I created a new self-signed certificate in AMS so I can have secure SMTP and IMAP sessions between our smartphones and roaming laptops when they're outside the network.
Testing from inside the network on both SMTP and IMAP (separately and together), I used default SSL ports in AMS and selected the certificate. I tried using implicit, explicit, and explicit SSL v 2/3 w/ TLS. I made sure Outlook had the right ports and SSL specified for the test account and I cannot get it to work in explicit SMTP mode.
Here's what I've tested so far and the results of the tests:
Worked IMAP explicit: 143 TLS
Worked IMAP implicit: 993 SSL
Worked POP3 explicit: no option in Outlook to test
Worked POP3 implicit: 995 SSL
Failed SMTP explicit: 25 TLS
Worked SMTP implicit: 465 SSL
I cannot seem to get explicit SMTP SSL working in any situation with any client. Here is the message I get kicked back from Outlook when trying SMTP port 25 with TLS:
Send test e-mail message: Your server does not support the connection encryption type you have specified. Try changing the encryption method. Contact your mail server administrator or Internet service provider (ISP) for additional assistance.
Also, when testing with Outlook Mobile on a Windows Mobile 6 smartphone, it appears that AMS will accept a regular non-encrypted IMAP connection even if the Use SSL boxes in AMS are checked. According to my firewall log, the phone is connecting straight to 143 and doesn't even try 993. I assume this means that WinMo Outlook must be used with Explicit? Is there a way to verify if that traffic is encrypted without doing a packet capture? Maybe in logs somewhere?
Also, why does the connection not fail if I have an encryption method enabled on the server and then the phone doesn't connect using SSL? Is there a way to drop all connections if not encrypted OR just force SSL only (aka require SSL)? I understand this isn't an option for SMTP as it would block all incoming mails. For incoming mail servers though (POP and IMAP) I would think there should be a way to configure this in AMS. Is this the case?
Also, if I accept the certificate (it says there is an error - I assume this is because it's self-signed and not verified by a root CA - right?) Do you have any recommendations for a CN? Just make it whatever? Or should it match the host name being accessed (I suppose this doesn't matter since the cert is self-signed anyways).
Thanks in advance!
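An added example, not part of the original post and not AMS code: a Python check of whether a server advertises explicit TLS on SMTP (the `STARTTLS` line in the EHLO reply) and whether IMAP still accepts plaintext logins (no `LOGINDISABLED` capability). The function names, the sample replies and the `cafile` parameter (the exported self-signed certificate in PEM form) are assumptions made for this illustration.

```python
import imaplib
import smtplib
import ssl

# Constructed sample replies (not captured from a real server).
SAMPLE_EHLO_PLAIN = "250-mail.example.test Hello\r\n250-SIZE 10240000\r\n250 AUTH LOGIN PLAIN"
SAMPLE_EHLO_TLS = "250-mail.example.test Hello\r\n250-STARTTLS\r\n250 AUTH LOGIN PLAIN"
SAMPLE_IMAP_CAPS = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN"
SAMPLE_IMAP_CAPS_STRICT = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"


def smtp_offers_starttls(ehlo_reply):
    """True if an EHLO reply lists the STARTTLS extension (explicit TLS)."""
    for line in ehlo_reply.splitlines():
        # Extension lines look like "250-STARTTLS" or "250 STARTTLS".
        if line[:3] == "250" and line[4:].strip().upper() == "STARTTLS":
            return True
    return False


def imap_tls_policy(capability_line):
    """LOGINDISABLED means the server refuses plaintext LOGIN before STARTTLS."""
    caps = {c.upper() for c in capability_line.split()}
    return {"starttls": "STARTTLS" in caps,
            "plaintext_login_allowed": "LOGINDISABLED" not in caps}


def probe_smtp(host, port=25, cafile=None, timeout=10.0):
    """Live check: is STARTTLS offered, and which cipher is negotiated?
    Raises if the TLS handshake or certificate validation fails."""
    ctx = ssl.create_default_context(cafile=cafile)  # trust the exported cert
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        offered = s.has_extn("starttls")
        cipher = None
        if offered:
            s.starttls(context=ctx)
            cipher = s.sock.cipher()  # (name, protocol, bits) once encrypted
        return {"offered": offered, "cipher": cipher}


def probe_imap(host, port=143):
    """Live check: read the pre-login capabilities on the plaintext IMAP port."""
    conn = imaplib.IMAP4(host, port)
    try:
        return imap_tls_policy(" ".join(conn.capabilities))
    finally:
        conn.logout()
```

A `plaintext_login_allowed` result of `True` on port 143 means a client that never issues STARTTLS can still authenticate in the clear.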