Hello,
Thanks for everyone's replies. What is wrong with this code? I keep getting a syntax error, it wants a ) not a ,
Thanks. Dave.
<?php
$config['username_domain'] = 'domain.com';

// For STARTTLS IMAP
$config['imap_conn_options'] = array(
  'ssl' => array(
    'verify_peer' => true,
    // certificate is not self-signed if cafile provided
    'allow_self_signed' => false,
    // Letsencrypt
    'ssl_cert => '/path/to/letsencrypt/fullchain.pem'
    'ssl_key' => '/path/to/letsencrypt/privkey.pem',
    'ciphers' => 'TLSv1.2:@STRENGTH',
    'peer_name' => 'imap.domain.com',
  )
);

// For STARTTLS SMTP
$config['smtp_conn_options'] = array(
  'ssl' => array(
    'verify_peer' => true,
    // certificate is not self-signed if cafile provided
    'allow_self_signed' => false,
    // Letsencrypt
    'ssl_cert => '/path/to/letsencrypt/fullchain.pem',
    'ssl_key' => '/path/to/letsencrypt/privkey.pem',
    'ciphers' => 'TLSv1.2:@STRENGTH',
    'peer_name' => 'smtp.domain.com',
  ),
);

On 4/9/18, Ralph Seichter m16+roundcube@monksofcool.net wrote:
On 09.04.2018 02:37, David Mehler wrote:
what I'm wanting to do is tighten my tls verification options. My domains each use a different letsencrypt certificate.
Depending on your platform, you could do without any special Roundcube configuration. With modern Linux distributions like Gentoo this works:
- Download LE root CA cert from https://letsencrypt.org/certificates/
- Save cert in /usr/local/share/ca-certificates (you might need to create this directory) with '.crt' name suffix. (*)
- Run 'update-ca-certificates --fresh' as root.
- Restart your web server.
With that, Let's Encrypt is configured as a locally trusted CA for libssl, and in the Roundcube configuration only
$config['default_host'] = 'ssl://imap.horus-it.com';
is then required, if you match the host name of your certificate. This method benefits any process on your server that uses libssl.
-Ralph
(*) See 'man 8 update-ca-certificates'.
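
Added example, not part of the thread and not Roundcube's own code: a PHP check that compares the 'ssl' array from the message above against the option names listed in the PHP manual for SSL stream contexts, and reports names that would have no effect. It assumes Roundcube hands imap_conn_options and smtp_conn_options to that context unchanged; audit_conn_options, both sample arrays and the cafile path are constructed for illustration.

```php
<?php
// Added example (not Roundcube code). Assumption: the 'ssl' array reaches PHP's
// SSL stream context unchanged, and that context ignores names it does not know.

// Option names from the PHP manual page "SSL context options".
const KNOWN_SSL_OPTIONS = [
    'peer_name', 'verify_peer', 'verify_peer_name', 'allow_self_signed',
    'cafile', 'capath', 'local_cert', 'local_pk', 'passphrase', 'verify_depth',
    'ciphers', 'capture_peer_cert', 'capture_peer_cert_chain', 'SNI_enabled',
    'disable_compression', 'peer_fingerprint', 'security_level',
];

// Hypothetical helper: lists problems found in one *_conn_options array.
function audit_conn_options(array $connOptions): array
{
    $ssl = $connOptions['ssl'] ?? [];
    $findings = [];
    foreach (array_keys($ssl) as $name) {
        if (!in_array($name, KNOWN_SSL_OPTIONS, true)) {
            $findings[] = "'$name' is not an SSL context option and has no effect";
        }
    }
    // Fallbacks are PHP's own defaults since 5.6: verification on, self-signed refused.
    if (($ssl['verify_peer'] ?? true) !== true) {
        $findings[] = 'verify_peer is off: the server certificate is not checked';
    }
    if (($ssl['verify_peer_name'] ?? true) !== true) {
        $findings[] = 'verify_peer_name is off: the host name is not checked';
    }
    if (($ssl['allow_self_signed'] ?? false) !== false) {
        $findings[] = 'allow_self_signed is on';
    }
    return $findings;
}

// Constructed input: the IMAP block from the message, quote and comma restored.
$asPosted = ['ssl' => [
    'verify_peer' => true, 'allow_self_signed' => false,
    'ssl_cert' => '/path/to/letsencrypt/fullchain.pem',
    'ssl_key'  => '/path/to/letsencrypt/privkey.pem',
    'ciphers'  => 'TLSv1.2:@STRENGTH', 'peer_name' => 'imap.domain.com',
]];
// Constructed alternative: trust anchored in a CA file (placeholder path).
$withCaFile = ['ssl' => [
    'verify_peer' => true, 'verify_peer_name' => true, 'allow_self_signed' => false,
    'cafile' => '/path/to/ca-bundle.pem', 'peer_name' => 'imap.domain.com',
]];

foreach (['as posted' => $asPosted, 'with cafile' => $withCaFile] as $label => $opts) {
    echo $label, ': ', implode('; ', audit_conn_options($opts)) ?: 'no findings', "\n";
}
```

An option name the audit reports as unknown does not make the connection fail, so a mistake there goes unnoticed unless the array is checked this way.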