[Rt-commit] rt branch, 4.0/mailgate-ssl-deps, updated. rt-4.0.4-114-g8647578
Alex Vandiver
alexmv at bestpractical.com
Tue Dec 13 17:22:01 EST 2011
The branch, 4.0/mailgate-ssl-deps has been updated
via 8647578775e9620e0d92a21d080bc8da35012b17 (commit)
from ea54d2323fa2241131b81d4b7d813de2dd958b4a (commit)
Summary of changes:
bin/rt-mailgate.in | 16 ++++++++++++++--
docs/security.pod | 7 +++++++
2 files changed, 21 insertions(+), 2 deletions(-)
- Log -----------------------------------------------------------------
commit 8647578775e9620e0d92a21d080bc8da35012b17
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Tue Dec 13 17:13:43 2011 -0500
Use --no-ssl-verify to allow self-signed certs
diff --git a/bin/rt-mailgate.in b/bin/rt-mailgate.in
index ab5e5b6..d460343 100755
--- a/bin/rt-mailgate.in
+++ b/bin/rt-mailgate.in
@@ -57,10 +57,10 @@ use warnings;
use Getopt::Long;
-my $opts = {};
+my $opts = { 'ssl-verify' => 1 };
GetOptions( $opts, "queue=s", "action=s", "url=s",
"jar=s", "help", "debug", "extension=s",
- "timeout=i"
+ "timeout=i", "ssl-verify!",
);
my $gateway = RT::Client::MailGateway->new();
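Review bot: the option is declared as `"ssl-verify!"`, so the negated form Getopt::Long will accept is `--no-ssl-verify` (as the commit message says), yet the POD added later in this same patch documents the flag as `--no-verify-ssl`, which GetOptions will reject as an unknown option. Settle on one spelling: either rename the option to `"verify-ssl!"` with `'verify-ssl' => 1` as the default, or correct the documentation. Defaulting to 1 is the right call, since verification then stays on unless explicitly disabled.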
@@ -150,6 +150,7 @@ sub get_useragent {
my $opts = shift;
my $ua = LWP::UserAgent->new();
$ua->cookie_jar( { file => $opts->{'jar'} } ) if $opts->{'jar'};
+ $ua->ssl_opts( verify_hostname => $opts->{'ssl-verify'} );
return $ua;
}
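Review bot: `$ua->ssl_opts` only exists in LWP::UserAgent 6.00 and later, and this call is unconditional, so on a host still running LWP 5.x every invocation of rt-mailgate, including plain http:// URLs, will die with a "Can't locate object method" error. Either add the minimum LWP version to the dependencies that `--enable-ssl-mailgate` installs, or guard the call: `$ua->ssl_opts( verify_hostname => $opts->{'ssl-verify'} ) if $ua->can('ssl_opts');`. A comment would also help here: in LWP::Protocol::https a false `verify_hostname` maps to SSL_VERIFY_NONE, so it disables CA-chain checking as well as hostname matching, which is the behaviour the new POD describes.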
@@ -355,6 +356,17 @@ If your RT server uses SSL, you will need to install additional Perl
libraries. RT will detect and install these dependencies if you pass the
C<--enable-ssl-mailgate> flag to configure as documented in RT's README.
+If you have a self-signed SSL certificate, you may also need to pass
+C<--no-verify-ssl>, below.
+
+=item C<--no-verify-ssl>
+
+This flag tells the mail gateway to trust all SSL certificates,
+regardless of if their hostname matches the certificate, and regardless
+of CA. This is required if you have a self-signed certificate, or some
+other certificate which is not traceable back to an certificate your
+system ultimitely trusts.
+
=item C<--extension> OPTIONAL
Some MTAs will route mail sent to user-foo at host or user+foo at host to user at host
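Review bot: the flag name used twice in this POD, `--no-verify-ssl`, does not match the `ssl-verify!` option declared in the first hunk, whose negated form is `--no-ssl-verify`; a user following this documentation gets an unknown-option error. Spelling and grammar in the new paragraph: "regardless of if" should be "regardless of whether", "an certificate" should be "a certificate", and "ultimitely" should be "ultimately". The text should also state plainly that the flag switches off CA verification, leaving the gateway's connection to RT open to interception, and point to the alternative of adding the self-signed or local-CA certificate to the system trust store so that verification can stay enabled.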
diff --git a/docs/security.pod b/docs/security.pod
index 6c0599d..b8650e0 100644
--- a/docs/security.pod
+++ b/docs/security.pod
@@ -23,6 +23,13 @@ can connect. You can use the C<--enable-ssl-mailgate> command to
configure to automate the installation of these dependencies. This is
documented further in step 10 of the README.
+You should use a certificate signed by a reputable authority, or at very
+least a certificate signed by a consistent local CA, which you configure
+your local systems to trust. If your SSL certificate is self-signed, it
+does little to prevent phishing, as users are trained to accept the
+unauthorized certificate. See also the C<--no-verify-ssl> flag to
+C<rt-mailgate>.
+
=item *
Be sure to change the password for the C<root> user of RT. The default
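Review bot: same flag-name mismatch here: `--no-verify-ssl` should read `--no-ssl-verify` to match the `ssl-verify!` option in bin/rt-mailgate.in. The phishing argument applies to users' browsers; for rt-mailgate the risk is different and worth a sentence of its own: with verification disabled, the gateway will hand incoming mail to whichever host answers for the RT URL, so an interposed server can read ticket mail and forge responses. Suggest adding that, and framing `--no-ssl-verify` as a last resort once installing the local CA certificate has been tried.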
-----------------------------------------------------------------------