IMAP Problems :: Can't connect from mail client.

jim.thornton

I am running Zimbra mail server (on a remote machine) and I have added an extra account which I have done many times. When I try to pull in the mail from this account (from my DA server) it is not working. I'm getting an error message.

I have logged into my DA server and looked at the log files:
Code:
Aug  9 14:45:53 s2 dovecot[20509]: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=37.247.48.108, lip=108.166.181.204, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number 46, session=<T+A+uzYA2gAl9zBs>

Then I tried unchecking the "use SSL" box but I got this:
Code:
Aug  9 14:49:50 s2 dovecot[20509]: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=37.247.48.108, lip=108.166.181.204, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number 46, session=<bpxdyTYA7gAl9zBs>

The problem is that I don't understand the error code. I find it weird that the user is blank. I see there is something wrong with the SSL on the server. I have not installed a server SSL because I thought that DA created a self-signed certificate. But if that is not the case, then I can buy one and put it on, but I don't think that will help if I do a server-side one because the domain is different.

Not really sure what to do here. Can someone please help me debug and fix this?
 
Hello,

My guess is that you are facing an SSL cert issue, and a connection can *NOT* be established; that's why you see "no auth attempts in 1 secs". Did you try to connect to IMAP/POP via SSL from your PC or mobile device?
 
I am able to retrieve messages from my phone using IMAP and SSL. A certificate warning came up on my phone and I accepted it and I got my mail. But I did get an error from the SMTP login. But, I'll look into that after.

I had an external account already set up in Zimbra, so I know this works on my Zimbra server.
 
This is a fairly old thread, but I ran into a similar TLS handshaking problem yesterday.

My conclusion is that it has to do with old mail clients using TLS Version 1. In my case it was a Mac OS 10.9.5 using the native Mac Mail Client.

Turns out the new dovecot build writes the following into the /etc/dovecot/conf/ssl.conf file:

ssl_min_protocol = TLSv1.1

Older clients will work again when the line is changed back to:

ssl_min_protocol = TLSv1

Don't forget to restart dovecot:

service dovecot restart

Of course, this line will be changed every time dovecot is built.
The question is whether you still want to use TLS Version 1. In my opinion it is better to stop supporting it and to force clients using older software to stop using TLS.

Hope this helps.
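
An added example, not part of the thread: a small Python triage script for the dovecot `imap-login` lines quoted above, which tells a TLS alert sent by the connecting client (such as alert 46) apart from an error raised locally by OpenSSL (such as a protocol version dovecot refuses). It assumes the pre-3.0 OpenSSL error-code layout; the function name `classify` and the second sample line are constructed for illustration.

```python
import re

# TLS alert numbers (RFC 5246, section 7.2) that show up in failed handshakes.
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate",
              43: "unsupported_certificate", 44: "certificate_revoked",
              45: "certificate_expired", 46: "certificate_unknown",
              48: "unknown_ca", 70: "protocol_version"}
CERT_ALERTS = {42, 43, 44, 45, 46, 48}

LINE_RE = re.compile(
    r"imap-login: Disconnected.*?rip=(?P<rip>[^,\s]+), lip=(?P<lip>[^,\s]+),"
    r".*?SSL_accept\(\) failed: error:(?P<code>[0-9A-Fa-f]{8}):"
    r"[^:]*:[^:]*:(?P<reason>[^:,]*)")

def classify(line):
    """Describe a failed TLS handshake log line, or return None if no match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # Assumption: pre-3.0 OpenSSL packing, where the low 12 bits are the reason
    # code and reasons >= 1000 mean "alert received from peer" (1000 + number).
    reason = int(m["code"], 16) & 0xFFF
    alert = reason - 1000 if reason >= 1000 else None
    if alert in CERT_ALERTS:
        verdict = "client rejected the server certificate"
    elif alert == 70:
        verdict = "client rejected the protocol version"
    elif alert is not None:
        verdict = "client sent a TLS alert"
    else:
        verdict = "local OpenSSL error: " + m["reason"].strip()
    return {"rip": m["rip"], "lip": m["lip"], "alert": alert,
            "alert_name": TLS_ALERTS.get(alert), "verdict": verdict}

SAMPLE = [
    # Log line quoted in the thread.
    "Aug  9 14:45:53 s2 dovecot[20509]: imap-login: Disconnected (no auth "
    "attempts in 1 secs): user=<>, rip=37.247.48.108, lip=108.166.181.204, "
    "TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:"
    "SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number 46, "
    "session=<T+A+uzYA2gAl9zBs>",
    # Constructed line (not from the thread): a client below ssl_min_protocol.
    "Aug  9 15:02:11 s2 dovecot[20509]: imap-login: Disconnected (no auth "
    "attempts in 0 secs): user=<>, rip=192.0.2.10, lip=108.166.181.204, "
    "TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:"
    "tls_early_post_process_client_hello:unsupported protocol, "
    "session=<constructed>",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry))
```

A certificate alert points at the certificate dovecot presents and the connecting client's trust settings, while a local protocol error points at `ssl_min_protocol`.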
 