TLS connections from iPhone/iPad/Mac Mail on Port 993 Failing
Problem reported by Matthew Sine - 6/27/2018 at 6:27 AM
We have been getting slammed with calls after this past weekend (6-23) with iOS and Mac users who cannot connect.
 
The issue appears to be SSL on ports 993 and 995 (IMAP TLS / POP3 TLS).

We have tested a lot of options, but in essence we can get users to connect via SSL (setting in iOS) on port 143 but not on port 993, no matter what we do.
  • Servers both running Windows 2012 R2
  • We have re-issued the certificate and re-exported to PFX with Private Key
  • Checked Firewall - even turned off Windows firewall
  • Removed all ports and set up again (one server is an older server upgraded since SM 13...)
  • Made sure the certificate (re-exported) is properly bound to each port (25, 110, 143, 465, 587, 993, 995, and 366 as an alternate)
  • Checked and re-checked at https://www.htbridge.com/ssl (where we see no issues on port 143 but 993 throws immediate errors)
  • Checked with every conceivable variation of iPhone/iPad and Mac OS
  • Checked, double-checked and re-checked IISCrypto settings (best practices minus TLS 1.0)
This problem is **identical** on two different SM servers: the one mentioned above and a much newer one that has only ever run v16 of SmarterMail.
 
Both are running latest SmarterMail.
 
We are also seeing a smattering of this error in both IMAP and POP3 logs:
[2018.06.27] 09:16:50 [72.55.136.152][36201347] disconnected at 6/27/2018 9:16:50 AM
[2018.06.27] 09:16:50 [72.55.136.152][61593288] Exception negotiating TLS session: System.IO.IOException: Unable to write data to the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
[2018.06.27]    at System.Net.Sockets.NetworkStream.Write(Byte[] buffer, Int32 offset, Int32 size)
[2018.06.27]    --- End of inner exception stack trace ---
[2018.06.27]    at MailService.TcpServerLib.Common.PooledTcpItem.ConvertToSSL(IPBindingPort setting, Log log, String sessionId)
[2018.06.27]    at MailService.TcpServerLib.Common.PooledTcpItem.ConvertToSSL(IPBindingPort setting)
[2018.06.27]    at MailService.TcpServerLib.IMAP.IMAPSession.#W8(String #M8)
[2018.06.27] 09:16:50 [72.55.136.152][45364819] Exception negotiating TLS session: System.IO.IOException: Unable to write data to the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
[2018.06.27]    at System.Net.Sockets.NetworkStream.Write(Byte[] buffer, Int32 offset, Int32 size)
[2018.06.27]    --- End of inner exception stack trace ---
[2018.06.27]    at MailService.TcpServerLib.Common.PooledTcpItem.ConvertToSSL(IPBindingPort setting, Log log, String sessionId)
[2018.06.27]    at MailService.TcpServerLib.Common.PooledTcpItem.ConvertToSSL(IPBindingPort setting)
[2018.06.27]    at MailService.TcpServerLib.IMAP.IMAPSession.#W8(String #M8)
[2018.06.27] 09:16:50 [72.55.136.152][61593288] disconnected at 6/27/2018 9:16:50 AM
[2018.06.27] 09:16:50 [72.55.136.152][45364819] disconnected at 6/27/2018 9:16:50 AM
[2018.06.27] 09:16:50 [72.55.136.152][4601451] Exception negotiating TLS session: System.IO.IOException: Unable to write data to the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
[2018.06.27]    at System.Net.Sockets.NetworkStream.Write(Byte[] buffer, Int32 offset, Int32 size)
[2018.06.27]    --- End of inner exception stack trace ---
[2018.06.27]    at MailService.TcpServerLib.Common.PooledTcpItem.ConvertToSSL(IPBindingPort setting, Log log, String sessionId)
[2018.06.27]    at MailService.TcpServerLib.Common.PooledTcpItem.ConvertToSSL(IPBindingPort setting)
[2018.06.27]    at MailService.TcpServerLib.IMAP.IMAPSession.#W8(String #M8)
[2018.06.27] 09:16:50 [72.55.136.152][4601451] disconnected at 6/27/2018 9:16:50 AM
 
At this point we are handling a ton of tech support calls. So far it is **all** iOS / Mac Mail, and changing to port 143 with "SSL" fixes the issue.
 
Any suggestions would be appreciated.
 
Matthew J. Sine, General Manager, 8Dweb LLC
"Making the Web a Happy Place"

6 Replies

Employee Replied
Hi Matthew.  I was able to find your mail server from a years-old ticket.  I'm seeing a handshake failure when I test IMAP/TLS.
OpenSSL> s_client -starttls imap -crlf -connect yourmailserver.biz:993
Loading 'screen' into random state - done
CONNECTED(00000228)
18428:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:./ssl/s23_lib.c:188:
Has anything on the server changed recently?  Are you NAT'ing through a firewall?
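A note on the two test methods above, as an added example that is not part of the thread or of SmarterMail's code: port 993 is implicit TLS (the client's very first bytes are a TLS ClientHello, and the IMAP greeting only arrives inside the encrypted session), while port 143 is plaintext IMAP that upgrades with the STARTTLS command. A probe therefore has to know which of the two it is talking to, and `openssl s_client -connect host:993` (no `-starttls`) versus `openssl s_client -starttls imap -connect host:143` are the matching invocations. The script below does the same from Python, reports the exact stage at which a connection dies (connect, greeting, starttls, handshake), and can cap the offered TLS version to find out which versions a port still negotiates. Host names and ports are placeholders, and the loopback fixture is constructed to behave like a 993 endpoint that drops the connection during negotiation, the shape of the "forcibly closed by the remote host" entries in the IMAP log.

```python
# Added example, not code from the thread or from SmarterMail: probe an IMAP
# endpoint the way a mail client does, treating port 993 as implicit TLS
# (ClientHello first) and port 143 as STARTTLS (plaintext greeting first).
# Host names/ports are assumptions; the loopback fixture is constructed.
import socket
import ssl
import threading


def _readline(sock, timeout):
    """Read one CRLF-terminated line; returns '' on EOF."""
    sock.settimeout(timeout)
    data = b""
    while not data.endswith(b"\r\n"):
        chunk = sock.recv(1024)
        if not chunk:
            break
        data += chunk
    return data.decode("ascii", "replace").rstrip("\r\n")


def probe_imap(host, port, mode, timeout=3.0, verify=True, max_version=None):
    """mode='implicit' for 993, mode='starttls' for 143.
    Returns (ok, stage, detail); stage names the step where the probe stopped:
    connect, greeting, starttls, handshake or done.  max_version (an
    ssl.TLSVersion) caps the offered protocol so you can find which versions
    the port still negotiates, e.g. after tightening SCHANNEL settings."""
    ctx = ssl.create_default_context()
    if max_version is not None:
        ctx.maximum_version = max_version
    if not verify:                      # lab use only: skip chain/hostname checks
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    stage = "connect"
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:
        return False, stage, str(e)
    with raw:
        try:
            if mode == "starttls":
                stage = "greeting"      # server must speak first, in plaintext
                greeting = _readline(raw, timeout)
                if not greeting.startswith("* OK"):
                    return False, stage, greeting or "no greeting"
                stage = "starttls"
                raw.sendall(b"a1 STARTTLS\r\n")
                resp = _readline(raw, timeout)
                if not resp.startswith("a1 OK"):
                    return False, stage, resp
            stage = "handshake"         # implicit mode: first bytes on the wire
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                detail = f"{tls.version()} {tls.cipher()[0]}"
                if mode == "implicit":  # greeting arrives inside the TLS session
                    detail += " " + _readline(tls, timeout)
            stage = "done"
            return True, stage, detail
        except OSError as e:            # ssl.SSLError is an OSError subclass
            return False, stage, f"{type(e).__name__}: {e}"


def fake_broken_993(timeout=1.0):
    """Constructed loopback fixture emulating a faulty implicit-TLS port: it
    never sends a plaintext greeting, and once the client's ClientHello
    (TLS record type 0x16) arrives it drops the connection without answering,
    which is the 'forcibly closed by the remote host' shape from the log."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.settimeout(timeout)
            try:
                conn.recv(1)            # 0x16 here means a TLS client connected
            except OSError:
                pass                    # nothing arrived: a STARTTLS-style client
            finally:
                conn.close()            # hang up either way

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = fake_broken_993()
    print("implicit :", probe_imap("127.0.0.1", port, "implicit", verify=False))
    print("starttls :", probe_imap("127.0.0.1", port, "starttls", verify=False))
    # Against a real server (placeholder host):
    #   probe_imap("mail.example.com", 993, "implicit")
    #   probe_imap("mail.example.com", 143, "starttls")
    #   probe_imap("mail.example.com", 993, "implicit", max_version=ssl.TLSVersion.TLSv1_1)
```

Against the fixture the implicit probe fails at the `handshake` stage while the STARTTLS probe fails at `greeting`, because an implicit-TLS port will never send a plaintext banner: a STARTTLS-style test pointed at 993 cannot succeed even when the server is healthy, so the stage at which the probe stops is what tells you whether the port is misconfigured or merely being tested the wrong way. Running the implicit probe with successive `max_version` values (TLSv1_2, TLSv1_1, TLSv1) shows which protocol versions the binding accepts, which is the check to run after a cipher-suite or protocol change like the IISCrypto adjustments mentioned in the original post.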
Matthew Sine Replied
Hi Rod,
No - we have never utilized NAT, and no changes other than the various SM16 updates.
This is why we are so perplexed this time around: it is also happening on our other mail server, both with the same issue.
Matthew J. Sine, General Manager, 8Dweb LLC "Making the Web a Happy Place"
Employee Replied
PM'd you.
echoDreamz Replied
We have a ton of these types of messages too, it appears to be related to failed IMAP login sessions... Something certainly seems off as we have hundreds and hundreds of these in our logs.
[2018.06.27] 00:22:02 [181.131.139.170][42012422] command: 891 CAPABILITY
[2018.06.27] 00:22:03 [181.131.139.170][42012422] command: 892 LOGIN REMOVED XXXX
[2018.06.27] 00:22:03 [181.131.139.170][42012422]  login failed
[2018.06.27] 00:24:32 [181.131.139.170][42012422] command: 893 NOOP
[2018.06.27] 00:24:32 [181.131.139.170][42012422] response: 893 OK NOOP completed
[2018.06.27] 00:24:34 [181.131.139.170][42012422] command: 894 NOOP
[2018.06.27] 00:24:34 [181.131.139.170][42012422] response: 894 OK NOOP completed
[2018.06.27] 00:24:34 [181.131.139.170][42012422] command: 895 XLIST "" "*"
[2018.06.27] 00:24:34 [181.131.139.170][42012422] response: 895 BAD XLIST not allowed in NonAuthenticated state
[2018.06.27] 00:24:35 [181.131.139.170][42012422] command: 896 NOOP
[2018.06.27] 00:24:35 [181.131.139.170][42012422] response: 896 OK NOOP completed
[2018.06.27] 00:24:35 [181.131.139.170][42012422] command: 897 STATUS "Sent Items" (UIDVALIDITY)
[2018.06.27] 00:24:35 [181.131.139.170][42012422] response: 897 BAD STATUS not allowed in NonAuthenticated state
[2018.06.27] 00:26:24 [181.131.139.170][42012422] command: 898 NOOP
[2018.06.27] 00:26:24 [181.131.139.170][42012422] response: 898 OK NOOP completed
[2018.06.27] 00:26:24 [181.131.139.170][42012422] command: 899 SELECT "Inbox"
[2018.06.27] 00:26:24 [181.131.139.170][42012422] Exception: (PooledTcpItem.cs) Object reference not set to an instance of an object.
[2018.06.27] 00:26:24 [181.131.139.170][42012422] StackTrace:    at MailService.TcpServerLib.IMAP.IMAPSession.#GY(String #L9)
[2018.06.27]    at MailService.TcpServerLib.IMAP.IMAPSession.GetMailbox(String #L9)   at MailService.TcpServerLib.IMAP.IMAPSession.#W9(String #X9, Boolean #Y9, MailboxInfo& #Z9, String& #t9)   at MailService.TcpServerLib.IMAP.IMAPSession.#38(String #M8, String #O8)   at MailService.TcpServerLib.IMAP.IMAPSession.ProcessAsyncCommand(String #M8, String #N8, String #O8)   at MailService.TcpServerLib.IMAP.IMAPSession.ProcessAsyncData(Byte[] memStream)   at MailService.TcpServerLib.Common.PooledTcpItem.ProcessData(Int32 bytes)
 
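The session above is worth flagging on its own, not only for the exception: after `login failed` the client never re-authenticates, yet keeps issuing XLIST, STATUS and SELECT, and the last of those trips a server-side NullReferenceException while the session is still unauthenticated. The script below, an added example that is not code from the thread or from SmarterMail, groups IMAP log lines by session ID and reports sessions that send authenticated-state commands after a failed LOGIN, together with any exceptions those sessions provoked. The sample log is constructed to match the line shape of the post (the address is replaced with a documentation range, and a successful login is added for contrast); the command set and the threshold are assumptions.

```python
# Added example, not code from the thread or from SmarterMail: group IMAP
# log lines by session and flag sessions that keep sending authenticated-state
# commands after a failed LOGIN.  SAMPLE_LOG is constructed to match the
# shape of the posted lines; AUTH_STATE_ONLY and min_commands are assumptions.
import re
from collections import defaultdict

LINE = re.compile(
    r"^\[(?P<date>[\d.]+)\]\s+(?P<time>[\d:]+)\s+"
    r"\[(?P<ip>[^\]]+)\]\[(?P<sid>\d+)\]\s+(?P<rest>.*)$"
)
# Commands that RFC 3501 only allows in the authenticated/selected states.
AUTH_STATE_ONLY = {"SELECT", "EXAMINE", "STATUS", "LIST", "LSUB", "XLIST",
                   "FETCH", "SEARCH", "UID", "IDLE", "APPEND", "CREATE"}

SAMPLE_LOG = """\
[2018.06.27] 00:22:02 [192.0.2.10][42012422] command: 891 CAPABILITY
[2018.06.27] 00:22:03 [192.0.2.10][42012422] command: 892 LOGIN REMOVED XXXX
[2018.06.27] 00:22:03 [192.0.2.10][42012422]  login failed
[2018.06.27] 00:24:32 [192.0.2.10][42012422] command: 893 NOOP
[2018.06.27] 00:24:32 [192.0.2.10][42012422] response: 893 OK NOOP completed
[2018.06.27] 00:24:34 [192.0.2.10][42012422] command: 895 XLIST "" "*"
[2018.06.27] 00:24:34 [192.0.2.10][42012422] response: 895 BAD XLIST not allowed in NonAuthenticated state
[2018.06.27] 00:24:35 [192.0.2.10][42012422] command: 897 STATUS "Sent Items" (UIDVALIDITY)
[2018.06.27] 00:24:35 [192.0.2.10][42012422] response: 897 BAD STATUS not allowed in NonAuthenticated state
[2018.06.27] 00:26:24 [192.0.2.10][42012422] command: 899 SELECT "Inbox"
[2018.06.27] 00:26:24 [192.0.2.10][42012422] Exception: (PooledTcpItem.cs) Object reference not set to an instance of an object.
[2018.06.27]    at MailService.TcpServerLib.IMAP.IMAPSession.GetMailbox(String #L9)
[2018.06.27] 00:30:00 [192.0.2.11][777] command: 1 LOGIN user@example.com XXXX
[2018.06.27] 00:30:00 [192.0.2.11][777] response: 1 OK LOGIN completed
[2018.06.27] 00:30:01 [192.0.2.11][777] command: 2 SELECT "Inbox"
"""


def parse_sessions(lines):
    """Return {session_id: state} built from the log lines.  A session is
    'authenticated' once a LOGIN's tag is answered with OK; commands from
    AUTH_STATE_ONLY seen after a 'login failed' and before any successful
    login are recorded in post_fail_cmds."""
    sessions = defaultdict(lambda: {"ip": None, "login_failed": 0,
                                    "login_ok": False, "login_tag": None,
                                    "post_fail_cmds": [], "exceptions": 0})
    for line in lines:
        m = LINE.match(line)
        if not m:                       # stack-trace continuation lines etc.
            continue
        s = sessions[m["sid"]]
        s["ip"] = m["ip"]
        rest = m["rest"].strip()
        parts = rest.split()
        if rest == "login failed":
            s["login_failed"] += 1
        elif parts[0] == "command:" and len(parts) >= 3:
            tag, verb = parts[1], parts[2].upper()
            if verb == "LOGIN":
                s["login_tag"] = tag
            elif (verb in AUTH_STATE_ONLY and s["login_failed"]
                  and not s["login_ok"]):
                s["post_fail_cmds"].append(verb)
        elif parts[0] == "response:" and len(parts) >= 3:
            if parts[1] == s["login_tag"] and parts[2] == "OK":
                s["login_ok"] = True
        elif parts[0] == "Exception:":
            s["exceptions"] += 1
    return dict(sessions)


def flag_sessions(sessions, min_commands=1):
    """Sessions that issued >= min_commands authenticated-state commands while
    still unauthenticated after a failed login, worst offenders first."""
    flagged = [
        {"sid": sid, "ip": s["ip"], "commands": s["post_fail_cmds"],
         "exceptions": s["exceptions"]}
        for sid, s in sessions.items()
        if len(s["post_fail_cmds"]) >= min_commands
    ]
    return sorted(flagged, key=lambda f: (-f["exceptions"], -len(f["commands"])))


if __name__ == "__main__":
    for f in flag_sessions(parse_sessions(SAMPLE_LOG.splitlines())):
        print(f"{f['ip']} session {f['sid']}: {len(f['commands'])} commands "
              f"after failed login {f['commands']}, {f['exceptions']} exception(s)")
```

On real logs, feed `parse_sessions` the IMAP log file line by line and aggregate the flagged entries by IP: an address that opens many such sessions is a credential-guessing client worth blocking at the firewall, independent of the TLS problem. Any session that also carries an exception is the more interesting finding, since the failing code path is reachable before authentication; those session IDs are the ones to hand to the vendor.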
Ben Rowland Replied
Hi, is there any update to this? I installed SM 16 last night to try it out (I've used other SM versions for many years) and immediately ran into this problem when trying to configure TLS. Switching IMAP TLS from 993 to 143 worked fine on the iPhone and Mac Mail clients I used for testing, but I don't view that as a permanent solution.
Ben Rowland Replied
Thanks for posting this. I thought I was going crazy until I found your message!