[SOLVED sort of] was Re: svn 14501 - TLS handshaking: SSL_accept() failed: error: ... alert unknown ca: SSL alert number 48

On 06/14/2015 08:00 PM, David C. Rankin wrote:
> On 06/14/2015 07:05 PM, David C. Rankin wrote:
>> Checking outgoing mail service....
>>        SMTP server OK (220 phoinix.rlfpllc.com ESMTP Postfix)
>>
>>      I think you have nailed the issue as a 'ca' problem which makes sense with
>> the error: 'tlsv1 alert unknown ca: SSL alert number 48'. Let me know when you
>> have a chance to look into this. I'm happy to do the digging.
>
> I think I have made progress. It looks like the problem is with the way
> squirrelmail handles the certificate check. I made several changes and how
> configtest.php now gives the following error:
>
> Warning: fsockopen(): Peer certificate CN=`*.rlfpllc.com' did not match expected CN=`localhost' in /srv/http/htdocs/squirrelmail_501/src/configtest.php on line 740
> Warning: fsockopen(): Failed to enable crypto in /srv/http/htdocs/squirrelmail_501/src/configtest.php on line 740
> Warning: fsockopen(): unable to connect to tls://localhost:993 (Unknown error) in /srv/http/htdocs/squirrelmail_501/src/configtest.php on line 740
>
> Seeing the CN mismatch, I set config_local.php with 'verify_peer' => false:
>
> $imap_stream_options = array(
>       'ssl' => array(
>           'cafile' => '/etc/ca-certificates/extracted/tls-ca-bundle.pem',
>           'verify_peer' => false,
>           'verify_depth' => 3,
>       ),
> );
>
> However, that made no difference. (*Note:* with php 5.6+ the default for
> verify_peer is now 'true' -- I don't know if that prevents override in
> config_local.php) Let me know when you have some time and I'm glad to help.
>

   For whatever reason, and for reasons I cannot explain, squirrelmail can no 
longer accept 'localhost' under 'Server Settings' (#2 in ./conf.pl) when your 
dovecot server certificate uses a CN of *.domain.tld. For years, my server 
config always looked like:

Server Settings

General
-------
1.  Domain                 : mydomain.com
2.  Invert Time            : false
3.  Sendmail or SMTP       : SMTP

A.  Update IMAP Settings   : localhost:993 (dovecot)
B.  Update SMTP Settings   : localhost:25

R   Return to Main Menu
C   Turn color off
S   Save data
Q   Quit

   After looking at the CN mismatch reported through configtest.php, I decided to 
change my server configuration to match my server CN:

Server Settings

General
-------
1.  Domain                 : mydomain.com
2.  Invert Time            : false
3.  Sendmail or SMTP       : SMTP

A.  Update IMAP Settings   : mail.mydomain.com:993 (dovecot)
B.  Update SMTP Settings   : localhost:25

R   Return to Main Menu
C   Turn color off
S   Save data
Q   Quit

   Bingo! configtest.php worked:

Checking IMAP service....
     IMAP server ready (* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR 
LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.)
     Capabilities: * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID 
ENABLE IDLE AUTH=PLAIN AUTH=LOGIN
Checking internationalization (i18n) settings...
      gettext - Gettext functions are available. On some systems you must have 
appropriate system locales compiled.
         Test translations. This test is not accurate and might work only on 
some systems.
      mbstring - Mbstring functions are available.
      recode - Recode functions are unavailable.
      iconv - Iconv functions are unavailable.
      timezone - Webmail users can change their time zone settings. Current time 
zone is CDT.

   So what was the reason? Looking at the release notes for php 5.6 listed on 
http://php.net/manual/en/context.ssl.php showed:

5.6.0 	Added peer_fingerprint and verify_peer_name. verify_peer default changed 
to TRUE.

   While I cannot confirm with 100% certainty the change in the default was the 
sole cause and that changes to ca-certificates over the past few months didn't 
also contribute, it certainly seems to be the most likely candidate.

   Paul, after you look into this, if this was the sole cause, you may want to 
drop an Install/Upgrade note regarding php 5.6 and the change required in server 
settings.

(Even better, it may be worth adding a check in the squirrelmail code: if the 
server setting is listed as 'localhost', make a php call to obtain the server 
hostname/domain and compare it against the peer-reported name before a CN 
mismatch is declared -- or something similar -- which may fix it.)

   Hopefully this will narrow down your work a bit.

-- 
David C. Rankin, J.D.,P.E.

-----------------------------------------------------------------------------------
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
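The following is an added example, not SquirrelMail's code and not part of the thread above. It opens the IMAP socket the way configtest.php does (tls://localhost:993), but instead of switching verification off with 'verify_peer' => false, it keeps chain and hostname verification on and uses the PHP 5.6+ 'peer_name' SSL context option to tell PHP which name to check the certificate's CN/SAN against. That keeps "localhost" as the connection address while the certificate is still validated against the real mail host name. The host name mail.mydomain.com is an assumed value; the CA bundle path is the one from the post. Whether SquirrelMail passes every key of $imap_stream_options['ssl'] through to stream_context_create() is also an assumption here, based on the keys shown in config_local.php above.

```php
<?php
// Added example (not SquirrelMail's own code): connect to IMAP over TLS on
// localhost while still verifying the server certificate against the name it
// was actually issued for. Written for PHP 5.6+, where verify_peer defaults
// to true and the 'peer_name' context option exists.

function imapTlsGreeting($connectHost, $peerName, $cafile)
{
    $ctx = stream_context_create(array(
        'ssl' => array(
            // The weak setting from the post would be:
            //   'verify_peer' => false   (skips chain validation entirely)
            // Corrected: verify the chain AND the name, but verify the name
            // against the certificate's real host name, not "localhost".
            'verify_peer'      => true,
            'verify_peer_name' => true,
            'peer_name'        => $peerName,   // assumed: mail.mydomain.com
            'cafile'           => $cafile,
            'verify_depth'     => 3,
        ),
    ));

    $errno  = 0;
    $errstr = '';
    $fp = @stream_socket_client(
        "tls://{$connectHost}:993", $errno, $errstr, 10,
        STREAM_CLIENT_CONNECT, $ctx
    );
    if ($fp === false) {
        // TLS failures surface as a PHP warning rather than in $errstr,
        // so pull the detail (e.g. the CN mismatch text) from error_get_last().
        $last = error_get_last();
        $detail = ($last !== null && isset($last['message']))
            ? $last['message'] : "$errno: $errstr";
        return array('ok' => false, 'error' => $detail);
    }

    // Dovecot answers with "* OK [CAPABILITY ...] Dovecot ready." on success.
    $greeting = fgets($fp, 1024);
    fclose($fp);
    return array(
        'ok'       => $greeting !== false && strpos($greeting, '* OK') === 0,
        'greeting' => trim((string) $greeting),
    );
}

// Equivalent config_local.php fragment for the same behaviour (assumption:
// SquirrelMail hands these keys to stream_context_create() unchanged).
$imap_stream_options = array(
    'ssl' => array(
        'cafile'           => '/etc/ca-certificates/extracted/tls-ca-bundle.pem',
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'peer_name'        => 'mail.mydomain.com',   // assumed certificate name
        'verify_depth'     => 3,
    ),
);

print_r(imapTlsGreeting(
    'localhost',                                          // connection address
    'mail.mydomain.com',                                  // assumed cert CN/SAN
    '/etc/ca-certificates/extracted/tls-ca-bundle.pem'
));
```

Run it on the mail host itself; a CN mismatch or an unknown CA shows up in the returned 'error' string, while a working setup returns the Dovecot greeting. Pointing 'peer_name' at the certificate's name is preferable to changing the IMAP server setting to mail.mydomain.com only if you want to keep the loopback connection; if DNS for mail.mydomain.com already resolves locally, the server-setting change described in the post and the 'peer_name' approach verify the same thing.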
