Re: Problem with STARTTLS



On Mon, April 30, 2018 13:22, Paul Lesniewski wrote:

>>     Verify return code: 19 (self signed certificate in certificate
>> chain)
> That's likely your problem - SquirrelMail needs the homebrewed CA or
> you need to adjust the verify options.

That message is completely misleading.  Every CA certificate in a
complete certificate chain must eventually resolve to a self-signed
originator.  I have no idea what the person who wrote that bit of code
thought they were trying to convey.

In the meantime I have resolved the difficulty with the SMTP server
after discovering that the ca-bundle.crt file on the SM service host
was not the correct one.  The IMAP service worked because I had, in
desperation, copied the ca-bundle.crt file from the IMAP server to the
SM install.

The reason this did not work for the SMTP server as well is a
convoluted tale.  Suffice that Firefox, our preferred browser,
introduced a change which invalidated our original PKI private CA Root
certificate.  The replacement root CA and new PKI are rolled out on an
as-needed basis. This is done to avoid disrupting existing services
that are unaffected by the choices of the Mozilla developers.  Most of
this stuff is on an internal private LAN with no wireless and TLS is
used there simply to avoid casual packet sniffing revealing much in
the way of credentials.

As it happens, the IMAP server and the SMTP servers are on different
CA releases.  And from outside the LAN the IMAP server can only be
reached through a proxy.  It is maddening but these things happen. 
Updating the ca-bundle.crt to a common base on all three hosts, IMAP,
SMTP and SM has resolved the TLS problems.

>> ---
>> 220 ESMTP Postfix
>> As demonstrated above, I can connect to SMTP using the same
>> certificates and keys as configured for Squirrelmail, as shown
>> below:
> I'm confused - you say you've configured cert/key for SquirrelMail
> but below looks like Apache style configuration and below that,
> you state that you aren't aware of how to configure the PHP side.
> I will guess that you are not using $imap_stream_options and
> $smtp_stream_options in config/config_local.php

I am sorry for the confusion.  I was attempting to show that the files
that I used with s-client were identical to those configured in SM's
VirtualHost directive.

Following the ca-bundle.crt changes I get this from configtest.php:

. . .
Congratulations, your SquirrelMail setup looks fine to me!

However, I still cannot log on to the IMAP server and I cannot seem to
find any logged errors on either the SM or IMAP host as to why.  I can
log on to the same IMAP host with the same credentials from our
existing SM installation so there has to be a loose wire somewhere on
the new SM host.  I will continue to plug away at it.

Thanks for the help. I will likely be back for more.


***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB@xxxxxxxxxxxxx
Harte & Lyne Limited
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
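
Added example, not part of the original message: a reproduction of the ca-bundle mismatch described above, using two throwaway private roots to stand in for the two CA releases. It shows OpenSSL's verify code 19 when the server's root is missing from the client's bundle, and 0 once a common bundle holds both roots. The CA names, hostnames and file names are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example: every CA, key and hostname below is constructed test material.
set -u
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# write_cnf NAME: minimal openssl req config with CN=NAME (the [ca] extensions
# are only applied when req is run with -x509).
write_cnf() {
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' 'prompt=no' \
    '[dn]' "CN=$1" '[ca]' 'basicConstraints=critical,CA:TRUE' \
    'subjectKeyIdentifier=hash' > "$work/$1.cnf"
}

# make_ca NAME: self-signed private root, standing in for one "CA release".
make_ca() {
  write_cnf "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$work/$1.cnf" \
    -keyout "$work/$1.key" -out "$work/$1.crt" 2>/dev/null
}

# issue_leaf CA HOST: server certificate for HOST signed by CA.
issue_leaf() {
  write_cnf "$2"
  openssl req -new -newkey rsa:2048 -nodes -config "$work/$2.cnf" \
    -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null
  openssl x509 -req -in "$work/$2.csr" -CA "$work/$1.crt" -CAkey "$work/$1.key" \
    -CAcreateserial -days 2 -out "$work/$2.crt" 2>/dev/null
}

# verify_code BUNDLE CA HOST: print 0 if HOST's certificate verifies against
# the trust BUNDLE, else OpenSSL's verify error number. CA.crt is passed as
# -untrusted to model a server that sends its root in the handshake.
verify_code() {
  out=$(openssl verify -CAfile "$work/$1.crt" -untrusted "$work/$2.crt" \
    "$work/$3.crt" 2>&1) || true
  case "$out" in
    *": OK"*) echo 0 ;;
    *) printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
  esac
}

make_ca old-root && make_ca new-root
issue_leaf old-root imap.example.test
issue_leaf new-root smtp.example.test
cat "$work/old-root.crt" "$work/new-root.crt" > "$work/common.crt"

echo "imap vs old bundle:    $(verify_code old-root old-root imap.example.test)"
echo "smtp vs old bundle:    $(verify_code old-root new-root smtp.example.test)"
echo "smtp vs common bundle: $(verify_code common new-root smtp.example.test)"
```

Running `openssl x509 -noout -fingerprint -sha256` over each root in the bundle on every host is a quick way to confirm that the hosts really share the same trust anchors.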
