[horde] ingo TLS certificate error problem...an update
Vilius Sumskas/LNK
vilius at lnk.lt
Wed Nov 2 14:51:42 UTC 2016
> On 11/01/2016 03:44 PM, Andy Dorman wrote:
> > On 11/01/2016 03:26 PM, Arjen de Korte wrote:
> >>
> >> I don't see how this is ever going to work if you can't resolve the
CN
> >> of the certificate to the IP address of the server (which in your
case
> >> will never work). How can a client verify if the certificate a server
> >> presents is for that server, other than by checking if one of the
Common
> >> Names matches a with the IP address of the server?
> >>
> >>> For now I suppose I will turn off tls. That is OK since all our
sieve
> >>> requests use a private internal network space. We will just have to
> >>> figure out a solution before we can move our IMAP servers to VMs in
> >>> remote hosts.
> >>
> >> You'll have much more to figure out, since IMAP clients will not
trust
> >> the certificates either for the same reason above.
> >>
> >
> > Strangely enough, IMAP through our nginx proxy (which also uses the
> > mail.fanmail.com SSL certificate) does the exact same LDAP lookup to
> > direct requests to the correct IMAP host and this handles TLS just
fine.
> >
> > Perhaps we need to adjust our webmail config to go through the nginx
> > proxy like all other external clients instead of trying to connect to
> > IMAP/Sieve direct on the correct server.
> >
>
> Thanks Arien...you make a very good point.
>
> So, instead of going direct to the specific server for ingo/sieve, I
> modified our development server to use our Nginx front-end proxy just
> like external IMAP clients do (and tls works fine for external IMAP
> clients). Here are the updated settings in ingo/backends.local.php:
>
> $backends['imap']['disabled'] = true;
> $backends['sieve']['disabled'] = false;
> $backends['sieve']['preferred'] = '';
>
> $backends['sieve']['script'][Ingo::RULE_ALL]['driver'] = 'sieve';
> $backends['sieve']['script'][Ingo::RULE_ALL]['params']['utf8'] = true;
> $backends['sieve']['script'][Ingo::RULE_ALL]['params']['imapflags'] =
true;
> $backends['sieve']['script'][Ingo::RULE_ALL]['params']['notify'] = true;
>
> $backends['sieve']['transport'][Ingo::RULE_ALL]['driver'] = 'timsieved';
> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['hostspec'] =
> 'mail.fanmail.com';
> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['logintype'] =
> 'PLAIN';
> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['usetls'] =
true;
> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['port'] =
4190;
Does your Nginx proxy actually listens on that port? FWIW I don't think
Nginx supports proxying of Sieve protocol.
https://lists.andrew.cmu.edu/pipermail/info-cyrus/2013-December/037112.html
> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['scriptname']
> = 'ingo';
>
> Now the PHP ERROR log entry is gone and sieve filter changes work (FWIW
> they always worked but they still do), but the user error notification
> on the web page still pops up.
>
> We actually see 2 notifications that seem to contradict:
>
> - Changes saved.
> - Script not updated: There was an error activating the script. The
> driver said: Connection refused.
Changes get saved to local Horde store (cache), but they are not sent to
sieve probably.
> I am NOT a PHP expert, but I am going to do some code diving and see if
> I can figure out what is causing the error notification even when
> everything works. Since this is not happening to anyone else there must
> be something else I am missing in my configuration.
>
> Again, this is a Debian setup with Horde Groupware Webmail Edition
> 5.2.16 (Horde 5.2.12, Imp 6.2.16 & Ingo 3.2.12), Cyrus IMAP 2.5.10 and
> PHP 5.6.26.
--
Vilius
More information about the horde
mailing list