Hi
Right now, Roundcube supports TLS, but there is no way to enforce IMAP and SMTP server certificate validation. This is very infortunate, since it means RoundCube has no way to detect trivial MiM attacks using a self-signed certificate.
Let us look at the SMTP side. Connexion handle is obtained in program/lib/Roundcube/rcube_smtp.php: $this->conn = new Net_SMTP($smtp_host, $smtp_port, $helo_host);
Net_SMTP allows a stream context options to be provided, and this stream context options can be used to enforce CA valdation. It would work like this:
$opts = array( 'ssl' => array( 'verify_peer' => TRUE, 'verify_depth' => 5, 'cafile' => '/path/to_ca_file', ), ); $this->conn = new Net_SMTP($smtp_host, $smtp_port, $helo_host, false, 0, $opts);
I would like to contribute such a change. Obviously, ca_file must be available as a config option (what name?). Is there any comment on the approach?
I have not looked at the IMAP side: I use imapproxy for connexion caching, and therefore Roundcube is not in charge of TLS.