[horde] Ingo and TLS

Jan Schneider jan at horde.org
Wed Feb 17 18:12:28 UTC 2021


Quoting Simon Wilson <simon at simonandkate.net>:

> Hi list
>
> I've been troubleshooting (and fixing) an issue this evening that I  
> have not come across before in several years of running Horde /  
> Cyrus IMAP, and wondered if anyone else has come across this.
>
> I have Sieve running on the Cyrus IMAP server, and Ingo with  
> StartTLS enabled stopped being able to connect to Sieve.
>
> Ingo config:
>
> $backends['imap']['disabled'] = true;
> $backends['sieve']['disabled'] = false;
> $backends['sieve']['transport'][Ingo::RULE_ALL]['driver'] = 'timsieved';
> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['hostspec'] = 'emp07.simonandkate.lan';
> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['logintype'] = 'PLAIN';
> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['usetls'] = true;
> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['port'] = 4190;
> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['scriptname'] = 'ingo';
> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['debug'] = true;
> $backends['sieve']['script'][Ingo::RULE_ALL]['driver'] = 'sieve';
> $backends['sieve']['script'][Ingo::RULE_ALL]['params']['utf8'] = false;
> $backends['sieve']['script'][Ingo::RULE_ALL]['params']['imapflags'] = true;
> $backends['sieve']['script'][Ingo::RULE_ALL]['params']['notify'] = true;
> $backends['sieve']['shares'] = false;
>
> We started getting TLS failed pop-up errors in Horde when trying to  
> write or access Sieve scripts, and STARTTLS errors in the IMAP  
> server log:
>
> Feb 12 21:55:22 emp07 sieve[13185]: STARTTLS failed: emp86.simonandkate.lan[192.168.1.245]
>
> Yet I could use sivtest from the Horde server (emp86) to connect and  
> log on to Sieve no problems:
>
> "sivtest emp07 -u simon -a simon -t """ would connect, StartTLS no  
> problem, and let me login.
>
> In the end I worked it out - specifically added the self-signed CA  
> certificate specified in Sieve config to the Horde server's  
> /etc/pki/ca-trust/source/anchors and ran update-ca-trust, and bingo  
> it started working again. So for some reason Horde / Ingo was  
> refusing to StartTLS with the Sieve server presenting a certificate  
> signed by a CA it did not trust... even though it has done in the  
> past.
>
> I KNOW that in about 10 years of running self-signed certificates I  
> have never had to do that step, and Ingo has worked OK. Has  
> something changed in Ingo or libraries it calls that is enforcing CA  
> certificate trust, and is there a way to tell Ingo in config to  
> trust self-signed certificates? I know it's not just openssl on the  
> Horde server enforcing it - because I would have the same problem  
> connecting using sivtest if that was the case.
>
> Any ideas on what has changed?

Did you update PHP? Certificate validation has been tightened at one point.

-- 
Jan Schneider
The Horde Project
https://www.horde.org/
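
The trust-anchor behaviour behind the fix described in the quoted message, as an added example that is not from either poster. It builds a constructed throwaway CA and server certificate (all names and paths are made up) and shows that a chain-verifying client rejects the certificate until the CA is supplied as a trust anchor.

```shell
#!/bin/sh
# Added example: constructed throwaway CA and server certificate,
# not the poster's files. Requires the openssl command-line tool.

# chain_status CERT [CAFILE] -> prints "trusted" or "untrusted"
chain_status() {
    if [ -n "$2" ]; then
        out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
    else
        # No CA file given: only the system trust store is consulted.
        out=$(openssl verify "$1" 2>&1) || true
    fi
    case "$out" in
        *": OK"*) echo trusted ;;
        *)        echo untrusted ;;
    esac
}

# make_test_pki DIR: constructed private CA plus a server certificate it signs
make_test_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Private CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=sieve.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/srv.csr" -days 2 \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/srv.pem" 2>/dev/null
}

PKI_DIR=$(mktemp -d)
trap 'rm -rf "$PKI_DIR"' EXIT
make_test_pki "$PKI_DIR"

echo "system store only: $(chain_status "$PKI_DIR/srv.pem")"
echo "with private CA:   $(chain_status "$PKI_DIR/srv.pem" "$PKI_DIR/ca.pem")"

# Against a live server, an OpenSSL whose s_client supports
# "-starttls sieve" performs the same check over the wire:
#   openssl s_client -starttls sieve -connect HOST:4190 \
#       -CAfile /path/to/ca.pem </dev/null
# "Verify return code: 0 (ok)" in its output means the chain verified.
```

A client that completes STARTTLS without reporting a verify result has not necessarily validated the chain, so a successful login from one tool does not show that another, verifying client will accept the same certificate.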
