[horde] Ingo and TLS

Ralf Lang lang at b1-systems.de
Fri Feb 12 13:00:34 UTC 2021


Hi Simon,

On 12.02.21 at 13:40, Simon Wilson wrote:
>
> Hi list
>
> I've been troubleshooting (and fixing) an issue this evening that I
> have not come across before in several years of running Horde / Cyrus
> IMAP, and wondered if anyone else has come across this.
>
> I have Sieve running on the Cyrus IMAP server, and Ingo with StartTLS
> enabled stopped being able to connect to Sieve.
>
> Ingo config:
>
> $backends['imap']['disabled'] = true;
> $backends['sieve']['disabled'] = false;
> $backends['sieve']['transport'][Ingo::RULE_ALL]['driver'] = 'timsieved';
> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['hostspec'] = 'emp07.simonandkate.lan';
> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['logintype'] = 'PLAIN';
> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['usetls'] = true;
> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['port'] = 4190;
> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['scriptname'] = 'ingo';
> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['debug'] = true;
> $backends['sieve']['script'][Ingo::RULE_ALL]['driver'] = 'sieve';
> $backends['sieve']['script'][Ingo::RULE_ALL]['params']['utf8'] = false;
> $backends['sieve']['script'][Ingo::RULE_ALL]['params']['imapflags'] = true;
> $backends['sieve']['script'][Ingo::RULE_ALL]['params']['notify'] = true;
> $backends['sieve']['shares'] = false;
>
> We started getting TLS failed pop-up errors in Horde when trying to
> write or access Sieve scripts, and STARTTLS errors in the IMAP server
> log:
>
> Feb 12 21:55:22 emp07 sieve[13185]: STARTTLS failed:
> emp86.simonandkate.lan[192.168.1.245]
>
> Yet I could use sivtest from the Horde server (emp86) to connect and
> logon to Sieve no problems:
>
> "sivtest emp07 -u simon -a simon -t """ would connect, StartTLS no
> problem, and let me login.
>
> In the end I worked it out - specifically added the self-signed CA
> certificate specified in Sieve config to the Horde server's
> /etc/pki/ca-trust/source/anchors and ran update-ca-trust, and bingo it
> started working again. So for some reason Horde / Ingo was refusing to
> StartTLS with the Sieve server presenting a certificate signed by a CA
> it did not trust... even though it has done in the past.
>
> I KNOW that in about 10 years of running self-signed certificates I
> have never had to do that step, and Ingo has worked OK. Has something
> changed in Ingo or libraries it calls that is enforcing CA certificate
> trust, and is there a way to tell Ingo in config to trust self-signed
> certificates? I know it's not just openssl on the Horde server
> enforcing it - because I would have the same problem connecting using
> sivtest if that was the case.
>
> Any ideas on what has changed?
>
> Simon

I know I had issues too with a recent ingo and a more well-aged cyrus
imap installation.

I ended up building an alternate transport for this use case:

https://github.com/horde/ingo/pull/2

It basically delegates SIEVE population to a separate script.
It's not advisable for a very-high-load scenario but it should run for
small to medium horde installations up to 5000 users who do less than
20.000 sieve script changes / autoresponder changes / forwarder changes
per day. This should cover most "tricky" cyrus installations out there.


-- 
Ralf Lang
Linux Consultant / Developer
Tel.: +49-170-6381563
Mail: lang at b1-systems.de
B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
Managing director: Ralph Dehner / Registered office: Vohburg / District court: Ingolstadt, HRB 3537
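A check for the failure Simon describes, as an added example written for this thread rather than code from Ingo, Horde or Cyrus: it runs the ManageSieve STARTTLS handshake on port 4190 with peer verification turned on, so it fails where a verifying client fails and not where sivtest succeeds, and reports whether the cause is a missing STARTTLS capability, a CA absent from the trust anchors, or a hostname mismatch. The host name, port and CA bundle path are assumptions; cafile=None uses the system store that update-ca-trust populates.

```python
# Added example (not Horde/Ingo or Cyrus code); host, port and cafile are assumptions.
import socket
import ssl

def parse_capabilities(greeting: str) -> dict:
    """Parse RFC 5804 capability lines ('"SASL" "PLAIN"', '"STARTTLS"') up to the OK line."""
    caps = {}
    for line in map(str.strip, greeting.splitlines()):
        if line.startswith(("OK", "NO", "BYE")):
            break
        tokens = line.split('"')[1::2]  # the quoted tokens are the odd-indexed pieces
        if tokens:
            caps[tokens[0].upper()] = tokens[1] if len(tokens) > 1 else None
    return caps

def classify_tls_error(exc: BaseException) -> str:
    """Map a handshake failure to the thing an operator has to fix."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        reason = (getattr(exc, "verify_message", None) or str(exc)).lower()
        if "self signed" in reason or "self-signed" in reason or "local issuer" in reason:
            return "untrusted-ca"  # the signing CA is not among the trust anchors
        if "hostname" in reason or "doesn't match" in reason:
            return "hostname-mismatch"  # the certificate does not cover the hostspec
        return "verify-failed"
    return "tls-protocol-error" if isinstance(exc, ssl.SSLError) else "connection-error"

def _read_response(rf) -> str:  # read server lines up to the OK/NO/BYE completion line
    lines = []
    while not lines or not lines[-1].startswith(("OK", "NO", "BYE")):
        line = rf.readline().decode("utf-8", "replace")
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line)
    return "".join(lines)

def probe_sieve_starttls(host: str, port: int = 4190, cafile=None, timeout: float = 10) -> str:
    """STARTTLS with peer verification on; cafile=None means the system trust anchors."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            rf = sock.makefile("rb")
            if "STARTTLS" not in parse_capabilities(_read_response(rf)):
                return "no-starttls"
            sock.sendall(b"STARTTLS\r\n")
            if not _read_response(rf).startswith("OK"):
                return "starttls-refused"
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"  # the handshake completed, so the chain verified against ctx
    except OSError as exc:  # ssl.SSLError (and its verification subclass) is an OSError
        return classify_tls_error(exc)
```

Run probe_sieve_starttls('emp07.simonandkate.lan') from the Horde host: "untrusted-ca" before and "ok" after adding the CA to /etc/pki/ca-trust/source/anchors confirms that the trust store, not the Sieve server, was the problem.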


