
IMAP access to Exchange 2016 server from Mac OSX

Alexandre Takacs
on
355 Views
Last Modified: 2017-06-08
We have just deployed an Exchange 2016 server and overall it works well.

We have, however, an issue with IMAP access from Mac OS X (latest builds, using either Mail.app or Thunderbird). We can't seem to authenticate:

21:46:53 Running action
21:46:53 Sending request (3690)
21:46:53 Handling request
21:46:53 Ready to run action (retry count: 0)
21:46:53 Clearing connection to exchange.genericdomain.ch
21:46:53 Trying to connect to exchange.genericdomain.ch on port 993 (CFNetwork) without STARTTLS (required)
21:46:53 Resolved hostname (exchange.genericdomain.ch).
21:46:53 Prepare secure connection...
21:46:53 Successful connection.
21:46:53 Initiating secure connection...
21:46:53  Returned (4)...
21:46:53 Protocol version: kTLSProtocol12
21:46:53 S: * OK The Microsoft Exchange IMAP4 service is ready.
21:46:53 C: A0 CAPABILITY
21:46:53 S: * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=NTLM AUTH=GSSAPI SASL-IR UIDPLUS MOVE ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+
21:46:53 S: A0 OK CAPABILITY completed.
21:46:53 Retrieving password (keychain or user request)
21:46:53 C: A1 AUTHENTICATE PLAIN ••••••••••
21:46:53 S: A1 NO AUTHENTICATE failed.
21:46:53 Error: Server response: “A1 NO AUTHENTICATE failed.”. Command attempted: “A1 AUTHENTICATE PLAIN ••••••••••”.
21:46:53 Retrieving password (keychain or user request)
21:47:13 C: A2 AUTHENTICATE PLAIN ••••••••••
21:47:13 S: * BYE Connection is closed. 12
21:47:13 S: <<< terminated reading >>>
21:47:13 Error code: 9
21:47:13 Failed action (1000). Reset observed read/write timeouts: 8/8



Am I missing something here? My credentials are correct as they work with OWA.

CERTIFIED EXPERT

Commented:
My guess is the server rejects plain authentication.
macOS's mail client is known for not trying anything else when PLAIN is rejected, while most other clients will try some encrypted scheme or all possible schemes before they abort, even if plain auth was rejected.


You need to configure the client to use something else than plain authentication. Try CRAM-MD5, GSSAPI (Kerberos), NTLM, or whatever Mail proposes.

OR

Configure your server / proxy so it does not announce AUTH=PLAIN if it rejects it.

OR

Allow the plain auth mechanism on the server, at least when the connection is SSL (which should be the case by default on Exchange AFAIK).

Author

Commented:
Well, I can't seem to be able to log in, regardless of the client software (my benchmark is Thunderbird on both Mac OS and Windows).

Staying in Mac OS I do:

Alexandres-MacBook-Pro:~ alex$ openssl s_client -connect exchange.genericdomain.com:993 -crlf
CONNECTED(00000003)
depth=1 /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=CH/L=Nyon/O=genericdomain SA/CN=*.genericdomain.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=CH/L=Nyon/O=genericdomain SA/CN=*.genericdomain.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 2660 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: DC120000D6F653F51961740812E0D5D72F7B27BC2135F5158EFBCD893E186A20
    Session-ID-ctx: 
    Master-Key: 8BE2D15BD6537020CFDE7739F26FED3BDB14D1063063F1BA6258453940C02DDC748DA6CBF148B245D8A426D740EBAD06
    Key-Arg   : None
    Start Time: 1491506143
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---


at which point I would expect to be able to log in with

0 LOGIN username password


However, I can't seem to find any combination of known and validated user / pass that works...

I have tried

  • username
  • domain\username
  • username@domain
  • e-mail address

to no avail - always get

0 NO LOGIN failed.



Any idea?
CERTIFIED EXPERT

Commented:
please paste the output of the 'capacity' imap command

Author

Commented:
I guess you meant CAPABILITY? In any case, this only works once logged in.
CERTIFIED EXPERT

Commented:
Oops, my bad. CAPABILITY is usually provided in the server's banner and it is available before authentication.

Typically, it contains a bunch of strings such as AUTH=PLAIN, AUTH=CRAM-MD5, AUTH=NTLM, AUTH=GSSAPI, ...

You need to send a string such as "x CAPABILITY" because IMAP commands are the second word of the line. The first is a mandatory tag which will be repeated in the answer.

Example:
$ nc imap.free.fr 143
* OK IMAP4 ready
x CAPABILITY 
* CAPABILITY IMAP4REV1 X-NETSCAPE LOGIN-REFERRALS AUTH=PLAIN
x OK completed


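As an added example (not code from the thread, nor anything shipped by Microsoft or Apple), the exchange the expert describes can be scripted: open the implicit-TLS connection on port 993 the way the author did with openssl s_client, read the banner, send a tagged CAPABILITY, and parse the AUTH= mechanisms out of the reply. The assessment function then flags exactly the situation under discussion, AUTH=PLAIN being advertised. The sample replies embedded below are constructed: one reproduces the Exchange 2016 reply quoted in this thread, the other is a made-up pre-STARTTLS banner; the tag "x" and the hostname passed on the command line are arbitrary.

```python
import re
import socket
import ssl

# Matches either an untagged "* CAPABILITY ..." reply or a greeting of the form
# "* OK [CAPABILITY ...] ..." (some servers embed capabilities in the banner).
CAP_RE = re.compile(
    r"^\* (?:CAPABILITY\s+([^\r\n]*)|OK \[CAPABILITY\s+([^\]]*)\])", re.IGNORECASE
)

# Constructed sample: the greeting and CAPABILITY reply shown in this thread
# for the Exchange 2016 server, using the tag "x" as the expert suggests.
SAMPLE_EXCHANGE = (
    "* OK The Microsoft Exchange IMAP4 service is ready.\r\n"
    "* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=NTLM AUTH=GSSAPI SASL-IR "
    "UIDPLUS MOVE ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+\r\n"
    "x OK CAPABILITY completed.\r\n"
)

# Constructed sample of a server that refuses cleartext login before STARTTLS.
SAMPLE_PRE_TLS = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready\r\n"


def parse_capabilities(response):
    """Extract the capability tokens and the advertised SASL mechanisms (AUTH=...)."""
    tokens = []
    for line in response.splitlines():
        m = CAP_RE.match(line)
        if m:
            tokens = (m.group(1) or m.group(2) or "").split()
    auth = {t.split("=", 1)[1].upper() for t in tokens if t.upper().startswith("AUTH=")}
    return {"tokens": tokens, "auth": auth}


def assess(caps):
    """Turn a parsed CAPABILITY reply into findings relevant to the failure in this thread."""
    tokens = {t.upper() for t in caps["tokens"]}
    findings = []
    if "PLAIN" in caps["auth"]:
        findings.append("AUTH=PLAIN advertised: Mail.app will pick it first and "
                        "will not fall back to NTLM/GSSAPI if the server then rejects it")
    if "LOGINDISABLED" in tokens:
        findings.append("LOGINDISABLED: the LOGIN command is refused on this connection")
    if not caps["auth"] and "LOGINDISABLED" in tokens:
        findings.append("no mechanism usable here; negotiate STARTTLS or use the implicit-TLS port")
    if not findings:
        findings.append("no plaintext-related issue seen")
    return findings


def probe(host, port=993, timeout=10.0):
    """Connect with implicit TLS (port 993), read the greeting, send 'x CAPABILITY'
    and return the parsed capabilities. The server certificate is verified by default;
    no credentials are ever sent."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            reader = tls.makefile("rb")
            lines = [reader.readline().decode("utf-8", "replace")]  # greeting
            tls.sendall(b"x CAPABILITY\r\n")
            while True:
                line = reader.readline().decode("utf-8", "replace")
                if not line:
                    break
                lines.append(line)
                if line.startswith("x "):  # tagged completion of our command
                    break
            tls.sendall(b"y LOGOUT\r\n")
            return parse_capabilities("".join(lines))


if __name__ == "__main__":
    import sys
    # With a hostname argument the live server is probed; otherwise the embedded sample is used.
    caps = probe(sys.argv[1]) if len(sys.argv) > 1 else parse_capabilities(SAMPLE_EXCHANGE)
    print("mechanisms:", sorted(caps["auth"]))
    for finding in assess(caps):
        print("-", finding)
```

Run it against the server once the IMAP authentication settings have been changed: if PLAIN no longer appears in the reported mechanisms, Mail.app is forced onto NTLM or GSSAPI instead of stalling on a rejected PLAIN, which is the check that confirms the expert's second remedy took effect.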
Author

Commented:
Aha, got it! Here we go:

1 CAPABILITY
* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=NTLM AUTH=GSSAPI SASL-IR UIDPLUS MOVE ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+
1 OK CAPABILITY completed.


Author

Commented:
Well... anyone?
CERTIFIED EXPERT

Commented:
Sorry, I was rather busy lately.

See my first post: most likely PLAIN is announced but rejected. Most mail applications will revert to other mechanisms. macOS does not.
Disabling PLAIN auth altogether on the server seems a viable workaround.

Author

Commented:
Aha... sorry to ask, but what's my best approach for that?
CERTIFIED EXPERT

Commented:
I'd go for typing "disable plain text authentication in exchange server" in Google and pick the very first link (on TechNet). This is fairly well documented and requires a few mouse clicks.

Another option is to disable plain text authentication manually in Thunderbird (same place where you set up the connection). Don't forget to do it for both IMAP and SMTP settings. Unfortunately, AFAIK, Apple's Mail app does not provide that setting.

Author

Commented:
I'd go for typing "disable plain text authentication in exchange server" in Google and pick the very first link (on TechNet). This is fairly well documented and requires a few mouse clicks.

Is that so? I can't seem to find anything pertaining to the authentication methods being configured for the IMAP protocol (and I hope you can have different ones from SMTP!?).
I need to do this server side.
CERTIFIED EXPERT
Commented:

Author

Commented:
Well, I guess (and hope, otherwise you might be in for quite a shock) you understand that Google does not return the same results for a given search for all users. It depends on a lot of variables, first and foremost whether you are logged in to their ecosystem.

As such, the first two pages of links I get running your suggested search ARE FOR SMTP, which, I'm sure, you understand is NOT what I am looking for. I want to set the IMAP authentication options (more specifically, turn off plain authentication) in my EXCHANGE 2016 setup. As far as I can tell this most likely requires some PowerShell cmdlets, which I'm happy to apply as soon as you (or anyone else) would provide me with proper instructions. Believe me, I have tried (possibly not hard enough or without imagination, I guess) to locate this!
CERTIFIED EXPERT
Commented:

Author

Commented:
Well, by poking around the various PowerShell cmdlets that allow you to change those settings (which are not exposed, to the best of my knowledge, in the GUI, nor, to be honest, comprehensively documented), I eventually managed to disable plain authentication, which solved the issue.