[horde] ingo TLS certificate error problem gets weirder
Andy Dorman
adorman at ironicdesign.com
Tue Nov 1 20:29:31 UTC 2016
On 11/01/2016 03:23 PM, Grouchy Sysadmin wrote:
> On 11/01/2016 03:15 PM, Andy Dorman wrote:
>> On 11/01/2016 02:48 PM, Andy Dorman wrote:
>>> On 11/01/2016 10:48 AM, Arjen de Korte wrote:
>>>> Citeren Andy Dorman <adorman at ironicdesign.com>:
>>>>
>>>>> We have several servers that support a spam/virus filtering service
>>>>> and an email service of a different name. The email filtering and
>>>>> email hosting services use different domain names and the server host
>>>>> names use a third, our company domain name.
>>>>>
>>>>> The problem happens when Ingo tries to use TLS to connect and the
>>>>> certificate is for the email hosting service (mail.FanMail.com) and
>>>>> the server name is for our company (IronicDesign.com).
>>>>>
>>>>> This causes PHP to complain as shown here
>>>>>
>>>>> HORDE: [ingo] PHP ERROR: stream_socket_enable_crypto(): Peer
>>>>> certificate CN=`mail.fanmail.com' did not match expected
>>>>> CN=`yorick.ironicdesign.com' [pid 26001 on line 1215 of
>>>>> "/usr/share/php/Net/Sieve.php"]
>>>>>
>>>>> and the user sees an error: "Script not updated: There was an error
>>>>> activating the script. The driver said: Failed to establish TLS
>>>>> connection"
>>>>>
>>>>> After Googling I found where I can tell PHP to not verify the peer
>>>>>
>>>>> $conf['ssl']['verify_peer'] = FALSE;
>>>>> $conf['ssl']['verify_peer_name'] = FALSE;
>>>>>
>>>>> OR I could possibly tell Ingo to use the mail.fanmail.com certificate?
>>>>>
>>>>> I am trying to figure out which approach will work and how to apply
>>>>> it. I would prefer to use ingo/backends.local.php which we already use
>>>>> to set the appropriate host name for a user to connect to.
>>>>
>>>> In that case, you should set the hostspec to 'mail.fanmail.com'. Of
>>>> course, that name should (DNS) resolve to the IP address of the server
>>>> where Sieve is living.
>>>>
>>>> <?php
>>>> $backends['imap']['disabled'] = true;
>>>> $backends['sieve']['disabled'] = false;
>>>> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['hostspec'] =
>>>> 'mail.fanmail.com';
>>>>
>>>> Of course, the certificate on the server should contain
>>>> CN='mail.fanmail.com'. TLS doesn't care about hostname greetings, the
>>>> verification process uses the CN in the certificate and must match the
>>>> (forward) DNS record of that CN (reverse is not required).
>>>>
>>>>> However, I can not find an option like these below in our current
>>>>> backends.local.php to tell Ingo or PHP to use the 'mail.fanmail.com'
>>>>> certificate.
>>>>>
>>>>> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['logintype']
>>>>> = 'PLAIN';
>>>>> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['usetls'] =
>>>>> true;
>>>>> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['port'] =
>>>>> 4190;
>>>>>
>>>>> I suppose a third option is to set 'usetls' to false, but I would
>>>>> prefer not to do that as some day we hope to move our mail servers
>>>>> into VMs outside our local network.
>>>>>
>>>>> Thanks for any help.
>>>>>
>>>>> --
>>>>> Andy Dorman
>>>>
>>> Sorry, I would love to do that, but it won't work. We have a bunch of
>>> servers that are all doing email+sieve for mail.fanmail.com users and
>>> domain.
>>>
>>> When the user logs into webmail, the Imp/Ingo client does an LDAP lookup
>>> (in backends.local.php) for the specific server/host that contains that
>>> user's email+sieve scripts. That email+sieve server
>>> (yorick.ironicdesign.com in my log line above) has to be used in the
>>> hostspec so Imp and Ingo pass their requests to the correct server.
>>>
>>> So I have to set hostspec to be the physical server, but the SSL
>>> certificate is for the service, mail.fanmail.com.
>>>
>>> For now I suppose I will turn off tls. That is OK since all our sieve
>>> requests use a private internal network space. We will just have to
>>> figure out a solution before we can move our IMAP servers to VMs in
>>> remote hosts.
>>>
>>> Andy Dorman
>>
>> OK, this is weird...so I thought I could turn tls off by setting this in
>> backends.local.php:
>>
>> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['usetls'] =
>> false;
>>
>> But even after restarting php-fpm and Apache2 I continue to get this log
>> error:
>>
>> HORDE: [ingo] PHP ERROR: stream_socket_enable_crypto(): Peer certificate
>> CN=`mail.fanmail.com' did not match expected
>> CN=`yorick.ironicdesign.com' [pid 26624 on line 1215 of
>> "/usr/share/php/Net/Sieve.php"]
>>
>> and the user still sees the error alert I mentioned above.
>>
>> Interestingly enough, the changes that trigger the error are successful.
>> If it wasn't for the PHP ERROR log line and the alert to the user, there
>> would be no problem.
>>
>> I apologize for not mentioning this before, but this is a Debian setup
>> with Horde Groupware Webmail Edition 5.2.16 (Horde 5.2.12, Imp 6.2.16 &
>> Ingo 3.2.12) and Cyrus IMAP 2.5.10.
>>
>> Andy Dorman
>>
>
> Hi Andy,
>
> Is Cyrus trying to establish a TLS connection first? That might be what
> is causing the user visible error. I had a similar issue, and had to
> white list the Ingo server for cleartext connections from Dovecot.
>
You may be correct...just before the PHP ERROR log line I see this...
cyrus/sieve[26784]: starttls: TLSv1 with cipher ECDHE-RSA-AES128-SHA
(128/128 bits new) no authentication
That would certainly explain why turning it off in ingo is having no effect.
--
Andy Dorman
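The thread's two options are to disable peer verification (`verify_peer_name = FALSE`) or to drop TLS entirely. A third, which PHP's stream layer supports directly, is to keep verification on and tell it which name the certificate must carry. The block below is an added example, not code from the thread or from Horde/Net_Sieve: a minimal ManageSieve STARTTLS probe that connects to the physical host but verifies the certificate against the service name via the `peer_name` SSL context option (PHP 5.6 or later is assumed). The host names are the thread's; the function names `sieve_starttls_probe` and `read_until_ok` are this example's own.

```php
<?php
// Added example: verify a Sieve server's certificate against the service
// name while connecting to the physical host. Not Horde or Net_Sieve code.

// The thread's insecure setting, shown only for contrast (do not use):
//   $ctx = stream_context_create(['ssl' => ['verify_peer' => false,
//                                           'verify_peer_name' => false]]);

// Read ManageSieve lines until the terminating OK/NO/BYE line.
function read_until_ok($fp): string
{
    $buf = '';
    while (($line = fgets($fp)) !== false) {
        $buf .= $line;
        if (preg_match('/^(OK|NO|BYE)\b/', $line)) {
            if ($line[0] !== 'O') {
                throw new RuntimeException("server replied: " . trim($line));
            }
            return $buf;
        }
    }
    throw new RuntimeException('connection closed before OK');
}

// Connect to $host:$port, negotiate STARTTLS, and require that the
// presented certificate matches $service_name (the CN/SAN it was issued
// for), not the host name used to open the socket.
function sieve_starttls_probe(string $host, string $service_name, int $port = 4190): array
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'         => true,   // chain must validate against the CA store
        'verify_peer_name'    => true,   // name check stays enabled ...
        'peer_name'           => $service_name, // ... but against the service name
        'SNI_enabled'         => true,
        'capture_peer_cert'   => true,   // so we can report what was presented
    ]]);

    $errno = 0;
    $errstr = '';
    $fp = stream_socket_client("tcp://$host:$port", $errno, $errstr, 10,
                               STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        throw new RuntimeException("connect failed: $errstr ($errno)");
    }
    stream_set_timeout($fp, 10);

    // Capability greeting; refuse to continue in cleartext if STARTTLS is absent.
    $greeting = read_until_ok($fp);
    if (stripos($greeting, '"STARTTLS"') === false) {
        fclose($fp);
        throw new RuntimeException('server does not advertise STARTTLS');
    }

    fwrite($fp, "STARTTLS\r\n");
    read_until_ok($fp);

    // This is the same call Net_Sieve makes; with the context above a
    // CN/SAN mismatch fails here instead of being silently accepted.
    if (stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT) !== true) {
        fclose($fp);
        throw new RuntimeException('TLS handshake or certificate verification failed');
    }

    $params = stream_context_get_params($fp);
    $cert   = openssl_x509_parse($params['options']['ssl']['peer_certificate']);

    // RFC 5804: the server re-issues its capabilities after the TLS upgrade.
    $caps = read_until_ok($fp);
    fwrite($fp, "LOGOUT\r\n");
    fclose($fp);

    return ['subject' => $cert['subject'], 'capabilities' => $caps];
}

// Usage from the CLI: php probe.php yorick.ironicdesign.com mail.fanmail.com
if (PHP_SAPI === 'cli' && isset($argv[2])) {
    $info = sieve_starttls_probe($argv[1], $argv[2]);
    echo "certificate subject: ", json_encode($info['subject']), "\n";
    echo $info['capabilities'];
}
```

Run against the thread's setup, this connects to `yorick.ironicdesign.com:4190` and succeeds only if the certificate validates for `mail.fanmail.com`, which is the property the `verify_peer_name = FALSE` route gives up. It does not change Ingo's behaviour; whether Horde's backend parameters can pass `peer_name` through to Net_Sieve is not something the thread establishes, so this is a way to check the server-side certificate and host configuration independently.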