[Richard Buckley]

r
Could you give us more information on your server and how did you configure it?

Is it a Exchange 2013 server with EAS ?

No I'm using dovecot and exim for IMAP and SMTP. If you read the whole thread there is a discussion about EAS and one poster got a ticket opened by BlackBerry. The issue isn't in the support of TLS 1.2, rather it seems to be a problem with no common cypher between the BlackBerry and the EAS server.

But since it seems to work on Wi-Fi and VPN the problem would seem to be the difference in the configuration of the Internet facing services vs the internal facing services.

LeapSTR100-2/10.3.2.2876

[amar70056]

After logging a ticket...BlackBerry team emailed me stating that this issue will resolve with new 10.3.3 update but have not given any tat for update release so stuck for sometime :-(

Posted via CB10

[mousse04]

Maybe it will be fixed in 10.3.3 final version but it is not fixed in the dev os currently

[Richard Buckley]

Maybe it will be fixed in 10.3.3 final version but it is not fixed in the dev os currently

Development OS previews are only to allow developers to test their programs with API changes. They aren't generally representative of the release version. That's why they don't include all the layered applications.

Also, in this specific case, if you examine the time line I believe you will find that the ticket was created after the developer preview was released.

LeapSTR100-2/10.3.2.2876

[keliew]

Interesting...

I'd imagine that mailserver protocols are more mature than other platforms for BlackBerry.

BlackBerry Passport via CB10

[mousse04]

Development OS previews are only to allow developers to test their programs with API changes. They aren't generally representative of the release version. That's why they don't include all the layered applications.

Also, in this specific case, if you examine the time line I believe you will find that the ticket was created after the developer preview was released.

LeapSTR100-2/10.3.2.2876

Yes but it doesn�t mean they will fix it

[Richard Buckley]

Yes but it doesn�t mean they will fix it

They said it would be resolved in 10.3.3. The last bug that I submitted was fixed in the release they said it would be. Every bug I've submitted to them in over 12 years of developing for BlackBerry platforms has been fixed on the release they said it would be.

LeapSTR100-2/10.3.2.2876

[Webbeh]

I also only have TLS 1.2 certificates for my postfix/dovecot server and my Passport accepted it already in version 10.3.1.

OP most certainly uses a Let's Encrypt certificate, who arent yet recognized by BlackBerry. Which is perfectly fine for me.

Posted via CB10

[Vistaus]

I also only have TLS 1.2 certificates for my postfix/dovecot server and my Passport accepted it already in version 10.3.1.

OP most certainly uses a Let's Encrypt certificate, who arent yet recognized by BlackBerry. Which is perfectly fine for me.

Posted via CB10

You can import the Let's Encrypt certificates by installing MultiCERT from BlackBerry World.

Posted via CB10 using my amazing  ,Passport (OG Red) <3

[mousse04]

You can import the Let's Encrypt certificates by installing MultiCERT from BlackBerry World.

Posted via CB10 using my amazing  ,Passport (OG Red) <3

Yes, but it is not recognize as a valid CA certificate ...

[CarelStarreveld]

//edit : just realised there was a second page on this topic...

Is it possible that it might be certificate related? TLS is based on encryption and using certain cipher suites, the certificate being presented by the server and cipher suites supported by the client (BB10) will then determine the handshake for what form of encryption is being used.

If you can connect to it when using VPN it means that TLS works fine. If the issue is only occurring while not having the VPN active. This means that the certificate of whatever device you are connecting to (frontend ie firewall, ISA server, EDGE server) is not "compatible" or very different from the one which is used when using a VPN.

Hope it makes sense, I think your IT guy might have to make some more adjustments either on his end or on your device (install an extra certificate)

What you can try is typing your exchange server address in the browser and see if you might be prompted with a insecure website page. In that case you will need to install the certificate on your device.

Hope it helps

Posted via the CrackBerry App for Android

[Vistaus]

Yes, but it is not recognize as a valid CA certificate ...

For me it is. I've had no more certificate complaints after using MultiCERT.

Posted via CB10 using my amazing  ,Passport (OG Red) <3

[Webbeh]

Good for you.

But dont recommend anyone to install certificates on their mobile phone. It's a VERY bad practice and security risk.

If you fail to see why it is, just trust me.

Posted via CB10

[mousse04]

For me it is. I've had no more certificate complaints after using MultiCERT.

Posted via CB10 using my amazing  ,Passport (OG Red) <3

For browser !! Not for the HUB

[Richard Buckley]

For browser !! Not for the HUB

Not true. BB10 devices have one list of CA certificates used for all TLS connections. On my test server I use my own CA to sign service certificates to test software before deployment. Adding that CA to my BlackBerry allowed me to connect to services from the Browser, hub and in house applications.

LeapSTR100-2/10.3.2.2876

[mousse04]

Not true. BB10 devices have one list of CA certificates used for all TLS connections. On my test server I use my own CA to sign service certificates to test software before deployment. Adding that CA to my BlackBerry allowed me to connect to services from the Browser, hub and in house applications.

LeapSTR100-2/10.3.2.2876

So, this comes from eas server.
But your case is a particular case as it is personal server which is not the targets of BB10 (professional) .
From professional point of view, with an EAS server it doesn't work.

[Richard Buckley]

So, this comes from eas server.
But your case is a particular case as it is personal server which is not the targets of BB10 (professional) .
From professional point of view, with an EAS server it doesn't work.

This is correct. The problem is with the EAS services, not with certificate management.

Information technology is not an endeavour which is well served by imprecise language, nor the making of assumptions. In my case it is not a personal server, but a number that I manage. The professionals using them are quite well served whether they use BB10, iOS, Android, Windows or Linux because I use OS agnostic tools and practices. I and others are also served quite nicely by EAS products on our BB10 and other devices by other providers.

You should look to the vendor of your EAS solution and objectively asses their standards compliance. Some of the worst standards abusers are the companies that produced the products in the first place.

LeapSTR100-2/10.3.2.2876

[Vistaus]

Good for you.

But dont recommend anyone to install certificates on their mobile phone. It's a VERY bad practice and security risk.

If you fail to see why it is, just trust me.

Posted via CB10

I see. So I take it you're not going to upgrade to 10.3.3 either when it's released? 'Cause 10.3.3 has those same certificates pre-installed.

Posted via CB10 using my amazing  ,Passport (OG Red)

[Webbeh]

I'm uninstalling the ones I don't trust.

Posted via CB10

[EdyC]

Did your Postfix supports only TLS 1.2 Version ?

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

If you take a look at your Postfix Logs, what you see ?

TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

or like my Logs when connecting with Z10 STL100-2 / 10.3.3.2049

TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

TLS Information in the logs/email, is not enabled by default.

To enable it:

smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes

BB10 Browser supports modern ciphers, the BB10 IMAP client NOT!

Maybe I missed something, but when I disable TLS 1.0, TLS 1.1, then it is not possible to connect to the postfix with BB10 email client.

Best regards

Edy