I’m setting up SquirrelMail to point to my Exchange 2010 server via IMAP (don’t ask) and couldn’t get SM to talk to Exchange on port 993 (imaps). Even though the servers on the same subnet, any time passwords are being sent over the network I like to opt for SSL. I found a couple of sites suggesting that the problem was that there was no SSL certificate installed, but I knew for a fact there was a valid certificate because I could get to https://webmail.example.com/ for OWA.
Some of the errors SquirrelMail was reporting were “Error connecting to IMAP server xxxx Server error: (0)” and “Error connecting to IMAP server: tls://xxxx:993. 0: ”
Nothing would actually work on port 993. Telnet to 993 got this:
$ telnet 10.0.20.18 993 Trying 10.0.20.18... Connected to 10.0.20.18. Escape character is '^]'. * BYE Connection is closed. 14 Connection closed by foreign host.
After too much poking, I decided to go down to a lower level and do a simple openssl certificate retrieval and see what came back:
$ openssl s_client -connect 10.0.20.18:993 CONNECTED(00000003) 140281653434184:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:699: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 7 bytes and written 113 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE ---
That didn’t look right, so I ran it against the same server on port 443 and got back a real certificate. Same for port 995 (pop3s):
$ openssl s_client -connect 10.0.20.18:443 CONNECTED(00000003) depth=3 L = ValiCert Validation Network, O = "ValiCert, Inc.", OU = ValiCert Class 2 Policy Validation Authority, CN = http://www.valicert.com/, emailAddress = info@valicert.com verify return:1 depth=2 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority verify return:1 (snip)
So there’s just something wrong with SSL on port 993. To make a long story short, I had to use the Enable-ExchangeCertificate to apply the SSL certificate to port 993. First, run “Get-ExchangeCertificate” to list the available certificates and retrieve the Thumbprint.
[PS] C:\Windows\system32>Get-ExchangeCertificate Thumbprint Services Subject ---------- -------- ------- yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy .P.... CN=exch2010fe1 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx I..W.. CN=webmail.example.com, OU=Domain Control Validated, O=webmail.ex...
Copy & paste the thumbprint for whichever cert you want to use into Enable-ExchangeCertificate:
[PS] C:\Windows\system32>Enable-ExchangeCertificate -ThumbPrint xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -Services IIS,P OP,IMAP -DoNotRequireSSL [PS] C:\Windows\system32>Get-ExchangeCertificate Thumbprint Services Subject ---------- -------- ------- yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy ...... CN=exch2010fe1 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx IP.W.. CN=webmail.example.com, OU=Domain Control Validated, O=webmail.ex...
After running that, imaps on port 993 worked perfectly. I can connect to it with both SquirrelMail and Thunderbird.
The SquirrelMail config looks like this:
IMAP Settings -------------- 4. IMAP Server : webmail.example.com 5. IMAP Port : 993 6. Authentication type : login 7. Secure IMAP (TLS) : true 8. Server software : exchange 9. Delimiter : detect
Edit Feb 15, 2011: I just renewed the SSL cert and ran into a problem with a Ruby script that was suddenly unable to check a mailbox over IMAPS. The error received was:
/usr/lib/ruby/1.8/net/imap.rb:898:in `connect': unknown protocol (OpenSSL::SSL::SSLError)
from /usr/lib/ruby/1.8/net/imap.rb:898:in `initialize'
After a few minutes, I remembered this blog post and ran Enable-ExchangeCertificate and it worked again. Glad I wrote it down.
CONNECTED(00000003) 26831:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
Evan Hoffman's Blog 