How to setup 17.1 maileater against Google Mail or Gmail -

Document ID : KB000074442
Last Modified Date : 24/04/2018
Show Technical Document Details
With Service Desk Manager 17.1 we are able to use IMAP over SSL directly. That means that we should be able to connect to a 3rd party Email solutions like Google Mail etc.,  This article shows a step by step approach on what needs to be done to get our Maileater to work with Google Mail.

Similar approach could be implemented for any other IMAP over SSL mail solution.

1) Obtain Gmail's IMAP Server's Root Certificate first. 

You can do so by opening a browser to and exporting the certificate there manually to base64 encoded cert file.

a) Here's an example from IE after you have logged into

b) click the padlock icon to view the certificate

c) Go to the Certification Path tab

d) Highlight the root certificate there (in this case its Google Trust Services GlobalSign Root)

e) It brings the properties for that root cert,  select the Details tab on that one now

f) Click Copy to File button  and save it as a Base64 encoded file.  Copy this file to the SDM Server now.

2) The thumbprint of that certificate is here below in case you want to just Save it to a file and use it on SDM Maileater  (Note, you need all the lines in the code below, including ---- BEGIN.....   all the way to -----END CERTIFICATE-----  including those lines)
NOTE: The certificate below is provided as an example, it's possible that Google may change the certificate at anytime, and then the example will no longer work.



3) Now configure your SDM mailbox to something like below (of course it has to be Active, my screenprint below shows Inactive as I deactivated that mailbox now)


4)  When you click Save, that's when SDM maileater program attempts to import the certificate into SDM's keystore (NX.keystore)

5) If it is the first time you are creating the NX.keystore, it'll take a minute or so for SDM to install the NX_KEYSTORE option, import the cert etc., 


2018-03-19 07:03:24:886 DEBUG [main] c.c.S.maileater.Maileater - Setting NX_ROOT to: C:/PROGRA~2/CA/SERVIC~1
2018-03-19 07:03:24:964 DEBUG [main] c.c.S.m.c.PDMMailerUtil - Not using keystore C:/PROGRA~2/CA/SERVIC~1/pdmconf/nx.keystore. Probably not configured.
2018-03-19 07:03:24:995 INFO [main] c.c.S.maileater.Maileater - Startup of pdm_maileater Daemon with name 'pdm_maileater_nxd'; Catcher name: pdm_maileater Classpath: C:/PROGRA~2/CA/SERVIC~1/java/lib/pdm_mail_assembly.jar;C:/PROGRA~2/CA/SERVIC~1/java/lib/javax.mail-1.5.6.jar;C:/PROGRA~2/CA/SERVIC~1/java/lib/slump.jar;C:/PROGRA~2/CA/SERVIC~1/java/lib/domsrvr_utils.jar;C:/PROGRA~2/CA/SERVIC~1/java/lib/BOPIntegration.jar;C:/PROGRA~2/CA/SERVIC~1/java/lib/sd-utils.jar;C:/PROGRA~2/CA/SERVIC~1/java/lib/log4j-1.2.15.jar;C:/PROGRA~2/CA/SERVIC~1/site/cfg;C:/PROGRA~2/CA/SERVIC~1/java/lib/bc-fips-1.0.0.jar;C:/PROGRA~2/CA/SERVIC~1/java/resources
2018-03-19 07:03:25:042 INFO [main] c.c.S.maileater.Maileater - Maileater connected to domsrvr domsrvr
2018-03-19 07:03:25:058 DEBUG [main] c.c.S.m.NXMailEater - NX_SITE path is C:/PROGRA~2/CA/SERVIC~1/site
2018-03-19 07:03:25:136 INFO [Thread-3] c.c.S.m.c.PDMMailerUtil - Keystore file is not yet created, importing certificate should create the file.
2018-03-19 07:03:25:136 DEBUG [Thread-3] c.c.S.m.c.PDMMailerUtil - [pdm_perl,, -import, c:\gmail_root.txt]
2018-03-19 07:03:37:797 DEBUG [Thread-4] c.c.S.m.c.PDMMailerUtil - Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 36,500 days
2018-03-19 07:03:37:797 DEBUG [Thread-4] c.c.S.m.c.PDMMailerUtil - for: CN=CA, OU=CA Service Desk Manager, O=EITM, L=Islandia, ST=NY, C=US
2018-03-19 07:03:37:797 DEBUG [Thread-4] c.c.S.m.c.PDMMailerUtil - [Storing C:\PROGRA~2\CA\SERVIC~1\pdmconf\nx.keystore]
2018-03-19 07:03:44:351 DEBUG [Thread-4] c.c.S.m.c.PDMMailerUtil - Certificate was added to keystore
2018-03-19 07:03:44:351 DEBUG [Thread-4] c.c.S.m.c.PDMMailerUtil - [Storing C:\PROGRA~2\CA\SERVIC~1\pdmconf\nx.keystore]
2018-03-19 07:03:47:211 DEBUG [Thread-5] c.c.S.m.c.PDMMailerUtil - 
2018-03-19 07:03:47:211 DEBUG [Thread-5] c.c.S.m.c.PDMMailerUtil - SUCCESS!
2018-03-19 07:03:47:211 DEBUG [Thread-5] c.c.S.m.c.PDMMailerUtil - The certificate gmail_root.txt has been imported.
2018-03-19 07:03:47:211 DEBUG [Thread-5] c.c.S.m.c.PDMMailerUtil - Use -list to see the contents of the keystore.
2018-03-19 07:03:47:227 DEBUG [Thread-3] c.c.S.m.c.PDMMailerUtil - Exit value from 0
2018-03-19 07:03:47:227 DEBUG [Thread-3] c.c.S.m.c.PDMMailerUtil - Keystore exists at: C:/PROGRA~2/CA/SERVIC~1/pdmconf/nx.keystore. Setting properties.

And then it polls.   If there was no issue, you should see that the mails got eaten fine.

2018-03-19 07:08:31:071 INFO [pool-4-thread-1] c.c.S.m.MailboxPollingRequest - Performing scheduled Mail Poll for Mailbox 400052.
2018-03-19 07:08:31:634 DEBUG [ForkJoinPool-1-worker-0] c.c.S.maileater.Mailbox - [] ( signalled for Mail Poll...
2018-03-19 07:08:31:634 DEBUG [ForkJoinPool-1-worker-0] c.c.S.maileater.Mailbox - [] ( polling for mail...
2018-03-19 07:08:31:634 DEBUG [ForkJoinPool-1-worker-0] c.c.S.m.ConnectSession - [] Password was already decrypted
2018-03-19 07:08:31:634 DEBUG [ForkJoinPool-1-worker-0] c.c.S.m.c.JavaMailIMAPClient - Connection properties set
2018-03-19 07:08:32:290 INFO [pool-4-thread-2] c.c.S.m.MailboxPollingRequest - Performing scheduled Mail Poll for Mailbox 400001.
2018-03-19 07:08:32:399 DEBUG [ForkJoinPool-1-worker-0] c.c.S.m.c.JavaMailIMAPClient - Connected to IMAP host
2018-03-19 07:08:32:540 INFO [ForkJoinPool-1-worker-0] c.c.S.m.ConnectSession - [] Received messages count : 7

NOTE:  While it was not seen in our testing, its possible that a Service Desk restart is needed here if the NX.keystore is not being read properly.

Additional Information:


If you get an error like this, most likely that's because Google blocked your IMAP connection because it thought it was a non secure app:

2018-03-19 07:06:09:118 ERROR [ForkJoinPool-1-worker-1] c.c.S.m.c.JavaMailIMAPClient - Failed to make connection with STARTTLS to server, port 993, trying SSL connection
2018-03-19 07:06:10:665 ERROR [ForkJoinPool-1-worker-1] c.c.S.m.c.JavaMailIMAPClient - Failed to connect to the Store.
javax.mail.AuthenticationFailedException: [ALERT] Please log in via your web browser: (Failure)
at com.sun.mail.imap.IMAPStore.protocolConnect(
at javax.mail.Service.connect(
at javax.mail.Service.connect(
at java.util.concurrent.ForkJoinTask$AdaptedCallable.exec(Unknown Source)
at java.util.concurrent.ForkJoinTask.doExec(Unknown Source)
at java.util.concurrent.ForkJoinPool$WorkQueue.runTask(Unknown Source)
at java.util.concurrent.ForkJoinPool.runWorker(Unknown Source)
at Source)


You may even get an email from Google about it:

Monday, March 19, 2018 7:01 AM (PT) 
Santa Clara, CA, USA*Don't recognize this activity? 
If you didn't recently receive an error while trying to access a Google service, like Gmail, from a non-Google application, someone may have your password.


Are you the one who tried signing in? 
Google will continue to block sign-in attempts from the app you're using because it has known security problems or is out of date. You can continue to use this app by allowing access to less secure apps, but this may leave your account vulnerable.

The Google Accounts team *The location is approximate and determined by the IP address it was coming from. 
This email can't receive replies. For more information, visit the Google Accounts Help Center. You received this mandatory email service announcement to update you about important changes to your Google product or account. © 2018 Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA et:27

Some apps and devices use less secure sign-in technology, which could leave your account vulnerable. You can turn off access for these apps (which we recommend) or choose to use them despite the risks.



To resolve this, you may need to change your security in Google to allow the SDM connection:

1) With in your "My Account"  settings of Gmail account

2) select  Sign-in & Security

3) Click on Apps with account access

4) Turn ON the option   "Allow less secure apps"

5) Retest your maileater again


Another way to test is to test this directly using OpenSSL against the IMAP/POP ports in question. This lets you test a basic connection to see the certificate chain that the port is using: 


a)   openssl s_client -starttls pop3 -connect -showcerts

(You may see an error like this:  because we did not provide a certificate for the above test yet:         Verify return code: 21 (unable to verify the first certificate)  )

Note: for IMAP, it would be:     openssl s_client -starttls imap -connect -showcerts

b)   You should now see some output, showing the certificate chain that the server knows about.  In this case its just Cert Authority issuing server cert. 


Certificate chain

0 s:/CN=casupport.local

   i:/DC=local/DC=casupport/CN=casupport- DC1-CA


c) You can save the text for the mentioned server certificate to a file 



..blahblah Real Cert...



d) You can now open this certificate and check the Certificate Chain.  All we need is the Root CA cert, so follow the steps like you did in the Instructions section to export Root Cert.  Resulting file is what we need in SDM