Roundcube Community Forum

Third Party Contributions => API Based Plugins => Topic started by: maksek on June 16, 2018, 04:08:18 PM

Title: password plugin with sql driver and ssl
Post by: maksek on June 16, 2018, 04:08:18 PM
Hi everyone,

I need help configuring the password plugin to use the sql driver with a TLS connection to an external PostgreSQL database.

In general it works, but I can't be sure that it works correctly. In particular, I cannot make sure that the client (password plugin) verifies the certificate of the external PostgreSQL server. This is because it works (password changing) even if I point to the wrong root certificate (CA) in the configuration (password_db_dsn parameter, I hope this is the right place). It works even if I do not set a CA certificate at all. Also, there is nothing in the logs that could help, just messages that the password was changed successfully. So, my questions are: how can I make sure that the certificate of the DB server is verified and accepted? And how do I configure the password plugin the right way for that? I use self-signed certificates.

Roundcube password plugin settings (not the same machine as the mail server):

plugins/password/ contains:
Code:
$config['password_driver'] = 'sql';
$config['password_db_dsn'] = 'pgsql://webmail:password@tcp(';
$config['password_query'] = 'UPDATE users SET password=%P WHERE userid=%u';

PostgreSQL settings on the mail server (dovecot) side:

In pg_hba.conf I have the required entry
Code:
# TYPE    DATABASE    USER            ADDRESS                 METHOD
hostssl   mails       webmail                password

SSL settings in postgresql.conf are enabled and all required files are put in the right place
Code:
ssl = on
ssl_prefer_server_ciphers = on
ssl_ecdh_curve = 'secp384r1'
ssl_dh_params_file = 'dh4096-postgres.pem'
ssl_cert_file = 'mail-postgres.crt'
ssl_key_file = 'mail-postgres.key'

Title: Re: password plugin with sql driver and ssl
Post by: maksek on June 19, 2018, 08:55:45 AM
After investigating the code I found that the installed Roundcube 1.3.6 (current release) does not support SSL options in the DSN string, but the current master branch does. This works fine now.
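
One way to confirm from the webmail host that the server certificate is really checked, as an added example that is not part of the original posts or of Roundcube: connect once with the real CA and once with an unrelated CA, both with libpq's `sslmode=verify-full`, and require that the second attempt is refused. libpq's default `sslmode=prefer` encrypts the session without validating the certificate, so a connection that succeeds with any CA, or with none, is not being verified. The host name, credentials and file paths are placeholders, and the script uses PHP's PDO pgsql driver directly rather than the plugin's DSN syntax.

```php
<?php
// Added example, not Roundcube code. All constants below are placeholders.
const DB_HOST = 'db.example.internal'; // verify-full needs this to match the certificate CN/SAN
const DB_NAME = 'mails';
const DB_USER = 'webmail';
const DB_PASS = 'CHANGE_ME';

/**
 * Attempt one connection with the given libpq sslmode and root certificate.
 * Returns [connected, detail]: TLS session info on success, driver error on failure.
 */
function try_connect(string $sslmode, string $rootcert): array
{
    // PDO hands these key=value pairs to libpq; sslmode and sslrootcert are libpq parameters.
    $dsn = sprintf('pgsql:host=%s;dbname=%s;sslmode=%s;sslrootcert=%s',
        DB_HOST, DB_NAME, $sslmode, $rootcert);
    try {
        $pdo = new PDO($dsn, DB_USER, DB_PASS, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        // pg_stat_ssl shows whether this backend session is actually encrypted.
        $row = $pdo->query(
            'SELECT ssl, version, cipher FROM pg_stat_ssl WHERE pid = pg_backend_pid()'
        )->fetch(PDO::FETCH_ASSOC);
        return [true, json_encode($row)];
    } catch (PDOException $e) {
        return [false, $e->getMessage()];
    }
}

$realCa  = '/etc/ssl/private-ca/root.crt'; // CA that signed the server certificate (assumed path)
$wrongCa = '/tmp/unrelated-ca.crt';        // any unrelated PEM CA certificate (assumed path)

[$okGood, $infoGood] = try_connect('verify-full', $realCa);
[$okBad,  $infoBad]  = try_connect('verify-full', $wrongCa);

echo 'real CA : ', $okGood ? "connected $infoGood" : "FAILED: $infoGood", PHP_EOL;
echo 'wrong CA: ', $okBad
    ? 'connected (certificate is NOT being verified)'
    : "rejected: $infoBad", PHP_EOL;

// Verification is enforced only if the real CA connects and the wrong CA is refused.
exit($okGood && !$okBad ? 0 : 1);
```

If the server is reached by IP address and its certificate carries no matching SAN, `verify-full` fails on the name check; `verify-ca` validates the chain only.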