IMAP SSL Error when sending / opening e-mails on Android

Support Security
1

I just installed a new SSL Cert from Let’s Encrypt today using Axigen’s system to request it. I thought everything was working fine, but found that IMAP is having some issues. When I look at the log, I find:

IMAP Log

2020-10-15 21:22:58 -0600 16 Server IMAP:00000000: << SSL: client hello, remote 212.102.45.28:52384, version TLS 1.3 (0304)
2020-10-15 21:22:58 -0600 16 Server IMAP:00000000: << SSL: client hello, remote 212.102.45.28:52384, 15 cipher suites: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
2020-10-15 21:22:58 -0600 16 Server IMAP:00000000: << SSL: client hello, remote 212.102.45.28:52384, sni extension for domain.com
2020-10-15 21:22:58 -0600 16 Server IMAP:00000000: >> SSL: server hello, remote 212.102.45.28:52384, version TLS 1.2 (0303)
2020-10-15 21:22:58 -0600 16 Server IMAP:00000000: >> SSL: server hello, remote 212.102.45.28:52384, cipher suite c02f
2020-10-15 21:22:58 -0600 16 Server IMAP:00000000: >> SSL: server write cert, remote 212.102.45.28:52384, version TLS 1.2 (0303)
2020-10-15 21:22:58 -0600 16 Server IMAP:00000000: >> SSL: server write cert, remote 212.102.45.28:52384, certificate 1: serial xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
2020-10-15 21:22:58 -0600 02 Server IMAP:00000000: SSL alert remote 212.102.45.28:52384, undefined:fatal:certificate unknown
2020-10-15 21:23:32 -0600 16 Server IMAP:0000075C: << IXU6 NOOP
2020-10-15 21:23:32 -0600 16 Server IMAP:0000075C: >> IXU6 OK NOOP completed [0 msec]
2020-10-15 21:23:32 -0600 16 Server IMAP:0000075A: << DONE
2020-10-15 21:23:32 -0600 16 Server IMAP:0000075A: >> IXK8 OK IDLE completed [0 msec]
2020-10-15 21:23:32 -0600 16 Server IMAP:0000075A: << IXK9 NOOP
2020-10-15 21:23:32 -0600 16 Server IMAP:0000075A: >> IXK9 OK NOOP completed [0 msec]
2020-10-15 21:23:32 -0600 16 Server IMAP:0000075C: << IXU7 NOOP
2020-10-15 21:23:32 -0600 16 Server IMAP:0000075C: >> IXU7 OK NOOP completed [0 msec]
2020-10-15 21:23:32 -0600 16 Server IMAP:0000075C: << IXU8 NOOP
2020-10-15 21:23:32 -0600 16 Server IMAP:0000075C: >> IXU8 OK NOOP completed [0 msec]
2020-10-15 21:23:32 -0600 16 Server IMAP:0000075C: << IXU9 NOOP
2020-10-15 21:23:32 -0600 16 Server IMAP:0000075C: >> IXU9 OK NOOP completed [0 msec]
2020-10-15 21:23:32 -0600 16 Server IMAP:0000075A: << IXK10 IDLE
2020-10-15 21:23:32 -0600 16 Server IMAP:0000075A: >> + Expecting DONE
2020-10-15 21:23:33 -0600 02 Server IMAP:0000075C: SSL_read error:140E0197:SSL routines:SSL_shutdown:shutdown while in init

I’ve restarted the IMAP service and confirmed that the new cert is correctly on each of the Listeners. Could there be a problem with the Android phone not liking the cert?

Notes:

  1. I did see another article here with a similar error, but it doesn’t look to be the same issue.
  2. My last cert was NOT Let’s Encrypt due to a different problem. I’m reading that they’ve been making updates to their cert chain, so it might be that.
2

I figured out that the Intermediate CA was not on the phones. Not sure why as previous Let’s Encrypt certs didn’t have the problem, but after I added it, IMAP is now syncing.

3

That is great news. Can you help a newby out. I am using a selfsigned cert would love to goto a more secure setup. DO you have instruction on the Let’s Encrypt and how I can add it to my home mailserver.

Thanks in advance for your Help.

4

@MailTec1,

The basic instructions can be found at https://www.axigen.com/documentation/managing-ssl-certificates-p21594182.

For me, I was having issues because Axigen needs to be able to respond on port 80 for the Let’s Encrypt system to confirm you are who you say you are. I was having difficulties enabling non-SSL Listener, so I changed Axigen’s non-SSL Listener’s port to 8080 and routed all port 80 traffic to it via my router. Once I did that, I was able to quickly get the Let’s Encrypt cert and bind it to all of the listeners. You can read about that in my posts here - Let's Encrypt Certificate