Discussion:
[RCU] roundcube custom tls verification options
David Mehler
2018-04-09 00:37:34 UTC
Hello,

Is it possible to do custom connection information? This is how my
config.inc.php file looks:

$config['default_host'] = 'tls://localhost';
$config['imap_conn_options'] = array(
'ssl' => array(
'verify_peer' => false,
'verify_peer_name' => false,
),
);
$config['smtp_server'] = 'tls://localhost';
$config['smtp_conn_options'] = array(
'ssl' => array(
'verify_peer' => false,
'verify_peer_name' => false,
),
);


$config['include_host_config'] = array(
'webmail.domain1.com' => 'domain1_config.inc.php',
'webmail.domain2.com' => 'domain2_config.inc.php',
);

what I'm wanting to do is tighten my tls verification options. My
domains each use a different letsencrypt certificate. What I'm wanting
to add is something like:

// For STARTTLS IMAP
$config['imap_conn_options'] = array(
    'ssl' => array(
        'verify_peer' => true,
        // certificate is not self-signed if cafile provided
        'allow_self_signed' => false,
        // 'cafile' => '/etc/ssl/certs/Your_CA_certificate.pem',
        // For Letsencrypt use the following two lines and remove the
        // 'cafile' option above.
        'ssl_cert' => '/etc/letsencrypt/live/mail.my_domain.org/fullchain.pem',
        'ssl_key' => '/etc/letsencrypt/live/mail.my_domain.org/privkey.pem',
        // probably optional parameters
        'ciphers' => 'TLSv1+HIGH:!aNull:@STRENGTH',
        'peer_name' => 'mail.my_domain.org',
    ),
);
// For STARTTLS SMTP
$config['smtp_conn_options'] = array(
    'ssl' => array(
        'verify_peer' => true,
        // certificate is not self-signed if cafile provided
        'allow_self_signed' => false,
        // 'cafile' => '/etc/ssl/certs/Your_CA_certificate.pem',
        // For Letsencrypt use the following two lines and remove the
        // 'cafile' option above.
        'ssl_cert' => '/etc/letsencrypt/live/mail.my_domain.org/fullchain.pem',
        'ssl_key' => '/etc/letsencrypt/live/mail.my_domain.org/privkey.pem',
        // probably optional parameters
        'ciphers' => 'TLSv1+HIGH:!aNull:@STRENGTH',
        'peer_name' => 'mail.my_domain.org',
    ),
);


Can I put a config in each of the domain specific files?

Thanks.
Dave.
A.L.E.C
2018-04-09 06:07:27 UTC
Post by David Mehler
Can I put a config in each of the domain specific files?
Yes. You can also do:

$config['imap_conn_options'] = array(
    'hostname' => array(
        'ssl' => array(
            // ... ssl context options for this host
        ),
    ),
);
--
Aleksander 'A.L.E.C' Machniak
Kolab Groupware Developer [http://kolab.org]
Roundcube Webmail Developer [http://roundcube.net]
----------------------------------------------------
PGP: 19359DC1 # Blog: https://kolabian.wordpress.com
Ralph Seichter
2018-04-09 07:38:49 UTC
Post by David Mehler
what I'm wanting to do is tighten my tls verification options. My
domains each use a different letsencrypt certificate.
Depending on your platform, you could do without any special Roundcube
configuration. With modern Linux distributions like Gentoo this works:

1. Download LE root CA cert from https://letsencrypt.org/certificates/
2. Save cert in /usr/local/share/ca-certificates (you might need to
create this directory) with '.crt' name suffix. (*)
3. Run 'update-ca-certificates --fresh' as root.
4. Restart your web server.

With that, Let's Encrypt is configured as a locally trusted CA for
libssl, and in the Roundcube configuration only

$config['default_host'] = 'ssl://imap.horus-it.com';

is then required, if you match the host name of your certificate. This
method benefits any process on your server that uses libssl.

-Ralph

(*) See 'man 8 update-ca-certificates'.
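The script below is an added example (editor's code, not Ralph's and not part of Roundcube) for checking steps 1-4 from PHP's side, since Roundcube's IMAP and SMTP sockets go through PHP's OpenSSL streams. It takes the server's fullchain.pem, asks OpenSSL whether the leaf now chains to a CA in the local store for the TLS-server purpose, and checks that the host name Roundcube will connect to is one of the certificate's DNS names. It runs offline against files on disk. The certbot-style path /etc/letsencrypt/live/imap.example.org/fullchain.pem, the bundle path /etc/ssl/certs/ca-certificates.crt (where update-ca-certificates writes on Debian-derived and Gentoo systems) and the host name are assumptions; the rc_* function names are mine.

```php
<?php
// Added example: does PHP's OpenSSL trust this Let's Encrypt server cert
// after the CA was installed locally? Paths and host name are placeholders.

// Split a PEM bundle into its certificates (fullchain.pem: leaf first,
// then the intermediates).
function rc_split_pem(string $bundle): array
{
    preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s', $bundle, $m);
    return $m[0];
}

// DNS names the certificate is valid for (subjectAltName entries, lowercased).
function rc_cert_dns_names(string $pem): array
{
    $info = openssl_x509_parse($pem);
    if ($info === false) {
        return array();
    }
    $names = array();
    $san   = isset($info['extensions']['subjectAltName']) ? $info['extensions']['subjectAltName'] : '';
    foreach (explode(',', $san) as $entry) {
        $entry = trim($entry);
        if (stripos($entry, 'DNS:') === 0) {
            $names[] = strtolower(substr($entry, 4));
        }
    }
    return $names;
}

// Host name match as used for peer_name checks: exact match, or a wildcard
// that covers exactly one leftmost label.
function rc_name_matches(string $host, array $names): bool
{
    $host = strtolower($host);
    foreach ($names as $name) {
        if ($name === $host) {
            return true;
        }
        if (substr($name, 0, 2) === '*.' && substr_count($host, '.') === substr_count($name, '.')
            && substr($host, strpos($host, '.')) === substr($name, 1)) {
            return true;
        }
    }
    return false;
}

// true when $leafPem chains, via the intermediates in $untrustedFile, to a
// CA found in $caPaths (files or directories) and is usable as a TLS server
// certificate. openssl_x509_checkpurpose returns -1 on error, hence === true.
function rc_chain_trusted(string $leafPem, array $caPaths, string $untrustedFile = null): bool
{
    return openssl_x509_checkpurpose($leafPem, X509_PURPOSE_SSL_SERVER, $caPaths, $untrustedFile) === true;
}

function rc_check_server_cert(string $fullchainPath, string $host, array $caPaths): array
{
    $certs = is_readable($fullchainPath) ? rc_split_pem(file_get_contents($fullchainPath)) : array();
    if (count($certs) === 0) {
        return array('trusted' => false, 'name_ok' => false, 'names' => array());
    }
    $leaf = array_shift($certs);
    // The intermediates have to be handed over as a file.
    $tmp = null;
    if (count($certs) > 0) {
        $tmp = tempnam(sys_get_temp_dir(), 'rc-chain');
        file_put_contents($tmp, implode("\n", $certs) . "\n");
    }
    $trusted = rc_chain_trusted($leaf, $caPaths, $tmp);
    if ($tmp !== null) {
        unlink($tmp);
    }
    $names = rc_cert_dns_names($leaf);
    return array('trusted' => $trusted, 'name_ok' => rc_name_matches($host, $names), 'names' => $names);
}

// Assumed paths: certbot live directory and the bundle update-ca-certificates writes.
$r = rc_check_server_cert('/etc/letsencrypt/live/imap.example.org/fullchain.pem',
                          'imap.example.org',
                          array('/etc/ssl/certs/ca-certificates.crt'));
printf("chain trusted: %s, name matches: %s (cert names: %s)\n",
    $r['trusted'] ? 'yes' : 'no', $r['name_ok'] ? 'yes' : 'no', implode(' ', $r['names']));
exit(($r['trusted'] && $r['name_ok']) ? 0 : 1);
```

If "chain trusted" comes back no, the CA file from step 2 is not in the bundle yet (wrong suffix, or update-ca-certificates not run) and a Roundcube connection with verify_peer on will fail the same way. If the name does not match, either connect to a name that is in the certificate or set peer_name in the conn_options to one that is; with both yes, Ralph's one-line default_host setting is enough because PHP has verify_peer and verify_peer_name on by default since 5.6.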
David Mehler
2018-04-09 09:02:25 UTC
Hello,

Thanks for everyone's replies. What is wrong with this code? I keep
getting a syntax error, it wants a ) not a ,

Thanks.
Dave.

<?php
$config['username_domain'] = 'domain.com';
// For STARTTLS IMAP
$config['imap_conn_options'] = array(
'ssl' => array(
'verify_peer' => true,
// certificate is not self-signed if cafile provided
'allow_self_signed' => false,
// Letsencrypt
'ssl_cert => '/path/to/letsencrypt/fullchain.pem'
'ssl_key' => '/path/to/letsencrypt/privkey.pem',
'ciphers' => 'TLSv1.2:@STRENGTH',
'peer_name' => 'imap.domain.com',
)
);

// For STARTTLS SMTP
$config['smtp_conn_options'] = array(
'ssl' => array(
'verify_peer' => true,
// certificate is not self-signed if cafile provided
'allow_self_signed' => false,
// Letsencrypt
'ssl_cert => '/path/to/letsencrypt/fullchain.pem',
'ssl_key' => '/path/to/letsencrypt/privkey.pem',
'ciphers' => 'TLSv1.2:@STRENGTH',
'peer_name' => 'smtp.domain.com',
),
);
Post by Ralph Seichter
Post by David Mehler
what I'm wanting to do is tighten my tls verification options. My
domains each use a different letsencrypt certificate.
Depending on your platform, you could do without any special Roundcube
configuration. With modern Linux distributions like Gentoo this works:
1. Download LE root CA cert from https://letsencrypt.org/certificates/
2. Save cert in /usr/local/share/ca-certificates (you might need to
create this directory) with '.crt' name suffix. (*)
3. Run 'update-ca-certificates --fresh' as root.
4. Restart your web server.
With that, Let's Encrypt is configured as a locally trusted CA for
libssl, and in the Roundcube configuration only
$config['default_host'] = 'ssl://imap.horus-it.com';
is then required, if you match the host name of your certificate. This
method benefits any process on your server that uses libssl.
-Ralph
(*) See 'man 8 update-ca-certificates'.
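What follows is an added example (editor's code, not from the thread and not Roundcube's own): the domain config above with the parse error fixed, the options PHP ignores replaced by ones it honours, and a small lint that reports every setting that would disable verification. It uses the per-host form of imap_conn_options from A.L.E.C's reply and assumes Roundcube matches the per-host entry on the bare host name without scheme or port. The host names imap.domain.com and smtp.domain.com, the bundle path /etc/ssl/certs/ca-certificates.crt and the name rc_lint_conn_options are placeholders.

```php
<?php
// Added example, not code from the thread or from Roundcube. Placeholders:
// imap.domain.com, smtp.domain.com and the CA bundle path.
//
// Why the posted snippet fails to parse: in
//     'ssl_cert => '/path/to/letsencrypt/fullchain.pem'
// the quote closing 'ssl_cert' and the trailing comma are missing, so PHP reads
// 'ssl_cert => ' as one string and then stops at an unexpected token.
//
// Why it would not harden anything once it parsed: 'ssl_cert' and 'ssl_key'
// are not PHP SSL context options and are silently ignored. The client-cert
// options PHP knows are 'local_cert' / 'local_pk', and even those are wrong
// here: Roundcube is the TLS client and verifies the server's chain against
// a trusted CA; it never needs the server's private key.

$config = array();   // Roundcube predefines this; only needed to run stand-alone
$config['username_domain'] = 'domain.com';

// Per-host form of conn_options, keyed by the host name from default_host
// (assumed: scheme and port stripped before lookup). The same shape works in
// a domain-specific file selected via include_host_config.
$config['default_host'] = 'tls://imap.domain.com';
$config['imap_conn_options'] = array(
    'imap.domain.com' => array(
        'ssl' => array(
            'verify_peer'       => true,
            'verify_peer_name'  => true,
            'allow_self_signed' => false,
            // Trust anchor: the distribution bundle (assumed path; recent
            // bundles include the Let's Encrypt root), or a file holding
            // only the root you want to trust. Never the server's privkey.pem.
            'cafile'            => '/etc/ssl/certs/ca-certificates.crt',
            'verify_depth'      => 3,
            // Checked against the certificate's DNS names; needed when it
            // differs from the host you connect to (e.g. tls://localhost).
            'peer_name'         => 'imap.domain.com',
            'ciphers'           => 'HIGH:!aNULL:!MD5:@STRENGTH',
        ),
    ),
);

$config['smtp_server'] = 'tls://smtp.domain.com';
$config['smtp_conn_options'] = array(
    'smtp.domain.com' => array(
        'ssl' => array_merge(
            $config['imap_conn_options']['imap.domain.com']['ssl'],
            array('peer_name' => 'smtp.domain.com')
        ),
    ),
);

// Lint: report every setting that would accept an unverified server and every
// key PHP would ignore. Accepts the flat form (array('ssl' => ...)) and the
// per-host form used above. Unset verify_* keys are left alone: PHP has
// defaulted them to on since 5.6.
function rc_lint_conn_options(array $options, string $label): array
{
    static $known = array(
        'peer_name', 'verify_peer', 'verify_peer_name', 'allow_self_signed',
        'cafile', 'capath', 'local_cert', 'local_pk', 'passphrase', 'verify_depth',
        'ciphers', 'capture_peer_cert', 'capture_peer_cert_chain', 'SNI_enabled',
        'disable_compression', 'peer_fingerprint', 'security_level',
    );
    $perHost  = isset($options['ssl']) ? array('*' => $options) : $options;
    $findings = array();

    foreach ($perHost as $host => $set) {
        $ssl   = isset($set['ssl']) ? $set['ssl'] : array();
        $where = $label . '[' . $host . ']';

        if (isset($ssl['verify_peer']) && !$ssl['verify_peer']) {
            $findings[] = "$where: verify_peer is off, any certificate is accepted";
        }
        if (isset($ssl['verify_peer_name']) && !$ssl['verify_peer_name']) {
            $findings[] = "$where: verify_peer_name is off, a valid certificate for any other name is accepted";
        }
        if (!empty($ssl['allow_self_signed'])) {
            $findings[] = "$where: allow_self_signed is on";
        }
        if (isset($ssl['cafile']) && !is_readable($ssl['cafile'])) {
            $findings[] = "$where: cafile {$ssl['cafile']} is not readable, every connection will fail";
        }
        foreach (array_diff(array_keys($ssl), $known) as $unknown) {
            $findings[] = "$where: '$unknown' is not a PHP SSL context option and is ignored";
        }
    }
    return $findings;
}

// Lint the config above and, for contrast, the thread's original setting;
// exit non-zero when the live config has findings so it can gate a deploy.
$problems = array();
foreach (array('imap_conn_options', 'smtp_conn_options') as $key) {
    $problems = array_merge($problems, rc_lint_conn_options($config[$key], $key));
}
$original = array('ssl' => array('verify_peer' => false, 'verify_peer_name' => false));
foreach (rc_lint_conn_options($original, 'original') as $p) {
    echo "contrast  $p\n";
}
foreach ($problems as $p) {
    echo "PROBLEM   $p\n";
}
exit(count($problems) === 0 ? 0 : 1);
```

Run it with php on the machine that hosts Roundcube: the two "contrast" lines are what the first post's config earns, and any "PROBLEM" line (typically an unreadable cafile on a system whose bundle lives elsewhere) must be cleared before the $config part is pasted into config.inc.php or a domain-specific file; the lint function and the run block at the end stay out of the Roundcube config.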
_______________________________________________
Roundcube Users mailing list
http://lists.roundcube.net/mailman/listinfo/users