enabling internal service tls authentication


David Mehler
Hello,

I've got a VPS whose webmail setup I'm wanting to tighten down.
Currently it's running PHP 5.6 and it does have the OpenSSL extension
loaded. It's got Apache 2.4, which hooks in to PHP via PHP-FPM. I'm
running Postfix and Dovecot and Roundcube 1.3.6.

What I'm wanting to do is TLS-encrypt all server communications from
Roundcube to the various IMAP/SMTP servers. I've got Let's Encrypt
providing my server certificates. In my Roundcube configuration I've
got a map pointing:

#cat host1_config.inc.php
<?php
$config['username_domain'] = 'example.com';
$config['default_host'] = 'tls://mail.example.com';
// For STARTTLS IMAP
$config['imap_conn_options'] = array(
    'ssl' => array(
        'verify_peer' => true,
        // certificate is not self-signed if cafile provided
        'allow_self_signed' => false,
        // Letsencrypt
        'ssl_cert' => '/usr/local/etc/ssl/acme/example.com/fullchain.pem',
        'ssl_key'  => '/usr/local/etc/ssl/acme/private/example.com/privkey.pem',
        // probably optional parameters
        'ciphers'   => 'TLSv1.2:@STRENGTH',
        'peer_name' => 'mail.example.com',
    ),
);
// For STARTTLS SMTP
$config['smtp_conn_options'] = array(
    'ssl' => array(
        'verify_peer' => true,
        // certificate is not self-signed if cafile provided
        'allow_self_signed' => false,
        // Letsencrypt
        'ssl_cert' => '/usr/local/etc/ssl/acme/example.com/fullchain.pem',
        'ssl_key'  => '/usr/local/etc/ssl/acme/private/example.com/privkey.pem',
        // probably optional parameters
        'ciphers'   => 'TLSv1.2:@STRENGTH',
        'peer_name' => 'mail.example.com',
    ),
);

When I attempt to connect via Roundcube I get a gateway timeout message
and this in my IMAP server log:

2018-07-16 14:01:31 imap-login: Info: Disconnected (no auth attempts
in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS handshaking:
SSL_accept() failed: error:140760FC:SSL
routines:SSL23_GET_CLIENT_HELLO:unknown protocol,
session=<AsiSniFxS91/AAAB>

Any ideas?

Thanks.
Dave.
_______________________________________________
Roundcube Users mailing list
[hidden email]
http://lists.roundcube.net/mailman/listinfo/users
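An added example, not part of the post above and not Roundcube or Dovecot code: a stdlib-only Python 3 check for the symptom in that log line. OpenSSL reports "unknown protocol" from SSL23_GET_CLIENT_HELLO when the server side is waiting for a TLS handshake and the first bytes it receives do not form a TLS (or SSLv2) ClientHello record, which in practice means a peer speaking plaintext to a port, or at a moment, where TLS was expected. The script captures a genuine ClientHello from Python's own ssl module through a MemoryBIO (so no network is needed), parses the record header, handshake header, server_name (SNI) and supported_versions extensions, and classifies constructed plaintext IMAP and SMTP lines the way a listener would see them. Note the Roundcube host prefixes: 'ssl://' is implicit TLS (the client sends the ClientHello immediately, ports 993/465), while 'tls://' is STARTTLS (plaintext greeting first, then an upgrade, ports 143/587). probe_listener() and roundcube_scheme() are hypothetical helper names introduced here; the host names and sample lines are constructed.

```python
"""Tell a TLS ClientHello from plaintext IMAP/SMTP on a mail socket (stdlib only)."""
import re
import socket
import ssl
import sys

# Constructed patterns for the first line a plaintext IMAP or SMTP peer would send.
IMAP_GREETING = re.compile(rb"^\* (OK|PREAUTH|BYE)\b")
IMAP_COMMAND = re.compile(rb"^[A-Za-z0-9]+ (CAPABILITY|STARTTLS|LOGIN|AUTHENTICATE|NOOP|LOGOUT|ID)\b", re.I)
SMTP_LINE = re.compile(rb"^(220 |EHLO |HELO |STARTTLS)", re.I)


def _u16(b, i):
    return (b[i] << 8) | b[i + 1]


def capture_client_hello(server_name):
    """Return the real ClientHello Python's ssl module sends for server_name, offline via MemoryBIO."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # the ClientHello has been written; the client now waits for the server
    return outgoing.read()


def parse_client_hello(data):
    """Parse one TLS record holding a ClientHello; return None if data is not that."""
    if len(data) < 5 or data[0] != 0x16 or data[1] != 0x03:
        return None  # not a TLS handshake record: this is the "unknown protocol" case
    body = data[5:5 + _u16(data, 3)]
    if len(body) < 4 or body[0] != 0x01:
        return None  # a handshake record, but not a ClientHello
    hello = body[4:4 + ((body[1] << 16) | _u16(body, 2))]
    if len(hello) < 35:
        return None
    info = {"record_version": (data[1], data[2]), "client_version": (hello[0], hello[1]),
            "sni": None, "supported_versions": []}
    i = 2 + 32                        # skip client_version and random
    i += 1 + hello[i]                 # session id
    cs_len = _u16(hello, i); i += 2
    info["cipher_suites"] = [_u16(hello, j) for j in range(i, i + cs_len, 2)]
    i += cs_len
    i += 1 + hello[i]                 # compression methods
    if i + 2 <= len(hello):           # extensions block
        end = i + 2 + _u16(hello, i); i += 2
        while i + 4 <= end:
            etype, elen = _u16(hello, i), _u16(hello, i + 2)
            ext = hello[i + 4:i + 4 + elen]
            if etype == 0x0000 and len(ext) >= 5 and ext[2] == 0:   # server_name, host_name entry
                info["sni"] = ext[5:5 + _u16(ext, 3)].decode("ascii", "replace")
            elif etype == 0x002B and len(ext) >= 1:                 # supported_versions
                info["supported_versions"] = [(ext[k], ext[k + 1]) for k in range(1, 1 + ext[0], 2)]
            i += 4 + elen
    return info


def classify_first_bytes(data):
    """What a listener sees first: a TLS ClientHello, a plaintext mail line, or something else."""
    hello = parse_client_hello(data)
    if hello is not None:
        return {"kind": "tls-client-hello", **hello}
    if data[:1] == b"\x16":
        return {"kind": "tls-record-not-client-hello"}
    if IMAP_GREETING.match(data):
        return {"kind": "plaintext-imap-greeting"}
    if IMAP_COMMAND.match(data):
        return {"kind": "plaintext-imap-command"}
    if SMTP_LINE.match(data):
        return {"kind": "plaintext-smtp"}
    return {"kind": "unknown"}


def roundcube_scheme(server_first_bytes):
    """Hypothetical helper: map what a listener does right after connect to the Roundcube prefix."""
    if not server_first_bytes:
        return "ssl://"   # silent port: implicit TLS, the client must send the ClientHello first
    kind = classify_first_bytes(server_first_bytes)["kind"]
    if kind in ("plaintext-imap-greeting", "plaintext-smtp"):
        return "tls://"   # plaintext greeting: STARTTLS upgrade after the greeting
    return None           # anything else from the server side needs a closer look


def probe_listener(host, port, timeout=3.0):
    """Hypothetical helper: connect and return what the server volunteers before we send a byte."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            return sock.recv(512)
        except socket.timeout:
            return b""


if __name__ == "__main__":
    if len(sys.argv) == 3:   # live probe: python3 tlsprobe.py mail.example.com 993
        first = probe_listener(sys.argv[1], int(sys.argv[2]))
        print("server sent first:", first or b"<nothing>", "->", roundcube_scheme(first))
    # Offline demonstration with a genuine ClientHello and constructed plaintext lines.
    print(classify_first_bytes(capture_client_hello("mail.example.com")))
    for sample in (b"a001 CAPABILITY\r\n", b"* OK [CAPABILITY IMAP4rev1] Dovecot ready.\r\n",
                   b"EHLO webmail.example.com\r\n"):
        print(sample, "->", classify_first_bytes(sample)["kind"])
```

Run it with a host and port against the real listener: a port that answers with a plaintext "* OK" or "220" greeting is a STARTTLS port and wants 'tls://', a port that stays silent wants 'ssl://' and a ClientHello as the very first bytes. Two caveats on the config above that the script does not cover: PHP's SSL stream context names for presenting a client certificate are 'local_cert' and 'local_pk'; 'ssl_cert' and 'ssl_key' are not PHP context options, so those entries are ignored rather than used. And rip=127.0.0.1 in the Dovecot line means the connection arrived over loopback, so whatever mail.example.com resolves to locally is the listener being hit.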