I got mine working over the weekend (thanks to Bill for helping me think it through), and it may be that my issue (which wasn't where I expected) affects some of the rest of you. Turns out it was due to the way my firewall handled the translation of IP addresses from the DMZ to the public. My settings are as follows:
My mailserver, mail.tractor-equip.net resolves (as anybody can check with nslookup or dig) to 220.127.116.11. That is actually a secondary IP address on the external ethernet port of my firewall.
The actual mailserver resides in a DMZ 10.3.2.xxx, which is a subnet that is inaccessible to the outside world.
I had the firewall set up to do Destination Network Address Translation (DNAT) so that any traffic from the outside world for port 25 (SMTP) or 443 (https) would get translated from 18.104.22.168 to 10.3.2.xxx. (later I added the IMAP and POP ports too) However, I didn't realize it at first, but all the OUTGOING traffic from the mailserver was not coming from that same address, but from the primary WAN address of the firewall (due to another NAT rule). This was preventing any of my external clients from logging in for external pop, IMAP, or SMTP, because the return traffic was not coming from 22.214.171.124.
Once I set up a second SNAT (Source Network Address Translation) rule to make the outgoing traffic from my mailserver to come from 126.96.36.199 rather than the other WAN address, I was able to log on successfully and both send and receive mail. I tested it from home using a Thunderbird client. Key issue--if you're using DMZ and NAT, be sure the incoming and outgoing traffic are on the same public IP address--and this is a firewall issue, not Zimbra's problem.
SSS, I would NOT recommend you use the clear text login or non-secure ports for your external access (as you well know already), and I was able to connect without them enabled. My settings are
Your firewall, of course, has to pass the proper ports for each service: 993 for IMAP-SSL, 995 for POP-SSL, and 465 for SMTP-SSL. I actually block 110 (cleartext POP) and 143 (clear IMAP) at the firewall since they are less secure (but don't block 25 SMTP or you won't get mail from anybody else ).
- enabling POP, IMAP and SMTP over SSL
- TLS enabled
- External Auth enabled
- cleartext login DISabled.
I can't speak to other clients, but with Thunderbird enabling SSL for POP, IMAP, and SMTP, and enabling the username and password for SMTP, did the trick.
Hope this helps,