Kevin-
I found the problem. Since you can't import private keys to a keystore using keytool, I built my private key and my CSR on a new store.
When I was building this store/private key, I used the default Tomcat password "changeit" instead of zimbra.
When I found out that Zimbra's Tomcat setup was using "zimbra" as the keystore password, I changed the setting in server.xml rather than change the password on my keystore/private key. This proved to be the problem, as it appears the IMAP/POP apps access the keystore directly, and I imagine they are hard-coded to use the keystore password zimbra.
Everything works fine after changing the keypass and the storepass to zimbra.
bp