IMAP issues when using SSL

Hi Folks - so I am an experienced Linux man, however normally I build one server per service / site and keep it locked and simple.

One of my clients however wanted to move VPS and has about 70 mail accounts. A former CPANEL user, he was fed up with his current host and the cost. So we moved to Hostinger with HestiaCP.

Migrated everything to an Ubuntu 22.04 server running HestiaCP and got everything moved. Using Webmail all his email worked just fine, migrated smoothly and actually ramped up his mail score to perfect on most systems with a SpamAssassin score of -5.096.

The problems however began when users started to access their new accounts: could not verify against IMAP, server not responding, setting up OK and then dropping offline. No consistency in the problems.

However one of the common issues I see with IMAP on macOS and Apple is SSL being on or off, and it’s a frequent issue on Apple systems. However I was also seeing issues with IMAP on IMAP checkers online: would connect and then would not.

All my mail servers I had set up with SSL-protected mail domains using Let's Encrypt. On a couple of test domains, I UNTICKED ‘enable SSL’ and all of a sudden those email accounts now add OK to all Apple devices AND stay connected. This is ironically exactly how it was on the old host as well; I thought I would improve it.

How the HECK can I get mail working happily over SSL and IMAP? The dovecot and exim4 logs showed no error I could work with, just the connections, and if anyone could ‘point’ me at the starting line I can start the long marathon to fixing this.

Hi @MorganL

Did you test it with other mail clients like Thunderbird? Does it only happen on macOS mail clients? Are you using some kind of CDN, proxy, load balancer, etc.?

Check if clients can connect to your imap server using TLS on port 993 and STARTTLS on port 143. To test it you can execute these commands from a remote machine (Linux):

Note: replace example.net with your actual domain

openssl s_client -connect mail.example.net:993 -servername mail.example.net 2>/dev/null <<<: | openssl x509 -noout -issuer -subject -dates -ext subjectAltName | sed -E -e 's/^\s*//g' -e 's/^DNS:/SANs: /' -e 's/\s?DNS://g' -e '/X509v3/d'
openssl s_client -starttls imap -connect mail.example.net:143 -servername mail.example.net 2>/dev/null <<<: | openssl x509 -noout -issuer -subject -dates -ext subjectAltName | sed -E -e 's/^\s*//g' -e 's/^DNS:/SANs: /' -e 's/\s?DNS://g' -e '/X509v3/d'

If you try to connect to port 143 without using STARTTLS, does it work, or does it only work when you untick "use SSL" in Hestia?

If you share your domain I could test it from my side (you can send me a private message if you don’t want to share it publicly).

2 Likes
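The two openssl one-liners above check the certificate by hand; the script below, an added example rather than the poster's own commands, does the same two checks a client performs (implicit TLS on 993 and a STARTTLS upgrade on 143), verifying the chain and hostname against the system CA store the way a mail client would. The host name mail.example.net is a placeholder, and the greeting strings in the docstrings are constructed samples.

```python
import re, socket, ssl, sys

CAP_RE = re.compile(r"CAPABILITY ([^\]\r\n]+)")

def parse_capabilities(text: str) -> set:
    """Capability tokens from a greeting such as (constructed sample)
    '* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] Dovecot ready.'
    or from an untagged '* CAPABILITY ...' response."""
    m = CAP_RE.search(text)
    return set(m.group(1).split()) if m else set()

def hostname_matches(cert: dict, host: str) -> bool:
    """True if a DNS SAN covers host (exact or one-label wildcard)."""
    host = host.lower()
    for kind, name in cert.get("subjectAltName", ()):
        name = name.lower()
        if kind != "DNS":
            continue
        if name == host or (name.startswith("*.") and host.split(".", 1)[1:] == [name[2:]]):
            return True
    return False

def probe(host: str, port: int, starttls: bool, timeout: float = 10.0) -> dict:
    """Implicit TLS (starttls=False, port 993) or STARTTLS upgrade
    (starttls=True, port 143); returns what a verifying client sees."""
    ctx = ssl.create_default_context()  # system CA store, hostname check on
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
        if starttls:
            caps = parse_capabilities(raw.recv(4096).decode(errors="replace"))
            if not caps:  # greeting carried no capabilities: ask explicitly
                raw.sendall(b"a0 CAPABILITY\r\n")
                caps = parse_capabilities(raw.recv(4096).decode(errors="replace"))
            if "STARTTLS" not in caps:
                return {"port": port, "ok": False, "error": "STARTTLS not advertised"}
            raw.sendall(b"a1 STARTTLS\r\n")
            if not raw.recv(4096).startswith(b"a1 OK"):
                return {"port": port, "ok": False, "error": "server refused STARTTLS"}
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except OSError as e:  # socket errors and ssl.SSLError (chain/hostname failures)
        return {"port": port, "ok": False, "error": str(e)}
    cert, version = tls.getpeercert(), tls.version()
    tls.close()
    return {"port": port, "ok": True, "tls": version, "not_after": cert.get("notAfter"),
            "sans": [n for k, n in cert.get("subjectAltName", ()) if k == "DNS"],
            "hostname_ok": hostname_matches(cert, host)}

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.net"  # placeholder
    for port, starttls in ((993, False), (143, True)):
        print(probe(host, port, starttls))
```

A result with ok=False and a certificate-verify or hostname error on either port is the case Mail.app reports as "cannot verify"; a port 143 result of "STARTTLS not advertised" means only plaintext IMAP is on offer there.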

Appreciate the speedy response - just acknowledging your reply.

Quick reply: There are no load balancers involved, nor proxy nor CDN. This is pretty much a brand new VPS with a brand new HestiaCP.

Trying Thunderbird out of curiosity, and will do those other investigations soon.

1 Like

So basically the new mail client proved it (thanks)… MacMail was just hopeless, and also, I gave the VPS HOST its own SSL certificate.

Removed old passwords from keychain
Backed up the complex signatures
Removed the account
Re-added the account
Re-added the signatures

and all working… honestly, sometimes it's best to go back to the easy options.

2 Likes
