Re: [RCU] roundcube custom tls verification options

2018-04-09 Thread David Mehler
Hello,

Thanks for everyone's replies. What is wrong with this code? I keep
getting a syntax error, it wants a ) not a ,

Thanks.
Dave.

 array(
'verify_peer' => true,
// certificate is not self-signed if cafile provided
'allow_self_signed' => false,
// Letsencrypt
'ssl_cert => '/path/to/letsencrypt/fullchain.pem'
'ssl_key'  => '/path/to/letsencrypt/privkey.pem',
'ciphers' => 'TLSv1.2:@STRENGTH',
'peer_name' => 'imap.domain.com',
)
);

// For STARTTLS SMTP
$config['smtp_conn_options'] = array(
 'ssl' => array(
 'verify_peer' => true,
// certificate is not self-signed if cafile provided
'allow_self_signed' => false,
// Letsencrypt
'ssl_cert => '/path/to/letsencrypt/fullchain.pem',
'ssl_key'  => '/path/to/letsencrypt/privkey.pem',
'ciphers' => 'TLSv1.2:@STRENGTH',
'peer_name' => 'smtp.domain.com',
 ),
);



On 4/9/18, Ralph Seichter wrote:
> On 09.04.2018 02:37, David Mehler wrote:
>
>> what I'm wanting to do is tighten my tls verification options. My
>> domains each use a different letsencrypt certificate.
>
> Depending on your platform, you could do without any special Roundcube
> configuration. With modern Linux distributions like Gentoo this works:
>
>   1. Download LE root CA cert from https://letsencrypt.org/certificates/
>   2. Save cert in /usr/local/share/ca-certificates (you might need to
>  create this directory) with '.crt' name suffix. (*)
>   3. Run 'update-ca-certificates --fresh' as root.
>   4. Restart your web server.
>
> With that, Let's Encrypt is configured as a locally trusted CA for
> libssl, and in the Roundcube configuration only
>
>   $config['default_host'] = 'ssl://imap.horus-it.com';
>
> is then required, if you match the host name of your certificate. This
> method benefits any process on your server that uses libssl.
>
> -Ralph
>
> (*) See 'man 8 update-ca-certificates'.
___
Roundcube Users mailing list
users@lists.roundcube.net
http://lists.roundcube.net/mailman/listinfo/users
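
Added example, not part of the original messages: the syntax error in the post above comes from the `'ssl_cert` key, which lacks its closing quote in both blocks (the IMAP one also lacks the comma after its value). Separately, `ssl_cert` and `ssl_key` are not PHP SSL context options; a client verifies the server against a CA bundle (`cafile` or `capath`). The standalone script below shows corrected options and a hypothetical helper, `unknown_ssl_options()`, that lists keys PHP does not read; the bundle path and host names are assumptions.

```php
<?php
// Added example, not from the thread. Host names and paths are placeholders.

// Option names the PHP ssl:// stream wrapper reads (php.net/context.ssl);
// typed in by hand for this example, extend the list if needed.
const KNOWN_SSL_OPTIONS = array(
    'peer_name', 'verify_peer', 'verify_peer_name', 'allow_self_signed',
    'cafile', 'capath', 'local_cert', 'local_pk', 'passphrase',
    'verify_depth', 'ciphers', 'capture_peer_cert', 'capture_peer_cert_chain',
    'SNI_enabled', 'disable_compression', 'peer_fingerprint',
    'security_level', 'crypto_method',
);

// Hypothetical helper: return the 'ssl' keys that PHP would silently ignore.
function unknown_ssl_options(array $conn_options)
{
    $ssl = isset($conn_options['ssl']) ? $conn_options['ssl'] : array();
    return array_values(array_diff(array_keys($ssl), KNOWN_SSL_OPTIONS));
}

// Client-side settings: validate the server's chain and host name against a
// CA bundle. The server's own certificate and private key are not needed.
$tls = array(
    'verify_peer'       => true,
    'verify_peer_name'  => true,
    'allow_self_signed' => false,
    // Assumed bundle path, as written by update-ca-certificates.
    'cafile'            => '/etc/ssl/certs/ca-certificates.crt',
    'ciphers'           => 'TLSv1.2:@STRENGTH',
);
$config['imap_conn_options'] = array('ssl' => $tls + array('peer_name' => 'imap.domain.com'));
$config['smtp_conn_options'] = array('ssl' => $tls + array('peer_name' => 'smtp.domain.com'));

// Keys as posted in the message above, for comparison.
$posted = array('ssl' => array(
    'verify_peer' => true,
    'ssl_cert'    => '/path/to/letsencrypt/fullchain.pem',
    'ssl_key'     => '/path/to/letsencrypt/privkey.pem',
));

$checks = array('posted' => $posted, 'imap' => $config['imap_conn_options'],
                'smtp' => $config['smtp_conn_options']);
foreach ($checks as $name => $options) {
    foreach (unknown_ssl_options($options) as $key) {
        error_log("$name: ssl option '$key' is not read by PHP");
    }
}
```

Only the `$tls` array and the two `$config[...]` assignments belong in a Roundcube config file; the helper and the loop are for running the check from the command line.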


Re: [RCU] roundcube custom tls verification options

2018-04-09 Thread Ralph Seichter
On 09.04.2018 02:37, David Mehler wrote:

> what I'm wanting to do is tighten my tls verification options. My
> domains each use a different letsencrypt certificate.

Depending on your platform, you could do without any special Roundcube
configuration. With modern Linux distributions like Gentoo this works:

  1. Download LE root CA cert from https://letsencrypt.org/certificates/
  2. Save cert in /usr/local/share/ca-certificates (you might need to
 create this directory) with '.crt' name suffix. (*)
  3. Run 'update-ca-certificates --fresh' as root.
  4. Restart your web server.

With that, Let's Encrypt is configured as a locally trusted CA for
libssl, and in the Roundcube configuration only

  $config['default_host'] = 'ssl://imap.horus-it.com';

is then required, if you match the host name of your certificate. This
method benefits any process on your server that uses libssl.

-Ralph

(*) See 'man 8 update-ca-certificates'.


Re: [RCU] roundcube custom tls verification options

2018-04-09 Thread A.L.E.C
On 09.04.2018 02:37, David Mehler wrote:

> Can I put a config in each of the domain specific files?

Yes. You can also do:

$config['imap_conn_options'] = array(
    'hostname' => array(
        'ssl' => array( /* ... */ ),
    ),
);

-- 
Aleksander 'A.L.E.C' Machniak
Kolab Groupware Developer [http://kolab.org]
Roundcube Webmail Developer   [http://roundcube.net]

PGP: 19359DC1 # Blog: https://kolabian.wordpress.com