Hello.
After disabling tls1.0 on my MTA and replacing

$stream = @fsockopen('tls://' . $host, $port, $errorNumber, $errorString);

with

$stream = @fsockopen('ssl://' . $host, $port, $errorNumber, $errorString);

In Deliver_SMTP.class.php
Everything is working fine!

Thank you so much!
Best regards
David

-----Original Message-----
From: Ted Hatfield <ted@xxxxxxxxx>
Sent: 08 November 2022 11:02
To: David Carvalho via squirrelmail-users <squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx>
Cc: David Carvalho <david@xxxxxxxxx>
Subject: Re: force TLS1.1 or later

On Tue, 8 Nov 2022, David Carvalho via squirrelmail-users wrote:

> Good morning and thank you so much for the reply.
>
> This is not a single server. It is installed on a web server which acts as an interface to send and receive e-mail from our mail server.
> Can't use sendmail anymore, as I discovered a few years ago I needed
> to specify relay for the web server IP in /etc/mail/access
>
> Config.php
>
> $domain = 'my.domain';
> $imapServerAddress = 'myserver.mydomain';
> $imapPort = 993;
> $useSendmail = false;
> $smtpServerAddress = 'myserver.mydomain';
> /* $smtpPort = 465; */
> $smtpPort = 587;
> $sendmail_path = '/usr/sbin/sendmail';
>
>
> The problem with tarball install is that I'm concerned about dependencies, so to be honest, I'd prefer to use a "builtin", stable and proven version, for the moment.
> I have a docker with roundcube and it works fine whether I disable tls1 or not. Not sure if this helps. It has its own php version...
>
> Is it possible to change this in order to use tls 1.2?
> File: Deliver_SMTP.class.php
>
> if (($use_smtp_tls == true) and (check_php_version(4,3)) and (extension_loaded('openssl'))) {
>     $stream = @fsockopen('tls://' . $host, $port, $errorNumber, $errorString);
> } else {
>     $stream = @fsockopen($host, $port, $errorNumber, $errorString);
>
>
> Best regards.
> David
>
> -----Original Message-----
> From: Paul Lesniewski <paul@xxxxxxxxxxxxxxxx>
> Sent: 07 November 2022 22:34
> To: Squirrelmail User Support Mailing List <squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx>
> Cc: David Carvalho <david@xxxxxxxxx>
> Subject: Re: force TLS1.1 or later
>
>
>> I'm using Squirrelmail 1.4.22-16 on an Oracle Linux 6 with PHP 5.3.3
>>
>> It's running on old hardware so probably it won't be upgraded anytime
>> soon.
>>
>> Squirrelmail is working fine for many years, but I wanted to disable
>> TLS1 support in sendmail. As soon as I do it, I get "Can't open
>> Stream" error message. Changed port 465 to 587 but I get the same error.
>>
>> This PHP version supports TLS1.1 and 1.2, so, is there a way to "force"
>> squirrelmail to use these later protocols?
>
> SquirrelMail doesn't specifically ask for a TLS version, but it's possible the way it works with your PHP version may cause the downgrade. You'd have to give more details about your configuration to know where to start.
>
> That said, if this is a single-server solution, there is no reason for
> you to be encrypting connections to the same host. Setting that up
> (even if you have to create a custom port/local listener in sendmail
> that is non-encrypted) would likely be a more productive use of your time. What's more, you don't even need to be using SMTP to send outgoing mail at all:
> just configure SquirrelMail to use the sendmail command instead. If you run the configuration tool, it will walk you through doing so (save a copy of your main configuration file just in case).
>
> Also, you know that running a system that far out of date is risky and will contain known security vulnerabilities. For SquirrelMail's part, you can easily upgrade yourself by downloading a tarball of version 1.4.23-svn from our downloads page and install it in a parallel directory where you can test migrating your configuration and plugins over -- if it's lightly modified/configured, that probably won't cause too much trouble.
>
> --
> Paul Lesniewski
> SquirrelMail Team
> Please support Open Source Software by donating to SquirrelMail!
> http://squirrelmail.org/donate_paul_lesniewski.php
>
>

David,

I'm running SquirrelMail version 1.4.23 on my server.

The file: Deliver_SMTP.class.php is newer and has this comment in the code referencing the tls:// statement.

// NB: Using "ssl://" ensures the highest possible TLS version
// will be negotiated with the server (whereas "tls://" only
// uses TLS version 1.0)

You can try changing the php code from

$stream = @fsockopen('tls://' . $host, $port, $errorNumber, $errorString);

to

$stream = @fsockopen('ssl://' . $host, $port, $errorNumber, $errorString);

and see if this resolves the issue.

However if you do so you will need to keep a copy of your local changes just in case you reload the package and inadvertently overwrite the local changes.

Good luck.

Ted Hatfield

-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
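
The thread turns on which TLS version the tls:// and ssl:// prefixes end up negotiating. The following is an added example, not part of the thread and not SquirrelMail code: a probe that offers one TLS version at a time to an implicit-TLS SMTP listener and reports whether the MTA accepts it, so that disabling TLS 1.0 can be confirmed. The function name probe_tls, the host mail.example.org and port 465 are assumptions, and it needs PHP 7.0 or later, so it has to run from a newer host than the PHP 5.3.3 web server discussed above.

```php
<?php
// Added example, not SquirrelMail code. Needs PHP >= 7.0 for the 'crypto'
// entry of stream_get_meta_data(); PHP 5.3.3 has neither that entry nor the
// per-version STREAM_CRYPTO_METHOD_TLSv1_x_CLIENT constants used below.

/**
 * Attempt an implicit-TLS connection offering only $cryptoMethod and report
 * what was negotiated. The explicit 'crypto_method' context option is used
 * instead of relying on the version implied by a "tls://" or "ssl://" prefix.
 * Pass $verify = false only for a listener with a self-signed certificate.
 */
function probe_tls($host, $port, $cryptoMethod, $verify = true, $timeout = 10)
{
    $context = stream_context_create(array('ssl' => array(
        'crypto_method'    => $cryptoMethod,
        'verify_peer'      => $verify,
        'verify_peer_name' => $verify,
    )));
    $errno = 0;
    $errstr = '';
    $stream = @stream_socket_client("ssl://$host:$port", $errno, $errstr,
        $timeout, STREAM_CLIENT_CONNECT, $context);
    if ($stream === false) {
        // A failed handshake often leaves $errstr empty; the refusal itself
        // is the result of interest.
        return array('ok' => false, 'detail' => "[$errno] $errstr");
    }
    $meta = stream_get_meta_data($stream);
    fclose($stream);
    $crypto = isset($meta['crypto']) ? $meta['crypto'] : array();
    $proto  = isset($crypto['protocol']) ? $crypto['protocol'] : 'unknown';
    $cipher = isset($crypto['cipher_name']) ? $crypto['cipher_name'] : 'unknown';
    return array('ok' => true, 'detail' => "$proto / $cipher");
}

// Placeholder host and port (assumptions): use your own MTA's implicit-TLS listener.
$host = 'mail.example.org';
$port = 465;
$offers = array(
    'TLS 1.0 only' => STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT,
    'TLS 1.1 only' => STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT,
    'TLS 1.2 only' => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,
);
foreach ($offers as $label => $method) {
    $r = probe_tls($host, $port, $method);
    printf("%-13s %s  %s\n", $label, $r['ok'] ? 'accepted' : 'refused ', $r['detail']);
}
```

A "refused" line for TLS 1.0 can also come from the probing host, because recent OpenSSL builds and distribution crypto policies disable TLS 1.0 and 1.1 on the client side; confirm against the MTA's own log before treating it as proof of the server setting.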