IMAP

I blogged earlier about my frustration with the Mac OS X Mail.app mail client and its apparent lack of STARTTLS support with IMAP4.  Well, on a whim today I decided to take this issue back up again.

Since Microsoft Exchange does not support STARTTLS, I had to use Perdition as an IMAP proxy in front of Exchange.  Earlier attempts to get Mail.app to do STARTTLS had failed (not sure why), but today I decided to try changing the IMAP port from 993 (the default when you check the “Use SSL” box) to 143 (the standard IMAP4 port).  Oddly enough, it seemed to work!

Curious to find out for sure, I trotted out tcpdump on the mail gateway running Perdition to capture traffic to/from Mail.app and to/from the back end mail server.  The traffic to/from the back end mail server was transmitted in the clear (I used plain text messages so that I could see the content), but the traffic to/from Mail.app was not readable.  I also saw Mail.app issue a CAPABILITY command, then issue a STARTTLS command.  Bingo!

So, it appears that Mail.app does indeed support STARTTLS for IMAP, but only if you set the port number back to 143 after checking the “Use SSL” checkbox.

I finally managed to get Perdition working.  Still unable to confirm if Mac OS X’s Mail.app supports STARTTLS (my experience thus far says No), I had to resort to using Stunnel to wrap IMAP inside an SSL tunnel, then forward the IMAP traffic to Perdition on the same host.  The Perdition proxy then passes the traffic to the back-end mail server.  It’s not the solution that I really wanted, but it will do for now.  At least the Exchange Server 2003 IMAP server isn’t exposed directly to external networks.

On a slightly related note, the Slipstick Systems web site has a link to an IMAP proxy server that implements STARTTLS as a workaround for Exchange’s lack of native support for STARTTLS.  The IMAP proxy can be found at http://www.slipstick.com/files/imapproxysvc.zip.  So, if you have an IMAP4 client that supports STARTTLS and want to connect it to Exchange, you can use this IMAP proxy.  At least, until Microsoft puts STARTTLS support into Exchange directly.

In my experiments with Perdition, I learned a couple of very interesting facts.  First, the IMAP4 implementation on Exchange Server 2003 does not support the STARTTLS command, as described in RFC 2595 and re-affirmed in RFC 3501.  Instead, Exchange expects an SSL session to be established immediately, and then IMAP is spoken.  This is similar to the “smtpd_tls_wrappermode” directive that Postfix supports.

Second, it appears that the Mac OS X Mail application (commonly referred to as Mail.app) also uses this IMAP-over-SSL approach, since I’ve been using Mail.app to connect to Exchange using IMAP with SSL for quite some time.  I’m trying to confirm that now, but having precious little luck finding any definitive information one way or the other.  If anyone knows for certain, please let me know.  I’m going to keep searching.

This is one of those things that just makes me crazy.