Koozali.org: home of the SME Server

SSL Certificate, Blackberry and Complications

Offline Paul Howard

  • 17
  • +0/-0
    • The Devil Wears A Mechanical Heart
SSL Certificate, Blackberry and Complications
« on: February 13, 2008, 05:41:02 PM »
Ok first of all I had better explain a few things.

I work for a small business who currently rent a POP mailbox from another company (which also includes our domain name registered on their server), on a "catch all" basis. (Wasn't my idea; this is what happens when the bosses do things off their own bat before they hand you the job of the IT management.)

We have 12 users within the company who need email and thus we run an internal email server to collect email from the rented POP mailbox, sort the email, and perform spam and anti-virus filtering before sorting users' email for them to collect. I ended up using SME Server as an emergency fallback on a spare machine since the previous email server software on NT used as a file server keeled over and couldn't be recovered.

My bosses have purchased a Blackberry each. Now collecting the email from the POP mailbox provider is a no go since the amount of spam sitting on it before it is filtered by our internal email server is a serious amount to provide a problem without spam filtering as well as the fact they will pick up mail which is not meant for other users. So, I need their Blackberries to connect to the email server sitting in the office where they can collect their own email via SSL IMAP. The problem I have (and believe me I have crawled all over the Blackberry forums without success) is the Blackberries only like signed valid SSL Certificates and thus the server signed certificate by SME Server registers as an error, therefore making the Blackberry refuse to connect to our SME Server.

Unless I am missing something, the only viable solutions would be:-

1) Turn on unsecured IMAP on SME Server
    I don't really want to do this as ideally we need to use SSL due to confidential material being part of our business, although it probably would save me a headache.

2) Get our domain name transferred to us, so we can go direct to a hosting provider (who provides a free SSL certificate as part of the ecommerce hosting package) and ditch SME Server entirely. Torn here because I like to keep my finger on the pulse for the spam filtering and adapt it as necessary.

3) Get our domain transferred and host our own servers using SME server. Price of building new servers isn't going to sit well with the boss.

So far as I can see there is no way I can solve the SSL certificate problem with the current setup because we do not currently control our own domain. Looking for confirmation really to make sure I haven't missed anything before I sit the boss down and try to explain the technicalities to a non tech of how I am going to get the Blackberries to work so they can collect their email!





Offline brianr

  • *
  • 988
  • +2/-0
Re: SSL Certificate, Blackberry and Complications
« Reply #1 on: February 13, 2008, 06:46:23 PM »
I am successfully using my Blackberry on my own SME Server, using IMAPS as far as I can remember. I have also set up a number of other Blackberries (?) and also other PDAs, also using IMAPS on SME Servers, and as far as I can see the certificate problem you mention does not occur.

I have just checked my own server, and IMAP (without the S) is NOT enabled, so it must be working ok.  I monitor 4 email addresses.

I do not understand enough about SSL certificates to suggest what might be wrong, but something else must be. 


Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.
.........

Offline pfloor

  • ****
  • 889
  • +1/-0
Re: SSL Certificate, Blackberry and Complications
« Reply #2 on: February 14, 2008, 08:06:29 AM »
I use a Samsung i760 with Windows Mobile 6 and had it working with IMAPS but I did have to do one thing to make it work.  I had to install the SME's self signed certificate onto the phone then everything worked fine.

Does the Blackberry have a way to install certificates?
In life, you must either "Push, Pull or Get out of the way!"

Offline cactus

  • *
  • 4,880
  • +3/-0
    • http://www.snetram.nl
Re: SSL Certificate, Blackberry and Complications
« Reply #3 on: February 14, 2008, 10:02:06 AM »
I use a Samsung i760 with Windows Mobile 6 and had it working with IMAPS but I did have to do one thing to make it work.  I had to install the SME's self signed certificate onto the phone then everything worked fine.
That is normal behavior for clients, as the SME Server certificate does not meet all security criteria for a certificate: it is self-signed and not signed by a trusted root authority. The only way to force an auto-accept is by explicitly stating that you accept this certificate by installing it on the client yourself.

Does the Blackberry have a way to install certificates?
I am unaware of that being possible, but it looks like it does from the post by brianr. Perhaps this might help: http://support.quovadisglobal.com/customer/KBArticle.aspx
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline brianr

  • *
  • 988
  • +2/-0
Re: SSL Certificate, Blackberry and Complications
« Reply #4 on: February 14, 2008, 10:39:19 AM »
yes, I do not deny that I may have "accepted" the certificate as part of the initial blackberry set-up, pretty sure I didn't install anything specifically though.  In one case a customer did some blackberry configuring, and he would not have known about certificates.
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.
.........

Offline pfloor

  • ****
  • 889
  • +1/-0
Re: SSL Certificate, Blackberry and Complications
« Reply #5 on: February 14, 2008, 05:27:32 PM »
yes, I do not deny that I may have "accepted" the certificate as part of the initial blackberry set-up, pretty sure I didn't install anything specifically though.  In one case a customer did some blackberry configuring, and he would not have known about certificates.

On my WM6 based device, I didn't merely accept the cert (I didn't have that option), I actually had to install it, something like this:

1-Export the cert to my desktop where I have established a sync relationship with my phone.
2-Copy the exported cert to the sync folder so it will get copied to my phone upon next sync.
3-Sync the phone.
4-On the phone, find the newly copied cert and click on it.  The phone then walked me through actually "Installing" the cert on the phone.

Some quick googling indicates that you can in fact "Install" certs on some Blackberry devices.  It looks to be a bit more complex on a Blackberry than on WM6 but does appear that it can be done (on certain devices) and you may need to do this in order to use the self-signed cert.
In life, you must either "Push, Pull or Get out of the way!"

Offline MSmith

  • *
  • 675
  • +0/-0
Uncomplicate this!
« Reply #6 on: February 24, 2008, 05:23:49 PM »
I've successfully avoided this issue by creating a Blackberry-specific email address using the RIM online control panel (exact details vary from provider to provider) and forwarding a copy of all emails from the Users panel in the SME Server Manager.  You can very easily configure the Blackberry account to send "from" the user's real email address so no one (including the Blackberry's user) ever sees the Blackberry-specific account.  Bonus:  while editing the account's properties you can suppress that annoying "Sent from my Blackberry" default signature.

...

Offline mmccarn

  • *
  • 2,627
  • +10/-0
Re: SSL Certificate, Blackberry and Complications
« Reply #7 on: February 24, 2008, 06:34:30 PM »
I would add to MSmith's solution the following steps:

1) Create an alias on the SME for the user's blackberry - something like "f.lastname-bb@example.com"
2) In account setup on the blackberry servers:
- Setup the Blackberry account to "BCC" this account with any outgoing emails
- Create a filter so that email addressed to the "...-bb@example.com" address is NOT sent to the handheld
3) Create a rule on the SME or in the user's email client to automatically move these "BCC'd" messages to the "Sent Items" folder

Now the emails sent from the blackberry will appear in the user's email "Sent Items" folder, without coming back to the blackberry itself.

Finally, if you can create mail rules on the server with the external POP mailbox you could create rules there that forward copies of incoming emails for the blackberry users to their blackberry email addresses - then they will get their emails on their blackberries as soon as possible, instead of waiting for the SME to download and process them...

Offline m

  • ****
  • 276
  • +0/-0
  • Peet
Re: SSL Certificate, Blackberry and Complications
« Reply #8 on: February 28, 2008, 12:09:23 AM »
Recently I had similar trouble with certificates when setting up a Nokia Communicator. I finally decided to make my own CA, install the CA root certificate on the communicator and generate server certificates signed by my own CA. That solves my problem.
I have put together what I have done in a Howto. Perhaps it is useful for you. Have a look here.
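
The private-CA approach from Reply #8, set beside the self-signed case explained in Reply #3, as an added example that is not taken from the thread or from the linked Howto. It uses plain `openssl` commands; the CA name, the hostname `mail.example.com` and all file names are constructed placeholders, and the subjectAltName entry is an assumption about what modern clients expect.

```shell
#!/bin/sh
# Added example: private CA vs. self-signed certificate for an IMAPS host.
# "Example Office CA" and mail.example.com are constructed placeholder names.
WORK=$(mktemp -d)

make_ca() {
    # Root certificate: ca.crt is the only file that goes onto each handheld;
    # ca.key stays offline and is never copied to a device or the mail server.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Office CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

make_server_cert() {
    # $1 = hostname the handhelds connect to. The CSR is signed by the CA,
    # so renewing the server cert later needs no change on the devices.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$1" \
        > "$WORK/ext.cnf"
    openssl x509 -req -in "$WORK/server.csr" -days 365 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/ext.cnf" -out "$WORK/server.crt" 2>/dev/null
}

make_selfsigned() {
    # What a default install presents: issuer and subject are the same name.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
        -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null
}

trusted_by() {
    # $1 = trust anchor installed on the client, $2 = certificate presented.
    # Succeeds only when openssl reports the chain as OK.
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

make_ca && make_server_cert mail.example.com && make_selfsigned mail.example.com

for cert in self.crt server.crt; do
    if trusted_by "$WORK/ca.crt" "$WORK/$cert"; then verdict=trusted
    else verdict=rejected; fi
    echo "$cert, client trusts ca.crt only: $verdict"
done
# Installing the self-signed cert itself as the anchor is the other route.
if trusted_by "$WORK/self.crt" "$WORK/self.crt"; then
    echo "self.crt, client has self.crt installed: trusted"
fi
```

A self-signed certificate has to be reinstalled on every device each time it is regenerated, whereas the CA root is installed once and later server certificates signed by it validate without touching the handhelds.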