Last active 2 weeks ago

With Zammad 6.2 existing configurations for Email channels and i-doit by default have ssl verification disabled. This code snippet activates SSL verification. This change ONLY affects existing, update installations.

MrGeneration's Avatar MrGeneration revised this gist 2 weeks ago. Go to revision

1 file changed

enable_ssl_verification_ldap renamed to enable_ssl_verification_ldap.rb

File renamed without changes

MrGeneration's Avatar MrGeneration revised this gist 2 weeks ago. Go to revision

4 files changed, 46 insertions

disable_ssl_verification_idoit.rb(file created)

@@ -0,0 +1,4 @@
1 + # Disable SSL certificate verification for i-doit integration
2 +
3 + config = Setting.get('idoit_config')
4 + unless config.blank? ; then Setting.set('idoit_config', config.merge('verify_ssl' => false)) end

enable_ssl_verification_ldap(file created)

@@ -0,0 +1,4 @@
1 + LdapSource.all.each do |l|
2 + l.preferences.merge!("ssl_verify"=>true)
3 + l.save
4 + end;

enforce_ssl_verify_false.rb(file created)

@@ -0,0 +1,37 @@
1 + # Disables SSL verification on existing email channels
2 + # (Below command PROBES inbound and outbound and only activates ssl verification if true!)
3 + # Has been enhanced with the help of rolfschmidt
4 +
5 + Channel.where(area: 'Email::Account', active: true).all.select do |c|
6 + c.options.dig('inbound', 'options', 'ssl_verify') == true || c.options.dig('outbound', 'options', 'ssl_verify') == true
7 + end.each do |c|
8 + if %[imap smtp pop3].include?(c.options.dig('inbound', 'adapter')) && c.options.dig('inbound', 'options', 'ssl_verify') == true
9 + c.options['inbound']['options']['ssl_verify'] = false
10 + inbound_result = EmailHelper::Probe.inbound(c.options['inbound'])
11 + puts "INBOUND | channel #{c.id} (#{c.options.dig('inbound', 'options', 'host')}, #{c.options.dig('inbound', 'options', 'user')}) | try SSL verify false, RESULT: #{inbound_result[:result]}"
12 +
13 + if inbound_result[:result] == 'ok'
14 + c.options['inbound'][:options][:ssl_verify] = false
15 + c.save!
16 + else
17 + puts " - DEBUG - response: #{inbound_result[:message]}; human message: #{inbound_result[:message_human]}; possibly invalid fields: #{inbound_result[:invalid_field]}"
18 + c.reload
19 + end
20 + end
21 + if %[imap smtp pop3].include?(c.options.dig('inbound', 'adapter')) && c.options.dig('outbound', 'options', 'ssl_verify') == true
22 + c.options['outbound']['options']['ssl_verify'] = false
23 + outbound_result = EmailHelper::Probe.outbound(
24 + c.options['outbound'],
25 + EmailAddress.where(channel_id: c.id).first.email,
26 + )
27 + puts "OUTBOUND | channel #{c.id} (#{c.options.dig('outbound', 'options', 'host')}, #{c.options.dig('outbound', 'options', 'user')}) | try SSL verify false, RESULT: #{outbound_result[:result]}"
28 +
29 + if outbound_result[:result] == 'ok'
30 + c.options['outbound'][:options][:ssl_verify] = false
31 + c.save!
32 + else
33 + puts " - DEBUG - response: #{outbound_result[:message]}; human message: #{outbound_result[:message_human]}; possibly invalid fields: #{outbound_result[:invalid_field]}"
34 + c.reload
35 + end
36 + end
37 + end; nil

optional_disable_es_ssl_verification.rb(file created)

@@ -0,0 +1 @@
1 + Setting.set('es_ssl_verify', false)

MrGeneration's Avatar MrGeneration revised this gist 2 years ago. Go to revision

2 files changed, 2 insertions, 2 deletions

disable_ssl_verification_ldap.rb

@@ -4,4 +4,4 @@
4 4 LdapSource.all.each do |l|
5 5 l.preferences.merge!("ssl_verify"=>false)
6 6 l.save
7 - end;
7 + end;

optional_enable_es_ssl_verification.rb

@@ -1,3 +1,3 @@
1 1 # Side note: Elasticsearch has an option to verify SSL as well. This might be an edge case.
2 2 # By default these certificates are self-signed and thus you may not want to run this at all
3 - Setting.set('es_ssl_verify', true)
3 + Setting.set('es_ssl_verify', true)

MrGeneration's Avatar MrGeneration revised this gist 2 years ago. Go to revision

1 file changed, 7 insertions

disable_ssl_verification_ldap.rb(file created)

@@ -0,0 +1,7 @@
1 + # If you've configured "SSL-Verification: true" on previous Zammad-Versions, this setting is going to be a problem.
2 + # Below turns off SSL verification for all LDAP-Sources. You then can login again and have the time needed to fix the configuration.
3 +
4 + LdapSource.all.each do |l|
5 + l.preferences.merge!("ssl_verify"=>false)
6 + l.save
7 + end;

MrGeneration's Avatar MrGeneration revised this gist 2 years ago. Go to revision

2 files changed, 5 insertions, 6 deletions

enable_ssl_verification_idoit.rb(file created)

@@ -0,0 +1,5 @@
1 + # Enable SSL certificate verification for i-doit integration
2 + # (MAY break i-doit functionality if certificates are invalid!)
3 +
4 + config = Setting.get('idoit_config')
5 + unless config.blank? ; then Setting.set('idoit_config', config.merge('verify_ssl' => true)) end

enforce_ssl_verify_true.rb

@@ -35,9 +35,3 @@ end.each do |c|
35 35 end
36 36 end
37 37 end; nil
38 -
39 - # Enable SSL certificate verification for i-doit integration
40 - # (MAY break i-doit functionality if certificates are invalid!)
41 -
42 - config = Setting.get('idoit_config')
43 - unless config.blank? ; then Setting.set('idoit_config', config.merge('verify_ssl' => true)) end

MrGeneration's Avatar MrGeneration revised this gist 2 years ago. Go to revision

1 file changed, 1 insertion, 2 deletions

enforce_ssl_verify_true.rb

@@ -22,8 +22,7 @@ end.each do |c|
22 22 c.options['outbound']['options']['ssl_verify'] = true
23 23 outbound_result = EmailHelper::Probe.outbound(
24 24 c.options['outbound'],
25 - 'verify-external-smtp-sending@discard.zammad.org',
26 - 'Zammad Probe Outbound',
25 + EmailAddress.where(channel_id: c.id).first.email,
27 26 )
28 27 puts "OUTBOUND | channel #{c.id} (#{c.options.dig('outbound', 'options', 'host')}, #{c.options.dig('outbound', 'options', 'user')}) | try SSL verify true, RESULT: #{outbound_result[:result]}"
29 28

MrGeneration's Avatar MrGeneration revised this gist 2 years ago. Go to revision

1 file changed, 3 insertions

enforce_ssl_verify_true.rb

@@ -15,9 +15,11 @@ end.each do |c|
15 15 c.save!
16 16 else
17 17 puts " - DEBUG - response: #{inbound_result[:message]}; human message: #{inbound_result[:message_human]}; possibly invalid fields: #{inbound_result[:invalid_field]}"
18 + c.reload
18 19 end
19 20 end
20 21 if %[imap smtp pop3].include?(c.options.dig('inbound', 'adapter')) && c.options.dig('outbound', 'options', 'ssl_verify') == false
22 + c.options['outbound']['options']['ssl_verify'] = true
21 23 outbound_result = EmailHelper::Probe.outbound(
22 24 c.options['outbound'],
23 25 'verify-external-smtp-sending@discard.zammad.org',
@@ -30,6 +32,7 @@ end.each do |c|
30 32 c.save!
31 33 else
32 34 puts " - DEBUG - response: #{outbound_result[:message]}; human message: #{outbound_result[:message_human]}; possibly invalid fields: #{outbound_result[:invalid_field]}"
35 + c.reload
33 36 end
34 37 end
35 38 end; nil

MrGeneration's Avatar MrGeneration revised this gist 2 years ago. Go to revision

1 file changed, 4 insertions

enforce_ssl_verify_true.rb

@@ -13,6 +13,8 @@ end.each do |c|
13 13 if inbound_result[:result] == 'ok'
14 14 c.options['inbound'][:options][:ssl_verify] = true
15 15 c.save!
16 + else
17 + puts " - DEBUG - response: #{inbound_result[:message]}; human message: #{inbound_result[:message_human]}; possibly invalid fields: #{inbound_result[:invalid_field]}"
16 18 end
17 19 end
18 20 if %[imap smtp pop3].include?(c.options.dig('inbound', 'adapter')) && c.options.dig('outbound', 'options', 'ssl_verify') == false
@@ -26,6 +28,8 @@ end.each do |c|
26 28 if outbound_result[:result] == 'ok'
27 29 c.options['outbound'][:options][:ssl_verify] = true
28 30 c.save!
31 + else
32 + puts " - DEBUG - response: #{outbound_result[:message]}; human message: #{outbound_result[:message_human]}; possibly invalid fields: #{outbound_result[:invalid_field]}"
29 33 end
30 34 end
31 35 end; nil

MrGeneration's Avatar MrGeneration revised this gist 2 years ago. Go to revision

1 file changed, 1 insertion, 1 deletion

enforce_ssl_verify_true.rb

@@ -1,6 +1,6 @@
1 1 # Enables existing Email channels to verify SSL certificates
2 2 # (Below command PROBES inbound and outbound and only activates ssl verification if true!)
3 - # Has been inhanced with the help of rolfschmidt
3 + # Has been enhanced with the help of rolfschmidt
4 4
5 5 Channel.where(area: 'Email::Account', active: true).all.select do |c|
6 6 c.options.dig('inbound', 'options', 'ssl_verify') == false || c.options.dig('outbound', 'options', 'ssl_verify') == false

MrGeneration's Avatar MrGeneration revised this gist 2 years ago. Go to revision

1 file changed, 1 insertion, 3 deletions

enforce_ssl_verify_true.rb

@@ -34,6 +34,4 @@ end; nil
34 34 # (MAY break i-doit functionality if certificates are invalid!)
35 35
36 36 config = Setting.get('idoit_config')
37 - unless config.blank? do
38 - Setting.set('idoit_config', config.merge('verify_ssl' => true))
39 - end
37 + unless config.blank? ; then Setting.set('idoit_config', config.merge('verify_ssl' => true)) end
Newer Older