On Mon, June 15, 2015 19:59, David Highley wrote:
> "David C. Rankin wrote:"
>>
>> On 06/14/2015 11:53 PM, David C. Rankin wrote:
>> > Paul, after you look into this, if this was the sole cause, you may want to
>> > drop an Install/Upgrade note regarding php 5.6 and the change required in
>> > server settings.
>> >
>> > (even better, it may be worth adding a check in the squirrelmail code that
>> > if the server setting is listed as 'localhost', make a php call to obtain
>> > the server hostname/domain to compare against the peer-reported name before
>> > a CN mismatch is declared -- or something similar -- may fix it)
>>
>> If you do look at this, it looks like a possible fix for php 5.6+ needs to be
>> prior to line 725 in functions/imap_general.php:
>>
>> in function sqimap_create_stream:
>>
>> $imap_stream = @fsockopen($server, $port, $error_number, $error_string, 15);
>>
>> The problem in my case appears to be that if 'localhost' is specified as the
>> imap server in config.php (as it has been for the past 5-10 years), passing
>> 'localhost' as $server to fsockopen now causes the IMAP stream open failure
>> (presumably due to the new default of verify_peer=true). It seems like a
>> functional check of something like the following could help:
>>
>> if ($server == 'localhost') {
>>     // hostname.dnsdomainname (or however you get this in php)
>>     $servername  = gethostname();
>>     $imap_stream = @fsockopen($servername, $port, $error_number, $error_string, 15);
>> } else {
>>     $imap_stream = @fsockopen($server, $port, $error_number, $error_string, 15);
>> }
>>
>> It is trickier if the CN wasn't generated with the suggested '*.domain.tld'
>> format, but rather 'host.domain.tld'. In that case there would be no way of
>> knowing if the 'host' part of 'host.domain.tld' returned by the 'hostname'
>> equivalent would match the name used as the CN in certificate generation.
>>
>> However, just adding the 'localhost' check and 'host.domain.tld' substitution
>> would work for every case where the CN is specified in the recommended
>> '*.domain.tld' format. (I haven't looked at the code to see why smtp is not
>> affected, but it is fine.)
>>
>> Another option (less desirable, but effective) would be to add a check to
>> config/conf.pl to check if ssl/tls, or port 993, etc... had been specified
>> along with 'localhost' as the hostname. In that case conf.pl could warn that
>> the IMAP hostname must match the mail certificate CN for authentication to
>> succeed with php 5.6+.
>
> I'm not sure this is the whole story on why squirrelmail is not working. We
> have been trying since February and Fedora 21 to get it working again. Using
> squirrelmail-1.4.22-15.fc21.noarch
>
> We have the following configuration:
> Outside web server -> dovecot -> mail server using port 993
>
> We have verified all the certificates and if we use thunderbird all works
> fine. Yet squirrelmail configtest fails with:
>
> [root@spruce ~]# firefox /usr/share/squirrelmail/src/configtest.php &
> [1] 6998
> [root@spruce ~]#
> (firefox:6998): GLib-GObject-WARNING **: The property GtkSettings:gtk-menu-images is deprecated and shouldn't be used anymore. It will be removed in a future version.
>
> (firefox:6998): GLib-GObject-WARNING **: The property GtkSettings:gtk-button-images is deprecated and shouldn't be used anymore. It will be removed in a future version.
> PHP Warning: date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone. in /usr/share/squirrelmail/src/configtest.php on line 80
> PHP Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in /usr/share/squirrelmail/src/configtest.php on line 431
> PHP Warning: fsockopen(): Failed to enable crypto in /usr/share/squirrelmail/src/configtest.php on line 431
> PHP Warning: fsockopen(): unable to connect to tls://douglas.highley-recommended.com:993 (Unknown error) in /usr/share/squirrelmail/src/configtest.php on line 431
>
>> Keep fighting the good fight!
>>
>> --
>> David C. Rankin, J.D.,P.E.

The GTK WARNINGS (they are NOT ERRORS at this time) are nothing to currently
worry about.. they are just a warning of FUTURE problems to come...

Set the timezone in the /etc/php.ini file as such (RHEL/CentOS/Fedora):

;;;;;;;;;;;;;;;;;;;
; Module Settings ;
;;;;;;;;;;;;;;;;;;;

[Date]
; Defines the default timezone used by the date functions
; http://www.php.net/manual/en/datetime.configuration.php#ini.date.timezone
date.timezone = 'America/Denver'

Restart Apache.

Do NOT use SSLv3 as it is deprecated and compromised thus making it insecure.
Use only TLS/STARTTLS authentication. Disable SSLv3 in both the SMTP
(Sendmail?) and IMAP (Dovecot?) servers.

Disable SSLv3 in /etc/dovecot/conf.d/10-ssl.conf:

# SSL ciphers to use
ssl_cipher_list = ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:+HIGH:+MEDIUM

Disable SSLv3 by adding to /etc/mail/sendmail.mc and rerun make.

LOCAL_CONFIG
O CipherList=HIGH:RC4-SHA,RC4-MD5
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

Make sure you recompile the sendmail.mc to generate the new sendmail.cf file
and then restart your IMAP and SMTP servers.
-Rich

--
------------------------------------------------------------------------
Rich Hall
rich@xxxxxxxxxx
http://www.netlynx.us/rich/
ham radio: kf6arx
GPG Fingerprint: 1FE661FF5EBACE0CEC60C4CCA7DA943DD2722CC4
------------------------------------------------------------------------
Some people are like slinkies.. Not really good for anything useful, but
they bring a smile to your face when pushed down the stairs.
------------------------------------------------------------------------
And remember - if it ain't broke, hit it again.

------------------------------------------------------------------------------
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
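The thread above traces the "certificate verify failed" error to PHP 5.6 turning on peer verification by default, and proposes swapping 'localhost' for the machine's FQDN before calling fsockopen(). The following is an added example written for this page; it is not code from the thread, from SquirrelMail, or from Dovecot. It takes a different route to the same goal: verification stays on, and the 'peer_name' SSL context option (added in PHP 5.6 together with the verify_peer default) tells PHP which name the certificate must carry, so connecting over the loopback interface still works even when the certificate says 'mail.example.org'. fsockopen() cannot take a stream context, so the example uses stream_socket_client() instead. The function name sqimap_open_verified_stream(), the $expected_cn parameter, the config-style variable $imapCertName, the host name mail.example.org and the CA bundle path are all assumptions made for the example, not SquirrelMail settings.

```php
<?php
// Added example, not SquirrelMail code. Opens an IMAP-over-TLS stream with
// certificate verification left ON even when config.php points at 'localhost'.
//
// PHP 5.6 made verify_peer and verify_peer_name default to true, so a TLS
// connection to 'localhost' fails when the certificate was issued for the
// mail host's real name. 'peer_name' (also new in 5.6) names the host the
// certificate should match, independently of the address we connect to.

/**
 * @param string $server        $imapServerAddress from config.php
 * @param int    $port          IMAP port, e.g. 993
 * @param string $expected_cn   host name the IMAP certificate was issued for
 *                              (assumed new setting; not in SquirrelMail)
 * @param string $cafile        CA bundle; RHEL/Fedora path assumed here
 * @param int    $error_number  set on failure (by reference)
 * @param string $error_string  set on failure (by reference)
 * @return resource|false
 */
function sqimap_open_verified_stream($server, $port, $expected_cn,
        $cafile = '/etc/pki/tls/certs/ca-bundle.crt',
        &$error_number = null, &$error_string = null)
{
    // For loopback addresses the configured certificate name is what the
    // certificate must match; for any other server the address itself is.
    $peer_name = ($server === 'localhost' || $server === '127.0.0.1' || $server === '::1')
        ? $expected_cn
        : $server;

    $context = stream_context_create(array(
        'ssl' => array(
            'verify_peer'       => true,
            'verify_peer_name'  => true,
            'peer_name'         => $peer_name,
            'cafile'            => $cafile,
            'allow_self_signed' => false,
            'verify_depth'      => 5,
        ),
    ));

    // tls:// (not sslv3://) so PHP negotiates TLS only, matching the server
    // side advice in the thread to disable SSLv3.
    $stream = @stream_socket_client(
        'tls://' . $server . ':' . $port,
        $error_number,
        $error_string,
        15,
        STREAM_CLIENT_CONNECT,
        $context
    );

    // Typical failure causes: certificate name differs from $peer_name,
    // issuing CA missing from $cafile, or the server offers only SSLv3.
    return ($stream === false) ? false : $stream;
}

// Usage with values standing in for config.php entries (constructed):
$imapServerAddress = 'localhost';
$imapPort          = 993;
$imapCertName      = 'mail.example.org'; // must equal the certificate's CN/SAN

$imap_stream = sqimap_open_verified_stream($imapServerAddress, $imapPort, $imapCertName,
                                           '/etc/pki/tls/certs/ca-bundle.crt',
                                           $errno, $errstr);
if ($imap_stream === false) {
    fwrite(STDERR, "IMAP connect failed ($errno): $errstr\n");
    exit(1);
}
echo fgets($imap_stream); // IMAP server greeting, e.g. "* OK ... ready."
fclose($imap_stream);
```

Compared with the FQDN substitution suggested in the thread, this keeps the connection on the loopback interface (no dependence on what gethostname() returns or on a wildcard CN) and fails closed: a wrong $imapCertName produces the same "certificate verify failed" error rather than a silent downgrade, so the error itself points at the misconfigured name. Setting 'verify_peer' => false would also make the error disappear, but it removes the protection PHP 5.6 was adding and is not what the example does.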