Help → SSL with IMAP module on Exchange server

SSL with IMAP module on Exchange server

I seem to have a similar problem connecting POPFile via SSL to an Exchange server for an Office 365 account, as mentioned in an old question (ID #440, a year ago), but which was not resolved in that thread. The log file information from my failure is below. I'm using the IMAP module. My e-mail client, Pegasus Mail, connects to it using SSL.

FWIW, to make Pegasus Mail connect via SSL to this IMAP server I had to enable server certificate fingerprint tracking then disable certificate validation (not the right way to do it, but typical MS stuff I figured). Thanks for any suggestions.

Pertinent log file listing:

2014/1/30 13:07:41 7048: imap: 311: Building list of serviced folders.
2014/1/30 13:07:41 7048: bayes: 2231: get_session_key returning key YYYYYY for user XXXXXX
2014/1/30 13:07:41 7048: IMAP-Client: 128: Connecting to outlook.office365.com:993
2014/1/30 13:07:42 7048: IMAP-Client: 136: IO::Socket::SSL error: IO::Socket::SSL: SSL connect attempt failed with unknown errorerror:1411809D:SSL routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid ecpointformat list
2014/1/30 13:07:42 7048: imap: 1627: Could not CONNECT to server.
2014/1/30 13:07:42 7048: IMAP-Client: 287: IMAP-Client is exiting
2014/1/30 13:07:42 7048: imap: 461: Trying to disconnect all connections.
2014/1/30 13:07:42 7048: imap: 272: Could not connect: NO_CONNECT C:\PROGRA~2\POPFile/Services/IMAP.pm(396))

  • Message #1838

    I seem to have a similar problem ... mentioned in an old question (Help Forum ID 440, a year ago), but which was not resolved in that thread.

    I've lost count of the number of times users never report back after I post a reply. Perhaps my replies are useless?

    I suspect the problem might be that the Windows version of POPFile 1.1.3 uses an old version of the OpenSSL library. There is a newer OpenSSL library which I believe is compatible with POPFile 1.1.3 so I'll try building a small utility to update the OpenSSL library in POPFile 1.1.3.

    • Message #1839

      I cannot make the new SSL packages work on my POPFile 1.1.3 installation. I suspect there is something missing from the minimal Perl but the error message doesn't give me any clues.

      I've given up on this problem so I can spend more time on the next release which will use newer SSL packages than POPFile 1.1.3 (my current alpha build of POPFile 1.1.4 is able to make SSL connections).

      • Message #1840

        Brian,

        I think you need to update Net::SSLeay module too.

        I'm using new version of IO::Socket::SSL with POPFile v1.1.3 by doing following steps:

        1) Update Net::SSLeay module

        Download the new version from here:
        http://www.bribes.org/perl/ppm/Net-SSLeay-1.55-PPM58.tar.gz

        Extract the archive and copy contents of 'blib\arch\auto\Net\SSLeay' and 'blib\lib\auto\Net\SSLeay' to 'lib\auto\Net\SSLeay' in the POPFile program directory.

        Copy contents of 'blib\lib\Net' to 'lib\Net' in the POPFile program directory.

        2) Update IO::Socket::SSL module

        Download the new version from here:
        http://www.bribes.org/perl/ppm/IO-Socket-SSL-1.960-PPM58.tar.gz

        Extract the archive and copy 'blib\lib\IO\Socket\SSL.pm' to 'lib\IO\Socket' in the POPFile program directory.

        And to use Proxy module (i.e. POP3 module),

        3) Update Proxy module of POPFile

        Donload the new version of the module from here:
        http://getpopfile.org/browser/branches/b0_22_2/engine/Proxy/Proxy.pm?rev=3844&format=raw

        Copy the downloaded file to 'Proxy' folder in the POPFile program directory.

        Naoki

        • Message #1841

          Er... I'm sorry. Bribes only supply the latest version.

          Please try following links.

          Download the new version from here:
          http://www.bribes.org/perl/ppm/Net-SSLeay-1.55-PPM58.tar.gz

          http://www.bribes.org/perl/ppm/Net-SSLeay-1.58-PPM58.tar.gz

          Download the new version from here:
          http://www.bribes.org/perl/ppm/IO-Socket-SSL-1.960-PPM58.tar.gz

          http://www.bribes.org/perl/ppm/IO-Socket-SSL-1.966-PPM58.tar.gz

          Naoki

          • Message #1842

            I was trying to use the Perl 5.8 versions of IO-Socket-SSL 1.966 and Net-SSLeay 1.58 from bribes obtained via PPM (using the GUI not the command-line).

            Attempts to connect to Gmail resulted in an SSL error message about failing to validate the certificate (I'm away from my development system at the moment so I cannot quote the exact error).

            POPFile 1.1.3 with the original (old) SSL files connects to Gmail without this error (as does my alpha build of POPFile 1.1.4 using the Perl 5.16 versions of IO-Socket-SSL 1.966 and Net-SSLeay 1.58).

            Brian

            • Message #1844

              OK, I've commit a patch [3861] to avoid the error.
              Can you test it?

              Naoki

              • Message #1845

                Attempts to connect to Gmail resulted in an SSL error message about failing to validate the certificate

                I think I got this error because I was trying to make a POP3 connection using the original POPFile 1.1.3 version of engine\Proxy\Proxy.pm.

                Updating to revision 3844 of this file lets me make POP3 connections to Gmail (with the Perl 5.8 versions of IO-Socket-SSL v1.966 and Net-SSLeay v 1.58)

                I'll add Proxy.pm to my SSL Updater for POPFile 1.1.3.

                [IMAP fix] Can you test it?

                I think it will work as it is the same fix that Proxy.pm revision 3844 uses.

                I'll need to enable IMAP for my Gmail account in order to test it.

                Brian

                • Message #1846

                  Updating to revision 3844 of this file lets me make POP3 connections to Gmail (with the Perl 5.8 versions of IO-Socket-SSL v1.966 and Net-SSLeay v 1.58)

                  I'll add Proxy.pm to my SSL Updater for POPFile 1.1.3.

                  Thank you for testing.

                  I think we should set SSL_verify_mode to SSL_VERIFY_PEER to verify the peer (server) certificate in the future version of POPFile (but currently I don't know how to set the CA path on Windows). So I've added TODO comments to 'Proxy/Proxy.pm' and 'Services/IMAP/Client.pm'.

                  Naoki

                  • Message #1847

                    I think we should set SSL_verify_mode to SSL_VERIFY_PEER to verify the peer (server) certificate in the future version of POPFile (but currently I don't know how to set the CA path on Windows).

                    I opened a new thread in the Source Code forum to discuss how to verify the peer (server) certificate:

                    http://getpopfile.org/discussion/3/485

                    Naoki

                • Message #1849

                  [IMAP fix] Can you test it?


                  I think it will work as it is the same fix that Proxy.pm revision 3844 uses.

                  I'll need to enable IMAP for my Gmail account in order to test it.

                  Using the new Client.pm my updated POPFile 1.1.3 installation was able to log in to Gmail and generate the list of folders found on the IMAP server:

                  2014/2/4 15:58:50 5572: IMAP-Client: 128: Connecting to imap.gmail.com:993
                  2014/2/4 15:58:52 5572: IMAP-Client: 177: Connected to imap.gmail.com:993 timeout 60
                  2014/2/4 15:58:52 5572: IMAP-Client: 181: >> * OK Gimap ready for requests from <my IP address>[0d][0a]
                  2014/2/4 15:58:52 5572: IMAP-Client: 209: Logging in
                  2014/2/4 15:58:52 5572: IMAP-Client: 340: << A00000 LOGIN "xxxxx" "xxxxx"[0d][0a]
                  2014/2/4 15:58:53 5572: IMAP-Client: 445: >> * CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN X-GM-EXT-1 UIDPLUS ENABLE MOVE CONDSTORE ESEARCH[0d][0a]
                  

                  I've added Services\IMAP.pm and Services\IMAP\Client.pm to my SSL updater. The updater offers to install the new files or restore the files shipped with the original POPFile 1.1.3 release, so I think it is ready to be uploaded (the zip file size is just over 1 MB).

                  Brian

      • Message #1843

        Thanks very much for working on it. FYI, the SSL connection was working on the previous IMAP server here (via Zimbra e-mail), but it started this when they switched to an MS Office365 e-mail system.

        I can wait for 1.1.4. Short term, I can sort of manage without POPFile -- long term, that would be scary.

        Thanks for the great program.

        Mark

        • Message #1854

          In my first reply I said

          I suspect the problem might be that the Windows version of POPFile 1.1.3 uses an old version of the OpenSSL library. There is a newer OpenSSL library which I believe is compatible with POPFile 1.1.3 so I'll try building a small utility to update the OpenSSL library in POPFile 1.1.3.

          I have just uploaded a small utility (just over 1 MB) to update the Windows version of POPFile 1.1.3.

          It updates POPFile 1.1.3's SSL support files to the latest versions. The utility also makes some minor changes to two POPFile program files to cope with extra features provided by the new SSL support files.

          The utility can also be used to restore the original files (i.e. it can undo the changes it makes to POPFile).

          If you want to try the utility it is available here:
          http://getpopfile.org/downloads/updateSSL-for-POPFile-1.1.3.zip

          If you try these new files and you still have problems, please let us know. The utility installs the same versions of the SSL support files that POPFile 1.1.4 will use (though POPFile 1.1.4 will use versions built for Perl 5.16 instead of Perl 5.8).

          Brian

          • Message #1857

            This solved my problems with the SSL connection. (Updated on Windows 7 SP1.)

            Thanks again, very much!

            Mark

          • Message #1855

            Good work.

            I've tested the updater on Windows XP SP3 to connect the Gmail server without any problems (both POP3 proxy and IMAP service).

            I found a bug that a 'Use of uninitialized value' warning occurs the setting 'concurrent POP3 connections' is on. I've fixed this bug in [3869].

            Naoki