A little while ago we posted an article on configuring STunnel to use with Kayako because SSL over POP3 with Google Mail/Google Applications wasn’t working properly. Today we finally had some time to sit down and think about this and worked out a much better solution that doesn’t require STunnel to be involved in the mix.

In the Kayako cron script, they have hard-set a “notls” option when trying to connect to the IMAP or POP3 email servers. It seems when using the imap_open() function in PHP, you must only specify the “notls” option when you explicitly do NOT want any SSL encryption. Since Kayako is forcing the “notls” option on all connection strings, it was cancelling out the “ssl” option that’s enabled when you select pop3-ssl or imap-ssl in your Kayako configuration settings.

As you can see from this sample code here, Kayako is hard setting the “notls” option:

/modules/parser/cron_parser.php:

dbCore->Record4["port"] ."/". $fetchtype ."/notls}

So, in order to make your Kayako installation work with Gmail or Google Apps you must go into the file and change the above into the following (simply remove the “/notls”):

/modules/parser/cron_parser.php:
dbCore->Record4[“port”] ."/". $fetchtype ."}

Now make sure you go in and modify your server settings for each support queue:

Pop server: pop.gmail.com
POP Port: 995
Queue Type: POP3-SSL

Now, once you’ve made the changes to test your server, send a couple emails to each of your queues and hit the cron script from a web browser so you can see the debug output. This is done like this:

Testing your server:
http://support.yourserver.com/cron/index.php?_t=parser

We’re not sure why this was hard coded in the original Kayako source, because you can’t use TLS when you specify legacy SSL for a connection, so in effect the “notls” option that was hard coded performed no function except to prevent SSL from ever working in the first place.

The preferred fix would be to use the “notls” option only for POP3 connections that do not require SSL or TLS, and to add an option to the interface to select “IMAP-TLS” and “POP3-TLS” along with the code required to specify “tls” to those connection types (which would force TLS negotiation). Hopefully Kayako is reading this and integrates it to their new release – the hardest part being the addition of the two extra user interface configuration options.

Download the Kayako SSL Patch here if you’d prefer this over manually editing the file mentioned above.

Comments

Comment by Jamie Edwards on 2008-12-10 18:50:31 -0500

Thank you for creating a patch and for bringing this to our attention. We’ve added it to the tracker and will be looking at the reported issue and your proposed fix.

Comment by John Haugeland on 2008-12-10 18:51:36 -0500

Filed as defect 871.

http://bugs.kayako.com/index.php?cmd=view&id=871

Kinda not happy about this blog post’s title, though.

Comment by Roger Clark at Kayako on 2008-12-10 18:55:02 -0500

Thanks to a friend of a friend, we actually did read this post!

Currently the code is frozen for an upcoming release, so unfortunately the correction will likely not make it into that version; however, the bug has been filed and will make it into the next maintenance release.

Thanks for the fix. Not sure why “notls” was hardcoded like that in the first place!

Comment by Matt G on 2008-12-10 21:20:11 -0500

Hey Guys,

Thanks for the replies, and filing the bug report. Looking forward to the next release with it included. No offense meant by the title, but it was broken 🙂

We also have a fix idea for SMTP SSL if you guys need it, let us know.

Comment by John Haugeland on 2008-12-11 15:29:55 -0500

We’re always open to fixes. You can reach me at the email address from my blog account, if you’d like to let us know about other things that we could do.

Comment by eric on 2008-12-26 23:08:34 -0500

Hi,

I would be interested in a solution for ssl SMTP for kayako

Comment by haste | game reviews on 2009-09-12 05:11:32 -0500

Man, thanks for this tutorial. It is the ONLY guide that answer the problem of Kayako and google apps. Finally got it worked after fumbling for hours. Cheers