I’ve just spent a while trying to troubleshoot my SSL IMAP connection. This is the first time I’ve had to do any diagnostics since switching to an SSL secured mail connection.
When my connection stopped working I got only a very non-specific error from OSX mail, and no error at all from Thunderbird (it just hung). If I was using an unsecured connection I’d usually try to check the connection manually using telnet, but trying this against the SSL port on my IMAP server didn’t get any response.
Having done some digging I found that you can test an SSL secured connection using the tools included with openssh. In the case of IMAP you can connect to the server using:
openssl s_client -connect mail.example.com:993
In my case this failed (hence things not working!), with the error:
Reading through the openssl documentation I found that this error usually results from the connection not being able to auto-negotiate a suitable ssl version to use. If this is the case you can force a specific ssl version using:
openssl s_client -connect mail.example:993 -ssl2
openssl s_client -connect mail.example.com:993 -ssl3
If you want more information you can also add -debug to the command to see a full list of the commands being sent and a hex dump translation.
In my case I found that the connection only worked when sslv3 was forced, forcing sslv2 or allowing the connection to autonegotiate caused the connection to fail. Since none of the mail clients I could find allow you to force a specific ssl version my email wouldn’t work.
Fortunately my hosting provider Orchard Hosting were very quick to respond when I reported this and have fixed things.