During some experiments with open-source code, I found an issue with STARTTLS on the latest open-xchange appsuite 7.10.1-Rev9.
Something like this:
com.openexchange.exception.OXException: LGI-0003 Categories=ERROR Message='Unknown problem: "STARTTLS failure".' exceptionID=-1484511495-7 at com.openexchange.exception.OXExceptionFactory.create(OXExceptionFactory.java:175) at com.openexchange.exception.OXExceptionFactory.create(OXExceptionFactory.java:165) at com.openexchange.exception.OXExceptionFactory.create(OXExceptionFactory.java:138) at com.openexchange.authentication.LoginExceptionCodes.create(LoginExceptionCodes.java:267) at com.openexchange.authentication.imap.impl.IMAPAuthentication.handleLoginInfo(IMAPAuthentication.java:373) at com.openexchange.authentication.service.Authentication.login(Authentication.java:111) at com.openexchange.authentication.service.Authentication.login(Authentication.java:98) at com.openexchange.login.internal.NormalLoginMethod.doAuthentication(NormalLoginMethod.java:83) at com.openexchange.login.internal.LoginPerformer.doLogin(LoginPerformer.java:216) at com.openexchange.login.internal.LoginPerformer.doLogin(LoginPerformer.java:157) at com.openexchange.login.internal.LoginPerformer.doLogin(LoginPerformer.java:145) at com.openexchange.ajax.login.Login$1.doLogin(Login.java:109) at com.openexchange.ajax.login.AbstractLoginRequestHandler.loginOperation(AbstractLoginRequestHandler.java:226) at com.openexchange.ajax.login.AbstractLoginRequestHandler.loginOperation(AbstractLoginRequestHandler.java:184) at com.openexchange.ajax.login.Login.doLogin(Login.java:97) at com.openexchange.ajax.login.Login.handleRequest(Login.java:90) at com.openexchange.ajax.LoginServlet.doJSONAuth(LoginServlet.java:793) at com.openexchange.ajax.LoginServlet.doGet(LoginServlet.java:758) at com.openexchange.ajax.LoginServlet.doPost(LoginServlet.java:878) at javax.servlet.http.HttpServlet.service(HttpServlet.java:706) at com.openexchange.ajax.AJAXServlet.doService(AJAXServlet.java:566) at com.openexchange.ajax.LoginServlet.service(LoginServlet.java:738) at 
javax.servlet.http.HttpServlet.service(HttpServlet.java:791) at org.glassfish.grizzly.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:147) at com.openexchange.http.grizzly.servletfilter.RequestReportingFilter.doFilter(RequestReportingFilter.java:138) at org.glassfish.grizzly.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:137) at com.openexchange.http.grizzly.servletfilter.WrappingFilter.doFilter(WrappingFilter.java:222) at org.glassfish.grizzly.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:137) at com.openexchange.http.grizzly.service.http.OSGiAuthFilter.doFilter(OSGiAuthFilter.java:139) at org.glassfish.grizzly.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:137) at org.glassfish.grizzly.servlet.FilterChainImpl.invokeFilterChain(FilterChainImpl.java:106) at org.glassfish.grizzly.servlet.ServletHandler.doServletService(ServletHandler.java:226) at org.glassfish.grizzly.servlet.ServletHandler.service(ServletHandler.java:178) at com.openexchange.http.grizzly.service.http.OSGiMainHandler.service(OSGiMainHandler.java:301) at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:224) at com.openexchange.threadpool.internal.CustomThreadPoolExecutor$MDCProvidingRunnable.run(CustomThreadPoolExecutor.java:2575) at com.openexchange.threadpool.internal.CustomThreadPoolExecutor$Worker.runTask(CustomThreadPoolExecutor.java:841) at com.openexchange.threadpool.internal.CustomThreadPoolExecutor$Worker.run(CustomThreadPoolExecutor.java:868) at java.lang.Thread.run(Thread.java:748) Caused by: javax.mail.MessagingException: STARTTLS failure at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:954) at javax.mail.Service.connect(Service.java:369) at com.openexchange.authentication.imap.impl.IMAPAuthentication.handleLoginInfo(IMAPAuthentication.java:357) ... 34 common frames omitted
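It looks like leaving the SSL protocol and SSL cipher suite properties empty does not work properly; if I specify them explicitly, everything works just fine. Note that the example values below still enable TLSv1/TLSv1.1 and 3DES cipher suites, so for anything beyond testing, trim them to what the IMAP server and your security policy actually require.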
# File /opt/open-xchange/etc/imap.properties

# Specifies the SSL protocols that will be enabled for SSL connections. The property value is a whitespace separated list of tokens.
# Default is empty
com.openexchange.imap.ssl.protocols=TLSv1 TLSv1.1 TLSv1.2

# Specifies the SSL cipher suites that will be enabled for SSL connections. The property value is a whitespace separated list of tokens.
#
# Check "http://<ox-grizzly-hostname>:<ox-grizzly-port>/stats/diagnostic?param=ciphersuites" to check available cipher suites.
#
# Default value is empty (fall-back to current JVM's default SSL cipher suite)
com.openexchange.imap.ssl.ciphersuites=SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 TLS_EMPTY_RENEGOTIATION_INFO_SCSV TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA256
Hope that helps, thanks!