IMAP authentication with TLS 1.2
Hi there,
we've been using MRBS for a long time now and are very happy with it. Until now, we used imap as authentication method. Our mail provider recently deactivated TLS 1.0/1.1 for POP3, IMAP and SMTP and switched to TLS 1.2.
Since then, a login in our MRBS is not possible anymore (username not known). I've updated to the latest release of MRBS (1.11.0), but that did not solve the problem.
Any help is appreciated! Thanks a lot and kind regards,
Michael
TLS version will be based on your version of PHP/OS combination. I'd guess you're using either an old OS or version of PHP
Are you using 'imap' or 'imap_php' (recommended)?
imap
Thanks for the hint! I did check with imap_php, but that didn't solve the issue.
Did you have
$auth["imap_php"]["port"] = 993;
? Also you could try $auth["imap_php"]["tls"] = true;
Thanks for the hint. Yes, I did have set these, but with no effect. Our school (where we use the MRBS) has switched its infrastructure to Microsoft recently. Thus I'll have to change the authentication to Azure AD anyhow. Since now it authenticated against our old mailserver. I was just too lazy/no time to switch it :-|
Ah, if you're using Microsoft then I wonder if the problem is that Microsoft have changed their policy on authentication. See https://sourceforge.net/p/mrbs/support-requests/2607/
Uhh, this is good to know, thanks. Until now we used an Ionos mail server, thus I did not have the "joy" of authenticating with Microsoft, but when I switch, this is important information. Thus, thanks again :-)
You should be OK authenticating against AD.
Thanks a lot for your quick reply! We're using PHP 8.1, thus it'll most probably be an issue with our OS version, I guess. Unfortunately, we're using a simple webspace at Ionos, where I have no influence on the OS version :-/
Guess I'll have to switch to some other authentication then.
Kind regards, Michael
If the MRBS installation is being hosted outside of the school you'd need a way to do secure LDAP to authenticate against a school Active Directory server though. Not many people are willing to allow LDAP access to AD from outside their organisation...
What this leaves is SimpleSAML to Azure AD which is...less than simple.
Yes, I've just taken a look and this seems to be the only valid option. Doesn't sound like fun, especially running simplesaml on a webspace without real root permissions. Maybe I'll give it a try during vacation (with a bit more time). Anyhow, thanks a lot for your help so far!
(By the way, see the section "SAML Authentication" in MRBS's AUTHENTICATION instructions)
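
Whether the PHP/OS combination on a host can negotiate TLS 1.2 with the IMAP server on port 993, as discussed in this thread, can be checked from the web space itself. The script below is an added example, not part of the original thread or of MRBS; the host name `imap.example.com` and the helper `probe()` are placeholders, and it exercises PHP's stream/OpenSSL layer only, so a result here is an indication rather than proof of what MRBS's 'imap' or 'imap_php' methods will negotiate.

```php
<?php
// Added diagnostic example, not MRBS code.
$host = 'imap.example.com'; // assumption: replace with your mail provider's IMAP host
$port = 993;                // implicit-TLS IMAP port, as used in the thread

// One connection attempt per protocol version, each pinned to that version only.
$versions = [
    'TLSv1.0' => STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT,
    'TLSv1.1' => STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT,
    'TLSv1.2' => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,
];
if (defined('STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT')) {
    $versions['TLSv1.3'] = STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT;
}

// Hypothetical helper: attempt a handshake and read the IMAP greeting.
function probe(string $host, int $port, int $method): array
{
    $ctx = stream_context_create(['ssl' => [
        'crypto_method'    => $method,
        'verify_peer'      => true,  // keep certificate checks on while testing
        'verify_peer_name' => true,
        'SNI_enabled'      => true,
    ]]);
    $errno = 0;
    $errstr = '';
    $fp = @stream_socket_client("ssl://$host:$port", $errno, $errstr, 10,
                                STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        return [false, $errstr !== '' ? $errstr : 'TLS handshake failed'];
    }
    // The 'crypto' entry reports what was actually negotiated.
    $crypto = stream_get_meta_data($fp)['crypto'] ?? [];
    $greeting = trim((string) fgets($fp, 512)); // server banner, e.g. "* OK ..."
    fclose($fp);
    return [true, sprintf('%s / %s, greeting: %s',
        $crypto['protocol'] ?? '?', $crypto['cipher_name'] ?? '?', $greeting)];
}

printf("PHP %s, %s, imap extension loaded: %s\n", PHP_VERSION,
    defined('OPENSSL_VERSION_TEXT') ? OPENSSL_VERSION_TEXT : 'no OpenSSL',
    extension_loaded('imap') ? 'yes' : 'no');
foreach ($versions as $name => $method) {
    [$ok, $detail] = probe($host, $port, $method);
    printf("%-8s %-4s %s\n", $name, $ok ? 'OK' : 'FAIL', $detail);
}
```

If the TLSv1.2 row reports OK with a greeting, the host can reach the server over TLS 1.2 and the login failure lies elsewhere (configuration or provider-side authentication policy); if it fails, the reported OpenSSL version is the first thing to check.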