POP3 polling does not work (yet)

[philzli]

Hi all,

I've just set up my zimbra installation and am able to send emails.

I'm now trying to poll a POP3 account using the new feature build in v4.5.

When I try to test my settings I get an instant 'Error: Connect failed'.

I tried using IP and DNS, with and without SSL (port 110 / 995, AFAIK my pop3-hoster supports SSL just fine, although I don't know if the certificate is valid they use).

Does anybody know which log-files I should check for more verbose error messages? Is there a list what kind of messages/components are logged where?

[bburtin]

The error would be in /opt/zimbra/log/mailbox.log. We don't currently support POP3 servers that don't have valid certificates. If you need this functionality, please file a bug.

[philzli]

Thanks.

It looks like I haven't got the correct CA Certificate.

Is it correct that I have to install it into tomcat's keystore?
(documentation)

If yes, that would propably mean I would have to restart tomcat right?

[bburtin]

I don't think you need to add the certificate on the client side. I was able to POP my GMail account without having to do this. The only requirement is that the POP3 server has to have a signed certificate.

[philzli]

Err, I truly hope this is not the case (or I'm misunderstanding you or the other way around):

If I would not need the CA Certificate, then I could make a POP3 Server using a certificate which I could sign using a 'fake' verisign or trustcenter or what ever CA Cert. My connection would be encrypted etc., but then I should also allow self-signed and invalid (no longer valid for example) certificates as they feature the same amount of Man-in-the-middle protection ( = none).

For fetchmail (no zimbra needed) you need to download the Equifax CA Certificate, so I guess you have to place the CA Cert in Zimbra _somewhere_.

My question is... where? :-)

Update/Added:
The problem is described here. I get the "unable to find valid certification path to requested target" which for sounds like I need the CA Cert, but it does not have be that..

[philzli]

To answer my own question:

The CA Certificates / Trusted Public Keys are to be found at:
/opt/zimbra/jdk1.5.0_08/jre/lib/security/cacerts


To list the contents go to that directory and type:
../../../bin/keytool -list -keystore cacerts

(when asked for the password just press enter)

Mine contains 44 certificates, 4 by equifax, which explains why Gmail works just fine while my server does not.

To add a certificate you currently have to use the keytool that comes with the JDK. There are also GUI tools out there to help, like keyman by IBM and portcle which is GPL'd and quit nice.

I'll file a request for enhancement for this as it is a not-to-uncommon thing to do. Even big CAs like verisign change/add new certificates once in a while.

Link to bug/enhancement: Bug #16753