Last active 2 weeks ago

With Zammad 6.2 existing configurations for Email channels and i-doit by default have ssl verification disabled. This code snippet activates SSL verification. This change ONLY affects existing, update installations.

MrGeneration's Avatar MrGeneration revised this gist 2 years ago. Go to revision

2 files changed, 3 insertions, 4 deletions

enforce_ssl_verify_true.rb

@@ -37,7 +37,3 @@ config = Setting.get('idoit_config')
37 37 unless config.blank? do
38 38 Setting.set('idoit_config', config.merge('verify_ssl' => true))
39 39 end
40 -
41 - # Side note: Elasticsearch has an option to verify SSL as well. This might be an edge case.
42 - # By default these certificates are self-signed and thus you may not want to run this at all
43 - Setting.set('es_ssl_verify', true)

optional_enable_es_ssl_verification.rb(file created)

@@ -0,0 +1,3 @@
1 + # Side note: Elasticsearch has an option to verify SSL as well. This might be an edge case.
2 + # By default these certificates are self-signed and thus you may not want to run this at all
3 + Setting.set('es_ssl_verify', true)

MrGeneration's Avatar MrGeneration revised this gist 2 years ago. Go to revision

1 file changed, 26 insertions, 10 deletions

enforce_ssl_verify_true.rb

@@ -1,18 +1,34 @@
1 1 # Enables existing Email channels to verify SSL certificates
2 - # (MAY break Email communication if certificates are invalid!)
2 + # (Below command PROBES inbound and outbound and only activates ssl verification if true!)
3 + # Has been inhanced with the help of rolfschmidt
3 4
4 - Channel
5 - .where(area: 'Email::Account Email::Notification')
6 - .each do |channel|
7 - ['inbound', 'outbound'].each do |dir|
8 - next if ['pop3', 'imap', 'smtp'].exclude?(channel.options.dig(dir, :adapter))
9 - next if !channel.options[dir].key? :options
5 + Channel.where(area: 'Email::Account', active: true).all.select do |c|
6 + c.options.dig('inbound', 'options', 'ssl_verify') == false || c.options.dig('outbound', 'options', 'ssl_verify') == false
7 + end.each do |c|
8 + if %[imap smtp pop3].include?(c.options.dig('inbound', 'adapter')) && c.options.dig('inbound', 'options', 'ssl_verify') == false
9 + c.options['inbound']['options']['ssl_verify'] = true
10 + inbound_result = EmailHelper::Probe.inbound(c.options['inbound'])
11 + puts "INBOUND | channel #{c.id} (#{c.options.dig('inbound', 'options', 'host')}, #{c.options.dig('inbound', 'options', 'user')}) | try SSL verify true, RESULT: #{inbound_result[:result]}"
10 12
11 - channel.options[dir][:options][:ssl_verify] = true
13 + if inbound_result[:result] == 'ok'
14 + c.options['inbound'][:options][:ssl_verify] = true
15 + c.save!
12 16 end
13 - channel.save!
14 17 end
15 - end
18 + if %[imap smtp pop3].include?(c.options.dig('inbound', 'adapter')) && c.options.dig('outbound', 'options', 'ssl_verify') == false
19 + outbound_result = EmailHelper::Probe.outbound(
20 + c.options['outbound'],
21 + 'verify-external-smtp-sending@discard.zammad.org',
22 + 'Zammad Probe Outbound',
23 + )
24 + puts "OUTBOUND | channel #{c.id} (#{c.options.dig('outbound', 'options', 'host')}, #{c.options.dig('outbound', 'options', 'user')}) | try SSL verify true, RESULT: #{outbound_result[:result]}"
25 +
26 + if outbound_result[:result] == 'ok'
27 + c.options['outbound'][:options][:ssl_verify] = true
28 + c.save!
29 + end
30 + end
31 + end; nil
16 32
17 33 # Enable SSL certificate verification for i-doit integration
18 34 # (MAY break i-doit functionality if certificates are invalid!)

MrGeneration's Avatar MrGeneration revised this gist 2 years ago. Go to revision

No changes

MrGeneration's Avatar MrGeneration revised this gist 2 years ago. Go to revision

1 file changed, 27 insertions, 1 deletion

enforce_ssl_verify_true.rb

@@ -1 +1,27 @@
1 - x
1 + # Enables existing Email channels to verify SSL certificates
2 + # (MAY break Email communication if certificates are invalid!)
3 +
4 + Channel
5 + .where(area: 'Email::Account Email::Notification')
6 + .each do |channel|
7 + ['inbound', 'outbound'].each do |dir|
8 + next if ['pop3', 'imap', 'smtp'].exclude?(channel.options.dig(dir, :adapter))
9 + next if !channel.options[dir].key? :options
10 +
11 + channel.options[dir][:options][:ssl_verify] = true
12 + end
13 + channel.save!
14 + end
15 + end
16 +
17 + # Enable SSL certificate verification for i-doit integration
18 + # (MAY break i-doit functionality if certificates are invalid!)
19 +
20 + config = Setting.get('idoit_config')
21 + unless config.blank? do
22 + Setting.set('idoit_config', config.merge('verify_ssl' => true))
23 + end
24 +
25 + # Side note: Elasticsearch has an option to verify SSL as well. This might be an edge case.
26 + # By default these certificates are self-signed and thus you may not want to run this at all
27 + Setting.set('es_ssl_verify', true)

MrGeneration's Avatar MrGeneration revised this gist 2 years ago. Go to revision

1 file changed, 1 insertion

enforce_ssl_verify_true.rb(file created)

@@ -0,0 +1 @@
1 + x
Newer Older