Re: [RCU] Roundcube version

2019-11-26 Thread roundcube--lists
Hi,

On 26.11.19 21:10, @lbutlr wrote:
> Is there anywhere in the webUI that the version of Roundcube installed is 
> shown?
After login, click "About". It will give you the version and installed plugins 
(including versions as well).

Best regards,
Thomas
___
Roundcube Users mailing list
users@lists.roundcube.net
http://lists.roundcube.net/mailman/listinfo/users


Re: [RCU] Content Security Policy for Roundcube

2019-10-09 Thread roundcube--lists
Hi James,

My guess is that the header configured in your .htaccess file is not overriding the one set in
http.conf. You can easily check this with Firefox or Chrome dev tools in the network tab.
Unfortunately Apache httpd documentation (@
https://httpd.apache.org/docs/current/mod/mod_headers.html) does not.

On 09.10.19 09:38, James Brown wrote:
> Still can’t get this to work.
> 
> I’m using the .htaccess file in my roundcube/ root.
> 
> Ie to override the CSP headers in http.conf (for all that Apache serves).
> 
> No matter what I put I still get no messages in the mailboxes.
> 
> Javascript Console shows:
> 
> Refused to execute a script because its hash, its nonce, or 'unsafe-inline' 
> appears in neither the script-src directive nor the default-src directive of 
> the Content Security Policy.
> roundcube:57
> 
> In apache_root/roundcube/.htaccess I have:
> 
> Header set Content-Security-Policy "default-src ''unsafe-eval'; script-src 
> 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; 
> img-src 'self'; frame-src 'self'; connect-src 'self'; frame-ancestors 'self'; 
> base-uri 'self'; form-action 'self';referrer no-referrer"
> 

I would suggest using "Header always set ..." or "Header unset Content-Security-Policy" before
setting it with a new value.

> httpd.conf has:
> 
> Header set Content-Security-Policy "default-src 'self'; form-action 'self'; 
> frame-ancestors 'self'; base-uri 'self'; report-uri 
> https://bordo.report-uri.com/r/d/csp/wizard";

My CSP header value is "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'unsafe-inline' 'self'; form-action 'self'; upgrade-insecure-requests;
block-all-mixed-content; report-uri". Works for latest 1.3.x and 1.4.x-RC, with httpd 2.4.38
"header set" in my .htaccess is sufficient to set it.

hth,
Thomas
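The check suggested above (reading the Content-Security-Policy value or values in the network tab) can be evaluated offline with the following added example, which is not part of the original messages. The two policy strings are copied from this thread; the function names are hypothetical, and only `script-src` with its `default-src` fallback is modelled.

```python
"""Decide whether inline <script> would run under the CSP value(s) a response carries."""

def parse_csp(value):
    """Parse one policy into {directive: [sources]}; the first occurrence of a directive wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def inline_script_allowed(policy):
    """True if this single policy lets an inline <script> without nonce or hash execute."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:  # neither directive present: scripts are unrestricted
        return True
    lowered = [s.lower() for s in sources]
    # A nonce or hash source makes browsers ignore 'unsafe-inline' (CSP Level 2+).
    if any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered):
        return False
    return "'unsafe-inline'" in lowered

def response_allows_inline(header_values):
    """A response may carry several policies (repeated header or comma-separated);
    the browser enforces all of them, so every one must allow inline script."""
    policies = [parse_csp(p) for v in header_values for p in v.split(",") if p.strip()]
    return all(inline_script_allowed(p) for p in policies)

# Values quoted in this thread (.htaccess and httpd.conf respectively).
HTACCESS = ("default-src ''unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; "
            "style-src 'self' 'unsafe-inline'; img-src 'self'; frame-src 'self'; "
            "connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; "
            "form-action 'self';referrer no-referrer")
HTTPD_CONF = ("default-src 'self'; form-action 'self'; frame-ancestors 'self'; "
              "base-uri 'self'; report-uri https://bordo.report-uri.com/r/d/csp/wizard")

if __name__ == "__main__":
    cases = [("only httpd.conf value delivered", [HTTPD_CONF]),
             ("only .htaccess value delivered", [HTACCESS]),
             ("both values delivered", [HTTPD_CONF, HTACCESS])]
    for label, seen in cases:
        verdict = "allowed" if response_allows_inline(seen) else "blocked"
        print(f"{label}: inline script {verdict}")
```

Inline script is blocked whenever the httpd.conf value reaches the browser, alone or alongside the .htaccess value, which matches the console error quoted above.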

[RCU] Sharing DB between last stable and 1.4-beta

2018-09-02 Thread roundcube--lists
Hi,

is it possible to share one DB instance between 1.3.7 and 1.4-beta? I'd
like to give users the option to test the new beta (and have the option
to switch back to stable just in case).

New skin looks awesome, I really like it!

Best regards,
Thomas


Re: [RCU] managesieve

2017-07-14 Thread roundcube--lists
Hi David,

Is the clock in sync on the machine (just to eliminate this as a possible error)?

Regarding your self-signed issues, I'd suggest letting your system trust
the certificate which you use, either by putting the CA cert or the
server cert in your trust store (depends on your system). There is a big
difference between using a certificate which can be validated (even when
self-signed) and trusting any presented certificate (even if there are
config switches to disable checking).

hth+regards,
Thomas

On 14.07.2017 13:44, David Gessel wrote:
> Thanks!  A step closer.  It seems the roundcube logins can be set to ignore 
> certificate errors, but managesieve isn't:
> 
> Jul 14 04:34:49 managesieve-login: Info: Disconnected (no auth attempts in 0 
> secs): user=<>, rip=10.3.69.139, lip=10.3.69.135, TLS handshaking: 
> SSL_accept() failed: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert 
> certificate expired: SSL alert number 45, session=
> 
> This isn't accurate: it is a self-signed cert good until 2025.
> 
> While I'm OK with Let's Encrypt certificates, self-signed certificates should 
> be supported.  As I remember, I ran into this problem with roundcube's 
> checks, which is why the ssl:// and
> 
> $config['imap_conn_options'] = array(
>   'ssl' => array(
>     'verify_peer'  => false,
>     'verfify_peer_name' => false,
>   ),
> );
> 
> 
> which "managesieve_usetls" seems to ignore.  
> 
> Any way to get managesieve to function the same way or is this a "pay the 
> cert mafia or else..." situation?
> 
> -David