After some more research, I would like to correct my earlier
statement. It seems that at least in Android (K9), choosing "TLS
(if available)" will allow the device to negotiate TLS, *even if the
certificate authority is not in the local keystore*. In other
words, there is no chain of trust in this mode, so although you are
encrypting your connection, it doesn't stop anyone from performing a
"man-in-the-middle" attack and getting your password/reading your
So, if you have changed your Android phone to use "TLS (if
available)", please change it back to "TLS (always)". At this
point, it should accept the new certificate. If it does NOT, please
let me know. I tested it on Zoey's phone and it is working there.
On 01/26/2011 10:31 AM, Jim Lawson wrote:
I borrowed Zoey's phone, and I can confirm that changing to TLS
(if available) works. TLS (always) does not.
Speaking as someone with a passable knowledge of SSL/TLS, and the
one who configured the mail servers at UVM, this makes no sense.
I think it is a client bug.
However, it does seem to work. It's not a great security
practice, but fortunately UVM's IMAP servers won't let you log in
with a password sent in the clear, so it is safe to do with our
servers. I wouldn't recommend it with other IMAP servers, though,
unless the admin of the other server tells you it's OK, or you
don't mind if someone can sniff your password.
Systems Architecture & Administration
Enterprise Technology Services
University of Vermont
Burlington, VT USA
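The difference Jim describes between "TLS (always)" and "TLS (if available)" can be reproduced locally. The script below is an added example, not code from this thread or from K-9; it assumes the openssl CLI (1.1.1 or newer) on PATH, uses a constructed throwaway self-signed certificate, and the helper names (make_self_signed_cert, start_server, connect, demo) are its own. A verifying client refuses the unknown certificate until it is trusted, while the non-verifying client connects regardless, which is exactly why the latter cannot detect an interposed server.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_self_signed_cert(tmpdir):
    # Constructed test material: a throwaway self-signed server cert, standing in for
    # one whose issuing CA the client does not have. Needs openssl 1.1.1+ on PATH.
    cert, key = os.path.join(tmpdir, "srv.pem"), os.path.join(tmpdir, "srv.key")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
                    "-keyout", key, "-out", cert], check=True, capture_output=True)
    return cert, key

def start_server(cert, key, connections):
    # Minimal TLS listener standing in for the IMAP server; a client that rejects
    # the certificate aborts its own handshake and the server simply moves on.
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv_ctx.load_cert_chain(cert, key)
    lsock = socket.socket(); lsock.bind(("127.0.0.1", 0)); lsock.listen(5)
    def loop():
        for _ in range(connections):
            conn, _ = lsock.accept()
            try: srv_ctx.wrap_socket(conn, server_side=True).close()
            except OSError: conn.close()  # handshake aborted by the client
        lsock.close()
    threading.Thread(target=loop, daemon=True).start()
    return lsock.getsockname()[1]

def connect(port, verify, cafile=None):
    # verify=True mirrors "TLS (always)": the chain must end at a trusted CA (system store
    # or `cafile`). verify=False mirrors "TLS (if available)": encrypted, but any cert goes.
    if verify:
        ctx = ssl.create_default_context(cafile=cafile)
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw:
            with ctx.wrap_socket(raw, server_hostname="localhost"):
                return "connected"
    except ssl.SSLCertVerificationError:
        return "rejected"

def demo():
    with tempfile.TemporaryDirectory() as d:
        cert, key = make_self_signed_cert(d)
        port = start_server(cert, key, 3)
        results = {"always, CA unknown": connect(port, verify=True),
                   "if available, CA unknown": connect(port, verify=False),
                   "always, CA installed": connect(port, verify=True, cafile=cert)}
    return results
```

The third case corresponds to the phone accepting the new certificate once its CA is in the keystore; the second shows the encrypted-but-untrusted connection the thread warns about.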