servers to VMs in
>> remote hosts.
>> Andy Dorman
> OK, this is weird...so I thought I could turn tls off by setting this in
> backends.local.php:
> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['usetls'] =
> false;
> But even after restarting php-fpm and Apache2 I continue to get this log
> error:
> HORDE: [ingo] PHP ERROR: stream_socket_enable_crypto(): Peer certificate
> CN=`mail.fanmail.com' did not match expected
> CN=`yorick.ironicdesign.com' [pid 26624 on line 1215 of
> "/usr/share/php/Net/Sieve.php"]
> and the user still sees the error alert I mentioned above.
> Interestingly enough, the changes that trigger the error are successful.
> If it wasn't for the PHP ERROR log line and the alert to the user, there
> would be no problem.
> I apologize for not mentioning this before, but this is a Debian setup
> with Horde Groupware Webmail Edition 5.2.16 (Horde 5.2.12, Imp 6.2.16 &
> Ingo 3.2.12) and Cyrus IMAP 2.5.10.
> Andy Dorman

Hi Andy,

Is Cyrus trying to establish a TLS connection first? That might be what
is causing the user-visible error. I had a similar issue, and had to
whitelist the Ingo server for cleartext connections from Dovecot.
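The thread's choice was between disabling certificate verification and disabling TLS. PHP's stream layer offers a third route that keeps verification on: tell it which name to expect via the `peer_name` context option. The following is an added standalone example, not code from the thread, Ingo or Horde's Net_Sieve; it assumes a ManageSieve server reachable at the per-user hostspec (`yorick.ironicdesign.com:4190`, as in the log line) that presents a certificate issued to the service name `mail.fanmail.com`.

```php
<?php
// Added example (not from the thread or from Horde): a minimal ManageSieve
// STARTTLS client that keeps certificate verification ON but names the
// certificate it expects, instead of setting verify_peer / verify_peer_name
// to false as considered in the thread. Host and service names are assumed.

function sieveStartTls(string $hostspec, string $serviceName, int $port = 4190)
{
    // Weak option from the thread: 'verify_peer' => false,
    // 'verify_peer_name' => false. That accepts any certificate at all.
    // Instead: verify the chain against the system CA store and check the
    // certificate name against the service name, not the physical host name.
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'peer_name'        => $serviceName,   // expected CN / SAN in the cert
    ]]);

    $fp = stream_socket_client("tcp://$hostspec:$port", $errno, $errstr, 10,
                               STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        throw new RuntimeException("connect failed: $errstr ($errno)");
    }
    readResponse($fp);                 // greeting: capabilities, then "OK"
    fwrite($fp, "STARTTLS\r\n");
    readResponse($fp);                 // "OK" means the TLS handshake may begin
    // Same call that errors in Net/Sieve.php; here the peer certificate is
    // checked against $serviceName because of the 'peer_name' option above.
    if (stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT) !== true) {
        throw new RuntimeException('TLS handshake or certificate check failed');
    }
    readResponse($fp);                 // server re-sends capabilities after STARTTLS
    return $fp;
}

// Read one ManageSieve response: lines up to and including OK / NO / BYE.
function readResponse($fp): array
{
    $lines = [];
    while (($line = fgets($fp)) !== false) {
        $lines[] = rtrim($line, "\r\n");
        if (preg_match('/^(OK|NO|BYE)\b/', $line)) {
            break;
        }
    }
    if (!$lines || !str_starts_with(end($lines), 'OK')) {
        throw new RuntimeException('server refused: ' . implode(' | ', $lines));
    }
    return $lines;
}

$sieve = sieveStartTls('yorick.ironicdesign.com', 'mail.fanmail.com');
```

The name in `peer_name` must still match the certificate and the CA chain must validate; what changes is only which name is compared, so a certificate for a different host is still rejected.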
