Good evening!

Okay, I am breaking down and posting this question on IMAP4 in an EXCH2007
environment.

Need help setting this up. I believe that I have everything on the
server-side configured properly. I am - from the outside - able to telnet
to the server via 'telnet mail.mydomain.com 143'. Yes, yes....I know. Now,
I am not able to do so when using port 993. I assume that this is a
Firewall issue but I can verify this as this is not my client (helping a
colleague).

Additionally, we can not successfully connect to a mailbox when using OE
from the inside. Do not know what the error was as I was not there. Just
know that it does not work.

I also know (I tried this) that it does not work from the outside (using the
proper 'OWA' url). It looks like it is going to and then tells me that the
server rejected my credentials. The error code is "Code: 800cccd1". I have
tried just about every possible combination of credentials and it just does
not work.

Now, I have also looked at the security/authentication. I attempted every
combination of credentials (domainname\user and user@domainname.com and
domainname\username\alias and a whole bunch of others) under one
authentication setting and then changed the authentication to the second one
and went through the same set of credentials again and when that did not
work I tried the final choice (knowing that it was not going to work as 993
is apparently not open).

Anyone have any idea what I have missed?

Thanks,

Cary

PS....really trying to set up some phones that need to use IMAP. Really
really really would like to use 993!
PSS...does the self-signed cert that Exchange 2007 creates upon installation
cause any problems? Apparently this client has not purchased a cert of any
sort (UCE from DigiCert would be nice).

Re: IMAP4 on Exchange 2007 / Exchange 2007 SP1 by Rich

Rich
Sat Mar 15 15:16:13 CDT 2008

"Cary Shultz" <cshultz@nospam.outsourceitcorp.com> wrote:

>Need help setting this up. I believe that I have everything on the
>server-side configured properly. I am - from the outside - able to telnet
>to the server via 'telnet mail.mydomain.com 143'. Yes, yes....I know. Now,
>I am not able to do so when using port 993. I assume that this is a
>Firewall issue but I can verify this as this is not my client (helping a
>colleague).
>
>Additionally, we can not successfully connect to a mailbox when using OE
>from the inside. Do not know what the error was as I was not there. Just
>know that it does not work.

Then I'd guess that the certificate you're using isn't bound to IMAP,
just to IIS.

>I also know (I tried this) that it does not work from the outside (using the
>proper 'OWA' url). It looks like it is going to and then tells me that the
>server rejected my credentials. The error code is "Code: 800cccd1". I have
>tried just about every possible combination of credentials and it just does
>not work.

If you're using "-LoginType PlainTextLogin" in the imap settings then
I'd really check the cert. Use "get-exchangecertificate | fl" and see
if the "Services" include IMAP. Oh . . . and don't forget to restart
the IMAP service after making changes. :-)



--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott@getronics.com
Or to these, either: mailto:h.pott@pinkroccade.com mailto:melvin.mcphucknuckle@getronics.com mailto:melvin.mcphucknuckle@pinkroccade.com

Re: IMAP4 on Exchange 2007 / Exchange 2007 SP1 by Cary

Cary
Sat Mar 15 18:26:00 CDT 2008

Rich,

"Rich Matheisen [MVP]" <richnews@rmcons.com.NOSPAM.COM> wrote in message
news:48bot318u3oure8m65e7skud8ii5rd2n9o@4ax.com...
> "Cary Shultz" <cshultz@nospam.outsourceitcorp.com> wrote:
>
>>Need help setting this up. I believe that I have everything on the
>>server-side configured properly. I am - from the outside - able to telnet
>>to the server via 'telnet mail.mydomain.com 143'. Yes, yes....I know. Now,
>>I am not able to do so when using port 993. I assume that this is a
>>Firewall issue but I can verify this as this is not my client (helping a
>>colleague).
>>
>>Additionally, we can not successfully connect to a mailbox when using OE
>>from the inside. Do not know what the error was as I was not there. Just
>>know that it does not work.
>
> Then I'd guess that the certificate you're using isn't bound to IMAP,
> just to IIS.

This was something that I initially checked. The cert was not bound to
IMAP, so I enabled that....and I did indeed restart the IMAP4 service after
doing this....but, good call. I am sure that this is often a 'point of
failure' in a lot of cases.

To be thorough, the cert is bound to IIS, POP, IMAP and SMTP.....


>
>>I also know (I tried this) that it does not work from the outside (using the
>>proper 'OWA' url). It looks like it is going to and then tells me that the
>>server rejected my credentials. The error code is "Code: 800cccd1". I have
>>tried just about every possible combination of credentials and it just does
>>not work.
>
> If you're using "-LoginType PlainTextLogin" in the imap settings then
> I'd really check the cert. Use "get-exchangecertificate | fl" and see
> if the "Services" include IMAP. Oh . . . and don't forget to restart
> the IMAP service after making changes. :-)

Done...still not working...






Re: IMAP4 on Exchange 2007 / Exchange 2007 SP1 by Cary

Cary
Sat Mar 15 19:27:03 CDT 2008

Well, I restarted the IMAP service again and made sure that the user account
objects' password had not expired.

Not sure which one did it but it works now....

FYI - user credentials in the domain\user format. So, mydomain\testuser03
did it.

Cary




Re: IMAP4 on Exchange 2007 / Exchange 2007 SP1 by Rich

Rich
Sat Mar 15 21:30:24 CDT 2008

"Cary Shultz" <cshultz@nospam.outsourceitcorp.com> wrote:

>Well, I restarted the IMAP service again and made sure that the user account
>objects' password had not expired.
>
>Not sure which one did it but it works now....
>
>FYI - user credentials in the domain\user format. So, mydomain\testuser03
>did it.

Next time that happens try using a simple:

telnet <server> 143
blah blah READY
a001 login mydomain\testuser03 whateverthepasswordis

If you get back an error that says something along the lines of "bad
command received in invalid state" (I forget the exact wording, sorry)
it's usually related to not having a cert or having a mismatch in the
logintype.

if you enter "a001 capability" you should get back a list of what the
machine will accept. It'll look something like this:

a001 capability
* CAPABILITY IMAP4 IMAP4rev1 AUTH=NTLM AUTH=GSSAPI STARTTLS IDLE NAMESPACE LITERAL+
a001 OK CAPABILITY completed.

If there are multiple DCs involved then perhaps the cmdlet was
changing the values on one DC and the server was looking at another?
Maybe all you had to do was wait 15 minutes and /then/ restart the
service?


--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott@getronics.com
Or to these, either: mailto:h.pott@pinkroccade.com mailto:melvin.mcphucknuckle@getronics.com mailto:melvin.mcphucknuckle@pinkroccade.com
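
Added example, not part of the thread or of anyone's post: a small Python parser for the kind of CAPABILITY reply shown above, reporting whether the server advertises STARTTLS and LOGINDISABLED on an unencrypted port-143 session and which SASL mechanisms would carry the password itself. The sample transcripts, function names and verdict labels are constructed for illustration.

```python
import re

# Constructed transcripts. The first mirrors the CAPABILITY reply quoted in the
# thread, including the line wrap that a pasted telnet session introduces.
SAMPLE_THREAD = (
    "a001 capability\n"
    "* CAPABILITY IMAP4 IMAP4rev1 AUTH=NTLM AUTH=GSSAPI STARTTLS IDLE\n"
    "NAMESPACE LITERAL+\n"
    "a001 OK CAPABILITY completed.\n"
)
SAMPLE_TLS_ENFORCED = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready\r\n"
SAMPLE_NO_TLS = "* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN IDLE\r\na002 OK done\r\n"

PASSWORD_MECHS = {"PLAIN", "LOGIN"}  # SASL mechanisms that send the password itself
NOT_CONTINUATION = re.compile(r"[*+] |\S+ (OK|NO|BAD)\b", re.I)


def parse_capabilities(transcript):
    """Collect upper-cased capability atoms from a greeting or CAPABILITY reply."""
    caps, collecting = set(), False
    for line in transcript.splitlines():
        untagged = re.match(r"\* CAPABILITY\s+(.*)", line, re.I)
        code = re.search(r"\[CAPABILITY\s+([^\]]*)\]", line, re.I)
        if untagged or code:
            caps.update((untagged or code).group(1).upper().split())
            collecting = bool(untagged)  # only an untagged reply can be wrapped
        elif collecting and line.strip() and not NOT_CONTINUATION.match(line):
            caps.update(line.upper().split())  # wrapped remainder of the reply
        else:
            collecting = False
    return caps


def assess_plain_port(transcript):
    """Summarise what the server advertises on an unencrypted port-143 session."""
    caps = parse_capabilities(transcript)
    mechs = {c[5:] for c in caps if c.startswith("AUTH=")}
    if "STARTTLS" not in caps:
        verdict = "no-tls"        # no in-band upgrade; only port 993 protects LOGIN
    elif "LOGINDISABLED" in caps:
        verdict = "tls-enforced"  # RFC 3501: client must STARTTLS before LOGIN
    else:
        verdict = "tls-optional"  # LOGIN not advertised as off before STARTTLS
    return {
        "verdict": verdict,
        "password_sasl": sorted(mechs & PASSWORD_MECHS),
        "other_sasl": sorted(mechs - PASSWORD_MECHS),
    }


if __name__ == "__main__":
    for name in ("SAMPLE_THREAD", "SAMPLE_TLS_ENFORCED", "SAMPLE_NO_TLS"):
        print(name, assess_plain_port(globals()[name]))
```

The verdict reflects only what the server advertises; a server can still reject LOGIN on port 143 without listing LOGINDISABLED.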

Re: IMAP4 on Exchange 2007 / Exchange 2007 SP1 by Cary

Cary
Sat Mar 15 21:53:30 CDT 2008

Rich,

in-line...


"Rich Matheisen [MVP]" <richnews@rmcons.com.NOSPAM.COM> wrote in message
news:kt0pt3hlfeoc2eu85fqd2g286voh1mjtib@4ax.com...
> "Cary Shultz" <cshultz@nospam.outsourceitcorp.com> wrote:
>
>>Well, I restarted the IMAP service again and made sure that the user account
>>objects' password had not expired.
>>
>>Not sure which one did it but it works now....
>>
>>FYI - user credentials in the domain\user format. So, mydomain\testuser03
>>did it.
>
> Next time that happens try using a simple:
>
> telnet <server> 143
> blah blah READY
> a001 login mydomain\testuser03 whateverthepasswordis
>
> If you get back an error that says something along the lines of "bad
> command received in invalid state" (I forget the exact wording, sorry)
> it's usually related to not having a cert or having a mismatch in the
> logintype.

cert - while the self-signed cert - seems to be correct....the URL of the
cert matches the URL used to access e-mail (webmail.mydomain.com.....in this
case). And, as already stated, "Service" is set for four - as mentioned.

>
> if you enter "a001 capability" you should get back a list of what the
> machine will accept. It'll look something like this:
>
> a001 capability
> * CAPABILITY IMAP4 IMAP4rev1 AUTH=NTLM AUTH=GSSAPI STARTTLS IDLE NAMESPACE LITERAL+
> a001 OK CAPABILITY completed.

good to know. I know about telnet (one of my favorite tools) but did not
know about the a001 part.
>
> If there are multiple DCs involved then perhaps the cmdlet was
> changing the values on one DC and the server was looking at another?
> Maybe all you had to do was wait 15 minutes and /then/ restart the
> service?

I did change the password...actually on two test accounts that I previously
created for other purposes. I was able to immediately access - via OE from
my laptop at home - both accounts via IMAP. Now, you are going to shoot me
for this....but the EXCH2007 box is on a DC.....not my choice, not my doing.
But, I will say that in this specific situation this was really necessary.

Now, another thing to note is that I was able to access - with both
accounts - e-mail via OE with each of the three authentication types
selected on the EXCH2007 SP1 box. I currently left it the bottom one (tls
required). Still works.