[horde] Ingo and TLS

Jan Schneider jan at horde.org
Wed Mar 17 20:28:26 UTC 2021


Quoting Simon Wilson <simon at simonandkate.net>:

> ----- Message from Jan Schneider <jan at horde.org> ---------
>    Date: Wed, 17 Feb 2021 18:12:28 +0000
>    From: Jan Schneider <jan at horde.org>
> Subject: Re: [horde] Ingo and TLS
>      To: horde at lists.horde.org
>
>
>> Quoting Simon Wilson <simon at simonandkate.net>:
>>
>>> Hi list
>>>
>>> I've been troubleshooting (and fixing) an issue this evening that  
>>> I have not come across before in several years of running Horde /  
>>> Cyrus IMAP, and wondered if anyone else has come across this.
>>>
>>> I have Sieve running on the Cyrus IMAP server, and Ingo with  
>>> StartTLS enabled stopped being able to connect to Sieve.
>>>
>>> Ingo config:
>>>
>>> $backends['imap']['disabled'] = true;
>>> $backends['sieve']['disabled'] = false;
>>> $backends['sieve']['transport'][Ingo::RULE_ALL]['driver'] = 'timsieved';
>>> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['hostspec'] = 'emp07.simonandkate.lan';
>>> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['logintype'] = 'PLAIN';
>>> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['usetls'] = true;
>>> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['port'] = 4190;
>>> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['scriptname'] = 'ingo';
>>> $backends['sieve']['transport'][Ingo::RULE_ALL]['params']['debug'] = true;
>>> $backends['sieve']['script'][Ingo::RULE_ALL]['driver'] = 'sieve';
>>> $backends['sieve']['script'][Ingo::RULE_ALL]['params']['utf8'] = false;
>>> $backends['sieve']['script'][Ingo::RULE_ALL]['params']['imapflags'] = true;
>>> $backends['sieve']['script'][Ingo::RULE_ALL]['params']['notify'] = true;
>>> $backends['sieve']['shares'] = false;
>>>
>>> We started getting TLS failed pop-up errors in Horde when trying  
>>> to write or access Sieve scripts, and STARTTLS errors in the IMAP  
>>> server log:
>>>
>>> Feb 12 21:55:22 emp07 sieve[13185]: STARTTLS failed:  
>>> emp86.simonandkate.lan[192.168.1.245]
>>>
>>> Yet I could use sivtest from the Horde server (emp86) to connect  
>>> and logon to Sieve no problems:
>>>
>>> "sivtest emp07 -u simon -a simon -t """ would connect, StartTLS no  
>>> problem, and let me login.
>>>
>>> In the end I worked it out - specifically added the self-signed CA  
>>> certificate specified in Sieve config to the Horde server's  
>>> /etc/pki/ca-trust/source/anchors and ran update-ca-trust, and  
>>> bingo it started working again. So for some reason Horde / Ingo  
>>> was refusing to StartTLS with the Sieve server presenting a  
>>> certificate signed by a CA it did not trust... even though it has  
>>> done in the past.
>>>
>>> I KNOW that in about 10 years of running self-signed certificates  
>>> I have never had to do that step, and Ingo has worked OK. Has  
>>> something changed in Ingo or libraries it calls that is enforcing  
>>> CA certificate trust, and is there a way to tell Ingo in config to  
>>> trust self-signed certificates? I know it's not just openssl on  
>>> the Horde server enforcing it - because I would have the same  
>>> problem connecting using sivtest if that was the case.
>>>
>>> Any ideas on what has changed?
>>
>> Did you update PHP? Certification validation has been tightened at  
>> one point.
>
> Hi Jan, thank you. Yes I check PHP for updates every few weeks, with  
> basic functionality testing for release... looks like I need to add  
> something to those tests :) The server is running PHP 7.4.15. Do you  
> know *what* changed in tightening PHP certificate trust validation?  
> I've had a search, nothing obvious coming up.

For example it stopped accepting self-signed certificates by default  
at some point.

-- 
Jan Schneider
The Horde Project
https://www.horde.org/
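As an added example (not from this thread, and not Horde or Ingo code), a standalone PHP script that performs the ManageSieve STARTTLS step discussed above with PHP's peer-verification options spelled out, so the trust failure can be reproduced and diagnosed outside Horde. It assumes a reachable Sieve server and, optionally, a PEM file for the CA that signed its certificate; with no CA file it relies on the system trust store, which is what the update-ca-trust fix in the thread populates.

```php
<?php
// Added diagnostic (not Horde/Ingo code): ManageSieve STARTTLS with explicit PHP TLS settings.
function readUntilOk($fp): array {   // collect response lines up to the OK/NO/BYE status line
    $lines = [];
    while (($line = fgets($fp)) !== false) {
        $lines[] = rtrim($line, "\r\n");
        if (preg_match('/^(OK|NO|BYE)\b/', $line)) break;
    }
    return $lines;
}
// $cafile: PEM of the CA that signed the server cert; null = system trust store
// (on the Horde host in this thread, the anchors installed via update-ca-trust).
function sieveStartTls(string $host, int $port, ?string $cafile): string {
    $ssl = [
        'verify_peer'       => true,   // PHP default since 5.6; this is what "tightened"
        'verify_peer_name'  => true,   // certificate must match $host
        'allow_self_signed' => false,  // do not weaken this; trust the CA instead
        'peer_name'         => $host,
    ];
    if ($cafile !== null) $ssl['cafile'] = $cafile;
    $ctx = stream_context_create(['ssl' => $ssl]);
    $fp = @stream_socket_client("tcp://$host:$port", $errno, $errstr, 10,
                                STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) return "connect failed: $errstr ($errno)";
    stream_set_timeout($fp, 10);
    readUntilOk($fp);                    // greeting + capability list
    fwrite($fp, "STARTTLS\r\n");
    $reply = readUntilOk($fp);
    $last  = $reply ? end($reply) : '';
    if (strncmp($last, 'OK', 2) !== 0) {
        fclose($fp);
        return "server refused STARTTLS: $last";
    }
    // The handshake below is the step that fails with an untrusted CA; on the server
    // side this matches the "STARTTLS failed" entry in the thread's Cyrus log.
    if (@stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT) !== true) {
        $err = error_get_last()['message'] ?? 'unknown TLS error';
        fclose($fp);
        return "TLS handshake failed: $err";
    }
    $caps = readUntilOk($fp);            // capabilities are re-sent after TLS
    fwrite($fp, "LOGOUT\r\n");
    fclose($fp);
    return 'TLS established; server says: ' . implode(' | ', $caps);
}
echo sieveStartTls($argv[1] ?? 'localhost', (int)($argv[2] ?? 4190), $argv[3] ?? null), "\n";
```

Run it as `php sievetls.php emp07.simonandkate.lan 4190` first without and then with the CA file as the third argument: if only the second run succeeds, the system trust store is missing the CA, which is the condition the thread describes.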