Email Tutorials - Herong's Tutorial Examples - v1.04, by Herong Yang
What Is IMAPS
This section provides a quick introduction to IMAPS (Internet Message Access Protocol Secure) for message retrieval. A sample IMAPS session that retrieves an email message using the 'openssl s_client' command is included.
What Is IMAPS? - IMAPS (Internet Message Access Protocol Secure) is a method of securing IMAP communication by wrapping it in an SSL (Secure Sockets Layer) or TLS (Transport Layer Security) connection.
Running an IMAPS communication requires the email message agents on both sides of the communication to meet server authentication requirements defined by the PKI (Public Key Infrastructure) standard:
By default, an IMAPS server listens on port 993 for IMAPS connection requests. Here is a sample session of retrieving an email message with IMAPS using "openssl s_client" as the MUA. The IMAPS server is a Dovecot server.
herong$ openssl s_client -connect 127.0.0.1:993
CONNECTED(00000003)
depth=0 OU = IMAP server, CN = imap.example.com, emailAddress = post...
verify error:num=18:self signed certificate
verify return:1
Server certificate
-----BEGIN CERTIFICATE-----
MIIEUzCCArugAwIBAgIUemnAqnnY7dfjsdPa2HVHDkVKu20wDQYJKoZIhvcNAQEL
...
-----END CERTIFICATE-----
No client certificate CA names sent
Server Temp Key: ECDH, secp521r1, 521 bits
---
SSL handshake has read 2276 bytes and written 467 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 3072 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 18075F67F0611E686015752EF2816A18BA7B21803D8A7F01F20C...
Session-ID-ctx:
Master-Key: F20D75326B6DB5BB560E89EBFE1B94D3B57533775A9E276A6711...
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 7200 (seconds)
...
Start Time: 1605857873
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
. OK Pre-login capabilities listed, post-login capabilities have more.
c1 login herong TopSecret
* CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT ...
c1 OK Logged in
c2 select "INBOX"
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] ...
* 6 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1605272831] UIDs valid
* OK [UIDNEXT 44] Predicted next UID
c2 OK [READ-WRITE] Select completed (0.001 + 0.000 secs).
c3 fetch 1 RFC822
* 1 FETCH (RFC822 {416}
Return-Path: <herong@example.com>
X-Original-To: herong
Delivered-To: herong@example.com
Received: from localhost (localhost [IPv6:::1])
by mail.herongyang.com (Postfix) with ESMTP id 5EABD266002B
for <herong>; 15 Nov 2023 06:19:34 -0500 (EST)
Message-Id: <20231113111946.5EABD266002B@mail.herongyang.com>
Date: 15 Nov 2023 06:19:34 -0500 (EST)
From: herong@example.com
Hello world!
)
c3 OK Fetch completed (0.022 + 0.000 + 0.021 secs).
c4 logout
* BYE Logging out
c4 OK Logout completed (0.001 + 0.000 secs).
closed
Note that "openssl s_client" actually failed to validate the server certificate. It returned the "verify return:1" message, because I did not tell "openssl" to trust the self-signed server certificate.
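The check described in the note above can be automated. The following is an added example, not part of the original tutorial: a Python function (hypothetical name audit_transcript) that reads a saved "openssl s_client" transcript, reports the "Verify return code" result, and flags an IMAP LOGIN sent on a connection whose certificate was not verified. The sample transcript is constructed from the session shown above.

```python
import re

# Constructed sample: the lines of the session above that matter for the check.
SAMPLE_TRANSCRIPT = """\
CONNECTED(00000003)
verify error:num=18:self signed certificate
verify return:1
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 18 (self signed certificate)
---
. OK Pre-login capabilities listed, post-login capabilities have more.
c1 login herong TopSecret
c1 OK Logged in
"""

VERIFY_RE = re.compile(r"^\s*Verify return code:\s*(\d+)\s*\((.*)\)\s*$")
FIELD_RE = re.compile(r"^\s*(Protocol|Cipher)\s*:\s*(\S+)\s*$")
LOGIN_RE = re.compile(r"^(\S+)\s+login\s+(\S+)\s+\S+", re.IGNORECASE)


def audit_transcript(text):
    """Summarise the TLS verification result of an s_client IMAPS transcript."""
    result = {"verify_code": None, "verify_text": None, "protocol": None,
              "cipher": None, "login_tags": [], "findings": []}
    for line in text.splitlines():
        if m := VERIFY_RE.match(line):      # the last such line wins
            result["verify_code"], result["verify_text"] = int(m[1]), m[2]
        elif m := FIELD_RE.match(line):     # "Protocol : ..." / "Cipher : ..."
            result[m[1].lower()] = m[2]
        elif m := LOGIN_RE.match(line):     # record the command tag, never the password
            result["login_tags"].append(m[1])
    code = result["verify_code"]
    if code is None:
        result["findings"].append("no 'Verify return code' line: handshake result unknown")
    elif code != 0:
        result["findings"].append(
            f"certificate not verified: code {code} ({result['verify_text']})")
        if result["login_tags"]:
            result["findings"].append(
                "LOGIN sent on an unverified connection: " + ", ".join(result["login_tags"]))
    return result


if __name__ == "__main__":
    for finding in audit_transcript(SAMPLE_TRANSCRIPT)["findings"]:
        print("FINDING:", finding)
```

Against a live server, running "openssl s_client" with the -CAfile option pointing at the server's certificate and with -verify_return_error makes the handshake itself stop when the certificate is not trusted, so no login is typed into an unverified session.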
The IMAPS method can also support client authentication to ensure that only authorized clients can connect to the server.