The following happened to a friend of mine who studies at the University of Hof.
I'm responsible for our mailserver, so he called me and told me that he couldn't
receive mails on his Android device (using K9-Mail) while connected to the
university wifi. The interesting thing was that he didn't have any problems on his
laptop using Thunderbird with the same configuration: IMAP Port 143 - STARTTLS.
After running Netalyzr we found out that traffic on port 80 and 143 was routed through a transparent proxy. This was very likely the reason for our problem, but the connection was encrypted. How should a proxy mess things up? And why should the laptop work while the smartphone wouldn't?
I looked in the ARP table for the MAC of the default gateway to gain more information about that proxy. The MAC address was from the range of Fortinet - a really sympathetic company which also provides the Myanmar government with hardware for Internet censorship.
To get an idea about the difference between the k9mail and the thunderbird connection we used tcpdump and some similar Android app to capture the traffic.
< * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5] Dovecot ready.
> 1 STARTTLS
The difference was the \r\n after the 1 STARTTLS command:
- Thunderbird sent one TCP packet: 1 STARTTLS\r\n
- K9-Mail sent two TCP packets: 1 STARTTLS and \r\n
thunderbird:
< 00000000 2a 20 4f 4b 20 5b 43 41 50 41 42 49 4c 49 54 59 * OK [CA PABILITY
< 00000010 20 49 4d 41 50 34 72 65 76 31 20 4c 49 54 45 52 IMAP4re v1 LITER
< 00000020 41 4c 2b 20 53 41 53 4c 2d 49 52 20 4c 4f 47 49 AL+ SASL -IR LOGI
< 00000030 4e 2d 52 45 46 45 52 52 41 4c 53 20 49 44 20 45 N-REFERR ALS ID E
< 00000040 4e 41 42 4c 45 20 49 44 4c 45 20 53 54 41 52 54 NABLE ID LE START
< 00000050 54 4c 53 20 41 55 54 48 3d 50 4c 41 49 4e 20 41 TLS AUTH =PLAIN A
< 00000060 55 54 48 3d 4c 4f 47 49 4e 20 41 55 54 48 3d 44 UTH=LOGI N AUTH=D
< 00000070 49 47 45 53 54 2d 4d 44 35 5d 20 44 6f 76 65 63 IGEST-MD 5] Dovec
< 00000080 6f 74 20 72 65 61 64 79 2e 0d 0a ot ready ...
> 00000000 31 20 53 54 41 52 54 54 4c 53 0d 0a 1 STARTT LS..
< 0000008B 31 20 4f 4b 00 42 65 67 69 6e 20 54 4c 53 20 6e 1 OK.Beg in TLS n
< 0000009B 65 67 6f 74 69 61 74 69 6f 6e 20 6e 6f 77 2e 0d egotiati on now..
< 000000AB 0a .
k-9 mail:
< 00000000 2a 20 4f 4b 20 5b 43 41 50 41 42 49 4c 49 54 59 * OK [CA PABILITY
< 00000010 20 49 4d 41 50 34 72 65 76 31 20 4c 49 54 45 52 IMAP4re v1 LITER
< 00000020 41 4c 2b 20 53 41 53 4c 2d 49 52 20 4c 4f 47 49 AL+ SASL -IR LOGI
< 00000030 4e 2d 52 45 46 45 52 52 41 4c 53 20 49 44 20 45 N-REFERR ALS ID E
< 00000040 4e 41 42 4c 45 20 49 44 4c 45 20 53 54 41 52 54 NABLE ID LE START
< 00000050 54 4c 53 20 41 55 54 48 3d 50 4c 41 49 4e 20 41 TLS AUTH =PLAIN A
< 00000060 55 54 48 3d 4c 4f 47 49 4e 20 41 55 54 48 3d 44 UTH=LOGI N AUTH=D
< 00000070 49 47 45 53 54 2d 4d 44 35 5d 20 44 6f 76 65 63 IGEST-MD 5] Dovec
< 00000080 6f 74 20 72 65 61 64 79 2e 0d 0a ot ready ...
> 00000000 31 20 53 54 41 52 54 54 4c 53 1 STARTT LS
> 0000000A 0d 0a ..
Our Dovecot mailserver itself didn't have any problems with the k9mail version but the proxy did. So I sent a patch to the k9mail developers to make k9mail act like thunderbird does.
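
Why the split matters, as an added example (not code from this post, from K9-Mail or from the proxy vendor): TCP is a byte stream, so an IMAP parser has to buffer until CRLF, which is what Dovecot evidently does. The per-segment parser below is a hypothetical model of a middlebox that inspects each segment on its own; the proxy's real logic is not known. The segment contents are constructed from the client payloads in the two captures above, and all function names are made up for this sketch.

```python
# Client payloads per TCP segment, constructed from the hex dumps above.
THUNDERBIRD_SEGMENTS = [b"1 STARTTLS\r\n"]
K9_SEGMENTS = [b"1 STARTTLS", b"\r\n"]

CRLF = b"\r\n"


def parse_per_segment(segments):
    """Hypothetical broken inspection: every segment is parsed in isolation.

    Text without a CRLF in the same segment is thrown away, so a command
    whose terminator arrives in the next segment is never recognised.
    """
    commands = []
    for seg in segments:
        *lines, _unterminated = seg.split(CRLF)  # tail is discarded, no state kept
        commands += [line for line in lines if line]
    return commands


def parse_stream(segments):
    """Correct handling: keep unterminated bytes and prepend them to the next segment.

    Only simple command lines are handled; IMAP literals are out of scope here.
    Returns (complete commands, bytes still waiting for their CRLF).
    """
    buf = b""
    commands = []
    for seg in segments:
        buf += seg
        *lines, buf = buf.split(CRLF)  # last element is the unterminated remainder
        commands += [line for line in lines if line]
    return commands, buf


def segments_missing_terminator(segments):
    """Indexes of non-empty segments that do not end in CRLF (useful when reading a capture)."""
    return [i for i, seg in enumerate(segments) if seg and not seg.endswith(CRLF)]


if __name__ == "__main__":
    for name, segs in (("thunderbird", THUNDERBIRD_SEGMENTS), ("k-9 mail", K9_SEGMENTS)):
        print(name, parse_per_segment(segs), parse_stream(segs), segments_missing_terminator(segs))
```

Both clients produce the same command under stream parsing; only the per-segment model loses the K9-Mail one, which matches the behaviour seen behind the proxy.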