October 23rd, 2008, 07:55 PM   #1
Thread Author (OP)
IMAP & self-signed SSL certificates

I'm using the Email application. I get a "non-trusted certificate" error when setting up mail for IMAP. This is expected because I generally self-sign my certs. Though, what is not expected is that there seems to be no mechanism to accept non-trusted server certificates. No self-signed certs? That's a deal breaker. There has got to be a workaround.

simmcrd is offline  

October 24th, 2008, 10:07 AM   #2

If it doesn't accept CAcert, which is free (http://www.cacert.org/), try GoDaddy, which is cheap. A self-signed cert gives you no value if you can't view the hash on the device before you accept it.
klotz is offline  
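
klotz's point about checking the hash before accepting a self-signed certificate, as an added Python example that is not part of the thread: the client skips CA validation but refuses to log in unless the server certificate's SHA-256 fingerprint equals a value recorded out of band. The function names are hypothetical; the host and pinned fingerprint are supplied by the caller.

```python
import hashlib
import hmac
import imaplib
import ssl

def normalize_fingerprint(text):
    """Accept 'AA:BB:...', 'aa bb ...' or plain hex; return lowercase hex."""
    hexstr = "".join(c for c in text if c not in ": \t").lower()
    if len(hexstr) != 64 or any(c not in "0123456789abcdef" for c in hexstr):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return hexstr

def cert_matches_pin(der_cert, pinned_fingerprint):
    """Compare the SHA-256 of the DER certificate with the pinned value."""
    actual = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(actual, normalize_fingerprint(pinned_fingerprint))

def open_pinned_imaps(host, pinned_fingerprint, port=993):
    """Connect to IMAPS and return the connection only if the pin matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # CA validation off; the pin check replaces it
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    der = conn.sock.getpeercert(binary_form=True)
    if der is None or not cert_matches_pin(der, pinned_fingerprint):
        conn.shutdown()  # close before any credentials are sent
        raise ssl.SSLError("server certificate does not match pinned fingerprint")
    return conn  # the caller may now call conn.login(user, password)
```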

October 24th, 2008, 10:46 AM   #3
Work around here<<<<<

I found a workaround on another forum. I can't find it now, but the gist of it is that you are selecting "SSL Always" or "TLS Always" in the security type column. The forum post I read said that these settings require the cert to be part of your valid keystore. If you set it to "SSL if available" or "TLS if available" (whichever is appropriate for your server config) then the Android client will use the certs even if they are not trusted in your keystore. I did that with the Android client using my SSL ports (465 && 993) and that seemed to work. I have not tested if the data is encrypted because I am at work. I will throw Kismet against it when I get home to verify it is doing SSL. Supposedly this information is third (fourth?) hand from an actual Android developer, but I am not one and have not verified it myself.
solid is offline  

October 24th, 2008, 12:43 PM   #4
Thread Author (OP)

Thanks, but it does not work. I selected Security type "SSL (if available)" on my G1. After "checking incoming server settings" I get a "Setup could not finish / Username or password incorrect. () ". My server logs (Linux) are:

Quote:
Oct 24 13:38:16 axum cyrus/imaps[17759]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Oct 24 13:38:18 axum cyrus/imaps[17759]: badlogin: myrouter.mysite.com [192.168.1.1] plaintext robeks SASL(-13): authentication failure: checkpass failed

By the way, I have standard IMAP (port 143) blocked on my router, firewall, and server. I use IMAPS (port 993) only.
simmcrd is offline  

October 25th, 2008, 12:12 PM   #5
solid is correct

solid is correct, I have done this myself. simmcrd must be giving a bad username/password.

More discussion here:
http://code.google.com/p/android/issues/detail?id=1016
sjandroid is offline  

October 26th, 2008, 09:28 PM   #6
Thread Author (OP)

Thanks, that helped, but now I've reached another impasse. Whenever my laptop initiates an imaps session, a sasl password authentication is performed (against /etc/sasldb2 database). However, whenever I use my Android it performs a "login" authentication (against /etc/passwd). I find this odd because I thought the authentication scheme was strictly server-side determinant. Sanitized log snippets follow:

Laptop:
Quote:
Oct 26 21:37:20 myserver cyrus/master[15106]: about to exec /usr/lib/cyrus/bin/imapd
Oct 26 21:37:20 myserver cyrus/imaps[15106]: executed
Oct 26 21:37:20 myserver cyrus/imaps[15106]: accepted connection
Oct 26 21:37:20 myserver cyrus/imaps[15106]: mystore: starting txn 2147485774
Oct 26 21:37:20 myserver cyrus/imaps[15106]: mystore: committing txn 2147485774
Oct 26 21:37:20 myserver cyrus/imaps[15106]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Oct 26 21:37:26 myserver cyrus/imaps[15106]: login: mylaptop.mydomain.com [192.168.1.1] myImapUserName CRAM-MD5+TLS User logged in
Oct 26 21:37:26 myserver cyrus/imaps[15106]: seen_db: user myImapUserName opened /var/lib/cyrus/user/m/myImapUserName.seen
Oct 26 21:37:26 myserver cyrus/imaps[15106]: open: user myImapUserName opened INBOX

Android phone:
Quote:
Oct 26 21:49:43 myserver cyrus/master[15278]: about to exec /usr/lib/cyrus/bin/imapd
Oct 26 21:49:43 myserver cyrus/imaps[15278]: executed
Oct 26 21:49:43 myserver cyrus/imaps[15278]: accepted connection
Oct 26 21:49:45 myserver cyrus/imaps[15278]: mystore: starting txn 2147485786
Oct 26 21:49:45 myserver cyrus/imaps[15278]: mystore: committing txn 2147485786
Oct 26 21:49:45 myserver cyrus/imaps[15278]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Oct 26 21:49:50 myserver cyrus/imaps[15278]: badlogin: mytmohostname.tmodns.net [xxx.xxx.xxx.xxx] plaintext myImapUserName SASL(-13): authentication failure: checkpass failed

In short, it's all the same until after "starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication".
After that, the laptop succeeds with a CRAM-MD5+TLS login, but the G1 fails a plaintext login.

But when I attempt to sync up my Android phone with an IMAP mailbox that happens to have the same name as my shell login (i.e., name happens to be in both /etc/passwd and /etc/sasldb databases):

Quote:
Oct 26 22:01:25 myservername cyrus/imaps[15374]: executed
Oct 26 22:01:25 myservername cyrus/imaps[15374]: accepted connection
Oct 26 22:01:26 myservername cyrus/imaps[15374]: mystore: starting txn 2147485791
Oct 26 22:01:26 myservername cyrus/imaps[15374]: mystore: committing txn 2147485791
Oct 26 22:01:26 myservername cyrus/imaps[15374]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Oct 26 22:01:26 myservername cyrus/imaps[15374]: login: myhostname.tmodns.net [xxx.xxx.xxx.xxx] myShellUserName plaintext+TLS User logged in
Oct 26 22:01:27 myservername cyrus/imaps[15374]: seen_db: user myShellUserName opened /var/lib/cyrus/user/m/myShellUserName.seen
Oct 26 22:01:27 myservername cyrus/imaps[15374]: open: user myShellUserName opened INBOX

Note it now uses "plaintext+TLS" to successfully log in.
It puzzles me that my laptop resolves to "CRAM-MD5+TLS" authentication, but my Android phone resolves to "plaintext+TLS". I wonder why.

I could probably resolve the matter by creating a shell account for each IMAP user that has an Android. But I would rather not do that. The scope of this problem probably now exceeds the scope of the forum (it may very well be a Linux problem). But I suspect as more Android users come online, they might encounter the same complications. Any ideas?
simmcrd is offline  
Last edited by simmcrd; October 27th, 2008 at 07:11 AM. Reason: grammar

October 26th, 2008, 11:00 PM   #7
Thread Author (OP)

Adding IMAP users to the /etc/passwd file (with /bin/false and /nonexistent home directory) does succeed as a workaround. But being that the password authentication is PLAIN, I am not sure whether or not it is sent in the clear. I'll Kismet my network tomorrow and post my results.
simmcrd is offline  
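
The question raised in posts #6 and #7, whether a "plaintext" login travelled inside TLS, can also be checked from the server log by tying each login/badlogin line to the starttls line of the same process ID. The Python below is an added example, not part of the thread; the sample lines are constructed from the Cyrus formats quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample, modeled on the Cyrus imapd syslog lines quoted in the thread.
SAMPLE_LOG = """\
Oct 26 21:37:20 myserver cyrus/imaps[15106]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Oct 26 21:37:26 myserver cyrus/imaps[15106]: login: mylaptop.example.com [192.0.2.10] alice CRAM-MD5+TLS User logged in
Oct 26 21:49:45 myserver cyrus/imaps[15278]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Oct 26 21:49:50 myserver cyrus/imaps[15278]: badlogin: phone.example.net [198.51.100.7] plaintext alice SASL(-13): authentication failure: checkpass failed
Oct 26 22:10:02 myserver cyrus/imap[15400]: login: old.example.net [198.51.100.9] bob plaintext User logged in
"""

LINE = re.compile(r"cyrus/\w+\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PEER = r"(?P<host>\S+) \[(?P<ip>[^\]]+)\] "
# Successful logins put the user before the mechanism; failures reverse the order.
LOGIN = re.compile(PEER + r"(?P<user>\S+) (?P<mech>[^\s+]+)(?P<tls>\+TLS)? ")
BADLOGIN = re.compile(PEER + r"(?P<mech>\S+) (?P<user>\S+) ")

def parse_auth_events(log_text):
    """Return one dict per login/badlogin line, with the session's TLS state."""
    tls_pids = set()  # processes whose current connection logged 'starttls:'
    events = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if msg == "accepted connection":
            tls_pids.discard(pid)  # assumption: a reused process starts a new session
            continue
        event, _, rest = msg.partition(": ")
        if event == "starttls":
            tls_pids.add(pid)
        if event not in ("login", "badlogin"):
            continue
        a = (LOGIN if event == "login" else BADLOGIN).match(rest)
        if a:
            tls = pid in tls_pids or bool(a.groupdict().get("tls"))
            events.append({"pid": pid, "ok": event == "login", "user": a["user"],
                           "mech": a["mech"], "tls": tls})
    return events

def cleartext_password_sessions(events):
    """Attempts that used the plaintext mechanism with no TLS seen for the session."""
    return [e for e in events if e["mech"].lower() == "plaintext" and not e["tls"]]

if __name__ == "__main__":
    for e in parse_auth_events(SAMPLE_LOG):
        print(e)
```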

October 28th, 2008, 02:03 PM   #8

I might also add that if you have special characters in your password you will get the message "Username or password incorrect. ()" as well. The mail app apparently does not process special characters correctly.
xaos is offline  

October 28th, 2008, 04:19 PM   #9
Thread Author (OP)

Thanks, but the passwd had already been changed earlier to a simple English word. No dice.
simmcrd is offline  

November 2nd, 2009, 05:50 PM   #10
Thanks!

Quote:
Originally Posted by solid View Post
I found a workaround on another forum. I can't find it now, but the gist of it is that you are selecting "SSL Always" or "TLS Always" in the security type column. The forum post I read said that these settings require the cert to be part of your valid keystore. If you set it to "SSL if available" or "TLS if available" (whichever is appropriate for your server config) then the Android client will use the certs even if they are not trusted in your keystore. I did that with the Android client using my SSL ports (465 && 993) and that seemed to work. I have not tested if the data is encrypted because I am at work. I will throw Kismet against it when I get home to verify it is doing SSL. Supposedly this information is third (fourth?) hand from an actual Android developer, but I am not one and have not verified it myself.

This worked for me on my Samsung Moment (1.5 Cupcake) using the 'email' app, which I've set up for my work mail. I use the 'gmail' for my home email to segregate the two.
johndroid is offline  

All times are GMT -5.