Strange IMAP Proxy

The following happened to a friend of mine who studies at the University of Hof. I'm responsible for our mailserver, so he called me and told me that he couldn't receive mail on his Android device (using K9-Mail) while connected to the university wifi. The interesting thing was that he didn't have any problems on his laptop using Thunderbird with the same configuration: IMAP Port 143 - STARTTLS

After running Netalyzr we found out that traffic on port 80 and 143 was routed through a transparent proxy. This was very likely the reason for our problem, but the connection was encrypted. How should a proxy mess things up? And why should the laptop work while the smartphone wouldn't?

I looked in the ARP table for the MAC of the default gateway to gain more information about that proxy. The MAC address was from the range of Fortinet - a really sympathetic company which also provides the Myanmar government with hardware for Internet censorship.

To get an idea about the difference between the K9-Mail and the Thunderbird connection we used tcpdump and some similar Android app to capture the traffic.

< * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5] Dovecot ready.
> 1 STARTTLS

The difference was the \r\n after the 1 STARTTLS command:

  • Thunderbird sent one TCP packet: 1 STARTTLS\r\n
  • K9-Mail sent two TCP packets: 1 STARTTLS and \r\n

thunderbird:
<   00000000  2a 20 4f 4b 20 5b 43 41  50 41 42 49 4c 49 54 59 * OK [CA PABILITY
<   00000010  20 49 4d 41 50 34 72 65  76 31 20 4c 49 54 45 52  IMAP4re v1 LITER
<   00000020  41 4c 2b 20 53 41 53 4c  2d 49 52 20 4c 4f 47 49 AL+ SASL -IR LOGI
<   00000030  4e 2d 52 45 46 45 52 52  41 4c 53 20 49 44 20 45 N-REFERR ALS ID E
<   00000040  4e 41 42 4c 45 20 49 44  4c 45 20 53 54 41 52 54 NABLE ID LE START
<   00000050  54 4c 53 20 41 55 54 48  3d 50 4c 41 49 4e 20 41 TLS AUTH =PLAIN A
<   00000060  55 54 48 3d 4c 4f 47 49  4e 20 41 55 54 48 3d 44 UTH=LOGI N AUTH=D
<   00000070  49 47 45 53 54 2d 4d 44  35 5d 20 44 6f 76 65 63 IGEST-MD 5] Dovec
<   00000080  6f 74 20 72 65 61 64 79  2e 0d 0a                ot ready ...
>   00000000  31 20 53 54 41 52 54 54  4c 53 0d 0a             1 STARTT LS..
<   0000008B  31 20 4f 4b 00 42 65 67  69 6e 20 54 4c 53 20 6e 1 OK.Beg in TLS n
<   0000009B  65 67 6f 74 69 61 74 69  6f 6e 20 6e 6f 77 2e 0d egotiati on now..
<   000000AB  0a                                               .

k-9 mail:
<   00000000  2a 20 4f 4b 20 5b 43 41  50 41 42 49 4c 49 54 59 * OK [CA PABILITY
<   00000010  20 49 4d 41 50 34 72 65  76 31 20 4c 49 54 45 52  IMAP4re v1 LITER
<   00000020  41 4c 2b 20 53 41 53 4c  2d 49 52 20 4c 4f 47 49 AL+ SASL -IR LOGI
<   00000030  4e 2d 52 45 46 45 52 52  41 4c 53 20 49 44 20 45 N-REFERR ALS ID E
<   00000040  4e 41 42 4c 45 20 49 44  4c 45 20 53 54 41 52 54 NABLE ID LE START
<   00000050  54 4c 53 20 41 55 54 48  3d 50 4c 41 49 4e 20 41 TLS AUTH =PLAIN A
<   00000060  55 54 48 3d 4c 4f 47 49  4e 20 41 55 54 48 3d 44 UTH=LOGI N AUTH=D
<   00000070  49 47 45 53 54 2d 4d 44  35 5d 20 44 6f 76 65 63 IGEST-MD 5] Dovec
<   00000080  6f 74 20 72 65 61 64 79  2e 0d 0a                ot ready ...
>   00000000  31 20 53 54 41 52 54 54  4c 53                   1 STARTT LS
>   0000000A  0d 0a                                            ..

Our Dovecot mailserver itself didn't have any problems with the K9-Mail version but the proxy did. So I sent a patch to the K9-Mail developers to make K9-Mail act like Thunderbird does.
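
The two captures above carry identical bytes in different TCP segments. The following added example (not from the original post, the K9-Mail patch or the proxy vendor) replays both through a stream-correct line reader and through a per-segment parser; the per-segment logic is only an assumption about how a middlebox could fail here, and all function names are hypothetical.

```python
CRLF = b"\r\n"

# Constructed from the two client captures above: same bytes, different segmentation.
THUNDERBIRD_SEGMENTS = [b"1 STARTTLS\r\n"]
K9_SEGMENTS = [b"1 STARTTLS", b"\r\n"]


def per_segment_parser(segments):
    """Assumed (hypothetical) middlebox logic: one TCP segment == one command line."""
    commands = []
    for seg in segments:
        if len(seg) > len(CRLF) and seg.endswith(CRLF):
            commands.append(seg[:-len(CRLF)])
        # Anything else (a bare command or a bare CRLF) is never recognised.
    return commands


def stream_parser(segments, max_line=8192):
    """Stream-correct logic: buffer bytes until CRLF, whatever the segmentation."""
    buf, commands = bytearray(), []
    for seg in segments:
        buf += seg
        while (end := buf.find(CRLF)) >= 0:
            commands.append(bytes(buf[:end]))
            del buf[:end + len(CRLF)]
        if len(buf) > max_line:  # bound memory for an unterminated line
            raise ValueError("IMAP line exceeds max_line without CRLF")
    return commands


def split_terminators(segments):
    """Indexes of segments that start with a CRLF cut off from its command."""
    hits = []
    for i, seg in enumerate(segments):
        prev = segments[i - 1] if i else b""
        if seg.startswith(CRLF) and prev and not prev.endswith(CRLF):
            hits.append(i)
    return hits


if __name__ == "__main__":
    for name, segs in (("thunderbird", THUNDERBIRD_SEGMENTS), ("k-9 mail", K9_SEGMENTS)):
        print(name, per_segment_parser(segs), stream_parser(segs), split_terminators(segs))
```

Running `split_terminators` over the client payloads of a capture is a quick way to tell whether a client splits its line terminator from the command before blaming the server.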