I have been an almost happy Zimbra user for almost 10 years now, currently running Zimbra 8.8.15_GA_4232 (build 20220204072400) on CentOS 7. I am using a Let's Encrypt certificate.
This week I've switched phones and I can't get my iPhone to connect to IMAP on port 993. CalDAV and CardDAV are already working without problems.
My previous Android phones had no problems at all.
The iPhone is running iOS version 15.4.
When trying to connect from the iPhone:
- I get the following message: Failed to retrieve email. The email server '<servername>' is not responding. Check if you have entered the correct account info in the email settings.
- I see the following lines in /opt/zimbra/log/nginx.log:
2022/03/24 22:50:46 [info] 27748#0: *70549 client 188.207.72.119:10252 connected to 192.168.0.169:993
2022/03/24 22:50:46 [info] 27748#0: *70549 SSL_do_handshake() failed (SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:SSL alert number 46) while SSL handshaking, client: 188.207.72.119:10252, server: 192.168.0.169:993
openssl s_client -showcerts -connect <domain>:993 -servername <domain> shows the right certificate.
openssl s_client -showcerts -connect <domain>:993 -servername <domain>
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = <domain>
verify return:1
---
Certificate chain
0 s:/CN=<domain>
i:/C=US/O=Let's Encrypt/CN=R3
-----BEGIN CERTIFICATE-----
<certificate>
-----END CERTIFICATE-----
1 s:/CN=<domain>
i:/C=US/O=Let's Encrypt/CN=R3
-----BEGIN CERTIFICATE-----
<certificate>
-----END CERTIFICATE-----
2 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
-----BEGIN CERTIFICATE-----
<certificate>
-----END CERTIFICATE-----
3 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
-----BEGIN CERTIFICATE-----
<certificate>
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=<domain>
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6170 bytes and written 436 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 339882E778D8F1636DE4294DCCC731827F1F40F6ECA11B810567464277224D20
Session-ID-ctx:
Master-Key: <master-key>
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1648156860
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
* OK IMAP4rev1 proxy server ready
read:errno=0
tag login <username> <password>
tag OK [CAPABILITY IMAP4rev1 ACL BINARY CATENATE CHILDREN CONDSTORE ENABLE ESEARCH ESORT I18NLEVEL=1 ID IDLE LIST-EXTENDED LIST-STATUS LITERAL+ LOGIN-REFERRALS MULTIAPPEND NAMESPACE QRESYNC QUOTA RIGHTS=ektx SASL-IR SEARCHRES SORT THREAD=ORDEREDSUBJECT UIDPLUS UNSELECT WITHIN XLIST] LOGIN completed
2022/03/24 23:04:58 [info] 27747#0: *70585 client <ip_address>:51508 connected to 192.168.0.169:993
2022/03/24 23:05:47 [info] 27747#0: *70585 client logged in, client: <ip_address>:51508, server: 192.168.0.169:993, login: "<username>", upstream: 192.168.0.169:7993 (<ip_address>:51508->192.168.0.169:993) <=> (192.168.0.169:33334->192.168.0.169:7993)
- Import the Let's Encrypt ISRG Root X1 certificate on the iPhone. No success.
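
An added example, not part of the original post: a small Python check over the "Certificate chain" listing printed by `openssl s_client -showcerts`. It flags entries that break the TLS 1.2 ordering rule (RFC 5246, section 7.4.2: each certificate after the first must directly certify the one before it) and notes a self-signed root, which a server may omit. The function names and the host name mail.example.test are assumptions made for the example.

```python
import re

# Constructed sample in the listing format of `openssl s_client -showcerts`;
# mail.example.test is a placeholder host name, not a value from the post.
SAMPLE = """\
Certificate chain
 0 s:/CN=mail.example.test
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/CN=mail.example.test
   i:/C=US/O=Let's Encrypt/CN=R3
 2 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 3 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
---
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+s:(.*)$", line)
        if m:
            subject = m.group(1).strip()
            continue
        m = re.match(r"\s*i:(.*)$", line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def check_chain(chain):
    """List entries that break the rule that each certificate after the
    first must directly certify the one before it; also note a sent root."""
    findings, seen = [], set()
    for idx, (subject, issuer) in enumerate(chain):
        if (subject, issuer) in seen:
            findings.append(f"{idx}: same subject and issuer as an earlier entry")
        elif idx > 0 and chain[idx - 1][1] != subject:
            findings.append(f"{idx}: does not certify entry {idx - 1}")
        seen.add((subject, issuer))
        if idx > 0 and subject == issuer:
            findings.append(f"{idx}: self-signed root included (may be omitted)")
    return findings

if __name__ == "__main__":
    for finding in check_chain(parse_chain(SAMPLE)):
        print(finding)
```

The comparison is by subject and issuer name only, so it reports what the listing shows and does not verify signatures.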