My mail servers are set up with IMAP access available only with encryption (IMAPS, on TCP/993), so as to avoid sending my password in the clear. This occasionally presents some challenges, including firewalls that assume only unencrypted POP3 (TCP/110) or unencrypted IMAP (TCP/143) should be allowed -- but mostly, not allowing unencrypted connections avoids leaking passwords in plain text.

Since this is only for my internal use, I didn't want to pay the SSL Certificate protection money, and hence use a self-signed certificate on my mail servers -- or, more accurately, I use a self-signed certificate as a private root CA for all my mail servers. That too occasionally causes problems, but most mail clients can be told "trust always" without too much trouble (eg, Apple Mail.app and Thunderbird -- I'm using Mail.app for my work email, and Thunderbird for my personal email at present).

However, getting IMAP access working on my iPhone proved a little more challenging. It will accept the settings, try to connect, and complain that the SSL certificate may be untrusted. But it won't go any further than that unless the certificate has been trusted separately in advance, even if you click on "Continue" -- and you can't save the mail connection settings until the account has been fully verified :-(

The trick to allow a self-signed certificate is:

  • Arrange for the CA certificate to be available via an HTTP URL, served with the correct MIME type (application/x-x509-ca-cert); most modern web servers will do this for a file whose name ends in .crt

  • In Safari on the iPhone, go to the URL of the certificate

  • Provided the certificate is served with the right MIME type, the Safari window will close and an "Install Profile" application will appear showing the certificate

  • Verify the details of the certificate (eg, follow through the "more detail" links; unfortunately it appears only the start of various longer identification strings is displayed due to space constraints and there doesn't appear to be a way to scroll over to see the rest)

  • Once you're convinced it's the correct certificate, click on "Install" to install the new CA, then confirm the installation by clicking on the "Install Now" button, and verify the installation with your passcode. (The iPhone will report that the certificate can't be authenticated -- that's what you are doing, hence the verification step above.)

  • Check that it reports "Profile Installed" and close with the "Done" button, and you'll be taken back to Safari.
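The MIME type in the first step is the part most likely to go wrong on a web server that has never served a certificate before, and a server that maps .crt to text/plain will silently show the PEM as text instead of launching the installer. The following Go program is an added example, not code from the original post: a tiny HTTP server that sends the CA certificate with application/x-x509-ca-cert set explicitly and refuses to serve anything else from the directory (so a private key sitting beside the certificate can't be fetched). The directory name certs, the file name ca.crt and port 8080 are assumptions.

```go
package main

import (
	"log"
	"net/http"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// iOS hands a download to the "Install Profile" screen only when it arrives
// with this Content-Type; any other type just shows the PEM as text in Safari.
const caMIMEType = "application/x-x509-ca-cert"

// ContentTypeFor maps a requested file name to the MIME type to send. Only
// certificate extensions get one; "" means "refuse", so the handler can never
// be talked into serving a private key or anything else from the directory.
func ContentTypeFor(name string) string {
	switch strings.ToLower(path.Ext(name)) {
	case ".crt", ".cer", ".der", ".pem":
		return caMIMEType
	}
	return ""
}

// LookupCA resolves a URL path to (HTTP status, Content-Type, body). Only the
// base name of the path is used, so "../" can't escape dir. It is kept apart
// from the HTTP plumbing so it can be checked without starting a server.
func LookupCA(dir, urlPath string) (int, string, []byte) {
	name := path.Base(urlPath)
	ctype := ContentTypeFor(name)
	if ctype == "" {
		return http.StatusNotFound, "", nil
	}
	data, err := os.ReadFile(filepath.Join(dir, name))
	if err != nil {
		return http.StatusNotFound, "", nil
	}
	return http.StatusOK, ctype, data
}

// CAHandler serves LookupCA over HTTP with the headers set explicitly, rather
// than trusting the web server's extension-to-MIME table.
func CAHandler(dir string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		status, ctype, body := LookupCA(dir, r.URL.Path)
		if status != http.StatusOK {
			http.Error(w, "not found", status)
			return
		}
		w.Header().Set("Content-Type", ctype)
		w.Header().Set("Cache-Control", "no-store") // don't serve a stale CA after renewal
		w.WriteHeader(status)
		w.Write(body)
	})
}

func main() {
	// Assumed layout: ./certs/ca.crt, fetched as http://<this host>:8080/ca.crt
	log.Println("serving certificates from ./certs on :8080")
	log.Fatal(http.ListenAndServe(":8080", CAHandler("certs")))
}
```

Before pointing the phone at it, fetch the URL with curl -I from a laptop and confirm the Content-Type header reads application/x-x509-ca-cert; if it says text/plain or application/octet-stream, Safari will display the file rather than offering to install it.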

Now you can set up the mail account:

  • Settings -> Mail, Contacts, Calendars -> Add Account...

  • Choose "Other" (presumably the ones listed there have various defaults to save you typing)

  • Choose "Add Mail Account"

  • Enter basic details of the account, including the password (which will be used as the default password for the incoming mail server but unfortunately not used as the default for the outgoing mail server -- so you'll have to type it twice)

  • Click on "Save" button, and wait for it to try to guess the mail servers

  • Fill in the proper details of the mail servers, particularly making sure that the server names exactly match the names in the SSL certificate

  • Click on "Save"

  • Wait patiently while it verifies your IMAP settings (even over Wifi into a fast broadband connection this seems to take a very long time)

Assuming no errors come up, you can then go to the Mail application and verify that it can read email (this seems to be much faster than the IMAP settings verification step -- hopefully because it's cached the verification). It'd also be a good idea to verify that you can send mail, especially if you re-entered the mail sending authentication password.

I also set the mail to be checked only manually, as normally when I care about mail I am near my laptop, and when I am not near my laptop I don't want to be disturbed. This has the advantage that it also saves battery power, especially in the absence of push mail. (People have hacked push email using mail2web, and GMail has push mail support -- but the best chance for generic support seems to be Z-Push, which is open source (on Sourceforge), although some people claim that it should have bought an EAS (Exchange ActiveSync) license, and others are confused about the licensing, which seems to be patent licensing possibly affected by the EU deal. At some point I'll have to investigate what might be needed to get that set up -- there are some detailed instructions -- and whether it needs special licensing. The main trick is that you set up an Exchange connection rather than an IMAP one, and Z-Push then proxies to the real IMAP backend. Apparently it downconverts HTML mail into plain text, which may or may not be an issue. There is also Zimbra, which has suitable support in the commercial version.)

Other Mail on iPhone notes

It appears that the Mail application doesn't have a way of writing a "Sent" message to the "Sent" folder (cf, Mail.app and Thunderbird). However it can BCC you (and appears to be set to do so by default), and it's fairly quick to move that message into the Sent Folder (go to the message view, click on the Folder icon, click on the "Sent" folder).

Annoyingly, when replying, the iPhone Mail application (a) quotes all the text of the previous message, and (b) (sinfully) puts the signature and insertion point above the quote :-(

You can fix the first by selecting what you want to quote before clicking on the reply button, and then it'll only quote the selection.

The only fix for the second appears to be excessive use of cut'n'paste on the iPhone to rearrange the text to suit (alas it's probably the least functional cut'n'paste possible, due to very poor choice of UI -- but it can be done). (There is QuoteFix for Mac OS X Mail.app (using a private API) which apparently fixes various issues with quoting text there. But AFAICS no option at all on the iPhone. Oh well, I mostly want it for reading email anyway.)

(This also reminded me that I'll need to renew my SSL certificates in about 6 months. And of various extensions to Apple Mail.app including Mail Act On -- which is US$25, but apparently worth it.)

Other notes

ETA, 2012-07-06: the CA certificate expired this time, and Thunderbird got upset, continually re-prompting to verify the identity over and over again irrespective of saying "cancel" or "confirm" (and permanently store this identity). Even updating the credentials on the server didn't help. In the end I imported the CA certificate (which is in the Preferences pane on OS X; another example), tried a few more times, and then gave up and force-quit Thunderbird then restarted it (it was effectively live-locked in the UI in that re-re-reprompting for verification of the certificate, apparently never bothering to consult the updated certificate database). After the (forced) restart it behaved properly.
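Both of the certificate failures on this page, a server name that doesn't exactly match the names in the certificate (the account setup step above) and a CA certificate that has quietly expired (this note), are things every client checks before it will talk to the server, and both can be caught from a laptop before any phone or mail client starts complaining. The Go program below is an added example, not code from the original post: it builds a throwaway private root CA and a server certificate in memory (a stand-in for the author's real CA, used only so the checks can be shown offline), then runs the same chain, host-name and validity checks a mail client applies, plus a renewal warning ahead of expiry; CheckIMAPS runs the same checks against a live IMAPS server on TCP/993. The host names mail.example.com and imap.example.com, the 30-day warning window and the CA name are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ExpiryWarning (assumed value): complain this far ahead of NotAfter, so the
// certificate is renewed before every client suddenly starts refusing it.
const ExpiryWarning = 30 * 24 * time.Hour

// VerifyMailCert applies the checks a mail client makes before trusting the
// server: the leaf must chain (via any intermediates sent) to the private root
// CA, be valid for exactly the configured host name, and be inside its validity
// period. It also flags an imminent expiry. nil means "accepted silently".
func VerifyMailCert(leaf *x509.Certificate, roots, intermediates *x509.CertPool, host string, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: intermediates, CurrentTime: now,
		DNSName: host, // matched against the SubjectAltName DNS list
	})
	if err != nil {
		return fmt.Errorf("certificate not acceptable for %q: %w", host, err)
	}
	if left := leaf.NotAfter.Sub(now); left < ExpiryWarning {
		return fmt.Errorf("certificate for %q expires %s (in %s): renew it now",
			host, leaf.NotAfter.Format("2006-01-02"), left.Round(time.Hour))
	}
	return nil
}

// CheckIMAPS connects to host:993 as a client would and runs VerifyMailCert on
// the chain the server really presents.
func CheckIMAPS(host string, roots *x509.CertPool) error {
	conn, err := tls.Dial("tcp", host+":993", &tls.Config{RootCAs: roots, ServerName: host})
	if err != nil {
		return fmt.Errorf("TLS handshake with %s:993 failed: %w", host, err)
	}
	defer conn.Close()
	chain := conn.ConnectionState().PeerCertificates
	inter := x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	return VerifyMailCert(chain[0], roots, inter, host, time.Now())
}

// newCert generates a P-256 key, gives tmpl a random serial and signs it with
// parentKey; with parent == nil the certificate is self-signed (a root CA).
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewPrivateRootCA makes a self-signed root of the kind the post uses for all
// its mail servers (constructed in memory for the demonstration only).
func NewPrivateRootCA(name string, notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return newCert(&x509.Certificate{
		Subject: pkix.Name{CommonName: name}, NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// IssueServerCert signs a leaf for one mail server. The host name goes in the
// SubjectAltName DNS list; that list, not the CN, is what clients match.
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	cert, _, err := newCert(&x509.Certificate{
		Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return cert, err
}

func main() { // offline demonstration with a throwaway, constructed CA
	now := time.Now()
	ca, caKey, _ := NewPrivateRootCA("Demo Private Root CA", now.Add(-time.Hour), now.Add(5*365*24*time.Hour))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	leaf, _ := IssueServerCert(ca, caKey, "mail.example.com", now.Add(-time.Hour), now.Add(365*24*time.Hour))
	fmt.Println(VerifyMailCert(leaf, roots, nil, "mail.example.com", now)) // accepted
	fmt.Println(VerifyMailCert(leaf, roots, nil, "imap.example.com", now)) // host name mismatch
}
```

To check a real server, build the pool from the CA file the phone installed (x509.NewCertPool followed by AppendCertsFromPEM on the file's bytes) and call CheckIMAPS with the exact host name typed into the mail client; a name that only differs in a subdomain fails in the same way the second line of the demonstration does, and a certificate inside the warning window is reported before it expires rather than, as happened to Thunderbird here, after.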

Mail.app was much better behaved, just requiring actually checking the "always trust" checkbox, and then there was just a single prompt. In theory it's also possible to trust the CA certificate using Keychain Access (in /Applications/Utilities), but in OS X 10.6.8 I was only able to get it trusted in the "login" keychain, not the "System Roots" (even by going to "System Roots", "Certificates", then File/Import Items... and then import the certificate, and choosing to trust it). Perhaps there's an additional step required in later versions of OS X. (I also noticed after trying this that when I did the import the System Root was locked. I haven't retried again with the System Root unlocked.)