From: Ted H. <te...@io...> - 2022-11-08 20:16:47
David,

I'm glad it worked. We should give thanks to the original programmer who left the comment in their code. Otherwise I'm sure I never would have found it.

Ted Hatfield

On Tue, 8 Nov 2022, David Carvalho wrote:

> Hello.
> After disabling tls1.0 on my MTA and replacing
>
> $stream = @fsockopen('tls://' . $host, $port, $errorNumber, $errorString);
> with
> $stream = @fsockopen('ssl://' . $host, $port, $errorNumber, $errorString);
> In Deliver_SMTP.class.php
>
> Everything is working fine!
> Thank you so much!
>
> Best regards
> David
>
>
> -----Original Message-----
> From: Ted Hatfield <te...@io...>
> Sent: 08 November 2022 11:02
> To: David Carvalho via squirrelmail-users <squ...@li...>
> Cc: David Carvalho <da...@di...>
> Subject: Re: [SM-USERS] force TLS1.1 or later
>
> On Tue, 8 Nov 2022, David Carvalho via squirrelmail-users wrote:
>> Good morning and thank you so much for the reply.
>>
>> This is not a single server. It is installed on a web server which acts as an interface to send and receive e-mail from our mail server.
>> Can't use sendmail anymore, as I discovered a few years ago I needed to specify relay for the web server IP in /etc/mail/access
>> Config.php
>>
>> $domain = 'my.domain';
>> $imapServerAddress = 'myserver.mydomain';
>> $imapPort = 993;
>> $useSendmail = false;
>> $smtpServerAddress = 'myserver.mydomain';
>> /* $smtpPort = 465; */
>> $smtpPort = 587;
>> $sendmail_path = '/usr/sbin/sendmail';
>>
>>
>> The problem with tarball install is that I'm concerned about dependencies, so to be honest, I'd prefer to use a "builtin", stable and proven version, for the moment.
>> I have a docker with roundcube and it works fine whether I disable tls1 or not. Not sure if this helps. It has its own php version...
>>
>> Is it possible to change this in order to use tls 1.2?
>> File: Deliver_SMTP.class.php
>>
>> if (($use_smtp_tls == true) and (check_php_version(4,3)) and (extension_loaded('openssl'))) {
>>     $stream = @fsockopen('tls://' . $host, $port, $errorNumber, $errorString);
>> } else {
>>     $stream = @fsockopen($host, $port, $errorNumber, $errorString);
>>
>>
>> Best regards.
>> David
>>
>> -----Original Message-----
>> From: Paul Lesniewski <pa...@sq...>
>> Sent: 07 November 2022 22:34
>> To: Squirrelmail User Support Mailing List <squ...@li...>
>> Cc: David Carvalho <da...@di...>
>> Subject: Re: [SM-USERS] force TLS1.1 or later
>>
>>
>>> I'm using Squirrelmail 1.4.22-16 on an Oracle Linux 6 with PHP 5.3.3
>>>
>>> It's running on old hardware so probably it won't be upgraded anytime soon.
>>>
>>> Squirrelmail is working fine for many years, but I wanted to disable TLS1 support in sendmail. As soon as I do it, I get "Can't open Stream" error message. Changed port 465 to 587 but I get the same error.
>>>
>>> This PHP version supports TLS1.1 and 1.2, so, is there a way to "force" squirrelmail to use these later protocols?
>>
>> SquirrelMail doesn't specifically ask for a TLS version, but it's possible the way it works with your PHP version may cause the downgrade. You'd have to give more details about your configuration to know where to start.
>>
>> That said, if this is a single-server solution, there is no reason for you to be encrypting connections to the same host. Setting that up (even if you have to create a custom port/local listener in sendmail that is non-encrypted) would likely be a more productive use of your time. What's more, you don't even need to be using SMTP to send outgoing mail at all: just configure SquirrelMail to use the sendmail command instead. If you run the configuration tool, it will walk you through doing so (save a copy of your main configuration file just in case).
>>
>> Also, you know that running a system that far out of date is risky and will contain known security vulnerabilities. For SquirrelMail's part, you can easily upgrade yourself by downloading a tarball of version 1.4.23-svn from our downloads page and install it in a parallel directory where you can test migrating your configuration and plugins over -- if it's lightly modified/configured, that probably won't cause too much trouble.
>>
>> --
>> Paul Lesniewski
>> SquirrelMail Team
>> Please support Open Source Software by donating to SquirrelMail!
>> http://squirrelmail.org/donate_paul_lesniewski.php
>>
>>
>
> David,
>
> I'm running SquirrelMail version 1.4.23 on my server. The file: Deliver_SMTP.class.php is newer and has this comment in the code referencing the tls:// statement.
>
>
> // NB: Using "ssl://" ensures the highest possible TLS version
> // will be negotiated with the server (whereas "tls://" only
> // uses TLS version 1.0)
>
>
> You can try changing the php code from
>
> $stream = @fsockopen('tls://' . $host, $port, $errorNumber, $errorString);
>
> to
>
> $stream = @fsockopen('ssl://' . $host, $port, $errorNumber, $errorString);
>
> and see if this resolves the issue. However if you do so you will need to keep a copy of your local changes just in case you reload the package and inadvertently overwrite the local changes.
>
> Good luck.
>
> Ted Hatfield
>
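
A source check for the wrapper discussed in this thread, added here as an example (it is not SquirrelMail code and not from any poster): it reports socket-opening PHP calls that use a version-pinned transport such as `tls://`, so the local edit can be re-checked after a package reinstall. The names `audit`, `CALL`, `PINNED` and the sample source are constructed for illustration; the verdict for `tls://` follows the code comment quoted above, and the `sslv2://`/`sslv3://` entries go beyond the thread.

```python
import re

# Socket-opening PHP calls whose first argument starts with a quoted transport
# prefix, e.g. fsockopen('tls://' . $host, ...). Matching the call, not the bare
# string, keeps comments that merely mention "tls://" out of the report.
CALL = re.compile(
    r"""\b(fsockopen|pfsockopen|stream_socket_client)\s*\(\s*['"]([a-z0-9.]+)://""",
    re.IGNORECASE,
)

# 'tls' verdict is taken from the SquirrelMail 1.4.23 comment quoted in the
# thread; sslv2/sslv3 are PHP's other version-pinned transports (assumption
# that they should be treated the same way in an audit).
PINNED = {"tls": "pins TLS 1.0", "sslv3": "pins SSLv3", "sslv2": "pins SSLv2"}


def audit(php_source):
    """Return (line_no, function, wrapper, verdict) for each pinned wrapper."""
    findings = []
    lines = php_source.splitlines()
    # Search the whole source so a call wrapped over two lines is still found.
    for m in CALL.finditer(php_source):
        line_no = php_source.count("\n", 0, m.start()) + 1
        if lines[line_no - 1].lstrip().startswith(("//", "#", "*", "/*")):
            continue  # commented-out call, not live code
        wrapper = m.group(2).lower()
        if wrapper in PINNED:
            findings.append((line_no, m.group(1), wrapper, PINNED[wrapper]))
    return findings


# Constructed sample modelled on the lines quoted in the thread.
SAMPLE = """\
// NB: Using "ssl://" ensures the highest possible TLS version
// will be negotiated with the server (whereas "tls://" only
// uses TLS version 1.0)
$stream = @fsockopen('ssl://' . $host, $port, $errorNumber, $errorString);
if ($use_smtp_tls == true) {
    $stream = @fsockopen(
        'tls://' . $host, $port, $errorNumber, $errorString);
}
// $stream = @fsockopen('tls://' . $host, $port);
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("line %d: %s('%s://') %s" % finding)
```
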