iPhone connection problems with IMAP [SOLVED]

Post by Corstian » Tue Mar 29, 2022 7:45 am

Hi,

I have been an almost happy Zimbra user for almost 10 years now, currently running Zimbra 8.8.15_GA_4232 (build 20220204072400) on CentOS 7. I am using a Let's Encrypt certificate.
This week I've switched phones and I can't get my iPhone to connect to IMAP on port 993. CalDAV and CardDAV are already working with no problems.
My previous Android phones had no problems at all.

The iPhone is running iOS version 15.4.

When trying to connect from the iPhone:
- I get the following message: Failed to retrieve email. The email server '<servername>' is not responding. Check if you have entered the correct account info in the email settings.

- I see the following lines in /opt/zimbra/log/nginx.log:

2022/03/24 22:50:46 [info] 27748#0: *70549 client 188.207.72.119:10252 connected to 192.168.0.169:993
2022/03/24 22:50:46 [info] 27748#0: *70549 SSL_do_handshake() failed (SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:SSL alert number 46) while SSL handshaking, client: 188.207.72.119:10252, server: 192.168.0.169:993


I am able to log in to the server manually.
openssl s_client -showcerts -connect <domain>:993 -servername <domain> shows the right certificate.

openssl s_client -showcerts -connect <domain>:993 -servername <domain>
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = <domain>
verify return:1
---
Certificate chain
 0 s:/CN=<domain>
   i:/C=US/O=Let's Encrypt/CN=R3
-----BEGIN CERTIFICATE-----
<certificate>
-----END CERTIFICATE-----
 1 s:/CN=<domain>
   i:/C=US/O=Let's Encrypt/CN=R3
-----BEGIN CERTIFICATE-----
<certificate>
-----END CERTIFICATE-----
 2 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
-----BEGIN CERTIFICATE-----
<certificate>
-----END CERTIFICATE-----
 3 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
-----BEGIN CERTIFICATE-----
<certificate>
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=<domain>
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6170 bytes and written 436 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 339882E778D8F1636DE4294DCCC731827F1F40F6ECA11B810567464277224D20
    Session-ID-ctx:
    Master-Key: <master-key>
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - c5 71 63 28 e7 4b b6 79-4d 04 7d c2 ee bc 8a 39   .qc(.K.yM.}....9
    0010 - 0b 7c d9 49 2a 39 ef bb-9e 1a d1 2c 13 56 57 4f   .|.I*9.....,.VWO
    0020 - bb ca 9f 55 07 82 59 65-3c d0 68 10 79 ea 3d 15   ...U..Ye<.h.y.=.
    0030 - a2 4c dd 7d b9 ab f9 62-b5 35 eb e6 43 bd 67 3a   .L.}...b.5..C.g:
    0040 - 72 32 a3 09 fd 96 d3 1b-96 6d 3d 3a 7d c5 8d 4e   r2.......m=:}..N
    0050 - ae 52 97 81 87 18 8e f3-41 23 3d 93 25 14 09 f6   .R......A#=.%...
    0060 - 62 26 bc f1 28 0e 07 69-9f f5 49 68 9e e5 36 c2   b&..(..i..Ih..6.
    0070 - e2 91 d3 7d cb aa 27 ef-1c db 69 ee f2 89 49 42   ...}..'...i...IB
    0080 - 28 a0 e5 32 7e cb e7 2c-46 d6 7c 9f 3c e3 20 86   (..2~..,F.|.<. .
    0090 - cb f4 bf 70 9a ad e2 29-cb 35 20 ae e4 79 a3 70   ...p...).5 ..y.p
    00a0 - 98 b4 c9 c4 91 cc 16 ae-3b 1b ea dd b8 26 11 3c   ........;....&.<

    Start Time: 1648156860
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
* OK IMAP4rev1 proxy server ready
read:errno=0

Login:

tag login <username> <password>
tag OK [CAPABILITY IMAP4rev1 ACL BINARY CATENATE CHILDREN CONDSTORE ENABLE ESEARCH ESORT I18NLEVEL=1 ID IDLE LIST-EXTENDED LIST-STATUS LITERAL+ LOGIN-REFERRALS MULTIAPPEND NAMESPACE QRESYNC QUOTA RIGHTS=ektx SASL-IR SEARCHRES SORT THREAD=ORDEREDSUBJECT UIDPLUS UNSELECT WITHIN XLIST] LOGIN completed

nginx.log:

2022/03/24 23:04:58 [info] 27747#0: *70585 client <ip_address>:51508 connected to 192.168.0.169:993
2022/03/24 23:05:47 [info] 27747#0: *70585 client logged in, client: <ip_address>:51508, server: 192.168.0.169:993, login: "<username>", upstream: 192.168.0.169:7993 (<ip_address>:51508->192.168.0.169:993) <=> (192.168.0.169:33334->192.168.0.169:7993)


Already tried:
- import Let's Encrypt ISRG Root X1 certificate on the iPhone. No success.
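
The "Certificate chain" listing from the `openssl s_client -showcerts` output in the post above, checked mechanically (an added example, not part of the original post; `mail.example.com` stands in for the `<domain>` placeholder, and `parse_chain` and `check_chain` are names chosen here). It reports entries that share a subject and issuer, self-signed certificates sent by the server, and certificates that are not followed by their issuer.

```python
import re

# Constructed sample: the "Certificate chain" section from the post, with the
# <domain> placeholder replaced by mail.example.com and the PEM bodies omitted.
SAMPLE = """\
Certificate chain
 0 s:/CN=mail.example.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/CN=mail.example.com
   i:/C=US/O=Let's Encrypt/CN=R3
 2 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 3 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
---
"""

def parse_chain(text):
    """Return [(depth, subject, issuer)] from `openssl s_client -showcerts` output."""
    chain, pending = [], None
    for line in text.splitlines():
        m = re.match(r"\s*(\d+) s:(.*)$", line)
        if m:
            pending = (int(m.group(1)), m.group(2).strip())
            continue
        m = re.match(r"\s+i:(.*)$", line)
        if m and pending:
            chain.append((pending[0], pending[1], m.group(1).strip()))
            pending = None
    return chain

def check_chain(chain):
    """List structural findings about the chain in the order the server sent it."""
    findings, seen = [], {}
    for pos, (depth, subject, issuer) in enumerate(chain):
        if (subject, issuer) in seen:
            findings.append(f"{depth}: same subject/issuer as {seen[(subject, issuer)]}")
        else:
            seen[(subject, issuer)] = depth
        if subject == issuer:
            findings.append(f"{depth}: self-signed certificate sent in chain")
        # Each certificate should be followed by the one whose subject issued it.
        if pos + 1 < len(chain) and issuer not in (subject, chain[pos + 1][1]):
            findings.append(f"{depth}: next certificate is not its issuer")
    return findings

if __name__ == "__main__":
    for finding in check_chain(parse_chain(SAMPLE)):
        print(finding)
```

Matching names do not prove that two entries are the same certificate; comparing fingerprints with `openssl x509 -noout -fingerprint -sha256` distinguishes a true duplicate from an older and a newer leaf.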


Re: iPhone connection problems with IMAP

Post by Corstian » Thu Mar 31, 2022 8:59 am

I followed these instructions and renewed my Let's Encrypt certificates:
https://www.sbarjatiya.com/notes_wiki/i ... _in_Zimbra

After renewing the certificates, my iPhone was able to connect! :D
