Hi. This has suddenly stopped working on 1.17 and still doesn't work on 1.18.

I have done packet captures on the server side, and there doesn't seem to be anything wrong on the server side.

    yurividal

    Try removing tls:// from your hostname and retest. Maybe your port 143 doesn't support TLS, rather SSL or simply no encryption.

    Cheers.

      KevinTheJedi
      Removing tls:// doesn't work. The server rejects the connection, because it's not set to allow LOGIN like that.

      ```
      telnet 172.17.12.13 143
      01 LOGIN "helpdesk@domain.com" "password"
      01 BAD Command received in Invalid state.
      ```

      It used to work for years with the tls://
      Not sure what changed. We definitely didn't change anything in this email server.

        yurividal

        You may need to double check your CA and other certificates on the web server; they are potentially stale. Also make sure your OpenSSL on the web server is working and up to date.

        Cheers.

        I found a Reddit thread that included a fix. The issue was that my Exchange cert chain apparently was stuck after we replaced the cert. The fix is:

        Looks like when the certificate was enabled whoever did it said yes to replace the default self-signed certificate. Exchange uses an internal self-signed certificate using the actual name of the server for internal purposes. As you cannot get trusted certs with internal names you have to use the self-signed one.
        Easy fix, drop into EMS and type new-exchangecertificate without any additional switches and press enter. Say yes to the prompt about replacing the current certificate and restart MS Exchange Transport service.
