Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: Disable option for TLS mode on POP and/or IMAP

  1. #1
    Join Date
    May 2007
    Location
    Europe
    Posts
    48
    Rep Power
    8

    Default Disable option for TLS mode on POP and/or IMAP

    Hi

    I need a quick solution here...
    I've searched forums and found nothing that worked.

    Basically we want a web client (not zimbra) to connect on POP3 or IMAP port.

    Here's the catch.
    When that web client establish connection the first thing it tries entering TLS mode. With other clients works well (TB..)
    But the certificate is self signed and that makes SSL handshake exception.

    Sure they could just accept certificate, but it's a government institution.
    Zimbra is intranet..

    They want us to disable option for TLS mode on POP and/or IMAP
    (they don't want to reprogram their webclient)

    I've tried various options in admin console and shell but nothing helped.
    I can always enter into TLS mode.

    javamail_imap_debug = false
    javamail_imap_enable_starttls = false
    javamail_imap_test_timeout = 20
    javamail_imap_timeout = 20
    javamail_pop3_debug = false
    javamail_pop3_enable_starttls = false
    javamail_pop3_test_timeout = 20
    javamail_pop3_timeout = 20
    javamail_smtp_debug = false
    javamail_smtp_enable_starttls = true
    javamail_smtp_timeout = 60
    Thanks for zimbra
    Last edited by Aleks; 07-17-2009 at 05:15 AM.

  2. #2
    Join Date
    Jun 2008
    Posts
    594
    Rep Power
    8

    Default

    Did you try changing :

    zmprov gs `zmhostname` | grep zimbraReverseProxyPop3StartTlsMode

    output of "only" to "on" ?

  3. #3
    Join Date
    May 2007
    Location
    Europe
    Posts
    48
    Rep Power
    8

    Default

    Quote Originally Posted by veronica View Post
    Did you try changing :

    zmprov gs `zmhostname` | grep zimbraReverseProxyPop3StartTlsMode

    output of "only" to "on" ?
    ~> zmprov gs `zmhostname` | grep zimbraReverseProxyPop3StartTlsMode
    zimbraReverseProxyPop3StartTlsMode: only
    ~> zmprov gs `zmhostname` | grep zimbraReverseProxyImapStartTlsMode
    zimbraReverseProxyImapStartTlsMode: only
    I've changed ProxyPop3 and ProxyImap to mode "on" and "off" and it didn't help.
    zmprov ms `zmhostname` zimbraReverseProxyImapStartTlsMode on
    zmprov ms `zmhostname` zimbraReverseProxyPop3StartTlsMode on
    zmprov ms `zmhostname` zimbraReverseProxyPop3StartTlsMode off
    zmprov ms `zmhostname` zimbraReverseProxyImapStartTlsMode off
    It still offer TLS mode...
    I'm running out of ideas...

  4. #4
    Join Date
    May 2007
    Location
    Europe
    Posts
    48
    Rep Power
    8

    Default

    Version: 5.0.16_GA_2921.SuSEES10_20090429025523

    In admin console is set checkbox "This server is a reverse proxy lookup target"
    on MTA tab the TLS checkbox is unchecked.
    In POP and IMAP tabs the services are enabled and SSL.
    Clear text login checkbox is also checked but is blended... (cannot uncheck it)

  5. #5
    Join Date
    Oct 2005
    Location
    USA, Canada and India
    Posts
    777
    Rep Power
    10

    Default

    many mta settings are taken from GLOBAL setttings..please go to global settings mta tab unchek it. it will show up the same in server settings.

    Raj
    i2k2 Networks
    Dedicated & Shared Zimbra Hosting Provider

  6. #6
    Join Date
    May 2007
    Location
    Europe
    Posts
    48
    Rep Power
    8

    Default

    Thanks for reply raj.

    I'm more interested in how to disable TLS mode on IMAP.
    I do not have a clue how to do it and it is urgent.
    Is it possible?

    Best regards, Aleks

  7. #7
    Join Date
    Aug 2007
    Posts
    19
    Rep Power
    8

    Default

    Another idea is to investigate purchasing a cert from a CA and installing it on your server. That cert would be trusted by the client app and should work correctly. More secure that way as well as you get encrypted traffic at that point.

  8. #8
    Join Date
    May 2007
    Location
    Europe
    Posts
    48
    Rep Power
    8

    Default

    Quote Originally Posted by cmcbride View Post
    Another idea is to investigate purchasing a cert from a CA and installing it on your server. That cert would be trusted by the client app and should work correctly. More secure that way as well as you get encrypted traffic at that point.
    Thanks for quick reply cmcbride!!

    I did that today. I thought this would be great solution but the problem remains.

    When I was generating CSR in admin console, I had to type in ref. number in CN instead of server name (requested by CA). I got an error in admin.
    I had to manually generate custom CSR and send it to CA to generate and retrieve crt. They replaced CN with proper CN. I dont know if this is the problem, but ThunderBird popup's messages like "mail.domain.com" does not match "".

    So this I'm again back at the start...

  9. #9
    Join Date
    May 2007
    Location
    Europe
    Posts
    48
    Rep Power
    8

    Default

    And some logs...

    2009-07-22 15:14:15,578 INFO [ImapServer-35] [] imap - [172.24.240.101] connected
    2009-07-22 15:14:15,677 INFO [ImapServer-35] [] ProtocolHandler - Exception occurred while handling connection
    javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLExceptio n(Alerts.java:150)
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLExceptio n(Alerts.java:117)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAle rt(SSLSocketImpl.java:1650)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRec ord(SSLSocketImpl.java:925)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.perform InitialHandshake(SSLSocketImpl.java:1089)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHa ndshake(SSLSocketImpl.java:1116)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHa ndshake(SSLSocketImpl.java:1100)
    at com.zimbra.cs.imap.TcpImapHandler.doSTARTTLS(TcpIm apHandler.java:161)
    at com.zimbra.cs.imap.ImapHandler.executeRequest(Imap Handler.java:640)
    at com.zimbra.cs.imap.TcpImapHandler.processCommand(T cpImapHandler.java:124)
    at com.zimbra.cs.tcpserver.ProtocolHandler.processCon nection(ProtocolHandler.java:160)
    at com.zimbra.cs.tcpserver.ProtocolHandler.run(Protoc olHandler.java:128)
    at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Wo rker.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:595)
    2009-07-22 15:14:15,678 INFO [ImapServer-35] [] ProtocolHandler - Handler exiting normally

  10. #10
    Join Date
    May 2012
    Posts
    2
    Rep Power
    3

    Default

    Quote Originally Posted by Aleks View Post
    Thanks for reply raj.

    I'm more interested in how to disable TLS mode on IMAP.
    I do not have a clue how to do it and it is urgent.
    Is it possible?

    Best regards, Aleks
    I'm more interested in how to disable TLS mode on IMAP.
    I do not have a clue how to do it and it is urgent.
    Is it possible?

    Best regards, Aleks


    I'm Gail and new here. This is EXACTLY what I need to do. Did you find a solution? It's affecting everything... HELP!!!

Similar Threads

  1. Invalid or untrusted server SSL certificate
    By GaryParr in forum General Questions
    Replies: 34
    Last Post: 02-13-2009, 10:39 AM
  2. Zimbra + LDAP + Posix + Samba
    By fruitlounge in forum Administrators
    Replies: 24
    Last Post: 06-30-2008, 09:55 PM
  3. SLES10: Problem upgrading from Zimbra NE 5.0 to NE 5.0.1
    By trapanator in forum Installation
    Replies: 11
    Last Post: 02-27-2008, 12:51 PM
  4. can't you help me
    By iwan siahaan in forum Administrators
    Replies: 6
    Last Post: 12-17-2007, 05:53 PM
  5. Disable SSL checking for slave POP accounts
    By SteveSmith in forum Administrators
    Replies: 0
    Last Post: 04-03-2007, 12:49 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •