Today I wanted to add an email account:

- Created the account with manual settings:
  - Protocol IMAP
  - Username + password
  - TLS encryption
  - Port 993

The server on the other end is a Cyrus IMAP daemon, listening to 143 (IMAP) and 993 (IMAPS, resp. IMAP4S).

I imported the CA cert and the server PEM (for good measure) and connected to the server, only to get the following errors (log on server):

Apr 9 16:01:50 hcsrv01 cyrus/imaps[8988]: imaps TLS negotiation failed: [xxx.xxx.xxx.xxx]
Apr 9 16:01:50 hcsrv01 cyrus/imaps[8988]: Fatal error: tls_start_servertls() failed

The log on the Pre showed a Java exception.

With tcpdump I found out that the Pre sent an "A1 CAPABILITY" to the Cyrus daemon and then the daemon dropped the connection.

So the Pre used normal (unencrypted) IMAP, not IMAPS.

OK, seeing that, I suspected that the Pre used the "starttls" protocol instead of "proper" IMAPS. So I connected to port 143 instead of 993 and voila:

- Connection with standard IMAP
- Verification with "CAPABILITY" that the server understands "STARTTLS"
- TLS negotiation with "STARTTLS"
- encrypted IMAPS traffic

So this is not a serious bug, but can cause major trouble.

The STARTTLS protocol is intended for text protocols that support plain and encrypted traffic OVER THE SAME PORT (ask Wikipedia - I'm not allowed to post links with only 9 posts). So it makes perfect sense to speak STARTTLS on port 143, which is used for plain IMAP also.

The Pre also uses STARTTLS for encrypted SMTP traffic (I verified that), but that is fine, because plain and encrypted SMTP both use port 25.

It doesn't make sense to speak STARTTLS on port 993, which is the official port for encrypted IMAPS traffic.

It's great that the email app supports user-defined ports, but it should be smart enough to know about port 993 and should connect with a TLS initiation, not with an IMAP capability request.

Just thought I'd mention it ... if anyone knows an official bug report contact at Palm, I'd be glad to inform them directly.

-Walter
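
The port/mode mismatch described in the post above, as an added example that is not part of the original post: it classifies the first bytes a client sends (as seen in a tcpdump capture) and flags a plaintext IMAP command arriving on an implicit-TLS port, then shows a client picking the TLS mode from the port. The function names and the ClientHello prefix are constructed for illustration; only "A1 CAPABILITY" and ports 143/993 come from the post.

```python
import imaplib
import re
import ssl

IMPLICIT_TLS_PORTS = {993}  # IMAPS: TLS handshake starts immediately
STARTTLS_PORTS = {143}      # plain IMAP, upgraded in-band with STARTTLS

PRE_FIRST_BYTES = b"A1 CAPABILITY\r\n"  # what the post saw in tcpdump
# Constructed sample: start of a TLS record carrying a ClientHello.
CLIENT_HELLO_PREFIX = bytes.fromhex("1603010200010001fc0303")

# A tagged IMAP command: tag, space, command word.
IMAP_COMMAND = re.compile(rb"^[A-Za-z0-9.]+ [A-Za-z]+[ \r\n]")


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a client sends after the TCP handshake."""
    # TLS record header: type 0x16 (handshake), version major 0x03,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"
    if IMAP_COMMAND.match(data):
        return "plaintext-imap"
    return "unknown"


def diagnose(port: int, first_bytes: bytes) -> str:
    """Compare what the client sent with what the port expects."""
    kind = classify_first_bytes(first_bytes)
    if port in IMPLICIT_TLS_PORTS and kind == "plaintext-imap":
        return "mismatch: plaintext IMAP sent to an implicit-TLS port"
    if port in STARTTLS_PORTS and kind == "tls-client-hello":
        return "mismatch: TLS handshake sent to a STARTTLS port"
    return "unknown" if kind == "unknown" else "ok"


def connect(host: str, port: int) -> imaplib.IMAP4:
    """Open an encrypted IMAP session using the mode that matches the port."""
    ctx = ssl.create_default_context()  # verifies the server certificate
    if port in IMPLICIT_TLS_PORTS:
        return imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    conn = imaplib.IMAP4(host, port)
    if "STARTTLS" not in conn.capabilities:
        conn.shutdown()
        raise ConnectionError("no STARTTLS advertised; refusing plaintext login")
    conn.starttls(ssl_context=ctx)
    return conn
```

`connect()` needs a reachable server, so only `classify_first_bytes()` and `diagnose()` run offline against the embedded samples.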