    TLS setting Kopano-gateway (8.7.20) on Debian

    Kopano Groupware Core
    • scheini72

      Hi all,

      Finally I have everything, but kopano-gateway still gives me some headache.
      I can’t get IMAPS running, as the TLS protocol minimum is not set.

      ri Apr 16 07:32:29 2021: [kopano-gateway|T670422] [info   ] Accepted connection from <ip>:44392
      Fri Apr 16 07:32:29 2021: [kopano-gateway|T670422] [notice ] Starting worker thread for IMAPs request
      Fri Apr 16 07:32:29 2021: [net/imaps|T670434] [info   ] ECChannel::HrEnableTLS(): min TLS version 0x303
      Fri Apr 16 07:32:29 2021: [net/imaps|T670434] [info   ] ECChannel::HrEnableTLS(): max TLS version 0x303
      Fri Apr 16 07:32:29 2021: [net/imaps|T670434] [info   ] ECChannel::HrEnableTLS(): TLS flags 0xc0520854
      Fri Apr 16 07:32:29 2021: [net/imaps|T670434] [debug  ] > * OK [CAPABILITY IMAP4rev1 LITERAL+ AUTH=PLAIN] IMAP gateway ready
      Fri Apr 16 07:32:29 2021: [net/imaps|T670434] [error  ] Client disconnected
      Fri Apr 16 07:32:29 2021: [net/imaps|T670434] [notice ] Client [::ffff:<ip>]:44392 thread exiting

      When starting I get this log:

      Fri Apr 16 07:31:58 2021: [kopano-gateway|T670422] [=======] Starting kopano-gateway version 8.7.20 (pid 670422 uid 998)
      Fri Apr 16 07:31:58 2021: [kopano-gateway|T670422] [info   ] Coredump status left at system default.
      Fri Apr 16 07:31:58 2021: [kopano-gateway|T670422] [info   ] Maximum TLS protocol version to use: 0x303
      Fri Apr 16 07:31:58 2021: [kopano-gateway|T670422] [info   ] Minimum TLS protocol version to use: 0x303
      Fri Apr 16 07:31:58 2021: [kopano-gateway|T670422] [info   ] Re-using fd 4 to listen on *:993 for imaps

      What do I need to set so that Thunderbird is able to connect? I still want to have IMAPS only, though.

      # SSL protocols to use, space-separated list of protocols
      # (SSLv3 TLSv1 TLSv1.1 TLSv1.2); prefix with ! to lock out a protocol.
      ssl_protocols = TLSv1.2 !SSLv3 !TLSv1 !TLSv1.1

      # SSL ciphers to use, set to 'ALL' for backward compatibility
      #ssl_ciphers = ALL:!LOW:!SSLv2:!EXP:!aNULL
      ssl_ciphers = ALL:!SSLv2:!EXP:!aNULL:!SSLv3

      # Prefer the server's order of SSL ciphers over client's
      #ssl_prefer_server_ciphers = yes

      # Process model, using pthreads (thread) or processes (fork)
      # Processes are potentially safer from a security point of view.
      process_model = thread


      thanks
      scheini72

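      As an added diagnostic (not part of this thread and not Kopano's own code): a Python script that decodes the 0x303 codes from the gateway log, applies the ssl_protocols rule from the config comment to predict what the startup log should report, and then probes the IMAPS port one TLS version at a time from the client side to see which versions the gateway really accepts. The ssl_protocols semantics (listed name = enabled, "!" prefix = locked out) are assumed from that comment, and the host name is a placeholder.

```python
import socket
import ssl
import sys

# Protocol codes as logged by ECChannel::HrEnableTLS() (0x303 is TLS 1.2).
TLS_VERSION_NAMES = {0x300: "SSLv3", 0x301: "TLSv1", 0x302: "TLSv1.1",
                     0x303: "TLSv1.2", 0x304: "TLSv1.3"}

def tls_version_name(code):
    return TLS_VERSION_NAMES.get(code, "unknown(0x%x)" % code)

def effective_protocols(ssl_protocols):
    """Assumed 8.x ssl_protocols semantics: a listed name enables that
    protocol, a '!name' entry locks it out and wins over a bare listing."""
    enabled, blocked = set(), set()
    for tok in ssl_protocols.split():
        (blocked if tok.startswith("!") else enabled).add(tok.lstrip("!"))
    return sorted(enabled - blocked, key=list(TLS_VERSION_NAMES.values()).index)

def log_matches_config(log_min, log_max, ssl_protocols):
    """Check the startup 'Minimum/Maximum TLS protocol version' codes against ssl_protocols."""
    names = effective_protocols(ssl_protocols)
    codes = [c for c, n in TLS_VERSION_NAMES.items() if n in names]
    return bool(codes) and (min(codes), max(codes)) == (log_min, log_max)

PROBE = [(ssl.TLSVersion.TLSv1, "TLSv1"), (ssl.TLSVersion.TLSv1_1, "TLSv1.1"),
         (ssl.TLSVersion.TLSv1_2, "TLSv1.2"), (ssl.TLSVersion.TLSv1_3, "TLSv1.3")]

def probe_imaps(host, port=993, timeout=5.0):
    """One handshake per TLS version with min == max pinned; returns {name: (accepted, detail)}.
    Certificate checks are off on purpose: this tests protocol negotiation, not the chain."""
    results = {}
    for version, name in PROBE:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.set_ciphers("ALL:@SECLEVEL=0")  # so OpenSSL 3 will even offer TLS 1.0/1.1
            ctx.maximum_version = version
            ctx.minimum_version = version
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = (True, "%s, cipher %s" % (tls.version(), tls.cipher()[0]))
        except (ssl.SSLError, OSError, ValueError) as exc:
            results[name] = (False, str(exc))
    return results

if __name__ == "__main__":  # usage: python tls_probe.py imap.example.org [993]
    for n, (ok, why) in probe_imaps(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 993).items():
        print("%-8s %s  %s" % (n, "accepted" if ok else "refused", why))
```

      With the config from the post, only the TLSv1.2 probe should be accepted; if it is, the "Client disconnected" line is not a protocol-version mismatch and the problem sits above the TLS layer.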
    • longsleep (Kopano) @scheini72

        @scheini72

        We refactored some of the TLS settings starting with Kopano 9. To avoid breaking backwards compatibility with older distributions, those changes are not available in Kopano 8.

        To set the minimal TLS version (kopano-gateway), use

          tls_min_proto
               The lowest SSL/TLS version to offer. Possible values are: ssl3, tls1.0,
               tls1.1, tls1.2, and, if supported by the system, tls1.3.

               Default: tls1.2


        (requires Kopano Core 9 or higher).

        • scheini72 @longsleep

          @longsleep
          Thanks for the info. I do have 8.7.20, so I still need the ssl_protocols and ssl_ciphers.
          What do I need to set then? The current settings do not work.
          thanks in advance
          Schein72

          • longsleep (Kopano) @scheini72

              @scheini72

              You can only use the settings as they are available in the corresponding Kopano Core version. AFAIK it's not possible to set the minimal TLS version in 8.x (this feature has been introduced in 9.x).

              What exactly is the problem with Thunderbird and why is it not able to connect?

              • scheini72 @longsleep

                @longsleep
                I can’t tell you; I have a workaround now: I do not use TLS between gateway and server anymore (see server.cfg and gateway.cfg below).

                The issue: I was not able to select my folder to be able to subscribe. Whether the RCA was too many folders under the public folder, I can’t tell.

                server.cfg

                ##############################################################
                # SERVER SETTINGS

                # Space-separated list of address:port specifiers for where the server should
                # listen for unencrypted connections.
                #
                #    "*:236" — port 236, all protocols
                #    "[::]:236" — port 236 on IPv6 only
                #    "[2a01:db1::1]:236" — port 236 on specific address only
                #    To disable unencrypted connections, set to an empty value.
                #
                #server_listen = *:236
                server_listen = *:236

                # Space-separated list of paths for where to listen for AF_LOCAL
                # connections.
                # To disable, set to an empty value.


                gateway.cfg

                ##############################################################
                # GATEWAY SETTINGS

                # Space-separated list of address:port specifiers for where the server should
                # listen for connections.
                #
                #    "*:143" — port 143, all protocols
                #    "[::]:143" — port 143 on IPv6 only
                #    "[2001:db8::1]:143" — port 143 on specific address only
                #
                # imaps is normally on 993, pop3s on 995.
                #
                #pop3_listen = *:110
                pop3_listen =
                pop3s_listen =
                imap_listen =
                #imap_listen =
                imaps_listen = *:993

                # Connection to the storage server.
                # Please refer to the administrator manual or manpage why HTTP is used rather than the UNIX socket.
                #server_socket = http://[:1]:237/
                #server_socket = http://localhost:237/


                Currently it’s running. As soon as I have time, I’ll do thorough testing and checking (hopefully already on the new release, which should come within the next weeks/months?).

                cheers
                scheini72
