[horde] ingo TLS certificate error problem
adorman at ironicdesign.com
Tue Nov 1 20:44:18 UTC 2016
On 11/01/2016 03:26 PM, Arjen de Korte wrote:
> I don't see how this is ever going to work if you can't resolve the CN
> of the certificate to the IP address of the server (which in your case
> will never work). How can a client verify if the certificate a server
> presents is for that server, other than by checking if one of the Common
> Names matches with the IP address of the server?
>> For now I suppose I will turn off TLS. That is OK since all our sieve
>> requests use a private internal network space. We will just have to
>> figure out a solution before we can move our IMAP servers to VMs in
>> remote hosts.
> You'll have much more to figure out, since IMAP clients will not trust
> the certificates either for the same reason above.
Strangely enough, IMAP through our nginx proxy (which also uses the
mail.fanmail.com SSL certificate) does the exact same LDAP lookup to
direct requests to the correct IMAP host and this handles TLS just fine.
Perhaps we need to adjust our webmail config to go through the nginx
proxy like all other external clients instead of trying to connect to
IMAP/Sieve direct on the correct server.
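
Added example, not part of the original thread and not code from Horde, Ingo or the posters: a simplified RFC 6125-style matcher showing that a TLS client compares the name it connected to against the names in the certificate, so a direct backend connection fails where the proxy name passes. The backend name `imap03.internal.example`, the address `10.0.0.12` and the certificate dict are constructed for illustration; only `mail.fanmail.com` comes from the thread.

```python
# Added illustration. The certificate dict mirrors the shape returned by
# ssl.SSLSocket.getpeercert(); its contents are constructed sample data.

def _name_match(pattern, hostname):
    """Match one certificate DNS name against a host name, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard is honoured only as the whole left-most label, and
        # never directly under a top-level domain ("*.com" is rejected).
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_names(cert):
    """DNS names a client may match: SAN dNSName entries, else the CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # the CN is ignored once a dNSName SAN is present
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def verify_hostname(cert, connected_to):
    """True when the name the client dialled is covered by the certificate."""
    return any(_name_match(n, connected_to) for n in cert_names(cert))

def check_targets(cert, targets):
    """Map each connection target to its verification result."""
    return {t: verify_hostname(cert, t) for t in targets}

# Constructed certificate for the proxy name mentioned in the thread.
CERT = {
    "subject": ((("commonName", "mail.fanmail.com"),),),
    "subjectAltName": (("DNS", "mail.fanmail.com"),),
}
# Proxy name, a hypothetical backend name, and a hypothetical backend IP.
# An IP target would need an iPAddress SAN, which this matcher does not
# handle and this certificate does not carry.
TARGETS = ["mail.fanmail.com", "imap03.internal.example", "10.0.0.12"]

if __name__ == "__main__":
    for target, ok in check_targets(CERT, TARGETS).items():
        print(f"{target:28} {'accepted' if ok else 'rejected'}")
```

Only the target that equals a name in the certificate is accepted, which is the case when webmail connects through the proxy name rather than to the backend selected by the LDAP lookup.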