The Linux Page

imap_open() troubles

I have been trying to get my imap_open() function to connect to my mail server.

The mail server works just fine since I can use it over and over again to receive emails in Thunderbird.

So...

Can't open mailbox {mail.example.com:993/pop3/ssl/tls/validate-cert}: invalid remote specification

Quite often I was getting this one. In this case the imap_open() tool does not even attempt to connect to the remote system. It dies out immediately. The software just does not like the combination of parameters. I think that ssl and tls are not accepted together because if I put one or the other it works. You can also use /ssl/notls and it works. I think that if you put /ssl, it implies /notls.

Connection failed to mail.example.com,993: Connection timed out

This is an interesting one. If you use the wrong choice of encryption (I use SSL) then it breaks with that error. In other words, the server does not tell me anything about "illegal" whatever.

It is weird because when I do a telnet on that port and send in the wrong command (obviously) it disconnects immediately. So I'm not too sure why it does not disconnect me in this case.

Here I was trying with /tls/novalidate-cert and combinations thereof.

TLS/SSL failure for mail.example.com: SSL negotiation failed

Notice so far that each error has a different scheme? At times they show you the port, at times the options, and at times none of that...

I use the /novalidate-cert each time since I have a self signed certificate. But that does not explain why this one still fails... What am I to do to fix this last (hopefully last!) error?!

Is there even a connection at all?

You never know with these things... so I checked my server firewall, since everything that comes in is tracked on a per port basis (pretty obviously, but hey!)

I could see that the port 993 counter would increase by 1 on each access. Good! The connection happens. Not for long and not for much, but it is there.

Is something accepting the connection?

When I was getting the timeout, I could check the list of connections with netstat -a64 and searching for my client. There it was! So the connection between my server and my client is definitely happening.

Testing with openssl

Just in case I thought I should give it a try with openssl. I'm not too sure what openssl should get me in return, but I get an error, just like imap_open().

openssl s_client -debug -connect mail.example.com:993
CONNECTED(00000003)
write to 0x80c3880 [0x80c38c8] (118 bytes => 118 (0x76))
0000 - 80 74 01 03 01 00 4b 00-00 00 20 00 00 39 00 00   .t....K... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 05 00   ..3..2../.......
0030 - 00 04 01 00 80 00 00 15-00 00 12 00 00 09 06 00   ................
0040 - 40 00 00 14 00 00 11 00-00 08 00 00 06 04 00 80   @...............
0050 - 00 00 03 02 00 80 be 8b-46 4f f8 3c 0d 45 67 82   ........FO.<.Eg.
0060 - 56 29 0d 14 6f fe 0f 7c-4e 6e 6f 14 11 18 07 45   V)..o..|Nno....E
0070 - 53 59 e6 6b 1d 57                                 SY.k.W
read from 0x80c3880 [0x80c8e28] (7 bytes => -1 (0xFFFFFFFF))
write:errno=104
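
The first bytes of this dump can be decoded to see what the client actually sent. The following Python is an added example, not part of the original post: it parses the hex column of the `openssl -debug` output above and reports whether the first message uses SSLv2-compatible framing or SSLv3/TLS record framing, which matters because an endpoint that expects SSLv3/TLS records cannot parse an SSLv2-format hello. The function names are illustrative.

```python
import re

# Hex dump copied from the openssl -debug output above.
DUMP = """\
0000 - 80 74 01 03 01 00 4b 00-00 00 20 00 00 39 00 00   .t....K... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 05 00   ..3..2../.......
0030 - 00 04 01 00 80 00 00 15-00 00 12 00 00 09 06 00   ................
0040 - 40 00 00 14 00 00 11 00-00 08 00 00 06 04 00 80   @...............
0050 - 00 00 03 02 00 80 be 8b-46 4f f8 3c 0d 45 67 82   ........FO.<.Eg.
0060 - 56 29 0d 14 6f fe 0f 7c-4e 6e 6f 14 11 18 07 45   V)..o..|Nno....E
0070 - 53 59 e6 6b 1d 57                                 SY.k.W
"""

# (major, minor) version bytes as they appear on the wire.
VERSIONS = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def dump_to_bytes(text):
    """Return the bytes in the hex column, skipping offsets and the ASCII column."""
    out = bytearray()
    for line in text.splitlines():
        m = re.match(r"\s*[0-9a-f]{4} - ((?:[0-9a-f]{2}[ -]?)+)", line)
        if m:
            out += bytes.fromhex(m.group(1).replace("-", " "))
    return bytes(out)

def describe_hello(data):
    """Classify the first client message by its framing."""
    if len(data) >= 11 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2 framing: 2-byte header with a 15-bit length, message type 1
        # (CLIENT-HELLO), then the highest version the client offers.
        cipher_len, _sid_len, chal_len = (
            int.from_bytes(data[i:i + 2], "big") for i in (5, 7, 9))
        return {"framing": "SSLv2-compatible hello",
                "version": VERSIONS.get((data[3], data[4]), "unknown"),
                "total_bytes": (((data[0] & 0x7F) << 8) | data[1]) + 2,
                "cipher_specs": cipher_len // 3,  # 3 bytes per spec
                "challenge_bytes": chal_len}
    if len(data) >= 5 and data[0] == 0x16 and data[1] == 3:
        # SSLv3/TLS framing: content type 22 (handshake), record version,
        # 16-bit length; 5-byte header.
        return {"framing": "SSLv3/TLS record",
                "version": VERSIONS.get((data[1], data[2]), "unknown"),
                "total_bytes": int.from_bytes(data[3:5], "big") + 5}
    return {"framing": "unrecognised"}

if __name__ == "__main__":
    print(describe_hello(dump_to_bytes(DUMP)))
```

On the dump above it reports an SSLv2-compatible hello offering TLSv1.0, 118 bytes in total, which matches the 118-byte write that openssl logged.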

What about a log?

Well! It took me forever to find the log for the failure.

I checked mail.log and could not see anything. Since it uses SSL, I checked auth.log, but nothing appeared in there either.

The fact is, with the first few errors, nothing was happening and thus I didn't notice that syslog was actually changing. And I receive a large amount of mail and the mail.log would always appear last.

So... syslog... what do we find in there?

I had two types of error. The only difference is 'connect' or 'accept'. The rest is the same.

May 23 16:22:09 web couriertcpd: couriertls: connect: ...
    ... error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
May 23 16:22:09 web couriertcpd: couriertls: accept: ...
    ... error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Good. Now I see the actual error. A version problem. SSL3... Hmmm... maybe imap_open() expects SSL2 only.

Testing with openssl again...

I added the -ssl3 command line option, just in case. You'd think they could determine the version automatically with openssl... Guess what... it worked! Got the "+OK Hello there." message. Cool.

Now, I have to find out whether PHP imap_open() can do that too... Argh!

Solution

Well... I looked around for a way to get imap_open() to accept SSLv3 but I could not see anything about that. I'm wondering why it fails like that.

I therefore used the solution I found here.

The solution was to edit my /etc/courier/imapd-ssl and put SSL23 instead of just SSL2 for the TLS_PROTOCOL. And... it still did not work! Then I edited the /etc/courier/pop3d-ssl file and did the same. Restarted all the servers and that worked like a charm! I can now read my emails.

Note: the port may be 993 or 995 or 143. The protocol imap or pop3. The secure flags ssl, tls and notls. The certificate check can be validate-cert or novalidate-cert.

More Info

You probably want to check out the PHP docs here: http://us.php.net/manual/en/function.imap-open.php

The UW IMAP is by the University of Washington and they have a lengthy document about errors and such. Not that useful in my case, but well... http://www.washington.edu/imap/IMAP-FAQs/index.html