IMAP SSL/TLS or STARTTLS will not work only None

Discussion regarding the Standard version.
tinybeetle
Posts: 4
Joined: Mon May 23, 2016 7:05 pm

IMAP SSL/TLS or STARTTLS will not work only None

Post by tinybeetle »

I have MailEnable 9.12 Standard installed on Windows 2012 R2. I've got SSL working just fine with the web interface; it is using a public GoDaddy SSL. Email headers do show that TLS 1.2 is being used for connectivity. However, when I try to set up IMAP to use anything other than Security Type "None" in Android I cannot establish a connection. I've looked in every log I can think of on the server and I do not see what is wrong. If I leave the security at "None" IMAP works just fine. I've even tried turning the Windows Firewall completely off to no avail.

I've added user IME_System (no user name IME_Service exists on my Windows 2012 server) to the Certificate in MMC and to the Certificate Registry key as indicated in the MailEnable KB and elsewhere on this forum. Still it does not work.

What am I missing, where should I be looking?

Thanks, Jan

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: IMAP SSL/TLS or STARTTLS will not work only None

Post by MailEnable-Ian »

Hi,

Have you set the SSL certificate to be used within MailEnable under the "localhost" properties window under the SSL tab? Have you enabled the SSL ports within the IMAP properties?

Here is an article to help troubleshoot mail client connectivity: http://www.mailenable.com/kb/content/ar ... D=ME020075
Regards,

Ian Margarone
MailEnable Support

tinybeetle
Posts: 4
Joined: Mon May 23, 2016 7:05 pm

Re: IMAP SSL/TLS or STARTTLS will not work only None

Post by tinybeetle »

Thank you for responding. I figured out the issue. The checkbox for "Requires SSL" must be checked in both the SMTP advanced settings and the IMAP settings. That is rather counter-intuitive. "Requires" implies that without the check-mark SSL is available but up to the client whether or not to use it on that port number. A better name for that option would be "Use SSL" or "Utilize SSL".

Hopefully this helps someone else who may be running into this issue.

cjard
Posts: 35
Joined: Wed Jan 04, 2012 5:55 pm

Re: IMAP SSL/TLS or STARTTLS will not work only None

Post by cjard »

Just wanted to add a bit (sorry to dig up an old thread) - I don't think the advice given by tinybeetle is necessarily correct. The way I read it, tinybeetle's implication was that the "Require SSL" setting means "Allow the client to use SSL if they want", but if I telnet my SMTP (for example) with Require SSL OFF, then I see the welcome message, whereas if I telnet it with Require SSL ON, then I see nothing (as it's waiting to do cert exchange?)

Ergo, I'm under the impression that Require SSL means "The client must use SSL in order to interact with the service on this port" and it's hence not counter-intuitive: you're after a scenario where the client must use SSL, so you need to therefore tick Requires SSL for the additional port, and then set your Android to use it. If your Android phone is willing to issue a STARTTLS command (i.e. it MAY do secure rather than MUST do secure) and ME is willing to accept it (I've a query as to whether it will; I think it doesn't) then they should go on to upgrade the connection to SSL/TLS after the initial plaintext conversation, on any port that doesn't have RequireSSL set to true. On a port where RequireSSL is true, the conversation must negotiate security right at the start, before any other commands. If ME doesn't accept STARTTLS as an IMAP command, you're stuck at the level of offering up to 2 ports, one secure and one not, and configuring clients accordingly.

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: IMAP SSL/TLS or STARTTLS will not work only None

Post by MailEnable-Ian »

Hi,
Upgrade to 9.62 Standard as IMAP now supports STARTTLS and provides additional security settings within the IMAP properties window for authentication methods.
Regards,

Ian Margarone
MailEnable Support
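
The two port behaviours discussed in this thread (a listener that greets in plaintext and may offer STARTTLS, versus one that stays silent until a TLS handshake) can be told apart from the client side. The following is an added example, not part of any post above and not MailEnable code; the function names and the loopback listener are constructed for illustration.

```python
import socket
import ssl
import threading

def recv_until(sock, marker):
    """Read until marker appears, the peer closes, or the socket times out."""
    data = b""
    try:
        while marker not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    except OSError:  # includes a timeout: the server stayed silent
        pass
    return data

def classify_imap_port(host, port, timeout=3.0):
    """Return 'starttls', 'plaintext-only', 'implicit-tls' or 'no-imap-greeting'."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if recv_until(sock, b"\r\n").startswith(b"* OK"):  # plaintext greeting
            sock.sendall(b"a1 CAPABILITY\r\n")
            caps = recv_until(sock, b"a1 OK").upper()
            return "starttls" if b"STARTTLS" in caps else "plaintext-only"
    # No plaintext greeting: the listener may be waiting for a TLS ClientHello.
    ctx = ssl.create_default_context()  # verifies certificate chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                if recv_until(tls, b"\r\n").startswith(b"* OK"):
                    return "implicit-tls"
    except OSError:  # ssl.SSLError is an OSError: handshake or certificate failure
        pass
    return "no-imap-greeting"

def demo_listener(capabilities):
    """Constructed loopback listener that greets in plaintext, for offline runs."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"* OK constructed test listener\r\n")
            conn.recv(1024)
            conn.sendall(b"* CAPABILITY " + capabilities + b"\r\na1 OK done\r\n")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    for caps in (b"IMAP4rev1 STARTTLS", b"IMAP4rev1"):
        print(caps.decode(), "->", classify_imap_port("127.0.0.1", demo_listener(caps), 1.0))
```

Against a real server, a port reported as `plaintext-only` accepts credentials without encryption, and a client set to SSL/TLS or STARTTLS will fail against it exactly as described in the first post.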
