I'm hoping someone can give me a pointer on why this isn't working.

We have the Zimbra Open Source Edition, so we don't actually have Zimbra Mobile. As I understand it, Mobile gets you OTA synchronization of calendars and push mail, but all we want to do is set a WM5 device up as a regular IMAP client using the included Xpressmail software.

At the moment, the best we can get is an error that the device cannot connect. In the zimbra.log file we get the following error every time a connection is attempted to 993/IMAPS:

javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:117)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1584)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:866)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:622)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at com.zimbra.cs.imap.ImapHandler.sendLine(ImapHandler.java:2049)
at com.zimbra.cs.imap.ImapHandler.sendResponse(ImapHandler.java:2039)
at com.zimbra.cs.imap.ImapHandler.sendUntagged(ImapHandler.java:2028)
at com.zimbra.cs.imap.ImapHandler.setupConnection(ImapHandler.java:168)
at com.zimbra.cs.tcpserver.ProtocolHandler.run(ProtocolHandler.java:196)
at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Thread.java:595)
2007-03-16 11:15:19,733 INFO [ImapSSLServer-51841] [] ProtocolHandler - Handler exiting normally

Now, we are using an internal CA to sign a certificate for this service. We're aware that the root certificate needs to be added to the root store on the WM5 device and we have done that - it shows up in the list, and we can browse secure websites signed by this root. But we still can't connect to Zimbra IMAP.

What should we try next? We are a small organization and at the moment making the leap from the Open version to the Network Pro version with Mobile users is too steep. We have 1 mobile device user that just needs email, not calendar and we aren't interested in paying someone to trust ourselves when we've already got a perfectly good self-signed certificate for this non-public network service.
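
An added example, not part of the original post: a Python triage pass over zimbra.log entries like the one quoted above. In JSSE, "Received fatal alert" means the remote peer sent the alert, so on the Zimbra side this entry records the device rejecting the certificate the server presented; the sample lines are constructed from the trace in the post, and the function and field names are this example's own.

```python
import re

# Certificate-related TLS alert descriptions and codes (RFC 5246, section 7.2.2).
CERT_ALERTS = {"bad_certificate": 42, "unsupported_certificate": 43,
               "certificate_revoked": 44, "certificate_expired": 45,
               "certificate_unknown": 46, "unknown_ca": 48}

# JSSE wording: "Received fatal alert: X" means the remote peer sent alert X.
ALERT_RE = re.compile(r"SSLHandshakeException: Received fatal alert: (\w+)")
FRAME_RE = re.compile(r"^\s*at ([\w.$]+)\(")

# Constructed sample modelled on the trace in the post; the second entry is invented.
SAMPLE_LOG = """\
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.zimbra.cs.imap.ImapHandler.sendLine(ImapHandler.java:2049)
at java.lang.Thread.run(Thread.java:595)
2007-03-16 11:15:19,733 INFO [ImapSSLServer-51841] [] ProtocolHandler - Handler exiting normally
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at com.zimbra.cs.imap.ImapHandler.sendLine(ImapHandler.java:2049)
""".splitlines()


def triage(lines):
    """Return one finding per peer-sent handshake alert, tagged with the first
    com.zimbra frame in its stack trace to show which listener was affected."""
    findings, current = [], None
    for line in lines:
        alert = ALERT_RE.search(line)
        if alert:
            name = alert.group(1)
            current = {"alert": name, "code": CERT_ALERTS.get(name),
                       "cert_related": name in CERT_ALERTS, "handler": None}
            findings.append(current)
            continue
        frame = FRAME_RE.match(line)
        if frame is None:
            current = None  # a non-frame line ends the current stack trace
        elif current and current["handler"] is None \
                and frame.group(1).startswith("com.zimbra."):
            current["handler"] = frame.group(1)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        kind = "peer rejected server certificate" if f["cert_related"] else "other"
        print(f'{f["alert"]} (code {f["code"]}) at {f["handler"]}: {kind}')
```
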