Hi all,

I'm not a regular forum poster on any forums, usually I can find the answers I need by googling, but this one's really got me beat.

I have a debian server running postfix and dovecot serving up IMAPS (993), POP3S (995) and SMTP with TLS (25). As it's email I figure I can happily create certificates with my own root CA - clients can simply install the root cert and everything works fine.

I've tested with openssl s_client, as well as Outlook and Thunderbird and all works as expected.

The problem I have is with BIS. And it's a simple question, I think, but not one that I've been able to find an answer to:

Does BIS refuse self-signed, or untrusted certificates?

See, I'm trying to set up an account through the BIS site (on computer or handheld, it doesn't matter, I get the same errors). On attempting to set up an account (after it's tried to auto-detect and I've got to the page where I put in the address, username and server name) I get:

Cannot connect to email server or invalid server name:

Please verify the server name. If the error persists contact example.com (your
email provider).

I thought I'd cheat, open up IMAP temporarily on the server, then try and switch the account to IMAPS...no luck there either. If I go into 'advanced settings' (again handheld and big computer give the same error) and tick the SSL box I get:


An error occurred during email account validation.
Please check your information and try again.

It's definitely not settings, everything is tickety-boo with clients that connect directly to the mail server...

The error messages BIS provides are so generic it's very difficult to know what's going on. FWIW, on the server side I get:

dovecot: imap-login: Disconnected: rip=216.9.253.55, lip=x.x.x.x, TLS handshake

Which tells me something's falling over during the secure connection negotiation process, but what? and why? Unfortunately this is about as verbose as the logging gets - I know it's a bit OT but I've not been able to find a way of logging low-level SSL/TLS activity on my server.

If only I had a clue about what the BIS server was trying to do then at least I'd know whether to give it up and look for another solution.

So, I go back to my original question:

Does anyone know how BIS handles untrusted certificates?

If you're still reading at this point, thank you for your patience and persistence!

I'm having a similar problem.

Existing users configured with BIS before the cert expired (3 days ago!) are enjoying uninterrupted use, where BIS is now just rejecting the server name and the new user i am trying to add.

If you find a solution please let me know and naturally I'll do likewise!

I'm afraid my problem actually turned out to be far simpler:

My customers mailbox name (not username) on the server was their (rather unfortunate) birthname rather than their 'professional' name which they neglected to tell me and took a little working out since i have no access to their server!

All the best with your quest

onfocus:

I set up my https and imaps servers using certificates from CACert.Org (which I'm quite sure RIM (BIS) doesn't trust), and they have since expired but it works fine.

My settings are: email account name: the full email name ie <name>@<domain>
server type: IMAP
port: 993
ssl: checked

The biggest problem I had when I set everything up was figuring out what the account name was, and how to enter that into all the tools so it was presented to server.

Do the IMAP server or mail logs shed any light?

jfdmedia - glad you got it sorted.

hrbuckley - thanks for posting your experience. Unfortunately the mail server logs don't give me anything I could really call helpful - and that's with all the verbose logging turned on that I can find.

My settings are pretty much the same, I'm just beginning to wonder if there's something up with the way I'm generating the certificates.

Does anyone know if BIS behaves differently for different networks or different geographical areas?

I posed the question to the BB security team and got the reply 'Please contact your wireless service provider for assistance.' After 2 weeks. Plainly this is rubbish as I'm using the bis.eu.blackberry.com server to set up the accounts in the first place - that's not provider dependent but there may be a difference between bis.eu and bis.na?

If only RIM published some technical specs for connecting to BIS...