Cannot connect to imap after certificate update #5599
Comments
TLS certs are validated by default. You can't turn this off. https://github.com/nextcloud/mail/blob/master/doc/admin.md#disable-tls-verification-for-imapsmtp allows admins to change the default. #2785 is the feature request to make this a user setting.
Hi and thanks for the quick response! I am aware of that request, but that is not what I meant. Every other client produces a popup that asks the user if the new certificate is to be trusted or not. So a user will choose (supposing the admin has communicated the certificate change) to trust the new certificate (usually users have elevated rights on their own business laptops). The system still works with full TLS validation. The way it is now, it is not possible for a user who does not admin the Nextcloud installation to continue to have access to the email account, unless the mail admin is also Nextcloud admin and he/she installs the certificate in the Nextcloud instance, or disables TLS verification.
So maybe there could be some user folder containing user-approved certificates which are then installed by a cron job. This feature could also be made admin-switchable, if one is concerned about possible security issues.
As long as the old and the new IMAP server have trustworthy certificates installed this isn't a problem. So, if the old IMAP server was already self-signed then you couldn't have used it unless TLS verification was turned off. We don't pin the cert. As long as the credentials work the app will connect to the new IMAP server. If you have TLS verification on then it will verify the TLS of the new server and only connect if that check passes.
This is #2785.
The problem was that the complete chain was new, including the authority certificate, which was not installed in the system. So this was not a self-signed certificate, but a new full chain. So I am not sure if #2785 applies. Please correct me if I am wrong!
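The two comments above turn on one point: with verification on, the app accepts any chain that the system trust bundle can validate, and a renewed chain under a CA that is not in that bundle fails with "certificate verify failed". The following added example (not code from nextcloud/mail or Horde) reproduces that offline with openssl: it builds an old and a new CA, re-issues the IMAP server's certificate under the new CA, shows verification failing against a bundle that holds only the old CA, and passing once the new CA certificate is installed in the bundle, which is the fix the thread points at instead of disabling verification. The CA names, imap.example.test and the file paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: reproduce "certificate verify failed" after a full chain
# change, then fix it by installing the new CA into the trust bundle.
set -e
WORK="$(mktemp -d)"   # scratch directory for constructed keys and certs

# make_ca NAME: self-signed CA certificate and key (test material only)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# make_server CA: leaf certificate for imap.example.test signed by CA
make_server() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=imap.example.test" \
    -keyout "$WORK/imap.key" -out "$WORK/imap.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/imap.csr" -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -sha256 -days 1 \
    -out "$WORK/imap.crt" >/dev/null 2>&1
}

# verify_chain BUNDLE: "ok" if the server cert chains to a CA in BUNDLE,
# otherwise "fail" (the condition that surfaces as the Horde error above)
verify_chain() {
  if openssl verify -CAfile "$1" "$WORK/imap.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

make_ca old-ca
make_ca new-ca
make_server new-ca                           # chain renewed under the new CA
cp "$WORK/old-ca.crt" "$WORK/trust.pem"      # bundle still holds only old CA

BEFORE=$(verify_chain "$WORK/trust.pem")     # fail: new CA unknown
cat "$WORK/new-ca.crt" >> "$WORK/trust.pem"  # admin installs the new CA
AFTER=$(verify_chain "$WORK/trust.pem")      # ok: chain now validates
echo "before installing new CA: $BEFORE; after: $AFTER"
```

The same check against a live server is `openssl s_client -connect host:993 -CAfile bundle.pem`, whose "Verify return code" line tells you whether it is the bundle or the server chain that needs attention.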
Expected behavior
Email server changes certificate, mail app should ask if new certificate is to be trusted.
Actual behavior
Server becomes unreachable, Horde sends:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Mail app
Mail app version: 1.10.5
Mail server or service: Dovecot
Server configuration
Operating system: FreeBSD
Web server: Apache
Database: MariaDB
PHP version: 8.0.7
Nextcloud Version: 21.0.4
Client configuration
Browser: any
Operating system: Linux