09-07-2009, 04:38 PM   #1
onfocus
New Member
 
Join Date: Sep 2009
Location: England
Model: 8320
PIN: N/A
Carrier: Orange
Posts: 2
BIS and self-signed certificate?


Hi all,

I'm not a regular forum poster on any forums; usually I can find the answers I need by googling, but this one's really got me beat.

I have a Debian server running Postfix and Dovecot serving up IMAPS (993), POP3S (995) and SMTP with TLS (25). As it's email I figure I can happily create certificates with my own root CA - clients can simply install the root cert and everything works fine.

I've tested with openssl s_client, as well as Outlook and Thunderbird and all works as expected.

The problem I have is with BIS. And it's a simple question, I think, but not one that I've been able to find an answer to:

Does BIS refuse self-signed, or untrusted certificates?

See, I'm trying to set up an account through the BIS site (on computer or handheld, it doesn't matter, I get the same errors). On attempting to set up an account (after it's tried to auto-detect and I've got to the page where I put in the address, username and server name) I get:

Cannot connect to email server or invalid server name:

Please verify the server name. If the error persists contact example.com (your
email provider).


I thought I'd cheat, open up IMAP temporarily on the server, then try and switch the account to IMAPS...no luck there either. If I go into 'advanced settings' (again handheld and big computer give the same error) and tick the SSL box I get:


An error occurred during email account validation.
Please check your information and try again.


It's definitely not settings, everything is tickety-boo with clients that connect directly to the mail server...

The error messages BIS provides are so generic it's very difficult to know what's going on. FWIW, on the server side I get:

dovecot: imap-login: Disconnected: rip=216.9.253.55, lip=x.x.x.x, TLS handshake

Which tells me something's falling over during the secure connection negotiation process, but what? And why? Unfortunately this is about as verbose as the logging gets - I know it's a bit OT but I've not been able to find a way of logging low-level SSL/TLS activity on my server.

If only I had a clue about what the BIS server was trying to do then at least I'd know whether to give it up and look for another solution.

So, I go back to my original question:

Does anyone know how BIS handles untrusted certificates?

If you're still reading at this point, thank you for your patience and persistence!
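As an added example (not part of the original post, and making no claim about how BIS itself behaves), the script below reproduces the setup described: a private root CA signs a server certificate, and the chain is then validated once with the root installed and once against the default trust store only. The subject names are constructed, and it assumes the `openssl` command-line tool is available.

```shell
#!/bin/sh
# Added example (not from the post): build a throwaway private root CA and a
# server certificate, then validate the chain as two kinds of client would.
# All names (mail.example.test, "Example Private Root CA") are constructed.
set -eu

make_pki() {   # $1 = directory to write ca.{key,crt} and srv.{key,csr,crt}
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Private Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
    openssl x509 -req -in "$1/srv.csr" -days 30 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/srv.crt" 2>/dev/null
}

# Print 0 if `openssl verify` accepts the chain, otherwise the X.509
# verification error number it reports (18, 20, ...).
verify_code() {
    out=$(openssl verify "$@" 2>&1) || true
    case $out in
        *": OK"*) echo 0 ;;
        *) printf '%s\n' "$out" |
               sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
    esac
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_pki "$work"

# Client with the private root installed (the Outlook/Thunderbird case).
echo "root installed:        $(verify_code -CAfile "$work/ca.crt" "$work/srv.crt")"
# Client that only consults its own default trust store: the issuer is
# unknown, error 20 (unable to get local issuer certificate).
echo "default store only:    $(verify_code "$work/srv.crt")"
# A certificate that is its own issuer, checked without being trusted:
# error 18 (self-signed certificate).
echo "self-signed, no trust: $(verify_code "$work/ca.crt")"
```

A client that treats either non-zero result as fatal ends the connection during the handshake, before any IMAP login is attempted.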