Re: force TLS1.1 or later [SOLVED]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




David,

I'm glad it worked.

We should give thanks to the original programmer who left the comment in their code. Otherwise I'm sure I never would have found it.


Ted Hatfield




On Tue, 8 Nov 2022, David Carvalho wrote:

Hello.
After disabling tls1.0 on my MTA and  replacing

$stream = @fsockopen('tls://' . $host, $port, $errorNumber, $errorString);
with
$stream = @fsockopen('ssl://' . $host, $port, $errorNumber, $errorString);
In  Deliver_SMTP.class.php

Everything is working fine!
Thank you so much!

Best regards
David


-----Original Message-----
From: Ted Hatfield <ted@xxxxxxxxx>
Sent: 08 November 2022 11:02
To: David Carvalho via squirrelmail-users
<squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx>
Cc: David Carvalho <david@xxxxxxxxx>
Subject: Re:  force TLS1.1 or later

On Tue, 8 Nov 2022, David Carvalho via squirrelmail-users wrote:
Good morning and thank you so much for the reply.

This is not a single server. It is installed on  a web server which acts
as an interface to send and receive e-mail from our mail server.
Can't use sendmail anymore, as I discovered a few years ago I needed
to specify relay for the web server IP in /etc/mail/access Config.php

$domain                 = 'my.domain';
$imapServerAddress      = 'myserver.mydomain';
$imapPort               = 993;
$useSendmail            = false;
$smtpServerAddress      = 'myserver.mydomain';
/* $smtpPort               = 465;  */
$smtpPort               = 587;
$sendmail_path          = '/usr/sbin/sendmail';


The problem with tarball install is that I'm concerned about dependencies,
so to be honest, I'd prefer to use  a  "builtin", stable and proven version,
for the moment.
I have a docker with roundcube and it works fine whether I disable tls1 or
not. Not sure if this helps. It has its own php version...

Is it possible to change this in order to use tls 1.2?
File: Deliver_SMTP.class.php

 if (($use_smtp_tls == true) and (check_php_version(4,3)) and
(extension_loaded('openssl'))) {
           $stream = @fsockopen('tls://' . $host, $port, $errorNumber,
$errorString);
       } else {
           $stream = @fsockopen($host, $port, $errorNumber,
$errorString);


Best regards.
David

-----Original Message-----
From: Paul Lesniewski <paul@xxxxxxxxxxxxxxxx>
Sent: 07 November 2022 22:34
To: Squirrelmail User Support Mailing List
<squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx>
Cc: David Carvalho <david@xxxxxxxxx>
Subject: Re:  force TLS1.1 or later


I'm using Squirrelmail 1.4.22-16 on an Oracle Linux 6 with PHP 5.3.3

It's running on old hardware so probably it won't be upgraded anytime
soon.

Squirrelmail is working fine for many years, but I wanted to disable
TLS1 support in sendmail. As soon as I do it, I get "Can't open
Stream" error message. Changed port 465 to 587 but I get the same error.

This PHP version supports TLS1.1 and 1.2, so,  is there a way to "force"
squirrelmail to use these later protocols?

SquirrelMail doesn't specifically ask for a TLS version, but it's possible
the way it works with your PHP version may cause the downgrade.  You'd have
to give more details about your configuration to know where to start.

That said, if this is a single-server solution, there is no reason for
you to be encrypting connections to the same host.  Setting that up
(even if you have to create a custom port/local listener in sendmail
that is
non-encrypted) would likely be a more productive use of your time.  What's
more, you don't even need to be using SMTP to send outgoing mail at all:
just configure SquirrelMail to use the sendmail command instead.  If you
run the configuration tool, it will walk you through doing so (save a copy
of your main configuration file just in case).

Also, you know that running a system that far out of date is risky and
will contain known security vulnerabilities.  For SquirrelMail's part, you
can easily upgrade yourself by downloading a tarball of version 1.4.23-svn
from our downloads page and install it in a parallel directory where you can
test migrating your configuration and plugins over -- if it's lightly
modified/configured, that probably won't cause too much trouble.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php



David,

I'm running SquirrelMail version 1.4.23 on my server.  The file:
Deliver_SMTP.class.php is newer and has this comment in the code referencing
the tls:// statement.


// NB: Using "ssl://" ensures the highest possible TLS version // will be
negotiated with the server (whereas "tls://" only // uses TLS version 1.0)


You can try changing the php code from

$stream = @fsockopen('tls://' . $host, $port, $errorNumber, $errorString);

to

$stream = @fsockopen('ssl://' . $host, $port, $errorNumber, $errorString);

and see if this resolves the issue.  However if you do so you will need to
keep a copy of your local changes just in case you reload the package and
inadvertently overwrite the local changes.

Good luck.

Ted Hatifeld




-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users



[Index of Archives]     [Video For Linux]     [Yosemite News]     [Yosemite Photos]     [gtk]     [KDE]     [Cyrus SASL]     [Gimp on Windows]     [Steve's Art]     [Webcams]

  Powered by Linux