Brad & I are having a weird problem with his iPhone 4S (with the latest iOS versions).
iPhone built-in Mail, IMAPS (port 993), SSL (self-signed cert, old ciphers disabled on server), Dovecot.
He can connect to imap with the above config on his in-office wifi, in-home wifi over vpn to office, and shaw open wifi outside his office/home network.
If he switches to 3G (I don't think his phone does LTE) then suddenly he can't connect! (With some useless "can't connect" error.)
Huh? Duh?
Exact same setup and settings on an iPhone 5 works fine. Also works fine on Android. The problem is just on his 4S.
Even more interesting, if he wifi tethers a PC to his 4S over 3G and hits IMAPS using Thunderbird on the PC it works fine.
My question is, what on earth does changing the connection layer have anything to do with this? Can the phone be doing something differently in the mail app depending on 3G or wifi??? Can the 3G network be blocking something (unlikely since the tethered PC works)? It makes no sense whatsoever to me. Maybe his phone is p0wned? I'm stumped. Ideas?
Not that I'd expect this to be the underlying cause, but have you tried with a valid cert? https://letsencrypt.org/ makes this free for those who dabble in TLS without spending a fortune.
Theodore Baschak https://ciscodude.net/ https://theodorebaschak.com/
On Mon, Mar 7, 2016 at 12:30 PM, Trevor Cordes trevor@tecnopolis.ca wrote:
_______________________________________________ Roundtable mailing list Roundtable@muug.mb.ca http://www.muug.mb.ca/mailman/listinfo/roundtable
I don't have an answer but part of your premise confuses me. You said: "He can connect via ... in-home wifi over vpn to office, and shaw open wifi outside". If he can connect on public wifi (Shaw), why does he need a VPN to connect from home? And why did you mention Shaw public wifi specifically? Why not all public wifi?
I'm not an iOS guy at all but I was under the impression that iPhones will not connect without a valid certificate, including situations where a valid certificate's name does not match the domain name. I've commonly seen this in situations where a phone connects to an internal wifi and the phone does a DNS lookup for an external name, but then ends up hitting an internal IP address with a self-signed internal domain trusted certificate. Since the phone is not domain joined (unlike corporate laptops, for example), it doesn't trust the cert and refuses to connect.
One solution is to manually install the certificate on the iPhone.
That being said, it doesn't match your scenario so I'm not sure this is your problem.
John
On Mon, Mar 7, 2016 at 1:40 PM, Theodore Baschak theodore@ciscodude.net wrote:
On 2016-03-07 John Lange wrote:
I don't have an answer but part of your premise confuses me. You said: "He can connect via ... in-home wifi over vpn to office, and shaw open wifi outside". If he can connect on public wifi (Shaw), why does he need a VPN to connect from home? And why did you mention Shaw public wifi specifically? Why not all public wifi?
Ya, I could have worded that better. I was just listing our actual test scenarios.
He'd (most likely) be able to connect with all public wifi. He's only tested shaw's free wifi so far.
The original server in question he's trying to connect to is his home server. He has a permanent VPN connecting home server to office server (and lan to lan). That's what the "vpn to..." was about. So whether he's at home or office (wired or wifi) he can connect to any computer on either lan as though he was local.
where a valid certificate's name does not match the domain name. I've commonly seen this in situations where a phone connects to an internal wifi and the phone does a DNS lookup for an external name,
Ya, I've seen the same thing, but newer iOS makes it easier to connect to self-signed. (Android makes it dead easy.) But in the last test I outlined just prior to this email we eliminated the cert as the culprit.
One solution is to manually install the certificate on the iPhone.
Ya, he had done that anyway. (Our fun problem after that was how to get rid of it! Apparently you have to reset your whole iphone to do that! But it's not relevant to the real-cert test scenario.)
If someone has a 4S and wants to help us out I can email you some quick test creds and server info if you want to see if you can connect. It would at least tell us if Brad's 4S has been compromised or is dying or something.
Thanks guys!
This may be a dumb question, but have you tried deleting the settings for that mail server from the 4S, and reconfiguring it from scratch? Does the problem persist after that? It sounds like something got hosed in iOS's settings. While I haven't seen exactly this problem, I have on previous occasions seen problems go away when reconfiguring a server's settings.
On 03/07/2016 04:39 PM, Trevor Cordes wrote:
On 2016-03-08 Gilles Detillieux wrote:
This may be a dumb question, but have you tried deleting the settings for that mail server from the 4S, and reconfiguring it from scratch? Does the problem persist after that? It sounds like something got hosed in iOS's settings. While I haven't seen exactly this problem, I have on previous occasions seen problems go away when reconfiguring a server's settings.
Ya, we thought about that, especially with cert "memory", and have tried hosing the whole account a few times and starting from scratch. No joy.
The test to the completely new/different test server achieved the same result, anyhow.
It sure is a big mystery! When we first started fighting with this I thought the carrier was doing something weird, but now I'm convinced it's just Apple being stupid Apple (or a strangely broken phone). I won't be surprised if someone else with a 4S tries our test and it fails too.
On 2016-03-07 Theodore Baschak wrote:
Not that I'd expect this to be the underlying cause, but have you tried with a valid cert? https://letsencrypt.org/ makes this free for those who dabble in TLS without spending a fortune.
We thought at length about cert issues, but then again, why would the 4S be happy with the cert with one net connection and not with another? Does the iPhone really have this?:
if ($3g and $selfsignedcert) barf() else workfine()
For sure this is a stumper.
I set up a test account on another (almost identical) server that has a legit Thawte SSL cert on it just now, out of curiosity, and we set up his 4S to connect to it (same everything else) and it doesn't connect. So same problem regardless of real or fake cert. That actually makes sense.
We did some tcpdumps at the same time and when connected with 3G *NO TRAFFIC* shows up from the phone to the server! Not a single TCP packet.
Next we installed a telnet client on the 4S and telnetted to both servers on port 993 and that did cause traffic to show in tcpdump (yay!).
So the problem appears to be solely in the iOS default email application! It's like it really does have code in it like:
if ($3g and $ssl and $port993) barf() else workfine()
We'll next be trying a different email app, just to see what happens (my guess, it'll work fine, proving the 4S email app is complete garbage -- still, what a weird bug!).
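The tcpdump test above is the decisive step in the thread: no packets from the phone means the failure is inside the client, not in the cert, the ciphers or the carrier. Here is an added example (not from the original posts) that applies that reasoning to a capture programmatically: it reads tcpdump -n lines and reports how far a given client got towards an IMAPS session on port 993. The IP addresses and the capture lines are constructed for the example.

```python
import re

# Matches one TCP line of "tcpdump -n" output, e.g.
# 12:30:01.000001 IP 10.0.0.5.51234 > 192.0.2.10.993: Flags [S], seq 100, win 65535, length 0
TCP_LINE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*length (?P<length>\d+)"
)

def classify_imaps_attempt(lines, client_ip, server_ip, port=993):
    """Return how far client_ip got towards an IMAPS session with server_ip.

    "no_traffic"     nothing from the client to server:port at all (the thread's
                     symptom: the mail app never even opened a socket)
    "syn_unanswered" SYN sent but no SYN-ACK (filtered path or server down)
    "tcp_only"       handshake completed, client sent no application data
    "tls_attempted"  client sent data (ClientHello), so any failure is TLS-level
    """
    syn = synack = client_data = False
    for line in lines:
        m = TCP_LINE.match(line)
        if not m:
            continue  # non-TCP or unrelated line
        to_server = (m["src"] == client_ip and m["dst"] == server_ip
                     and int(m["dport"]) == port)
        from_server = (m["src"] == server_ip and m["dst"] == client_ip
                       and int(m["sport"]) == port)
        if to_server and m["flags"] == "S":
            syn = True
        if from_server and m["flags"] == "S.":
            synack = True
        if to_server and int(m["length"]) > 0:
            client_data = True
    if client_data:
        return "tls_attempted"
    if synack:
        return "tcp_only"
    return "syn_unanswered" if syn else "no_traffic"

# Constructed capture: 10.0.0.5 completes the handshake and sends a 517-byte
# ClientHello; 10.0.0.7 retransmits an unanswered SYN; 10.0.0.6 never appears.
SAMPLE_CAPTURE = """\
12:30:01.000001 IP 10.0.0.5.51234 > 192.0.2.10.993: Flags [S], seq 100, win 65535, length 0
12:30:01.000200 IP 192.0.2.10.993 > 10.0.0.5.51234: Flags [S.], seq 900, ack 101, win 29200, length 0
12:30:01.000400 IP 10.0.0.5.51234 > 192.0.2.10.993: Flags [.], ack 1, win 4096, length 0
12:30:01.000600 IP 10.0.0.5.51234 > 192.0.2.10.993: Flags [P.], seq 1:518, ack 1, win 4096, length 517
12:30:02.000001 IP 10.0.0.7.40000 > 192.0.2.10.993: Flags [S], seq 200, win 65535, length 0
12:30:03.000001 IP 10.0.0.7.40000 > 192.0.2.10.993: Flags [S], seq 200, win 65535, length 0
""".splitlines()
```

Feed it `tcpdump -n -i eth0 port 993` output taken while the phone tries to connect; a "no_traffic" result for the phone's address is the same conclusion the thread reached by eye.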