[horde] Ingo and TLS

Simon Wilson simon at simonandkate.net
Fri Feb 12 12:40:19 UTC 2021


Hi list

I've been troubleshooting (and fixing) an issue this evening that I  
have not come across before in several years of running Horde / Cyrus  
IMAP, and wondered if anyone else has come across this.

I have Sieve running on the Cyrus IMAP server, and Ingo with StartTLS  
enabled stopped being able to connect to Sieve.

Ingo config:

$backends['imap']['disabled'] = true;
$backends['sieve']['disabled'] = false;
$backends['sieve']['transport'][Ingo::RULE_ALL]['driver'] = 'timsieved';
$backends['sieve']['transport'][Ingo::RULE_ALL]['params']['hostspec'] = 'emp07.simonandkate.lan';
$backends['sieve']['transport'][Ingo::RULE_ALL]['params']['logintype'] = 'PLAIN';
$backends['sieve']['transport'][Ingo::RULE_ALL]['params']['usetls'] = true;
$backends['sieve']['transport'][Ingo::RULE_ALL]['params']['port'] = 4190;
$backends['sieve']['transport'][Ingo::RULE_ALL]['params']['scriptname'] = 'ingo';
$backends['sieve']['transport'][Ingo::RULE_ALL]['params']['debug'] = true;
$backends['sieve']['script'][Ingo::RULE_ALL]['driver'] = 'sieve';
$backends['sieve']['script'][Ingo::RULE_ALL]['params']['utf8'] = false;
$backends['sieve']['script'][Ingo::RULE_ALL]['params']['imapflags'] = true;
$backends['sieve']['script'][Ingo::RULE_ALL]['params']['notify'] = true;
$backends['sieve']['shares'] = false;

We started getting TLS failed pop-up errors in Horde when trying to  
write or access Sieve scripts, and STARTTLS errors in the IMAP server  
log:

Feb 12 21:55:22 emp07 sieve[13185]: STARTTLS failed: emp86.simonandkate.lan[192.168.1.245]

Yet I could use sivtest from the Horde server (emp86) to connect and
log on to Sieve no problems:

"sivtest emp07 -u simon -a simon -t """ would connect, StartTLS no
problem, and let me log in.

In the end I worked it out - specifically added the self-signed CA  
certificate specified in Sieve config to the Horde server's  
/etc/pki/ca-trust/source/anchors and ran update-ca-trust, and bingo it  
started working again. So for some reason Horde / Ingo was refusing to  
StartTLS with the Sieve server presenting a certificate signed by a CA  
it did not trust... even though it has done in the past.

I KNOW that in about 10 years of running self-signed certificates I  
have never had to do that step, and Ingo has worked OK. Has something  
changed in Ingo or libraries it calls that is enforcing CA certificate  
trust, and is there a way to tell Ingo in config to trust self-signed  
certificates? I know it's not just openssl on the Horde server  
enforcing it - because I would have the same problem connecting using  
sivtest if that was the case.

Any ideas on what has changed?

Simon

-- 
Simon Wilson
M: 0400 12 11 16
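
The following is an added example, not part of the original post and not Horde or Ingo code: a small check of whether a ManageSieve server's certificate verifies (chain and hostname) after STARTTLS, the way a verifying client would see it. The function names are this example's own, and it assumes the server sends its capability listing as plain quoted lines rather than literals.

```python
import socket
import ssl

STATUS = ("OK", "NO", "BYE")

def read_response(recv_line):
    """Collect ManageSieve response lines up to and including the status line."""
    lines = []
    while True:
        line = recv_line()
        if not line:
            raise ConnectionError("server closed the connection")
        text = line.decode("utf-8", "replace").rstrip("\r\n")
        lines.append(text)
        if text.split(" ", 1)[0].upper() in STATUS:
            return lines

def offers_starttls(lines):
    """True if the capability listing advertises STARTTLS (RFC 5804)."""
    return any(l.strip().upper() == '"STARTTLS"' for l in lines)

def _line_reader(sock):
    # Read one byte at a time so no TLS handshake bytes end up in a buffer.
    def recv_line():
        buf = b""
        while not buf.endswith(b"\n"):
            b = sock.recv(1)
            if not b:
                break
            buf += b
        return buf
    return recv_line

def check_sieve_tls(host, port=4190, cafile=None, timeout=10):
    """Return (ok, detail) for certificate verification after STARTTLS.
    cafile=None uses the system trust store (the one update-ca-trust maintains)."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        recv_line = _line_reader(sock)
        if not offers_starttls(read_response(recv_line)):
            return False, "server does not advertise STARTTLS"
        sock.sendall(b"STARTTLS\r\n")
        if not read_response(recv_line)[-1].upper().startswith("OK"):
            return False, "server refused STARTTLS"
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version()
        except ssl.SSLCertVerificationError as e:
            return False, e.verify_message
```

Running check_sieve_tls('emp07.simonandkate.lan') on the Horde host shows whether the system trust store accepts the Sieve certificate; passing cafile with the path to the CA certificate tests that CA on its own before it is installed as a trust anchor.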


