Back to Silas S. Brown's home page

Windows Mobile email setup

(see also list of vaguely-usable old Windows Mobile phones)

This page has some notes on running old Windows Mobile phones (dating from 2003 to 2009/10) with modern email systems.

SSL encryption problem with built-in client

Email is no longer likely to work on Windows Mobile's built-in client because its SSL encryption options are now considered insecure and are usually disabled server-side. Cambridge's server switched off RC4 in January 2016 and GMail's in June, by which time Yahoo, Hotmail and iCloud had also stopped working. AOL still worked until November 2017 if you didn't mind connecting to their non-SSL server---I suggested using ImapFix's secondary_is_insecure setting to remove addresses from the plaintext copy---but then they shut this down and their SSL server didn't work with WM.

Personally I didn't think the known RC4 attacks on Web traffic are also feasible on IMAP unless poll frequency is set way too high, so I think there's a valid argument for re-enabling older ciphers for email only so as to allow old WM phones to connect. But the sysadmins were worried I might be wrong, and eventually GNU/Linux distributions started disabling these ciphers at the SSL library level (e.g. Debian bug #875423), so sysadmins can't now turn them back on even if they want to, unless they recompile their system libraries from source or risk running outdated distributions. This also means you can't just set up Dovecot on a Raspberry Pi or something and expect a quick ssl_cipher_list = ALL to solve your problem: you'd be left with log entries that say SSL routines:tls_process_client_hello:version too low, and the WM device will probably "A secure sockets layer (SSL) connection could not be established" when "require SSL" is turned on, or perpetual re-requests for your password when "require SSL" is turned off (but its exact message may vary).

You can still run on a home server what used to be possible with AOL: use IMAP without SSL, and ImapFix's secondary_is_insecure setting to remove addresses from the plaintext copy of your inbox. To do this with dovecot-imapd you'll need to set disable_plaintext_auth = no in /etc/dovecot/conf.d/10-auth.conf and I strongly recommend changing the passdb section in /etc/dovecot/conf.d/auth-system.conf.ext so it uses driver = passwd-file instead of driver = pam, with args = a path to some alternate passwd file you set up specially for email (use echo `whoami`:`doveadm pw -s CRYPT` > passwd), so you don't have to send your system login password in the clear whenever you check your email. You might also want to edit 10-mail.conf commenting out mbox and uncommenting maildir options to reduce the disk writes needed for small incremental updates. (With some Dovecot versions you also need to ensure the mailbox is not on a fusecompress mount.) Then do /etc/init.d/dovecot restart, open port 143 on your firewall (or set up a script to open it temporarily when requested in some way), and use ImapFix to synchronise your mail there.

For sending email from the phone, you'll also need an SMTP server it can connect to---and this will have the same issues with SSL libraries. I wouldn't recommend connecting to SMTP with a plaintext password---there's a big difference between "sniffing your password to read an inbox from which the most sensitive information has already been redacted" and "sniffing your password to send emails from your server", especially if you have scripts that say emails provably from that server can run certain commands. But the lack of SMTP is not a major issue, because it's hard to type much on a small WM keyboard anyway, and it's rare that urgent matters can't be dealt with by SMS or voice call until you get to a proper keyboard.

Other notes on built-in client

If you have a server to which the phone can connect:

Third-party clients

You could try (the old WM version of) which supports more SSL options than the built-in client, but even this began to fail to connect to Cambridge servers in December 2016 (reporting error 10022, which is Microsoft speak for an invalid parameter somewhere). If it does connect to your server:

Otherwise you might have to use PocketPUTTY, which is not suitable for offline use (although you can long-press to paste in a pre-written email when signal becomes available). It won't work on non-touchscreen models although a more-awkward SSH "midlet" does.

Usual disclaimers apply---all the above is at your own risk.

All material © Silas S. Brown unless otherwise stated.