
We've recently moved to a semi-outsourced Exchange farm, replacing our internal one. An application I've been asked to help troubleshoot uses IMAP to download some emails from the Exchange servers in question. This fails. Attempting to "speak the protocol" directly (e.g., with CAPABILITY) produces custom messages about only STARTTLS being allowed (I know they are custom to some degree because they mention the internal name of the project to "semi outsource" our email.) Is this within the spec for IMAP? My reading of the RFCs is that the CAPABILITY command should always be available, even if not always believable. (NOOP and LOGOUT also do not work at this point.) Is this a configuration concern with Exchange or is it possibly somewhere else? (IDS/Firewall?)

For what it is worth, I also got permission to nmap the test Exchange instance, and it does not find IMAP on port 143 but instead thinks it is some other protocol, which is suggestive. (It thinks it is BIND but then proceeds to crash on the BIND version checks, which isn't surprising given the strings that it would be getting.)

Edit: 993 might already be expecting a TLS/SSL connection from a tunnel set up some other way. Does this make sense?

  • This sounds more like an administrative issue related to "what kind of service did you agree to receive?". It looks like they just don't support plaintext IMAP (port 143). If they expect connections only through 993, your application needs to connect with encryption; if said application doesn't support it, you can use stunnel to encapsulate your IMAP requests to the new server. So yes, your question from the "Edit" makes sense. Here's a short [howto](http://petermolnar.hu/secure-smtp-and-imap-sessions-with-stunnel/) – kamihack Apr 08 '16 at 20:07
  • I decided to make it a comment instead of an answer, because it didn't seem I was creating a whole solution, just clarifying your situation. In regards to your reading the RFC, kudos; but you should be reading [RFC 2595](https://tools.ietf.org/html/rfc2595) instead of the IMAP RFC, because the only port you have open is for IMAPS – kamihack Apr 08 '16 at 20:11
  • Thanks for answering, kamihack. It seems that 143 should nevertheless be in spec and I don't understand why, still. As for 993, people have suggested a preexisting tunnel here too. I'll look into this. – Keith Douglas Apr 11 '16 at 15:49
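The probe the question describes, written out as an added example (this is not code from the asker or the commenters, and it knows nothing about the real Exchange farm): it connects, reads the greeting, sends CAPABILITY, NOOP and LOGOUT, and records for each whether the server returned the tagged OK/NO/BAD reply that RFC 3501 requires for those three commands in every state, and whether STARTTLS was advertised. So that it runs offline, two servers are constructed in the script: an in-spec STARTTLS-only server, and a gateway that answers with a bare "only STARTTLS is allowed" line instead of a tagged reply; their greetings and wording are made up. `probe_host` does the same against a live host, either in plaintext on 143 or, for the 993 case from the comments, with TLS negotiated before the first IMAP byte (IMAPS, RFC 2595).

```python
"""Probe an IMAP endpoint as in the question: on 143 send CAPABILITY/NOOP/LOGOUT (valid in
every RFC 3501 state) and check for tagged OK/NO/BAD replies and a STARTTLS advertisement;
on 993 wrap the socket in TLS before the first IMAP byte (IMAPS, RFC 2595)."""
import re
import socket
import ssl

TAG_RE = re.compile(r"^(\S+) (OK|NO|BAD)\b", re.I)  # tagged reply; untagged data starts "* "

class SocketTransport:
    """Line-oriented wrapper over a real socket (plain, or already TLS-wrapped)."""
    def __init__(self, sock):
        self.sock, self.rfile = sock, sock.makefile("rb")
    def send(self, data):
        self.sock.sendall(data)
    def recv_line(self):
        line = self.rfile.readline()
        return line.decode("utf-8", "replace").rstrip("\r\n") if line else None

class ScriptedTransport:
    """Constructed stand-in for a server so the probe runs offline: replays canned lines per
    command; None in a script means 'close the connection'; '{tag}' becomes the client tag."""
    def __init__(self, greeting, script):
        self.queue, self.script, self.closed = [greeting], script, False
    def send(self, data):
        tag, _, cmd = data.decode().rstrip("\r\n").partition(" ")
        for line in self.script.get(cmd.upper(), [None]):
            self.queue.append(None if line is None else line.replace("{tag}", tag))
    def recv_line(self):
        if self.closed or not self.queue:
            return None
        line = self.queue.pop(0)
        self.closed = line is None
        return line

class ImapSession:
    def __init__(self, transport):
        self.t, self.n = transport, 0
    def command(self, name):
        """Send one command; return (tag, tagged reply or None, untagged lines seen)."""
        self.n += 1
        tag = "A%03d" % self.n
        self.t.send(("%s %s\r\n" % (tag, name)).encode())
        untagged = []
        while True:
            line = self.t.recv_line()
            if line is None:
                return tag, None, untagged  # connection closed without a tagged reply
            if line.startswith("* "):
                untagged.append(line)
                continue
            return tag, line, untagged      # tagged reply, or something that is not IMAP

def classify(tag, tagged, untagged):
    """'OK'/'NO'/'BAD' for a proper tagged reply, otherwise what actually happened."""
    if tagged is None:
        return "bye" if any(u.upper().startswith("* BYE") for u in untagged) else "closed"
    m = TAG_RE.match(tagged)
    return m.group(2).upper() if m and m.group(1) == tag else "nonstandard"

def probe(transport):
    session = ImapSession(transport)
    greeting = session.t.recv_line() or ""
    result = {"greeting": greeting, "commands": {},
              "starttls_advertised": "[CAPABILITY" in greeting.upper() and "STARTTLS" in greeting.upper()}
    for cmd in ("CAPABILITY", "NOOP", "LOGOUT"):
        tag, tagged, untagged = session.command(cmd)
        if any(u.upper().startswith("* CAPABILITY") and "STARTTLS" in u.upper() for u in untagged):
            result["starttls_advertised"] = True
        result["commands"][cmd] = classify(tag, tagged, untagged)
        if result["commands"][cmd] in ("closed", "bye"):
            break
    # A STARTTLS-only server may answer NO/BAD to nearly everything, but these three commands
    # must still get a tagged reply; LOGOUT ending in "* BYE" followed by a close is tolerated.
    result["rfc3501_conformant"] = all(v in ("OK", "NO", "BAD") or (c == "LOGOUT" and v == "bye")
                                       for c, v in result["commands"].items())
    return result

def constructed_transport(kind):
    """Two made-up servers: an in-spec STARTTLS-only server, and a gateway that answers with a
    bare message instead of a tagged reply, like the behaviour the question describes."""
    if kind == "starttls_only_in_spec":
        return ScriptedTransport(
            "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] constructed server ready",
            {"CAPABILITY": ["* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED", "{tag} OK done"],
             "NOOP": ["{tag} OK done"], "LOGOUT": ["* BYE logging out", "{tag} OK done"]})
    msg = "Only STARTTLS is allowed on this port (constructed gateway message)"
    return ScriptedTransport("* OK constructed gateway", {c: [msg] for c in ("CAPABILITY", "NOOP", "LOGOUT")})

def demo():
    """Offline run of the probe against both constructed servers."""
    return {k: probe(constructed_transport(k)) for k in ("starttls_only_in_spec", "nonstandard_gateway")}

def probe_host(host, port, implicit_tls=False):
    """Live probe: plaintext on 143, or TLS negotiated before any IMAP traffic on 993."""
    sock = socket.create_connection((host, port), timeout=10)
    if implicit_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    try:
        return probe(SocketTransport(sock))
    finally:
        sock.close()
```

From an interpreter, `demo()` shows the two constructed cases side by side, and `probe_host("mail.example.test", 143)` and `probe_host("mail.example.test", 993, implicit_tls=True)` run the same checks against a real host (the hostname here is a placeholder). The distinction the result makes is the one the question turns on: a tagged NO or BAD carrying a "STARTTLS first" message is within RFC 3501, and the fix is on the client side (issue STARTTLS, or use implicit TLS on 993, e.g. through stunnel as the comments suggest); a port 143 that never returns a tagged reply to CAPABILITY at all is not speaking RFC 3501 IMAP, which is worth raising with whoever runs the gateway rather than treating as an Exchange setting.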

0 Answers