TLS connections from iPhone/iPad/Mac Mail on Port 993 Failing

Problem reported by Matthew Sine - 6/27/2018 at 6:27 AM

Submitted

We have been getting slammed with calls after this past weekend (6-23) with IOS and Mac users who cannot connect.

The issue appears to be SSL on ports 993 and 995 (Imap TLS / POP3 TLS)

We have tested a lot of options but in essence we can get users to connect via SSL (setting in IOS) on port 143 but not on port 993 - no matter what we do.

Servers both running Windows 2012 R2
We have re-issued the certificate and re-exported to PFX with Private Key
Checked Firewall - even turned off Windows firewall
Removed all ports and set up again (one server is an older server upgraded since SM 13...)
Made sure the certificate (re-exported) is properly bound to each port (25, 110, 143, 465, 587, 993 995 and 366 as an alternate)
Checked and re-check at https://www.htbridge.com/ssl (where we see no issues on port 143 but 993 throws immediate errors)
Checked with every conceivable variation of iPhone/iPad and Mac OS
Checked,double-checked and re-checked IISCrypto settings (best practices minus TLS 1.0)

This problem is **identical** on two different SM servers - the one mentioned above and a much newer one that has only ever run v16 of SmarterMail

Both are running latest SmarterMail.

We are also seeing a smattering of this error in both IMAP and POP3 logs:

[2018.06.27] 09:16:50 [72.55.136.152][36201347] disconnected at 6/27/2018 9:16:50 AM
[2018.06.27] 09:16:50 [72.55.136.152][61593288] Exception negotiating TLS session: System.IO.IOException: Unable to write data to the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
[2018.06.27]    at System.Net.Sockets.NetworkStream.Write(Byte[] buffer, Int32 offset, Int32 size)   --- End of inner exception stack trace ---   at MailService.TcpServerLib.Common.PooledTcpItem.ConvertToSSL(IPBindingPort setting, Log log, String sessionId)   at MailService.TcpServerLib.Common.PooledTcpItem.ConvertToSSL(IPBindingPort setting)   at MailService.TcpServerLib.IMAP.IMAPSession.#W8(String #M8)09:16:50 [72.55.136.152][45364819] Exception negotiating TLS session: System.IO.IOException: Unable to write data to the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
[2018.06.27]    at System.Net.Sockets.NetworkStream.Write(Byte[] buffer, Int32 offset, Int32 size)   --- End of inner exception stack trace ---   at MailService.TcpServerLib.Common.PooledTcpItem.ConvertToSSL(IPBindingPort setting, Log log, String sessionId)   at MailService.TcpServerLib.Common.PooledTcpItem.ConvertToSSL(IPBindingPort setting)   at MailService.TcpServerLib.IMAP.IMAPSession.#W8(String #M8)09:16:50 [72.55.136.152][61593288] disconnected at 6/27/2018 9:16:50 AM
[2018.06.27] 09:16:50 [72.55.136.152][45364819] disconnected at 6/27/2018 9:16:50 AM
[2018.06.27] 09:16:50 [72.55.136.152][4601451] Exception negotiating TLS session: System.IO.IOException: Unable to write data to the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
[2018.06.27]    at System.Net.Sockets.NetworkStream.Write(Byte[] buffer, Int32 offset, Int32 size)   --- End of inner exception stack trace ---   at MailService.TcpServerLib.Common.PooledTcpItem.ConvertToSSL(IPBindingPort setting, Log log, String sessionId)   at MailService.TcpServerLib.Common.PooledTcpItem.ConvertToSSL(IPBindingPort setting)   at MailService.TcpServerLib.IMAP.IMAPSession.#W8(String #M8)09:16:50 [72.55.136.152][4601451] disconnected at 6/27/2018 9:16:50 AM

At this point we are handling a ton of tech support calls - so far **all** IOS / Mac Mail and changing to port 143 with "SSL" fixes the issue.

Any suggestions would be appreciated.

Matthew J. Sine, General Manager8Dweb LLC
"Making the Web a Happy Place"

6 Replies

Reply to Thread

Employee Replied

6/27/2018 at 1:54 PM

Employee Post

Hi Matthew. I was able to find your mail server from a years old ticket. I'm seeing a handshake failure when I test IMAP/TLS.

OpenSSL> s_client -starttls imap -crlf -connect yourmailserver.biz:993
Loading 'screen' into random state - done
CONNECTED(00000228)
18428:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:./ssl/s23_lib.c:188:

Has anything on the server changed recently? Are you NAT'ing through a firewall?

Matthew Sine Replied

6/27/2018 at 2:29 PM

Hi Rod,
No - we have never utilized NAT, and no changes other than the various SM16 updates.
This is why we are perplexed, it is also happening to our other mail server as well - both with same issue. This is why we are so perplexed this time around.

Matthew J. Sine, General Manager8Dweb LLC
"Making the Web a Happy Place"

Employee Replied

6/27/2018 at 2:45 PM

Employee Post

PM'd you.

echoDreamz Replied

6/27/2018 at 10:47 PM

We have a ton of these types of messages too, it appears to be related to failed IMAP login sessions... Something certainly seems off as we have hundreds and hundreds of these in our logs.

[2018.06.27] 00:22:02 [181.131.139.170][42012422] command: 891 CAPABILITY
[2018.06.27] 00:22:03 [181.131.139.170][42012422] command: 892 LOGIN REMOVED XXXX
[2018.06.27] 00:22:03 [181.131.139.170][42012422]  login failed
[2018.06.27] 00:24:32 [181.131.139.170][42012422] command: 893 NOOP
[2018.06.27] 00:24:32 [181.131.139.170][42012422] response: 893 OK NOOP completed
[2018.06.27] 00:24:34 [181.131.139.170][42012422] command: 894 NOOP
[2018.06.27] 00:24:34 [181.131.139.170][42012422] response: 894 OK NOOP completed
[2018.06.27] 00:24:34 [181.131.139.170][42012422] command: 895 XLIST "" "*"
[2018.06.27] 00:24:34 [181.131.139.170][42012422] response: 895 BAD XLIST not allowed in NonAuthenticated state
[2018.06.27] 00:24:35 [181.131.139.170][42012422] command: 896 NOOP
[2018.06.27] 00:24:35 [181.131.139.170][42012422] response: 896 OK NOOP completed
[2018.06.27] 00:24:35 [181.131.139.170][42012422] command: 897 STATUS "Sent Items" (UIDVALIDITY)
[2018.06.27] 00:24:35 [181.131.139.170][42012422] response: 897 BAD STATUS not allowed in NonAuthenticated state
[2018.06.27] 00:26:24 [181.131.139.170][42012422] command: 898 NOOP
[2018.06.27] 00:26:24 [181.131.139.170][42012422] response: 898 OK NOOP completed
[2018.06.27] 00:26:24 [181.131.139.170][42012422] command: 899 SELECT "Inbox"
[2018.06.27] 00:26:24 [181.131.139.170][42012422] Exception: (PooledTcpItem.cs) Object reference not set to an instance of an object.
[2018.06.27] 00:26:24 [181.131.139.170][42012422] StackTrace:    at MailService.TcpServerLib.IMAP.IMAPSession.#GY(String #L9)
[2018.06.27]    at MailService.TcpServerLib.IMAP.IMAPSession.GetMailbox(String #L9)   at MailService.TcpServerLib.IMAP.IMAPSession.#W9(String #X9, Boolean #Y9, MailboxInfo& #Z9, String& #t9)   at MailService.TcpServerLib.IMAP.IMAPSession.#38(String #M8, String #O8)   at MailService.TcpServerLib.IMAP.IMAPSession.ProcessAsyncCommand(String #M8, String #N8, String #O8)   at MailService.TcpServerLib.IMAP.IMAPSession.ProcessAsyncData(Byte[] memStream)   at MailService.TcpServerLib.Common.PooledTcpItem.ProcessData(Int32 bytes)

Ben Rowland Replied

7/7/2018 at 11:20 AM

Hi, is there any update to this? I installed SM 16 last night to try it out (I've used other SM versions for many years) and immediately ran into this problem when trying to configure TLS. Switching IMAP TLS from 993 to 143 worked fine on the iPhone and Mac Mail clients I used for testing, but I don't view that as a permanent solution.

Ben Rowland Replied

7/7/2018 at 11:21 AM

Thanks for posting this. I thought I was going crazy until I found your message!

Back to Community Threads

Please leave this box unchecked

Reply to Thread

Enter the verification text