IMAP & self-signed SSL certificates

[simmcrd]

I'm using the Email application. I get a "non-trusted certificate" error when setting up mail for IMAP. This is expected because I generally self-sign my certs. Though, what is not expected is that there seems to be no mechanism to accept non-trusted server certificates. No self-sign certs? That's a deal breaker. There has got to be a work-a-round.

 

[klotz]

If it doesn't accept CA-Cert, which is free http://www.cacert.org/ try go-daddy which is cheap. A self-signed cert gives you no value if you can't view the hash on the device before you accept it.

 

[solid]

I found a work around on another forum. I can't find it now but the gist of it is that you are selecting "SSL Always" or "TLS Always" in the security type column. The forum post I read said that these settings require the cert to be part of your valid keystore. If you set it to "SSL if available" or "TLS if available" (whichever is appropriate for your server config) then the android client will use the certs even if they are not trusted in your Keystore. I did that with the android client using my ssl ports (465 && 993) and that seemed to work. I have not tested if the data is encrypted because I am work. I will throw kismit against it when I get home to verify it is doing ssl. Supposedly this information is third(fourth?) hand from an actual Android developer but I am not one and have not verified it myself.

 

[simmcrd]

Thanks, but it does not work. I selected Security type "SSL (if available)" on my g1. After "checking incoming server settings" I get a "Setip could not finish / Username or password incorrect. () ". My server logs (linux) are:

Oct 24 13:38:16 axum cyrus/imaps[17759]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Oct 24 13:38:18 axum cyrus/imaps[17759]: badlogin: myrouter.mysite.com [192.168.1.1] plaintext robeks SASL(-13): authentication failure: checkpass failed

By the way, I have standard IMAP (port 143) blocked on my router, firewire, and server. I use IMAPS (port 993) only.

 

[sjandroid]

solid is correct, I have done this myself. simmcrd must be giving a bad username/password.

More discussion here:
http://code.google.com/p/android/issues/detail?id=1016

 

[simmcrd]

Thanks, that helped, but now I've reached another impasse. Whenever my laptop initiates an imaps session, a sasl password authentication is performed (against /etc/sasldb2 database). However, whenever I use my Android it performs a "login" authentication (against /etc/passwd). I find this odd because I thought the authentication scheme was strictly server-side determinant. Sanitized log snippets follow:

Laptop:

Oct 26 21:37:20 myserver cyrus/master[15106]: about to exec /usr/lib/cyrus/bin/imapd
Oct 26 21:37:20 myserver cyrus/imaps[15106]: executed
Oct 26 21:37:20 myserver cyrus/imaps[15106]: accepted connection
Oct 26 21:37:20 myserver cyrus/imaps[15106]: mystore: starting txn 2147485774
Oct 26 21:37:20 myserver cyrus/imaps[15106]: mystore: committing txn 2147485774
Oct 26 21:37:20 myserver cyrus/imaps[15106]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Oct 26 21:37:26 myserver cyrus/imaps[15106]: login: mylaptop.mydomain.com [192.168.1.1] myImapUserName CRAM-MD5+TLS User logged in
Oct 26 21:37:26 myserver cyrus/imaps[15106]: seen_db: user myImapUserName opened /var/lib/cyrus/user/m/myImapUserName.seen
Oct 26 21:37:26 myserver cyrus/imaps[15106]: open: user myImapUserName opened INBOX

android phone:

Oct 26 21:49:43 myserver cyrus/master[15278]: about to exec /usr/lib/cyrus/bin/imapd
Oct 26 21:49:43 myserver cyrus/imaps[15278]: executed
Oct 26 21:49:43 myserver cyrus/imaps[15278]: accepted connection
Oct 26 21:49:45 myserver cyrus/imaps[15278]: mystore: starting txn 2147485786
Oct 26 21:49:45 myserver cyrus/imaps[15278]: mystore: committing txn 2147485786
Oct 26 21:49:45 myserver cyrus/imaps[15278]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Oct 26 21:49:50 myserver cyrus/imaps[15278]: badlogin: mytmohostname.tmodns.net [xxx.xxx.xxx.xxx] plaintext myImapUserName SASL(-13): authentication failure: checkpass failed

In short, it's all the same until after "starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication".
After that, the laptop does succeeds a CRAM-MD5+TLS login, but the G1 fails a plaintext login

But when I attempt to sync up my Android phone with an IMAP mailbox that happens to have the same name as my shell login (i.e., name happens to be in both /etc/passwd and /etc/sasldb databases):

Oct 26 22:01:25 myservername cyrus/imaps[15374]: executed
Oct 26 22:01:25 myservername cyrus/imaps[15374]: accepted connection
Oct 26 22:01:26 myservername cyrus/imaps[15374]: mystore: starting txn 2147485791
Oct 26 22:01:26 myservername cyrus/imaps[15374]: mystore: committing txn 2147485791
Oct 26 22:01:26 myservername cyrus/imaps[15374]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Oct 26 22:01:26 myservername cyrus/imaps[15374]: login: myhostname.tmodns.net [xxx.xxx.xxx.xxx] myShellUserName plaintext+TLS User logged in
Oct 26 22:01:27 myservername cyrus/imaps[15374]: seen_db: user myShellUserName opened /var/lib/cyrus/user/m/myShellUserName.seen
Oct 26 22:01:27 myservername cyrus/imaps[15374]: open: user myShellUserName opened INBOX

Note it now uses "plaintext+TLS" to successfully login.
It puzzles me that my laptop resolves to "CRAM-MD5+TLS" authentication, but my android phone resolves to "plaintext+TLS". I wonder why.

I could probably resolve the matter by creating shell account for each imap user that has an Android. But I would rather not do that. The scope of this problem probably now exceeds the scope of the forum (it may very well be a linux problem). But I suspect as more Android users come on line, they might encounter the same complications. Any ideas?

 

[simmcrd]

Adding IMAP users to the /etc/passwd file (with /bin/false and /nonexistent home diectory) does succeed as a work around. But being that the password authentication is PLAIN, I am not sure whether or not it is sent in the clear. I'll kismet my network tomorrow and post my results.

 

[xaos]

i might also add that if you have special characters in your password you will get the message "Username or password incorrect. ()" as well. the mail app apparently does not process special characters correctly.

 

[simmcrd]

Thanks, but the passwd had already been changed early to a simple English word. No dice.

 

[johndroid]

I found a work around on another forum. I can't find it now but the gist of it is that you are selecting "SSL Always" or "TLS Always" in the security type column. The forum post I read said that these settings require the cert to be part of your valid keystore. If you set it to "SSL if available" or "TLS if available" (whichever is appropriate for your server config) then the android client will use the certs even if they are not trusted in your Keystore. I did that with the android client using my ssl ports (465 && 993) and that seemed to work. I have not tested if the data is encrypted because I am work. I will throw kismit against it when I get home to verify it is doing ssl. Supposedly this information is third(fourth?) hand from an actual Android developer but I am not one and have not verified it myself.

This worked for me on my Samsung Moment (1.5 cupcake) using the 'email' app, which I've setup for my work mail. I use the 'gmail' for my home email to segregate the two.