Re: force TLS1.1 or later

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On Tue, 8 Nov 2022, David Carvalho via squirrelmail-users wrote:
Good morning and thank you so much for the reply.

This is not a single server. It is installed on  a web server which acts as an interface to send and receive e-mail from our mail server.
Can't use sendmail anymore, as I discovered a few years ago I needed to specify relay for the web server IP in /etc/mail/access

$domain                 = 'my.domain';
$imapServerAddress      = 'myserver.mydomain';
$imapPort               = 993;
$useSendmail            = false;
$smtpServerAddress      = 'myserver.mydomain';
/* $smtpPort               = 465;  */
$smtpPort               = 587;
$sendmail_path          = '/usr/sbin/sendmail';

The problem with tarball install is that I'm concerned about dependencies, so to be honest, I'd prefer to use  a  "builtin", stable and proven version, for the moment.
I have a docker with roundcube and it works fine whether I disable tls1 or not. Not sure if this helps. It has its own php version...

Is it possible to change this in order to use tls 1.2?
File: Deliver_SMTP.class.php

 if (($use_smtp_tls == true) and (check_php_version(4,3)) and (extension_loaded('openssl'))) {
           $stream = @fsockopen('tls://' . $host, $port, $errorNumber, $errorString);
       } else {
           $stream = @fsockopen($host, $port, $errorNumber, $errorString);

Best regards.

-----Original Message-----
From: Paul Lesniewski <paul@xxxxxxxxxxxxxxxx>
Sent: 07 November 2022 22:34
To: Squirrelmail User Support Mailing List <squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx>
Cc: David Carvalho <david@xxxxxxxxx>
Subject: Re:  force TLS1.1 or later

I'm using Squirrelmail 1.4.22-16 on an Oracle Linux 6 with PHP 5.3.3

It's running on old hardware so probably it won't be upgraded anytime

Squirrelmail is working fine for many years, but I wanted to disable
TLS1 support in sendmail. As soon as I do it, I get "Can't open
Stream" error message. Changed port 465 to 587 but I get the same error.

This PHP version supports TLS1.1 and 1.2, so,  is there a way to "force"
squirrelmail to use these later protocols?

SquirrelMail doesn't specifically ask for a TLS version, but it's possible the way it works with your PHP version may cause the downgrade.  You'd have to give more details about your configuration to know where to start.

That said, if this is a single-server solution, there is no reason for you to be encrypting connections to the same host.  Setting that up (even if you have to create a custom port/local listener in sendmail that is
non-encrypted) would likely be a more productive use of your time.  What's more, you don't even need to be using SMTP to send outgoing mail at all:
just configure SquirrelMail to use the sendmail command instead.  If you run the configuration tool, it will walk you through doing so (save a copy of your main configuration file just in case).

Also, you know that running a system that far out of date is risky and will contain known security vulnerabilities.  For SquirrelMail's part, you can easily upgrade yourself by downloading a tarball of version 1.4.23-svn from our downloads page and install it in a parallel directory where you can test migrating your configuration and plugins over -- if it's lightly modified/configured, that probably won't cause too much trouble.

Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!


I'm running SquirrelMail version 1.4.23 on my server.  The file:
Deliver_SMTP.class.php is newer and has this comment in the code
referencing the tls:// statement.

// NB: Using "ssl://" ensures the highest possible TLS version
// will be negotiated with the server (whereas "tls://" only
// uses TLS version 1.0)

You can try changing the php code from

$stream = @fsockopen('tls://' . $host, $port, $errorNumber, $errorString);


$stream = @fsockopen('ssl://' . $host, $port, $errorNumber, $errorString);

and see if this resolves the issue.  However if you do so you will need to
keep a copy of your local changes just in case you reload the package and
inadvertently overwrite the local changes.

Good luck.

Ted Hatifeld

squirrelmail-users mailing list
Posting guidelines:
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives:
List info (subscribe/unsubscribe/change options):

[Index of Archives]     [Video For Linux]     [Yosemite News]     [Yosemite Photos]     [gtk]     [KDE]     [Cyrus SASL]     [Gimp on Windows]     [Steve's Art]     [Webcams]

  Powered by Linux