#1 (permalink)
07-17-2009, 05:11 AM
Active Member
Posts: 36

Disable option for TLS mode on POP and/or IMAP

Hi

I need a quick solution here...
I've searched forums and found nothing that worked.

Basically we want a web client (not zimbra) to connect on POP3 or IMAP port.

Here's the catch.
When that web client establishes a connection, the first thing it tries is entering TLS mode. With other clients it works well (TB..)
But the certificate is self-signed and that causes an SSL handshake exception.

Sure they could just accept certificate, but it's a government institution.
Zimbra is intranet..

They want us to disable option for TLS mode on POP and/or IMAP
(they don't want to reprogram their webclient)

I've tried various options in admin console and shell but nothing helped.
I can always enter into TLS mode.

Quote:
javamail_imap_debug = false
javamail_imap_enable_starttls = false
javamail_imap_test_timeout = 20
javamail_imap_timeout = 20
javamail_pop3_debug = false
javamail_pop3_enable_starttls = false
javamail_pop3_test_timeout = 20
javamail_pop3_timeout = 20
javamail_smtp_debug = false
javamail_smtp_enable_starttls = true
javamail_smtp_timeout = 60
Thanks for zimbra

Last edited by Aleks; 07-17-2009 at 05:15 AM..

#2 (permalink)
07-17-2009, 11:49 AM
Outstanding Member
Posts: 594

Did you try changing :

zmprov gs `zmhostname` | grep zimbraReverseProxyPop3StartTlsMode

output of "only" to "on" ?

#3 (permalink)
07-20-2009, 05:21 AM
Active Member
Posts: 36

Quote:
Originally Posted by veronica View Post
Did you try changing :

zmprov gs `zmhostname` | grep zimbraReverseProxyPop3StartTlsMode

output of "only" to "on" ?
Quote:
~> zmprov gs `zmhostname` | grep zimbraReverseProxyPop3StartTlsMode
zimbraReverseProxyPop3StartTlsMode: only
~> zmprov gs `zmhostname` | grep zimbraReverseProxyImapStartTlsMode
zimbraReverseProxyImapStartTlsMode: only
I've changed ProxyPop3 and ProxyImap to mode "on" and "off" and it didn't help.
Quote:
zmprov ms `zmhostname` zimbraReverseProxyImapStartTlsMode on
zmprov ms `zmhostname` zimbraReverseProxyPop3StartTlsMode on
Quote:
zmprov ms `zmhostname` zimbraReverseProxyPop3StartTlsMode off
zmprov ms `zmhostname` zimbraReverseProxyImapStartTlsMode off
It still offers TLS mode...
I'm running out of ideas...
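
Added example, not part of any post in this thread: whether a server still offers TLS on the plain port can be read from what it advertises in IMAP `CAPABILITY` (RFC 3501, RFC 2595) or POP3 `CAPA` (RFC 2449). The transcripts below are constructed, the function names are hypothetical, and mapping the result onto the `on`/`off`/`only` values used above is this example's assumption, not Zimbra's own logic.

```python
import re

# Constructed sample transcripts (not captured from the server in this thread).
IMAP_ONLY = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready\r\n"
IMAP_ON = ("* OK server ready\r\n"
           "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN\r\n"
           "a1 OK CAPABILITY completed\r\n")
IMAP_OFF = "* CAPABILITY IMAP4rev1 AUTH=PLAIN\r\na1 OK done\r\n"
POP3_ON = "+OK Capability list follows\r\nTOP\r\nUSER\r\nSTLS\r\nUIDL\r\n.\r\n"
POP3_OFF = "+OK Capability list follows\r\nTOP\r\nUSER\r\nUIDL\r\n.\r\n"

def imap_capabilities(transcript):
    """Collect atoms from untagged CAPABILITY responses and from a
    [CAPABILITY ...] response code in the greeting."""
    caps = set()
    for line in transcript.splitlines():
        m = (re.match(r"\* CAPABILITY (.+)$", line, re.I)
             or re.search(r"\[CAPABILITY ([^\]]+)\]", line, re.I))
        if m:
            caps.update(atom.upper() for atom in m.group(1).split())
    return caps

def pop3_capabilities(transcript):
    """Collect capability tags from a multi-line CAPA response."""
    lines = transcript.splitlines()
    if not lines or not lines[0].startswith("+OK"):
        return set()
    caps = set()
    for line in lines[1:]:
        if line == ".":          # terminator of the multi-line response
            break
        if line.strip():
            caps.add(line.split()[0].upper())
    return caps

def classify(protocol, transcript):
    """Label the plain-port behaviour 'only', 'on' or 'off' (assumed mapping)."""
    if protocol == "imap":
        caps = imap_capabilities(transcript)
        starttls, plain_ok = "STARTTLS" in caps, "LOGINDISABLED" not in caps
    else:
        caps = pop3_capabilities(transcript)
        # Heuristic: a server that withholds USER before STLS requires TLS first.
        starttls, plain_ok = "STLS" in caps, "USER" in caps
    if not starttls:
        return "off"
    return "on" if plain_ok else "only"
```

Checking the advertised capabilities on the exact port the client connects to shows whether a setting change reached the listener that client is actually talking to.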

#4 (permalink)
07-20-2009, 05:29 AM
Active Member
Posts: 36

Version: 5.0.16_GA_2921.SuSEES10_20090429025523

In the admin console the checkbox "This server is a reverse proxy lookup target" is set.
On the MTA tab the TLS checkbox is unchecked.
In the POP and IMAP tabs the services are enabled and SSL.
The clear text login checkbox is also checked but is blended... (cannot uncheck it)

#5 (permalink)
07-20-2009, 06:18 AM
raj
Moderator
Posts: 768

Many MTA settings are taken from GLOBAL settings. Please go to the global settings MTA tab and uncheck it. It will show up the same in server settings.

Raj
__________________
i2k2 Networks
Dedicated & Shared Zimbra Hosting Provider

#6 (permalink)
07-22-2009, 07:22 AM
Active Member
Posts: 36

Thanks for reply raj.

I'm more interested in how to disable TLS mode on IMAP.
I do not have a clue how to do it and it is urgent.
Is it possible?

Best regards, Aleks

#7 (permalink)
07-22-2009, 07:31 AM
Intermediate Member
Posts: 19

Another idea is to investigate purchasing a cert from a CA and installing it on your server. That cert would be trusted by the client app and should work correctly. More secure that way as well as you get encrypted traffic at that point.

#8 (permalink)
07-22-2009, 08:00 AM
Active Member
Posts: 36

Quote:
Originally Posted by cmcbride View Post
Another idea is to investigate purchasing a cert from a CA and installing it on your server. That cert would be trusted by the client app and should work correctly. More secure that way as well as you get encrypted traffic at that point.
Thanks for quick reply cmcbride!!

I did that today. I thought this would be great solution but the problem remains.

When I was generating the CSR in the admin console, I had to type in a ref. number in the CN instead of the server name (requested by the CA). I got an error in admin.
I had to manually generate a custom CSR and send it to the CA to generate and retrieve the crt. They replaced the CN with the proper CN. I don't know if this is the problem, but Thunderbird pops up messages like "mail.domain.com" does not match "".

So I'm back at the start again...

#9 (permalink)
07-22-2009, 08:05 AM
Active Member
Posts: 36

And some logs...

Quote:
2009-07-22 15:14:15,578 INFO [ImapServer-35] [] imap - [172.24.240.101] connected
2009-07-22 15:14:15,677 INFO [ImapServer-35] [] ProtocolHandler - Exception occurred while handling connection
javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:117)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1650)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:925)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1089)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1116)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1100)
    at com.zimbra.cs.imap.TcpImapHandler.doSTARTTLS(TcpImapHandler.java:161)
    at com.zimbra.cs.imap.ImapHandler.executeRequest(ImapHandler.java:640)
    at com.zimbra.cs.imap.TcpImapHandler.processCommand(TcpImapHandler.java:124)
    at com.zimbra.cs.tcpserver.ProtocolHandler.processConnection(ProtocolHandler.java:160)
    at com.zimbra.cs.tcpserver.ProtocolHandler.run(ProtocolHandler.java:128)
    at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:595)
2009-07-22 15:14:15,678 INFO [ImapServer-35] [] ProtocolHandler - Handler exiting normally
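
Added example, not part of any post in this thread: a small triage script for log entries shaped like the one above. In a Java stack trace "Received fatal alert" means the alert was sent by the peer, so `unknown_ca` here records a client that could not build a chain from the server's certificate to a CA it trusts. The function names are hypothetical, and the second connection in the sample (`ImapServer-36`, `192.0.2.10`) is constructed.

```python
import re
from collections import Counter

# Sample input: the first connection is abridged from the log in the post above;
# the second one (ImapServer-36) is constructed for illustration.
SAMPLE_LOG = """\
2009-07-22 15:14:15,578 INFO [ImapServer-35] [] imap - [172.24.240.101] connected
2009-07-22 15:14:15,677 INFO [ImapServer-35] [] ProtocolHandler - Exception occurred while handling connection
javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
at com.zimbra.cs.imap.TcpImapHandler.doSTARTTLS(TcpImapHandler.java:161)
at java.lang.Thread.run(Thread.java:595)
2009-07-22 15:14:15,678 INFO [ImapServer-35] [] ProtocolHandler - Handler exiting normally
2009-07-22 15:20:01,100 INFO [ImapServer-36] [] imap - [192.0.2.10] connected
2009-07-22 15:20:01,350 INFO [ImapServer-36] [] ProtocolHandler - Handler exiting normally
"""

ENTRY = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3} \w+ +\[([^\]]+)\] \[[^\]]*\] (.*)$")
CONNECTED = re.compile(r"\[([0-9a-fA-F.:]+)\] connected$")
ALERT = re.compile(r"SSLHandshakeException: Received fatal alert: (\w+)")

def starttls_failures(log_text):
    """Return (client_ip, alert, in_starttls) for each handshake the client aborted."""
    client_by_thread, failures = {}, []
    thread, pending = None, None
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if entry:                       # a new timestamped entry ends any stack trace
            if pending:
                failures.append(tuple(pending))
            pending, thread = None, entry.group(1)
            conn = CONNECTED.search(entry.group(2))
            if conn:
                client_by_thread[thread] = conn.group(1)
            continue
        alert = ALERT.search(line)
        if alert:                       # continuation line: the exception itself
            pending = [client_by_thread.get(thread, "unknown"), alert.group(1), False]
        elif pending and ".doSTARTTLS(" in line:
            pending[2] = True           # stack frame shows the STARTTLS upgrade path
    if pending:
        failures.append(tuple(pending))
    return failures

def alerts_by_client(log_text):
    """Count aborted handshakes per (client IP, TLS alert)."""
    return Counter((ip, alert) for ip, alert, _ in starttls_failures(log_text))
```

Grouping by client and alert separates one client with a trust-store problem from a certificate that every client rejects.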

#10 (permalink)
05-17-2012, 06:53 PM
Starter Member
Posts: 2

Quote:
Originally Posted by Aleks View Post
Thanks for reply raj.

I'm more interested in how to disable TLS mode on IMAP.
I do not have a clue how to do it and it is urgent.
Is it possible?

Best regards, Aleks

I'm Gail and new here. This is EXACTLY what I need to do. Did you find a solution? It's affecting everything... HELP!!!