External IMAP account forces TLS when I don't want it

[halfgaar]

(edit: hmm, it works now. I disabled starttls on the server again and now it works...)

Hi,

I'm migrating my mail to zimbra, but I'm running into problems. I need to import my existing mail from my Imap server (running on my desktop PC). I can't upload to zimbra, because Thunderbird just stops after a while. So, I need to use the external account feature of Zimbra.

However, when I try to connect, it says this:

Quote:

d2:CN22:halfgaar.kicks-ass.net1:O24:Internet Widgits Pty Ltd2:OU0:6:accept4:true5:alias26:localhost:AD30F7E 036BD704D4:fromi1283591878000e4:host9:localhost3:i cn22:halfgaar.kicks-ass.net2:io24:Internet Widgits Pty Ltd3:iou0:3:md532:2E1712109A87D760F23FB140F655247E 8:mismatch5:false1:s16:AD30F7E036BD704D4:sha140:47 18B4E622EA6B19D877CA6D73655DD20A6214032:toi1598951 878000ee

I connect through an SSH tunnel to port 143, (local port 1900 to remote 143). Seeing as how it mentions certificate info like halfgaar.kicks-ass.net (my home address) and Internet Widgists, it is clear it communicates through TLS, because it can't know that otherwise. But, my certificate is self signed, so it gives an error.

When I disable STARTTLS in the server, it gives a timeout.

This post was of no help.

My server is configured with:

- zmtlsctl both (although that applies to the webserver, afaik)
- zmlocalconfig -e ssl_allow_accept_untrusted_certs=true
- zmlocalconfig -e data_source_trust_self_signed_certs=true

I did zmcontrol restart to no avail.

I also tried connecting directly with SSL port 993. Same problem.

Anybody know the solution? Or perhaps another way to import mail?

[meesha]

We have the same problem...

Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: d2:CN19osta.casablanca.cz1:O14:Casablanca INT2:OU0:6:accept4:true5:alias22osta.casablanca. cz:6E4:fromi1296638416000e4:host19osta.casablanc a.cz3:icn17:Casablanca INT CA2:io14:Casablanca INT3:iou0:3:md532:C2F61F9F42CC4386D7F7649ABBEB4FAF 8:mismatch5:false1:s2:6E4:sha140:0AC8E1B8FFB0AAE5C 6FF537B67685F8E1F87720F2:toi1328174416000ee
at com.sun.net.ssl.internal.ssl.Alerts.getSSLExceptio n(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(S SLSocketImpl.java:1649)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Ha ndshaker.java:241)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Ha ndshaker.java:235)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serv erCertificate(ClientHandshaker.java:1206)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.proc essMessage(ClientHandshaker.java:136)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoo p(Handshaker.java:593)
at com.sun.net.ssl.internal.ssl.Handshaker.process_re cord(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRec ord(SSLSocketImpl.java:893)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.perform InitialHandshake(SSLSocketImpl.java:1138)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHa ndshake(SSLSocketImpl.java:1165)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHa ndshake(SSLSocketImpl.java:1149)
at com.zimbra.common.net.CustomSSLSocket.startHandsha ke(CustomSSLSocket.java:90)
at com.zimbra.cs.mailclient.MailConnection.startTls(M ailConnection.java:100)
at com.zimbra.cs.mailclient.MailConnection.connect(Ma ilConnection.java:84)
at com.zimbra.cs.datasource.imap.ConnectionManager.ne wConnection(ConnectionManager.java:145)
... 40 more


- Certificate is not self-signed, is signed by self CA.
- Certificate is not expired.
- SSL3 is supported by target server.

What should I do for success connect to IMAP account?

I am not able to connect to External IMAP/POP3 account in webmail.
I am not able to use Migration Wizard, there is the same error.

Thank you for your help.
Michael

[meesha]

Hi, did you already resolved this problem? We have the same...

Thanks,
Michael

Quote:

Originally Posted by halfgaar

(edit: hmm, it works now. I disabled starttls on the server again and now it works...)

Hi,

I'm migrating my mail to zimbra, but I'm running into problems. I need to import my existing mail from my Imap server (running on my desktop PC). I can't upload to zimbra, because Thunderbird just stops after a while. So, I need to use the external account feature of Zimbra.

However, when I try to connect, it says this:



I connect through an SSH tunnel to port 143, (local port 1900 to remote 143). Seeing as how it mentions certificate info like halfgaar.kicks-ass.net (my home address) and Internet Widgists, it is clear it communicates through TLS, because it can't know that otherwise. But, my certificate is self signed, so it gives an error.

When I disable STARTTLS in the server, it gives a timeout.

This post was of no help.

My server is configured with:

- zmtlsctl both (although that applies to the webserver, afaik)
- zmlocalconfig -e ssl_allow_accept_untrusted_certs=true
- zmlocalconfig -e data_source_trust_self_signed_certs=true

I did zmcontrol restart to no avail.

I also tried connecting directly with SSL port 993. Same problem.

Anybody know the solution? Or perhaps another way to import mail?

[phoenix]

Quote:

Originally Posted by meesha

Hi, did you already resolved this problem? We have the same...

Did you read this line in the first post:

Quote:

Originally Posted by halfgaar

(edit: hmm, it works now. I disabled starttls on the server again and now it works...)

[meesha]

Okey, I missed it. But it is not my possible solution. I need connect to the server, because I am not able change configuration (disable STARTTLS). Do you know, how to fix it on the client - Zimbra side?

Quote:

Originally Posted by phoenix

Did you read this line in the first post:

[halfgaar]

I don't know of a client side solution. Perhaps you can work around it by somehow putting your mail in an IMAP server you set up yourself? Will your mail provider give you your server-side maildir in a tar.gz if you ask for it? If so, you can unpack it to your own machine on which you install an IMAP server.

BTW: a friend of mine did find out why Thunderbird just stalls on uploading IMAP messages. He found that every message larger than a certain number of bytes would crash the process. I don't know how big, though...

And another thing. I don't know if there is a solution for it already (there wasn't when I did it), but mail should be imported oldest-to-newest, to make sure your conversations are detected properly. The Migration wizard can do that, but that wizard has no support to download from IMAP.

[meesha]

I am able to do migration in other way - with imapsync. But what I cannot do different, is Preferences->Accounts->Add external account->IMAP/POP3. We are testing Zimbra before implementation. Our testing users found this problem with add external account.
Our users have some external accounts on several IMAP servers (different server software/demons), where is impossible change configuration because of Zimbra client.
I have tried 3 of them and everywhere is the same problem - mismatch certificates, that's why it is propably problem with client (Zimbra).

Quote:

Originally Posted by halfgaar

I don't know of a client side solution. Perhaps you can work around it by somehow putting your mail in an IMAP server you set up yourself? Will your mail provider give you your server-side maildir in a tar.gz if you ask for it? If so, you can unpack it to your own machine on which you install an IMAP server.

BTW: a friend of mine did find out why Thunderbird just stalls on uploading IMAP messages. He found that every message larger than a certain number of bytes would crash the process. I don't know how big, though...

And another thing. I don't know if there is a solution for it already (there wasn't when I did it), but mail should be imported oldest-to-newest, to make sure your conversations are detected properly. The Migration wizard can do that, but that wizard has no support to download from IMAP.

[halfgaar]

Is there a bug report about it? Of not, you can always report it. Include a link to this forum post. It has information and confirmation of the bug.

[meesha]

How to disable default starttls in zimbra to access external IMAP?

zmlocalconfig -e javamail_imap_enable_starttls=false
zmmailboxdctl restart

Do it under the zimbra user to avoid problem with permissions of config file.

[jlguallar]

I had the same issue.

meesha instructions above solved my issue.

I run Zimbra 7.1.4 OpenSource edition on RHEL x86-63

Thanks meesha!