[horde] Ingo and TLS

Simon Wilson simon at simonandkate.net
Sat Feb 13 04:09:31 UTC 2021


----- Message from Ralf Lang <lang at b1-systems.de> ---------
    Date: Fri, 12 Feb 2021 14:00:34 +0100
    From: Ralf Lang <lang at b1-systems.de>
Subject: Re: [horde] Ingo and TLS
      To: horde at lists.horde.org, simon at simonandkate.net


> Hi Simon,
>
> On 12.02.21 at 13:40, Simon Wilson wrote:
>>
>> Hi list
>>
>> I've been troubleshooting (and fixing) an issue this evening that I
>> have not come across before in several years of running Horde / Cyrus
>> IMAP, and wondered if anyone else has come across this.
>>
>> I have Sieve running on the Cyrus IMAP server, and Ingo with StartTLS
>> enabled stopped being able to connect to Sieve.
>>
>> Ingo config:
>>
>> $backends['imap']['disabled'] = true;
>> $backends['sieve']['disabled'] = false;
>> $backends['sieve']['transport'][Ingo::RULE_ALL]['driver'] = 'timsieved';
>> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['hostspec'] = 'emp07.simonandkate.lan';
>> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['logintype'] = 'PLAIN';
>> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['usetls'] = true;
>> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['port'] = 4190;
>> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['scriptname'] = 'ingo';
>> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['debug'] = true;
>> $backends['sieve']['script'][Ingo::RULE_ALL]['driver'] = 'sieve';
>> $backends['sieve']['script'][Ingo::RULE_ALL]['params']['utf8'] = false;
>> $backends['sieve']['script'][Ingo::RULE_ALL]['params']['imapflags'] = true;
>> $backends['sieve']['script'][Ingo::RULE_ALL]['params']['notify'] = true;
>> $backends['sieve']['shares'] = false;
>>
>> We started getting TLS failed pop-up errors in Horde when trying to
>> write or access Sieve scripts, and STARTTLS errors in the IMAP server
>> log:
>>
>> Feb 12 21:55:22 emp07 sieve[13185]: STARTTLS failed: emp86.simonandkate.lan[192.168.1.245]
>>
>> Yet I could use sivtest from the Horde server (emp86) to connect and
>> logon to Sieve no problems:
>>
>> "sivtest emp07 -u simon -a simon -t """ would connect, StartTLS no
>> problem, and let me login.
>>
>> In the end I worked it out - specifically added the self-signed CA
>> certificate specified in Sieve config to the Horde server's
>> /etc/pki/ca-trust/source/anchors and ran update-ca-trust, and bingo it
>> started working again. So for some reason Horde / Ingo was refusing to
>> StartTLS with the Sieve server presenting a certificate signed by a CA
>> it did not trust... even though it has done in the past.
>>
>> I KNOW that in about 10 years of running self-signed certificates I
>> have never had to do that step, and Ingo has worked OK. Has something
>> changed in Ingo or libraries it calls that is enforcing CA certificate
>> trust, and is there a way to tell Ingo in config to trust self-signed
>> certificates? I know it's not just openssl on the Horde server
>> enforcing it - because I would have the same problem connecting using
>> sivtest if that was the case.
>>
>> Any ideas on what has changed?
>>
>> Simon
>
> I know I had issues too with a recent ingo and a more well-aged cyrus
> imap installation.
>
> I ended up building an alternate transport for this use case:
>
> https://github.com/horde/ingo/pull/2
>
> It basically delegates SIEVE population to a separate script.
> It's not advisable for a very-high-load scenario but it should run for
> small to medium horde installations up to 5000 users who do less than
> 20.000 sieve script changes / autoresponder changes / forwarder changes
> per day. This should cover most "tricky" cyrus installations out there.
>
>
> --
> Ralf Lang
> Linux Consultant / Developer
> Tel.: +49-170-6381563
> Mail: lang at b1-systems.de
> B1 Systems GmbH
> Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
> Managing director: Ralph Dehner / Registered office: Vohburg / District court: Ingolstadt, HRB 3537


----- End message from Ralf Lang <lang at b1-systems.de> -----

Thanks Ralf... I got it going for now by trusting the self-signed
cert's CA cert with update-ca-trust. I'll save the github link though
for investigation... With our <10 user count, I doubt we'd run into
capacity issues! :)

The post here was as much for if anyone else comes across this as
anything. I know how frustrating it can be to come across weird issues
and not be able to find anyone with the same.

Simon.

-- 
Simon Wilson
M: 0400 12 11 16
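A small check for the failure described in this thread, added here as an example (it is not Ingo's or Horde's code): it performs the ManageSieve STARTTLS handshake on the Sieve port with certificate verification switched on, so a server certificate whose issuer is missing from the trust store surfaces as an explicit verification error instead of a generic "TLS failed". It assumes Python's default SSL context reads the system trust store that update-ca-trust rebuilds; the host name and port 4190 follow the config quoted above, and the sample greeting is constructed.

```python
import socket
import ssl

# Constructed sample greeting in the shape timsieved sends before STARTTLS.
SAMPLE_GREETING = (b'"IMPLEMENTATION" "Cyrus timsieved"\r\n"SASL" "PLAIN"\r\n'
                   b'"SIEVE" "fileinto reject"\r\n"STARTTLS"\r\nOK\r\n')
STATUS_WORDS = ("OK", "NO", "BYE")

def parse_response(data):
    """Split capability lines ('"NAME"' or '"NAME" "value"') from the OK/NO/BYE line."""
    caps, status, status_line = {}, None, ""
    for line in filter(None, map(str.strip, data.decode("utf-8", "replace").split("\r\n"))):
        word = line.split(None, 1)[0].upper()
        if word in STATUS_WORDS:
            status, status_line = word, line
            break
        quoted = line.split('"')[1::2]  # the quoted strings on the line
        if quoted:
            caps[quoted[0].upper()] = quoted[1] if len(quoted) > 1 else None
    return caps, status, status_line

def read_response(sock):
    """Read until a complete line starting with OK/NO/BYE terminates the response."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        buf += chunk
        last = buf[:-2].rsplit(b"\r\n", 1)[-1].split(b" ", 1)[0].decode("ascii", "replace")
        if not chunk or (buf.endswith(b"\r\n") and last.upper() in STATUS_WORDS):
            return buf

def check_starttls(host, port=4190, cafile=None):
    """STARTTLS with verification on; cafile=None uses the system trust store, which
    update-ca-trust rebuilds from /etc/pki/ca-trust/source/anchors on RHEL-like hosts."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        caps, status, line = parse_response(read_response(sock))
        if status != "OK" or "STARTTLS" not in caps:
            raise RuntimeError("no STARTTLS in greeting: " + line)
        sock.sendall(b"STARTTLS\r\n")
        _, status, line = parse_response(read_response(sock))
        if status != "OK":
            raise RuntimeError("STARTTLS refused: " + line)
        # An untrusted issuer raises ssl.SSLCertVerificationError here (Ingo's "TLS failed" case).
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            parse_response(read_response(tls))  # server re-sends capabilities after TLS
            tls.sendall(b"LOGOUT\r\n")
    return cert  # cert["issuer"] names the CA that must be present in the anchors directory
```

Run it as `check_starttls("emp07.simonandkate.lan")` from the Horde host; a clean return means the trust store already covers the Sieve server's CA, while an ssl.SSLCertVerificationError reproduces the Ingo symptom.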


