Profile Manager Setting IMAP SSL as 143

The iPads and iPhones that have had "Settings for Everybody" profiles installed have the IMAP setting as SSL but with port 143. Shouldn't it be 993 (as the Macs' Mail.app have it)?


Result is that the iOS devices aren't downloading mail.


Any ideas? Tried starting and stopping.

Posted on Aug 30, 2011 1:15 PM


Aug 30, 2011 6:22 PM in response to Frando

I just got off the phone with some Apple Engineers from tech support. They were not aware of this issue, but were able to replicate while I was on the phone with them. They are forwarding this issue on to development engineers, and we hope to see this fixed in a future patch -- hopefully this qualifies for a security patch, otherwise it will have to wait for a maintenance release, i.e. 10.7.2 or 10.7.3.


However, in the meantime we have identified 4 work-arounds:

  1. Remove the system-generated email payload from the Everybody group and create one with the correct ports. (I see there being issues with restarting services, duplicate payloads being created, etc., so I won't be doing this one.)
  2. Let the payloads propagate, but change the ports to 993 on each client. (This can be a hassle if you have more than a few clients. Also, if payloads get sent out, it will likely overwrite these settings.)
  3. Map the port 143 to 993 on your firewall. (This is the route I will take.)
  4. Open port 143 on your firewall, as well as 993. (I don't quite feel as comfortable with this, but it should be an acceptable workaround as well.)


Let me know how this works for you. Mark (the tech support engineer) said he would shoot me an email as soon as he hears back from Engineering as to what their plans will be regarding this issue.


~Mike

Sep 14, 2011 8:07 AM in response to Frando

Final update:


I received a response from the engineer that helped me with this case. The reason that mail does not use port 993 as is often used for IMAPS by various email providers (GMail for one), is because RFC2595 discourages a separate SSL protocol (see section 7).


So this is indeed best practice to use port 143.


(Credit goes to Mark R. and the engineering team at Apple.)


~Mike

Sep 16, 2011 9:43 PM in response to Miggl

Okay, but in everything else Apple, you're allowed to configure IMAP as SSL on 993. Why not specifically here? And why no option to at least make it possible? All my mail server stuff is set up as SSL IMAP on 993. So, basically, because of this one thing, I cannot let my server configure Profile Manager for a "settings for everyone" profile that is usable. "Discourages" has never stopped Apple before.


Grrrrrrrr...


I don't see any options to use TLS in mail on the iOS devices. And the only security settings I see in the server mail area on my Mac related to IMAP are SSL. Why would Apple configure their server mail to allow for SSL on IMAP and then eliminate it from Profile Manager? I don't get it. Are we just supposed to use no security on 143?


This article seems to argue that using separate ports for security is unnecessary because one can use TLS on a standard port. Am I supposed to VPN in to my server to get my mail?


I have to be missing something here -- either misunderstanding how TLS works, or something. I don't see any configuration settings for TLS at all. They can't expect us to settle for using 143 without security. Miggl, what are you planning on doing? Were you going to just leave 143 open? Can you use SSL on 143?


Does Profile Manager put SSL on POP3 at 110 instead of 995 as well?


Lots of questions, sorry. Most of them are rhetorical.

Sep 16, 2011 11:23 PM in response to LogMeCode3

Afterthought


Port 993 is an "Officially Registered" port with IANA for use with SSL over IMAP. It's not like they'll be able to reclaim it for other uses if Apple stops using it for its intended purpose. It's already done. I can understand not wanting to set a precedent for unnecessary use of extra ports, but this one is so widely used. It's almost like one engineer read the referenced article and decided, on his/her own, to eliminate this port in Profile Manager, without consulting anyone else working on other projects that have used 993 for years. I'm also having a hard time with them initially not being aware of the issue and then being able to cite the exact reason why it was done the way it was (though likely they weren't the engineers who worked on the exact project).


I am absolutely not trying to kill the messenger here (obviously not your fault -- at all), I just hope they reconsider this. I think a lot of people are holding off on fully implementing Profile Manager because it's still so buggy and needs fixes. But when it starts getting more widely used, they're going to have many, many more complaints about this one.


I can just see the department-wide email now from the engineer to other Apple developers/engineers, "Hey guys, I've been getting a few calls about a change we made in Profile Manager recently. A couple months ago, we eliminated the ability to configure profiles with port 993 (SSL / IMAP). Are we all cool with that? Forgot to tell y'all earlier. They can still use 143 though. So, it's cool, right?"


And one typical reply: "You bleeping bleep-hole, you did WHAT???? Are you serious, or did Jim in accounting put you up to this, because I wouldn't put it past Jim to pull a prank like this. You tell that S.O.B. that he had me going for a few minutes. You do know he was the one who left that second iPhone, the i5 prototype, in that second bar, right, on purpose? Don't tell anyone though."

Aug 10, 2012 9:21 AM in response to Frando

I have opened port 143 and executed the following line:


sudo serveradmin settings mail:imap:tls_server_options = "require"


This enforces the mail server to accept SSL-connections only. Don't forget to restart the mail server.


The following command sets the default setting:


sudo serveradmin settings mail:imap:tls_server_options = "use"
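
Added example, not part of any post in this thread: a Python check for the question raised above, namely whether a server on port 143 offers a TLS upgrade at all and whether it refuses logins until the upgrade has happened. It relies on the STARTTLS and LOGINDISABLED capabilities from RFC 2595; the sample capability lines are constructed, and mapping them to the "require" and "use" settings is an assumption, not something the thread confirms.

```python
import imaplib
import re
import ssl

PLAINTEXT_MECHS = {"AUTH=PLAIN", "AUTH=LOGIN"}

def parse_capability_line(line):
    """Extract capability tokens from a greeting or an untagged CAPABILITY reply."""
    m = (re.search(r"\[CAPABILITY\s+([^\]]*)\]", line, re.I)
         or re.match(r"\*\s+CAPABILITY\s+(.*)", line.strip(), re.I))
    return m.group(1).split() if m else []

def classify_capabilities(caps):
    """Classify what a server offers on port 143 before any TLS upgrade."""
    caps = {c.upper() for c in caps}
    if "STARTTLS" not in caps:
        return "cleartext-only"   # no upgrade path: credentials would cross in the clear
    if "LOGINDISABLED" in caps and not (caps & PLAINTEXT_MECHS):
        return "tls-required"     # server refuses LOGIN until STARTTLS completes
    return "tls-optional"         # upgrade offered, but a client may skip it

def probe(host, port=143):
    """Live check (needs network): classify, then attempt a verified upgrade."""
    conn = imaplib.IMAP4(host, port)
    try:
        before = classify_capabilities(conn.capabilities)
        upgraded = False
        if before != "cleartext-only":
            # Default context verifies the certificate chain and host name,
            # so a self-signed server certificate raises ssl.SSLError here.
            conn.starttls(ssl_context=ssl.create_default_context())
            upgraded = True
        return before, upgraded
    finally:
        conn.logout()

# Constructed sample lines (not captured from any real server).
SAMPLES = {
    "enforced": "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready.",
    "offered": "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN",
    "absent": "* CAPABILITY IMAP4rev1 AUTH=PLAIN",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, "->", classify_capabilities(parse_capability_line(line)))
```

A result of "tls-optional" means protection depends entirely on each client choosing to upgrade, which is the case to look for before leaving port 143 open on a firewall.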
