Re: [RCU] roundcube custom tls verification options
Hello,

Thanks for everyone's replies. What is wrong with this code? I keep getting a syntax error, it wants a ) not a ,

Thanks.
Dave.

array(
    'verify_peer' => true,
    // certificate is not self-signed if cafile provided
    'allow_self_signed' => false,
    // Letsencrypt
    'ssl_cert => '/path/to/letsencrypt/fullchain.pem'
    'ssl_key' => '/path/to/letsencrypt/privkey.pem',
    'ciphers' => 'TLSv1.2:@STRENGTH',
    'peer_name' => 'imap.domain.com',
    )
);

// For STARTTLS SMTP
$config['smtp_conn_options'] = array(
    'ssl' => array(
        'verify_peer' => true,
        // certificate is not self-signed if cafile provided
        'allow_self_signed' => false,
        // Letsencrypt
        'ssl_cert => '/path/to/letsencrypt/fullchain.pem',
        'ssl_key' => '/path/to/letsencrypt/privkey.pem',
        'ciphers' => 'TLSv1.2:@STRENGTH',
        'peer_name' => 'smtp.domain.com',
    ),
);

On 4/9/18, Ralph Seichter wrote:
> On 09.04.2018 02:37, David Mehler wrote:
>
>> what I'm wanting to do is tighten my tls verification options. My
>> domains each use a different letsencrypt certificate.
>
> Depending on your platform, you could do without any special Roundcube
> configuration. With modern Linux distributions like Gentoo this works:
>
> 1. Download LE root CA cert from https://letsencrypt.org/certificates/
> 2. Save cert in /usr/local/share/ca-certificates (you might need to
>    create this directory) with '.crt' name suffix. (*)
> 3. Run 'update-ca-certificates --fresh' as root.
> 4. Restart your web server.
>
> With that, Let's Encrypt is configured as a locally trusted CA for
> libssl, and in the Roundcube configuration only
>
>   $config['default_host'] = 'ssl://imap.horus-it.com';
>
> is then required, if you match the host name of your certificate. This
> method benefits any process on your server that uses libssl.
>
> -Ralph
>
> (*) See 'man 8 update-ca-certificates'.
___
Roundcube Users mailing list
users@lists.roundcube.net
http://lists.roundcube.net/mailman/listinfo/users
Re: [RCU] roundcube custom tls verification options
On 09.04.2018 02:37, David Mehler wrote:

> what I'm wanting to do is tighten my tls verification options. My
> domains each use a different letsencrypt certificate.

Depending on your platform, you could do without any special Roundcube
configuration. With modern Linux distributions like Gentoo this works:

1. Download LE root CA cert from https://letsencrypt.org/certificates/
2. Save cert in /usr/local/share/ca-certificates (you might need to
   create this directory) with '.crt' name suffix. (*)
3. Run 'update-ca-certificates --fresh' as root.
4. Restart your web server.

With that, Let's Encrypt is configured as a locally trusted CA for
libssl, and in the Roundcube configuration only

  $config['default_host'] = 'ssl://imap.horus-it.com';

is then required, if you match the host name of your certificate. This
method benefits any process on your server that uses libssl.

-Ralph

(*) See 'man 8 update-ca-certificates'.
Re: [RCU] roundcube custom tls verification options
On 09.04.2018 02:37, David Mehler wrote:

> Can I put a config in each of the domain specific files?

Yes. You can also do:

$config['imap_conn_options'] = array(
    'hostname' => array(
        'ssl' => array(
            // ... SSL options for this host ...
        ),
    ),
);

--
Aleksander 'A.L.E.C' Machniak
Kolab Groupware Developer [http://kolab.org]
Roundcube Webmail Developer [http://roundcube.net]
PGP: 19359DC1 # Blog: https://kolabian.wordpress.com
[RCU] roundcube custom tls verification options
Hello,

Is it possible to do custom connection information? This is how my config.inc.php file looks:

$config['default_host'] = 'tls://localhost';
$config['imap_conn_options'] = array(
    'ssl' => array(
        'verify_peer' => false,
        'verify_peer_name' => false,
    ),
);
$config['smtp_server'] = 'tls://localhost';
$config['smtp_conn_options'] = array(
    'ssl' => array(
        'verify_peer' => false,
        'verify_peer_name' => false,
    ),
);
$config['include_host_config'] = array(
    'webmail.domain1.com' => 'domain1_config.inc.php',
    'webmail.domain2.com' => 'domain2_config.inc.php',
);

What I'm wanting to do is tighten my tls verification options. My domains each use a different letsencrypt certificate. What I'm wanting to add is something like:

// For STARTTLS IMAP
$config['imap_conn_options'] = array(
    'ssl' => array(
        'verify_peer' => true,
        // certificate is not self-signed if cafile provided
        'allow_self_signed' => false,
        //'cafile' => '/etc/ssl/certs/Your_CA_certificate.pem',
        // For Letsencrypt use the following two lines and remove the 'cafile' option above.
        'ssl_cert' => '/etc/letsencrypt/live/mail.my_domain.org/fullchain.pem',
        'ssl_key' => '/etc/letsencrypt/live/mail.my_domain.org/privkey.pem',
        // probably optional parameters
        'ciphers' => 'TLSv1+HIGH:!aNull:@STRENGTH',
        'peer_name' => 'mail.my_domain.org',
    ),
);

// For STARTTLS SMTP
$config['smtp_conn_options'] = array(
    'ssl' => array(
        'verify_peer' => true,
        // certificate is not self-signed if cafile provided
        'allow_self_signed' => false,
        //'cafile' => '/etc/ssl/certs/Your_CA_certificate.pem',
        // For Letsencrypt use the following two lines and remove the 'cafile' option above.
        'ssl_cert' => '/etc/letsencrypt/live/mail.my_domain.org/fullchain.pem',
        'ssl_key' => '/etc/letsencrypt/live/mail.my_domain.org/privkey.pem',
        // probably optional parameters
        'ciphers' => 'TLSv1+HIGH:!aNull:@STRENGTH',
        'peer_name' => 'mail.my_domain.org',
    ),
);

Can I put a config in each of the domain specific files?

Thanks.
Dave.
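An added example, not part of the original thread and not Roundcube's own code: a PHP check that walks an imap_conn_options or smtp_conn_options array, in the flat form or the per-hostname form mentioned in the thread, and reports settings that switch verification off as well as keys that are not in PHP's list of SSL context options. The helper names audit_ssl_block and audit_conn_options and the sample arrays are assumptions made for illustration.

```php
<?php
// Hypothetical helper (added example): audit Roundcube-style *_conn_options arrays.
// Names taken from PHP's SSL context option documentation; extend for your PHP version.
const KNOWN_SSL_OPTIONS = [
    'peer_name', 'verify_peer', 'verify_peer_name', 'allow_self_signed',
    'cafile', 'capath', 'local_cert', 'local_pk', 'passphrase', 'verify_depth',
    'ciphers', 'capture_peer_cert', 'capture_peer_cert_chain', 'SNI_enabled',
    'disable_compression', 'peer_fingerprint', 'security_level',
];

function audit_ssl_block(array $ssl, string $label): array
{
    $findings = [];
    // Explicitly setting either of these to false turns off chain or host-name checks.
    foreach (['verify_peer', 'verify_peer_name'] as $key) {
        if (array_key_exists($key, $ssl) && $ssl[$key] === false) {
            $findings[] = "$label: '$key' is false, so that check is disabled";
        }
    }
    if (!empty($ssl['allow_self_signed'])) {
        $findings[] = "$label: 'allow_self_signed' is enabled";
    }
    foreach (array_keys($ssl) as $key) {
        if (!in_array($key, KNOWN_SSL_OPTIONS, true)) {
            $findings[] = "$label: '$key' is not in the known SSL context option list";
        }
    }
    return $findings;
}

function audit_conn_options(array $options): array
{
    // Flat form is ['ssl' => [...]]; per-host form is ['hostname' => ['ssl' => [...]]].
    if (isset($options['ssl'])) {
        $options = ['(all hosts)' => $options];
    }
    $findings = [];
    foreach ($options as $host => $wrappers) {
        $findings = array_merge($findings, audit_ssl_block($wrappers['ssl'] ?? [], (string) $host));
    }
    return $findings;
}

// Constructed sample input modelled on the settings quoted in the thread.
$imap = ['ssl' => ['verify_peer' => false, 'verify_peer_name' => false]];
$smtp = ['smtp.domain.com' => ['ssl' => ['verify_peer' => true, 'ssl_cert' => '/path/to/fullchain.pem']]];
foreach (['imap_conn_options' => $imap, 'smtp_conn_options' => $smtp] as $name => $options) {
    foreach (audit_conn_options($options) as $finding) {
        echo "$name: $finding\n";
    }
}
```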