Troubleshooting IMAP authentication issues

Problem Symptoms

When trying to signup an IMAP account it returns the error message below in the dashboard Authentication logs: 

Provider: Custom

LoginError('[AUTHENTICATIONFAILED] LOGIN Invalid credentials',)

Description

Most of the time the problem relates to:

• Wrong port number
• Server does not have a valid SSL/TLS connection.

Resolution

1. Make sure the port number & username password is correct:

• Try connecting via https://testconnectivity.microsoft.com/tests/O365Imap/input 
• Ensure Authentication is set to Basic

• This only tests the IMAP side not the SMTP side, nor does it test the SSL certificates
• Confirmed: We now know the username / password and port 993 are correct.

2. Confirm the IMAP server is running IMAP4rev1

• Run openssl s_client -connect mail.therebepirate.com:993 -crlf

* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE NAMESPACE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

• Confirmed: We now know we will not have issues with UID validity

3. Confirm SMTP port details and confirm that SSL/TLS certificate (=>1.2) is installed correctly.

• Within a terminal window run openssl s_client -connect imap.server.name:465 -crlf
• Make sure you get a response that does not look like this: This has NO services running on it.

CONNECTED(00000006)
4514381420:error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.140.1/libressl-2.8/ssl/ssl_pkt.c:386:

---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Start Time: 1652458116
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

• This an example of a working SMTP server with a signed certificate, it doesn't have to be signed be a Certificate Authority. NOTE: The server name at the bottom.

CONNECTED(00000005)

depth=3 C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = US, ST = TX, L = Houston, O = "cPanel, Inc.", CN = "cPanel, Inc. Certification Authority"
verify return:1
depth=0 CN = hp281.hostpapa.com
verify return:1

---

Certificate chain
 0 s:/CN=hp281.hostpapa.com
   i:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
 1 s:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF3jCCBMagAwIBAgIRAMRGsEwzUmnzdPrcOaftv7wwDQYJKoZIhvcNAQELBQAw
......
owoLaOB+3xWEViraMIXh2SF5
-----END CERTIFICATE-----
subject=/CN=hp281.hostpapa.com
issuer=/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4954 bytes and written 322 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: E8A8A8C450E2BC8566B4E074241B67B1F922505B22B24D165511C9DF730F8257
    Session-ID-ctx: 
    Master-Key: F62D773F40D44FE68D38614BA38CF96501F4DEF4AC2EBB05E8D7DF0D790465302D42A3FBEFC57F45A1DF2A4AF2BB2BA7
    Start Time: 1652458595
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
220-hp281.hostpapa.com ESMTP Exim 4.94.2 #2 Fri, 13 May 2022 17:16:36 +0100 

We now know the following and should be able to connect.

• Username & password are correct
• We have the right port numbers i.e. SMTP 465 and IMAP 993 - PROVIDERS use different ports.