On Thu, 06 Aug 2009 12:34:30 +0200, "A.L.E.C" alec@alec.pl wrote:
Julien Vehent wrote:
OK, so to use STARTTLS with roundcube, the postfix server must be configured with the option smtpd_enforce_tls = yes, right?
No, it must not. As I see in the code, STARTTLS is called when authentication is requested (when the smtp_user and smtp_pass options in the Roundcube config are set) and (from Net_SMTP):
version_compare(PHP_VERSION, '5.1.0', '>=') && extension_loaded('openssl') && isset($this->_esmtp['STARTTLS']) && strncasecmp($this->host, 'ssl://', 6) != 0
OK, it confirms what I read in the postfix doc, that the server must not enforce STARTTLS (RFC 2487).
So, I have the following roundcube configuration:
// use this host for sending mails.
// to use SSL connection, set ssl://smtp.host.com
// if left blank, the PHP mail() function is used
$rcmail_config['smtp_server'] = 'ssl://localhost';
// SMTP port (default is 25; 465 for SSL)
$rcmail_config['smtp_port'] = 25;
// SMTP username (if required) if you use %u as the username RoundCube
// will use the current username for login
$rcmail_config['smtp_user'] = '%u';
// SMTP password (if required) if you use %p as the password RoundCube
// will use the current user's password for login
$rcmail_config['smtp_pass'] = '%p';
// SMTP AUTH type (DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN or empty to use
// best server supported one)
and the following postfix configuration:
# TLS server options
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
smtpd_tls_key_file = [keyfile]
smtpd_tls_cert_file = [pemcert]
smtpd_tls_CAfile = [cafile]
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_tls_ask_ccert = yes
and the following trace when I try to send an email from roundcube to my gmail account: http://www.linuxwall.info/files/starttlsroundcubetrace.pcap.txt
Postfix sends its banner in packet '12:43:23.225014' and then roundcube ACKs it and does nothing more. It doesn't send any more data. My understanding is that roundcube should then announce itself with an 'EHLO' command, and postfix would return its capabilities.
But instead, postfix then announces that the command has not been recognized (but what command? The ack number didn't change between '12:43:23.209554' and '12:43:23.225096', so no data has been transmitted...)
It's weird, and I don't know how to debug it further...
The only thing I'm sure of, is that this postfix configuration works fine with thunderbird in TLS mode.
Julien
List info: http://lists.roundcube.net/dev/
Julien Vehent wrote:
&& strncasecmp($this->host, 'ssl://', 6) != 0
!!!! http://php.net/manual/en/function.strncasecmp.php
$rcmail_config['smtp_server'] = 'ssl://localhost';
// SMTP port (default is 25; 465 for SSL)
$rcmail_config['smtp_port'] = 25;
I'm sure that your postfix does not use SSL on port 25.
The only thing I'm sure of, is that this postfix configuration works fine with thunderbird in TLS mode.
TLS != SSL
On Thu, 06 Aug 2009 13:20:20 +0200, "A.L.E.C" alec@alec.pl wrote:
Julien Vehent wrote:
&& strncasecmp($this->host, 'ssl://', 6) != 0
!!!! http://php.net/manual/en/function.strncasecmp.php
$rcmail_config['smtp_server'] = 'ssl://localhost';
// SMTP port (default is 25; 465 for SSL)
$rcmail_config['smtp_port'] = 25;
I'm sure that your postfix does not use SSL on port 25.
The only thing I'm sure of, is that this postfix configuration works fine with thunderbird in TLS mode.
TLS != SSL
My extremely humble excuses for this mistake... after changing the configuration several times, I had forgotten this ssl://
It works fine now, as the capture shows: http://www.linuxwall.info/files/starttlsroundcubetrace.pcap.txt
May I recommend that the comments in the main.inc.php explain this issue? I am always confused about the difference SMTP makes between SSL and TLS. It doesn't quite make sense to me to handle the two protocols separately since one is just the renamed evolution of the other. But this is not roundcube's problem.
Thanks for your help alec.
Julien
On Thu, 06 Aug 2009 13:28:51 +0200, Julien Vehent julien@linuxwall.info wrote:
On Thu, 06 Aug 2009 13:20:20 +0200, "A.L.E.C" alec@alec.pl wrote:
Julien Vehent wrote:
&& strncasecmp($this->host, 'ssl://', 6) != 0
!!!! http://php.net/manual/en/function.strncasecmp.php
$rcmail_config['smtp_server'] = 'ssl://localhost';
// SMTP port (default is 25; 465 for SSL)
$rcmail_config['smtp_port'] = 25;
I'm sure that your postfix does not use SSL on port 25.
The only thing I'm sure of, is that this postfix configuration works fine with thunderbird in TLS mode.
TLS != SSL
My extremely humble excuses for this mistake... after changing the configuration several times, I had forgotten this ssl://
It works fine now, as the capture shows: http://www.linuxwall.info/files/starttlsroundcubetrace.pcap.txt
May I recommend that the comments in the main.inc.php explain this issue? I am always confused about the difference SMTP makes between SSL and TLS. It doesn't quite make sense to me to handle the two protocols separately since one is just the renamed evolution of the other. But this is not roundcube's problem.
There is a fundamental difference between SSL and TLS:
SSL: encryption during establishment of the socket connection. In other words, the socket connect() wraps the certificate/key negotiation and the application/presentation-level protocol is ignorant of the presence of additional security.
TLS: authentication/encryption after the socket connection is already established and the application-level protocol is underway. The socket() connection is initially a normal raw/plain-text connection, and the application-level protocol (in this case SMTP) requests the certificate/key negotiation during the information exchange that takes place after the socket connection has been established (e.g. the STARTTLS SMTP command).
This difference is why TLS is usually available on the same port/socket as the normal/insecure protocol, whereas SSL typically requires a new port/protocol (e.g. imaps:993 vs. imap:143). An SSL server starts in with the key exchange immediately upon acceptance of the socket connect(), whereas a non-SSL server accepts plain connections and can optionally add TLS later.
Thanks for your help alec.
Julien
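The two points this thread turns on, the Net_SMTP condition quoted in the first message (STARTTLS only when authentication is requested and the host does not start with ssl://) and the implicit-SSL versus STARTTLS distinction explained in the last reply, as an added example in Python. This is not Roundcube, Net_SMTP or Postfix code: the function names, the Roundcube-style config dicts and the EHLO reply are constructed for illustration, and the PHP/openssl flags are modelled as plain parameters. The checker flags the exact misconfiguration from the thread (ssl:// on port 25), and the session opener picks SMTP_SSL or SMTP+starttls() from the same config, verifying the server certificate in both modes.

```python
import smtplib
import ssl

# Constructed sample EHLO reply, as a Postfix listener with smtpd_use_tls = yes
# answers on port 25 before STARTTLS has been negotiated (not a real capture).
SAMPLE_EHLO = (
    "250-mail.example.test\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(reply: str) -> dict:
    """Map the keywords of a multi-line 250 EHLO reply to their parameters.

    The first line carries the server name, not a capability, so it is skipped.
    """
    caps = {}
    for line in reply.strip().splitlines()[1:]:
        if not line.startswith("250"):
            continue                        # ignore anything that is not a 250 line
        body = line[4:].strip()             # drop "250-" / "250 "
        if body:
            keyword, _, params = body.partition(" ")
            caps[keyword.upper()] = params
    return caps


def connection_mode(smtp_server: str) -> str:
    """'implicit-ssl' when the socket itself is wrapped in TLS before any SMTP
    command is exchanged (ssl:// prefix); otherwise a plaintext session that
    may be upgraded later with STARTTLS."""
    return "implicit-ssl" if smtp_server.lower().startswith("ssl://") else "starttls"


def net_smtp_will_starttls(host, caps, auth_requested, php_version=(5, 3, 0),
                           openssl_loaded=True):
    """Hypothetical Python restatement of the Net_SMTP condition quoted in the
    thread: STARTTLS is issued only when authentication is requested, PHP is
    >= 5.1.0, the openssl extension is loaded, the server advertised STARTTLS,
    and the host does NOT start with ssl://."""
    return (auth_requested
            and php_version >= (5, 1, 0)
            and openssl_loaded
            and "STARTTLS" in caps
            and not host.lower().startswith("ssl://"))


def check_config(cfg: dict) -> list:
    """Return warnings for the mismatches this thread ran into."""
    warnings = []
    mode = connection_mode(cfg["smtp_server"])
    port = int(cfg["smtp_port"])
    auth = bool(cfg.get("smtp_user")) and bool(cfg.get("smtp_pass"))
    if mode == "implicit-ssl" and port == 25:
        warnings.append("ssl:// with port 25: the client starts a TLS handshake on a "
                        "plaintext SMTP listener; Postfix cannot read it as a command "
                        "and EHLO/STARTTLS are never sent")
    if mode == "starttls" and port == 465:
        warnings.append("plain connect to port 465: an smtps listener expects the "
                        "TLS handshake before any SMTP command")
    if mode == "starttls" and not auth:
        warnings.append("no smtp_user/smtp_pass: Net_SMTP only issues STARTTLS when "
                        "authentication is requested, so the session stays in clear text")
    return warnings


def open_session(cfg: dict, timeout: float = 10.0) -> smtplib.SMTP:
    """Open the session the way the config asks for (needs a reachable server,
    so it is not exercised offline). The certificate is verified in both modes."""
    host = cfg["smtp_server"]
    if host.lower().startswith("ssl://"):
        host = host[len("ssl://"):]
    port = int(cfg["smtp_port"])
    context = ssl.create_default_context()
    if connection_mode(cfg["smtp_server"]) == "implicit-ssl":
        # SSL in the thread's terminology: TLS wraps the socket before the banner.
        return smtplib.SMTP_SSL(host, port, timeout=timeout, context=context)
    session = smtplib.SMTP(host, port, timeout=timeout)
    session.ehlo()
    if not session.has_extn("starttls"):
        session.quit()
        raise RuntimeError("server does not advertise STARTTLS; refusing to send in clear text")
    session.starttls(context=context)
    session.ehlo()                          # capabilities can differ after the upgrade
    return session


if __name__ == "__main__":
    caps = parse_ehlo(SAMPLE_EHLO)
    broken = {"smtp_server": "ssl://localhost", "smtp_port": 25,
              "smtp_user": "%u", "smtp_pass": "%p"}          # the thread's first config
    fixed = dict(broken, smtp_server="localhost")            # after dropping ssl://
    for name, cfg in (("broken", broken), ("fixed", fixed)):
        print(name, connection_mode(cfg["smtp_server"]),
              net_smtp_will_starttls(cfg["smtp_server"], caps, True),
              check_config(cfg))
```

Running the module prints the broken config as implicit-ssl with STARTTLS never attempted and one warning, and the fixed config as starttls with no warnings; the same ssl:// prefix that makes Net_SMTP skip STARTTLS is what sends a TLS handshake to the plaintext port 25 listener in the capture.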