1. deiop's Avatar
    S/MIME signed Mails can not be opened

    We have the following situation:
    a) BES 10.1.3 Exchange 2007 + BB10.2 Devices (Q10 / Z10)
    b) BES 10.1.3 Exchange 2010 + BB10.2 Devices (Q10 / Z10)
    c) BES 10.1.3 Traveler 9.0.1 + BB10.2.x Devices (Q10/Z10/Z30)
    d) Traveler 9.0.1 + BB10.2 Devices (without BES)

    When a user receives an S/MIME SIGNED (not encrypted) Mail it cannot be opened on the Blackberry 10 devices. The circle is going around and around and after a couple of minutes the device runs into timeout displaying "message could not be retrieved from server".



    The content type of the mail is:

    This is a multipart message in MIME format.
    --=_alternative 003651F1C1257C1B_=
    Content-Type: text/plain; charset="ISO-8859-1"
    Content-Transfer-Encoding: quoted-printable
    --=_alternative 003651F1C1257C1B_=
    Content-Type: text/html; charset="ISO-8859-1"
    Content-Transfer-Encoding: quoted-printable
    --=_alternative 003651F1C1257C1B_=--
    --SIGNATURE_AS_XXXXX_XXXXX_XXXX
    Content-Type: application/x-pkcs7-signature;
    name=SMIME.p7s
    Content-Transfer-Encoding: BASE64
    Content-Disposition: attachment; filename=SMIME.p7s

    Update:
    This is an open case with IBM (since 07.11.2013) and Blackberry (since 18.10.2013). Will keep this thread up to date.
    Last edited by TAltemeier; 11-08-13 at 09:19 AM.
    10-10-13 10:45 AM
  2. Sith_Apprentice's Avatar
    Did you enable SMIME in the settings on the device? Also make sure that if you are using signatures, your message size is increased 25% or more with overhead. Ensure that you are not hitting your timeout values for your connection. Something like the following (Exchange, but ActiveSync is "usually" ActiveSync)

    Unable to connect using Exchange ActiveSync due to Exchange resource consumption
    Event ID 1008: "Maximum Request Length Exceeded" - Get-ExchangeHelp - Site Home - TechNet Blogs
    ActiveSync email size limits when SENDING - Email and calendar - Office 365 - Microsoft Office 365 Community


    The post by david.rust on 10/26/11 referencing maxRequestLength
    10-10-13 12:46 PM
  3. deiop's Avatar
    Thanks for your help, but no, the size is not the problem.
    A typical mail with signature has about 10 KB.

    Even a mail with only one KB and s/mime signature can not be opened.

    Are you running 10.2 or a device attached to Exchange 2007/2010? Then PM me your E-Mail Address and I send you a signed mail - and try to open it...

    Posted via CB10
    10-10-13 12:52 PM
  4. deiop's Avatar
    And, as far as I know, you don't need to enable S/MIME support on the device to just !RECEIVE! a signed mail....

    S/Mime support is only needed for SENDING signed Mails or encrypting and decrypting.

    But yes, we have tried both: With S/MIME Support on or off


    Posted via CB10
    10-10-13 12:54 PM
  5. Sith_Apprentice's Avatar
    Thanks for your help, but no, the size is not the problem.
    A typical mail with signature has about 10 KB.

    Even a mail with only one KB and s/mime signature can not be opened.

    Are you running 10.2 or a device attached to Exchange 2007/2010? Then PM me your E-Mail Address and I send you a signed mail - and try to open it...

    Posted via CB10
    I am running this without issue, though my agency would not like it much for me to give my Email out for this lol. (One of those three letter ones).

    I had this working since before 10.1 released as well (got the software from BB to push out). Also works encrypted and signed/encrypted for 10.1 and 10.2.
    10-10-13 01:16 PM
  6. Sith_Apprentice's Avatar
    And, as far as I know, you don't need to enable S/MIME support on the device to just !RECEIVE! a signed mail....

    S/Mime support is only needed for SENDING signed Mails or encrypting and decrypting.

    But yes, we have tried both: With S/MIME Support on or off


    Posted via CB10
    You shouldn't need to enable it to receive, but the device may not be recognizing the signature (since it isn't processing anything S/MIME related).

    Do you have any other brand activesync devices working?
    10-10-13 01:20 PM
  7. Sith_Apprentice's Avatar
    You shouldn't need to enable it to receive, but the device may not be recognizing the signature (since it isn't processing anything S/MIME related).

    Do you have any other brand activesync devices working?
    Also, check your Mail profile in BDS. What are the SMIME settings there? Should be "Allowed" for the first three, and then the content ciphers you support for the last one.
    10-10-13 01:23 PM
  8. deiop's Avatar
    Also, check your Mail profile in BDS. What are the SMIME settings there? Should be "Allowed" for the first three, and then the content ciphers you support for the last one.
    Yes, everything is fine there. We have about 20 BES10 Servers in all possible configurations (a,b,c,d) and we have the problem with all devices attached to all combinations, except 10.1 Devices attached to BES/Traveler9.

    Posted via CB10
    10-10-13 01:32 PM
  9. deiop's Avatar
    You shouldn't need to enable it to receive, but the device may not be recognizing the signature (since it isn't processing anything S/MIME related).

    Do you have any other brand activesync devices working?
    Yes, iOS and Android works fine. Only BB10 Device can not open signed mails.

    Posted via CB10
    10-10-13 01:33 PM
  10. deiop's Avatar
    I am running this without issue, though my agency would not like it much for me to give my Email out for this lol. (One of those three letter ones).
    LOL, okay ;-)


    Maybe it is a problem with the signed mails...

    Content-Type: multipart/signed;
    boundary="XXX";
    protocol="application/x-pkcs7-signature";
    micalg="sha1"
    ????

    But, as I mentioned above, BlackBerry MDM attached IOS and Android devices work well....

    Posted via CB10
    10-10-13 01:35 PM
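The `multipart/signed` header questioned in the post above can be checked for structural validity before blaming the client. This is an added example, not part of any post in the thread; the sample message is constructed and `check_signed_structure` is a hypothetical helper name. It checks the required `protocol` and `micalg` parameters, the two-part body, and that the signature part's type matches `protocol`.

```python
from email import message_from_string

# Constructed sample shaped like the headers quoted in the thread
# (addresses, boundary and body are made up).
SAMPLE = """\
From: sender@example.com
To: user@example.com
Subject: signed test
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="XXX";
 protocol="application/x-pkcs7-signature"; micalg="sha1"

--XXX
Content-Type: text/plain; charset="ISO-8859-1"

Hello
--XXX
Content-Type: application/x-pkcs7-signature; name=SMIME.p7s
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=SMIME.p7s

AAAA
--XXX--
"""

SIG_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}

def check_signed_structure(raw):
    """Return a list of structural problems; an empty list means well-formed."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype != "multipart/signed":
        return ["top-level type is %s, not multipart/signed" % ctype]
    problems = []
    protocol = (msg.get_param("protocol") or "").lower()
    if protocol not in SIG_TYPES:
        problems.append("protocol parameter missing or unexpected: %r" % protocol)
    if not msg.get_param("micalg"):
        problems.append("micalg parameter missing")
    parts = msg.get_payload() if msg.is_multipart() else []
    if len(parts) != 2:
        problems.append("expected 2 body parts, found %d" % len(parts))
        return problems
    sig_type = parts[1].get_content_type()
    if sig_type != protocol:
        problems.append("signature part is %s, protocol says %s" % (sig_type, protocol))
    return problems
```

Running it over the raw source of a failing mail exported from the server shows whether the message itself is malformed or the fault lies in delivery to the device.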
  11. Sith_Apprentice's Avatar
    Out of curiosity, when you send this signed message outside of your organization, can you view it?
    10-10-13 01:42 PM
  12. Sith_Apprentice's Avatar
    Also if you pull down on the message body, it should show the header. Is there any error logged in the header of the message?
    10-10-13 01:47 PM
  13. Sith_Apprentice's Avatar
    LOL, okay ;-)


    Maybe it is a problem with the signed mails...

    Content-Type: multipart/signed;
    boundary="XXX";
    protocol="application/x-pkcs7-signature";
    micalg="sha1"
    ????

    But, as I mentioned above, BlackBerry MDM attached IOS and Android devices work well....

    Posted via CB10
    This leads me to believe that this is a mail profile issue, not sure what it would be since it is likely set the same as others.
    10-10-13 01:49 PM
  14. deiop's Avatar
    Out of curiosity, when you send this signed message outside of your organization, can you view it?
    YES :-) funny, isn't it? You can open the signed mail on Desktop (Outlook / Notes) as well.

    Posted via CB10
    10-10-13 01:52 PM
  15. deiop's Avatar
    Also if you pull down on the message body, it should show the header. Is there any error logged in the header of the message?
    Yes, "Message could not be retrieved from server"... (in German of course) ;-)

    Posted via CB10
    10-10-13 01:54 PM
  16. Sith_Apprentice's Avatar
    Yes, "Message could not be retrieved from server"... (in German of course) ;-)

    Posted via CB10
    For fun, try enabling S/MIME on the device. I don't have it on my personal Zed and it shows the attachment p7s file. On my work Zed I can view signature details etc.
    10-10-13 01:56 PM
  17. deiop's Avatar
    This leads me to believe that this is a mail profile issue, not sure what it would be since it is likely set the same as others.
    No, all servers have totally different configurations, as they belong to different companies, with totally different setups, different IP addresses, different firewalls....

    Posted via CB10
    10-10-13 01:56 PM
  18. deiop's Avatar
    For fun, try enabling S/MIME on the device. I don't have it on my personal Zed and it shows the attachment p7s file. On my work Zed I can view signature details etc.
    Have done this already. Same result. Except 10.1 devices attached to BES / Lotus Traveler.

    Posted via CB10
    10-10-13 01:59 PM
  19. Sith_Apprentice's Avatar
    No, all servers have totally different configurations, as they belong to different companies, with totally different setups, different IP addresses, different firewalls....

    Posted via CB10
    I was referring to the mail profile setup allowing SMIME. Generally if the device can connect through activesync you should be good to go. SMIME is allowed by default (allowed obviously not required) for Exchange so should be fine in ActiveSync. Not to mention that the iOS and Android devices work fine.
    10-10-13 02:00 PM
  20. deiop's Avatar
    I was referring to the mail profile setup allowing SMIME. Generally if the device can connect through activesync you should be good to go. SMIME is allowed by default (allowed obviously not required) for Exchange so should be fine in ActiveSync. Not to mention that the iOS and Android devices work fine.
    Sorry! Got it wrong.

    But yes, I had the same thoughts. Maybe it is a problem with the verification process for the certificate? But it is a well trusted cert that is accepted on all other devices / workstations. But even if it would not be trusted, the BB10 device should open the mail ;-)

    Posted via CB10
    10-10-13 02:08 PM
  21. Sith_Apprentice's Avatar
    Yes it should, no verification should be done. Do you have access to the mail servers?

    Posted via CB10
    10-10-13 02:42 PM
  22. deiop's Avatar
    Yes it should, no verification should be done. Do you have access to the mail servers?

    Posted via CB10
    Yes, to all.

    Posted via CB10
    10-10-13 03:15 PM
  23. Sith_Apprentice's Avatar
    Open a message and then when it errors check the IIS logs for the CAS servers. Look for the user's PIN. See if any errors coincide with the time.

    Posted via CB10
    10-11-13 05:06 AM
  24. deiop's Avatar
    Open a message and then when it errors check the IIS logs for the CAS servers. Look for the user's PIN. See if any errors coincide with the time.

    Posted via CB10
    I have read tons of debug stuff this day and cannot find anything unusual. Hm, if the device is directly attached to exchange / Traveler without BES, everything is fine. So there have to be some BES related problems....

    Posted via CB10
    10-11-13 08:39 AM
  25. Sith_Apprentice's Avatar
    I have read tons of debug stuff this day and cannot find anything unusual. Hm, if the device is directly attached to exchange / Traveler without BES, everything is fine. So there have to be some BES related problems....

    Posted via CB10
    This is odd, and implies a problem with the mail profile. But we have checked that multiple times.
    10-11-13 08:58 AM