IMAP & self-signed SSL certificates


  1. simmcrd

    simmcrd Active Member

    I'm using the Email application. I get a "non-trusted certificate" error when setting up mail for IMAP. This is expected because I generally self-sign my certs. Though, what is not expected is that there seems to be no mechanism to accept non-trusted server certificates. No self-signed certs? That's a deal breaker. There has got to be a workaround.

  2. klotz

    klotz New Member

    If it doesn't accept CAcert, which is free (http://www.cacert.org/), try GoDaddy, which is cheap. A self-signed cert gives you no value if you can't view the hash on the device before you accept it.
  3. solid

    solid Member

    I found a workaround on another forum. I can't find it now, but the gist of it is that you are selecting "SSL Always" or "TLS Always" in the security type column. The forum post I read said that these settings require the cert to be part of your valid keystore. If you set it to "SSL if available" or "TLS if available" (whichever is appropriate for your server config), then the Android client will use the certs even if they are not trusted in your keystore. I did that with the Android client using my SSL ports (465 and 993) and that seemed to work. I have not tested if the data is encrypted because I am at work. I will throw Kismet against it when I get home to verify it is doing SSL. Supposedly this information is third (fourth?) hand from an actual Android developer, but I am not one and have not verified it myself.
  4. simmcrd

    simmcrd Active Member

    Thanks, but it does not work. I selected Security type "SSL (if available)" on my G1. After "checking incoming server settings" I get "Setup could not finish / Username or password incorrect. ()". My server logs (Linux) are:

    By the way, I have standard IMAP (port 143) blocked on my router, firewall, and server. I use IMAPS (port 993) only.
  5. sjandroid

    sjandroid New Member

  6. simmcrd

    simmcrd Active Member

    Thanks, that helped, but now I've reached another impasse. Whenever my laptop initiates an IMAPS session, a SASL password authentication is performed (against the /etc/sasldb2 database). However, whenever I use my Android it performs a "login" authentication (against /etc/passwd). I find this odd because I thought the authentication scheme was strictly determined server-side. Sanitized log snippets follow:

    Laptop:
    Android phone:
    In short, it's all the same until after "starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication".
    After that, the laptop does succeed at a CRAM-MD5+TLS login, but the G1 fails a plaintext login.

    But when I attempt to sync up my Android phone with an IMAP mailbox that happens to have the same name as my shell login (i.e., name happens to be in both /etc/passwd and /etc/sasldb databases):

    Note it now uses "plaintext+TLS" to successfully log in.
    It puzzles me that my laptop resolves to "CRAM-MD5+TLS" authentication, but my Android phone resolves to "plaintext+TLS". I wonder why.

    I could probably resolve the matter by creating a shell account for each IMAP user that has an Android. But I would rather not do that. The scope of this problem probably now exceeds the scope of the forum (it may very well be a Linux problem). But I suspect that as more Android users come online, they might encounter the same complications. Any ideas?
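The two security points raised in this thread, klotz's remark that a self-signed cert is only worth anything if you can check its hash before trusting it, and the CRAM-MD5 versus plaintext-LOGIN difference above, as an added example that is not code from any poster. The capability lines, host, port and fingerprint are constructed placeholders, and `connect_pinned` is a hypothetical helper, not an Android or server API:

```python
import hashlib
import hmac
import imaplib
import ssl

# Constructed sample CAPABILITY responses (not captured from the poster's server).
CAPS_BEFORE_TLS = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=CRAM-MD5"
CAPS_AFTER_TLS = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5"


def parse_capabilities(line):
    """Return the set of upper-cased tokens from an untagged CAPABILITY response."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "*" or parts[1].upper() != "CAPABILITY":
        raise ValueError("not a CAPABILITY response: %r" % line)
    return {p.upper() for p in parts[2:]}


def choose_auth(caps, tls_active):
    """Pick the safest mechanism the server offers. CRAM-MD5 never sends the
    password itself; PLAIN or LOGIN are acceptable only once TLS is up, and
    LOGIN not at all while the server advertises LOGINDISABLED."""
    if "AUTH=CRAM-MD5" in caps:
        return "CRAM-MD5"
    if tls_active and "AUTH=PLAIN" in caps:
        return "PLAIN"
    if tls_active and "LOGINDISABLED" not in caps:
        return "LOGIN"
    return None  # nothing safe to use: the client should refuse, not fall back


def cert_fingerprint(der_cert):
    """SHA-256 hex fingerprint of a DER-encoded certificate, as shown by most clients."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_ok(der_cert, expected_hex):
    """Constant-time comparison against a pin recorded out of band (colons optional)."""
    expected = expected_hex.replace(":", "").lower()
    return hmac.compare_digest(cert_fingerprint(der_cert), expected)


def pinned_context():
    """CA validation is off because the cert is self-signed; trust comes from the pin."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect_pinned(host, port, expected_hex):
    """Open IMAPS (port 993 style) and abort unless the server cert matches the pin."""
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=pinned_context())
    if not fingerprint_ok(conn.sock.getpeercert(binary_form=True), expected_hex):
        conn.shutdown()
        raise ssl.SSLError("server certificate does not match the pinned fingerprint")
    return conn
```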
  7. simmcrd

    simmcrd Active Member

    Adding IMAP users to the /etc/passwd file (with /bin/false and a /nonexistent home directory) does succeed as a workaround. But given that the password authentication is PLAIN, I am not sure whether or not it is sent in the clear. I'll Kismet my network tomorrow and post my results.
  8. xaos

    xaos New Member

    I might also add that if you have special characters in your password you will get the message "Username or password incorrect. ()" as well. The mail app apparently does not process special characters correctly.
  9. simmcrd

    simmcrd Active Member

    Thanks, but the password had already been changed earlier to a simple English word. No dice.
  10. johndroid

    johndroid New Member

    This worked for me on my Samsung Moment (1.5 Cupcake) using the 'email' app, which I've set up for my work mail. I use the 'gmail' app for my home email to segregate the two.