Re: [SM-USERS] [SOLVED sort of] was Re: svn 14501 - TLS

2016-12-19 Thread igor_123
Paul, thanks for your answer.


Paul Lesniewski wrote
>> B.  Update SMTP Settings   : localhost:25
> 
> Port 25?

Yes. As you say, smtp settings are irrelevant to imap tls ones. Also, I see
no problem with this port. In my smtp setup, tls is used for communications
of a client with smtpd.


Paul Lesniewski wrote
> ...
>> Printing out the contents of smtpd.cert confirms that
>> CN=uranus.sai.msu.ru
> 
> But is the CA available (to SM) and known?

How do I check the availability of CA to SM? Known to whom? As I said, my
certificate/key pair is self-signed and simple (without chains). The cert
file is smtpd.cert, the key is smtpd.key.


Paul Lesniewski wrote
>> Adding these lines to squirrelmail's config_local.php
>> 
>> $imap_stream_options = array(
>>  'ssl' => array(
>>  'cafile' => '/etc/postfix/smtpd.cert',
> 
> That does not look like a CA cert path to me.

Yes, the path is non-standard, this is a testing environment. Still, it should
not be a problem since the path is provided in dovecot config.


Paul Lesniewski wrote
>>  'verify_peer' => false,
>>  'verify_depth' => 1,
>>  ),
>> );
>> 
>> does not change anything.
> 
> Did you verify if those are being used in the code?

No. I assumed that if including these lines was your recommendation to
David, SM should use them.


Paul Lesniewski wrote
>   The solution might
> be as simple as using a 1.4.23-SVN snapshot from our downloads page.
> I'd try that before anything else.

I will. Although, honestly, I would prefer to use the SM package from the
official repository. I have to implement it in several servers and managing
all of them manually is too much trouble...

Thanks again for your comments,
Igor




--
View this message in context: 
http://squirrelmail.5843.n7.nabble.com/svn-14501-TLS-handshaking-SSL-accept-failed-error-alert-unknown-ca-SSL-alert-number-48-tp26087p26484.html
Sent from the squirrelmail-users mailing list archive at Nabble.com.

-
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@lists.sourceforge.net
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): 
https://lists.sourceforge.net/lists/listinfo/squirrelmail-users


Re: [SM-USERS] [SOLVED sort of] was Re: svn 14501 - TLS

2016-12-19 Thread Paul Lesniewski


On 2016-12-18 23:59, igor_123 wrote:
> Paul, thanks for your answer.
> 
> 
> Paul Lesniewski wrote
>>> B.  Update SMTP Settings   : localhost:25
>>
>> Port 25?
> 
> Yes. As you say, smtp settings are irrelevant to imap tls ones. Also, I see
> no problem with this port. In my smtp setup, tls is used for communications
> of a client with smtpd.

It's OT, but it's not usually a good idea to mix inbound untrusted
traffic with outbound trusted.  Among other things, it makes applying
good policies more difficult/convoluted.

>> ...
>>> Printing out the contents of smtpd.cert confirms that
>>> CN=uranus.sai.msu.ru
>>
>> But is the CA available (to SM) and known?
> 
> How do I check the availability of CA to SM? Known to whom? As I said, my
> certificate/key pair is self-signed and simple (without chains). The cert
> file is smtpd.cert, the key is smtpd.key.

Even though it's self-signed, it's still signed.  The CA is whatever you
signed it with, however I think if you set verify_peer you should be
turning that verification off.

>>> Adding these lines to squirrelmail's config_local.php
>>>
>>> $imap_stream_options = array(
>>>  'ssl' => array(
>>>  'cafile' => '/etc/postfix/smtpd.cert',
>>
>> That does not look like a CA cert path to me.
> 
> Yes, the path is non-standard, this is a testing environment. Still, it should
> not be a problem since the path is provided in dovecot config.

No, the point is that that cert may not be your CA.

> Paul Lesniewski wrote
>>>  'verify_peer' => false,
>>>  'verify_depth' => 1,
>>>  ),
>>> );
>>>
>>> does not change anything.
>>
>> Did you verify if those are being used in the code?
> 
> No. I assumed that if including these lines was your recommendation to
> David, SM should use them.

You can only make such assumptions if you're running the newest version
of SM from our website.  I don't know what patches RedHat is putting in
their packages of SM.  At a minimum, test it with the latest SM code,
and if that works, then you know where the problem is.

> Paul Lesniewski wrote
>>   The solution might
>> be as simple as using a 1.4.23-SVN snapshot from our downloads page.
>> I'd try that before anything else.
> 
> I will. Although, honestly, I would prefer to use the SM package from the
> official repository. I have to implement it in several servers and managing
> all of them manually is too much trouble...

Then you should take your query to the package maintainer; we can't help
you with other people's repackaging/old versions.

-- 
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php
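
Added example (not part of either poster's message and not SquirrelMail code): a shell check for the question raised in the thread, whether the file given as `cafile` can actually validate the certificate the server presents. It uses throwaway certificates constructed on the spot; the function names and the `*.example.test` host names are assumptions.

```shell
#!/bin/sh
# Added example. All certificates are constructed throwaway files.

# make_self_signed DIR NAME CN: write DIR/NAME.cert and DIR/NAME.key
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.cert" >/dev/null 2>&1
}

# is_self_signed CERT: true when subject and issuer are the same name
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# verifies_against CAFILE CERT: true when CERT's signature chains to CAFILE
verifies_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_cafile CAFILE CERT: print a verdict, return 0 only if CAFILE works
check_cafile() {
    if verifies_against "$1" "$2"; then
        if is_self_signed "$2"; then
            echo "ok: self-signed, the certificate is its own CA"
        else
            echo "ok: issued by a CA present in the cafile"
        fi
        return 0
    fi
    echo "fail: cafile does not contain the signer (client would send unknown_ca)"
    return 1
}

demo() {
    dir=$(mktemp -d) || return 1
    make_self_signed "$dir" server imap.example.test   # what the server presents
    make_self_signed "$dir" other other.example.test   # an unrelated certificate
    check_cafile "$dir/server.cert" "$dir/server.cert" # cafile = the cert itself
    check_cafile "$dir/other.cert" "$dir/server.cert" || true  # wrong cafile
    rm -rf "$dir"
}
demo
```

Run `check_cafile` with the configured `cafile` and the certificate file the IMAP server is set to present. The name comparison alone proves nothing about the signature, which is why `openssl verify` is the deciding step; neither check looks at the host name.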
