Author Topic: password plugin with sql driver and ssl  (Read 3754 times)

Offline maksek

  • Newbie
  • *
  • Posts: 2
password plugin with sql driver and ssl
« on: June 16, 2018, 04:08:18 PM »
Hi everyone,

I need help to configure password plugin for using sql driver with TLS connection to external PosgreSQL database.

In general it works, but I can't be sure that it works correctly. Particularly, I can not make sure that client (password plugin) verifies certificate of PostgreSQL external server. This is because it works (password changing) even if I point to wrong root certificate (CA) in configuration (password_db_dsn parameter, I hope this is right place). This works even if I do not set CA certificate at all. Also, there is nothing in logs that could help, just messages that password changed successfully. So, my questions are - how can I make sure that certificate of DB server is verified and accepted? And how to configure password plugin in right way for that? I use self-signed certificates.

Roundcube password plugin settings (not the same mashine as mail server):

plugins/password/ contains:
Code: [Select]
$config['password_driver'] = 'sql';
$config['password_db_dsn'] = 'pgsql://webmail:password@tcp(';
$config['password_query'] = 'UPDATE users SET password=%P WHERE userid=%u';

PostgreSQL settings on the mail server (dovecot) side:

in pg_hba.conf I have a required entry
Code: [Select]
# TYPE    DATABASE    USER            ADDRESS                 METHOD
hostssl   mails       webmail                password

SSL settings in postgresql.conf enabled and all required files put to the right place
Code: [Select]
ssl = on
ssl_prefer_server_ciphers = on
ssl_ecdh_curve = 'secp384r1'
ssl_dh_params_file = 'dh4096-postgres.pem'
ssl_cert_file = 'mail-postgres.crt'
ssl_key_file = 'mail-postgres.key'
« Last Edit: June 16, 2018, 06:50:49 PM by maksek »

Offline maksek

  • Newbie
  • *
  • Posts: 2
Re: password plugin with sql driver and ssl
« Reply #1 on: June 19, 2018, 08:55:45 AM »
After investigation of code I found that installed Roundcube 1.3.6 (current release) does not support ssl options in dsn string. But does this in current master branch.This works fine now.
« Last Edit: June 19, 2018, 09:45:31 AM by maksek »