Cannot connect to imap after certificate update #5599

Closed
thstyl2000 opened this issue Sep 29, 2021 · 6 comments

Comments

@thstyl2000

Expected behavior

When the email server changes its certificate, the mail app should ask whether the new certificate is to be trusted.

Actual behavior

The server becomes unreachable; Horde sends the error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

Mail app

Mail app version: 1.10.5

Mailserver or service: dovecot

Server configuration

Operating system: freebsd

Web server: apache

Database: MariaDB

PHP version: 8.0.7

Nextcloud Version: 21.0.4

Client configuration

Browser: any

Operating system: linux

@ChristophWurst
Member

TLS certs are validated by default. You can't turn this off. https://github.com/nextcloud/mail/blob/master/doc/admin.md#disable-tls-verification-for-imapsmtp allows admins to change the default. #2785 is the feature request to make this a user setting.

@thstyl2000
Author

Hi and thanks for the quick response! I am aware of that request, but that is not what I meant. Every other client produces a popup that asks the user if the new certificate is to be trusted or not. So a user will choose (supposing the admin has communicated the certificate change) to trust the new certificate (usually users have elevated rights on their own business laptops). The system still works with full TLS validation.

The way it is now, it is not possible for a user who does not administer the Nextcloud installation to continue to have access to the email account, unless the mail admin is also the Nextcloud admin and he/she installs the certificate in the Nextcloud instance or disables TLS verification.

@thstyl2000
Author

So maybe there could be some user folder containing user approved certificates which are then installed by a cron job. This feature could also be made admin-switchable, if one is concerned about possible security issues.

@ChristophWurst
Member

As long as the old and the new imap server have trustworthy certificates installed this isn't a problem.

So, if the old imap server was already self-signed then you couldn't have used it unless TLS verification was turned off.

We don't pin the cert. As long as the credentials work the app will connect to the new IMAP server. If you have TLS verification on then it will verify the TLS of the new server and only connect if that check passes.

@ChristophWurst
Member

> So maybe there could be some user folder containing user approved certificates which are then installed by a cron job. This feature could also be made admin-switchable, if one is concerned about possible security issues.

This is #2785.

@thstyl2000
Author

The problem was that the complete chain was new, including the authority certificate, which was not installed in the system. So this was not a self-signed certificate, but a new full chain. So I am not sure if #2785 applies... please correct me if I am wrong!
