[horde] Ingo and TLS

Simon Wilson simon at simonandkate.net
Thu Feb 18 23:19:39 UTC 2021


----- Message from Jan Schneider <jan at horde.org> ---------
    Date: Wed, 17 Feb 2021 18:12:28 +0000
    From: Jan Schneider <jan at horde.org>
Subject: Re: [horde] Ingo and TLS
      To: horde at lists.horde.org


> Quote from Simon Wilson <simon at simonandkate.net>:
>
>> Hi list
>>
>> I've been troubleshooting (and fixing) an issue this evening that I  
>> have not come across before in several years of running Horde /  
>> Cyrus IMAP, and wondered if anyone else has come across this.
>>
>> I have Sieve running on the Cyrus IMAP server, and Ingo with  
>> StartTLS enabled stopped being able to connect to Sieve.
>>
>> Ingo config:
>>
>> $backends['imap']['disabled'] = true;
>> $backends['sieve']['disabled'] = false;
>> $backends['sieve']['transport'][Ingo::RULE_ALL]['driver'] = 'timsieved';
>> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['hostspec'] = 'emp07.simonandkate.lan';
>> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['logintype'] = 'PLAIN';
>> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['usetls'] = true;
>> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['port'] = 4190;
>> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['scriptname'] = 'ingo';
>> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['debug'] = true;
>> $backends['sieve']['script'][Ingo::RULE_ALL]['driver'] = 'sieve';
>> $backends['sieve']['script'][Ingo::RULE_ALL]['params']['utf8'] = false;
>> $backends['sieve']['script'][Ingo::RULE_ALL]['params']['imapflags'] = true;
>> $backends['sieve']['script'][Ingo::RULE_ALL]['params']['notify'] = true;
>> $backends['sieve']['shares'] = false;
>>
>> We started getting TLS failed pop-up errors in Horde when trying to  
>> write or access Sieve scripts, and STARTTLS errors in the IMAP  
>> server log:
>>
>> Feb 12 21:55:22 emp07 sieve[13185]: STARTTLS failed: emp86.simonandkate.lan[192.168.1.245]
>>
>> Yet I could use sivtest from the Horde server (emp86) to connect  
>> and logon to Sieve no problems:
>>
>> "sivtest emp07 -u simon -a simon -t """ would connect, StartTLS no  
>> problem, and let me login.
>>
>> In the end I worked it out - specifically added the self-signed CA  
>> certificate specified in Sieve config to the Horde server's  
>> /etc/pki/ca-trust/source/anchors and ran update-ca-trust, and bingo  
>> it started working again. So for some reason Horde / Ingo was  
>> refusing to StartTLS with the Sieve server presenting a certificate  
>> signed by a CA it did not trust... even though it has done in the  
>> past.
>>
>> I KNOW that in about 10 years of running self-signed certificates I  
>> have never had to do that step, and Ingo has worked OK. Has  
>> something changed in Ingo or libraries it calls that is enforcing  
>> CA certificate trust, and is there a way to tell Ingo in config to  
>> trust self-signed certificates? I know it's not just openssl on the  
>> Horde server enforcing it - because I would have the same problem  
>> connecting using sivtest if that was the case.
>>
>> Any ideas on what has changed?
>
> Did you update PHP? Certificate validation has been tightened at one point.

Hi Jan, thank you. Yes I check PHP for updates every few weeks, with  
basic functionality testing for release... looks like I need to add  
something to those tests :) The server is running PHP 7.4.15. Do you  
know *what* changed in tightening PHP certificate trust validation?  
I've had a search, nothing obvious coming up.

Simon.

>
> -- 
> Jan Schneider
> The Horde Project
> https://www.horde.org/
>
> -- 
> Horde mailing list
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: horde-unsubscribe at lists.horde.org


----- End message from Jan Schneider <jan at horde.org> -----



-- 
Simon Wilson
M: 0400 12 11 16
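Added example, not from this thread or from the Horde/Ingo code base: a minimal ManageSieve STARTTLS probe written against the plain PHP stream functions that a Net_Sieve-style client ends up calling. It connects, asks for STARTTLS, and enables TLS three times with different `ssl` context options, so you can see which policy is in force: the PHP default (since PHP 5.6 `verify_peer` and `verify_peer_name` default to true, so the server chain must validate against the system trust store, which is why adding the CA to `/etc/pki/ca-trust/source/anchors` fixed the problem above), an explicit `cafile`, and verification switched off. The host and port are the ones quoted in the thread; the CA file path is an assumption.

```php
<?php
// Hypothetical ManageSieve STARTTLS probe (added example, not Ingo/Net_Sieve code).
// Usage: php sieve_tls_probe.php

// Read server lines until a ManageSieve response line (OK / NO / BYE) arrives.
function read_response($fp): string
{
    $buf = '';
    while (($line = fgets($fp)) !== false) {
        $buf .= $line;
        if (preg_match('/^(OK|NO|BYE)\b/', $line)) {
            return $buf;
        }
    }
    throw new RuntimeException('connection closed before a complete response');
}

// Connect, negotiate STARTTLS and enable TLS under the given ssl context options.
// Returns the capability banner received over TLS, or throws with the reason.
function sieve_starttls(string $host, int $port, array $sslOptions): string
{
    $ctx = stream_context_create(['ssl' => $sslOptions]);
    $errno = 0;
    $errstr = '';
    $fp = stream_socket_client("tcp://$host:$port", $errno, $errstr, 10,
                               STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        throw new RuntimeException("connect failed: $errstr ($errno)");
    }
    stream_set_timeout($fp, 10);

    // Cleartext greeting: capability lines, then OK. STARTTLS must be advertised.
    $greeting = read_response($fp);
    if (!preg_match('/^"STARTTLS"/m', $greeting)) {
        fclose($fp);
        throw new RuntimeException('server does not advertise STARTTLS');
    }

    fwrite($fp, "STARTTLS\r\n");
    $resp = read_response($fp);
    if (strncmp($resp, 'OK', 2) !== 0) {
        fclose($fp);
        throw new RuntimeException('STARTTLS refused: ' . trim($resp));
    }

    // The TLS handshake uses the ssl options from the stream context. With
    // verify_peer = true (PHP >= 5.6 default) a chain that does not validate
    // against cafile/capath or the system trust store fails right here, which
    // is what the Cyrus log records as "STARTTLS failed".
    $ok = @stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
    if ($ok !== true) {
        $err = error_get_last();
        fclose($fp);
        throw new RuntimeException('TLS handshake failed: ' . ($err['message'] ?? 'unknown'));
    }

    // After a successful STARTTLS the server re-sends its capabilities.
    $secured = read_response($fp);
    fwrite($fp, "LOGOUT\r\n");
    fclose($fp);
    return $secured;
}

$host = 'emp07.simonandkate.lan'; // from the thread
$port = 4190;                     // from the thread

$probes = [
    // PHP default: verify against the system trust store (update-ca-trust anchors).
    'php default (verify_peer=true, system CA store)' => [],
    // Trust a specific CA without touching the system store. Path is an assumption.
    'explicit cafile' => [
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'cafile'           => '/etc/pki/tls/certs/sieve-ca.pem',
    ],
    // Unsafe escape hatch: accepts any certificate, so any on-path host can
    // intercept the PLAIN login. Shown only to make the policy difference visible.
    'verification disabled (do not deploy)' => [
        'verify_peer'      => false,
        'verify_peer_name' => false,
    ],
];

foreach ($probes as $label => $opts) {
    try {
        $caps = sieve_starttls($host, $port, $opts);
        printf("[%s] TLS established; server capabilities over TLS:\n%s\n", $label, $caps);
    } catch (RuntimeException $e) {
        printf("[%s] FAILED: %s\n", $label, $e->getMessage());
    }
}
```

If the first probe fails and the second succeeds, the problem is trust, not the TLS configuration on the Cyrus side; fix it by installing the CA into the system store (as was done above) or by giving the client the CA file, never by turning `verify_peer` off.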


