Now here’s something odd.

I’m changing to new IMAP server software at Watershed (more on that later), and so during the testing phase I’ve got the old server listening on the standard port of 993, and the new one listening on 10993. And I thought I ought to test the new server, Dovecot, on different mail clients.

Entourage… fine. Thunderbird… fine. Apple Mail… ah.

Mail, on both 10.4 and the iPhone, will not connect. A packet trace shows the TCP handshake and then nothing else. They work fine on the old server on port 993, but simply will not connect to the new one on port 10993. And no, it’s not a firewall issue – I’m running Entourage (works) and Mail (doesn’t) on the same machine.

OK, I think, either Dovecot has some stupid implementation of IMAP which is tripping up Mail… or, somehow, Mail can’t cope with using high port numbers. The error I get from Mail (“Cannot connect on port 0”) and the fact that the connection never even enters SSL negotiation, let alone the IMAP login stage, suggests the latter.

So I added this rule to Watershed’s router (pf, since you ask):

rdr pass on $ext_if inet proto tcp from $oliver to $mail port 993 -> $mail port 10993

This means: if I try to get to port 993, actually connect to port 10993. So I could type port 993 into Mail, and it would get redirected (unbeknownst to Mail) and connect to the new server.

And it worked like a treat, in Mail on both 10.4 and the iPhone.

Mail in Leopard doesn’t have this problem, so presumably the Mail on the iPhone is based on the 10.4 Mail code.

OK, how stupid is this thing then? I’ll tell you. Although there is a space for you to specify the IMAP port, as far as I can see no port except 993 will actually connect to the mail server (assuming you’re using SSL). I’ve tried with 10993, 1023, 143, 990… none of them work. How this made it past QA I can’t imagine. Surely this can’t be a quirk of my setup: when I trace *all* traffic on *all* ports between my computer and the mail server all I see is Syn, Syn-Ack, Ack… and that’s all. Mail never replies to that last Ack that comes in. This clearly isn’t a firewall problem.

As I said, this appears to be fixed in 10.5’s Mail. Woo, it only took them 5 versions.

If anyone else fancies verifying this, please do and let me know the results below.
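For anyone verifying this from the server side, here is an added example (not part of the original post): a small listener that accepts one connection on a test port and reports whether the client goes on to start SSL negotiation or stalls after the TCP handshake, which is the symptom described above. The function names are hypothetical, the sample client bytes are constructed, and the classification only makes sense on an SSL-wrapped port (993-style), where the client is the one that speaks first.

```python
import socket
import threading

def classify_first_bytes(data):
    """Name what a client sent first on an SSL-wrapped (993-style) port."""
    if data is None:
        return "silent"              # handshake done, nothing sent before timeout
    if data == b"":
        return "closed"              # client hung up without sending anything
    # TLS/SSLv3 record header: content type 0x16 (handshake), major version 0x03
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-client-hello"
    # SSLv2-compatible hello from older clients: length MSB set, msg type 1
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-style-hello"
    return "other-data"

def observe_one_client(listener, wait=5.0):
    """Accept one TCP connection and report what the client does next."""
    conn, _peer = listener.accept()
    with conn:
        conn.settimeout(wait)
        try:
            data = conn.recv(5)      # 5 bytes = one TLS record header
        except socket.timeout:
            data = None
    return classify_first_bytes(data)

def make_listener(port=0, host="127.0.0.1"):
    """Plain TCP listener; port 0 lets the OS pick a free port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(1)
    return s

def run_demo(wait=0.5):
    """Drive the observer with constructed loopback clients."""
    cases = [("tls", b"\x16\x03\x01\x00\x2f"), ("stalled", None),
             ("plain", b"a1 CAPABILITY\r\n")]   # constructed first bytes
    results = {}
    for name, payload in cases:
        with make_listener() as lst:
            out = []
            t = threading.Thread(target=lambda: out.append(observe_one_client(lst, wait)))
            t.start()
            with socket.create_connection(lst.getsockname()) as client:
                if payload is not None:
                    client.sendall(payload)
                t.join()             # keep the client open until the observer decides
            results[name] = out[0]
    return results
```

To test a real client, bind `make_listener` to a spare high port on a reachable address, point the mail client at it with SSL enabled, and call `observe_one_client`: a result of `silent` matches the behaviour in the packet trace.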