Discussion:
[SOGo] ActiveSync on Android
elagil
2016-02-22 13:00:36 UTC
Hello!

I am using SOGo on my Debian 8 Server with Apache 2.4.

Everything is working, except for ActiveSync on the native Android Mail
client. Other clients, also on Android, do work. I get the following error
message on the Android device: "Cannot connect to server".

I am using Let's Encrypt certificates, which also work fine. However, if I
enable trusting any certificate, Android will connect to the server. I do not
want that, though.

When using the Microsoft Connectivity Analyzer, I get:

A 401 error was received from the server, but no authentication methods are
supported.
HTTP Response Headers:
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 0
Content-Type: text/plain; charset=UTF-8
Date: Mon, 22 Feb 2016 12:29:41 GMT
Server: Apache
WWW-Authenticate: basic realm="SOGo"
Elapsed Time: 760 ms.

Any ideas on this?

Thanks in advance!
Adrian
--
***@sogo.nu
https://inverse.ca/sogo/lists
Christian Mack
2016-02-22 14:18:47 UTC
Hello
Post by elagil
> Hello!
> I am using SOGo on my Debian 8 Server with Apache 2.4.
> Everything is working, except for ActiveSync on the native Android Mail
> client. Other clients, also on Android, do work. I get the following error
> message on the Android device: "Cannot connect to server".
> I am using Let's Encrypt certificates, which also work fine. However, if I
> enable trusting any certificate, Android will connect to the server. I do not
> want that, though.
> A 401 error was received from the server, but no authentication methods are
> supported.
> Keep-Alive: timeout=5, max=100
> Connection: Keep-Alive
> Content-Length: 0
> Content-Type: text/plain; charset=UTF-8
> Date: Mon, 22 Feb 2016 12:29:41 GMT
> Server: Apache
> WWW-Authenticate: basic realm="SOGo"
> Elapsed Time: 760 ms.
> Any ideas on this?

Error 401 means that you try to access a web site which needs
authentication, but you did not provide username and password.
It (the App or Connectivity Analyzer) should ask you for username and
password, when receiving that.


Kind regards,
Christian Mack
--
Christian Mack
Universität Konstanz
Kommunikations-, Informations-, Medienzentrum (KIM)
Abteilung Basisdienste
78457 Konstanz
+49 7531 88-4416
Adrian Figueroa
2016-02-22 16:42:08 UTC
Actually, I did provide the analyzer with valid login information. Maybe I should not pay too much attention to that 401 error.
ActiveSync does work on any other device, also on Android with other clients (such as "nine").

Could it be, that Let's Encrypt certificates do not work on Android with the standard mail client? They do work in browsers.
André Schild
2016-02-22 20:07:25 UTC
Post by Adrian Figueroa
> Actually, I did provide the analyzer with valid login information. Maybe I should not pay too much attention to that 401 error.
> ActiveSync does work on any other device, also on Android with other clients (such as "nine").
> Could it be, that Let's Encrypt certificates do not work on Android with the standard mail client? They do work in browsers.

Are you using Stock Android, or some other branded Android device?
Some manufacturers make modifications to such services...

Does it happen on different devices?

What Android Version?

André
Adrian Figueroa
2016-02-23 10:42:15 UTC
I solved the problem!

It is stock android 5 (Moto G, GPE) with stock mail, by the way. It happens on multiple devices.

It is like this:
The mail client connects to my mail server. The mail server is called "mail.domain.tld".

Now, another domain name on the same server (other.domain.tld) is supplied to the mail client by apache, while the certificate itself is served by the mail server (dovecot, postfix, ..). Obviously, the name of the domain now does not match the certificate.

What I had to do was to add mail.domain.tld to the apache vhosts and make it the first to be served by appending 000_ at the beginning of the name of the vserver config. Now, name and certificate do match.

I wonder why apache serves the mail client in the first place...

Adrian
Chris
2016-02-23 17:21:45 UTC
Very cool. Inverse should add this issue to public FAQ or Knowledgebase
on sogo.nu

SOGo should be made to detect TLS certificate issues with a wget command
to self-test verify the web interface and if it isn't set up properly,
provide the admin with a human language worded error message, if not
also propose the fix and/or apply the fix. Saving many admins running
TLS secure web mail, many, many hours of hunting this issue down.
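
Added example, not part of the original thread and not SOGo code: a Python sketch of the kind of self-test suggested above, aimed at the mismatch Adrian describes, where the chain validates but the certificate belongs to another name on the same server. It assumes the affected client lands on Apache's first (default) vhost because it sends no SNI, which the thread does not confirm; all function names are hypothetical.

```python
import socket
import ssl
import sys

def san_dns_names(cert):
    """DNS names from a dict as returned by SSLSocket.getpeercert()."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, host):
    """Exact match, or a '*.' wildcard standing for exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        _, _, parent = host.partition(".")
        return parent == pattern[2:]
    return pattern == host

def cert_covers(cert, host):
    return any(name_matches(n, host) for n in san_dns_names(cert))

def fetch_cert(host, port=443, send_sni=True, timeout=5.0):
    """Leaf certificate as a dict. The chain is still verified against the
    system trust store; only the built-in hostname check is switched off, so
    a certificate issued for another name can be inspected, not just rejected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname=None: no SNI extension is sent in the ClientHello.
        sni = host if send_sni else None
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()

def diagnose(host, cert_with_sni, cert_without_sni):
    """Classify the two certificates obtained for the same host name."""
    if not cert_covers(cert_with_sni, host):
        return "mismatch: no vhost presents a certificate for " + host
    if not cert_covers(cert_without_sni, host):
        names = ", ".join(san_dns_names(cert_without_sni)) or "(no DNS names)"
        return "default-vhost mismatch: clients without SNI get " + names
    return "ok"

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_vhost_cert.py <hostname>")
    target = sys.argv[1]  # the name the mail client is configured with
    print(diagnose(target, fetch_cert(target), fetch_cert(target, send_sni=False)))
```
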
Adrian Figueroa
2016-02-23 20:26:17 UTC
I tested the certificates with a cert chain checker and it worked fine. Also, when I called mail.domain.tld in a browser, the correct certificate was served. Something might be wrong with the Android client.. Maybe it does not use the name based configuration?

I have no idea, I am no expert in this.
Chris
2016-02-23 21:47:13 UTC
Possibly these bugs, if you're running android 5.0 lollipop on your Moto
G. Something having to do with TLS 1.2 - the latest version.

https://code.google.com/p/android/issues/detail?id=79389

https://code.google.com/p/android/issues/detail?id=36025