I bought a Nokia 6233 yesterday, because I lost my Nokia N80 a few days ago. One of its important features besides 3G and Bluetooth, for me, is the ability to read e-mail. Unfortunately, the devices has some serious problems with non-cleartext authentication in IMAP. What is strange is that SMTP authentication using CRAM-MD5 and DIGEST-MD5 works fine. Actually, there is more strangeness to it than this…
My first attempt was to enable SSL. First, this means SSL over port 993 and not STARTTLS on port 143. Attempting the download fails with a general purpose error, but the server logs gave me some hints:
cyrus/imapd: imaps TLS negotiation failed cyrus/imapd: Fatal error: tls_start_servertls() failed
I tried to add the CA certificate for my server to the phone’s CA store. This can be done by using the built-in web browser and retrieving a DER encoded version of the certificate. A PEM encoded certificate does not work (it says the certificate “contains an error”). The server messages now became:
cyrus/imapd: starttls: TLSv1 with cipher RC4-MD5 (128/128 bits new) no authentication
One can question Nokia’s wisdom of using RC4-MD5, but that is another story. However, the error message on the phone remains the same. There is no indication that the phone attempts to authentication to the server inside the successfully negotiated TLS session. My theory is that the phone expects “SSL” to mean authentication with client-side certificates, but I have not tried to import a client-side certificate into the phone. I gave up on SSL at this point.
I disabled SSL and selected CRAM-MD5. The server logs are fine, but the phone error messages remains. The server logs contains:
cyrus/imapd: login: [18.104.22.168] jas CRAM-MD5 User logged in
That actually means the phone successfully authenticated! However, using
tcpdump on the server, I can see the following exchange:
server: * OK yxa-iv Cyrus IMAP4 v2.1.18-IPv6-Debian-2.1.18-1+sarge2 server ready client: A0 AUTHENTICATE CRAM-MD5 server: + ... client: ... server: A0 OK Success (no protection) client: \r\n server: * BAD Invalid tag [20 seconds delay] client: A1 NOOP server: A1 OK Completed client: A2 EXPUNGE server: A2 BAD Please select a mailbox first client: A3 CLOSE server: A3 BAD Please select a mailbox first client: A4 LOGOUT server: * BYE LOGOUT received
The conclusion is that the 6233 sends a spurious rn and interprete the error message as an authentication error.
I tried DIGEST-MD5 instead, but the error message on the phone was the same. Sniffing the network traffic reveals that authentication works, and the phone does not send the spurious \r\n.
server: * OK yxa-iv Cyrus IMAP4 v2.1.18-IPv6-Debian-2.1.18-1+sarge2 server ready client: A0 AUTHENTICATE DIGEST-MD5 server: + ... client: ... server: + ... client: server: A0 OK Success (no protection) client: A1 NOOP server: A1 OK Completed client: A2 EXPUNGE server: A2 BAD Please select a mailbox first client: A3 CLOSE server: A3 BAD Please select a mailbox first client: A4 LOGOUT server: * BYE LOGOUT received client: A4 OK Completed
This time there is no 20s delay. The whole transaction was done under 2s. The error message on the phone remains though.
At this point, I gave up and tried clear-text authentication just to see what would happen. PLAIN did not work, since my server correctly requires TLS. LOGIN did not work, because my server doesn’t support this non-standard SASL mechanism. If I disabled secure login, it would use the plain IMAP LOGIN command, and things would work.
For completeness, here is what happened if I selected ‘Automatic’. It appears to try DIGEST-MD5 first, CRAM-MD5 then, and then resort to LOGIN. There is no 20s delay here either, the entire transaction is again done under 2s. The error is that it fails to notice successes.
server: * OK yxa-iv Cyrus IMAP4 v2.1.18-IPv6-Debian-2.1.18-1+sarge2 server ready client: A0 CAPABILITY server: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=CRAM-MD5 AUTH=DIGEST-MD5 ANNOTATEMORE server: A0 OK Completed client: A1 AUTHENTICATE DIGEST-MD5 server: + ... client: ... server: + ... client: server: A1 OK Success (no protection) client: A2 AUTHENTICATE CRAM-MD5 server: A2 BAD Already authenticated client: A3 LOGIN "..." "..." server: A3 BAD Already logged in client: A4 NOOP server: A4 OK Completed client: A5 EXPUNGE server: A5 BAD Please select a mailbox first client: A6 CLOSE server: A6 BAD Please select a mailbox first client: A7 LOGOUT server: * BYE LOGOUT received
Cleartext passwords over wireless links is not acceptable. I urge Nokia to release a new firmware for the 6233 that fixes this bug. For the record, my firmware (according to *#0000#) is V 05.10 released 21-12-06.