Solved

Cannot get SSL IMAP to work

Posted on 2009-05-01
Last Modified: 2013-11-05
I am not sure what I did since I had SSL IMAP working for a little while - I am trying to set it up so that I can get an outside client to connect up & send/receive emails using SSL IMAP.  I thought I had all of the security correct, but I was hoping that someone would have some good documentation on what the security should be on the IMAP & the SMTP for both the front end Exchange Server (2003) & the back-end Exchange server (2003).  I think that the issue has something to do with the fact that I cannot check the box "Simple Authentication and Security Layer" in the Access properties of the front-end server (even though it is checked on the back-end).  

An example is, if I set up the IMAP client to require secure authentication, it says that this server does support secure authentication.

Is there anything that I am missing?

Thanks!
Question by:rustyrpage
29 Comments
 
LVL 65

Accepted Solution

by:
Mestha earned 2000 total points
ID: 24283790
The backend does not need anything set on it, because the frontend server does that work. The communication between the two servers is done by Exchange over MAPI.

Do you have a certificate on the IMAP server?

Simon.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24283794
Yes - I have a certificate working for everything else on the front-end server... so are you saying that for IMAP on the back-end, it should be completely open authentication (none of the three Authentication boxes checked)?
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24283808
But why can't I check the box on the front-end server for Simple Authentication and Security Layer?  I would think that's the issue.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24284433
What I meant was is the certificate installed on the IMAP server? If you run the certificate wizard does it show the certificate? You have to install the certificate for each service in turn.

Simon.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24295426
Oh, sorry - yes, I have installed the certificate for the IMAP server (using the same one I use for RPC over HTTPS & OWA)
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24317002
Any other ideas?  It has to be something that I am missing.

I know that port 993 is open on my firewall (tested it using ShieldsUp), but if I telnet to servername 993, it just is a flashing cursor.

Can anyone else provide some insight as to why this wouldn't be working.

I need to get IMAP working either with SSL or TLS for our new message archiving system.

Thanks!
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24319620
Flashing cursor means the connection cannot be made. From memory you should get at least the banner.

Simon.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24319633
Actually - testing it again today, I don't even get a flashing cursor - but I have confirmed that the port is open, so I think the Exchange server is blocking it for some reason - any other ideas?
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24328019
Exchange wouldn't be blocking it. It doesn't have that capability other than connection restrictions. Third-party applications can block it, as can firewalls.

Simon.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24328033
I'm thinking it's more something along the lines that port 993 isn't listening on the server because the IMAP isn't set up correctly.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24328435
The attached picture is the connection screen for IMAP4 - aren't I supposed to be able to check the bottom box?
Cannot-Select.bmp
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24331778
Is that on the backend or the frontend server?

Simon.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24331861
That is the front-end.  The backend has all three boxes checked & is working fine.

Any other ideas what it could be?  Do you have a document that shows every setting that needs to be checked etc. for SSL-based IMAP to work?
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24346428
As far as I was aware the authentication settings are controlled by the backend. That screenshot you have posted would tend to point to that as well. Therefore I do not think your inability to change those options on the frontend server has anything to do with it.

Alas I have nothing on the setup. On the few occasions I have set this up it has just worked. Apply the SSL certificate, ensure that it is listening on the relevant port, job done.

Simon.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24346653
What's weird is I did have it working for a little while & I remember all three boxes being checked/checkable.  I would think that if it was inheriting it from the back-end that it would at least show it as being checked since the back-end is.  Also - with two back-ends, how would it know which one to inherit from?
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24346673
How can I test to see if it is listening on port 993 again?
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24354104
Telnet to port 993. You should get some kind of response.

Simon.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24354949
I do not get any response, it just sits at the "connecting to ............." - however, I have confirmed through ShieldsUp that port 993 IS open.  Wouldn't that point to Exchange not listening on that port?
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24359430
The only thing I can suggest is to use a utility to confirm what process has the port open.
http://www.nirsoft.net/utils/cports.html

Simon.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24426273
Even if I telnet to localhost 993, it still says *Bye Connection Refused.

Any other ideas?
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24426294
By the way, CPorts shows nothing running on 993! How is that possible!!
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24426314
I take it back, it is listening on port 993, this is what it says though:
Port993.bmp
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24426373
There doesn't appear to be anything wrong there.
The listening on 0.0.0.0 just means it is listening on all IP addresses. If you check port 80/443 for web services, you should see something similar - unless you have changed it from All Unassigned to a specific IP address.

Simon.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24426392
If I change IMAP to a specified IP, then instead of getting a *Bye Connection Refused when telnet localhost 993, I just get a flashing cursor.

What else could be going on here?  I really need to get this up & rolling.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24427056
I THINK I found the issue - I went to each of my back-ends & turned off all security (Require TLS/SSL etc.) for POP3 & IMAP.  Then I set it only at the front-end (still cannot check that third box though) & set the front-end connection to require encryption.  Once I restarted the services on all 5 of my servers, I was able to successfully poll from my message-archiving service.  A few questions though:

1) How can I ensure that it is sending the password encrypted?  (I am assuming that the data is encrypted since it is on 993 & 995, and ports 143 & 110 are blocked at the firewall)

2) Our message archiving service provides two subnets of IP addresses, I put them in the ONLY allow connections from these IP addresses for the POP3 & IMAP settings, is that fairly secure, or should I work on putting those rules into my Cisco ASA also?

3) Does that sound like what would be causing the problem?

Thanks Mestha for sticking around.
0
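As an added example (not code from the thread), a small Python probe that addresses question 1 above: it performs the TLS handshake that a bare telnet never sends on 993, reads the IMAP greeting, and inspects the advertised capabilities to flag whether a client could send its password in the clear. The host name and the sample CAPABILITY lines are constructed assumptions.

```python
import socket
import ssl

# Constructed sample CAPABILITY lines (assumptions, not captured from the asker's servers).
SAMPLE_CAPS_IMPLICIT_TLS = "* CAPABILITY IMAP4rev1 IDLE AUTH=NTLM AUTH=GSSAPI"
SAMPLE_CAPS_PLAIN_OK = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=GSSAPI"
SAMPLE_CAPS_PLAIN_WEAK = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN"


def assess(caps_line: str, over_tls: bool) -> dict:
    """Judge whether a client could send its password in the clear.

    over_tls=True means the socket itself is TLS (port 993), so LOGIN is
    encrypted whatever the capabilities say.  On port 143 the server must
    advertise LOGINDISABLED and no AUTH=PLAIN/AUTH=LOGIN until STARTTLS
    has completed; otherwise a client may authenticate before upgrading.
    """
    caps = set(caps_line.split()[2:]) if caps_line.startswith("* CAPABILITY") else set()
    login_disabled = "LOGINDISABLED" in caps
    clear_sasl = bool(caps & {"AUTH=PLAIN", "AUTH=LOGIN"})
    return {
        "encrypted_channel": over_tls,
        "starttls": "STARTTLS" in caps,
        "login_disabled": login_disabled,
        "password_may_leak": (not over_tls) and (clear_sasl or not login_disabled),
    }


def probe(host: str, port: int = 993, timeout: float = 5.0) -> dict:
    """Connect, complete the TLS handshake first on 993 (implicit TLS), read the
    '* OK' greeting, then issue CAPABILITY and assess the reply."""
    raw = socket.create_connection((host, port), timeout=timeout)
    if port == 993:  # telnet stalls here because the server waits for a ClientHello
        raw = ssl.create_default_context().wrap_socket(raw, server_hostname=host)
    with raw as sock, sock.makefile("rb") as f:
        result = {"greeting": f.readline().decode(errors="replace").strip()}
        sock.sendall(b"a1 CAPABILITY\r\n")
        caps_line = ""
        while True:
            line = f.readline().decode(errors="replace").strip()
            if line.startswith("* CAPABILITY"):
                caps_line = line
            if not line or line.startswith("a1 "):  # tagged line ends the reply
                break
        result.update(assess(caps_line, over_tls=(port == 993)))
        if port == 993:  # subject of the certificate the server actually presented
            result["cert_subject"] = dict(rdn[0] for rdn in sock.getpeercert()["subject"])
        sock.sendall(b"a2 LOGOUT\r\n")
    return result
```

Call `probe("<front-end public name>")` for the implicit-TLS check on 993, and `probe(host, 143)` to confirm that the plaintext port, wherever it is still reachable, refuses LOGIN before STARTTLS.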
 
LVL 65

Expert Comment

by:Mestha
ID: 24429773
Personally I prefer restrictions to be placed at the border, so on the firewall, rather than on the server. It probably doesn't matter a great deal, but I think connection restrictions are a firewall job.

As for knowing whether the traffic is secure, you cannot be 100% sure, like when you access an HTTPS site. Is that really secure? There is an awful lot of trust involved. Using the secure port should be enough.

Simon.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24431454
I am pretty sure the actual data is secure, I am more concerned about the authentication, but since it is on that port & I checked the requires encryption, I am assuming that is as secure as can be.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24432252
That is almost as much as you can do. Logging on IMAP might show you a bit more, but that is about it.

Simon.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24432284
Great - thanks a lot for your help!
0